import unittest from manticore.core.cpu.x86 import * from manticore.core.smtlib import * from manticore.core.memory import * class CPUTest(unittest.TestCase): _multiprocess_can_split_ = True class ROOperand(object): ''' Mocking class for operand ronly ''' def __init__(self, size, value): self.size = size self.value = value def read(self): return self.value & ((1<') self.assertEqual(cpu.RIP, 4400130L) def test_JAE_4(self): ''' Instruction JAE_4 Groups: jump 0x411d5b: jae 0x412155 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00411000, 0x1000, 'rwx') mem[0x00411d60] = '\x00' mem[0x00411d5b] = '\x0f' mem[0x00411d5c] = '\x83' mem[0x00411d5d] = '\xf4' mem[0x00411d5e] = '\x03' mem[0x00411d5f] = '\x00' cpu.CF = False cpu.RIP = 0x411d5b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x411d60], '\x00') self.assertEqual(mem[0x411d5b], '\x0f') self.assertEqual(mem[0x411d5c], '\x83') self.assertEqual(mem[0x411d5d], '\xf4') self.assertEqual(mem[0x411d5e], '\x03') self.assertEqual(mem[0x411d5f], '\x00') self.assertEqual(cpu.RIP, 4268373L) def test_JAE_5(self): ''' Instruction JAE_5 Groups: jump 0x7ffff7b58f5d: jae 0x7ffff7b58f00 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f5d] = 's' mem[0x7ffff7b58f5e] = '\xa1' cpu.CF = False cpu.RIP = 0x7ffff7b58f5d cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7b58f5d], 's') self.assertEqual(mem[0x7ffff7b58f5e], '\xa1') self.assertEqual(cpu.RIP, 140737349259008L) def test_JAE_6(self): ''' Instruction JAE_6 Groups: jump 0x400b82: jae 0x400b9f ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x00400b82] = 's' mem[0x00400b83] = '\x1b' cpu.CF = True cpu.RIP = 0x400b82 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x400b82], 's') self.assertEqual(mem[0x400b83], '\x1b') self.assertEqual(cpu.RIP, 4197252L) def test_JA_1(self): ''' Instruction JA_1 Groups: jump 0x7ffff7de6132: ja 0x7ffff7de6108 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6132] = 'w' mem[0x7ffff7de6133] = '\xd4' cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de6132 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6132], 'w') self.assertEqual(mem[0x7ffff7de6133], '\xd4') self.assertEqual(cpu.RIP, 140737351934216L) def test_JA_2(self): ''' Instruction JA_2 Groups: jump 0x7ffff7ddf066: ja 0x7ffff7ddf0b2 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddf000, 0x1000, 'rwx') mem[0x7ffff7ddf066] = 'w' mem[0x7ffff7ddf067] = 'J' cpu.ZF = False cpu.CF = True cpu.RIP = 0x7ffff7ddf066 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ddf066], 'w') self.assertEqual(mem[0x7ffff7ddf067], 'J') self.assertEqual(cpu.RIP, 140737351905384L) def test_JA_3(self): ''' Instruction JA_3 Groups: jump 0x7ffff7de6132: ja 0x7ffff7de6108 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6132] = 'w' mem[0x7ffff7de6133] = '\xd4' cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de6132 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6132], 'w') self.assertEqual(mem[0x7ffff7de6133], '\xd4') self.assertEqual(cpu.RIP, 140737351934216L) def test_JA_4(self): ''' Instruction JA_4 Groups: jump 0x7ffff7de6132: ja 0x7ffff7de6108 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6132] = 'w' mem[0x7ffff7de6133] = '\xd4' cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de6132 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6132], 'w') self.assertEqual(mem[0x7ffff7de6133], '\xd4') self.assertEqual(cpu.RIP, 140737351934216L) def test_JA_5(self): ''' Instruction JA_5 Groups: jump 0x7ffff7de6132: ja 0x7ffff7de6108 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6132] = 'w' mem[0x7ffff7de6133] = '\xd4' cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de6132 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6132], 'w') self.assertEqual(mem[0x7ffff7de6133], '\xd4') self.assertEqual(cpu.RIP, 140737351934216L) def test_JA_6(self): ''' Instruction JA_6 Groups: jump 0x7ffff7de6132: ja 0x7ffff7de6108 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6132] = 'w' mem[0x7ffff7de6133] = '\xd4' cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de6132 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6132], 'w') self.assertEqual(mem[0x7ffff7de6133], '\xd4') self.assertEqual(cpu.RIP, 140737351934216L) def test_JBE_1(self): ''' Instruction JBE_1 Groups: jump 0x41188d: jbe 0x411ec0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00411000, 0x1000, 'rwx') mem[0x0041188d] = '\x0f' mem[0x0041188e] = '\x86' mem[0x0041188f] = '-' mem[0x00411890] = '\x06' mem[0x00411891] = '\x00' mem[0x00411892] = '\x00' cpu.ZF = False cpu.CF = True cpu.RIP = 0x41188d cpu.execute() #cpu.writeback() self.assertEqual(mem[0x41188d], '\x0f') self.assertEqual(mem[0x41188e], '\x86') self.assertEqual(mem[0x41188f], '-') self.assertEqual(mem[0x411890], '\x06') self.assertEqual(mem[0x411891], '\x00') self.assertEqual(mem[0x411892], '\x00') self.assertEqual(cpu.RIP, 4267712L) def test_JBE_2(self): ''' Instruction JBE_2 Groups: jump 0x4325e3: jbe 0x4326cf ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x004325e3] = '\x0f' mem[0x004325e4] = '\x86' mem[0x004325e5] = '\xe6' mem[0x004325e6] = '\x00' mem[0x004325e7] = '\x00' mem[0x004325e8] = '\x00' cpu.ZF = False cpu.CF = False cpu.RIP = 0x4325e3 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4325e3], '\x0f') self.assertEqual(mem[0x4325e4], '\x86') self.assertEqual(mem[0x4325e5], '\xe6') self.assertEqual(mem[0x4325e6], '\x00') self.assertEqual(mem[0x4325e7], '\x00') self.assertEqual(mem[0x4325e8], '\x00') self.assertEqual(cpu.RIP, 4400617L) def test_JBE_3(self): ''' Instruction JBE_3 Groups: jump 0x432388: jbe 0x4323aa ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432388] = 'v' mem[0x00432389] = ' ' cpu.ZF = False cpu.CF = False cpu.RIP = 0x432388 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432388], 'v') self.assertEqual(mem[0x432389], ' ') self.assertEqual(cpu.RIP, 4400010L) def test_JBE_4(self): ''' Instruction JBE_4 Groups: jump 0x4325e3: jbe 0x4326cf ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x004325e3] = '\x0f' mem[0x004325e4] = '\x86' mem[0x004325e5] = '\xe6' mem[0x004325e6] = '\x00' mem[0x004325e7] = '\x00' mem[0x004325e8] = '\x00' cpu.ZF = False cpu.CF = False cpu.RIP = 0x4325e3 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4325e3], '\x0f') self.assertEqual(mem[0x4325e4], '\x86') self.assertEqual(mem[0x4325e5], '\xe6') self.assertEqual(mem[0x4325e6], '\x00') self.assertEqual(mem[0x4325e7], '\x00') self.assertEqual(mem[0x4325e8], '\x00') self.assertEqual(cpu.RIP, 4400617L) def test_JBE_5(self): ''' Instruction JBE_5 Groups: jump 0x7ffff7df1269: jbe 0x7ffff7df1289 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1269] = 'v' mem[0x7ffff7df126a] = '\x1e' cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7df1269 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df1269], 'v') self.assertEqual(mem[0x7ffff7df126a], '\x1e') self.assertEqual(cpu.RIP, 140737351979627L) def test_JBE_6(self): ''' Instruction JBE_6 Groups: jump 0x7ffff7acff53: jbe 0x7ffff7ad003f ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7acf000, 0x1000, 'rwx') mem[0x7ffff7acff53] = '\x0f' mem[0x7ffff7acff54] = '\x86' mem[0x7ffff7acff55] = '\xe6' mem[0x7ffff7acff56] = '\x00' mem[0x7ffff7acff57] = '\x00' mem[0x7ffff7acff58] = '\x00' cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7acff53 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7acff53], '\x0f') self.assertEqual(mem[0x7ffff7acff54], '\x86') self.assertEqual(mem[0x7ffff7acff55], '\xe6') self.assertEqual(mem[0x7ffff7acff56], '\x00') self.assertEqual(mem[0x7ffff7acff57], '\x00') self.assertEqual(mem[0x7ffff7acff58], '\x00') self.assertEqual(cpu.RIP, 140737348697945L) def test_JB_1(self): ''' Instruction JB_1 Groups: jump 0x7ffff7b58f46: jb 0x7ffff7b58f00 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f46] = 'r' mem[0x7ffff7b58f47] = '\xb8' cpu.CF = True cpu.RIP = 0x7ffff7b58f46 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7b58f46], 'r') self.assertEqual(mem[0x7ffff7b58f47], '\xb8') self.assertEqual(cpu.RIP, 140737349259008L) def test_JB_2(self): ''' Instruction JB_2 Groups: jump 0x7ffff7b58f46: jb 0x7ffff7b58f00 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f46] = 'r' mem[0x7ffff7b58f47] = '\xb8' cpu.CF = False cpu.RIP = 0x7ffff7b58f46 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7b58f46], 'r') self.assertEqual(mem[0x7ffff7b58f47], '\xb8') self.assertEqual(cpu.RIP, 140737349259080L) def test_JB_3(self): ''' Instruction JB_3 Groups: jump 0x400bab: jb 0x400ab4 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x00400bab] = '\x0f' mem[0x00400bac] = '\x82' mem[0x00400bad] = '\x03' mem[0x00400bae] = '\xff' mem[0x00400baf] = '\xff' mem[0x00400bb0] = '\xff' cpu.CF = True cpu.RIP = 0x400bab cpu.execute() #cpu.writeback() self.assertEqual(mem[0x400bab], '\x0f') self.assertEqual(mem[0x400bac], '\x82') self.assertEqual(mem[0x400bad], '\x03') self.assertEqual(mem[0x400bae], '\xff') self.assertEqual(mem[0x400baf], '\xff') self.assertEqual(mem[0x400bb0], '\xff') self.assertEqual(cpu.RIP, 4197044L) def test_JB_4(self): ''' Instruction JB_4 Groups: jump 0x7ffff7b58f46: jb 0x7ffff7b58f00 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f46] = 'r' mem[0x7ffff7b58f47] = '\xb8' cpu.CF = True cpu.RIP = 0x7ffff7b58f46 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7b58f46], 'r') self.assertEqual(mem[0x7ffff7b58f47], '\xb8') self.assertEqual(cpu.RIP, 140737349259008L) def test_JB_5(self): ''' Instruction JB_5 Groups: jump 0x7ffff7ddeff1: jb 0x7ffff7ddefd0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7dde000, 0x1000, 'rwx') mem[0x7ffff7ddeff1] = 'r' mem[0x7ffff7ddeff2] = '\xdd' cpu.CF = True cpu.RIP = 0x7ffff7ddeff1 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ddeff1], 'r') self.assertEqual(mem[0x7ffff7ddeff2], '\xdd') self.assertEqual(cpu.RIP, 140737351905232L) def test_JB_6(self): ''' Instruction JB_6 Groups: jump 0x7ffff7b58f46: jb 0x7ffff7b58f00 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f46] = 'r' mem[0x7ffff7b58f47] = '\xb8' cpu.CF = True cpu.RIP = 0x7ffff7b58f46 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7b58f46], 'r') self.assertEqual(mem[0x7ffff7b58f47], '\xb8') self.assertEqual(cpu.RIP, 140737349259008L) def test_JE_1(self): ''' Instruction JE_1 Groups: jump 0x7ffff7de3a9d: je 0x7ffff7de3ed1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3aa0] = '\x04' mem[0x7ffff7de3aa1] = '\x00' mem[0x7ffff7de3aa2] = '\x00' mem[0x7ffff7de3a9d] = '\x0f' mem[0x7ffff7de3a9e] = '\x84' mem[0x7ffff7de3a9f] = '.' cpu.ZF = False cpu.RIP = 0x7ffff7de3a9d cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de3aa0], '\x04') self.assertEqual(mem[0x7ffff7de3aa1], '\x00') self.assertEqual(mem[0x7ffff7de3aa2], '\x00') self.assertEqual(mem[0x7ffff7de3a9d], '\x0f') self.assertEqual(mem[0x7ffff7de3a9e], '\x84') self.assertEqual(mem[0x7ffff7de3a9f], '.') self.assertEqual(cpu.RIP, 140737351924387L) def test_JE_2(self): ''' Instruction JE_2 Groups: jump 0x7ffff7de61be: je 0x7ffff7de65b8 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de61c0] = '\xf4' mem[0x7ffff7de61c1] = '\x03' mem[0x7ffff7de61c2] = '\x00' mem[0x7ffff7de61c3] = '\x00' mem[0x7ffff7de61be] = '\x0f' mem[0x7ffff7de61bf] = '\x84' cpu.ZF = False cpu.RIP = 0x7ffff7de61be cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de61c0], '\xf4') self.assertEqual(mem[0x7ffff7de61c1], '\x03') self.assertEqual(mem[0x7ffff7de61c2], '\x00') self.assertEqual(mem[0x7ffff7de61c3], '\x00') self.assertEqual(mem[0x7ffff7de61be], '\x0f') self.assertEqual(mem[0x7ffff7de61bf], '\x84') self.assertEqual(cpu.RIP, 140737351934404L) def test_JE_3(self): ''' Instruction JE_3 Groups: jump 0x7ffff7de38c6: je 0x7ffff7de3960 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de38c6] = '\x0f' mem[0x7ffff7de38c7] = '\x84' mem[0x7ffff7de38c8] = '\x94' mem[0x7ffff7de38c9] = '\x00' mem[0x7ffff7de38ca] = '\x00' mem[0x7ffff7de38cb] = '\x00' cpu.ZF = False cpu.RIP = 0x7ffff7de38c6 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de38c6], '\x0f') self.assertEqual(mem[0x7ffff7de38c7], '\x84') self.assertEqual(mem[0x7ffff7de38c8], '\x94') self.assertEqual(mem[0x7ffff7de38c9], '\x00') self.assertEqual(mem[0x7ffff7de38ca], '\x00') self.assertEqual(mem[0x7ffff7de38cb], '\x00') self.assertEqual(cpu.RIP, 140737351923916L) def test_JE_4(self): ''' Instruction JE_4 Groups: jump 0x7ffff7de440b: je 0x7ffff7de4644 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de440b] = '\x0f' mem[0x7ffff7de440c] = '\x84' mem[0x7ffff7de440d] = '3' mem[0x7ffff7de440e] = '\x02' mem[0x7ffff7de440f] = '\x00' mem[0x7ffff7de4410] = '\x00' cpu.ZF = False cpu.RIP = 0x7ffff7de440b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de440b], '\x0f') self.assertEqual(mem[0x7ffff7de440c], '\x84') self.assertEqual(mem[0x7ffff7de440d], '3') self.assertEqual(mem[0x7ffff7de440e], '\x02') self.assertEqual(mem[0x7ffff7de440f], '\x00') self.assertEqual(mem[0x7ffff7de4410], '\x00') self.assertEqual(cpu.RIP, 140737351926801L) def test_JE_5(self): ''' Instruction JE_5 Groups: jump 0x7ffff7de6115: je 0x7ffff7de6121 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6115] = 't' mem[0x7ffff7de6116] = '\n' cpu.ZF = False cpu.RIP = 0x7ffff7de6115 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6115], 't') self.assertEqual(mem[0x7ffff7de6116], '\n') self.assertEqual(cpu.RIP, 140737351934231L) def test_JE_6(self): ''' Instruction JE_6 Groups: jump 0x406e0b: je 0x406dc6 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem[0x00406e0b] = 't' mem[0x00406e0c] = '\xb9' cpu.ZF = False cpu.RIP = 0x406e0b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x406e0b], 't') self.assertEqual(mem[0x406e0c], '\xb9') self.assertEqual(cpu.RIP, 4222477L) def test_JGE_1(self): ''' Instruction JGE_1 Groups: jump 0x7ffff7ab5b02: jge 0x7ffff7ab5be0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx') mem[0x7ffff7ab5b02] = '\x0f' mem[0x7ffff7ab5b03] = '\x8d' mem[0x7ffff7ab5b04] = '\xd8' mem[0x7ffff7ab5b05] = '\x00' mem[0x7ffff7ab5b06] = '\x00' mem[0x7ffff7ab5b07] = '\x00' cpu.OF = False cpu.SF = True cpu.RIP = 0x7ffff7ab5b02 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ab5b02], '\x0f') self.assertEqual(mem[0x7ffff7ab5b03], '\x8d') self.assertEqual(mem[0x7ffff7ab5b04], '\xd8') self.assertEqual(mem[0x7ffff7ab5b05], '\x00') self.assertEqual(mem[0x7ffff7ab5b06], '\x00') self.assertEqual(mem[0x7ffff7ab5b07], '\x00') self.assertEqual(cpu.RIP, 140737348590344L) def test_JGE_2(self): ''' Instruction JGE_2 Groups: jump 0x7ffff7b09879: jge 0x7ffff7b0987f ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b09000, 0x1000, 'rwx') mem[0x7ffff7b09879] = '}' mem[0x7ffff7b0987a] = '\x04' cpu.OF = False cpu.SF = False cpu.RIP = 0x7ffff7b09879 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7b09879], '}') self.assertEqual(mem[0x7ffff7b0987a], '\x04') self.assertEqual(cpu.RIP, 140737348933759L) def test_JGE_3(self): ''' Instruction JGE_3 Groups: jump 0x7ffff7ab5b02: jge 0x7ffff7ab5be0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx') mem[0x7ffff7ab5b02] = '\x0f' mem[0x7ffff7ab5b03] = '\x8d' mem[0x7ffff7ab5b04] = '\xd8' mem[0x7ffff7ab5b05] = '\x00' mem[0x7ffff7ab5b06] = '\x00' mem[0x7ffff7ab5b07] = '\x00' cpu.OF = False cpu.SF = True cpu.RIP = 0x7ffff7ab5b02 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ab5b02], '\x0f') self.assertEqual(mem[0x7ffff7ab5b03], '\x8d') self.assertEqual(mem[0x7ffff7ab5b04], '\xd8') self.assertEqual(mem[0x7ffff7ab5b05], '\x00') self.assertEqual(mem[0x7ffff7ab5b06], '\x00') self.assertEqual(mem[0x7ffff7ab5b07], '\x00') self.assertEqual(cpu.RIP, 140737348590344L) def test_JG_1(self): ''' Instruction JG_1 Groups: jump 0x403684: jg 0x40361a ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00403000, 0x1000, 'rwx') mem[0x00403684] = '\x7f' mem[0x00403685] = '\x94' cpu.OF = False cpu.ZF = False cpu.SF = False cpu.RIP = 0x403684 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x403684], '\x7f') self.assertEqual(mem[0x403685], '\x94') self.assertEqual(cpu.RIP, 4208154L) def test_JG_2(self): ''' Instruction JG_2 Groups: jump 0x40c120: jg 0x40c3f0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0040c000, 0x1000, 'rwx') mem[0x0040c120] = '\x0f' mem[0x0040c121] = '\x8f' mem[0x0040c122] = '\xca' mem[0x0040c123] = '\x02' mem[0x0040c124] = '\x00' mem[0x0040c125] = '\x00' cpu.OF = False cpu.ZF = False cpu.SF = True cpu.RIP = 0x40c120 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x40c120], '\x0f') self.assertEqual(mem[0x40c121], '\x8f') self.assertEqual(mem[0x40c122], '\xca') self.assertEqual(mem[0x40c123], '\x02') self.assertEqual(mem[0x40c124], '\x00') self.assertEqual(mem[0x40c125], '\x00') self.assertEqual(cpu.RIP, 4243750L) def test_JG_3(self): ''' Instruction JG_3 Groups: jump 0x7ffff7df1357: jg 0x7ffff7df13a0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1358] = 'G' mem[0x7ffff7df1357] = '\x7f' cpu.OF = False cpu.ZF = False cpu.SF = True cpu.RIP = 0x7ffff7df1357 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df1358], 'G') self.assertEqual(mem[0x7ffff7df1357], '\x7f') self.assertEqual(cpu.RIP, 140737351979865L) def test_JG_4(self): ''' Instruction JG_4 Groups: jump 0x7ffff7ddc9fb: jg 0x7ffff7ddce16 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx') mem[0x7ffff7ddca00] = '\x00' mem[0x7ffff7ddc9fb] = '\x0f' mem[0x7ffff7ddc9fc] = '\x8f' mem[0x7ffff7ddc9fd] = '\x15' mem[0x7ffff7ddc9fe] = '\x04' mem[0x7ffff7ddc9ff] = '\x00' cpu.OF = False cpu.ZF = False cpu.SF = False cpu.RIP = 0x7ffff7ddc9fb cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ddca00], '\x00') self.assertEqual(mem[0x7ffff7ddc9fb], '\x0f') self.assertEqual(mem[0x7ffff7ddc9fc], '\x8f') self.assertEqual(mem[0x7ffff7ddc9fd], '\x15') self.assertEqual(mem[0x7ffff7ddc9fe], '\x04') self.assertEqual(mem[0x7ffff7ddc9ff], '\x00') self.assertEqual(cpu.RIP, 140737351896598L) def test_JG_5(self): ''' Instruction JG_5 Groups: jump 0x7ffff7ddc9fb: jg 0x7ffff7ddce16 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx') mem[0x7ffff7ddca00] = '\x00' mem[0x7ffff7ddc9fb] = '\x0f' mem[0x7ffff7ddc9fc] = '\x8f' mem[0x7ffff7ddc9fd] = '\x15' mem[0x7ffff7ddc9fe] = '\x04' mem[0x7ffff7ddc9ff] = '\x00' cpu.OF = False cpu.ZF = False cpu.SF = False cpu.RIP = 0x7ffff7ddc9fb cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ddca00], '\x00') self.assertEqual(mem[0x7ffff7ddc9fb], '\x0f') self.assertEqual(mem[0x7ffff7ddc9fc], '\x8f') self.assertEqual(mem[0x7ffff7ddc9fd], '\x15') self.assertEqual(mem[0x7ffff7ddc9fe], '\x04') self.assertEqual(mem[0x7ffff7ddc9ff], '\x00') self.assertEqual(cpu.RIP, 140737351896598L) def test_JG_6(self): ''' Instruction JG_6 Groups: jump 0x40c2e4: jg 0x40c250 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0040c000, 0x1000, 'rwx') mem[0x0040c2e4] = '\x0f' mem[0x0040c2e5] = '\x8f' mem[0x0040c2e6] = 'f' mem[0x0040c2e7] = '\xff' mem[0x0040c2e8] = '\xff' mem[0x0040c2e9] = '\xff' cpu.OF = False cpu.ZF = False cpu.SF = True cpu.RIP = 0x40c2e4 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x40c2e4], '\x0f') self.assertEqual(mem[0x40c2e5], '\x8f') self.assertEqual(mem[0x40c2e6], 'f') self.assertEqual(mem[0x40c2e7], '\xff') self.assertEqual(mem[0x40c2e8], '\xff') self.assertEqual(mem[0x40c2e9], '\xff') self.assertEqual(cpu.RIP, 4244202L) def test_JLE_1(self): ''' Instruction JLE_1 Groups: jump 0x400b2b: jle 0x400b01 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x00400b2b] = '~' mem[0x00400b2c] = '\xd4' cpu.OF = False cpu.ZF = False cpu.SF = True cpu.RIP = 0x400b2b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x400b2b], '~') self.assertEqual(mem[0x400b2c], '\xd4') self.assertEqual(cpu.RIP, 4197121L) def test_JLE_2(self): ''' Instruction JLE_2 Groups: jump 0x7ffff7a4e1cb: jle 0x7ffff7a4e429 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx') mem[0x7ffff7a4e1cb] = '\x0f' mem[0x7ffff7a4e1cc] = '\x8e' mem[0x7ffff7a4e1cd] = 'X' mem[0x7ffff7a4e1ce] = '\x02' mem[0x7ffff7a4e1cf] = '\x00' mem[0x7ffff7a4e1d0] = '\x00' cpu.OF = False cpu.ZF = False cpu.SF = False cpu.RIP = 0x7ffff7a4e1cb cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7a4e1cb], '\x0f') self.assertEqual(mem[0x7ffff7a4e1cc], '\x8e') self.assertEqual(mem[0x7ffff7a4e1cd], 'X') self.assertEqual(mem[0x7ffff7a4e1ce], '\x02') self.assertEqual(mem[0x7ffff7a4e1cf], '\x00') self.assertEqual(mem[0x7ffff7a4e1d0], '\x00') self.assertEqual(cpu.RIP, 140737348166097L) def test_JLE_3(self): ''' Instruction JLE_3 Groups: jump 0x437c08: jle 0x437c1f ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00437000, 0x1000, 'rwx') mem[0x00437c08] = '~' mem[0x00437c09] = '\x15' cpu.OF = False cpu.ZF = False cpu.SF = False cpu.RIP = 0x437c08 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x437c08], '~') self.assertEqual(mem[0x437c09], '\x15') self.assertEqual(cpu.RIP, 4422666L) def test_JLE_4(self): ''' Instruction JLE_4 Groups: jump 0x7ffff7de4486: jle 0x7ffff7de4430 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4486] = '~' mem[0x7ffff7de4487] = '\xa8' cpu.OF = False cpu.ZF = False cpu.SF = False cpu.RIP = 0x7ffff7de4486 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4486], '~') self.assertEqual(mem[0x7ffff7de4487], '\xa8') self.assertEqual(cpu.RIP, 140737351926920L) def test_JLE_5(self): ''' Instruction JLE_5 Groups: jump 0x7ffff7de4486: jle 0x7ffff7de4430 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4486] = '~' mem[0x7ffff7de4487] = '\xa8' cpu.OF = False cpu.ZF = False cpu.SF = False cpu.RIP = 0x7ffff7de4486 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4486], '~') self.assertEqual(mem[0x7ffff7de4487], '\xa8') self.assertEqual(cpu.RIP, 140737351926920L) def test_JLE_6(self): ''' Instruction JLE_6 Groups: jump 0x7ffff7de4486: jle 0x7ffff7de4430 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4486] = '~' mem[0x7ffff7de4487] = '\xa8' cpu.OF = False cpu.ZF = False cpu.SF = False cpu.RIP = 0x7ffff7de4486 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4486], '~') self.assertEqual(mem[0x7ffff7de4487], '\xa8') self.assertEqual(cpu.RIP, 140737351926920L) def test_JL_1(self): ''' Instruction JL_1 Groups: jump 0x555555556f00: jl 0x555555556ee2 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem[0x555555556f00] = '|' mem[0x555555556f01] = '\xe0' cpu.OF = False cpu.SF = True cpu.RIP = 0x555555556f00 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x555555556f00], '|') self.assertEqual(mem[0x555555556f01], '\xe0') self.assertEqual(cpu.RIP, 93824992243426L) def test_JL_2(self): ''' Instruction JL_2 Groups: jump 0x555555556f00: jl 0x555555556ee2 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem[0x555555556f00] = '|' mem[0x555555556f01] = '\xe0' cpu.OF = False cpu.SF = False cpu.RIP = 0x555555556f00 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x555555556f00], '|') self.assertEqual(mem[0x555555556f01], '\xe0') self.assertEqual(cpu.RIP, 93824992243458L) def test_JL_3(self): ''' Instruction JL_3 Groups: jump 0x555555556f00: jl 0x555555556ee2 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem[0x555555556f00] = '|' mem[0x555555556f01] = '\xe0' cpu.OF = False cpu.SF = True cpu.RIP = 0x555555556f00 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x555555556f00], '|') self.assertEqual(mem[0x555555556f01], '\xe0') self.assertEqual(cpu.RIP, 93824992243426L) def test_JMP_1(self): ''' Instruction JMP_1 Groups: jump 0x7ffff7de4279: jmp 0x7ffff7de3a98 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4279] = '\xe9' mem[0x7ffff7de427a] = '\x1a' mem[0x7ffff7de427b] = '\xf8' mem[0x7ffff7de427c] = '\xff' mem[0x7ffff7de427d] = '\xff' cpu.RIP = 0x7ffff7de4279 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4279], '\xe9') self.assertEqual(mem[0x7ffff7de427a], '\x1a') self.assertEqual(mem[0x7ffff7de427b], '\xf8') self.assertEqual(mem[0x7ffff7de427c], '\xff') self.assertEqual(mem[0x7ffff7de427d], '\xff') self.assertEqual(cpu.RIP, 140737351924376L) def test_JMP_2(self): ''' Instruction JMP_2 Groups: jump 0x7ffff7b58ee7: jmp 0x7ffff7b58f10 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58ee8] = "'" mem[0x7ffff7b58ee7] = '\xeb' cpu.RIP = 0x7ffff7b58ee7 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7b58ee8], "'") self.assertEqual(mem[0x7ffff7b58ee7], '\xeb') self.assertEqual(cpu.RIP, 140737349259024L) def test_JMP_3(self): ''' Instruction JMP_3 Groups: jump 0x7ffff7df28e1: jmp 0x7ffff7ddaa00 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df2000, 0x1000, 'rwx') mem[0x7ffff7df28e1] = '\xe9' mem[0x7ffff7df28e2] = '\x1a' mem[0x7ffff7df28e3] = '\x81' mem[0x7ffff7df28e4] = '\xfe' mem[0x7ffff7df28e5] = '\xff' cpu.RIP = 0x7ffff7df28e1 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df28e1], '\xe9') self.assertEqual(mem[0x7ffff7df28e2], '\x1a') self.assertEqual(mem[0x7ffff7df28e3], '\x81') self.assertEqual(mem[0x7ffff7df28e4], '\xfe') self.assertEqual(mem[0x7ffff7df28e5], '\xff') self.assertEqual(cpu.RIP, 140737351887360L) def test_JMP_4(self): ''' Instruction JMP_4 Groups: mode64, jump 0x7ffff7de62ee: jmp rdx ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de62ee] = '\xff' mem[0x7ffff7de62ef] = '\xe2' cpu.RDX = 0x7ffff7de63b8 cpu.RIP = 0x7ffff7de62ee cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de62ee], '\xff') self.assertEqual(mem[0x7ffff7de62ef], '\xe2') self.assertEqual(cpu.RDX, 140737351934904L) self.assertEqual(cpu.RIP, 140737351934904L) def test_JMP_5(self): ''' Instruction JMP_5 Groups: jump 0x7ffff7de4042: jmp 0x7ffff7de4054 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4042] = '\xeb' mem[0x7ffff7de4043] = '\x10' cpu.RIP = 0x7ffff7de4042 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4042], '\xeb') self.assertEqual(mem[0x7ffff7de4043], '\x10') self.assertEqual(cpu.RIP, 140737351925844L) def test_JMP_6(self): ''' Instruction JMP_6 Groups: jump 0x7ffff7b58ee7: jmp 0x7ffff7b58f10 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58ee8] = "'" mem[0x7ffff7b58ee7] = '\xeb' cpu.RIP = 0x7ffff7b58ee7 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7b58ee8], "'") self.assertEqual(mem[0x7ffff7b58ee7], '\xeb') self.assertEqual(cpu.RIP, 140737349259024L) def test_JNE_1(self): ''' Instruction JNE_1 Groups: jump 0x7ffff7df459e: jne 0x7ffff7df4590 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df459e] = 'u' mem[0x7ffff7df459f] = '\xf0' cpu.ZF = False cpu.RIP = 0x7ffff7df459e cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df459e], 'u') self.assertEqual(mem[0x7ffff7df459f], '\xf0') self.assertEqual(cpu.RIP, 140737351992720L) def test_JNE_2(self): ''' Instruction JNE_2 Groups: jump 0x7ffff7de5a4b: jne 0x7ffff7de5a40 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem[0x7ffff7de5a4b] = 'u' mem[0x7ffff7de5a4c] = '\xf3' cpu.ZF = False cpu.RIP = 0x7ffff7de5a4b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de5a4b], 'u') self.assertEqual(mem[0x7ffff7de5a4c], '\xf3') self.assertEqual(cpu.RIP, 140737351932480L) def test_JNE_3(self): ''' Instruction JNE_3 Groups: jump 0x7ffff7de611b: jne 0x7ffff7de73ad ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6120] = '\x00' mem[0x7ffff7de611b] = '\x0f' mem[0x7ffff7de611c] = '\x85' mem[0x7ffff7de611d] = '\x8c' mem[0x7ffff7de611e] = '\x12' mem[0x7ffff7de611f] = '\x00' cpu.ZF = True cpu.RIP = 0x7ffff7de611b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6120], '\x00') self.assertEqual(mem[0x7ffff7de611b], '\x0f') self.assertEqual(mem[0x7ffff7de611c], '\x85') self.assertEqual(mem[0x7ffff7de611d], '\x8c') self.assertEqual(mem[0x7ffff7de611e], '\x12') self.assertEqual(mem[0x7ffff7de611f], '\x00') self.assertEqual(cpu.RIP, 140737351934241L) def test_JNE_4(self): ''' Instruction JNE_4 Groups: jump 0x7ffff7aab197: jne 0x7ffff7aab188 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7aab000, 0x1000, 'rwx') mem[0x7ffff7aab198] = '\xef' mem[0x7ffff7aab197] = 'u' cpu.ZF = False cpu.RIP = 0x7ffff7aab197 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7aab198], '\xef') self.assertEqual(mem[0x7ffff7aab197], 'u') self.assertEqual(cpu.RIP, 140737348546952L) def test_JNE_5(self): ''' Instruction JNE_5 Groups: jump 0x7ffff7df4594: jne 0x7ffff7df45a3 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4594] = 'u' mem[0x7ffff7df4595] = '\r' cpu.ZF = True cpu.RIP = 0x7ffff7df4594 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df4594], 'u') self.assertEqual(mem[0x7ffff7df4595], '\r') self.assertEqual(cpu.RIP, 140737351992726L) def test_JNE_6(self): ''' Instruction JNE_6 Groups: jump 0x7ffff7df459e: jne 0x7ffff7df4590 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df459e] = 'u' mem[0x7ffff7df459f] = '\xf0' cpu.ZF = False cpu.RIP = 0x7ffff7df459e cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df459e], 'u') self.assertEqual(mem[0x7ffff7df459f], '\xf0') self.assertEqual(cpu.RIP, 140737351992720L) def test_JNS_1(self): ''' Instruction JNS_1 Groups: jump 0x7ffff7df138f: jns 0x7ffff7df1350 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1390] = '\xbf' mem[0x7ffff7df138f] = 'y' cpu.SF = True cpu.RIP = 0x7ffff7df138f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df1390], '\xbf') self.assertEqual(mem[0x7ffff7df138f], 'y') self.assertEqual(cpu.RIP, 140737351979921L) def test_JNS_2(self): ''' Instruction JNS_2 Groups: jump 0x555555565fb2: jns 0x5555555659ec ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555565000, 0x1000, 'rwx') mem[0x555555565fb2] = '\x0f' mem[0x555555565fb3] = '\x89' mem[0x555555565fb4] = '4' mem[0x555555565fb5] = '\xfa' mem[0x555555565fb6] = '\xff' mem[0x555555565fb7] = '\xff' cpu.SF = False cpu.RIP = 0x555555565fb2 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x555555565fb2], '\x0f') self.assertEqual(mem[0x555555565fb3], '\x89') self.assertEqual(mem[0x555555565fb4], '4') self.assertEqual(mem[0x555555565fb5], '\xfa') self.assertEqual(mem[0x555555565fb6], '\xff') self.assertEqual(mem[0x555555565fb7], '\xff') self.assertEqual(cpu.RIP, 93824992303596L) def test_JNS_3(self): ''' Instruction JNS_3 Groups: jump 0x7ffff7df138f: jns 0x7ffff7df1350 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1390] = '\xbf' mem[0x7ffff7df138f] = 'y' cpu.SF = True cpu.RIP = 0x7ffff7df138f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df1390], '\xbf') self.assertEqual(mem[0x7ffff7df138f], 'y') self.assertEqual(cpu.RIP, 140737351979921L) def test_JNS_4(self): ''' Instruction JNS_4 Groups: jump 0x7ffff7df138f: jns 0x7ffff7df1350 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1390] = '\xbf' mem[0x7ffff7df138f] = 'y' cpu.SF = False cpu.RIP = 0x7ffff7df138f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df1390], '\xbf') self.assertEqual(mem[0x7ffff7df138f], 'y') self.assertEqual(cpu.RIP, 140737351979856L) def test_JNS_5(self): ''' Instruction JNS_5 Groups: jump 0x7ffff7df138f: jns 0x7ffff7df1350 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1390] = '\xbf' mem[0x7ffff7df138f] = 'y' cpu.SF = True cpu.RIP = 0x7ffff7df138f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df1390], '\xbf') self.assertEqual(mem[0x7ffff7df138f], 'y') self.assertEqual(cpu.RIP, 140737351979921L) def test_JNS_6(self): ''' Instruction JNS_6 Groups: jump 0x7ffff7df138f: jns 0x7ffff7df1350 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1390] = '\xbf' mem[0x7ffff7df138f] = 'y' cpu.SF = False cpu.RIP = 0x7ffff7df138f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df1390], '\xbf') self.assertEqual(mem[0x7ffff7df138f], 'y') self.assertEqual(cpu.RIP, 140737351979856L) def test_JS_1(self): ''' Instruction JS_1 Groups: jump 0x4326b2: js 0x4328fb ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x004326b2] = '\x0f' mem[0x004326b3] = '\x88' mem[0x004326b4] = 'C' mem[0x004326b5] = '\x02' mem[0x004326b6] = '\x00' mem[0x004326b7] = '\x00' cpu.SF = False cpu.RIP = 0x4326b2 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4326b2], '\x0f') self.assertEqual(mem[0x4326b3], '\x88') self.assertEqual(mem[0x4326b4], 'C') self.assertEqual(mem[0x4326b5], '\x02') self.assertEqual(mem[0x4326b6], '\x00') self.assertEqual(mem[0x4326b7], '\x00') self.assertEqual(cpu.RIP, 4400824L) def test_JS_2(self): ''' Instruction JS_2 Groups: jump 0x4322d2: js 0x43251b ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x004322d2] = '\x0f' mem[0x004322d3] = '\x88' mem[0x004322d4] = 'C' mem[0x004322d5] = '\x02' mem[0x004322d6] = '\x00' mem[0x004322d7] = '\x00' cpu.SF = False cpu.RIP = 0x4322d2 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4322d2], '\x0f') self.assertEqual(mem[0x4322d3], '\x88') self.assertEqual(mem[0x4322d4], 'C') self.assertEqual(mem[0x4322d5], '\x02') self.assertEqual(mem[0x4322d6], '\x00') self.assertEqual(mem[0x4322d7], '\x00') self.assertEqual(cpu.RIP, 4399832L) def test_JS_3(self): ''' Instruction JS_3 Groups: jump 0x555555565075: js 0x555555566260 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555565000, 0x1000, 'rwx') mem[0x555555565075] = '\x0f' mem[0x555555565076] = '\x88' mem[0x555555565077] = '\xe5' mem[0x555555565078] = '\x11' mem[0x555555565079] = '\x00' mem[0x55555556507a] = '\x00' cpu.SF = False cpu.RIP = 0x555555565075 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x555555565075], '\x0f') self.assertEqual(mem[0x555555565076], '\x88') self.assertEqual(mem[0x555555565077], '\xe5') self.assertEqual(mem[0x555555565078], '\x11') self.assertEqual(mem[0x555555565079], '\x00') self.assertEqual(mem[0x55555556507a], '\x00') self.assertEqual(cpu.RIP, 93824992301179L) def test_JS_4(self): ''' Instruction JS_4 Groups: jump 0x40dd40: js 0x40dd4c ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0040d000, 0x1000, 'rwx') mem[0x0040dd40] = 'x' mem[0x0040dd41] = '\n' cpu.SF = True cpu.RIP = 0x40dd40 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x40dd40], 'x') self.assertEqual(mem[0x40dd41], '\n') self.assertEqual(cpu.RIP, 4250956L) def test_JS_5(self): ''' Instruction JS_5 Groups: jump 0x555555559cb6: js 0x555555559ccf ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555559000, 0x1000, 'rwx') mem[0x555555559cb6] = 'x' mem[0x555555559cb7] = '\x17' cpu.SF = True cpu.RIP = 0x555555559cb6 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x555555559cb6], 'x') self.assertEqual(mem[0x555555559cb7], '\x17') self.assertEqual(cpu.RIP, 93824992255183L) def test_JS_6(self): ''' Instruction JS_6 Groups: jump 0x5555555673d5: js 0x555555567450 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555567000, 0x1000, 'rwx') mem[0x5555555673d5] = 'x' mem[0x5555555673d6] = 'y' cpu.SF = False cpu.RIP = 0x5555555673d5 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x5555555673d5], 'x') self.assertEqual(mem[0x5555555673d6], 'y') self.assertEqual(cpu.RIP, 93824992310231L) def test_LEAVE_1(self): ''' Instruction LEAVE_1 Groups: mode64 0x7ffff7b30c15: leave ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b30000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7ffff7b30c15] = '\xc9' mem[0x7fffffffda98] = '\xd0' mem[0x7fffffffda99] = '\xda' mem[0x7fffffffda9a] = '\xff' mem[0x7fffffffda9b] = '\xff' mem[0x7fffffffda9c] = '\xff' mem[0x7fffffffda9d] = '\x7f' mem[0x7fffffffda9e] = '\x00' mem[0x7fffffffda9f] = '\x00' mem[0x7fffffffdaa0] = '\xf0' mem[0x7fffffffdaa1] = '\xda' mem[0x7fffffffdaa2] = '\xff' mem[0x7fffffffdaa3] = '\xff' mem[0x7fffffffdaa4] = '\xff' mem[0x7fffffffdaa5] = '\x7f' mem[0x7fffffffdaa6] = '\x00' mem[0x7fffffffdaa7] = '\x00' mem[0x7fffffffdaa8] = 'H' mem[0x7fffffffdaa9] = '\xe1' mem[0x7fffffffdaaa] = '\xff' mem[0x7fffffffdaab] = '\xf7' mem[0x7fffffffdaac] = '\xff' mem[0x7fffffffdaad] = '\x7f' mem[0x7fffffffdaae] = '\x00' mem[0x7fffffffdaaf] = '\x00' mem[0x7fffffffdab0] = '\xc0' mem[0x7fffffffdab1] = '\xda' mem[0x7fffffffdab2] = '\xff' mem[0x7fffffffdab3] = '\xff' mem[0x7fffffffdab4] = '\xff' mem[0x7fffffffdab5] = '\x7f' mem[0x7fffffffdab6] = '\x00' mem[0x7fffffffdab7] = '\x00' mem[0x7fffffffdab8] = '\xb3' cpu.RSP = 0x7fffffffdaa0 cpu.RIP = 0x7ffff7b30c15 cpu.RBP = 0x7fffffffdab0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7b30c15], '\xc9') self.assertEqual(mem[0x7fffffffda98], '\xd0') self.assertEqual(mem[0x7fffffffda99], '\xda') self.assertEqual(mem[0x7fffffffda9a], '\xff') self.assertEqual(mem[0x7fffffffda9b], '\xff') self.assertEqual(mem[0x7fffffffda9c], '\xff') self.assertEqual(mem[0x7fffffffda9d], '\x7f') self.assertEqual(mem[0x7fffffffda9e], '\x00') self.assertEqual(mem[0x7fffffffda9f], '\x00') self.assertEqual(mem[0x7fffffffdaa0], '\xf0') self.assertEqual(mem[0x7fffffffdaa1], '\xda') self.assertEqual(mem[0x7fffffffdaa2], '\xff') self.assertEqual(mem[0x7fffffffdaa3], '\xff') self.assertEqual(mem[0x7fffffffdaa4], '\xff') self.assertEqual(mem[0x7fffffffdaa5], '\x7f') self.assertEqual(mem[0x7fffffffdaa6], '\x00') self.assertEqual(mem[0x7fffffffdaa7], '\x00') self.assertEqual(mem[0x7fffffffdaa8], 'H') self.assertEqual(mem[0x7fffffffdaa9], '\xe1') self.assertEqual(mem[0x7fffffffdaaa], '\xff') self.assertEqual(mem[0x7fffffffdaab], '\xf7') self.assertEqual(mem[0x7fffffffdaac], '\xff') self.assertEqual(mem[0x7fffffffdaad], '\x7f') self.assertEqual(mem[0x7fffffffdaae], '\x00') self.assertEqual(mem[0x7fffffffdaaf], '\x00') self.assertEqual(mem[0x7fffffffdab0], '\xc0') self.assertEqual(mem[0x7fffffffdab1], '\xda') self.assertEqual(mem[0x7fffffffdab2], '\xff') self.assertEqual(mem[0x7fffffffdab3], '\xff') self.assertEqual(mem[0x7fffffffdab4], '\xff') self.assertEqual(mem[0x7fffffffdab5], '\x7f') self.assertEqual(mem[0x7fffffffdab6], '\x00') self.assertEqual(mem[0x7fffffffdab7], '\x00') self.assertEqual(mem[0x7fffffffdab8], '\xb3') self.assertEqual(cpu.RSP, 140737488345784L) self.assertEqual(cpu.RIP, 140737349094422L) self.assertEqual(cpu.RBP, 140737488345792L) def test_LEAVE_2(self): ''' Instruction LEAVE_2 Groups: mode64 0x4176f4: leave ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00417000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffcad8] = '\xf0' mem[0x7fffffffcad9] = 'v' mem[0x7fffffffcada] = 'A' mem[0x7fffffffcadb] = '\x00' mem[0x7fffffffcadc] = '\x00' mem[0x7fffffffcadd] = '\x00' mem[0x7fffffffcade] = '\x00' mem[0x7fffffffcadf] = '\x00' mem[0x7fffffffcae0] = '@' mem[0x7fffffffcae1] = '\x00' mem[0x7fffffffcae2] = '\x00' mem[0x7fffffffcae3] = '\x00' mem[0x7fffffffcae4] = '\x00' mem[0x7fffffffcae5] = '\x00' mem[0x7fffffffcae6] = '\x00' mem[0x7fffffffcae7] = '\x00' mem[0x7fffffffcae8] = 'A' mem[0x7fffffffcae9] = '\x00' mem[0x7fffffffcaea] = '\x00' mem[0x7fffffffcaeb] = '\x00' mem[0x7fffffffcaec] = '\x00' mem[0x7fffffffcaed] = '\x00' mem[0x7fffffffcaee] = '\x00' mem[0x7fffffffcaef] = '\x00' mem[0x7fffffffcaf0] = ' ' mem[0x7fffffffcaf1] = '\xdb' mem[0x7fffffffcaf2] = '\xff' mem[0x7fffffffcaf3] = '\xff' mem[0x7fffffffcaf4] = '\xff' mem[0x7fffffffcaf5] = '\x7f' mem[0x7fffffffcaf6] = '\x00' mem[0x7fffffffcaf7] = '\x00' mem[0x7fffffffcaf8] = '+' mem[0x004176f4] = '\xc9' cpu.RSP = 0x7fffffffcae0 cpu.RIP = 0x4176f4 cpu.RBP = 0x7fffffffcaf0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffcad8], '\xf0') self.assertEqual(mem[0x7fffffffcad9], 'v') self.assertEqual(mem[0x7fffffffcada], 'A') self.assertEqual(mem[0x7fffffffcadb], '\x00') self.assertEqual(mem[0x7fffffffcadc], '\x00') self.assertEqual(mem[0x7fffffffcadd], '\x00') self.assertEqual(mem[0x7fffffffcade], '\x00') self.assertEqual(mem[0x7fffffffcadf], '\x00') self.assertEqual(mem[0x7fffffffcae0], '@') self.assertEqual(mem[0x7fffffffcae1], '\x00') self.assertEqual(mem[0x7fffffffcae2], '\x00') self.assertEqual(mem[0x7fffffffcae3], '\x00') self.assertEqual(mem[0x7fffffffcae4], '\x00') self.assertEqual(mem[0x7fffffffcae5], '\x00') self.assertEqual(mem[0x7fffffffcae6], '\x00') self.assertEqual(mem[0x7fffffffcae7], '\x00') self.assertEqual(mem[0x7fffffffcae8], 'A') self.assertEqual(mem[0x7fffffffcae9], '\x00') self.assertEqual(mem[0x7fffffffcaea], '\x00') self.assertEqual(mem[0x7fffffffcaeb], '\x00') self.assertEqual(mem[0x7fffffffcaec], '\x00') self.assertEqual(mem[0x7fffffffcaed], '\x00') self.assertEqual(mem[0x7fffffffcaee], '\x00') self.assertEqual(mem[0x7fffffffcaef], '\x00') self.assertEqual(mem[0x7fffffffcaf0], ' ') self.assertEqual(mem[0x7fffffffcaf1], '\xdb') self.assertEqual(mem[0x7fffffffcaf2], '\xff') self.assertEqual(mem[0x7fffffffcaf3], '\xff') self.assertEqual(mem[0x4176f4], '\xc9') self.assertEqual(mem[0x7fffffffcaf5], '\x7f') self.assertEqual(mem[0x7fffffffcaf6], '\x00') self.assertEqual(mem[0x7fffffffcaf7], '\x00') self.assertEqual(mem[0x7fffffffcaf8], '+') self.assertEqual(mem[0x7fffffffcaf4], '\xff') self.assertEqual(cpu.RSP, 140737488341752L) self.assertEqual(cpu.RIP, 4290293L) self.assertEqual(cpu.RBP, 140737488345888L) def test_LEAVE_3(self): ''' Instruction LEAVE_3 Groups: mode64 0x7ffff7b59b18: leave ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b59000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffda08] = '\xd0' mem[0x7fffffffda09] = '\xd4' mem[0x7fffffffda0a] = '\xa4' mem[0x7fffffffda0b] = '\xf7' mem[0x7fffffffda0c] = '\xff' mem[0x7fffffffda0d] = '\x7f' mem[0x7fffffffda0e] = '\x00' mem[0x7fffffffda0f] = '\x00' mem[0x7fffffffda10] = '@' mem[0x7fffffffda11] = '\xda' mem[0x7fffffffda12] = '\xff' mem[0x7fffffffda13] = '\xff' mem[0x7fffffffda14] = '\xff' mem[0x7fffffffda15] = '\x7f' mem[0x7fffffffda16] = '\x00' mem[0x7fffffffda17] = '\x00' mem[0x7ffff7b59b18] = '\xc9' mem[0x7fffffffd9d9] = '\x00' mem[0x7fffffffd9da] = '\x00' mem[0x7fffffffd9db] = '\x00' mem[0x7fffffffd9dc] = '\x00' mem[0x7fffffffd9dd] = '\x00' mem[0x7fffffffd9de] = '\x00' mem[0x7fffffffd9df] = '\x00' mem[0x7fffffffd9e0] = '\x00' mem[0x7fffffffd9e1] = '\x00' mem[0x7fffffffd9e2] = '\x00' mem[0x7fffffffd9e3] = '\x00' mem[0x7fffffffd9d8] = '\x00' mem[0x7fffffffd9e5] = '\x00' mem[0x7fffffffda18] = "'" mem[0x7fffffffd9e7] = '\x00' mem[0x7fffffffd9e8] = '\xf0' mem[0x7fffffffd9e6] = '\x00' mem[0x7fffffffd9e4] = '\x00' cpu.RSP = 0x7fffffffd9e0 cpu.RIP = 0x7ffff7b59b18 cpu.RBP = 0x7fffffffda10 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffda08], '\xd0') self.assertEqual(mem[0x7fffffffda09], '\xd4') self.assertEqual(mem[0x7fffffffda0a], '\xa4') self.assertEqual(mem[0x7fffffffda0b], '\xf7') self.assertEqual(mem[0x7fffffffda0c], '\xff') self.assertEqual(mem[0x7fffffffda0d], '\x7f') self.assertEqual(mem[0x7fffffffda0e], '\x00') self.assertEqual(mem[0x7fffffffda0f], '\x00') self.assertEqual(mem[0x7fffffffda10], '@') self.assertEqual(mem[0x7fffffffda11], '\xda') self.assertEqual(mem[0x7fffffffda12], '\xff') self.assertEqual(mem[0x7fffffffda13], '\xff') self.assertEqual(mem[0x7fffffffda14], '\xff') self.assertEqual(mem[0x7fffffffda15], '\x7f') self.assertEqual(mem[0x7fffffffda16], '\x00') self.assertEqual(mem[0x7fffffffda17], '\x00') self.assertEqual(mem[0x7ffff7b59b18], '\xc9') self.assertEqual(mem[0x7fffffffd9d9], '\x00') self.assertEqual(mem[0x7fffffffd9da], '\x00') self.assertEqual(mem[0x7fffffffd9db], '\x00') self.assertEqual(mem[0x7fffffffd9dc], '\x00') self.assertEqual(mem[0x7fffffffd9dd], '\x00') self.assertEqual(mem[0x7fffffffd9de], '\x00') self.assertEqual(mem[0x7fffffffd9df], '\x00') self.assertEqual(mem[0x7fffffffd9e0], '\x00') self.assertEqual(mem[0x7fffffffd9e1], '\x00') self.assertEqual(mem[0x7fffffffd9e2], '\x00') self.assertEqual(mem[0x7fffffffd9e3], '\x00') self.assertEqual(mem[0x7fffffffd9d8], '\x00') self.assertEqual(mem[0x7fffffffd9e5], '\x00') self.assertEqual(mem[0x7fffffffda18], "'") self.assertEqual(mem[0x7fffffffd9e7], '\x00') self.assertEqual(mem[0x7fffffffd9e8], '\xf0') self.assertEqual(mem[0x7fffffffd9e6], '\x00') self.assertEqual(mem[0x7fffffffd9e4], '\x00') self.assertEqual(cpu.RSP, 140737488345624L) self.assertEqual(cpu.RIP, 140737349262105L) self.assertEqual(cpu.RBP, 140737488345664L) def test_LEAVE_4(self): ''' Instruction LEAVE_4 Groups: mode64 0x7ffff7b59b18: leave ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b59000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffdb98] = '\x00' mem[0x7fffffffdb71] = '\xdc' mem[0x7ffff7b59b18] = '\xc9' mem[0x7fffffffdb99] = '\x00' mem[0x7fffffffdb9a] = '\x00' mem[0x7fffffffdb9b] = '\x00' mem[0x7fffffffdb9c] = '\x00' mem[0x7fffffffdb9d] = '\x00' mem[0x7fffffffdb9e] = '\x00' mem[0x7fffffffdb9f] = '\x00' mem[0x7fffffffdba0] = '\xf0' mem[0x7fffffffdba1] = '\xdb' mem[0x7fffffffdba2] = '\xff' mem[0x7fffffffdba3] = '\xff' mem[0x7fffffffdba4] = '\xff' mem[0x7fffffffdba5] = '\x7f' mem[0x7fffffffdba6] = '\x00' mem[0x7fffffffdba7] = '\x00' mem[0x7fffffffdba8] = ':' mem[0x7fffffffdb69] = '\x00' mem[0x7fffffffdb6a] = '\x00' mem[0x7fffffffdb6b] = '\x00' mem[0x7fffffffdb6c] = '\x00' mem[0x7fffffffdb6d] = '\x00' mem[0x7fffffffdb6e] = '\x00' mem[0x7fffffffdb6f] = '\x00' mem[0x7fffffffdb70] = '\xb8' mem[0x7fffffffdb68] = '\x00' mem[0x7fffffffdb72] = '\xff' mem[0x7fffffffdb73] = '\xff' mem[0x7fffffffdb74] = '\xff' mem[0x7fffffffdb75] = '\x7f' mem[0x7fffffffdb76] = '\x00' mem[0x7fffffffdb77] = '\x00' mem[0x7fffffffdb78] = 'P' cpu.RSP = 0x7fffffffdb70 cpu.RIP = 0x7ffff7b59b18 cpu.RBP = 0x7fffffffdba0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7b59b18], '\xc9') self.assertEqual(mem[0x7fffffffdb71], '\xdc') self.assertEqual(mem[0x7fffffffdb98], '\x00') self.assertEqual(mem[0x7fffffffdb99], '\x00') self.assertEqual(mem[0x7fffffffdb9a], '\x00') self.assertEqual(mem[0x7fffffffdb9b], '\x00') self.assertEqual(mem[0x7fffffffdb9c], '\x00') self.assertEqual(mem[0x7fffffffdb9d], '\x00') self.assertEqual(mem[0x7fffffffdb9e], '\x00') self.assertEqual(mem[0x7fffffffdb9f], '\x00') self.assertEqual(mem[0x7fffffffdba0], '\xf0') self.assertEqual(mem[0x7fffffffdba1], '\xdb') self.assertEqual(mem[0x7fffffffdba2], '\xff') self.assertEqual(mem[0x7fffffffdba3], '\xff') self.assertEqual(mem[0x7fffffffdba4], '\xff') self.assertEqual(mem[0x7fffffffdba5], '\x7f') self.assertEqual(mem[0x7fffffffdba6], '\x00') self.assertEqual(mem[0x7fffffffdba7], '\x00') self.assertEqual(mem[0x7fffffffdba8], ':') self.assertEqual(mem[0x7fffffffdb69], '\x00') self.assertEqual(mem[0x7fffffffdb6a], '\x00') self.assertEqual(mem[0x7fffffffdb6b], '\x00') self.assertEqual(mem[0x7fffffffdb6c], '\x00') self.assertEqual(mem[0x7fffffffdb6d], '\x00') self.assertEqual(mem[0x7fffffffdb6e], '\x00') self.assertEqual(mem[0x7fffffffdb6f], '\x00') self.assertEqual(mem[0x7fffffffdb70], '\xb8') self.assertEqual(mem[0x7fffffffdb68], '\x00') self.assertEqual(mem[0x7fffffffdb72], '\xff') self.assertEqual(mem[0x7fffffffdb73], '\xff') self.assertEqual(mem[0x7fffffffdb74], '\xff') self.assertEqual(mem[0x7fffffffdb75], '\x7f') self.assertEqual(mem[0x7fffffffdb76], '\x00') self.assertEqual(mem[0x7fffffffdb77], '\x00') self.assertEqual(mem[0x7fffffffdb78], 'P') self.assertEqual(cpu.RSP, 140737488346024L) self.assertEqual(cpu.RIP, 140737349262105L) self.assertEqual(cpu.RBP, 140737488346096L) def test_LEAVE_5(self): ''' Instruction LEAVE_5 Groups: mode64 0x7ffff7ae0541: leave ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ae0000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7ffff7ae0541] = '\xc9' mem[0x7fffffffd988] = '7' mem[0x7fffffffd989] = '\x05' mem[0x7fffffffd98a] = '\xae' mem[0x7fffffffd98b] = '\xf7' mem[0x7fffffffd98c] = '\xff' mem[0x7fffffffd98d] = '\x7f' mem[0x7fffffffd98e] = '\x00' mem[0x7fffffffd98f] = '\x00' mem[0x7fffffffd990] = '\xa8' mem[0x7fffffffd991] = '\n' mem[0x7fffffffd992] = '\xba' mem[0x7fffffffd993] = '\xf7' mem[0x7fffffffd994] = '\xff' mem[0x7fffffffd995] = '\x7f' mem[0x7fffffffd996] = '\x00' mem[0x7fffffffd997] = '\x00' mem[0x7fffffffd998] = '\xf6' mem[0x7fffffffd9a8] = '\xe0' mem[0x7fffffffd9a9] = '\xda' mem[0x7fffffffd9aa] = '\xff' mem[0x7fffffffd9ab] = '\xff' mem[0x7fffffffd9ac] = '\xff' mem[0x7fffffffd9ad] = '\x7f' mem[0x7fffffffd9ae] = '\x00' mem[0x7fffffffd9af] = '\x00' mem[0x7fffffffd9b0] = '\xe0' mem[0x7fffffffd9b1] = '\xda' mem[0x7fffffffd9b2] = '\xff' mem[0x7fffffffd9b3] = '\xff' mem[0x7fffffffd9b4] = '\xff' mem[0x7fffffffd9b5] = '\x7f' mem[0x7fffffffd9b6] = '\x00' mem[0x7fffffffd9b7] = '\x00' mem[0x7fffffffd9b8] = '\xf8' cpu.RSP = 0x7fffffffd990 cpu.RIP = 0x7ffff7ae0541 cpu.RBP = 0x7fffffffd9b0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ae0541], '\xc9') self.assertEqual(mem[0x7fffffffd988], '7') self.assertEqual(mem[0x7fffffffd989], '\x05') self.assertEqual(mem[0x7fffffffd98a], '\xae') self.assertEqual(mem[0x7fffffffd98b], '\xf7') self.assertEqual(mem[0x7fffffffd98c], '\xff') self.assertEqual(mem[0x7fffffffd98d], '\x7f') self.assertEqual(mem[0x7fffffffd98e], '\x00') self.assertEqual(mem[0x7fffffffd98f], '\x00') self.assertEqual(mem[0x7fffffffd990], '\xa8') self.assertEqual(mem[0x7fffffffd991], '\n') self.assertEqual(mem[0x7fffffffd992], '\xba') self.assertEqual(mem[0x7fffffffd993], '\xf7') self.assertEqual(mem[0x7fffffffd994], '\xff') self.assertEqual(mem[0x7fffffffd995], '\x7f') self.assertEqual(mem[0x7fffffffd996], '\x00') self.assertEqual(mem[0x7fffffffd997], '\x00') self.assertEqual(mem[0x7fffffffd998], '\xf6') self.assertEqual(mem[0x7fffffffd9a8], '\xe0') self.assertEqual(mem[0x7fffffffd9a9], '\xda') self.assertEqual(mem[0x7fffffffd9aa], '\xff') self.assertEqual(mem[0x7fffffffd9ab], '\xff') self.assertEqual(mem[0x7fffffffd9ac], '\xff') self.assertEqual(mem[0x7fffffffd9ad], '\x7f') self.assertEqual(mem[0x7fffffffd9ae], '\x00') self.assertEqual(mem[0x7fffffffd9af], '\x00') self.assertEqual(mem[0x7fffffffd9b0], '\xe0') self.assertEqual(mem[0x7fffffffd9b1], '\xda') self.assertEqual(mem[0x7fffffffd9b2], '\xff') self.assertEqual(mem[0x7fffffffd9b3], '\xff') self.assertEqual(mem[0x7fffffffd9b4], '\xff') self.assertEqual(mem[0x7fffffffd9b5], '\x7f') self.assertEqual(mem[0x7fffffffd9b6], '\x00') self.assertEqual(mem[0x7fffffffd9b7], '\x00') self.assertEqual(mem[0x7fffffffd9b8], '\xf8') self.assertEqual(cpu.RSP, 140737488345528L) self.assertEqual(cpu.RIP, 140737348764994L) self.assertEqual(cpu.RBP, 140737488345824L) def test_LEAVE_6(self): ''' Instruction LEAVE_6 Groups: mode64 0x7ffff7a626cd: leave ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a62000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffda6c] = '\x00' mem[0x7fffffffda6b] = '\x00' mem[0x7fffffffda68] = '\x00' mem[0x7ffff7a626cd] = '\xc9' mem[0x7fffffffda6d] = '\x00' mem[0x7fffffffda6e] = '\x00' mem[0x7fffffffda6f] = '\x00' mem[0x7fffffffda60] = '\x00' mem[0x7fffffffda61] = '\x00' mem[0x7fffffffda62] = '\x00' mem[0x7fffffffda63] = '\x00' mem[0x7fffffffda64] = '\x00' mem[0x7fffffffda65] = '\x00' mem[0x7fffffffda66] = '\x00' mem[0x7fffffffda67] = '\x00' mem[0x7fffffffdb28] = '\x00' mem[0x7fffffffdb29] = '\x00' mem[0x7fffffffdb2a] = '\x00' mem[0x7fffffffdb2b] = '\x00' mem[0x7fffffffdb2c] = '\x00' mem[0x7fffffffdb2d] = '\x00' mem[0x7fffffffdb2e] = '\x00' mem[0x7fffffffdb2f] = '\x00' mem[0x7fffffffdb30] = '0' mem[0x7fffffffdb31] = '\xdc' mem[0x7fffffffdb32] = '\xff' mem[0x7fffffffdb33] = '\xff' mem[0x7fffffffdb34] = '\xff' mem[0x7fffffffdb35] = '\x7f' mem[0x7fffffffdb36] = '\x00' mem[0x7fffffffdb37] = '\x00' mem[0x7fffffffdb38] = 'x' mem[0x7fffffffda70] = '\x00' mem[0x7fffffffda69] = '\x00' mem[0x7fffffffda6a] = '\x00' cpu.RSP = 0x7fffffffda68 cpu.RIP = 0x7ffff7a626cd cpu.RBP = 0x7fffffffdb30 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffda6c], '\x00') self.assertEqual(mem[0x7fffffffda6b], '\x00') self.assertEqual(mem[0x7fffffffda68], '\x00') self.assertEqual(mem[0x7ffff7a626cd], '\xc9') self.assertEqual(mem[0x7fffffffda6d], '\x00') self.assertEqual(mem[0x7fffffffda6e], '\x00') self.assertEqual(mem[0x7fffffffda6f], '\x00') self.assertEqual(mem[0x7fffffffda60], '\x00') self.assertEqual(mem[0x7fffffffda61], '\x00') self.assertEqual(mem[0x7fffffffda62], '\x00') self.assertEqual(mem[0x7fffffffda63], '\x00') self.assertEqual(mem[0x7fffffffda64], '\x00') self.assertEqual(mem[0x7fffffffda65], '\x00') self.assertEqual(mem[0x7fffffffda66], '\x00') self.assertEqual(mem[0x7fffffffda67], '\x00') self.assertEqual(mem[0x7fffffffdb28], '\x00') self.assertEqual(mem[0x7fffffffdb29], '\x00') self.assertEqual(mem[0x7fffffffdb2a], '\x00') self.assertEqual(mem[0x7fffffffdb2b], '\x00') self.assertEqual(mem[0x7fffffffdb2c], '\x00') self.assertEqual(mem[0x7fffffffdb2d], '\x00') self.assertEqual(mem[0x7fffffffdb2e], '\x00') self.assertEqual(mem[0x7fffffffdb2f], '\x00') self.assertEqual(mem[0x7fffffffdb30], '0') self.assertEqual(mem[0x7fffffffdb31], '\xdc') self.assertEqual(mem[0x7fffffffdb32], '\xff') self.assertEqual(mem[0x7fffffffdb33], '\xff') self.assertEqual(mem[0x7fffffffdb34], '\xff') self.assertEqual(mem[0x7fffffffdb35], '\x7f') self.assertEqual(mem[0x7fffffffdb36], '\x00') self.assertEqual(mem[0x7fffffffdb37], '\x00') self.assertEqual(mem[0x7fffffffdb38], 'x') self.assertEqual(mem[0x7fffffffda70], '\x00') self.assertEqual(mem[0x7fffffffda69], '\x00') self.assertEqual(mem[0x7fffffffda6a], '\x00') self.assertEqual(cpu.RSP, 140737488345912L) self.assertEqual(cpu.RIP, 140737348249294L) self.assertEqual(cpu.RBP, 140737488346160L) def test_LEA_1(self): ''' Instruction LEA_1 Groups: 0x7ffff7de44f3: lea rsp, qword ptr [rbp - 0x28] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7ffff7de44f3] = 'H' mem[0x7ffff7de44f4] = '\x8d' mem[0x7ffff7de44f5] = 'e' mem[0x7ffff7de44f6] = '\xd8' mem[0x7fffffffd978] = '\xc8' mem[0x7fffffffd979] = '\xcd' mem[0x7fffffffd97a] = '\xa4' mem[0x7fffffffd97b] = '\xf7' mem[0x7fffffffd97c] = '\xff' mem[0x7fffffffd97d] = '\x7f' mem[0x7fffffffd97e] = '\x00' mem[0x7fffffffd97f] = '\x00' cpu.RSP = 0x7fffffffd8b0 cpu.RIP = 0x7ffff7de44f3 cpu.RBP = 0x7fffffffd9a0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de44f3], 'H') self.assertEqual(mem[0x7ffff7de44f4], '\x8d') self.assertEqual(mem[0x7ffff7de44f5], 'e') self.assertEqual(mem[0x7ffff7de44f6], '\xd8') self.assertEqual(mem[0x7fffffffd978], '\xc8') self.assertEqual(mem[0x7fffffffd979], '\xcd') self.assertEqual(mem[0x7fffffffd97a], '\xa4') self.assertEqual(mem[0x7fffffffd97b], '\xf7') self.assertEqual(mem[0x7fffffffd97c], '\xff') self.assertEqual(mem[0x7fffffffd97d], '\x7f') self.assertEqual(mem[0x7fffffffd97e], '\x00') self.assertEqual(mem[0x7fffffffd97f], '\x00') self.assertEqual(cpu.RSP, 140737488345464L) self.assertEqual(cpu.RIP, 140737351927031L) self.assertEqual(cpu.RBP, 140737488345504L) def test_LEA_2(self): ''' Instruction LEA_2 Groups: 0x7ffff7b58ee3: lea r8, qword ptr [r8 + rdx*4] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a2f000, 0x1000, 'rwx') mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7a2fde3] = '\xb2' mem[0x7ffff7a2fde4] = '4' mem[0x7ffff7a2fde5] = '\xd5' mem[0x7ffff7a2fde0] = 'x' mem[0x7ffff7a2fde1] = ')' mem[0x7ffff7a2fde2] = '\xce' mem[0x7ffff7b58ee3] = 'M' mem[0x7ffff7b58ee4] = '\x8d' mem[0x7ffff7b58ee5] = '\x04' mem[0x7ffff7b58ee6] = '\x90' mem[0x7ffff7a2fde7] = 'P' mem[0x7ffff7a2fde6] = '\x92' cpu.R8 = 0x7ffff7a2fa7c cpu.RDX = 0xd9 cpu.RIP = 0x7ffff7b58ee3 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7a2fde3], '\xb2') self.assertEqual(mem[0x7ffff7a2fde4], '4') self.assertEqual(mem[0x7ffff7a2fde5], '\xd5') self.assertEqual(mem[0x7ffff7a2fde0], 'x') self.assertEqual(mem[0x7ffff7a2fde1], ')') self.assertEqual(mem[0x7ffff7a2fde2], '\xce') self.assertEqual(mem[0x7ffff7b58ee3], 'M') self.assertEqual(mem[0x7ffff7b58ee4], '\x8d') self.assertEqual(mem[0x7ffff7b58ee5], '\x04') self.assertEqual(mem[0x7ffff7b58ee6], '\x90') self.assertEqual(mem[0x7ffff7a2fde7], 'P') self.assertEqual(mem[0x7ffff7a2fde6], '\x92') self.assertEqual(cpu.R8, 140737348042208L) self.assertEqual(cpu.RDX, 217L) self.assertEqual(cpu.RIP, 140737349258983L) def test_LEA_3(self): ''' Instruction LEA_3 Groups: 0x7ffff7de3841: lea rsi, qword ptr [rbp - 0x3c] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7ffff7de3841] = 'H' mem[0x7ffff7de3842] = '\x8d' mem[0x7ffff7de3843] = 'u' mem[0x7ffff7de3844] = '\xc4' mem[0x7fffffffd8c5] = '\x00' mem[0x7fffffffd8c6] = '\x00' mem[0x7fffffffd8c7] = '\x00' mem[0x7fffffffd8c8] = '\x00' mem[0x7fffffffd8c9] = '\x00' mem[0x7fffffffd8ca] = '\x00' mem[0x7fffffffd8cb] = '\x00' mem[0x7fffffffd8c4] = '\x00' cpu.RSI = 0xbdd69f1b cpu.RIP = 0x7ffff7de3841 cpu.RBP = 0x7fffffffd900 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de3841], 'H') self.assertEqual(mem[0x7ffff7de3842], '\x8d') self.assertEqual(mem[0x7ffff7de3843], 'u') self.assertEqual(mem[0x7ffff7de3844], '\xc4') self.assertEqual(mem[0x7fffffffd8c5], '\x00') self.assertEqual(mem[0x7fffffffd8c6], '\x00') self.assertEqual(mem[0x7fffffffd8c7], '\x00') self.assertEqual(mem[0x7fffffffd8c8], '\x00') self.assertEqual(mem[0x7fffffffd8c9], '\x00') self.assertEqual(mem[0x7fffffffd8ca], '\x00') self.assertEqual(mem[0x7fffffffd8cb], '\x00') self.assertEqual(mem[0x7fffffffd8c4], '\x00') self.assertEqual(cpu.RSI, 140737488345284L) self.assertEqual(cpu.RIP, 140737351923781L) self.assertEqual(cpu.RBP, 140737488345344L) def test_LEA_4(self): ''' Instruction LEA_4 Groups: 0x7ffff7b58f14: lea rdx, qword ptr [rbx + rdx*8] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a34000, 0x1000, 'rwx') mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f14] = 'H' mem[0x7ffff7b58f15] = '\x8d' mem[0x7ffff7b58f16] = '\x14' mem[0x7ffff7b58f17] = '\xd3' mem[0x7ffff7a34270] = '\xb5' mem[0x7ffff7a34271] = '*' mem[0x7ffff7a34272] = '\x00' mem[0x7ffff7a34273] = '\x00' mem[0x7ffff7a34274] = '\x1a' mem[0x7ffff7a34275] = '\x00' mem[0x7ffff7a34276] = '\x0b' mem[0x7ffff7a34277] = '\x00' cpu.RDX = 0x4a1 cpu.RIP = 0x7ffff7b58f14 cpu.RBX = 0x7ffff7a31d68 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7b58f14], 'H') self.assertEqual(mem[0x7ffff7b58f15], '\x8d') self.assertEqual(mem[0x7ffff7b58f16], '\x14') self.assertEqual(mem[0x7ffff7b58f17], '\xd3') self.assertEqual(mem[0x7ffff7a34270], '\xb5') self.assertEqual(mem[0x7ffff7a34271], '*') self.assertEqual(mem[0x7ffff7a34272], '\x00') self.assertEqual(mem[0x7ffff7a34273], '\x00') self.assertEqual(mem[0x7ffff7a34274], '\x1a') self.assertEqual(mem[0x7ffff7a34275], '\x00') self.assertEqual(mem[0x7ffff7a34276], '\x0b') self.assertEqual(mem[0x7ffff7a34277], '\x00') self.assertEqual(cpu.RDX, 140737348059760L) self.assertEqual(cpu.RIP, 140737349259032L) self.assertEqual(cpu.RBX, 140737348050280L) def test_LEA_5(self): ''' Instruction LEA_5 Groups: 0x7ffff7a652b7: lea rsi, qword ptr [rip + 0x36e35a] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a65000, 0x1000, 'rwx') mem.mmap(0x7ffff7dd3000, 0x1000, 'rwx') mem[0x7ffff7dd3618] = '@' mem[0x7ffff7dd3619] = 'M' mem[0x7ffff7dd361a] = '\xdd' mem[0x7ffff7dd361b] = '\xf7' mem[0x7ffff7dd361c] = '\xff' mem[0x7ffff7dd361d] = '\x7f' mem[0x7ffff7dd361e] = '\x00' mem[0x7ffff7dd361f] = '\x00' mem[0x7ffff7a652b7] = 'H' mem[0x7ffff7a652b8] = '\x8d' mem[0x7ffff7a652b9] = '5' mem[0x7ffff7a652ba] = 'Z' mem[0x7ffff7a652bb] = '\xe3' mem[0x7ffff7a652bc] = '6' mem[0x7ffff7a652bd] = '\x00' cpu.RSI = 0x555555554a00 cpu.RIP = 0x7ffff7a652b7 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7dd3618], '@') self.assertEqual(mem[0x7ffff7dd3619], 'M') self.assertEqual(mem[0x7ffff7dd361a], '\xdd') self.assertEqual(mem[0x7ffff7dd361b], '\xf7') self.assertEqual(mem[0x7ffff7dd361c], '\xff') self.assertEqual(mem[0x7ffff7dd361d], '\x7f') self.assertEqual(mem[0x7ffff7dd361e], '\x00') self.assertEqual(mem[0x7ffff7dd361f], '\x00') self.assertEqual(mem[0x7ffff7a652b7], 'H') self.assertEqual(mem[0x7ffff7a652b8], '\x8d') self.assertEqual(mem[0x7ffff7a652b9], '5') self.assertEqual(mem[0x7ffff7a652ba], 'Z') self.assertEqual(mem[0x7ffff7a652bb], '\xe3') self.assertEqual(mem[0x7ffff7a652bc], '6') self.assertEqual(mem[0x7ffff7a652bd], '\x00') self.assertEqual(cpu.RSI, 140737351857688L) self.assertEqual(cpu.RIP, 140737348260542L) def test_LEA_6(self): ''' Instruction LEA_6 Groups: 0x7ffff7de4418: lea rdi, qword ptr [rbp - 0xa0] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffd910] = '\xff' mem[0x7fffffffd911] = '\xff' mem[0x7fffffffd912] = '\xff' mem[0x7fffffffd913] = '\xff' mem[0x7fffffffd914] = '\x00' mem[0x7fffffffd915] = '\x00' mem[0x7fffffffd916] = '\x00' mem[0x7fffffffd917] = '\x00' mem[0x7ffff7de4418] = 'H' mem[0x7ffff7de4419] = '\x8d' mem[0x7ffff7de441a] = '\xbd' mem[0x7ffff7de441b] = '`' mem[0x7ffff7de441c] = '\xff' mem[0x7ffff7de441d] = '\xff' mem[0x7ffff7de441e] = '\xff' cpu.RDI = 0x555555554548 cpu.RIP = 0x7ffff7de4418 cpu.RBP = 0x7fffffffd9b0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffd910], '\xff') self.assertEqual(mem[0x7fffffffd911], '\xff') self.assertEqual(mem[0x7fffffffd912], '\xff') self.assertEqual(mem[0x7fffffffd913], '\xff') self.assertEqual(mem[0x7fffffffd914], '\x00') self.assertEqual(mem[0x7fffffffd915], '\x00') self.assertEqual(mem[0x7fffffffd916], '\x00') self.assertEqual(mem[0x7fffffffd917], '\x00') self.assertEqual(mem[0x7ffff7de4418], 'H') self.assertEqual(mem[0x7ffff7de4419], '\x8d') self.assertEqual(mem[0x7ffff7de441a], '\xbd') self.assertEqual(mem[0x7ffff7de441b], '`') self.assertEqual(mem[0x7ffff7de441c], '\xff') self.assertEqual(mem[0x7ffff7de441d], '\xff') self.assertEqual(mem[0x7ffff7de441e], '\xff') self.assertEqual(cpu.RDI, 140737488345360L) self.assertEqual(cpu.RIP, 140737351926815L) self.assertEqual(cpu.RBP, 140737488345520L) def test_MOVABS_1(self): ''' Instruction MOVABS_1 Groups: 0x7ffff7ddc5df: movabs r8, 0x37ffff1a0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx') mem[0x7ffff7ddc5e0] = '\xb8' mem[0x7ffff7ddc5e1] = '\xa0' mem[0x7ffff7ddc5e2] = '\xf1' mem[0x7ffff7ddc5e3] = '\xff' mem[0x7ffff7ddc5e4] = '\x7f' mem[0x7ffff7ddc5e5] = '\x03' mem[0x7ffff7ddc5e6] = '\x00' mem[0x7ffff7ddc5e7] = '\x00' mem[0x7ffff7ddc5e8] = '\x00' mem[0x7ffff7ddc5df] = 'I' cpu.R8 = 0x0 cpu.RIP = 0x7ffff7ddc5df cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ddc5e0], '\xb8') self.assertEqual(mem[0x7ffff7ddc5e1], '\xa0') self.assertEqual(mem[0x7ffff7ddc5e2], '\xf1') self.assertEqual(mem[0x7ffff7ddc5e3], '\xff') self.assertEqual(mem[0x7ffff7ddc5e4], '\x7f') self.assertEqual(mem[0x7ffff7ddc5e5], '\x03') self.assertEqual(mem[0x7ffff7ddc5e6], '\x00') self.assertEqual(mem[0x7ffff7ddc5e7], '\x00') self.assertEqual(mem[0x7ffff7ddc5e8], '\x00') self.assertEqual(mem[0x7ffff7ddc5df], 'I') self.assertEqual(cpu.R8, 15032381856L) self.assertEqual(cpu.RIP, 140737351894505L) def test_MOVABS_2(self): ''' Instruction MOVABS_2 Groups: 0x7ffff7ddc5df: movabs r8, 0x37ffff1a0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx') mem[0x7ffff7ddc5e0] = '\xb8' mem[0x7ffff7ddc5e1] = '\xa0' mem[0x7ffff7ddc5e2] = '\xf1' mem[0x7ffff7ddc5e3] = '\xff' mem[0x7ffff7ddc5e4] = '\x7f' mem[0x7ffff7ddc5e5] = '\x03' mem[0x7ffff7ddc5e6] = '\x00' mem[0x7ffff7ddc5e7] = '\x00' mem[0x7ffff7ddc5e8] = '\x00' mem[0x7ffff7ddc5df] = 'I' cpu.R8 = 0x0 cpu.RIP = 0x7ffff7ddc5df cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ddc5e0], '\xb8') self.assertEqual(mem[0x7ffff7ddc5e1], '\xa0') self.assertEqual(mem[0x7ffff7ddc5e2], '\xf1') self.assertEqual(mem[0x7ffff7ddc5e3], '\xff') self.assertEqual(mem[0x7ffff7ddc5e4], '\x7f') self.assertEqual(mem[0x7ffff7ddc5e5], '\x03') self.assertEqual(mem[0x7ffff7ddc5e6], '\x00') self.assertEqual(mem[0x7ffff7ddc5e7], '\x00') self.assertEqual(mem[0x7ffff7ddc5e8], '\x00') self.assertEqual(mem[0x7ffff7ddc5df], 'I') self.assertEqual(cpu.R8, 15032381856L) self.assertEqual(cpu.RIP, 140737351894505L) def test_MOVABS_3(self): ''' Instruction MOVABS_3 Groups: 0x7ffff7df1435: movabs rcx, -0x8000000000000000 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1435] = 'H' mem[0x7ffff7df1436] = '\xb9' mem[0x7ffff7df1437] = '\x00' mem[0x7ffff7df1438] = '\x00' mem[0x7ffff7df1439] = '\x00' mem[0x7ffff7df143a] = '\x00' mem[0x7ffff7df143b] = '\x00' mem[0x7ffff7df143c] = '\x00' mem[0x7ffff7df143d] = '\x00' mem[0x7ffff7df143e] = '\x80' cpu.RCX = 0x31 cpu.RIP = 0x7ffff7df1435 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df1435], 'H') self.assertEqual(mem[0x7ffff7df1436], '\xb9') self.assertEqual(mem[0x7ffff7df1437], '\x00') self.assertEqual(mem[0x7ffff7df1438], '\x00') self.assertEqual(mem[0x7ffff7df1439], '\x00') self.assertEqual(mem[0x7ffff7df143a], '\x00') self.assertEqual(mem[0x7ffff7df143b], '\x00') self.assertEqual(mem[0x7ffff7df143c], '\x00') self.assertEqual(mem[0x7ffff7df143d], '\x00') self.assertEqual(mem[0x7ffff7df143e], '\x80') self.assertEqual(cpu.RCX, 9223372036854775808L) self.assertEqual(cpu.RIP, 140737351980095L) def test_MOVABS_4(self): ''' Instruction MOVABS_4 Groups: 0x45f853: movabs rdx, -0x3333333333333333 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0045f000, 0x1000, 'rwx') mem[0x0045f853] = 'H' mem[0x0045f854] = '\xba' mem[0x0045f855] = '\xcd' mem[0x0045f856] = '\xcc' mem[0x0045f857] = '\xcc' mem[0x0045f858] = '\xcc' mem[0x0045f859] = '\xcc' mem[0x0045f85a] = '\xcc' mem[0x0045f85b] = '\xcc' mem[0x0045f85c] = '\xcc' cpu.RDX = 0x6bf710 cpu.RIP = 0x45f853 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x45f853], 'H') self.assertEqual(mem[0x45f854], '\xba') self.assertEqual(mem[0x45f855], '\xcd') self.assertEqual(mem[0x45f856], '\xcc') self.assertEqual(mem[0x45f857], '\xcc') self.assertEqual(mem[0x45f858], '\xcc') self.assertEqual(mem[0x45f859], '\xcc') self.assertEqual(mem[0x45f85a], '\xcc') self.assertEqual(mem[0x45f85b], '\xcc') self.assertEqual(mem[0x45f85c], '\xcc') self.assertEqual(cpu.RDX, 14757395258967641293L) self.assertEqual(cpu.RIP, 4585565L) def test_MOVABS_5(self): ''' Instruction MOVABS_5 Groups: 0x7ffff7df4630: movabs r8, -0x101010101010101 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4630] = 'I' mem[0x7ffff7df4631] = '\xb8' mem[0x7ffff7df4632] = '\xff' mem[0x7ffff7df4633] = '\xfe' mem[0x7ffff7df4634] = '\xfe' mem[0x7ffff7df4635] = '\xfe' mem[0x7ffff7df4636] = '\xfe' mem[0x7ffff7df4637] = '\xfe' mem[0x7ffff7df4638] = '\xfe' mem[0x7ffff7df4639] = '\xfe' cpu.R8 = 0x7ffff7fdd5a0 cpu.RIP = 0x7ffff7df4630 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df4630], 'I') self.assertEqual(mem[0x7ffff7df4631], '\xb8') self.assertEqual(mem[0x7ffff7df4632], '\xff') self.assertEqual(mem[0x7ffff7df4633], '\xfe') self.assertEqual(mem[0x7ffff7df4634], '\xfe') self.assertEqual(mem[0x7ffff7df4635], '\xfe') self.assertEqual(mem[0x7ffff7df4636], '\xfe') self.assertEqual(mem[0x7ffff7df4637], '\xfe') self.assertEqual(mem[0x7ffff7df4638], '\xfe') self.assertEqual(mem[0x7ffff7df4639], '\xfe') self.assertEqual(cpu.R8, 18374403900871474943L) self.assertEqual(cpu.RIP, 140737351992890L) def test_MOVABS_6(self): ''' Instruction MOVABS_6 Groups: 0x7ffff7ddc5df: movabs r8, 0x37ffff1a0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx') mem[0x7ffff7ddc5e0] = '\xb8' mem[0x7ffff7ddc5e1] = '\xa0' mem[0x7ffff7ddc5e2] = '\xf1' mem[0x7ffff7ddc5e3] = '\xff' mem[0x7ffff7ddc5e4] = '\x7f' mem[0x7ffff7ddc5e5] = '\x03' mem[0x7ffff7ddc5e6] = '\x00' mem[0x7ffff7ddc5e7] = '\x00' mem[0x7ffff7ddc5e8] = '\x00' mem[0x7ffff7ddc5df] = 'I' cpu.R8 = 0x0 cpu.RIP = 0x7ffff7ddc5df cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ddc5e0], '\xb8') self.assertEqual(mem[0x7ffff7ddc5e1], '\xa0') self.assertEqual(mem[0x7ffff7ddc5e2], '\xf1') self.assertEqual(mem[0x7ffff7ddc5e3], '\xff') self.assertEqual(mem[0x7ffff7ddc5e4], '\x7f') self.assertEqual(mem[0x7ffff7ddc5e5], '\x03') self.assertEqual(mem[0x7ffff7ddc5e6], '\x00') self.assertEqual(mem[0x7ffff7ddc5e7], '\x00') self.assertEqual(mem[0x7ffff7ddc5e8], '\x00') self.assertEqual(mem[0x7ffff7ddc5df], 'I') self.assertEqual(cpu.R8, 15032381856L) self.assertEqual(cpu.RIP, 140737351894505L) def test_MOVDQA_1(self): ''' Instruction MOVDQA_1 Groups: sse2 0x7ffff7ac0b0b: movdqa xmm4, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0b0b] = 'f' mem[0x7ffff7ac0b0c] = '\x0f' mem[0x7ffff7ac0b0d] = 'o' mem[0x7ffff7ac0b0e] = '\xe0' cpu.XMM0 = 0x616572635f706374746e6c63000a7325 cpu.RIP = 0x7ffff7ac0b0b cpu.XMM4 = 0xff0000000000 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ac0b0b], 'f') self.assertEqual(mem[0x7ffff7ac0b0c], '\x0f') self.assertEqual(mem[0x7ffff7ac0b0d], 'o') self.assertEqual(mem[0x7ffff7ac0b0e], '\xe0') self.assertEqual(cpu.XMM0, 129461857641668707752067115693843837733L) self.assertEqual(cpu.XMM4, 129461857641668707752067115693843837733L) self.assertEqual(cpu.RIP, 140737348635407L) def test_MOVDQA_2(self): ''' Instruction MOVDQA_2 Groups: sse2 0x457d38: movdqa xmm0, xmm2 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x00457d38] = 'f' mem[0x00457d39] = '\x0f' mem[0x00457d3a] = 'o' mem[0x00457d3b] = '\xc2' cpu.XMM2 = 0x414d00323d524e54565f474458003267 cpu.XMM0 = 0xff0000 cpu.RIP = 0x457d38 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x457d38], 'f') self.assertEqual(mem[0x457d39], '\x0f') self.assertEqual(mem[0x457d3a], 'o') self.assertEqual(mem[0x457d3b], '\xc2') self.assertEqual(cpu.XMM2, 86799630564512926596007573190145487463L) self.assertEqual(cpu.XMM0, 86799630564512926596007573190145487463L) self.assertEqual(cpu.RIP, 4554044L) def test_MOVDQA_3(self): ''' Instruction MOVDQA_3 Groups: sse2 0x457aaf: movdqa xmm5, xmm3 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x00457ab0] = '\x0f' mem[0x00457ab1] = 'o' mem[0x00457ab2] = '\xeb' mem[0x00457aaf] = 'f' cpu.XMM3 = 0x726f74756365784563696c6f626d7953 cpu.RIP = 0x457aaf cpu.XMM5 = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x457ab0], '\x0f') self.assertEqual(mem[0x457ab1], 'o') self.assertEqual(mem[0x457ab2], '\xeb') self.assertEqual(mem[0x457aaf], 'f') self.assertEqual(cpu.XMM3, 152110698530748498584558466992035428691L) self.assertEqual(cpu.RIP, 4553395L) self.assertEqual(cpu.XMM5, 152110698530748498584558466992035428691L) def test_MOVDQA_4(self): ''' Instruction MOVDQA_4 Groups: sse2 0x457a08: movdqa xmm2, xmmword ptr [rdi + 0x30] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem.mmap(0x7fffffffe000, 0x1000, 'rwx') mem[0x00457a08] = 'f' mem[0x00457a09] = '\x0f' mem[0x00457a0a] = 'o' mem[0x00457a0b] = 'W' mem[0x00457a0c] = '0' mem[0x7fffffffe070] = 'D' mem[0x7fffffffe071] = 'G' mem[0x7fffffffe072] = '_' mem[0x7fffffffe073] = 'V' mem[0x7fffffffe074] = 'T' mem[0x7fffffffe075] = 'N' mem[0x7fffffffe076] = 'R' mem[0x7fffffffe077] = '=' mem[0x7fffffffe078] = '2' mem[0x7fffffffe079] = '\x00' mem[0x7fffffffe07a] = 'M' mem[0x7fffffffe07b] = 'A' mem[0x7fffffffe07c] = 'N' mem[0x7fffffffe07d] = 'P' mem[0x7fffffffe07e] = 'A' mem[0x7fffffffe07f] = 'T' cpu.XMM2 = 0x0 cpu.RDI = 0x7fffffffe040 cpu.RIP = 0x457a08 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x457a08], 'f') self.assertEqual(mem[0x457a09], '\x0f') self.assertEqual(mem[0x457a0a], 'o') self.assertEqual(mem[0x457a0b], 'W') self.assertEqual(mem[0x457a0c], '0') self.assertEqual(mem[0x7fffffffe070], 'D') self.assertEqual(mem[0x7fffffffe071], 'G') self.assertEqual(mem[0x7fffffffe072], '_') self.assertEqual(mem[0x7fffffffe073], 'V') self.assertEqual(mem[0x7fffffffe074], 'T') self.assertEqual(mem[0x7fffffffe075], 'N') self.assertEqual(mem[0x7fffffffe076], 'R') self.assertEqual(mem[0x7fffffffe077], '=') self.assertEqual(mem[0x7fffffffe078], '2') self.assertEqual(mem[0x7fffffffe079], '\x00') self.assertEqual(mem[0x7fffffffe07a], 'M') self.assertEqual(mem[0x7fffffffe07b], 'A') self.assertEqual(mem[0x7fffffffe07c], 'N') self.assertEqual(mem[0x7fffffffe07d], 'P') self.assertEqual(mem[0x7fffffffe07e], 'A') self.assertEqual(mem[0x7fffffffe07f], 'T') self.assertEqual(cpu.XMM2, 111994279734512279219280163309057165124L) self.assertEqual(cpu.RDI, 140737488347200L) self.assertEqual(cpu.RIP, 4553229L) def test_MOVDQA_5(self): ''' Instruction MOVDQA_5 Groups: sse2 0x457b38: movdqa xmm0, xmm2 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x00457b38] = 'f' mem[0x00457b39] = '\x0f' mem[0x00457b3a] = 'o' mem[0x00457b3b] = '\xc2' cpu.XMM2 = 0x504e414d00323d524e54565f47445800 cpu.XMM0 = 0x0 cpu.RIP = 0x457b38 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x457b38], 'f') self.assertEqual(mem[0x457b39], '\x0f') self.assertEqual(mem[0x457b3a], 'o') self.assertEqual(mem[0x457b3b], '\xc2') self.assertEqual(cpu.XMM2, 106744563275012473217874926561820694528L) self.assertEqual(cpu.XMM0, 106744563275012473217874926561820694528L) self.assertEqual(cpu.RIP, 4553532L) def test_MOVDQA_6(self): ''' Instruction MOVDQA_6 Groups: sse2 0x7ffff7ac0b0b: movdqa xmm4, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0b0b] = 'f' mem[0x7ffff7ac0b0c] = '\x0f' mem[0x7ffff7ac0b0d] = 'o' mem[0x7ffff7ac0b0e] = '\xe0' cpu.XMM0 = 0xcd202730fa0892a58d0000007fffff00 cpu.RIP = 0x7ffff7ac0b0b cpu.XMM4 = 0xffffff000000ff0000 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ac0b0b], 'f') self.assertEqual(mem[0x7ffff7ac0b0c], '\x0f') self.assertEqual(mem[0x7ffff7ac0b0d], 'o') self.assertEqual(mem[0x7ffff7ac0b0e], '\xe0') self.assertEqual(cpu.XMM0, 272658687529688827910500737779280903936L) self.assertEqual(cpu.XMM4, 272658687529688827910500737779280903936L) self.assertEqual(cpu.RIP, 140737348635407L) def test_MOVDQU_1(self): ''' Instruction MOVDQU_1 Groups: sse2 0x6a74d4: movdqu xmm0, xmmword ptr [rsp] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x006a7000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffccb5] = '\x00' mem[0x7fffffffccb4] = '!' mem[0x006a74d6] = 'o' mem[0x7fffffffccb8] = '\x01' mem[0x006a74d7] = '\x04' mem[0x7fffffffccb0] = '\xff' mem[0x7fffffffccb1] = '\x7f' mem[0x7fffffffccb2] = '\x00' mem[0x7fffffffccb3] = '\x00' mem[0x006a74d4] = '\xf3' mem[0x006a74d5] = '\x0f' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x00' mem[0x006a74d8] = '$' mem[0x7fffffffccb9] = '\x00' mem[0x7fffffffccba] = '\x00' mem[0x7fffffffccbb] = '\x80' mem[0x7fffffffccbc] = '\xff' mem[0x7fffffffccbd] = '\x7f' mem[0x7fffffffccbe] = '\x00' mem[0x7fffffffccbf] = '\x00' cpu.XMM0 = 0x7fff800000000000002100007fff cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x6a74d4 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffccbb], '\x80') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb9], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(mem[0x7fffffffccbf], '\x00') self.assertEqual(mem[0x7fffffffccb0], '\xff') self.assertEqual(mem[0x7fffffffccb1], '\x7f') self.assertEqual(mem[0x7fffffffccb2], '\x00') self.assertEqual(mem[0x7fffffffccb3], '\x00') self.assertEqual(mem[0x6a74d4], '\xf3') self.assertEqual(mem[0x6a74d5], '\x0f') self.assertEqual(mem[0x6a74d6], 'o') self.assertEqual(mem[0x6a74d7], '\x04') self.assertEqual(mem[0x6a74d8], '$') self.assertEqual(mem[0x7fffffffccb4], '!') self.assertEqual(mem[0x7fffffffccba], '\x00') self.assertEqual(mem[0x7fffffffccb8], '\x01') self.assertEqual(mem[0x7fffffffccbc], '\xff') self.assertEqual(mem[0x7fffffffccbd], '\x7f') self.assertEqual(mem[0x7fffffffccbe], '\x00') self.assertEqual(mem[0x7fffffffccb5], '\x00') self.assertEqual(cpu.XMM0, 2596108815186175128840666836140031L) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 6976729L) def test_MOVDQU_2(self): ''' Instruction MOVDQU_2 Groups: sse2 0x568fac: movdqu xmm0, xmmword ptr [rsp] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00568000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x00568fb0] = '$' mem[0x00568fac] = '\xf3' mem[0x00568fad] = '\x0f' mem[0x00568fae] = 'o' mem[0x00568faf] = '\x04' mem[0x7fffffffccb0] = 'x' mem[0x7fffffffccb1] = 'V' mem[0x7fffffffccb2] = '4' mem[0x7fffffffccb3] = '\x12' mem[0x7fffffffccb4] = '\xff' mem[0x7fffffffccb5] = '\x7f' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x00' mem[0x7fffffffccb8] = '\x01' mem[0x7fffffffccb9] = '\x80' mem[0x7fffffffccba] = '\x00' mem[0x7fffffffccbb] = '\x00' mem[0x7fffffffccbc] = 'x' mem[0x7fffffffccbd] = 'V' mem[0x7fffffffccbe] = '4' mem[0x7fffffffccbf] = '\x12' cpu.XMM0 = 0x1234567800007fff00007fff12345678 cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x568fac cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffccb0], 'x') self.assertEqual(mem[0x568fac], '\xf3') self.assertEqual(mem[0x568fad], '\x0f') self.assertEqual(mem[0x568fae], 'o') self.assertEqual(mem[0x568faf], '\x04') self.assertEqual(mem[0x568fb0], '$') self.assertEqual(mem[0x7fffffffccb1], 'V') self.assertEqual(mem[0x7fffffffccb2], '4') self.assertEqual(mem[0x7fffffffccb3], '\x12') self.assertEqual(mem[0x7fffffffccb4], '\xff') self.assertEqual(mem[0x7fffffffccb5], '\x7f') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(mem[0x7fffffffccb8], '\x01') self.assertEqual(mem[0x7fffffffccb9], '\x80') self.assertEqual(mem[0x7fffffffccba], '\x00') self.assertEqual(mem[0x7fffffffccbb], '\x00') self.assertEqual(mem[0x7fffffffccbc], 'x') self.assertEqual(mem[0x7fffffffccbd], 'V') self.assertEqual(mem[0x7fffffffccbe], '4') self.assertEqual(mem[0x7fffffffccbf], '\x12') self.assertEqual(cpu.XMM0, 24197857155378316985685775704845997688L) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 5672881L) def test_MOVDQU_3(self): ''' Instruction MOVDQU_3 Groups: sse2 0x6f4c12: movdqu xmm1, xmmword ptr [rsp + 4] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x006f4000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x006f4c12] = '\xf3' mem[0x006f4c13] = '\x0f' mem[0x006f4c14] = 'o' mem[0x006f4c15] = 'L' mem[0x006f4c16] = '$' mem[0x006f4c17] = '\x04' mem[0x7fffffffccb4] = '\xff' mem[0x7fffffffccb5] = '\x7f' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x00' mem[0x7fffffffccb8] = ' ' mem[0x7fffffffccb9] = '\x00' mem[0x7fffffffccba] = '\x00' mem[0x7fffffffccbb] = '\x00' mem[0x7fffffffccbc] = '!' mem[0x7fffffffccbd] = '\x00' mem[0x7fffffffccbe] = '\x00' mem[0x7fffffffccbf] = '\x00' mem[0x7fffffffccc0] = '\xff' mem[0x7fffffffccc1] = '\x7f' mem[0x7fffffffccc2] = '\x00' mem[0x7fffffffccc3] = '\x00' cpu.XMM1 = 0x7fff000000210000002100007fff cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x6f4c12 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x6f4c12], '\xf3') self.assertEqual(mem[0x6f4c13], '\x0f') self.assertEqual(mem[0x6f4c14], 'o') self.assertEqual(mem[0x6f4c15], 'L') self.assertEqual(mem[0x6f4c16], '$') self.assertEqual(mem[0x6f4c17], '\x04') self.assertEqual(mem[0x7fffffffccb4], '\xff') self.assertEqual(mem[0x7fffffffccb5], '\x7f') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(mem[0x7fffffffccb8], ' ') self.assertEqual(mem[0x7fffffffccb9], '\x00') self.assertEqual(mem[0x7fffffffccba], '\x00') self.assertEqual(mem[0x7fffffffccbb], '\x00') self.assertEqual(mem[0x7fffffffccbc], '!') self.assertEqual(mem[0x7fffffffccbd], '\x00') self.assertEqual(mem[0x7fffffffccbe], '\x00') self.assertEqual(mem[0x7fffffffccbf], '\x00') self.assertEqual(mem[0x7fffffffccc0], '\xff') self.assertEqual(mem[0x7fffffffccc1], '\x7f') self.assertEqual(mem[0x7fffffffccc2], '\x00') self.assertEqual(mem[0x7fffffffccc3], '\x00') self.assertEqual(cpu.XMM1, 2596069201105508292482224474849279L) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 7293976L) def test_MOVDQU_4(self): ''' Instruction MOVDQU_4 Groups: sse2 0x56fa50: movdqu xmm1, xmmword ptr [rsp + 4] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0056f000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffccb4] = ' ' mem[0x7fffffffccb5] = '\x00' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x00' mem[0x7fffffffccb8] = '!' mem[0x7fffffffccb9] = '\x00' mem[0x7fffffffccba] = '\x00' mem[0x7fffffffccbb] = '\x00' mem[0x7fffffffccbc] = '!' mem[0x7fffffffccbd] = 'C' mem[0x7fffffffccbe] = 'e' mem[0x7fffffffccbf] = '\x87' mem[0x7fffffffccc0] = ' ' mem[0x7fffffffccc1] = '\x00' mem[0x7fffffffccc2] = '\x00' mem[0x7fffffffccc3] = '\x00' mem[0x0056fa50] = '\xf3' mem[0x0056fa51] = '\x0f' mem[0x0056fa52] = 'o' mem[0x0056fa53] = 'L' mem[0x0056fa54] = '$' mem[0x0056fa55] = '\x04' cpu.XMM1 = 0x20876543218765432100000020 cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x56fa50 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffccb4], ' ') self.assertEqual(mem[0x7fffffffccb5], '\x00') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(mem[0x7fffffffccb8], '!') self.assertEqual(mem[0x7fffffffccb9], '\x00') self.assertEqual(mem[0x7fffffffccba], '\x00') self.assertEqual(mem[0x7fffffffccbb], '\x00') self.assertEqual(mem[0x7fffffffccbc], '!') self.assertEqual(mem[0x7fffffffccbd], 'C') self.assertEqual(mem[0x7fffffffccbe], 'e') self.assertEqual(mem[0x7fffffffccbf], '\x87') self.assertEqual(mem[0x7fffffffccc0], ' ') self.assertEqual(mem[0x7fffffffccc1], '\x00') self.assertEqual(mem[0x7fffffffccc2], '\x00') self.assertEqual(mem[0x7fffffffccc3], '\x00') self.assertEqual(mem[0x56fa50], '\xf3') self.assertEqual(mem[0x56fa51], '\x0f') self.assertEqual(mem[0x56fa52], 'o') self.assertEqual(mem[0x56fa53], 'L') self.assertEqual(mem[0x56fa54], '$') self.assertEqual(mem[0x56fa55], '\x04') self.assertEqual(cpu.XMM1, 2577204095297418371658275618848L) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 5700182L) def test_MOVDQU_5(self): ''' Instruction MOVDQU_5 Groups: sse2 0x606649: movdqu xmm1, xmmword ptr [rsp + 4] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00606000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffccb4] = '\xff' mem[0x7fffffffccb5] = '\xff' mem[0x7fffffffccb6] = '\xff' mem[0x7fffffffccb7] = '\xff' mem[0x7fffffffccb8] = '\x01' mem[0x7fffffffccb9] = '\x80' mem[0x7fffffffccba] = '\x00' mem[0x7fffffffccbb] = '\x00' mem[0x7fffffffccbc] = '\x01' mem[0x7fffffffccbd] = '\x80' mem[0x7fffffffccbe] = '\x00' mem[0x7fffffffccbf] = '\x00' mem[0x7fffffffccc0] = '\xff' mem[0x7fffffffccc1] = '\xff' mem[0x7fffffffccc2] = '\xff' mem[0x7fffffffccc3] = '\xff' mem[0x00606649] = '\xf3' mem[0x0060664a] = '\x0f' mem[0x0060664b] = 'o' mem[0x0060664c] = 'L' mem[0x0060664d] = '$' mem[0x0060664e] = '\x04' cpu.XMM1 = 0xffffffff0000800100007fffffffffff cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x606649 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffccb4], '\xff') self.assertEqual(mem[0x7fffffffccb5], '\xff') self.assertEqual(mem[0x7fffffffccb6], '\xff') self.assertEqual(mem[0x7fffffffccb7], '\xff') self.assertEqual(mem[0x7fffffffccb8], '\x01') self.assertEqual(mem[0x7fffffffccb9], '\x80') self.assertEqual(mem[0x7fffffffccba], '\x00') self.assertEqual(mem[0x7fffffffccbb], '\x00') self.assertEqual(mem[0x7fffffffccbc], '\x01') self.assertEqual(mem[0x7fffffffccbd], '\x80') self.assertEqual(mem[0x7fffffffccbe], '\x00') self.assertEqual(mem[0x7fffffffccbf], '\x00') self.assertEqual(mem[0x7fffffffccc0], '\xff') self.assertEqual(mem[0x7fffffffccc1], '\xff') self.assertEqual(mem[0x7fffffffccc2], '\xff') self.assertEqual(mem[0x7fffffffccc3], '\xff') self.assertEqual(mem[0x606649], '\xf3') self.assertEqual(mem[0x60664a], '\x0f') self.assertEqual(mem[0x60664b], 'o') self.assertEqual(mem[0x60664c], 'L') self.assertEqual(mem[0x60664d], '$') self.assertEqual(mem[0x60664e], '\x04') self.assertEqual(cpu.XMM1, 340282366841710905430466961972599455743L) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 6317647L) def test_MOVDQU_6(self): ''' Instruction MOVDQU_6 Groups: sse2 0x6fc91e: movdqu xmm0, xmmword ptr [rsp] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x006fc000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x006fc920] = 'o' mem[0x006fc921] = '\x04' mem[0x006fc922] = '$' mem[0x006fc91f] = '\x0f' mem[0x006fc91e] = '\xf3' mem[0x7fffffffccb0] = '@' mem[0x7fffffffccb1] = '\x00' mem[0x7fffffffccb2] = '\x00' mem[0x7fffffffccb3] = '\x00' mem[0x7fffffffccb4] = '\x01' mem[0x7fffffffccb5] = '\x00' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x80' mem[0x7fffffffccb8] = '\x01' mem[0x7fffffffccb9] = '\x00' mem[0x7fffffffccba] = '\x00' mem[0x7fffffffccbb] = '\x80' mem[0x7fffffffccbc] = '@' mem[0x7fffffffccbd] = '\x00' mem[0x7fffffffccbe] = '\x00' mem[0x7fffffffccbf] = '\x00' cpu.XMM0 = 0x40800000008000000100000040 cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x6fc91e cpu.execute() #cpu.writeback() self.assertEqual(mem[0x6fc920], 'o') self.assertEqual(mem[0x6fc921], '\x04') self.assertEqual(mem[0x6fc922], '$') self.assertEqual(mem[0x7fffffffccbf], '\x00') self.assertEqual(mem[0x7fffffffccbe], '\x00') self.assertEqual(mem[0x7fffffffccb0], '@') self.assertEqual(mem[0x7fffffffccb1], '\x00') self.assertEqual(mem[0x7fffffffccb2], '\x00') self.assertEqual(mem[0x7fffffffccb3], '\x00') self.assertEqual(mem[0x7fffffffccb4], '\x01') self.assertEqual(mem[0x7fffffffccb5], '\x00') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x80') self.assertEqual(mem[0x7fffffffccb8], '\x01') self.assertEqual(mem[0x7fffffffccb9], '\x00') self.assertEqual(mem[0x7fffffffccba], '\x00') self.assertEqual(mem[0x7fffffffccbb], '\x80') self.assertEqual(mem[0x7fffffffccbc], '@') self.assertEqual(mem[0x7fffffffccbd], '\x00') self.assertEqual(mem[0x6fc91e], '\xf3') self.assertEqual(mem[0x6fc91f], '\x0f') self.assertEqual(cpu.XMM0, 5110216482197719890898444091456L) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 7325987L) def test_MOVD_1(self): ''' Instruction MOVD_1 Groups: sse2 0x7ffff7df4370: movd xmm1, esi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4370] = 'f' mem[0x7ffff7df4371] = '\x0f' mem[0x7ffff7df4372] = 'n' mem[0x7ffff7df4373] = '\xce' cpu.XMM1 = 0x24242424242424242424242424242424 cpu.RIP = 0x7ffff7df4370 cpu.ESI = 0x2f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df4370], 'f') self.assertEqual(mem[0x7ffff7df4371], '\x0f') self.assertEqual(mem[0x7ffff7df4372], 'n') self.assertEqual(mem[0x7ffff7df4373], '\xce') self.assertEqual(cpu.XMM1, 47) self.assertEqual(cpu.ESI, 47L) self.assertEqual(cpu.RIP, 140737351992180L) def test_MOVD_2(self): ''' Instruction MOVD_2 Groups: sse2 0x7ffff7ab7980: movd xmm1, esi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx') mem[0x7ffff7ab7980] = 'f' mem[0x7ffff7ab7981] = '\x0f' mem[0x7ffff7ab7982] = 'n' mem[0x7ffff7ab7983] = '\xce' cpu.XMM1 = 0x24242424242424242424242424242424 cpu.RIP = 0x7ffff7ab7980 cpu.ESI = 0x2f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ab7980], 'f') self.assertEqual(mem[0x7ffff7ab7981], '\x0f') self.assertEqual(mem[0x7ffff7ab7982], 'n') self.assertEqual(mem[0x7ffff7ab7983], '\xce') self.assertEqual(cpu.XMM1, 47) self.assertEqual(cpu.ESI, 47L) self.assertEqual(cpu.RIP, 140737348598148L) def test_MOVD_3(self): ''' Instruction MOVD_3 Groups: sse2 0x4578e0: movd xmm1, esi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x004578e0] = 'f' mem[0x004578e1] = '\x0f' mem[0x004578e2] = 'n' mem[0x004578e3] = '\xce' cpu.XMM1 = 0x0 cpu.RIP = 0x4578e0 cpu.ESI = 0x2f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4578e0], 'f') self.assertEqual(mem[0x4578e1], '\x0f') self.assertEqual(mem[0x4578e2], 'n') self.assertEqual(mem[0x4578e3], '\xce') self.assertEqual(cpu.XMM1, 47) self.assertEqual(cpu.ESI, 47L) self.assertEqual(cpu.RIP, 4552932L) def test_MOVD_4(self): ''' Instruction MOVD_4 Groups: sse2 0x421b10: movd xmm1, esi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00421000, 0x1000, 'rwx') mem[0x00421b10] = 'f' mem[0x00421b11] = '\x0f' mem[0x00421b12] = 'n' mem[0x00421b13] = '\xce' cpu.XMM1 = 0x25252525252525252525252525252525 cpu.RIP = 0x421b10 cpu.ESI = 0x25 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x421b10], 'f') self.assertEqual(mem[0x421b11], '\x0f') self.assertEqual(mem[0x421b12], 'n') self.assertEqual(mem[0x421b13], '\xce') self.assertEqual(cpu.XMM1, 37) self.assertEqual(cpu.ESI, 37L) self.assertEqual(cpu.RIP, 4332308L) def test_MOVD_5(self): ''' Instruction MOVD_5 Groups: sse2 0x457da0: movd xmm1, esi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x00457da0] = 'f' mem[0x00457da1] = '\x0f' mem[0x00457da2] = 'n' mem[0x00457da3] = '\xce' cpu.XMM1 = 0x0 cpu.RIP = 0x457da0 cpu.ESI = 0x2f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x457da0], 'f') self.assertEqual(mem[0x457da1], '\x0f') self.assertEqual(mem[0x457da2], 'n') self.assertEqual(mem[0x457da3], '\xce') self.assertEqual(cpu.XMM1, 47) self.assertEqual(cpu.ESI, 47L) self.assertEqual(cpu.RIP, 4554148L) def test_MOVD_6(self): ''' Instruction MOVD_6 Groups: sse2 0x7ffff7ac0ae0: movd xmm1, esi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0ae0] = 'f' mem[0x7ffff7ac0ae1] = '\x0f' mem[0x7ffff7ac0ae2] = 'n' mem[0x7ffff7ac0ae3] = '\xce' cpu.XMM1 = 0x25252525252525252525252525252525 cpu.RIP = 0x7ffff7ac0ae0 cpu.ESI = 0x25 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ac0ae0], 'f') self.assertEqual(mem[0x7ffff7ac0ae1], '\x0f') self.assertEqual(mem[0x7ffff7ac0ae2], 'n') self.assertEqual(mem[0x7ffff7ac0ae3], '\xce') self.assertEqual(cpu.XMM1, 37) self.assertEqual(cpu.ESI, 37L) self.assertEqual(cpu.RIP, 140737348635364L) def test_MOVLPD_1(self): ''' Instruction MOVLPD_1 Groups: sse2 0x50f61f: movlpd xmm1, qword ptr [rsp] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0050f000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x0050f61f] = 'f' mem[0x0050f620] = '\x0f' mem[0x0050f621] = '\x12' mem[0x0050f622] = '\x0c' mem[0x0050f623] = '$' mem[0x7fffffffccb0] = '@' mem[0x7fffffffccb1] = '\x00' mem[0x7fffffffccb2] = '\x00' mem[0x7fffffffccb3] = '\x00' mem[0x7fffffffccb4] = '\x80' mem[0x7fffffffccb5] = '\x00' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x00' cpu.XMM1 = 0x80000000400000008000000040 cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x50f61f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x50f61f], 'f') self.assertEqual(mem[0x50f620], '\x0f') self.assertEqual(mem[0x50f621], '\x12') self.assertEqual(mem[0x50f622], '\x0c') self.assertEqual(mem[0x50f623], '$') self.assertEqual(mem[0x7fffffffccb0], '@') self.assertEqual(mem[0x7fffffffccb1], '\x00') self.assertEqual(mem[0x7fffffffccb2], '\x00') self.assertEqual(mem[0x7fffffffccb3], '\x00') self.assertEqual(mem[0x7fffffffccb4], '\x80') self.assertEqual(mem[0x7fffffffccb5], '\x00') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(cpu.XMM1, 10141204803006426833240792760384L) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 5305892L) def test_MOVLPD_2(self): ''' Instruction MOVLPD_2 Groups: sse2 0x4aa891: movlpd qword ptr [rsp], xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x004aa000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x004aa891] = 'f' mem[0x004aa892] = '\x0f' mem[0x004aa893] = '\x13' mem[0x004aa894] = '\x0c' mem[0x004aa895] = '$' mem[0x7fffffffccb0] = '!' mem[0x7fffffffccb1] = 'C' mem[0x7fffffffccb2] = 'e' mem[0x7fffffffccb3] = '\x87' mem[0x7fffffffccb4] = '@' mem[0x7fffffffccb5] = '\x00' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x00' cpu.XMM1 = 0x87654321800000000000004087654321 cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x4aa891 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4aa891], 'f') self.assertEqual(mem[0x4aa892], '\x0f') self.assertEqual(mem[0x4aa893], '\x13') self.assertEqual(mem[0x4aa894], '\x0c') self.assertEqual(mem[0x4aa895], '$') self.assertEqual(mem[0x7fffffffccb0], '!') self.assertEqual(mem[0x7fffffffccb1], 'C') self.assertEqual(mem[0x7fffffffccb2], 'e') self.assertEqual(mem[0x7fffffffccb3], '\x87') self.assertEqual(mem[0x7fffffffccb4], '@') self.assertEqual(mem[0x7fffffffccb5], '\x00') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(cpu.XMM1, 179971562989262549322269247393805714209L) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 4892822L) def test_MOVLPD_3(self): ''' Instruction MOVLPD_3 Groups: sse2 0x4adf87: movlpd qword ptr [rsp], xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x004ad000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x004adf87] = 'f' mem[0x004adf88] = '\x0f' mem[0x004adf89] = '\x13' mem[0x004adf8a] = '\x0c' mem[0x004adf8b] = '$' mem[0x7fffffffccb0] = '\xfe' mem[0x7fffffffccb1] = '\xff' mem[0x7fffffffccb2] = '\xff' mem[0x7fffffffccb3] = '\xff' mem[0x7fffffffccb4] = '\x01' mem[0x7fffffffccb5] = '\x00' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x80' cpu.XMM1 = 0xfffffffe8000000180000001fffffffe cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x4adf87 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4adf87], 'f') self.assertEqual(mem[0x4adf88], '\x0f') self.assertEqual(mem[0x4adf89], '\x13') self.assertEqual(mem[0x4adf8a], '\x0c') self.assertEqual(mem[0x4adf8b], '$') self.assertEqual(mem[0x7fffffffccb0], '\xfe') self.assertEqual(mem[0x7fffffffccb1], '\xff') self.assertEqual(mem[0x7fffffffccb2], '\xff') self.assertEqual(mem[0x7fffffffccb3], '\xff') self.assertEqual(mem[0x7fffffffccb4], '\x01') self.assertEqual(mem[0x7fffffffccb5], '\x00') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x80') self.assertEqual(cpu.XMM1, 340282366802096219719648217160606547966L) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 4906892L) def test_MOVLPD_4(self): ''' Instruction MOVLPD_4 Groups: sse2 0x4acf88: movlpd qword ptr [rsp], xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x004ac000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x004acf88] = 'f' mem[0x004acf89] = '\x0f' mem[0x004acf8a] = '\x13' mem[0x004acf8b] = '\x0c' mem[0x004acf8c] = '$' mem[0x7fffffffccb0] = '\xff' mem[0x7fffffffccb1] = '\x7f' mem[0x7fffffffccb2] = '\x00' mem[0x7fffffffccb3] = '\x00' mem[0x7fffffffccb4] = '\x01' mem[0x7fffffffccb5] = '\x00' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x80' cpu.XMM1 = 0x7fff800000018000000100007fff cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x4acf88 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4acf88], 'f') self.assertEqual(mem[0x4acf89], '\x0f') self.assertEqual(mem[0x4acf8a], '\x13') self.assertEqual(mem[0x4acf8b], '\x0c') self.assertEqual(mem[0x4acf8c], '$') self.assertEqual(mem[0x7fffffffccb0], '\xff') self.assertEqual(mem[0x7fffffffccb1], '\x7f') self.assertEqual(mem[0x7fffffffccb2], '\x00') self.assertEqual(mem[0x7fffffffccb3], '\x00') self.assertEqual(mem[0x7fffffffccb4], '\x01') self.assertEqual(mem[0x7fffffffccb5], '\x00') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x80') self.assertEqual(cpu.XMM1, 2596108815186184352212566251962367L) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 4902797L) def test_MOVLPD_5(self): ''' Instruction MOVLPD_5 Groups: sse2 0x50a2c7: movlpd xmm1, qword ptr [rsp] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0050a000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x0050a2c7] = 'f' mem[0x0050a2c8] = '\x0f' mem[0x0050a2c9] = '\x12' mem[0x0050a2ca] = '\x0c' mem[0x0050a2cb] = '$' mem[0x7fffffffccb0] = ' ' mem[0x7fffffffccb1] = '\x00' mem[0x7fffffffccb2] = '\x00' mem[0x7fffffffccb3] = '\x00' mem[0x7fffffffccb4] = '!' mem[0x7fffffffccb5] = '\x00' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x00' cpu.XMM1 = 0x21000000200000004000000021 cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x50a2c7 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x50a2c7], 'f') self.assertEqual(mem[0x50a2c8], '\x0f') self.assertEqual(mem[0x50a2c9], '\x12') self.assertEqual(mem[0x50a2ca], '\x0c') self.assertEqual(mem[0x50a2cb], '$') self.assertEqual(mem[0x7fffffffccb0], ' ') self.assertEqual(mem[0x7fffffffccb1], '\x00') self.assertEqual(mem[0x7fffffffccb2], '\x00') self.assertEqual(mem[0x7fffffffccb3], '\x00') self.assertEqual(mem[0x7fffffffccb4], '!') self.assertEqual(mem[0x7fffffffccb5], '\x00') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(cpu.XMM1, 2614529363561018951087389933600L) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 5284556L) def test_MOVLPD_6(self): ''' Instruction MOVLPD_6 Groups: sse2 0x4d851b: movlpd qword ptr [rsp], xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x004d8000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x004d851b] = 'f' mem[0x004d851c] = '\x0f' mem[0x004d851d] = '\x13' mem[0x004d851e] = '\x0c' mem[0x004d851f] = '$' mem[0x7fffffffccb0] = '\xff' mem[0x7fffffffccb1] = '\x7f' mem[0x7fffffffccb2] = '\x00' mem[0x7fffffffccb3] = '\x00' mem[0x7fffffffccb4] = '\xff' mem[0x7fffffffccb5] = '\x7f' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x00' cpu.XMM1 = 0x7fff0000008000007fff00007fff cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x4d851b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4d851b], 'f') self.assertEqual(mem[0x4d851c], '\x0f') self.assertEqual(mem[0x4d851d], '\x13') self.assertEqual(mem[0x4d851e], '\x0c') self.assertEqual(mem[0x4d851f], '$') self.assertEqual(mem[0x7fffffffccb0], '\xff') self.assertEqual(mem[0x7fffffffccb1], '\x7f') self.assertEqual(mem[0x7fffffffccb2], '\x00') self.assertEqual(mem[0x7fffffffccb3], '\x00') self.assertEqual(mem[0x7fffffffccb4], '\xff') self.assertEqual(mem[0x7fffffffccb5], '\x7f') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(cpu.XMM1, 2596069201107260733309822636687359L) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 5080352L) def test_MOVSD_1(self): ''' Instruction MOVSD_1 Groups: 0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem.mmap(0x55555576e000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffdba0] = '\x10' mem[0x7fffffffdba1] = '\xdb' mem[0x7fffffffdba2] = '\xff' mem[0x7fffffffdba3] = '\xff' mem[0x7fffffffdba4] = '\xff' mem[0x7fffffffdba5] = '\x7f' mem[0x7fffffffdba6] = '\x00' mem[0x7fffffffdba7] = '\x00' mem[0x555555556e3c] = '\xa5' mem[0x55555576e63b] = '\x00' mem[0x55555576e638] = '\x00' mem[0x55555576e639] = '\x00' mem[0x55555576e63a] = '\x00' mem[0x555555556e3b] = '\xf3' mem[0x55555576e63c] = '\x00' mem[0x55555576e63d] = '\x00' mem[0x55555576e63e] = '\x00' mem[0x55555576e63f] = '\x00' cpu.RDI = 0x7fffffffdba0 cpu.RCX = 0x12 cpu.RSI = 0x55555576e638 cpu.RIP = 0x555555556e3b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffdba0], '\x00') self.assertEqual(mem[0x7fffffffdba1], '\x00') self.assertEqual(mem[0x7fffffffdba2], '\x00') self.assertEqual(mem[0x7fffffffdba3], '\x00') self.assertEqual(mem[0x7fffffffdba4], '\xff') self.assertEqual(mem[0x7fffffffdba5], '\x7f') self.assertEqual(mem[0x7fffffffdba6], '\x00') self.assertEqual(mem[0x7fffffffdba7], '\x00') self.assertEqual(mem[0x55555576e63c], '\x00') self.assertEqual(mem[0x555555556e3b], '\xf3') self.assertEqual(mem[0x55555576e638], '\x00') self.assertEqual(mem[0x55555576e639], '\x00') self.assertEqual(mem[0x55555576e63a], '\x00') self.assertEqual(mem[0x55555576e63b], '\x00') self.assertEqual(mem[0x555555556e3c], '\xa5') self.assertEqual(mem[0x55555576e63d], '\x00') self.assertEqual(mem[0x55555576e63e], '\x00') self.assertEqual(mem[0x55555576e63f], '\x00') self.assertEqual(cpu.RCX, 17L) self.assertEqual(cpu.RDI, 140737488346020L) self.assertEqual(cpu.RSI, 93824994436668L) self.assertEqual(cpu.RIP, 93824992243259L) def test_MOVSD_2(self): ''' Instruction MOVSD_2 Groups: 0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem.mmap(0x55555576e000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x55555576e620] = '\x00' mem[0x55555576e621] = '\x00' mem[0x55555576e622] = '\x00' mem[0x55555576e623] = '\x00' mem[0x7fffffffdb84] = 'U' mem[0x7fffffffdb85] = 'U' mem[0x7fffffffdb86] = '\x00' mem[0x7fffffffdb87] = '\x00' mem[0x7fffffffdb88] = '\x00' mem[0x7fffffffdb89] = '\x00' mem[0x7fffffffdb8a] = '\x00' mem[0x7fffffffdb8b] = '\x00' mem[0x55555576e61c] = '\x00' mem[0x555555556e3b] = '\xf3' mem[0x555555556e3c] = '\xa5' mem[0x55555576e61d] = '\x00' mem[0x55555576e61e] = '\x00' mem[0x55555576e61f] = '\x00' cpu.RDI = 0x7fffffffdb84 cpu.RCX = 0x19 cpu.RSI = 0x55555576e61c cpu.RIP = 0x555555556e3b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x55555576e620], '\x00') self.assertEqual(mem[0x55555576e621], '\x00') self.assertEqual(mem[0x55555576e622], '\x00') self.assertEqual(mem[0x55555576e623], '\x00') self.assertEqual(mem[0x7fffffffdb84], '\x00') self.assertEqual(mem[0x7fffffffdb85], '\x00') self.assertEqual(mem[0x7fffffffdb86], '\x00') self.assertEqual(mem[0x7fffffffdb87], '\x00') self.assertEqual(mem[0x7fffffffdb88], '\x00') self.assertEqual(mem[0x7fffffffdb89], '\x00') self.assertEqual(mem[0x7fffffffdb8a], '\x00') self.assertEqual(mem[0x7fffffffdb8b], '\x00') self.assertEqual(mem[0x555555556e3c], '\xa5') self.assertEqual(mem[0x555555556e3b], '\xf3') self.assertEqual(mem[0x55555576e61c], '\x00') self.assertEqual(mem[0x55555576e61d], '\x00') self.assertEqual(mem[0x55555576e61e], '\x00') self.assertEqual(mem[0x55555576e61f], '\x00') self.assertEqual(cpu.RCX, 24L) self.assertEqual(cpu.RDI, 140737488345992L) self.assertEqual(cpu.RSI, 93824994436640L) self.assertEqual(cpu.RIP, 93824992243259L) def test_MOVSD_3(self): ''' Instruction MOVSD_3 Groups: 0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem.mmap(0x55555576e000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x555555556e3b] = '\xf3' mem[0x55555576e64c] = '\x00' mem[0x55555576e64d] = '\x00' mem[0x55555576e64e] = '\x00' mem[0x55555576e64f] = '\x00' mem[0x55555576e650] = '\x00' mem[0x55555576e651] = '\x00' mem[0x55555576e652] = '\x00' mem[0x55555576e653] = '\x00' mem[0x7fffffffdbb4] = '\xff' mem[0x7fffffffdbb5] = '\x7f' mem[0x7fffffffdbb6] = '\x00' mem[0x7fffffffdbb7] = '\x00' mem[0x7fffffffdbb8] = '\x00' mem[0x7fffffffdbb9] = '\x00' mem[0x7fffffffdbba] = '\x00' mem[0x7fffffffdbbb] = '\x00' mem[0x555555556e3c] = '\xa5' cpu.RDI = 0x7fffffffdbb4 cpu.RCX = 0xd cpu.RSI = 0x55555576e64c cpu.RIP = 0x555555556e3b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffdbbb], '\x00') self.assertEqual(mem[0x55555576e64c], '\x00') self.assertEqual(mem[0x55555576e64d], '\x00') self.assertEqual(mem[0x55555576e64e], '\x00') self.assertEqual(mem[0x55555576e64f], '\x00') self.assertEqual(mem[0x55555576e650], '\x00') self.assertEqual(mem[0x55555576e651], '\x00') self.assertEqual(mem[0x55555576e652], '\x00') self.assertEqual(mem[0x55555576e653], '\x00') self.assertEqual(mem[0x7fffffffdbb4], '\x00') self.assertEqual(mem[0x7fffffffdbb5], '\x00') self.assertEqual(mem[0x7fffffffdbb6], '\x00') self.assertEqual(mem[0x7fffffffdbb7], '\x00') self.assertEqual(mem[0x7fffffffdbb8], '\x00') self.assertEqual(mem[0x7fffffffdbb9], '\x00') self.assertEqual(mem[0x7fffffffdbba], '\x00') self.assertEqual(mem[0x555555556e3b], '\xf3') self.assertEqual(mem[0x555555556e3c], '\xa5') self.assertEqual(cpu.RCX, 12L) self.assertEqual(cpu.RDI, 140737488346040L) self.assertEqual(cpu.RSI, 93824994436688L) self.assertEqual(cpu.RIP, 93824992243259L) def test_MOVSD_4(self): ''' Instruction MOVSD_4 Groups: 0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem.mmap(0x55555576e000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x55555576e640] = '\x00' mem[0x55555576e641] = '\x00' mem[0x55555576e642] = '\x00' mem[0x55555576e643] = '\x00' mem[0x55555576e644] = '\x00' mem[0x55555576e645] = '\x00' mem[0x55555576e646] = '\x00' mem[0x55555576e647] = '\x00' mem[0x7fffffffdba8] = 'g' mem[0x7fffffffdba9] = '\xa8' mem[0x7fffffffdbaa] = '\xb0' mem[0x7fffffffdbab] = '\xf7' mem[0x7fffffffdbac] = '\xff' mem[0x7fffffffdbad] = '\x7f' mem[0x7fffffffdbae] = '\x00' mem[0x7fffffffdbaf] = '\x00' mem[0x555555556e3b] = '\xf3' mem[0x555555556e3c] = '\xa5' cpu.RDI = 0x7fffffffdba8 cpu.RCX = 0x10 cpu.RSI = 0x55555576e640 cpu.RIP = 0x555555556e3b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x55555576e640], '\x00') self.assertEqual(mem[0x55555576e641], '\x00') self.assertEqual(mem[0x55555576e642], '\x00') self.assertEqual(mem[0x55555576e643], '\x00') self.assertEqual(mem[0x55555576e644], '\x00') self.assertEqual(mem[0x55555576e645], '\x00') self.assertEqual(mem[0x55555576e646], '\x00') self.assertEqual(mem[0x55555576e647], '\x00') self.assertEqual(mem[0x7fffffffdba8], '\x00') self.assertEqual(mem[0x7fffffffdba9], '\x00') self.assertEqual(mem[0x7fffffffdbaa], '\x00') self.assertEqual(mem[0x7fffffffdbab], '\x00') self.assertEqual(mem[0x7fffffffdbac], '\xff') self.assertEqual(mem[0x7fffffffdbad], '\x7f') self.assertEqual(mem[0x7fffffffdbae], '\x00') self.assertEqual(mem[0x7fffffffdbaf], '\x00') self.assertEqual(mem[0x555555556e3b], '\xf3') self.assertEqual(mem[0x555555556e3c], '\xa5') self.assertEqual(cpu.RCX, 15L) self.assertEqual(cpu.RDI, 140737488346028L) self.assertEqual(cpu.RSI, 93824994436676L) self.assertEqual(cpu.RIP, 93824992243259L) def test_MOVSD_5(self): ''' Instruction MOVSD_5 Groups: 0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem.mmap(0x55555576e000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffdba0] = '\x10' mem[0x7fffffffdba1] = '\xdb' mem[0x7fffffffdba2] = '\xff' mem[0x7fffffffdba3] = '\xff' mem[0x7fffffffdb9c] = '\x00' mem[0x555555556e3b] = '\xf3' mem[0x55555576e634] = '\x00' mem[0x55555576e635] = '\x00' mem[0x55555576e636] = '\x00' mem[0x55555576e637] = '\x00' mem[0x55555576e638] = '\x00' mem[0x55555576e639] = '\x00' mem[0x55555576e63a] = '\x00' mem[0x55555576e63b] = '\x00' mem[0x555555556e3c] = '\xa5' mem[0x7fffffffdb9d] = '\x00' mem[0x7fffffffdb9e] = '\x00' mem[0x7fffffffdb9f] = '\x00' cpu.RDI = 0x7fffffffdb9c cpu.RCX = 0x13 cpu.RSI = 0x55555576e634 cpu.RIP = 0x555555556e3b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffdba0], '\x10') self.assertEqual(mem[0x7fffffffdba1], '\xdb') self.assertEqual(mem[0x7fffffffdba2], '\xff') self.assertEqual(mem[0x7fffffffdba3], '\xff') self.assertEqual(mem[0x55555576e63b], '\x00') self.assertEqual(mem[0x555555556e3c], '\xa5') self.assertEqual(mem[0x55555576e634], '\x00') self.assertEqual(mem[0x55555576e635], '\x00') self.assertEqual(mem[0x55555576e636], '\x00') self.assertEqual(mem[0x55555576e637], '\x00') self.assertEqual(mem[0x55555576e638], '\x00') self.assertEqual(mem[0x55555576e639], '\x00') self.assertEqual(mem[0x55555576e63a], '\x00') self.assertEqual(mem[0x555555556e3b], '\xf3') self.assertEqual(mem[0x7fffffffdb9c], '\x00') self.assertEqual(mem[0x7fffffffdb9d], '\x00') self.assertEqual(mem[0x7fffffffdb9e], '\x00') self.assertEqual(mem[0x7fffffffdb9f], '\x00') self.assertEqual(cpu.RCX, 18L) self.assertEqual(cpu.RDI, 140737488346016L) self.assertEqual(cpu.RSI, 93824994436664L) self.assertEqual(cpu.RIP, 93824992243259L) def test_MOVSD_6(self): ''' Instruction MOVSD_6 Groups: 0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem.mmap(0x55555576e000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x55555576e604] = '\x00' mem[0x55555576e605] = '\x00' mem[0x55555576e606] = '\x00' mem[0x55555576e607] = '\x00' mem[0x55555576e608] = '\x00' mem[0x55555576e609] = '\x00' mem[0x55555576e60a] = '\x00' mem[0x55555576e60b] = '\x00' mem[0x7fffffffdb6c] = '\x00' mem[0x7fffffffdb6d] = '\x00' mem[0x7fffffffdb6e] = '\x00' mem[0x7fffffffdb6f] = '\x00' mem[0x7fffffffdb70] = '\xe0' mem[0x7fffffffdb71] = '\xdb' mem[0x7fffffffdb72] = '\xff' mem[0x7fffffffdb73] = '\xff' mem[0x555555556e3b] = '\xf3' mem[0x555555556e3c] = '\xa5' cpu.RDI = 0x7fffffffdb6c cpu.RCX = 0x1f cpu.RSI = 0x55555576e604 cpu.RIP = 0x555555556e3b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x55555576e604], '\x00') self.assertEqual(mem[0x55555576e605], '\x00') self.assertEqual(mem[0x55555576e606], '\x00') self.assertEqual(mem[0x55555576e607], '\x00') self.assertEqual(mem[0x55555576e608], '\x00') self.assertEqual(mem[0x55555576e609], '\x00') self.assertEqual(mem[0x55555576e60a], '\x00') self.assertEqual(mem[0x55555576e60b], '\x00') self.assertEqual(mem[0x7fffffffdb6c], '\x00') self.assertEqual(mem[0x7fffffffdb6d], '\x00') self.assertEqual(mem[0x7fffffffdb6e], '\x00') self.assertEqual(mem[0x7fffffffdb6f], '\x00') self.assertEqual(mem[0x7fffffffdb70], '\xe0') self.assertEqual(mem[0x7fffffffdb71], '\xdb') self.assertEqual(mem[0x7fffffffdb72], '\xff') self.assertEqual(mem[0x7fffffffdb73], '\xff') self.assertEqual(mem[0x555555556e3b], '\xf3') self.assertEqual(mem[0x555555556e3c], '\xa5') self.assertEqual(cpu.RCX, 30L) self.assertEqual(cpu.RDI, 140737488345968L) self.assertEqual(cpu.RSI, 93824994436616L) self.assertEqual(cpu.RIP, 93824992243259L) def test_MOVSXD_1(self): ''' Instruction MOVSXD_1 Groups: 0x466083: movsxd rdi, edi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00466000, 0x1000, 'rwx') mem[0x00466083] = 'H' mem[0x00466084] = 'c' mem[0x00466085] = '\xff' cpu.EDI = 0x41 cpu.RDI = 0x41 cpu.RIP = 0x466083 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x466083], 'H') self.assertEqual(mem[0x466084], 'c') self.assertEqual(mem[0x466085], '\xff') self.assertEqual(cpu.EDI, 65L) self.assertEqual(cpu.RDI, 65L) self.assertEqual(cpu.RIP, 4612230L) def test_MOVSXD_2(self): ''' Instruction MOVSXD_2 Groups: 0x7ffff7ddf068: movsxd rdx, dword ptr [r8 + rbx*4] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddf000, 0x1000, 'rwx') mem.mmap(0x7ffff7df5000, 0x1000, 'rwx') mem[0x7ffff7ddf068] = 'I' mem[0x7ffff7ddf069] = 'c' mem[0x7ffff7ddf06a] = '\x14' mem[0x7ffff7ddf06b] = '\x98' mem[0x7ffff7df5f1c] = '\x8f' mem[0x7ffff7df5f1d] = '\x91' mem[0x7ffff7df5f1e] = '\xfe' mem[0x7ffff7df5f1f] = '\xff' cpu.R8 = 0x7ffff7df5f1c cpu.RDX = 0x2 cpu.RIP = 0x7ffff7ddf068 cpu.RBX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ddf068], 'I') self.assertEqual(mem[0x7ffff7ddf069], 'c') self.assertEqual(mem[0x7ffff7ddf06a], '\x14') self.assertEqual(mem[0x7ffff7ddf06b], '\x98') self.assertEqual(mem[0x7ffff7df5f1c], '\x8f') self.assertEqual(mem[0x7ffff7df5f1d], '\x91') self.assertEqual(mem[0x7ffff7df5f1e], '\xfe') self.assertEqual(mem[0x7ffff7df5f1f], '\xff') self.assertEqual(cpu.R8, 140737351999260L) self.assertEqual(cpu.RDX, 18446744073709457807L) self.assertEqual(cpu.RIP, 140737351905388L) self.assertEqual(cpu.RBX, 0L) def test_MOVSXD_3(self): ''' Instruction MOVSXD_3 Groups: 0x436902: movsxd rax, dword ptr [rdx + rax*4] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00436000, 0x1000, 'rwx') mem.mmap(0x00494000, 0x1000, 'rwx') mem[0x00494cf0] = '\xa0' mem[0x00494cf1] = '\x1c' mem[0x00436902] = 'H' mem[0x00436903] = 'c' mem[0x00436904] = '\x04' mem[0x00436905] = '\x82' mem[0x00494cf3] = '\xff' mem[0x00494cf2] = '\xfa' cpu.RIP = 0x436902 cpu.RAX = 0x1c cpu.RDX = 0x494c80 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x494cf0], '\xa0') self.assertEqual(mem[0x494cf1], '\x1c') self.assertEqual(mem[0x436902], 'H') self.assertEqual(mem[0x436903], 'c') self.assertEqual(mem[0x436904], '\x04') self.assertEqual(mem[0x436905], '\x82') self.assertEqual(mem[0x494cf3], '\xff') self.assertEqual(mem[0x494cf2], '\xfa') self.assertEqual(cpu.RAX, 18446744073709165728L) self.assertEqual(cpu.RIP, 4417798L) self.assertEqual(cpu.RDX, 4803712L) def test_MOVSXD_4(self): ''' Instruction MOVSXD_4 Groups: 0x7ffff7df214a: movsxd rax, dword ptr [rcx + rax*4] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df2000, 0x1000, 'rwx') mem.mmap(0x7ffff7df6000, 0x1000, 'rwx') mem[0x7ffff7df674f] = '\xff' mem[0x7ffff7df674c] = '0' mem[0x7ffff7df214a] = 'H' mem[0x7ffff7df214b] = 'c' mem[0x7ffff7df214c] = '\x04' mem[0x7ffff7df214d] = '\x81' mem[0x7ffff7df674e] = '\xff' mem[0x7ffff7df674d] = '\xbb' cpu.RCX = 0x7ffff7df6740 cpu.RIP = 0x7ffff7df214a cpu.RAX = 0x3 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df674f], '\xff') self.assertEqual(mem[0x7ffff7df214c], '\x04') self.assertEqual(mem[0x7ffff7df214a], 'H') self.assertEqual(mem[0x7ffff7df214b], 'c') self.assertEqual(mem[0x7ffff7df674c], '0') self.assertEqual(mem[0x7ffff7df214d], '\x81') self.assertEqual(mem[0x7ffff7df674e], '\xff') self.assertEqual(mem[0x7ffff7df674d], '\xbb') self.assertEqual(cpu.RCX, 140737352001344L) self.assertEqual(cpu.RAX, 18446744073709534000L) self.assertEqual(cpu.RIP, 140737351983438L) def test_MOVSXD_5(self): ''' Instruction MOVSXD_5 Groups: 0x436b12: movsxd rax, dword ptr [rdx + rax*4] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00436000, 0x1000, 'rwx') mem.mmap(0x00494000, 0x1000, 'rwx') mem[0x00494ea0] = '\x10' mem[0x00494ea1] = '\x1d' mem[0x00494ea2] = '\xfa' mem[0x00494ea3] = '\xff' mem[0x00436b14] = '\x04' mem[0x00436b15] = '\x82' mem[0x00436b13] = 'c' mem[0x00436b12] = 'H' cpu.RIP = 0x436b12 cpu.RAX = 0x8 cpu.RDX = 0x494e80 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x494ea0], '\x10') self.assertEqual(mem[0x494ea1], '\x1d') self.assertEqual(mem[0x494ea2], '\xfa') self.assertEqual(mem[0x494ea3], '\xff') self.assertEqual(mem[0x436b14], '\x04') self.assertEqual(mem[0x436b15], '\x82') self.assertEqual(mem[0x436b13], 'c') self.assertEqual(mem[0x436b12], 'H') self.assertEqual(cpu.RAX, 18446744073709165840L) self.assertEqual(cpu.RIP, 4418326L) self.assertEqual(cpu.RDX, 4804224L) def test_MOVSXD_6(self): ''' Instruction MOVSXD_6 Groups: 0x7ffff7de62e7: movsxd rdx, dword ptr [rax + r12*4] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem.mmap(0x7ffff7df6000, 0x1000, 'rwx') mem[0x7ffff7df6458] = 'x' mem[0x7ffff7df6459] = '\xff' mem[0x7ffff7de62e7] = 'J' mem[0x7ffff7de62e8] = 'c' mem[0x7ffff7de62e9] = '\x14' mem[0x7ffff7de62ea] = '\xa0' mem[0x7ffff7df645b] = '\xff' mem[0x7ffff7df645a] = '\xfe' cpu.RIP = 0x7ffff7de62e7 cpu.R12 = 0x6 cpu.RDX = 0x7ffff7a32fe0 cpu.RAX = 0x7ffff7df6440 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df6458], 'x') self.assertEqual(mem[0x7ffff7df6459], '\xff') self.assertEqual(mem[0x7ffff7de62e7], 'J') self.assertEqual(mem[0x7ffff7de62e8], 'c') self.assertEqual(mem[0x7ffff7de62e9], '\x14') self.assertEqual(mem[0x7ffff7de62ea], '\xa0') self.assertEqual(mem[0x7ffff7df645b], '\xff') self.assertEqual(mem[0x7ffff7df645a], '\xfe') self.assertEqual(cpu.RAX, 140737352000576L) self.assertEqual(cpu.R12, 6L) self.assertEqual(cpu.RDX, 18446744073709485944L) self.assertEqual(cpu.RIP, 140737351934699L) def test_MOVSX_1(self): ''' Instruction MOVSX_1 Groups: 0x7ffff7df1273: movsx edx, byte ptr [rdi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1273] = '\x0f' mem[0x7ffff7df1274] = '\xbe' mem[0x7ffff7df1275] = '\x17' mem[0x555555554435] = '.' cpu.EDX = 0x63 cpu.RDI = 0x555555554435 cpu.RIP = 0x7ffff7df1273 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df1273], '\x0f') self.assertEqual(mem[0x7ffff7df1274], '\xbe') self.assertEqual(mem[0x7ffff7df1275], '\x17') self.assertEqual(mem[0x555555554435], '.') self.assertEqual(cpu.EDX, 46L) self.assertEqual(cpu.RDI, 93824992232501L) self.assertEqual(cpu.RIP, 140737351979638L) def test_MOVSX_2(self): ''' Instruction MOVSX_2 Groups: 0x7ffff7df1273: movsx edx, byte ptr [rdi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1273] = '\x0f' mem[0x7ffff7df1274] = '\xbe' mem[0x7ffff7df1275] = '\x17' mem[0x55555555444d] = '.' cpu.EDX = 0x63 cpu.RDI = 0x55555555444d cpu.RIP = 0x7ffff7df1273 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df1273], '\x0f') self.assertEqual(mem[0x7ffff7df1274], '\xbe') self.assertEqual(mem[0x7ffff7df1275], '\x17') self.assertEqual(mem[0x55555555444d], '.') self.assertEqual(cpu.EDX, 46L) self.assertEqual(cpu.RDI, 93824992232525L) self.assertEqual(cpu.RIP, 140737351979638L) def test_MOVSX_3(self): ''' Instruction MOVSX_3 Groups: 0x7ffff7df1260: movsx eax, byte ptr [rsi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem.mmap(0x7ffff7ff2000, 0x1000, 'rwx') mem[0x7ffff7df1260] = '\x0f' mem[0x7ffff7df1261] = '\xbe' mem[0x7ffff7df1262] = '\x06' mem[0x7ffff7ff23b6] = 'l' cpu.EAX = 0x3c cpu.RSI = 0x7ffff7ff23b6 cpu.RIP = 0x7ffff7df1260 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df1260], '\x0f') self.assertEqual(mem[0x7ffff7df1261], '\xbe') self.assertEqual(mem[0x7ffff7df1262], '\x06') self.assertEqual(mem[0x7ffff7ff23b6], 'l') self.assertEqual(cpu.EAX, 108L) self.assertEqual(cpu.RSI, 140737354081206L) self.assertEqual(cpu.RIP, 140737351979619L) def test_MOVSX_4(self): ''' Instruction MOVSX_4 Groups: 0x7ffff7df1260: movsx eax, byte ptr [rsi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem.mmap(0x7ffff7fed000, 0x1000, 'rwx') mem[0x7ffff7df1260] = '\x0f' mem[0x7ffff7df1261] = '\xbe' mem[0x7ffff7df1262] = '\x06' mem[0x7ffff7fede8e] = 'i' cpu.EAX = 0x39 cpu.RSI = 0x7ffff7fede8e cpu.RIP = 0x7ffff7df1260 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df1260], '\x0f') self.assertEqual(mem[0x7ffff7df1261], '\xbe') self.assertEqual(mem[0x7ffff7df1262], '\x06') self.assertEqual(mem[0x7ffff7fede8e], 'i') self.assertEqual(cpu.EAX, 105L) self.assertEqual(cpu.RSI, 140737354063502L) self.assertEqual(cpu.RIP, 140737351979619L) def test_MOVSX_5(self): ''' Instruction MOVSX_5 Groups: 0x7ffff7df1260: movsx eax, byte ptr [rsi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem.mmap(0x7ffff7fed000, 0x1000, 'rwx') mem[0x7ffff7df1260] = '\x0f' mem[0x7ffff7df1261] = '\xbe' mem[0x7ffff7df1262] = '\x06' mem[0x7ffff7fede8f] = 'b' cpu.EAX = 0x32 cpu.RSI = 0x7ffff7fede8f cpu.RIP = 0x7ffff7df1260 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df1260], '\x0f') self.assertEqual(mem[0x7ffff7df1261], '\xbe') self.assertEqual(mem[0x7ffff7df1262], '\x06') self.assertEqual(mem[0x7ffff7fede8f], 'b') self.assertEqual(cpu.EAX, 98L) self.assertEqual(cpu.RSI, 140737354063503L) self.assertEqual(cpu.RIP, 140737351979619L) def test_MOVSX_6(self): ''' Instruction MOVSX_6 Groups: 0x7ffff7df1273: movsx edx, byte ptr [rdi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1274] = '\xbe' mem[0x7ffff7df1273] = '\x0f' mem[0x555555554434] = 'c' mem[0x7ffff7df1275] = '\x17' cpu.EDX = 0x62 cpu.RDI = 0x555555554434 cpu.RIP = 0x7ffff7df1273 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x555555554434], 'c') self.assertEqual(mem[0x7ffff7df1273], '\x0f') self.assertEqual(mem[0x7ffff7df1274], '\xbe') self.assertEqual(mem[0x7ffff7df1275], '\x17') self.assertEqual(cpu.EDX, 99L) self.assertEqual(cpu.RDI, 93824992232500L) self.assertEqual(cpu.RIP, 140737351979638L) def test_MOVZX_1(self): ''' Instruction MOVZX_1 Groups: 0x7ffff7de3aa3: movzx edx, byte ptr [rcx + 4] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a32000, 0x1000, 'rwx') mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3aa4] = '\xb6' mem[0x7ffff7de3aa3] = '\x0f' mem[0x7ffff7a324bc] = '\x11' mem[0x7ffff7de3aa5] = 'Q' mem[0x7ffff7de3aa6] = '\x04' cpu.EDX = 0x6 cpu.RCX = 0x7ffff7a324b8 cpu.RIP = 0x7ffff7de3aa3 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7a324bc], '\x11') self.assertEqual(mem[0x7ffff7de3aa3], '\x0f') self.assertEqual(mem[0x7ffff7de3aa4], '\xb6') self.assertEqual(mem[0x7ffff7de3aa5], 'Q') self.assertEqual(mem[0x7ffff7de3aa6], '\x04') self.assertEqual(cpu.EDX, 17L) self.assertEqual(cpu.RCX, 140737348052152L) self.assertEqual(cpu.RIP, 140737351924391L) def test_MOVZX_2(self): ''' Instruction MOVZX_2 Groups: 0x7ffff7de4399: movzx edx, byte ptr [rcx] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4399] = '\x0f' mem[0x7ffff7de439a] = '\xb6' mem[0x7ffff7de439b] = '\x11' mem[0x555555554e44] = '_' cpu.EDX = 0x6c cpu.RCX = 0x555555554e44 cpu.RIP = 0x7ffff7de4399 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4399], '\x0f') self.assertEqual(mem[0x7ffff7de439a], '\xb6') self.assertEqual(mem[0x7ffff7de439b], '\x11') self.assertEqual(mem[0x555555554e44], '_') self.assertEqual(cpu.EDX, 95L) self.assertEqual(cpu.RCX, 93824992235076L) self.assertEqual(cpu.RIP, 140737351926684L) def test_MOVZX_3(self): ''' Instruction MOVZX_3 Groups: 0x400aaa: movzx eax, al ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x00400aaa] = '\x0f' mem[0x00400aab] = '\xb6' mem[0x00400aac] = '\xc0' cpu.EAX = 0x79 cpu.AL = 0x79 cpu.RIP = 0x400aaa cpu.execute() #cpu.writeback() self.assertEqual(mem[0x400aaa], '\x0f') self.assertEqual(mem[0x400aab], '\xb6') self.assertEqual(mem[0x400aac], '\xc0') self.assertEqual(cpu.EAX, 121L) self.assertEqual(cpu.AL, 121L) self.assertEqual(cpu.RIP, 4197037L) def test_MOVZX_4(self): ''' Instruction MOVZX_4 Groups: 0x7ffff7b58f18: movzx r10d, word ptr [rdx + 6] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a35000, 0x1000, 'rwx') mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f18] = 'D' mem[0x7ffff7b58f19] = '\x0f' mem[0x7ffff7b58f1a] = '\xb7' mem[0x7ffff7b58f1b] = 'R' mem[0x7ffff7b58f1c] = '\x06' mem[0x7ffff7a3575e] = '\x0b' mem[0x7ffff7a3575f] = '\x00' cpu.RDX = 0x7ffff7a35758 cpu.RIP = 0x7ffff7b58f18 cpu.R10D = 0x24 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7b58f18], 'D') self.assertEqual(mem[0x7ffff7b58f19], '\x0f') self.assertEqual(mem[0x7ffff7b58f1a], '\xb7') self.assertEqual(mem[0x7ffff7b58f1b], 'R') self.assertEqual(mem[0x7ffff7b58f1c], '\x06') self.assertEqual(mem[0x7ffff7a3575e], '\x0b') self.assertEqual(mem[0x7ffff7a3575f], '\x00') self.assertEqual(cpu.RDX, 140737348065112L) self.assertEqual(cpu.RIP, 140737349259037L) self.assertEqual(cpu.R10D, 11L) def test_MOVZX_5(self): ''' Instruction MOVZX_5 Groups: 0x7ffff7de6219: movzx r9d, r9b ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6219] = 'E' mem[0x7ffff7de621a] = '\x0f' mem[0x7ffff7de621b] = '\xb6' mem[0x7ffff7de621c] = '\xc9' cpu.R9D = 0xffffff00 cpu.R9B = 0x0 cpu.RIP = 0x7ffff7de6219 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6219], 'E') self.assertEqual(mem[0x7ffff7de621a], '\x0f') self.assertEqual(mem[0x7ffff7de621b], '\xb6') self.assertEqual(mem[0x7ffff7de621c], '\xc9') self.assertEqual(cpu.R9D, 0L) self.assertEqual(cpu.R9B, 0L) self.assertEqual(cpu.RIP, 140737351934493L) def test_MOVZX_6(self): ''' Instruction MOVZX_6 Groups: 0x7ffff7de3929: movzx ecx, byte ptr [rbp - 0x78] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffd808] = '8' mem[0x7ffff7de3929] = '\x0f' mem[0x7ffff7de392a] = '\xb6' mem[0x7ffff7de392b] = 'M' mem[0x7ffff7de392c] = '\x88' cpu.ECX = 0x2917737 cpu.RIP = 0x7ffff7de3929 cpu.RBP = 0x7fffffffd880 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffd808], '8') self.assertEqual(mem[0x7ffff7de3929], '\x0f') self.assertEqual(mem[0x7ffff7de392a], '\xb6') self.assertEqual(mem[0x7ffff7de392b], 'M') self.assertEqual(mem[0x7ffff7de392c], '\x88') self.assertEqual(cpu.RBP, 140737488345216L) self.assertEqual(cpu.RIP, 140737351924013L) self.assertEqual(cpu.ECX, 56L) def test_MOV_1(self): ''' Instruction MOV_1 Groups: 0x737287: mov ebx, 0x40 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00737000, 0x1000, 'rwx') mem[0x00737288] = '@' mem[0x00737289] = '\x00' mem[0x0073728a] = '\x00' mem[0x0073728b] = '\x00' mem[0x00737287] = '\xbb' cpu.EBX = 0x40 cpu.RIP = 0x737287 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x737288], '@') self.assertEqual(mem[0x737289], '\x00') self.assertEqual(mem[0x73728a], '\x00') self.assertEqual(mem[0x73728b], '\x00') self.assertEqual(mem[0x737287], '\xbb') self.assertEqual(cpu.EBX, 64L) self.assertEqual(cpu.RIP, 7565964L) def test_MOV_2(self): ''' Instruction MOV_2 Groups: 0x7ffff7de6121: mov rax, r13 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6121] = 'L' mem[0x7ffff7de6122] = '\x89' mem[0x7ffff7de6123] = '\xe8' cpu.RIP = 0x7ffff7de6121 cpu.RAX = 0x8 cpu.R13 = 0x7ffff7a2e000 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6121], 'L') self.assertEqual(mem[0x7ffff7de6122], '\x89') self.assertEqual(mem[0x7ffff7de6123], '\xe8') self.assertEqual(cpu.RAX, 140737348034560L) self.assertEqual(cpu.RIP, 140737351934244L) self.assertEqual(cpu.R13, 140737348034560L) def test_MOV_3(self): ''' Instruction MOV_3 Groups: 0x74dced: mov dword ptr [rsp], 0x7fff ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0074d000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x0074dced] = '\xc7' mem[0x0074dcf0] = '\xff' mem[0x0074dcf1] = '\x7f' mem[0x7fffffffccb2] = '\x00' mem[0x0074dcee] = '\x04' mem[0x0074dcef] = '$' mem[0x7fffffffccb0] = '\xff' mem[0x7fffffffccb1] = '\x7f' mem[0x0074dcf2] = '\x00' mem[0x7fffffffccb3] = '\x00' mem[0x0074dcf3] = '\x00' cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x74dced cpu.execute() #cpu.writeback() self.assertEqual(mem[0x74dced], '\xc7') self.assertEqual(mem[0x7fffffffccb0], '\xff') self.assertEqual(mem[0x7fffffffccb1], '\x7f') self.assertEqual(mem[0x7fffffffccb2], '\x00') self.assertEqual(mem[0x74dcee], '\x04') self.assertEqual(mem[0x74dcef], '$') self.assertEqual(mem[0x74dcf0], '\xff') self.assertEqual(mem[0x74dcf1], '\x7f') self.assertEqual(mem[0x74dcf2], '\x00') self.assertEqual(mem[0x7fffffffccb3], '\x00') self.assertEqual(mem[0x74dcf3], '\x00') self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 7658740L) def test_MOV_4(self): ''' Instruction MOV_4 Groups: 0x4b00dc: mov dword ptr [rsp + 4], 0x80 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x004b0000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x004b00dc] = '\xc7' mem[0x004b00dd] = 'D' mem[0x004b00de] = '$' mem[0x004b00df] = '\x04' mem[0x004b00e0] = '\x80' mem[0x004b00e1] = '\x00' mem[0x004b00e2] = '\x00' mem[0x004b00e3] = '\x00' mem[0x7fffffffccb4] = '\xff' mem[0x7fffffffccb5] = '\xff' mem[0x7fffffffccb6] = '\xff' mem[0x7fffffffccb7] = '\xff' cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x4b00dc cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4b00dc], '\xc7') self.assertEqual(mem[0x4b00dd], 'D') self.assertEqual(mem[0x4b00de], '$') self.assertEqual(mem[0x4b00df], '\x04') self.assertEqual(mem[0x4b00e0], '\x80') self.assertEqual(mem[0x4b00e1], '\x00') self.assertEqual(mem[0x4b00e2], '\x00') self.assertEqual(mem[0x4b00e3], '\x00') self.assertEqual(mem[0x7fffffffccb4], '\x80') self.assertEqual(mem[0x7fffffffccb5], '\x00') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 4915428L) def test_MOV_5(self): ''' Instruction MOV_5 Groups: 0x7776d9: mov dword ptr [rsp + 8], 0x80000000 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00777000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x007776d9] = '\xc7' mem[0x007776da] = 'D' mem[0x007776db] = '$' mem[0x007776dc] = '\x08' mem[0x007776dd] = '\x00' mem[0x007776de] = '\x00' mem[0x007776df] = '\x00' mem[0x007776e0] = '\x80' mem[0x7fffffffccb8] = '\x7f' mem[0x7fffffffccb9] = '\x00' mem[0x7fffffffccba] = '\x00' mem[0x7fffffffccbb] = '\x00' cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x7776d9 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7776d9], '\xc7') self.assertEqual(mem[0x7776da], 'D') self.assertEqual(mem[0x7776db], '$') self.assertEqual(mem[0x7776dc], '\x08') self.assertEqual(mem[0x7776dd], '\x00') self.assertEqual(mem[0x7776de], '\x00') self.assertEqual(mem[0x7776df], '\x00') self.assertEqual(mem[0x7776e0], '\x80') self.assertEqual(mem[0x7fffffffccb8], '\x00') self.assertEqual(mem[0x7fffffffccb9], '\x00') self.assertEqual(mem[0x7fffffffccba], '\x00') self.assertEqual(mem[0x7fffffffccbb], '\x80') self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 7829217L) def test_MOV_6(self): ''' Instruction MOV_6 Groups: 0x4c3b88: mov dword ptr [rsp + 0xc], 0x12345678 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x004c3000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x004c3b88] = '\xc7' mem[0x004c3b89] = 'D' mem[0x004c3b8a] = '$' mem[0x004c3b8b] = '\x0c' mem[0x004c3b8c] = 'x' mem[0x004c3b8d] = 'V' mem[0x004c3b8e] = '4' mem[0x004c3b8f] = '\x12' mem[0x7fffffffccbc] = 'x' mem[0x7fffffffccbd] = 'V' mem[0x7fffffffccbe] = '4' mem[0x7fffffffccbf] = '\x12' cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x4c3b88 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4c3b88], '\xc7') self.assertEqual(mem[0x4c3b89], 'D') self.assertEqual(mem[0x4c3b8a], '$') self.assertEqual(mem[0x4c3b8b], '\x0c') self.assertEqual(mem[0x4c3b8c], 'x') self.assertEqual(mem[0x4c3b8d], 'V') self.assertEqual(mem[0x4c3b8e], '4') self.assertEqual(mem[0x4c3b8f], '\x12') self.assertEqual(mem[0x7fffffffccbc], 'x') self.assertEqual(mem[0x7fffffffccbd], 'V') self.assertEqual(mem[0x7fffffffccbe], '4') self.assertEqual(mem[0x7fffffffccbf], '\x12') self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 4995984L) def test_MUL_1(self): ''' Instruction MUL_1 Groups: 0x7ffff7de253f: mul rdx ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de2000, 0x1000, 'rwx') mem[0x7ffff7de2540] = '\xf7' mem[0x7ffff7de2541] = '\xe2' mem[0x7ffff7de253f] = 'H' cpu.OF = False cpu.RIP = 0x7ffff7de253f cpu.CF = False cpu.RAX = 0x5f cpu.RDX = 0xcccccccccccccccd cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de2540], '\xf7') self.assertEqual(mem[0x7ffff7de2541], '\xe2') self.assertEqual(mem[0x7ffff7de253f], 'H') self.assertEqual(cpu.OF, True) self.assertEqual(cpu.RAX, 19L) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 140737351918914L) self.assertEqual(cpu.RDX, 76L) def test_MUL_2(self): ''' Instruction MUL_2 Groups: 0x7ffff7de253f: mul rdx ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de2000, 0x1000, 'rwx') mem[0x7ffff7de2540] = '\xf7' mem[0x7ffff7de2541] = '\xe2' mem[0x7ffff7de253f] = 'H' cpu.OF = False cpu.RIP = 0x7ffff7de253f cpu.CF = False cpu.RAX = 0x5f cpu.RDX = 0xcccccccccccccccd cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de2540], '\xf7') self.assertEqual(mem[0x7ffff7de2541], '\xe2') self.assertEqual(mem[0x7ffff7de253f], 'H') self.assertEqual(cpu.OF, True) self.assertEqual(cpu.RAX, 19L) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 140737351918914L) self.assertEqual(cpu.RDX, 76L) def test_MUL_3(self): ''' Instruction MUL_3 Groups: 0x7ffff7de253f: mul rdx ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de2000, 0x1000, 'rwx') mem[0x7ffff7de2540] = '\xf7' mem[0x7ffff7de2541] = '\xe2' mem[0x7ffff7de253f] = 'H' cpu.OF = False cpu.RIP = 0x7ffff7de253f cpu.CF = False cpu.RAX = 0x5f cpu.RDX = 0xcccccccccccccccd cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de2540], '\xf7') self.assertEqual(mem[0x7ffff7de2541], '\xe2') self.assertEqual(mem[0x7ffff7de253f], 'H') self.assertEqual(cpu.OF, True) self.assertEqual(cpu.RAX, 19L) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 140737351918914L) self.assertEqual(cpu.RDX, 76L) def test_MUL_4(self): ''' Instruction MUL_4 Groups: 0x45f865: mul rdx ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0045f000, 0x1000, 'rwx') mem[0x0045f865] = 'H' mem[0x0045f866] = '\xf7' mem[0x0045f867] = '\xe2' cpu.OF = False cpu.RIP = 0x45f865 cpu.CF = False cpu.RAX = 0x57 cpu.RDX = 0xcccccccccccccccd cpu.execute() #cpu.writeback() self.assertEqual(mem[0x45f865], 'H') self.assertEqual(mem[0x45f866], '\xf7') self.assertEqual(mem[0x45f867], '\xe2') self.assertEqual(cpu.OF, True) self.assertEqual(cpu.RAX, 11068046444225730987L) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 4585576L) self.assertEqual(cpu.RDX, 69L) def test_MUL_5(self): ''' Instruction MUL_5 Groups: 0x4624e5: mul rdx ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00462000, 0x1000, 'rwx') mem[0x004624e5] = 'H' mem[0x004624e6] = '\xf7' mem[0x004624e7] = '\xe2' cpu.OF = False cpu.RIP = 0x4624e5 cpu.CF = False cpu.RAX = 0x57 cpu.RDX = 0xcccccccccccccccd cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4624e5], 'H') self.assertEqual(mem[0x4624e6], '\xf7') self.assertEqual(mem[0x4624e7], '\xe2') self.assertEqual(cpu.OF, True) self.assertEqual(cpu.RAX, 11068046444225730987L) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 4596968L) self.assertEqual(cpu.RDX, 69L) def test_MUL_6(self): ''' Instruction MUL_6 Groups: 0x443dc7: mul r9 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00443000, 0x1000, 'rwx') mem[0x00443dc8] = '\xf7' mem[0x00443dc9] = '\xe1' mem[0x00443dc7] = 'I' cpu.OF = False cpu.R9 = 0xcccccccccccccccd cpu.RIP = 0x443dc7 cpu.RDX = 0xa cpu.CF = False cpu.RAX = 0x3 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x443dc8], '\xf7') self.assertEqual(mem[0x443dc9], '\xe1') self.assertEqual(mem[0x443dc7], 'I') self.assertEqual(cpu.RDX, 2L) self.assertEqual(cpu.OF, True) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 4472266L) self.assertEqual(cpu.R9, 14757395258967641293L) self.assertEqual(cpu.RAX, 7378697629483820647L) def test_NEG_1(self): ''' Instruction NEG_1 Groups: 0x7ffff7df27cf: neg rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df2000, 0x1000, 'rwx') mem[0x7ffff7df27d0] = '\xf7' mem[0x7ffff7df27d1] = '\xd8' mem[0x7ffff7df27cf] = 'H' cpu.PF = True cpu.RAX = 0x7ffff7ffeb78 cpu.AF = False cpu.OF = False cpu.ZF = False cpu.CF = True cpu.RIP = 0x7ffff7df27cf cpu.SF = True cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df27d0], '\xf7') self.assertEqual(mem[0x7ffff7df27d1], '\xd8') self.assertEqual(mem[0x7ffff7df27cf], 'H') self.assertEqual(cpu.PF, True) self.assertEqual(cpu.RAX, 18446603336355419272L) self.assertEqual(cpu.AF, True) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 140737351985106L) self.assertEqual(cpu.SF, True) def test_NEG_2(self): ''' Instruction NEG_2 Groups: 0x7ffff7de5c54: neg rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem[0x7ffff7de5c54] = 'H' mem[0x7ffff7de5c55] = '\xf7' mem[0x7ffff7de5c56] = '\xd8' cpu.PF = True cpu.RAX = 0x1000 cpu.AF = False cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de5c54 cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de5c54], 'H') self.assertEqual(mem[0x7ffff7de5c55], '\xf7') self.assertEqual(mem[0x7ffff7de5c56], '\xd8') self.assertEqual(cpu.PF, True) self.assertEqual(cpu.RAX, 18446744073709547520L) self.assertEqual(cpu.AF, False) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 140737351933015L) self.assertEqual(cpu.SF, True) def test_NEG_3(self): ''' Instruction NEG_3 Groups: 0x40baad: neg eax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0040b000, 0x1000, 'rwx') mem[0x0040baad] = '\xf7' mem[0x0040baae] = '\xd8' cpu.EAX = 0x0 cpu.PF = False cpu.AF = False cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x40baad cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x40baad], '\xf7') self.assertEqual(mem[0x40baae], '\xd8') self.assertEqual(cpu.EAX, 0L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.AF, False) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 4242095L) self.assertEqual(cpu.SF, False) def test_NEG_4(self): ''' Instruction NEG_4 Groups: 0x7ffff7df27b6: neg rdi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df2000, 0x1000, 'rwx') mem[0x7ffff7df27b8] = '\xdf' mem[0x7ffff7df27b6] = 'H' mem[0x7ffff7df27b7] = '\xf7' cpu.PF = True cpu.AF = False cpu.OF = False cpu.ZF = False cpu.RDI = 0x8 cpu.CF = False cpu.RIP = 0x7ffff7df27b6 cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df27b8], '\xdf') self.assertEqual(mem[0x7ffff7df27b6], 'H') self.assertEqual(mem[0x7ffff7df27b7], '\xf7') self.assertEqual(cpu.PF, False) self.assertEqual(cpu.AF, True) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.RDI, 18446744073709551608L) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 140737351985081L) self.assertEqual(cpu.SF, True) def test_NEG_5(self): ''' Instruction NEG_5 Groups: 0x411176: neg r10 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00411000, 0x1000, 'rwx') mem[0x00411178] = '\xda' mem[0x00411176] = 'I' mem[0x00411177] = '\xf7' cpu.PF = True cpu.R10 = 0x1000 cpu.AF = False cpu.OF = False cpu.ZF = True cpu.CF = False cpu.RIP = 0x411176 cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x411178], '\xda') self.assertEqual(mem[0x411176], 'I') self.assertEqual(mem[0x411177], '\xf7') self.assertEqual(cpu.PF, True) self.assertEqual(cpu.R10, 18446744073709547520L) self.assertEqual(cpu.AF, False) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 4264313L) self.assertEqual(cpu.SF, True) def test_NEG_6(self): ''' Instruction NEG_6 Groups: 0x7ffff7df27b6: neg rdi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df2000, 0x1000, 'rwx') mem[0x7ffff7df27b8] = '\xdf' mem[0x7ffff7df27b6] = 'H' mem[0x7ffff7df27b7] = '\xf7' cpu.PF = True cpu.AF = False cpu.OF = False cpu.ZF = False cpu.RDI = 0x8 cpu.CF = False cpu.RIP = 0x7ffff7df27b6 cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df27b8], '\xdf') self.assertEqual(mem[0x7ffff7df27b6], 'H') self.assertEqual(mem[0x7ffff7df27b7], '\xf7') self.assertEqual(cpu.PF, False) self.assertEqual(cpu.AF, True) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.RDI, 18446744073709551608L) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 140737351985081L) self.assertEqual(cpu.SF, True) def test_NOT_1(self): ''' Instruction NOT_1 Groups: 0x7ffff7df144a: not rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df144a] = 'H' mem[0x7ffff7df144b] = '\xf7' mem[0x7ffff7df144c] = '\xd0' cpu.RIP = 0x7ffff7df144a cpu.RAX = 0x8000000000000000 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df144a], 'H') self.assertEqual(mem[0x7ffff7df144b], '\xf7') self.assertEqual(mem[0x7ffff7df144c], '\xd0') self.assertEqual(cpu.RAX, 9223372036854775807L) self.assertEqual(cpu.RIP, 140737351980109L) def test_NOT_2(self): ''' Instruction NOT_2 Groups: 0x4008f7: not esi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x004008f8] = '\xd6' mem[0x004008f7] = '\xf7' cpu.RIP = 0x4008f7 cpu.ESI = 0xfffffff0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4008f8], '\xd6') self.assertEqual(mem[0x4008f7], '\xf7') self.assertEqual(cpu.ESI, 15L) self.assertEqual(cpu.RIP, 4196601L) def test_NOT_3(self): ''' Instruction NOT_3 Groups: 0x7ffff7a78242: not rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem[0x7ffff7a78242] = 'H' mem[0x7ffff7a78243] = '\xf7' mem[0x7ffff7a78244] = '\xd0' cpu.RIP = 0x7ffff7a78242 cpu.RAX = 0xfffffffffffffffc cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7a78242], 'H') self.assertEqual(mem[0x7ffff7a78243], '\xf7') self.assertEqual(mem[0x7ffff7a78244], '\xd0') self.assertEqual(cpu.RAX, 3L) self.assertEqual(cpu.RIP, 140737348338245L) def test_NOT_4(self): ''' Instruction NOT_4 Groups: 0x7ffff7de5765: not r10 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem[0x7ffff7de5765] = 'I' mem[0x7ffff7de5766] = '\xf7' mem[0x7ffff7de5767] = '\xd2' cpu.RIP = 0x7ffff7de5765 cpu.R10 = 0xffffffffffffffff cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de5765], 'I') self.assertEqual(mem[0x7ffff7de5766], '\xf7') self.assertEqual(mem[0x7ffff7de5767], '\xd2') self.assertEqual(cpu.R10, 0L) self.assertEqual(cpu.RIP, 140737351931752L) def test_NOT_5(self): ''' Instruction NOT_5 Groups: 0x7ffff7de5765: not r10 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem[0x7ffff7de5765] = 'I' mem[0x7ffff7de5766] = '\xf7' mem[0x7ffff7de5767] = '\xd2' cpu.RIP = 0x7ffff7de5765 cpu.R10 = 0xffffffffffffffff cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de5765], 'I') self.assertEqual(mem[0x7ffff7de5766], '\xf7') self.assertEqual(mem[0x7ffff7de5767], '\xd2') self.assertEqual(cpu.R10, 0L) self.assertEqual(cpu.RIP, 140737351931752L) def test_NOT_6(self): ''' Instruction NOT_6 Groups: 0x7ffff7de5765: not r10 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem[0x7ffff7de5765] = 'I' mem[0x7ffff7de5766] = '\xf7' mem[0x7ffff7de5767] = '\xd2' cpu.RIP = 0x7ffff7de5765 cpu.R10 = 0xffffffffffffffff cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de5765], 'I') self.assertEqual(mem[0x7ffff7de5766], '\xf7') self.assertEqual(mem[0x7ffff7de5767], '\xd2') self.assertEqual(cpu.R10, 0L) self.assertEqual(cpu.RIP, 140737351931752L) def test_OR_1(self): ''' Instruction OR_1 Groups: 0x7ffff7de6235: or r9d, eax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6235] = 'A' mem[0x7ffff7de6236] = '\t' mem[0x7ffff7de6237] = '\xc1' cpu.EAX = 0x0 cpu.PF = False cpu.SF = False cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de6235 cpu.R9D = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6235], 'A') self.assertEqual(mem[0x7ffff7de6236], '\t') self.assertEqual(mem[0x7ffff7de6237], '\xc1') self.assertEqual(cpu.EAX, 0L) self.assertEqual(cpu.R9D, 0L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351934520L) self.assertEqual(cpu.SF, False) def test_OR_2(self): ''' Instruction OR_2 Groups: 0x7ffff7de4344: or qword ptr [rsp], 0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7ffff7de4344] = 'H' mem[0x7ffff7de4345] = '\x83' mem[0x7ffff7de4346] = '\x0c' mem[0x7ffff7de4347] = '$' mem[0x7ffff7de4348] = '\x00' mem[0x7fffffffc920] = '\x00' mem[0x7fffffffc921] = '\x00' mem[0x7fffffffc922] = '\x00' mem[0x7fffffffc923] = '\x00' mem[0x7fffffffc924] = '\x00' mem[0x7fffffffc925] = '\x00' mem[0x7fffffffc926] = '\x00' mem[0x7fffffffc927] = '\x00' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de4344 cpu.PF = False cpu.RSP = 0x7fffffffc920 cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4344], 'H') self.assertEqual(mem[0x7ffff7de4345], '\x83') self.assertEqual(mem[0x7ffff7de4346], '\x0c') self.assertEqual(mem[0x7ffff7de4347], '$') self.assertEqual(mem[0x7ffff7de4348], '\x00') self.assertEqual(mem[0x7fffffffc920], '\x00') self.assertEqual(mem[0x7fffffffc921], '\x00') self.assertEqual(mem[0x7fffffffc922], '\x00') self.assertEqual(mem[0x7fffffffc923], '\x00') self.assertEqual(mem[0x7fffffffc924], '\x00') self.assertEqual(mem[0x7fffffffc925], '\x00') self.assertEqual(mem[0x7fffffffc926], '\x00') self.assertEqual(mem[0x7fffffffc927], '\x00') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351926601L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.RSP, 140737488341280L) self.assertEqual(cpu.SF, False) def test_OR_3(self): ''' Instruction OR_3 Groups: 0x7ffff7de3814: or qword ptr [rsp], 0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7ffff7de3816] = '\x0c' mem[0x7ffff7de3817] = '$' mem[0x7fffffffc790] = '\x00' mem[0x7fffffffc791] = '\x00' mem[0x7fffffffc792] = '\x00' mem[0x7fffffffc793] = '\x00' mem[0x7ffff7de3814] = 'H' mem[0x7ffff7de3815] = '\x83' mem[0x7fffffffc796] = '\x00' mem[0x7fffffffc797] = '\x00' mem[0x7ffff7de3818] = '\x00' mem[0x7fffffffc794] = '\x00' mem[0x7fffffffc795] = '\x00' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de3814 cpu.PF = True cpu.RSP = 0x7fffffffc790 cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffc796], '\x00') self.assertEqual(mem[0x7fffffffc797], '\x00') self.assertEqual(mem[0x7fffffffc790], '\x00') self.assertEqual(mem[0x7fffffffc791], '\x00') self.assertEqual(mem[0x7fffffffc792], '\x00') self.assertEqual(mem[0x7fffffffc793], '\x00') self.assertEqual(mem[0x7ffff7de3814], 'H') self.assertEqual(mem[0x7ffff7de3815], '\x83') self.assertEqual(mem[0x7ffff7de3816], '\x0c') self.assertEqual(mem[0x7ffff7de3817], '$') self.assertEqual(mem[0x7ffff7de3818], '\x00') self.assertEqual(mem[0x7fffffffc794], '\x00') self.assertEqual(mem[0x7fffffffc795], '\x00') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351923737L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.RSP, 140737488340880L) self.assertEqual(cpu.SF, False) def test_OR_4(self): ''' Instruction OR_4 Groups: 0x7ffff7de3814: or qword ptr [rsp], 0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7ffff7de3816] = '\x0c' mem[0x7ffff7de3817] = '$' mem[0x7fffffffc790] = '\x00' mem[0x7fffffffc791] = '\x00' mem[0x7fffffffc792] = '\x00' mem[0x7fffffffc793] = '\x00' mem[0x7ffff7de3814] = 'H' mem[0x7ffff7de3815] = '\x83' mem[0x7fffffffc796] = '\x00' mem[0x7fffffffc797] = '\x00' mem[0x7ffff7de3818] = '\x00' mem[0x7fffffffc794] = '\x00' mem[0x7fffffffc795] = '\x00' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de3814 cpu.PF = True cpu.RSP = 0x7fffffffc790 cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffc796], '\x00') self.assertEqual(mem[0x7fffffffc797], '\x00') self.assertEqual(mem[0x7fffffffc790], '\x00') self.assertEqual(mem[0x7fffffffc791], '\x00') self.assertEqual(mem[0x7fffffffc792], '\x00') self.assertEqual(mem[0x7fffffffc793], '\x00') self.assertEqual(mem[0x7ffff7de3814], 'H') self.assertEqual(mem[0x7ffff7de3815], '\x83') self.assertEqual(mem[0x7ffff7de3816], '\x0c') self.assertEqual(mem[0x7ffff7de3817], '$') self.assertEqual(mem[0x7ffff7de3818], '\x00') self.assertEqual(mem[0x7fffffffc794], '\x00') self.assertEqual(mem[0x7fffffffc795], '\x00') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351923737L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.RSP, 140737488340880L) self.assertEqual(cpu.SF, False) def test_OR_5(self): ''' Instruction OR_5 Groups: 0x40a38c: or qword ptr [rsp], 0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0040a000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffcb00] = '/' mem[0x7fffffffcb01] = 'h' mem[0x7fffffffcb02] = 'o' mem[0x7fffffffcb03] = 'm' mem[0x7fffffffcb04] = 'e' mem[0x7fffffffcb05] = '/' mem[0x7fffffffcb06] = 'f' mem[0x7fffffffcb07] = 'e' mem[0x0040a38c] = 'H' mem[0x0040a38d] = '\x83' mem[0x0040a38e] = '\x0c' mem[0x0040a38f] = '$' mem[0x0040a390] = '\x00' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x40a38c cpu.PF = True cpu.RSP = 0x7fffffffcb00 cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffcb00], '/') self.assertEqual(mem[0x7fffffffcb01], 'h') self.assertEqual(mem[0x7fffffffcb02], 'o') self.assertEqual(mem[0x7fffffffcb03], 'm') self.assertEqual(mem[0x7fffffffcb04], 'e') self.assertEqual(mem[0x7fffffffcb05], '/') self.assertEqual(mem[0x7fffffffcb06], 'f') self.assertEqual(mem[0x7fffffffcb07], 'e') self.assertEqual(mem[0x40a38c], 'H') self.assertEqual(mem[0x40a38d], '\x83') self.assertEqual(mem[0x40a38e], '\x0c') self.assertEqual(mem[0x40a38f], '$') self.assertEqual(mem[0x40a390], '\x00') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 4236177L) self.assertEqual(cpu.PF, False) self.assertEqual(cpu.RSP, 140737488341760L) self.assertEqual(cpu.SF, False) def test_OR_6(self): ''' Instruction OR_6 Groups: 0x7ffff7de6212: or r9d, eax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6212] = 'A' mem[0x7ffff7de6213] = '\t' mem[0x7ffff7de6214] = '\xc1' cpu.EAX = 0xffffff00 cpu.PF = True cpu.SF = True cpu.OF = False cpu.ZF = False cpu.CF = True cpu.RIP = 0x7ffff7de6212 cpu.R9D = 0xf7ff7600 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6212], 'A') self.assertEqual(mem[0x7ffff7de6213], '\t') self.assertEqual(mem[0x7ffff7de6214], '\xc1') self.assertEqual(cpu.EAX, 4294967040L) self.assertEqual(cpu.R9D, 4294967040L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351934485L) self.assertEqual(cpu.SF, True) def test_PCMPEQB_1(self): ''' Instruction PCMPEQB_1 Groups: sse2 0x457e12: pcmpeqb xmm5, xmm2 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x00457e12] = 'f' mem[0x00457e13] = '\x0f' mem[0x00457e14] = 't' mem[0x00457e15] = '\xea' cpu.XMM2 = 0x0 cpu.RIP = 0x457e12 cpu.XMM5 = 0x2f65726f6369746e614d2f737463656a cpu.execute() #cpu.writeback() self.assertEqual(mem[0x457e12], 'f') self.assertEqual(mem[0x457e13], '\x0f') self.assertEqual(mem[0x457e14], 't') self.assertEqual(mem[0x457e15], '\xea') self.assertEqual(cpu.XMM2, 0) self.assertEqual(cpu.RIP, 4554262L) self.assertEqual(cpu.XMM5, 0) def test_PCMPEQB_2(self): ''' Instruction PCMPEQB_2 Groups: sse2 0x4184bf: pcmpeqb xmm12, xmm8 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x004184c0] = 'E' mem[0x004184c1] = '\x0f' mem[0x004184c2] = 't' mem[0x004184c3] = '\xe0' mem[0x004184bf] = 'f' cpu.XMM12 = 0x6e696874796e61206f642074276e6f44 cpu.XMM8 = 0x0 cpu.RIP = 0x4184bf cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4184c0], 'E') self.assertEqual(mem[0x4184c1], '\x0f') self.assertEqual(mem[0x4184c2], 't') self.assertEqual(mem[0x4184c3], '\xe0') self.assertEqual(mem[0x4184bf], 'f') self.assertEqual(cpu.XMM12, 0) self.assertEqual(cpu.XMM8, 0) self.assertEqual(cpu.RIP, 4293828L) def test_PCMPEQB_3(self): ''' Instruction PCMPEQB_3 Groups: sse2 0x457a26: pcmpeqb xmm0, xmm7 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x00457a28] = 't' mem[0x00457a29] = '\xc7' mem[0x00457a26] = 'f' mem[0x00457a27] = '\x0f' cpu.XMM0 = 0x5400324e2f2f00313d524e00455f4744 cpu.XMM7 = 0x0 cpu.RIP = 0x457a26 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x457a28], 't') self.assertEqual(mem[0x457a29], '\xc7') self.assertEqual(mem[0x457a26], 'f') self.assertEqual(mem[0x457a27], '\x0f') self.assertEqual(cpu.XMM0, 1324035698927585248728409418697277440L) self.assertEqual(cpu.XMM7, 0) self.assertEqual(cpu.RIP, 4553258L) def test_PCMPEQB_4(self): ''' Instruction PCMPEQB_4 Groups: sse2 0x4579e8: pcmpeqb xmm0, xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x004579e8] = 'f' mem[0x004579e9] = '\x0f' mem[0x004579ea] = 't' mem[0x004579eb] = '\xc1' cpu.XMM0 = 0x2f78756e696c2f73656c706d6178652f cpu.XMM1 = 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f cpu.RIP = 0x4579e8 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4579e8], 'f') self.assertEqual(mem[0x4579e9], '\x0f') self.assertEqual(mem[0x4579ea], 't') self.assertEqual(mem[0x4579eb], '\xc1') self.assertEqual(cpu.XMM0, 338953138925154751793923932131017359615L) self.assertEqual(cpu.XMM1, 62718710765820030520700417840365121327L) self.assertEqual(cpu.RIP, 4553196L) def test_PCMPEQB_5(self): ''' Instruction PCMPEQB_5 Groups: sse2 0x7ffff7ab7ac6: pcmpeqb xmm0, xmm7 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx') mem[0x7ffff7ab7ac8] = 't' mem[0x7ffff7ab7ac9] = '\xc7' mem[0x7ffff7ab7ac6] = 'f' mem[0x7ffff7ab7ac7] = '\x0f' cpu.XMM0 = 0x322f2f4d00313d522f00565f474458 cpu.XMM7 = 0x0 cpu.RIP = 0x7ffff7ab7ac6 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ab7ac8], 't') self.assertEqual(mem[0x7ffff7ab7ac9], '\xc7') self.assertEqual(mem[0x7ffff7ab7ac6], 'f') self.assertEqual(mem[0x7ffff7ab7ac7], '\x0f') self.assertEqual(cpu.XMM0, 338953138925461823674472811186503024640L) self.assertEqual(cpu.XMM7, 0) self.assertEqual(cpu.RIP, 140737348598474L) def test_PCMPEQB_6(self): ''' Instruction PCMPEQB_6 Groups: sse2 0x7ffff7ab79b1: pcmpeqb xmm0, xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx') mem[0x7ffff7ab79b1] = 'f' mem[0x7ffff7ab79b2] = '\x0f' mem[0x7ffff7ab79b3] = 't' mem[0x7ffff7ab79b4] = '\xc1' cpu.XMM0 = 0x6f72502f6570696c65662f656d6f682f cpu.XMM1 = 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f cpu.RIP = 0x7ffff7ab79b1 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ab79b1], 'f') self.assertEqual(mem[0x7ffff7ab79b2], '\x0f') self.assertEqual(mem[0x7ffff7ab79b3], 't') self.assertEqual(mem[0x7ffff7ab79b4], '\xc1') self.assertEqual(cpu.XMM0, 20203181441137406366729172418815L) self.assertEqual(cpu.XMM1, 62718710765820030520700417840365121327L) self.assertEqual(cpu.RIP, 140737348598197L) def test_PMINUB_1(self): ''' Instruction PMINUB_1 Groups: sse2 0x41b15f: pminub xmm8, xmmword ptr [rax + 0x10] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0041b000, 0x1000, 'rwx') mem.mmap(0x00494000, 0x1000, 'rwx') mem[0x00494290] = ' ' mem[0x00494291] = ' ' mem[0x00494292] = ' ' mem[0x00494293] = ' ' mem[0x00494294] = ' ' mem[0x00494295] = ' ' mem[0x00494296] = ' ' mem[0x00494297] = ' ' mem[0x00494298] = ' ' mem[0x00494299] = ' ' mem[0x0049429a] = ' ' mem[0x0049429b] = ' ' mem[0x0049429c] = ' ' mem[0x0049429d] = ' ' mem[0x0049429e] = ' ' mem[0x0049429f] = ' ' mem[0x0041b15f] = 'f' mem[0x0041b160] = 'D' mem[0x0041b161] = '\x0f' mem[0x0041b162] = '\xda' mem[0x0041b163] = '@' mem[0x0041b164] = '\x10' cpu.XMM8 = 0x5f5f5f5f5f200a2e646574726f706572 cpu.RIP = 0x41b15f cpu.RAX = 0x494280 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x494290], ' ') self.assertEqual(mem[0x494291], ' ') self.assertEqual(mem[0x494292], ' ') self.assertEqual(mem[0x494293], ' ') self.assertEqual(mem[0x494294], ' ') self.assertEqual(mem[0x494295], ' ') self.assertEqual(mem[0x494296], ' ') self.assertEqual(mem[0x494297], ' ') self.assertEqual(mem[0x494298], ' ') self.assertEqual(mem[0x494299], ' ') self.assertEqual(mem[0x49429a], ' ') self.assertEqual(mem[0x49429b], ' ') self.assertEqual(mem[0x49429c], ' ') self.assertEqual(mem[0x49429d], ' ') self.assertEqual(mem[0x49429e], ' ') self.assertEqual(mem[0x49429f], ' ') self.assertEqual(mem[0x41b15f], 'f') self.assertEqual(mem[0x41b160], 'D') self.assertEqual(mem[0x41b161], '\x0f') self.assertEqual(mem[0x41b162], '\xda') self.assertEqual(mem[0x41b163], '@') self.assertEqual(mem[0x41b164], '\x10') self.assertEqual(cpu.XMM8, 42702100946941193483733406035713466400L) self.assertEqual(cpu.RAX, 4801152L) self.assertEqual(cpu.RIP, 4305253L) def test_PMINUB_2(self): ''' Instruction PMINUB_2 Groups: sse2 0x41b142: pminub xmm8, xmmword ptr [rax + 0x70] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0041b000, 0x1000, 'rwx') mem.mmap(0x00494000, 0x1000, 'rwx') mem[0x0041b142] = 'f' mem[0x0041b143] = 'D' mem[0x0041b144] = '\x0f' mem[0x0041b145] = '\xda' mem[0x0041b146] = '@' mem[0x0041b147] = 'p' mem[0x004942f0] = '_' mem[0x004942f1] = '_' mem[0x004942f2] = '_' mem[0x004942f3] = ' ' mem[0x004942f4] = '_' mem[0x004942f5] = '_' mem[0x004942f6] = '_' mem[0x004942f7] = '_' mem[0x004942f8] = '_' mem[0x004942f9] = ' ' mem[0x004942fa] = ' ' mem[0x004942fb] = ' ' mem[0x004942fc] = ' ' mem[0x004942fd] = ' ' mem[0x004942fe] = ' ' mem[0x004942ff] = '_' cpu.XMM8 = 0x2020202020202020202020200a202020 cpu.RIP = 0x41b142 cpu.RAX = 0x494280 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x41b142], 'f') self.assertEqual(mem[0x41b143], 'D') self.assertEqual(mem[0x41b144], '\x0f') self.assertEqual(mem[0x41b145], '\xda') self.assertEqual(mem[0x41b146], '@') self.assertEqual(mem[0x41b147], 'p') self.assertEqual(mem[0x4942f0], '_') self.assertEqual(mem[0x4942f1], '_') self.assertEqual(mem[0x4942f2], '_') self.assertEqual(mem[0x4942f3], ' ') self.assertEqual(mem[0x4942f4], '_') self.assertEqual(mem[0x4942f5], '_') self.assertEqual(mem[0x4942f6], '_') self.assertEqual(mem[0x4942f7], '_') self.assertEqual(mem[0x4942f8], '_') self.assertEqual(mem[0x4942f9], ' ') self.assertEqual(mem[0x4942fa], ' ') self.assertEqual(mem[0x4942fb], ' ') self.assertEqual(mem[0x4942fc], ' ') self.assertEqual(mem[0x4942fd], ' ') self.assertEqual(mem[0x4942fe], ' ') self.assertEqual(mem[0x4942ff], '_') self.assertEqual(cpu.XMM8, 42702100946941297375796029167539068960L) self.assertEqual(cpu.RAX, 4801152L) self.assertEqual(cpu.RIP, 4305224L) def test_PMINUB_3(self): ''' Instruction PMINUB_3 Groups: sse2 0x457af6: pminub xmm0, xmm2 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x00457af8] = '\xda' mem[0x00457af9] = '\xc2' mem[0x00457af6] = 'f' mem[0x00457af7] = '\x0f' cpu.XMM2 = 0x504e414d00323d524e54565f47445800 cpu.XMM0 = 0x32677261003167726100706d636e7274 cpu.RIP = 0x457af6 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x457af8], '\xda') self.assertEqual(mem[0x457af9], '\xc2') self.assertEqual(mem[0x457af6], 'f') self.assertEqual(mem[0x457af7], '\x0f') self.assertEqual(cpu.XMM2, 106744563275012473217874926561820694528L) self.assertEqual(cpu.XMM0, 66867723401463788104917456226191955968L) self.assertEqual(cpu.RIP, 4553466L) def test_PMINUB_4(self): ''' Instruction PMINUB_4 Groups: sse2 0x41b13c: pminub xmm8, xmmword ptr [rax + 0x60] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0041b000, 0x1000, 'rwx') mem.mmap(0x00494000, 0x1000, 'rwx') mem[0x0041b13c] = 'f' mem[0x0041b13d] = 'D' mem[0x0041b13e] = '\x0f' mem[0x0041b13f] = '\xda' mem[0x0041b140] = '@' mem[0x0041b141] = '`' mem[0x004941e0] = 'h' mem[0x004941e1] = 'e' mem[0x004941e2] = 'c' mem[0x004941e3] = 'k' mem[0x004941e4] = 'e' mem[0x004941e5] = 'd' mem[0x004941e6] = ' ' mem[0x004941e7] = 'b' mem[0x004941e8] = 'y' mem[0x004941e9] = ' ' mem[0x004941ea] = 's' mem[0x004941eb] = 'y' mem[0x004941ec] = 's' mem[0x004941ed] = 't' mem[0x004941ee] = 'e' mem[0x004941ef] = 'm' cpu.XMM8 = 0x632067676f6120736720720a646e6120 cpu.RIP = 0x41b13c cpu.RAX = 0x494180 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x41b13c], 'f') self.assertEqual(mem[0x41b13d], 'D') self.assertEqual(mem[0x41b13e], '\x0f') self.assertEqual(mem[0x41b13f], '\xda') self.assertEqual(mem[0x41b140], '@') self.assertEqual(mem[0x41b141], '`') self.assertEqual(mem[0x4941e0], 'h') self.assertEqual(mem[0x4941e1], 'e') self.assertEqual(mem[0x4941e2], 'c') self.assertEqual(mem[0x4941e3], 'k') self.assertEqual(mem[0x4941e4], 'e') self.assertEqual(mem[0x4941e5], 'd') self.assertEqual(mem[0x4941e6], ' ') self.assertEqual(mem[0x4941e7], 'b') self.assertEqual(mem[0x4941e8], 'y') self.assertEqual(mem[0x4941e9], ' ') self.assertEqual(mem[0x4941ea], 's') self.assertEqual(mem[0x4941eb], 'y') self.assertEqual(mem[0x4941ec], 's') self.assertEqual(mem[0x4941ed], 't') self.assertEqual(mem[0x4941ee], 'e') self.assertEqual(mem[0x4941ef], 'm') self.assertEqual(cpu.XMM8, 131761822365339956131716016926609334560L) self.assertEqual(cpu.RAX, 4800896L) self.assertEqual(cpu.RIP, 4305218L) def test_PMINUB_5(self): ''' Instruction PMINUB_5 Groups: sse2 0x457ee2: pminub xmm0, xmm5 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x00457ee2] = 'f' mem[0x00457ee3] = '\x0f' mem[0x00457ee4] = '\xda' mem[0x00457ee5] = '\xc5' cpu.XMM0 = 0x4d00313d524e00565f472f2f00326763 cpu.RIP = 0x457ee2 cpu.XMM5 = 0x65784563696c6f626d79532f65726f63 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x457ee2], 'f') self.assertEqual(mem[0x457ee3], '\x0f') self.assertEqual(mem[0x457ee4], '\xda') self.assertEqual(mem[0x457ee5], '\xc5') self.assertEqual(cpu.XMM0, 102351554371899083128134245349023967075L) self.assertEqual(cpu.RIP, 4554470L) self.assertEqual(cpu.XMM5, 134876510559778439374245404375482789731L) def test_PMINUB_6(self): ''' Instruction PMINUB_6 Groups: sse2 0x7ffff7ab7abe: pminub xmm0, xmm4 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx') mem[0x7ffff7ab7ac0] = '\xda' mem[0x7ffff7ab7ac1] = '\xc4' mem[0x7ffff7ab7abe] = 'f' mem[0x7ffff7ab7abf] = '\x0f' cpu.XMM0 = 0x324e414d00313d524e00565f474458 cpu.RIP = 0x7ffff7ab7abe cpu.XMM4 = 0x7274732f78756e696c2f73656c706d61 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ab7ac0], '\xda') self.assertEqual(mem[0x7ffff7ab7ac1], '\xc4') self.assertEqual(mem[0x7ffff7ab7abe], 'f') self.assertEqual(mem[0x7ffff7ab7abf], '\x0f') self.assertEqual(cpu.XMM0, 261200618430042665518031405314425944L) self.assertEqual(cpu.XMM4, 152136634193178674532939302896952962401L) self.assertEqual(cpu.RIP, 140737348598466L) def test_PMOVMSKB_1(self): ''' Instruction PMOVMSKB_1 Groups: sse2 0x4184f1: pmovmskb ecx, xmm11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x004184f1] = 'f' mem[0x004184f2] = 'A' mem[0x004184f3] = '\x0f' mem[0x004184f4] = '\xd7' mem[0x004184f5] = '\xcb' cpu.XMM11 = 0x0 cpu.RIP = 0x4184f1 cpu.ECX = 0x10e cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4184f1], 'f') self.assertEqual(mem[0x4184f2], 'A') self.assertEqual(mem[0x4184f3], '\x0f') self.assertEqual(mem[0x4184f4], '\xd7') self.assertEqual(mem[0x4184f5], '\xcb') self.assertEqual(cpu.XMM11, 0) self.assertEqual(cpu.RIP, 4293878L) self.assertEqual(cpu.ECX, 0L) def test_PMOVMSKB_2(self): ''' Instruction PMOVMSKB_2 Groups: sse2 0x457d6e: pmovmskb r10d, xmm3 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x00457d70] = '\x0f' mem[0x00457d71] = '\xd7' mem[0x00457d72] = '\xd3' mem[0x00457d6e] = 'f' mem[0x00457d6f] = 'D' cpu.XMM3 = 0xff00000000ff0000000000000000 cpu.RIP = 0x457d6e cpu.R10D = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x457d70], '\x0f') self.assertEqual(mem[0x457d71], '\xd7') self.assertEqual(mem[0x457d72], '\xd3') self.assertEqual(mem[0x457d6e], 'f') self.assertEqual(mem[0x457d6f], 'D') self.assertEqual(cpu.XMM3, 5172014448935879877845345013596160L) self.assertEqual(cpu.RIP, 4554099L) self.assertEqual(cpu.R10D, 8448L) def test_PMOVMSKB_3(self): ''' Instruction PMOVMSKB_3 Groups: sse2 0x457ddd: pmovmskb edx, xmm3 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x00457de0] = '\xd3' mem[0x00457ddd] = 'f' mem[0x00457dde] = '\x0f' mem[0x00457ddf] = '\xd7' cpu.XMM3 = 0x0 cpu.EDX = 0xffffdcc8 cpu.RIP = 0x457ddd cpu.execute() #cpu.writeback() self.assertEqual(mem[0x457de0], '\xd3') self.assertEqual(mem[0x457ddd], 'f') self.assertEqual(mem[0x457dde], '\x0f') self.assertEqual(mem[0x457ddf], '\xd7') self.assertEqual(cpu.XMM3, 0) self.assertEqual(cpu.EDX, 0L) self.assertEqual(cpu.RIP, 4554209L) def test_PMOVMSKB_4(self): ''' Instruction PMOVMSKB_4 Groups: sse2 0x7ffff7ab5ce1: pmovmskb ecx, xmm11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx') mem[0x7ffff7ab5ce1] = 'f' mem[0x7ffff7ab5ce2] = 'A' mem[0x7ffff7ab5ce3] = '\x0f' mem[0x7ffff7ab5ce4] = '\xd7' mem[0x7ffff7ab5ce5] = '\xcb' cpu.XMM11 = 0xffffff0000000000ffffff0000000000 cpu.RIP = 0x7ffff7ab5ce1 cpu.ECX = 0xa00 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ab5ce1], 'f') self.assertEqual(mem[0x7ffff7ab5ce2], 'A') self.assertEqual(mem[0x7ffff7ab5ce3], '\x0f') self.assertEqual(mem[0x7ffff7ab5ce4], '\xd7') self.assertEqual(mem[0x7ffff7ab5ce5], '\xcb') self.assertEqual(cpu.XMM11, 340282346638528859830150926458714849280L) self.assertEqual(cpu.RIP, 140737348590822L) self.assertEqual(cpu.ECX, 57568L) def test_PMOVMSKB_5(self): ''' Instruction PMOVMSKB_5 Groups: sse2 0x4184e7: pmovmskb edx, xmm9 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x004184e8] = 'A' mem[0x004184e9] = '\x0f' mem[0x004184ea] = '\xd7' mem[0x004184eb] = '\xd1' mem[0x004184e7] = 'f' cpu.EDX = 0x0 cpu.XMM9 = 0xff00000000000000000000000000 cpu.RIP = 0x4184e7 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4184e8], 'A') self.assertEqual(mem[0x4184e9], '\x0f') self.assertEqual(mem[0x4184ea], '\xd7') self.assertEqual(mem[0x4184eb], '\xd1') self.assertEqual(mem[0x4184e7], 'f') self.assertEqual(cpu.EDX, 8192L) self.assertEqual(cpu.XMM9, 5172014448931175958106549077934080L) self.assertEqual(cpu.RIP, 4293868L) def test_PMOVMSKB_6(self): ''' Instruction PMOVMSKB_6 Groups: sse2 0x4184c4: pmovmskb edx, xmm12 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x004184c8] = '\xd4' mem[0x004184c4] = 'f' mem[0x004184c5] = 'A' mem[0x004184c6] = '\x0f' mem[0x004184c7] = '\xd7' cpu.EDX = 0x100 cpu.XMM12 = 0x0 cpu.RIP = 0x4184c4 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4184c8], '\xd4') self.assertEqual(mem[0x4184c4], 'f') self.assertEqual(mem[0x4184c5], 'A') self.assertEqual(mem[0x4184c6], '\x0f') self.assertEqual(mem[0x4184c7], '\xd7') self.assertEqual(cpu.EDX, 0L) self.assertEqual(cpu.XMM12, 0) self.assertEqual(cpu.RIP, 4293833L) def test_POP_1(self): ''' Instruction POP_1 Groups: mode64 0x7ffff7de3b0b: pop rbp ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffd880] = '\xb0' mem[0x7fffffffd881] = '\xd9' mem[0x7fffffffd882] = '\xff' mem[0x7fffffffd883] = '\xff' mem[0x7fffffffd884] = '\xff' mem[0x7fffffffd885] = '\x7f' mem[0x7fffffffd886] = '\x00' mem[0x7fffffffd887] = '\x00' mem[0x7fffffffd888] = '\x7f' mem[0x7ffff7de3b0b] = ']' mem[0x7fffffffd878] = 'p' mem[0x7fffffffd879] = '\xda' mem[0x7fffffffd87a] = '\xff' mem[0x7fffffffd87b] = '\xff' mem[0x7fffffffd87c] = '\xff' mem[0x7fffffffd87d] = '\x7f' mem[0x7fffffffd87e] = '\x00' mem[0x7fffffffd87f] = '\x00' cpu.RSP = 0x7fffffffd880 cpu.RIP = 0x7ffff7de3b0b cpu.RBP = 0x7fffffffd880 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffd880], '\xb0') self.assertEqual(mem[0x7fffffffd881], '\xd9') self.assertEqual(mem[0x7fffffffd882], '\xff') self.assertEqual(mem[0x7fffffffd883], '\xff') self.assertEqual(mem[0x7fffffffd884], '\xff') self.assertEqual(mem[0x7fffffffd885], '\x7f') self.assertEqual(mem[0x7fffffffd886], '\x00') self.assertEqual(mem[0x7fffffffd887], '\x00') self.assertEqual(mem[0x7fffffffd888], '\x7f') self.assertEqual(mem[0x7ffff7de3b0b], ']') self.assertEqual(mem[0x7fffffffd878], 'p') self.assertEqual(mem[0x7fffffffd879], '\xda') self.assertEqual(mem[0x7fffffffd87a], '\xff') self.assertEqual(mem[0x7fffffffd87b], '\xff') self.assertEqual(mem[0x7fffffffd87c], '\xff') self.assertEqual(mem[0x7fffffffd87d], '\x7f') self.assertEqual(mem[0x7fffffffd87e], '\x00') self.assertEqual(mem[0x7fffffffd87f], '\x00') self.assertEqual(cpu.RSP, 140737488345224L) self.assertEqual(cpu.RIP, 140737351924492L) self.assertEqual(cpu.RBP, 140737488345520L) def test_POP_2(self): ''' Instruction POP_2 Groups: mode64 0x7ffff7dea3ad: pop r14 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7dea000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffda08] = '\x01' mem[0x7fffffffda09] = '\x00' mem[0x7fffffffda0a] = '\x00' mem[0x7fffffffda0b] = '\x00' mem[0x7fffffffda0c] = '\x00' mem[0x7ffff7dea3ad] = 'A' mem[0x7ffff7dea3ae] = '^' mem[0x7fffffffda0d] = '\x00' mem[0x7fffffffda10] = '0' mem[0x7fffffffda11] = '\xda' mem[0x7fffffffda12] = '\xff' mem[0x7fffffffda13] = '\xff' mem[0x7fffffffda14] = '\xff' mem[0x7fffffffda0e] = '\x00' mem[0x7fffffffda16] = '\x00' mem[0x7fffffffda17] = '\x00' mem[0x7fffffffda18] = '`' mem[0x7fffffffda0f] = '\x00' mem[0x7fffffffda15] = '\x7f' cpu.R14 = 0x4 cpu.RSP = 0x7fffffffda10 cpu.RIP = 0x7ffff7dea3ad cpu.RBP = 0x7fffffffda20 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7dea3ae], '^') self.assertEqual(mem[0x7fffffffda08], '\x01') self.assertEqual(mem[0x7fffffffda09], '\x00') self.assertEqual(mem[0x7fffffffda0a], '\x00') self.assertEqual(mem[0x7fffffffda0b], '\x00') self.assertEqual(mem[0x7fffffffda0c], '\x00') self.assertEqual(mem[0x7fffffffda0d], '\x00') self.assertEqual(mem[0x7fffffffda0e], '\x00') self.assertEqual(mem[0x7fffffffda0f], '\x00') self.assertEqual(mem[0x7fffffffda10], '0') self.assertEqual(mem[0x7fffffffda11], '\xda') self.assertEqual(mem[0x7fffffffda12], '\xff') self.assertEqual(mem[0x7fffffffda13], '\xff') self.assertEqual(mem[0x7fffffffda14], '\xff') self.assertEqual(mem[0x7fffffffda15], '\x7f') self.assertEqual(mem[0x7fffffffda16], '\x00') self.assertEqual(mem[0x7fffffffda17], '\x00') self.assertEqual(mem[0x7fffffffda18], '`') self.assertEqual(mem[0x7ffff7dea3ad], 'A') self.assertEqual(cpu.R14, 140737488345648L) self.assertEqual(cpu.RSP, 140737488345624L) self.assertEqual(cpu.RIP, 140737351951279L) self.assertEqual(cpu.RBP, 140737488345632L) def test_POP_3(self): ''' Instruction POP_3 Groups: mode64 0x4624e4: pop r12 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00462000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffdb00] = 'H' mem[0x7fffffffdb01] = '\xd4' mem[0x7fffffffdb02] = 'k' mem[0x7fffffffdb03] = '\x00' mem[0x004624e4] = 'A' mem[0x004624e5] = '\\' mem[0x7fffffffdb06] = '\x00' mem[0x7fffffffdb07] = '\x00' mem[0x7fffffffdb08] = '\xb8' mem[0x7fffffffdaff] = '\x00' mem[0x7fffffffdaf9] = '\x00' mem[0x7fffffffdaf8] = '\x03' mem[0x7fffffffdb04] = '\x00' mem[0x7fffffffdafa] = '\x00' mem[0x7fffffffdafb] = '\x00' mem[0x7fffffffdafc] = '\x00' mem[0x7fffffffdafd] = '\x00' mem[0x7fffffffdafe] = '\x00' mem[0x7fffffffdb05] = '\x00' cpu.RSP = 0x7fffffffdb00 cpu.R12 = 0x1 cpu.RIP = 0x4624e4 cpu.RBP = 0x7fffffffdb20 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffdb00], 'H') self.assertEqual(mem[0x7fffffffdb01], '\xd4') self.assertEqual(mem[0x7fffffffdb02], 'k') self.assertEqual(mem[0x7fffffffdb03], '\x00') self.assertEqual(mem[0x7fffffffdb04], '\x00') self.assertEqual(mem[0x7fffffffdb05], '\x00') self.assertEqual(mem[0x7fffffffdb06], '\x00') self.assertEqual(mem[0x7fffffffdb07], '\x00') self.assertEqual(mem[0x7fffffffdb08], '\xb8') self.assertEqual(mem[0x7fffffffdaff], '\x00') self.assertEqual(mem[0x7fffffffdaf9], '\x00') self.assertEqual(mem[0x7fffffffdaf8], '\x03') self.assertEqual(mem[0x4624e4], 'A') self.assertEqual(mem[0x7fffffffdafa], '\x00') self.assertEqual(mem[0x7fffffffdafb], '\x00') self.assertEqual(mem[0x7fffffffdafc], '\x00') self.assertEqual(mem[0x7fffffffdafd], '\x00') self.assertEqual(mem[0x7fffffffdafe], '\x00') self.assertEqual(mem[0x4624e5], '\\') self.assertEqual(cpu.R12, 7066696L) self.assertEqual(cpu.RSP, 140737488345864L) self.assertEqual(cpu.RIP, 4596966L) self.assertEqual(cpu.RBP, 140737488345888L) def test_POP_4(self): ''' Instruction POP_4 Groups: mode64 0x6ff233: pop rdx ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x006ff000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffcca0] = '\x00' mem[0x7fffffffcca1] = '\x00' mem[0x7fffffffcca2] = '\x00' mem[0x7fffffffcca3] = '\x00' mem[0x7fffffffcca4] = '\x00' mem[0x7fffffffcca5] = '\x00' mem[0x7fffffffcca6] = '\x00' mem[0x7fffffffcca7] = '\x00' mem[0x7fffffffcca8] = '\x01' mem[0x7fffffffcca9] = '\x00' mem[0x7fffffffccaa] = '\x00' mem[0x7fffffffccab] = '\x00' mem[0x7fffffffccac] = '\x00' mem[0x7fffffffccad] = '\x00' mem[0x7fffffffccae] = '\x00' mem[0x7fffffffccaf] = '\x00' mem[0x7fffffffccb0] = '@' mem[0x006ff233] = 'Z' cpu.RSP = 0x7fffffffcca8 cpu.RDX = 0x80000001 cpu.RIP = 0x6ff233 cpu.RBP = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffcca0], '\x00') self.assertEqual(mem[0x7fffffffcca1], '\x00') self.assertEqual(mem[0x7fffffffcca2], '\x00') self.assertEqual(mem[0x7fffffffcca3], '\x00') self.assertEqual(mem[0x7fffffffcca4], '\x00') self.assertEqual(mem[0x7fffffffcca5], '\x00') self.assertEqual(mem[0x7fffffffcca6], '\x00') self.assertEqual(mem[0x7fffffffcca7], '\x00') self.assertEqual(mem[0x7fffffffcca8], '\x01') self.assertEqual(mem[0x7fffffffcca9], '\x00') self.assertEqual(mem[0x7fffffffccaa], '\x00') self.assertEqual(mem[0x7fffffffccab], '\x00') self.assertEqual(mem[0x7fffffffccac], '\x00') self.assertEqual(mem[0x7fffffffccad], '\x00') self.assertEqual(mem[0x7fffffffccae], '\x00') self.assertEqual(mem[0x7fffffffccaf], '\x00') self.assertEqual(mem[0x7fffffffccb0], '@') self.assertEqual(mem[0x6ff233], 'Z') self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RDX, 1L) self.assertEqual(cpu.RIP, 7336500L) self.assertEqual(cpu.RBP, 0L) def test_POP_5(self): ''' Instruction POP_5 Groups: mode64 0x632f8a: pop rdx ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00632000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffcca0] = '\x00' mem[0x7fffffffcca1] = '\x00' mem[0x7fffffffcca2] = '\x00' mem[0x7fffffffcca3] = '\x00' mem[0x7fffffffcca4] = '\x00' mem[0x7fffffffcca5] = '\x00' mem[0x7fffffffcca6] = '\x00' mem[0x7fffffffcca7] = '\x00' mem[0x7fffffffcca8] = '\x00' mem[0x7fffffffcca9] = '\x00' mem[0x00632f8a] = 'Z' mem[0x7fffffffccab] = '\x80' mem[0x7fffffffccac] = '\x00' mem[0x7fffffffccad] = '\x00' mem[0x7fffffffccae] = '\x00' mem[0x7fffffffccaf] = '\x00' mem[0x7fffffffccb0] = '\x00' mem[0x7fffffffccaa] = '\x00' cpu.RSP = 0x7fffffffcca8 cpu.RDX = 0x7f cpu.RIP = 0x632f8a cpu.RBP = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffcca0], '\x00') self.assertEqual(mem[0x7fffffffcca1], '\x00') self.assertEqual(mem[0x7fffffffcca2], '\x00') self.assertEqual(mem[0x7fffffffcca3], '\x00') self.assertEqual(mem[0x7fffffffcca4], '\x00') self.assertEqual(mem[0x7fffffffcca5], '\x00') self.assertEqual(mem[0x7fffffffcca6], '\x00') self.assertEqual(mem[0x7fffffffcca7], '\x00') self.assertEqual(mem[0x7fffffffcca8], '\x00') self.assertEqual(mem[0x7fffffffcca9], '\x00') self.assertEqual(mem[0x632f8a], 'Z') self.assertEqual(mem[0x7fffffffccab], '\x80') self.assertEqual(mem[0x7fffffffccac], '\x00') self.assertEqual(mem[0x7fffffffccad], '\x00') self.assertEqual(mem[0x7fffffffccae], '\x00') self.assertEqual(mem[0x7fffffffccaf], '\x00') self.assertEqual(mem[0x7fffffffccb0], '\x00') self.assertEqual(mem[0x7fffffffccaa], '\x00') self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RDX, 2147483648L) self.assertEqual(cpu.RIP, 6500235L) self.assertEqual(cpu.RBP, 0L) def test_POP_6(self): ''' Instruction POP_6 Groups: mode64 0x737db3: pop rdx ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00737000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffcca0] = '\x00' mem[0x7fffffffcca1] = '\x00' mem[0x7fffffffcca2] = '\x00' mem[0x7fffffffcca3] = '\x00' mem[0x7fffffffcca4] = '\x00' mem[0x7fffffffcca5] = '\x00' mem[0x7fffffffcca6] = '\x00' mem[0x7fffffffcca7] = '\x00' mem[0x7fffffffcca8] = '\x00' mem[0x7fffffffcca9] = '\xff' mem[0x7fffffffccaa] = '\x00' mem[0x7fffffffccab] = '\x00' mem[0x7fffffffccac] = '\x00' mem[0x7fffffffccad] = '\x00' mem[0x7fffffffccae] = '\x00' mem[0x7fffffffccaf] = '\x00' mem[0x7fffffffccb0] = '@' mem[0x00737db3] = 'Z' cpu.RSP = 0x7fffffffcca8 cpu.RDX = 0x40 cpu.RIP = 0x737db3 cpu.RBP = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffcca0], '\x00') self.assertEqual(mem[0x7fffffffcca1], '\x00') self.assertEqual(mem[0x7fffffffcca2], '\x00') self.assertEqual(mem[0x7fffffffcca3], '\x00') self.assertEqual(mem[0x7fffffffcca4], '\x00') self.assertEqual(mem[0x7fffffffcca5], '\x00') self.assertEqual(mem[0x7fffffffcca6], '\x00') self.assertEqual(mem[0x7fffffffcca7], '\x00') self.assertEqual(mem[0x7fffffffcca8], '\x00') self.assertEqual(mem[0x7fffffffcca9], '\xff') self.assertEqual(mem[0x7fffffffccaa], '\x00') self.assertEqual(mem[0x7fffffffccab], '\x00') self.assertEqual(mem[0x7fffffffccac], '\x00') self.assertEqual(mem[0x7fffffffccad], '\x00') self.assertEqual(mem[0x7fffffffccae], '\x00') self.assertEqual(mem[0x7fffffffccaf], '\x00') self.assertEqual(mem[0x7fffffffccb0], '@') self.assertEqual(mem[0x737db3], 'Z') self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RDX, 65280L) self.assertEqual(cpu.RIP, 7568820L) self.assertEqual(cpu.RBP, 0L) def test_POR_1(self): ''' Instruction POR_1 Groups: sse2 0x7ffff7df43a7: por xmm0, xmm4 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df43a8] = '\x0f' mem[0x7ffff7df43a9] = '\xeb' mem[0x7ffff7df43aa] = '\xc4' mem[0x7ffff7df43a7] = 'f' cpu.XMM0 = 0x0 cpu.RIP = 0x7ffff7df43a7 cpu.XMM4 = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df43a8], '\x0f') self.assertEqual(mem[0x7ffff7df43a9], '\xeb') self.assertEqual(mem[0x7ffff7df43aa], '\xc4') self.assertEqual(mem[0x7ffff7df43a7], 'f') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.XMM4, 0) self.assertEqual(cpu.RIP, 140737351992235L) def test_POR_2(self): ''' Instruction POR_2 Groups: sse2 0x7ffff7df43a7: por xmm0, xmm4 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df43a8] = '\x0f' mem[0x7ffff7df43a9] = '\xeb' mem[0x7ffff7df43aa] = '\xc4' mem[0x7ffff7df43a7] = 'f' cpu.XMM0 = 0x0 cpu.RIP = 0x7ffff7df43a7 cpu.XMM4 = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df43a8], '\x0f') self.assertEqual(mem[0x7ffff7df43a9], '\xeb') self.assertEqual(mem[0x7ffff7df43aa], '\xc4') self.assertEqual(mem[0x7ffff7df43a7], 'f') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.XMM4, 0) self.assertEqual(cpu.RIP, 140737351992235L) def test_POR_3(self): ''' Instruction POR_3 Groups: sse2 0x7ffff7df43a7: por xmm0, xmm4 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df43a8] = '\x0f' mem[0x7ffff7df43a9] = '\xeb' mem[0x7ffff7df43aa] = '\xc4' mem[0x7ffff7df43a7] = 'f' cpu.XMM0 = 0x0 cpu.RIP = 0x7ffff7df43a7 cpu.XMM4 = 0xff00000000ff000000000000000000 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df43a8], '\x0f') self.assertEqual(mem[0x7ffff7df43a9], '\xeb') self.assertEqual(mem[0x7ffff7df43aa], '\xc4') self.assertEqual(mem[0x7ffff7df43a7], 'f') self.assertEqual(cpu.XMM0, 1324035698927585248728408323480616960L) self.assertEqual(cpu.XMM4, 1324035698927585248728408323480616960L) self.assertEqual(cpu.RIP, 140737351992235L) def test_POR_4(self): ''' Instruction POR_4 Groups: sse2 0x7ffff7df43a7: por xmm0, xmm4 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df43a8] = '\x0f' mem[0x7ffff7df43a9] = '\xeb' mem[0x7ffff7df43aa] = '\xc4' mem[0x7ffff7df43a7] = 'f' cpu.XMM0 = 0x0 cpu.RIP = 0x7ffff7df43a7 cpu.XMM4 = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df43a8], '\x0f') self.assertEqual(mem[0x7ffff7df43a9], '\xeb') self.assertEqual(mem[0x7ffff7df43aa], '\xc4') self.assertEqual(mem[0x7ffff7df43a7], 'f') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.XMM4, 0) self.assertEqual(cpu.RIP, 140737351992235L) def test_POR_5(self): ''' Instruction POR_5 Groups: sse2 0x7ffff7df4412: por xmm0, xmm3 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4412] = 'f' mem[0x7ffff7df4413] = '\x0f' mem[0x7ffff7df4414] = '\xeb' mem[0x7ffff7df4415] = '\xc3' cpu.XMM3 = 0xff000000000000 cpu.XMM0 = 0x0 cpu.RIP = 0x7ffff7df4412 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df4412], 'f') self.assertEqual(mem[0x7ffff7df4413], '\x0f') self.assertEqual(mem[0x7ffff7df4414], '\xeb') self.assertEqual(mem[0x7ffff7df4415], '\xc3') self.assertEqual(cpu.XMM3, 71776119061217280) self.assertEqual(cpu.XMM0, 71776119061217280) self.assertEqual(cpu.RIP, 140737351992342L) def test_POR_6(self): ''' Instruction POR_6 Groups: sse2 0x7ffff7ac0b17: por xmm0, xmm4 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0b18] = '\x0f' mem[0x7ffff7ac0b19] = '\xeb' mem[0x7ffff7ac0b1a] = '\xc4' mem[0x7ffff7ac0b17] = 'f' cpu.XMM0 = 0x0 cpu.RIP = 0x7ffff7ac0b17 cpu.XMM4 = 0xffffff000000ff cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ac0b18], '\x0f') self.assertEqual(mem[0x7ffff7ac0b19], '\xeb') self.assertEqual(mem[0x7ffff7ac0b1a], '\xc4') self.assertEqual(mem[0x7ffff7ac0b17], 'f') self.assertEqual(cpu.XMM0, 72057589742960895) self.assertEqual(cpu.XMM4, 72057589742960895) self.assertEqual(cpu.RIP, 140737348635419L) def test_PSHUFD_1(self): ''' Instruction PSHUFD_1 Groups: sse2 0x7ffff7ac0af8: pshufd xmm1, xmm1, 0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0af8] = 'f' mem[0x7ffff7ac0af9] = '\x0f' mem[0x7ffff7ac0afa] = 'p' mem[0x7ffff7ac0afb] = '\xc9' mem[0x7ffff7ac0afc] = '\x00' cpu.XMM1 = 0x25252525 cpu.RIP = 0x7ffff7ac0af8 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ac0af8], 'f') self.assertEqual(mem[0x7ffff7ac0af9], '\x0f') self.assertEqual(mem[0x7ffff7ac0afa], 'p') self.assertEqual(mem[0x7ffff7ac0afb], '\xc9') self.assertEqual(mem[0x7ffff7ac0afc], '\x00') self.assertEqual(cpu.XMM1, 49374304219900875090764158725393818917L) self.assertEqual(cpu.RIP, 140737348635389L) def test_PSHUFD_2(self): ''' Instruction PSHUFD_2 Groups: sse2 0x7ffff7ac0af8: pshufd xmm1, xmm1, 0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0af8] = 'f' mem[0x7ffff7ac0af9] = '\x0f' mem[0x7ffff7ac0afa] = 'p' mem[0x7ffff7ac0afb] = '\xc9' mem[0x7ffff7ac0afc] = '\x00' cpu.XMM1 = 0x25252525 cpu.RIP = 0x7ffff7ac0af8 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ac0af8], 'f') self.assertEqual(mem[0x7ffff7ac0af9], '\x0f') self.assertEqual(mem[0x7ffff7ac0afa], 'p') self.assertEqual(mem[0x7ffff7ac0afb], '\xc9') self.assertEqual(mem[0x7ffff7ac0afc], '\x00') self.assertEqual(cpu.XMM1, 49374304219900875090764158725393818917L) self.assertEqual(cpu.RIP, 140737348635389L) def test_PSHUFD_3(self): ''' Instruction PSHUFD_3 Groups: sse2 0x7ffff7df4388: pshufd xmm1, xmm1, 0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4388] = 'f' mem[0x7ffff7df4389] = '\x0f' mem[0x7ffff7df438a] = 'p' mem[0x7ffff7df438b] = '\xc9' mem[0x7ffff7df438c] = '\x00' cpu.XMM1 = 0x24242424 cpu.RIP = 0x7ffff7df4388 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df4388], 'f') self.assertEqual(mem[0x7ffff7df4389], '\x0f') self.assertEqual(mem[0x7ffff7df438a], 'p') self.assertEqual(mem[0x7ffff7df438b], '\xc9') self.assertEqual(mem[0x7ffff7df438c], '\x00') self.assertEqual(cpu.XMM1, 48039863565308959547770532813896688676L) self.assertEqual(cpu.RIP, 140737351992205L) def test_PSHUFD_4(self): ''' Instruction PSHUFD_4 Groups: sse2 0x7ffff7ab799a: pshufd xmm1, xmm1, 0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx') mem[0x7ffff7ab799a] = 'f' mem[0x7ffff7ab799b] = '\x0f' mem[0x7ffff7ab799c] = 'p' mem[0x7ffff7ab799d] = '\xc9' mem[0x7ffff7ab799e] = '\x00' cpu.XMM1 = 0x2f2f2f2f cpu.RIP = 0x7ffff7ab799a cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ab799a], 'f') self.assertEqual(mem[0x7ffff7ab799b], '\x0f') self.assertEqual(mem[0x7ffff7ab799c], 'p') self.assertEqual(mem[0x7ffff7ab799d], '\xc9') self.assertEqual(mem[0x7ffff7ab799e], '\x00') self.assertEqual(cpu.XMM1, 62718710765820030520700417840365121327L) self.assertEqual(cpu.RIP, 140737348598175L) def test_PSHUFD_5(self): ''' Instruction PSHUFD_5 Groups: sse2 0x7ffff7df4388: pshufd xmm1, xmm1, 0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4388] = 'f' mem[0x7ffff7df4389] = '\x0f' mem[0x7ffff7df438a] = 'p' mem[0x7ffff7df438b] = '\xc9' mem[0x7ffff7df438c] = '\x00' cpu.XMM1 = 0x24242424 cpu.RIP = 0x7ffff7df4388 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df4388], 'f') self.assertEqual(mem[0x7ffff7df4389], '\x0f') self.assertEqual(mem[0x7ffff7df438a], 'p') self.assertEqual(mem[0x7ffff7df438b], '\xc9') self.assertEqual(mem[0x7ffff7df438c], '\x00') self.assertEqual(cpu.XMM1, 48039863565308959547770532813896688676L) self.assertEqual(cpu.RIP, 140737351992205L) def test_PSHUFD_6(self): ''' Instruction PSHUFD_6 Groups: sse2 0x7ffff7ab799a: pshufd xmm1, xmm1, 0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx') mem[0x7ffff7ab799a] = 'f' mem[0x7ffff7ab799b] = '\x0f' mem[0x7ffff7ab799c] = 'p' mem[0x7ffff7ab799d] = '\xc9' mem[0x7ffff7ab799e] = '\x00' cpu.XMM1 = 0x2f2f2f2f cpu.RIP = 0x7ffff7ab799a cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ab799a], 'f') self.assertEqual(mem[0x7ffff7ab799b], '\x0f') self.assertEqual(mem[0x7ffff7ab799c], 'p') self.assertEqual(mem[0x7ffff7ab799d], '\xc9') self.assertEqual(mem[0x7ffff7ab799e], '\x00') self.assertEqual(cpu.XMM1, 62718710765820030520700417840365121327L) self.assertEqual(cpu.RIP, 140737348598175L) def test_PUNPCKLBW_1(self): ''' Instruction PUNPCKLBW_1 Groups: sse2 0x7ffff7df437b: punpcklbw xmm1, xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df437b] = 'f' mem[0x7ffff7df437c] = '\x0f' mem[0x7ffff7df437d] = '`' mem[0x7ffff7df437e] = '\xc9' cpu.XMM1 = 0x24 cpu.RIP = 0x7ffff7df437b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df437b], 'f') self.assertEqual(mem[0x7ffff7df437c], '\x0f') self.assertEqual(mem[0x7ffff7df437d], '`') self.assertEqual(mem[0x7ffff7df437e], '\xc9') self.assertEqual(cpu.XMM1, 9252) self.assertEqual(cpu.RIP, 140737351992191L) def test_PUNPCKLBW_2(self): ''' Instruction PUNPCKLBW_2 Groups: sse2 0x7ffff7ac0aeb: punpcklbw xmm1, xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0aeb] = 'f' mem[0x7ffff7ac0aec] = '\x0f' mem[0x7ffff7ac0aed] = '`' mem[0x7ffff7ac0aee] = '\xc9' cpu.XMM1 = 0x25 cpu.RIP = 0x7ffff7ac0aeb cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ac0aeb], 'f') self.assertEqual(mem[0x7ffff7ac0aec], '\x0f') self.assertEqual(mem[0x7ffff7ac0aed], '`') self.assertEqual(mem[0x7ffff7ac0aee], '\xc9') self.assertEqual(cpu.XMM1, 9509) self.assertEqual(cpu.RIP, 140737348635375L) def test_PUNPCKLBW_3(self): ''' Instruction PUNPCKLBW_3 Groups: sse2 0x7ffff7ac0aeb: punpcklbw xmm1, xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0aeb] = 'f' mem[0x7ffff7ac0aec] = '\x0f' mem[0x7ffff7ac0aed] = '`' mem[0x7ffff7ac0aee] = '\xc9' cpu.XMM1 = 0x25 cpu.RIP = 0x7ffff7ac0aeb cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ac0aeb], 'f') self.assertEqual(mem[0x7ffff7ac0aec], '\x0f') self.assertEqual(mem[0x7ffff7ac0aed], '`') self.assertEqual(mem[0x7ffff7ac0aee], '\xc9') self.assertEqual(cpu.XMM1, 9509) self.assertEqual(cpu.RIP, 140737348635375L) def test_PUNPCKLBW_4(self): ''' Instruction PUNPCKLBW_4 Groups: sse2 0x4579cc: punpcklbw xmm1, xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x004579cc] = 'f' mem[0x004579cd] = '\x0f' mem[0x004579ce] = '`' mem[0x004579cf] = '\xc9' cpu.XMM1 = 0x2f cpu.RIP = 0x4579cc cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4579cc], 'f') self.assertEqual(mem[0x4579cd], '\x0f') self.assertEqual(mem[0x4579ce], '`') self.assertEqual(mem[0x4579cf], '\xc9') self.assertEqual(cpu.XMM1, 12079) self.assertEqual(cpu.RIP, 4553168L) def test_PUNPCKLBW_5(self): ''' Instruction PUNPCKLBW_5 Groups: sse2 0x45794c: punpcklbw xmm1, xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x0045794c] = 'f' mem[0x0045794d] = '\x0f' mem[0x0045794e] = '`' mem[0x0045794f] = '\xc9' cpu.XMM1 = 0x2f cpu.RIP = 0x45794c cpu.execute() #cpu.writeback() self.assertEqual(mem[0x45794c], 'f') self.assertEqual(mem[0x45794d], '\x0f') self.assertEqual(mem[0x45794e], '`') self.assertEqual(mem[0x45794f], '\xc9') self.assertEqual(cpu.XMM1, 12079) self.assertEqual(cpu.RIP, 4553040L) def test_PUNPCKLBW_6(self): ''' Instruction PUNPCKLBW_6 Groups: sse2 0x7ffff7df437b: punpcklbw xmm1, xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df437b] = 'f' mem[0x7ffff7df437c] = '\x0f' mem[0x7ffff7df437d] = '`' mem[0x7ffff7df437e] = '\xc9' cpu.XMM1 = 0x24 cpu.RIP = 0x7ffff7df437b cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df437b], 'f') self.assertEqual(mem[0x7ffff7df437c], '\x0f') self.assertEqual(mem[0x7ffff7df437d], '`') self.assertEqual(mem[0x7ffff7df437e], '\xc9') self.assertEqual(cpu.XMM1, 9252) self.assertEqual(cpu.RIP, 140737351992191L) def test_PUNPCKLWD_1(self): ''' Instruction PUNPCKLWD_1 Groups: sse2 0x457a46: punpcklwd xmm1, xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x00457a48] = 'a' mem[0x00457a49] = '\xc9' mem[0x00457a46] = 'f' mem[0x00457a47] = '\x0f' cpu.XMM1 = 0x2f2f cpu.RIP = 0x457a46 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x457a48], 'a') self.assertEqual(mem[0x457a49], '\xc9') self.assertEqual(mem[0x457a46], 'f') self.assertEqual(mem[0x457a47], '\x0f') self.assertEqual(cpu.XMM1, 791621423) self.assertEqual(cpu.RIP, 4553290L) def test_PUNPCKLWD_2(self): ''' Instruction PUNPCKLWD_2 Groups: sse2 0x421b24: punpcklwd xmm1, xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00421000, 0x1000, 'rwx') mem[0x00421b24] = 'f' mem[0x00421b25] = '\x0f' mem[0x00421b26] = 'a' mem[0x00421b27] = '\xc9' cpu.XMM1 = 0x2525 cpu.RIP = 0x421b24 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x421b24], 'f') self.assertEqual(mem[0x421b25], '\x0f') self.assertEqual(mem[0x421b26], 'a') self.assertEqual(mem[0x421b27], '\xc9') self.assertEqual(cpu.XMM1, 623191333) self.assertEqual(cpu.RIP, 4332328L) def test_PUNPCKLWD_3(self): ''' Instruction PUNPCKLWD_3 Groups: sse2 0x7ffff7df4384: punpcklwd xmm1, xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4384] = 'f' mem[0x7ffff7df4385] = '\x0f' mem[0x7ffff7df4386] = 'a' mem[0x7ffff7df4387] = '\xc9' cpu.XMM1 = 0x2424 cpu.RIP = 0x7ffff7df4384 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df4384], 'f') self.assertEqual(mem[0x7ffff7df4385], '\x0f') self.assertEqual(mem[0x7ffff7df4386], 'a') self.assertEqual(mem[0x7ffff7df4387], '\xc9') self.assertEqual(cpu.XMM1, 606348324) self.assertEqual(cpu.RIP, 140737351992200L) def test_PUNPCKLWD_4(self): ''' Instruction PUNPCKLWD_4 Groups: sse2 0x7ffff7df4384: punpcklwd xmm1, xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4384] = 'f' mem[0x7ffff7df4385] = '\x0f' mem[0x7ffff7df4386] = 'a' mem[0x7ffff7df4387] = '\xc9' cpu.XMM1 = 0x2424 cpu.RIP = 0x7ffff7df4384 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df4384], 'f') self.assertEqual(mem[0x7ffff7df4385], '\x0f') self.assertEqual(mem[0x7ffff7df4386], 'a') self.assertEqual(mem[0x7ffff7df4387], '\xc9') self.assertEqual(cpu.XMM1, 606348324) self.assertEqual(cpu.RIP, 140737351992200L) def test_PUNPCKLWD_5(self): ''' Instruction PUNPCKLWD_5 Groups: sse2 0x45a576: punpcklwd xmm1, xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0045a000, 0x1000, 'rwx') mem[0x0045a578] = 'a' mem[0x0045a579] = '\xc9' mem[0x0045a576] = 'f' mem[0x0045a577] = '\x0f' cpu.XMM1 = 0x2f2f cpu.RIP = 0x45a576 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x45a578], 'a') self.assertEqual(mem[0x45a579], '\xc9') self.assertEqual(mem[0x45a576], 'f') self.assertEqual(mem[0x45a577], '\x0f') self.assertEqual(cpu.XMM1, 791621423) self.assertEqual(cpu.RIP, 4564346L) def test_PUNPCKLWD_6(self): ''' Instruction PUNPCKLWD_6 Groups: sse2 0x7ffff7ac0af4: punpcklwd xmm1, xmm1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0af4] = 'f' mem[0x7ffff7ac0af5] = '\x0f' mem[0x7ffff7ac0af6] = 'a' mem[0x7ffff7ac0af7] = '\xc9' cpu.XMM1 = 0x2525 cpu.RIP = 0x7ffff7ac0af4 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ac0af4], 'f') self.assertEqual(mem[0x7ffff7ac0af5], '\x0f') self.assertEqual(mem[0x7ffff7ac0af6], 'a') self.assertEqual(mem[0x7ffff7ac0af7], '\xc9') self.assertEqual(cpu.XMM1, 623191333) self.assertEqual(cpu.RIP, 140737348635384L) def test_PUSH_1(self): ''' Instruction PUSH_1 Groups: mode64 0x7ffff7de407a: push r12 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffd7a0] = '4' mem[0x7ffff7de407b] = 'T' mem[0x7fffffffd79a] = '\xff' mem[0x7fffffffd790] = 'X' mem[0x7fffffffd791] = 'v' mem[0x7fffffffd792] = '\xff' mem[0x7fffffffd793] = '\xf7' mem[0x7fffffffd794] = '\xff' mem[0x7fffffffd795] = '\x7f' mem[0x7fffffffd796] = '\x00' mem[0x7fffffffd797] = '\x00' mem[0x7fffffffd798] = '8' mem[0x7fffffffd799] = '\xd8' mem[0x7ffff7de407a] = 'A' mem[0x7fffffffd79b] = '\xff' mem[0x7fffffffd79c] = '\xff' mem[0x7fffffffd79d] = '\x7f' mem[0x7fffffffd79e] = '\x00' mem[0x7fffffffd79f] = '\x00' cpu.RSP = 0x7fffffffd798 cpu.R12 = 0x7ffff7ff7658 cpu.RIP = 0x7ffff7de407a cpu.RBP = 0x7fffffffd870 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffd7a0], '4') self.assertEqual(mem[0x7ffff7de407b], 'T') self.assertEqual(mem[0x7ffff7de407a], 'A') self.assertEqual(mem[0x7fffffffd790], 'X') self.assertEqual(mem[0x7fffffffd791], 'v') self.assertEqual(mem[0x7fffffffd792], '\xff') self.assertEqual(mem[0x7fffffffd793], '\xf7') self.assertEqual(mem[0x7fffffffd794], '\xff') self.assertEqual(mem[0x7fffffffd795], '\x7f') self.assertEqual(mem[0x7fffffffd796], '\x00') self.assertEqual(mem[0x7fffffffd797], '\x00') self.assertEqual(mem[0x7fffffffd798], '8') self.assertEqual(mem[0x7fffffffd799], '\xd8') self.assertEqual(mem[0x7fffffffd79a], '\xff') self.assertEqual(mem[0x7fffffffd79b], '\xff') self.assertEqual(mem[0x7fffffffd79c], '\xff') self.assertEqual(mem[0x7fffffffd79d], '\x7f') self.assertEqual(mem[0x7fffffffd79e], '\x00') self.assertEqual(mem[0x7fffffffd79f], '\x00') self.assertEqual(cpu.R12, 140737354102360L) self.assertEqual(cpu.RSP, 140737488344976L) self.assertEqual(cpu.RIP, 140737351925884L) self.assertEqual(cpu.RBP, 140737488345200L) def test_PUSH_2(self): ''' Instruction PUSH_2 Groups: mode64 0x722546: push 0xff00 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00722000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffcca8] = '\x00' mem[0x7fffffffcca9] = '\xff' mem[0x7fffffffccaa] = '\x00' mem[0x7fffffffccab] = '\x00' mem[0x7fffffffccac] = '\x00' mem[0x7fffffffccad] = '\x00' mem[0x7fffffffccae] = '\x00' mem[0x7fffffffccaf] = '\x00' mem[0x7fffffffccb0] = '\xfe' mem[0x7fffffffccb1] = '\xff' mem[0x7fffffffccb2] = '\xff' mem[0x7fffffffccb3] = '\xff' mem[0x7fffffffccb4] = '@' mem[0x7fffffffccb5] = '\x00' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x00' mem[0x7fffffffccb8] = '\xfe' mem[0x00722546] = 'h' mem[0x00722547] = '\x00' mem[0x00722548] = '\xff' mem[0x00722549] = '\x00' mem[0x0072254a] = '\x00' cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x722546 cpu.RBP = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffcca8], '\x00') self.assertEqual(mem[0x7fffffffcca9], '\xff') self.assertEqual(mem[0x7fffffffccaa], '\x00') self.assertEqual(mem[0x7fffffffccab], '\x00') self.assertEqual(mem[0x7fffffffccac], '\x00') self.assertEqual(mem[0x7fffffffccad], '\x00') self.assertEqual(mem[0x7fffffffccae], '\x00') self.assertEqual(mem[0x7fffffffccaf], '\x00') self.assertEqual(mem[0x7fffffffccb0], '\xfe') self.assertEqual(mem[0x7fffffffccb1], '\xff') self.assertEqual(mem[0x7fffffffccb2], '\xff') self.assertEqual(mem[0x7fffffffccb3], '\xff') self.assertEqual(mem[0x7fffffffccb4], '@') self.assertEqual(mem[0x7fffffffccb5], '\x00') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(mem[0x7fffffffccb8], '\xfe') self.assertEqual(mem[0x722546], 'h') self.assertEqual(mem[0x722547], '\x00') self.assertEqual(mem[0x722548], '\xff') self.assertEqual(mem[0x722549], '\x00') self.assertEqual(mem[0x72254a], '\x00') self.assertEqual(cpu.RSP, 140737488342184L) self.assertEqual(cpu.RIP, 7480651L) self.assertEqual(cpu.RBP, 0L) def test_PUSH_3(self): ''' Instruction PUSH_3 Groups: mode64 0x744c3e: push 0xf00aabb ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00744000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffcca8] = '\xbb' mem[0x7fffffffcca9] = '\xaa' mem[0x7fffffffccaa] = '\x00' mem[0x7fffffffccab] = '\x0f' mem[0x7fffffffccac] = '\x00' mem[0x7fffffffccad] = '\x00' mem[0x7fffffffccae] = '\x00' mem[0x7fffffffccaf] = '\x00' mem[0x7fffffffccb0] = '\x00' mem[0x7fffffffccb1] = '\x00' mem[0x7fffffffccb2] = '\x00' mem[0x7fffffffccb3] = '\x80' mem[0x7fffffffccb4] = '!' mem[0x7fffffffccb5] = 'C' mem[0x7fffffffccb6] = 'e' mem[0x7fffffffccb7] = '\x87' mem[0x7fffffffccb8] = '@' mem[0x00744c3e] = 'h' mem[0x00744c3f] = '\xbb' mem[0x00744c40] = '\xaa' mem[0x00744c41] = '\x00' mem[0x00744c42] = '\x0f' cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x744c3e cpu.RBP = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffcca8], '\xbb') self.assertEqual(mem[0x7fffffffcca9], '\xaa') self.assertEqual(mem[0x7fffffffccaa], '\x00') self.assertEqual(mem[0x7fffffffccab], '\x0f') self.assertEqual(mem[0x7fffffffccac], '\x00') self.assertEqual(mem[0x7fffffffccad], '\x00') self.assertEqual(mem[0x7fffffffccae], '\x00') self.assertEqual(mem[0x7fffffffccaf], '\x00') self.assertEqual(mem[0x7fffffffccb0], '\x00') self.assertEqual(mem[0x7fffffffccb1], '\x00') self.assertEqual(mem[0x7fffffffccb2], '\x00') self.assertEqual(mem[0x7fffffffccb3], '\x80') self.assertEqual(mem[0x7fffffffccb4], '!') self.assertEqual(mem[0x7fffffffccb5], 