def test_AND_1(self):
''' Instruction AND
Groups:
0x7ffff7de390a: and rax, 0xfc000000
'''
mem = Memory64()
cpu = AMD64Cpu(mem)
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
mem[0x7ffff7de390a] = '\x48'
mem[0x7ffff7de390b] = '\x25'
mem[0x7ffff7de390c] = '\x00'
mem[0x7ffff7de390d] = '\x00'
mem[0x7ffff7de390e] = '\x00'
mem[0x7ffff7de390f] = '\xfc'
cpu.PF = True
cpu.RAX = 0x7ffff7ff7658
cpu.OF = False
cpu.ZF = False
cpu.CF = False
cpu.RIP = 0x7ffff7de390a
cpu.SF = False
cpu.execute()
self.assertEqual(mem[0x7ffff7de390a], b'\x48')
self.assertEqual(mem[0x7ffff7de390b], b'\x25')
self.assertEqual(mem[0x7ffff7de390c], b'\x00')
self.assertEqual(mem[0x7ffff7de390d], b'\x00')
self.assertEqual(mem[0x7ffff7de390e], b'\x00')
self.assertEqual(mem[0x7ffff7de390f], b'\xfc')
self.assertEqual(cpu.PF, True)
self.assertEqual(cpu.RAX, 0x7ffff4000000)
self.assertEqual(cpu.OF, False)
self.assertEqual(cpu.ZF, False)
self.assertEqual(cpu.CF, False)
self.assertEqual(cpu.RIP, 0x7ffff7de3910)
self.assertEqual(cpu.SF, False)
def test_DEC_1(self):
''' Instruction DEC_1
Groups: mode64
0x41e10a: dec ecx
'''
mem = Memory64()
cpu = AMD64Cpu(mem)
mem.mmap(0x0041e000, 0x1000, 'rwx')
mem[0x0041e10a] = '\xff'
mem[0x0041e10b] = '\xc9'
cpu.AF = False
cpu.OF = False
cpu.ZF = False
cpu.RIP = 0x41e10a
cpu.PF = False
cpu.SF = False
cpu.ECX = 0xd
cpu.execute()
self.assertItemsEqual(mem[0x41e10a:0x41e10c], to_bytelist(b'\xff\xc9'))
self.assertEqual(cpu.AF, False)
self.assertEqual(cpu.OF, False)
self.assertEqual(cpu.ZF, False)
self.assertEqual(cpu.RIP, 4317452)
self.assertEqual(cpu.PF, True)
self.assertEqual(cpu.SF, False)
self.assertEqual(cpu.ECX, 12)
def test_cache_004(self):
import random
cs = ConstraintSet()
mem = SMemory64(cs)
cpu = AMD64Cpu(mem)
#alloc/map a little mem
addr = mem.mmap(0x1000, 0x1000, 'rwx')
self.assertEqual(addr, 0x1000)
memory = bytearray(0x1000)
written = set()
for _ in range(1000):
address = random.randint(0x1000,0x2000-8)
[written.add(i) for i in range(address,address+8)]
value = random.randint(0x0,0xffffffffffffffff)
memory[address-0x1000:address-0x1000+8] = list(struct.pack('<Q',value))
cpu.write_int(address, value, 64)
if random.randint(0,10) > 5:
cpu.read_int(random.randint(0x1000,0x2000-8), random.choice([8,16,32,64]))
written = list(written)
random.shuffle(written)
for address in written:
size = random.choice([8,16,32,64])
if address > 0x2000-(size // 8):
continue
pattern = {8:'B', 16:'<H', 32:'<L', 64:'<Q'} [size]
start = address - 0x1000
self.assertEqual(cpu.read_int(address, size),
struct.unpack(pattern, bytes(memory[start:start + (size // 8)]))[0])
def test_cache_005(self):
