def main():
buf = assemble_text(test_code, [("L_MAIN", 0)])
mdis = dis_engine(buf)
disasm = mdis.dis_multibloc(0)
ir = ir_a_x86_64(mdis.symbol_pool)
for bbl in disasm:
ir.add_bloc(bbl)
symbols_init = {}
for i, r in enumerate(all_regs_ids):
symbols_init[r] = all_regs_ids_init[i]
conds = find_goal(ir, 0, symbols_init, rax_is_one)
if conds == None:
print "Goal was not found"
sys.exit(-1)
solver = z3.Solver()
for lval, rval in conds:
z3_cond = Translator.to_language("z3").from_expr(lval)
solver.add(z3_cond == int(rval.arg))
rslt = solver.check()
if rslt == z3.sat:
m = solver.model()
for var in m:
print "%s: %d" % (var.name(), m[var].as_long())
else:
print "No solution"
sys.exit(-1)
def main():
buf = assemble_text(test_code, [("L_MAIN", 0)])
mdis = dis_engine(buf)
disasm = mdis.dis_multibloc(0)
ir = ir_a_x86_64(mdis.symbol_pool)
for bbl in disasm:
ir.add_bloc(bbl)
symbols_init = {}
for i, r in enumerate(all_regs_ids):
symbols_init[r] = all_regs_ids_init[i]
conds = find_goal(ir, 0, symbols_init, rax_is_one)
if conds == None:
print "Goal was not found"
sys.exit(-1)
solver = z3.Solver()
for lval, rval in conds:
z3_cond = Translator.to_language("z3").from_expr(lval)
solver.add(z3_cond == int(rval.arg))
rslt = solver.check()
if rslt == z3.sat:
m = solver.model()
for var in m:
print "%s: %d" % (var.name(), m[var].as_long())
else:
print "No solution"
sys.exit(-1)
def test_ExprSlice_strcst(self):
from miasm2.expression.expression import ExprInt, ExprOp
from miasm2.ir.translators.translator import Translator
translator_smt2 = Translator.to_language("smt2")
args = [ExprInt(i, 32) for i in xrange(9)]
self.assertEqual(translator_smt2.from_expr(args[0][1:2]),
r'((_ extract 1 1) (_ bv0 32))')
self.assertRaises(ValueError, args[0].__getitem__, slice(1, 7, 2))
def test_ExprOp_strcst(self):
from miasm2.expression.expression import ExprInt, ExprOp
from miasm2.ir.translators.translator import Translator
translator_smt2 = Translator.to_language("smt2")
args = [ExprInt(i, 32) for i in xrange(9)]
self.assertEqual(translator_smt2.from_expr(ExprOp('|', *args[:2])),
r'(bvor (_ bv0 32) (_ bv1 32))')
self.assertEqual(translator_smt2.from_expr(ExprOp('-', *args[:2])),
r'(bvsub (_ bv0 32) (_ bv1 32))')
self.assertEqual(translator_smt2.from_expr(ExprOp('+', *args[:3])),
r'(bvadd (bvadd (_ bv0 32) (_ bv1 32)) (_ bv2 32))')
self.assertRaises(NotImplementedError, translator_smt2.from_expr,
ExprOp('X', *args[:1]))
tuple(list(conds) + cond_group_b.items())))
elif addr == ret_addr:
print 'Return address reached'
continue
elif addr.is_int():
addr = int(addr.arg)
states_todo.add((addr, symbexec.symbols.copy(), tuple(conds)))
elif addr.is_loc():
states_todo.add((addr, symbexec.symbols.copy(), tuple(conds)))
else:
raise ValueError("Unsupported destination")
if __name__ == '__main__':
translator_smt2 = Translator.to_language("smt2")
addr = int(options.address, 16)
cont = Container.from_stream(open(args[0]))
mdis = machine.dis_engine(cont.bin_stream, loc_db=cont.loc_db)
