def __emulate(self, pc: int, countBBlocks: bool):
targetAddressFound = False
currentBBlockAddr = pc # The basic block address that we started to analyze currently
numNewBasicBlocks = 0 # The number of new basic blocks found by this function (only if countBBlocks was activated)
newBasicBlocksFound = set()
basicBlocksPathFoundThisRun = []
def onBasicBlockFound(addr):
nonlocal numNewBasicBlocks
nonlocal newBasicBlocksFound
nonlocal basicBlocksPathFoundThisRun
basicBlocksPathFoundThisRun.append(addr)
# Is this a new basic block ?
if addr not in self.allBlocksFound:
numNewBasicBlocks += 1
newBasicBlocksFound.add(addr)
self.allBlocksFound.add(addr)
onBasicBlockFound(currentBBlockAddr)
logging.info('[+] Starting emulation.')
while pc and (pc >= self.codeSection_begin
and pc <= self.codeSection_end):
# Fetch opcode
opcode = self.context.getConcreteMemoryAreaValue(pc, 16)
# Create the ctx instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
self.context.processing(instruction)
logging.info(instruction)
# Next
prevpc = pc
pc = self.context.getConcreteRegisterValue(
self.context.registers.rip)
if instruction.isControlFlow():
currentBBlockAddr = pc
onBasicBlockFound(currentBBlockAddr)
logging.info(
f"Instruction is control flow of type {instruction.getType()}. Addr of the new Basic block {hex(currentBBlockAddr)}"
)
if self.TARGET_TO_REACH is not None and pc == self.TARGET_TO_REACH:
targetAddressFound = True
logging.info('[+] Emulation done.')
if countBBlocks:
logging.info(
f'===== New basic blocks found: {[hex(intBlock) for intBlock in newBasicBlocksFound]}'
)
if basicBlocksPathFoundThisRun[-1] == 0: # ret instruction
basicBlocksPathFoundThisRun = basicBlocksPathFoundThisRun[:-1]
return targetAddressFound, numNewBasicBlocks, basicBlocksPathFoundThisRun
def emulate(pc, index, y, targetadd):
Triton.concretizeAllRegister()
Triton.concretizeAllMemory()
flag = 0
Triton.setConcreteRegisterValue(Triton.registers.ebp, 0x6ffffffb)
Triton.setConcreteRegisterValue(Triton.registers.ebp, 0x6fffffff)
esp = Triton.buildSymbolicRegister(Triton.registers.ebp).evaluate()
address = 28
addressv = 200
Triton.setConcreteMemoryValue(esp + 12, address)
Triton.setConcreteMemoryValue(address, addressv)
for i in range(index + 1):
Triton.setConcreteMemoryValue(addressv, ord('S'))
addressv = addressv + 1
if (y == 1):
#strin= ""
for j in range(index):
print 'F'
#strin = strin+'F'
#print strin,hex(targetadd)
print hex(targetadd)
while pc:
opcodes = Triton.getConcreteMemoryAreaValue(pc, 16)
instruction = Instruction()
instruction.setOpcode(opcodes)
instruction.setAddress(pc)
Triton.processing(instruction)
if (instruction.isControlFlow()):
flag = flag + 1
if instruction.getType() == OPCODE.INT:
pc = instruction.getNextAddress()
y = Triton.buildSymbolicRegister(Triton.registers.eax).evaluate()
if y == 1:
break
continue
pc = Triton.buildSymbolicRegister(Triton.registers.eip).evaluate()
if (pc == 28):
return 5
return 1
class TestInstruction(unittest.TestCase):
"""Testing the Instruction class."""
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode("\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
def test_address(self):
"""Check instruction current and next address."""
self.assertEqual(self.inst.getAddress(), 0x400000)
self.assertEqual(self.inst.getNextAddress(), 0x400003)
def test_memory(self):
"""Check memory access."""
self.assertListEqual(self.inst.getLoadAccess(), [])
self.assertListEqual(self.inst.getStoreAccess(), [])
self.assertFalse(self.inst.isMemoryWrite())
self.assertFalse(self.inst.isMemoryRead())
def test_registers(self):
"""Check register access."""
self.assertEqual(len(self.inst.getReadRegisters()), 2, "access RAX and RBX")
self.assertEqual(len(self.inst.getWrittenRegisters()), 8, "write in RAX, RIP, AF, XF, OF, PF, SF and ZF")
def test_taints(self):
"""Check taints attributes."""
self.assertFalse(self.inst.isTainted())
def test_prefix(self):
"""Check prefix data."""
self.assertFalse(self.inst.isPrefixed())
self.assertEqual(self.inst.getPrefix(), PREFIX.INVALID)
def test_control_flow(self):
"""Check control flow flags."""
self.assertFalse(self.inst.isControlFlow(), "It is not a jmp, ret or call")
self.assertFalse(self.inst.isBranch(), "It is not a jmp")
def test_condition(self):
"""Check condition flags."""
self.assertFalse(self.inst.isConditionTaken())
def test_opcode(self):
"""Check opcode informations."""
self.assertEqual(self.inst.getOpcode(), "\x48\x01\xd8")
self.assertEqual(self.inst.getType(), OPCODE.ADD)
def test_thread(self):
"""Check threads information."""
self.assertEqual(self.inst.getThreadId(), 0)
def test_operand(self):
"""Check operand information."""
self.assertEqual(len(self.inst.getOperands()), 2)
self.assertEqual(self.inst.getOperands()[0].getName(), "rax")
self.assertEqual(self.inst.getOperands()[1].getName(), "rbx")
with self.assertRaises(Exception):
self.inst.getOperands()[2]
def test_symbolic(self):
"""Check symbolic information."""
self.assertEqual(len(self.inst.getSymbolicExpressions()), 8)
def test_size(self):
"""Check size information."""
self.assertEqual(self.inst.getSize(), 3)
def test_disassembly(self):
"""Check disassembly equivalent."""
self.assertEqual(self.inst.getDisassembly(), "add rax, rbx")
class TestInstruction(unittest.TestCase):
"""Testing the Instruction class."""
