def emulate(self, pc):
"""
Emulate every opcode from pc.
Process instruction until the end
"""
while pc:
# Fetch opcode
opcode = self.Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
ret = self.Triton.processing(instruction)
if instruction.getType() == OPCODE.HLT:
break
self.assertTrue(ret)
self.assertTrue(checkAstIntegrity(instruction))
# Simulate routines
self.hooking_handler()
# Next
pc = self.Triton.getConcreteRegisterValue(self.Triton.registers.rip)
return
def emulate(pc):
count = 0
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
count += 1
#print instruction
if instruction.getType() == OPCODE.X86.HLT:
break
# Simulate routines
hookingHandler()
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
debug('Instruction executed: %d' % (count))
return
def emulate(pc):
count = 0
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
count += 1
#print instruction
if instruction.getType() == OPCODE.HLT:
break
# Simulate routines
hookingHandler()
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
debug('Instruction executed: %d' %(count))
return
def emulate(self, pc):
"""
Emulate every opcode from pc.
Process instruction until the end
"""
while pc:
# Fetch opcode
opcode = self.Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
ret = self.Triton.processing(instruction)
if instruction.getType() == OPCODE.HLT:
break
self.assertTrue(ret)
self.assertTrue(checkAstIntegrity(instruction))
# Simulate routines
self.hooking_handler()
# Next
pc = self.Triton.getConcreteRegisterValue(self.Triton.registers.rip)
return
def emulate(pc):
print('[+] Starting emulation.')
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
print(instruction)
if instruction.getType() == OPCODE.X86.HLT:
break
# Simulate routines
hookingHandler()
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
print('[+] Emulation done.')
return
def emulate(pc):
print '[+] Starting emulation.'
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
print instruction
if instruction.getType() == OPCODE.HLT:
break
# Simulate routines
hookingHandler()
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
print '[+] Emulation done.'
return
def emulate(Triton, pc):
count = 0
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
count += 1
print("Emulating %s" % (instruction))
#print instruction
if instruction.getType() == OPCODE.X86.RET:
break
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.eip)
print('Instructions executed: %d' % (count))
return
def emulate(pc):
global frameDepth
while (True):
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
inst = Instruction()
inst.setOpcode(opcode)
inst.setAddress(pc)
Triton.processing(inst)
# if(inst.getAddress() == int(sys.argv[2],16)):
# dumpInput()
# exit(0)
print inst,
print "size: " + str(format(inst.getSize(), 'x'))
if (inst.getType() == OPCODE.CALL):
frameDepth += 1
esp = Triton.getConcreteRegisterValue(Triton.registers.rsp)
retAddr = Triton.getConcreteMemoryValue(MemoryAccess(esp, 4))
returnStack.append(retAddr)
for ret in returnStack:
print format(ret, 'x')
# printStack()
if inst.getAddress() == 0x804849b or inst.getAddress(
) == 0x804847a or inst.getAddress() == 0x804844c:
print "EAX:"+str(format(Triton.getConcreteRegisterValue(Triton.registers.rax),'x')) + \
" EDX:"+str(format(Triton.getConcreteRegisterValue(Triton.registers.rdx),'x')) + \
" EBP : "+ str(format(Triton.getConcreteRegisterValue(Triton.registers.rbp),'x')) + \
" EIP : "+ str(format(Triton.getConcreteRegisterValue(Triton.registers.rip),'x'))
id = Triton.getSymbolicRegisterId(Triton.registers.rax)
currentEBP = Triton.getConcreteRegisterValue(Triton.registers.rbp)