ir_arch = machine.ir(mdis.loc_db)
ircfg = ir_arch.new_ircfg()
symbexec = SymbolicExecutionEngine(ir_arch)
asmcfg, loc_db = parse_asm.parse_txt(machine.mn,
32,
'''
init:
PUSH argv
PUSH argc
mem.get(eax, 32),
# @16[EAX+2] . @16[EAX]
z3.Concat(mem.get(eax + 2, 16), mem.get(eax, 16)))
# --------------------------------------------------------------------------
ax = z3.BitVec('AX', 16)
assert not equiv(
# @16[EAX] with EAX = ZeroExtend(AX)
mem.get(z3.ZeroExt(16, ax), 16),
# @16[AX]
mem.get(ax, 16))
# TranslatorZ3 tests
# --------------------------------------------------------------------------
e = ExprId('x', 32)
ez3 = Translator.to_language('z3').from_expr(e)
z3_e = z3.BitVec('x', 32)
assert equiv(ez3, z3_e)
# --------------------------------------------------------------------------
four = ExprInt(4, 32)
five = ExprInt(5, 32)
e2 = (e + five + four) * five
ez3 = Translator.to_language('z3').from_expr(e2)
z3_four = z3.BitVecVal(4, 32)
z3_five = z3.BitVecVal(5, 32)
z3_e2 = (z3_e + z3_five + z3_four) * z3_five
assert equiv(ez3, z3_e2)
# @16[EAX+2] . @16[EAX]
z3.Concat(mem.get(eax+2, 16),
mem.get(eax, 16)))
# --------------------------------------------------------------------------
ax = z3.BitVec('AX', 16)
assert not equiv(
# @16[EAX] with EAX = ZeroExtend(AX)
mem.get(z3.ZeroExt(16, ax), 16),
# @16[AX]
mem.get(ax, 16))
# TranslatorZ3 tests
# --------------------------------------------------------------------------
e = ExprId('x', 32)
ez3 = Translator.to_language('z3').from_expr(e)
z3_e = z3.BitVec('x', 32)
assert equiv(ez3, z3_e)
# --------------------------------------------------------------------------
four = ExprInt(4, 32)
five = ExprInt(5, 32)
e2 = (e + five + four) * five
ez3 = Translator.to_language('z3').from_expr(e2)
z3_four = z3.BitVecVal(4, 32)
z3_five = z3.BitVecVal(5, 32)
z3_e2 = (z3_e + z3_five + z3_four) * z3_five
assert equiv(ez3, z3_e2)
states_todo.add((addr_b, symbexec.symbols.copy(), tuple(list(conds) + cond_group_b.items())))
elif addr == ret_addr:
print 'Return address reached'
continue
elif addr.is_int():
addr = int(addr.arg)
states_todo.add((addr, symbexec.symbols.copy(), tuple(conds)))
elif addr.is_loc():
states_todo.add((addr, symbexec.symbols.copy(), tuple(conds)))
else:
raise ValueError("Unsupported destination")
if __name__ == '__main__':
translator_smt2 = Translator.to_language("smt2")
data = open(args[0]).read()
bs = bin_stream_str(data)
mdis = dis_engine(bs)
addr = int(options.address, 16)
ir_arch = machine.ir(mdis.loc_db)
ircfg = ir_arch.new_ircfg()
symbexec = SymbolicExecutionEngine(ir_arch)
asmcfg, loc_db = parse_asm.parse_txt(machine.mn, 32, '''
init:
PUSH argv
mem.get(eax, 32),
# @16[EAX+2] . @16[EAX]
z3.Concat(mem.get(eax + 2, 16), mem.get(eax, 16)))
# --------------------------------------------------------------------------
ax = z3.BitVec('AX', 16)
assert not equiv(
# @16[EAX] with EAX = ZeroExtend(AX)
mem.get(z3.ZeroExt(16, ax), 16),
# @16[AX]
mem.get(ax, 16))
# TranslatorZ3 tests
# --------------------------------------------------------------------------
e = ExprId('x', 32)