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode(b"\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
def test_address(self):
"""Check instruction current and next address."""
self.assertEqual(self.inst.getAddress(), 0x400000)
self.assertEqual(self.inst.getNextAddress(), 0x400003)
inst = Instruction()
inst.setAddress(-1)
self.assertEqual(inst.getAddress(), 0xffffffffffffffff)
inst.setAddress(-2)
self.assertEqual(inst.getAddress(), 0xfffffffffffffffe)
inst.setAddress(-3)
self.assertEqual(inst.getAddress(), 0xfffffffffffffffd)
def test_memory(self):
"""Check memory access."""
self.assertListEqual(self.inst.getLoadAccess(), [])
self.assertListEqual(self.inst.getStoreAccess(), [])
self.assertFalse(self.inst.isMemoryWrite())
self.assertFalse(self.inst.isMemoryRead())
def test_registers(self):
"""Check register access."""
self.assertEqual(len(self.inst.getReadRegisters()), 2, "access RAX and RBX")
self.assertEqual(len(self.inst.getWrittenRegisters()), 8, "write in RAX, RIP, AF, XF, OF, PF, SF and ZF")
def test_taints(self):
"""Check taints attributes."""
self.assertFalse(self.inst.isTainted())
def test_prefix(self):
"""Check prefix data."""
self.assertFalse(self.inst.isPrefixed())
self.assertEqual(self.inst.getPrefix(), PREFIX.X86.INVALID)
def test_control_flow(self):
"""Check control flow flags."""
self.assertFalse(self.inst.isControlFlow(), "It is not a jmp, ret or call")
self.assertFalse(self.inst.isBranch(), "It is not a jmp")
def test_condition(self):
"""Check condition flags."""
self.assertFalse(self.inst.isConditionTaken())
def test_opcode(self):
"""Check opcode informations."""
self.assertEqual(self.inst.getOpcode(), b"\x48\x01\xd8")
self.assertEqual(self.inst.getType(), OPCODE.X86.ADD)
def test_thread(self):
"""Check threads information."""
self.assertEqual(self.inst.getThreadId(), 0)
def test_operand(self):
"""Check operand information."""
self.assertEqual(len(self.inst.getOperands()), 2)
self.assertEqual(self.inst.getOperands()[0].getName(), "rax")
self.assertEqual(self.inst.getOperands()[1].getName(), "rbx")
with self.assertRaises(Exception):
self.inst.getOperands()[2]
def test_symbolic(self):
"""Check symbolic information."""
self.assertEqual(len(self.inst.getSymbolicExpressions()), 8)
def test_size(self):
"""Check size information."""
self.assertEqual(self.inst.getSize(), 3)
def test_disassembly(self):
"""Check disassembly equivalent."""
self.assertEqual(self.inst.getDisassembly(), "add rax, rbx")
def emulate(pc, index, y, targetadd):
Triton.concretizeAllRegister()
Triton.concretizeAllMemory()
x = 0
#Triton.buildSymbolicRegister(Triton.registers.eax).evaluate()
Triton.setConcreteRegisterValue(Triton.registers.ebp, 0x6ffffffb)
Triton.setConcreteRegisterValue(Triton.registers.ebp, 0x6fffffff)
esp = Triton.buildSymbolicRegister(Triton.registers.ebp).evaluate()
address = 28
addressv = 234
Triton.setConcreteMemoryValue(esp + 12, address)
Triton.setConcreteMemoryValue(address, addressv)
#Triton.setConcreteMemoryAreaValue(address,CPUSIZE.WORD,addressv)
#print 'index',index
for i in range(index + 1):
#index=index-1
Triton.setConcreteMemoryValue(addressv, ord('A'))
#print 'A'
addressv = addressv + 1
if (y == 1):
print 'This Input its is going to given/invalid address'
strin = ""
for j in range(index):
strin = strin + 'A'
print strin, hex(targetadd) #, type(targetadd)
#Triton.setConcreteMemoryValue(MemoryAccess(addressv,CPUSIZE.DWORD),targetadd)
#inte = int(targetadd[2:3])
#print unichr(inte)
#+ targetadd[0]+targetadd[1]+targetadd[2]+targetadd[3]+targetadd[4]+targetadd[5]+targetadd[6]
#Triton.setConcreteMemoryAreaValue(address,CPUSIZE.WORD,addressv)
while pc:
# Fetch opcodes
opcodes = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcodes)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
#print instruction
if (instruction.isControlFlow()):
x = x + 1
if instruction.getType() == OPCODE.INT:
pc = instruction.getNextAddress()
y = Triton.buildSymbolicRegister(Triton.registers.eax).evaluate()
#y = getConcreteRegisterValue(REG.EAX)
if y == 1:
break
continue
# Next
pc = Triton.buildSymbolicRegister(Triton.registers.eip).evaluate()
#print pc
if (pc == 28):
#print "reached"
return 5
#print 'The number of control transfer instructions are :'
#print x
return 1