'C') self.assertEqual(mem[0x7fffffffccb6], 'e') self.assertEqual(mem[0x7fffffffccb7], '\x87') self.assertEqual(mem[0x7fffffffccb8], '@') self.assertEqual(mem[0x744c3e], 'h') self.assertEqual(mem[0x744c3f], '\xbb') self.assertEqual(mem[0x744c40], '\xaa') self.assertEqual(mem[0x744c41], '\x00') self.assertEqual(mem[0x744c42], '\x0f') self.assertEqual(cpu.RSP, 140737488342184L) self.assertEqual(cpu.RIP, 7621699L) self.assertEqual(cpu.RBP, 0L) def test_PUSH_4(self): ''' Instruction PUSH_4 Groups: mode64 0x6651fa: push rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00665000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffcca8] = '\x7f' mem[0x7fffffffcca9] = '\x00' mem[0x7fffffffccaa] = '\x00' mem[0x7fffffffccab] = '\x00' mem[0x7fffffffccac] = '\x00' mem[0x7fffffffccad] = '\x00' mem[0x7fffffffccae] = '\x00' mem[0x7fffffffccaf] = '\x00' mem[0x7fffffffccb0] = '\x7f' mem[0x7fffffffccb1] = '\x00' mem[0x7fffffffccb2] = '\x00' mem[0x7fffffffccb3] = '\x00' mem[0x7fffffffccb4] = ' ' mem[0x7fffffffccb5] = '\x00' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x00' mem[0x7fffffffccb8] = '!' mem[0x006651fa] = 'P' cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x6651fa cpu.RAX = 0x7f cpu.RBP = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffcca8], '\x7f') self.assertEqual(mem[0x7fffffffcca9], '\x00') self.assertEqual(mem[0x7fffffffccaa], '\x00') self.assertEqual(mem[0x7fffffffccab], '\x00') self.assertEqual(mem[0x7fffffffccac], '\x00') self.assertEqual(mem[0x7fffffffccad], '\x00') self.assertEqual(mem[0x7fffffffccae], '\x00') self.assertEqual(mem[0x7fffffffccaf], '\x00') self.assertEqual(mem[0x7fffffffccb0], '\x7f') self.assertEqual(mem[0x7fffffffccb1], '\x00') self.assertEqual(mem[0x7fffffffccb2], '\x00') self.assertEqual(mem[0x7fffffffccb3], '\x00') self.assertEqual(mem[0x7fffffffccb4], ' ') self.assertEqual(mem[0x7fffffffccb5], '\x00') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(mem[0x7fffffffccb8], '!') self.assertEqual(mem[0x6651fa], 'P') self.assertEqual(cpu.RSP, 140737488342184L) self.assertEqual(cpu.RAX, 127L) self.assertEqual(cpu.RIP, 6705659L) self.assertEqual(cpu.RBP, 0L) def test_PUSH_5(self): ''' Instruction PUSH_5 Groups: mode64 0x7ffff7de4330: push rbp ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffda40] = '\x01' mem[0x7ffff7de4330] = 'U' mem[0x7fffffffda30] = 'p' mem[0x7fffffffda31] = '\xdb' mem[0x7fffffffda32] = '\xff' mem[0x7fffffffda33] = '\xff' mem[0x7fffffffda34] = '\xff' mem[0x7fffffffda35] = '\x7f' mem[0x7fffffffda36] = '\x00' mem[0x7fffffffda37] = '\x00' mem[0x7fffffffda38] = '\x94' mem[0x7fffffffda39] = 'b' mem[0x7fffffffda3a] = '\xde' mem[0x7fffffffda3b] = '\xf7' mem[0x7fffffffda3c] = '\xff' mem[0x7fffffffda3d] = '\x7f' mem[0x7fffffffda3e] = '\x00' mem[0x7fffffffda3f] = '\x00' cpu.RSP = 0x7fffffffda38 cpu.RIP = 0x7ffff7de4330 cpu.RBP = 0x7fffffffdb70 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffda40], '\x01') self.assertEqual(mem[0x7fffffffda30], 'p') self.assertEqual(mem[0x7ffff7de4330], 'U') self.assertEqual(mem[0x7fffffffda31], '\xdb') self.assertEqual(mem[0x7fffffffda32], '\xff') self.assertEqual(mem[0x7fffffffda33], '\xff') self.assertEqual(mem[0x7fffffffda34], '\xff') self.assertEqual(mem[0x7fffffffda35], '\x7f') self.assertEqual(mem[0x7fffffffda36], '\x00') self.assertEqual(mem[0x7fffffffda37], '\x00') self.assertEqual(mem[0x7fffffffda38], '\x94') self.assertEqual(mem[0x7fffffffda39], 'b') self.assertEqual(mem[0x7fffffffda3a], '\xde') self.assertEqual(mem[0x7fffffffda3b], '\xf7') self.assertEqual(mem[0x7fffffffda3c], '\xff') self.assertEqual(mem[0x7fffffffda3d], '\x7f') self.assertEqual(mem[0x7fffffffda3e], '\x00') self.assertEqual(mem[0x7fffffffda3f], '\x00') self.assertEqual(cpu.RSP, 140737488345648L) self.assertEqual(cpu.RIP, 140737351926577L) self.assertEqual(cpu.RBP, 140737488345968L) def test_PUSH_6(self): ''' Instruction PUSH_6 Groups: mode64 0x75c167: push 0xf00aabb ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0075c000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffcca8] = '\xbb' mem[0x7fffffffcca9] = '\xaa' mem[0x7fffffffccaa] = '\x00' mem[0x7fffffffccab] = '\x0f' mem[0x7fffffffccac] = '\x00' mem[0x7fffffffccad] = '\x00' mem[0x7fffffffccae] = '\x00' mem[0x7fffffffccaf] = '\x00' mem[0x7fffffffccb0] = '\xfe' mem[0x7fffffffccb1] = '\xff' mem[0x7fffffffccb2] = '\xff' mem[0x7fffffffccb3] = '\xff' mem[0x7fffffffccb4] = '\x80' mem[0x7fffffffccb5] = '\x00' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x00' mem[0x7fffffffccb8] = 'x' mem[0x0075c167] = 'h' mem[0x0075c168] = '\xbb' mem[0x0075c169] = '\xaa' mem[0x0075c16a] = '\x00' mem[0x0075c16b] = '\x0f' cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x75c167 cpu.RBP = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffcca8], '\xbb') self.assertEqual(mem[0x7fffffffcca9], '\xaa') self.assertEqual(mem[0x7fffffffccaa], '\x00') self.assertEqual(mem[0x7fffffffccab], '\x0f') self.assertEqual(mem[0x7fffffffccac], '\x00') self.assertEqual(mem[0x7fffffffccad], '\x00') self.assertEqual(mem[0x7fffffffccae], '\x00') self.assertEqual(mem[0x7fffffffccaf], '\x00') self.assertEqual(mem[0x7fffffffccb0], '\xfe') self.assertEqual(mem[0x7fffffffccb1], '\xff') self.assertEqual(mem[0x7fffffffccb2], '\xff') self.assertEqual(mem[0x7fffffffccb3], '\xff') self.assertEqual(mem[0x7fffffffccb4], '\x80') self.assertEqual(mem[0x7fffffffccb5], '\x00') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(mem[0x7fffffffccb8], 'x') self.assertEqual(mem[0x75c167], 'h') self.assertEqual(mem[0x75c168], '\xbb') self.assertEqual(mem[0x75c169], '\xaa') self.assertEqual(mem[0x75c16a], '\x00') self.assertEqual(mem[0x75c16b], '\x0f') self.assertEqual(cpu.RSP, 140737488342184L) self.assertEqual(cpu.RIP, 7717228L) self.assertEqual(cpu.RBP, 0L) def test_PXOR_1(self): ''' Instruction PXOR_1 Groups: sse2 0x418490: pxor xmm8, xmm8 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x00418490] = 'f' mem[0x00418491] = 'E' mem[0x00418492] = '\x0f' mem[0x00418493] = '\xef' mem[0x00418494] = '\xc0' cpu.XMM8 = 0x0 cpu.RIP = 0x418490 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x418490], 'f') self.assertEqual(mem[0x418491], 'E') self.assertEqual(mem[0x418492], '\x0f') self.assertEqual(mem[0x418493], '\xef') self.assertEqual(mem[0x418494], '\xc0') self.assertEqual(cpu.XMM8, 0) self.assertEqual(cpu.RIP, 4293781L) def test_PXOR_2(self): ''' Instruction PXOR_2 Groups: sse2 0x41848f: pxor xmm11, xmm11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x00418490] = 'E' mem[0x00418491] = '\x0f' mem[0x00418492] = '\xef' mem[0x00418493] = '\xdb' mem[0x0041848f] = 'f' cpu.XMM11 = 0x0 cpu.RIP = 0x41848f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x418490], 'E') self.assertEqual(mem[0x418491], '\x0f') self.assertEqual(mem[0x418492], '\xef') self.assertEqual(mem[0x418493], '\xdb') self.assertEqual(mem[0x41848f], 'f') self.assertEqual(cpu.XMM11, 0) self.assertEqual(cpu.RIP, 4293780L) def test_PXOR_3(self): ''' Instruction PXOR_3 Groups: sse2 0x4184bf: pxor xmm11, xmm11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x004184c0] = 'E' mem[0x004184c1] = '\x0f' mem[0x004184c2] = '\xef' mem[0x004184c3] = '\xdb' mem[0x004184bf] = 'f' cpu.XMM11 = 0x0 cpu.RIP = 0x4184bf cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4184c0], 'E') self.assertEqual(mem[0x4184c1], '\x0f') self.assertEqual(mem[0x4184c2], '\xef') self.assertEqual(mem[0x4184c3], '\xdb') self.assertEqual(mem[0x4184bf], 'f') self.assertEqual(cpu.XMM11, 0) self.assertEqual(cpu.RIP, 4293828L) def test_PXOR_4(self): ''' Instruction PXOR_4 Groups: sse2 0x418480: pxor xmm8, xmm8 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x00418480] = 'f' mem[0x00418481] = 'E' mem[0x00418482] = '\x0f' mem[0x00418483] = '\xef' mem[0x00418484] = '\xc0' cpu.XMM8 = 0x0 cpu.RIP = 0x418480 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x418480], 'f') self.assertEqual(mem[0x418481], 'E') self.assertEqual(mem[0x418482], '\x0f') self.assertEqual(mem[0x418483], '\xef') self.assertEqual(mem[0x418484], '\xc0') self.assertEqual(cpu.XMM8, 0) self.assertEqual(cpu.RIP, 4293765L) def test_PXOR_5(self): ''' Instruction PXOR_5 Groups: sse2 0x4183b5: pxor xmm9, xmm9 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x004183b8] = '\xef' mem[0x004183b9] = '\xc9' mem[0x004183b5] = 'f' mem[0x004183b6] = 'E' mem[0x004183b7] = '\x0f' cpu.XMM9 = 0x0 cpu.RIP = 0x4183b5 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4183b8], '\xef') self.assertEqual(mem[0x4183b9], '\xc9') self.assertEqual(mem[0x4183b5], 'f') self.assertEqual(mem[0x4183b6], 'E') self.assertEqual(mem[0x4183b7], '\x0f') self.assertEqual(cpu.XMM9, 0) self.assertEqual(cpu.RIP, 4293562L) def test_PXOR_6(self): ''' Instruction PXOR_6 Groups: sse2 0x418495: pxor xmm9, xmm9 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x00418498] = '\xef' mem[0x00418499] = '\xc9' mem[0x00418495] = 'f' mem[0x00418496] = 'E' mem[0x00418497] = '\x0f' cpu.XMM9 = 0x0 cpu.RIP = 0x418495 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x418498], '\xef') self.assertEqual(mem[0x418499], '\xc9') self.assertEqual(mem[0x418495], 'f') self.assertEqual(mem[0x418496], 'E') self.assertEqual(mem[0x418497], '\x0f') self.assertEqual(cpu.XMM9, 0) self.assertEqual(cpu.RIP, 4293786L) def test_RET_1(self): ''' Instruction RET_1 Groups: ret, mode64 0x7ffff7de3748: ret ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffd780] = ']' mem[0x7ffff7de3748] = '\xc3' mem[0x7fffffffd770] = 'p' mem[0x7fffffffd771] = '\xd8' mem[0x7fffffffd772] = '\xff' mem[0x7fffffffd773] = '\xff' mem[0x7fffffffd774] = '\xff' mem[0x7fffffffd775] = '\x7f' mem[0x7fffffffd776] = '\x00' mem[0x7fffffffd777] = '\x00' mem[0x7fffffffd778] = '\xab' mem[0x7fffffffd779] = '@' mem[0x7fffffffd77a] = '\xde' mem[0x7fffffffd77b] = '\xf7' mem[0x7fffffffd77c] = '\xff' mem[0x7fffffffd77d] = '\x7f' mem[0x7fffffffd77e] = '\x00' mem[0x7fffffffd77f] = '\x00' cpu.RSP = 0x7fffffffd778 cpu.RIP = 0x7ffff7de3748 cpu.RBP = 0x7fffffffd870 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffd780], ']') self.assertEqual(mem[0x7ffff7de3748], '\xc3') self.assertEqual(mem[0x7fffffffd770], 'p') self.assertEqual(mem[0x7fffffffd771], '\xd8') self.assertEqual(mem[0x7fffffffd772], '\xff') self.assertEqual(mem[0x7fffffffd773], '\xff') self.assertEqual(mem[0x7fffffffd774], '\xff') self.assertEqual(mem[0x7fffffffd775], '\x7f') self.assertEqual(mem[0x7fffffffd776], '\x00') self.assertEqual(mem[0x7fffffffd777], '\x00') self.assertEqual(mem[0x7fffffffd778], '\xab') self.assertEqual(mem[0x7fffffffd779], '@') self.assertEqual(mem[0x7fffffffd77a], '\xde') self.assertEqual(mem[0x7fffffffd77b], '\xf7') self.assertEqual(mem[0x7fffffffd77c], '\xff') self.assertEqual(mem[0x7fffffffd77d], '\x7f') self.assertEqual(mem[0x7fffffffd77e], '\x00') self.assertEqual(mem[0x7fffffffd77f], '\x00') self.assertEqual(cpu.RSP, 140737488344960L) self.assertEqual(cpu.RIP, 140737351925931L) self.assertEqual(cpu.RBP, 140737488345200L) def test_RET_2(self): ''' Instruction RET_2 Groups: ret, mode64 0x7ffff7df537f: ret ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df5000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffd840] = '\x00' mem[0x7ffff7df537f] = '\xc3' mem[0x7fffffffd830] = '\x03' mem[0x7fffffffd831] = '\x00' mem[0x7fffffffd832] = '\x00' mem[0x7fffffffd833] = '\x00' mem[0x7fffffffd834] = '\x00' mem[0x7fffffffd835] = '\x00' mem[0x7fffffffd836] = '\x00' mem[0x7fffffffd837] = '\x00' mem[0x7fffffffd838] = '\xdb' mem[0x7fffffffd839] = '\x7f' mem[0x7fffffffd83a] = '\xde' mem[0x7fffffffd83b] = '\xf7' mem[0x7fffffffd83c] = '\xff' mem[0x7fffffffd83d] = '\x7f' mem[0x7fffffffd83e] = '\x00' mem[0x7fffffffd83f] = '\x00' cpu.RSP = 0x7fffffffd838 cpu.RIP = 0x7ffff7df537f cpu.RBP = 0x7fffffffdae0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffd840], '\x00') self.assertEqual(mem[0x7fffffffd83f], '\x00') self.assertEqual(mem[0x7fffffffd830], '\x03') self.assertEqual(mem[0x7fffffffd831], '\x00') self.assertEqual(mem[0x7fffffffd832], '\x00') self.assertEqual(mem[0x7fffffffd833], '\x00') self.assertEqual(mem[0x7fffffffd834], '\x00') self.assertEqual(mem[0x7fffffffd835], '\x00') self.assertEqual(mem[0x7fffffffd836], '\x00') self.assertEqual(mem[0x7fffffffd837], '\x00') self.assertEqual(mem[0x7fffffffd838], '\xdb') self.assertEqual(mem[0x7fffffffd839], '\x7f') self.assertEqual(mem[0x7fffffffd83a], '\xde') self.assertEqual(mem[0x7fffffffd83b], '\xf7') self.assertEqual(mem[0x7fffffffd83c], '\xff') self.assertEqual(mem[0x7fffffffd83d], '\x7f') self.assertEqual(mem[0x7fffffffd83e], '\x00') self.assertEqual(mem[0x7ffff7df537f], '\xc3') self.assertEqual(cpu.RSP, 140737488345152L) self.assertEqual(cpu.RIP, 140737351942107L) self.assertEqual(cpu.RBP, 140737488345824L) def test_RET_3(self): ''' Instruction RET_3 Groups: ret, mode64 0x406e67: ret ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffdb20] = 'p' mem[0x7fffffffdb21] = '\xdb' mem[0x7fffffffdb22] = '\xff' mem[0x7fffffffdb23] = '\xff' mem[0x7fffffffdb24] = '\xff' mem[0x7fffffffdb25] = '\x7f' mem[0x7fffffffdb26] = '\x00' mem[0x00406e67] = '\xc3' mem[0x7fffffffdb28] = 'N' mem[0x7fffffffdb29] = 'o' mem[0x7fffffffdb2a] = 'C' mem[0x7fffffffdb27] = '\x00' mem[0x7fffffffdb2c] = '\x00' mem[0x7fffffffdb2d] = '\x00' mem[0x7fffffffdb2e] = '\x00' mem[0x7fffffffdb2f] = '\x00' mem[0x7fffffffdb30] = '@' mem[0x7fffffffdb2b] = '\x00' cpu.RSP = 0x7fffffffdb28 cpu.RIP = 0x406e67 cpu.RBP = 0x7fffffffdb70 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffdb20], 'p') self.assertEqual(mem[0x7fffffffdb21], '\xdb') self.assertEqual(mem[0x7fffffffdb22], '\xff') self.assertEqual(mem[0x7fffffffdb23], '\xff') self.assertEqual(mem[0x7fffffffdb24], '\xff') self.assertEqual(mem[0x7fffffffdb25], '\x7f') self.assertEqual(mem[0x7fffffffdb26], '\x00') self.assertEqual(mem[0x406e67], '\xc3') self.assertEqual(mem[0x7fffffffdb28], 'N') self.assertEqual(mem[0x7fffffffdb29], 'o') self.assertEqual(mem[0x7fffffffdb2a], 'C') self.assertEqual(mem[0x7fffffffdb2b], '\x00') self.assertEqual(mem[0x7fffffffdb2c], '\x00') self.assertEqual(mem[0x7fffffffdb2d], '\x00') self.assertEqual(mem[0x7fffffffdb2e], '\x00') self.assertEqual(mem[0x7fffffffdb2f], '\x00') self.assertEqual(mem[0x7fffffffdb30], '@') self.assertEqual(mem[0x7fffffffdb27], '\x00') self.assertEqual(cpu.RSP, 140737488345904L) self.assertEqual(cpu.RIP, 4419406L) self.assertEqual(cpu.RBP, 140737488345968L) def test_RET_4(self): ''' Instruction RET_4 Groups: ret, mode64 0x7ffff7de2af3: ret ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de2000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffd700] = ' ' mem[0x7fffffffd701] = '\xd7' mem[0x7fffffffd702] = '\xff' mem[0x7fffffffd703] = '\xff' mem[0x7fffffffd704] = '\xff' mem[0x7fffffffd705] = '\x7f' mem[0x7fffffffd706] = '\x00' mem[0x7fffffffd707] = '\x00' mem[0x7fffffffd708] = ')' mem[0x7fffffffd709] = 'u' mem[0x7fffffffd70a] = '\xde' mem[0x7fffffffd70b] = '\xf7' mem[0x7fffffffd70c] = '\xff' mem[0x7fffffffd70d] = '\x7f' mem[0x7fffffffd70e] = '\x00' mem[0x7fffffffd70f] = '\x00' mem[0x7fffffffd710] = '\xb0' mem[0x7ffff7de2af3] = '\xc3' cpu.RSP = 0x7fffffffd708 cpu.RIP = 0x7ffff7de2af3 cpu.RBP = 0x7fffffffd720 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffd700], ' ') self.assertEqual(mem[0x7fffffffd701], '\xd7') self.assertEqual(mem[0x7fffffffd702], '\xff') self.assertEqual(mem[0x7fffffffd703], '\xff') self.assertEqual(mem[0x7fffffffd704], '\xff') self.assertEqual(mem[0x7fffffffd705], '\x7f') self.assertEqual(mem[0x7fffffffd706], '\x00') self.assertEqual(mem[0x7fffffffd707], '\x00') self.assertEqual(mem[0x7fffffffd708], ')') self.assertEqual(mem[0x7fffffffd709], 'u') self.assertEqual(mem[0x7fffffffd70a], '\xde') self.assertEqual(mem[0x7fffffffd70b], '\xf7') self.assertEqual(mem[0x7fffffffd70c], '\xff') self.assertEqual(mem[0x7fffffffd70d], '\x7f') self.assertEqual(mem[0x7fffffffd70e], '\x00') self.assertEqual(mem[0x7fffffffd70f], '\x00') self.assertEqual(mem[0x7fffffffd710], '\xb0') self.assertEqual(mem[0x7ffff7de2af3], '\xc3') self.assertEqual(cpu.RSP, 140737488344848L) self.assertEqual(cpu.RIP, 140737351939369L) self.assertEqual(cpu.RBP, 140737488344864L) def test_RET_5(self): ''' Instruction RET_5 Groups: ret, mode64 0x4118a1: ret ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00411000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffdae0] = '\x00' mem[0x004118a1] = '\xc3' mem[0x7fffffffdae2] = '\xff' mem[0x7fffffffdae3] = '\xff' mem[0x7fffffffdae4] = '\xff' mem[0x7fffffffdae5] = '\x7f' mem[0x7fffffffdae6] = '\x00' mem[0x7fffffffdae1] = '\xdb' mem[0x7fffffffdae8] = '\x1c' mem[0x7fffffffdae9] = '6' mem[0x7fffffffdaea] = 'A' mem[0x7fffffffdae7] = '\x00' mem[0x7fffffffdaec] = '\x00' mem[0x7fffffffdaed] = '\x00' mem[0x7fffffffdaee] = '\x00' mem[0x7fffffffdaef] = '\x00' mem[0x7fffffffdaf0] = '\x02' mem[0x7fffffffdaeb] = '\x00' cpu.RSP = 0x7fffffffdae8 cpu.RIP = 0x4118a1 cpu.RBP = 0x7fffffffdb00 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffdae0], '\x00') self.assertEqual(mem[0x7fffffffdae1], '\xdb') self.assertEqual(mem[0x7fffffffdae2], '\xff') self.assertEqual(mem[0x7fffffffdae3], '\xff') self.assertEqual(mem[0x7fffffffdae4], '\xff') self.assertEqual(mem[0x7fffffffdae5], '\x7f') self.assertEqual(mem[0x7fffffffdae6], '\x00') self.assertEqual(mem[0x4118a1], '\xc3') self.assertEqual(mem[0x7fffffffdae8], '\x1c') self.assertEqual(mem[0x7fffffffdae9], '6') self.assertEqual(mem[0x7fffffffdaea], 'A') self.assertEqual(mem[0x7fffffffdae7], '\x00') self.assertEqual(mem[0x7fffffffdaec], '\x00') self.assertEqual(mem[0x7fffffffdaed], '\x00') self.assertEqual(mem[0x7fffffffdaee], '\x00') self.assertEqual(mem[0x7fffffffdaef], '\x00') self.assertEqual(mem[0x7fffffffdaf0], '\x02') self.assertEqual(mem[0x7fffffffdaeb], '\x00') self.assertEqual(cpu.RSP, 140737488345840L) self.assertEqual(cpu.RIP, 4273692L) self.assertEqual(cpu.RBP, 140737488345856L) def test_RET_6(self): ''' Instruction RET_6 Groups: ret, mode64 0x40fc8d: ret ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0040f000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffda00] = '\x06' mem[0x0040fc8d] = '\xc3' mem[0x7fffffffd9f0] = '\xb0' mem[0x7fffffffd9f1] = '\xda' mem[0x7fffffffd9f2] = '\xff' mem[0x7fffffffd9f3] = '\xff' mem[0x7fffffffd9f4] = '\xff' mem[0x7fffffffd9f5] = '\x7f' mem[0x7fffffffd9f6] = '\x00' mem[0x7fffffffd9f7] = '\x00' mem[0x7fffffffd9f8] = '\xee' mem[0x7fffffffd9f9] = '}' mem[0x7fffffffd9fa] = 'E' mem[0x7fffffffd9fb] = '\x00' mem[0x7fffffffd9fc] = '\x00' mem[0x7fffffffd9fd] = '\x00' mem[0x7fffffffd9fe] = '\x00' mem[0x7fffffffd9ff] = '\x00' cpu.RSP = 0x7fffffffd9f8 cpu.RIP = 0x40fc8d cpu.RBP = 0x7fffffffdab0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffda00], '\x06') self.assertEqual(mem[0x40fc8d], '\xc3') self.assertEqual(mem[0x7fffffffd9f0], '\xb0') self.assertEqual(mem[0x7fffffffd9f1], '\xda') self.assertEqual(mem[0x7fffffffd9f2], '\xff') self.assertEqual(mem[0x7fffffffd9f3], '\xff') self.assertEqual(mem[0x7fffffffd9f4], '\xff') self.assertEqual(mem[0x7fffffffd9f5], '\x7f') self.assertEqual(mem[0x7fffffffd9f6], '\x00') self.assertEqual(mem[0x7fffffffd9f7], '\x00') self.assertEqual(mem[0x7fffffffd9f8], '\xee') self.assertEqual(mem[0x7fffffffd9f9], '}') self.assertEqual(mem[0x7fffffffd9fa], 'E') self.assertEqual(mem[0x7fffffffd9fb], '\x00') self.assertEqual(mem[0x7fffffffd9fc], '\x00') self.assertEqual(mem[0x7fffffffd9fd], '\x00') self.assertEqual(mem[0x7fffffffd9fe], '\x00') self.assertEqual(mem[0x7fffffffd9ff], '\x00') self.assertEqual(cpu.RSP, 140737488345600L) self.assertEqual(cpu.RIP, 4554222L) self.assertEqual(cpu.RBP, 140737488345776L) def test_ROL_1(self): ''' Instruction ROL_1 Groups: 0x44272a: rol rax, 0x11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00442000, 0x1000, 'rwx') mem[0x0044272a] = 'H' mem[0x0044272b] = '\xc1' mem[0x0044272c] = '\xc0' mem[0x0044272d] = '\x11' cpu.OF = False cpu.RIP = 0x44272a cpu.CF = False cpu.RAX = 0x69fd1b8f25bea73 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x44272a], 'H') self.assertEqual(mem[0x44272b], '\xc1') self.assertEqual(mem[0x44272c], '\xc0') self.assertEqual(mem[0x44272d], '\x11') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.RAX, 11777445978752552255L) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 4466478L) def test_ROL_2(self): ''' Instruction ROL_2 Groups: 0x7ffff7df408d: rol rax, 0x11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4090] = '\x11' mem[0x7ffff7df408d] = 'H' mem[0x7ffff7df408e] = '\xc1' mem[0x7ffff7df408f] = '\xc0' cpu.OF = False cpu.RIP = 0x7ffff7df408d cpu.CF = False cpu.RAX = 0x7fffffffd9b0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df4090], '\x11') self.assertEqual(mem[0x7ffff7df408d], 'H') self.assertEqual(mem[0x7ffff7df408e], '\xc1') self.assertEqual(mem[0x7ffff7df408f], '\xc0') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.RAX, 18446744072423997440L) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351991441L) def test_ROL_3(self): ''' Instruction ROL_3 Groups: 0x409c7a: rol rdi, 0x11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00409000, 0x1000, 'rwx') mem[0x00409c7a] = 'H' mem[0x00409c7b] = '\xc1' mem[0x00409c7c] = '\xc7' mem[0x00409c7d] = '\x11' cpu.OF = False cpu.RDI = 0x4fb19f79d00a9c7e cpu.CF = False cpu.RIP = 0x409c7a cpu.execute() #cpu.writeback() self.assertEqual(mem[0x409c7a], 'H') self.assertEqual(mem[0x409c7b], '\xc1') self.assertEqual(mem[0x409c7c], '\xc7') self.assertEqual(mem[0x409c7d], '\x11') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.RDI, 4536145262703058787L) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 4234366L) def test_ROL_4(self): ''' Instruction ROL_4 Groups: 0x40725a: rol rdi, 0x11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00407000, 0x1000, 'rwx') mem[0x0040725a] = 'H' mem[0x0040725b] = '\xc1' mem[0x0040725c] = '\xc7' mem[0x0040725d] = '\x11' cpu.OF = False cpu.RDI = 0x1d13aa75a9fb0505 cpu.CF = False cpu.RIP = 0x40725a cpu.execute() #cpu.writeback() self.assertEqual(mem[0x40725a], 'H') self.assertEqual(mem[0x40725b], '\xc1') self.assertEqual(mem[0x40725c], '\xc7') self.assertEqual(mem[0x40725d], '\x11') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.RDI, 6119076834908453415L) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 4223582L) def test_ROL_5(self): ''' Instruction ROL_5 Groups: 0x4452b5: rol rdx, 0x11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00445000, 0x1000, 'rwx') mem[0x004452b8] = '\x11' mem[0x004452b5] = 'H' mem[0x004452b6] = '\xc1' mem[0x004452b7] = '\xc2' cpu.OF = False cpu.CF = False cpu.RIP = 0x4452b5 cpu.RDX = 0x4fb1e0862fb57b2e cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4452b8], '\x11') self.assertEqual(mem[0x4452b5], 'H') self.assertEqual(mem[0x4452b6], '\xc1') self.assertEqual(mem[0x4452b7], '\xc2') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 4477625L) self.assertEqual(cpu.RDX, 13910598262045056867L) def test_ROL_6(self): ''' Instruction ROL_6 Groups: 0x7ffff7a6220a: rol rax, 0x11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a62000, 0x1000, 'rwx') mem[0x7ffff7a6220a] = 'H' mem[0x7ffff7a6220b] = '\xc1' mem[0x7ffff7a6220c] = '\xc0' mem[0x7ffff7a6220d] = '\x11' cpu.OF = False cpu.RIP = 0x7ffff7a6220a cpu.CF = False cpu.RAX = 0x4d168f8071dccc80 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7a6220a], 'H') self.assertEqual(mem[0x7ffff7a6220b], '\xc1') self.assertEqual(mem[0x7ffff7a6220c], '\xc0') self.assertEqual(mem[0x7ffff7a6220d], '\x11') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.RAX, 2234035801451174445L) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 140737348248078L) def test_ROR_1(self): ''' Instruction ROR_1 Groups: 0x406f53: ror rax, 0x11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem[0x00406f53] = 'H' mem[0x00406f54] = '\xc1' mem[0x00406f55] = '\xc8' mem[0x00406f56] = '\x11' cpu.OF = False cpu.RIP = 0x406f53 cpu.CF = False cpu.RAX = 0x9287e74ad78292fc cpu.execute() #cpu.writeback() self.assertEqual(mem[0x406f53], 'H') self.assertEqual(mem[0x406f54], '\xc1') self.assertEqual(mem[0x406f55], '\xc8') self.assertEqual(mem[0x406f56], '\x11') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.RAX, 5295750768033622977L) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 4222807L) def test_ROR_2(self): ''' Instruction ROR_2 Groups: 0x7ffff7a65253: ror rax, 0x11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a65000, 0x1000, 'rwx') mem[0x7ffff7a65253] = 'H' mem[0x7ffff7a65254] = '\xc1' mem[0x7ffff7a65255] = '\xc8' mem[0x7ffff7a65256] = '\x11' cpu.OF = False cpu.RIP = 0x7ffff7a65253 cpu.CF = False cpu.RAX = 0x42002153efdd741e cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7a65253], 'H') self.assertEqual(mem[0x7ffff7a65254], '\xc1') self.assertEqual(mem[0x7ffff7a65255], '\xc8') self.assertEqual(mem[0x7ffff7a65256], '\x11') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.RAX, 13406970899868547054L) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 140737348260439L) def test_ROR_3(self): ''' Instruction ROR_3 Groups: 0x406fd3: ror rax, 0x11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem[0x00406fd3] = 'H' mem[0x00406fd4] = '\xc1' mem[0x00406fd5] = '\xc8' mem[0x00406fd6] = '\x11' cpu.OF = False cpu.RIP = 0x406fd3 cpu.CF = False cpu.RAX = 0x4a02228a32751a47 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x406fd3], 'H') self.assertEqual(mem[0x406fd4], '\xc1') self.assertEqual(mem[0x406fd5], '\xc8') self.assertEqual(mem[0x406fd6], '\x11') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.RAX, 10170153807536003386L) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 4222935L) def test_ROR_4(self): ''' Instruction ROR_4 Groups: 0x7ffff7a65253: ror rax, 0x11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a65000, 0x1000, 'rwx') mem[0x7ffff7a65253] = 'H' mem[0x7ffff7a65254] = '\xc1' mem[0x7ffff7a65255] = '\xc8' mem[0x7ffff7a65256] = '\x11' cpu.OF = False cpu.RIP = 0x7ffff7a65253 cpu.CF = False cpu.RAX = 0x1b65e4b049796683 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7a65253], 'H') self.assertEqual(mem[0x7ffff7a65254], '\xc1') self.assertEqual(mem[0x7ffff7a65255], '\xc8') self.assertEqual(mem[0x7ffff7a65256], '\x11') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.RAX, 12916761005984851132L) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 140737348260439L) def test_ROR_5(self): ''' Instruction ROR_5 Groups: 0x406f53: ror rax, 0x11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem[0x00406f53] = 'H' mem[0x00406f54] = '\xc1' mem[0x00406f55] = '\xc8' mem[0x00406f56] = '\x11' cpu.OF = False cpu.RIP = 0x406f53 cpu.CF = False cpu.RAX = 0x54eb53f60a0a3a27 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x406f53], 'H') self.assertEqual(mem[0x406f54], '\xc1') self.assertEqual(mem[0x406f55], '\xc8') self.assertEqual(mem[0x406f56], '\x11') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.RAX, 2095205673997108485L) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 4222807L) def test_ROR_6(self): ''' Instruction ROR_6 Groups: 0x406fc3: ror rax, 0x11 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem[0x00406fc3] = 'H' mem[0x00406fc4] = '\xc1' mem[0x00406fc5] = '\xc8' mem[0x00406fc6] = '\x11' cpu.OF = False cpu.RIP = 0x406fc3 cpu.CF = False cpu.RAX = 0xf69983477b463caa cpu.execute() #cpu.writeback() self.assertEqual(mem[0x406fc3], 'H') self.assertEqual(mem[0x406fc4], '\xc1') self.assertEqual(mem[0x406fc5], '\xc8') self.assertEqual(mem[0x406fc6], '\x11') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.RAX, 2185788763754708387L) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 4222919L) def test_SAR_1(self): ''' Instruction SAR_1 Groups: 0x7ffff7de4085: sar rax, 2 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4088] = '\x02' mem[0x7ffff7de4085] = 'H' mem[0x7ffff7de4086] = '\xc1' mem[0x7ffff7de4087] = '\xf8' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de4085 cpu.PF = False cpu.SF = False cpu.RAX = 0x15c8 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4088], '\x02') self.assertEqual(mem[0x7ffff7de4085], 'H') self.assertEqual(mem[0x7ffff7de4086], '\xc1') self.assertEqual(mem[0x7ffff7de4087], '\xf8') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351925897L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) self.assertEqual(cpu.RAX, 1394L) def test_SAR_2(self): ''' Instruction SAR_2 Groups: 0x7ffff7acfc78: sar r8d, 0x1f ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7acf000, 0x1000, 'rwx') mem[0x7ffff7acfc78] = 'A' mem[0x7ffff7acfc79] = '\xc1' mem[0x7ffff7acfc7a] = '\xf8' mem[0x7ffff7acfc7b] = '\x1f' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7acfc78 cpu.R8D = 0x9 cpu.PF = False cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7acfc78], 'A') self.assertEqual(mem[0x7ffff7acfc79], '\xc1') self.assertEqual(mem[0x7ffff7acfc7a], '\xf8') self.assertEqual(mem[0x7ffff7acfc7b], '\x1f') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737348697212L) self.assertEqual(cpu.R8D, 0L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_SAR_3(self): ''' Instruction SAR_3 Groups: 0x7ffff7de4085: sar rax, 2 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4088] = '\x02' mem[0x7ffff7de4085] = 'H' mem[0x7ffff7de4086] = '\xc1' mem[0x7ffff7de4087] = '\xf8' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de4085 cpu.PF = True cpu.SF = False cpu.RAX = 0x1290 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4088], '\x02') self.assertEqual(mem[0x7ffff7de4085], 'H') self.assertEqual(mem[0x7ffff7de4086], '\xc1') self.assertEqual(mem[0x7ffff7de4087], '\xf8') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351925897L) self.assertEqual(cpu.PF, False) self.assertEqual(cpu.SF, False) self.assertEqual(cpu.RAX, 1188L) def test_SAR_4(self): ''' Instruction SAR_4 Groups: 0x7ffff7de4085: sar rax, 2 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4088] = '\x02' mem[0x7ffff7de4085] = 'H' mem[0x7ffff7de4086] = '\xc1' mem[0x7ffff7de4087] = '\xf8' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de4085 cpu.PF = False cpu.SF = False cpu.RAX = 0x1450 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4088], '\x02') self.assertEqual(mem[0x7ffff7de4085], 'H') self.assertEqual(mem[0x7ffff7de4086], '\xc1') self.assertEqual(mem[0x7ffff7de4087], '\xf8') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351925897L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) self.assertEqual(cpu.RAX, 1300L) def test_SAR_5(self): ''' Instruction SAR_5 Groups: 0x7ffff7de4085: sar rax, 2 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4088] = '\x02' mem[0x7ffff7de4085] = 'H' mem[0x7ffff7de4086] = '\xc1' mem[0x7ffff7de4087] = '\xf8' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de4085 cpu.PF = False cpu.SF = False cpu.RAX = 0x1420 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4088], '\x02') self.assertEqual(mem[0x7ffff7de4085], 'H') self.assertEqual(mem[0x7ffff7de4086], '\xc1') self.assertEqual(mem[0x7ffff7de4087], '\xf8') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351925897L) self.assertEqual(cpu.PF, False) self.assertEqual(cpu.SF, False) self.assertEqual(cpu.RAX, 1288L) def test_SAR_6(self): ''' Instruction SAR_6 Groups: 0x7ffff7de4085: sar rax, 2 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4088] = '\x02' mem[0x7ffff7de4085] = 'H' mem[0x7ffff7de4086] = '\xc1' mem[0x7ffff7de4087] = '\xf8' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de4085 cpu.PF = False cpu.SF = False cpu.RAX = 0x1070 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4088], '\x02') self.assertEqual(mem[0x7ffff7de4085], 'H') self.assertEqual(mem[0x7ffff7de4086], '\xc1') self.assertEqual(mem[0x7ffff7de4087], '\xf8') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351925897L) self.assertEqual(cpu.PF, False) self.assertEqual(cpu.SF, False) self.assertEqual(cpu.RAX, 1052L) def test_SCASB_1(self): ''' Instruction SCASB_1 Groups: 0x7ffff7a78233: repne scasb al, byte ptr [rdi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx') mem.mmap(0x7fffffffa000, 0x1000, 'rwx') mem[0x7ffff7a78234] = '\xae' mem[0x7fffffffa9c8] = 'F' mem[0x7fffffffa9c9] = '{' mem[0x7fffffffa9ca] = '\xaa' mem[0x7fffffffa9cb] = '\xf7' mem[0x7fffffffa9cc] = '\xff' mem[0x7fffffffa9cd] = '\x7f' mem[0x7fffffffa9ce] = '\x00' mem[0x7fffffffa9cf] = '\x00' mem[0x7ffff7a78233] = '\xf2' mem[0x7ffff7ba14b4] = 't' mem[0x7ffff7ba14b5] = 'o' mem[0x7ffff7ba14b6] = 'r' mem[0x7ffff7ba14b7] = 'y' mem[0x7ffff7ba14b8] = '\x00' mem[0x7ffff7ba14b9] = 'N' mem[0x7ffff7ba14ba] = 'o' mem[0x7ffff7ba14bb] = ' ' cpu.RDI = 0x7ffff7ba14b4 cpu.RCX = 0xffffffffffffffea cpu.RSI = 0x7fffffffa9c8 cpu.RIP = 0x7ffff7a78233 cpu.AL = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ba14b9], 'N') self.assertEqual(mem[0x7fffffffa9c8], 'F') self.assertEqual(mem[0x7fffffffa9c9], '{') self.assertEqual(mem[0x7fffffffa9ca], '\xaa') self.assertEqual(mem[0x7fffffffa9cb], '\xf7') self.assertEqual(mem[0x7fffffffa9cc], '\xff') self.assertEqual(mem[0x7fffffffa9cd], '\x7f') self.assertEqual(mem[0x7fffffffa9ce], '\x00') self.assertEqual(mem[0x7fffffffa9cf], '\x00') self.assertEqual(mem[0x7ffff7a78233], '\xf2') self.assertEqual(mem[0x7ffff7a78234], '\xae') self.assertEqual(mem[0x7ffff7ba14b5], 'o') self.assertEqual(mem[0x7ffff7ba14b6], 'r') self.assertEqual(mem[0x7ffff7ba14b7], 'y') self.assertEqual(mem[0x7ffff7ba14b8], '\x00') self.assertEqual(mem[0x7ffff7ba14b4], 't') self.assertEqual(mem[0x7ffff7ba14ba], 'o') self.assertEqual(mem[0x7ffff7ba14bb], ' ') self.assertEqual(cpu.RCX, 18446744073709551593L) self.assertEqual(cpu.RDI, 140737349555381L) self.assertEqual(cpu.RSI, 140737488333256L) self.assertEqual(cpu.RIP, 140737348338227L) self.assertEqual(cpu.AL, 0L) def test_SCASB_2(self): ''' Instruction SCASB_2 Groups: 0x7ffff7a78233: repne scasb al, byte ptr [rdi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx') mem.mmap(0x7fffffffa000, 0x1000, 'rwx') mem[0x7ffff7ba14a1] = ' ' mem[0x7ffff7ba14a2] = 's' mem[0x7ffff7ba14a3] = 'u' mem[0x7ffff7ba14a4] = 'c' mem[0x7ffff7ba14a5] = 'h' mem[0x7ffff7ba14a6] = ' ' mem[0x7ffff7ba14a7] = 'f' mem[0x7ffff7ba14a8] = 'i' mem[0x7fffffffa9c9] = '\x00' mem[0x7fffffffa9ca] = '\x00' mem[0x7fffffffa9cb] = '\x00' mem[0x7fffffffa9cc] = '\x00' mem[0x7fffffffa9cd] = '\x00' mem[0x7fffffffa9ce] = '\x00' mem[0x7fffffffa9cf] = '\x00' mem[0x7fffffffa9c8] = '\x00' mem[0x7ffff7a78233] = '\xf2' mem[0x7ffff7a78234] = '\xae' cpu.RDI = 0x7ffff7ba14a1 cpu.RCX = 0xfffffffffffffffd cpu.RSI = 0x7fffffffa9c8 cpu.RIP = 0x7ffff7a78233 cpu.AL = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ba14a1], ' ') self.assertEqual(mem[0x7ffff7ba14a2], 's') self.assertEqual(mem[0x7ffff7ba14a3], 'u') self.assertEqual(mem[0x7ffff7ba14a4], 'c') self.assertEqual(mem[0x7ffff7ba14a5], 'h') self.assertEqual(mem[0x7ffff7ba14a6], ' ') self.assertEqual(mem[0x7ffff7ba14a7], 'f') self.assertEqual(mem[0x7fffffffa9c8], '\x00') self.assertEqual(mem[0x7fffffffa9c9], '\x00') self.assertEqual(mem[0x7fffffffa9ca], '\x00') self.assertEqual(mem[0x7fffffffa9cb], '\x00') self.assertEqual(mem[0x7fffffffa9cc], '\x00') self.assertEqual(mem[0x7fffffffa9cd], '\x00') self.assertEqual(mem[0x7fffffffa9ce], '\x00') self.assertEqual(mem[0x7fffffffa9cf], '\x00') self.assertEqual(mem[0x7ffff7ba14a8], 'i') self.assertEqual(mem[0x7ffff7a78233], '\xf2') self.assertEqual(mem[0x7ffff7a78234], '\xae') self.assertEqual(cpu.RCX, 18446744073709551612L) self.assertEqual(cpu.RDI, 140737349555362L) self.assertEqual(cpu.RSI, 140737488333256L) self.assertEqual(cpu.RIP, 140737348338227L) self.assertEqual(cpu.AL, 0L) def test_SCASB_3(self): ''' Instruction SCASB_3 Groups: 0x7ffff7a78233: repne scasb al, byte ptr [rdi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx') mem.mmap(0x7fffffffa000, 0x1000, 'rwx') mem[0x7ffff7a78234] = '\xae' mem[0x7fffffffa9c8] = '\x00' mem[0x7fffffffa9c9] = '\x00' mem[0x7fffffffa9ca] = '\x00' mem[0x7fffffffa9cb] = '\x00' mem[0x7fffffffa9cc] = '\x00' mem[0x7fffffffa9cd] = '\x00' mem[0x7fffffffa9ce] = '\x00' mem[0x7fffffffa9cf] = '\x00' mem[0x7ffff7a78233] = '\xf2' mem[0x7ffff7ba14b2] = 'e' mem[0x7ffff7ba14b3] = 'c' mem[0x7ffff7ba14b4] = 't' mem[0x7ffff7ba14b5] = 'o' mem[0x7ffff7ba14b6] = 'r' mem[0x7ffff7ba14b7] = 'y' mem[0x7ffff7ba14b8] = '\x00' mem[0x7ffff7ba14b9] = 'N' cpu.RDI = 0x7ffff7ba14b2 cpu.RCX = 0xffffffffffffffec cpu.RSI = 0x7fffffffa9c8 cpu.RIP = 0x7ffff7a78233 cpu.AL = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ba14b9], 'N') self.assertEqual(mem[0x7ffff7ba14b3], 'c') self.assertEqual(mem[0x7fffffffa9c8], '\x00') self.assertEqual(mem[0x7fffffffa9c9], '\x00') self.assertEqual(mem[0x7fffffffa9ca], '\x00') self.assertEqual(mem[0x7fffffffa9cb], '\x00') self.assertEqual(mem[0x7fffffffa9cc], '\x00') self.assertEqual(mem[0x7fffffffa9cd], '\x00') self.assertEqual(mem[0x7fffffffa9ce], '\x00') self.assertEqual(mem[0x7fffffffa9cf], '\x00') self.assertEqual(mem[0x7ffff7ba14b2], 'e') self.assertEqual(mem[0x7ffff7a78233], '\xf2') self.assertEqual(mem[0x7ffff7a78234], '\xae') self.assertEqual(mem[0x7ffff7ba14b5], 'o') self.assertEqual(mem[0x7ffff7ba14b6], 'r') self.assertEqual(mem[0x7ffff7ba14b7], 'y') self.assertEqual(mem[0x7ffff7ba14b8], '\x00') self.assertEqual(mem[0x7ffff7ba14b4], 't') self.assertEqual(cpu.RCX, 18446744073709551595L) self.assertEqual(cpu.RDI, 140737349555379L) self.assertEqual(cpu.RSI, 140737488333256L) self.assertEqual(cpu.RIP, 140737348338227L) self.assertEqual(cpu.AL, 0L) def test_SCASB_4(self): ''' Instruction SCASB_4 Groups: 0x7ffff7a78233: repne scasb al, byte ptr [rdi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem.mmap(0x7fffffffe000, 0x1000, 'rwx') mem[0x7fffffffe0a5] = 'g' mem[0x7fffffffe0a6] = 'z' mem[0x7fffffffe0a7] = 'i' mem[0x7fffffffe0a8] = 'p' mem[0x7fffffffe0a9] = '\x00' mem[0x7fffffffe0aa] = 'a' mem[0x7fffffffe0ab] = 'r' mem[0x7fffffffe0ac] = 'g' mem[0x7ffff7a78233] = '\xf2' mem[0x7ffff7a78234] = '\xae' mem[0x7fffffffc2f8] = '\x1f' mem[0x7fffffffc2f9] = '\xd5' mem[0x7fffffffc2fa] = '\xff' mem[0x7fffffffc2fb] = '\xff' mem[0x7fffffffc2fc] = '\xff' mem[0x7fffffffc2fd] = '\x7f' mem[0x7fffffffc2fe] = '\x00' mem[0x7fffffffc2ff] = '\x00' cpu.RDI = 0x7fffffffe0a5 cpu.RCX = 0xffffffffffffffff cpu.RSI = 0x7fffffffc2f8 cpu.RIP = 0x7ffff7a78233 cpu.AL = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffe0a5], 'g') self.assertEqual(mem[0x7fffffffe0a6], 'z') self.assertEqual(mem[0x7fffffffe0a7], 'i') self.assertEqual(mem[0x7fffffffe0a8], 'p') self.assertEqual(mem[0x7fffffffe0a9], '\x00') self.assertEqual(mem[0x7fffffffe0aa], 'a') self.assertEqual(mem[0x7fffffffe0ab], 'r') self.assertEqual(mem[0x7fffffffe0ac], 'g') self.assertEqual(mem[0x7ffff7a78233], '\xf2') self.assertEqual(mem[0x7ffff7a78234], '\xae') self.assertEqual(mem[0x7fffffffc2f8], '\x1f') self.assertEqual(mem[0x7fffffffc2f9], '\xd5') self.assertEqual(mem[0x7fffffffc2fa], '\xff') self.assertEqual(mem[0x7fffffffc2fb], '\xff') self.assertEqual(mem[0x7fffffffc2fc], '\xff') self.assertEqual(mem[0x7fffffffc2fd], '\x7f') self.assertEqual(mem[0x7fffffffc2fe], '\x00') self.assertEqual(mem[0x7fffffffc2ff], '\x00') self.assertEqual(cpu.RCX, 18446744073709551614L) self.assertEqual(cpu.RDI, 140737488347302L) self.assertEqual(cpu.RSI, 140737488339704L) self.assertEqual(cpu.RIP, 140737348338227L) self.assertEqual(cpu.AL, 0L) def test_SCASB_5(self): ''' Instruction SCASB_5 Groups: 0x7ffff7a78233: repne scasb al, byte ptr [rdi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx') mem.mmap(0x7fffffffa000, 0x1000, 'rwx') mem[0x7ffff7ba14ab] = ' ' mem[0x7ffff7ba14a5] = 'h' mem[0x7ffff7ba14a6] = ' ' mem[0x7ffff7ba14a7] = 'f' mem[0x7ffff7ba14a8] = 'i' mem[0x7ffff7ba14a9] = 'l' mem[0x7ffff7ba14aa] = 'e' mem[0x7fffffffa9cb] = '\x00' mem[0x7ffff7ba14ac] = 'o' mem[0x7fffffffa9cd] = '\x00' mem[0x7fffffffa9ce] = '\x00' mem[0x7fffffffa9cf] = '\x00' mem[0x7fffffffa9c8] = '\x00' mem[0x7ffff7a78233] = '\xf2' mem[0x7ffff7a78234] = '\xae' mem[0x7fffffffa9c9] = '\x00' mem[0x7fffffffa9cc] = '\x00' mem[0x7fffffffa9ca] = '\x00' cpu.RDI = 0x7ffff7ba14a5 cpu.RCX = 0xfffffffffffffff9 cpu.RSI = 0x7fffffffa9c8 cpu.RIP = 0x7ffff7a78233 cpu.AL = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ba14ab], ' ') self.assertEqual(mem[0x7ffff7ba14a5], 'h') self.assertEqual(mem[0x7ffff7ba14a6], ' ') self.assertEqual(mem[0x7ffff7ba14a7], 'f') self.assertEqual(mem[0x7fffffffa9c8], '\x00') self.assertEqual(mem[0x7fffffffa9c9], '\x00') self.assertEqual(mem[0x7fffffffa9ca], '\x00') self.assertEqual(mem[0x7fffffffa9cb], '\x00') self.assertEqual(mem[0x7fffffffa9cc], '\x00') self.assertEqual(mem[0x7fffffffa9cd], '\x00') self.assertEqual(mem[0x7fffffffa9ce], '\x00') self.assertEqual(mem[0x7fffffffa9cf], '\x00') self.assertEqual(mem[0x7ffff7ba14a8], 'i') self.assertEqual(mem[0x7ffff7ba14ac], 'o') self.assertEqual(mem[0x7ffff7a78234], '\xae') self.assertEqual(mem[0x7ffff7a78233], '\xf2') self.assertEqual(mem[0x7ffff7ba14a9], 'l') self.assertEqual(mem[0x7ffff7ba14aa], 'e') self.assertEqual(cpu.RCX, 18446744073709551608L) self.assertEqual(cpu.RDI, 140737349555366L) self.assertEqual(cpu.RSI, 140737488333256L) self.assertEqual(cpu.RIP, 140737348338227L) self.assertEqual(cpu.AL, 0L) def test_SCASB_6(self): ''' Instruction SCASB_6 Groups: 0x7ffff7a78233: repne scasb al, byte ptr [rdi] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555771000, 0x1000, 'rwx') mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem.mmap(0x7fffffffa000, 0x1000, 'rwx') mem[0x555555771dc0] = 'a' mem[0x555555771dc1] = 'r' mem[0x555555771dc2] = 'g' mem[0x555555771dc3] = '1' mem[0x555555771dc4] = '\x00' mem[0x555555771dc5] = '\x00' mem[0x555555771dc6] = '\x00' mem[0x555555771dc7] = '\x00' mem[0x7fffffffa9c8] = '\x00' mem[0x7fffffffa9c9] = '\x00' mem[0x7fffffffa9ca] = '\x00' mem[0x7fffffffa9cb] = '\x00' mem[0x7fffffffa9cc] = '\x00' mem[0x7fffffffa9cd] = '\x00' mem[0x7fffffffa9ce] = '\x00' mem[0x7fffffffa9cf] = '\x00' mem[0x7ffff7a78233] = '\xf2' mem[0x7ffff7a78234] = '\xae' cpu.RDI = 0x555555771dc0 cpu.RCX = 0xffffffffffffffff cpu.RSI = 0x7fffffffa9c8 cpu.RIP = 0x7ffff7a78233 cpu.AL = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x555555771dc0], 'a') self.assertEqual(mem[0x555555771dc1], 'r') self.assertEqual(mem[0x555555771dc2], 'g') self.assertEqual(mem[0x555555771dc3], '1') self.assertEqual(mem[0x555555771dc4], '\x00') self.assertEqual(mem[0x555555771dc5], '\x00') self.assertEqual(mem[0x555555771dc6], '\x00') self.assertEqual(mem[0x555555771dc7], '\x00') self.assertEqual(mem[0x7fffffffa9c8], '\x00') self.assertEqual(mem[0x7fffffffa9c9], '\x00') self.assertEqual(mem[0x7fffffffa9ca], '\x00') self.assertEqual(mem[0x7fffffffa9cb], '\x00') self.assertEqual(mem[0x7fffffffa9cc], '\x00') self.assertEqual(mem[0x7fffffffa9cd], '\x00') self.assertEqual(mem[0x7fffffffa9ce], '\x00') self.assertEqual(mem[0x7fffffffa9cf], '\x00') self.assertEqual(mem[0x7ffff7a78233], '\xf2') self.assertEqual(mem[0x7ffff7a78234], '\xae') self.assertEqual(cpu.RCX, 18446744073709551614L) self.assertEqual(cpu.RDI, 93824994450881L) self.assertEqual(cpu.RSI, 140737488333256L) self.assertEqual(cpu.RIP, 140737348338227L) self.assertEqual(cpu.AL, 0L) def test_SETA_1(self): ''' Instruction SETA_1 Groups: 0x5555555548c2: seta dl ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem[0x5555555548c2] = '\x0f' mem[0x5555555548c3] = '\x97' mem[0x5555555548c4] = '\xc2' cpu.DL = 0x0 cpu.ZF = False cpu.RIP = 0x5555555548c2 cpu.CF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x5555555548c2], '\x0f') self.assertEqual(mem[0x5555555548c3], '\x97') self.assertEqual(mem[0x5555555548c4], '\xc2') self.assertEqual(cpu.DL, 1L) self.assertEqual(cpu.RIP, 93824992233669L) def test_SETBE_1(self): ''' Instruction SETBE_1 Groups: 0x7ffff7de6207: setbe r9b ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6208] = '\x0f' mem[0x7ffff7de6209] = '\x96' mem[0x7ffff7de620a] = '\xc1' mem[0x7ffff7de6207] = 'A' cpu.ZF = False cpu.R9B = 0x58 cpu.CF = False cpu.RIP = 0x7ffff7de6207 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6208], '\x0f') self.assertEqual(mem[0x7ffff7de6209], '\x96') self.assertEqual(mem[0x7ffff7de620a], '\xc1') self.assertEqual(mem[0x7ffff7de6207], 'A') self.assertEqual(cpu.R9B, 0L) self.assertEqual(cpu.RIP, 140737351934475L) def test_SETBE_2(self): ''' Instruction SETBE_2 Groups: 0x7ffff7de6207: setbe r9b ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6208] = '\x0f' mem[0x7ffff7de6209] = '\x96' mem[0x7ffff7de620a] = '\xc1' mem[0x7ffff7de6207] = 'A' cpu.ZF = False cpu.R9B = 0x58 cpu.CF = False cpu.RIP = 0x7ffff7de6207 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6208], '\x0f') self.assertEqual(mem[0x7ffff7de6209], '\x96') self.assertEqual(mem[0x7ffff7de620a], '\xc1') self.assertEqual(mem[0x7ffff7de6207], 'A') self.assertEqual(cpu.R9B, 0L) self.assertEqual(cpu.RIP, 140737351934475L) def test_SETBE_3(self): ''' Instruction SETBE_3 Groups: 0x7ffff7de6207: setbe r9b ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6208] = '\x0f' mem[0x7ffff7de6209] = '\x96' mem[0x7ffff7de620a] = '\xc1' mem[0x7ffff7de6207] = 'A' cpu.ZF = False cpu.R9B = 0x58 cpu.CF = False cpu.RIP = 0x7ffff7de6207 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6208], '\x0f') self.assertEqual(mem[0x7ffff7de6209], '\x96') self.assertEqual(mem[0x7ffff7de620a], '\xc1') self.assertEqual(mem[0x7ffff7de6207], 'A') self.assertEqual(cpu.R9B, 0L) self.assertEqual(cpu.RIP, 140737351934475L) def test_SETBE_4(self): ''' Instruction SETBE_4 Groups: 0x7ffff7de6207: setbe r9b ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6208] = '\x0f' mem[0x7ffff7de6209] = '\x96' mem[0x7ffff7de620a] = '\xc1' mem[0x7ffff7de6207] = 'A' cpu.ZF = False cpu.R9B = 0x58 cpu.CF = False cpu.RIP = 0x7ffff7de6207 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6208], '\x0f') self.assertEqual(mem[0x7ffff7de6209], '\x96') self.assertEqual(mem[0x7ffff7de620a], '\xc1') self.assertEqual(mem[0x7ffff7de6207], 'A') self.assertEqual(cpu.R9B, 0L) self.assertEqual(cpu.RIP, 140737351934475L) def test_SETBE_5(self): ''' Instruction SETBE_5 Groups: 0x7ffff7de6207: setbe r9b ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6208] = '\x0f' mem[0x7ffff7de6209] = '\x96' mem[0x7ffff7de620a] = '\xc1' mem[0x7ffff7de6207] = 'A' cpu.ZF = False cpu.R9B = 0x58 cpu.CF = False cpu.RIP = 0x7ffff7de6207 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6208], '\x0f') self.assertEqual(mem[0x7ffff7de6209], '\x96') self.assertEqual(mem[0x7ffff7de620a], '\xc1') self.assertEqual(mem[0x7ffff7de6207], 'A') self.assertEqual(cpu.R9B, 0L) self.assertEqual(cpu.RIP, 140737351934475L) def test_SETBE_6(self): ''' Instruction SETBE_6 Groups: 0x7ffff7de6207: setbe r9b ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6208] = '\x0f' mem[0x7ffff7de6209] = '\x96' mem[0x7ffff7de620a] = '\xc1' mem[0x7ffff7de6207] = 'A' cpu.ZF = False cpu.R9B = 0x58 cpu.CF = False cpu.RIP = 0x7ffff7de6207 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6208], '\x0f') self.assertEqual(mem[0x7ffff7de6209], '\x96') self.assertEqual(mem[0x7ffff7de620a], '\xc1') self.assertEqual(mem[0x7ffff7de6207], 'A') self.assertEqual(cpu.R9B, 0L) self.assertEqual(cpu.RIP, 140737351934475L) def test_SETB_1(self): ''' Instruction SETB_1 Groups: 0x4342ea: setb al ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x004342ea] = '\x0f' mem[0x004342eb] = '\x92' mem[0x004342ec] = '\xc0' cpu.CF = False cpu.RIP = 0x4342ea cpu.AL = 0xc0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4342ea], '\x0f') self.assertEqual(mem[0x4342eb], '\x92') self.assertEqual(mem[0x4342ec], '\xc0') self.assertEqual(cpu.AL, 0L) self.assertEqual(cpu.RIP, 4408045L) def test_SETB_2(self): ''' Instruction SETB_2 Groups: 0x43426a: setb al ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x0043426a] = '\x0f' mem[0x0043426b] = '\x92' mem[0x0043426c] = '\xc0' cpu.CF = False cpu.RIP = 0x43426a cpu.AL = 0xc0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x43426a], '\x0f') self.assertEqual(mem[0x43426b], '\x92') self.assertEqual(mem[0x43426c], '\xc0') self.assertEqual(cpu.AL, 0L) self.assertEqual(cpu.RIP, 4407917L) def test_SETB_3(self): ''' Instruction SETB_3 Groups: 0x4346ca: setb al ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x004346ca] = '\x0f' mem[0x004346cb] = '\x92' mem[0x004346cc] = '\xc0' cpu.CF = False cpu.RIP = 0x4346ca cpu.AL = 0xc0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4346ca], '\x0f') self.assertEqual(mem[0x4346cb], '\x92') self.assertEqual(mem[0x4346cc], '\xc0') self.assertEqual(cpu.AL, 0L) self.assertEqual(cpu.RIP, 4409037L) def test_SETB_4(self): ''' Instruction SETB_4 Groups: 0x4342ea: setb al ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x004342ea] = '\x0f' mem[0x004342eb] = '\x92' mem[0x004342ec] = '\xc0' cpu.CF = False cpu.RIP = 0x4342ea cpu.AL = 0xc0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4342ea], '\x0f') self.assertEqual(mem[0x4342eb], '\x92') self.assertEqual(mem[0x4342ec], '\xc0') self.assertEqual(cpu.AL, 0L) self.assertEqual(cpu.RIP, 4408045L) def test_SETB_5(self): ''' Instruction SETB_5 Groups: 0x4342ea: setb al ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x004342ea] = '\x0f' mem[0x004342eb] = '\x92' mem[0x004342ec] = '\xc0' cpu.CF = False cpu.RIP = 0x4342ea cpu.AL = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4342ea], '\x0f') self.assertEqual(mem[0x4342eb], '\x92') self.assertEqual(mem[0x4342ec], '\xc0') self.assertEqual(cpu.AL, 0L) self.assertEqual(cpu.RIP, 4408045L) def test_SETB_6(self): ''' Instruction SETB_6 Groups: 0x43430a: setb al ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x0043430a] = '\x0f' mem[0x0043430b] = '\x92' mem[0x0043430c] = '\xc0' cpu.CF = False cpu.RIP = 0x43430a cpu.AL = 0xc0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x43430a], '\x0f') self.assertEqual(mem[0x43430b], '\x92') self.assertEqual(mem[0x43430c], '\xc0') self.assertEqual(cpu.AL, 0L) self.assertEqual(cpu.RIP, 4408077L) def test_SETE_1(self): ''' Instruction SETE_1 Groups: 0x7ffff7de36a2: sete r10b ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de36a2] = 'A' mem[0x7ffff7de36a3] = '\x0f' mem[0x7ffff7de36a4] = '\x94' mem[0x7ffff7de36a5] = '\xc2' cpu.R10B = 0x0 cpu.ZF = False cpu.RIP = 0x7ffff7de36a2 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de36a2], 'A') self.assertEqual(mem[0x7ffff7de36a3], '\x0f') self.assertEqual(mem[0x7ffff7de36a4], '\x94') self.assertEqual(mem[0x7ffff7de36a5], '\xc2') self.assertEqual(cpu.R10B, 0L) self.assertEqual(cpu.RIP, 140737351923366L) def test_SETE_2(self): ''' Instruction SETE_2 Groups: 0x7ffff7de620f: sete al ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6210] = '\x94' mem[0x7ffff7de6211] = '\xc0' mem[0x7ffff7de620f] = '\x0f' cpu.ZF = False cpu.AL = 0xf5 cpu.RIP = 0x7ffff7de620f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6210], '\x94') self.assertEqual(mem[0x7ffff7de6211], '\xc0') self.assertEqual(mem[0x7ffff7de620f], '\x0f') self.assertEqual(cpu.AL, 0L) self.assertEqual(cpu.RIP, 140737351934482L) def test_SETE_3(self): ''' Instruction SETE_3 Groups: 0x7ffff7de6229: sete al ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6229] = '\x0f' mem[0x7ffff7de622a] = '\x94' mem[0x7ffff7de622b] = '\xc0' cpu.ZF = True cpu.AL = 0x0 cpu.RIP = 0x7ffff7de6229 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6229], '\x0f') self.assertEqual(mem[0x7ffff7de622a], '\x94') self.assertEqual(mem[0x7ffff7de622b], '\xc0') self.assertEqual(cpu.AL, 1L) self.assertEqual(cpu.RIP, 140737351934508L) def test_SETE_4(self): ''' Instruction SETE_4 Groups: 0x7ffff7de6229: sete al ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6229] = '\x0f' mem[0x7ffff7de622a] = '\x94' mem[0x7ffff7de622b] = '\xc0' cpu.ZF = True cpu.AL = 0x0 cpu.RIP = 0x7ffff7de6229 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6229], '\x0f') self.assertEqual(mem[0x7ffff7de622a], '\x94') self.assertEqual(mem[0x7ffff7de622b], '\xc0') self.assertEqual(cpu.AL, 1L) self.assertEqual(cpu.RIP, 140737351934508L) def test_SETE_5(self): ''' Instruction SETE_5 Groups: 0x432458: sete r9b ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432458] = 'A' mem[0x00432459] = '\x0f' mem[0x0043245a] = '\x94' mem[0x0043245b] = '\xc1' cpu.ZF = False cpu.R9B = 0x30 cpu.RIP = 0x432458 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432458], 'A') self.assertEqual(mem[0x432459], '\x0f') self.assertEqual(mem[0x43245a], '\x94') self.assertEqual(mem[0x43245b], '\xc1') self.assertEqual(cpu.R9B, 0L) self.assertEqual(cpu.RIP, 4400220L) def test_SETE_6(self): ''' Instruction SETE_6 Groups: 0x7ffff7de620f: sete al ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6210] = '\x94' mem[0x7ffff7de6211] = '\xc0' mem[0x7ffff7de620f] = '\x0f' cpu.ZF = False cpu.AL = 0xf5 cpu.RIP = 0x7ffff7de620f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6210], '\x94') self.assertEqual(mem[0x7ffff7de6211], '\xc0') self.assertEqual(mem[0x7ffff7de620f], '\x0f') self.assertEqual(cpu.AL, 0L) self.assertEqual(cpu.RIP, 140737351934482L) def test_SETG_1(self): ''' Instruction SETG_1 Groups: 0x555555567df4: setg r9b ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555567000, 0x1000, 'rwx') mem[0x555555567df4] = 'A' mem[0x555555567df5] = '\x0f' mem[0x555555567df6] = '\x9f' mem[0x555555567df7] = '\xc1' cpu.OF = False cpu.ZF = False cpu.R9B = 0x0 cpu.SF = True cpu.RIP = 0x555555567df4 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x555555567df4], 'A') self.assertEqual(mem[0x555555567df5], '\x0f') self.assertEqual(mem[0x555555567df6], '\x9f') self.assertEqual(mem[0x555555567df7], '\xc1') self.assertEqual(cpu.R9B, 0L) self.assertEqual(cpu.RIP, 93824992312824L) def test_SETG_2(self): ''' Instruction SETG_2 Groups: 0x555555567df4: setg r9b ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555567000, 0x1000, 'rwx') mem[0x555555567df4] = 'A' mem[0x555555567df5] = '\x0f' mem[0x555555567df6] = '\x9f' mem[0x555555567df7] = '\xc1' cpu.OF = False cpu.ZF = False cpu.R9B = 0x0 cpu.SF = True cpu.RIP = 0x555555567df4 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x555555567df4], 'A') self.assertEqual(mem[0x555555567df5], '\x0f') self.assertEqual(mem[0x555555567df6], '\x9f') self.assertEqual(mem[0x555555567df7], '\xc1') self.assertEqual(cpu.R9B, 0L) self.assertEqual(cpu.RIP, 93824992312824L) def test_SETLE_1(self): ''' Instruction SETLE_1 Groups: 0x448ae0: setle dl ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00448000, 0x1000, 'rwx') mem[0x00448ae0] = '\x0f' mem[0x00448ae1] = '\x9e' mem[0x00448ae2] = '\xc2' cpu.OF = False cpu.ZF = True cpu.SF = False cpu.RIP = 0x448ae0 cpu.DL = 0x1 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x448ae0], '\x0f') self.assertEqual(mem[0x448ae1], '\x9e') self.assertEqual(mem[0x448ae2], '\xc2') self.assertEqual(cpu.DL, 1L) self.assertEqual(cpu.RIP, 4492003L) def test_SETLE_2(self): ''' Instruction SETLE_2 Groups: 0x448ae0: setle dl ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00448000, 0x1000, 'rwx') mem[0x00448ae0] = '\x0f' mem[0x00448ae1] = '\x9e' mem[0x00448ae2] = '\xc2' cpu.OF = False cpu.ZF = True cpu.SF = False cpu.RIP = 0x448ae0 cpu.DL = 0x1 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x448ae0], '\x0f') self.assertEqual(mem[0x448ae1], '\x9e') self.assertEqual(mem[0x448ae2], '\xc2') self.assertEqual(cpu.DL, 1L) self.assertEqual(cpu.RIP, 4492003L) def test_SETNE_1(self): ''' Instruction SETNE_1 Groups: 0x410ee5: setne cl ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00410000, 0x1000, 'rwx') mem[0x00410ee5] = '\x0f' mem[0x00410ee6] = '\x95' mem[0x00410ee7] = '\xc1' cpu.ZF = True cpu.RIP = 0x410ee5 cpu.CL = 0x6 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x410ee5], '\x0f') self.assertEqual(mem[0x410ee6], '\x95') self.assertEqual(mem[0x410ee7], '\xc1') self.assertEqual(cpu.RIP, 4263656L) self.assertEqual(cpu.CL, 0L) def test_SETNE_2(self): ''' Instruction SETNE_2 Groups: 0x436d20: setne dl ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00436000, 0x1000, 'rwx') mem[0x00436d20] = '\x0f' mem[0x00436d21] = '\x95' mem[0x00436d22] = '\xc2' cpu.ZF = True cpu.DL = 0x0 cpu.RIP = 0x436d20 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x436d20], '\x0f') self.assertEqual(mem[0x436d21], '\x95') self.assertEqual(mem[0x436d22], '\xc2') self.assertEqual(cpu.DL, 0L) self.assertEqual(cpu.RIP, 4418851L) def test_SETNE_3(self): ''' Instruction SETNE_3 Groups: 0x410f05: setne cl ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00410000, 0x1000, 'rwx') mem[0x00410f05] = '\x0f' mem[0x00410f06] = '\x95' mem[0x00410f07] = '\xc1' cpu.ZF = True cpu.RIP = 0x410f05 cpu.CL = 0x6 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x410f05], '\x0f') self.assertEqual(mem[0x410f06], '\x95') self.assertEqual(mem[0x410f07], '\xc1') self.assertEqual(cpu.RIP, 4263688L) self.assertEqual(cpu.CL, 0L) def test_SETNE_4(self): ''' Instruction SETNE_4 Groups: 0x436f20: setne dl ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00436000, 0x1000, 'rwx') mem[0x00436f20] = '\x0f' mem[0x00436f21] = '\x95' mem[0x00436f22] = '\xc2' cpu.ZF = True cpu.DL = 0x0 cpu.RIP = 0x436f20 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x436f20], '\x0f') self.assertEqual(mem[0x436f21], '\x95') self.assertEqual(mem[0x436f22], '\xc2') self.assertEqual(cpu.DL, 0L) self.assertEqual(cpu.RIP, 4419363L) def test_SETNE_5(self): ''' Instruction SETNE_5 Groups: 0x4120f9: setne cl ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00412000, 0x1000, 'rwx') mem[0x004120f9] = '\x0f' mem[0x004120fa] = '\x95' mem[0x004120fb] = '\xc1' cpu.ZF = True cpu.RIP = 0x4120f9 cpu.CL = 0x40 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4120f9], '\x0f') self.assertEqual(mem[0x4120fa], '\x95') self.assertEqual(mem[0x4120fb], '\xc1') self.assertEqual(cpu.RIP, 4268284L) self.assertEqual(cpu.CL, 0L) def test_SETNE_6(self): ''' Instruction SETNE_6 Groups: 0x7ffff7de5de4: setne al ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem[0x7ffff7de5de4] = '\x0f' mem[0x7ffff7de5de5] = '\x95' mem[0x7ffff7de5de6] = '\xc0' cpu.ZF = True cpu.AL = 0x0 cpu.RIP = 0x7ffff7de5de4 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de5de4], '\x0f') self.assertEqual(mem[0x7ffff7de5de5], '\x95') self.assertEqual(mem[0x7ffff7de5de6], '\xc0') self.assertEqual(cpu.AL, 0L) self.assertEqual(cpu.RIP, 140737351933415L) def test_SHLX_1(self): ''' Instruction SHLX_1 Groups: bmi2 0x55555556594d: shlx rax, qword ptr [r14 + 0x50], rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555565000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffc800] = '\x00' mem[0x7fffffffc801] = '\x00' mem[0x7fffffffc802] = '\x00' mem[0x7fffffffc803] = '\x00' mem[0x7fffffffc804] = '\x00' mem[0x7fffffffc805] = '\x00' mem[0x7fffffffc806] = '\x00' mem[0x7fffffffc807] = '\x00' mem[0x55555556594d] = '\xc4' mem[0x55555556594e] = '\xc2' mem[0x55555556594f] = '\xf9' mem[0x555555565950] = '\xf7' mem[0x555555565951] = 'F' mem[0x555555565952] = 'P' cpu.R14 = 0x7fffffffc7b0 cpu.RIP = 0x55555556594d cpu.RAX = 0x5 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffc800], '\x00') self.assertEqual(mem[0x7fffffffc801], '\x00') self.assertEqual(mem[0x7fffffffc802], '\x00') self.assertEqual(mem[0x7fffffffc803], '\x00') self.assertEqual(mem[0x7fffffffc804], '\x00') self.assertEqual(mem[0x7fffffffc805], '\x00') self.assertEqual(mem[0x7fffffffc806], '\x00') self.assertEqual(mem[0x7fffffffc807], '\x00') self.assertEqual(mem[0x55555556594d], '\xc4') self.assertEqual(mem[0x55555556594e], '\xc2') self.assertEqual(mem[0x55555556594f], '\xf9') self.assertEqual(mem[0x555555565950], '\xf7') self.assertEqual(mem[0x555555565951], 'F') self.assertEqual(mem[0x555555565952], 'P') self.assertEqual(cpu.R14, 140737488340912L) self.assertEqual(cpu.RAX, 0L) self.assertEqual(cpu.RIP, 93824992303443L) def test_SHLX_2(self): ''' Instruction SHLX_2 Groups: bmi2 0x55555556544a: shlx rax, rdx, rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555565000, 0x1000, 'rwx') mem[0x55555556544a] = '\xc4' mem[0x55555556544b] = '\xe2' mem[0x55555556544c] = '\xf9' mem[0x55555556544d] = '\xf7' mem[0x55555556544e] = '\xc2' cpu.RIP = 0x55555556544a cpu.RAX = 0x8 cpu.RDX = 0x1 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x55555556544a], '\xc4') self.assertEqual(mem[0x55555556544b], '\xe2') self.assertEqual(mem[0x55555556544c], '\xf9') self.assertEqual(mem[0x55555556544d], '\xf7') self.assertEqual(mem[0x55555556544e], '\xc2') self.assertEqual(cpu.RAX, 256L) self.assertEqual(cpu.RIP, 93824992302159L) self.assertEqual(cpu.RDX, 1L) def test_SHLX_3(self): ''' Instruction SHLX_3 Groups: bmi2 0x55555556544a: shlx rax, rdx, rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555565000, 0x1000, 'rwx') mem[0x55555556544a] = '\xc4' mem[0x55555556544b] = '\xe2' mem[0x55555556544c] = '\xf9' mem[0x55555556544d] = '\xf7' mem[0x55555556544e] = '\xc2' cpu.RIP = 0x55555556544a cpu.RAX = 0x8 cpu.RDX = 0x1 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x55555556544a], '\xc4') self.assertEqual(mem[0x55555556544b], '\xe2') self.assertEqual(mem[0x55555556544c], '\xf9') self.assertEqual(mem[0x55555556544d], '\xf7') self.assertEqual(mem[0x55555556544e], '\xc2') self.assertEqual(cpu.RAX, 256L) self.assertEqual(cpu.RIP, 93824992302159L) self.assertEqual(cpu.RDX, 1L) def test_SHLX_4(self): ''' Instruction SHLX_4 Groups: bmi2 0x55555556594d: shlx rax, qword ptr [r14 + 0x50], rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555565000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffc800] = '\x00' mem[0x7fffffffc801] = '\x00' mem[0x7fffffffc802] = '\x00' mem[0x7fffffffc803] = '\x00' mem[0x7fffffffc804] = '\x00' mem[0x7fffffffc805] = '\x00' mem[0x7fffffffc806] = '\x00' mem[0x7fffffffc807] = '\x00' mem[0x55555556594d] = '\xc4' mem[0x55555556594e] = '\xc2' mem[0x55555556594f] = '\xf9' mem[0x555555565950] = '\xf7' mem[0x555555565951] = 'F' mem[0x555555565952] = 'P' cpu.R14 = 0x7fffffffc7b0 cpu.RIP = 0x55555556594d cpu.RAX = 0x5 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffc800], '\x00') self.assertEqual(mem[0x7fffffffc801], '\x00') self.assertEqual(mem[0x7fffffffc802], '\x00') self.assertEqual(mem[0x7fffffffc803], '\x00') self.assertEqual(mem[0x7fffffffc804], '\x00') self.assertEqual(mem[0x7fffffffc805], '\x00') self.assertEqual(mem[0x7fffffffc806], '\x00') self.assertEqual(mem[0x7fffffffc807], '\x00') self.assertEqual(mem[0x55555556594d], '\xc4') self.assertEqual(mem[0x55555556594e], '\xc2') self.assertEqual(mem[0x55555556594f], '\xf9') self.assertEqual(mem[0x555555565950], '\xf7') self.assertEqual(mem[0x555555565951], 'F') self.assertEqual(mem[0x555555565952], 'P') self.assertEqual(cpu.R14, 140737488340912L) self.assertEqual(cpu.RAX, 0L) self.assertEqual(cpu.RIP, 93824992303443L) def test_SHL_1(self): ''' Instruction SHL_1 Groups: 0x7ffff7de438f: shl rsi, 5 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4390] = '\xc1' mem[0x7ffff7de4391] = '\xe6' mem[0x7ffff7de4392] = '\x05' mem[0x7ffff7de438f] = 'H' cpu.RSI = 0x597904 cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de438f cpu.PF = False cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4390], '\xc1') self.assertEqual(mem[0x7ffff7de4391], '\xe6') self.assertEqual(mem[0x7ffff7de4392], '\x05') self.assertEqual(mem[0x7ffff7de438f], 'H') self.assertEqual(cpu.RSI, 187637888L) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351926675L) self.assertEqual(cpu.PF, False) self.assertEqual(cpu.SF, False) def test_SHL_2(self): ''' Instruction SHL_2 Groups: 0x7ffff7de438f: shl rsi, 5 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4390] = '\xc1' mem[0x7ffff7de4391] = '\xe6' mem[0x7ffff7de4392] = '\x05' mem[0x7ffff7de438f] = 'H' cpu.RSI = 0x7144b72823ea49e0 cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de438f cpu.PF = False cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4390], '\xc1') self.assertEqual(mem[0x7ffff7de4391], '\xe6') self.assertEqual(mem[0x7ffff7de4392], '\x05') self.assertEqual(mem[0x7ffff7de438f], 'H') self.assertEqual(cpu.RSI, 2924776815468297216L) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351926675L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_SHL_3(self): ''' Instruction SHL_3 Groups: 0x7ffff7de438f: shl rsi, 5 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4390] = '\xc1' mem[0x7ffff7de4391] = '\xe6' mem[0x7ffff7de4392] = '\x05' mem[0x7ffff7de438f] = 'H' cpu.RSI = 0xcc5c406168309853 cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de438f cpu.PF = True cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4390], '\xc1') self.assertEqual(mem[0x7ffff7de4391], '\xe6') self.assertEqual(mem[0x7ffff7de4392], '\x05') self.assertEqual(mem[0x7ffff7de438f], 'H') self.assertEqual(cpu.RSI, 10054299555619605088L) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 140737351926675L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, True) def test_SHL_4(self): ''' Instruction SHL_4 Groups: 0x7ffff7de438f: shl rsi, 5 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4390] = '\xc1' mem[0x7ffff7de4391] = '\xe6' mem[0x7ffff7de4392] = '\x05' mem[0x7ffff7de438f] = 'H' cpu.RSI = 0x726f9570cfb9645b cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de438f cpu.PF = True cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4390], '\xc1') self.assertEqual(mem[0x7ffff7de4391], '\xe6') self.assertEqual(mem[0x7ffff7de4392], '\x05') self.assertEqual(mem[0x7ffff7de438f], 'H') self.assertEqual(cpu.RSI, 5616743111828736864L) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351926675L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_SHL_5(self): ''' Instruction SHL_5 Groups: 0x7ffff7de438f: shl rsi, 5 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4390] = '\xc1' mem[0x7ffff7de4391] = '\xe6' mem[0x7ffff7de4392] = '\x05' mem[0x7ffff7de438f] = 'H' cpu.RSI = 0x2b60c cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de438f cpu.PF = False cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4390], '\xc1') self.assertEqual(mem[0x7ffff7de4391], '\xe6') self.assertEqual(mem[0x7ffff7de4392], '\x05') self.assertEqual(mem[0x7ffff7de438f], 'H') self.assertEqual(cpu.RSI, 5685632L) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351926675L) self.assertEqual(cpu.PF, False) self.assertEqual(cpu.SF, False) def test_SHL_6(self): ''' Instruction SHL_6 Groups: 0x7ffff7de438f: shl rsi, 5 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4390] = '\xc1' mem[0x7ffff7de4391] = '\xe6' mem[0x7ffff7de4392] = '\x05' mem[0x7ffff7de438f] = 'H' cpu.RSI = 0x377beb912d8eae5 cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de438f cpu.PF = False cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4390], '\xc1') self.assertEqual(mem[0x7ffff7de4391], '\xe6') self.assertEqual(mem[0x7ffff7de4392], '\x05') self.assertEqual(mem[0x7ffff7de438f], 'H') self.assertEqual(cpu.RSI, 7996096205977115808L) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351926675L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_SHR_1(self): ''' Instruction SHR_1 Groups: 0x7ffff7de405d: shr rdx, 1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de405d] = 'H' mem[0x7ffff7de405e] = '\xd1' mem[0x7ffff7de405f] = '\xea' cpu.ZF = False cpu.RDX = 0x144a5ad4 cpu.RIP = 0x7ffff7de405d cpu.CF = False cpu.PF = True cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de405d], 'H') self.assertEqual(mem[0x7ffff7de405e], '\xd1') self.assertEqual(mem[0x7ffff7de405f], '\xea') self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351925856L) self.assertEqual(cpu.RDX, 170208618L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_SHR_2(self): ''' Instruction SHR_2 Groups: 0x7ffff7de391d: shr rsi, cl ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de391d] = 'H' mem[0x7ffff7de391e] = '\xd3' mem[0x7ffff7de391f] = '\xee' cpu.RSI = 0x20ce23f6 cpu.CL = 0x6 cpu.ZF = True cpu.CF = False cpu.RIP = 0x7ffff7de391d cpu.PF = True cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de391d], 'H') self.assertEqual(mem[0x7ffff7de391e], '\xd3') self.assertEqual(mem[0x7ffff7de391f], '\xee') self.assertEqual(cpu.RSI, 8599695L) self.assertEqual(cpu.CL, 6L) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 140737351924000L) self.assertEqual(cpu.PF, False) self.assertEqual(cpu.SF, False) def test_SHR_3(self): ''' Instruction SHR_3 Groups: 0x7ffff7de3926: shr rsi, cl ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3928] = '\xee' mem[0x7ffff7de3926] = 'H' mem[0x7ffff7de3927] = '\xd3' cpu.RSI = 0x800000001204088 cpu.CL = 0xda cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de3926 cpu.PF = False cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de3928], '\xee') self.assertEqual(mem[0x7ffff7de3926], 'H') self.assertEqual(mem[0x7ffff7de3927], '\xd3') self.assertEqual(cpu.RSI, 8589934592L) self.assertEqual(cpu.CL, 218L) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351924009L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_SHR_4(self): ''' Instruction SHR_4 Groups: 0x7ffff7de61d2: shr al, 4 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de61d2] = '\xc0' mem[0x7ffff7de61d3] = '\xe8' mem[0x7ffff7de61d4] = '\x04' cpu.ZF = False cpu.AL = 0x22 cpu.RIP = 0x7ffff7de61d2 cpu.CF = False cpu.PF = False cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de61d2], '\xc0') self.assertEqual(mem[0x7ffff7de61d3], '\xe8') self.assertEqual(mem[0x7ffff7de61d4], '\x04') self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351934421L) self.assertEqual(cpu.AL, 2L) self.assertEqual(cpu.PF, False) self.assertEqual(cpu.SF, False) def test_SHR_5(self): ''' Instruction SHR_5 Groups: 0x7ffff7de391d: shr rsi, cl ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de391d] = 'H' mem[0x7ffff7de391e] = '\xd3' mem[0x7ffff7de391f] = '\xee' cpu.RSI = 0x7c967e3f cpu.CL = 0xe cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de391d cpu.PF = False cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de391d], 'H') self.assertEqual(mem[0x7ffff7de391e], '\xd3') self.assertEqual(mem[0x7ffff7de391f], '\xee') self.assertEqual(cpu.RSI, 127577L) self.assertEqual(cpu.CL, 14L) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 140737351924000L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_SHR_6(self): ''' Instruction SHR_6 Groups: 0x4322bd: shr rax, 1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x004322bd] = 'H' mem[0x004322be] = '\xd1' mem[0x004322bf] = '\xe8' cpu.ZF = False cpu.CF = False cpu.RIP = 0x4322bd cpu.PF = False cpu.SF = False cpu.RAX = 0x1 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4322bd], 'H') self.assertEqual(mem[0x4322be], '\xd1') self.assertEqual(mem[0x4322bf], '\xe8') self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 4399808L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) self.assertEqual(cpu.RAX, 0L) def test_STC_1(self): ''' Instruction STC_1 Groups: 0x5667fa: stc ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00566000, 0x1000, 'rwx') mem[0x005667fa] = '\xf9' cpu.CF = False cpu.RIP = 0x5667fa cpu.execute() #cpu.writeback() self.assertEqual(mem[0x5667fa], '\xf9') self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 5662715L) def test_STC_2(self): ''' Instruction STC_2 Groups: 0x42a889: stc ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0042a000, 0x1000, 'rwx') mem[0x0042a889] = '\xf9' cpu.CF = False cpu.RIP = 0x42a889 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x42a889], '\xf9') self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 4368522L) def test_STC_3(self): ''' Instruction STC_3 Groups: 0x60b5d5: stc ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0060b000, 0x1000, 'rwx') mem[0x0060b5d5] = '\xf9' cpu.CF = False cpu.RIP = 0x60b5d5 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x60b5d5], '\xf9') self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 6338006L) def test_STC_4(self): ''' Instruction STC_4 Groups: 0x52da4d: stc ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0052d000, 0x1000, 'rwx') mem[0x0052da4d] = '\xf9' cpu.CF = False cpu.RIP = 0x52da4d cpu.execute() #cpu.writeback() self.assertEqual(mem[0x52da4d], '\xf9') self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 5429838L) def test_STC_5(self): ''' Instruction STC_5 Groups: 0x56ba0e: stc ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0056b000, 0x1000, 'rwx') mem[0x0056ba0e] = '\xf9' cpu.CF = False cpu.RIP = 0x56ba0e cpu.execute() #cpu.writeback() self.assertEqual(mem[0x56ba0e], '\xf9') self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 5683727L) def test_STC_6(self): ''' Instruction STC_6 Groups: 0x61a7d6: stc ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0061a000, 0x1000, 'rwx') mem[0x0061a7d6] = '\xf9' cpu.CF = False cpu.RIP = 0x61a7d6 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x61a7d6], '\xf9') self.assertEqual(cpu.CF, True) self.assertEqual(cpu.RIP, 6399959L) def test_STOSD_1(self): ''' Instruction STOSD_1 Groups: 0x5555555547c2: rep stosd dword ptr [rdi], eax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x5555555547c2] = '\xf3' mem[0x5555555547c3] = '\xab' mem[0x7fffffffda88] = '\x00' mem[0x7fffffffda89] = '\x00' mem[0x7fffffffda8a] = '\x00' mem[0x7fffffffda8b] = '\x00' mem[0x7fffffffda8c] = '\x00' mem[0x7fffffffda8d] = '\x00' mem[0x7fffffffda8e] = '\x00' mem[0x7fffffffda8f] = '\x00' mem[0x7fffffffdb70] = '\xa0' mem[0x7fffffffdb71] = '\xdb' mem[0x7fffffffdb72] = '\xff' mem[0x7fffffffdb73] = '\xff' mem[0x7fffffffdb74] = '\xff' mem[0x7fffffffdb75] = '\x7f' mem[0x7fffffffdb76] = '\x00' mem[0x7fffffffdb77] = '\x00' cpu.RDI = 0x7fffffffdb70 cpu.RCX = 0x6 cpu.RSI = 0x7fffffffda88 cpu.RIP = 0x5555555547c2 cpu.EAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x5555555547c2], '\xf3') self.assertEqual(mem[0x5555555547c3], '\xab') self.assertEqual(mem[0x7fffffffda88], '\x00') self.assertEqual(mem[0x7fffffffda89], '\x00') self.assertEqual(mem[0x7fffffffda8a], '\x00') self.assertEqual(mem[0x7fffffffda8b], '\x00') self.assertEqual(mem[0x7fffffffda8c], '\x00') self.assertEqual(mem[0x7fffffffda8d], '\x00') self.assertEqual(mem[0x7fffffffda8e], '\x00') self.assertEqual(mem[0x7fffffffda8f], '\x00') self.assertEqual(mem[0x7fffffffdb70], '\x00') self.assertEqual(mem[0x7fffffffdb71], '\x00') self.assertEqual(mem[0x7fffffffdb72], '\x00') self.assertEqual(mem[0x7fffffffdb73], '\x00') self.assertEqual(mem[0x7fffffffdb74], '\xff') self.assertEqual(mem[0x7fffffffdb75], '\x7f') self.assertEqual(mem[0x7fffffffdb76], '\x00') self.assertEqual(mem[0x7fffffffdb77], '\x00') self.assertEqual(cpu.RCX, 5L) self.assertEqual(cpu.RDI, 140737488345972L) self.assertEqual(cpu.RSI, 140737488345736L) self.assertEqual(cpu.RIP, 93824992233410L) self.assertEqual(cpu.EAX, 0L) def test_STOSD_2(self): ''' Instruction STOSD_2 Groups: 0x5555555547c2: rep stosd dword ptr [rdi], eax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffdb20] = '\x00' mem[0x7fffffffdb21] = '\x00' mem[0x5555555547c2] = '\xf3' mem[0x5555555547c3] = '\xab' mem[0x7fffffffda88] = '\x00' mem[0x7fffffffda89] = '\x00' mem[0x7fffffffda8a] = '\x00' mem[0x7fffffffda8b] = '\x00' mem[0x7fffffffda8c] = '\x00' mem[0x7fffffffdb22] = '\x00' mem[0x7fffffffda8e] = '\x00' mem[0x7fffffffda8d] = '\x00' mem[0x7fffffffdb23] = '\x00' mem[0x7fffffffda8f] = '\x00' mem[0x7fffffffdb1c] = '\x00' mem[0x7fffffffdb1d] = '\x00' mem[0x7fffffffdb1e] = '\x00' mem[0x7fffffffdb1f] = '\x00' cpu.RDI = 0x7fffffffdb1c cpu.RCX = 0x1b cpu.RSI = 0x7fffffffda88 cpu.RIP = 0x5555555547c2 cpu.EAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffdb20], '\x00') self.assertEqual(mem[0x7fffffffdb21], '\x00') self.assertEqual(mem[0x5555555547c2], '\xf3') self.assertEqual(mem[0x5555555547c3], '\xab') self.assertEqual(mem[0x7fffffffda88], '\x00') self.assertEqual(mem[0x7fffffffda89], '\x00') self.assertEqual(mem[0x7fffffffda8a], '\x00') self.assertEqual(mem[0x7fffffffda8b], '\x00') self.assertEqual(mem[0x7fffffffda8c], '\x00') self.assertEqual(mem[0x7fffffffda8d], '\x00') self.assertEqual(mem[0x7fffffffda8e], '\x00') self.assertEqual(mem[0x7fffffffda8f], '\x00') self.assertEqual(mem[0x7fffffffdb23], '\x00') self.assertEqual(mem[0x7fffffffdb22], '\x00') self.assertEqual(mem[0x7fffffffdb1c], '\x00') self.assertEqual(mem[0x7fffffffdb1d], '\x00') self.assertEqual(mem[0x7fffffffdb1e], '\x00') self.assertEqual(mem[0x7fffffffdb1f], '\x00') self.assertEqual(cpu.RCX, 26L) self.assertEqual(cpu.RDI, 140737488345888L) self.assertEqual(cpu.RSI, 140737488345736L) self.assertEqual(cpu.RIP, 93824992233410L) self.assertEqual(cpu.EAX, 0L) def test_STOSD_3(self): ''' Instruction STOSD_3 Groups: 0x5555555547c2: rep stosd dword ptr [rdi], eax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffdaa0] = '&' mem[0x7fffffffdaa1] = '\xb0' mem[0x5555555547c2] = '\xf3' mem[0x5555555547c3] = '\xab' mem[0x7fffffffda88] = '\x00' mem[0x7fffffffda89] = '\x00' mem[0x7fffffffda8a] = '\x00' mem[0x7fffffffda8b] = '\x00' mem[0x7fffffffda8c] = '\x00' mem[0x7fffffffdaa2] = 'b' mem[0x7fffffffda8e] = '\x00' mem[0x7fffffffda8d] = '\x00' mem[0x7fffffffdaa3] = 'e' mem[0x7fffffffda8f] = '\x00' mem[0x7fffffffda9c] = '\xff' mem[0x7fffffffda9d] = '\x7f' mem[0x7fffffffda9e] = '\x00' mem[0x7fffffffda9f] = '\x00' cpu.RDI = 0x7fffffffda9c cpu.RCX = 0x3b cpu.RSI = 0x7fffffffda88 cpu.RIP = 0x5555555547c2 cpu.EAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffdaa0], '&') self.assertEqual(mem[0x7fffffffdaa1], '\xb0') self.assertEqual(mem[0x5555555547c2], '\xf3') self.assertEqual(mem[0x5555555547c3], '\xab') self.assertEqual(mem[0x7fffffffda88], '\x00') self.assertEqual(mem[0x7fffffffda89], '\x00') self.assertEqual(mem[0x7fffffffda8a], '\x00') self.assertEqual(mem[0x7fffffffda8b], '\x00') self.assertEqual(mem[0x7fffffffda8c], '\x00') self.assertEqual(mem[0x7fffffffda8d], '\x00') self.assertEqual(mem[0x7fffffffda8e], '\x00') self.assertEqual(mem[0x7fffffffda8f], '\x00') self.assertEqual(mem[0x7fffffffdaa3], 'e') self.assertEqual(mem[0x7fffffffdaa2], 'b') self.assertEqual(mem[0x7fffffffda9c], '\x00') self.assertEqual(mem[0x7fffffffda9d], '\x00') self.assertEqual(mem[0x7fffffffda9e], '\x00') self.assertEqual(mem[0x7fffffffda9f], '\x00') self.assertEqual(cpu.RCX, 58L) self.assertEqual(cpu.RDI, 140737488345760L) self.assertEqual(cpu.RSI, 140737488345736L) self.assertEqual(cpu.RIP, 93824992233410L) self.assertEqual(cpu.EAX, 0L) def test_STOSD_4(self): ''' Instruction STOSD_4 Groups: 0x5555555547c2: rep stosd dword ptr [rdi], eax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x5555555547c2] = '\xf3' mem[0x5555555547c3] = '\xab' mem[0x7fffffffdaec] = '\xff' mem[0x7fffffffda88] = '\x00' mem[0x7fffffffda89] = '\x00' mem[0x7fffffffda8a] = '\x00' mem[0x7fffffffda8b] = '\x00' mem[0x7fffffffda8c] = '\x00' mem[0x7fffffffda8d] = '\x00' mem[0x7fffffffdaee] = '\x00' mem[0x7fffffffdaed] = '\x7f' mem[0x7fffffffdaf0] = '\x00' mem[0x7fffffffdaf1] = '\x00' mem[0x7fffffffdaf2] = '\x00' mem[0x7fffffffdaf3] = '\x00' mem[0x7fffffffda8e] = '\x00' mem[0x7fffffffdaef] = '\x00' mem[0x7fffffffda8f] = '\x00' cpu.RDI = 0x7fffffffdaec cpu.RCX = 0x27 cpu.RSI = 0x7fffffffda88 cpu.RIP = 0x5555555547c2 cpu.EAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x5555555547c2], '\xf3') self.assertEqual(mem[0x5555555547c3], '\xab') self.assertEqual(mem[0x7fffffffdaec], '\x00') self.assertEqual(mem[0x7fffffffdaed], '\x00') self.assertEqual(mem[0x7fffffffda88], '\x00') self.assertEqual(mem[0x7fffffffda89], '\x00') self.assertEqual(mem[0x7fffffffda8a], '\x00') self.assertEqual(mem[0x7fffffffda8b], '\x00') self.assertEqual(mem[0x7fffffffda8c], '\x00') self.assertEqual(mem[0x7fffffffda8d], '\x00') self.assertEqual(mem[0x7fffffffda8e], '\x00') self.assertEqual(mem[0x7fffffffda8f], '\x00') self.assertEqual(mem[0x7fffffffdaf0], '\x00') self.assertEqual(mem[0x7fffffffdaf1], '\x00') self.assertEqual(mem[0x7fffffffdaf2], '\x00') self.assertEqual(mem[0x7fffffffdaf3], '\x00') self.assertEqual(mem[0x7fffffffdaee], '\x00') self.assertEqual(mem[0x7fffffffdaef], '\x00') self.assertEqual(cpu.RCX, 38L) self.assertEqual(cpu.RDI, 140737488345840L) self.assertEqual(cpu.RSI, 140737488345736L) self.assertEqual(cpu.RIP, 93824992233410L) self.assertEqual(cpu.EAX, 0L) def test_STOSD_5(self): ''' Instruction STOSD_5 Groups: 0x5555555547c2: rep stosd dword ptr [rdi], eax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7fffffffdb80] = 'P' mem[0x7fffffffdb81] = 'I' mem[0x5555555547c2] = '\xf3' mem[0x5555555547c3] = '\xab' mem[0x7fffffffda88] = '\x00' mem[0x7fffffffda89] = '\x00' mem[0x7fffffffda8a] = '\x00' mem[0x7fffffffda8b] = '\x00' mem[0x7fffffffda8c] = '\x00' mem[0x7fffffffdb82] = 'U' mem[0x7fffffffda8e] = '\x00' mem[0x7fffffffda8d] = '\x00' mem[0x7fffffffdb83] = 'U' mem[0x7fffffffda8f] = '\x00' mem[0x7fffffffdb7c] = '\x00' mem[0x7fffffffdb7d] = '\x00' mem[0x7fffffffdb7e] = '\x00' mem[0x7fffffffdb7f] = '\x00' cpu.RDI = 0x7fffffffdb7c cpu.RCX = 0x3 cpu.RSI = 0x7fffffffda88 cpu.RIP = 0x5555555547c2 cpu.EAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffdb80], 'P') self.assertEqual(mem[0x7fffffffdb81], 'I') self.assertEqual(mem[0x5555555547c2], '\xf3') self.assertEqual(mem[0x5555555547c3], '\xab') self.assertEqual(mem[0x7fffffffda88], '\x00') self.assertEqual(mem[0x7fffffffda89], '\x00') self.assertEqual(mem[0x7fffffffda8a], '\x00') self.assertEqual(mem[0x7fffffffda8b], '\x00') self.assertEqual(mem[0x7fffffffda8c], '\x00') self.assertEqual(mem[0x7fffffffdb82], 'U') self.assertEqual(mem[0x7fffffffda8e], '\x00') self.assertEqual(mem[0x7fffffffda8d], '\x00') self.assertEqual(mem[0x7fffffffdb83], 'U') self.assertEqual(mem[0x7fffffffda8f], '\x00') self.assertEqual(mem[0x7fffffffdb7c], '\x00') self.assertEqual(mem[0x7fffffffdb7d], '\x00') self.assertEqual(mem[0x7fffffffdb7e], '\x00') self.assertEqual(mem[0x7fffffffdb7f], '\x00') self.assertEqual(cpu.RCX, 2L) self.assertEqual(cpu.RDI, 140737488345984L) self.assertEqual(cpu.RSI, 140737488345736L) self.assertEqual(cpu.RIP, 93824992233410L) self.assertEqual(cpu.EAX, 0L) def test_STOSD_6(self): ''' Instruction STOSD_6 Groups: 0x5555555547c2: rep stosd dword ptr [rdi], eax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x5555555547c2] = '\xf3' mem[0x5555555547c3] = '\xab' mem[0x7fffffffda88] = '\x00' mem[0x7fffffffda89] = '\x00' mem[0x7fffffffda8a] = '\x00' mem[0x7fffffffda8b] = '\x00' mem[0x7fffffffda8c] = '\x00' mem[0x7fffffffda8d] = '\x00' mem[0x7fffffffda8e] = '\x00' mem[0x7fffffffda8f] = '\x00' mem[0x7fffffffdaf0] = '\x00' mem[0x7fffffffdaf1] = '\x00' mem[0x7fffffffdaf2] = '\x00' mem[0x7fffffffdaf3] = '\x00' mem[0x7fffffffdaf4] = '\x00' mem[0x7fffffffdaf5] = '\x00' mem[0x7fffffffdaf6] = '\x00' mem[0x7fffffffdaf7] = '\x00' cpu.RDI = 0x7fffffffdaf0 cpu.RCX = 0x26 cpu.RSI = 0x7fffffffda88 cpu.RIP = 0x5555555547c2 cpu.EAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x5555555547c2], '\xf3') self.assertEqual(mem[0x5555555547c3], '\xab') self.assertEqual(mem[0x7fffffffda88], '\x00') self.assertEqual(mem[0x7fffffffda89], '\x00') self.assertEqual(mem[0x7fffffffda8a], '\x00') self.assertEqual(mem[0x7fffffffda8b], '\x00') self.assertEqual(mem[0x7fffffffda8c], '\x00') self.assertEqual(mem[0x7fffffffda8d], '\x00') self.assertEqual(mem[0x7fffffffda8e], '\x00') self.assertEqual(mem[0x7fffffffda8f], '\x00') self.assertEqual(mem[0x7fffffffdaf0], '\x00') self.assertEqual(mem[0x7fffffffdaf1], '\x00') self.assertEqual(mem[0x7fffffffdaf2], '\x00') self.assertEqual(mem[0x7fffffffdaf3], '\x00') self.assertEqual(mem[0x7fffffffdaf4], '\x00') self.assertEqual(mem[0x7fffffffdaf5], '\x00') self.assertEqual(mem[0x7fffffffdaf6], '\x00') self.assertEqual(mem[0x7fffffffdaf7], '\x00') self.assertEqual(cpu.RCX, 37L) self.assertEqual(cpu.RDI, 140737488345844L) self.assertEqual(cpu.RSI, 140737488345736L) self.assertEqual(cpu.RIP, 93824992233410L) self.assertEqual(cpu.EAX, 0L) def test_STOSQ_1(self): ''' Instruction STOSQ_1 Groups: 0x7ffff7ded09b: rep stosq qword ptr [rdi], rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ded000, 0x1000, 'rwx') mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx') mem[0x7ffff7fd7700] = '\x00' mem[0x7ffff7fd7701] = '\x00' mem[0x7ffff7fd7702] = '\x00' mem[0x7ffff7fd7703] = '\x00' mem[0x7ffff7fd7704] = '\x00' mem[0x7ffff7fd7705] = '\x00' mem[0x7ffff7fd7706] = '\x00' mem[0x7ffff7fd7707] = '\x00' mem[0x7ffff7ded09c] = 'H' mem[0x7ffff7ded09d] = '\xab' mem[0x7ffff7ded09b] = '\xf3' mem[0x7ffff7fd7f38] = '\x00' mem[0x7ffff7fd7f39] = '\x00' mem[0x7ffff7fd7f3a] = '\x00' mem[0x7ffff7fd7f3b] = '\x00' mem[0x7ffff7fd7f3c] = '\x00' mem[0x7ffff7fd7f3d] = '\x00' mem[0x7ffff7fd7f3e] = '\x00' mem[0x7ffff7fd7f3f] = '\x00' cpu.RDI = 0x7ffff7fd7f38 cpu.RIP = 0x7ffff7ded09b cpu.RCX = 0x19 cpu.RSI = 0x7ffff7fd7700 cpu.RAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7fd7700], '\x00') self.assertEqual(mem[0x7ffff7fd7701], '\x00') self.assertEqual(mem[0x7ffff7fd7702], '\x00') self.assertEqual(mem[0x7ffff7fd7703], '\x00') self.assertEqual(mem[0x7ffff7fd7704], '\x00') self.assertEqual(mem[0x7ffff7fd7705], '\x00') self.assertEqual(mem[0x7ffff7fd7706], '\x00') self.assertEqual(mem[0x7ffff7fd7707], '\x00') self.assertEqual(mem[0x7ffff7fd7f3b], '\x00') self.assertEqual(mem[0x7ffff7fd7f3c], '\x00') self.assertEqual(mem[0x7ffff7fd7f3d], '\x00') self.assertEqual(mem[0x7ffff7fd7f38], '\x00') self.assertEqual(mem[0x7ffff7fd7f39], '\x00') self.assertEqual(mem[0x7ffff7fd7f3a], '\x00') self.assertEqual(mem[0x7ffff7ded09b], '\xf3') self.assertEqual(mem[0x7ffff7ded09c], 'H') self.assertEqual(mem[0x7ffff7ded09d], '\xab') self.assertEqual(mem[0x7ffff7fd7f3e], '\x00') self.assertEqual(mem[0x7ffff7fd7f3f], '\x00') self.assertEqual(cpu.RCX, 24L) self.assertEqual(cpu.RAX, 0L) self.assertEqual(cpu.RDI, 140737353973568L) self.assertEqual(cpu.RSI, 140737353971456L) self.assertEqual(cpu.RIP, 140737351962779L) def test_STOSQ_2(self): ''' Instruction STOSQ_2 Groups: 0x7ffff7ded09b: rep stosq qword ptr [rdi], rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ded000, 0x1000, 'rwx') mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx') mem[0x7ffff7fd7700] = '\x00' mem[0x7ffff7fd7701] = '\x00' mem[0x7ffff7fd7702] = '\x00' mem[0x7ffff7fd7703] = '\x00' mem[0x7ffff7fd7704] = '\x00' mem[0x7ffff7fd7705] = '\x00' mem[0x7ffff7fd7706] = '\x00' mem[0x7ffff7fd7707] = '\x00' mem[0x7ffff7ded09c] = 'H' mem[0x7ffff7ded09d] = '\xab' mem[0x7ffff7ded09b] = '\xf3' mem[0x7ffff7fd7cb8] = '\x00' mem[0x7ffff7fd7cb9] = '\x00' mem[0x7ffff7fd7cba] = '\x00' mem[0x7ffff7fd7cbb] = '\x00' mem[0x7ffff7fd7cbc] = '\x00' mem[0x7ffff7fd7cbd] = '\x00' mem[0x7ffff7fd7cbe] = '\x00' mem[0x7ffff7fd7cbf] = '\x00' cpu.RDI = 0x7ffff7fd7cb8 cpu.RIP = 0x7ffff7ded09b cpu.RCX = 0x69 cpu.RSI = 0x7ffff7fd7700 cpu.RAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7fd7700], '\x00') self.assertEqual(mem[0x7ffff7fd7701], '\x00') self.assertEqual(mem[0x7ffff7fd7702], '\x00') self.assertEqual(mem[0x7ffff7fd7703], '\x00') self.assertEqual(mem[0x7ffff7fd7704], '\x00') self.assertEqual(mem[0x7ffff7fd7705], '\x00') self.assertEqual(mem[0x7ffff7fd7706], '\x00') self.assertEqual(mem[0x7ffff7fd7707], '\x00') self.assertEqual(mem[0x7ffff7fd7cbc], '\x00') self.assertEqual(mem[0x7ffff7fd7cbd], '\x00') self.assertEqual(mem[0x7ffff7fd7cbb], '\x00') self.assertEqual(mem[0x7ffff7fd7cb8], '\x00') self.assertEqual(mem[0x7ffff7fd7cb9], '\x00') self.assertEqual(mem[0x7ffff7fd7cba], '\x00') self.assertEqual(mem[0x7ffff7ded09b], '\xf3') self.assertEqual(mem[0x7ffff7ded09c], 'H') self.assertEqual(mem[0x7ffff7ded09d], '\xab') self.assertEqual(mem[0x7ffff7fd7cbe], '\x00') self.assertEqual(mem[0x7ffff7fd7cbf], '\x00') self.assertEqual(cpu.RCX, 104L) self.assertEqual(cpu.RAX, 0L) self.assertEqual(cpu.RDI, 140737353972928L) self.assertEqual(cpu.RSI, 140737353971456L) self.assertEqual(cpu.RIP, 140737351962779L) def test_STOSQ_3(self): ''' Instruction STOSQ_3 Groups: 0x7ffff7de5ebf: rep stosq qword ptr [rdi], rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem.mmap(0x7ffff7ffe000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7ffff7de5ec0] = 'H' mem[0x7ffff7de5ec1] = '\xab' mem[0x7ffff7ffe4a2] = '\xff' mem[0x7ffff7ffe4a3] = '\xf7' mem[0x7ffff7ffe4a4] = '\xff' mem[0x7ffff7ffe4a5] = '\x7f' mem[0x7ffff7ffe4a6] = '\x00' mem[0x7ffff7ffe4a1] = '\xe4' mem[0x7fffffffda88] = '\x90' mem[0x7fffffffda89] = 'x' mem[0x7fffffffda8a] = '\x00' mem[0x7fffffffda8b] = '\x00' mem[0x7fffffffda8c] = '\x00' mem[0x7fffffffda8d] = '\x00' mem[0x7fffffffda8e] = '\x00' mem[0x7fffffffda8f] = '\x00' mem[0x7ffff7ffe4a0] = '\x00' mem[0x7ffff7ffe4a7] = '\x00' mem[0x7ffff7de5ebf] = '\xf3' cpu.RDI = 0x7fffffffda88 cpu.RIP = 0x7ffff7de5ebf cpu.RCX = 0x7 cpu.RSI = 0x7ffff7ffe4a0 cpu.RAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de5ec0], 'H') self.assertEqual(mem[0x7ffff7de5ec1], '\xab') self.assertEqual(mem[0x7ffff7ffe4a2], '\xff') self.assertEqual(mem[0x7ffff7ffe4a3], '\xf7') self.assertEqual(mem[0x7ffff7ffe4a4], '\xff') self.assertEqual(mem[0x7ffff7ffe4a5], '\x7f') self.assertEqual(mem[0x7ffff7ffe4a6], '\x00') self.assertEqual(mem[0x7ffff7ffe4a1], '\xe4') self.assertEqual(mem[0x7fffffffda88], '\x00') self.assertEqual(mem[0x7fffffffda89], '\x00') self.assertEqual(mem[0x7fffffffda8a], '\x00') self.assertEqual(mem[0x7fffffffda8b], '\x00') self.assertEqual(mem[0x7fffffffda8c], '\x00') self.assertEqual(mem[0x7fffffffda8d], '\x00') self.assertEqual(mem[0x7fffffffda8e], '\x00') self.assertEqual(mem[0x7fffffffda8f], '\x00') self.assertEqual(mem[0x7ffff7ffe4a0], '\x00') self.assertEqual(mem[0x7ffff7ffe4a7], '\x00') self.assertEqual(mem[0x7ffff7de5ebf], '\xf3') self.assertEqual(cpu.RCX, 6L) self.assertEqual(cpu.RAX, 0L) self.assertEqual(cpu.RDI, 140737488345744L) self.assertEqual(cpu.RSI, 140737354130592L) self.assertEqual(cpu.RIP, 140737351933631L) def test_STOSQ_4(self): ''' Instruction STOSQ_4 Groups: 0x7ffff7ded09b: rep stosq qword ptr [rdi], rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ded000, 0x1000, 'rwx') mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx') mem[0x7ffff7fd7700] = '\x00' mem[0x7ffff7fd7701] = '\x00' mem[0x7ffff7fd7702] = '\x00' mem[0x7ffff7fd7703] = '\x00' mem[0x7ffff7fd7704] = '\x00' mem[0x7ffff7fd7705] = '\x00' mem[0x7ffff7fd7706] = '\x00' mem[0x7ffff7fd7707] = '\x00' mem[0x7ffff7fd7730] = '\x00' mem[0x7ffff7fd7731] = '\x00' mem[0x7ffff7fd7732] = '\x00' mem[0x7ffff7fd7733] = '\x00' mem[0x7ffff7fd7734] = '\x00' mem[0x7ffff7fd7735] = '\x00' mem[0x7ffff7fd7736] = '\x00' mem[0x7ffff7fd7737] = '\x00' mem[0x7ffff7ded09b] = '\xf3' mem[0x7ffff7ded09c] = 'H' mem[0x7ffff7ded09d] = '\xab' cpu.RDI = 0x7ffff7fd7730 cpu.RIP = 0x7ffff7ded09b cpu.RCX = 0x11a cpu.RSI = 0x7ffff7fd7700 cpu.RAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7fd7700], '\x00') self.assertEqual(mem[0x7ffff7fd7701], '\x00') self.assertEqual(mem[0x7ffff7fd7702], '\x00') self.assertEqual(mem[0x7ffff7fd7703], '\x00') self.assertEqual(mem[0x7ffff7fd7704], '\x00') self.assertEqual(mem[0x7ffff7fd7705], '\x00') self.assertEqual(mem[0x7ffff7fd7706], '\x00') self.assertEqual(mem[0x7ffff7fd7707], '\x00') self.assertEqual(mem[0x7ffff7fd7730], '\x00') self.assertEqual(mem[0x7ffff7fd7731], '\x00') self.assertEqual(mem[0x7ffff7fd7732], '\x00') self.assertEqual(mem[0x7ffff7fd7733], '\x00') self.assertEqual(mem[0x7ffff7fd7734], '\x00') self.assertEqual(mem[0x7ffff7fd7735], '\x00') self.assertEqual(mem[0x7ffff7fd7736], '\x00') self.assertEqual(mem[0x7ffff7fd7737], '\x00') self.assertEqual(mem[0x7ffff7ded09b], '\xf3') self.assertEqual(mem[0x7ffff7ded09c], 'H') self.assertEqual(mem[0x7ffff7ded09d], '\xab') self.assertEqual(cpu.RCX, 281L) self.assertEqual(cpu.RAX, 0L) self.assertEqual(cpu.RDI, 140737353971512L) self.assertEqual(cpu.RSI, 140737353971456L) self.assertEqual(cpu.RIP, 140737351962779L) def test_STOSQ_5(self): ''' Instruction STOSQ_5 Groups: 0x555555554895: rep stosq qword ptr [rdi], rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x555555554896] = 'H' mem[0x7fffffffda95] = '\x00' mem[0x555555554897] = '\xab' mem[0x7fffffffda90] = '\x00' mem[0x7fffffffda91] = '\x00' mem[0x7fffffffda92] = '\x00' mem[0x7fffffffda93] = '\x00' mem[0x7fffffffda94] = '\x00' mem[0x555555554895] = '\xf3' mem[0x7fffffffda96] = '\x00' mem[0x7fffffffda97] = '\x00' mem[0x7fffffffdc98] = '\x1d' mem[0x7fffffffdc99] = '\xe0' mem[0x7fffffffdc9a] = '\xff' mem[0x7fffffffdc9b] = '\xff' mem[0x7fffffffdc9c] = '\xff' mem[0x7fffffffdc9d] = '\x7f' mem[0x7fffffffdc9e] = '\x00' mem[0x7fffffffdc9f] = '\x00' cpu.RDI = 0x7fffffffda90 cpu.RIP = 0x555555554895 cpu.RCX = 0x1e cpu.RSI = 0x7fffffffdc98 cpu.RAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffda96], '\x00') self.assertEqual(mem[0x7fffffffda95], '\x00') self.assertEqual(mem[0x7fffffffda97], '\x00') self.assertEqual(mem[0x7fffffffda90], '\x00') self.assertEqual(mem[0x7fffffffda91], '\x00') self.assertEqual(mem[0x7fffffffda92], '\x00') self.assertEqual(mem[0x7fffffffda93], '\x00') self.assertEqual(mem[0x7fffffffda94], '\x00') self.assertEqual(mem[0x555555554895], '\xf3') self.assertEqual(mem[0x555555554896], 'H') self.assertEqual(mem[0x555555554897], '\xab') self.assertEqual(mem[0x7fffffffdc98], '\x1d') self.assertEqual(mem[0x7fffffffdc99], '\xe0') self.assertEqual(mem[0x7fffffffdc9a], '\xff') self.assertEqual(mem[0x7fffffffdc9b], '\xff') self.assertEqual(mem[0x7fffffffdc9c], '\xff') self.assertEqual(mem[0x7fffffffdc9d], '\x7f') self.assertEqual(mem[0x7fffffffdc9e], '\x00') self.assertEqual(mem[0x7fffffffdc9f], '\x00') self.assertEqual(cpu.RCX, 29L) self.assertEqual(cpu.RAX, 0L) self.assertEqual(cpu.RDI, 140737488345752L) self.assertEqual(cpu.RSI, 140737488346264L) self.assertEqual(cpu.RIP, 93824992233621L) def test_STOSQ_6(self): ''' Instruction STOSQ_6 Groups: 0x7ffff7ded09b: rep stosq qword ptr [rdi], rax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ded000, 0x1000, 'rwx') mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx') mem[0x7ffff7fd7700] = '\x00' mem[0x7ffff7fd7701] = '\x00' mem[0x7ffff7fd7702] = '\x00' mem[0x7ffff7fd7703] = '\x00' mem[0x7ffff7fd7704] = '\x00' mem[0x7ffff7fd7705] = '\x00' mem[0x7ffff7fd7706] = '\x00' mem[0x7ffff7fd7707] = '\x00' mem[0x7ffff7fd7ef0] = '\x00' mem[0x7ffff7fd7ef1] = '\x00' mem[0x7ffff7fd7ef2] = '\x00' mem[0x7ffff7fd7ef3] = '\x00' mem[0x7ffff7fd7ef4] = '\x00' mem[0x7ffff7fd7ef5] = '\x00' mem[0x7ffff7fd7ef6] = '\x00' mem[0x7ffff7fd7ef7] = '\x00' mem[0x7ffff7ded09b] = '\xf3' mem[0x7ffff7ded09c] = 'H' mem[0x7ffff7ded09d] = '\xab' cpu.RDI = 0x7ffff7fd7ef0 cpu.RIP = 0x7ffff7ded09b cpu.RCX = 0x22 cpu.RSI = 0x7ffff7fd7700 cpu.RAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7fd7700], '\x00') self.assertEqual(mem[0x7ffff7fd7701], '\x00') self.assertEqual(mem[0x7ffff7fd7702], '\x00') self.assertEqual(mem[0x7ffff7fd7703], '\x00') self.assertEqual(mem[0x7ffff7fd7704], '\x00') self.assertEqual(mem[0x7ffff7fd7705], '\x00') self.assertEqual(mem[0x7ffff7fd7706], '\x00') self.assertEqual(mem[0x7ffff7fd7707], '\x00') self.assertEqual(mem[0x7ffff7fd7ef0], '\x00') self.assertEqual(mem[0x7ffff7fd7ef1], '\x00') self.assertEqual(mem[0x7ffff7fd7ef2], '\x00') self.assertEqual(mem[0x7ffff7fd7ef3], '\x00') self.assertEqual(mem[0x7ffff7fd7ef4], '\x00') self.assertEqual(mem[0x7ffff7fd7ef5], '\x00') self.assertEqual(mem[0x7ffff7fd7ef6], '\x00') self.assertEqual(mem[0x7ffff7fd7ef7], '\x00') self.assertEqual(mem[0x7ffff7ded09b], '\xf3') self.assertEqual(mem[0x7ffff7ded09c], 