def cafter(instruction): if instruction.address == 0x4005ae: zfId = getRegSymbolicID(IDREF.FLAG.ZF) zfExpr = getBacktrackedSymExpr(zfId) expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf True)) print {k: "0x%x, '%c'" % (v, v) for k, v in getModel(expr).items()}
def cafter(instruction): # movzx esi,BYTE PTR [rax] # RAX points on the user password if instruction.getAddress() == 0x400572: rsiId = getRegSymbolicID(IDREF.REG.RSI) convertExprToSymVar(rsiId, 64) # mov eax,DWORD PTR [rbp-0x4] # RAX must be equal to 0xad6d to win if instruction.getAddress() == 0x4005c5: print '[+] Please wait, computing in progress...' raxId = getRegSymbolicID(IDREF.REG.RAX) raxExpr = getFullExpression(getSymExpr(raxId).getAst()) # We want printable characters expr = smt2lib.compound([ smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_0'), smt2lib.bv(96, 64))), smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_0'), smt2lib.bv(123, 64))), smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_1'), smt2lib.bv(96, 64))), smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_1'), smt2lib.bv(123, 64))), smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_2'), smt2lib.bv(96, 64))), smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_2'), smt2lib.bv(123, 64))), smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_3'), smt2lib.bv(96, 64))), smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_3'), smt2lib.bv(123, 64))), smt2lib.smtAssert(smt2lib.bvugt(smt2lib.variable('SymVar_4'), smt2lib.bv(96, 64))), smt2lib.smtAssert(smt2lib.bvult(smt2lib.variable('SymVar_4'), smt2lib.bv(123, 64))), smt2lib.smtAssert(smt2lib.equal(raxExpr, smt2lib.bv(0xad6d, 64))) # collision: (assert (= rax 0xad6d) ]) # Get max 20 different models models = getModels(expr, 20) for model in models: print {k: "0x%x, '%c'" % (v, v) for k, v in model.items()}
def sbefore(instruction): concretizeAllMem() concretizeAllReg() for op in instruction.getOperands(): if op.getType() == IDREF.OPERAND.MEM_R or op.getType( ) == IDREF.OPERAND.MEM_W: # The instruction must have a memory access symId = getMemSymbolicID(op.getMem().getAddress()) if symId == IDREF.MISC.UNSET: # Case which wasn't handle addr = op.getMem().getAddress() if addr != 0: # Check valid address print instruction.getDisassembly(), "at", hex(addr) print "Operand mem size:", op.getMem().getSize() s = convertMemToSymVar(addr, op.getMem().getBitSize(), "test") # convertMemToSymVar print "New symbolic variable:" print "[+] Comment:", s.getComment() print "[+] Size: %d" % (s.getSize()) print "[+] Concrete value: 0x%x" % (s.getConcreteValue()) print "[+] Address: 0x%x" % (s.getKindValue()) memExpr = getFullExpression( getSymExpr(getMemSymbolicID( op.getMem().getAddress())).getAst()) expr = smt2lib.smtAssert( smt2lib.equal(memExpr, smt2lib.bv(1, s.getSize()))) print expr model = getModel(expr) print model return
def cafter(instruction): # movzx esi,BYTE PTR [rax] # RAX points on the user password if instruction.address == 0x400572: rsiId = getRegSymbolicID(IDREF.REG.RSI) convertExprToSymVar(rsiId, 8) # mov eax,DWORD PTR [rbp-0x4] # RAX must be equal to 0xad6d to win if instruction.address == 0x4005c5: print '[+] Please wait, computing in progress...' raxId = getRegSymbolicID(IDREF.REG.RAX) raxExpr = getBacktrackedSymExpr(raxId) expr = str() # We want printable characters # (assert (bvsgt SymVar_0 96) # (assert (bvslt SymVar_0 123) expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(96, 64))) expr += smt2lib.smtAssert( smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64))) # (assert (bvsgt SymVar_1 96) # (assert (bvslt SymVar_1 123) expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_1', smt2lib.bv(96, 64))) expr += smt2lib.smtAssert( smt2lib.bvult('SymVar_1', smt2lib.bv(123, 64))) # (assert (bvsgt SymVar_2 96) # (assert (bvslt SymVar_2 123) expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_2', smt2lib.bv(96, 64))) expr += smt2lib.smtAssert( smt2lib.bvult('SymVar_2', smt2lib.bv(123, 64))) # (assert (bvsgt SymVar_3 96) # (assert (bvslt SymVar_3 123) expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_3', smt2lib.bv(96, 64))) expr += smt2lib.smtAssert( smt2lib.bvult('SymVar_3', smt2lib.bv(123, 64))) # (assert (bvsgt SymVar_4 96) # (assert (bvslt SymVar_4 123) expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_4', smt2lib.bv(96, 64))) expr += smt2lib.smtAssert( smt2lib.bvult('SymVar_4', smt2lib.bv(123, 64))) # We want the collision # (assert (= rax 0xad6d) expr += smt2lib.smtAssert( smt2lib.equal(raxExpr, smt2lib.bv(0xad6d, 64))) print {k: "0x%x, '%c'" % (v, v) for k, v in getModel(expr).items()}
