示例#1
    def reset(self):
        """Rebuild the Triton state from this object's saved snapshot.

        Wipes the engines and path constraints, re-selects the architecture,
        re-enables the two modes and re-registers the two callbacks, then
        restores concrete register values, replays the module-level ``cache``
        of memory blocks via ``write_mem`` and re-symbolises every input byte
        recorded in ``self.inputs``.
        """
        triton.resetEngines()
        triton.clearPathConstraints()
        triton.setArchitecture(self.arch)

        for mode in (triton.MODE.ALIGNED_MEMORY, triton.MODE.ONLY_ON_SYMBOLIZED):
            triton.enableMode(mode, True)

        handlers = (
            (self.memoryCaching, triton.CALLBACK.GET_CONCRETE_MEMORY_VALUE),
            (self.constantFolding, triton.CALLBACK.SYMBOLIC_SIMPLIFICATION),
        )
        for handler, kind in handlers:
            triton.addCallback(handler, kind)

        # Only registers that have a Triton counterpart are restored; the
        # saved value is masked to the register width so an over-wide
        # Python int is truncated rather than handed to Triton as-is.
        for name in self.regs:
            if name not in self.triton_regs:
                continue
            reg = self.triton_regs[name]
            width_mask = (1 << reg.getBitSize()) - 1
            triton.setConcreteRegisterValue(
                triton.Register(reg, self.regs[name] & width_mask))

        # `cache` is a module-level list of {'start', 'data'} blocks.
        for block in cache:
            self.write_mem(block['start'], block["data"])

        # Each input address becomes one symbolic byte; the dict keys are
        # unchanged so rebinding values while iterating is safe.
        for address in self.inputs:
            access = triton.MemoryAccess(address, triton.CPUSIZE.BYTE)
            self.inputs[address] = triton.convertMemoryToSymbolicVariable(access)
示例#2
    def reset(self):
        """Reset Triton and reload the state held on this object.

        Order matters: engines and path constraints are cleared first, the
        architecture is set, modes and callbacks are (re)installed, and only
        then are registers, the module-level ``cache`` memory blocks and the
        symbolic input bytes in ``self.inputs`` pushed back into Triton.
        """
        triton.resetEngines()
        triton.clearPathConstraints()
        triton.setArchitecture(self.arch)

        triton.enableMode(triton.MODE.ALIGNED_MEMORY, True)
        triton.enableMode(triton.MODE.ONLY_ON_SYMBOLIZED, True)

        callback_table = {
            triton.CALLBACK.GET_CONCRETE_MEMORY_VALUE: self.memoryCaching,
            triton.CALLBACK.SYMBOLIC_SIMPLIFICATION: self.constantFolding,
        }
        for kind, handler in callback_table.items():
            triton.addCallback(handler, kind)

        # Restore every saved register Triton knows about, truncating the
        # saved value to the register's bit width first.
        known = [name for name in self.regs if name in self.triton_regs]
        for name in known:
            reg = self.triton_regs[name]
            truncated = self.regs[name] & ((1 << reg.getBitSize()) - 1)
            triton.setConcreteRegisterValue(triton.Register(reg, truncated))

        # `cache` is a module-level sequence of {'start', 'data'} blocks.
        for block in cache:
            self.write_mem(block['start'], block["data"])

        # One symbolic variable per input byte address.
        for address in self.inputs:
            byte_access = triton.MemoryAccess(address, triton.CPUSIZE.BYTE)
            self.inputs[address] = triton.convertMemoryToSymbolicVariable(
                byte_access)
示例#3
#  0x400597: mov ecx, eax
#  0x400599: mov rdx, qword ptr [rip+0x200aa0]
#  0x4005a0: mov eax, dword ptr [rbp-0x4]
#  0x4005a3: cdqe
#  0x4005a5: add rax, rdx
#  0x4005a8: movzx eax, byte ptr [rax]
#  0x4005ab: movsx eax, al
#  0x4005ae: cmp ecx, eax
#  0x4005b0: jz 0x4005b9
#  0x4005b2: mov eax, 0x1
#  0x4005b7: jmp 0x4005c8
#  0x4005c8: pop rbp
#  loose
#  $


def cafter(instruction):
    """Print one executed instruction as ``<address>: <assembly>``.

    Registered below as the AFTER callback, so Triton calls it once per
    instruction. Returns None; printing is its only effect.
    """
    line = '%#x: %s' % (instruction.address, instruction.assembly)
    print(line)


if __name__ == '__main__':

    # Restrict the symbolic analysis to the window 0x40056d..0x4005c9,
    # expressed here as offsets into the image.
    start_offset, stop_offset = 0x56d, 0x5c9
    triton.startAnalysisFromOffset(start_offset)
    triton.stopAnalysisFromOffset(stop_offset)

    # Trace every executed instruction, then hand control to the target.
    triton.addCallback(cafter, triton.IDREF.CALLBACK.AFTER)
    triton.runProgram()

示例#4
import triton


def fini():
    """FINI callback: write the recorded trace to ``trace.log``.

    The path is relative, so the file lands in the working directory of
    the instrumented run.
    """
    trace_path = 'trace.log'
    triton.saveTrace(trace_path)


if __name__ == '__main__':

    # Symbolic analysis begins at the target's 'check' symbol.
    entry_symbol = 'check'
    triton.startAnalysisFromSymbol(entry_symbol)

    # Once instrumentation finishes, fini() persists the trace.
    triton.addCallback(fini, triton.IDREF.CALLBACK.FINI)

    # Hands control to the instrumented program; this call never returns.
    triton.runProgram()

示例#5
#  0x400594: xor eax, 0x55
#  0x400597: mov ecx, eax
#  0x400599: mov rdx, qword ptr [rip+0x200aa0]
#  0x4005a0: mov eax, dword ptr [rbp-0x4]
#  0x4005a3: cdqe
#  0x4005a5: add rax, rdx
#  0x4005a8: movzx eax, byte ptr [rax]
#  0x4005ab: movsx eax, al
#  0x4005ae: cmp ecx, eax
#  0x4005b0: jz 0x4005b9
#  0x4005b2: mov eax, 0x1
#  0x4005b7: jmp 0x4005c8
#  0x4005c8: pop rbp
#  loose
#  $


def cafter(instruction):
    """Print one executed instruction as ``<address>: <disassembly>``.

    Registered below as the AFTER callback, so Triton calls it once per
    instruction. Returns None; printing is its only effect.
    """
    address = instruction.getAddress()
    text = instruction.getDisassembly()
    print('%#x: %s' % (address, text))


if __name__ == '__main__':

    # Restrict the symbolic analysis to the window 0x40056d..0x4005c9,
    # expressed here as offsets into the image.
    analysis_window = (0x56d, 0x5c9)
    triton.startAnalysisFromOffset(analysis_window[0])
    triton.stopAnalysisFromOffset(analysis_window[1])

    # Trace every executed instruction, then hand control to the target.
    triton.addCallback(cafter, triton.IDREF.CALLBACK.AFTER)
    triton.runProgram()