if (inst.getType() == OPCODE.HLT):
break
hookingHandler()
if inst.getType() == OPCODE.RET:
frameDepth -= 1
evaluatepc()
if (inst.getAddress() == 0):
exit(0)
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
def emulate(pc,w):
while pc:
#print 'pc1',pc
opcodes = Triton.getConcreteMemoryAreaValue(pc, 16)
#print 'opcodes',opcodes
instruction = Instruction()
instruction.setOpcode(opcodes)
instruction.setAddress(pc)
Triton.processing(instruction)
if instruction.getType()== OPCODE.INT :
if Triton.getConcreteRegisterValue(Triton.registers.eax)==1:
break
pc=pc+2
continue
if instruction.getType() == OPCODE.HLT:
break
pc = Triton.buildSymbolicRegister(Triton.registers.eip).evaluate()
if sys.argv[3].startswith("0x"):
target = int(sys.argv[3][2:],16)
#print 'target',target
i=1
if pc == target:
#printoutput()
'''for address, value in seed.items():
#print 'address',address
print chr(value)
if(address==1879048195):
print 'argc ',value
else:
x=address-22528
y=int(x/100)
z=int(x%100)
print 'argv[',y,'][',z,'] ',value
i=i+1'''
w=11
break
return w
def emulate(Triton, pc):
count = 0
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
count += 1
# Handle nested memory reads
if instruction.isMemoryRead():
memory_access, read__memory_ast_node = instruction.getLoadAccess()[0]
read_register, read_register_ast_node = instruction.getReadRegisters()[0]
written_register, write_register_ast_node = instruction.getWrittenRegisters()[0]
if read_register.getName() != "unknown":
expression = read_register_ast_node.getSymbolicExpression()
expression_ast = expression.getAst()
#import pdb
#pdb.set_trace()
if expression_ast.getType() == AST_NODE.VARIABLE:
variable = expression_ast.getSymbolicVariable()
alias = variable.getAlias()
displacement = memory_access.getDisplacement().getValue()
newalias = "(%s)[0x%x]" % (alias, displacement)
#newalias = "(%s)[0]" % alias
Triton.symbolizeRegister(written_register, newalias)
elif expression_ast.getType() == AST_NODE.CONCAT:
import pdb
pdb.set_trace()
pass
else:
import pdb
pdb.set_trace()
raise Exception("Unexpected ast node")
print("Emulating %s" % (instruction))
#print instruction
if instruction.getType() == OPCODE.X86.RET:
break
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.eip)
print('Instructions executed: %d' %(count))
return
def emulate(pc, index, y, targetadd):
Triton.concretizeAllRegister()
Triton.concretizeAllMemory()
flag = 0
Triton.setConcreteRegisterValue(Triton.registers.ebp, 0x6ffffffb)
Triton.setConcreteRegisterValue(Triton.registers.ebp, 0x6fffffff)
esp = Triton.buildSymbolicRegister(Triton.registers.ebp).evaluate()
address = 28
addressv = 200
Triton.setConcreteMemoryValue(esp + 12, address)
Triton.setConcreteMemoryValue(address, addressv)
for i in range(index + 1):
Triton.setConcreteMemoryValue(addressv, ord('S'))
addressv = addressv + 1
if (y == 1):
#strin= ""
for j in range(index):
print 'F'
#strin = strin+'F'
#print strin,hex(targetadd)
print hex(targetadd)
while pc:
opcodes = Triton.getConcreteMemoryAreaValue(pc, 16)
instruction = Instruction()
instruction.setOpcode(opcodes)
instruction.setAddress(pc)
Triton.processing(instruction)
if (instruction.isControlFlow()):
flag = flag + 1
if instruction.getType() == OPCODE.INT:
pc = instruction.getNextAddress()
y = Triton.buildSymbolicRegister(Triton.registers.eax).evaluate()
if y == 1:
break
continue
pc = Triton.buildSymbolicRegister(Triton.registers.eip).evaluate()
if (pc == 28):
return 5
return 1
def emulate(pc):
flag = bytearray(39)
count = 0
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
#print(instruction)
