def test_set_get_concrete_value(self):
"""Check setting concrete values"""
for r in self.pr:
if r.getBitSize() == 32:
setConcreteRegisterValue(Register(r, 0xdeadbeaf))
elif r.getBitSize() == 64:
setConcreteRegisterValue(Register(r, 0xabcdef0123456789))
elif r.getBitSize() == 128:
setConcreteRegisterValue(Register(r, 0xabcdef01234567899876543210fedcba))
elif r.getBitSize() == 256:
setConcreteRegisterValue(Register(r, 0xabcdef01234567899876543210fedcbaabcdef01234567899876543210fedcba))
else:
pass
"""Check getting concrete values"""
for r in self.pr:
if r.getBitSize() == 32:
self.assertEqual(getConcreteRegisterValue(r), 0xdeadbeaf)
elif r.getBitSize() == 64:
self.assertEqual(getConcreteRegisterValue(r), 0xabcdef0123456789)
elif r.getBitSize() == 128:
self.assertEqual(getConcreteRegisterValue(r), 0xabcdef01234567899876543210fedcba)
elif r.getBitSize() == 256:
self.assertEqual(getConcreteRegisterValue(r), 0xabcdef01234567899876543210fedcbaabcdef01234567899876543210fedcba)
else:
pass
"""Set everything to zero"""
for r in self.ar:
setConcreteRegisterValue(Register(r, 0))
"""Check if everything is equal to zero"""
for r in self.ar:
self.assertEqual(getConcreteRegisterValue(r), 0)
def test_backup(self):
"""
Check Symbolics value are saved when engine is disable.
* Also check reseting a disable symbolic engines doesn't crash.
"""
inst = Instruction()
# update RAX
inst.setOpcodes("\x48\xFF\xC0")
processing(inst)
self.assertEqual(getSymbolicRegisterValue(REG.RAX), 1)
# This call triton::api.backupSymbolicEngine()
enableSymbolicEngine(False)
inst = Instruction()
# update RAX again
inst.setOpcodes("\x48\xFF\xC0")
processing(inst)
self.assertEqual(getConcreteRegisterValue(REG.RAX), 2, "concrete value is updated")
self.assertEqual(getSymbolicRegisterValue(REG.RAX), 1, "Symbolic value is not update")
# Try to reset engine after a backup to test if the bug #385 is fixed.
resetEngines()
def test_set_get_concrete_value(self):
"""Check setting concrete values"""
for r in self.pr:
if r.getBitSize() == 32:
setConcreteRegisterValue(Register(r, 0xdeadbeaf))
elif r.getBitSize() == 64:
setConcreteRegisterValue(Register(r, 0xabcdef0123456789))
elif r.getBitSize() == 128:
setConcreteRegisterValue(
Register(r, 0xabcdef01234567899876543210fedcba))
elif r.getBitSize() == 256:
setConcreteRegisterValue(
Register(
r,
0xabcdef01234567899876543210fedcbaabcdef01234567899876543210fedcba
))
else:
pass
"""Check getting concrete values"""
for r in self.pr:
if r.getBitSize() == 32:
self.assertEqual(getConcreteRegisterValue(r), 0xdeadbeaf)
elif r.getBitSize() == 64:
self.assertEqual(getConcreteRegisterValue(r),
0xabcdef0123456789)
elif r.getBitSize() == 128:
self.assertEqual(getConcreteRegisterValue(r),
0xabcdef01234567899876543210fedcba)
elif r.getBitSize() == 256:
self.assertEqual(
getConcreteRegisterValue(r),
0xabcdef01234567899876543210fedcbaabcdef01234567899876543210fedcba
)
else:
pass
"""Set everything to zero"""
for r in self.ar:
setConcreteRegisterValue(Register(r, 0))
"""Check if everything is equal to zero"""
for r in self.ar:
self.assertEqual(getConcreteRegisterValue(r), 0)
def test_emulate(self, concretize=False):
"""Run a dumped simulation and check output registers."""
# Get dumped data
dump = os.path.join(os.path.dirname(__file__), "misc", "emu_1.dump")
with open(dump) as f:
regs, mems = eval(f.read())
# Load memory
for mem in mems:
start = mem['start']
if mem['memory'] is not None:
setConcreteMemoryAreaValue(start, bytearray(mem['memory']))
# setup registers
for reg_name in ("rax", "rbx", "rcx", "rdx", "rdi", "rsi", "rbp",
"rsp", "rip", "r8", "r9", "r10", "r11", "r12", "r13",
"r14", "eflags", "xmm0", "xmm1", "xmm2", "xmm3",
"xmm4", "xmm5", "xmm6", "xmm7", "xmm8", "xmm9",
"xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15"):
setConcreteRegisterValue(
Register(getattr(REG, reg_name.upper()), regs[reg_name]))
# run the code
pc = getConcreteRegisterValue(REG.RIP)
while pc != 0x409A18:
opcodes = getConcreteMemoryAreaValue(pc, 20)
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Check if triton doesn't supports this instruction
self.assertTrue(processing(instruction))
pc = getConcreteRegisterValue(REG.RIP)
if concretize:
concretizeAllMemory()
concretizeAllRegister()
rax = getConcreteRegisterValue(REG.RAX)
rbx = getConcreteRegisterValue(REG.RBX)
rcx = getConcreteRegisterValue(REG.RCX)
rdx = getConcreteRegisterValue(REG.RDX)
rsi = getConcreteRegisterValue(REG.RSI)
self.assertEqual(rax, 0)
self.assertEqual(rbx, 0)
self.assertEqual(rcx, 0)
self.assertEqual(rdx, 0x4d2)
self.assertEqual(rsi, 0x3669000000000000)
def test_emulate(self, concretize=False):
"""Run a dumped simulation and check output registers."""