cs = ConstraintSet()
mem = SMemory64(cs)
cpu = AMD64Cpu(mem)
#alloc/map a little mem
addr = mem.mmap(0x1000, 0x1000, 'rwx')
self.assertEqual(addr, 0x1000)
self.assertRaises(Exception, cpu.write_int, 0x1000-1, 0x414243445464748, 64)
self.assertRaises(Exception, cpu.write_int, 0x2000-7, 0x414243445464748, 64)
self.assertRaises(Exception, cpu.read_int, 0x1000-1, 0x414243445464748, 64)
self.assertRaises(Exception, cpu.read_int, 0x2000-7, 0x414243445464748, 64)
#alloc/map a little mem
addr = mem.mmap(0x7000, 0x1000, 'r')
self.assertEqual(addr, 0x7000)
self.assertRaises(Exception, cpu.write_int, 0x7000-1, 0x414243445464748, 64)
self.assertRaises(Exception, cpu.write_int, 0x8000-7, 0x414243445464748, 64)
self.assertRaises(Exception, cpu.read_int, 0x7000-1, 0x414243445464748, 64)
self.assertRaises(Exception, cpu.read_int, 0x8000-7, 0x414243445464748, 64)
self.assertRaises(Exception, cpu.write_int, 0x7100, 0x414243445464748, 64)
#alloc/map a little mem
addr = mem.mmap(0xf000, 0x1000, 'w')
self.assertEqual(addr, 0xf000)
self.assertRaises(Exception, cpu.write_int, 0xf000-1, 0x414243445464748, 64)
self.assertRaises(Exception, cpu.write_int, 0x10000-7, 0x414243445464748, 64)
self.assertRaises(Exception, cpu.read_int, 0xf000-1, 0x414243445464748, 64)
self.assertRaises(Exception, cpu.read_int, 0x10000-7, 0x414243445464748, 64)
self.assertRaises(Exception, cpu.read_int, 0xf100, 0x414243445464748, 64)
def test_cache_001(self):
cs = ConstraintSet()
mem = SMemory64(ConstraintSet())
cpu = AMD64Cpu(mem)
mem.mmap(0x1000,0x1000,'rwx')
cpu.write_int(0x1000, 0x4142434445464748, 64)
#print cpu.mem_cache
cpu.write_int(0x1004, 0x5152535455565758, 64)
#print cpu.mem_cache
cpu.write_int(0x1008, 0x6162636465666768, 64)
#print cpu.mem_cache
#print hex(cpu.read_int(0x1000,32))
#print hex(cpu.read_int(0x1000,32))
#print hex(cpu.read_int(0x1000,32))
#print hex(cpu.read_int(0x1000,32))
#print hex(cpu.read_int(0x1000,32))
self.assertEqual(cpu.read_int(0x1000,32), 0x45464748)
cpu.write_int( 0x1000, 0x45464748,32)
self.assertEqual(cpu.read_int(0x1000,32), 0x45464748)
self.assertEqual(cpu.read_int(0x1004,32), 0x55565758)
self.assertEqual(cpu.read_int(0x1008,32), 0x65666768)
self.assertEqual(cpu.read_int(0x1008,64), 0x6162636465666768)
self.assertEqual(cpu.read_int(0x1000,64), 0x5556575845464748)
#cpu.writeback()
for i in range(0x10):
self.assertEqual(mem[i+0x1000], b'HGFEXWVUhgfedcba'[i:i+1])
self.assertEqual(mem.read(0x1000,0x10), to_bytelist(b'HGFEXWVUhgfedcba'))
def test_le_or(self):
cs = ConstraintSet()
mem = SMemory64(cs)
cpu = AMD64Cpu(mem)
mem.mmap(0x1000,0x1000,'rwx')
cpu.write_int(0x1000, 0x4142434445464748, 64)