'H') self.assertEqual(mem[0x7ffff7ded09d], '\xab') self.assertEqual(cpu.RCX, 33L) self.assertEqual(cpu.RAX, 0L) self.assertEqual(cpu.RDI, 140737353973496L) self.assertEqual(cpu.RSI, 140737353971456L) self.assertEqual(cpu.RIP, 140737351962779L) def test_SUB_1(self): ''' Instruction SUB_1 Groups: 0x4326c3: sub rsp, 0x1020 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x004326c3] = 'H' mem[0x004326c4] = '\x81' mem[0x004326c5] = '\xec' mem[0x004326c6] = ' ' mem[0x004326c7] = '\x10' mem[0x004326c8] = '\x00' mem[0x004326c9] = '\x00' cpu.PF = True cpu.AF = False cpu.OF = False cpu.ZF = False cpu.RSP = 0x7fffffffdab0 cpu.CF = False cpu.RIP = 0x4326c3 cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4326c3], 'H') self.assertEqual(mem[0x4326c4], '\x81') self.assertEqual(mem[0x4326c5], '\xec') self.assertEqual(mem[0x4326c6], ' ') self.assertEqual(mem[0x4326c7], '\x10') self.assertEqual(mem[0x4326c8], '\x00') self.assertEqual(mem[0x4326c9], '\x00') self.assertEqual(cpu.PF, True) self.assertEqual(cpu.AF, False) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.RSP, 140737488341648L) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 4400842L) self.assertEqual(cpu.SF, False) def test_SUB_2(self): ''' Instruction SUB_2 Groups: 0x40b6dd: sub rsp, 0x1028 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0040b000, 0x1000, 'rwx') mem[0x0040b6e0] = '(' mem[0x0040b6e1] = '\x10' mem[0x0040b6e2] = '\x00' mem[0x0040b6e3] = '\x00' mem[0x0040b6dd] = 'H' mem[0x0040b6de] = '\x81' mem[0x0040b6df] = '\xec' cpu.PF = True cpu.AF = False cpu.OF = False cpu.ZF = True cpu.RSP = 0x7fffffffda18 cpu.CF = False cpu.RIP = 0x40b6dd cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x40b6e0], '(') self.assertEqual(mem[0x40b6e1], '\x10') self.assertEqual(mem[0x40b6e2], '\x00') self.assertEqual(mem[0x40b6e3], '\x00') self.assertEqual(mem[0x40b6dd], 'H') self.assertEqual(mem[0x40b6de], '\x81') self.assertEqual(mem[0x40b6df], '\xec') self.assertEqual(cpu.PF, True) self.assertEqual(cpu.AF, False) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.RSP, 140737488341488L) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 4241124L) self.assertEqual(cpu.SF, False) def test_SUB_3(self): ''' Instruction SUB_3 Groups: 0x7ffff7de406d: sub rsp, 8 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4070] = '\x08' mem[0x7ffff7de406d] = 'H' mem[0x7ffff7de406e] = '\x83' mem[0x7ffff7de406f] = '\xec' cpu.PF = False cpu.AF = True cpu.OF = False cpu.ZF = False cpu.RSP = 0x7fffffffd840 cpu.CF = False cpu.RIP = 0x7ffff7de406d cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de4070], '\x08') self.assertEqual(mem[0x7ffff7de406d], 'H') self.assertEqual(mem[0x7ffff7de406e], '\x83') self.assertEqual(mem[0x7ffff7de406f], '\xec') self.assertEqual(cpu.PF, False) self.assertEqual(cpu.AF, True) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.RSP, 140737488345144L) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351925873L) self.assertEqual(cpu.SF, False) def test_SUB_4(self): ''' Instruction SUB_4 Groups: 0x7ffff7decc04: sub rsp, 0x1020 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7dec000, 0x1000, 'rwx') mem[0x7ffff7decc04] = 'H' mem[0x7ffff7decc05] = '\x81' mem[0x7ffff7decc06] = '\xec' mem[0x7ffff7decc07] = ' ' mem[0x7ffff7decc08] = '\x10' mem[0x7ffff7decc09] = '\x00' mem[0x7ffff7decc0a] = '\x00' cpu.PF = True cpu.AF = False cpu.OF = False cpu.ZF = True cpu.RSP = 0x7fffffffd0c0 cpu.CF = False cpu.RIP = 0x7ffff7decc04 cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7decc04], 'H') self.assertEqual(mem[0x7ffff7decc05], '\x81') self.assertEqual(mem[0x7ffff7decc06], '\xec') self.assertEqual(mem[0x7ffff7decc07], ' ') self.assertEqual(mem[0x7ffff7decc08], '\x10') self.assertEqual(mem[0x7ffff7decc09], '\x00') self.assertEqual(mem[0x7ffff7decc0a], '\x00') self.assertEqual(cpu.PF, True) self.assertEqual(cpu.AF, False) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.RSP, 140737488339104L) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351961611L) self.assertEqual(cpu.SF, False) def test_SUB_5(self): ''' Instruction SUB_5 Groups: 0x7ffff7de060d: sub rsp, 0x1020 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de0000, 0x1000, 'rwx') mem[0x7ffff7de060d] = 'H' mem[0x7ffff7de060e] = '\x81' mem[0x7ffff7de060f] = '\xec' mem[0x7ffff7de0610] = ' ' mem[0x7ffff7de0611] = '\x10' mem[0x7ffff7de0612] = '\x00' mem[0x7ffff7de0613] = '\x00' cpu.PF = False cpu.AF = False cpu.OF = False cpu.ZF = False cpu.RSP = 0x7fffffffd2e0 cpu.CF = True cpu.RIP = 0x7ffff7de060d cpu.SF = True cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de060d], 'H') self.assertEqual(mem[0x7ffff7de060e], '\x81') self.assertEqual(mem[0x7ffff7de060f], '\xec') self.assertEqual(mem[0x7ffff7de0610], ' ') self.assertEqual(mem[0x7ffff7de0611], '\x10') self.assertEqual(mem[0x7ffff7de0612], '\x00') self.assertEqual(mem[0x7ffff7de0613], '\x00') self.assertEqual(cpu.PF, True) self.assertEqual(cpu.AF, False) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.RSP, 140737488339648L) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351910932L) self.assertEqual(cpu.SF, False) def test_SUB_6(self): ''' Instruction SUB_6 Groups: 0x7ffff7deb22d: sub rsp, 0x1078 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7deb000, 0x1000, 'rwx') mem[0x7ffff7deb22d] = 'H' mem[0x7ffff7deb22e] = '\x81' mem[0x7ffff7deb22f] = '\xec' mem[0x7ffff7deb230] = 'x' mem[0x7ffff7deb231] = '\x10' mem[0x7ffff7deb232] = '\x00' mem[0x7ffff7deb233] = '\x00' cpu.PF = False cpu.AF = True cpu.OF = False cpu.ZF = False cpu.RSP = 0x7fffffffd9f8 cpu.CF = False cpu.RIP = 0x7ffff7deb22d cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7deb22d], 'H') self.assertEqual(mem[0x7ffff7deb22e], '\x81') self.assertEqual(mem[0x7ffff7deb22f], '\xec') self.assertEqual(mem[0x7ffff7deb230], 'x') self.assertEqual(mem[0x7ffff7deb231], '\x10') self.assertEqual(mem[0x7ffff7deb232], '\x00') self.assertEqual(mem[0x7ffff7deb233], '\x00') self.assertEqual(cpu.PF, False) self.assertEqual(cpu.AF, False) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.RSP, 140737488341376L) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351954996L) self.assertEqual(cpu.SF, False) def test_TEST_1(self): ''' Instruction TEST_1 Groups: 0x7ffff7df459c: test al, al ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df459c] = '\x84' mem[0x7ffff7df459d] = '\xc0' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7df459c cpu.AL = 0x6c cpu.PF = True cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df459c], '\x84') self.assertEqual(mem[0x7ffff7df459d], '\xc0') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351992734L) self.assertEqual(cpu.AL, 108L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_TEST_2(self): ''' Instruction TEST_2 Groups: 0x7ffff7df459c: test al, al ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df459c] = '\x84' mem[0x7ffff7df459d] = '\xc0' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7df459c cpu.AL = 0x5f cpu.PF = True cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df459c], '\x84') self.assertEqual(mem[0x7ffff7df459d], '\xc0') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351992734L) self.assertEqual(cpu.AL, 95L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_TEST_3(self): ''' Instruction TEST_3 Groups: 0x7ffff7de3892: test r15d, r15d ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3892] = 'E' mem[0x7ffff7de3893] = '\x85' mem[0x7ffff7de3894] = '\xff' cpu.R15D = 0x0 cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de3892 cpu.PF = False cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de3892], 'E') self.assertEqual(mem[0x7ffff7de3893], '\x85') self.assertEqual(mem[0x7ffff7de3894], '\xff') self.assertEqual(cpu.R15D, 0L) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351923861L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_TEST_4(self): ''' Instruction TEST_4 Groups: 0x7ffff7b58f07: test byte ptr [r8 - 4], 1 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a31000, 0x1000, 'rwx') mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f07] = 'A' mem[0x7ffff7b58f08] = '\xf6' mem[0x7ffff7b58f09] = '@' mem[0x7ffff7b58f0a] = '\xfc' mem[0x7ffff7b58f0b] = '\x01' mem[0x7ffff7a3193c] = '\xbc' cpu.OF = False cpu.ZF = False cpu.R8 = 0x7ffff7a31940 cpu.CF = False cpu.RIP = 0x7ffff7b58f07 cpu.PF = True cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7b58f07], 'A') self.assertEqual(mem[0x7ffff7b58f08], '\xf6') self.assertEqual(mem[0x7ffff7b58f09], '@') self.assertEqual(mem[0x7ffff7b58f0a], '\xfc') self.assertEqual(mem[0x7ffff7b58f0b], '\x01') self.assertEqual(mem[0x7ffff7a3193c], '\xbc') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.R8, 140737348049216L) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737349259020L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_TEST_5(self): ''' Instruction TEST_5 Groups: 0x7ffff7ddc6b7: test rdi, rdi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx') mem[0x7ffff7ddc6b8] = '\x85' mem[0x7ffff7ddc6b9] = '\xff' mem[0x7ffff7ddc6b7] = 'H' cpu.OF = False cpu.ZF = True cpu.CF = False cpu.RIP = 0x7ffff7ddc6b7 cpu.PF = True cpu.RDI = 0x7ffff7ffa3a0 cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7ddc6b8], '\x85') self.assertEqual(mem[0x7ffff7ddc6b9], '\xff') self.assertEqual(mem[0x7ffff7ddc6b7], 'H') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351894714L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.RDI, 140737354113952L) self.assertEqual(cpu.SF, False) def test_TEST_6(self): ''' Instruction TEST_6 Groups: 0x406e88: test rbx, rbx ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem[0x00406e88] = 'H' mem[0x00406e89] = '\x85' mem[0x00406e8a] = '\xdb' cpu.RBX = 0x7fffffffe927 cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x406e88 cpu.PF = True cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x406e88], 'H') self.assertEqual(mem[0x406e89], '\x85') self.assertEqual(mem[0x406e8a], '\xdb') self.assertEqual(cpu.RBX, 140737488349479L) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, False) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 4222603L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_VMOVD_1(self): ''' Instruction VMOVD_1 Groups: avx 0x432054: vmovd xmm1, esi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432054] = '\xc5' mem[0x00432055] = '\xf9' mem[0x00432056] = 'n' mem[0x00432057] = '\xce' cpu.XMM1 = 0x0 cpu.RIP = 0x432054 cpu.ESI = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432054], '\xc5') self.assertEqual(mem[0x432055], '\xf9') self.assertEqual(mem[0x432056], 'n') self.assertEqual(mem[0x432057], '\xce') self.assertEqual(cpu.XMM1, 0) self.assertEqual(cpu.ESI, 0L) self.assertEqual(cpu.RIP, 4399192L) def test_VMOVD_2(self): ''' Instruction VMOVD_2 Groups: avx 0x432154: vmovd xmm1, esi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432154] = '\xc5' mem[0x00432155] = '\xf9' mem[0x00432156] = 'n' mem[0x00432157] = '\xce' cpu.XMM1 = 0x0 cpu.RIP = 0x432154 cpu.ESI = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432154], '\xc5') self.assertEqual(mem[0x432155], '\xf9') self.assertEqual(mem[0x432156], 'n') self.assertEqual(mem[0x432157], '\xce') self.assertEqual(cpu.XMM1, 0) self.assertEqual(cpu.ESI, 0L) self.assertEqual(cpu.RIP, 4399448L) def test_VMOVD_3(self): ''' Instruction VMOVD_3 Groups: avx 0x432124: vmovd xmm1, esi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432124] = '\xc5' mem[0x00432125] = '\xf9' mem[0x00432126] = 'n' mem[0x00432127] = '\xce' cpu.XMM1 = 0x0 cpu.RIP = 0x432124 cpu.ESI = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432124], '\xc5') self.assertEqual(mem[0x432125], '\xf9') self.assertEqual(mem[0x432126], 'n') self.assertEqual(mem[0x432127], '\xce') self.assertEqual(cpu.XMM1, 0) self.assertEqual(cpu.ESI, 0L) self.assertEqual(cpu.RIP, 4399400L) def test_VMOVD_4(self): ''' Instruction VMOVD_4 Groups: avx 0x434cd4: vmovd xmm1, esi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x00434cd4] = '\xc5' mem[0x00434cd5] = '\xf9' mem[0x00434cd6] = 'n' mem[0x00434cd7] = '\xce' cpu.XMM1 = 0x0 cpu.RIP = 0x434cd4 cpu.ESI = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x434cd4], '\xc5') self.assertEqual(mem[0x434cd5], '\xf9') self.assertEqual(mem[0x434cd6], 'n') self.assertEqual(mem[0x434cd7], '\xce') self.assertEqual(cpu.XMM1, 0) self.assertEqual(cpu.ESI, 0L) self.assertEqual(cpu.RIP, 4410584L) def test_VMOVD_5(self): ''' Instruction VMOVD_5 Groups: avx 0x432134: vmovd xmm1, esi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432134] = '\xc5' mem[0x00432135] = '\xf9' mem[0x00432136] = 'n' mem[0x00432137] = '\xce' cpu.XMM1 = 0x0 cpu.RIP = 0x432134 cpu.ESI = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432134], '\xc5') self.assertEqual(mem[0x432135], '\xf9') self.assertEqual(mem[0x432136], 'n') self.assertEqual(mem[0x432137], '\xce') self.assertEqual(cpu.XMM1, 0) self.assertEqual(cpu.ESI, 0L) self.assertEqual(cpu.RIP, 4399416L) def test_VMOVD_6(self): ''' Instruction VMOVD_6 Groups: avx 0x432514: vmovd xmm1, esi ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432514] = '\xc5' mem[0x00432515] = '\xf9' mem[0x00432516] = 'n' mem[0x00432517] = '\xce' cpu.XMM1 = 0x0 cpu.RIP = 0x432514 cpu.ESI = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432514], '\xc5') self.assertEqual(mem[0x432515], '\xf9') self.assertEqual(mem[0x432516], 'n') self.assertEqual(mem[0x432517], '\xce') self.assertEqual(cpu.XMM1, 0) self.assertEqual(cpu.ESI, 0L) self.assertEqual(cpu.RIP, 4400408L) def test_VPSHUFB_1(self): ''' Instruction VPSHUFB_1 Groups: avx 0x4321af: vpshufb xmm0, xmm1, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x004321b0] = '\xe2' mem[0x004321b1] = 'q' mem[0x004321b2] = '\x00' mem[0x004321b3] = '\xc0' mem[0x004321af] = '\xc4' cpu.XMM0 = 0x0 cpu.XMM1 = 0x0 cpu.RIP = 0x4321af cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4321b0], '\xe2') self.assertEqual(mem[0x4321b1], 'q') self.assertEqual(mem[0x4321b2], '\x00') self.assertEqual(mem[0x4321b3], '\xc0') self.assertEqual(mem[0x4321af], '\xc4') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.XMM1, 0) self.assertEqual(cpu.RIP, 4399540L) def test_VPSHUFB_2(self): ''' Instruction VPSHUFB_2 Groups: avx 0x43215f: vpshufb xmm0, xmm1, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432160] = '\xe2' mem[0x00432161] = 'q' mem[0x00432162] = '\x00' mem[0x00432163] = '\xc0' mem[0x0043215f] = '\xc4' cpu.XMM0 = 0x0 cpu.XMM1 = 0x0 cpu.RIP = 0x43215f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432160], '\xe2') self.assertEqual(mem[0x432161], 'q') self.assertEqual(mem[0x432162], '\x00') self.assertEqual(mem[0x432163], '\xc0') self.assertEqual(mem[0x43215f], '\xc4') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.XMM1, 0) self.assertEqual(cpu.RIP, 4399460L) def test_VPSHUFB_3(self): ''' Instruction VPSHUFB_3 Groups: avx 0x43205f: vpshufb xmm0, xmm1, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432060] = '\xe2' mem[0x00432061] = 'q' mem[0x00432062] = '\x00' mem[0x00432063] = '\xc0' mem[0x0043205f] = '\xc4' cpu.XMM0 = 0x0 cpu.XMM1 = 0x0 cpu.RIP = 0x43205f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432060], '\xe2') self.assertEqual(mem[0x432061], 'q') self.assertEqual(mem[0x432062], '\x00') self.assertEqual(mem[0x432063], '\xc0') self.assertEqual(mem[0x43205f], '\xc4') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.XMM1, 0) self.assertEqual(cpu.RIP, 4399204L) def test_VPSHUFB_4(self): ''' Instruction VPSHUFB_4 Groups: avx 0x43212f: vpshufb xmm0, xmm1, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432130] = '\xe2' mem[0x00432131] = 'q' mem[0x00432132] = '\x00' mem[0x00432133] = '\xc0' mem[0x0043212f] = '\xc4' cpu.XMM0 = 0x0 cpu.XMM1 = 0x0 cpu.RIP = 0x43212f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432130], '\xe2') self.assertEqual(mem[0x432131], 'q') self.assertEqual(mem[0x432132], '\x00') self.assertEqual(mem[0x432133], '\xc0') self.assertEqual(mem[0x43212f], '\xc4') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.XMM1, 0) self.assertEqual(cpu.RIP, 4399412L) def test_VPSHUFB_5(self): ''' Instruction VPSHUFB_5 Groups: avx 0x43213f: vpshufb xmm0, xmm1, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432140] = '\xe2' mem[0x00432141] = 'q' mem[0x00432142] = '\x00' mem[0x00432143] = '\xc0' mem[0x0043213f] = '\xc4' cpu.XMM0 = 0x0 cpu.XMM1 = 0x0 cpu.RIP = 0x43213f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432140], '\xe2') self.assertEqual(mem[0x432141], 'q') self.assertEqual(mem[0x432142], '\x00') self.assertEqual(mem[0x432143], '\xc0') self.assertEqual(mem[0x43213f], '\xc4') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.XMM1, 0) self.assertEqual(cpu.RIP, 4399428L) def test_VPSHUFB_6(self): ''' Instruction VPSHUFB_6 Groups: avx 0x434cdf: vpshufb xmm0, xmm1, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x00434ce0] = '\xe2' mem[0x00434ce1] = 'q' mem[0x00434ce2] = '\x00' mem[0x00434ce3] = '\xc0' mem[0x00434cdf] = '\xc4' cpu.XMM0 = 0x0 cpu.XMM1 = 0x0 cpu.RIP = 0x434cdf cpu.execute() #cpu.writeback() self.assertEqual(mem[0x434ce0], '\xe2') self.assertEqual(mem[0x434ce1], 'q') self.assertEqual(mem[0x434ce2], '\x00') self.assertEqual(mem[0x434ce3], '\xc0') self.assertEqual(mem[0x434cdf], '\xc4') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.XMM1, 0) self.assertEqual(cpu.RIP, 4410596L) def test_VPXOR_1(self): ''' Instruction VPXOR_1 Groups: avx 0x4321a0: vpxor xmm0, xmm0, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x004321a0] = '\xc5' mem[0x004321a1] = '\xf9' mem[0x004321a2] = '\xef' mem[0x004321a3] = '\xc0' cpu.XMM0 = 0x0 cpu.RIP = 0x4321a0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4321a0], '\xc5') self.assertEqual(mem[0x4321a1], '\xf9') self.assertEqual(mem[0x4321a2], '\xef') self.assertEqual(mem[0x4321a3], '\xc0') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.RIP, 4399524L) def test_VPXOR_2(self): ''' Instruction VPXOR_2 Groups: avx 0x432510: vpxor xmm0, xmm0, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432510] = '\xc5' mem[0x00432511] = '\xf9' mem[0x00432512] = '\xef' mem[0x00432513] = '\xc0' cpu.XMM0 = 0x0 cpu.RIP = 0x432510 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432510], '\xc5') self.assertEqual(mem[0x432511], '\xf9') self.assertEqual(mem[0x432512], '\xef') self.assertEqual(mem[0x432513], '\xc0') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.RIP, 4400404L) def test_VPXOR_3(self): ''' Instruction VPXOR_3 Groups: avx 0x432050: vpxor xmm0, xmm0, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432050] = '\xc5' mem[0x00432051] = '\xf9' mem[0x00432052] = '\xef' mem[0x00432053] = '\xc0' cpu.XMM0 = 0x0 cpu.RIP = 0x432050 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432050], '\xc5') self.assertEqual(mem[0x432051], '\xf9') self.assertEqual(mem[0x432052], '\xef') self.assertEqual(mem[0x432053], '\xc0') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.RIP, 4399188L) def test_VPXOR_4(self): ''' Instruction VPXOR_4 Groups: avx 0x432150: vpxor xmm0, xmm0, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432150] = '\xc5' mem[0x00432151] = '\xf9' mem[0x00432152] = '\xef' mem[0x00432153] = '\xc0' cpu.XMM0 = 0x0 cpu.RIP = 0x432150 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432150], '\xc5') self.assertEqual(mem[0x432151], '\xf9') self.assertEqual(mem[0x432152], '\xef') self.assertEqual(mem[0x432153], '\xc0') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.RIP, 4399444L) def test_VPXOR_5(self): ''' Instruction VPXOR_5 Groups: avx 0x432130: vpxor xmm0, xmm0, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432130] = '\xc5' mem[0x00432131] = '\xf9' mem[0x00432132] = '\xef' mem[0x00432133] = '\xc0' cpu.XMM0 = 0x0 cpu.RIP = 0x432130 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432130], '\xc5') self.assertEqual(mem[0x432131], '\xf9') self.assertEqual(mem[0x432132], '\xef') self.assertEqual(mem[0x432133], '\xc0') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.RIP, 4399412L) def test_VPXOR_6(self): ''' Instruction VPXOR_6 Groups: avx 0x432130: vpxor xmm0, xmm0, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432130] = '\xc5' mem[0x00432131] = '\xf9' mem[0x00432132] = '\xef' mem[0x00432133] = '\xc0' cpu.XMM0 = 0x0 cpu.RIP = 0x432130 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432130], '\xc5') self.assertEqual(mem[0x432131], '\xf9') self.assertEqual(mem[0x432132], '\xef') self.assertEqual(mem[0x432133], '\xc0') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.RIP, 4399412L) def test_VZEROUPPER_1(self): ''' Instruction VZEROUPPER_1 Groups: avx 0x4322a9: vzeroupper ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x004322a9] = '\xc5' mem[0x004322aa] = '\xf8' mem[0x004322ab] = 'w' cpu.RIP = 0x4322a9 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4322a9], '\xc5') self.assertEqual(mem[0x4322aa], '\xf8') self.assertEqual(mem[0x4322ab], 'w') self.assertEqual(cpu.RIP, 4399788L) def test_VZEROUPPER_2(self): ''' Instruction VZEROUPPER_2 Groups: avx 0x432319: vzeroupper ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432319] = '\xc5' mem[0x0043231a] = '\xf8' mem[0x0043231b] = 'w' cpu.RIP = 0x432319 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432319], '\xc5') self.assertEqual(mem[0x43231a], '\xf8') self.assertEqual(mem[0x43231b], 'w') self.assertEqual(cpu.RIP, 4399900L) def test_VZEROUPPER_3(self): ''' Instruction VZEROUPPER_3 Groups: avx 0x4322c9: vzeroupper ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x004322c9] = '\xc5' mem[0x004322ca] = '\xf8' mem[0x004322cb] = 'w' cpu.RIP = 0x4322c9 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4322c9], '\xc5') self.assertEqual(mem[0x4322ca], '\xf8') self.assertEqual(mem[0x4322cb], 'w') self.assertEqual(cpu.RIP, 4399820L) def test_VZEROUPPER_4(self): ''' Instruction VZEROUPPER_4 Groups: avx 0x432229: vzeroupper ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432229] = '\xc5' mem[0x0043222a] = '\xf8' mem[0x0043222b] = 'w' cpu.RIP = 0x432229 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432229], '\xc5') self.assertEqual(mem[0x43222a], '\xf8') self.assertEqual(mem[0x43222b], 'w') self.assertEqual(cpu.RIP, 4399660L) def test_VZEROUPPER_5(self): ''' Instruction VZEROUPPER_5 Groups: avx 0x4322a9: vzeroupper ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x004322a9] = '\xc5' mem[0x004322aa] = '\xf8' mem[0x004322ab] = 'w' cpu.RIP = 0x4322a9 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x4322a9], '\xc5') self.assertEqual(mem[0x4322aa], '\xf8') self.assertEqual(mem[0x4322ab], 'w') self.assertEqual(cpu.RIP, 4399788L) def test_VZEROUPPER_6(self): ''' Instruction VZEROUPPER_6 Groups: avx 0x432689: vzeroupper ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x00432689] = '\xc5' mem[0x0043268a] = '\xf8' mem[0x0043268b] = 'w' cpu.RIP = 0x432689 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x432689], '\xc5') self.assertEqual(mem[0x43268a], '\xf8') self.assertEqual(mem[0x43268b], 'w') self.assertEqual(cpu.RIP, 4400780L) def test_XGETBV_1(self): ''' Instruction XGETBV_1 Groups: 0x7ffff7a4eb1b: xgetbv ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx') mem[0x7ffff7a4eb1b] = '\x0f' mem[0x7ffff7a4eb1c] = '\x01' mem[0x7ffff7a4eb1d] = '\xd0' cpu.RIP = 0x7ffff7a4eb1b cpu.RCX = 0x0 cpu.RDX = 0x0 cpu.RAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7a4eb1b], '\x0f') self.assertEqual(mem[0x7ffff7a4eb1c], '\x01') self.assertEqual(mem[0x7ffff7a4eb1d], '\xd0') self.assertEqual(cpu.RAX, 7L) self.assertEqual(cpu.RCX, 0L) self.assertEqual(cpu.RDX, 0L) self.assertEqual(cpu.RIP, 140737348168478L) def test_XGETBV_2(self): ''' Instruction XGETBV_2 Groups: 0x437c0e: xgetbv ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00437000, 0x1000, 'rwx') mem[0x00437c10] = '\xd0' mem[0x00437c0e] = '\x0f' mem[0x00437c0f] = '\x01' cpu.RIP = 0x437c0e cpu.RCX = 0x0 cpu.RDX = 0x0 cpu.RAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x437c10], '\xd0') self.assertEqual(mem[0x437c0e], '\x0f') self.assertEqual(mem[0x437c0f], '\x01') self.assertEqual(cpu.RAX, 7L) self.assertEqual(cpu.RCX, 0L) self.assertEqual(cpu.RDX, 0L) self.assertEqual(cpu.RIP, 4422673L) def test_XGETBV_3(self): ''' Instruction XGETBV_3 Groups: 0x7ffff7a4eb1b: xgetbv ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx') mem[0x7ffff7a4eb1b] = '\x0f' mem[0x7ffff7a4eb1c] = '\x01' mem[0x7ffff7a4eb1d] = '\xd0' cpu.RIP = 0x7ffff7a4eb1b cpu.RCX = 0x0 cpu.RDX = 0x0 cpu.RAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7a4eb1b], '\x0f') self.assertEqual(mem[0x7ffff7a4eb1c], '\x01') self.assertEqual(mem[0x7ffff7a4eb1d], '\xd0') self.assertEqual(cpu.RAX, 7L) self.assertEqual(cpu.RCX, 0L) self.assertEqual(cpu.RDX, 0L) self.assertEqual(cpu.RIP, 140737348168478L) def test_XGETBV_4(self): ''' Instruction XGETBV_4 Groups: 0x43a59e: xgetbv ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0043a000, 0x1000, 'rwx') mem[0x0043a5a0] = '\xd0' mem[0x0043a59e] = '\x0f' mem[0x0043a59f] = '\x01' cpu.RIP = 0x43a59e cpu.RCX = 0x0 cpu.RDX = 0x0 cpu.RAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x43a5a0], '\xd0') self.assertEqual(mem[0x43a59e], '\x0f') self.assertEqual(mem[0x43a59f], '\x01') self.assertEqual(cpu.RAX, 7L) self.assertEqual(cpu.RCX, 0L) self.assertEqual(cpu.RDX, 0L) self.assertEqual(cpu.RIP, 4433313L) def test_XGETBV_5(self): ''' Instruction XGETBV_5 Groups: 0x43791e: xgetbv ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00437000, 0x1000, 'rwx') mem[0x00437920] = '\xd0' mem[0x0043791e] = '\x0f' mem[0x0043791f] = '\x01' cpu.RIP = 0x43791e cpu.RCX = 0x0 cpu.RDX = 0x0 cpu.RAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x437920], '\xd0') self.assertEqual(mem[0x43791e], '\x0f') self.assertEqual(mem[0x43791f], '\x01') self.assertEqual(cpu.RAX, 7L) self.assertEqual(cpu.RCX, 0L) self.assertEqual(cpu.RDX, 0L) self.assertEqual(cpu.RIP, 4421921L) def test_XGETBV_6(self): ''' Instruction XGETBV_6 Groups: 0x437a6e: xgetbv ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00437000, 0x1000, 'rwx') mem[0x00437a70] = '\xd0' mem[0x00437a6e] = '\x0f' mem[0x00437a6f] = '\x01' cpu.RIP = 0x437a6e cpu.RCX = 0x0 cpu.RDX = 0x0 cpu.RAX = 0x0 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x437a70], '\xd0') self.assertEqual(mem[0x437a6e], '\x0f') self.assertEqual(mem[0x437a6f], '\x01') self.assertEqual(cpu.RAX, 7L) self.assertEqual(cpu.RCX, 0L) self.assertEqual(cpu.RDX, 0L) self.assertEqual(cpu.RIP, 4422257L) def test_XORPS_1(self): ''' Instruction XORPS_1 Groups: sse1 0x530d2f: xorps xmm1, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00530000, 0x1000, 'rwx') mem[0x00530d30] = 'W' mem[0x00530d31] = '\xc8' mem[0x00530d2f] = '\x0f' cpu.XMM0 = 0xfffffffe0000002100000040fffffffe cpu.XMM1 = 0xffffffbeffffffdf00000061ffffffbe cpu.RIP = 0x530d2f cpu.execute() #cpu.writeback() self.assertEqual(mem[0x530d30], 'W') self.assertEqual(mem[0x530d31], '\xc8') self.assertEqual(mem[0x530d2f], '\x0f') self.assertEqual(cpu.XMM0, 340282366762482139043588486956268388350L) self.assertEqual(cpu.XMM1, 5149830563390288455574671589440L) self.assertEqual(cpu.RIP, 5442866L) def test_XORPS_2(self): ''' Instruction XORPS_2 Groups: sse1 0x530a6c: xorps xmm1, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00530000, 0x1000, 'rwx') mem[0x00530a6c] = '\x0f' mem[0x00530a6d] = 'W' mem[0x00530a6e] = '\xc8' cpu.XMM0 = 0xfffffffe8000000100000040fffffffe cpu.XMM1 = 0xffffffbe7fffffff80000041ffffffbe cpu.RIP = 0x530a6c cpu.execute() #cpu.writeback() self.assertEqual(mem[0x530a6c], '\x0f') self.assertEqual(mem[0x530a6d], 'W') self.assertEqual(mem[0x530a6e], '\xc8') self.assertEqual(cpu.XMM0, 340282366802096219710424845394334711806L) self.assertEqual(cpu.XMM1, 5149830563399511827474087411776L) self.assertEqual(cpu.RIP, 5442159L) def test_XORPS_3(self): ''' Instruction XORPS_3 Groups: sse1 0x54f76a: xorps xmm0, xmmword ptr [rsp] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x0054f000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x0054f76a] = '\x0f' mem[0x0054f76b] = 'W' mem[0x0054f76c] = '\x04' mem[0x0054f76d] = '$' mem[0x7fffffffccb0] = '\x00' mem[0x7fffffffccb1] = '\x00' mem[0x7fffffffccb2] = '\x00' mem[0x7fffffffccb3] = '\x80' mem[0x7fffffffccb4] = '\xff' mem[0x7fffffffccb5] = '\x7f' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x00' mem[0x7fffffffccb8] = '\xff' mem[0x7fffffffccb9] = '\x7f' mem[0x7fffffffccba] = '\x00' mem[0x7fffffffccbb] = '\x00' mem[0x7fffffffccbc] = '\x00' mem[0x7fffffffccbd] = '\x00' mem[0x7fffffffccbe] = '\x00' mem[0x7fffffffccbf] = '\x80' cpu.XMM0 = 0x0 cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x54f76a cpu.execute() #cpu.writeback() self.assertEqual(mem[0x54f76a], '\x0f') self.assertEqual(mem[0x54f76b], 'W') self.assertEqual(mem[0x54f76c], '\x04') self.assertEqual(mem[0x54f76d], '$') self.assertEqual(mem[0x7fffffffccb0], '\x00') self.assertEqual(mem[0x7fffffffccb1], '\x00') self.assertEqual(mem[0x7fffffffccb2], '\x00') self.assertEqual(mem[0x7fffffffccb3], '\x80') self.assertEqual(mem[0x7fffffffccb4], '\xff') self.assertEqual(mem[0x7fffffffccb5], '\x7f') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(mem[0x7fffffffccb8], '\xff') self.assertEqual(mem[0x7fffffffccb9], '\x7f') self.assertEqual(mem[0x7fffffffccba], '\x00') self.assertEqual(mem[0x7fffffffccbb], '\x00') self.assertEqual(mem[0x7fffffffccbc], '\x00') self.assertEqual(mem[0x7fffffffccbd], '\x00') self.assertEqual(mem[0x7fffffffccbe], '\x00') self.assertEqual(mem[0x7fffffffccbf], '\x80') self.assertEqual(cpu.XMM0, 170141183460469836176150507692102778880L) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 5568366L) def test_XORPS_4(self): ''' Instruction XORPS_4 Groups: sse1 0x540f22: xorps xmm1, xmm0 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00540000, 0x1000, 'rwx') mem[0x00540f22] = '\x0f' mem[0x00540f23] = 'W' mem[0x00540f24] = '\xc8' cpu.XMM0 = 0x200000007f0000002100000020 cpu.XMM1 = 0x21000000200000007f00000021 cpu.RIP = 0x540f22 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x540f22], '\x0f') self.assertEqual(mem[0x540f23], 'W') self.assertEqual(mem[0x540f24], '\xc8') self.assertEqual(cpu.XMM0, 2535301202799195300496253386784L) self.assertEqual(cpu.XMM1, 79228164266705024999678279681L) self.assertEqual(cpu.RIP, 5508901L) def test_XORPS_5(self): ''' Instruction XORPS_5 Groups: sse1 0x560955: xorps xmm0, xmmword ptr [rsp] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00560000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7fffffffccb5] = '\x7f' mem[0x00560956] = 'W' mem[0x7fffffffccb8] = '!' mem[0x00560957] = '\x04' mem[0x7fffffffccb0] = '\xff' mem[0x7fffffffccb1] = '\xff' mem[0x7fffffffccb2] = '\xff' mem[0x7fffffffccb3] = '\xff' mem[0x7fffffffccb4] = '\xff' mem[0x00560955] = '\x0f' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x00' mem[0x00560958] = '$' mem[0x7fffffffccb9] = 'C' mem[0x7fffffffccba] = 'e' mem[0x7fffffffccbb] = '\x87' mem[0x7fffffffccbc] = '\xff' mem[0x7fffffffccbd] = '\xff' mem[0x7fffffffccbe] = '\xff' mem[0x7fffffffccbf] = '\xff' cpu.XMM0 = 0xffffffff8765432100007fffffffffff cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x560955 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7fffffffccbb], '\x87') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(mem[0x7fffffffccbf], '\xff') self.assertEqual(mem[0x7fffffffccb0], '\xff') self.assertEqual(mem[0x7fffffffccb1], '\xff') self.assertEqual(mem[0x7fffffffccb2], '\xff') self.assertEqual(mem[0x7fffffffccb3], '\xff') self.assertEqual(mem[0x7fffffffccb4], '\xff') self.assertEqual(mem[0x560955], '\x0f') self.assertEqual(mem[0x560956], 'W') self.assertEqual(mem[0x560957], '\x04') self.assertEqual(mem[0x560958], '$') self.assertEqual(mem[0x7fffffffccb9], 'C') self.assertEqual(mem[0x7fffffffccba], 'e') self.assertEqual(mem[0x7fffffffccb8], '!') self.assertEqual(mem[0x7fffffffccbc], '\xff') self.assertEqual(mem[0x7fffffffccbd], '\xff') self.assertEqual(mem[0x7fffffffccbe], '\xff') self.assertEqual(mem[0x7fffffffccb5], '\x7f') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 5638489L) def test_XORPS_6(self): ''' Instruction XORPS_6 Groups: sse1 0x551ec4: xorps xmm0, xmmword ptr [rsp] ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x00551000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x00551ec4] = '\x0f' mem[0x00551ec5] = 'W' mem[0x00551ec6] = '\x04' mem[0x00551ec7] = '$' mem[0x7fffffffccb0] = '\x00' mem[0x7fffffffccb1] = '\x00' mem[0x7fffffffccb2] = '\x00' mem[0x7fffffffccb3] = '\x80' mem[0x7fffffffccb4] = ' ' mem[0x7fffffffccb5] = '\x00' mem[0x7fffffffccb6] = '\x00' mem[0x7fffffffccb7] = '\x00' mem[0x7fffffffccb8] = ' ' mem[0x7fffffffccb9] = '\x00' mem[0x7fffffffccba] = '\x00' mem[0x7fffffffccbb] = '\x00' mem[0x7fffffffccbc] = '\x00' mem[0x7fffffffccbd] = '\x00' mem[0x7fffffffccbe] = '\x00' mem[0x7fffffffccbf] = '\x80' cpu.XMM0 = 0x80000000000000200000002080000000 cpu.RSP = 0x7fffffffccb0 cpu.RIP = 0x551ec4 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x551ec4], '\x0f') self.assertEqual(mem[0x551ec5], 'W') self.assertEqual(mem[0x551ec6], '\x04') self.assertEqual(mem[0x551ec7], '$') self.assertEqual(mem[0x7fffffffccb0], '\x00') self.assertEqual(mem[0x7fffffffccb1], '\x00') self.assertEqual(mem[0x7fffffffccb2], '\x00') self.assertEqual(mem[0x7fffffffccb3], '\x80') self.assertEqual(mem[0x7fffffffccb4], ' ') self.assertEqual(mem[0x7fffffffccb5], '\x00') self.assertEqual(mem[0x7fffffffccb6], '\x00') self.assertEqual(mem[0x7fffffffccb7], '\x00') self.assertEqual(mem[0x7fffffffccb8], ' ') self.assertEqual(mem[0x7fffffffccb9], '\x00') self.assertEqual(mem[0x7fffffffccba], '\x00') self.assertEqual(mem[0x7fffffffccbb], '\x00') self.assertEqual(mem[0x7fffffffccbc], '\x00') self.assertEqual(mem[0x7fffffffccbd], '\x00') self.assertEqual(mem[0x7fffffffccbe], '\x00') self.assertEqual(mem[0x7fffffffccbf], '\x80') self.assertEqual(cpu.XMM0, 0) self.assertEqual(cpu.RSP, 140737488342192L) self.assertEqual(cpu.RIP, 5578440L) def test_XOR_1(self): ''' Instruction XOR_1 Groups: 0x7ffff7de6223: xor eax, eax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6223] = '1' mem[0x7ffff7de6224] = '\xc0' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de6223 cpu.EAX = 0xffffff00 cpu.PF = False cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de6223], '1') self.assertEqual(mem[0x7ffff7de6224], '\xc0') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351934501L) self.assertEqual(cpu.EAX, 0L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_XOR_2(self): ''' Instruction XOR_2 Groups: 0x7ffff7de405a: xor rdx, r13 ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de405a] = 'L' mem[0x7ffff7de405b] = '1' mem[0x7ffff7de405c] = '\xea' cpu.PF = True cpu.R13 = 0x7c96f087 cpu.SF = False cpu.OF = False cpu.ZF = True cpu.CF = False cpu.RIP = 0x7ffff7de405a cpu.RDX = 0x7c96f087 cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de405a], 'L') self.assertEqual(mem[0x7ffff7de405b], '1') self.assertEqual(mem[0x7ffff7de405c], '\xea') self.assertEqual(cpu.PF, True) self.assertEqual(cpu.R13, 2090266759L) self.assertEqual(cpu.SF, False) self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351925853L) self.assertEqual(cpu.RDX, 0L) def test_XOR_3(self): ''' Instruction XOR_3 Groups: 0x7ffff7df45a0: xor eax, eax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df45a0] = '1' mem[0x7ffff7df45a1] = '\xc0' cpu.OF = False cpu.ZF = True cpu.CF = False cpu.RIP = 0x7ffff7df45a0 cpu.EAX = 0xf7ff7c00 cpu.PF = True cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df45a0], '1') self.assertEqual(mem[0x7ffff7df45a1], '\xc0') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351992738L) self.assertEqual(cpu.EAX, 0L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_XOR_4(self): ''' Instruction XOR_4 Groups: 0x7ffff7de3ff6: xor edx, edx ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3ff6] = '1' mem[0x7ffff7de3ff7] = '\xd2' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de3ff6 cpu.PF = False cpu.EDX = 0x3f3 cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de3ff6], '1') self.assertEqual(mem[0x7ffff7de3ff7], '\xd2') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351925752L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.EDX, 0L) self.assertEqual(cpu.SF, False) def test_XOR_5(self): ''' Instruction XOR_5 Groups: 0x7ffff7df40cc: xor eax, eax ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df40cc] = '1' mem[0x7ffff7df40cd] = '\xc0' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7df40cc cpu.EAX = 0x3c340000 cpu.PF = False cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7df40cc], '1') self.assertEqual(mem[0x7ffff7df40cd], '\xc0') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351991502L) self.assertEqual(cpu.EAX, 0L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_XOR_6(self): ''' Instruction XOR_6 Groups: 0x7ffff7de3699: xor r10d, r10d ''' mem = Memory64() cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3699] = 'E' mem[0x7ffff7de369a] = '1' mem[0x7ffff7de369b] = '\xd2' cpu.OF = False cpu.ZF = False cpu.CF = False cpu.RIP = 0x7ffff7de3699 cpu.R10D = 0xf7a2e000 cpu.PF = True cpu.SF = False cpu.execute() #cpu.writeback() self.assertEqual(mem[0x7ffff7de3699], 'E') self.assertEqual(mem[0x7ffff7de369a], '1') self.assertEqual(mem[0x7ffff7de369b], '\xd2') self.assertEqual(cpu.OF, False) self.assertEqual(cpu.ZF, True) self.assertEqual(cpu.CF, False) self.assertEqual(cpu.RIP, 140737351923356L) self.assertEqual(cpu.R10D, 0L) self.assertEqual(cpu.PF, True) self.assertEqual(cpu.SF, False) def test_ADD_1_symbolic(self): ''' Instruction ADD_1 Groups: 0x7ffff7de438b: add rcx, 1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de438b] = 'H' mem[0x7ffff7de438c] = '\x83' mem[0x7ffff7de438d] = '\xc1' mem[0x7ffff7de438e] = '\x01' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x7ffff7ba0aba) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de438b cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438b, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438c, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438d, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438e, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RCX == 0x7ffff7ba0abb) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de438f) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ADD_2_symbolic(self): ''' Instruction ADD_2 Groups: 0x7ffff7de4396: add rax, rdx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4398] = '\xd0' mem[0x7ffff7de4396] = 'H' mem[0x7ffff7de4397] = '\x01' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x310ef63c39) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de4396 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x65) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4398, 8)== ord('\xd0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4396, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4397, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.RAX == 0x310ef63c9e) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4399) condition = Operators.AND(condition, cpu.RDX == 0x65) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ADD_3_symbolic(self): ''' Instruction ADD_3 Groups: 0x7ffff7de6128: add rdx, 0x18 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6128] = 'H' mem[0x7ffff7de6129] = '\x83' mem[0x7ffff7de612a] = '\xc2' mem[0x7ffff7de612b] = '\x18' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6128 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x7ffff7a4c978) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6128, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6129, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de612a, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de612b, 8)== ord('\x18')) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.AF == True) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de612c) condition = Operators.AND(condition, cpu.RDX == 0x7ffff7a4c990) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ADD_4_symbolic(self): ''' Instruction ADD_4 Groups: 0x7ffff7de3960: add r12, 1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3960] = 'I' mem[0x7ffff7de3961] = '\x83' mem[0x7ffff7de3962] = '\xc4' mem[0x7ffff7de3963] = '\x01' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.R12 = cs.new_bitvec(64) cs.add(cpu.R12 == 0x0) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de3960 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3960, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3961, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3962, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3963, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.R12 == 0x1) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3964) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ADD_5_symbolic(self): ''' Instruction ADD_5 Groups: 0x7ffff7de6124: add rax, qword ptr [rdx + 0x10] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a49000, 0x1000, 'rwx') mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a490d0) value = cs.new_bitvec(8) cs.add(value == 0x25) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a490d1) value = cs.new_bitvec(8) cs.add(value == 0x5b) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a490d2) value = cs.new_bitvec(8) cs.add(value == 0x17) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a490d3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a490d4) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a490d5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a490d6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a490d7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7de6124] = 'H' mem[0x7ffff7de6125] = '\x03' mem[0x7ffff7de6126] = 'B' mem[0x7ffff7de6127] = '\x10' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x7ffff7a2e000) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6124 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x7ffff7a490c0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d0, 8)== ord('%')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d1, 8)== ord('[')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d2, 8)== ord('\x17')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6124, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6125, 8)== ord('\x03')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6126, 8)== ord('B')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6127, 8)== ord('\x10')) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.RAX == 0x7ffff7ba3b25) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6128) condition = Operators.AND(condition, cpu.RDX == 0x7ffff7a490c0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ADD_6_symbolic(self): ''' Instruction ADD_6 Groups: 0x7ffff7de6124: add rax, qword ptr [rdx + 0x10] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a4b000, 0x1000, 'rwx') mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a4bcc8) value = cs.new_bitvec(8) cs.add(value == 0xc0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a4bcc9) value = cs.new_bitvec(8) cs.add(value == 0x88) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a4bcca) value = cs.new_bitvec(8) cs.add(value == 0x7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a4bccb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a4bccc) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a4bccd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a4bcce) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a4bccf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7de6124] = 'H' mem[0x7ffff7de6125] = '\x03' mem[0x7ffff7de6126] = 'B' mem[0x7ffff7de6127] = '\x10' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x7ffff7a2e000) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6124 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x7ffff7a4bcb8) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bcc8, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bcc9, 8)== ord('\x88')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bcca, 8)== ord('\x07')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bccb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bccc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bccd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bcce, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bccf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6124, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6125, 8)== ord('\x03')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6126, 8)== ord('B')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6127, 8)== ord('\x10')) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RAX == 0x7ffff7aa68c0) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6128) condition = Operators.AND(condition, cpu.RDX == 0x7ffff7a4bcb8) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_AND_1_symbolic(self): ''' Instruction AND_1 Groups: 0x7ffff7b58f2f: and r9d, 0xf ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f30] = '\x83' mem[0x7ffff7b58f31] = '\xe1' mem[0x7ffff7b58f32] = '\x0f' mem[0x7ffff7b58f2f] = 'A' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7b58f2f cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.R9D = cs.new_bitvec(32) cs.add(cpu.R9D == 0x12) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f30, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f31, 8)== ord('\xe1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f32, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f2f, 8)== ord('A')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f33) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.R9D == 0x2) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_AND_2_symbolic(self): ''' Instruction AND_2 Groups: 0x7ffff7aa7bd0: and edx, 0x808 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7aa7000, 0x1000, 'rwx') mem[0x7ffff7aa7bd0] = '\x81' mem[0x7ffff7aa7bd1] = '\xe2' mem[0x7ffff7aa7bd2] = '\x08' mem[0x7ffff7aa7bd3] = '\x08' mem[0x7ffff7aa7bd4] = '\x00' mem[0x7ffff7aa7bd5] = '\x00' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7aa7bd0 cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0xfbad2807) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa7bd0, 8)== ord('\x81')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa7bd1, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa7bd2, 8)== ord('\x08')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa7bd3, 8)== ord('\x08')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa7bd4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa7bd5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aa7bd6) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.EDX == 0x800) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_AND_3_symbolic(self): ''' Instruction AND_3 Groups: 0x7ffff7b58f2f: and r9d, 0xf ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f30] = '\x83' mem[0x7ffff7b58f31] = '\xe1' mem[0x7ffff7b58f32] = '\x0f' mem[0x7ffff7b58f2f] = 'A' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7b58f2f cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.R9D = cs.new_bitvec(32) cs.add(cpu.R9D == 0x12) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f30, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f31, 8)== ord('\xe1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f32, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f2f, 8)== ord('A')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f33) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.R9D == 0x2) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_AND_4_symbolic(self): ''' Instruction AND_4 Groups: 0x7ffff7de3930: and rax, rsi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3930] = 'H' mem[0x7ffff7de3931] = '!' mem[0x7ffff7de3932] = '\xf0' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x13) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x9) cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x7ffff7de3930 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3930, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3931, 8)== ord('!')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3932, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.RSI == 0x13) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RAX == 0x1) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3933) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_AND_5_symbolic(self): ''' Instruction AND_5 Groups: 0x7ffff7b58f2f: and r9d, 0xf ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f30] = '\x83' mem[0x7ffff7b58f31] = '\xe1' mem[0x7ffff7b58f32] = '\x0f' mem[0x7ffff7b58f2f] = 'A' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7b58f2f cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.R9D = cs.new_bitvec(32) cs.add(cpu.R9D == 0x12) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f30, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f31, 8)== ord('\xe1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f32, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f2f, 8)== ord('A')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f33) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.R9D == 0x2) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_AND_6_symbolic(self): ''' Instruction AND_6 Groups: 0x7ffff7de3909: and ecx, dword ptr [rbx + 0x2f0] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem.mmap(0x7ffff7ff7000, 0x1000, 'rwx') mem[0x7ffff7de390b] = '\xf0' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ff794a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ff7949) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ff7948) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value mem[0x7ffff7de3909] = '#' mem[0x7ffff7de390a] = '\x8b' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ff794b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7de390c] = '\x02' mem[0x7ffff7de390d] = '\x00' mem[0x7ffff7de390e] = '\x00' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x7ffff7ff7658) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0x1c5e843) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de3909 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ff794b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ff794a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ff7949, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ff7948, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3909, 8)== ord('#')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de390a, 8)== ord('\x8b')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de390b, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de390c, 8)== ord('\x02')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de390d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de390e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.RBX == 0x7ffff7ff7658) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.ECX == 0x43) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de390f) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BSF_1_symbolic(self): ''' Instruction BSF_1 Groups: 0x4184cd: bsf eax, edx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x4184cd] = '\x0f' mem[0x4184ce] = '\xbc' mem[0x4184cf] = '\xc2' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x495045) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x80) cpu.RIP = 0x4184cd done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4184cd, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4184ce, 8)== ord('\xbc')) condition = Operators.AND(condition, cpu.read_int(0x4184cf, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.EAX == 0x7) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.EDX == 0x80) condition = Operators.AND(condition, cpu.RIP == 0x4184d0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BSF_2_symbolic(self): ''' Instruction BSF_2 Groups: 0x4183ed: bsf eax, edx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x4183ed] = '\x0f' mem[0x4183ee] = '\xbc' mem[0x4183ef] = '\xc2' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x4a5301) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x5) cpu.RIP = 0x4183ed done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4183ed, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4183ee, 8)== ord('\xbc')) condition = Operators.AND(condition, cpu.read_int(0x4183ef, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.EAX == 0x0) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.EDX == 0x5) condition = Operators.AND(condition, cpu.RIP == 0x4183f0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BSF_3_symbolic(self): ''' Instruction BSF_3 Groups: 0x4184bd: bsf eax, edx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x4184bd] = '\x0f' mem[0x4184be] = '\xbc' mem[0x4184bf] = '\xc2' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x495085) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x80) cpu.RIP = 0x4184bd done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4184bd, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4184be, 8)== ord('\xbc')) condition = Operators.AND(condition, cpu.read_int(0x4184bf, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.EAX == 0x7) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.EDX == 0x80) condition = Operators.AND(condition, cpu.RIP == 0x4184c0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BSF_4_symbolic(self): ''' Instruction BSF_4 Groups: 0x41850a: bsf rax, rdx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x41850a] = 'H' mem[0x41850b] = '\x0f' mem[0x41850c] = '\xbc' mem[0x41850d] = '\xc2' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x41850a cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x495100) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x800200020000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x41850a, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x41850b, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x41850c, 8)== ord('\xbc')) condition = Operators.AND(condition, cpu.read_int(0x41850d, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RAX == 0x11) condition = Operators.AND(condition, cpu.RIP == 0x41850e) condition = Operators.AND(condition, cpu.RDX == 0x800200020000) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BSF_5_symbolic(self): ''' Instruction BSF_5 Groups: 0x7ffff7ab5d0a: bsf rax, rdx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx') mem[0x7ffff7ab5d0a] = 'H' mem[0x7ffff7ab5d0b] = '\x0f' mem[0x7ffff7ab5d0c] = '\xbc' mem[0x7ffff7ab5d0d] = '\xc2' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7ab5d0a cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x5555555549c0) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0xe0e0e0e0ee080000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5d0a, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5d0b, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5d0c, 8)== ord('\xbc')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5d0d, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RAX == 0x13) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab5d0e) condition = Operators.AND(condition, cpu.RDX == 0xe0e0e0e0ee080000) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BSF_6_symbolic(self): ''' Instruction BSF_6 Groups: 0x4183ed: bsf eax, edx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x4183ed] = '\x0f' mem[0x4183ee] = '\xbc' mem[0x4183ef] = '\xc2' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x494d05) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x80) cpu.RIP = 0x4183ed done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4183ed, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4183ee, 8)== ord('\xbc')) condition = Operators.AND(condition, cpu.read_int(0x4183ef, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.EAX == 0x7) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.EDX == 0x80) condition = Operators.AND(condition, cpu.RIP == 0x4183f0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BSR_1_symbolic(self): ''' Instruction BSR_1 Groups: 0x4008b7: bsr esi, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x4008b8] = '\xbd' mem[0x4008b9] = '\xf6' mem[0x4008b7] = '\x0f' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RIP = 0x4008b7 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0xf) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4008b8, 8)== ord('\xbd')) condition = Operators.AND(condition, cpu.read_int(0x4008b9, 8)== ord('\xf6')) condition = Operators.AND(condition, cpu.read_int(0x4008b7, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.ESI == 0x3) condition = Operators.AND(condition, cpu.RIP == 0x4008ba) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BSR_2_symbolic(self): ''' Instruction BSR_2 Groups: 0x400907: bsr esi, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x400908] = '\xbd' mem[0x400909] = '\xf6' mem[0x400907] = '\x0f' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RIP = 0x400907 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0xf) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x400908, 8)== ord('\xbd')) condition = Operators.AND(condition, cpu.read_int(0x400909, 8)== ord('\xf6')) condition = Operators.AND(condition, cpu.read_int(0x400907, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.ESI == 0x3) condition = Operators.AND(condition, cpu.RIP == 0x40090a) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BSR_3_symbolic(self): ''' Instruction BSR_3 Groups: 0x457ac8: bsr rsi, rsi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457ac8] = 'H' mem[0x457ac9] = '\x0f' mem[0x457aca] = '\xbd' mem[0x457acb] = '\xf6' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x4100800) cpu.RIP = 0x457ac8 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457ac8, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x457ac9, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x457aca, 8)== ord('\xbd')) condition = Operators.AND(condition, cpu.read_int(0x457acb, 8)== ord('\xf6')) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RSI == 0x1a) condition = Operators.AND(condition, cpu.RIP == 0x457acc) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BSR_4_symbolic(self): ''' Instruction BSR_4 Groups: 0x400847: bsr esi, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x400848] = '\xbd' mem[0x400849] = '\xf6' mem[0x400847] = '\x0f' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RIP = 0x400847 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0xf) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x400848, 8)== ord('\xbd')) condition = Operators.AND(condition, cpu.read_int(0x400849, 8)== ord('\xf6')) condition = Operators.AND(condition, cpu.read_int(0x400847, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.ESI == 0x3) condition = Operators.AND(condition, cpu.RIP == 0x40084a) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BSR_5_symbolic(self): ''' Instruction BSR_5 Groups: 0x457c18: bsr rsi, rsi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457c18] = 'H' mem[0x457c19] = '\x0f' mem[0x457c1a] = '\xbd' mem[0x457c1b] = '\xf6' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x41008000) cpu.RIP = 0x457c18 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457c18, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x457c19, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x457c1a, 8)== ord('\xbd')) condition = Operators.AND(condition, cpu.read_int(0x457c1b, 8)== ord('\xf6')) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RSI == 0x1e) condition = Operators.AND(condition, cpu.RIP == 0x457c1c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BSR_6_symbolic(self): ''' Instruction BSR_6 Groups: 0x457db8: bsr rsi, rsi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457db8] = 'H' mem[0x457db9] = '\x0f' mem[0x457dba] = '\xbd' mem[0x457dbb] = '\xf6' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x4100800) cpu.RIP = 0x457db8 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457db8, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x457db9, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x457dba, 8)== ord('\xbd')) condition = Operators.AND(condition, cpu.read_int(0x457dbb, 8)== ord('\xf6')) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RSI == 0x1a) condition = Operators.AND(condition, cpu.RIP == 0x457dbc) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BT_1_symbolic(self): ''' Instruction BT_1 Groups: 0x7ffff7de36b5: bt r8d, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de36b8] = '\xc0' mem[0x7ffff7de36b5] = 'A' mem[0x7ffff7de36b6] = '\x0f' mem[0x7ffff7de36b7] = '\xa3' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x1) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de36b5 cpu.R8D = cs.new_bitvec(32) cs.add(cpu.R8D == 0x467) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b8, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b5, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b6, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b7, 8)== ord('\xa3')) condition = Operators.AND(condition, cpu.EAX == 0x1) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de36b9) condition = Operators.AND(condition, cpu.R8D == 0x467) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BT_2_symbolic(self): ''' Instruction BT_2 Groups: 0x7ffff7de36b5: bt r8d, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de36b8] = '\xc0' mem[0x7ffff7de36b5] = 'A' mem[0x7ffff7de36b6] = '\x0f' mem[0x7ffff7de36b7] = '\xa3' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x2) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de36b5 cpu.R8D = cs.new_bitvec(32) cs.add(cpu.R8D == 0x467) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b8, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b5, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b6, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b7, 8)== ord('\xa3')) condition = Operators.AND(condition, cpu.EAX == 0x2) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de36b9) condition = Operators.AND(condition, cpu.R8D == 0x467) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BT_3_symbolic(self): ''' Instruction BT_3 Groups: 0x7ffff7de36b5: bt r8d, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de36b8] = '\xc0' mem[0x7ffff7de36b5] = 'A' mem[0x7ffff7de36b6] = '\x0f' mem[0x7ffff7de36b7] = '\xa3' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x2) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de36b5 cpu.R8D = cs.new_bitvec(32) cs.add(cpu.R8D == 0x467) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b8, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b5, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b6, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b7, 8)== ord('\xa3')) condition = Operators.AND(condition, cpu.EAX == 0x2) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de36b9) condition = Operators.AND(condition, cpu.R8D == 0x467) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BT_4_symbolic(self): ''' Instruction BT_4 Groups: 0x7ffff7de36b5: bt r8d, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de36b8] = '\xc0' mem[0x7ffff7de36b5] = 'A' mem[0x7ffff7de36b6] = '\x0f' mem[0x7ffff7de36b7] = '\xa3' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x1) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de36b5 cpu.R8D = cs.new_bitvec(32) cs.add(cpu.R8D == 0x467) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b8, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b5, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b6, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b7, 8)== ord('\xa3')) condition = Operators.AND(condition, cpu.EAX == 0x1) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de36b9) condition = Operators.AND(condition, cpu.R8D == 0x467) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BT_5_symbolic(self): ''' Instruction BT_5 Groups: 0x7ffff7de36b5: bt r8d, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de36b8] = '\xc0' mem[0x7ffff7de36b5] = 'A' mem[0x7ffff7de36b6] = '\x0f' mem[0x7ffff7de36b7] = '\xa3' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x1) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de36b5 cpu.R8D = cs.new_bitvec(32) cs.add(cpu.R8D == 0x467) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b8, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b5, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b6, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b7, 8)== ord('\xa3')) condition = Operators.AND(condition, cpu.EAX == 0x1) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de36b9) condition = Operators.AND(condition, cpu.R8D == 0x467) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_BT_6_symbolic(self): ''' Instruction BT_6 Groups: 0x7ffff7de36b5: bt r8d, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de36b8] = '\xc0' mem[0x7ffff7de36b5] = 'A' mem[0x7ffff7de36b6] = '\x0f' mem[0x7ffff7de36b7] = '\xa3' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x2) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de36b5 cpu.R8D = cs.new_bitvec(32) cs.add(cpu.R8D == 0x467) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b8, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b5, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b6, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b7, 8)== ord('\xa3')) condition = Operators.AND(condition, cpu.EAX == 0x2) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de36b9) condition = Operators.AND(condition, cpu.R8D == 0x467) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CALL_1_symbolic(self): ''' Instruction CALL_1 Groups: call, mode64 0x7ffff7de447a: call 0x7ffff7de3800 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd880) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd881) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd882) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd883) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd884) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd885) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd886) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd887) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd888) value = cs.new_bitvec(8) cs.add(value == 0x48) mem[addr] = value mem[0x7ffff7de447a] = '\xe8' mem[0x7ffff7de447b] = '\x81' mem[0x7ffff7de447c] = '\xf3' mem[0x7ffff7de447d] = '\xff' mem[0x7ffff7de447e] = '\xff' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd878) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd879) value = cs.new_bitvec(8) cs.add(value == 0x44) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87a) value = cs.new_bitvec(8) cs.add(value == 0xde) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87b) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd880) cpu.RIP = 0x7ffff7de447a cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffd9a0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffd880, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd881, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd882, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd883, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd884, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd885, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd886, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd887, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd888, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87a, 8)== ord('\xde')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87b, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd878, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd879, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447a, 8)== ord('\xe8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447b, 8)== ord('\x81')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447c, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447d, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447e, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd878) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3800) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd9a0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CALL_2_symbolic(self): ''' Instruction CALL_2 Groups: call, mode64 0x7ffff7a780e1: call qword ptr [r8 + 0x38] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem.mmap(0x7ffff7dd2000, 0x1000, 'rwx') mem.mmap(0x7fffffffb000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdb8) value = cs.new_bitvec(8) cs.add(value == 0xa2) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdb9) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdba) value = cs.new_bitvec(8) cs.add(value == 0xa7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdbb) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdbc) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdbd) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdbe) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdbf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdc0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdc1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdc2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdc3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdc4) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdc5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdc6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdc7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffbdc8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7a780e1] = 'A' mem[0x7ffff7a780e2] = '\xff' mem[0x7ffff7a780e3] = 'P' mem[0x7ffff7a780e4] = '8' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd2578) value = cs.new_bitvec(8) cs.add(value == 0x60) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd2579) value = cs.new_bitvec(8) cs.add(value == 0x96) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd257a) value = cs.new_bitvec(8) cs.add(value == 0xaa) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd257b) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd257c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd257d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd257e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd257f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffbdc0) cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x7ffff7dd2540) cpu.RIP = 0x7ffff7a780e1 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffc330) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdb8, 8)== ord('\xe5')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdb9, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdba, 8)== ord('\xa7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdbb, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdbc, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdbd, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdbe, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdbf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a780e1, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a780e2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a780e3, 8)== ord('P')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a780e4, 8)== ord('8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd2578, 8)== ord('`')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd2579, 8)== ord('\x96')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd257a, 8)== ord('\xaa')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd257b, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd257c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd257d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd257e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd257f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.R8 == 0x7ffff7dd2540) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffbdb8) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aa9660) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffc330) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CALL_3_symbolic(self): ''' Instruction CALL_3 Groups: call, mode64 0x4554b0: call 0x45c7a0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00455000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda18) value = cs.new_bitvec(8) cs.add(value == 0xda) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda19) value = cs.new_bitvec(8) cs.add(value == 0x53) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda1a) value = cs.new_bitvec(8) cs.add(value == 0x45) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda1b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda1c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda1d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda1e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda1f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda20) value = cs.new_bitvec(8) cs.add(value == 0x6) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda21) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda22) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda23) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda24) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda25) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda26) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda27) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda28) value = cs.new_bitvec(8) cs.add(value == 0x4) mem[addr] = value mem[0x4554b0] = '\xe8' mem[0x4554b1] = '\xeb' mem[0x4554b2] = 'r' mem[0x4554b3] = '\x00' mem[0x4554b4] = '\x00' cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffda20) cpu.RIP = 0x4554b0 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffdad0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffda18, 8)== ord('\xb5')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda19, 8)== ord('T')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda1a, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda1b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda1c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda1d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda1e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda1f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda20, 8)== ord('\x06')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda21, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda22, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda23, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda24, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda25, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda26, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda27, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda28, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x4554b0, 8)== ord('\xe8')) condition = Operators.AND(condition, cpu.read_int(0x4554b1, 8)== ord('\xeb')) condition = Operators.AND(condition, cpu.read_int(0x4554b2, 8)== ord('r')) condition = Operators.AND(condition, cpu.read_int(0x4554b3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x4554b4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffda18) condition = Operators.AND(condition, cpu.RIP == 0x45c7a0) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdad0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CALL_4_symbolic(self): ''' Instruction CALL_4 Groups: call, mode64 0x7ffff7de447a: call 0x7ffff7de3800 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd880) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd881) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd882) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd883) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd884) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd885) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd886) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd887) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd888) value = cs.new_bitvec(8) cs.add(value == 0x48) mem[addr] = value mem[0x7ffff7de447a] = '\xe8' mem[0x7ffff7de447b] = '\x81' mem[0x7ffff7de447c] = '\xf3' mem[0x7ffff7de447d] = '\xff' mem[0x7ffff7de447e] = '\xff' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd878) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd879) value = cs.new_bitvec(8) cs.add(value == 0x44) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87a) value = cs.new_bitvec(8) cs.add(value == 0xde) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87b) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd880) cpu.RIP = 0x7ffff7de447a cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffd9a0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffd880, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd881, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd882, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd883, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd884, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd885, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd886, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd887, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd888, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87a, 8)== ord('\xde')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87b, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd878, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd879, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447a, 8)== ord('\xe8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447b, 8)== ord('\x81')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447c, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447d, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447e, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd878) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3800) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd9a0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CALL_5_symbolic(self): ''' Instruction CALL_5 Groups: call, mode64 0x7ffff7de40a6: call 0x7ffff7de3660 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd808) value = cs.new_bitvec(8) cs.add(value == 0xab) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd809) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd80a) value = cs.new_bitvec(8) cs.add(value == 0xde) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd80b) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd80c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd80d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd80e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd80f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd810) value = cs.new_bitvec(8) cs.add(value == 0xec) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd811) value = cs.new_bitvec(8) cs.add(value == 0x4) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd812) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd813) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd814) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd815) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd816) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd817) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd818) value = cs.new_bitvec(8) cs.add(value == 0xd8) mem[addr] = value mem[0x7ffff7de40a6] = '\xe8' mem[0x7ffff7de40a7] = '\xb5' mem[0x7ffff7de40a8] = '\xf5' mem[0x7ffff7de40a9] = '\xff' mem[0x7ffff7de40aa] = '\xff' cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd810) cpu.RIP = 0x7ffff7de40a6 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffd900) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffd808, 8)== ord('\xab')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd809, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd80a, 8)== ord('\xde')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd80b, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd80c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd80d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd80e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd80f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd810, 8)== ord('\xec')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd811, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd812, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd813, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd814, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd815, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd816, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd817, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd818, 8)== ord('\xd8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de40a6, 8)== ord('\xe8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de40a7, 8)== ord('\xb5')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de40a8, 8)== ord('\xf5')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de40a9, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de40aa, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd808) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3660) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd900) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CALL_6_symbolic(self): ''' Instruction CALL_6 Groups: call, mode64 0x45f878: call 0x413490 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0045f000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb00) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb01) value = cs.new_bitvec(8) cs.add(value == 0x53) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb02) value = cs.new_bitvec(8) cs.add(value == 0x4a) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb03) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb04) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb05) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb06) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb07) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb08) value = cs.new_bitvec(8) cs.add(value == 0xf4) mem[addr] = value mem[0x45f878] = '\xe8' mem[0x45f879] = '\x13' mem[0x45f87a] = '<' mem[0x45f87b] = '\xfb' mem[0x45f87c] = '\xff' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf8) value = cs.new_bitvec(8) cs.add(value == 0x39) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf9) value = cs.new_bitvec(8) cs.add(value == 0xf8) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdafa) value = cs.new_bitvec(8) cs.add(value == 0x45) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdafb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdafc) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdafd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdafe) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaff) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffdb00) cpu.RIP = 0x45f878 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffdb20) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb00, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb01, 8)== ord('S')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb02, 8)== ord('J')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb03, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb04, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb05, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb06, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb07, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb08, 8)== ord('\xf4')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf8, 8)== ord('}')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf9, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafa, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x45f878, 8)== ord('\xe8')) condition = Operators.AND(condition, cpu.read_int(0x45f879, 8)== ord('\x13')) condition = Operators.AND(condition, cpu.read_int(0x45f87a, 8)== ord('<')) condition = Operators.AND(condition, cpu.read_int(0x45f87b, 8)== ord('\xfb')) condition = Operators.AND(condition, cpu.read_int(0x45f87c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafe, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaff, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffdaf8) condition = Operators.AND(condition, cpu.RIP == 0x413490) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdb20) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CDQE_1_symbolic(self): ''' Instruction CDQE_1 Groups: 0x400aa0: cdqe ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x400aa0] = 'H' mem[0x400aa1] = '\x98' cpu.RIP = 0x400aa0 cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x92) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x400aa0, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x400aa1, 8)== ord('\x98')) condition = Operators.AND(condition, cpu.RAX == 0x92) condition = Operators.AND(condition, cpu.RIP == 0x400aa2) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CDQE_2_symbolic(self): ''' Instruction CDQE_2 Groups: 0x400aa0: cdqe ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x400aa0] = 'H' mem[0x400aa1] = '\x98' cpu.RIP = 0x400aa0 cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x5a) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x400aa0, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x400aa1, 8)== ord('\x98')) condition = Operators.AND(condition, cpu.RAX == 0x5a) condition = Operators.AND(condition, cpu.RIP == 0x400aa2) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CDQE_3_symbolic(self): ''' Instruction CDQE_3 Groups: 0x400aa0: cdqe ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x400aa0] = 'H' mem[0x400aa1] = '\x98' cpu.RIP = 0x400aa0 cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x80) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x400aa0, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x400aa1, 8)== ord('\x98')) condition = Operators.AND(condition, cpu.RAX == 0x80) condition = Operators.AND(condition, cpu.RIP == 0x400aa2) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CDQE_4_symbolic(self): ''' Instruction CDQE_4 Groups: 0x400acf: cdqe ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x400ad0] = '\x98' mem[0x400acf] = 'H' cpu.RIP = 0x400acf cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x98) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x400ad0, 8)== ord('\x98')) condition = Operators.AND(condition, cpu.read_int(0x400acf, 8)== ord('H')) condition = Operators.AND(condition, cpu.RAX == 0x98) condition = Operators.AND(condition, cpu.RIP == 0x400ad1) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CDQE_5_symbolic(self): ''' Instruction CDQE_5 Groups: 0x400aa0: cdqe ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x400aa0] = 'H' mem[0x400aa1] = '\x98' cpu.RIP = 0x400aa0 cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x73) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x400aa0, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x400aa1, 8)== ord('\x98')) condition = Operators.AND(condition, cpu.RAX == 0x73) condition = Operators.AND(condition, cpu.RIP == 0x400aa2) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CDQE_6_symbolic(self): ''' Instruction CDQE_6 Groups: 0x400b07: cdqe ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x400b08] = '\x98' mem[0x400b07] = 'H' cpu.RIP = 0x400b07 cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0xc6) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x400b08, 8)== ord('\x98')) condition = Operators.AND(condition, cpu.read_int(0x400b07, 8)== ord('H')) condition = Operators.AND(condition, cpu.RAX == 0xc6) condition = Operators.AND(condition, cpu.RIP == 0x400b09) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CLC_1_symbolic(self): ''' Instruction CLC_1 Groups: 0x46a9fc: clc ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0046a000, 0x1000, 'rwx') mem[0x46a9fc] = '\xf8' cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x46a9fc done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x46a9fc, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x46a9fd) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CLC_2_symbolic(self): ''' Instruction CLC_2 Groups: 0x7542c8: clc ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00754000, 0x1000, 'rwx') mem[0x7542c8] = '\xf8' cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x7542c8 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7542c8, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7542c9) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CLC_3_symbolic(self): ''' Instruction CLC_3 Groups: 0x4b473c: clc ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x004b4000, 0x1000, 'rwx') mem[0x4b473c] = '\xf8' cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x4b473c done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4b473c, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x4b473d) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CLC_4_symbolic(self): ''' Instruction CLC_4 Groups: 0x49d4dd: clc ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0049d000, 0x1000, 'rwx') mem[0x49d4dd] = '\xf8' cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x49d4dd done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x49d4dd, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x49d4de) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CLC_5_symbolic(self): ''' Instruction CLC_5 Groups: 0x4fd621: clc ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x004fd000, 0x1000, 'rwx') mem[0x4fd621] = '\xf8' cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x4fd621 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4fd621, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x4fd622) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CLC_6_symbolic(self): ''' Instruction CLC_6 Groups: 0x4fadef: clc ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x004fa000, 0x1000, 'rwx') mem[0x4fadef] = '\xf8' cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x4fadef done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4fadef, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x4fadf0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVAE_1_symbolic(self): ''' Instruction CMOVAE_1 Groups: cmov 0x4117e8: cmovae rax, r10 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00411000, 0x1000, 'rwx') mem[0x4117e8] = 'I' mem[0x4117e9] = '\x0f' mem[0x4117ea] = 'C' mem[0x4117eb] = '\xc2' cpu.RIP = 0x4117e8 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x20) cpu.R10 = cs.new_bitvec(64) cs.add(cpu.R10 == 0x20) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4117e8, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x4117e9, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4117ea, 8)== ord('C')) condition = Operators.AND(condition, cpu.read_int(0x4117eb, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.RAX == 0x20) condition = Operators.AND(condition, cpu.RIP == 0x4117ec) condition = Operators.AND(condition, cpu.R10 == 0x20) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVAE_2_symbolic(self): ''' Instruction CMOVAE_2 Groups: cmov 0x414318: cmovae rax, r10 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00414000, 0x1000, 'rwx') mem[0x414318] = 'I' mem[0x414319] = '\x0f' mem[0x41431a] = 'C' mem[0x41431b] = '\xc2' cpu.RIP = 0x414318 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x20) cpu.R10 = cs.new_bitvec(64) cs.add(cpu.R10 == 0x20) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x414318, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x414319, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x41431a, 8)== ord('C')) condition = Operators.AND(condition, cpu.read_int(0x41431b, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.RAX == 0x20) condition = Operators.AND(condition, cpu.RIP == 0x41431c) condition = Operators.AND(condition, cpu.R10 == 0x20) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVAE_3_symbolic(self): ''' Instruction CMOVAE_3 Groups: cmov 0x5555555662c8: cmovae rdx, rbx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555566000, 0x1000, 'rwx') mem[0x5555555662c8] = 'H' mem[0x5555555662c9] = '\x0f' mem[0x5555555662ca] = 'C' mem[0x5555555662cb] = '\xd3' cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0xffffffffffffffff) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x5555555662c8 cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x7) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x5555555662c8, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x5555555662c9, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x5555555662ca, 8)== ord('C')) condition = Operators.AND(condition, cpu.read_int(0x5555555662cb, 8)== ord('\xd3')) condition = Operators.AND(condition, cpu.RDX == 0x7) condition = Operators.AND(condition, cpu.RIP == 0x5555555662cc) condition = Operators.AND(condition, cpu.RBX == 0x7) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVAE_4_symbolic(self): ''' Instruction CMOVAE_4 Groups: cmov 0x411778: cmovae rax, r10 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00411000, 0x1000, 'rwx') mem[0x411778] = 'I' mem[0x411779] = '\x0f' mem[0x41177a] = 'C' mem[0x41177b] = '\xc2' cpu.RIP = 0x411778 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x20) cpu.R10 = cs.new_bitvec(64) cs.add(cpu.R10 == 0x4a0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x411778, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x411779, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x41177a, 8)== ord('C')) condition = Operators.AND(condition, cpu.read_int(0x41177b, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.RAX == 0x4a0) condition = Operators.AND(condition, cpu.RIP == 0x41177c) condition = Operators.AND(condition, cpu.R10 == 0x4a0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVAE_5_symbolic(self): ''' Instruction CMOVAE_5 Groups: cmov 0x411778: cmovae rax, r10 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00411000, 0x1000, 'rwx') mem[0x411778] = 'I' mem[0x411779] = '\x0f' mem[0x41177a] = 'C' mem[0x41177b] = '\xc2' cpu.RIP = 0x411778 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x20) cpu.R10 = cs.new_bitvec(64) cs.add(cpu.R10 == 0x20) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x411778, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x411779, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x41177a, 8)== ord('C')) condition = Operators.AND(condition, cpu.read_int(0x41177b, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.RAX == 0x20) condition = Operators.AND(condition, cpu.RIP == 0x41177c) condition = Operators.AND(condition, cpu.R10 == 0x20) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVAE_6_symbolic(self): ''' Instruction CMOVAE_6 Groups: cmov 0x411b58: cmovae rax, r10 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00411000, 0x1000, 'rwx') mem[0x411b58] = 'I' mem[0x411b59] = '\x0f' mem[0x411b5a] = 'C' mem[0x411b5b] = '\xc2' cpu.RIP = 0x411b58 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x20) cpu.R10 = cs.new_bitvec(64) cs.add(cpu.R10 == 