def test_constructor(self):
"""Check opcode informations."""
inst1 = Instruction()
inst2 = Instruction(b"\xc3")
inst3 = Instruction(0x1000, b"\xc3")
self.assertEqual(inst1.getOpcode(), b"")
self.assertEqual(inst1.getAddress(), 0)
self.assertEqual(inst2.getOpcode(), b"\xc3")
self.assertEqual(inst2.getAddress(), 0)
self.assertEqual(inst3.getOpcode(), b"\xc3")
self.assertEqual(inst3.getAddress(), 0x1000)
def run(pc, seed):
global seeds
while pc:
if pc in seeds and seeds[pc] == 0:
print("get one")
seeds[pc] = seed
flag = 0
# Build an instruction
inst = Instruction()
# Setup opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
inst.setOpcode(opcode)
inst.setAddress(pc)
arr = [elem.encode("hex") for elem in inst.getOpcode()]
if arr[:4] == ['f3', '0f', '1e', 'fa']:
pc += 4
continue
if arr[:3] == ['0f', '01', 'd0']:
pc += 3
continue
if arr[0] == 'f4':
print("abort")
break
# Setup Address
Triton.processing(inst)
# hookingHandler(Triton)
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
for seedr in seeds.values():
if seedr == 0:
flag = 1
break
if flag == 0:
break
class TestInstruction(unittest.TestCase):
"""Testing the Instruction class."""
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode("\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
def test_address(self):
"""Check instruction current and next address."""
self.assertEqual(self.inst.getAddress(), 0x400000)
self.assertEqual(self.inst.getNextAddress(), 0x400003)
def test_memory(self):
"""Check memory access."""
self.assertListEqual(self.inst.getLoadAccess(), [])
self.assertListEqual(self.inst.getStoreAccess(), [])
self.assertFalse(self.inst.isMemoryWrite())
self.assertFalse(self.inst.isMemoryRead())
def test_registers(self):
"""Check register access."""
self.assertEqual(len(self.inst.getReadRegisters()), 2, "access RAX and RBX")
self.assertEqual(len(self.inst.getWrittenRegisters()), 8, "write in RAX, RIP, AF, XF, OF, PF, SF and ZF")
def test_taints(self):
"""Check taints attributes."""
self.assertFalse(self.inst.isTainted())
def test_prefix(self):
"""Check prefix data."""
self.assertFalse(self.inst.isPrefixed())
self.assertEqual(self.inst.getPrefix(), PREFIX.INVALID)
def test_control_flow(self):
"""Check control flow flags."""
self.assertFalse(self.inst.isControlFlow(), "It is not a jmp, ret or call")
self.assertFalse(self.inst.isBranch(), "It is not a jmp")
def test_condition(self):
"""Check condition flags."""
self.assertFalse(self.inst.isConditionTaken())
def test_opcode(self):
"""Check opcode informations."""
self.assertEqual(self.inst.getOpcode(), "\x48\x01\xd8")
self.assertEqual(self.inst.getType(), OPCODE.ADD)
def test_thread(self):
"""Check threads information."""
self.assertEqual(self.inst.getThreadId(), 0)
def test_operand(self):
"""Check operand information."""
self.assertEqual(len(self.inst.getOperands()), 2)
self.assertEqual(self.inst.getOperands()[0].getName(), "rax")
self.assertEqual(self.inst.getOperands()[1].getName(), "rbx")
with self.assertRaises(Exception):
self.inst.getOperands()[2]
def test_symbolic(self):
"""Check symbolic information."""
self.assertEqual(len(self.inst.getSymbolicExpressions()), 8)
def test_size(self):
"""Check size information."""
self.assertEqual(self.inst.getSize(), 3)
def test_disassembly(self):
"""Check disassembly equivalent."""