ez3 = Translator.to_language('z3').from_expr(e)
z3_e = z3.BitVec('x', 32)
assert equiv(ez3, z3_e)
# --------------------------------------------------------------------------
four = ExprInt32(4)
five = ExprInt32(5)
e2 = (e + five + four) * five
ez3 = Translator.to_language('z3').from_expr(e2)
z3_four = z3.BitVecVal(4, 32)
z3_five = z3.BitVecVal(5, 32)
z3_e2 = (z3_e + z3_five + z3_four) * z3_five
assert equiv(ez3, z3_e2)
mem.get(eax, 32),
# @16[EAX+2] . @16[EAX]
z3.Concat(mem.get(eax + 2, 16), mem.get(eax, 16)))
# --------------------------------------------------------------------------
ax = z3.BitVec('AX', 16)
assert not equiv(
# @16[EAX] with EAX = ZeroExtend(AX)
mem.get(z3.ZeroExt(16, ax), 16),
# @16[AX]
mem.get(ax, 16))
# TranslatorZ3 tests
# --------------------------------------------------------------------------
e = ExprId('x', 32)
ez3 = Translator.to_language('z3').from_expr(e)
z3_e = z3.BitVec('x', 32)
assert equiv(ez3, z3_e)
# --------------------------------------------------------------------------
four = ExprInt32(4)
five = ExprInt32(5)
e2 = (e + five + four) * five
ez3 = Translator.to_language('z3').from_expr(e2)
z3_four = z3.BitVecVal(4, 32)
z3_five = z3.BitVecVal(5, 32)
z3_e2 = (z3_e + z3_five + z3_four) * z3_five
assert equiv(ez3, z3_e2)
# @16[EAX+2] . @16[EAX]
z3.Concat(mem.get(eax+2, 16),
mem.get(eax, 16)))
# --------------------------------------------------------------------------
ax = z3.BitVec('AX', 16)
assert not equiv(
# @16[EAX] with EAX = ZeroExtend(AX)
mem.get(z3.ZeroExt(16, ax), 16),
# @16[AX]
mem.get(ax, 16))
# TranslatorZ3 tests
# --------------------------------------------------------------------------
e = ExprId('x', 32)
ez3 = Translator.to_language('z3').from_expr(e)
z3_e = z3.BitVec('x', 32)
assert equiv(ez3, z3_e)
# --------------------------------------------------------------------------
four = ExprInt32(4)
five = ExprInt32(5)
e2 = (e + five + four) * five
ez3 = Translator.to_language('z3').from_expr(e2)
z3_four = z3.BitVecVal(4, 32)
z3_five = z3.BitVecVal(5, 32)
z3_e2 = (z3_e + z3_five + z3_four) * z3_five
assert equiv(ez3, z3_e2)
# @16[EAX+2] . @16[EAX]
z3.Concat(mem.get(eax+2, 16),
mem.get(eax, 16)))
# --------------------------------------------------------------------------
ax = z3.BitVec('AX', 16)
assert not equiv(
# @16[EAX] with EAX = ZeroExtend(AX)
mem.get(z3.ZeroExt(16, ax), 16),
# @16[AX]
mem.get(ax, 16))
# TranslatorZ3 tests
# --------------------------------------------------------------------------
e = ExprId('x', 32)
ez3 = Translator.to_language('z3').from_expr(e)
z3_e = z3.BitVec('x', 32)
assert equiv(ez3, z3_e)
# --------------------------------------------------------------------------
four = ExprInt32(4)
five = ExprInt32(5)
e2 = (e + five + four) * five
ez3 = Translator.to_language('z3').from_expr(e2)
z3_four = z3.BitVecVal(4, 32)
z3_five = z3.BitVecVal(5, 32)
z3_e2 = (z3_e + z3_five + z3_four) * z3_five
assert equiv(ez3, z3_e2)