def testInitialRegState(self):
cpu = I386Cpu(Memory32())
#'CR0', 'CR1', 'CR2', 'CR3', 'CR4', 'CR5', 'CR6', 'CR7', 'CR8',
# 'DR0', 'DR1', 'DR2', 'DR3', 'DR4', 'DR5', 'DR6', 'DR7',
#'MM0', 'MM1', 'MM2', 'MM3', 'MM4', 'MM5', 'MM6', 'MM7',
# 'ST0', 'ST1', 'ST2', 'ST3', 'ST4', 'ST5', 'ST6', 'ST7'
values = {
"RFLAGS": 0x0,
"TOP": 0x7,
"FP0": (0, 0),
"FP1": (0, 0),
"FP2": (0, 0),
"FP3": (0, 0),
"FP4": (0, 0),
"FP5": (0, 0),
"FP6": (0, 0),
"FP7": (0, 0),
"CS": 0x0,
"SS": 0x0,
"DS": 0x0,
"ES": 0x0,
}
for reg_name in cpu.canonical_registers:
if len(reg_name) > 2:
v = values.get(reg_name, 0)
self.assertEqual(cpu.read_register(reg_name), v)
def setUp(self):
mem32 = SMemory32(ConstraintSet())
mem32.mmap(0x1000, 0x1000, 'rw ')
mem64 = SMemory64(ConstraintSet())
mem64.mmap(0x1000, 0x1000, 'rw ')
self._cpu_arm = Armv7Cpu(mem32)
self._cpu_arm.SP = 0x1080
self._cpu_arm.func_abi = Armv7CdeclAbi(self._cpu_arm)
self._cpu_arm.syscall_abi = Armv7LinuxSyscallAbi(self._cpu_arm)
self._cpu_x86 = I386Cpu(mem32)
self._cpu_x86.ESP = 0x1080
self._cpu_x86.func_abi = I386CdeclAbi(self._cpu_x86)
self._cpu_x86.syscall_abi = I386LinuxSyscallAbi(self._cpu_x86)
self._cpu_x64 = AMD64Cpu(mem64)
self._cpu_x64.RSP = 0x1080
self._cpu_x64.func_abi = SystemVAbi(self._cpu_x64)
self._cpu_x64.syscall_abi = AMD64LinuxSyscallAbi(self._cpu_x64)
def write(mem, where, val, size):
mem[where:where + size // 8] = [
Operators.CHR(Operators.EXTRACT(val, offset, 8))
for offset in range(0, size, 8)
]
for val in range(0, 0x100, 4):
write(mem32, 0x1000 + val, val, 32)
for val in range(0, 0x100, 8):
write(mem64, 0x1000 + val, val, 64)
def test_ADC_001_symbolic(self):
"""INSTRUCTION: 0x0000000067756f91: adc esi, edx"""
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
# alloc/map a little mem
code = mem.mmap(0x1000, 0x1000, "rwx")
mem[code:code + 2] = "\x13\xf2"
cpu.EIP = code
cpu.ESI = cs.new_bitvec(32, "ESI")
cs.add(cpu.ESI == 0)
cpu.EDX = cs.new_bitvec(32, "EDX")
cs.add(cpu.EDX == 0xFFFFFFFF)
cpu.CF = cs.new_bool("CF")
cs.add(cpu.CF)
cpu.execute()
cs.add(cpu.ESI == 0)
cs.add(cpu.EDX == 0xFFFFFFFF)
cs.add(cpu.CF)
self.assertTrue(solver.check(cs))
def test_SAR_2(self):
''' Instruction SAR_2
'''
mem = Memory32()
cpu = I386Cpu(mem)
mem.mmap(0x0041e000, 0x1000, 'rwx')
mem[0x0041e10a] = '\xc0'
mem[0x0041e10b] = '\xf8'
mem[0x0041e10c] = '\x9f'
cpu.RIP = 0x41e10a
cpu.CF = True
cpu.SF = True
cpu.ZF = False
cpu.AF = False
cpu.OF = False
cpu.PF = False
cpu.EAX = 0xfffffffd
cpu.execute()
self.assertEqual(cpu.PF, True)
self.assertEqual(cpu.SF, True)
self.assertEqual(cpu.ZF, False)
self.assertEqual(cpu.OF, False)
self.assertEqual(cpu.AF, False)
self.assertEqual(cpu.EAX, 0xffffffff)
def test_ADC_001_symbolic(self):
'''INSTRUCTION: 0x0000000067756f91: adc esi, edx'''
