def memoryCaching(mem):
    """Triton GET_CONCRETE_MEMORY_VALUE callback: page memory in on first touch.

    When Triton needs a concrete value for a range it has not mapped yet, the
    bytes are pulled from the debugger-side memory solver, written into
    Triton's concrete memory, and appended to the module-level ``cache`` so a
    later reset can restore the same snapshot.  Already-mapped ranges are left
    untouched so emulated writes are not clobbered by stale debugger memory.

    Args:
        mem: Triton MemoryAccess describing the address and size being read.
    """
    start = mem.getAddress()
    length = mem.getSize()
    if triton.isMemoryMapped(start):
        return
    raw = pimp.memoryCaching.memsolver.read_mem(start, length)
    triton.setConcreteMemoryAreaValue(start, bytearray(raw))
    # Keep an independent copy in the cache; the entry is what reset() replays.
    cache.append({"start": start, "data": bytearray(raw)})
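def cmd_reset(p, a):
    """Refresh every cached memory region from the live r2 session.

    Each region recorded in the module-level ``cache`` is re-read through
    ``p.r2p.read_mem`` (same start address and length), pushed into Triton's
    concrete memory, and ``cache`` is rebound to a freshly built list holding
    the new contents.

    Args:
        p: plugin object exposing an r2pipe wrapper as ``p.r2p``.
        a: command arguments; unused, kept for the command-handler signature.
    """
    global cache
    refreshed = []
    for region in cache:
        start = region["start"]
        length = len(region["data"])
        fresh = p.r2p.read_mem(start, length)
        triton.setConcreteMemoryAreaValue(start, bytearray(fresh))
        # Store a bytearray so cache entries have one uniform type whatever
        # read_mem returned (str / bytes / list), matching the entries the
        # memory-caching callback creates.
        refreshed.append({"start": start, "data": bytearray(fresh)})
    cache = refreshed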
def load_binary(self, filename):
    """Map the program segments of an ELF file into Triton's concrete memory.

    For every program header (no PT_LOAD filtering), the file-backed bytes
    (``p_filesz`` bytes starting at ``p_offset``) are copied to the header's
    virtual address.  Only the file-backed part is written; any ``p_memsz``
    tail beyond ``p_filesz`` (e.g. .bss) is not explicitly zeroed here.
    """
    elf = Elf(filename)
    image = elf.getRaw()
    for header in elf.getProgramHeaders():
        file_off = header.getOffset()
        file_len = header.getFilesz()
        load_addr = header.getVaddr()
        # Python slicing clamps to the buffer, so a header whose offset/size
        # point past the end of the file yields a short (possibly empty)
        # write rather than an exception.
        segment = image[file_off:file_off + file_len]
        setConcreteMemoryAreaValue(load_addr, segment)
def load_binary(self, filename):
    """Copy each ELF program segment's file bytes to its virtual address.

    Iterates all program headers (not just PT_LOAD) and writes the
    ``p_filesz`` bytes found at ``p_offset`` to ``p_vaddr`` in Triton's
    concrete memory.  The ``p_memsz - p_filesz`` remainder (.bss) is not
    zero-filled by this routine.
    """
    elf = Elf(filename)
    image = elf.getRaw()
    for header in elf.getProgramHeaders():
        begin = header.getOffset()
        end = begin + header.getFilesz()
        target = header.getVaddr()
        # Slicing never raises on out-of-range bounds, so a malformed header
        # produces a truncated write instead of an exception.
        setConcreteMemoryAreaValue(target, image[begin:end])
def test_emulate(self, concretize=False):
    """Replay the ``misc/emu_1.dump`` snapshot and check the final registers.

    The dump is a Python expression evaluating to ``(regs, mems)``: a dict of
    register values keyed by name and a list of ``{"start", "memory"}``
    regions.  Memory and registers are loaded into Triton, instructions are
    executed from RIP until the fixed stop address 0x409A18, and a handful of
    output registers are compared against known-good values.

    Args:
        concretize: if True, all memory and registers are concretized after
            every instruction.
    """
    dump_path = os.path.join(os.path.dirname(__file__), "misc", "emu_1.dump")
    # NOTE(review): eval() executes arbitrary code from the dump file.  This is
    # tolerable only because the fixture is checked-in test data; if dumps are
    # ever produced from untrusted sources, switch to ast.literal_eval.
    with open(dump_path) as fh:
        regs, mems = eval(fh.read())

    for region in mems:
        payload = region['memory']
        if payload is None:
            continue
        setConcreteMemoryAreaValue(region['start'], bytearray(payload))

    # Registers restored from the dump.  r15 is not in this list -- TODO
    # confirm whether the dump carries it.
    tracked = ("rax", "rbx", "rcx", "rdx", "rdi", "rsi", "rbp", "rsp", "rip",
               "r8", "r9", "r10", "r11", "r12", "r13", "r14", "eflags",
               "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
               "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14",
               "xmm15")
    for name in tracked:
        reg = Register(getattr(REG, name.upper()), regs[name])
        setConcreteRegisterValue(reg)

    stop_at = 0x409A18
    pc = getConcreteRegisterValue(REG.RIP)
    while pc != stop_at:
        insn = Instruction()
        insn.setOpcodes(getConcreteMemoryAreaValue(pc, 20))
        insn.setAddress(pc)
        # processing() presumably returns False when Triton cannot handle the
        # instruction, which fails the test instead of silently looping.
        self.assertTrue(processing(insn))
        pc = getConcreteRegisterValue(REG.RIP)
        if concretize:
            concretizeAllMemory()
            concretizeAllRegister()

    expected = (
        (REG.RAX, 0),
        (REG.RBX, 0),
        (REG.RCX, 0),
        (REG.RDX, 0x4d2),
        (REG.RSI, 0x3669000000000000),
    )
    for reg, value in expected:
        self.assertEqual(getConcreteRegisterValue(reg), value)
def test_emulate(self, concretize=False):
    """Run the recorded ``emu_1.dump`` trace in Triton and verify output registers.

    Loads ``(regs, mems)`` from the dump, seeds Triton memory and registers,
    then steps instructions starting at RIP until RIP reaches 0x409A18.
    Finally RAX/RBX/RCX/RDX/RSI are compared with the expected values.

    Args:
        concretize: when True, concretize all memory and registers after each
            instruction is processed.
    """
    here = os.path.dirname(__file__)
    dump_path = os.path.join(here, "misc", "emu_1.dump")
    with open(dump_path) as fh:
        # NOTE(review): eval() runs whatever the dump contains.  Acceptable for
        # a repository-controlled fixture; never point this at user-supplied
        # files (ast.literal_eval would be the safe alternative).
        regs, mems = eval(fh.read())

    for region in mems:
        if region['memory'] is not None:
            setConcreteMemoryAreaValue(region['start'], bytearray(region['memory']))

    # Note: r15 is absent from this list -- TODO confirm against the dump.
    names = ("rax", "rbx", "rcx", "rdx", "rdi", "rsi", "rbp", "rsp", "rip",
             "r8", "r9", "r10", "r11", "r12", "r13", "r14", "eflags",
             "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
             "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14",
             "xmm15")
    for name in names:
        setConcreteRegisterValue(Register(getattr(REG, name.upper()), regs[name]))

    pc = getConcreteRegisterValue(REG.RIP)
    while pc != 0x409A18:
        insn = Instruction()
        insn.setOpcodes(getConcreteMemoryAreaValue(pc, 20))
        insn.setAddress(pc)
        # A False return from processing() presumably means an unsupported
        # instruction; fail loudly rather than spin.
        self.assertTrue(processing(insn))
        pc = getConcreteRegisterValue(REG.RIP)
        if concretize:
            concretizeAllMemory()
            concretizeAllRegister()

    self.assertEqual(getConcreteRegisterValue(REG.RAX), 0)
    self.assertEqual(getConcreteRegisterValue(REG.RBX), 0)
    self.assertEqual(getConcreteRegisterValue(REG.RCX), 0)
    self.assertEqual(getConcreteRegisterValue(REG.RDX), 0x4d2)
    self.assertEqual(getConcreteRegisterValue(REG.RSI), 0x3669000000000000)
def test_set_get_concrete_value(self):
    """Byte-wise set/get round-trip, unmap, then area set/get with str and list inputs."""
    base, size = 0x2000, 512
    self.assertFalse(isMemoryMapped(base, size))
    # Writing byte by byte maps the region; each byte is read back immediately.
    # Values run 1..512 and wrap through the low byte.
    for offset, value in enumerate(range(1, size + 1)):
        addr = base + offset
        setConcreteMemoryValue(addr, value & 0xff)
        self.assertEqual(getConcreteMemoryValue(addr), value & 0xff)
    self.assertTrue(isMemoryMapped(base, size))
    unmapMemory(base, size)
    self.assertFalse(isMemoryMapped(base, size))
    # Area writes accept both a (Python 2 style) byte string and a list of
    # ints; adjacent writes read back as one contiguous string.
    setConcreteMemoryAreaValue(0x1000, "\x11\x22\x33\x44\x55\x66")
    setConcreteMemoryAreaValue(0x1006, [0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc])
    combined = getConcreteMemoryAreaValue(0x1000, 12)
    self.assertEqual(combined, "\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc")
def reset(self):
    """Rebuild the Triton context from saved registers, the memory cache and symbolic inputs.

    Clears engines and path constraints, re-applies the architecture and the
    ALIGNED_MEMORY / ONLY_ON_SYMBOLIZED modes, registers the memory-caching
    and constant-folding callbacks, restores every register in ``self.regs``
    that has a Triton counterpart in ``self.triton_regs``, writes back each
    cached memory region, and re-symbolizes every address in ``self.inputs``
    as a one-byte variable (the fresh symbolic variable replaces the stored
    one).
    """
    triton.resetEngines()
    triton.clearPathConstraints()
    triton.setArchitecture(self.arch)
    triton.enableMode(triton.MODE.ALIGNED_MEMORY, True)
    triton.enableMode(triton.MODE.ONLY_ON_SYMBOLIZED, True)
    # NOTE(review): addCallback runs on every reset; whether resetEngines()
    # drops previously registered callbacks or they accumulate depends on the
    # Triton version -- confirm.
    triton.addCallback(self.memoryCaching, triton.CALLBACK.GET_CONCRETE_MEMORY_VALUE)
    triton.addCallback(self.constantFolding, triton.CALLBACK.SYMBOLIC_SIMPLIFICATION)

    known = self.triton_regs
    for name, value in self.regs.items():
        if name not in known:
            continue
        triton.setConcreteRegisterValue(triton.Register(known[name], value))

    for region in cache:
        triton.setConcreteMemoryAreaValue(region['start'], bytearray(region["data"]))

    for addr in self.inputs:
        access = triton.MemoryAccess(addr, triton.CPUSIZE.BYTE)
        self.inputs[addr] = triton.convertMemoryToSymbolicVariable(access)
def write_mem(self, addr, data):
    """Write ``data`` into Triton's concrete memory starting at ``addr``.

    Thin pass-through to ``triton.setConcreteMemoryAreaValue``; ``data`` is
    forwarded unchanged (no bytearray conversion), so the caller must supply
    a type Triton accepts.  Returns None.
    """
    triton.setConcreteMemoryAreaValue(addr, data)