cpu.write_int(0x1000, cpu.read_int(0x1000, 32) | 0, 32)
addr1 = cs.new_bitvec(64)
cs.add(addr1 == 0x1004)
cpu.write_int(addr1, 0x58, 8)
self.assertEqual(cpu.read_int(0x1000,32), 0x45464748)
addr1 = cs.new_bitvec(64)
cs.add(addr1 == 0x1000)
cpu.write_int(addr1, 0x59, 8)
solutions = solver.get_all_values(cs, cpu.read_int(0x1000,32))
self.assertEqual(len(solutions), 1)
self.assertEqual(solutions[0], 0x45464759)
cpu.write_int(0x1000, cpu.read_int(0x1000,32) | 0, 32)
cpu.write_int(0x1000, cpu.read_int(0x1000,32) | 0, 32)
cpu.write_int(0x1000, cpu.read_int(0x1000,32) | 0, 32)
solutions = solver.get_all_values(cs, cpu.read_int(0x1000,32))
self.assertEqual(len(solutions), 1)
self.assertEqual(solutions[0], 0x45464759)
def test_DEC_1(self):
""" Instruction DEC_1
Groups: mode64
0x41e10a: dec ecx
"""
mem = Memory64()
cpu = AMD64Cpu(mem)
mem.mmap(0x0041E000, 0x1000, "rwx")
mem[0x0041E10A] = "\xff"
mem[0x0041E10B] = "\xc9"
cpu.AF = False
cpu.OF = False
cpu.ZF = False
cpu.RIP = 0x41E10A
cpu.PF = False
cpu.SF = False
cpu.ECX = 0xD
cpu.execute()
self.assertItemsEqual(mem[0x41E10A:0x41E10C], to_bytelist(b"\xff\xc9"))
self.assertEqual(cpu.AF, False)
self.assertEqual(cpu.OF, False)
self.assertEqual(cpu.ZF, False)
self.assertEqual(cpu.RIP, 4317452)
self.assertEqual(cpu.PF, True)
self.assertEqual(cpu.SF, False)
self.assertEqual(cpu.ECX, 12)
def test_AND_1(self):
""" Instruction AND
Groups:
0x7ffff7de390a: and rax, 0xfc000000
"""
mem = Memory64()
cpu = AMD64Cpu(mem)
mem.mmap(0x7FFFF7DE3000, 0x1000, "rwx")
mem[0x7FFFF7DE390A] = "\x48"
mem[0x7FFFF7DE390B] = "\x25"
mem[0x7FFFF7DE390C] = "\x00"
mem[0x7FFFF7DE390D] = "\x00"
mem[0x7FFFF7DE390E] = "\x00"
mem[0x7FFFF7DE390F] = "\xfc"
cpu.PF = True
cpu.RAX = 0x7FFFF7FF7658
cpu.OF = False
cpu.ZF = False
cpu.CF = False
cpu.RIP = 0x7FFFF7DE390A
cpu.SF = False
cpu.execute()
self.assertEqual(mem[0x7FFFF7DE390A], b"\x48")
self.assertEqual(mem[0x7FFFF7DE390B], b"\x25")
self.assertEqual(mem[0x7FFFF7DE390C], b"\x00")
self.assertEqual(mem[0x7FFFF7DE390D], b"\x00")
self.assertEqual(mem[0x7FFFF7DE390E], b"\x00")
self.assertEqual(mem[0x7FFFF7DE390F], b"\xfc")
self.assertEqual(cpu.PF, True)
self.assertEqual(cpu.RAX, 0x7FFFF4000000)
self.assertEqual(cpu.OF, False)
self.assertEqual(cpu.ZF, False)
self.assertEqual(cpu.CF, False)
self.assertEqual(cpu.RIP, 0x7FFFF7DE3910)
self.assertEqual(cpu.SF, False)
def setUp(self):
mem32 = SMemory32(ConstraintSet())
mem32.mmap(0x1000, 0x1000, 'rw ')
mem64 = SMemory64(ConstraintSet())
mem64.mmap(0x1000, 0x1000, 'rw ')
self._cpu_arm = Armv7Cpu(mem32)
self._cpu_arm.SP = 0x1080
self._cpu_arm.func_abi = Armv7CdeclAbi(self._cpu_arm)
