def test_constructor(self):
"""Check opcode informations."""
inst1 = Instruction()
inst2 = Instruction(b"\xc3")
inst3 = Instruction(0x1000, b"\xc3")
self.assertEqual(inst1.getOpcode(), b"")
self.assertEqual(inst1.getAddress(), 0)
self.assertEqual(inst2.getOpcode(), b"\xc3")
self.assertEqual(inst2.getAddress(), 0)
self.assertEqual(inst3.getOpcode(), b"\xc3")
self.assertEqual(inst3.getAddress(), 0x1000)
def test_address(self):
"""Check instruction current and next address."""
self.assertEqual(self.inst.getAddress(), 0x400000)
self.assertEqual(self.inst.getNextAddress(), 0x400003)
inst = Instruction()
inst.setAddress(-1)
self.assertEqual(inst.getAddress(), 0xffffffffffffffff)
inst.setAddress(-2)
self.assertEqual(inst.getAddress(), 0xfffffffffffffffe)
inst.setAddress(-3)
self.assertEqual(inst.getAddress(), 0xfffffffffffffffd)
def emulate(pc):
global frameDepth
while (True):
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
inst = Instruction()
inst.setOpcode(opcode)
inst.setAddress(pc)
Triton.processing(inst)
# if(inst.getAddress() == int(sys.argv[2],16)):
# dumpInput()
# exit(0)
print inst,
print "size: " + str(format(inst.getSize(), 'x'))
if (inst.getType() == OPCODE.CALL):
frameDepth += 1
esp = Triton.getConcreteRegisterValue(Triton.registers.rsp)
retAddr = Triton.getConcreteMemoryValue(MemoryAccess(esp, 4))
returnStack.append(retAddr)
for ret in returnStack:
print format(ret, 'x')
# printStack()
if inst.getAddress() == 0x804849b or inst.getAddress(
) == 0x804847a or inst.getAddress() == 0x804844c:
print "EAX:"+str(format(Triton.getConcreteRegisterValue(Triton.registers.rax),'x')) + \
" EDX:"+str(format(Triton.getConcreteRegisterValue(Triton.registers.rdx),'x')) + \
" EBP : "+ str(format(Triton.getConcreteRegisterValue(Triton.registers.rbp),'x')) + \
" EIP : "+ str(format(Triton.getConcreteRegisterValue(Triton.registers.rip),'x'))
id = Triton.getSymbolicRegisterId(Triton.registers.rax)
currentEBP = Triton.getConcreteRegisterValue(Triton.registers.rbp)
if (inst.getType() == OPCODE.HLT):
break
hookingHandler()
if inst.getType() == OPCODE.RET:
frameDepth -= 1
evaluatepc()
if (inst.getAddress() == 0):
exit(0)
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
def emulate(pc):
global instCount
global taintCount
astCtxt = Triton.getAstContext()
print('[+] Starting emulation.')
while pc:
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
if instruction.getAddress() == 0x400a74:
Triton.taintRegister(Triton.registers.rdi)
Triton.processing(instruction)
hookingHandler(Triton)
if "call" in str(instruction):
print('[call] %s' % (str(instruction)))
print("skipping...")
ret_addr = Triton.getConcreteMemoryValue(
MemoryAccess(
Triton.getConcreteRegisterValue(Triton.registers.rsp),
CPUSIZE.QWORD))
Triton.setConcreteRegisterValue(Triton.registers.rip, ret_addr)
Triton.setConcreteRegisterValue(
Triton.registers.rsp,
Triton.getConcreteRegisterValue(Triton.registers.rsp) +
CPUSIZE.QWORD)
instCount += 1
if instruction.isTainted():
print('[tainted] %s' % (str(instruction)))
taintCount += 1
else:
#print(instruction)
pass
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
print('[*] ' + str(instCount) + ' instructions emulated')
print('[*] ' + str(taintCount) + ' instructions tainted')
return
def emulate(self, pc):
"""
Emulate every opcode from pc.
* Process instruction until the end and search for constraint
resolution on cmp eax, 1 then self.Triton.set the new correct value and keep going.
