def cafter(instruction):
if instruction.address == 0x4005ae:
zfId = getRegSymbolicID(IDREF.FLAG.ZF)
zfExpr = getBacktrackedSymExpr(zfId)
expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf True))
print {k: "0x%x, '%c'" % (v, v) for k, v in getModel(expr).items()}
def cafter(instruction):
# movzx esi,BYTE PTR [rax]
# RAX points on the user password
if instruction.getAddress() == 0x400572:
rsiId = getRegSymbolicID(IDREF.REG.RSI)
convertExprToSymVar(rsiId, 64)
# mov eax,DWORD PTR [rbp-0x4]
# RAX must be equal to 0xad6d to win
if instruction.getAddress() == 0x4005c5:
print '[+] Please wait, computing in progress...'
raxId = getRegSymbolicID(IDREF.REG.RAX)
raxExpr = getFullExpression(getSymExpr(raxId).getAst())
# We want printable characters
expr = smt2lib.compound([
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_0'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_0'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_1'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_1'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_2'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_2'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_3'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_3'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_4'), smt2lib.bv(96, 64))),
smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_4'), smt2lib.bv(123, 64))),
smt2lib.smtAssert(smt2lib.equal(raxExpr, smt2lib.bv(0xad6d, 64))) # collision: (assert (= rax 0xad6d)
])
# Get max 20 different models
models = getModels(expr, 20)
for model in models:
print {k: "0x%x, '%c'" % (v, v) for k, v in model.items()}
def sbefore(instruction):
concretizeAllMem()
concretizeAllReg()
for op in instruction.getOperands():
if op.getType() == IDREF.OPERAND.MEM_R or op.getType(
) == IDREF.OPERAND.MEM_W: # The instruction must have a memory access
symId = getMemSymbolicID(op.getMem().getAddress())
if symId == IDREF.MISC.UNSET: # Case which wasn't handle
addr = op.getMem().getAddress()
if addr != 0: # Check valid address
print instruction.getDisassembly(), "at", hex(addr)
print "Operand mem size:", op.getMem().getSize()
s = convertMemToSymVar(addr,
op.getMem().getBitSize(),
"test") # convertMemToSymVar
print "New symbolic variable:"
print "[+] Comment:", s.getComment()
print "[+] Size: %d" % (s.getSize())
print "[+] Concrete value: 0x%x" % (s.getConcreteValue())
print "[+] Address: 0x%x" % (s.getKindValue())
memExpr = getFullExpression(
getSymExpr(getMemSymbolicID(
op.getMem().getAddress())).getAst())
expr = smt2lib.smtAssert(
smt2lib.equal(memExpr, smt2lib.bv(1, s.getSize())))
print expr
model = getModel(expr)
print model
return
def cafter(instruction):
# movzx esi,BYTE PTR [rax]
# RAX points on the user password
if instruction.address == 0x400572:
rsiId = getRegSymbolicID(IDREF.REG.RSI)
convertExprToSymVar(rsiId, 8)
# mov eax,DWORD PTR [rbp-0x4]
# RAX must be equal to 0xad6d to win
if instruction.address == 0x4005c5:
print '[+] Please wait, computing in progress...'
raxId = getRegSymbolicID(IDREF.REG.RAX)
raxExpr = getBacktrackedSymExpr(raxId)
expr = str()
# We want printable characters
# (assert (bvsgt SymVar_0 96)
# (assert (bvslt SymVar_0 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(96,
64)))
expr += smt2lib.smtAssert(
smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_1 96)
# (assert (bvslt SymVar_1 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_1', smt2lib.bv(96,
64)))
expr += smt2lib.smtAssert(
smt2lib.bvult('SymVar_1', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_2 96)
# (assert (bvslt SymVar_2 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_2', smt2lib.bv(96,
64)))
expr += smt2lib.smtAssert(
smt2lib.bvult('SymVar_2', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_3 96)
# (assert (bvslt SymVar_3 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_3', smt2lib.bv(96,
64)))
expr += smt2lib.smtAssert(
smt2lib.bvult('SymVar_3', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_4 96)
# (assert (bvslt SymVar_4 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_4', smt2lib.bv(96,
64)))
expr += smt2lib.smtAssert(
smt2lib.bvult('SymVar_4', smt2lib.bv(123, 64)))
# We want the collision
# (assert (= rax 0xad6d)
expr += smt2lib.smtAssert(
smt2lib.equal(raxExpr, smt2lib.bv(0xad6d, 64)))
print {k: "0x%x, '%c'" % (v, v) for k, v in getModel(expr).items()}
def cafter(instruction):
# movzx esi,BYTE PTR [rax]
# RAX points on the user password
if instruction.getAddress() == 0x400572:
convertRegToSymVar(IDREF.REG.RSI, IDREF.CPUSIZE.QWORD_BIT)
# mov eax,DWORD PTR [rbp-0x4]
# RAX must be equal to 0xad6d to win
if instruction.getAddress() == 0x4005c5:
print '[+] Please wait, computing in progress...'