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
#alloc/map a little mem
code = mem.mmap(0x1000, 0x1000, 'rwx')
mem[code:code+2] = '\x13\xf2'
cpu.EIP = code
cpu.ESI = cs.new_bitvec(32, 'ESI')
cs.add(cpu.ESI == 0)
cpu.EDX = cs.new_bitvec(32, 'EDX')
cs.add(cpu.EDX == 0xffffffff)
cpu.CF = cs.new_bool('CF')
cs.add(cpu.CF)
cpu.execute()
cs.add(cpu.ESI == 0)
cs.add(cpu.EDX == 0xffffffff)
cs.add(cpu.CF)
self.assertTrue(solver.check(cs))
def test_MOVHPS_1(self):
mem = Memory32()
cpu = I386Cpu(mem)
mem.mmap(0x0041E000, 0x1000, "rwx")
# 3.14
mem[0x0041E000] = "\x40"
mem[0x0041E001] = "\x48"
mem[0x0041E002] = "\xf5"
mem[0x0041E003] = "\xc3"
# 6.28
mem[0x0041E004] = "\x40"
mem[0x0041E005] = "\xc8"
mem[0x0041E006] = "\xf5"
mem[0x0041E007] = "\xc3"
# movhps xmm0, qword ptr [eax]
mem[0x0041E10A] = "\x0f"
mem[0x0041E10B] = "\x16"
mem[0x0041E10C] = "\x00"
cpu.RIP = 0x41E10A
cpu.EAX = 0x41E000
cpu.XMM0 = 0x0000000000000000FFFFFFFFFFFFFFFF
cpu.execute()
self.assertEqual(cpu.XMM0, 0xC3F5C840C3F54840FFFFFFFFFFFFFFFF)
def test_CMPXCHG8B_symbolic(self):
'''CMPXCHG8B'''
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
#alloc/map a little mem
code = mem.mmap(0x1000, 0x1000, 'rwx')
data = mem.mmap(0x2000, 0x1000, 'rwx')
mem[code:code+5] = '\xf0\x0f\xc7\x0f;'
cpu.EIP = code
cpu.EDI = cs.new_bitvec(32, 'EDI')
cs.add( Operators.OR(cpu.EDI == 0x2000, cpu.EDI == 0x2100, cpu.EDI == 0x2200 ) )
self.assertEqual(sorted(solver.get_all_values(cs, cpu.EDI)),[0x2000,0x2100,0x2200])
self.assertEqual(cpu.read_int(0x2000,64), 0)
self.assertEqual(cpu.read_int(0x2100,64), 0)
self.assertEqual(cpu.read_int(0x2200,64), 0)
self.assertItemsEqual(solver.get_all_values(cs, cpu.read_int(cpu.EDI,64)), [0])
#self.assertEqual(cpu.read_int(cpu.EDI,64), 0 )
cpu.write_int(0x2100, 0x4142434445464748, 64)
cpu.EAX = cs.new_bitvec(32, 'EAX')
cs.add( Operators.OR(cpu.EAX == 0x41424344, cpu.EAX == 0x0badf00d, cpu.EAX == 0xf7f7f7f7 ) )
cpu.EDX= 0x45464748
cpu.execute()
self.assertTrue(solver.check(cs))
self.assertItemsEqual(solver.get_all_values(cs, cpu.read_int(cpu.EDI,64)), [0, 4702394921427289928])
def test_SAR_2(self):
""" Instruction SAR_2
"""
mem = Memory32()
cpu = I386Cpu(mem)
mem.mmap(0x0041E000, 0x1000, "rwx")
mem[0x0041E10A] = "\xc0"
mem[0x0041E10B] = "\xf8"
mem[0x0041E10C] = "\x9f"
cpu.RIP = 0x41E10A
cpu.CF = True
cpu.SF = True
cpu.ZF = False
cpu.AF = False
cpu.OF = False
cpu.PF = False
cpu.EAX = 0xFFFFFFFD
cpu.execute()
self.assertEqual(cpu.PF, True)
self.assertEqual(cpu.SF, True)
self.assertEqual(cpu.ZF, False)
self.assertEqual(cpu.OF, False)
self.assertEqual(cpu.AF, False)
self.assertEqual(cpu.EAX, 0xFFFFFFFF)
def test_PUSHFD_1(self):
""" Instruction PUSHFD_1
Groups: not64bitmode
0x8065f6f: pushfd
"""