def cafter(instruction): # movzx esi,BYTE PTR [rax] # RAX points on the user password if instruction.getAddress() == 0x400572: convertRegToSymVar(IDREF.REG.RSI, IDREF.CPUSIZE.QWORD_BIT) # mov eax,DWORD PTR [rbp-0x4] # RAX must be equal to 0xad6d to win if instruction.getAddress() == 0x4005c5: print '[+] Please wait, computing in progress...' raxId = getRegSymbolicID(IDREF.REG.RAX) raxExpr = getFullExpression(getSymExpr(raxId).getAst()) # We want printable characters expr = smt2lib.compound([ smt2lib.smtAssert( smt2lib.bvugt(smt2lib.variable('SymVar_0'), smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))), smt2lib.smtAssert( smt2lib.bvult(smt2lib.variable('SymVar_0'), smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))), smt2lib.smtAssert( smt2lib.bvugt(smt2lib.variable('SymVar_1'), smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))), smt2lib.smtAssert( smt2lib.bvult(smt2lib.variable('SymVar_1'), smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))), smt2lib.smtAssert( smt2lib.bvugt(smt2lib.variable('SymVar_2'), smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))), smt2lib.smtAssert( smt2lib.bvult(smt2lib.variable('SymVar_2'), smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))), smt2lib.smtAssert( smt2lib.bvugt(smt2lib.variable('SymVar_3'), smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))), smt2lib.smtAssert( smt2lib.bvult(smt2lib.variable('SymVar_3'), smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))), smt2lib.smtAssert( smt2lib.bvugt(smt2lib.variable('SymVar_4'), smt2lib.bv(96, IDREF.CPUSIZE.QWORD_BIT))), smt2lib.smtAssert( smt2lib.bvult(smt2lib.variable('SymVar_4'), smt2lib.bv(123, IDREF.CPUSIZE.QWORD_BIT))), smt2lib.smtAssert( smt2lib.equal(raxExpr, smt2lib.bv(0xad6d, IDREF.CPUSIZE.QWORD_BIT)) ) # collision: (assert (= rax 0xad6d) ]) # Get max 20 different models models = getModels(expr, 20) for model in models: print {k: "0x%x, '%c'" % (v, v) for k, v in model.items()}
def cafter(instruction): if instruction.address == 0x4005ae: zfId = getRegSymbolicID(IDREF.FLAG.ZF) zfExpr = getBacktrackedSymExpr(zfId) expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf True)) models = getModel(expr) global password for k, v in models.items(): password.update({getMemoryFromSymVar(k): v}) return
def cafter(instruction): if instruction.address == 0x40058b: convertExprToSymVar(getRegSymbolicID(IDREF.REG.RAX), 4) if instruction.address == 0x4005ae: zfId = getRegSymbolicID(IDREF.FLAG.ZF) zfExpr = getBacktrackedSymExpr(zfId) expr = smt2lib.smtAssert(smt2lib.equal( zfExpr, smt2lib.bvtrue())) # (assert (= zf True)) print {k: "0x%x, '%c'" % (v, v) for k, v in getModel(expr).items()}
def cafter(instruction): # [R:1] 0x400798: movsx eax, byte ptr [rcx+rax*1] R:0x7fffb63d610a: 41 (0x41) # [W:8] 0x40079c: mov qword ptr [rbp-0x50], rax W:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41) # [R:8] 0x400891: mov rax, qword ptr [rbp-0x50] R:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41) if instruction.getAddress() == 0x400891: raxId = getRegSymbolicID(IDREF.REG.RAX) convertExprToSymVar(raxId, 64) if instruction.getAddress() == 0x400b69: zfId = getRegSymbolicID(IDREF.FLAG.ZF) zfExpr = getFullExpression(getSymExpr(zfId).getAst()) expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) print getModel(expr) return