raxId = getRegSymbolicID(IDREF.REG.RAX)
raxExpr = getFullExpression(getSymExpr(raxId).getAst())
# We want printable characters
expr = smt2lib.compound([
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_0'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_0'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_1'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_1'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_2'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_2'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_3'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_3'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvugt(smt2lib.variable('SymVar_4'),
smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.bvult(smt2lib.variable('SymVar_4'),
smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))),
smt2lib.smtAssert(
smt2lib.equal(raxExpr,
smt2lib.bv(0xad6d, IDREF.CPUSIZE.QWORD_BIT))
) # collision: (assert (= rax 0xad6d)
])
# Get max 20 different models
models = getModels(expr, 20)
for model in models:
print {k: "0x%x, '%c'" % (v, v) for k, v in model.items()}
def cafter(instruction):
if instruction.address == 0x4005ae:
zfId = getRegSymbolicID(IDREF.FLAG.ZF)
zfExpr = getBacktrackedSymExpr(zfId)
expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf True))
models = getModel(expr)
global password
for k, v in models.items():
password.update({getMemoryFromSymVar(k): v})
return
def cafter(instruction):
if instruction.address == 0x40058b:
convertExprToSymVar(getRegSymbolicID(IDREF.REG.RAX), 4)
if instruction.address == 0x4005ae:
zfId = getRegSymbolicID(IDREF.FLAG.ZF)
zfExpr = getBacktrackedSymExpr(zfId)
expr = smt2lib.smtAssert(smt2lib.equal(
zfExpr, smt2lib.bvtrue())) # (assert (= zf True))
print {k: "0x%x, '%c'" % (v, v) for k, v in getModel(expr).items()}
def cafter(instruction):
# [R:1] 0x400798: movsx eax, byte ptr [rcx+rax*1] R:0x7fffb63d610a: 41 (0x41)
# [W:8] 0x40079c: mov qword ptr [rbp-0x50], rax W:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
# [R:8] 0x400891: mov rax, qword ptr [rbp-0x50] R:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
if instruction.getAddress() == 0x400891:
raxId = getRegSymbolicID(IDREF.REG.RAX)
convertExprToSymVar(raxId, 64)
if instruction.getAddress() == 0x400b69:
zfId = getRegSymbolicID(IDREF.FLAG.ZF)
zfExpr = getFullExpression(getSymExpr(zfId).getAst())
expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue()))
print getModel(expr)
return
def cafter(instruction):
print '%#x: %s' %(instruction.address, instruction.assembly)
for se in instruction.symbolicElements:
if se.isTainted == True:
print '%s\t -> %s%s' %(_GREEN, se.expression, _ENDC)
else:
print '%s\t -> %s%s' %(_ENDC, se.expression, _ENDC)
if instruction.address == 0x4011ed:
raxId = getRegSymbolicID(IDREF.REG.RAX)
raxExpr = getBacktrackedSymExpr(raxId)
expr = smt2lib.smtAssert(smt2lib.equal(raxExpr, smt2lib.bv(0, 64))) # (assert (= rax 0)
print expr
print getModel(expr)
def cafter(instruction):
# movzx esi,BYTE PTR [rax]
# RAX points on the user password
if instruction.address == 0x400572:
rsiId = getRegSymbolicID(IDREF.REG.RSI)
convertExprToSymVar(rsiId, 8)
# mov eax,DWORD PTR [rbp-0x4]
# RAX must be equal to 0xad6d to win
if instruction.address == 0x4005c5:
print '[+] Please wait, computing in progress...'