mem = Memory32()
cpu = I386Cpu(mem)
mem.mmap(0x08065000, 0x1000, "rwx")
mem.mmap(0xFFFFC000, 0x1000, "rwx")
mem[0xFFFFC600:0xFFFFC609] = b"\x00\x00\x00\x00\x02\x03\x00\x00\x00"
mem[0x08065F6F] = b"\x9c"
cpu.EIP = 0x8065F6F
cpu.EBP = 0xFFFFB600
cpu.ESP = 0xFFFFC604
cpu.CF = True
cpu.OF = True
cpu.AF = True
cpu.ZF = True
cpu.PF = True
cpu.execute()
self.assertItemsEqual(
mem[0xFFFFC600:0xFFFFC609],
to_bytelist(b"\x55\x08\x00\x00\x02\x03\x00\x00\x00"))
self.assertEqual(mem[0x8065F6F], b"\x9c")
self.assertEqual(cpu.EIP, 0x8065F70)
self.assertEqual(cpu.EBP, 0xFFFFB600)
self.assertEqual(cpu.ESP, 0xFFFFC600)
def test_PUSHFD_1(self):
''' Instruction PUSHFD_1
Groups: not64bitmode
0x8065f6f: pushfd
'''
mem = Memory32()
cpu = I386Cpu(mem)
mem.mmap(0x08065000, 0x1000, 'rwx')
mem.mmap(0xffffc000, 0x1000, 'rwx')
mem[0xffffc600:0xffffc609] = b'\x00\x00\x00\x00\x02\x03\x00\x00\x00'
mem[0x08065f6f] = b'\x9c'
cpu.EIP = 0x8065f6f
cpu.EBP = 0xffffb600
cpu.ESP = 0xffffc604
cpu.CF = True
cpu.OF = True
cpu.AF = True
cpu.ZF = True
cpu.PF = True
cpu.execute()
self.assertItemsEqual(mem[0xffffc600:0xffffc609], to_bytelist(b'\x55\x08\x00\x00\x02\x03\x00\x00\x00'))
self.assertEqual(mem[0x8065f6f], b'\x9c')
self.assertEqual(cpu.EIP, 0x8065f70)
self.assertEqual(cpu.EBP, 0xffffb600)
self.assertEqual(cpu.ESP, 0xffffc600)
def test_get_sym_eflags(self):
def flatten_ors(x: BitVecOr) -> List:
"""
Retrieve all nodes of a BitVecOr expression tree
"""
assert isinstance(x, BitVecOr)
if any(isinstance(op, BitVecOr) for op in x.operands):
ret: List = []
for op in x.operands:
if isinstance(op, BitVecOr):
ret += flatten_ors(op)
else:
ret.append(op)
return ret
else:
return list(x.operands)
cpu = I386Cpu(Memory32())
cpu.CF = 1
cpu.AF = 1
a = BitVecConstant(32, 1) != 0
b = BitVecConstant(32, 0) != 0
cpu.ZF = a
cpu.SF = b
flags = flatten_ors(cpu.EFLAGS)
self.assertTrue(isinstance(cpu.EFLAGS, BitVecOr))
self.assertEqual(len(flags), 8)
self.assertEqual(cpu.CF, 1)
self.assertEqual(cpu.AF, 1)
self.assertIs(cpu.ZF, a)
self.assertIs(cpu.SF, b)
def test_SAR_1(self):
''' Instruction SAR_1
Groups: mode64
0x41e10a: SAR cl, EBX
Using the SAR instruction to perform a division operation does not produce the same result as the IDIV instruction. The quotient from the IDIV instruction is rounded toward zero, whereas the "quotient" of the SAR instruction is rounded toward negative infinity. This difference is apparent only for negative numbers. For example, when the IDIV instruction is used to divide -9 by 4, the result is -2 with a remainder of -1. If the SAR instruction is used to shift -9 right by two bits, the result is -3 and the "remainder" is +3; however, the SAR instruction stores only the most significant bit of the remainder (in the CF flag).