"""
astCtxt = self.Triton.getAstContext()
while pc:
# Fetch opcode
opcode = self.Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
self.Triton.processing(instruction)
self.assertTrue(checkAstIntegrity(instruction))
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = self.Triton.getSymbolicExpressionFromId(
self.Triton.getSymbolicRegisterId(
self.Triton.registers.rax))
eax = astCtxt.extract(31, 0, rax.getAst())
# Define constraint
cstr = astCtxt.land([
self.Triton.getPathConstraintsAst(),
astCtxt.equal(eax, astCtxt.bv(1, 32))
])
model = self.Triton.getModel(cstr)
solution = str()
for k, v in model.items():
value = v.getValue()
solution += chr(value)
self.Triton.setConcreteSymbolicVariableValue(
self.Triton.getSymbolicVariableFromId(k), value)
# Next
pc = self.Triton.getConcreteRegisterValue(
self.Triton.registers.rip)
return solution
def emulate(pc):
astCtxt = Triton.getAstContext()
print '[+] Starting emulation.'
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
print instruction
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = Triton.getSymbolicRegister(Triton.registers.rax)
eax = astCtxt.extract(31, 0, rax.getAst())
# Define constraint
cstr = astCtxt.land([
Triton.getPathConstraintsAst(),
astCtxt.equal(eax, astCtxt.bv(1, 32))
])
print '[+] Asking for a model, please wait...'
model = Triton.getModel(cstr)
for k, v in model.items():
value = v.getValue()
Triton.setConcreteVariableValue(
Triton.getSymbolicVariableFromId(k), value)
print '[+] Symbolic variable %02d = %02x (%c)' % (k, value,
chr(value))
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
print '[+] Emulation done.'
return
def emulate(self, pc):
"""
Emulate every opcodes from pc.
* Process instruction until the end and search for constraint
resolution on cmp eax, 1 then set the new correct value and keep going.
"""
while pc:
# Fetch opcodes
opcodes = getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Process
processing(instruction)
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = getSymbolicExpressionFromId(
getSymbolicRegisterId(REG.RAX))
eax = ast.extract(31, 0, rax.getAst())
# Define constraint
cstr = ast.assert_(
ast.land(getPathConstraintsAst(),
ast.equal(eax, ast.bv(1, 32))))
model = getModel(cstr)
solution = str()
for k, v in model.items():
value = v.getValue()
solution += chr(value)
getSymbolicVariableFromId(k).setConcreteValue(value)
# Next
pc = getConcreteRegisterValue(REG.RIP)
return solution
def emulate(self, pc):
"""
Emulate every opcode from pc.
* Process instruction until the end and search for constraint
resolution on cmp eax, 1 then self.Triton.set the new correct value and keep going.
"""
astCtxt = self.Triton.getAstContext()
while pc:
# Fetch opcode
opcode = self.Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
self.Triton.processing(instruction)
self.assertTrue(checkAstIntegrity(instruction))
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = self.Triton.getSymbolicRegister(self.Triton.registers.rax)
eax = astCtxt.extract(31, 0, rax.getAst())
# Define constraint
cstr = astCtxt.land([self.Triton.getPathConstraintsAst(), astCtxt.equal(eax, astCtxt.bv(1, 32))])
model = self.Triton.getModel(cstr)
solution = str()
for k, v in model.items():
value = v.getValue()
solution += chr(value)
self.Triton.setConcreteVariableValue(self.Triton.getSymbolicVariableFromId(k), value)
# Next
pc = self.Triton.getConcreteRegisterValue(self.Triton.registers.rip)
return solution
def emulate(pc):
astCtxt = Triton.getAstContext()
print '[+] Starting emulation.'
while pc:
# Fetch opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
# Process
Triton.processing(instruction)
print instruction
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = Triton.getSymbolicRegister(Triton.registers.rax)
eax = astCtxt.extract(31, 0, rax.getAst())
# Define constraint
cstr = astCtxt.land([
Triton.getPathConstraintsAst(),
astCtxt.equal(eax, astCtxt.bv(1, 32))
])
print '[+] Asking for a model, please wait...'
model = Triton.getModel(cstr)
for k, v in model.items():
value = v.getValue()
Triton.setConcreteVariableValue(Triton.getSymbolicVariableFromId(k), value)
print '[+] Symbolic variable %02d = %02x (%c)' %(k, value, chr(value))
# Next
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
print '[+] Emulation done.'
return
def emulate(self, pc):
"""
Emulate every opcodes from pc.
* Process instruction until the end and search for constraint
resolution on cmp eax, 1 then set the new correct value and keep going.