raxId = getRegSymbolicID(IDREF.REG.RAX)
raxExpr = getBacktrackedSymExpr(raxId)
expr = str()
# We want printable characters
# (assert (bvsgt SymVar_0 96)
# (assert (bvslt SymVar_0 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(96, 64)))
expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_1 96)
# (assert (bvslt SymVar_1 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_1', smt2lib.bv(96, 64)))
expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_1', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_2 96)
# (assert (bvslt SymVar_2 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_2', smt2lib.bv(96, 64)))
expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_2', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_3 96)
# (assert (bvslt SymVar_3 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_3', smt2lib.bv(96, 64)))
expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_3', smt2lib.bv(123, 64)))
# (assert (bvsgt SymVar_4 96)
# (assert (bvslt SymVar_4 123)
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_4', smt2lib.bv(96, 64)))
expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_4', smt2lib.bv(123, 64)))
# We want the collision
# (assert (= rax 0xad6d)
expr += smt2lib.smtAssert(smt2lib.equal(raxExpr, smt2lib.bv(0xad6d, 64)))
print {k: "0x%x, '%c'" % (v, v) for k, v in getModel(expr).items()}
def cafter(instruction):
# 0x40058b: movzx eax, byte ptr [rax]
if instruction.address == 0x40058b:
convertRegToSymVar(IDREF.REG.RAX, 32)
# 0x4005ae: cmp ecx, eax
if instruction.address == 0x4005ae:
zfId = getRegSymbolicID(IDREF.FLAG.ZF)
zfExpr = getFullExpression(getSymExpr(zfId).getAst())
expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf True))
models = getModel(expr)
global password
for k, v in models.items():
password.update({symVarMem: v})
return
def cafter(instruction):
# 0x40058b: movzx eax, byte ptr [rax]
if instruction.getAddress() == 0x40058b:
v = convertRegToSymVar(IDREF.REG.RAX, IDREF.CPUSIZE.DWORD_BIT)
#print "Concrete value:\t%s\t%c" % (v, v.getConcreteValue())
# 0x4005ae: cmp ecx, eax
if instruction.getAddress() == 0x4005ae:
zfId = getRegSymbolicID(IDREF.FLAG.ZF)
zfExpr = getFullExpression(getSymExpr(zfId).getAst())
expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf True))
models = getModel(expr)
global password
for k, v in models.items():
password.update({symVarMem: v})
return
def cafter(instruction):
# 0x40058b: movzx eax, byte ptr [rax]
if instruction.address == 0x40058b:
convertRegToSymVar(IDREF.REG.RAX, 4)
# 0x4005ae: cmp ecx, eax
if instruction.address == 0x4005ae:
zfId = getRegSymbolicID(IDREF.FLAG.ZF)
zfExpr = getBacktrackedSymExpr(zfId)
expr = smt2lib.smtAssert(smt2lib.equal(
zfExpr, smt2lib.bvtrue())) # (assert (= zf True))
models = getModel(expr)
global password
for k, v in models.items():
password.update({symVarMem: v})
return
def cafter(instruction):
# 0x40058b: movzx eax, byte ptr [rax]
if instruction.getAddress() == 0x40058b:
v = convertRegToSymVar(IDREF.REG.RAX, IDREF.CPUSIZE.DWORD_BIT)
#print "Concrete value:\t%s\t%c" % (v, v.getConcreteValue())
# 0x4005ae: cmp ecx, eax
if instruction.getAddress() == 0x4005ae:
zfId = getRegSymbolicID(IDREF.FLAG.ZF)
zfExpr = getFullExpression(getSymExpr(zfId).getAst())
expr = smt2lib.smtAssert(smt2lib.equal(
zfExpr, smt2lib.bvtrue())) # (assert (= zf True))
models = getModel(expr)
global password
for k, v in models.items():
password.update({symVarMem: v})
return
def cafter(instruction):
print '%#x: %s' %(instruction.address, instruction.assembly)
# [R:1] 0x400798: movsx eax, byte ptr [rcx+rax*1] R:0x7fffb63d610a: 41 (0x41)
# [W:8] 0x40079c: mov qword ptr [rbp-0x50], rax W:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
# [R:8] 0x400891: mov rax, qword ptr [rbp-0x50] R:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
if instruction.address == 0x400891:
