def test_set_get_concrete_value(self):
"""Check setting concrete values"""
for r in self.pr:
if r.getBitSize() == 32:
setConcreteRegisterValue(Register(r, 0xdeadbeaf))
elif r.getBitSize() == 64:
setConcreteRegisterValue(Register(r, 0xabcdef0123456789))
elif r.getBitSize() == 128:
setConcreteRegisterValue(Register(r, 0xabcdef01234567899876543210fedcba))
elif r.getBitSize() == 256:
setConcreteRegisterValue(Register(r, 0xabcdef01234567899876543210fedcbaabcdef01234567899876543210fedcba))
else:
pass
"""Check getting concrete values"""
for r in self.pr:
if r.getBitSize() == 32:
self.assertEqual(getConcreteRegisterValue(r), 0xdeadbeaf)
elif r.getBitSize() == 64:
self.assertEqual(getConcreteRegisterValue(r), 0xabcdef0123456789)
elif r.getBitSize() == 128:
self.assertEqual(getConcreteRegisterValue(r), 0xabcdef01234567899876543210fedcba)
elif r.getBitSize() == 256:
self.assertEqual(getConcreteRegisterValue(r), 0xabcdef01234567899876543210fedcbaabcdef01234567899876543210fedcba)
else:
pass
"""Set everything to zero"""
for r in self.ar:
setConcreteRegisterValue(Register(r, 0))
"""Check if everything is equal to zero"""
for r in self.ar:
self.assertEqual(getConcreteRegisterValue(r), 0)
def reset(self):
triton.resetEngines()
triton.clearPathConstraints()
triton.setArchitecture(self.arch)
triton.enableMode(triton.MODE.ALIGNED_MEMORY, True)
triton.enableMode(triton.MODE.ONLY_ON_SYMBOLIZED, True)
triton.addCallback(self.memoryCaching,
triton.CALLBACK.GET_CONCRETE_MEMORY_VALUE)
triton.addCallback(self.constantFolding,
triton.CALLBACK.SYMBOLIC_SIMPLIFICATION)
for r in self.regs:
if r in self.triton_regs:
triton.setConcreteRegisterValue(
triton.Register(
self.triton_regs[r], self.regs[r] &
((1 << self.triton_regs[r].getBitSize()) - 1)))
for m in cache:
self.write_mem(m['start'], m["data"])
for address in self.inputs:
self.inputs[address] = triton.convertMemoryToSymbolicVariable(
triton.MemoryAccess(address, triton.CPUSIZE.BYTE))
def reset(self):
triton.resetEngines()
triton.clearPathConstraints()
triton.setArchitecture(self.arch)
triton.enableMode(triton.MODE.ALIGNED_MEMORY, True)
triton.enableMode(triton.MODE.ONLY_ON_SYMBOLIZED, True)
triton.addCallback(self.memoryCaching,
triton.CALLBACK.GET_CONCRETE_MEMORY_VALUE)
triton.addCallback(self.constantFolding,
triton.CALLBACK.SYMBOLIC_SIMPLIFICATION)
for r in self.regs:
if r in self.triton_regs:
triton.setConcreteRegisterValue(
triton.Register(self.triton_regs[r], self.regs[r] & ((1 << self.triton_regs[r].getBitSize()) - 1))
)
for m in cache:
self.write_mem(m['start'], m["data"])
for address in self.inputs:
self.inputs[address] = triton.convertMemoryToSymbolicVariable(
triton.MemoryAccess(
address,
triton.CPUSIZE.BYTE
)
)
def test_emulate(self, concretize=False):
"""Run a dumped simulation and check output registers."""
# Get dumped data
dump = os.path.join(os.path.dirname(__file__), "misc", "emu_1.dump")
with open(dump) as f:
regs, mems = eval(f.read())
# Load memory
for mem in mems:
start = mem['start']
if mem['memory'] is not None:
setConcreteMemoryAreaValue(start, bytearray(mem['memory']))
# setup registers
for reg_name in ("rax", "rbx", "rcx", "rdx", "rdi", "rsi", "rbp",
"rsp", "rip", "r8", "r9", "r10", "r11", "r12", "r13",
"r14", "eflags", "xmm0", "xmm1", "xmm2", "xmm3",
"xmm4", "xmm5", "xmm6", "xmm7", "xmm8", "xmm9",
"xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15"):
setConcreteRegisterValue(
Register(getattr(REG, reg_name.upper()), regs[reg_name]))
# run the code
pc = getConcreteRegisterValue(REG.RIP)
while pc != 0x409A18:
opcodes = getConcreteMemoryAreaValue(pc, 20)
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Check if triton doesn't supports this instruction
self.assertTrue(processing(instruction))
pc = getConcreteRegisterValue(REG.RIP)
if concretize:
concretizeAllMemory()
concretizeAllRegister()
rax = getConcreteRegisterValue(REG.RAX)
rbx = getConcreteRegisterValue(REG.RBX)
rcx = getConcreteRegisterValue(REG.RCX)
rdx = getConcreteRegisterValue(REG.RDX)
rsi = getConcreteRegisterValue(REG.RSI)
self.assertEqual(rax, 0)
self.assertEqual(rbx, 0)
self.assertEqual(rcx, 0)
self.assertEqual(rdx, 0x4d2)
self.assertEqual(rsi, 0x3669000000000000)
def test_emulate(self, concretize=False):
"""Run a dumped simulation and check output registers."""