'''
mem = Memory32()
cpu = I386Cpu(mem)
mem.mmap(0x0041e000, 0x1000, 'rwx')
mem[0x0041e10a] = '\xc1'
mem[0x0041e10b] = '\xf8'
mem[0x0041e10c] = '\x02'
cpu.RIP = 0x41e10a
cpu.PF = True
cpu.SF = True
cpu.ZF = False
cpu.AF = False
cpu.OF = False
cpu.EAX = 0xfffffff7
cpu.execute()
self.assertEqual(cpu.CF, True)
self.assertEqual(cpu.SF, True)
self.assertEqual(cpu.PF, False)
self.assertEqual(cpu.ZF, False)
self.assertEqual(cpu.EAX, 0xfffffffd)
def test_set_eflags(self) -> None:
cpu = I386Cpu(Memory32())
self.assertEqual(cpu.EFLAGS, 0)
flags = ["CF", "PF", "AF", "ZF", "SF"]
cpu.EFLAGS = self._construct_flag_bitfield(flags)
self._check_flags_CPAZSIDO(cpu, 1, 1, 1, 1, 1, 0, 0, 0)
def test_get_eflags(self) -> None:
cpu = I386Cpu(Memory32())
self.assertEqual(cpu.EFLAGS, 0)
flags = ["CF", "AF", "SF"]
cpu.CF = 1
cpu.AF = 1
cpu.SF = 1
cpu.DF = 0
self.assertEqual(cpu.EFLAGS, self._construct_flag_bitfield(flags))
def testRegisterCacheAccess(self):
cpu = I386Cpu(Memory32())
cpu.ESI = 0x12345678
self.assertEqual(cpu.ESI, 0x12345678)
cpu.SI = 0xAAAA
self.assertEqual(cpu.SI, 0xAAAA)
cpu.RAX = 0x12345678AABBCCDD
self.assertEqual(cpu.ESI, 0x1234AAAA)
cpu.SI = 0xAAAA
self.assertEqual(cpu.SI, 0xAAAA)
def test_SAR_2_symbolicsa(self):
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
mem.mmap(0x0041E000, 0x1000, "rwx")
mem[0x0041E10A] = "\xc0"
mem[0x0041E10B] = "\xf8"
mem[0x0041E10C] = "\xff"
cpu.RIP = 0x41E10A
cpu.PF = cs.new_bool()
cs.add(cpu.PF == True)
cpu.CF = cs.new_bool()
cs.add(cpu.CF == False)
cpu.SF = cs.new_bool()
cs.add(cpu.SF == True)
cpu.ZF = cs.new_bool()
cs.add(cpu.ZF == False)
cpu.AF = cs.new_bool()
cs.add(cpu.AF == False)
cpu.OF = cs.new_bool()
cs.add(cpu.OF == False)
cpu.EAX = cs.new_bitvec(32)
cs.add(cpu.EAX == 0xFFFFFFFF)
done = False
while not done:
try:
cpu.execute()
done = True
except ConcretizeRegister as e:
symbol = getattr(cpu, e.reg_name)
values = solver.get_all_values(cs, symbol)
self.assertEqual(len(values), 1)
setattr(cpu, e.reg_name, values[0])
condition = True
condition = Operators.AND(condition, cpu.EAX == 0xFFFFFFFF)
condition = Operators.AND(condition, cpu.ZF == False)
condition = Operators.AND(condition, cpu.PF == True)
condition = Operators.AND(condition, cpu.SF == True)
condition = Operators.AND(condition, cpu.CF == True)
with cs as temp_cs:
temp_cs.add(condition)
self.assertTrue(solver.check(temp_cs))
with cs as temp_cs:
temp_cs.add(condition == False)
self.assertFalse(solver.check(temp_cs))
def test_IDIV_grr001(self):
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
#alloc/map a little mem
code = mem.mmap(0x1000, 0x1000, 'rwx')
mem[code:code+2] = '\xf7\xf9'
cpu.EIP = code
cpu.EAX = 0xffffffff
cpu.EDX = 0xffffffff
cpu.ECX = 0x32
cpu.execute()
self.assertEqual(cpu.EAX, 0)
def test_SAR_1_symbolic(self):
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
mem.mmap(0x0041e000, 0x1000, 'rwx')
mem[0x0041e10a] = '\xc1'
mem[0x0041e10b] = '\xf8'
mem[0x0041e10c] = '\x02'
cpu.RIP = 0x41e10a