# NOTE: Here is the solution of the challenge. The flag is decoded
# and written into the memory. So, let's track all memory STORE of
# 1 byte.
for mem, memAst in instruction.getStoreAccess():
if mem.getSize() == CPUSIZE.BYTE:
value = Triton.getConcreteMemoryValue(mem)
if value:
flag[count] = value
count += 1
if instruction.getType() == OPCODE.X86.HLT:
break
# Simulate routines
hookingHandler()
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
print(' %s' % flag)
if flag == b"hackover15{I_USE_GOTO_WHEREEVER_I_W4NT}":
return 0
return -1
def emulate(pc):
count = 0
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
count += 1
#print(instruction)
# NOTE: Here is the solution of the challenge. The flag is decoded
# and written into the memory. So, let's track all memory STORE of
# 1 byte.
for mem, memAst in instruction.getStoreAccess():
if mem.getSize() == CPUSIZE.BYTE:
sys.stdout.write(chr(Triton.getConcreteMemoryValue(mem)))
# End of solution
if instruction.getType() == OPCODE.X86.HLT:
break
# Simulate routines
hookingHandler()
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
debug('Instruction executed: %d' % (count))
return
class TestInstruction(unittest.TestCase):
"""Testing the Instruction class."""
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode(b"\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
def test_address(self):
"""Check instruction current and next address."""
self.assertEqual(self.inst.getAddress(), 0x400000)
self.assertEqual(self.inst.getNextAddress(), 0x400003)
inst = Instruction()
inst.setAddress(-1)
self.assertEqual(inst.getAddress(), 0xffffffffffffffff)
inst.setAddress(-2)
self.assertEqual(inst.getAddress(), 0xfffffffffffffffe)
inst.setAddress(-3)
self.assertEqual(inst.getAddress(), 0xfffffffffffffffd)
def test_memory(self):
"""Check memory access."""
self.assertListEqual(self.inst.getLoadAccess(), [])
self.assertListEqual(self.inst.getStoreAccess(), [])
self.assertFalse(self.inst.isMemoryWrite())
self.assertFalse(self.inst.isMemoryRead())
def test_registers(self):
"""Check register access."""
self.assertEqual(len(self.inst.getReadRegisters()), 2, "access RAX and RBX")
self.assertEqual(len(self.inst.getWrittenRegisters()), 8, "write in RAX, RIP, AF, XF, OF, PF, SF and ZF")
def test_taints(self):
"""Check taints attributes."""
self.assertFalse(self.inst.isTainted())
def test_prefix(self):
"""Check prefix data."""
self.assertFalse(self.inst.isPrefixed())
self.assertEqual(self.inst.getPrefix(), PREFIX.X86.INVALID)
def test_control_flow(self):
"""Check control flow flags."""
self.assertFalse(self.inst.isControlFlow(), "It is not a jmp, ret or call")
self.assertFalse(self.inst.isBranch(), "It is not a jmp")
def test_condition(self):
"""Check condition flags."""
self.assertFalse(self.inst.isConditionTaken())
def test_opcode(self):
"""Check opcode informations."""
self.assertEqual(self.inst.getOpcode(), b"\x48\x01\xd8")
self.assertEqual(self.inst.getType(), OPCODE.X86.ADD)
def test_thread(self):
"""Check threads information."""
self.assertEqual(self.inst.getThreadId(), 0)
def test_operand(self):
"""Check operand information."""
self.assertEqual(len(self.inst.getOperands()), 2)
self.assertEqual(self.inst.getOperands()[0].getName(), "rax")
self.assertEqual(self.inst.getOperands()[1].getName(), "rbx")
with self.assertRaises(Exception):
self.inst.getOperands()[2]
def test_symbolic(self):
"""Check symbolic information."""
self.assertEqual(len(self.inst.getSymbolicExpressions()), 8)
def test_size(self):
"""Check size information."""
self.assertEqual(self.inst.getSize(), 3)
def test_disassembly(self):
"""Check disassembly equivalent."""