# Get dumped data
dump = os.path.join(os.path.dirname(__file__), "misc", "emu_1.dump")
with open(dump) as f:
regs, mems = eval(f.read())
# Load memory
for mem in mems:
start = mem['start']
if mem['memory'] is not None:
setConcreteMemoryAreaValue(start, bytearray(mem['memory']))
# setup registers
for reg_name in ("rax", "rbx", "rcx", "rdx", "rdi", "rsi", "rbp",
"rsp", "rip", "r8", "r9", "r10", "r11", "r12", "r13",
"r14", "eflags", "xmm0", "xmm1", "xmm2", "xmm3",
"xmm4", "xmm5", "xmm6", "xmm7", "xmm8", "xmm9",
"xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15"):
setConcreteRegisterValue(Register(getattr(REG, reg_name.upper()), regs[reg_name]))
# run the code
pc = getConcreteRegisterValue(REG.RIP)
while pc != 0x409A18:
opcodes = getConcreteMemoryAreaValue(pc, 20)
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Check if triton doesn't supports this instruction
self.assertTrue(processing(instruction))
pc = getConcreteRegisterValue(REG.RIP)
if concretize:
concretizeAllMemory()
concretizeAllRegister()
rax = getConcreteRegisterValue(REG.RAX)
rbx = getConcreteRegisterValue(REG.RBX)
rcx = getConcreteRegisterValue(REG.RCX)
rdx = getConcreteRegisterValue(REG.RDX)
rsi = getConcreteRegisterValue(REG.RSI)
self.assertEqual(rax, 0)
self.assertEqual(rbx, 0)
self.assertEqual(rcx, 0)
self.assertEqual(rdx, 0x4d2)
self.assertEqual(rsi, 0x3669000000000000)
def test_load_immediate_fs(self):
"""Check load from fs segment with immediate."""
setArchitecture(ARCH.X86_64)
inst = Instruction()
# mov eax, DWORD PTR fs:0xffffffffffffdf98
inst.setOpcodes("\x64\x8B\x04\x25\x98\xDF\xFF\xFF")
inst.setAddress(0x400000)
setConcreteRegisterValue(Register(REG.FS, 0x7fffda8ab700))
processing(inst)
self.assertTrue(inst.getLoadAccess())
load, _ = inst.getLoadAccess()[0]
self.assertEqual(load.getAddress(), 0x7fffda8a9698)
self.assertEqual(load.getBitSize(), 32)
def test_set_flags(self):
"""Check flags can be set in any order with a correct output result."""
registers = [
REG.ZF, REG.AF, REG.IF, REG.CF, REG.DF, REG.PF, REG.SF, REG.OF,
REG.TF
]
values = [0] * len(registers)
rand_registers = list(registers)
random.shuffle(rand_registers)
# Randomnly set flags registers and check result is the one expected
for reg in rand_registers:
setConcreteRegisterValue(Register(reg, 1))
values[registers.index(reg)] = 1
self.assertListEqual(
[getConcreteRegisterValue(r) for r in registers], values)
def test_load_indirect_fs(self):
"""Check load from fs with indirect address."""
setArchitecture(ARCH.X86_64)
inst = Instruction()
# mov rax, QWORD PTR fs:[rax]
inst.setOpcodes("\x64\x48\x8B\x00")
inst.setAddress(0x400000)
setConcreteRegisterValue(Register(REG.FS, 0x7fffda8ab700))
setConcreteRegisterValue(Register(REG.RAX, 0xffffffffffffdf90))
processing(inst)
self.assertTrue(inst.getLoadAccess())
load, _ = inst.getLoadAccess()[0]
self.assertEqual(load.getAddress(), 0x7fffda8a9690)
self.assertEqual(load.getBitSize(), 64)
def test_set_get_concrete_value(self):
"""Check setting concrete values"""
for r in self.pr:
if r.getBitSize() == 32:
setConcreteRegisterValue(Register(r, 0xdeadbeaf))
elif r.getBitSize() == 64:
setConcreteRegisterValue(Register(r, 0xabcdef0123456789))
elif r.getBitSize() == 128:
setConcreteRegisterValue(
Register(r, 0xabcdef01234567899876543210fedcba))
elif r.getBitSize() == 256:
setConcreteRegisterValue(
Register(
r,
0xabcdef01234567899876543210fedcbaabcdef01234567899876543210fedcba
))
else:
pass
"""Check getting concrete values"""
for r in self.pr:
if r.getBitSize() == 32:
self.assertEqual(getConcreteRegisterValue(r), 0xdeadbeaf)
elif r.getBitSize() == 64:
self.assertEqual(getConcreteRegisterValue(r),
0xabcdef0123456789)
elif r.getBitSize() == 128:
self.assertEqual(getConcreteRegisterValue(r),
0xabcdef01234567899876543210fedcba)
elif r.getBitSize() == 256:
self.assertEqual(
getConcreteRegisterValue(r),
0xabcdef01234567899876543210fedcbaabcdef01234567899876543210fedcba
)
else:
pass
"""Set everything to zero"""
for r in self.ar:
setConcreteRegisterValue(Register(r, 0))
"""Check if everything is equal to zero"""
for r in self.ar:
self.assertEqual(getConcreteRegisterValue(r), 0)
def init_ctxt(self):
"""Setup memory and register values."""