"""
while pc:
# Fetch opcodes
opcodes = getConcreteMemoryAreaValue(pc, 16)
# Create the Triton instruction
instruction = Instruction()
instruction.setOpcodes(opcodes)
instruction.setAddress(pc)
# Process
processing(instruction)
# 40078B: cmp eax, 1
# eax must be equal to 1 at each round.
if instruction.getAddress() == 0x40078B:
# Slice expressions
rax = getSymbolicExpressionFromId(getSymbolicRegisterId(REG.RAX))
eax = ast.extract(31, 0, rax.getAst())
# Define constraint
cstr = ast.assert_(ast.land(getPathConstraintsAst(), ast.equal(eax, ast.bv(1, 32))))
model = getModel(cstr)
solution = str()
for k, v in model.items():
value = v.getValue()
solution += chr(value)
getSymbolicVariableFromId(k).setConcreteValue(value)
# Next
pc = getConcreteRegisterValue(REG.RIP)
return solution
class TestInstruction(unittest.TestCase):
"""Testing the Instruction class."""
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode("\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
def test_address(self):
"""Check instruction current and next address."""
self.assertEqual(self.inst.getAddress(), 0x400000)
self.assertEqual(self.inst.getNextAddress(), 0x400003)
def test_memory(self):
"""Check memory access."""
self.assertListEqual(self.inst.getLoadAccess(), [])
self.assertListEqual(self.inst.getStoreAccess(), [])
self.assertFalse(self.inst.isMemoryWrite())
self.assertFalse(self.inst.isMemoryRead())
def test_registers(self):
"""Check register access."""
self.assertEqual(len(self.inst.getReadRegisters()), 2, "access RAX and RBX")
self.assertEqual(len(self.inst.getWrittenRegisters()), 8, "write in RAX, RIP, AF, XF, OF, PF, SF and ZF")
def test_taints(self):
"""Check taints attributes."""
self.assertFalse(self.inst.isTainted())
def test_prefix(self):
"""Check prefix data."""
self.assertFalse(self.inst.isPrefixed())
self.assertEqual(self.inst.getPrefix(), PREFIX.INVALID)
def test_control_flow(self):
"""Check control flow flags."""
self.assertFalse(self.inst.isControlFlow(), "It is not a jmp, ret or call")
self.assertFalse(self.inst.isBranch(), "It is not a jmp")
def test_condition(self):
"""Check condition flags."""
self.assertFalse(self.inst.isConditionTaken())
def test_opcode(self):
"""Check opcode informations."""
self.assertEqual(self.inst.getOpcode(), "\x48\x01\xd8")
self.assertEqual(self.inst.getType(), OPCODE.ADD)
def test_thread(self):
"""Check threads information."""
self.assertEqual(self.inst.getThreadId(), 0)
def test_operand(self):
"""Check operand information."""
self.assertEqual(len(self.inst.getOperands()), 2)
self.assertEqual(self.inst.getOperands()[0].getName(), "rax")
self.assertEqual(self.inst.getOperands()[1].getName(), "rbx")
with self.assertRaises(Exception):
self.inst.getOperands()[2]
def test_symbolic(self):
"""Check symbolic information."""
self.assertEqual(len(self.inst.getSymbolicExpressions()), 8)
def test_size(self):
"""Check size information."""
self.assertEqual(self.inst.getSize(), 3)
def test_disassembly(self):
"""Check disassembly equivalent."""
self.assertEqual(self.inst.getDisassembly(), "add rax, rbx")
class TestInstruction(unittest.TestCase):
"""Testing the Instruction class."""
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode(b"\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
def test_address(self):
"""Check instruction current and next address."""
self.assertEqual(self.inst.getAddress(), 0x400000)
self.assertEqual(self.inst.getNextAddress(), 0x400003)
inst = Instruction()
inst.setAddress(-1)
self.assertEqual(inst.getAddress(), 0xffffffffffffffff)
inst.setAddress(-2)
self.assertEqual(inst.getAddress(), 0xfffffffffffffffe)
inst.setAddress(-3)
self.assertEqual(inst.getAddress(), 0xfffffffffffffffd)
def test_memory(self):
"""Check memory access."""
self.assertListEqual(self.inst.getLoadAccess(), [])
self.assertListEqual(self.inst.getStoreAccess(), [])
self.assertFalse(self.inst.isMemoryWrite())
self.assertFalse(self.inst.isMemoryRead())
def test_registers(self):
"""Check register access."""