self.assertEqual(self.inst.getDisassembly(), "add rax, rbx")
def emulate(pc, sgx_ocall, sgx_free, is_threaded):
count = 0
policies.init_emulator()
policies.init_thread_env()
while pc and count < MAX_INST_CNT:
if (not policies.is_thread_unlocked()):
continue
if is_threaded:
emul_thread_lock.acquire()
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
try:
ret = Triton.processing(instruction)
if not ret:
if WARN_DEBUG:
print(
'[LIMITATION] unsupported instruction at 0x%x' % (pc))
Triton.setConcreteRegisterValue(Triton.registers.rip,
instruction.getNextAddress())
except:
if WARN_DEBUG:
print('[EXCEPTION] instruction process error ...')
if('\xf3\x0f\x1e\xfa' in opcode):
Triton.setConcreteRegisterValue(Triton.registers.rip,
pc + 0x4)
else:
break
count += 1
inst_ring_buffer[instruction.getAddress()] = True
if (PRINT_INST_DEBUG and instruction.getType() == OPCODE.X86.RET):
ret_addr = Triton.getConcreteRegisterValue(Triton.registers.rip)
print('[INSTRUCTION] return instruction: ', instruction)
print('[INSTRUCTION] return to: 0x%x' % ret_addr)
if (PRINT_INST_DEBUG and instruction.getType() == OPCODE.X86.CALL):
print('[INSTRUCTION] call instruction: ', instruction)
policies.push_inst_to_ring_buffer(instruction)
policies.inspection(instruction)
if (instruction.getDisassembly() == sgx_ocall
or instruction.getDisassembly() == sgx_free):
force_return_to_callsite(0x0)
if (instruction.getType() == OPCODE.X86.XGETBV):
Triton.setConcreteRegisterValue(Triton.registers.rip,
instruction.getNextAddress())
if instruction.getType() == OPCODE.X86.HLT:
if is_threaded:
emul_thread_lock.release()
break
if (not hook_process_inst(instruction)):
if is_threaded:
emul_thread_lock.release()
break
if (policies.is_report_avl()):
print_report()
policies.clear_last_report()
if is_threaded:
emul_thread_lock.release()
break
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
del instruction
if is_threaded:
emul_thread_lock.release()
if (count % 10000 == 0):
gc.collect()
policies.exit_emulator()
policies.destroy_thread_env()
return (count)
def emulate(pc):
count = 0
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
count += 1
# Print instruction
# print("pc = {:#x}, rax = {:#x}".format(pc, Triton.getConcreteRegisterValue(Triton.registers.rax)))
# debug("{} (size={})".format(instruction, instruction.getSize()))
# for expr in instruction.getSymbolicExpressions():
# print('\t', expr)
if instruction.getType() == OPCODE.X86.HLT:
break
# Simulate routines
flag_exit = hookingHandler(instruction)
if flag_exit:
break
# Update branch constraint
reg_zf = Triton.getRegisterAst(Triton.getRegister(REG.X86.ZF))
reg_sf = Triton.getRegisterAst(Triton.getRegister(REG.X86.SF))
reg_of = Triton.getRegisterAst(Triton.getRegister(REG.X86.OF))
reg_cf = Triton.getRegisterAst(Triton.getRegister(REG.X86.CF))
ast = Triton.getAstContext()
# Next
if instruction.isBranch(
) and not instruction.getType() == OPCODE.X86.JMP:
# メインのバイナリのトレースになるまで読み飛ばし
while True:
event = Trace.get_next_branch()
# debug(event)
# if Trace.get_relative_addr_and_image(event['inst_addr'])[0] == pc:
# break
if event['inst_addr'].startswith('0x5') and int(
event['inst_addr'], 16) & 0xfff == pc & 0xfff:
break
# debug(event)
# 分岐条件を収集
def ja_succ(cf, zf):
# CF=0 and ZF=0
return ast.land([cf == 0, zf == 0])
def jae_succ(cf):
return cf == 0
def jb_succ(cf):
return cf == 1
def jbe_succ(cf, zf):
# CF=1 or ZF=1
return ast.lor([cf == 1, zf == 1])
def jg_succ(zf, sf, of):
# ZF=0 and SF=OF
return ast.land([zf == 0, sf == of])
def jge_succ(sf, of):
# SF=OF
return sf == of
def jl_succ(sf, of):
# SF ≠ OF
return sf != of
def jle_succ(zf, sf, of):
# ZF=1 or SF ≠ OF
return ast.lor([zf == 1, sf != of])
def je_succ(zf):
return zf == 1
def jne_succ(zf):
return zf == 0
def js_succ(sf):
return sf == 1
def jns_succ(sf):
return sf == 0
def selecter(instruction, event, succ_opcode, succ, fail_opcode,
fail):
if instruction.getType() == succ_opcode:
if event['branch_taken']:
return succ
else:
return fail
if instruction.getType() == fail_opcode:
if event['branch_taken']:
return fail
else:
return succ
if False:
pass
elif instruction.getType() in [OPCODE.X86.JA, OPCODE.X86.JBE]:
conditional_branch_constraints.append(
selecter(instruction, event, OPCODE.X86.JA, ja_succ,
OPCODE.X86.JBE, jbe_succ)(cf=reg_cf, zf=reg_zf))
elif instruction.getType() in [OPCODE.X86.JB, OPCODE.X86.JAE]:
conditional_branch_constraints.append(
selecter(instruction, event, OPCODE.X86.JB, jb_succ,
OPCODE.X86.JAE, jae_succ)(cf=reg_cf, zf=reg_zf))
elif instruction.getType() in [OPCODE.X86.JL, OPCODE.X86.JGE]:
conditional_branch_constraints.append(
selecter(instruction, event, OPCODE.X86.JL, jl_succ,
OPCODE.X86.JGE, jge_succ)(sf=reg_sf, of=reg_of))
elif instruction.getType() in [OPCODE.X86.JG, OPCODE.X86.JLE]:
conditional_branch_constraints.append(
selecter(instruction, event, OPCODE.X86.JG, jg_succ,
OPCODE.X86.JLE, jle_succ)(zf=reg_zf,
sf=reg_sf,
of=reg_of))
elif instruction.getType() in [OPCODE.X86.JE, OPCODE.X86.JNE]:
conditional_branch_constraints.append(
selecter(instruction, event, OPCODE.X86.JE, je_succ,
OPCODE.X86.JNE, jne_succ)(zf=reg_zf))
elif instruction.getType() in [OPCODE.X86.JS, OPCODE.X86.JNS]:
conditional_branch_constraints.append(
selecter(instruction, event, OPCODE.X86.JS, js_succ,
OPCODE.X86.JNS, jns_succ)(sf=reg_sf))
else:
raise Exception(
"Unhandled jcc instruction: {}".format(instruction))
# 分岐結果をプログラムカウンタに反映
if event['branch_taken']:
pc = int(instruction.getDisassembly().split(' ')[-1], 16)
continue
else:
pc = pc + instruction.getSize()
else:
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
debug('Number of instruction executed: %d' % (count))
return
class TestInstruction(unittest.TestCase):
"""Testing the Instruction class."""
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode("\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
def test_address(self):
"""Check instruction current and next address."""
self.assertEqual(self.inst.getAddress(), 0x400000)
self.assertEqual(self.inst.getNextAddress(), 0x400003)
def test_memory(self):
"""Check memory access."""
self.assertListEqual(self.inst.getLoadAccess(), [])
self.assertListEqual(self.inst.getStoreAccess(), [])
self.assertFalse(self.inst.isMemoryWrite())
self.assertFalse(self.inst.isMemoryRead())
def test_registers(self):
"""Check register access."""