raxId = getRegSymbolicID(IDREF.REG.RAX)
convertExprToSymVar(raxId, 8)
if instruction.address == 0x400b69:
zfId = getRegSymbolicID(IDREF.FLAG.ZF)
zfExpr = getBacktrackedSymExpr(zfId)
expr = str()
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(96, 64))) # printable char
expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64))) # printable char
expr += smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf true)
print getModel(expr)
return
def sbefore(instruction):
concretizeAllMem()
concretizeAllReg()
for op in instruction.getOperands():
if op.getType() == IDREF.OPERAND.MEM_R or op.getType() == IDREF.OPERAND.MEM_W: # The instruction must have a memory access
symId = getMemSymbolicID(op.getMem().getAddress())
if symId == IDREF.MISC.UNSET: # Case which wasn't handle
addr = op.getMem().getAddress()
if addr != 0: # Check valid address
print instruction.getDisassembly(), "at", hex(addr)
print "Operand mem size:", op.getMem().getSize()
s = convertMemToSymVar(addr, op.getMem().getSize(), "test") # convertMemToSymVar
print "New symbolic variable:"
print "[+] Comment:", s.getComment()
print "[+] Size: %d" % (s.getSize())
print "[+] Concrete value: 0x%x" % (s.getConcreteValue())
print "[+] Address: 0x%x" % (s.getKindValue())
memExpr = getFullExpression(getSymExpr(getMemSymbolicID(op.getMem().getAddress())).getAst())
expr = smt2lib.smtAssert(smt2lib.equal(memExpr, smt2lib.bv(1, s.getSize())))
print expr
model = getModel(expr)
print model
return
def cafter(instruction):
print '%#x: %s' % (instruction.address, instruction.assembly)
# [R:1] 0x400798: movsx eax, byte ptr [rcx+rax*1] R:0x7fffb63d610a: 41 (0x41)
# [W:8] 0x40079c: mov qword ptr [rbp-0x50], rax W:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
# [R:8] 0x400891: mov rax, qword ptr [rbp-0x50] R:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41)
if instruction.address == 0x400891:
raxId = getRegSymbolicID(IDREF.REG.RAX)
convertExprToSymVar(raxId, 8)
if instruction.address == 0x400b69:
zfId = getRegSymbolicID(IDREF.FLAG.ZF)
zfExpr = getBacktrackedSymExpr(zfId)
expr = str()
expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(
96, 64))) # printable char
expr += smt2lib.smtAssert(
smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64))) # printable char
expr += smt2lib.smtAssert(smt2lib.equal(
zfExpr, smt2lib.bvtrue())) # (assert (= zf true)
print getModel(expr)
return
def cbefore(instruction):
if instruction.getAddress() == TritonExecution.entryPoint:
TritonExecution.AddrAfterEP = instruction.getNextAddress()
if instruction.getAddress() == TritonExecution.AddrAfterEP:
TritonExecution.myPC = [] # Reset the path constraint
TritonExecution.input = TritonExecution.worklist.pop(
) # Take the first input
TritonExecution.inputTested.append(
TritonExecution.input) # Add this input to the tested input
return
if instruction.getAddress(
) == TritonExecution.entryPoint and not isSnapshotEnabled():
print "[+] Take Snapshot"
takeSnapshot()
return
if instruction.isBranch() and instruction.getRoutineName(
) in TritonExecution.whitelist:
addr1 = instruction.getNextAddress(
) # next address next from the current one
addr2 = instruction.getOperands()[0].getImm().getValue(
) # Address in the instruction condition (branch taken)
ripId = getRegSymbolicID(
IDREF.REG.RIP
) # Get the reference of the RIP symbolic register
# [PC id, address taken, address not taken]
if instruction.isBranchTaken():
TritonExecution.myPC.append([ripId, addr2, addr1])
else:
TritonExecution.myPC.append([ripId, addr1, addr2])
return
if instruction.getAddress() == TritonExecution.exitPoint:
print "[+] Exit point"
# SAGE algorithm
# http://research.microsoft.com/en-us/um/people/pg/public_psfiles/ndss2008.pdf
for j in range(TritonExecution.input.bound,