self.assertEqual(self.inst.getDisassembly(), "add rax, rbx")
def run(pc, seed):
global flagr
prev=None
prevpc=0
while pc:
inst = Instruction()
# Setup opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
inst.setOpcode(opcode)
inst.setAddress(pc)
arr = [elem.encode("hex") for elem in inst.getOpcode()]
Triton.processing(inst)
if pc==0x403cec:
print("new ok")
if prevpc not in visited_branch and prev!=None and prev.isBranch():
visited_branch.add(prevpc)
print("new branch "+str(hex(prevpc)))
break
prev=inst
prevpc=pc
print("inst: "+str(inst))
if arr[:4] == ['f3', '0f', '1e', 'fa']:
pc += 4
continue
if arr[:3] == ['0f', '01', 'd0']:
pc += 3
continue
if arr[0] == 'f4':
print("abort")
break
if arr[0] == 'e8':
offset = 0
offset += int(arr[4], 16)
offset = offset << 8
offset += int(arr[3], 16)
offset = offset << 8
offset += int(arr[2], 16)
offset = offset << 8
offset += int(arr[1], 16)
faddr = offset + pc + 5
faddr = faddr & 0xffffffff
# print(str(hex(pc))+ " calling "+str(hex(faddr)))
try:
printf_addr = gbinary.get_function_address("printf")
if printf_addr == faddr:
pc += 5
continue
except:
pass
try:
fprintf_addr = gbinary.get_function_address("fprintf")
if fprintf_addr == faddr:
pc += 5
continue
except:
pass
try:
fread_addr = gbinary.get_function_address("fread")
if fread_addr == faddr:
adr = Triton.getConcreteRegisterValue(Triton.registers.rdi)
num = Triton.getConcreteRegisterValue(
Triton.registers.rsi
) * Triton.getConcreteRegisterValue(Triton.registers.rdx)
for i in range(num):
if adr + i not in seed:
# Triton.symbolizeMemory(MemoryAccess(adr + i, 1))
seed[adr + i] = 0
pc += 5
Triton.setConcreteRegisterValue(Triton.registers.rax, num)
continue
except:
pass
try:
fseek_addr = gbinary.get_function_address("fseek")
if fseek_addr == faddr:
Triton.setConcreteRegisterValue(Triton.registers.rax, 0)
pc += 5
continue
except:
pass
pc = Triton.getRegisterAst(Triton.registers.rip).evaluate()
return seed
def run(pc, func_spec, seed):
global addrs
flag = 0
while pc:
inst = Instruction()
# Setup opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
inst.setOpcode(opcode)
inst.setAddress(pc)
arr = [elem.encode("hex") for elem in inst.getOpcode()]
if arr[:4] == ['f3', '0f', '1e', 'fa']:
pc += 4
continue
if arr[:3] == ['0f', '01', 'd0']:
pc += 3
continue
if arr[0] == 'f4':
print("abort")
break
if arr[0] == 'e8':
offset = 0
offset += int(arr[4], 16)
offset = offset << 8
offset += int(arr[3], 16)
offset = offset << 8
offset += int(arr[2], 16)
offset = offset << 8
offset += int(arr[1], 16)
faddr = offset + pc + 5
faddr = faddr & 0xffffffff
try:
fclose_addr = gbinary.get_function_address("fclose")
if fclose_addr == faddr:
pc += 5
continue
except:
pass
try:
fgets_addr = gbinary.get_function_address("fgets")
if fgets_addr == faddr:
adr = Triton.getConcreteRegisterValue(Triton.registers.rdi)
num = Triton.getConcreteRegisterValue(Triton.registers.rsi)
for i in range(num):
if adr + i not in seed:
seed[adr + i] = 0
pc += 5
continue
except:
pass
try:
fread_addr = gbinary.get_function_address("fread")
if fread_addr == faddr:
adr = Triton.getConcreteRegisterValue(Triton.registers.rdi)
num = Triton.getConcreteRegisterValue(
Triton.registers.rsi
) * Triton.getConcreteRegisterValue(Triton.registers.rdx)
for i in range(num):
if adr + i not in seed:
print("new fread")
seed[adr + i] = 0
pc += 5
continue
except:
pass
try:
printf_addr = gbinary.get_function_address("printf")
if printf_addr == faddr:
pc += 5
continue
except:
pass
try:
fprintf_addr = gbinary.get_function_address("fprintf")
if fprintf_addr == faddr:
pc += 5
continue
except:
pass
if arr[0] == 'e8' and flag == 0:
offset = 0
offset += int(arr[4], 16)
offset = offset << 8
offset += int(arr[3], 16)