def cafter(instruction): print '%#x: %s' %(instruction.address, instruction.assembly) for se in instruction.symbolicElements: if se.isTainted == True: print '%s\t -> %s%s' %(_GREEN, se.expression, _ENDC) else: print '%s\t -> %s%s' %(_ENDC, se.expression, _ENDC) if instruction.address == 0x4011ed: raxId = getRegSymbolicID(IDREF.REG.RAX) raxExpr = getBacktrackedSymExpr(raxId) expr = smt2lib.smtAssert(smt2lib.equal(raxExpr, smt2lib.bv(0, 64))) # (assert (= rax 0) print expr print getModel(expr)
def cafter(instruction): # movzx esi,BYTE PTR [rax] # RAX points on the user password if instruction.address == 0x400572: rsiId = getRegSymbolicID(IDREF.REG.RSI) convertExprToSymVar(rsiId, 8) # mov eax,DWORD PTR [rbp-0x4] # RAX must be equal to 0xad6d to win if instruction.address == 0x4005c5: print '[+] Please wait, computing in progress...' raxId = getRegSymbolicID(IDREF.REG.RAX) raxExpr = getBacktrackedSymExpr(raxId) expr = str() # We want printable characters # (assert (bvsgt SymVar_0 96) # (assert (bvslt SymVar_0 123) expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(96, 64))) expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64))) # (assert (bvsgt SymVar_1 96) # (assert (bvslt SymVar_1 123) expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_1', smt2lib.bv(96, 64))) expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_1', smt2lib.bv(123, 64))) # (assert (bvsgt SymVar_2 96) # (assert (bvslt SymVar_2 123) expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_2', smt2lib.bv(96, 64))) expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_2', smt2lib.bv(123, 64))) # (assert (bvsgt SymVar_3 96) # (assert (bvslt SymVar_3 123) expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_3', smt2lib.bv(96, 64))) expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_3', smt2lib.bv(123, 64))) # (assert (bvsgt SymVar_4 96) # (assert (bvslt SymVar_4 123) expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_4', smt2lib.bv(96, 64))) expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_4', smt2lib.bv(123, 64))) # We want the collision # (assert (= rax 0xad6d) expr += smt2lib.smtAssert(smt2lib.equal(raxExpr, smt2lib.bv(0xad6d, 64))) print {k: "0x%x, '%c'" % (v, v) for k, v in getModel(expr).items()}
def cafter(instruction): # 0x40058b: movzx eax, byte ptr [rax] if instruction.address == 0x40058b: convertRegToSymVar(IDREF.REG.RAX, 32) # 0x4005ae: cmp ecx, eax if instruction.address == 0x4005ae: zfId = getRegSymbolicID(IDREF.FLAG.ZF) zfExpr = getFullExpression(getSymExpr(zfId).getAst()) expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf True)) models = getModel(expr) global password for k, v in models.items(): password.update({symVarMem: v}) return
def cafter(instruction): # 0x40058b: movzx eax, byte ptr [rax] if instruction.getAddress() == 0x40058b: v = convertRegToSymVar(IDREF.REG.RAX, IDREF.CPUSIZE.DWORD_BIT) #print "Concrete value:\t%s\t%c" % (v, v.getConcreteValue()) # 0x4005ae: cmp ecx, eax if instruction.getAddress() == 0x4005ae: zfId = getRegSymbolicID(IDREF.FLAG.ZF) zfExpr = getFullExpression(getSymExpr(zfId).getAst()) expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf True)) models = getModel(expr) global password for k, v in models.items(): password.update({symVarMem: v}) return
def cafter(instruction): # 0x40058b: movzx eax, byte ptr [rax] if instruction.address == 0x40058b: convertRegToSymVar(IDREF.REG.RAX, 4) # 0x4005ae: cmp ecx, eax if instruction.address == 0x4005ae: zfId = getRegSymbolicID(IDREF.FLAG.ZF) zfExpr = getBacktrackedSymExpr(zfId) expr = smt2lib.smtAssert(smt2lib.equal( zfExpr, smt2lib.bvtrue())) # (assert (= zf True)) models = getModel(expr) global password for k, v in models.items(): password.update({symVarMem: v}) return
def cafter(instruction): # 0x40058b: movzx eax, byte ptr [rax] if instruction.getAddress() == 0x40058b: v = convertRegToSymVar(IDREF.REG.RAX, IDREF.CPUSIZE.DWORD_BIT) #print "Concrete value:\t%s\t%c" % (v, v.getConcreteValue()) # 0x4005ae: cmp ecx, eax if instruction.getAddress() == 0x4005ae: zfId = getRegSymbolicID(IDREF.FLAG.ZF) zfExpr = getFullExpression(getSymExpr(zfId).getAst()) expr = smt2lib.smtAssert(smt2lib.equal( zfExpr, smt2lib.bvtrue())) # (assert (= zf True)) models = getModel(expr) global password for k, v in models.items(): password.update({symVarMem: v}) return
