def test_get_concrete_register_value(self):
global flag
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
flag = False
self.Triton.addCallback(CALLBACK.GET_CONCRETE_REGISTER_VALUE,
self.cb_flag)
self.Triton.processing(Instruction(b"\x48\x89\xd8")) # mov rax, rbx
self.assertTrue(flag)
flag = False
self.Triton.removeCallback(CALLBACK.GET_CONCRETE_REGISTER_VALUE,
self.cb_flag)
self.Triton.processing(Instruction(b"\x48\x89\xd8")) # mov rax, rbx
self.assertFalse(flag)
# Remove all callbacks
flag = False
self.Triton.addCallback(CALLBACK.GET_CONCRETE_REGISTER_VALUE,
self.cb_flag)
self.Triton.processing(Instruction(b"\x48\x89\xd8")) # mov rax, rbx
self.assertTrue(flag)
flag = False
self.Triton.clearCallbacks()
self.Triton.processing(Instruction(b"\x48\x89\xd8")) # mov rax, rbx
self.assertFalse(flag)
def test_backup(self):
"""
Check Symbolics value are saved when engine is disable.
* Also check reseting a disable symbolic engines doesn't crash.
"""
inst = Instruction()
# update RAX
inst.setOpcode("\x48\xFF\xC0")
self.Triton.processing(inst)
self.assertEqual(
self.Triton.getSymbolicRegisterValue(self.Triton.registers.rax), 1)
# This call triton::api.backupSymbolicEngine()
self.Triton.enableSymbolicEngine(False)
inst = Instruction()
# update RAX again
inst.setOpcode("\x48\xFF\xC0")
self.Triton.processing(inst)
self.assertEqual(
self.Triton.getConcreteRegisterValue(self.Triton.registers.rax), 2,
"concrete value is updated")
self.assertEqual(
self.Triton.getSymbolicRegisterValue(self.Triton.registers.rax), 1)
self.assertEqual(
self.Triton.getSymbolicRegisterValue(self.Triton.registers.rax), 1,
"Symbolic value is not update")
# Try to reset engine after a backup to test if the bug #385 is fixed.
self.Triton.resetEngines()
def test_constructor(self):
"""Check opcode informations."""
inst1 = Instruction()
inst2 = Instruction(b"\xc3")
inst3 = Instruction(0x1000, b"\xc3")
self.assertEqual(inst1.getOpcode(), b"")
self.assertEqual(inst1.getAddress(), 0)
self.assertEqual(inst2.getOpcode(), b"\xc3")
self.assertEqual(inst2.getAddress(), 0)
self.assertEqual(inst3.getOpcode(), b"\xc3")
self.assertEqual(inst3.getAddress(), 0x1000)
def test_trace(trace):
Triton.setArchitecture(ARCH.X86)
symbolization_init()
astCtxt = Triton.getAstContext()
for opcode in trace:
instruction = Instruction()
instruction.setOpcode(opcode)
Triton.processing(instruction)
print(instruction.getDisassembly())
if instruction.isBranch():
# Opaque Predicate AST
op_ast = Triton.getPathPredicate()
# Try another model
model = Triton.getModel(astCtxt.lnot(op_ast))
if model:
print("not an opaque predicate")
else:
if instruction.isConditionTaken():
print("opaque predicate: always taken")
else:
print("opaque predicate: never taken")
print('----------------------------------')
return
def emulate(pc):
count = 0
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
count += 1
#print instruction
if instruction.getType() == OPCODE.X86.HLT:
break
# Simulate routines
hookingHandler()
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
debug('Instruction executed: %d' % (count))
return
def emulate(pc):
print('[+] Starting emulation.')
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
print(instruction)
if instruction.getType() == OPCODE.X86.HLT:
break
# Simulate routines
hookingHandler()
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
print('[+] Emulation done.')