0x50) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x411b58, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x411b59, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x411b5a, 8)== ord('C')) condition = Operators.AND(condition, cpu.read_int(0x411b5b, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.RAX == 0x50) condition = Operators.AND(condition, cpu.RIP == 0x411b5c) condition = Operators.AND(condition, cpu.R10 == 0x50) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVA_1_symbolic(self): ''' Instruction CMOVA_1 Groups: cmov 0x7ffff7de0ab0: cmova rax, r8 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de0000, 0x1000, 'rwx') mem[0x7ffff7de0ab0] = 'I' mem[0x7ffff7de0ab1] = '\x0f' mem[0x7ffff7de0ab2] = 'G' mem[0x7ffff7de0ab3] = '\xc0' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7de0ab0 cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x7ffff7dd9398) cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x7ffff7dd5000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0ab0, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0ab1, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0ab2, 8)== ord('G')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0ab3, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.R8 == 0x7ffff7dd9398) condition = Operators.AND(condition, cpu.RAX == 0x7ffff7dd5000) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de0ab4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVA_2_symbolic(self): ''' Instruction CMOVA_2 Groups: cmov 0x7ffff7a9d404: cmova rbx, rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a9d000, 0x1000, 'rwx') mem[0x7ffff7a9d404] = 'H' mem[0x7ffff7a9d405] = '\x0f' mem[0x7ffff7a9d406] = 'G' mem[0x7ffff7a9d407] = '\xd8' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7a9d404 cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x7fffffff) cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x14) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a9d404, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a9d405, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a9d406, 8)== ord('G')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a9d407, 8)== ord('\xd8')) condition = Operators.AND(condition, cpu.RAX == 0x7fffffff) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a9d408) condition = Operators.AND(condition, cpu.RBX == 0x14) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVA_3_symbolic(self): ''' Instruction CMOVA_3 Groups: cmov 0x4082a4: cmova rbx, rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00408000, 0x1000, 'rwx') mem[0x4082a4] = 'H' mem[0x4082a5] = '\x0f' mem[0x4082a6] = 'G' mem[0x4082a7] = '\xd8' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x4082a4 cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x7fffffff) cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0xb) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4082a4, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x4082a5, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4082a6, 8)== ord('G')) condition = Operators.AND(condition, cpu.read_int(0x4082a7, 8)== ord('\xd8')) condition = Operators.AND(condition, cpu.RAX == 0x7fffffff) condition = Operators.AND(condition, cpu.RIP == 0x4082a8) condition = Operators.AND(condition, cpu.RBX == 0xb) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVA_4_symbolic(self): ''' Instruction CMOVA_4 Groups: cmov 0x41462a: cmova rdx, r13 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00414000, 0x1000, 'rwx') mem[0x41462a] = 'I' mem[0x41462b] = '\x0f' mem[0x41462c] = 'G' mem[0x41462d] = '\xd5' cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x4a0) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R13 = cs.new_bitvec(64) cs.add(cpu.R13 == 0x21df0) cpu.RIP = 0x41462a cpu.CF = cs.new_bool() cs.add(cpu.CF == True) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x41462a, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x41462b, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x41462c, 8)== ord('G')) condition = Operators.AND(condition, cpu.read_int(0x41462d, 8)== ord('\xd5')) condition = Operators.AND(condition, cpu.RDX == 0x4a0) condition = Operators.AND(condition, cpu.RIP == 0x41462e) condition = Operators.AND(condition, cpu.R13 == 0x21df0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVA_5_symbolic(self): ''' Instruction CMOVA_5 Groups: cmov 0x41424a: cmova rdx, r13 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00414000, 0x1000, 'rwx') mem[0x41424a] = 'I' mem[0x41424b] = '\x0f' mem[0x41424c] = 'G' mem[0x41424d] = '\xd5' cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x4a0) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R13 = cs.new_bitvec(64) cs.add(cpu.R13 == 0x21df0) cpu.RIP = 0x41424a cpu.CF = cs.new_bool() cs.add(cpu.CF == True) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x41424a, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x41424b, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x41424c, 8)== ord('G')) condition = Operators.AND(condition, cpu.read_int(0x41424d, 8)== ord('\xd5')) condition = Operators.AND(condition, cpu.RDX == 0x4a0) condition = Operators.AND(condition, cpu.RIP == 0x41424e) condition = Operators.AND(condition, cpu.R13 == 0x21df0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVA_6_symbolic(self): ''' Instruction CMOVA_6 Groups: cmov 0x4142ba: cmova rdx, r13 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00414000, 0x1000, 'rwx') mem[0x4142ba] = 'I' mem[0x4142bb] = '\x0f' mem[0x4142bc] = 'G' mem[0x4142bd] = '\xd5' cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x4a0) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R13 = cs.new_bitvec(64) cs.add(cpu.R13 == 0x21df0) cpu.RIP = 0x4142ba cpu.CF = cs.new_bool() cs.add(cpu.CF == True) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4142ba, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x4142bb, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4142bc, 8)== ord('G')) condition = Operators.AND(condition, cpu.read_int(0x4142bd, 8)== ord('\xd5')) condition = Operators.AND(condition, cpu.RDX == 0x4a0) condition = Operators.AND(condition, cpu.RIP == 0x4142be) condition = Operators.AND(condition, cpu.R13 == 0x21df0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVBE_1_symbolic(self): ''' Instruction CMOVBE_1 Groups: cmov 0x40d233: cmovbe rbx, r14 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0040d000, 0x1000, 'rwx') mem[0x40d233] = 'I' mem[0x40d234] = '\x0f' mem[0x40d235] = 'F' mem[0x40d236] = '\xde' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x1000) cpu.R14 = cs.new_bitvec(64) cs.add(cpu.R14 == 0x20) cpu.RIP = 0x40d233 cpu.CF = cs.new_bool() cs.add(cpu.CF == True) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x40d233, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x40d234, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x40d235, 8)== ord('F')) condition = Operators.AND(condition, cpu.read_int(0x40d236, 8)== ord('\xde')) condition = Operators.AND(condition, cpu.R14 == 0x20) condition = Operators.AND(condition, cpu.RIP == 0x40d237) condition = Operators.AND(condition, cpu.RBX == 0x20) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVBE_2_symbolic(self): ''' Instruction CMOVBE_2 Groups: cmov 0x7ffff7aa96b3: cmovbe rbx, r14 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7aa9000, 0x1000, 'rwx') mem[0x7ffff7aa96b3] = 'I' mem[0x7ffff7aa96b4] = '\x0f' mem[0x7ffff7aa96b5] = 'F' mem[0x7ffff7aa96b6] = '\xde' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x2000) cpu.R14 = cs.new_bitvec(64) cs.add(cpu.R14 == 0x4) cpu.RIP = 0x7ffff7aa96b3 cpu.CF = cs.new_bool() cs.add(cpu.CF == True) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b3, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b4, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b5, 8)== ord('F')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b6, 8)== ord('\xde')) condition = Operators.AND(condition, cpu.R14 == 0x4) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aa96b7) condition = Operators.AND(condition, cpu.RBX == 0x4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVBE_3_symbolic(self): ''' Instruction CMOVBE_3 Groups: cmov 0x7ffff7aa96b3: cmovbe rbx, r14 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7aa9000, 0x1000, 'rwx') mem[0x7ffff7aa96b3] = 'I' mem[0x7ffff7aa96b4] = '\x0f' mem[0x7ffff7aa96b5] = 'F' mem[0x7ffff7aa96b6] = '\xde' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x1000) cpu.R14 = cs.new_bitvec(64) cs.add(cpu.R14 == 0x13) cpu.RIP = 0x7ffff7aa96b3 cpu.CF = cs.new_bool() cs.add(cpu.CF == True) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b3, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b4, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b5, 8)== ord('F')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b6, 8)== ord('\xde')) condition = Operators.AND(condition, cpu.R14 == 0x13) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aa96b7) condition = Operators.AND(condition, cpu.RBX == 0x13) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVBE_4_symbolic(self): ''' Instruction CMOVBE_4 Groups: cmov 0x40d263: cmovbe rbx, r14 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0040d000, 0x1000, 'rwx') mem[0x40d263] = 'I' mem[0x40d264] = '\x0f' mem[0x40d265] = 'F' mem[0x40d266] = '\xde' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x1000) cpu.R14 = cs.new_bitvec(64) cs.add(cpu.R14 == 0x13) cpu.RIP = 0x40d263 cpu.CF = cs.new_bool() cs.add(cpu.CF == True) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x40d263, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x40d264, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x40d265, 8)== ord('F')) condition = Operators.AND(condition, cpu.read_int(0x40d266, 8)== ord('\xde')) condition = Operators.AND(condition, cpu.R14 == 0x13) condition = Operators.AND(condition, cpu.RIP == 0x40d267) condition = Operators.AND(condition, cpu.RBX == 0x13) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVBE_5_symbolic(self): ''' Instruction CMOVBE_5 Groups: cmov 0x7ffff7aa96b3: cmovbe rbx, r14 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7aa9000, 0x1000, 'rwx') mem[0x7ffff7aa96b3] = 'I' mem[0x7ffff7aa96b4] = '\x0f' mem[0x7ffff7aa96b5] = 'F' mem[0x7ffff7aa96b6] = '\xde' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x1000) cpu.R14 = cs.new_bitvec(64) cs.add(cpu.R14 == 0x13) cpu.RIP = 0x7ffff7aa96b3 cpu.CF = cs.new_bool() cs.add(cpu.CF == True) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b3, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b4, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b5, 8)== ord('F')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b6, 8)== ord('\xde')) condition = Operators.AND(condition, cpu.R14 == 0x13) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aa96b7) condition = Operators.AND(condition, cpu.RBX == 0x13) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVBE_6_symbolic(self): ''' Instruction CMOVBE_6 Groups: cmov 0x40fde3: cmovbe rbx, r14 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0040f000, 0x1000, 'rwx') mem[0x40fde3] = 'I' mem[0x40fde4] = '\x0f' mem[0x40fde5] = 'F' mem[0x40fde6] = '\xde' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x1000) cpu.R14 = cs.new_bitvec(64) cs.add(cpu.R14 == 0x240) cpu.RIP = 0x40fde3 cpu.CF = cs.new_bool() cs.add(cpu.CF == True) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x40fde3, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x40fde4, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x40fde5, 8)== ord('F')) condition = Operators.AND(condition, cpu.read_int(0x40fde6, 8)== ord('\xde')) condition = Operators.AND(condition, cpu.R14 == 0x240) condition = Operators.AND(condition, cpu.RIP == 0x40fde7) condition = Operators.AND(condition, cpu.RBX == 0x240) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVB_1_symbolic(self): ''' Instruction CMOVB_1 Groups: cmov 0x7ffff7deb97f: cmovb r12d, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7deb000, 0x1000, 'rwx') mem[0x7ffff7deb980] = '\x0f' mem[0x7ffff7deb981] = 'B' mem[0x7ffff7deb982] = '\xe0' mem[0x7ffff7deb97f] = 'D' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0xa) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7deb97f cpu.R12D = cs.new_bitvec(32) cs.add(cpu.R12D == 0x1a) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb980, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb981, 8)== ord('B')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb982, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb97f, 8)== ord('D')) condition = Operators.AND(condition, cpu.EAX == 0xa) condition = Operators.AND(condition, cpu.R12D == 0x1a) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7deb983) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVB_2_symbolic(self): ''' Instruction CMOVB_2 Groups: cmov 0x7ffff7df45ad: cmovb eax, ecx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df45ad] = '\x0f' mem[0x7ffff7df45ae] = 'B' mem[0x7ffff7df45af] = '\xc1' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x1) cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x7ffff7df45ad cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0xffffffff) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ad, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ae, 8)== ord('B')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45af, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.EAX == 0xffffffff) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df45b0) condition = Operators.AND(condition, cpu.ECX == 0xffffffff) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVB_3_symbolic(self): ''' Instruction CMOVB_3 Groups: cmov 0x7ffff7df45ad: cmovb eax, ecx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df45ad] = '\x0f' mem[0x7ffff7df45ae] = 'B' mem[0x7ffff7df45af] = '\xc1' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x1) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7df45ad cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0xffffffff) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ad, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ae, 8)== ord('B')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45af, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.EAX == 0x1) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df45b0) condition = Operators.AND(condition, cpu.ECX == 0xffffffff) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVB_4_symbolic(self): ''' Instruction CMOVB_4 Groups: cmov 0x7ffff7deb97f: cmovb r12d, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7deb000, 0x1000, 'rwx') mem[0x7ffff7deb980] = '\x0f' mem[0x7ffff7deb981] = 'B' mem[0x7ffff7deb982] = '\xe0' mem[0x7ffff7deb97f] = 'D' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x12) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7deb97f cpu.R12D = cs.new_bitvec(32) cs.add(cpu.R12D == 0x1a) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb980, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb981, 8)== ord('B')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb982, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb97f, 8)== ord('D')) condition = Operators.AND(condition, cpu.EAX == 0x12) condition = Operators.AND(condition, cpu.R12D == 0x1a) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7deb983) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVB_5_symbolic(self): ''' Instruction CMOVB_5 Groups: cmov 0x7ffff7df45ad: cmovb eax, ecx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df45ad] = '\x0f' mem[0x7ffff7df45ae] = 'B' mem[0x7ffff7df45af] = '\xc1' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x1) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7df45ad cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0xffffffff) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ad, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ae, 8)== ord('B')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45af, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.EAX == 0x1) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df45b0) condition = Operators.AND(condition, cpu.ECX == 0xffffffff) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVB_6_symbolic(self): ''' Instruction CMOVB_6 Groups: cmov 0x7ffff7df45ad: cmovb eax, ecx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df45ad] = '\x0f' mem[0x7ffff7df45ae] = 'B' mem[0x7ffff7df45af] = '\xc1' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x1) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7df45ad cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0xffffffff) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ad, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ae, 8)== ord('B')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45af, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.EAX == 0x1) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df45b0) condition = Operators.AND(condition, cpu.ECX == 0xffffffff) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVE_1_symbolic(self): ''' Instruction CMOVE_1 Groups: cmov 0x7ffff7de625e: cmove r8, rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6260] = 'D' mem[0x7ffff7de6261] = '\xc0' mem[0x7ffff7de625e] = 'L' mem[0x7ffff7de625f] = '\x0f' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x7ffff7ff7c48) cpu.RIP = 0x7ffff7de625e cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6260, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6261, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625e, 8)== ord('L')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625f, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.R8 == 0x7ffff7ff7c48) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6262) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVE_2_symbolic(self): ''' Instruction CMOVE_2 Groups: cmov 0x415f05: cmove rax, rdx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00415000, 0x1000, 'rwx') mem[0x415f08] = '\xc2' mem[0x415f05] = 'H' mem[0x415f06] = '\x0f' mem[0x415f07] = 'D' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x415f05 cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x6e01c0) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x415f08, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.read_int(0x415f05, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x415f06, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x415f07, 8)== ord('D')) condition = Operators.AND(condition, cpu.RAX == 0x6e01c0) condition = Operators.AND(condition, cpu.RIP == 0x415f09) condition = Operators.AND(condition, cpu.RDX == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVE_3_symbolic(self): ''' Instruction CMOVE_3 Groups: cmov 0x7ffff7de625e: cmove r8, rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6260] = 'D' mem[0x7ffff7de6261] = '\xc0' mem[0x7ffff7de625e] = 'L' mem[0x7ffff7de625f] = '\x0f' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x7ffff7ff7c48) cpu.RIP = 0x7ffff7de625e cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6260, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6261, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625e, 8)== ord('L')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625f, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.R8 == 0x7ffff7ff7c48) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6262) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVE_4_symbolic(self): ''' Instruction CMOVE_4 Groups: cmov 0x7ffff7df2822: cmove rdi, qword ptr [rip + 0x20b886] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df2000, 0x1000, 'rwx') mem.mmap(0x7ffff7ffe000, 0x1000, 'rwx') mem[0x7ffff7df2822] = 'H' mem[0x7ffff7df2823] = '\x0f' mem[0x7ffff7df2824] = 'D' mem[0x7ffff7df2825] = '=' mem[0x7ffff7df2826] = '\x86' mem[0x7ffff7df2827] = '\xb8' mem[0x7ffff7df2828] = ' ' mem[0x7ffff7df2829] = '\x00' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe0b0) value = cs.new_bitvec(8) cs.add(value == 0x30) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe0b1) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe0b2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe0b3) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe0b4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe0b5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe0b6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe0b7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7ffff7fd8000) cpu.RIP = 0x7ffff7df2822 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2822, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2823, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2824, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2825, 8)== ord('=')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2826, 8)== ord('\x86')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2827, 8)== ord('\xb8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2828, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2829, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b0, 8)== ord('0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b1, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b3, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RDI == 0x7ffff7fd8000) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df282a) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVE_5_symbolic(self): ''' Instruction CMOVE_5 Groups: cmov 0x7ffff7de625e: cmove r8, rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6260] = 'D' mem[0x7ffff7de6261] = '\xc0' mem[0x7ffff7de625e] = 'L' mem[0x7ffff7de625f] = '\x0f' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x7ffff7ff7c48) cpu.RIP = 0x7ffff7de625e cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6260, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6261, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625e, 8)== ord('L')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625f, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.R8 == 0x7ffff7ff7c48) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6262) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVE_6_symbolic(self): ''' Instruction CMOVE_6 Groups: cmov 0x7ffff7de625e: cmove r8, rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6260] = 'D' mem[0x7ffff7de6261] = '\xc0' mem[0x7ffff7de625e] = 'L' mem[0x7ffff7de625f] = '\x0f' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x7ffff7ff7c48) cpu.RIP = 0x7ffff7de625e cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6260, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6261, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625e, 8)== ord('L')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625f, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.R8 == 0x7ffff7ff7c48) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6262) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVNE_1_symbolic(self): ''' Instruction CMOVNE_1 Groups: cmov 0x462435: cmovne rbx, rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00462000, 0x1000, 'rwx') mem[0x462438] = '\xd8' mem[0x462435] = 'H' mem[0x462436] = '\x0f' mem[0x462437] = 'E' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RIP = 0x462435 cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x4a5441) cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x6bf6b0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x462438, 8)== ord('\xd8')) condition = Operators.AND(condition, cpu.read_int(0x462435, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x462436, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x462437, 8)== ord('E')) condition = Operators.AND(condition, cpu.RAX == 0x4a5441) condition = Operators.AND(condition, cpu.RIP == 0x462439) condition = Operators.AND(condition, cpu.RBX == 0x6bf6b0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVNE_2_symbolic(self): ''' Instruction CMOVNE_2 Groups: cmov 0x7ffff7de5776: cmovne r14d, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem[0x7ffff7de5778] = 'E' mem[0x7ffff7de5779] = '\xf0' mem[0x7ffff7de5776] = 'D' mem[0x7ffff7de5777] = '\x0f' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x10) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.R14D = cs.new_bitvec(32) cs.add(cpu.R14D == 0x0) cpu.RIP = 0x7ffff7de5776 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5778, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5779, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5776, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5777, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.EAX == 0x10) condition = Operators.AND(condition, cpu.R14D == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de577a) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVNE_3_symbolic(self): ''' Instruction CMOVNE_3 Groups: cmov 0x7ffff7de57f6: cmovne rbx, rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem[0x7ffff7de57f8] = 'E' mem[0x7ffff7de57f9] = '\xd8' mem[0x7ffff7de57f6] = 'H' mem[0x7ffff7de57f7] = '\x0f' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7de57f6 cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x7ffff7ff7640) cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x7ffff7ff7af1) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de57f8, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de57f9, 8)== ord('\xd8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de57f6, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de57f7, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.RAX == 0x7ffff7ff7640) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de57fa) condition = Operators.AND(condition, cpu.RBX == 0x7ffff7ff7640) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVNE_4_symbolic(self): ''' Instruction CMOVNE_4 Groups: cmov 0x457ba4: cmovne rsi, rdx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457ba4] = 'H' mem[0x457ba5] = '\x0f' mem[0x457ba6] = 'E' mem[0x457ba7] = '\xf2' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x8201000080201021) cpu.RIP = 0x457ba4 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x41008000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457ba4, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x457ba5, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x457ba6, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x457ba7, 8)== ord('\xf2')) condition = Operators.AND(condition, cpu.RSI == 0x41008000) condition = Operators.AND(condition, cpu.RIP == 0x457ba8) condition = Operators.AND(condition, cpu.RDX == 0x41008000) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVNE_5_symbolic(self): ''' Instruction CMOVNE_5 Groups: cmov 0x7ffff7de0910: cmovne esi, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de0000, 0x1000, 'rwx') mem[0x7ffff7de0910] = '\x0f' mem[0x7ffff7de0911] = 'E' mem[0x7ffff7de0912] = '\xf0' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x1) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7de0910 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0910, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0911, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0912, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.EAX == 0x1) condition = Operators.AND(condition, cpu.ESI == 0x1) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de0913) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVNE_6_symbolic(self): ''' Instruction CMOVNE_6 Groups: cmov 0x457db0: cmovne rcx, rdi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457db0] = 'H' mem[0x457db1] = '\x0f' mem[0x457db2] = 'E' mem[0x457db3] = '\xcf' cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x7fffffffe01b) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffe040) cpu.RIP = 0x457db0 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457db0, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x457db1, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x457db2, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x457db3, 8)== ord('\xcf')) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffe040) condition = Operators.AND(condition, cpu.RCX == 0x7fffffffe040) condition = Operators.AND(condition, cpu.RIP == 0x457db4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVNS_1_symbolic(self): ''' Instruction CMOVNS_1 Groups: cmov 0x448555: cmovns rax, r11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00448000, 0x1000, 'rwx') mem[0x448558] = '\xc3' mem[0x448555] = 'I' mem[0x448556] = '\x0f' mem[0x448557] = 'I' cpu.RIP = 0x448555 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) cpu.R11 = cs.new_bitvec(64) cs.add(cpu.R11 == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x448558, 8)== ord('\xc3')) condition = Operators.AND(condition, cpu.read_int(0x448555, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x448556, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x448557, 8)== ord('I')) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x448559) condition = Operators.AND(condition, cpu.R11 == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMOVNS_2_symbolic(self): ''' Instruction CMOVNS_2 Groups: cmov 0x448555: cmovns rax, r11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00448000, 0x1000, 'rwx') mem[0x448558] = '\xc3' mem[0x448555] = 'I' mem[0x448556] = '\x0f' mem[0x448557] = 'I' cpu.RIP = 0x448555 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) cpu.R11 = cs.new_bitvec(64) cs.add(cpu.R11 == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x448558, 8)== ord('\xc3')) condition = Operators.AND(condition, cpu.read_int(0x448555, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x448556, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x448557, 8)== ord('I')) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x448559) condition = Operators.AND(condition, cpu.R11 == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPSB_1_symbolic(self): ''' Instruction CMPSB_1 Groups: 0x40065b: repe cmpsb byte ptr [rsi], byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem.mmap(0x00491000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda80) value = cs.new_bitvec(8) cs.add(value == 0x5a) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda81) value = cs.new_bitvec(8) cs.add(value == 0xed) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda82) value = cs.new_bitvec(8) cs.add(value == 0xcf) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda83) value = cs.new_bitvec(8) cs.add(value == 0xc2) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491604) value = cs.new_bitvec(8) cs.add(value == 0x5a) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491605) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491606) value = cs.new_bitvec(8) cs.add(value == 0x52) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491607) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491608) value = cs.new_bitvec(8) cs.add(value == 0x5a) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491609) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49160a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49160b) value = cs.new_bitvec(8) cs.add(value == 0x4d) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda87) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda86) value = cs.new_bitvec(8) cs.add(value == 0x94) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda84) value = cs.new_bitvec(8) cs.add(value == 0xc0) mem[addr] = value mem[0x40065b] = '\xf3' mem[0x40065c] = '\xa6' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda85) value = cs.new_bitvec(8) cs.add(value == 0xe0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x491604) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x7) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffda80) cpu.RIP = 0x40065b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffda80, 8)== ord('Z')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda81, 8)== ord('\xed')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda82, 8)== ord('\xcf')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda83, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.read_int(0x491604, 8)== ord('Z')) condition = Operators.AND(condition, cpu.read_int(0x491605, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x491606, 8)== ord('R')) condition = Operators.AND(condition, cpu.read_int(0x491607, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x491608, 8)== ord('Z')) condition = Operators.AND(condition, cpu.read_int(0x491609, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x49160a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x49160b, 8)== ord('M')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda87, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda86, 8)== ord('\x94')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda84, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x40065b, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x40065c, 8)== ord('\xa6')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda85, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.RCX == 0x6) condition = Operators.AND(condition, cpu.RDI == 0x491605) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda81) condition = Operators.AND(condition, cpu.RIP == 0x40065b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPSB_2_symbolic(self): ''' Instruction CMPSB_2 Groups: 0x400657: repe cmpsb byte ptr [rsi], byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem.mmap(0x00491000, 0x1000, 'rwx') mem.mmap(0x7fffffffe000, 0x1000, 'rwx') mem[0x400658] = '\xa6' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe06a) value = cs.new_bitvec(8) cs.add(value == 0x61) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe06b) value = cs.new_bitvec(8) cs.add(value == 0x72) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe06c) value = cs.new_bitvec(8) cs.add(value == 0x67) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe06d) value = cs.new_bitvec(8) cs.add(value == 0x31) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe06e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe06f) value = cs.new_bitvec(8) cs.add(value == 0x61) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe070) value = cs.new_bitvec(8) cs.add(value == 0x72) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe071) value = cs.new_bitvec(8) cs.add(value == 0x67) mem[addr] = value mem[0x400657] = '\xf3' addr = cs.new_bitvec(64) cs.add(addr == 0x491818) value = cs.new_bitvec(8) cs.add(value == 0x2d) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491819) value = cs.new_bitvec(8) cs.add(value == 0x64) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49181a) value = cs.new_bitvec(8) cs.add(value == 0x6f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49181b) value = cs.new_bitvec(8) cs.add(value == 0x73) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49181c) value = cs.new_bitvec(8) cs.add(value == 0x74) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49181d) value = cs.new_bitvec(8) cs.add(value == 0x75) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49181e) value = cs.new_bitvec(8) cs.add(value == 0x66) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491817) value = cs.new_bitvec(8) cs.add(value == 0x2d) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x491817) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0xa) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffe06a) cpu.RIP = 0x400657 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06b, 8)== ord('r')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe071, 8)== ord('g')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06a, 8)== ord('a')) condition = Operators.AND(condition, cpu.read_int(0x400657, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06c, 8)== ord('g')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06d, 8)== ord('1')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06f, 8)== ord('a')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe070, 8)== ord('r')) condition = Operators.AND(condition, cpu.read_int(0x491818, 8)== ord('-')) condition = Operators.AND(condition, cpu.read_int(0x491817, 8)== ord('-')) condition = Operators.AND(condition, cpu.read_int(0x400658, 8)== ord('\xa6')) condition = Operators.AND(condition, cpu.read_int(0x491819, 8)== ord('d')) condition = Operators.AND(condition, cpu.read_int(0x49181a, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x49181b, 8)== ord('s')) condition = Operators.AND(condition, cpu.read_int(0x49181c, 8)== ord('t')) condition = Operators.AND(condition, cpu.read_int(0x49181d, 8)== ord('u')) condition = Operators.AND(condition, cpu.read_int(0x49181e, 8)== ord('f')) condition = Operators.AND(condition, cpu.RCX == 0x9) condition = Operators.AND(condition, cpu.RDI == 0x491818) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffe06b) condition = Operators.AND(condition, cpu.RIP == 0x400659) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPSB_3_symbolic(self): ''' Instruction CMPSB_3 Groups: 0x40065b: repe cmpsb byte ptr [rsi], byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem.mmap(0x00491000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda81) value = cs.new_bitvec(8) cs.add(value == 0xed) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda82) value = cs.new_bitvec(8) cs.add(value == 0xcf) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda83) value = cs.new_bitvec(8) cs.add(value == 0xc2) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda84) value = cs.new_bitvec(8) cs.add(value == 0xc0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491605) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491606) value = cs.new_bitvec(8) cs.add(value == 0x52) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491607) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491608) value = cs.new_bitvec(8) cs.add(value == 0x5a) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491609) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49160a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49160b) value = cs.new_bitvec(8) cs.add(value == 0x4d) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49160c) value = cs.new_bitvec(8) cs.add(value == 0x65) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda86) value = cs.new_bitvec(8) cs.add(value == 0x94) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda88) value = cs.new_bitvec(8) cs.add(value == 0xea) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda87) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value mem[0x40065b] = '\xf3' mem[0x40065c] = '\xa6' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda85) value = cs.new_bitvec(8) cs.add(value == 0xe0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x491605) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x6) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffda81) cpu.RIP = 0x40065b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffda81, 8)== ord('\xed')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda82, 8)== ord('\xcf')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda83, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda84, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x491605, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x491606, 8)== ord('R')) condition = Operators.AND(condition, cpu.read_int(0x491607, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x491608, 8)== ord('Z')) condition = Operators.AND(condition, cpu.read_int(0x491609, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x49160a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x49160b, 8)== ord('M')) condition = Operators.AND(condition, cpu.read_int(0x49160c, 8)== ord('e')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda86, 8)== ord('\x94')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\xea')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda87, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x40065b, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x40065c, 8)== ord('\xa6')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda85, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.RCX == 0x5) condition = Operators.AND(condition, cpu.RDI == 0x491606) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda82) condition = Operators.AND(condition, cpu.RIP == 0x40065d) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPSB_4_symbolic(self): ''' Instruction CMPSB_4 Groups: 0x400657: repe cmpsb byte ptr [rsi], byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem.mmap(0x00491000, 0x1000, 'rwx') mem.mmap(0x7fffffffe000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe065) value = cs.new_bitvec(8) cs.add(value == 0x61) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe066) value = cs.new_bitvec(8) cs.add(value == 0x72) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe067) value = cs.new_bitvec(8) cs.add(value == 0x67) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe068) value = cs.new_bitvec(8) cs.add(value == 0x31) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe069) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe06a) value = cs.new_bitvec(8) cs.add(value == 0x61) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe06b) value = cs.new_bitvec(8) cs.add(value == 0x72) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe06c) value = cs.new_bitvec(8) cs.add(value == 0x67) mem[addr] = value mem[0x400658] = '\xa6' mem[0x400657] = '\xf3' addr = cs.new_bitvec(64) cs.add(addr == 0x491818) value = cs.new_bitvec(8) cs.add(value == 0x2d) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491819) value = cs.new_bitvec(8) cs.add(value == 0x64) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49181a) value = cs.new_bitvec(8) cs.add(value == 0x6f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49181b) value = cs.new_bitvec(8) cs.add(value == 0x73) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49181c) value = cs.new_bitvec(8) cs.add(value == 0x74) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49181d) value = cs.new_bitvec(8) cs.add(value == 0x75) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49181e) value = cs.new_bitvec(8) cs.add(value == 0x66) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x491817) value = cs.new_bitvec(8) cs.add(value == 0x2d) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x491817) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0xa) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffe065) cpu.RIP = 0x400657 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06b, 8)== ord('r')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe065, 8)== ord('a')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe066, 8)== ord('r')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe067, 8)== ord('g')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe068, 8)== ord('1')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe069, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06a, 8)== ord('a')) condition = Operators.AND(condition, cpu.read_int(0x400657, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06c, 8)== ord('g')) condition = Operators.AND(condition, cpu.read_int(0x491818, 8)== ord('-')) condition = Operators.AND(condition, cpu.read_int(0x491817, 8)== ord('-')) condition = Operators.AND(condition, cpu.read_int(0x400658, 8)== ord('\xa6')) condition = Operators.AND(condition, cpu.read_int(0x491819, 8)== ord('d')) condition = Operators.AND(condition, cpu.read_int(0x49181a, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x49181b, 8)== ord('s')) condition = Operators.AND(condition, cpu.read_int(0x49181c, 8)== ord('t')) condition = Operators.AND(condition, cpu.read_int(0x49181d, 8)== ord('u')) condition = Operators.AND(condition, cpu.read_int(0x49181e, 8)== ord('f')) condition = Operators.AND(condition, cpu.RCX == 0x9) condition = Operators.AND(condition, cpu.RDI == 0x491818) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffe066) condition = Operators.AND(condition, cpu.RIP == 0x400659) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPSB_5_symbolic(self): ''' Instruction CMPSB_5 Groups: 0x55555555478b: repe cmpsb byte ptr [rsi], byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda80) value = cs.new_bitvec(8) cs.add(value == 0xc6) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda81) value = cs.new_bitvec(8) cs.add(value == 0xd9) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda82) value = cs.new_bitvec(8) cs.add(value == 0x50) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda83) value = cs.new_bitvec(8) cs.add(value == 0x25) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda84) value = cs.new_bitvec(8) cs.add(value == 0xc1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda85) value = cs.new_bitvec(8) cs.add(value == 0xe2) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda86) value = cs.new_bitvec(8) cs.add(value == 0xc9) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda87) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value mem[0x55555555478b] = '\xf3' mem[0x55555555478c] = '\xa6' addr = cs.new_bitvec(64) cs.add(addr == 0x555555554998) value = cs.new_bitvec(8) cs.add(value == 0x5a) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x555555554999) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555555499a) value = cs.new_bitvec(8) cs.add(value == 0x52) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555555499b) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555555499c) value = cs.new_bitvec(8) cs.add(value == 0x5a) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555555499d) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555555499e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555555499f) value = cs.new_bitvec(8) cs.add(value == 0x4d) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x555555554998) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x7) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffda80) cpu.RIP = 0x55555555478b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffda80, 8)== ord('\xc6')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda81, 8)== ord('\xd9')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda82, 8)== ord('P')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda83, 8)== ord('%')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda84, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda85, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda86, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda87, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x55555555478b, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x55555555478c, 8)== ord('\xa6')) condition = Operators.AND(condition, cpu.read_int(0x555555554998, 8)== ord('Z')) condition = Operators.AND(condition, cpu.read_int(0x555555554999, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x55555555499a, 8)== ord('R')) condition = Operators.AND(condition, cpu.read_int(0x55555555499b, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x55555555499c, 8)== ord('Z')) condition = Operators.AND(condition, cpu.read_int(0x55555555499d, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x55555555499e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555555499f, 8)== ord('M')) condition = Operators.AND(condition, cpu.RCX == 0x6) condition = Operators.AND(condition, cpu.RDI == 0x555555554999) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda81) condition = Operators.AND(condition, cpu.RIP == 0x55555555478d) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPSB_6_symbolic(self): ''' Instruction CMPSB_6 Groups: 0x5555555548c0: repe cmpsb byte ptr [rsi], byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x5555555548c0] = '\xf3' mem[0x5555555548c1] = '\xa6' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda82) value = cs.new_bitvec(8) cs.add(value == 0xd2) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda83) value = cs.new_bitvec(8) cs.add(value == 0xd0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda84) value = cs.new_bitvec(8) cs.add(value == 0x1f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda85) value = cs.new_bitvec(8) cs.add(value == 0x1c) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda86) value = cs.new_bitvec(8) cs.add(value == 0x28) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda81) value = cs.new_bitvec(8) cs.add(value == 0x4) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x5555555549a8) value = cs.new_bitvec(8) cs.add(value == 0x5a) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x5555555549a9) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x5555555549aa) value = cs.new_bitvec(8) cs.add(value == 0x52) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x5555555549ab) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x5555555549ac) value = cs.new_bitvec(8) cs.add(value == 0x5a) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x5555555549ad) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x5555555549ae) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x5555555549af) value = cs.new_bitvec(8) cs.add(value == 0x4d) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda87) value = cs.new_bitvec(8) cs.add(value == 0x50) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda80) value = cs.new_bitvec(8) cs.add(value == 0x91) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x5555555549a8) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x7) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffda80) cpu.RIP = 0x5555555548c0 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x5555555548c0, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x5555555548c1, 8)== ord('\xa6')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda82, 8)== ord('\xd2')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda83, 8)== ord('\xd0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda84, 8)== ord('\x1f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda85, 8)== ord('\x1c')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda86, 8)== ord('(')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda81, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x5555555549a8, 8)== ord('Z')) condition = Operators.AND(condition, cpu.read_int(0x5555555549a9, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x5555555549aa, 8)== ord('R')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda87, 8)== ord('P')) condition = Operators.AND(condition, cpu.read_int(0x5555555549ac, 8)== ord('Z')) condition = Operators.AND(condition, cpu.read_int(0x5555555549ad, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x5555555549ae, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x5555555549af, 8)== ord('M')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda80, 8)== ord('\x91')) condition = Operators.AND(condition, cpu.read_int(0x5555555549ab, 8)== ord('A')) condition = Operators.AND(condition, cpu.RCX == 0x6) condition = Operators.AND(condition, cpu.RDI == 0x5555555549a9) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda81) condition = Operators.AND(condition, cpu.RIP == 0x5555555548c2) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPXCHG8B_1_symbolic(self): ''' Instruction CMPXCHG8B_1 Groups: 0x5c68cb: lock cmpxchg8b qword ptr [rsp + 4] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x005c6000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x5c68cb] = '\xf0' mem[0x5c68cc] = '\x0f' mem[0x5c68cd] = '\xc7' mem[0x5c68ce] = 'L' mem[0x5c68cf] = '$' mem[0x5c68d0] = '\x04' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb9) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccba) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.EBX = cs.new_bitvec(32) cs.add(cpu.EBX == 0x80000001) cpu.RIP = 0x5c68cb cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x80000001) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x8001) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0x80) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x5c68cb, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.read_int(0x5c68cc, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x5c68cd, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x5c68ce, 8)== ord('L')) condition = Operators.AND(condition, cpu.read_int(0x5c68cf, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x5c68d0, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x5c68d1) condition = Operators.AND(condition, cpu.EAX == 0x80) condition = Operators.AND(condition, cpu.EDX == 0x8001) condition = Operators.AND(condition, cpu.EBX == 0x80000001) condition = Operators.AND(condition, cpu.ECX == 0x80) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPXCHG8B_2_symbolic(self): ''' Instruction CMPXCHG8B_2 Groups: 0x5861a9: lock cmpxchg8b qword ptr [rsp] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00586000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x5861a9] = '\xf0' mem[0x5861aa] = '\x0f' mem[0x5861ab] = '\xc7' mem[0x5861ac] = '\x0c' mem[0x5861ad] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value cpu.EBX = cs.new_bitvec(32) cs.add(cpu.EBX == 0x80000000) cpu.RIP = 0x5861a9 cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x80000000) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0xffffffff) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0x80000000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x5861a9, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.read_int(0x5861aa, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x5861ab, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x5861ac, 8)== ord('\x0c')) condition = Operators.AND(condition, cpu.read_int(0x5861ad, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x5861ae) condition = Operators.AND(condition, cpu.EAX == 0x80000000) condition = Operators.AND(condition, cpu.EDX == 0x80000000) condition = Operators.AND(condition, cpu.EBX == 0x80000000) condition = Operators.AND(condition, cpu.ECX == 0x80000000) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPXCHG8B_3_symbolic(self): ''' Instruction CMPXCHG8B_3 Groups: 0x58de05: lock cmpxchg8b qword ptr [rsp] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0058d000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x58de05] = '\xf0' mem[0x58de06] = '\x0f' mem[0x58de07] = '\xc7' mem[0x58de08] = '\x0c' mem[0x58de09] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.EBX = cs.new_bitvec(32) cs.add(cpu.EBX == 0x80000001) cpu.RIP = 0x58de05 cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x80000001) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x21) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0x40) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x58de05, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.read_int(0x58de06, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x58de07, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x58de08, 8)== ord('\x0c')) condition = Operators.AND(condition, cpu.read_int(0x58de09, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x58de0a) condition = Operators.AND(condition, cpu.EAX == 0x80000001) condition = Operators.AND(condition, cpu.EDX == 0x40) condition = Operators.AND(condition, cpu.EBX == 0x80000001) condition = Operators.AND(condition, cpu.ECX == 0x40) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPXCHG8B_4_symbolic(self): ''' Instruction CMPXCHG8B_4 Groups: 0x59b473: lock cmpxchg8b qword ptr [rsp] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0059b000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x59b476] = '\x0c' mem[0x59b477] = '$' mem[0x59b473] = '\xf0' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value mem[0x59b474] = '\x0f' mem[0x59b475] = '\xc7' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.EBX = cs.new_bitvec(32) cs.add(cpu.EBX == 0xffffffff) cpu.RIP = 0x59b473 cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0xffffffff) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x80) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0x80) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x59b473, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.read_int(0x59b474, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x59b475, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x59b476, 8)== ord('\x0c')) condition = Operators.AND(condition, cpu.read_int(0x59b477, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x59b478) condition = Operators.AND(condition, cpu.EAX == 0xffffffff) condition = Operators.AND(condition, cpu.EDX == 0x80) condition = Operators.AND(condition, cpu.EBX == 0xffffffff) condition = Operators.AND(condition, cpu.ECX == 0x80) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPXCHG8B_5_symbolic(self): ''' Instruction CMPXCHG8B_5 Groups: 0x624e14: lock cmpxchg8b qword ptr [rsp + 8] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00624000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x624e14] = '\xf0' mem[0x624e15] = '\x0f' mem[0x624e16] = '\xc7' mem[0x624e17] = 'L' mem[0x624e18] = '$' mem[0x624e19] = '\x08' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccba) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbb) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbc) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbe) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.EBX = cs.new_bitvec(32) cs.add(cpu.EBX == 0x40) cpu.RIP = 0x624e14 cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x40) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x80000000) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0x8001) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x624e14, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.read_int(0x624e15, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x624e16, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x624e17, 8)== ord('L')) condition = Operators.AND(condition, cpu.read_int(0x624e18, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x624e19, 8)== ord('\x08')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x624e1a) condition = Operators.AND(condition, cpu.EAX == 0x80000000) condition = Operators.AND(condition, cpu.EDX == 0x40) condition = Operators.AND(condition, cpu.EBX == 0x40) condition = Operators.AND(condition, cpu.ECX == 0x8001) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPXCHG8B_6_symbolic(self): ''' Instruction CMPXCHG8B_6 Groups: 0x5bfa73: lock cmpxchg8b qword ptr [rsp + 4] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x005bf000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value mem[0x5bfa76] = 'L' mem[0x5bfa77] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value mem[0x5bfa73] = '\xf0' mem[0x5bfa74] = '\x0f' mem[0x5bfa75] = '\xc7' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x5bfa78] = '\x04' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccba) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value cpu.EBX = cs.new_bitvec(32) cs.add(cpu.EBX == 0x80000000) cpu.RIP = 0x5bfa73 cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x80000000) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x7f) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0x8001) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x5bfa78, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x5bfa73, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x5bfa75, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x5bfa76, 8)== ord('L')) condition = Operators.AND(condition, cpu.read_int(0x5bfa77, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x5bfa74, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x5bfa79) condition = Operators.AND(condition, cpu.EAX == 0x8001) condition = Operators.AND(condition, cpu.EDX == 0x7f) condition = Operators.AND(condition, cpu.EBX == 0x80000000) condition = Operators.AND(condition, cpu.ECX == 0x8001) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPXCHG_1_symbolic(self): ''' Instruction CMPXCHG_1 Groups: 0x7ffff7a65367: cmpxchg dword ptr [rip + 0x36fde2], esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a65000, 0x1000, 'rwx') mem.mmap(0x7ffff7dd5000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd5150) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd5151) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd5152) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd5153) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7a65367] = '\x0f' mem[0x7ffff7a65368] = '\xb1' mem[0x7ffff7a65369] = '5' mem[0x7ffff7a6536a] = '\xe2' mem[0x7ffff7a6536b] = '\xfd' mem[0x7ffff7a6536c] = '6' mem[0x7ffff7a6536d] = '\x00' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x1) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7a65367 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5150, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5151, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5152, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5153, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65367, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65368, 8)== ord('\xb1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65369, 8)== ord('5')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6536a, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6536b, 8)== ord('\xfd')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6536c, 8)== ord('6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6536d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.ESI == 0x1) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a6536e) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPXCHG_2_symbolic(self): ''' Instruction CMPXCHG_2 Groups: 0x40abbf: cmpxchg dword ptr [rdx], esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0040a000, 0x1000, 'rwx') mem.mmap(0x006be000, 0x1000, 'rwx') mem[0x40abc0] = '\xb1' mem[0x40abc1] = '2' addr = cs.new_bitvec(64) cs.add(addr == 0x6be762) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6be763) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6be761) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6be760) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x40abbf] = '\x0f' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x1) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x40abbf cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x6be760) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x40abc0, 8)== ord('\xb1')) condition = Operators.AND(condition, cpu.read_int(0x40abc1, 8)== ord('2')) condition = Operators.AND(condition, cpu.read_int(0x6be762, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x6be763, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x6be761, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x40abbf, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x6be760, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.ESI == 0x1) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x40abc2) condition = Operators.AND(condition, cpu.RDX == 0x6be760) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPXCHG_3_symbolic(self): ''' Instruction CMPXCHG_3 Groups: 0x413646: cmpxchg dword ptr [rbx], esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00413000, 0x1000, 'rwx') mem.mmap(0x006b9000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x6b9840) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6b9841) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6b9842) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6b9843) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x413646] = '\x0f' mem[0x413647] = '\xb1' mem[0x413648] = '3' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x1) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x6b9840) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x413646 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x6b9840, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x6b9841, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x6b9842, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x6b9843, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x413646, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x413647, 8)== ord('\xb1')) condition = Operators.AND(condition, cpu.read_int(0x413648, 8)== ord('3')) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.ESI == 0x1) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.RBX == 0x6b9840) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x413649) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPXCHG_4_symbolic(self): ''' Instruction CMPXCHG_4 Groups: 0x435a25: cmpxchg qword ptr [rdx], rdi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00435000, 0x1000, 'rwx') mem.mmap(0x006bd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x6bd380) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6bd381) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6bd382) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6bd383) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6bd384) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6bd385) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6bd386) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6bd387) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x435a25] = 'H' mem[0x435a26] = '\x0f' mem[0x435a27] = '\xb1' mem[0x435a28] = ':' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x6bb7c0) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x435a25 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x6bd380) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x6bd380, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x6bd381, 8)== ord('\xb7')) condition = Operators.AND(condition, cpu.read_int(0x6bd382, 8)== ord('k')) condition = Operators.AND(condition, cpu.read_int(0x6bd383, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x6bd384, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x6bd385, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x6bd386, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x6bd387, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x435a25, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x435a26, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x435a27, 8)== ord('\xb1')) condition = Operators.AND(condition, cpu.read_int(0x435a28, 8)== ord(':')) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.RDI == 0x6bb7c0) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x435a29) condition = Operators.AND(condition, cpu.RDX == 0x6bd380) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPXCHG_5_symbolic(self): ''' Instruction CMPXCHG_5 Groups: 0x41086e: cmpxchg dword ptr [rdx], ecx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00410000, 0x1000, 'rwx') mem.mmap(0x006be000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x6be760) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6be761) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6be762) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x6be763) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x41086e] = '\x0f' mem[0x41086f] = '\xb1' mem[0x410870] = '\n' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0x1) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x41086e cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x6be760) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x6be760, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x6be761, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x6be762, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x6be763, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x41086e, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x41086f, 8)== ord('\xb1')) condition = Operators.AND(condition, cpu.read_int(0x410870, 8)== ord('\n')) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.ECX == 0x1) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x410871) condition = Operators.AND(condition, cpu.RDX == 0x6be760) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMPXCHG_6_symbolic(self): ''' Instruction CMPXCHG_6 Groups: 0x7ffff7aafa06: cmpxchg dword ptr [rbx], esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7aaf000, 0x1000, 'rwx') mem.mmap(0x7ffff7dd3000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd3b80) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd3b81) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd3b82) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd3b83) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7aafa06] = '\x0f' mem[0x7ffff7aafa07] = '\xb1' mem[0x7ffff7aafa08] = '3' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x1) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x7ffff7dd3b80) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7aafa06 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd3b80, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd3b81, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd3b82, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd3b83, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aafa06, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aafa07, 8)== ord('\xb1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aafa08, 8)== ord('3')) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.ESI == 0x1) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.RBX == 0x7ffff7dd3b80) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aafa09) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMP_1_symbolic(self): ''' Instruction CMP_1 Groups: 0x7ffff7b58f43: cmp r12, r9 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f43] = 'M' mem[0x7ffff7b58f44] = '9' mem[0x7ffff7b58f45] = '\xcc' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.R12 = cs.new_bitvec(64) cs.add(cpu.R12 == 0x7ffff7ab0f80) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7b58f43 cpu.R9 = cs.new_bitvec(64) cs.add(cpu.R9 == 0x7ffff7b23c00) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f43, 8)== ord('M')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f44, 8)== ord('9')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f45, 8)== ord('\xcc')) condition = Operators.AND(condition, cpu.SF == True) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.R12 == 0x7ffff7ab0f80) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f46) condition = Operators.AND(condition, cpu.R9 == 0x7ffff7b23c00) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMP_2_symbolic(self): ''' Instruction CMP_2 Groups: 0x406e1d: cmp r14w, word ptr [rbx] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem.mmap(0x7fffffffe000, 0x1000, 'rwx') mem[0x406e20] = '3' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffee69) value = cs.new_bitvec(8) cs.add(value == 0x57) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffee6a) value = cs.new_bitvec(8) cs.add(value == 0x49) mem[addr] = value mem[0x406e1d] = 'f' mem[0x406e1e] = 'D' mem[0x406e1f] = ';' cpu.R14W = cs.new_bitvec(16) cs.add(cpu.R14W == 0x444c) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x7fffffffee69) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x406e1d cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x406e20, 8)== ord('3')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffee69, 8)== ord('W')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffee6a, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x406e1d, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x406e1e, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x406e1f, 8)== ord(';')) condition = Operators.AND(condition, cpu.R14W == 0x444c) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RBX == 0x7fffffffee69) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x406e21) condition = Operators.AND(condition, cpu.SF == True) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMP_3_symbolic(self): ''' Instruction CMP_3 Groups: 0x40d167: cmp eax, 0xff ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0040d000, 0x1000, 'rwx') mem[0x40d168] = '\xf8' mem[0x40d169] = '\xff' mem[0x40d167] = '\x83' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x1) cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x40d167 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x40d168, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x40d169, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x40d167, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.EAX == 0x1) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.AF == True) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x40d16a) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMP_4_symbolic(self): ''' Instruction CMP_4 Groups: 0x7ffff7de4488: cmp qword ptr [rbp - 0x90], 0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9a0) value = cs.new_bitvec(8) cs.add(value == 0xe0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9a1) value = cs.new_bitvec(8) cs.add(value == 0x4d) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9a2) value = cs.new_bitvec(8) cs.add(value == 0xa3) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9a3) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9a4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9a5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9a6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9a7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7de4488] = 'H' mem[0x7ffff7de4489] = '\x83' mem[0x7ffff7de448a] = '\xbd' mem[0x7ffff7de448b] = 'p' mem[0x7ffff7de448c] = '\xff' mem[0x7ffff7de448d] = '\xff' mem[0x7ffff7de448e] = '\xff' mem[0x7ffff7de448f] = '\x00' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de4488 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffda30) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a0, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a1, 8)== ord('M')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a2, 8)== ord('\xa3')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a3, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4488, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4489, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de448a, 8)== ord('\xbd')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de448b, 8)== ord('p')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de448c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de448d, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de448e, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de448f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4490) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffda30) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMP_5_symbolic(self): ''' Instruction CMP_5 Groups: 0x7ffff7de6111: cmp rax, 0x26 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6111] = 'H' mem[0x7ffff7de6112] = '\x83' mem[0x7ffff7de6113] = '\xf8' mem[0x7ffff7de6114] = '&' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x8) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6111 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6111, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6112, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6113, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6114, 8)== ord('&')) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RAX == 0x8) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6115) condition = Operators.AND(condition, cpu.SF == True) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CMP_6_symbolic(self): ''' Instruction CMP_6 Groups: 0x7ffff7de620b: cmp r12, 0x24 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de620b] = 'I' mem[0x7ffff7de620c] = '\x83' mem[0x7ffff7de620d] = '\xfc' mem[0x7ffff7de620e] = '$' cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.R12 = cs.new_bitvec(64) cs.add(cpu.R12 == 0x6) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de620b cpu.SF = cs.new_bool() cs.add(cpu.SF == True) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620b, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620c, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620d, 8)== ord('\xfc')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620e, 8)== ord('$')) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.R12 == 0x6) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de620f) condition = Operators.AND(condition, cpu.SF == True) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CQO_1_symbolic(self): ''' Instruction CQO_1 Groups: 0x400794: cqo ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x400794] = 'H' mem[0x400795] = '\x99' cpu.RIP = 0x400794 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x600000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x400794, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x400795, 8)== ord('\x99')) condition = Operators.AND(condition, cpu.RAX == 0x600000) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x400796) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CQO_2_symbolic(self): ''' Instruction CQO_2 Groups: 0x4006d4: cqo ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x4006d4] = 'H' mem[0x4006d5] = '\x99' cpu.RIP = 0x4006d4 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x600000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4006d4, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x4006d5, 8)== ord('\x99')) condition = Operators.AND(condition, cpu.RAX == 0x600000) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4006d6) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CQO_3_symbolic(self): ''' Instruction CQO_3 Groups: 0x7ffff7a4e234: cqo ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx') mem[0x7ffff7a4e234] = 'H' mem[0x7ffff7a4e235] = '\x99' cpu.RIP = 0x7ffff7a4e234 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x600000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e234, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e235, 8)== ord('\x99')) condition = Operators.AND(condition, cpu.RAX == 0x600000) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4e236) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CQO_4_symbolic(self): ''' Instruction CQO_4 Groups: 0x7ffff7a4e234: cqo ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx') mem[0x7ffff7a4e234] = 'H' mem[0x7ffff7a4e235] = '\x99' cpu.RIP = 0x7ffff7a4e234 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x600000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e234, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e235, 8)== ord('\x99')) condition = Operators.AND(condition, cpu.RAX == 0x600000) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4e236) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CQO_5_symbolic(self): ''' Instruction CQO_5 Groups: 0x4006d4: cqo ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x4006d4] = 'H' mem[0x4006d5] = '\x99' cpu.RIP = 0x4006d4 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x600000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4006d4, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x4006d5, 8)== ord('\x99')) condition = Operators.AND(condition, cpu.RAX == 0x600000) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4006d6) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_CQO_6_symbolic(self): ''' Instruction CQO_6 Groups: 0x7ffff7a4e234: cqo ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx') mem[0x7ffff7a4e234] = 'H' mem[0x7ffff7a4e235] = '\x99' cpu.RIP = 0x7ffff7a4e234 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x600000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e234, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e235, 8)== ord('\x99')) condition = Operators.AND(condition, cpu.RAX == 0x600000) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4e236) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_DEC_1_symbolic(self): ''' Instruction DEC_1 Groups: mode64 0x41e10a: dec ecx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0041e000, 0x1000, 'rwx') mem[0x41e10a] = '\xff' mem[0x41e10b] = '\xc9' cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x41e10a cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0xd) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x41e10a, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x41e10b, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RIP == 0x41e10c) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.ECX == 0xc) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_DEC_2_symbolic(self): ''' Instruction DEC_2 Groups: mode64 0x7ffff7df462c: dec ecx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df462c] = '\xff' mem[0x7ffff7df462d] = '\xc9' cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7df462c cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0x4) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462d, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df462e) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.ECX == 0x3) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_DEC_3_symbolic(self): ''' Instruction DEC_3 Groups: mode64 0x7ffff7df462c: dec ecx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df462c] = '\xff' mem[0x7ffff7df462d] = '\xc9' cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7df462c cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0x2) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462d, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df462e) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.ECX == 0x1) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_DEC_4_symbolic(self): ''' Instruction DEC_4 Groups: mode64 0x7ffff7a65448: dec dword ptr [rip + 0x36fd02] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a65000, 0x1000, 'rwx') mem.mmap(0x7ffff7dd5000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd5150) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd5151) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd5152) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd5153) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7a65448] = '\xff' mem[0x7ffff7a65449] = '\r' mem[0x7ffff7a6544a] = '\x02' mem[0x7ffff7a6544b] = '\xfd' mem[0x7ffff7a6544c] = '6' mem[0x7ffff7a6544d] = '\x00' cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RIP = 0x7ffff7a65448 cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5150, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5151, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5152, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5153, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65448, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65449, 8)== ord('\r')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6544a, 8)== ord('\x02')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6544b, 8)== ord('\xfd')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6544c, 8)== ord('6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6544d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a6544e) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_DEC_5_symbolic(self): ''' Instruction DEC_5 Groups: mode64 0x7ffff7df462c: dec ecx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df462c] = '\xff' mem[0x7ffff7df462d] = '\xc9' cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7df462c cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0x4) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462d, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df462e) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.ECX == 0x3) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_DEC_6_symbolic(self): ''' Instruction DEC_6 Groups: mode64 0x7ffff7df462c: dec ecx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df462c] = '\xff' mem[0x7ffff7df462d] = '\xc9' cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7df462c cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0x1) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462d, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df462e) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.ECX == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_DIV_1_symbolic(self): ''' Instruction DIV_1 Groups: 0x7ffff7de3ff8: div rcx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3ff8] = 'H' mem[0x7ffff7de3ff9] = '\xf7' mem[0x7ffff7de3ffa] = '\xf1' cpu.RIP = 0x7ffff7de3ff8 cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x3f3) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x3de00ec7) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff8, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff9, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ffa, 8)== ord('\xf1')) condition = Operators.AND(condition, cpu.RAX == 0xfaaef) condition = Operators.AND(condition, cpu.RCX == 0x3f3) condition = Operators.AND(condition, cpu.RDX == 0xea) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3ffb) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_DIV_2_symbolic(self): ''' Instruction DIV_2 Groups: 0x7ffff7de3ff8: div rcx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3ff8] = 'H' mem[0x7ffff7de3ff9] = '\xf7' mem[0x7ffff7de3ffa] = '\xf1' cpu.RIP = 0x7ffff7de3ff8 cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x3f3) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x3de00ec7) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff8, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff9, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ffa, 8)== ord('\xf1')) condition = Operators.AND(condition, cpu.RAX == 0xfaaef) condition = Operators.AND(condition, cpu.RCX == 0x3f3) condition = Operators.AND(condition, cpu.RDX == 0xea) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3ffb) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_DIV_3_symbolic(self): ''' Instruction DIV_3 Groups: 0x7ffff7de3ff8: div rcx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3ff8] = 'H' mem[0x7ffff7de3ff9] = '\xf7' mem[0x7ffff7de3ffa] = '\xf1' cpu.RIP = 0x7ffff7de3ff8 cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x3f3) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x9e7650bc) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff8, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff9, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ffa, 8)== ord('\xf1')) condition = Operators.AND(condition, cpu.RAX == 0x281ffc) condition = Operators.AND(condition, cpu.RCX == 0x3f3) condition = Operators.AND(condition, cpu.RDX == 0x88) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3ffb) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_DIV_4_symbolic(self): ''' Instruction DIV_4 Groups: 0x7ffff7de3ff8: div rcx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3ff8] = 'H' mem[0x7ffff7de3ff9] = '\xf7' mem[0x7ffff7de3ffa] = '\xf1' cpu.RIP = 0x7ffff7de3ff8 cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x3f3) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x10a8b550) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff8, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff9, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ffa, 8)== ord('\xf1')) condition = Operators.AND(condition, cpu.RAX == 0x437e2) condition = Operators.AND(condition, cpu.RCX == 0x3f3) condition = Operators.AND(condition, cpu.RDX == 0x3ca) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3ffb) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_DIV_5_symbolic(self): ''' Instruction DIV_5 Groups: 0x7ffff7de3ff8: div rcx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3ff8] = 'H' mem[0x7ffff7de3ff9] = '\xf7' mem[0x7ffff7de3ffa] = '\xf1' cpu.RIP = 0x7ffff7de3ff8 cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x32) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x3cbc6423) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff8, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff9, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ffa, 8)== ord('\xf1')) condition = Operators.AND(condition, cpu.RAX == 0x136f7c3) condition = Operators.AND(condition, cpu.RCX == 0x32) condition = Operators.AND(condition, cpu.RDX == 0xd) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3ffb) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_DIV_6_symbolic(self): ''' Instruction DIV_6 Groups: 0x7ffff7de3ff8: div rcx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3ff8] = 'H' mem[0x7ffff7de3ff9] = '\xf7' mem[0x7ffff7de3ffa] = '\xf1' cpu.RIP = 0x7ffff7de3ff8 cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x3f3) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x2e8912d8) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff8, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff9, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ffa, 8)== ord('\xf1')) condition = Operators.AND(condition, cpu.RAX == 0xbc890) condition = Operators.AND(condition, cpu.RCX == 0x3f3) condition = Operators.AND(condition, cpu.RDX == 0x228) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3ffb) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_IDIV_1_symbolic(self): ''' Instruction IDIV_1 Groups: 0x7ffff7a4e236: idiv r8 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx') mem[0x7ffff7a4e238] = '\xf8' mem[0x7ffff7a4e236] = 'I' mem[0x7ffff7a4e237] = '\xf7' cpu.RIP = 0x7ffff7a4e236 cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x8) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x600000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e238, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e236, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e237, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.RAX == 0xc0000) condition = Operators.AND(condition, cpu.R8 == 0x8) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4e239) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_IDIV_2_symbolic(self): ''' Instruction IDIV_2 Groups: 0x4006d6: idiv r8 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x4006d8] = '\xf8' mem[0x4006d6] = 'I' mem[0x4006d7] = '\xf7' cpu.RIP = 0x4006d6 cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x8) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x600000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4006d8, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x4006d6, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x4006d7, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.RAX == 0xc0000) condition = Operators.AND(condition, cpu.R8 == 0x8) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4006d9) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_IDIV_3_symbolic(self): ''' Instruction IDIV_3 Groups: 0x7ffff7a4e236: idiv r8 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx') mem[0x7ffff7a4e238] = '\xf8' mem[0x7ffff7a4e236] = 'I' mem[0x7ffff7a4e237] = '\xf7' cpu.RIP = 0x7ffff7a4e236 cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x8) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x600000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e238, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e236, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e237, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.RAX == 0xc0000) condition = Operators.AND(condition, cpu.R8 == 0x8) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4e239) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_IDIV_4_symbolic(self): ''' Instruction IDIV_4 Groups: 0x4006d6: idiv r8 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x4006d8] = '\xf8' mem[0x4006d6] = 'I' mem[0x4006d7] = '\xf7' cpu.RIP = 0x4006d6 cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x8) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x600000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4006d8, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x4006d6, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x4006d7, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.RAX == 0xc0000) condition = Operators.AND(condition, cpu.R8 == 0x8) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4006d9) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_IDIV_5_symbolic(self): ''' Instruction IDIV_5 Groups: 0x4006d6: idiv r8 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x4006d8] = '\xf8' mem[0x4006d6] = 'I' mem[0x4006d7] = '\xf7' cpu.RIP = 0x4006d6 cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x8) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x600000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4006d8, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x4006d6, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x4006d7, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.RAX == 0xc0000) condition = Operators.AND(condition, cpu.R8 == 0x8) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4006d9) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_IDIV_6_symbolic(self): ''' Instruction IDIV_6 Groups: 0x7ffff7a4e236: idiv r8 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx') mem[0x7ffff7a4e238] = '\xf8' mem[0x7ffff7a4e236] = 'I' mem[0x7ffff7a4e237] = '\xf7' cpu.RIP = 0x7ffff7a4e236 cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x8) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x600000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e238, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e236, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e237, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.RAX == 0xc0000) condition = Operators.AND(condition, cpu.R8 == 0x8) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4e239) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_IMUL_1_symbolic(self): ''' Instruction IMUL_1 Groups: 0x7ffff7acfec4: imul eax, edx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7acf000, 0x1000, 'rwx') mem[0x7ffff7acfec4] = '\x0f' mem[0x7ffff7acfec5] = '\xaf' mem[0x7ffff7acfec6] = '\xc2' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7acfec4 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x1) cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x600000) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x1) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x600000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfec4, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfec5, 8)== ord('\xaf')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfec6, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7acfec7) condition = Operators.AND(condition, cpu.RDX == 0x1) condition = Operators.AND(condition, cpu.EAX == 0x600000) condition = Operators.AND(condition, cpu.EDX == 0x1) condition = Operators.AND(condition, cpu.RAX == 0x600000) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_IMUL_2_symbolic(self): ''' Instruction IMUL_2 Groups: 0x7ffff7acfeb3: imul eax, edx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7acf000, 0x1000, 'rwx') mem[0x7ffff7acfeb3] = '\x0f' mem[0x7ffff7acfeb4] = '\xaf' mem[0x7ffff7acfeb5] = '\xc2' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7acfeb3 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x8) cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x40) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x8) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x40) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfeb3, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfeb4, 8)== ord('\xaf')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfeb5, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7acfeb6) condition = Operators.AND(condition, cpu.RDX == 0x8) condition = Operators.AND(condition, cpu.EAX == 0x200) condition = Operators.AND(condition, cpu.EDX == 0x8) condition = Operators.AND(condition, cpu.RAX == 0x200) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_IMUL_3_symbolic(self): ''' Instruction IMUL_3 Groups: 0x43230c: imul edx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x43230c] = '\xf7' mem[0x43230d] = '\xea' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x43230c cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x55555556) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x55555556) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x3) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x43230c, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x43230d, 8)== ord('\xea')) condition = Operators.AND(condition, cpu.OF == True) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x43230e) condition = Operators.AND(condition, cpu.RDX == 0x1) condition = Operators.AND(condition, cpu.EDX == 0x1) condition = Operators.AND(condition, cpu.RAX == 0x2) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_IMUL_4_symbolic(self): ''' Instruction IMUL_4 Groups: 0x43230c: imul edx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x43230c] = '\xf7' mem[0x43230d] = '\xea' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x43230c cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x55555556) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x55555556) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x3) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x43230c, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x43230d, 8)== ord('\xea')) condition = Operators.AND(condition, cpu.OF == True) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x43230e) condition = Operators.AND(condition, cpu.RDX == 0x1) condition = Operators.AND(condition, cpu.EDX == 0x1) condition = Operators.AND(condition, cpu.RAX == 0x2) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_IMUL_5_symbolic(self): ''' Instruction IMUL_5 Groups: 0x41403c: imul r12, rsi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00414000, 0x1000, 'rwx') mem[0x41403c] = 'L' mem[0x41403d] = '\x0f' mem[0x41403e] = '\xaf' mem[0x41403f] = '\xe6' cpu.R12 = cs.new_bitvec(64) cs.add(cpu.R12 == 0x491) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x1) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x491) cpu.RIP = 0x41403c cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0xffffffff) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x41403c, 8)== ord('L')) condition = Operators.AND(condition, cpu.read_int(0x41403d, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x41403e, 8)== ord('\xaf')) condition = Operators.AND(condition, cpu.read_int(0x41403f, 8)== ord('\xe6')) condition = Operators.AND(condition, cpu.R12 == 0x491) condition = Operators.AND(condition, cpu.RSI == 0x1) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x414040) condition = Operators.AND(condition, cpu.RDX == 0x491) condition = Operators.AND(condition, cpu.RAX == 0xffffffff) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_IMUL_6_symbolic(self): ''' Instruction IMUL_6 Groups: 0x413fdc: imul r12, rsi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00413000, 0x1000, 'rwx') mem[0x413fdc] = 'L' mem[0x413fdd] = '\x0f' mem[0x413fde] = '\xaf' mem[0x413fdf] = '\xe6' cpu.R12 = cs.new_bitvec(64) cs.add(cpu.R12 == 0x491) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x1) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x491) cpu.RIP = 0x413fdc cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0xffffffff) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x413fdc, 8)== ord('L')) condition = Operators.AND(condition, cpu.read_int(0x413fdd, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x413fde, 8)== ord('\xaf')) condition = Operators.AND(condition, cpu.read_int(0x413fdf, 8)== ord('\xe6')) condition = Operators.AND(condition, cpu.R12 == 0x491) condition = Operators.AND(condition, cpu.RSI == 0x1) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x413fe0) condition = Operators.AND(condition, cpu.RDX == 0x491) condition = Operators.AND(condition, cpu.RAX == 0xffffffff) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_INC_1_symbolic(self): ''' Instruction INC_1 Groups: 0x7ffff7df4596: inc rdi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4598] = '\xc7' mem[0x7ffff7df4596] = 'H' mem[0x7ffff7df4597] = '\xff' cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RIP = 0x7ffff7df4596 cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7ffff7a44729) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4598, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4596, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4597, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4599) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.RDI == 0x7ffff7a4472a) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_INC_2_symbolic(self): ''' Instruction INC_2 Groups: 0x7ffff7df4596: inc rdi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4598] = '\xc7' mem[0x7ffff7df4596] = 'H' mem[0x7ffff7df4597] = '\xff' cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RIP = 0x7ffff7df4596 cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7ffff7dda5ec) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4598, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4596, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4597, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4599) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RDI == 0x7ffff7dda5ed) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_INC_3_symbolic(self): ''' Instruction INC_3 Groups: 0x7ffff7df4599: inc rsi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4599] = 'H' mem[0x7ffff7df459a] = '\xff' mem[0x7ffff7df459b] = '\xc6' cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7ffff7a4472a) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7df4599 cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4599, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459a, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459b, 8)== ord('\xc6')) condition = Operators.AND(condition, cpu.RSI == 0x7ffff7a4472b) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df459c) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_INC_4_symbolic(self): ''' Instruction INC_4 Groups: 0x7ffff7df4596: inc rdi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4598] = '\xc7' mem[0x7ffff7df4596] = 'H' mem[0x7ffff7df4597] = '\xff' cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RIP = 0x7ffff7df4596 cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7ffff7a4472e) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4598, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4596, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4597, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4599) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.RDI == 0x7ffff7a4472f) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_INC_5_symbolic(self): ''' Instruction INC_5 Groups: 0x7ffff7df4599: inc rsi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4599] = 'H' mem[0x7ffff7df459a] = '\xff' mem[0x7ffff7df459b] = '\xc6' cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x555555554cbb) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7df4599 cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4599, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459a, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459b, 8)== ord('\xc6')) condition = Operators.AND(condition, cpu.RSI == 0x555555554cbc) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df459c) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_INC_6_symbolic(self): ''' Instruction INC_6 Groups: 0x7ffff7df4599: inc rsi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4599] = 'H' mem[0x7ffff7df459a] = '\xff' mem[0x7ffff7df459b] = '\xc6' cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7ffff7a44726) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7df4599 cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4599, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459a, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459b, 8)== ord('\xc6')) condition = Operators.AND(condition, cpu.RSI == 0x7ffff7a44727) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df459c) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JAE_1_symbolic(self): ''' Instruction JAE_1 Groups: jump 0x7ffff7aa96ab: jae 0x7ffff7aa96e8 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7aa9000, 0x1000, 'rwx') mem[0x7ffff7aa96ab] = 's' mem[0x7ffff7aa96ac] = ';' cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x7ffff7aa96ab done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96ab, 8)== ord('s')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96ac, 8)== ord(';')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aa96ad) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JAE_2_symbolic(self): ''' Instruction JAE_2 Groups: jump 0x400c11: jae 0x400c69 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x400c11] = 's' mem[0x400c12] = 'V' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x400c11 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x400c11, 8)== ord('s')) condition = Operators.AND(condition, cpu.read_int(0x400c12, 8)== ord('V')) condition = Operators.AND(condition, cpu.RIP == 0x400c69) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JAE_3_symbolic(self): ''' Instruction JAE_3 Groups: jump 0x432400: jae 0x432440 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432400] = 's' mem[0x432401] = '>' cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x432400 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432400, 8)== ord('s')) condition = Operators.AND(condition, cpu.read_int(0x432401, 8)== ord('>')) condition = Operators.AND(condition, cpu.RIP == 0x432402) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JAE_4_symbolic(self): ''' Instruction JAE_4 Groups: jump 0x411d5b: jae 0x412155 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00411000, 0x1000, 'rwx') mem[0x411d60] = '\x00' mem[0x411d5b] = '\x0f' mem[0x411d5c] = '\x83' mem[0x411d5d] = '\xf4' mem[0x411d5e] = '\x03' mem[0x411d5f] = '\x00' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x411d5b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x411d60, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x411d5b, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x411d5c, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x411d5d, 8)== ord('\xf4')) condition = Operators.AND(condition, cpu.read_int(0x411d5e, 8)== ord('\x03')) condition = Operators.AND(condition, cpu.read_int(0x411d5f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x412155) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JAE_5_symbolic(self): ''' Instruction JAE_5 Groups: jump 0x7ffff7b58f5d: jae 0x7ffff7b58f00 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f5d] = 's' mem[0x7ffff7b58f5e] = '\xa1' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7b58f5d done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f5d, 8)== ord('s')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f5e, 8)== ord('\xa1')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f00) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JAE_6_symbolic(self): ''' Instruction JAE_6 Groups: jump 0x400b82: jae 0x400b9f ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x400b82] = 's' mem[0x400b83] = '\x1b' cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x400b82 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x400b82, 8)== ord('s')) condition = Operators.AND(condition, cpu.read_int(0x400b83, 8)== ord('\x1b')) condition = Operators.AND(condition, cpu.RIP == 0x400b84) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JA_1_symbolic(self): ''' Instruction JA_1 Groups: jump 0x7ffff7de6132: ja 0x7ffff7de6108 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6132] = 'w' mem[0x7ffff7de6133] = '\xd4' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6132 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6132, 8)== ord('w')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6133, 8)== ord('\xd4')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6108) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JA_2_symbolic(self): ''' Instruction JA_2 Groups: jump 0x7ffff7ddf066: ja 0x7ffff7ddf0b2 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddf000, 0x1000, 'rwx') mem[0x7ffff7ddf066] = 'w' mem[0x7ffff7ddf067] = 'J' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x7ffff7ddf066 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddf066, 8)== ord('w')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddf067, 8)== ord('J')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddf068) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JA_3_symbolic(self): ''' Instruction JA_3 Groups: jump 0x7ffff7de6132: ja 0x7ffff7de6108 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6132] = 'w' mem[0x7ffff7de6133] = '\xd4' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6132 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6132, 8)== ord('w')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6133, 8)== ord('\xd4')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6108) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JA_4_symbolic(self): ''' Instruction JA_4 Groups: jump 0x7ffff7de6132: ja 0x7ffff7de6108 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6132] = 'w' mem[0x7ffff7de6133] = '\xd4' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6132 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6132, 8)== ord('w')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6133, 8)== ord('\xd4')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6108) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JA_5_symbolic(self): ''' Instruction JA_5 Groups: jump 0x7ffff7de6132: ja 0x7ffff7de6108 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6132] = 'w' mem[0x7ffff7de6133] = '\xd4' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6132 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6132, 8)== ord('w')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6133, 8)== ord('\xd4')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6108) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JA_6_symbolic(self): ''' Instruction JA_6 Groups: jump 0x7ffff7de6132: ja 0x7ffff7de6108 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6132] = 'w' mem[0x7ffff7de6133] = '\xd4' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6132 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6132, 8)== ord('w')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6133, 8)== ord('\xd4')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6108) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JBE_1_symbolic(self): ''' Instruction JBE_1 Groups: jump 0x41188d: jbe 0x411ec0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00411000, 0x1000, 'rwx') mem[0x41188d] = '\x0f' mem[0x41188e] = '\x86' mem[0x41188f] = '-' mem[0x411890] = '\x06' mem[0x411891] = '\x00' mem[0x411892] = '\x00' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x41188d done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x41188d, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x41188e, 8)== ord('\x86')) condition = Operators.AND(condition, cpu.read_int(0x41188f, 8)== ord('-')) condition = Operators.AND(condition, cpu.read_int(0x411890, 8)== ord('\x06')) condition = Operators.AND(condition, cpu.read_int(0x411891, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x411892, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x411ec0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JBE_2_symbolic(self): ''' Instruction JBE_2 Groups: jump 0x4325e3: jbe 0x4326cf ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x4325e3] = '\x0f' mem[0x4325e4] = '\x86' mem[0x4325e5] = '\xe6' mem[0x4325e6] = '\x00' mem[0x4325e7] = '\x00' mem[0x4325e8] = '\x00' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x4325e3 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4325e3, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4325e4, 8)== ord('\x86')) condition = Operators.AND(condition, cpu.read_int(0x4325e5, 8)== ord('\xe6')) condition = Operators.AND(condition, cpu.read_int(0x4325e6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x4325e7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x4325e8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x4325e9) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JBE_3_symbolic(self): ''' Instruction JBE_3 Groups: jump 0x432388: jbe 0x4323aa ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432388] = 'v' mem[0x432389] = ' ' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x432388 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432388, 8)== ord('v')) condition = Operators.AND(condition, cpu.read_int(0x432389, 8)== ord(' ')) condition = Operators.AND(condition, cpu.RIP == 0x43238a) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JBE_4_symbolic(self): ''' Instruction JBE_4 Groups: jump 0x4325e3: jbe 0x4326cf ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x4325e3] = '\x0f' mem[0x4325e4] = '\x86' mem[0x4325e5] = '\xe6' mem[0x4325e6] = '\x00' mem[0x4325e7] = '\x00' mem[0x4325e8] = '\x00' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x4325e3 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4325e3, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4325e4, 8)== ord('\x86')) condition = Operators.AND(condition, cpu.read_int(0x4325e5, 8)== ord('\xe6')) condition = Operators.AND(condition, cpu.read_int(0x4325e6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x4325e7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x4325e8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x4325e9) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JBE_5_symbolic(self): ''' Instruction JBE_5 Groups: jump 0x7ffff7df1269: jbe 0x7ffff7df1289 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1269] = 'v' mem[0x7ffff7df126a] = '\x1e' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7df1269 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1269, 8)== ord('v')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df126a, 8)== ord('\x1e')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df126b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JBE_6_symbolic(self): ''' Instruction JBE_6 Groups: jump 0x7ffff7acff53: jbe 0x7ffff7ad003f ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7acf000, 0x1000, 'rwx') mem[0x7ffff7acff53] = '\x0f' mem[0x7ffff7acff54] = '\x86' mem[0x7ffff7acff55] = '\xe6' mem[0x7ffff7acff56] = '\x00' mem[0x7ffff7acff57] = '\x00' mem[0x7ffff7acff58] = '\x00' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7acff53 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7acff53, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7acff54, 8)== ord('\x86')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7acff55, 8)== ord('\xe6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7acff56, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7acff57, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7acff58, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7acff59) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JB_1_symbolic(self): ''' Instruction JB_1 Groups: jump 0x7ffff7b58f46: jb 0x7ffff7b58f00 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f46] = 'r' mem[0x7ffff7b58f47] = '\xb8' cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x7ffff7b58f46 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f46, 8)== ord('r')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f47, 8)== ord('\xb8')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f00) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JB_2_symbolic(self): ''' Instruction JB_2 Groups: jump 0x7ffff7b58f46: jb 0x7ffff7b58f00 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f46] = 'r' mem[0x7ffff7b58f47] = '\xb8' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7b58f46 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f46, 8)== ord('r')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f47, 8)== ord('\xb8')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f48) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JB_3_symbolic(self): ''' Instruction JB_3 Groups: jump 0x400bab: jb 0x400ab4 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x400bab] = '\x0f' mem[0x400bac] = '\x82' mem[0x400bad] = '\x03' mem[0x400bae] = '\xff' mem[0x400baf] = '\xff' mem[0x400bb0] = '\xff' cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x400bab done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x400bab, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x400bac, 8)== ord('\x82')) condition = Operators.AND(condition, cpu.read_int(0x400bad, 8)== ord('\x03')) condition = Operators.AND(condition, cpu.read_int(0x400bae, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x400baf, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x400bb0, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.RIP == 0x400ab4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JB_4_symbolic(self): ''' Instruction JB_4 Groups: jump 0x7ffff7b58f46: jb 0x7ffff7b58f00 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f46] = 'r' mem[0x7ffff7b58f47] = '\xb8' cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x7ffff7b58f46 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f46, 8)== ord('r')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f47, 8)== ord('\xb8')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f00) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JB_5_symbolic(self): ''' Instruction JB_5 Groups: jump 0x7ffff7ddeff1: jb 0x7ffff7ddefd0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7dde000, 0x1000, 'rwx') mem[0x7ffff7ddeff1] = 'r' mem[0x7ffff7ddeff2] = '\xdd' cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x7ffff7ddeff1 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddeff1, 8)== ord('r')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddeff2, 8)== ord('\xdd')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddefd0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JB_6_symbolic(self): ''' Instruction JB_6 Groups: jump 0x7ffff7b58f46: jb 0x7ffff7b58f00 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f46] = 'r' mem[0x7ffff7b58f47] = '\xb8' cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x7ffff7b58f46 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f46, 8)== ord('r')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f47, 8)== ord('\xb8')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f00) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JE_1_symbolic(self): ''' Instruction JE_1 Groups: jump 0x7ffff7de3a9d: je 0x7ffff7de3ed1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3aa0] = '\x04' mem[0x7ffff7de3aa1] = '\x00' mem[0x7ffff7de3aa2] = '\x00' mem[0x7ffff7de3a9d] = '\x0f' mem[0x7ffff7de3a9e] = '\x84' mem[0x7ffff7de3a9f] = '.' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7de3a9d done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3aa0, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3aa1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3aa2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3a9d, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3a9e, 8)== ord('\x84')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3a9f, 8)== ord('.')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3aa3) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JE_2_symbolic(self): ''' Instruction JE_2 Groups: jump 0x7ffff7de61be: je 0x7ffff7de65b8 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de61c0] = '\xf4' mem[0x7ffff7de61c1] = '\x03' mem[0x7ffff7de61c2] = '\x00' mem[0x7ffff7de61c3] = '\x00' mem[0x7ffff7de61be] = '\x0f' mem[0x7ffff7de61bf] = '\x84' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7de61be done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61c0, 8)== ord('\xf4')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61c1, 8)== ord('\x03')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61c2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61c3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61be, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61bf, 8)== ord('\x84')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de61c4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JE_3_symbolic(self): ''' Instruction JE_3 Groups: jump 0x7ffff7de38c6: je 0x7ffff7de3960 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de38c6] = '\x0f' mem[0x7ffff7de38c7] = '\x84' mem[0x7ffff7de38c8] = '\x94' mem[0x7ffff7de38c9] = '\x00' mem[0x7ffff7de38ca] = '\x00' mem[0x7ffff7de38cb] = '\x00' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7de38c6 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de38c6, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de38c7, 8)== ord('\x84')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de38c8, 8)== ord('\x94')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de38c9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de38ca, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de38cb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de38cc) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JE_4_symbolic(self): ''' Instruction JE_4 Groups: jump 0x7ffff7de440b: je 0x7ffff7de4644 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de440b] = '\x0f' mem[0x7ffff7de440c] = '\x84' mem[0x7ffff7de440d] = '3' mem[0x7ffff7de440e] = '\x02' mem[0x7ffff7de440f] = '\x00' mem[0x7ffff7de4410] = '\x00' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7de440b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de440b, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de440c, 8)== ord('\x84')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de440d, 8)== ord('3')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de440e, 8)== ord('\x02')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de440f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4410, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4411) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JE_5_symbolic(self): ''' Instruction JE_5 Groups: jump 0x7ffff7de6115: je 0x7ffff7de6121 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6115] = 't' mem[0x7ffff7de6116] = '\n' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7de6115 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6115, 8)== ord('t')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6116, 8)== ord('\n')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6117) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JE_6_symbolic(self): ''' Instruction JE_6 Groups: jump 0x406e0b: je 0x406dc6 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem[0x406e0b] = 't' mem[0x406e0c] = '\xb9' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x406e0b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x406e0b, 8)== ord('t')) condition = Operators.AND(condition, cpu.read_int(0x406e0c, 8)== ord('\xb9')) condition = Operators.AND(condition, cpu.RIP == 0x406e0d) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JGE_1_symbolic(self): ''' Instruction JGE_1 Groups: jump 0x7ffff7ab5b02: jge 0x7ffff7ab5be0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx') mem[0x7ffff7ab5b02] = '\x0f' mem[0x7ffff7ab5b03] = '\x8d' mem[0x7ffff7ab5b04] = '\xd8' mem[0x7ffff7ab5b05] = '\x00' mem[0x7ffff7ab5b06] = '\x00' mem[0x7ffff7ab5b07] = '\x00' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x7ffff7ab5b02 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b02, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b03, 8)== ord('\x8d')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b04, 8)== ord('\xd8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b05, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b06, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b07, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab5b08) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JGE_2_symbolic(self): ''' Instruction JGE_2 Groups: jump 0x7ffff7b09879: jge 0x7ffff7b0987f ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b09000, 0x1000, 'rwx') mem[0x7ffff7b09879] = '}' mem[0x7ffff7b0987a] = '\x04' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x7ffff7b09879 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b09879, 8)== ord('}')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b0987a, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b0987f) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JGE_3_symbolic(self): ''' Instruction JGE_3 Groups: jump 0x7ffff7ab5b02: jge 0x7ffff7ab5be0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx') mem[0x7ffff7ab5b02] = '\x0f' mem[0x7ffff7ab5b03] = '\x8d' mem[0x7ffff7ab5b04] = '\xd8' mem[0x7ffff7ab5b05] = '\x00' mem[0x7ffff7ab5b06] = '\x00' mem[0x7ffff7ab5b07] = '\x00' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x7ffff7ab5b02 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b02, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b03, 8)== ord('\x8d')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b04, 8)== ord('\xd8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b05, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b06, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b07, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab5b08) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JG_1_symbolic(self): ''' Instruction JG_1 Groups: jump 0x403684: jg 0x40361a ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00403000, 0x1000, 'rwx') mem[0x403684] = '\x7f' mem[0x403685] = '\x94' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x403684 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x403684, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x403685, 8)== ord('\x94')) condition = Operators.AND(condition, cpu.RIP == 0x40361a) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JG_2_symbolic(self): ''' Instruction JG_2 Groups: jump 0x40c120: jg 0x40c3f0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0040c000, 0x1000, 'rwx') mem[0x40c120] = '\x0f' mem[0x40c121] = '\x8f' mem[0x40c122] = '\xca' mem[0x40c123] = '\x02' mem[0x40c124] = '\x00' mem[0x40c125] = '\x00' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x40c120 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x40c120, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x40c121, 8)== ord('\x8f')) condition = Operators.AND(condition, cpu.read_int(0x40c122, 8)== ord('\xca')) condition = Operators.AND(condition, cpu.read_int(0x40c123, 8)== ord('\x02')) condition = Operators.AND(condition, cpu.read_int(0x40c124, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x40c125, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x40c126) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JG_3_symbolic(self): ''' Instruction JG_3 Groups: jump 0x7ffff7df1357: jg 0x7ffff7df13a0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1358] = 'G' mem[0x7ffff7df1357] = '\x7f' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x7ffff7df1357 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1358, 8)== ord('G')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1357, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1359) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JG_4_symbolic(self): ''' Instruction JG_4 Groups: jump 0x7ffff7ddc9fb: jg 0x7ffff7ddce16 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx') mem[0x7ffff7ddca00] = '\x00' mem[0x7ffff7ddc9fb] = '\x0f' mem[0x7ffff7ddc9fc] = '\x8f' mem[0x7ffff7ddc9fd] = '\x15' mem[0x7ffff7ddc9fe] = '\x04' mem[0x7ffff7ddc9ff] = '\x00' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x7ffff7ddc9fb done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddca00, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fb, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fc, 8)== ord('\x8f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fd, 8)== ord('\x15')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fe, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9ff, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddce16) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JG_5_symbolic(self): ''' Instruction JG_5 Groups: jump 0x7ffff7ddc9fb: jg 0x7ffff7ddce16 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx') mem[0x7ffff7ddca00] = '\x00' mem[0x7ffff7ddc9fb] = '\x0f' mem[0x7ffff7ddc9fc] = '\x8f' mem[0x7ffff7ddc9fd] = '\x15' mem[0x7ffff7ddc9fe] = '\x04' mem[0x7ffff7ddc9ff] = '\x00' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x7ffff7ddc9fb done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddca00, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fb, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fc, 8)== ord('\x8f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fd, 8)== ord('\x15')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fe, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9ff, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddce16) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JG_6_symbolic(self): ''' Instruction JG_6 Groups: jump 0x40c2e4: jg 0x40c250 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0040c000, 0x1000, 'rwx') mem[0x40c2e4] = '\x0f' mem[0x40c2e5] = '\x8f' mem[0x40c2e6] = 'f' mem[0x40c2e7] = '\xff' mem[0x40c2e8] = '\xff' mem[0x40c2e9] = '\xff' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x40c2e4 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x40c2e4, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x40c2e5, 8)== ord('\x8f')) condition = Operators.AND(condition, cpu.read_int(0x40c2e6, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x40c2e7, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x40c2e8, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x40c2e9, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.RIP == 0x40c2ea) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JLE_1_symbolic(self): ''' Instruction JLE_1 Groups: jump 0x400b2b: jle 0x400b01 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x400b2b] = '~' mem[0x400b2c] = '\xd4' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x400b2b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x400b2b, 8)== ord('~')) condition = Operators.AND(condition, cpu.read_int(0x400b2c, 8)== ord('\xd4')) condition = Operators.AND(condition, cpu.RIP == 0x400b01) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JLE_2_symbolic(self): ''' Instruction JLE_2 Groups: jump 0x7ffff7a4e1cb: jle 0x7ffff7a4e429 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx') mem[0x7ffff7a4e1cb] = '\x0f' mem[0x7ffff7a4e1cc] = '\x8e' mem[0x7ffff7a4e1cd] = 'X' mem[0x7ffff7a4e1ce] = '\x02' mem[0x7ffff7a4e1cf] = '\x00' mem[0x7ffff7a4e1d0] = '\x00' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x7ffff7a4e1cb done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e1cb, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e1cc, 8)== ord('\x8e')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e1cd, 8)== ord('X')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e1ce, 8)== ord('\x02')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e1cf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e1d0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4e1d1) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JLE_3_symbolic(self): ''' Instruction JLE_3 Groups: jump 0x437c08: jle 0x437c1f ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00437000, 0x1000, 'rwx') mem[0x437c08] = '~' mem[0x437c09] = '\x15' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x437c08 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x437c08, 8)== ord('~')) condition = Operators.AND(condition, cpu.read_int(0x437c09, 8)== ord('\x15')) condition = Operators.AND(condition, cpu.RIP == 0x437c0a) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JLE_4_symbolic(self): ''' Instruction JLE_4 Groups: jump 0x7ffff7de4486: jle 0x7ffff7de4430 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4486] = '~' mem[0x7ffff7de4487] = '\xa8' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x7ffff7de4486 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4486, 8)== ord('~')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4487, 8)== ord('\xa8')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4488) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JLE_5_symbolic(self): ''' Instruction JLE_5 Groups: jump 0x7ffff7de4486: jle 0x7ffff7de4430 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4486] = '~' mem[0x7ffff7de4487] = '\xa8' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x7ffff7de4486 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4486, 8)== ord('~')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4487, 8)== ord('\xa8')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4488) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JLE_6_symbolic(self): ''' Instruction JLE_6 Groups: jump 0x7ffff7de4486: jle 0x7ffff7de4430 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4486] = '~' mem[0x7ffff7de4487] = '\xa8' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x7ffff7de4486 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4486, 8)== ord('~')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4487, 8)== ord('\xa8')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4488) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JL_1_symbolic(self): ''' Instruction JL_1 Groups: jump 0x555555556f00: jl 0x555555556ee2 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem[0x555555556f00] = '|' mem[0x555555556f01] = '\xe0' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x555555556f00 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x555555556f00, 8)== ord('|')) condition = Operators.AND(condition, cpu.read_int(0x555555556f01, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.RIP == 0x555555556ee2) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JL_2_symbolic(self): ''' Instruction JL_2 Groups: jump 0x555555556f00: jl 0x555555556ee2 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem[0x555555556f00] = '|' mem[0x555555556f01] = '\xe0' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x555555556f00 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x555555556f00, 8)== ord('|')) condition = Operators.AND(condition, cpu.read_int(0x555555556f01, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.RIP == 0x555555556f02) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JL_3_symbolic(self): ''' Instruction JL_3 Groups: jump 0x555555556f00: jl 0x555555556ee2 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem[0x555555556f00] = '|' mem[0x555555556f01] = '\xe0' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x555555556f00 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x555555556f00, 8)== ord('|')) condition = Operators.AND(condition, cpu.read_int(0x555555556f01, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.RIP == 0x555555556ee2) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JMP_1_symbolic(self): ''' Instruction JMP_1 Groups: jump 0x7ffff7de4279: jmp 0x7ffff7de3a98 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4279] = '\xe9' mem[0x7ffff7de427a] = '\x1a' mem[0x7ffff7de427b] = '\xf8' mem[0x7ffff7de427c] = '\xff' mem[0x7ffff7de427d] = '\xff' cpu.RIP = 0x7ffff7de4279 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4279, 8)== ord('\xe9')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de427a, 8)== ord('\x1a')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de427b, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de427c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de427d, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3a98) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JMP_2_symbolic(self): ''' Instruction JMP_2 Groups: jump 0x7ffff7b58ee7: jmp 0x7ffff7b58f10 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58ee8] = "'" mem[0x7ffff7b58ee7] = '\xeb' cpu.RIP = 0x7ffff7b58ee7 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee8, 8)== ord("'")) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee7, 8)== ord('\xeb')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f10) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JMP_3_symbolic(self): ''' Instruction JMP_3 Groups: jump 0x7ffff7df28e1: jmp 0x7ffff7ddaa00 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df2000, 0x1000, 'rwx') mem[0x7ffff7df28e1] = '\xe9' mem[0x7ffff7df28e2] = '\x1a' mem[0x7ffff7df28e3] = '\x81' mem[0x7ffff7df28e4] = '\xfe' mem[0x7ffff7df28e5] = '\xff' cpu.RIP = 0x7ffff7df28e1 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df28e1, 8)== ord('\xe9')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df28e2, 8)== ord('\x1a')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df28e3, 8)== ord('\x81')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df28e4, 8)== ord('\xfe')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df28e5, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddaa00) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JMP_4_symbolic(self): ''' Instruction JMP_4 Groups: mode64, jump 0x7ffff7de62ee: jmp rdx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de62ee] = '\xff' mem[0x7ffff7de62ef] = '\xe2' cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x7ffff7de63b8) cpu.RIP = 0x7ffff7de62ee done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de62ee, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de62ef, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.RDX == 0x7ffff7de63b8) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de63b8) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JMP_5_symbolic(self): ''' Instruction JMP_5 Groups: jump 0x7ffff7de4042: jmp 0x7ffff7de4054 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4042] = '\xeb' mem[0x7ffff7de4043] = '\x10' cpu.RIP = 0x7ffff7de4042 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4042, 8)== ord('\xeb')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4043, 8)== ord('\x10')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4054) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JMP_6_symbolic(self): ''' Instruction JMP_6 Groups: jump 0x7ffff7b58ee7: jmp 0x7ffff7b58f10 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58ee8] = "'" mem[0x7ffff7b58ee7] = '\xeb' cpu.RIP = 0x7ffff7b58ee7 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee8, 8)== ord("'")) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee7, 8)== ord('\xeb')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f10) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JNE_1_symbolic(self): ''' Instruction JNE_1 Groups: jump 0x7ffff7df459e: jne 0x7ffff7df4590 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df459e] = 'u' mem[0x7ffff7df459f] = '\xf0' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7df459e done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459e, 8)== ord('u')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459f, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4590) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JNE_2_symbolic(self): ''' Instruction JNE_2 Groups: jump 0x7ffff7de5a4b: jne 0x7ffff7de5a40 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem[0x7ffff7de5a4b] = 'u' mem[0x7ffff7de5a4c] = '\xf3' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7de5a4b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5a4b, 8)== ord('u')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5a4c, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de5a40) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JNE_3_symbolic(self): ''' Instruction JNE_3 Groups: jump 0x7ffff7de611b: jne 0x7ffff7de73ad ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6120] = '\x00' mem[0x7ffff7de611b] = '\x0f' mem[0x7ffff7de611c] = '\x85' mem[0x7ffff7de611d] = '\x8c' mem[0x7ffff7de611e] = '\x12' mem[0x7ffff7de611f] = '\x00' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RIP = 0x7ffff7de611b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6120, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de611b, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de611c, 8)== ord('\x85')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de611d, 8)== ord('\x8c')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de611e, 8)== ord('\x12')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de611f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6121) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JNE_4_symbolic(self): ''' Instruction JNE_4 Groups: jump 0x7ffff7aab197: jne 0x7ffff7aab188 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7aab000, 0x1000, 'rwx') mem[0x7ffff7aab198] = '\xef' mem[0x7ffff7aab197] = 'u' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7aab197 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7aab198, 8)== ord('\xef')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7aab197, 8)== ord('u')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aab188) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JNE_5_symbolic(self): ''' Instruction JNE_5 Groups: jump 0x7ffff7df4594: jne 0x7ffff7df45a3 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4594] = 'u' mem[0x7ffff7df4595] = '\r' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RIP = 0x7ffff7df4594 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4594, 8)== ord('u')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4595, 8)== ord('\r')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4596) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JNE_6_symbolic(self): ''' Instruction JNE_6 Groups: jump 0x7ffff7df459e: jne 0x7ffff7df4590 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df459e] = 'u' mem[0x7ffff7df459f] = '\xf0' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7df459e done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459e, 8)== ord('u')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459f, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4590) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JNS_1_symbolic(self): ''' Instruction JNS_1 Groups: jump 0x7ffff7df138f: jns 0x7ffff7df1350 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1390] = '\xbf' mem[0x7ffff7df138f] = 'y' cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x7ffff7df138f done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1390, 8)== ord('\xbf')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df138f, 8)== ord('y')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1391) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JNS_2_symbolic(self): ''' Instruction JNS_2 Groups: jump 0x555555565fb2: jns 0x5555555659ec ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555565000, 0x1000, 'rwx') mem[0x555555565fb2] = '\x0f' mem[0x555555565fb3] = '\x89' mem[0x555555565fb4] = '4' mem[0x555555565fb5] = '\xfa' mem[0x555555565fb6] = '\xff' mem[0x555555565fb7] = '\xff' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x555555565fb2 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x555555565fb2, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x555555565fb3, 8)== ord('\x89')) condition = Operators.AND(condition, cpu.read_int(0x555555565fb4, 8)== ord('4')) condition = Operators.AND(condition, cpu.read_int(0x555555565fb5, 8)== ord('\xfa')) condition = Operators.AND(condition, cpu.read_int(0x555555565fb6, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x555555565fb7, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.RIP == 0x5555555659ec) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JNS_3_symbolic(self): ''' Instruction JNS_3 Groups: jump 0x7ffff7df138f: jns 0x7ffff7df1350 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1390] = '\xbf' mem[0x7ffff7df138f] = 'y' cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x7ffff7df138f done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1390, 8)== ord('\xbf')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df138f, 8)== ord('y')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1391) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JNS_4_symbolic(self): ''' Instruction JNS_4 Groups: jump 0x7ffff7df138f: jns 0x7ffff7df1350 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1390] = '\xbf' mem[0x7ffff7df138f] = 'y' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x7ffff7df138f done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1390, 8)== ord('\xbf')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df138f, 8)== ord('y')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1350) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JNS_5_symbolic(self): ''' Instruction JNS_5 Groups: jump 0x7ffff7df138f: jns 0x7ffff7df1350 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1390] = '\xbf' mem[0x7ffff7df138f] = 'y' cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x7ffff7df138f done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1390, 8)== ord('\xbf')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df138f, 8)== ord('y')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1391) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JNS_6_symbolic(self): ''' Instruction JNS_6 Groups: jump 0x7ffff7df138f: jns 0x7ffff7df1350 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1390] = '\xbf' mem[0x7ffff7df138f] = 'y' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x7ffff7df138f done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1390, 8)== ord('\xbf')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df138f, 8)== ord('y')) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1350) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JS_1_symbolic(self): ''' Instruction JS_1 Groups: jump 0x4326b2: js 0x4328fb ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x4326b2] = '\x0f' mem[0x4326b3] = '\x88' mem[0x4326b4] = 'C' mem[0x4326b5] = '\x02' mem[0x4326b6] = '\x00' mem[0x4326b7] = '\x00' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x4326b2 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4326b2, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4326b3, 8)== ord('\x88')) condition = Operators.AND(condition, cpu.read_int(0x4326b4, 8)== ord('C')) condition = Operators.AND(condition, cpu.read_int(0x4326b5, 8)== ord('\x02')) condition = Operators.AND(condition, cpu.read_int(0x4326b6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x4326b7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x4326b8) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JS_2_symbolic(self): ''' Instruction JS_2 Groups: jump 0x4322d2: js 0x43251b ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x4322d2] = '\x0f' mem[0x4322d3] = '\x88' mem[0x4322d4] = 'C' mem[0x4322d5] = '\x02' mem[0x4322d6] = '\x00' mem[0x4322d7] = '\x00' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x4322d2 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4322d2, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4322d3, 8)== ord('\x88')) condition = Operators.AND(condition, cpu.read_int(0x4322d4, 8)== ord('C')) condition = Operators.AND(condition, cpu.read_int(0x4322d5, 8)== ord('\x02')) condition = Operators.AND(condition, cpu.read_int(0x4322d6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x4322d7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x4322d8) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JS_3_symbolic(self): ''' Instruction JS_3 Groups: jump 0x555555565075: js 0x555555566260 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555565000, 0x1000, 'rwx') mem[0x555555565075] = '\x0f' mem[0x555555565076] = '\x88' mem[0x555555565077] = '\xe5' mem[0x555555565078] = '\x11' mem[0x555555565079] = '\x00' mem[0x55555556507a] = '\x00' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x555555565075 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x555555565075, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x555555565076, 8)== ord('\x88')) condition = Operators.AND(condition, cpu.read_int(0x555555565077, 8)== ord('\xe5')) condition = Operators.AND(condition, cpu.read_int(0x555555565078, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.read_int(0x555555565079, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555556507a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RIP == 0x55555556507b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JS_4_symbolic(self): ''' Instruction JS_4 Groups: jump 0x40dd40: js 0x40dd4c ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0040d000, 0x1000, 'rwx') mem[0x40dd40] = 'x' mem[0x40dd41] = '\n' cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x40dd40 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x40dd40, 8)== ord('x')) condition = Operators.AND(condition, cpu.read_int(0x40dd41, 8)== ord('\n')) condition = Operators.AND(condition, cpu.RIP == 0x40dd4c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JS_5_symbolic(self): ''' Instruction JS_5 Groups: jump 0x555555559cb6: js 0x555555559ccf ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555559000, 0x1000, 'rwx') mem[0x555555559cb6] = 'x' mem[0x555555559cb7] = '\x17' cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x555555559cb6 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x555555559cb6, 8)== ord('x')) condition = Operators.AND(condition, cpu.read_int(0x555555559cb7, 8)== ord('\x17')) condition = Operators.AND(condition, cpu.RIP == 0x555555559ccf) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_JS_6_symbolic(self): ''' Instruction JS_6 Groups: jump 0x5555555673d5: js 0x555555567450 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555567000, 0x1000, 'rwx') mem[0x5555555673d5] = 'x' mem[0x5555555673d6] = 'y' cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x5555555673d5 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x5555555673d5, 8)== ord('x')) condition = Operators.AND(condition, cpu.read_int(0x5555555673d6, 8)== ord('y')) condition = Operators.AND(condition, cpu.RIP == 0x5555555673d7) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_LEAVE_1_symbolic(self): ''' Instruction LEAVE_1 Groups: mode64 0x7ffff7b30c15: leave ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b30000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7ffff7b30c15] = '\xc9' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda98) value = cs.new_bitvec(8) cs.add(value == 0xd0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda99) value = cs.new_bitvec(8) cs.add(value == 0xda) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda9a) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda9b) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda9c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda9d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda9e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda9f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaa0) value = cs.new_bitvec(8) cs.add(value == 0xf0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaa1) value = cs.new_bitvec(8) cs.add(value == 0xda) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaa2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaa3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaa4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaa5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaa6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaa7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaa8) value = cs.new_bitvec(8) cs.add(value == 0x48) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaa9) value = cs.new_bitvec(8) cs.add(value == 0xe1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaaa) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaab) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaac) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaad) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaae) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaaf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdab0) value = cs.new_bitvec(8) cs.add(value == 0xc0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdab1) value = cs.new_bitvec(8) cs.add(value == 0xda) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdab2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdab3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdab4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdab5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdab6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdab7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdab8) value = cs.new_bitvec(8) cs.add(value == 0xb3) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffdaa0) cpu.RIP = 0x7ffff7b30c15 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffdab0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b30c15, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda98, 8)== ord('\xd0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda99, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9a, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9b, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa0, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa1, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa8, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa9, 8)== ord('\xe1')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaaa, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaab, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaac, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaad, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaae, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaaf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab0, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab1, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab8, 8)== ord('\xb3')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffdab8) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b30c16) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdac0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_LEAVE_2_symbolic(self): ''' Instruction LEAVE_2 Groups: mode64 0x4176f4: leave ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00417000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcad8) value = cs.new_bitvec(8) cs.add(value == 0xf0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcad9) value = cs.new_bitvec(8) cs.add(value == 0x76) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcada) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcadb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcadc) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcadd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcade) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcadf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcae0) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcae1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcae2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcae3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcae4) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcae5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcae6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcae7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcae8) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcae9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaea) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaeb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaec) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaed) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaee) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaef) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaf0) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaf1) value = cs.new_bitvec(8) cs.add(value == 0xdb) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaf2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaf3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaf4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaf5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaf6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaf7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcaf8) value = cs.new_bitvec(8) cs.add(value == 0x2b) mem[addr] = value mem[0x4176f4] = '\xc9' cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffcae0) cpu.RIP = 0x4176f4 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffcaf0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffcad8, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcad9, 8)== ord('v')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcada, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcadb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcadc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcadd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcade, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcadf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae0, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae8, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaea, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaeb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaec, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaed, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaee, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaef, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf0, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf1, 8)== ord('\xdb')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x4176f4, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf8, 8)== ord('+')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffcaf8) condition = Operators.AND(condition, cpu.RIP == 0x4176f5) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdb20) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_LEAVE_3_symbolic(self): ''' Instruction LEAVE_3 Groups: mode64 0x7ffff7b59b18: leave ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b59000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda08) value = cs.new_bitvec(8) cs.add(value == 0xd0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda09) value = cs.new_bitvec(8) cs.add(value == 0xd4) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda0a) value = cs.new_bitvec(8) cs.add(value == 0xa4) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda0b) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda0c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda0d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda0e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda0f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda10) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda11) value = cs.new_bitvec(8) cs.add(value == 0xda) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda12) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda13) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda14) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda15) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda16) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda17) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7b59b18] = '\xc9' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9d9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9da) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9db) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9dc) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9dd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9de) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9df) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9e0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9e1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9e2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9e3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9d8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9e5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda18) value = cs.new_bitvec(8) cs.add(value == 0x27) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9e7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9e8) value = cs.new_bitvec(8) cs.add(value == 0xf0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9e6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9e4) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd9e0) cpu.RIP = 0x7ffff7b59b18 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffda10) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffda08, 8)== ord('\xd0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda09, 8)== ord('\xd4')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0a, 8)== ord('\xa4')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0b, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda10, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda11, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda12, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda13, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda14, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda15, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda16, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda17, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b59b18, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9d9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9da, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9db, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9dc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9dd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9de, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9df, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9d8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda18, 8)== ord("'")) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e8, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffda18) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b59b19) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffda40) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_LEAVE_4_symbolic(self): ''' Instruction LEAVE_4 Groups: mode64 0x7ffff7b59b18: leave ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7b59000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb98) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb71) value = cs.new_bitvec(8) cs.add(value == 0xdc) mem[addr] = value mem[0x7ffff7b59b18] = '\xc9' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb99) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb9a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb9b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb9c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb9d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb9e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb9f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba0) value = cs.new_bitvec(8) cs.add(value == 0xf0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba1) value = cs.new_bitvec(8) cs.add(value == 0xdb) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba8) value = cs.new_bitvec(8) cs.add(value == 0x3a) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb69) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb6a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb6b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb6c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb6d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb6e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb6f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb70) value = cs.new_bitvec(8) cs.add(value == 0xb8) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb68) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb72) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb73) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb74) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb75) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb76) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb77) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb78) value = cs.new_bitvec(8) cs.add(value == 0x50) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffdb70) cpu.RIP = 0x7ffff7b59b18 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffdba0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b59b18, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb71, 8)== ord('\xdc')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb98, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb99, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba0, 8)== ord('\xf0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba1, 8)== ord('\xdb')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba8, 8)== ord(':')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb69, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb70, 8)== ord('\xb8')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb68, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb72, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb73, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb74, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb75, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb76, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb77, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb78, 8)== ord('P')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffdba8) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b59b19) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdbf0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_LEAVE_5_symbolic(self): ''' Instruction LEAVE_5 Groups: mode64 0x7ffff7ae0541: leave ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ae0000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7ffff7ae0541] = '\xc9' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd988) value = cs.new_bitvec(8) cs.add(value == 0x37) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd989) value = cs.new_bitvec(8) cs.add(value == 0x5) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd98a) value = cs.new_bitvec(8) cs.add(value == 0xae) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd98b) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd98c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd98d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd98e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd98f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd990) value = cs.new_bitvec(8) cs.add(value == 0xa8) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd991) value = cs.new_bitvec(8) cs.add(value == 0xa) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd992) value = cs.new_bitvec(8) cs.add(value == 0xba) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd993) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd994) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd995) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd996) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd997) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd998) value = cs.new_bitvec(8) cs.add(value == 0xf6) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9a8) value = cs.new_bitvec(8) cs.add(value == 0xe0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9a9) value = cs.new_bitvec(8) cs.add(value == 0xda) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9aa) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9ab) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9ac) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9ad) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9ae) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9af) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9b0) value = cs.new_bitvec(8) cs.add(value == 0xe0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9b1) value = cs.new_bitvec(8) cs.add(value == 0xda) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9b2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9b3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9b4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9b5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9b6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9b7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9b8) value = cs.new_bitvec(8) cs.add(value == 0xf8) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd990) cpu.RIP = 0x7ffff7ae0541 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffd9b0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ae0541, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd988, 8)== ord('7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd989, 8)== ord('\x05')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd98a, 8)== ord('\xae')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd98b, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd98c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd98d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd98e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd98f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd990, 8)== ord('\xa8')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd991, 8)== ord('\n')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd992, 8)== ord('\xba')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd993, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd994, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd995, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd996, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd997, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd998, 8)== ord('\xf6')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a8, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a9, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9aa, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9ab, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9ac, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9ad, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9ae, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9af, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b0, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b1, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b8, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd9b8) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ae0542) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdae0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_LEAVE_6_symbolic(self): ''' Instruction LEAVE_6 Groups: mode64 0x7ffff7a626cd: leave ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a62000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda6c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda6b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda68) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7a626cd] = '\xc9' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda6d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda6e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda6f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda60) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda61) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda62) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda63) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda64) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda65) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda66) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda67) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb28) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb29) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb2a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb2b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb2c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb2d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb2e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb2f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb30) value = cs.new_bitvec(8) cs.add(value == 0x30) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb31) value = cs.new_bitvec(8) cs.add(value == 0xdc) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb32) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb33) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb34) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb35) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb36) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb37) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb38) value = cs.new_bitvec(8) cs.add(value == 0x78) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda70) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda69) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda6a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffda68) cpu.RIP = 0x7ffff7a626cd cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffdb30) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffda6c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda6b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda68, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a626cd, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda6d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda6e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda6f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda60, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda61, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda62, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda63, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda64, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda65, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda66, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda67, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb28, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb29, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb30, 8)== ord('0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb31, 8)== ord('\xdc')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb32, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb33, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb34, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb35, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb36, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb37, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb38, 8)== ord('x')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda70, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda69, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda6a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffdb38) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a626ce) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdc30) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_LEA_1_symbolic(self): ''' Instruction LEA_1 Groups: 0x7ffff7de44f3: lea rsp, qword ptr [rbp - 0x28] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7ffff7de44f3] = 'H' mem[0x7ffff7de44f4] = '\x8d' mem[0x7ffff7de44f5] = 'e' mem[0x7ffff7de44f6] = '\xd8' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd978) value = cs.new_bitvec(8) cs.add(value == 0xc8) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd979) value = cs.new_bitvec(8) cs.add(value == 0xcd) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd97a) value = cs.new_bitvec(8) cs.add(value == 0xa4) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd97b) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd97c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd97d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd97e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd97f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd8b0) cpu.RIP = 0x7ffff7de44f3 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffd9a0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de44f3, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de44f4, 8)== ord('\x8d')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de44f5, 8)== ord('e')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de44f6, 8)== ord('\xd8')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd978, 8)== ord('\xc8')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd979, 8)== ord('\xcd')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd97a, 8)== ord('\xa4')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd97b, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd97c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd97d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd97e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd97f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd978) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de44f7) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd9a0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_LEA_2_symbolic(self): ''' Instruction LEA_2 Groups: 0x7ffff7b58ee3: lea r8, qword ptr [r8 + rdx*4] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a2f000, 0x1000, 'rwx') mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a2fde3) value = cs.new_bitvec(8) cs.add(value == 0xb2) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a2fde4) value = cs.new_bitvec(8) cs.add(value == 0x34) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a2fde5) value = cs.new_bitvec(8) cs.add(value == 0xd5) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a2fde0) value = cs.new_bitvec(8) cs.add(value == 0x78) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a2fde1) value = cs.new_bitvec(8) cs.add(value == 0x29) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a2fde2) value = cs.new_bitvec(8) cs.add(value == 0xce) mem[addr] = value mem[0x7ffff7b58ee3] = 'M' mem[0x7ffff7b58ee4] = '\x8d' mem[0x7ffff7b58ee5] = '\x04' mem[0x7ffff7b58ee6] = '\x90' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a2fde7) value = cs.new_bitvec(8) cs.add(value == 0x50) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a2fde6) value = cs.new_bitvec(8) cs.add(value == 0x92) mem[addr] = value cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x7ffff7a2fa7c) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0xd9) cpu.RIP = 0x7ffff7b58ee3 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde3, 8)== ord('\xb2')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde4, 8)== ord('4')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde5, 8)== ord('\xd5')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde0, 8)== ord('x')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde1, 8)== ord(')')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde2, 8)== ord('\xce')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee3, 8)== ord('M')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee4, 8)== ord('\x8d')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee5, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee6, 8)== ord('\x90')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde7, 8)== ord('P')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde6, 8)== ord('\x92')) condition = Operators.AND(condition, cpu.R8 == 0x7ffff7a2fde0) condition = Operators.AND(condition, cpu.RDX == 0xd9) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58ee7) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_LEA_3_symbolic(self): ''' Instruction LEA_3 Groups: 0x7ffff7de3841: lea rsi, qword ptr [rbp - 0x3c] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7ffff7de3841] = 'H' mem[0x7ffff7de3842] = '\x8d' mem[0x7ffff7de3843] = 'u' mem[0x7ffff7de3844] = '\xc4' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd8c5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd8c6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd8c7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd8c8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd8c9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd8ca) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd8cb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd8c4) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0xbdd69f1b) cpu.RIP = 0x7ffff7de3841 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffd900) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3841, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3842, 8)== ord('\x8d')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3843, 8)== ord('u')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3844, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8c5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8c6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8c7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8c8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8c9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8ca, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8cb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8c4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffd8c4) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3845) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd900) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_LEA_4_symbolic(self): ''' Instruction LEA_4 Groups: 0x7ffff7b58f14: lea rdx, qword ptr [rbx + rdx*8] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a34000, 0x1000, 'rwx') mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f14] = 'H' mem[0x7ffff7b58f15] = '\x8d' mem[0x7ffff7b58f16] = '\x14' mem[0x7ffff7b58f17] = '\xd3' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a34270) value = cs.new_bitvec(8) cs.add(value == 0xb5) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a34271) value = cs.new_bitvec(8) cs.add(value == 0x2a) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a34272) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a34273) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a34274) value = cs.new_bitvec(8) cs.add(value == 0x1a) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a34275) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a34276) value = cs.new_bitvec(8) cs.add(value == 0xb) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a34277) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x4a1) cpu.RIP = 0x7ffff7b58f14 cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x7ffff7a31d68) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f14, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f15, 8)== ord('\x8d')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f16, 8)== ord('\x14')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f17, 8)== ord('\xd3')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34270, 8)== ord('\xb5')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34271, 8)== ord('*')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34272, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34273, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34274, 8)== ord('\x1a')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34275, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34276, 8)== ord('\x0b')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34277, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RDX == 0x7ffff7a34270) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f18) condition = Operators.AND(condition, cpu.RBX == 0x7ffff7a31d68) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_LEA_5_symbolic(self): ''' Instruction LEA_5 Groups: 0x7ffff7a652b7: lea rsi, qword ptr [rip + 0x36e35a] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a65000, 0x1000, 'rwx') mem.mmap(0x7ffff7dd3000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd3618) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd3619) value = cs.new_bitvec(8) cs.add(value == 0x4d) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd361a) value = cs.new_bitvec(8) cs.add(value == 0xdd) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd361b) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd361c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd361d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd361e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7dd361f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7a652b7] = 'H' mem[0x7ffff7a652b8] = '\x8d' mem[0x7ffff7a652b9] = '5' mem[0x7ffff7a652ba] = 'Z' mem[0x7ffff7a652bb] = '\xe3' mem[0x7ffff7a652bc] = '6' mem[0x7ffff7a652bd] = '\x00' cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x555555554a00) cpu.RIP = 0x7ffff7a652b7 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd3618, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd3619, 8)== ord('M')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd361a, 8)== ord('\xdd')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd361b, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd361c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd361d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd361e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd361f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a652b7, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a652b8, 8)== ord('\x8d')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a652b9, 8)== ord('5')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a652ba, 8)== ord('Z')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a652bb, 8)== ord('\xe3')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a652bc, 8)== ord('6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a652bd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSI == 0x7ffff7dd3618) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a652be) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_LEA_6_symbolic(self): ''' Instruction LEA_6 Groups: 0x7ffff7de4418: lea rdi, qword ptr [rbp - 0xa0] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd910) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd911) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd912) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd913) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd914) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd915) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd916) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd917) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7de4418] = 'H' mem[0x7ffff7de4419] = '\x8d' mem[0x7ffff7de441a] = '\xbd' mem[0x7ffff7de441b] = '`' mem[0x7ffff7de441c] = '\xff' mem[0x7ffff7de441d] = '\xff' mem[0x7ffff7de441e] = '\xff' cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x555555554548) cpu.RIP = 0x7ffff7de4418 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffd9b0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffd910, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd911, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd912, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd913, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd914, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd915, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd916, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd917, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4418, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4419, 8)== ord('\x8d')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de441a, 8)== ord('\xbd')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de441b, 8)== ord('`')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de441c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de441d, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de441e, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffd910) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de441f) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd9b0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVABS_1_symbolic(self): ''' Instruction MOVABS_1 Groups: 0x7ffff7ddc5df: movabs r8, 0x37ffff1a0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx') mem[0x7ffff7ddc5e0] = '\xb8' mem[0x7ffff7ddc5e1] = '\xa0' mem[0x7ffff7ddc5e2] = '\xf1' mem[0x7ffff7ddc5e3] = '\xff' mem[0x7ffff7ddc5e4] = '\x7f' mem[0x7ffff7ddc5e5] = '\x03' mem[0x7ffff7ddc5e6] = '\x00' mem[0x7ffff7ddc5e7] = '\x00' mem[0x7ffff7ddc5e8] = '\x00' mem[0x7ffff7ddc5df] = 'I' cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x0) cpu.RIP = 0x7ffff7ddc5df done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e0, 8)== ord('\xb8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e1, 8)== ord('\xa0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e2, 8)== ord('\xf1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e4, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e5, 8)== ord('\x03')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5df, 8)== ord('I')) condition = Operators.AND(condition, cpu.R8 == 0x37ffff1a0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddc5e9) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVABS_2_symbolic(self): ''' Instruction MOVABS_2 Groups: 0x7ffff7ddc5df: movabs r8, 0x37ffff1a0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx') mem[0x7ffff7ddc5e0] = '\xb8' mem[0x7ffff7ddc5e1] = '\xa0' mem[0x7ffff7ddc5e2] = '\xf1' mem[0x7ffff7ddc5e3] = '\xff' mem[0x7ffff7ddc5e4] = '\x7f' mem[0x7ffff7ddc5e5] = '\x03' mem[0x7ffff7ddc5e6] = '\x00' mem[0x7ffff7ddc5e7] = '\x00' mem[0x7ffff7ddc5e8] = '\x00' mem[0x7ffff7ddc5df] = 'I' cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x0) cpu.RIP = 0x7ffff7ddc5df done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e0, 8)== ord('\xb8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e1, 8)== ord('\xa0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e2, 8)== ord('\xf1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e4, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e5, 8)== ord('\x03')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5df, 8)== ord('I')) condition = Operators.AND(condition, cpu.R8 == 0x37ffff1a0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddc5e9) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVABS_3_symbolic(self): ''' Instruction MOVABS_3 Groups: 0x7ffff7df1435: movabs rcx, -0x8000000000000000 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1435] = 'H' mem[0x7ffff7df1436] = '\xb9' mem[0x7ffff7df1437] = '\x00' mem[0x7ffff7df1438] = '\x00' mem[0x7ffff7df1439] = '\x00' mem[0x7ffff7df143a] = '\x00' mem[0x7ffff7df143b] = '\x00' mem[0x7ffff7df143c] = '\x00' mem[0x7ffff7df143d] = '\x00' mem[0x7ffff7df143e] = '\x80' cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x31) cpu.RIP = 0x7ffff7df1435 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1435, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1436, 8)== ord('\xb9')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1437, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1438, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1439, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df143a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df143b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df143c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df143d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df143e, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.RCX == 0x8000000000000000) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df143f) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVABS_4_symbolic(self): ''' Instruction MOVABS_4 Groups: 0x45f853: movabs rdx, -0x3333333333333333 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0045f000, 0x1000, 'rwx') mem[0x45f853] = 'H' mem[0x45f854] = '\xba' mem[0x45f855] = '\xcd' mem[0x45f856] = '\xcc' mem[0x45f857] = '\xcc' mem[0x45f858] = '\xcc' mem[0x45f859] = '\xcc' mem[0x45f85a] = '\xcc' mem[0x45f85b] = '\xcc' mem[0x45f85c] = '\xcc' cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x6bf710) cpu.RIP = 0x45f853 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x45f853, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x45f854, 8)== ord('\xba')) condition = Operators.AND(condition, cpu.read_int(0x45f855, 8)== ord('\xcd')) condition = Operators.AND(condition, cpu.read_int(0x45f856, 8)== ord('\xcc')) condition = Operators.AND(condition, cpu.read_int(0x45f857, 8)== ord('\xcc')) condition = Operators.AND(condition, cpu.read_int(0x45f858, 8)== ord('\xcc')) condition = Operators.AND(condition, cpu.read_int(0x45f859, 8)== ord('\xcc')) condition = Operators.AND(condition, cpu.read_int(0x45f85a, 8)== ord('\xcc')) condition = Operators.AND(condition, cpu.read_int(0x45f85b, 8)== ord('\xcc')) condition = Operators.AND(condition, cpu.read_int(0x45f85c, 8)== ord('\xcc')) condition = Operators.AND(condition, cpu.RDX == 0xcccccccccccccccd) condition = Operators.AND(condition, cpu.RIP == 0x45f85d) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVABS_5_symbolic(self): ''' Instruction MOVABS_5 Groups: 0x7ffff7df4630: movabs r8, -0x101010101010101 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4630] = 'I' mem[0x7ffff7df4631] = '\xb8' mem[0x7ffff7df4632] = '\xff' mem[0x7ffff7df4633] = '\xfe' mem[0x7ffff7df4634] = '\xfe' mem[0x7ffff7df4635] = '\xfe' mem[0x7ffff7df4636] = '\xfe' mem[0x7ffff7df4637] = '\xfe' mem[0x7ffff7df4638] = '\xfe' mem[0x7ffff7df4639] = '\xfe' cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x7ffff7fdd5a0) cpu.RIP = 0x7ffff7df4630 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4630, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4631, 8)== ord('\xb8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4632, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4633, 8)== ord('\xfe')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4634, 8)== ord('\xfe')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4635, 8)== ord('\xfe')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4636, 8)== ord('\xfe')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4637, 8)== ord('\xfe')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4638, 8)== ord('\xfe')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4639, 8)== ord('\xfe')) condition = Operators.AND(condition, cpu.R8 == 0xfefefefefefefeff) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df463a) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVABS_6_symbolic(self): ''' Instruction MOVABS_6 Groups: 0x7ffff7ddc5df: movabs r8, 0x37ffff1a0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx') mem[0x7ffff7ddc5e0] = '\xb8' mem[0x7ffff7ddc5e1] = '\xa0' mem[0x7ffff7ddc5e2] = '\xf1' mem[0x7ffff7ddc5e3] = '\xff' mem[0x7ffff7ddc5e4] = '\x7f' mem[0x7ffff7ddc5e5] = '\x03' mem[0x7ffff7ddc5e6] = '\x00' mem[0x7ffff7ddc5e7] = '\x00' mem[0x7ffff7ddc5e8] = '\x00' mem[0x7ffff7ddc5df] = 'I' cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x0) cpu.RIP = 0x7ffff7ddc5df done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e0, 8)== ord('\xb8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e1, 8)== ord('\xa0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e2, 8)== ord('\xf1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e4, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e5, 8)== ord('\x03')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5df, 8)== ord('I')) condition = Operators.AND(condition, cpu.R8 == 0x37ffff1a0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddc5e9) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVDQA_1_symbolic(self): ''' Instruction MOVDQA_1 Groups: sse2 0x7ffff7ac0b0b: movdqa xmm4, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0b0b] = 'f' mem[0x7ffff7ac0b0c] = '\x0f' mem[0x7ffff7ac0b0d] = 'o' mem[0x7ffff7ac0b0e] = '\xe0' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x616572635f706374746e6c63000a7325) cpu.RIP = 0x7ffff7ac0b0b cpu.XMM4 = cs.new_bitvec(128) cs.add(cpu.XMM4 == 0xff0000000000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0b, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0c, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0d, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0e, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.XMM0 == 0x616572635f706374746e6c63000a7325) condition = Operators.AND(condition, cpu.XMM4 == 0x616572635f706374746e6c63000a7325) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0b0f) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVDQA_2_symbolic(self): ''' Instruction MOVDQA_2 Groups: sse2 0x457d38: movdqa xmm0, xmm2 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457d38] = 'f' mem[0x457d39] = '\x0f' mem[0x457d3a] = 'o' mem[0x457d3b] = '\xc2' cpu.XMM2 = cs.new_bitvec(128) cs.add(cpu.XMM2 == 0x414d00323d524e54565f474458003267) cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0xff0000) cpu.RIP = 0x457d38 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457d38, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x457d39, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x457d3a, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x457d3b, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.XMM2 == 0x414d00323d524e54565f474458003267) condition = Operators.AND(condition, cpu.XMM0 == 0x414d00323d524e54565f474458003267) condition = Operators.AND(condition, cpu.RIP == 0x457d3c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVDQA_3_symbolic(self): ''' Instruction MOVDQA_3 Groups: sse2 0x457aaf: movdqa xmm5, xmm3 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457ab0] = '\x0f' mem[0x457ab1] = 'o' mem[0x457ab2] = '\xeb' mem[0x457aaf] = 'f' cpu.XMM3 = cs.new_bitvec(128) cs.add(cpu.XMM3 == 0x726f74756365784563696c6f626d7953) cpu.RIP = 0x457aaf cpu.XMM5 = cs.new_bitvec(128) cs.add(cpu.XMM5 == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457ab0, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x457ab1, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x457ab2, 8)== ord('\xeb')) condition = Operators.AND(condition, cpu.read_int(0x457aaf, 8)== ord('f')) condition = Operators.AND(condition, cpu.XMM3 == 0x726f74756365784563696c6f626d7953) condition = Operators.AND(condition, cpu.RIP == 0x457ab3) condition = Operators.AND(condition, cpu.XMM5 == 0x726f74756365784563696c6f626d7953) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVDQA_4_symbolic(self): ''' Instruction MOVDQA_4 Groups: sse2 0x457a08: movdqa xmm2, xmmword ptr [rdi + 0x30] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem.mmap(0x7fffffffe000, 0x1000, 'rwx') mem[0x457a08] = 'f' mem[0x457a09] = '\x0f' mem[0x457a0a] = 'o' mem[0x457a0b] = 'W' mem[0x457a0c] = '0' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe070) value = cs.new_bitvec(8) cs.add(value == 0x44) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe071) value = cs.new_bitvec(8) cs.add(value == 0x47) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe072) value = cs.new_bitvec(8) cs.add(value == 0x5f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe073) value = cs.new_bitvec(8) cs.add(value == 0x56) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe074) value = cs.new_bitvec(8) cs.add(value == 0x54) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe075) value = cs.new_bitvec(8) cs.add(value == 0x4e) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe076) value = cs.new_bitvec(8) cs.add(value == 0x52) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe077) value = cs.new_bitvec(8) cs.add(value == 0x3d) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe078) value = cs.new_bitvec(8) cs.add(value == 0x32) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe079) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe07a) value = cs.new_bitvec(8) cs.add(value == 0x4d) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe07b) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe07c) value = cs.new_bitvec(8) cs.add(value == 0x4e) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe07d) value = cs.new_bitvec(8) cs.add(value == 0x50) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe07e) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe07f) value = cs.new_bitvec(8) cs.add(value == 0x54) mem[addr] = value cpu.XMM2 = cs.new_bitvec(128) cs.add(cpu.XMM2 == 0x0) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffe040) cpu.RIP = 0x457a08 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457a08, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x457a09, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x457a0a, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x457a0b, 8)== ord('W')) condition = Operators.AND(condition, cpu.read_int(0x457a0c, 8)== ord('0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe070, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe071, 8)== ord('G')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe072, 8)== ord('_')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe073, 8)== ord('V')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe074, 8)== ord('T')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe075, 8)== ord('N')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe076, 8)== ord('R')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe077, 8)== ord('=')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe078, 8)== ord('2')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe079, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe07a, 8)== ord('M')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe07b, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe07c, 8)== ord('N')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe07d, 8)== ord('P')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe07e, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe07f, 8)== ord('T')) condition = Operators.AND(condition, cpu.XMM2 == 0x5441504e414d00323d524e54565f4744) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffe040) condition = Operators.AND(condition, cpu.RIP == 0x457a0d) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVDQA_5_symbolic(self): ''' Instruction MOVDQA_5 Groups: sse2 0x457b38: movdqa xmm0, xmm2 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457b38] = 'f' mem[0x457b39] = '\x0f' mem[0x457b3a] = 'o' mem[0x457b3b] = '\xc2' cpu.XMM2 = cs.new_bitvec(128) cs.add(cpu.XMM2 == 0x504e414d00323d524e54565f47445800) cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.RIP = 0x457b38 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457b38, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x457b39, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x457b3a, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x457b3b, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.XMM2 == 0x504e414d00323d524e54565f47445800) condition = Operators.AND(condition, cpu.XMM0 == 0x504e414d00323d524e54565f47445800) condition = Operators.AND(condition, cpu.RIP == 0x457b3c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVDQA_6_symbolic(self): ''' Instruction MOVDQA_6 Groups: sse2 0x7ffff7ac0b0b: movdqa xmm4, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0b0b] = 'f' mem[0x7ffff7ac0b0c] = '\x0f' mem[0x7ffff7ac0b0d] = 'o' mem[0x7ffff7ac0b0e] = '\xe0' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0xcd202730fa0892a58d0000007fffff00) cpu.RIP = 0x7ffff7ac0b0b cpu.XMM4 = cs.new_bitvec(128) cs.add(cpu.XMM4 == 0xffffff000000ff0000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0b, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0c, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0d, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0e, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.XMM0 == 0xcd202730fa0892a58d0000007fffff00) condition = Operators.AND(condition, cpu.XMM4 == 0xcd202730fa0892a58d0000007fffff00) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0b0f) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVDQU_1_symbolic(self): ''' Instruction MOVDQU_1 Groups: sse2 0x6a74d4: movdqu xmm0, xmmword ptr [rsp] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x006a7000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x21) mem[addr] = value mem[0x6a74d6] = 'o' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value mem[0x6a74d7] = '\x04' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x6a74d4] = '\xf3' mem[0x6a74d5] = '\x0f' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x6a74d8] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccba) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbb) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbc) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbd) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbe) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x7fff800000000000002100007fff) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x6a74d4 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x6a74d4, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x6a74d5, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x6a74d6, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x6a74d7, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x6a74d8, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('!')