def cafter(instruction): print '%#x: %s' %(instruction.address, instruction.assembly) # [R:1] 0x400798: movsx eax, byte ptr [rcx+rax*1] R:0x7fffb63d610a: 41 (0x41) # [W:8] 0x40079c: mov qword ptr [rbp-0x50], rax W:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41) # [R:8] 0x400891: mov rax, qword ptr [rbp-0x50] R:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41) if instruction.address == 0x400891: raxId = getRegSymbolicID(IDREF.REG.RAX) convertExprToSymVar(raxId, 8) if instruction.address == 0x400b69: zfId = getRegSymbolicID(IDREF.FLAG.ZF) zfExpr = getBacktrackedSymExpr(zfId) expr = str() expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv(96, 64))) # printable char expr += smt2lib.smtAssert(smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64))) # printable char expr += smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue())) # (assert (= zf true) print getModel(expr) return
def sbefore(instruction): concretizeAllMem() concretizeAllReg() for op in instruction.getOperands(): if op.getType() == IDREF.OPERAND.MEM_R or op.getType() == IDREF.OPERAND.MEM_W: # The instruction must have a memory access symId = getMemSymbolicID(op.getMem().getAddress()) if symId == IDREF.MISC.UNSET: # Case which wasn't handle addr = op.getMem().getAddress() if addr != 0: # Check valid address print instruction.getDisassembly(), "at", hex(addr) print "Operand mem size:", op.getMem().getSize() s = convertMemToSymVar(addr, op.getMem().getSize(), "test") # convertMemToSymVar print "New symbolic variable:" print "[+] Comment:", s.getComment() print "[+] Size: %d" % (s.getSize()) print "[+] Concrete value: 0x%x" % (s.getConcreteValue()) print "[+] Address: 0x%x" % (s.getKindValue()) memExpr = getFullExpression(getSymExpr(getMemSymbolicID(op.getMem().getAddress())).getAst()) expr = smt2lib.smtAssert(smt2lib.equal(memExpr, smt2lib.bv(1, s.getSize()))) print expr model = getModel(expr) print model return
def cafter(instruction): print '%#x: %s' % (instruction.address, instruction.assembly) # [R:1] 0x400798: movsx eax, byte ptr [rcx+rax*1] R:0x7fffb63d610a: 41 (0x41) # [W:8] 0x40079c: mov qword ptr [rbp-0x50], rax W:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41) # [R:8] 0x400891: mov rax, qword ptr [rbp-0x50] R:0x7fffb63d52b0: 41 00 00 00 00 00 00 00 (0x41) if instruction.address == 0x400891: raxId = getRegSymbolicID(IDREF.REG.RAX) convertExprToSymVar(raxId, 8) if instruction.address == 0x400b69: zfId = getRegSymbolicID(IDREF.FLAG.ZF) zfExpr = getBacktrackedSymExpr(zfId) expr = str() expr += smt2lib.smtAssert(smt2lib.bvugt('SymVar_0', smt2lib.bv( 96, 64))) # printable char expr += smt2lib.smtAssert( smt2lib.bvult('SymVar_0', smt2lib.bv(123, 64))) # printable char expr += smt2lib.smtAssert(smt2lib.equal( zfExpr, smt2lib.bvtrue())) # (assert (= zf true) print getModel(expr) return
def cbefore(instruction): if instruction.getAddress() == TritonExecution.entryPoint: TritonExecution.AddrAfterEP = instruction.getNextAddress() if instruction.getAddress() == TritonExecution.AddrAfterEP: TritonExecution.myPC = [] # Reset the path constraint TritonExecution.input = TritonExecution.worklist.pop( ) # Take the first input TritonExecution.inputTested.append( TritonExecution.input) # Add this input to the tested input return if instruction.getAddress( ) == TritonExecution.entryPoint and not isSnapshotEnabled(): print "[+] Take Snapshot" takeSnapshot() return if instruction.isBranch() and instruction.getRoutineName( ) in TritonExecution.whitelist: addr1 = instruction.getNextAddress( ) # next address next from the current one addr2 = instruction.getOperands()[0].getImm().getValue( ) # Address in the instruction condition (branch taken) ripId = getRegSymbolicID( IDREF.REG.RIP ) # Get the reference of the RIP symbolic register # [PC id, address taken, address not taken] if instruction.isBranchTaken(): TritonExecution.myPC.append([ripId, addr2, addr1]) else: TritonExecution.myPC.append([ripId, addr1, addr2]) return if instruction.getAddress() == TritonExecution.exitPoint: print "[+] Exit point" # SAGE algorithm # http://research.microsoft.com/en-us/um/people/pg/public_psfiles/ndss2008.pdf for j in range(TritonExecution.input.bound, len(TritonExecution.myPC)): expr = [] for i in range(0, j): ripId = TritonExecution.myPC[i][0] symExp = getFullExpression(getSymExpr(ripId).getAst()) addr = TritonExecution.myPC[i][1] expr.append( smt2lib.smtAssert( smt2lib.equal( symExp, smt2lib.bv(addr, IDREF.CPUSIZE.QWORD_BIT)))) ripId = TritonExecution.myPC[j][0] symExp = getFullExpression(getSymExpr(ripId).getAst()) addr = TritonExecution.myPC[j][2] expr.append( smt2lib.smtAssert( smt2lib.equal( symExp, smt2lib.bv(addr, IDREF.CPUSIZE.QWORD_BIT)))) expr = smt2lib.compound(expr) model = getModel(expr) if len(model) > 0: newInput = deepcopy(TritonExecution.input) newInput.setBound(j + 1) for k, v in model.items(): symVar = getSymVar(k) newInput.addDataAddress(symVar.getKindValue(), v) print newInput.dataAddr isPresent = False for inp in TritonExecution.worklist: if inp.dataAddr == newInput.dataAddr: isPresent = True break if not isPresent: TritonExecution.worklist.append(newInput) # If there is input to test in the worklist, we restore the snapshot if len(TritonExecution.worklist) > 0 and isSnapshotEnabled(): print "[+] Restore snapshot" restoreSnapshot() return return
def cbefore(instruction): if instruction.getAddress() == TritonExecution.entryPoint: TritonExecution.AddrAfterEP = instruction.getNextAddress() if instruction.getAddress() == TritonExecution.AddrAfterEP: TritonExecution.myPC = [] # Reset the path constraint TritonExecution.input = TritonExecution.worklist.pop() # Take the first input TritonExecution.inputTested.append(TritonExecution.input) # Add this input to the tested input return if instruction.getAddress() == TritonExecution.entryPoint and not isSnapshotEnabled(): print "[+] Take Snapshot" takeSnapshot() return if getRoutineName(instruction.getAddress()) in TritonExecution.whitelist and instruction.isBranch() and instruction.getType() != OPCODE.JMP and instruction.getOperands()[0].getType() == OPERAND.IMM: addr1 = instruction.getNextAddress() # next address next from the current one addr2 = instruction.getOperands()[0].getValue() # Address in the instruction condition (branch taken) ripId = getSymbolicRegisterId(REG.RIP) # Get the reference of the RIP symbolic register # [PC id, address taken, address not taken] if instruction.isConditionTaken(): TritonExecution.myPC.append([ripId, addr2, addr1]) else: TritonExecution.myPC.append([ripId, addr1, addr2]) return if instruction.getAddress() == TritonExecution.exitPoint: print "[+] Exit point" # SAGE algorithm # http://research.microsoft.com/en-us/um/people/pg/public_psfiles/ndss2008.pdf for j in range(TritonExecution.input.bound, len(TritonExecution.myPC)): expr = [] for i in range(0,j): ripId = TritonExecution.myPC[i][0] symExp = getFullAst(getSymbolicExpressionFromId(ripId).getAst()) addr = TritonExecution.myPC[i][1] expr.append(smt2lib.smtAssert(smt2lib.equal(symExp, smt2lib.bv(addr, CPUSIZE.QWORD_BIT)))) ripId = TritonExecution.myPC[j][0] symExp = getFullAst(getSymbolicExpressionFromId(ripId).getAst()) addr = TritonExecution.myPC[j][2] expr.append(smt2lib.smtAssert(smt2lib.equal(symExp, smt2lib.bv(addr, CPUSIZE.QWORD_BIT)))) expr = smt2lib.compound(expr) model = getModel(expr) if len(model) > 0: newInput = deepcopy(TritonExecution.input) newInput.setBound(j + 1) for k,v in model.items(): symVar = getSymbolicVariableFromId(k) newInput.addDataAddress(symVar.getKindValue(), v.getValue()) print newInput.dataAddr isPresent = False for inp in TritonExecution.worklist: if inp.dataAddr == newInput.dataAddr: isPresent = True break if not isPresent: TritonExecution.worklist.append(newInput) # If there is input to test in the worklist, we restore the snapshot if len(TritonExecution.worklist) > 0 and isSnapshotEnabled(): print "[+] Restore snapshot" restoreSnapshot() return return