return
def trace(self, ip):
self.setup()
while True:
if len(self.instructions) > 1000:
break
op = idc.GetManyBytes(ip, idc.ItemSize(ip))
prev_esp = self.tx.buildSymbolicRegister(
self.tx.registers.esp).evaluate()
ins = Instruction()
ins.setOpcode(op)
ins.setAddress(ip)
self.tx.processing(ins)
ins_id = self.add_instruction(ins, prev_esp)
if self.debug:
reads = " ".join(
map(lambda x: x.getName(), self.get_side_reads(ins)))
writes = " ".join(
map(lambda x: x.getName(), self.get_side_writes(ins)))
mem_writes = " ".join(
map(lambda x: "%08x" % x.getAddress(),
self.get_side_mem_writes(ins)))
#print "%08x [%03d] %-30s %-20s %-20s %s" % (ip,ins_id,ins.getDisassembly(),reads,writes,self.instructions[-1]['state'])
print "%08x [%03d] %-40s %-30s %-30s (mem writes: %s)" % (
ip, ins_id, ins.getDisassembly(), reads, writes,
mem_writes)
next_ip = self.follow_flow()
if not next_ip:
break
ip = next_ip
good = self.extract_good()
print "Good instructions: %s" % sorted(good)
svar_lookup = dict()
num = 0
for i in sorted(good):
esp = ""
for op in self.instructions[i]['ins'].getOperands():
if op.getType() == OPERAND.MEM and op.getBaseRegister(
).getName() == "esp":
esp = "%08x" % op.getAddress()
line = "[%03d] %s" % (
i, self.instructions[i]['ins'].getDisassembly())
if esp:
line = re.sub(r"\[esp.*\]", "[%s]" % esp, line)
if int(esp, 16) not in svar_lookup:
svar_lookup[int(esp, 16)] = "svar%d" % num
num += 1
line = line.replace("[%s]" % esp,
"[%s]" % svar_lookup[int(esp, 16)])
print line
def emulate(Triton, pc):
global variables
global goodBranches
print '[+] Starting emulation.'
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
print instruction
# End of the CheckSolution() function
if pc == 0x4025E6:
break
if pc == 0x4025CC:
print '[+] Win'
break
if pc in goodBranches:
astCtxt = Triton.getAstContext()
# Slice expressions
rax = Triton.getSymbolicExpressionFromId(
Triton.getSymbolicRegisterId(Triton.registers.rax))
eax = astCtxt.extract(31, 0, rax.getAst())
# Define constraint
cstr = astCtxt.land([
Triton.getPathConstraintsAst(),
astCtxt.equal(eax, astCtxt.bv(goodBranches[pc], 32))
])
print '[+] Asking for a model, please wait...'
model = Triton.getModel(cstr)
# Save new state
for k, v in model.items():
print '[+]', v
variables[k] = v.getValue()
# Go deeper
del goodBranches[pc]
# Restart emulation with a good input.
Triton = initialize()
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
print '[+] Emulation done.'
return
def __emulate(self, pc: int, countBBlocks: bool):
targetAddressFound = False
currentBBlockAddr = pc # The basic block address that we started to analyze currently
numNewBasicBlocks = 0 # The number of new basic blocks found by this function (only if countBBlocks was activated)
newBasicBlocksFound = set()
basicBlocksPathFoundThisRun = []
def onBasicBlockFound(addr):
nonlocal numNewBasicBlocks
nonlocal newBasicBlocksFound
nonlocal basicBlocksPathFoundThisRun
basicBlocksPathFoundThisRun.append(addr)
# Is this a new basic block ?
if addr not in self.allBlocksFound:
numNewBasicBlocks += 1
newBasicBlocksFound.add(addr)
self.allBlocksFound.add(addr)
onBasicBlockFound(currentBBlockAddr)
logging.info('[+] Starting emulation.')
while pc and (pc >= self.codeSection_begin
and pc <= self.codeSection_end):
# Fetch opcode
opcode = self.context.getConcreteMemoryAreaValue(pc, 16)
# Create the ctx instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
self.context.processing(instruction)
logging.info(instruction)
# Next
prevpc = pc
pc = self.context.getConcreteRegisterValue(
self.context.registers.rip)
if instruction.isControlFlow():
currentBBlockAddr = pc
onBasicBlockFound(currentBBlockAddr)
logging.info(
f"Instruction is control flow of type {instruction.getType()}. Addr of the new Basic block {hex(currentBBlockAddr)}"
)
if self.TARGET_TO_REACH is not None and pc == self.TARGET_TO_REACH:
targetAddressFound = True
logging.info('[+] Emulation done.')
if countBBlocks:
logging.info(
f'===== New basic blocks found: {[hex(intBlock) for intBlock in newBasicBlocksFound]}'
)
if basicBlocksPathFoundThisRun[-1] == 0: # ret instruction
basicBlocksPathFoundThisRun = basicBlocksPathFoundThisRun[:-1]
return targetAddressFound, numNewBasicBlocks, basicBlocksPathFoundThisRun
def setUp(self):
"""Define the arch."""