len(TritonExecution.myPC)):
expr = []
for i in range(0, j):
ripId = TritonExecution.myPC[i][0]
symExp = getFullExpression(getSymExpr(ripId).getAst())
addr = TritonExecution.myPC[i][1]
expr.append(
smt2lib.smtAssert(
smt2lib.equal(
symExp,
smt2lib.bv(addr, IDREF.CPUSIZE.QWORD_BIT))))
ripId = TritonExecution.myPC[j][0]
symExp = getFullExpression(getSymExpr(ripId).getAst())
addr = TritonExecution.myPC[j][2]
expr.append(
smt2lib.smtAssert(
smt2lib.equal(
symExp, smt2lib.bv(addr,
IDREF.CPUSIZE.QWORD_BIT))))
expr = smt2lib.compound(expr)
model = getModel(expr)
if len(model) > 0:
newInput = deepcopy(TritonExecution.input)
newInput.setBound(j + 1)
for k, v in model.items():
symVar = getSymVar(k)
newInput.addDataAddress(symVar.getKindValue(), v)
print newInput.dataAddr
isPresent = False
for inp in TritonExecution.worklist:
if inp.dataAddr == newInput.dataAddr:
isPresent = True
break
if not isPresent:
TritonExecution.worklist.append(newInput)
# If there is input to test in the worklist, we restore the snapshot
if len(TritonExecution.worklist) > 0 and isSnapshotEnabled():
print "[+] Restore snapshot"
restoreSnapshot()
return
return
def cbefore(instruction):
if instruction.getAddress() == TritonExecution.entryPoint:
TritonExecution.AddrAfterEP = instruction.getNextAddress()
if instruction.getAddress() == TritonExecution.AddrAfterEP:
TritonExecution.myPC = [] # Reset the path constraint
TritonExecution.input = TritonExecution.worklist.pop() # Take the first input
TritonExecution.inputTested.append(TritonExecution.input) # Add this input to the tested input
return
if instruction.getAddress() == TritonExecution.entryPoint and not isSnapshotEnabled():
print "[+] Take Snapshot"
takeSnapshot()
return
if getRoutineName(instruction.getAddress()) in TritonExecution.whitelist and instruction.isBranch() and instruction.getType() != OPCODE.JMP and instruction.getOperands()[0].getType() == OPERAND.IMM:
addr1 = instruction.getNextAddress() # next address next from the current one
addr2 = instruction.getOperands()[0].getValue() # Address in the instruction condition (branch taken)
ripId = getSymbolicRegisterId(REG.RIP) # Get the reference of the RIP symbolic register
# [PC id, address taken, address not taken]
if instruction.isConditionTaken():
TritonExecution.myPC.append([ripId, addr2, addr1])
else:
TritonExecution.myPC.append([ripId, addr1, addr2])
return
if instruction.getAddress() == TritonExecution.exitPoint:
print "[+] Exit point"
# SAGE algorithm
# http://research.microsoft.com/en-us/um/people/pg/public_psfiles/ndss2008.pdf
for j in range(TritonExecution.input.bound, len(TritonExecution.myPC)):
expr = []
for i in range(0,j):
ripId = TritonExecution.myPC[i][0]
symExp = getFullAst(getSymbolicExpressionFromId(ripId).getAst())
addr = TritonExecution.myPC[i][1]
expr.append(smt2lib.smtAssert(smt2lib.equal(symExp, smt2lib.bv(addr, CPUSIZE.QWORD_BIT))))
ripId = TritonExecution.myPC[j][0]
symExp = getFullAst(getSymbolicExpressionFromId(ripId).getAst())
addr = TritonExecution.myPC[j][2]
expr.append(smt2lib.smtAssert(smt2lib.equal(symExp, smt2lib.bv(addr, CPUSIZE.QWORD_BIT))))
expr = smt2lib.compound(expr)
model = getModel(expr)
if len(model) > 0:
newInput = deepcopy(TritonExecution.input)
newInput.setBound(j + 1)
for k,v in model.items():
symVar = getSymbolicVariableFromId(k)
newInput.addDataAddress(symVar.getKindValue(), v.getValue())
print newInput.dataAddr
isPresent = False
for inp in TritonExecution.worklist:
if inp.dataAddr == newInput.dataAddr:
isPresent = True
break
if not isPresent:
TritonExecution.worklist.append(newInput)
# If there is input to test in the worklist, we restore the snapshot
if len(TritonExecution.worklist) > 0 and isSnapshotEnabled():
print "[+] Restore snapshot"
restoreSnapshot()
return
return