# Define the address of the serial pointer. The address of the serial
# pointer must be the same that the one hardcoded into the targeted
# function. However, the serial pointer (here 0x900000) is arbitrary.
setConcreteMemoryValue(0x601040, 0x00)
setConcreteMemoryValue(0x601041, 0x00)
setConcreteMemoryValue(0x601042, 0x90)
# Define the serial context. We store the serial content located on our
# arbitrary # serial pointer (0x900000).
setConcreteMemoryValue(0x900000, 0x31)
setConcreteMemoryValue(0x900001, 0x3e)
setConcreteMemoryValue(0x900002, 0x3d)
setConcreteMemoryValue(0x900003, 0x26)
setConcreteMemoryValue(0x900004, 0x31)
# Point RDI on our buffer. The address of our buffer is arbitrary. We
# just need to point the RDI register on it as first argument of our
# targeted function.
setConcreteRegisterValue(Register(REG.RDI, 0x1000))
# Setup stack on an abitrary address.
setConcreteRegisterValue(Register(REG.RSP, 0x7fffffff))
setConcreteRegisterValue(Register(REG.RBP, 0x7fffffff))
def init_ctxt(self):
"""Setup memory and register values."""
# Define the address of the serial pointer. The address of the serial
# pointer must be the same that the one hardcoded into the targeted
# function. However, the serial pointer (here 0x900000) is arbitrary.
setConcreteMemoryValue(0x601040, 0x00)
setConcreteMemoryValue(0x601041, 0x00)
setConcreteMemoryValue(0x601042, 0x90)
# Define the serial context. We store the serial content located on our
# arbitrary # serial pointer (0x900000).
setConcreteMemoryValue(0x900000, 0x31)
setConcreteMemoryValue(0x900001, 0x3e)
setConcreteMemoryValue(0x900002, 0x3d)
setConcreteMemoryValue(0x900003, 0x26)
setConcreteMemoryValue(0x900004, 0x31)
# Point RDI on our buffer. The address of our buffer is arbitrary. We
# just need to point the RDI register on it as first argument of our
# targeted function.
setConcreteRegisterValue(Register(REG.RDI, 0x1000))
# Setup stack on an abitrary address.
setConcreteRegisterValue(Register(REG.RSP, 0x7fffffff))
setConcreteRegisterValue(Register(REG.RBP, 0x7fffffff))
def test_defcamp_2015(self):
"""Load binary, setup environment and solve challenge with sym eval."""
# Load the binary
binary_file = os.path.join(os.path.dirname(__file__), "misc", "defcamp-2015-r100.bin")
self.load_binary(binary_file)
# Define a fake stack
setConcreteRegisterValue(Register(REG.RBP, 0x7fffffff))
setConcreteRegisterValue(Register(REG.RSP, 0x6fffffff))
# Define an user input
setConcreteRegisterValue(Register(REG.RDI, 0x10000000))
# Symbolize user inputs (30 bytes)
for index in range(30):
convertMemoryToSymbolicVariable(MemoryAccess(0x10000000+index, CPUSIZE.BYTE))
# Emulate from the verification function
solution = self.emulate(0x4006FD)
self.assertEqual(solution, 'Code_Talkers')
def test_defcamp_2015(self):
"""Load binary, setup environment and solve challenge with sym eval."""
# Load the binary
binary_file = os.path.join(os.path.dirname(__file__), "misc",
"defcamp-2015-r100.bin")
self.load_binary(binary_file)
# Define a fake stack
setConcreteRegisterValue(Register(REG.RBP, 0x7fffffff))
setConcreteRegisterValue(Register(REG.RSP, 0x6fffffff))
# Define an user input
setConcreteRegisterValue(Register(REG.RDI, 0x10000000))
# Symbolize user inputs (30 bytes)
for index in range(30):
convertMemoryToSymbolicVariable(
MemoryAccess(0x10000000 + index, CPUSIZE.BYTE))
# Emulate from the verification function
solution = self.emulate(0x4006FD)
self.assertEqual(solution, 'Code_Talkers')