self.ctx = TritonContext()
self.ctx.setArchitecture(ARCH.X86_64)
self.inst1 = Instruction("\x48\x31\xd8") # xor rax, rbx
self.ctx.setConcreteRegisterValue(self.ctx.registers.al, 0x10)
self.ctx.setConcreteRegisterValue(self.ctx.registers.bl, 0x55)
self.inst2 = Instruction("\x48\x89\x03") # mov [rbx], rax
self.ctx.processing(self.inst1)
self.ctx.processing(self.inst2)
self.expr1 = self.inst1.getSymbolicExpressions()[0]
self.expr2 = self.inst2.getSymbolicExpressions()[8]
def emulate(Triton, pc):
count = 0
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
count += 1
print("Emulating %s" % (instruction))
#print instruction
if instruction.getType() == OPCODE.X86.RET:
break
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.eip)
print('Instructions executed: %d' % (count))
return
def emulate(pc, w):
while pc:
#print 'pc1',pc
opcodes = Triton.getConcreteMemoryAreaValue(pc, 16)
#print 'opcodes',opcodes
instruction = Instruction()
instruction.setOpcode(opcodes)
instruction.setAddress(pc)
Triton.processing(instruction)
#pc = hex(eip.evaluate())
pc = Triton.getConcreteRegisterValue(Triton.registers.eip)
if sys.argv[3].startswith("0x"):
target = int(sys.argv[3][2:], 16)
#print 'target',target
i = 1
if pc == target:
print '==================Address found with following seeds============='
for address, value in seed.items():
if (address == 1879048195):
print 'argc ', value
else:
x = address - 22528
y = int(x / 100)
z = int(x % 100)
print 'argv[', y, '][', z, '] ', value
i = i + 1
w = 11
break
return w
def emulate(self, pc):
"""
Emulate every opcode from pc.
Process instruction until the end
"""
while pc:
# Fetch opcode
opcode = self.Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
ret = self.Triton.processing(instruction)
if instruction.getType() == OPCODE.HLT:
break
self.assertTrue(ret)
self.assertTrue(checkAstIntegrity(instruction))
# Simulate routines
self.hooking_handler()
# Next
pc = self.Triton.getConcreteRegisterValue(self.Triton.registers.rip)
return
def test_get_concrete_memory_value(self):
global flag
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
flag = False
self.Triton.addCallback(self.cb_flag, CALLBACK.GET_CONCRETE_MEMORY_VALUE)
# movabs rax, qword ptr [0x1000]
self.Triton.processing(Instruction("\x48\xa1\x00\x10\x00\x00\x00\x00\x00\x00"))
self.assertTrue(flag)
flag = False
self.Triton.removeCallback(self.cb_flag, CALLBACK.GET_CONCRETE_MEMORY_VALUE)
# movabs rax, qword ptr [0x1000]
self.Triton.processing(Instruction("\x48\xa1\x00\x10\x00\x00\x00\x00\x00\x00"))
self.assertFalse(flag)
def emulate(ctx, pc):
targetFound = False
astCtxt = ctx.getAstContext()
logging.info('[+] Starting emulation.')
while pc:
# Fetch opcode
opcode = ctx.getConcreteMemoryAreaValue(pc, 16)
# Create the ctx instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
ctx.processing(instruction)
logging.info(instruction)
# Next
pc = ctx.getConcreteRegisterValue(ctx.registers.rip)
if TARGET_TO_REACH is not None and pc == TARGET_TO_REACH:
targetFound = True
logging.info('[+] Emulation done.')
return targetFound
def test_1(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.setMode(MODE.ONLY_ON_TAINTED, False)
self.assertEqual(ctx.isModeEnabled(MODE.ONLY_ON_TAINTED), False)
inst = Instruction(b"\x48\x89\xc3") # mov rbx, rax
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 2)
ctx.setMode(MODE.ONLY_ON_TAINTED, True)
self.assertEqual(ctx.isModeEnabled(MODE.ONLY_ON_TAINTED), True)
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getSymbolicExpressions()), 0)
self.assertEqual(len(inst.getReadRegisters()), 0)
self.assertEqual(len(inst.getReadImmediates()), 0)
self.assertEqual(len(inst.getWrittenRegisters()), 0)
self.assertEqual(len(inst.getLoadAccess()), 0)
self.assertEqual(len(inst.getStoreAccess()), 0)
def emulate(Triton, pc):
global variables
global goodBranches
print('[+] Starting emulation.')