cpu.PF = cs.new_bool()
cs.add(cpu.PF == True)
cpu.SF = cs.new_bool()
cs.add(cpu.SF == True)
cpu.ZF = cs.new_bool()
cs.add(cpu.ZF == False)
cpu.AF = cs.new_bool()
cs.add(cpu.AF == False)
cpu.OF = cs.new_bool()
cs.add(cpu.OF == False)
cpu.EAX = cs.new_bitvec(32)
cs.add(cpu.EAX == 0xfffffff7)
done = False
while not done:
try:
cpu.execute()
#cpu.writeback()
done = True
except ConcretizeRegister as e:
symbol = getattr(cpu, e.reg_name)
values = solver.get_all_values(cs, symbol)
self.assertEqual(len(values), 1)
setattr(cpu, e.reg_name, values[0])
condition = True
condition = Operators.AND(condition, cpu.EAX == 0xfffffffd)
condition = Operators.AND(condition, cpu.ZF == False)
condition = Operators.AND(condition, cpu.CF == True)
condition = Operators.AND(condition, cpu.SF == True)
condition = Operators.AND(condition, cpu.PF == False)
with cs as temp_cs:
temp_cs.add(condition)
self.assertTrue(solver.check(temp_cs))
with cs as temp_cs:
temp_cs.add(condition == False)
self.assertFalse(solver.check(temp_cs))
def test_XLATB_1_symbolic(self):
''' Instruction XLATB_1
Groups:
0x8059a8d: xlatb
'''
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
mem.mmap(0x08059000, 0x1000, 'rwx')
mem.mmap(0xffffd000, 0x1000, 'rwx')
mem[0x8059a8d] = '\xd7'
mem[0xffffd00a] = '\x41'
cpu.EIP = 0x8059a8d
cpu.AL=0xa
cpu.EBX=0xffffd000
def test_XLATB_1_symbolic(self):
""" Instruction XLATB_1
Groups:
0x8059a8d: xlatb
"""
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
mem.mmap(0x08059000, 0x1000, "rwx")
mem.mmap(0xFFFFD000, 0x1000, "rwx")
mem[0x8059A8D] = "\xd7"
mem[0xFFFFD00A] = "\x41"
cpu.EIP = 0x8059A8D
cpu.AL = 0xA
cpu.EBX = 0xFFFFD000
def test_set_sym_eflags(self):
def check_flag(obj, flag):
equal = obj.operands[0]
extract = equal.operands[0]
assert isinstance(obj, Bool)
assert extract.begining == self._flag_offsets[flag]
assert extract.end == extract.begining
flags = ["CF", "PF", "AF", "ZF"]
sym_bitfield = self._construct_sym_flag_bitfield(flags)
cpu = I386Cpu(Memory32())
cpu.EFLAGS = sym_bitfield
check_flag(cpu.CF, "CF")
check_flag(cpu.PF, "PF")
check_flag(cpu.AF, "AF")
check_flag(cpu.ZF, "ZF")
def test_MOVHPS_2(self):
mem = Memory32()
cpu = I386Cpu(mem)
mem.mmap(0x0041E000, 0x1000, "rwx")
# movhps qword ptr [eax], xmm1
mem[0x0041E10A] = "\x0f"
mem[0x0041E10B] = "\x17"
mem[0x0041E10C] = "\x08"
cpu.RIP = 0x41E10A
cpu.EAX = 0x41E000
cpu.XMM1 = 0x4048F5C340C8F5C3FFFFFFFFFFFFFFFF
cpu.execute()
self.assertItemsEqual(mem[0x41E000:0x41E004], to_bytelist(b"\x40\xc8\xf5\xc3"))
self.assertItemsEqual(mem[0x41E004:0x41E008], to_bytelist(b"\x40\x48\xf5\xc3"))
def test_IDIV_concrete(self):
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
#alloc/map a little mem
code = mem.mmap(0x1000, 0x1000, 'rwx')
stack = mem.mmap(0xf000, 0x1000, 'rw')
mem[code:code+3] = '\xf7\x7d\xf4'
cpu.EIP = code
cpu.EAX = 116
cpu.EBP=stack+0x700
cpu.write_int(cpu.EBP - 0xc, 100, 32)
cpu.execute()
self.assertEqual(cpu.EAX, 1)
def test_symbolic_instruction(self):
