def disassemble(self, addr=None):
if not addr is None:
pc = addr
else:
pc = self.read_reg(self.pc)
inst = triton.Instruction()
inst_code = self.get_area(pc, 16)
inst.setOpcode(inst_code)
inst.setAddress(pc)
self.tc.disassembly(inst)
return inst
def process_inst(self, pc=None):
_pc = self.get_current_pc()
if pc:
_pc = pc
opcodes = triton.getConcreteMemoryAreaValue(_pc, 16)
# Create the Triton instruction
inst = triton.Instruction()
inst.setOpcodes(opcodes)
inst.setAddress(_pc)
# execute instruction
triton.processing(inst)
return inst
def process_inst(self, pc=None):
_pc = self.get_current_pc()
if pc:
_pc = pc
opcodes = self.read_mem(_pc, 16)
# Create the Triton instruction
inst = triton.Instruction()
inst.setOpcode(opcodes)
inst.setAddress(_pc)
# execute instruction
self.triton.processing(inst)
return inst
def disassemble_inst(self, pc=None):
_pc = self.get_current_pc()
if pc:
_pc = pc
opcodes = triton.getConcreteMemoryAreaValue(_pc, 16)
# Create the Triton instruction
inst = triton.Instruction()
inst.setOpcodes(opcodes)
inst.setAddress(_pc)
# disassemble instruction
triton.disassembly(inst)
return inst
def disassemble_inst(self, pc=None):
_pc = self.get_current_pc()
if pc:
_pc = pc
opcodes = self.read_mem(_pc, 16)
# Create the Triton instruction
inst = triton.Instruction()
inst.setOpcode(opcodes)
inst.setAddress(_pc)
# disassemble instruction
self.triton.disassembly(inst)
return inst
def process(self, addr=None):
if not addr is None:
pc = addr
else:
pc = self.read_reg(self.pc)
inst = triton.Instruction()
inst_code = self.get_area(pc, 16)
inst.setOpcode(inst_code)
inst.setAddress(pc)
if not self.tc.processing(inst):
raise UnmanagedInstruction(inst)
for se in inst.getSymbolicExpressions():
se.setComment(str(inst))
return inst
def hook_opcode(ql, address, size):
global cs
# Read instruction.
buf = ql.mem.read(address, size)
instruction = next(cs.disasm(buf, address))
for tainter in ql.tainters.values():
tainter.instruction_hook(ql, instruction)
# Sync Triton and Qiling.
tainter.sync(ql)
# Process instruction, propagate taint.
inst = triton.Instruction()
inst.setAddress(address)
inst.setOpcode(bytes(buf))
tainter.triton_ctx.processing(inst)
def test_urem(self):
code = [
"\xbf\xAB\x00\x00\x00", # mov edi, 0xAB
"\xf7\xff", # idiv edi
"\x83\xfa\x00" # cmp edx, 0x00
]
TT.setArchitecture(TT.ARCH.X86_64)
rax = TT.convertRegisterToSymbolicVariable(TT.REG.RAX)
rax = tritonast2arybo(TAst.variable(rax))
rdx = TT.convertRegisterToSymbolicVariable(TT.REG.RDX)
rdx = tritonast2arybo(TAst.variable(rdx))
for opcodes in code:
inst = TT.Instruction(opcodes)
TT.processing(inst)
exprs = TT.sliceExpressions(TT.getSymbolicRegisters()[TT.REG.RDX])
e = tritonexprs2arybo(exprs)
to_llvm_function(e, [rax.v, rdx.v])
def hook_opcode(ql, address, size):
global cs
# Read instruction.
buf = ql.mem.read(address, size)
instruction = next(cs.disasm(buf, address))
# We are looking for instructions which decrement the stack pointer.
(should_taint, decrement) = is_rsp_decrement(instruction)
if should_taint:
# Taint all stack memory from current rsp to new rsp.
set_taint_range(ql, ql.reg.arch_sp - decrement, ql.reg.arch_sp,
True)
# Sync Triton and Qiling.
sync_triton_ctx(ql)