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
print(instruction)
# End of the CheckSolution() function
if pc == 0x4025E6:
break
if pc == 0x4025CC:
print('[+] Win')
break
if pc in goodBranches:
astCtxt = Triton.getAstContext()
# Slice expressions
rax = Triton.getSymbolicRegister(Triton.registers.rax)
eax = astCtxt.extract(31, 0, rax.getAst())
# Push a new constraint to the current path predicate
Triton.pushPathConstraint(eax == goodBranches[pc])
# Solve the path predicate
cstr = Triton.getPathPredicate()
print('[+] Asking for a model, please wait...')
model = Triton.getModel(cstr)
# Save new state
for k, v in list(model.items()):
print('[+]', v)
variables[k] = v.getValue()
# Go deeper
del goodBranches[pc]
# Restart emulation with a good input.
Triton = initialize()
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
print('[+] Emulation done.')
return
def test_pop_esp(self):
"""Check pop on esp processing."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86)
# mov esp, 0x19fe00
inst1 = Instruction(b'\xBC\x00\xFE\x19\x00')
# mov dword ptr [esp], 0x11111111
inst2 = Instruction(b'\xC7\x04\x24\x11\x11\x11\x11')
# pop dword ptr [esp]
inst3 = Instruction(b'\x8F\x04\x24')
self.Triton.processing(inst1)
self.Triton.processing(inst2)
self.Triton.processing(inst3)
self.assertEqual(inst3.getOperands()[0].getAddress(), 0x19fe04, "esp has been poped")
self.assertEqual(inst3.getStoreAccess()[0][0].getAddress(), 0x19fe04, "inst3 set the value in 0x19fe04")
self.assertEqual(inst3.getStoreAccess()[0][1].evaluate(), 0x11111111, "And this value is 0x11111111")
def setUp(self):
"""Define and process the instruction to test."""
setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcodes("\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.inst.updateContext(Register(REG.RAX, 0x1122334455667788))
self.inst.updateContext(Register(REG.RBX, 0x8877665544332211))
processing(self.inst)
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode(b"\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
def test_emulate(self, concretize=False):
"""Run a dumped simulation and check output registers."""
# Get dumped data
dump = os.path.join(os.path.dirname(__file__), "misc", "emu_1.dump")
with open(dump) as f:
regs, mems = eval(f.read())
# Load memory
for mem in mems:
start = mem['start']
if mem['memory'] is not None:
self.Triton.setConcreteMemoryAreaValue(
start, bytearray(mem['memory']))
# self.Triton.setup registers
for reg_name in ("rax", "rbx", "rcx", "rdx", "rdi", "rsi", "rbp",
"rsp", "rip", "r8", "r9", "r10", "r11", "r12", "r13",
"r14", "eflags", "xmm0", "xmm1", "xmm2", "xmm3",
"xmm4", "xmm5", "xmm6", "xmm7", "xmm8", "xmm9",
"xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15"):
self.Triton.setConcreteRegisterValue(
self.Triton.getRegister(getattr(REG.X86_64, reg_name.upper())),
regs[reg_name])
# run the code
pc = self.Triton.getConcreteRegisterValue(self.Triton.registers.rip)
while pc != 0x409A18:
opcode = self.Triton.getConcreteMemoryAreaValue(pc, 20)
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Check if triton doesn't supports this instruction
self.assertTrue(self.Triton.processing(instruction))
self.assertTrue(checkAstIntegrity(instruction))
pc = self.Triton.getConcreteRegisterValue(
self.Triton.registers.rip)
if concretize:
self.Triton.concretizeAllMemory()
self.Triton.concretizeAllRegister()
rax = self.Triton.getConcreteRegisterValue(self.Triton.registers.rax)
rbx = self.Triton.getConcreteRegisterValue(self.Triton.registers.rbx)
rcx = self.Triton.getConcreteRegisterValue(self.Triton.registers.rcx)
rdx = self.Triton.getConcreteRegisterValue(self.Triton.registers.rdx)
rsi = self.Triton.getConcreteRegisterValue(self.Triton.registers.rsi)
self.assertEqual(rax, 0)
self.assertEqual(rbx, 0)
self.assertEqual(rcx, 0)
self.assertEqual(rdx, 0x4d2)
self.assertEqual(rsi, 0x3669000000000000)
def test_load_ds(self):
"""Check load from ds segment."""
setArchitecture(ARCH.X86)
inst = Instruction()
# mov ax, ds:word_40213C
inst.setOpcodes("\x66\xA1\x3C\x21\x40\x00")
processing(inst)
self.assertEqual(inst.getOperands()[1].getAddress(), 0x40213C)
self.assertEqual(inst.getOperands()[1].getBitSize(), 16)
def test_known_issues(self):
"""Check tainting result after processing."""