self._cpu_arm.syscall_abi = Armv7LinuxSyscallAbi(self._cpu_arm)
self._cpu_x86 = I386Cpu(mem32)
self._cpu_x86.ESP = 0x1080
self._cpu_x86.func_abi = I386CdeclAbi(self._cpu_x86)
self._cpu_x86.syscall_abi = I386LinuxSyscallAbi(self._cpu_x86)
self._cpu_x64 = AMD64Cpu(mem64)
self._cpu_x64.RSP = 0x1080
self._cpu_x64.func_abi = SystemVAbi(self._cpu_x64)
self._cpu_x64.syscall_abi = AMD64LinuxSyscallAbi(self._cpu_x64)
def write(mem, where, val, size):
mem[where:where + size // 8] = [
Operators.CHR(Operators.EXTRACT(val, offset, 8))
for offset in range(0, size, 8)
]
for val in range(0, 0x100, 4):
write(mem32, 0x1000 + val, val, 32)
for val in range(0, 0x100, 8):
write(mem64, 0x1000 + val, val, 64)
def test_cache_003(self):
cs = ConstraintSet()
mem = SMemory64(cs)
cpu = AMD64Cpu(mem)
# alloc/map a little mem
addr = mem.mmap(0x1000, 0x1000, "rwx")
self.assertEqual(addr, 0x1000)
cpu.write_int(0x1000, 0x4142434445464748, 64)
cpu.write_int(0x1008, 0x6162636465666768, 64)
self.assertEqual(cpu.read_int(0x1000, 64), 0x4142434445464748)
self.assertEqual(cpu.read_int(0x1008, 64), 0x6162636465666768)
for i in range(8):
self.assertEqual(cpu.read_int(0x1000 + i, 8), ord("HGFEDCBA"[i]))
for i in range(8):
self.assertEqual(cpu.read_int(0x1008 + i, 8), ord("hgfedcba"[i]))
addr1 = cs.new_bitvec(64)
cs.add(addr1 == 0x1004)
cpu.write_int(addr1, 0x58, 8)
# 48 47 46 45 58 43 42 41 68 67 66 65 64 63 62 61
value = cpu.read_int(0x1004, 16)
self.assertItemsEqual(solver.get_all_values(cs, value), [0x4358])
addr2 = cs.new_bitvec(64)
cs.add(Operators.AND(addr2 >= 0x1000, addr2 <= 0x100C))
cpu.write_int(addr2, 0x5959, 16)
solutions = solver.get_all_values(cs, cpu.read_int(addr2, 32))
self.assertEqual(len(solutions), 0x100C - 0x1000 + 1)
self.assertEqual(
set(solutions),
set(
[
0x45465959,
0x41425959,
0x58455959,
0x65665959,
0x67685959,
0x43585959,
0x68415959,
0x42435959,
0x66675959,
0x62635959,
0x64655959,
0x63645959,
0x61625959,
]
),
)
def test_cache_002(self):
cs = ConstraintSet()
mem = SMemory64(cs)
cpu = AMD64Cpu(mem)
#alloc/map a little mem
addr = mem.mmap(0x1000, 0x1000, 'rwx')
self.assertEqual(addr, 0x1000)
cpu.write_int(0x1000, 0x4142434445464748, 64)
cpu.write_int(0x1004, 0x5152535455565758, 64)
cpu.write_int(0x1008, 0x6162636465666768, 64)
self.assertEqual(cpu.read_int(0x1000,32), 0x45464748)
self.assertEqual(cpu.read_int(0x1004,32), 0x55565758)
self.assertEqual(cpu.read_int(0x1008,32), 0x65666768)
self.assertEqual(cpu.read_int(0x1008,64), 0x6162636465666768)
self.assertEqual(cpu.read_int(0x1000,64), 0x5556575845464748)
#cpu.writeback()
for i in range(0x10):
self.assertEqual(mem[i+0x1000], b'HGFEXWVUhgfedcba'[i:i+1])