self.assertEqual(len(self.inst.getReadRegisters()), 2, "access RAX and RBX")
self.assertEqual(len(self.inst.getWrittenRegisters()), 8, "write in RAX, RIP, AF, XF, OF, PF, SF and ZF")
def test_taints(self):
"""Check taints attributes."""
self.assertFalse(self.inst.isTainted())
def test_prefix(self):
"""Check prefix data."""
self.assertFalse(self.inst.isPrefixed())
self.assertEqual(self.inst.getPrefix(), PREFIX.INVALID)
def test_control_flow(self):
"""Check control flow flags."""
self.assertFalse(self.inst.isControlFlow(), "It is not a jmp, ret or call")
self.assertFalse(self.inst.isBranch(), "It is not a jmp")
def test_condition(self):
"""Check condition flags."""
self.assertFalse(self.inst.isConditionTaken())
def test_opcode(self):
"""Check opcode informations."""
self.assertEqual(self.inst.getOpcode(), "\x48\x01\xd8")
self.assertEqual(self.inst.getType(), OPCODE.ADD)
def test_thread(self):
"""Check threads information."""
self.assertEqual(self.inst.getThreadId(), 0)
def test_operand(self):
"""Check operand information."""
self.assertEqual(len(self.inst.getOperands()), 2)
self.assertEqual(self.inst.getOperands()[0].getName(), "rax")
self.assertEqual(self.inst.getOperands()[1].getName(), "rbx")
with self.assertRaises(Exception):
self.inst.getOperands()[2]
def test_symbolic(self):
"""Check symbolic information."""
self.assertEqual(len(self.inst.getSymbolicExpressions()), 8)
def test_size(self):
"""Check size information."""
self.assertEqual(self.inst.getSize(), 3)
def test_disassembly(self):
"""Check disassembly equivalent."""
self.assertEqual(self.inst.getDisassembly(), "add rax, rbx")
def emulate(pc, index, y, targetadd):
Triton.concretizeAllRegister()
Triton.concretizeAllMemory()
x = 0
#Triton.buildSymbolicRegister(Triton.registers.eax).evaluate()
Triton.setConcreteRegisterValue(Triton.registers.ebp, 0x6ffffffb)
Triton.setConcreteRegisterValue(Triton.registers.ebp, 0x6fffffff)
esp = Triton.buildSymbolicRegister(Triton.registers.ebp).evaluate()
address = 28
addressv = 234
Triton.setConcreteMemoryValue(esp + 12, address)
Triton.setConcreteMemoryValue(address, addressv)
#Triton.setConcreteMemoryAreaValue(address,CPUSIZE.WORD,addressv)
#print 'index',index
for i in range(index + 1):
#index=index-1
Triton.setConcreteMemoryValue(addressv, ord('A'))
#print 'A'
addressv = addressv + 1
if (y == 1):
print 'This Input its is going to given/invalid address'
strin = ""
for j in range(index):
strin = strin + 'A'
print strin, hex(targetadd) #, type(targetadd)
#Triton.setConcreteMemoryValue(MemoryAccess(addressv,CPUSIZE.DWORD),targetadd)
#inte = int(targetadd[2:3])
#print unichr(inte)
#+ targetadd[0]+targetadd[1]+targetadd[2]+targetadd[3]+targetadd[4]+targetadd[5]+targetadd[6]
#Triton.setConcreteMemoryAreaValue(address,CPUSIZE.WORD,addressv)
while pc:
# Fetch opcodes
opcodes = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcodes)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
#print instruction
if (instruction.isControlFlow()):
x = x + 1
if instruction.getType() == OPCODE.INT:
pc = instruction.getNextAddress()
y = Triton.buildSymbolicRegister(Triton.registers.eax).evaluate()
#y = getConcreteRegisterValue(REG.EAX)
if y == 1:
break
continue
# Next
pc = Triton.buildSymbolicRegister(Triton.registers.eip).evaluate()
#print pc
if (pc == 28):
#print "reached"
return 5
#print 'The number of control transfer instructions are :'
#print x
return 1