# Get dumped data
dump = os.path.join(os.path.dirname(__file__), "misc", "emu_1.dump")
with open(dump) as f:
regs, mems = eval(f.read())
# Load memory
for mem in mems:
start = mem['start']
if mem['memory'] is not None:
setConcreteMemoryAreaValue(start, bytearray(mem['memory']))
# setup registers
for reg_name in ("rax", "rbx", "rcx", "rdx", "rdi", "rsi", "rbp",
"rsp", "rip", "r8", "r9", "r10", "r11", "r12", "r13",
"r14", "eflags", "xmm0", "xmm1", "xmm2", "xmm3",
"xmm4", "xmm5", "xmm6", "xmm7", "xmm8", "xmm9",
"xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15"):
setConcreteRegisterValue(Register(getattr(REG, reg_name.upper()), regs[reg_name]))
# run the code
pc = getConcreteRegisterValue(REG.RIP)
while pc != 0x409A18:
opcodes = getConcreteMemoryAreaValue(pc, 20)
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Check if triton doesn't supports this instruction
self.assertTrue(processing(instruction))
pc = getConcreteRegisterValue(REG.RIP)
if concretize:
concretizeAllMemory()
concretizeAllRegister()
rax = getConcreteRegisterValue(REG.RAX)
rbx = getConcreteRegisterValue(REG.RBX)
rcx = getConcreteRegisterValue(REG.RCX)
rdx = getConcreteRegisterValue(REG.RDX)
rsi = getConcreteRegisterValue(REG.RSI)
self.assertEqual(rax, 0)
self.assertEqual(rbx, 0)
self.assertEqual(rcx, 0)
self.assertEqual(rdx, 0x4d2)
self.assertEqual(rsi, 0x3669000000000000)
def test_set_flags(self):
"""Check flags can be set in any order with a correct output result."""
registers = [
REG.ZF, REG.AF, REG.IF, REG.CF, REG.DF, REG.PF, REG.SF, REG.OF,
REG.TF
]
values = [0] * len(registers)
rand_registers = list(registers)
random.shuffle(rand_registers)
# Randomnly set flags registers and check result is the one expected
for reg in rand_registers:
setConcreteRegisterValue(Register(reg, 1))
values[registers.index(reg)] = 1
self.assertListEqual(
[getConcreteRegisterValue(r) for r in registers], values)
def _call(s):
try:
args = s.split()
module, command = args[0].split(".")
except:
# exit slently, this is not for us
return Pimp.CMD_NOT_HANDLED
try:
if module == "pimp":
self.handle(command, args[1:])
for r in self.triton_regs:
self.r2p.set_flag("regs", r, self.triton_regs[r].getSize(), triton.getConcreteRegisterValue(self.triton_regs[r]) )
return Pimp.CMD_HANDLED
# not for us
return Pimp.CMD_NOT_HANDLED
except Exception as e:
# this is an actual pimp error.
print e
return Pimp.CMD_HANDLED
def emulate(self, pc):
"""
Emulate every opcodes from pc.
* Process instruction until the end and search for constraint
resolution on cmp eax, 1 then set the new correct value and keep going.
"""
while pc:
# Fetch opcodes
opcodes = getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Process
processing(instruction)
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = getSymbolicExpressionFromId(
getSymbolicRegisterId(REG.RAX))
eax = ast.extract(31, 0, rax.getAst())
# Define constraint
cstr = ast.assert_(
ast.land(getPathConstraintsAst(),
ast.equal(eax, ast.bv(1, 32))))
model = getModel(cstr)
solution = str()
for k, v in model.items():
value = v.getValue()
solution += chr(value)
getSymbolicVariableFromId(k).setConcreteValue(value)
# Next
pc = getConcreteRegisterValue(REG.RIP)
return solution
def emulate(self, pc):
"""
Emulate every opcodes from pc.
* Process instruction until the end and search for constraint
resolution on cmp eax, 1 then set the new correct value and keep going.
"""
while pc:
# Fetch opcodes
opcodes = getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Process
processing(instruction)
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = getSymbolicExpressionFromId(getSymbolicRegisterId(REG.RAX))
eax = ast.extract(31, 0, rax.getAst())
# Define constraint
cstr = ast.assert_(ast.land(getPathConstraintsAst(), ast.equal(eax, ast.bv(1, 32))))
model = getModel(cstr)
solution = str()
for k, v in model.items():
value = v.getValue()
solution += chr(value)
getSymbolicVariableFromId(k).setConcreteValue(value)
# Next
pc = getConcreteRegisterValue(REG.RIP)
return solution
def _call(s):
try:
args = s.split()
module, command = args[0].split(".")
except:
# exit slently, this is not for us
return Pimp.CMD_NOT_HANDLED
try:
if module == "pimp":
self.handle(command, args[1:])
for r in self.triton_regs:
self.r2p.set_flag(
"regs", r, self.triton_regs[r].getSize(),
triton.getConcreteRegisterValue(
self.triton_regs[r]))
return Pimp.CMD_HANDLED
# not for us
return Pimp.CMD_NOT_HANDLED
except Exception as e:
# this is an actual pimp error.
print e
return Pimp.CMD_HANDLED
def get_current_pc(self):
return triton.getConcreteRegisterValue(self.pcreg)
def get_current_pc(self):
return triton.getConcreteRegisterValue(self.pcreg)