offset = offset << 8
offset += int(arr[2], 16)
offset = offset << 8
offset += int(arr[1], 16)
addr = offset + pc + 5
addr = addr & 0xffffffff
if addr in func_spec:
last_op = addr
if func_spec[addr][0] in ["==", ">=", "<="]:
Triton.setConcreteRegisterValue(Triton.registers.rax,
func_spec[addr][1])
if func_spec[addr][0] == '>':
Triton.setConcreteRegisterValue(Triton.registers.rax,
func_spec[addr][1] + 1)
if func_spec[addr][0] == '!=':
Triton.setConcreteRegisterValue(Triton.registers.rax,
func_spec[addr][1] + 1)
if func_spec[addr][0] == '<':
Triton.setConcreteRegisterValue(Triton.registers.rax,
func_spec[addr][1] - 1)
flag = 1
pc += 5
continue
Triton.processing(inst)
gflag = 0
for addr in func_spec:
if addr not in addrs:
gflag = 1
break
if gflag == 0:
break
if flag == 2:
addrs[last_op] = pc
flag = 0
if flag == 1:
if inst.isBranch():
flag = 2
# hookingHandler(Triton)
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
def runR(pc, binary):
seed = {}
while pc:
# Build an instruction
inst = Instruction()
# Setup opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
inst.setOpcode(opcode)
inst.setAddress(pc)
arr = [elem.encode("hex") for elem in inst.getOpcode()]
# endbr64
if arr[:4] == ['f3', '0f', '1e', 'fa']:
pc += 4
continue
if arr[:3] == ['0f', '01', 'd0']:
pc += 3
continue
if arr[0] == 'f4':
print("abort")
break
if arr[0] == 'e8':
offset = 0
offset += int(arr[4], 16)
offset = offset << 8
offset += int(arr[3], 16)
offset = offset << 8
offset += int(arr[2], 16)
offset = offset << 8
offset += int(arr[1], 16)
faddr = offset + pc + 5
faddr = faddr & 0xffffffff
print(str(hex(pc)) + " calling: " + str(hex(faddr)))
try:
fclose_addr = binary.get_function_address("fclose")
if fclose_addr == faddr:
pc += 5
continue
except:
pass
try:
fgets_addr = binary.get_function_address("fgets")
if fgets_addr == faddr:
adr = Triton.getConcreteRegisterValue(Triton.registers.rdi)
num = Triton.getConcreteRegisterValue(Triton.registers.rsi)
for i in range(num):
seed[adr + i] = 0
pc += 5
continue
except:
pass
try:
fread_addr = binary.get_function_address("fread")
if fread_addr == faddr:
print("fread at " + str(hex(pc)))
adr = Triton.getConcreteRegisterValue(Triton.registers.rdi)
num = Triton.getConcreteRegisterValue(
Triton.registers.rsi
) * Triton.getConcreteRegisterValue(Triton.registers.rdx)
for i in range(num):
seed[adr + i] = 0
pc += 5
continue
except:
pass
try:
printf_addr = binary.get_function_address("printf")
if printf_addr == faddr:
pc += 5
continue
except:
pass
try:
fprintf_addr = binary.get_function_address("fprintf")
if fprintf_addr == faddr:
pc += 5
continue
except:
pass
Triton.processing(inst)
# Setup Address
# hookingHandler(Triton)
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
return seed
class TestInstruction(unittest.TestCase):
"""Testing the Instruction class."""
def setUp(self):
"""Define and process the instruction to test."""
self.Triton = TritonContext()
self.Triton.setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcode(b"\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rax, 0x1122334455667788)
self.Triton.setConcreteRegisterValue(self.Triton.registers.rbx, 0x8877665544332211)
self.Triton.processing(self.inst)
def test_address(self):
"""Check instruction current and next address."""
self.assertEqual(self.inst.getAddress(), 0x400000)
self.assertEqual(self.inst.getNextAddress(), 0x400003)
inst = Instruction()
inst.setAddress(-1)
self.assertEqual(inst.getAddress(), 0xffffffffffffffff)
inst.setAddress(-2)
self.assertEqual(inst.getAddress(), 0xfffffffffffffffe)
inst.setAddress(-3)
self.assertEqual(inst.getAddress(), 0xfffffffffffffffd)
def test_memory(self):
"""Check memory access."""