self.assertEqual(len(self.inst.getReadRegisters()), 2, "access RAX and RBX")
self.assertEqual(len(self.inst.getWrittenRegisters()), 8, "write in RAX, RIP, AF, XF, OF, PF, SF and ZF")
def test_taints(self):
"""Check taints attributes."""
self.assertFalse(self.inst.isTainted())
def test_prefix(self):
"""Check prefix data."""
self.assertFalse(self.inst.isPrefixed())
self.assertEqual(self.inst.getPrefix(), PREFIX.X86.INVALID)
def test_control_flow(self):
"""Check control flow flags."""
self.assertFalse(self.inst.isControlFlow(), "It is not a jmp, ret or call")
self.assertFalse(self.inst.isBranch(), "It is not a jmp")
def test_condition(self):
"""Check condition flags."""
self.assertFalse(self.inst.isConditionTaken())
def test_opcode(self):
"""Check opcode informations."""
self.assertEqual(self.inst.getOpcode(), b"\x48\x01\xd8")
self.assertEqual(self.inst.getType(), OPCODE.X86.ADD)
def test_thread(self):
"""Check threads information."""
self.assertEqual(self.inst.getThreadId(), 0)
def test_operand(self):
"""Check operand information."""
self.assertEqual(len(self.inst.getOperands()), 2)
self.assertEqual(self.inst.getOperands()[0].getName(), "rax")
self.assertEqual(self.inst.getOperands()[1].getName(), "rbx")
with self.assertRaises(Exception):
self.inst.getOperands()[2]
def test_symbolic(self):
"""Check symbolic information."""
self.assertEqual(len(self.inst.getSymbolicExpressions()), 8)
def test_size(self):
"""Check size information."""
self.assertEqual(self.inst.getSize(), 3)
def test_disassembly(self):
"""Check disassembly equivalent."""
self.assertEqual(self.inst.getDisassembly(), "add rax, rbx")
def emulate(pc, sgx_ocall, sgx_free, is_threaded):
count = 0
policies.init_emulator()
policies.init_thread_env()
while pc and count < MAX_INST_CNT:
if (not policies.is_thread_unlocked()):
continue
if is_threaded:
emul_thread_lock.acquire()
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
instruction = Instruction()
instruction.setOpcode(opcode)
instruction.setAddress(pc)
try:
ret = Triton.processing(instruction)
if not ret:
if WARN_DEBUG:
print(
'[LIMITATION] unsupported instruction at 0x%x' % (pc))
Triton.setConcreteRegisterValue(Triton.registers.rip,
instruction.getNextAddress())
except:
if WARN_DEBUG:
print('[EXCEPTION] instruction process error ...')
if('\xf3\x0f\x1e\xfa' in opcode):
Triton.setConcreteRegisterValue(Triton.registers.rip,
pc + 0x4)
else:
break
count += 1
inst_ring_buffer[instruction.getAddress()] = True
if (PRINT_INST_DEBUG and instruction.getType() == OPCODE.X86.RET):
ret_addr = Triton.getConcreteRegisterValue(Triton.registers.rip)
print('[INSTRUCTION] return instruction: ', instruction)
print('[INSTRUCTION] return to: 0x%x' % ret_addr)
if (PRINT_INST_DEBUG and instruction.getType() == OPCODE.X86.CALL):
print('[INSTRUCTION] call instruction: ', instruction)
policies.push_inst_to_ring_buffer(instruction)
policies.inspection(instruction)
if (instruction.getDisassembly() == sgx_ocall
or instruction.getDisassembly() == sgx_free):
force_return_to_callsite(0x0)
if (instruction.getType() == OPCODE.X86.XGETBV):
Triton.setConcreteRegisterValue(Triton.registers.rip,
instruction.getNextAddress())
if instruction.getType() == OPCODE.X86.HLT:
if is_threaded:
emul_thread_lock.release()
break
if (not hook_process_inst(instruction)):
if is_threaded:
emul_thread_lock.release()
break
if (policies.is_report_avl()):
print_report()
policies.clear_last_report()
if is_threaded:
emul_thread_lock.release()
break
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
del instruction
if is_threaded:
emul_thread_lock.release()
if (count % 10000 == 0):
gc.collect()
policies.exit_emulator()
policies.destroy_thread_env()
return (count)