setArchitecture(ARCH.X86)
taintRegister(REG.EAX)
inst = Instruction()
# lea eax,[esi+eax*1]
inst.setOpcodes("\x8D\x04\x06")
processing(inst)
self.assertTrue(isRegisterTainted(REG.EAX))
self.assertFalse(isRegisterTainted(REG.EBX))
def test_3(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
inst = Instruction(b"\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 2)
self.assertEqual(len(inst.getLoadAccess()), 1)
self.assertEqual(len(inst.getStoreAccess()), 0)
def test_7(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ONLY_ON_SYMBOLIZED, True)
ctx.setConcreteRegisterValue(ctx.registers.rax, 0x1337)
inst = Instruction(b"\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(inst.getOperands()[1].getAddress(), 0x1337)
self.assertIsNone(inst.getOperands()[1].getLeaAst())
def emulate(Triton, pc):
count = 0
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
count += 1
# Handle nested memory reads
if instruction.isMemoryRead():
memory_access, read__memory_ast_node = instruction.getLoadAccess()[0]
read_register, read_register_ast_node = instruction.getReadRegisters()[0]
written_register, write_register_ast_node = instruction.getWrittenRegisters()[0]
if read_register.getName() != "unknown":
expression = read_register_ast_node.getSymbolicExpression()
expression_ast = expression.getAst()
#import pdb
#pdb.set_trace()
if expression_ast.getType() == AST_NODE.VARIABLE:
variable = expression_ast.getSymbolicVariable()
alias = variable.getAlias()
displacement = memory_access.getDisplacement().getValue()
newalias = "(%s)[0x%x]" % (alias, displacement)
#newalias = "(%s)[0]" % alias
Triton.symbolizeRegister(written_register, newalias)
elif expression_ast.getType() == AST_NODE.CONCAT:
import pdb
pdb.set_trace()
pass
else:
import pdb
pdb.set_trace()
raise Exception("Unexpected ast node")
print("Emulating %s" % (instruction))
#print instruction
if instruction.getType() == OPCODE.X86.RET:
break
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.eip)
print('Instructions executed: %d' %(count))
return
def test_pop(self):
"""Check the pop instruction processing."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86)
# mov esp, 0x19fe00
inst1 = Instruction(b'\xBC\x00\xFE\x19\x00')
# mov edi, 0x19fe00
inst2 = Instruction(b'\xBF\x00\xFE\x19\x00')
# mov dword ptr [esp], 0x11111111
inst3 = Instruction(b'\xC7\x04\x24\x11\x11\x11\x11')
# pop dword ptr [edi]
inst4 = Instruction(b'\x8F\x07')
self.Triton.processing(inst1)
self.Triton.processing(inst2)
self.Triton.processing(inst3)
self.Triton.processing(inst4)
self.assertEqual(inst4.getOperands()[0].getAddress(), 0x19fe00, "poping edi doesn't change it")
self.assertEqual(inst4.getStoreAccess()[0][0].getAddress(), 0x19fe00, "inst4 store the new value in 0x19fe00 (edi value)")
self.assertEqual(inst4.getStoreAccess()[0][1].evaluate(), 0x11111111, "The stored value is 0x11111111")
def __raise():
debug('raise hooked')
# Get arguments
signal = Triton.getConcreteRegisterValue(Triton.registers.rdi)
handler = sigHandlers[signal]
Triton.processing(Instruction(b"\x6A\x00")) # push 0
emulate(handler)
# Return value
return 0
def test_known_issues(self):
"""Check tainting result after processing."""
Triton = TritonContext()
Triton.setArchitecture(ARCH.X86)
Triton.taintRegister(Triton.registers.eax)
inst = Instruction()
# lea eax,[esi+eax*1]
inst.setOpcode(b"\x8D\x04\x06")
Triton.processing(inst)
self.assertTrue(Triton.isRegisterTainted(Triton.registers.eax))
self.assertFalse(Triton.isRegisterTainted(Triton.registers.ebx))
def test_4(self):
ctx = TritonContext()
ctx.setArchitecture(ARCH.X86_64)
ctx.enableMode(MODE.ONLY_ON_SYMBOLIZED, True)
ctx.convertRegisterToSymbolicVariable(ctx.registers.rax)
inst = Instruction(b"\x48\x8b\x18") # mov rbx, qword ptr [rax]
self.assertTrue(ctx.processing(inst))
self.assertTrue(checkAstIntegrity(inst))
self.assertEqual(len(inst.getReadRegisters()), 1)
self.assertEqual(len(inst.getWrittenRegisters()), 0)
self.assertEqual(len(inst.getLoadAccess()), 0)
self.assertEqual(len(inst.getStoreAccess()), 0)