self.assertListEqual(self.inst.getLoadAccess(), [])
self.assertListEqual(self.inst.getStoreAccess(), [])
self.assertFalse(self.inst.isMemoryWrite())
self.assertFalse(self.inst.isMemoryRead())
def test_registers(self):
"""Check register access."""
self.assertEqual(len(self.inst.getReadRegisters()), 2, "access RAX and RBX")
self.assertEqual(len(self.inst.getWrittenRegisters()), 8, "write in RAX, RIP, AF, XF, OF, PF, SF and ZF")
def test_taints(self):
"""Check taints attributes."""
self.assertFalse(self.inst.isTainted())
def test_prefix(self):
"""Check prefix data."""
self.assertFalse(self.inst.isPrefixed())
self.assertEqual(self.inst.getPrefix(), PREFIX.X86.INVALID)
def test_control_flow(self):
"""Check control flow flags."""
self.assertFalse(self.inst.isControlFlow(), "It is not a jmp, ret or call")
self.assertFalse(self.inst.isBranch(), "It is not a jmp")
def test_condition(self):
"""Check condition flags."""
self.assertFalse(self.inst.isConditionTaken())
def test_opcode(self):
"""Check opcode informations."""
self.assertEqual(self.inst.getOpcode(), b"\x48\x01\xd8")
self.assertEqual(self.inst.getType(), OPCODE.X86.ADD)
def test_thread(self):
"""Check threads information."""
self.assertEqual(self.inst.getThreadId(), 0)
def test_operand(self):
"""Check operand information."""
self.assertEqual(len(self.inst.getOperands()), 2)
self.assertEqual(self.inst.getOperands()[0].getName(), "rax")
self.assertEqual(self.inst.getOperands()[1].getName(), "rbx")
with self.assertRaises(Exception):
self.inst.getOperands()[2]
def test_symbolic(self):
"""Check symbolic information."""
self.assertEqual(len(self.inst.getSymbolicExpressions()), 8)
def test_size(self):
"""Check size information."""
self.assertEqual(self.inst.getSize(), 3)
def test_disassembly(self):
"""Check disassembly equivalent."""
self.assertEqual(self.inst.getDisassembly(), "add rax, rbx")
def run(pc, seed):
global seeds
while pc:
if pc in seeds and seeds[pc] == 0:
print("get one")
seeds[pc] = seed
flag = 0
# Build an instruction
inst = Instruction()
# Setup opcode
opcode = Triton.getConcreteMemoryAreaValue(pc, 16)
inst.setOpcode(opcode)
inst.setAddress(pc)
arr = [elem.encode("hex") for elem in inst.getOpcode()]
if arr[:4] == ['f3', '0f', '1e', 'fa']:
pc += 4
continue
if arr[:3] == ['0f', '01', 'd0']:
pc += 3
continue
if arr[0] == 'f4':
print("abort")
break
if arr[0] == 'e8':
offset = 0
offset += int(arr[4], 16)
offset = offset << 8
offset += int(arr[3], 16)
offset = offset << 8
offset += int(arr[2], 16)
offset = offset << 8
offset += int(arr[1], 16)
faddr = offset + pc + 5
faddr = faddr & 0xffffffff
try:
fclose_addr = binary.get_function_address("fclose")
if fclose_addr == faddr:
pc += 5
continue
except:
pass
try:
fgets_addr = binary.get_function_address("fgets")
if fgets_addr == faddr:
pc += 5
continue
except:
pass
try:
fread_addr = binary.get_function_address("fread")
if fread_addr == faddr:
pc += 5
continue
except:
pass
try:
fprintf_addr = binary.get_function_address("printf")
if fprintf_addr == faddr:
pc += 5
continue
except:
pass
try:
fprintf_addr = binary.get_function_address("fprintf")
if fprintf_addr == faddr:
pc += 5
continue
except:
pass
# Setup Address
Triton.processing(inst)
print(str(hex(pc)) + " path: " + str(Triton.getPathConstraints()))
# hookingHandler(Triton)
pc = Triton.getConcreteRegisterValue(Triton.registers.rip)
for seedr in seeds.values():
if seedr == 0:
flag = 1
break
if flag == 0:
break