# Process instruction, propagate taint.
inst = triton.Instruction()
inst.setAddress(address)
inst.setOpcode(bytes(buf))
ql.triton_ctx.processing(inst)
import triton as TT
from arybo.tools import triton2arybo
TT.setArchitecture(TT.ARCH.X86_64)
TT.convertRegisterToSymbolicVariable(TT.REG.RAX)
TT.convertRegisterToSymbolicVariable(TT.REG.RBX)
inst = TT.Instruction()
inst.setOpcodes("\x48\x31\xd8") # xor rax, rbx
TT.processing(inst)
rax_ast = TT.buildSymbolicRegister(TT.REG.RAX)
rax_ast = TT.getFullAst(rax_ast)
print(rax_ast)
e = triton2arybo(rax_ast)
print(e)
def test_exprs_xor_5C(self):
# Based on djo's example
# This is the xor_5C example compiled with optimisations for x86-4
code = [
"\x41\xB8\xE5\xFF\xFF\xFF",
"\x89\xF8",
"\xBA\x26\x00\x00\x00",
"\x41\x0F\xAF\xC0",
"\xB9\xED\xFF\xFF\xFF",
"\x89\xC7",
"\x89\xD0",
"\x83\xEF\x09",
"\x0F\xAF\xC7",
"\x89\xC2",
"\x89\xF8",
"\x0F\xAF\xC1",
"\xB9\x4B\x00\x00\x00",
"\x8D\x44\x02\x2A",
"\x0F\xB6\xC0",
"\x89\xC2",
"\xF7\xDA",
"\x8D\x94\x12\xFF\x00\x00\x00",
"\x81\xE2\xFE\x00\x00\x00",
"\x01\xD0",
"\x8D\x14\x00",
"\x8D\x54\x02\x4D",
"\x0F\xB6\xF2",
"\x6B\xF6\x56",
"\x83\xC6\x24",
"\x83\xE6\x46",
"\x89\xF0",
"\x0F\xAF\xC1",
"\xB9\xE7\xFF\xFF\xFF",
"\x89\xC6",
"\x89\xD0",
"\xBA\x3A\x00\x00\x00",
"\x0F\xAF\xC1",
"\x89\xC1",
"\x89\xD0",
"\x8D\x4C\x0E\x76",
"\xBE\x63\x00\x00\x00",
"\x0F\xAF\xC1",
"\x89\xC2",
"\x89\xC8",
"\x0F\xAF\xC6",
"\x83\xEA\x51",
"\xBE\x2D\x00\x00\x00",
"\x83\xE2\xF4",
"\x89\xC1",
"\x8D\x4C\x0A\x2E",
"\x89\xC8",
"\x25\x94\x00\x00\x00",
"\x01\xC0",
"\x29\xC8",
"\xB9\x67\x00\x00\x00",
"\x0F\xAF\xC1",
"\x8D\x48\x0D",
"\x0F\xB6\xD1",
"\x69\xD2\xAE\x00\x00\x00",
"\x83\xCA\x22",
"\x89\xD0",
"\x41\x0F\xAF\xC0",
"\x89\xC2",
"\x89\xC8",
"\x0F\xAF\xC6",
"\x8D\x44\x02\xC2",
"\x0F\xB6\xC0",
"\x2D\xF7\x00\x00\x00",
"\x69\xC0\xED\x00\x00\x00",
"\x0F\xB6\xC0",
]
TT.setArchitecture(TT.ARCH.X86_64)
rdi = TT.convertRegisterToSymbolicVariable(TT.REG.RDI)
rdi = tritonast2arybo(TAst.variable(rdi), use_exprs=False)
for opcodes in code:
inst = TT.Instruction(opcodes)
TT.processing(inst)
rax_ast = TT.buildSymbolicRegister(TT.REG.RAX)
rax_ast = TT.getFullAst(rax_ast)
rax_ast = TT.simplify(rax_ast, True)
# Check that this gives a xor 5C
e = tritonast2arybo(rax_ast, use_exprs=self.use_expr, use_esf=False)
if self.use_expr:
e = eval_expr(e)
self.assertEqual(e, ((rdi & 0xff) ^ 0x5C).vec)
def loadBinary(path):
import lief
binary = lief.parse(path)
phdrs = binary.segments
for phdr in phdrs:
ctx.setConcreteMemoryAreaValue(phdr.virtual_address, phdr.content)
return
loadBinary(BPATH)
pc = ENTRYPOINT
while (pc):
oc = ctx.getConcreteMemoryAreaValue(pc, 16)
inst = triton.Instruction()
inst.setOpcode(oc)
inst.setAddress(pc)
ctx.processing(inst)
if inst.getAddress() == SOURCE:
ctx.taintRegister(ctx.getRegister(triton.REG.X86_64.RDI))
print("[!] Tainting register rdi")
if inst.getAddress() == SINK:
print("[!] After instruction xor rdi, rdi")
if ctx.isRegisterTainted(ctx.getRegister(triton.REG.X86_64.RDI)):
print("[!] Register rdi is still tainted")
else:
print("[!] Register rdi was sanitized")