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
# alloc/map a little mem
code = mem.mmap(0x1000, 0x1000, 'rwx')
stack = mem.mmap(0xf000, 0x1000, 'rw')
mem[code] = BitVecConstant(8, 0x90)
cpu.EIP = code
cpu.EAX = 116
cpu.EBP = stack + 0x700
cpu.write_int(cpu.EBP - 0xc, 100, 32)
cpu.execute()
self.assertEqual(cpu.EIP, code+1)
def test_ADC_001(self):
"""INSTRUCTION: 0x0000000067756f91: adc esi, edx"""
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
# alloc/map a little mem
code = mem.mmap(0x1000, 0x1000, "rwx")
mem[code:code + 2] = "\x13\xf2"
cpu.EIP = code
cpu.ESI = 0x0
cpu.EDX = 0xFFFFFFFF
cpu.CF = True
cpu.execute()
self.assertEqual(cpu.EDX, 0xFFFFFFFF)
self.assertEqual(cpu.ESI, 0)
self.assertEqual(cpu.CF, True)
def test_ADC_001(self):
'''INSTRUCTION: 0x0000000067756f91: adc esi, edx'''
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
#alloc/map a little mem
code = mem.mmap(0x1000, 0x1000, 'rwx')
mem[code:code+2] = '\x13\xf2'
cpu.EIP = code
cpu.ESI = 0x0
cpu.EDX = 0xffffffff
cpu.CF = True
cpu.execute()
self.assertEqual(cpu.EDX, 0xffffffff)
self.assertEqual(cpu.ESI, 0)
self.assertEqual(cpu.CF, True)
def test_POPCNT(self):
'''POPCNT EAX, EAX
CPU Dump
Address Hex dump
00333689 F3 0F B8 C0
'''
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
#alloc/map a little mem
code = mem.mmap(0x1000, 0x1000, 'rwx')
mem[code:code+4] = '\xF3\x0F\xB8\xC0'
cpu.EIP = code
cpu.EAX = 0x75523C33
cpu.execute()
self.assertEqual(cpu.EAX, 0x10)
self.assertEqual(cpu.ZF, False)
def test_IDIV_grr001_symbolic(self):
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
#alloc/map a little mem
code = mem.mmap(0x1000, 0x1000, 'rwx')
mem[code:code+2] = '\xf7\xf9'
cpu.EIP = code
cpu.EAX = cs.new_bitvec(32, 'EAX')
cs.add(cpu.EAX == 0xffffffff)
cpu.EDX = cs.new_bitvec(32, 'EDX')
cs.add(cpu.EDX == 0xffffffff)
cpu.ECX = cs.new_bitvec(32, 'ECX')
cs.add(cpu.ECX == 0x32)
cpu.execute()
cs.add(cpu.EAX == 0)
self.assertTrue(solver.check(cs))
def test_XLATB_1(self):
''' Instruction XLATB_1
Groups:
0x8059a8d: xlatb
'''
mem = Memory32()
cpu = I386Cpu(mem)
mem.mmap(0x08059000, 0x1000, 'rwx')
mem.mmap(0xffffd000, 0x1000, 'rwx')
mem[0x08059a8d] = b'\xd7'
mem[0xffffd00a] = b'\x41'
cpu.EBX=0xffffd000
cpu.AL=0x0a
cpu.EIP = 0x8059a8d
cpu.execute()
self.assertEqual(mem[0x8059a8d], b'\xd7')
self.assertEqual(mem[0xffffd00a], b'\x41')
self.assertEqual(cpu.AL, 0x41)
self.assertEqual(cpu.EIP, 134584974)
def test_IDIV_symbolic(self):
cs = ConstraintSet()
mem = SMemory32(cs)
cpu = I386Cpu(mem)
#alloc/map a little mem
code = mem.mmap(0x1000, 0x1000, 'rwx')
stack = mem.mmap(0xf000, 0x1000, 'rw')
mem[code:code+3] = '\xf7\x7d\xf4'
cpu.EIP = code
cpu.EAX = cs.new_bitvec(32, 'EAX')
cs.add(cpu.EAX == 116)
cpu.EBP = cs.new_bitvec(32, 'EBP')
cs.add(cpu.EBP == stack+0x700)
value = cs.new_bitvec(32, 'VALUE')
cpu.write_int(cpu.EBP - 0xc, value, 32)
cs.add(value == 100)
cpu.execute()
cs.add(cpu.EAX == 1)
self.assertTrue(solver.check(cs))