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.XMM0 == 0x7fff800000010000002100007fff) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x6a74d9) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVDQU_2_symbolic(self): ''' Instruction MOVDQU_2 Groups: sse2 0x568fac: movdqu xmm0, xmmword ptr [rsp] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00568000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x568fb0] = '$' mem[0x568fac] = '\xf3' mem[0x568fad] = '\x0f' mem[0x568fae] = 'o' mem[0x568faf] = '\x04' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0x78) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x56) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x34) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x12) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb9) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccba) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbc) value = cs.new_bitvec(8) cs.add(value == 0x78) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbd) value = cs.new_bitvec(8) cs.add(value == 0x56) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbe) value = cs.new_bitvec(8) cs.add(value == 0x34) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbf) value = cs.new_bitvec(8) cs.add(value == 0x12) mem[addr] = value cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x1234567800007fff00007fff12345678) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x568fac done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('x')) condition = Operators.AND(condition, cpu.read_int(0x568fac, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x568fad, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x568fae, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x568faf, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x568fb0, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('V')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('4')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x12')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('x')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('V')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('4')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x12')) condition = Operators.AND(condition, cpu.XMM0 == 0x123456780000800100007fff12345678) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x568fb1) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVDQU_3_symbolic(self): ''' Instruction MOVDQU_3 Groups: sse2 0x6f4c12: movdqu xmm1, xmmword ptr [rsp + 4] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x006f4000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x6f4c12] = '\xf3' mem[0x6f4c13] = '\x0f' mem[0x6f4c14] = 'o' mem[0x6f4c15] = 'L' mem[0x6f4c16] = '$' mem[0x6f4c17] = '\x04' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccba) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbc) value = cs.new_bitvec(8) cs.add(value == 0x21) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbe) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccc0) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccc1) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccc2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccc3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x7fff000000210000002100007fff) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x6f4c12 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x6f4c12, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x6f4c13, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x6f4c14, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x6f4c15, 8)== ord('L')) condition = Operators.AND(condition, cpu.read_int(0x6f4c16, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x6f4c17, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('!')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc0, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc1, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.XMM1 == 0x7fff000000210000002000007fff) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x6f4c18) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVDQU_4_symbolic(self): ''' Instruction MOVDQU_4 Groups: sse2 0x56fa50: movdqu xmm1, xmmword ptr [rsp + 4] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0056f000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x21) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccba) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbc) value = cs.new_bitvec(8) cs.add(value == 0x21) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbd) value = cs.new_bitvec(8) cs.add(value == 0x43) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbe) value = cs.new_bitvec(8) cs.add(value == 0x65) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbf) value = cs.new_bitvec(8) cs.add(value == 0x87) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccc0) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccc1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccc2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccc3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x56fa50] = '\xf3' mem[0x56fa51] = '\x0f' mem[0x56fa52] = 'o' mem[0x56fa53] = 'L' mem[0x56fa54] = '$' mem[0x56fa55] = '\x04' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x20876543218765432100000020) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x56fa50 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('!')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('!')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('C')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('e')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x87')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc0, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x56fa50, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x56fa51, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x56fa52, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x56fa53, 8)== ord('L')) condition = Operators.AND(condition, cpu.read_int(0x56fa54, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x56fa55, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.XMM1 == 0x20876543210000002100000020) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x56fa56) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVDQU_5_symbolic(self): ''' Instruction MOVDQU_5 Groups: sse2 0x606649: movdqu xmm1, xmmword ptr [rsp + 4] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00606000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb9) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccba) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbc) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbd) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbe) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccc0) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccc1) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccc2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccc3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value mem[0x606649] = '\xf3' mem[0x60664a] = '\x0f' mem[0x60664b] = 'o' mem[0x60664c] = 'L' mem[0x60664d] = '$' mem[0x60664e] = '\x04' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0xffffffff0000800100007fffffffffff) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x606649 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc0, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc1, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x606649, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x60664a, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x60664b, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x60664c, 8)== ord('L')) condition = Operators.AND(condition, cpu.read_int(0x60664d, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x60664e, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.XMM1 == 0xffffffff0000800100008001ffffffff) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x60664f) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVDQU_6_symbolic(self): ''' Instruction MOVDQU_6 Groups: sse2 0x6fc91e: movdqu xmm0, xmmword ptr [rsp] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x006fc000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x6fc920] = 'o' mem[0x6fc921] = '\x04' mem[0x6fc922] = '$' mem[0x6fc91f] = '\x0f' mem[0x6fc91e] = '\xf3' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccba) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbb) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbc) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbe) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x40800000008000000100000040) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x6fc91e done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x6fc920, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x6fc921, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x6fc922, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x6fc91e, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x6fc91f, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.XMM0 == 0x40800000018000000100000040) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x6fc923) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVD_1_symbolic(self): ''' Instruction MOVD_1 Groups: sse2 0x7ffff7df4370: movd xmm1, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4370] = 'f' mem[0x7ffff7df4371] = '\x0f' mem[0x7ffff7df4372] = 'n' mem[0x7ffff7df4373] = '\xce' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x24242424242424242424242424242424) cpu.RIP = 0x7ffff7df4370 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x2f) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4370, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4371, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4372, 8)== ord('n')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4373, 8)== ord('\xce')) condition = Operators.AND(condition, cpu.XMM1 == 0x2f) condition = Operators.AND(condition, cpu.ESI == 0x2f) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4374) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVD_2_symbolic(self): ''' Instruction MOVD_2 Groups: sse2 0x7ffff7ab7980: movd xmm1, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx') mem[0x7ffff7ab7980] = 'f' mem[0x7ffff7ab7981] = '\x0f' mem[0x7ffff7ab7982] = 'n' mem[0x7ffff7ab7983] = '\xce' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x24242424242424242424242424242424) cpu.RIP = 0x7ffff7ab7980 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x2f) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7980, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7981, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7982, 8)== ord('n')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7983, 8)== ord('\xce')) condition = Operators.AND(condition, cpu.XMM1 == 0x2f) condition = Operators.AND(condition, cpu.ESI == 0x2f) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab7984) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVD_3_symbolic(self): ''' Instruction MOVD_3 Groups: sse2 0x4578e0: movd xmm1, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x4578e0] = 'f' mem[0x4578e1] = '\x0f' mem[0x4578e2] = 'n' mem[0x4578e3] = '\xce' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x0) cpu.RIP = 0x4578e0 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x2f) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4578e0, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x4578e1, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4578e2, 8)== ord('n')) condition = Operators.AND(condition, cpu.read_int(0x4578e3, 8)== ord('\xce')) condition = Operators.AND(condition, cpu.XMM1 == 0x2f) condition = Operators.AND(condition, cpu.ESI == 0x2f) condition = Operators.AND(condition, cpu.RIP == 0x4578e4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVD_4_symbolic(self): ''' Instruction MOVD_4 Groups: sse2 0x421b10: movd xmm1, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00421000, 0x1000, 'rwx') mem[0x421b10] = 'f' mem[0x421b11] = '\x0f' mem[0x421b12] = 'n' mem[0x421b13] = '\xce' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x25252525252525252525252525252525) cpu.RIP = 0x421b10 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x25) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x421b10, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x421b11, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x421b12, 8)== ord('n')) condition = Operators.AND(condition, cpu.read_int(0x421b13, 8)== ord('\xce')) condition = Operators.AND(condition, cpu.XMM1 == 0x25) condition = Operators.AND(condition, cpu.ESI == 0x25) condition = Operators.AND(condition, cpu.RIP == 0x421b14) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVD_5_symbolic(self): ''' Instruction MOVD_5 Groups: sse2 0x457da0: movd xmm1, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457da0] = 'f' mem[0x457da1] = '\x0f' mem[0x457da2] = 'n' mem[0x457da3] = '\xce' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x0) cpu.RIP = 0x457da0 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x2f) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457da0, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x457da1, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x457da2, 8)== ord('n')) condition = Operators.AND(condition, cpu.read_int(0x457da3, 8)== ord('\xce')) condition = Operators.AND(condition, cpu.XMM1 == 0x2f) condition = Operators.AND(condition, cpu.ESI == 0x2f) condition = Operators.AND(condition, cpu.RIP == 0x457da4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVD_6_symbolic(self): ''' Instruction MOVD_6 Groups: sse2 0x7ffff7ac0ae0: movd xmm1, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0ae0] = 'f' mem[0x7ffff7ac0ae1] = '\x0f' mem[0x7ffff7ac0ae2] = 'n' mem[0x7ffff7ac0ae3] = '\xce' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x25252525252525252525252525252525) cpu.RIP = 0x7ffff7ac0ae0 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x25) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0ae0, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0ae1, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0ae2, 8)== ord('n')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0ae3, 8)== ord('\xce')) condition = Operators.AND(condition, cpu.XMM1 == 0x25) condition = Operators.AND(condition, cpu.ESI == 0x25) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0ae4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVLPD_1_symbolic(self): ''' Instruction MOVLPD_1 Groups: sse2 0x50f61f: movlpd xmm1, qword ptr [rsp] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0050f000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x50f61f] = 'f' mem[0x50f620] = '\x0f' mem[0x50f621] = '\x12' mem[0x50f622] = '\x0c' mem[0x50f623] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x80000000400000008000000040) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x50f61f done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x50f61f, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x50f620, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x50f621, 8)== ord('\x12')) condition = Operators.AND(condition, cpu.read_int(0x50f622, 8)== ord('\x0c')) condition = Operators.AND(condition, cpu.read_int(0x50f623, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.XMM1 == 0x80000000400000008000000040) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x50f624) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVLPD_2_symbolic(self): ''' Instruction MOVLPD_2 Groups: sse2 0x4aa891: movlpd qword ptr [rsp], xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x004aa000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x4aa891] = 'f' mem[0x4aa892] = '\x0f' mem[0x4aa893] = '\x13' mem[0x4aa894] = '\x0c' mem[0x4aa895] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0x21) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x43) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x65) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x87) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x87654321800000000000004087654321) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x4aa891 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4aa891, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x4aa892, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4aa893, 8)== ord('\x13')) condition = Operators.AND(condition, cpu.read_int(0x4aa894, 8)== ord('\x0c')) condition = Operators.AND(condition, cpu.read_int(0x4aa895, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('!')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('C')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('e')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x87')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.XMM1 == 0x87654321800000000000004087654321) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x4aa896) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVLPD_3_symbolic(self): ''' Instruction MOVLPD_3 Groups: sse2 0x4adf87: movlpd qword ptr [rsp], xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x004ad000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x4adf87] = 'f' mem[0x4adf88] = '\x0f' mem[0x4adf89] = '\x13' mem[0x4adf8a] = '\x0c' mem[0x4adf8b] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0xfe) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0xfffffffe8000000180000001fffffffe) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x4adf87 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4adf87, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x4adf88, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4adf89, 8)== ord('\x13')) condition = Operators.AND(condition, cpu.read_int(0x4adf8a, 8)== ord('\x0c')) condition = Operators.AND(condition, cpu.read_int(0x4adf8b, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xfe')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.XMM1 == 0xfffffffe8000000180000001fffffffe) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x4adf8c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVLPD_4_symbolic(self): ''' Instruction MOVLPD_4 Groups: sse2 0x4acf88: movlpd qword ptr [rsp], xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x004ac000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x4acf88] = 'f' mem[0x4acf89] = '\x0f' mem[0x4acf8a] = '\x13' mem[0x4acf8b] = '\x0c' mem[0x4acf8c] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x7fff800000018000000100007fff) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x4acf88 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4acf88, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x4acf89, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4acf8a, 8)== ord('\x13')) condition = Operators.AND(condition, cpu.read_int(0x4acf8b, 8)== ord('\x0c')) condition = Operators.AND(condition, cpu.read_int(0x4acf8c, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.XMM1 == 0x7fff800000018000000100007fff) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x4acf8d) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVLPD_5_symbolic(self): ''' Instruction MOVLPD_5 Groups: sse2 0x50a2c7: movlpd xmm1, qword ptr [rsp] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0050a000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x50a2c7] = 'f' mem[0x50a2c8] = '\x0f' mem[0x50a2c9] = '\x12' mem[0x50a2ca] = '\x0c' mem[0x50a2cb] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x21) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x21000000200000004000000021) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x50a2c7 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x50a2c7, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x50a2c8, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x50a2c9, 8)== ord('\x12')) condition = Operators.AND(condition, cpu.read_int(0x50a2ca, 8)== ord('\x0c')) condition = Operators.AND(condition, cpu.read_int(0x50a2cb, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('!')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.XMM1 == 0x21000000200000002100000020) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x50a2cc) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVLPD_6_symbolic(self): ''' Instruction MOVLPD_6 Groups: sse2 0x4d851b: movlpd qword ptr [rsp], xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x004d8000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x4d851b] = 'f' mem[0x4d851c] = '\x0f' mem[0x4d851d] = '\x13' mem[0x4d851e] = '\x0c' mem[0x4d851f] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x7fff0000008000007fff00007fff) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x4d851b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4d851b, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x4d851c, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4d851d, 8)== ord('\x13')) condition = Operators.AND(condition, cpu.read_int(0x4d851e, 8)== ord('\x0c')) condition = Operators.AND(condition, cpu.read_int(0x4d851f, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.XMM1 == 0x7fff0000008000007fff00007fff) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x4d8520) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSD_1_symbolic(self): ''' Instruction MOVSD_1 Groups: 0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem.mmap(0x55555576e000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba0) value = cs.new_bitvec(8) cs.add(value == 0x10) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba1) value = cs.new_bitvec(8) cs.add(value == 0xdb) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x555555556e3c] = '\xa5' addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e63b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e638) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e639) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e63a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x555555556e3b] = '\xf3' addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e63c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e63d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e63e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e63f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffdba0) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x12) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x55555576e638) cpu.RIP = 0x555555556e3b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e63c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x555555556e3b, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x55555576e638, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e639, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e63a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e63b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x555555556e3c, 8)== ord('\xa5')) condition = Operators.AND(condition, cpu.read_int(0x55555576e63d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e63e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e63f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RCX == 0x11) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdba4) condition = Operators.AND(condition, cpu.RSI == 0x55555576e63c) condition = Operators.AND(condition, cpu.RIP == 0x555555556e3b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSD_2_symbolic(self): ''' Instruction MOVSD_2 Groups: 0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem.mmap(0x55555576e000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e620) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e621) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e622) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e623) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb84) value = cs.new_bitvec(8) cs.add(value == 0x55) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb85) value = cs.new_bitvec(8) cs.add(value == 0x55) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb86) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb87) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb88) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb89) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb8a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb8b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e61c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x555555556e3b] = '\xf3' mem[0x555555556e3c] = '\xa5' addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e61d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e61e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e61f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffdb84) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x19) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x55555576e61c) cpu.RIP = 0x555555556e3b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x55555576e620, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e621, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e622, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e623, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb84, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb85, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb86, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb87, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb88, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb89, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb8a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb8b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x555555556e3c, 8)== ord('\xa5')) condition = Operators.AND(condition, cpu.read_int(0x555555556e3b, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x55555576e61c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e61d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e61e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e61f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RCX == 0x18) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdb88) condition = Operators.AND(condition, cpu.RSI == 0x55555576e620) condition = Operators.AND(condition, cpu.RIP == 0x555555556e3b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSD_3_symbolic(self): ''' Instruction MOVSD_3 Groups: 0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem.mmap(0x55555576e000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x555555556e3b] = '\xf3' addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e64c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e64d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e64e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e64f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e650) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e651) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e652) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e653) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdbb4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdbb5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdbb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdbb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdbb8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdbb9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdbba) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdbbb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x555555556e3c] = '\xa5' cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffdbb4) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0xd) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x55555576e64c) cpu.RIP = 0x555555556e3b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbbb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e64c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e64d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e64e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e64f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e650, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e651, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e652, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e653, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbb4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbb8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbb9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbba, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x555555556e3b, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x555555556e3c, 8)== ord('\xa5')) condition = Operators.AND(condition, cpu.RCX == 0xc) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdbb8) condition = Operators.AND(condition, cpu.RSI == 0x55555576e650) condition = Operators.AND(condition, cpu.RIP == 0x555555556e3b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSD_4_symbolic(self): ''' Instruction MOVSD_4 Groups: 0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem.mmap(0x55555576e000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e640) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e641) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e642) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e643) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e644) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e645) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e646) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e647) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba8) value = cs.new_bitvec(8) cs.add(value == 0x67) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba9) value = cs.new_bitvec(8) cs.add(value == 0xa8) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdbaa) value = cs.new_bitvec(8) cs.add(value == 0xb0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdbab) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdbac) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdbad) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdbae) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdbaf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x555555556e3b] = '\xf3' mem[0x555555556e3c] = '\xa5' cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffdba8) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x10) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x55555576e640) cpu.RIP = 0x555555556e3b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x55555576e640, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e641, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e642, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e643, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e644, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e645, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e646, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e647, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbaa, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbab, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbac, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbad, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbae, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbaf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x555555556e3b, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x555555556e3c, 8)== ord('\xa5')) condition = Operators.AND(condition, cpu.RCX == 0xf) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdbac) condition = Operators.AND(condition, cpu.RSI == 0x55555576e644) condition = Operators.AND(condition, cpu.RIP == 0x555555556e3b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSD_5_symbolic(self): ''' Instruction MOVSD_5 Groups: 0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem.mmap(0x55555576e000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba0) value = cs.new_bitvec(8) cs.add(value == 0x10) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba1) value = cs.new_bitvec(8) cs.add(value == 0xdb) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdba3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb9c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x555555556e3b] = '\xf3' addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e634) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e635) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e636) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e637) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e638) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e639) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e63a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e63b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x555555556e3c] = '\xa5' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb9d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb9e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb9f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffdb9c) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x13) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x55555576e634) cpu.RIP = 0x555555556e3b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba0, 8)== ord('\x10')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba1, 8)== ord('\xdb')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x55555576e63b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x555555556e3c, 8)== ord('\xa5')) condition = Operators.AND(condition, cpu.read_int(0x55555576e634, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e635, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e636, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e637, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e638, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e639, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e63a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x555555556e3b, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RCX == 0x12) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdba0) condition = Operators.AND(condition, cpu.RSI == 0x55555576e638) condition = Operators.AND(condition, cpu.RIP == 0x555555556e3b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSD_6_symbolic(self): ''' Instruction MOVSD_6 Groups: 0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555556000, 0x1000, 'rwx') mem.mmap(0x55555576e000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e604) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e605) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e606) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e607) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e608) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e609) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e60a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x55555576e60b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb6c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb6d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb6e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb6f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb70) value = cs.new_bitvec(8) cs.add(value == 0xe0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb71) value = cs.new_bitvec(8) cs.add(value == 0xdb) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb72) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb73) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value mem[0x555555556e3b] = '\xf3' mem[0x555555556e3c] = '\xa5' cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffdb6c) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x1f) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x55555576e604) cpu.RIP = 0x555555556e3b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x55555576e604, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e605, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e606, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e607, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e608, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e609, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e60a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555576e60b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb70, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb71, 8)== ord('\xdb')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb72, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb73, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x555555556e3b, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x555555556e3c, 8)== ord('\xa5')) condition = Operators.AND(condition, cpu.RCX == 0x1e) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdb70) condition = Operators.AND(condition, cpu.RSI == 0x55555576e608) condition = Operators.AND(condition, cpu.RIP == 0x555555556e3b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSXD_1_symbolic(self): ''' Instruction MOVSXD_1 Groups: 0x466083: movsxd rdi, edi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00466000, 0x1000, 'rwx') mem[0x466083] = 'H' mem[0x466084] = 'c' mem[0x466085] = '\xff' cpu.EDI = cs.new_bitvec(32) cs.add(cpu.EDI == 0x41) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x41) cpu.RIP = 0x466083 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x466083, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x466084, 8)== ord('c')) condition = Operators.AND(condition, cpu.read_int(0x466085, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.EDI == 0x41) condition = Operators.AND(condition, cpu.RDI == 0x41) condition = Operators.AND(condition, cpu.RIP == 0x466086) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSXD_2_symbolic(self): ''' Instruction MOVSXD_2 Groups: 0x7ffff7ddf068: movsxd rdx, dword ptr [r8 + rbx*4] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddf000, 0x1000, 'rwx') mem.mmap(0x7ffff7df5000, 0x1000, 'rwx') mem[0x7ffff7ddf068] = 'I' mem[0x7ffff7ddf069] = 'c' mem[0x7ffff7ddf06a] = '\x14' mem[0x7ffff7ddf06b] = '\x98' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7df5f1c) value = cs.new_bitvec(8) cs.add(value == 0x8f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7df5f1d) value = cs.new_bitvec(8) cs.add(value == 0x91) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7df5f1e) value = cs.new_bitvec(8) cs.add(value == 0xfe) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7df5f1f) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x7ffff7df5f1c) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x2) cpu.RIP = 0x7ffff7ddf068 cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddf068, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddf069, 8)== ord('c')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddf06a, 8)== ord('\x14')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddf06b, 8)== ord('\x98')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df5f1c, 8)== ord('\x8f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df5f1d, 8)== ord('\x91')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df5f1e, 8)== ord('\xfe')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df5f1f, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.R8 == 0x7ffff7df5f1c) condition = Operators.AND(condition, cpu.RDX == 0xfffffffffffe918f) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddf06c) condition = Operators.AND(condition, cpu.RBX == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSXD_3_symbolic(self): ''' Instruction MOVSXD_3 Groups: 0x436902: movsxd rax, dword ptr [rdx + rax*4] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00436000, 0x1000, 'rwx') mem.mmap(0x00494000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x494cf0) value = cs.new_bitvec(8) cs.add(value == 0xa0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x494cf1) value = cs.new_bitvec(8) cs.add(value == 0x1c) mem[addr] = value mem[0x436902] = 'H' mem[0x436903] = 'c' mem[0x436904] = '\x04' mem[0x436905] = '\x82' addr = cs.new_bitvec(64) cs.add(addr == 0x494cf3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x494cf2) value = cs.new_bitvec(8) cs.add(value == 0xfa) mem[addr] = value cpu.RIP = 0x436902 cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x1c) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x494c80) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x494cf0, 8)== ord('\xa0')) condition = Operators.AND(condition, cpu.read_int(0x494cf1, 8)== ord('\x1c')) condition = Operators.AND(condition, cpu.read_int(0x436902, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x436903, 8)== ord('c')) condition = Operators.AND(condition, cpu.read_int(0x436904, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x436905, 8)== ord('\x82')) condition = Operators.AND(condition, cpu.read_int(0x494cf3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x494cf2, 8)== ord('\xfa')) condition = Operators.AND(condition, cpu.RAX == 0xfffffffffffa1ca0) condition = Operators.AND(condition, cpu.RIP == 0x436906) condition = Operators.AND(condition, cpu.RDX == 0x494c80) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSXD_4_symbolic(self): ''' Instruction MOVSXD_4 Groups: 0x7ffff7df214a: movsxd rax, dword ptr [rcx + rax*4] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df2000, 0x1000, 'rwx') mem.mmap(0x7ffff7df6000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7df674f) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7df674c) value = cs.new_bitvec(8) cs.add(value == 0x30) mem[addr] = value mem[0x7ffff7df214a] = 'H' mem[0x7ffff7df214b] = 'c' mem[0x7ffff7df214c] = '\x04' mem[0x7ffff7df214d] = '\x81' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7df674e) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7df674d) value = cs.new_bitvec(8) cs.add(value == 0xbb) mem[addr] = value cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x7ffff7df6740) cpu.RIP = 0x7ffff7df214a cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x3) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df674f, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df214c, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df214a, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df214b, 8)== ord('c')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df674c, 8)== ord('0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df214d, 8)== ord('\x81')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df674e, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df674d, 8)== ord('\xbb')) condition = Operators.AND(condition, cpu.RCX == 0x7ffff7df6740) condition = Operators.AND(condition, cpu.RAX == 0xffffffffffffbb30) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df214e) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSXD_5_symbolic(self): ''' Instruction MOVSXD_5 Groups: 0x436b12: movsxd rax, dword ptr [rdx + rax*4] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00436000, 0x1000, 'rwx') mem.mmap(0x00494000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x494ea0) value = cs.new_bitvec(8) cs.add(value == 0x10) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x494ea1) value = cs.new_bitvec(8) cs.add(value == 0x1d) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x494ea2) value = cs.new_bitvec(8) cs.add(value == 0xfa) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x494ea3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value mem[0x436b14] = '\x04' mem[0x436b15] = '\x82' mem[0x436b13] = 'c' mem[0x436b12] = 'H' cpu.RIP = 0x436b12 cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x8) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x494e80) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x494ea0, 8)== ord('\x10')) condition = Operators.AND(condition, cpu.read_int(0x494ea1, 8)== ord('\x1d')) condition = Operators.AND(condition, cpu.read_int(0x494ea2, 8)== ord('\xfa')) condition = Operators.AND(condition, cpu.read_int(0x494ea3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x436b14, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x436b15, 8)== ord('\x82')) condition = Operators.AND(condition, cpu.read_int(0x436b13, 8)== ord('c')) condition = Operators.AND(condition, cpu.read_int(0x436b12, 8)== ord('H')) condition = Operators.AND(condition, cpu.RAX == 0xfffffffffffa1d10) condition = Operators.AND(condition, cpu.RIP == 0x436b16) condition = Operators.AND(condition, cpu.RDX == 0x494e80) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSXD_6_symbolic(self): ''' Instruction MOVSXD_6 Groups: 0x7ffff7de62e7: movsxd rdx, dword ptr [rax + r12*4] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem.mmap(0x7ffff7df6000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7df6458) value = cs.new_bitvec(8) cs.add(value == 0x78) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7df6459) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value mem[0x7ffff7de62e7] = 'J' mem[0x7ffff7de62e8] = 'c' mem[0x7ffff7de62e9] = '\x14' mem[0x7ffff7de62ea] = '\xa0' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7df645b) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7df645a) value = cs.new_bitvec(8) cs.add(value == 0xfe) mem[addr] = value cpu.RIP = 0x7ffff7de62e7 cpu.R12 = cs.new_bitvec(64) cs.add(cpu.R12 == 0x6) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x7ffff7a32fe0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x7ffff7df6440) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df6458, 8)== ord('x')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df6459, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de62e7, 8)== ord('J')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de62e8, 8)== ord('c')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de62e9, 8)== ord('\x14')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de62ea, 8)== ord('\xa0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df645b, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df645a, 8)== ord('\xfe')) condition = Operators.AND(condition, cpu.RAX == 0x7ffff7df6440) condition = Operators.AND(condition, cpu.R12 == 0x6) condition = Operators.AND(condition, cpu.RDX == 0xfffffffffffeff78) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de62eb) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSX_1_symbolic(self): ''' Instruction MOVSX_1 Groups: 0x7ffff7df1273: movsx edx, byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1273] = '\x0f' mem[0x7ffff7df1274] = '\xbe' mem[0x7ffff7df1275] = '\x17' addr = cs.new_bitvec(64) cs.add(addr == 0x555555554435) value = cs.new_bitvec(8) cs.add(value == 0x2e) mem[addr] = value cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x63) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x555555554435) cpu.RIP = 0x7ffff7df1273 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1273, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1274, 8)== ord('\xbe')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1275, 8)== ord('\x17')) condition = Operators.AND(condition, cpu.read_int(0x555555554435, 8)== ord('.')) condition = Operators.AND(condition, cpu.EDX == 0x2e) condition = Operators.AND(condition, cpu.RDI == 0x555555554435) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1276) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSX_2_symbolic(self): ''' Instruction MOVSX_2 Groups: 0x7ffff7df1273: movsx edx, byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1273] = '\x0f' mem[0x7ffff7df1274] = '\xbe' mem[0x7ffff7df1275] = '\x17' addr = cs.new_bitvec(64) cs.add(addr == 0x55555555444d) value = cs.new_bitvec(8) cs.add(value == 0x2e) mem[addr] = value cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x63) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x55555555444d) cpu.RIP = 0x7ffff7df1273 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1273, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1274, 8)== ord('\xbe')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1275, 8)== ord('\x17')) condition = Operators.AND(condition, cpu.read_int(0x55555555444d, 8)== ord('.')) condition = Operators.AND(condition, cpu.EDX == 0x2e) condition = Operators.AND(condition, cpu.RDI == 0x55555555444d) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1276) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSX_3_symbolic(self): ''' Instruction MOVSX_3 Groups: 0x7ffff7df1260: movsx eax, byte ptr [rsi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem.mmap(0x7ffff7ff2000, 0x1000, 'rwx') mem[0x7ffff7df1260] = '\x0f' mem[0x7ffff7df1261] = '\xbe' mem[0x7ffff7df1262] = '\x06' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ff23b6) value = cs.new_bitvec(8) cs.add(value == 0x6c) mem[addr] = value cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x3c) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7ffff7ff23b6) cpu.RIP = 0x7ffff7df1260 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1260, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1261, 8)== ord('\xbe')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1262, 8)== ord('\x06')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ff23b6, 8)== ord('l')) condition = Operators.AND(condition, cpu.EAX == 0x6c) condition = Operators.AND(condition, cpu.RSI == 0x7ffff7ff23b6) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1263) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSX_4_symbolic(self): ''' Instruction MOVSX_4 Groups: 0x7ffff7df1260: movsx eax, byte ptr [rsi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem.mmap(0x7ffff7fed000, 0x1000, 'rwx') mem[0x7ffff7df1260] = '\x0f' mem[0x7ffff7df1261] = '\xbe' mem[0x7ffff7df1262] = '\x06' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fede8e) value = cs.new_bitvec(8) cs.add(value == 0x69) mem[addr] = value cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x39) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7ffff7fede8e) cpu.RIP = 0x7ffff7df1260 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1260, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1261, 8)== ord('\xbe')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1262, 8)== ord('\x06')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fede8e, 8)== ord('i')) condition = Operators.AND(condition, cpu.EAX == 0x69) condition = Operators.AND(condition, cpu.RSI == 0x7ffff7fede8e) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1263) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSX_5_symbolic(self): ''' Instruction MOVSX_5 Groups: 0x7ffff7df1260: movsx eax, byte ptr [rsi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem.mmap(0x7ffff7fed000, 0x1000, 'rwx') mem[0x7ffff7df1260] = '\x0f' mem[0x7ffff7df1261] = '\xbe' mem[0x7ffff7df1262] = '\x06' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fede8f) value = cs.new_bitvec(8) cs.add(value == 0x62) mem[addr] = value cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x32) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7ffff7fede8f) cpu.RIP = 0x7ffff7df1260 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1260, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1261, 8)== ord('\xbe')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1262, 8)== ord('\x06')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fede8f, 8)== ord('b')) condition = Operators.AND(condition, cpu.EAX == 0x62) condition = Operators.AND(condition, cpu.RSI == 0x7ffff7fede8f) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1263) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVSX_6_symbolic(self): ''' Instruction MOVSX_6 Groups: 0x7ffff7df1273: movsx edx, byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df1274] = '\xbe' mem[0x7ffff7df1273] = '\x0f' addr = cs.new_bitvec(64) cs.add(addr == 0x555555554434) value = cs.new_bitvec(8) cs.add(value == 0x63) mem[addr] = value mem[0x7ffff7df1275] = '\x17' cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x62) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x555555554434) cpu.RIP = 0x7ffff7df1273 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x555555554434, 8)== ord('c')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1273, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1274, 8)== ord('\xbe')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1275, 8)== ord('\x17')) condition = Operators.AND(condition, cpu.EDX == 0x63) condition = Operators.AND(condition, cpu.RDI == 0x555555554434) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1276) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVZX_1_symbolic(self): ''' Instruction MOVZX_1 Groups: 0x7ffff7de3aa3: movzx edx, byte ptr [rcx + 4] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a32000, 0x1000, 'rwx') mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3aa4] = '\xb6' mem[0x7ffff7de3aa3] = '\x0f' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a324bc) value = cs.new_bitvec(8) cs.add(value == 0x11) mem[addr] = value mem[0x7ffff7de3aa5] = 'Q' mem[0x7ffff7de3aa6] = '\x04' cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x6) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x7ffff7a324b8) cpu.RIP = 0x7ffff7de3aa3 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a324bc, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3aa3, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3aa4, 8)== ord('\xb6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3aa5, 8)== ord('Q')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3aa6, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.EDX == 0x11) condition = Operators.AND(condition, cpu.RCX == 0x7ffff7a324b8) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3aa7) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVZX_2_symbolic(self): ''' Instruction MOVZX_2 Groups: 0x7ffff7de4399: movzx edx, byte ptr [rcx] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4399] = '\x0f' mem[0x7ffff7de439a] = '\xb6' mem[0x7ffff7de439b] = '\x11' addr = cs.new_bitvec(64) cs.add(addr == 0x555555554e44) value = cs.new_bitvec(8) cs.add(value == 0x5f) mem[addr] = value cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x6c) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x555555554e44) cpu.RIP = 0x7ffff7de4399 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4399, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de439a, 8)== ord('\xb6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de439b, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.read_int(0x555555554e44, 8)== ord('_')) condition = Operators.AND(condition, cpu.EDX == 0x5f) condition = Operators.AND(condition, cpu.RCX == 0x555555554e44) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de439c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVZX_3_symbolic(self): ''' Instruction MOVZX_3 Groups: 0x400aaa: movzx eax, al ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x400aaa] = '\x0f' mem[0x400aab] = '\xb6' mem[0x400aac] = '\xc0' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x79) cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0x79) cpu.RIP = 0x400aaa done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x400aaa, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x400aab, 8)== ord('\xb6')) condition = Operators.AND(condition, cpu.read_int(0x400aac, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.EAX == 0x79) condition = Operators.AND(condition, cpu.AL == 0x79) condition = Operators.AND(condition, cpu.RIP == 0x400aad) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVZX_4_symbolic(self): ''' Instruction MOVZX_4 Groups: 0x7ffff7b58f18: movzx r10d, word ptr [rdx + 6] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a35000, 0x1000, 'rwx') mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f18] = 'D' mem[0x7ffff7b58f19] = '\x0f' mem[0x7ffff7b58f1a] = '\xb7' mem[0x7ffff7b58f1b] = 'R' mem[0x7ffff7b58f1c] = '\x06' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a3575e) value = cs.new_bitvec(8) cs.add(value == 0xb) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a3575f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x7ffff7a35758) cpu.RIP = 0x7ffff7b58f18 cpu.R10D = cs.new_bitvec(32) cs.add(cpu.R10D == 0x24) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f18, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f19, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f1a, 8)== ord('\xb7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f1b, 8)== ord('R')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f1c, 8)== ord('\x06')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a3575e, 8)== ord('\x0b')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a3575f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RDX == 0x7ffff7a35758) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f1d) condition = Operators.AND(condition, cpu.R10D == 0xb) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVZX_5_symbolic(self): ''' Instruction MOVZX_5 Groups: 0x7ffff7de6219: movzx r9d, r9b ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6219] = 'E' mem[0x7ffff7de621a] = '\x0f' mem[0x7ffff7de621b] = '\xb6' mem[0x7ffff7de621c] = '\xc9' cpu.R9D = cs.new_bitvec(32) cs.add(cpu.R9D == 0xffffff00) cpu.R9B = cs.new_bitvec(8) cs.add(cpu.R9B == 0x0) cpu.RIP = 0x7ffff7de6219 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6219, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de621a, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de621b, 8)== ord('\xb6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de621c, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.R9D == 0x0) condition = Operators.AND(condition, cpu.R9B == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de621d) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOVZX_6_symbolic(self): ''' Instruction MOVZX_6 Groups: 0x7ffff7de3929: movzx ecx, byte ptr [rbp - 0x78] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd808) value = cs.new_bitvec(8) cs.add(value == 0x38) mem[addr] = value mem[0x7ffff7de3929] = '\x0f' mem[0x7ffff7de392a] = '\xb6' mem[0x7ffff7de392b] = 'M' mem[0x7ffff7de392c] = '\x88' cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0x2917737) cpu.RIP = 0x7ffff7de3929 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffd880) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffd808, 8)== ord('8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3929, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de392a, 8)== ord('\xb6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de392b, 8)== ord('M')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de392c, 8)== ord('\x88')) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd880) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de392d) condition = Operators.AND(condition, cpu.ECX == 0x38) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOV_1_symbolic(self): ''' Instruction MOV_1 Groups: 0x737287: mov ebx, 0x40 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00737000, 0x1000, 'rwx') mem[0x737288] = '@' mem[0x737289] = '\x00' mem[0x73728a] = '\x00' mem[0x73728b] = '\x00' mem[0x737287] = '\xbb' cpu.EBX = cs.new_bitvec(32) cs.add(cpu.EBX == 0x40) cpu.RIP = 0x737287 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x737288, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x737289, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x73728a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x73728b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x737287, 8)== ord('\xbb')) condition = Operators.AND(condition, cpu.EBX == 0x40) condition = Operators.AND(condition, cpu.RIP == 0x73728c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOV_2_symbolic(self): ''' Instruction MOV_2 Groups: 0x7ffff7de6121: mov rax, r13 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6121] = 'L' mem[0x7ffff7de6122] = '\x89' mem[0x7ffff7de6123] = '\xe8' cpu.RIP = 0x7ffff7de6121 cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x8) cpu.R13 = cs.new_bitvec(64) cs.add(cpu.R13 == 0x7ffff7a2e000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6121, 8)== ord('L')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6122, 8)== ord('\x89')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6123, 8)== ord('\xe8')) condition = Operators.AND(condition, cpu.RAX == 0x7ffff7a2e000) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6124) condition = Operators.AND(condition, cpu.R13 == 0x7ffff7a2e000) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOV_3_symbolic(self): ''' Instruction MOV_3 Groups: 0x74dced: mov dword ptr [rsp], 0x7fff ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0074d000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x74dced] = '\xc7' mem[0x74dcf0] = '\xff' mem[0x74dcf1] = '\x7f' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x74dcee] = '\x04' mem[0x74dcef] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value mem[0x74dcf2] = '\x00' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x74dcf3] = '\x00' cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x74dced done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x74dced, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x74dcee, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x74dcef, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x74dcf0, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x74dcf1, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x74dcf2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x74dcf3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x74dcf4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOV_4_symbolic(self): ''' Instruction MOV_4 Groups: 0x4b00dc: mov dword ptr [rsp + 4], 0x80 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x004b0000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x4b00dc] = '\xc7' mem[0x4b00dd] = 'D' mem[0x4b00de] = '$' mem[0x4b00df] = '\x04' mem[0x4b00e0] = '\x80' mem[0x4b00e1] = '\x00' mem[0x4b00e2] = '\x00' mem[0x4b00e3] = '\x00' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x4b00dc done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4b00dc, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x4b00dd, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x4b00de, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x4b00df, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x4b00e0, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x4b00e1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x4b00e2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x4b00e3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x4b00e4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOV_5_symbolic(self): ''' Instruction MOV_5 Groups: 0x7776d9: mov dword ptr [rsp + 8], 0x80000000 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00777000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7776d9] = '\xc7' mem[0x7776da] = 'D' mem[0x7776db] = '$' mem[0x7776dc] = '\x08' mem[0x7776dd] = '\x00' mem[0x7776de] = '\x00' mem[0x7776df] = '\x00' mem[0x7776e0] = '\x80' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccba) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x7776d9 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7776d9, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x7776da, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x7776db, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7776dc, 8)== ord('\x08')) condition = Operators.AND(condition, cpu.read_int(0x7776dd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7776de, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7776df, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7776e0, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x7776e1) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MOV_6_symbolic(self): ''' Instruction MOV_6 Groups: 0x4c3b88: mov dword ptr [rsp + 0xc], 0x12345678 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x004c3000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x4c3b88] = '\xc7' mem[0x4c3b89] = 'D' mem[0x4c3b8a] = '$' mem[0x4c3b8b] = '\x0c' mem[0x4c3b8c] = 'x' mem[0x4c3b8d] = 'V' mem[0x4c3b8e] = '4' mem[0x4c3b8f] = '\x12' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbc) value = cs.new_bitvec(8) cs.add(value == 0x78) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbd) value = cs.new_bitvec(8) cs.add(value == 0x56) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbe) value = cs.new_bitvec(8) cs.add(value == 0x34) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbf) value = cs.new_bitvec(8) cs.add(value == 0x12) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x4c3b88 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4c3b88, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x4c3b89, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x4c3b8a, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x4c3b8b, 8)== ord('\x0c')) condition = Operators.AND(condition, cpu.read_int(0x4c3b8c, 8)== ord('x')) condition = Operators.AND(condition, cpu.read_int(0x4c3b8d, 8)== ord('V')) condition = Operators.AND(condition, cpu.read_int(0x4c3b8e, 8)== ord('4')) condition = Operators.AND(condition, cpu.read_int(0x4c3b8f, 8)== ord('\x12')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('x')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('V')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('4')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x12')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x4c3b90) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MUL_1_symbolic(self): ''' Instruction MUL_1 Groups: 0x7ffff7de253f: mul rdx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de2000, 0x1000, 'rwx') mem[0x7ffff7de2540] = '\xf7' mem[0x7ffff7de2541] = '\xe2' mem[0x7ffff7de253f] = 'H' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RIP = 0x7ffff7de253f cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x5f) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0xcccccccccccccccd) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de2540, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de2541, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de253f, 8)== ord('H')) condition = Operators.AND(condition, cpu.OF == True) condition = Operators.AND(condition, cpu.RAX == 0x13) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de2542) condition = Operators.AND(condition, cpu.RDX == 0x4c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MUL_2_symbolic(self): ''' Instruction MUL_2 Groups: 0x7ffff7de253f: mul rdx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de2000, 0x1000, 'rwx') mem[0x7ffff7de2540] = '\xf7' mem[0x7ffff7de2541] = '\xe2' mem[0x7ffff7de253f] = 'H' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RIP = 0x7ffff7de253f cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x5f) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0xcccccccccccccccd) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de2540, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de2541, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de253f, 8)== ord('H')) condition = Operators.AND(condition, cpu.OF == True) condition = Operators.AND(condition, cpu.RAX == 0x13) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de2542) condition = Operators.AND(condition, cpu.RDX == 0x4c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MUL_3_symbolic(self): ''' Instruction MUL_3 Groups: 0x7ffff7de253f: mul rdx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de2000, 0x1000, 'rwx') mem[0x7ffff7de2540] = '\xf7' mem[0x7ffff7de2541] = '\xe2' mem[0x7ffff7de253f] = 'H' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RIP = 0x7ffff7de253f cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x5f) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0xcccccccccccccccd) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de2540, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de2541, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de253f, 8)== ord('H')) condition = Operators.AND(condition, cpu.OF == True) condition = Operators.AND(condition, cpu.RAX == 0x13) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de2542) condition = Operators.AND(condition, cpu.RDX == 0x4c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MUL_4_symbolic(self): ''' Instruction MUL_4 Groups: 0x45f865: mul rdx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0045f000, 0x1000, 'rwx') mem[0x45f865] = 'H' mem[0x45f866] = '\xf7' mem[0x45f867] = '\xe2' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RIP = 0x45f865 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x57) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0xcccccccccccccccd) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x45f865, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x45f866, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x45f867, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.OF == True) condition = Operators.AND(condition, cpu.RAX == 0x99999999999999ab) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x45f868) condition = Operators.AND(condition, cpu.RDX == 0x45) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MUL_5_symbolic(self): ''' Instruction MUL_5 Groups: 0x4624e5: mul rdx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00462000, 0x1000, 'rwx') mem[0x4624e5] = 'H' mem[0x4624e6] = '\xf7' mem[0x4624e7] = '\xe2' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RIP = 0x4624e5 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x57) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0xcccccccccccccccd) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4624e5, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x4624e6, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x4624e7, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.OF == True) condition = Operators.AND(condition, cpu.RAX == 0x99999999999999ab) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x4624e8) condition = Operators.AND(condition, cpu.RDX == 0x45) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_MUL_6_symbolic(self): ''' Instruction MUL_6 Groups: 0x443dc7: mul r9 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00443000, 0x1000, 'rwx') mem[0x443dc8] = '\xf7' mem[0x443dc9] = '\xe1' mem[0x443dc7] = 'I' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.R9 = cs.new_bitvec(64) cs.add(cpu.R9 == 0xcccccccccccccccd) cpu.RIP = 0x443dc7 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0xa) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x3) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x443dc8, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x443dc9, 8)== ord('\xe1')) condition = Operators.AND(condition, cpu.read_int(0x443dc7, 8)== ord('I')) condition = Operators.AND(condition, cpu.RDX == 0x2) condition = Operators.AND(condition, cpu.OF == True) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x443dca) condition = Operators.AND(condition, cpu.R9 == 0xcccccccccccccccd) condition = Operators.AND(condition, cpu.RAX == 0x6666666666666667) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_NEG_1_symbolic(self): ''' Instruction NEG_1 Groups: 0x7ffff7df27cf: neg rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df2000, 0x1000, 'rwx') mem[0x7ffff7df27d0] = '\xf7' mem[0x7ffff7df27d1] = '\xd8' mem[0x7ffff7df27cf] = 'H' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x7ffff7ffeb78) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x7ffff7df27cf cpu.SF = cs.new_bool() cs.add(cpu.SF == True) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27d0, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27d1, 8)== ord('\xd8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27cf, 8)== ord('H')) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RAX == 0xffff800008001488) condition = Operators.AND(condition, cpu.AF == True) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df27d2) condition = Operators.AND(condition, cpu.SF == True) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_NEG_2_symbolic(self): ''' Instruction NEG_2 Groups: 0x7ffff7de5c54: neg rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem[0x7ffff7de5c54] = 'H' mem[0x7ffff7de5c55] = '\xf7' mem[0x7ffff7de5c56] = '\xd8' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x1000) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de5c54 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5c54, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5c55, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5c56, 8)== ord('\xd8')) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RAX == 0xfffffffffffff000) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de5c57) condition = Operators.AND(condition, cpu.SF == True) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_NEG_3_symbolic(self): ''' Instruction NEG_3 Groups: 0x40baad: neg eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0040b000, 0x1000, 'rwx') mem[0x40baad] = '\xf7' mem[0x40baae] = '\xd8' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x0) cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x40baad cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x40baad, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x40baae, 8)== ord('\xd8')) condition = Operators.AND(condition, cpu.EAX == 0x0) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x40baaf) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_NEG_4_symbolic(self): ''' Instruction NEG_4 Groups: 0x7ffff7df27b6: neg rdi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df2000, 0x1000, 'rwx') mem[0x7ffff7df27b8] = '\xdf' mem[0x7ffff7df27b6] = 'H' mem[0x7ffff7df27b7] = '\xf7' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x8) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7df27b6 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27b8, 8)== ord('\xdf')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27b6, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27b7, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.AF == True) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RDI == 0xfffffffffffffff8) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df27b9) condition = Operators.AND(condition, cpu.SF == True) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_NEG_5_symbolic(self): ''' Instruction NEG_5 Groups: 0x411176: neg r10 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00411000, 0x1000, 'rwx') mem[0x411178] = '\xda' mem[0x411176] = 'I' mem[0x411177] = '\xf7' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.R10 = cs.new_bitvec(64) cs.add(cpu.R10 == 0x1000) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x411176 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x411178, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x411176, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x411177, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.R10 == 0xfffffffffffff000) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x411179) condition = Operators.AND(condition, cpu.SF == True) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_NEG_6_symbolic(self): ''' Instruction NEG_6 Groups: 0x7ffff7df27b6: neg rdi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df2000, 0x1000, 'rwx') mem[0x7ffff7df27b8] = '\xdf' mem[0x7ffff7df27b6] = 'H' mem[0x7ffff7df27b7] = '\xf7' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x8) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7df27b6 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27b8, 8)== ord('\xdf')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27b6, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27b7, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.AF == True) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RDI == 0xfffffffffffffff8) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df27b9) condition = Operators.AND(condition, cpu.SF == True) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_NOT_1_symbolic(self): ''' Instruction NOT_1 Groups: 0x7ffff7df144a: not rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df1000, 0x1000, 'rwx') mem[0x7ffff7df144a] = 'H' mem[0x7ffff7df144b] = '\xf7' mem[0x7ffff7df144c] = '\xd0' cpu.RIP = 0x7ffff7df144a cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x8000000000000000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df144a, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df144b, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df144c, 8)== ord('\xd0')) condition = Operators.AND(condition, cpu.RAX == 0x7fffffffffffffff) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df144d) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_NOT_2_symbolic(self): ''' Instruction NOT_2 Groups: 0x4008f7: not esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00400000, 0x1000, 'rwx') mem[0x4008f8] = '\xd6' mem[0x4008f7] = '\xf7' cpu.RIP = 0x4008f7 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0xfffffff0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4008f8, 8)== ord('\xd6')) condition = Operators.AND(condition, cpu.read_int(0x4008f7, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.ESI == 0xf) condition = Operators.AND(condition, cpu.RIP == 0x4008f9) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_NOT_3_symbolic(self): ''' Instruction NOT_3 Groups: 0x7ffff7a78242: not rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem[0x7ffff7a78242] = 'H' mem[0x7ffff7a78243] = '\xf7' mem[0x7ffff7a78244] = '\xd0' cpu.RIP = 0x7ffff7a78242 cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0xfffffffffffffffc) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78242, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78243, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78244, 8)== ord('\xd0')) condition = Operators.AND(condition, cpu.RAX == 0x3) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a78245) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_NOT_4_symbolic(self): ''' Instruction NOT_4 Groups: 0x7ffff7de5765: not r10 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem[0x7ffff7de5765] = 'I' mem[0x7ffff7de5766] = '\xf7' mem[0x7ffff7de5767] = '\xd2' cpu.RIP = 0x7ffff7de5765 cpu.R10 = cs.new_bitvec(64) cs.add(cpu.R10 == 0xffffffffffffffff) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5765, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5766, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5767, 8)== ord('\xd2')) condition = Operators.AND(condition, cpu.R10 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de5768) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_NOT_5_symbolic(self): ''' Instruction NOT_5 Groups: 0x7ffff7de5765: not r10 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem[0x7ffff7de5765] = 'I' mem[0x7ffff7de5766] = '\xf7' mem[0x7ffff7de5767] = '\xd2' cpu.RIP = 0x7ffff7de5765 cpu.R10 = cs.new_bitvec(64) cs.add(cpu.R10 == 0xffffffffffffffff) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5765, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5766, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5767, 8)== ord('\xd2')) condition = Operators.AND(condition, cpu.R10 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de5768) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_NOT_6_symbolic(self): ''' Instruction NOT_6 Groups: 0x7ffff7de5765: not r10 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem[0x7ffff7de5765] = 'I' mem[0x7ffff7de5766] = '\xf7' mem[0x7ffff7de5767] = '\xd2' cpu.RIP = 0x7ffff7de5765 cpu.R10 = cs.new_bitvec(64) cs.add(cpu.R10 == 0xffffffffffffffff) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5765, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5766, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5767, 8)== ord('\xd2')) condition = Operators.AND(condition, cpu.R10 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de5768) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_OR_1_symbolic(self): ''' Instruction OR_1 Groups: 0x7ffff7de6235: or r9d, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6235] = 'A' mem[0x7ffff7de6236] = '\t' mem[0x7ffff7de6237] = '\xc1' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x0) cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6235 cpu.R9D = cs.new_bitvec(32) cs.add(cpu.R9D == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6235, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6236, 8)== ord('\t')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6237, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.EAX == 0x0) condition = Operators.AND(condition, cpu.R9D == 0x0) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6238) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_OR_2_symbolic(self): ''' Instruction OR_2 Groups: 0x7ffff7de4344: or qword ptr [rsp], 0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7ffff7de4344] = 'H' mem[0x7ffff7de4345] = '\x83' mem[0x7ffff7de4346] = '\x0c' mem[0x7ffff7de4347] = '$' mem[0x7ffff7de4348] = '\x00' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc920) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc921) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc922) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc923) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc924) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc925) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc926) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc927) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de4344 cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffc920) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4344, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4345, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4346, 8)== ord('\x0c')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4347, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4348, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc920, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc921, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc922, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc923, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc924, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc925, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc926, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc927, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4349) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffc920) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_OR_3_symbolic(self): ''' Instruction OR_3 Groups: 0x7ffff7de3814: or qword ptr [rsp], 0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7ffff7de3816] = '\x0c' mem[0x7ffff7de3817] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc790) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc791) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc792) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc793) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7de3814] = 'H' mem[0x7ffff7de3815] = '\x83' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc796) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc797) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7de3818] = '\x00' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc794) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc795) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de3814 cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffc790) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffc796, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc797, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc790, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc791, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc792, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc793, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3814, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3815, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3816, 8)== ord('\x0c')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3817, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3818, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc794, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc795, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3819) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffc790) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_OR_4_symbolic(self): ''' Instruction OR_4 Groups: 0x7ffff7de3814: or qword ptr [rsp], 0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x7ffff7de3816] = '\x0c' mem[0x7ffff7de3817] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc790) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc791) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc792) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc793) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7de3814] = 'H' mem[0x7ffff7de3815] = '\x83' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc796) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc797) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7de3818] = '\x00' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc794) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc795) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de3814 cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffc790) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffc796, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc797, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc790, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc791, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc792, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc793, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3814, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3815, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3816, 8)== ord('\x0c')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3817, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3818, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc794, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc795, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3819) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffc790) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_OR_5_symbolic(self): ''' Instruction OR_5 Groups: 0x40a38c: or qword ptr [rsp], 0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0040a000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcb00) value = cs.new_bitvec(8) cs.add(value == 0x2f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcb01) value = cs.new_bitvec(8) cs.add(value == 0x68) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcb02) value = cs.new_bitvec(8) cs.add(value == 0x6f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcb03) value = cs.new_bitvec(8) cs.add(value == 0x6d) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcb04) value = cs.new_bitvec(8) cs.add(value == 0x65) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcb05) value = cs.new_bitvec(8) cs.add(value == 0x2f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcb06) value = cs.new_bitvec(8) cs.add(value == 0x66) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcb07) value = cs.new_bitvec(8) cs.add(value == 0x65) mem[addr] = value mem[0x40a38c] = 'H' mem[0x40a38d] = '\x83' mem[0x40a38e] = '\x0c' mem[0x40a38f] = '$' mem[0x40a390] = '\x00' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x40a38c cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffcb00) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb00, 8)== ord('/')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb01, 8)== ord('h')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb02, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb03, 8)== ord('m')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb04, 8)== ord('e')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb05, 8)== ord('/')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb06, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb07, 8)== ord('e')) condition = Operators.AND(condition, cpu.read_int(0x40a38c, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x40a38d, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x40a38e, 8)== ord('\x0c')) condition = Operators.AND(condition, cpu.read_int(0x40a38f, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x40a390, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x40a391) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffcb00) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_OR_6_symbolic(self): ''' Instruction OR_6 Groups: 0x7ffff7de6212: or r9d, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6212] = 'A' mem[0x7ffff7de6213] = '\t' mem[0x7ffff7de6214] = '\xc1' cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0xffffff00) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x7ffff7de6212 cpu.R9D = cs.new_bitvec(32) cs.add(cpu.R9D == 0xf7ff7600) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6212, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6213, 8)== ord('\t')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6214, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.EAX == 0xffffff00) condition = Operators.AND(condition, cpu.R9D == 0xffffff00) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6215) condition = Operators.AND(condition, cpu.SF == True) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PCMPEQB_1_symbolic(self): ''' Instruction PCMPEQB_1 Groups: sse2 0x457e12: pcmpeqb xmm5, xmm2 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457e12] = 'f' mem[0x457e13] = '\x0f' mem[0x457e14] = 't' mem[0x457e15] = '\xea' cpu.XMM2 = cs.new_bitvec(128) cs.add(cpu.XMM2 == 0x0) cpu.RIP = 0x457e12 cpu.XMM5 = cs.new_bitvec(128) cs.add(cpu.XMM5 == 0x2f65726f6369746e614d2f737463656a) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457e12, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x457e13, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x457e14, 8)== ord('t')) condition = Operators.AND(condition, cpu.read_int(0x457e15, 8)== ord('\xea')) condition = Operators.AND(condition, cpu.XMM2 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x457e16) condition = Operators.AND(condition, cpu.XMM5 == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PCMPEQB_2_symbolic(self): ''' Instruction PCMPEQB_2 Groups: sse2 0x4184bf: pcmpeqb xmm12, xmm8 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x4184c0] = 'E' mem[0x4184c1] = '\x0f' mem[0x4184c2] = 't' mem[0x4184c3] = '\xe0' mem[0x4184bf] = 'f' cpu.XMM12 = cs.new_bitvec(128) cs.add(cpu.XMM12 == 0x6e696874796e61206f642074276e6f44) cpu.XMM8 = cs.new_bitvec(128) cs.add(cpu.XMM8 == 0x0) cpu.RIP = 0x4184bf done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4184c0, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x4184c1, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4184c2, 8)== ord('t')) condition = Operators.AND(condition, cpu.read_int(0x4184c3, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.read_int(0x4184bf, 8)== ord('f')) condition = Operators.AND(condition, cpu.XMM12 == 0x0) condition = Operators.AND(condition, cpu.XMM8 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4184c4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PCMPEQB_3_symbolic(self): ''' Instruction PCMPEQB_3 Groups: sse2 0x457a26: pcmpeqb xmm0, xmm7 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457a28] = 't' mem[0x457a29] = '\xc7' mem[0x457a26] = 'f' mem[0x457a27] = '\x0f' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x5400324e2f2f00313d524e00455f4744) cpu.XMM7 = cs.new_bitvec(128) cs.add(cpu.XMM7 == 0x0) cpu.RIP = 0x457a26 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457a28, 8)== ord('t')) condition = Operators.AND(condition, cpu.read_int(0x457a29, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x457a26, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x457a27, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.XMM0 == 0xff00000000ff00000000ff00000000) condition = Operators.AND(condition, cpu.XMM7 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x457a2a) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PCMPEQB_4_symbolic(self): ''' Instruction PCMPEQB_4 Groups: sse2 0x4579e8: pcmpeqb xmm0, xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x4579e8] = 'f' mem[0x4579e9] = '\x0f' mem[0x4579ea] = 't' mem[0x4579eb] = '\xc1' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x2f78756e696c2f73656c706d6178652f) cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f) cpu.RIP = 0x4579e8 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4579e8, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x4579e9, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4579ea, 8)== ord('t')) condition = Operators.AND(condition, cpu.read_int(0x4579eb, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.XMM0 == 0xff0000000000ff0000000000000000ff) condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f) condition = Operators.AND(condition, cpu.RIP == 0x4579ec) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PCMPEQB_5_symbolic(self): ''' Instruction PCMPEQB_5 Groups: sse2 0x7ffff7ab7ac6: pcmpeqb xmm0, xmm7 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx') mem[0x7ffff7ab7ac8] = 't' mem[0x7ffff7ab7ac9] = '\xc7' mem[0x7ffff7ab7ac6] = 'f' mem[0x7ffff7ab7ac7] = '\x0f' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x322f2f4d00313d522f00565f474458) cpu.XMM7 = cs.new_bitvec(128) cs.add(cpu.XMM7 == 0x0) cpu.RIP = 0x7ffff7ab7ac6 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7ac8, 8)== ord('t')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7ac9, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7ac6, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7ac7, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.XMM0 == 0xff00000000ff00000000ff0000000000) condition = Operators.AND(condition, cpu.XMM7 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab7aca) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PCMPEQB_6_symbolic(self): ''' Instruction PCMPEQB_6 Groups: sse2 0x7ffff7ab79b1: pcmpeqb xmm0, xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx') mem[0x7ffff7ab79b1] = 'f' mem[0x7ffff7ab79b2] = '\x0f' mem[0x7ffff7ab79b3] = 't' mem[0x7ffff7ab79b4] = '\xc1' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x6f72502f6570696c65662f656d6f682f) cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f) cpu.RIP = 0x7ffff7ab79b1 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab79b1, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab79b2, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab79b3, 8)== ord('t')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab79b4, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.XMM0 == 0xff000000000000ff00000000ff) condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab79b5) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PMINUB_1_symbolic(self): ''' Instruction PMINUB_1 Groups: sse2 0x41b15f: pminub xmm8, xmmword ptr [rax + 0x10] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0041b000, 0x1000, 'rwx') mem.mmap(0x00494000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x494290) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x494291) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x494292) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x494293) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x494294) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x494295) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x494296) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x494297) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x494298) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x494299) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49429a) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49429b) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49429c) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49429d) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49429e) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x49429f) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value mem[0x41b15f] = 'f' mem[0x41b160] = 'D' mem[0x41b161] = '\x0f' mem[0x41b162] = '\xda' mem[0x41b163] = '@' mem[0x41b164] = '\x10' cpu.XMM8 = cs.new_bitvec(128) cs.add(cpu.XMM8 == 0x5f5f5f5f5f200a2e646574726f706572) cpu.RIP = 0x41b15f cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x494280) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x494290, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x494291, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x494292, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x494293, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x494294, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x494295, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x494296, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x494297, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x494298, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x494299, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x49429a, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x49429b, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x49429c, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x49429d, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x49429e, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x49429f, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x41b15f, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x41b160, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x41b161, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x41b162, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x41b163, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x41b164, 8)== ord('\x10')) condition = Operators.AND(condition, cpu.XMM8 == 0x2020202020200a202020202020202020) condition = Operators.AND(condition, cpu.RAX == 0x494280) condition = Operators.AND(condition, cpu.RIP == 0x41b165) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PMINUB_2_symbolic(self): ''' Instruction PMINUB_2 Groups: sse2 0x41b142: pminub xmm8, xmmword ptr [rax + 0x70] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0041b000, 0x1000, 'rwx') mem.mmap(0x00494000, 0x1000, 'rwx') mem[0x41b142] = 'f' mem[0x41b143] = 'D' mem[0x41b144] = '\x0f' mem[0x41b145] = '\xda' mem[0x41b146] = '@' mem[0x41b147] = 'p' addr = cs.new_bitvec(64) cs.add(addr == 0x4942f0) value = cs.new_bitvec(8) cs.add(value == 0x5f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942f1) value = cs.new_bitvec(8) cs.add(value == 0x5f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942f2) value = cs.new_bitvec(8) cs.add(value == 0x5f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942f3) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942f4) value = cs.new_bitvec(8) cs.add(value == 0x5f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942f5) value = cs.new_bitvec(8) cs.add(value == 0x5f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942f6) value = cs.new_bitvec(8) cs.add(value == 0x5f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942f7) value = cs.new_bitvec(8) cs.add(value == 0x5f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942f8) value = cs.new_bitvec(8) cs.add(value == 0x5f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942f9) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942fa) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942fb) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942fc) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942fd) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942fe) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4942ff) value = cs.new_bitvec(8) cs.add(value == 0x5f) mem[addr] = value cpu.XMM8 = cs.new_bitvec(128) cs.add(cpu.XMM8 == 0x2020202020202020202020200a202020) cpu.RIP = 0x41b142 cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x494280) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x41b142, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x41b143, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x41b144, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x41b145, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x41b146, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x41b147, 8)== ord('p')) condition = Operators.AND(condition, cpu.read_int(0x4942f0, 8)== ord('_')) condition = Operators.AND(condition, cpu.read_int(0x4942f1, 8)== ord('_')) condition = Operators.AND(condition, cpu.read_int(0x4942f2, 8)== ord('_')) condition = Operators.AND(condition, cpu.read_int(0x4942f3, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x4942f4, 8)== ord('_')) condition = Operators.AND(condition, cpu.read_int(0x4942f5, 8)== ord('_')) condition = Operators.AND(condition, cpu.read_int(0x4942f6, 8)== ord('_')) condition = Operators.AND(condition, cpu.read_int(0x4942f7, 8)== ord('_')) condition = Operators.AND(condition, cpu.read_int(0x4942f8, 8)== ord('_')) condition = Operators.AND(condition, cpu.read_int(0x4942f9, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x4942fa, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x4942fb, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x4942fc, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x4942fd, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x4942fe, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x4942ff, 8)== ord('_')) condition = Operators.AND(condition, cpu.XMM8 == 0x2020202020202020202020200a202020) condition = Operators.AND(condition, cpu.RAX == 0x494280) condition = Operators.AND(condition, cpu.RIP == 0x41b148) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PMINUB_3_symbolic(self): ''' Instruction PMINUB_3 Groups: sse2 0x457af6: pminub xmm0, xmm2 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457af8] = '\xda' mem[0x457af9] = '\xc2' mem[0x457af6] = 'f' mem[0x457af7] = '\x0f' cpu.XMM2 = cs.new_bitvec(128) cs.add(cpu.XMM2 == 0x504e414d00323d524e54565f47445800) cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x32677261003167726100706d636e7274) cpu.RIP = 0x457af6 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457af8, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x457af9, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.read_int(0x457af6, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x457af7, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.XMM2 == 0x504e414d00323d524e54565f47445800) condition = Operators.AND(condition, cpu.XMM0 == 0x324e414d00313d524e00565f47445800) condition = Operators.AND(condition, cpu.RIP == 0x457afa) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PMINUB_4_symbolic(self): ''' Instruction PMINUB_4 Groups: sse2 0x41b13c: pminub xmm8, xmmword ptr [rax + 0x60] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0041b000, 0x1000, 'rwx') mem.mmap(0x00494000, 0x1000, 'rwx') mem[0x41b13c] = 'f' mem[0x41b13d] = 'D' mem[0x41b13e] = '\x0f' mem[0x41b13f] = '\xda' mem[0x41b140] = '@' mem[0x41b141] = '`' addr = cs.new_bitvec(64) cs.add(addr == 0x4941e0) value = cs.new_bitvec(8) cs.add(value == 0x68) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941e1) value = cs.new_bitvec(8) cs.add(value == 0x65) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941e2) value = cs.new_bitvec(8) cs.add(value == 0x63) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941e3) value = cs.new_bitvec(8) cs.add(value == 0x6b) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941e4) value = cs.new_bitvec(8) cs.add(value == 0x65) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941e5) value = cs.new_bitvec(8) cs.add(value == 0x64) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941e6) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941e7) value = cs.new_bitvec(8) cs.add(value == 0x62) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941e8) value = cs.new_bitvec(8) cs.add(value == 0x79) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941e9) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941ea) value = cs.new_bitvec(8) cs.add(value == 0x73) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941eb) value = cs.new_bitvec(8) cs.add(value == 0x79) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941ec) value = cs.new_bitvec(8) cs.add(value == 0x73) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941ed) value = cs.new_bitvec(8) cs.add(value == 0x74) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941ee) value = cs.new_bitvec(8) cs.add(value == 0x65) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x4941ef) value = cs.new_bitvec(8) cs.add(value == 0x6d) mem[addr] = value cpu.XMM8 = cs.new_bitvec(128) cs.add(cpu.XMM8 == 0x632067676f6120736720720a646e6120) cpu.RIP = 0x41b13c cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x494180) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x41b13c, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x41b13d, 8)== ord('D')) condition = Operators.AND(condition, cpu.read_int(0x41b13e, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x41b13f, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x41b140, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x41b141, 8)== ord('`')) condition = Operators.AND(condition, cpu.read_int(0x4941e0, 8)== ord('h')) condition = Operators.AND(condition, cpu.read_int(0x4941e1, 8)== ord('e')) condition = Operators.AND(condition, cpu.read_int(0x4941e2, 8)== ord('c')) condition = Operators.AND(condition, cpu.read_int(0x4941e3, 8)== ord('k')) condition = Operators.AND(condition, cpu.read_int(0x4941e4, 8)== ord('e')) condition = Operators.AND(condition, cpu.read_int(0x4941e5, 8)== ord('d')) condition = Operators.AND(condition, cpu.read_int(0x4941e6, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x4941e7, 8)== ord('b')) condition = Operators.AND(condition, cpu.read_int(0x4941e8, 8)== ord('y')) condition = Operators.AND(condition, cpu.read_int(0x4941e9, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x4941ea, 8)== ord('s')) condition = Operators.AND(condition, cpu.read_int(0x4941eb, 8)== ord('y')) condition = Operators.AND(condition, cpu.read_int(0x4941ec, 8)== ord('s')) condition = Operators.AND(condition, cpu.read_int(0x4941ed, 8)== ord('t')) condition = Operators.AND(condition, cpu.read_int(0x4941ee, 8)== ord('e')) condition = Operators.AND(condition, cpu.read_int(0x4941ef, 8)== ord('m')) condition = Operators.AND(condition, cpu.XMM8 == 0x632067676f6120736220640a64636120) condition = Operators.AND(condition, cpu.RAX == 0x494180) condition = Operators.AND(condition, cpu.RIP == 0x41b142) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PMINUB_5_symbolic(self): ''' Instruction PMINUB_5 Groups: sse2 0x457ee2: pminub xmm0, xmm5 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457ee2] = 'f' mem[0x457ee3] = '\x0f' mem[0x457ee4] = '\xda' mem[0x457ee5] = '\xc5' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x4d00313d524e00565f472f2f00326763) cpu.RIP = 0x457ee2 cpu.XMM5 = cs.new_bitvec(128) cs.add(cpu.XMM5 == 0x65784563696c6f626d79532f65726f63) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457ee2, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x457ee3, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x457ee4, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x457ee5, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.XMM0 == 0x4d00313d524e00565f472f2f00326763) condition = Operators.AND(condition, cpu.RIP == 0x457ee6) condition = Operators.AND(condition, cpu.XMM5 == 0x65784563696c6f626d79532f65726f63) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PMINUB_6_symbolic(self): ''' Instruction PMINUB_6 Groups: sse2 0x7ffff7ab7abe: pminub xmm0, xmm4 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx') mem[0x7ffff7ab7ac0] = '\xda' mem[0x7ffff7ab7ac1] = '\xc4' mem[0x7ffff7ab7abe] = 'f' mem[0x7ffff7ab7abf] = '\x0f' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x324e414d00313d524e00565f474458) cpu.RIP = 0x7ffff7ab7abe cpu.XMM4 = cs.new_bitvec(128) cs.add(cpu.XMM4 == 0x7274732f78756e696c2f73656c706d61) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7ac0, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7ac1, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7abe, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7abf, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.XMM0 == 0x324e2f4d00313d522f00565f474458) condition = Operators.AND(condition, cpu.XMM4 == 0x7274732f78756e696c2f73656c706d61) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab7ac2) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PMOVMSKB_1_symbolic(self): ''' Instruction PMOVMSKB_1 Groups: sse2 0x4184f1: pmovmskb ecx, xmm11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x4184f1] = 'f' mem[0x4184f2] = 'A' mem[0x4184f3] = '\x0f' mem[0x4184f4] = '\xd7' mem[0x4184f5] = '\xcb' cpu.XMM11 = cs.new_bitvec(128) cs.add(cpu.XMM11 == 0x0) cpu.RIP = 0x4184f1 cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0x10e) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4184f1, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x4184f2, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x4184f3, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4184f4, 8)== ord('\xd7')) condition = Operators.AND(condition, cpu.read_int(0x4184f5, 8)== ord('\xcb')) condition = Operators.AND(condition, cpu.XMM11 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4184f6) condition = Operators.AND(condition, cpu.ECX == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PMOVMSKB_2_symbolic(self): ''' Instruction PMOVMSKB_2 Groups: sse2 0x457d6e: pmovmskb r10d, xmm3 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457d70] = '\x0f' mem[0x457d71] = '\xd7' mem[0x457d72] = '\xd3' mem[0x457d6e] = 'f' mem[0x457d6f] = 'D' cpu.XMM3 = cs.new_bitvec(128) cs.add(cpu.XMM3 == 0xff00000000ff0000000000000000) cpu.RIP = 0x457d6e cpu.R10D = cs.new_bitvec(32) cs.add(cpu.R10D == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457d70, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x457d71, 8)== ord('\xd7')) condition = Operators.AND(condition, cpu.read_int(0x457d72, 8)== ord('\xd3')) condition = Operators.AND(condition, cpu.read_int(0x457d6e, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x457d6f, 8)== ord('D')) condition = Operators.AND(condition, cpu.XMM3 == 0xff00000000ff0000000000000000) condition = Operators.AND(condition, cpu.RIP == 0x457d73) condition = Operators.AND(condition, cpu.R10D == 0x2100) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PMOVMSKB_3_symbolic(self): ''' Instruction PMOVMSKB_3 Groups: sse2 0x457ddd: pmovmskb edx, xmm3 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457de0] = '\xd3' mem[0x457ddd] = 'f' mem[0x457dde] = '\x0f' mem[0x457ddf] = '\xd7' cpu.XMM3 = cs.new_bitvec(128) cs.add(cpu.XMM3 == 0x0) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0xffffdcc8) cpu.RIP = 0x457ddd done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457de0, 8)== ord('\xd3')) condition = Operators.AND(condition, cpu.read_int(0x457ddd, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x457dde, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x457ddf, 8)== ord('\xd7')) condition = Operators.AND(condition, cpu.XMM3 == 0x0) condition = Operators.AND(condition, cpu.EDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x457de1) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PMOVMSKB_4_symbolic(self): ''' Instruction PMOVMSKB_4 Groups: sse2 0x7ffff7ab5ce1: pmovmskb ecx, xmm11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx') mem[0x7ffff7ab5ce1] = 'f' mem[0x7ffff7ab5ce2] = 'A' mem[0x7ffff7ab5ce3] = '\x0f' mem[0x7ffff7ab5ce4] = '\xd7' mem[0x7ffff7ab5ce5] = '\xcb' cpu.XMM11 = cs.new_bitvec(128) cs.add(cpu.XMM11 == 0xffffff0000000000ffffff0000000000) cpu.RIP = 0x7ffff7ab5ce1 cpu.ECX = cs.new_bitvec(32) cs.add(cpu.ECX == 0xa00) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5ce1, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5ce2, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5ce3, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5ce4, 8)== ord('\xd7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5ce5, 8)== ord('\xcb')) condition = Operators.AND(condition, cpu.XMM11 == 0xffffff0000000000ffffff0000000000) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab5ce6) condition = Operators.AND(condition, cpu.ECX == 0xe0e0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PMOVMSKB_5_symbolic(self): ''' Instruction PMOVMSKB_5 Groups: sse2 0x4184e7: pmovmskb edx, xmm9 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x4184e8] = 'A' mem[0x4184e9] = '\x0f' mem[0x4184ea] = '\xd7' mem[0x4184eb] = '\xd1' mem[0x4184e7] = 'f' cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x0) cpu.XMM9 = cs.new_bitvec(128) cs.add(cpu.XMM9 == 0xff00000000000000000000000000) cpu.RIP = 0x4184e7 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4184e8, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x4184e9, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4184ea, 8)== ord('\xd7')) condition = Operators.AND(condition, cpu.read_int(0x4184eb, 8)== ord('\xd1')) condition = Operators.AND(condition, cpu.read_int(0x4184e7, 8)== ord('f')) condition = Operators.AND(condition, cpu.EDX == 0x2000) condition = Operators.AND(condition, cpu.XMM9 == 0xff00000000000000000000000000) condition = Operators.AND(condition, cpu.RIP == 0x4184ec) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PMOVMSKB_6_symbolic(self): ''' Instruction PMOVMSKB_6 Groups: sse2 0x4184c4: pmovmskb edx, xmm12 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x4184c8] = '\xd4' mem[0x4184c4] = 'f' mem[0x4184c5] = 'A' mem[0x4184c6] = '\x0f' mem[0x4184c7] = '\xd7' cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x100) cpu.XMM12 = cs.new_bitvec(128) cs.add(cpu.XMM12 == 0x0) cpu.RIP = 0x4184c4 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4184c8, 8)== ord('\xd4')) condition = Operators.AND(condition, cpu.read_int(0x4184c4, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x4184c5, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x4184c6, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4184c7, 8)== ord('\xd7')) condition = Operators.AND(condition, cpu.EDX == 0x0) condition = Operators.AND(condition, cpu.XMM12 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4184c9) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_POP_1_symbolic(self): ''' Instruction POP_1 Groups: mode64 0x7ffff7de3b0b: pop rbp ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd880) value = cs.new_bitvec(8) cs.add(value == 0xb0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd881) value = cs.new_bitvec(8) cs.add(value == 0xd9) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd882) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd883) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd884) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd885) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd886) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd887) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd888) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value mem[0x7ffff7de3b0b] = ']' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd878) value = cs.new_bitvec(8) cs.add(value == 0x70) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd879) value = cs.new_bitvec(8) cs.add(value == 0xda) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87a) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87b) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd87f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd880) cpu.RIP = 0x7ffff7de3b0b cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffd880) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffd880, 8)== ord('\xb0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd881, 8)== ord('\xd9')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd882, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd883, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd884, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd885, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd886, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd887, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd888, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3b0b, 8)== ord(']')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd878, 8)== ord('p')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd879, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87a, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87b, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd888) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3b0c) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd9b0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_POP_2_symbolic(self): ''' Instruction POP_2 Groups: mode64 0x7ffff7dea3ad: pop r14 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7dea000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda08) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda09) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda0a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda0b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda0c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7dea3ad] = 'A' mem[0x7ffff7dea3ae] = '^' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda0d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda10) value = cs.new_bitvec(8) cs.add(value == 0x30) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda11) value = cs.new_bitvec(8) cs.add(value == 0xda) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda12) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda13) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda14) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda0e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda16) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda17) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda18) value = cs.new_bitvec(8) cs.add(value == 0x60) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda0f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda15) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value cpu.R14 = cs.new_bitvec(64) cs.add(cpu.R14 == 0x4) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffda10) cpu.RIP = 0x7ffff7dea3ad cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffda20) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7dea3ae, 8)== ord('^')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda08, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda09, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda10, 8)== ord('0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda11, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda12, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda13, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda14, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda15, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda16, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda17, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda18, 8)== ord('`')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7dea3ad, 8)== ord('A')) condition = Operators.AND(condition, cpu.R14 == 0x7fffffffda30) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffda18) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7dea3af) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffda20) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_POP_3_symbolic(self): ''' Instruction POP_3 Groups: mode64 0x4624e4: pop r12 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00462000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb00) value = cs.new_bitvec(8) cs.add(value == 0x48) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb01) value = cs.new_bitvec(8) cs.add(value == 0xd4) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb02) value = cs.new_bitvec(8) cs.add(value == 0x6b) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb03) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x4624e4] = 'A' mem[0x4624e5] = '\\' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb06) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb07) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb08) value = cs.new_bitvec(8) cs.add(value == 0xb8) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaff) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf8) value = cs.new_bitvec(8) cs.add(value == 0x3) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb04) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdafa) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdafb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdafc) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdafd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdafe) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb05) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffdb00) cpu.R12 = cs.new_bitvec(64) cs.add(cpu.R12 == 0x1) cpu.RIP = 0x4624e4 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffdb20) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb00, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb01, 8)== ord('\xd4')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb02, 8)== ord('k')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb03, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb04, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb05, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb06, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb07, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb08, 8)== ord('\xb8')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaff, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf8, 8)== ord('\x03')) condition = Operators.AND(condition, cpu.read_int(0x4624e4, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafa, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafe, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x4624e5, 8)== ord('\\')) condition = Operators.AND(condition, cpu.R12 == 0x6bd448) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffdb08) condition = Operators.AND(condition, cpu.RIP == 0x4624e6) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdb20) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_POP_4_symbolic(self): ''' Instruction POP_4 Groups: mode64 0x6ff233: pop rdx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x006ff000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca4) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca8) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccaa) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccab) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccac) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccad) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccae) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccaf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value mem[0x6ff233] = 'Z' cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffcca8) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x80000001) cpu.RIP = 0x6ff233 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca8, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaa, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccab, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccac, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccad, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccae, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x6ff233, 8)== ord('Z')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RDX == 0x1) condition = Operators.AND(condition, cpu.RIP == 0x6ff234) condition = Operators.AND(condition, cpu.RBP == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_POP_5_symbolic(self): ''' Instruction POP_5 Groups: mode64 0x632f8a: pop rdx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00632000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca4) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x632f8a] = 'Z' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccab) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccac) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccad) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccae) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccaf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccaa) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffcca8) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x7f) cpu.RIP = 0x632f8a cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x632f8a, 8)== ord('Z')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccab, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccac, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccad, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccae, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaa, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RDX == 0x80000000) condition = Operators.AND(condition, cpu.RIP == 0x632f8b) condition = Operators.AND(condition, cpu.RBP == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_POP_6_symbolic(self): ''' Instruction POP_6 Groups: mode64 0x737db3: pop rdx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00737000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca4) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca9) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccaa) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccab) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccac) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccad) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccae) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccaf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value mem[0x737db3] = 'Z' cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffcca8) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x40) cpu.RIP = 0x737db3 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca9, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaa, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccab, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccac, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccad, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccae, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x737db3, 8)== ord('Z')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RDX == 0xff00) condition = Operators.AND(condition, cpu.RIP == 0x737db4) condition = Operators.AND(condition, cpu.RBP == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_POR_1_symbolic(self): ''' Instruction POR_1 Groups: sse2 0x7ffff7df43a7: por xmm0, xmm4 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df43a8] = '\x0f' mem[0x7ffff7df43a9] = '\xeb' mem[0x7ffff7df43aa] = '\xc4' mem[0x7ffff7df43a7] = 'f' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.RIP = 0x7ffff7df43a7 cpu.XMM4 = cs.new_bitvec(128) cs.add(cpu.XMM4 == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a8, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a9, 8)== ord('\xeb')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43aa, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a7, 8)== ord('f')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.XMM4 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df43ab) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_POR_2_symbolic(self): ''' Instruction POR_2 Groups: sse2 0x7ffff7df43a7: por xmm0, xmm4 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df43a8] = '\x0f' mem[0x7ffff7df43a9] = '\xeb' mem[0x7ffff7df43aa] = '\xc4' mem[0x7ffff7df43a7] = 'f' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.RIP = 0x7ffff7df43a7 cpu.XMM4 = cs.new_bitvec(128) cs.add(cpu.XMM4 == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a8, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a9, 8)== ord('\xeb')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43aa, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a7, 8)== ord('f')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.XMM4 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df43ab) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_POR_3_symbolic(self): ''' Instruction POR_3 Groups: sse2 0x7ffff7df43a7: por xmm0, xmm4 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df43a8] = '\x0f' mem[0x7ffff7df43a9] = '\xeb' mem[0x7ffff7df43aa] = '\xc4' mem[0x7ffff7df43a7] = 'f' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.RIP = 0x7ffff7df43a7 cpu.XMM4 = cs.new_bitvec(128) cs.add(cpu.XMM4 == 0xff00000000ff000000000000000000) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a8, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a9, 8)== ord('\xeb')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43aa, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a7, 8)== ord('f')) condition = Operators.AND(condition, cpu.XMM0 == 0xff00000000ff000000000000000000) condition = Operators.AND(condition, cpu.XMM4 == 0xff00000000ff000000000000000000) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df43ab) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_POR_4_symbolic(self): ''' Instruction POR_4 Groups: sse2 0x7ffff7df43a7: por xmm0, xmm4 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df43a8] = '\x0f' mem[0x7ffff7df43a9] = '\xeb' mem[0x7ffff7df43aa] = '\xc4' mem[0x7ffff7df43a7] = 'f' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.RIP = 0x7ffff7df43a7 cpu.XMM4 = cs.new_bitvec(128) cs.add(cpu.XMM4 == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a8, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a9, 8)== ord('\xeb')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43aa, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a7, 8)== ord('f')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.XMM4 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df43ab) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_POR_5_symbolic(self): ''' Instruction POR_5 Groups: sse2 0x7ffff7df4412: por xmm0, xmm3 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4412] = 'f' mem[0x7ffff7df4413] = '\x0f' mem[0x7ffff7df4414] = '\xeb' mem[0x7ffff7df4415] = '\xc3' cpu.XMM3 = cs.new_bitvec(128) cs.add(cpu.XMM3 == 0xff000000000000) cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.RIP = 0x7ffff7df4412 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4412, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4413, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4414, 8)== ord('\xeb')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4415, 8)== ord('\xc3')) condition = Operators.AND(condition, cpu.XMM3 == 0xff000000000000) condition = Operators.AND(condition, cpu.XMM0 == 0xff000000000000) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4416) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_POR_6_symbolic(self): ''' Instruction POR_6 Groups: sse2 0x7ffff7ac0b17: por xmm0, xmm4 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0b18] = '\x0f' mem[0x7ffff7ac0b19] = '\xeb' mem[0x7ffff7ac0b1a] = '\xc4' mem[0x7ffff7ac0b17] = 'f' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.RIP = 0x7ffff7ac0b17 cpu.XMM4 = cs.new_bitvec(128) cs.add(cpu.XMM4 == 0xffffff000000ff) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b18, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b19, 8)== ord('\xeb')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b1a, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b17, 8)== ord('f')) condition = Operators.AND(condition, cpu.XMM0 == 0xffffff000000ff) condition = Operators.AND(condition, cpu.XMM4 == 0xffffff000000ff) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0b1b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PSHUFD_1_symbolic(self): ''' Instruction PSHUFD_1 Groups: sse2 0x7ffff7ac0af8: pshufd xmm1, xmm1, 0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0af8] = 'f' mem[0x7ffff7ac0af9] = '\x0f' mem[0x7ffff7ac0afa] = 'p' mem[0x7ffff7ac0afb] = '\xc9' mem[0x7ffff7ac0afc] = '\x00' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x25252525) cpu.RIP = 0x7ffff7ac0af8 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af8, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af9, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0afa, 8)== ord('p')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0afb, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0afc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.XMM1 == 0x25252525252525252525252525252525) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0afd) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PSHUFD_2_symbolic(self): ''' Instruction PSHUFD_2 Groups: sse2 0x7ffff7ac0af8: pshufd xmm1, xmm1, 0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0af8] = 'f' mem[0x7ffff7ac0af9] = '\x0f' mem[0x7ffff7ac0afa] = 'p' mem[0x7ffff7ac0afb] = '\xc9' mem[0x7ffff7ac0afc] = '\x00' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x25252525) cpu.RIP = 0x7ffff7ac0af8 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af8, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af9, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0afa, 8)== ord('p')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0afb, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0afc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.XMM1 == 0x25252525252525252525252525252525) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0afd) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PSHUFD_3_symbolic(self): ''' Instruction PSHUFD_3 Groups: sse2 0x7ffff7df4388: pshufd xmm1, xmm1, 0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4388] = 'f' mem[0x7ffff7df4389] = '\x0f' mem[0x7ffff7df438a] = 'p' mem[0x7ffff7df438b] = '\xc9' mem[0x7ffff7df438c] = '\x00' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x24242424) cpu.RIP = 0x7ffff7df4388 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4388, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4389, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df438a, 8)== ord('p')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df438b, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df438c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.XMM1 == 0x24242424242424242424242424242424) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df438d) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PSHUFD_4_symbolic(self): ''' Instruction PSHUFD_4 Groups: sse2 0x7ffff7ab799a: pshufd xmm1, xmm1, 0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx') mem[0x7ffff7ab799a] = 'f' mem[0x7ffff7ab799b] = '\x0f' mem[0x7ffff7ab799c] = 'p' mem[0x7ffff7ab799d] = '\xc9' mem[0x7ffff7ab799e] = '\x00' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x2f2f2f2f) cpu.RIP = 0x7ffff7ab799a done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799a, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799b, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799c, 8)== ord('p')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799d, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab799f) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PSHUFD_5_symbolic(self): ''' Instruction PSHUFD_5 Groups: sse2 0x7ffff7df4388: pshufd xmm1, xmm1, 0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4388] = 'f' mem[0x7ffff7df4389] = '\x0f' mem[0x7ffff7df438a] = 'p' mem[0x7ffff7df438b] = '\xc9' mem[0x7ffff7df438c] = '\x00' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x24242424) cpu.RIP = 0x7ffff7df4388 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4388, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4389, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df438a, 8)== ord('p')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df438b, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df438c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.XMM1 == 0x24242424242424242424242424242424) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df438d) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PSHUFD_6_symbolic(self): ''' Instruction PSHUFD_6 Groups: sse2 0x7ffff7ab799a: pshufd xmm1, xmm1, 0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx') mem[0x7ffff7ab799a] = 'f' mem[0x7ffff7ab799b] = '\x0f' mem[0x7ffff7ab799c] = 'p' mem[0x7ffff7ab799d] = '\xc9' mem[0x7ffff7ab799e] = '\x00' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x2f2f2f2f) cpu.RIP = 0x7ffff7ab799a done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799a, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799b, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799c, 8)== ord('p')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799d, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab799f) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUNPCKLBW_1_symbolic(self): ''' Instruction PUNPCKLBW_1 Groups: sse2 0x7ffff7df437b: punpcklbw xmm1, xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df437b] = 'f' mem[0x7ffff7df437c] = '\x0f' mem[0x7ffff7df437d] = '`' mem[0x7ffff7df437e] = '\xc9' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x24) cpu.RIP = 0x7ffff7df437b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437b, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437c, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437d, 8)== ord('`')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437e, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.XMM1 == 0x2424) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df437f) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUNPCKLBW_2_symbolic(self): ''' Instruction PUNPCKLBW_2 Groups: sse2 0x7ffff7ac0aeb: punpcklbw xmm1, xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0aeb] = 'f' mem[0x7ffff7ac0aec] = '\x0f' mem[0x7ffff7ac0aed] = '`' mem[0x7ffff7ac0aee] = '\xc9' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x25) cpu.RIP = 0x7ffff7ac0aeb done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aeb, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aec, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aed, 8)== ord('`')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aee, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.XMM1 == 0x2525) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0aef) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUNPCKLBW_3_symbolic(self): ''' Instruction PUNPCKLBW_3 Groups: sse2 0x7ffff7ac0aeb: punpcklbw xmm1, xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0aeb] = 'f' mem[0x7ffff7ac0aec] = '\x0f' mem[0x7ffff7ac0aed] = '`' mem[0x7ffff7ac0aee] = '\xc9' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x25) cpu.RIP = 0x7ffff7ac0aeb done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aeb, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aec, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aed, 8)== ord('`')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aee, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.XMM1 == 0x2525) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0aef) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUNPCKLBW_4_symbolic(self): ''' Instruction PUNPCKLBW_4 Groups: sse2 0x4579cc: punpcklbw xmm1, xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x4579cc] = 'f' mem[0x4579cd] = '\x0f' mem[0x4579ce] = '`' mem[0x4579cf] = '\xc9' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x2f) cpu.RIP = 0x4579cc done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4579cc, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x4579cd, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4579ce, 8)== ord('`')) condition = Operators.AND(condition, cpu.read_int(0x4579cf, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f) condition = Operators.AND(condition, cpu.RIP == 0x4579d0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUNPCKLBW_5_symbolic(self): ''' Instruction PUNPCKLBW_5 Groups: sse2 0x45794c: punpcklbw xmm1, xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x45794c] = 'f' mem[0x45794d] = '\x0f' mem[0x45794e] = '`' mem[0x45794f] = '\xc9' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x2f) cpu.RIP = 0x45794c done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x45794c, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x45794d, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x45794e, 8)== ord('`')) condition = Operators.AND(condition, cpu.read_int(0x45794f, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f) condition = Operators.AND(condition, cpu.RIP == 0x457950) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUNPCKLBW_6_symbolic(self): ''' Instruction PUNPCKLBW_6 Groups: sse2 0x7ffff7df437b: punpcklbw xmm1, xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df437b] = 'f' mem[0x7ffff7df437c] = '\x0f' mem[0x7ffff7df437d] = '`' mem[0x7ffff7df437e] = '\xc9' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x24) cpu.RIP = 0x7ffff7df437b done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437b, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437c, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437d, 8)== ord('`')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437e, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.XMM1 == 0x2424) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df437f) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUNPCKLWD_1_symbolic(self): ''' Instruction PUNPCKLWD_1 Groups: sse2 0x457a46: punpcklwd xmm1, xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00457000, 0x1000, 'rwx') mem[0x457a48] = 'a' mem[0x457a49] = '\xc9' mem[0x457a46] = 'f' mem[0x457a47] = '\x0f' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x2f2f) cpu.RIP = 0x457a46 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x457a48, 8)== ord('a')) condition = Operators.AND(condition, cpu.read_int(0x457a49, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x457a46, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x457a47, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f2f2f) condition = Operators.AND(condition, cpu.RIP == 0x457a4a) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUNPCKLWD_2_symbolic(self): ''' Instruction PUNPCKLWD_2 Groups: sse2 0x421b24: punpcklwd xmm1, xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00421000, 0x1000, 'rwx') mem[0x421b24] = 'f' mem[0x421b25] = '\x0f' mem[0x421b26] = 'a' mem[0x421b27] = '\xc9' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x2525) cpu.RIP = 0x421b24 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x421b24, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x421b25, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x421b26, 8)== ord('a')) condition = Operators.AND(condition, cpu.read_int(0x421b27, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.XMM1 == 0x25252525) condition = Operators.AND(condition, cpu.RIP == 0x421b28) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUNPCKLWD_3_symbolic(self): ''' Instruction PUNPCKLWD_3 Groups: sse2 0x7ffff7df4384: punpcklwd xmm1, xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4384] = 'f' mem[0x7ffff7df4385] = '\x0f' mem[0x7ffff7df4386] = 'a' mem[0x7ffff7df4387] = '\xc9' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x2424) cpu.RIP = 0x7ffff7df4384 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4384, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4385, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4386, 8)== ord('a')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4387, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.XMM1 == 0x24242424) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4388) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUNPCKLWD_4_symbolic(self): ''' Instruction PUNPCKLWD_4 Groups: sse2 0x7ffff7df4384: punpcklwd xmm1, xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4384] = 'f' mem[0x7ffff7df4385] = '\x0f' mem[0x7ffff7df4386] = 'a' mem[0x7ffff7df4387] = '\xc9' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x2424) cpu.RIP = 0x7ffff7df4384 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4384, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4385, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4386, 8)== ord('a')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4387, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.XMM1 == 0x24242424) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4388) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUNPCKLWD_5_symbolic(self): ''' Instruction PUNPCKLWD_5 Groups: sse2 0x45a576: punpcklwd xmm1, xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0045a000, 0x1000, 'rwx') mem[0x45a578] = 'a' mem[0x45a579] = '\xc9' mem[0x45a576] = 'f' mem[0x45a577] = '\x0f' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x2f2f) cpu.RIP = 0x45a576 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x45a578, 8)== ord('a')) condition = Operators.AND(condition, cpu.read_int(0x45a579, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x45a576, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x45a577, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f2f2f) condition = Operators.AND(condition, cpu.RIP == 0x45a57a) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUNPCKLWD_6_symbolic(self): ''' Instruction PUNPCKLWD_6 Groups: sse2 0x7ffff7ac0af4: punpcklwd xmm1, xmm1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx') mem[0x7ffff7ac0af4] = 'f' mem[0x7ffff7ac0af5] = '\x0f' mem[0x7ffff7ac0af6] = 'a' mem[0x7ffff7ac0af7] = '\xc9' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x2525) cpu.RIP = 0x7ffff7ac0af4 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af4, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af5, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af6, 8)== ord('a')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af7, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.XMM1 == 0x25252525) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0af8) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUSH_1_symbolic(self): ''' Instruction PUSH_1 Groups: mode64 0x7ffff7de407a: push r12 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd7a0) value = cs.new_bitvec(8) cs.add(value == 0x34) mem[addr] = value mem[0x7ffff7de407b] = 'T' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd79a) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd790) value = cs.new_bitvec(8) cs.add(value == 0x58) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd791) value = cs.new_bitvec(8) cs.add(value == 0x76) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd792) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd793) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd794) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd795) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd796) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd797) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd798) value = cs.new_bitvec(8) cs.add(value == 0x38) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd799) value = cs.new_bitvec(8) cs.add(value == 0xd8) mem[addr] = value mem[0x7ffff7de407a] = 'A' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd79b) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd79c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd79d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd79e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd79f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd798) cpu.R12 = cs.new_bitvec(64) cs.add(cpu.R12 == 0x7ffff7ff7658) cpu.RIP = 0x7ffff7de407a cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffd870) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffd7a0, 8)== ord('4')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de407b, 8)== ord('T')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de407a, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd790, 8)== ord('X')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd791, 8)== ord('v')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd792, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd793, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd794, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd795, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd796, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd797, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd798, 8)== ord('8')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd799, 8)== ord('\xd8')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd79a, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd79b, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd79c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd79d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd79e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd79f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.R12 == 0x7ffff7ff7658) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd790) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de407c) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd870) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUSH_2_symbolic(self): ''' Instruction PUSH_2 Groups: mode64 0x722546: push 0xff00 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00722000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca9) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccaa) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccab) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccac) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccad) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccae) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccaf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0xfe) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0xfe) mem[addr] = value mem[0x722546] = 'h' mem[0x722547] = '\x00' mem[0x722548] = '\xff' mem[0x722549] = '\x00' mem[0x72254a] = '\x00' cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x722546 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca9, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaa, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccab, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccac, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccad, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccae, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xfe')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\xfe')) condition = Operators.AND(condition, cpu.read_int(0x722546, 8)== ord('h')) condition = Operators.AND(condition, cpu.read_int(0x722547, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x722548, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x722549, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x72254a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffcca8) condition = Operators.AND(condition, cpu.RIP == 0x72254b) condition = Operators.AND(condition, cpu.RBP == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUSH_3_symbolic(self): ''' Instruction PUSH_3 Groups: mode64 0x744c3e: push 0xf00aabb ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00744000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca8) value = cs.new_bitvec(8) cs.add(value == 0xbb) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca9) value = cs.new_bitvec(8) cs.add(value == 0xaa) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccaa) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccab) value = cs.new_bitvec(8) cs.add(value == 0xf) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccac) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccad) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccae) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccaf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x21) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x43) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x65) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x87) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value mem[0x744c3e] = 'h' mem[0x744c3f] = '\xbb' mem[0x744c40] = '\xaa' mem[0x744c41] = '\x00' mem[0x744c42] = '\x0f' cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x744c3e cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca8, 8)== ord('\xbb')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca9, 8)== ord('\xaa')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaa, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccab, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccac, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccad, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccae, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('!')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('C')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('e')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x87')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x744c3e, 8)== ord('h')) condition = Operators.AND(condition, cpu.read_int(0x744c3f, 8)== ord('\xbb')) condition = Operators.AND(condition, cpu.read_int(0x744c40, 8)== ord('\xaa')) condition = Operators.AND(condition, cpu.read_int(0x744c41, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x744c42, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffcca8) condition = Operators.AND(condition, cpu.RIP == 0x744c43) condition = Operators.AND(condition, cpu.RBP == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUSH_4_symbolic(self): ''' Instruction PUSH_4 Groups: mode64 0x6651fa: push rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00665000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca8) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccaa) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccab) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccac) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccad) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccae) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccaf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x21) mem[addr] = value mem[0x6651fa] = 'P' cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x6651fa cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x7f) cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca8, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaa, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccab, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccac, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccad, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccae, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('!')) condition = Operators.AND(condition, cpu.read_int(0x6651fa, 8)== ord('P')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffcca8) condition = Operators.AND(condition, cpu.RAX == 0x7f) condition = Operators.AND(condition, cpu.RIP == 0x6651fb) condition = Operators.AND(condition, cpu.RBP == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUSH_5_symbolic(self): ''' Instruction PUSH_5 Groups: mode64 0x7ffff7de4330: push rbp ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda40) value = cs.new_bitvec(8) cs.add(value == 0x1) mem[addr] = value mem[0x7ffff7de4330] = 'U' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda30) value = cs.new_bitvec(8) cs.add(value == 0x70) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda31) value = cs.new_bitvec(8) cs.add(value == 0xdb) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda32) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda33) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda34) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda35) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda36) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda37) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda38) value = cs.new_bitvec(8) cs.add(value == 0x94) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda39) value = cs.new_bitvec(8) cs.add(value == 0x62) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda3a) value = cs.new_bitvec(8) cs.add(value == 0xde) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda3b) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda3c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda3d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda3e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda3f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffda38) cpu.RIP = 0x7ffff7de4330 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffdb70) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffda40, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda30, 8)== ord('p')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4330, 8)== ord('U')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda31, 8)== ord('\xdb')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda32, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda33, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda34, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda35, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda36, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda37, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda38, 8)== ord('\x94')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda39, 8)== ord('b')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda3a, 8)== ord('\xde')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda3b, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda3c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda3d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda3e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda3f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffda30) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4331) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdb70) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PUSH_6_symbolic(self): ''' Instruction PUSH_6 Groups: mode64 0x75c167: push 0xf00aabb ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0075c000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca8) value = cs.new_bitvec(8) cs.add(value == 0xbb) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffcca9) value = cs.new_bitvec(8) cs.add(value == 0xaa) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccaa) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccab) value = cs.new_bitvec(8) cs.add(value == 0xf) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccac) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccad) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccae) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccaf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0xfe) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x78) mem[addr] = value mem[0x75c167] = 'h' mem[0x75c168] = '\xbb' mem[0x75c169] = '\xaa' mem[0x75c16a] = '\x00' mem[0x75c16b] = '\x0f' cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x75c167 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca8, 8)== ord('\xbb')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca9, 8)== ord('\xaa')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaa, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccab, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccac, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccad, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccae, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xfe')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('x')) condition = Operators.AND(condition, cpu.read_int(0x75c167, 8)== ord('h')) condition = Operators.AND(condition, cpu.read_int(0x75c168, 8)== ord('\xbb')) condition = Operators.AND(condition, cpu.read_int(0x75c169, 8)== ord('\xaa')) condition = Operators.AND(condition, cpu.read_int(0x75c16a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x75c16b, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffcca8) condition = Operators.AND(condition, cpu.RIP == 0x75c16c) condition = Operators.AND(condition, cpu.RBP == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PXOR_1_symbolic(self): ''' Instruction PXOR_1 Groups: sse2 0x418490: pxor xmm8, xmm8 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x418490] = 'f' mem[0x418491] = 'E' mem[0x418492] = '\x0f' mem[0x418493] = '\xef' mem[0x418494] = '\xc0' cpu.XMM8 = cs.new_bitvec(128) cs.add(cpu.XMM8 == 0x0) cpu.RIP = 0x418490 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x418490, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x418491, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x418492, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x418493, 8)== ord('\xef')) condition = Operators.AND(condition, cpu.read_int(0x418494, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.XMM8 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x418495) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PXOR_2_symbolic(self): ''' Instruction PXOR_2 Groups: sse2 0x41848f: pxor xmm11, xmm11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x418490] = 'E' mem[0x418491] = '\x0f' mem[0x418492] = '\xef' mem[0x418493] = '\xdb' mem[0x41848f] = 'f' cpu.XMM11 = cs.new_bitvec(128) cs.add(cpu.XMM11 == 0x0) cpu.RIP = 0x41848f done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x418490, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x418491, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x418492, 8)== ord('\xef')) condition = Operators.AND(condition, cpu.read_int(0x418493, 8)== ord('\xdb')) condition = Operators.AND(condition, cpu.read_int(0x41848f, 8)== ord('f')) condition = Operators.AND(condition, cpu.XMM11 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x418494) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PXOR_3_symbolic(self): ''' Instruction PXOR_3 Groups: sse2 0x4184bf: pxor xmm11, xmm11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x4184c0] = 'E' mem[0x4184c1] = '\x0f' mem[0x4184c2] = '\xef' mem[0x4184c3] = '\xdb' mem[0x4184bf] = 'f' cpu.XMM11 = cs.new_bitvec(128) cs.add(cpu.XMM11 == 0x0) cpu.RIP = 0x4184bf done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4184c0, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x4184c1, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4184c2, 8)== ord('\xef')) condition = Operators.AND(condition, cpu.read_int(0x4184c3, 8)== ord('\xdb')) condition = Operators.AND(condition, cpu.read_int(0x4184bf, 8)== ord('f')) condition = Operators.AND(condition, cpu.XMM11 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4184c4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PXOR_4_symbolic(self): ''' Instruction PXOR_4 Groups: sse2 0x418480: pxor xmm8, xmm8 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x418480] = 'f' mem[0x418481] = 'E' mem[0x418482] = '\x0f' mem[0x418483] = '\xef' mem[0x418484] = '\xc0' cpu.XMM8 = cs.new_bitvec(128) cs.add(cpu.XMM8 == 0x0) cpu.RIP = 0x418480 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x418480, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x418481, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x418482, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x418483, 8)== ord('\xef')) condition = Operators.AND(condition, cpu.read_int(0x418484, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.XMM8 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x418485) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PXOR_5_symbolic(self): ''' Instruction PXOR_5 Groups: sse2 0x4183b5: pxor xmm9, xmm9 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x4183b8] = '\xef' mem[0x4183b9] = '\xc9' mem[0x4183b5] = 'f' mem[0x4183b6] = 'E' mem[0x4183b7] = '\x0f' cpu.XMM9 = cs.new_bitvec(128) cs.add(cpu.XMM9 == 0x0) cpu.RIP = 0x4183b5 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4183b8, 8)== ord('\xef')) condition = Operators.AND(condition, cpu.read_int(0x4183b9, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x4183b5, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x4183b6, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x4183b7, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.XMM9 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4183ba) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_PXOR_6_symbolic(self): ''' Instruction PXOR_6 Groups: sse2 0x418495: pxor xmm9, xmm9 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00418000, 0x1000, 'rwx') mem[0x418498] = '\xef' mem[0x418499] = '\xc9' mem[0x418495] = 'f' mem[0x418496] = 'E' mem[0x418497] = '\x0f' cpu.XMM9 = cs.new_bitvec(128) cs.add(cpu.XMM9 == 0x0) cpu.RIP = 0x418495 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x418498, 8)== ord('\xef')) condition = Operators.AND(condition, cpu.read_int(0x418499, 8)== ord('\xc9')) condition = Operators.AND(condition, cpu.read_int(0x418495, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x418496, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x418497, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.XMM9 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x41849a) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_RET_1_symbolic(self): ''' Instruction RET_1 Groups: ret, mode64 0x7ffff7de3748: ret ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd780) value = cs.new_bitvec(8) cs.add(value == 0x5d) mem[addr] = value mem[0x7ffff7de3748] = '\xc3' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd770) value = cs.new_bitvec(8) cs.add(value == 0x70) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd771) value = cs.new_bitvec(8) cs.add(value == 0xd8) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd772) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd773) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd774) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd775) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd776) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd777) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd778) value = cs.new_bitvec(8) cs.add(value == 0xab) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd779) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd77a) value = cs.new_bitvec(8) cs.add(value == 0xde) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd77b) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd77c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd77d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd77e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd77f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd778) cpu.RIP = 0x7ffff7de3748 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffd870) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffd780, 8)== ord(']')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3748, 8)== ord('\xc3')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd770, 8)== ord('p')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd771, 8)== ord('\xd8')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd772, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd773, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd774, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd775, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd776, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd777, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd778, 8)== ord('\xab')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd779, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd77a, 8)== ord('\xde')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd77b, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd77c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd77d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd77e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd77f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd780) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de40ab) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd870) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_RET_2_symbolic(self): ''' Instruction RET_2 Groups: ret, mode64 0x7ffff7df537f: ret ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df5000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd840) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7df537f] = '\xc3' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd830) value = cs.new_bitvec(8) cs.add(value == 0x3) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd831) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd832) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd833) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd834) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd835) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd836) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd837) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd838) value = cs.new_bitvec(8) cs.add(value == 0xdb) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd839) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd83a) value = cs.new_bitvec(8) cs.add(value == 0xde) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd83b) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd83c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd83d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd83e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd83f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd838) cpu.RIP = 0x7ffff7df537f cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffdae0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffd840, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd83f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd830, 8)== ord('\x03')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd831, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd832, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd833, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd834, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd835, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd836, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd837, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd838, 8)== ord('\xdb')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd839, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd83a, 8)== ord('\xde')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd83b, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd83c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd83d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd83e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df537f, 8)== ord('\xc3')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd840) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de7fdb) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdae0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_RET_3_symbolic(self): ''' Instruction RET_3 Groups: ret, mode64 0x406e67: ret ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb20) value = cs.new_bitvec(8) cs.add(value == 0x70) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb21) value = cs.new_bitvec(8) cs.add(value == 0xdb) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb22) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb23) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb24) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb25) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb26) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x406e67] = '\xc3' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb28) value = cs.new_bitvec(8) cs.add(value == 0x4e) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb29) value = cs.new_bitvec(8) cs.add(value == 0x6f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb2a) value = cs.new_bitvec(8) cs.add(value == 0x43) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb27) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb2c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb2d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb2e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb2f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb30) value = cs.new_bitvec(8) cs.add(value == 0x40) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb2b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffdb28) cpu.RIP = 0x406e67 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffdb70) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb20, 8)== ord('p')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb21, 8)== ord('\xdb')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb22, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb23, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb24, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb25, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb26, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x406e67, 8)== ord('\xc3')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb28, 8)== ord('N')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb29, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2a, 8)== ord('C')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb30, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb27, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffdb30) condition = Operators.AND(condition, cpu.RIP == 0x436f4e) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdb70) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_RET_4_symbolic(self): ''' Instruction RET_4 Groups: ret, mode64 0x7ffff7de2af3: ret ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de2000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd700) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd701) value = cs.new_bitvec(8) cs.add(value == 0xd7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd702) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd703) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd704) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd705) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd706) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd707) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd708) value = cs.new_bitvec(8) cs.add(value == 0x29) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd709) value = cs.new_bitvec(8) cs.add(value == 0x75) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd70a) value = cs.new_bitvec(8) cs.add(value == 0xde) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd70b) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd70c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd70d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd70e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd70f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd710) value = cs.new_bitvec(8) cs.add(value == 0xb0) mem[addr] = value mem[0x7ffff7de2af3] = '\xc3' cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd708) cpu.RIP = 0x7ffff7de2af3 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffd720) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffd700, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd701, 8)== ord('\xd7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd702, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd703, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd704, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd705, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd706, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd707, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd708, 8)== ord(')')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd709, 8)== ord('u')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd70a, 8)== ord('\xde')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd70b, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd70c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd70d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd70e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd70f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd710, 8)== ord('\xb0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de2af3, 8)== ord('\xc3')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd710) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de7529) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd720) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_RET_5_symbolic(self): ''' Instruction RET_5 Groups: ret, mode64 0x4118a1: ret ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00411000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdae0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x4118a1] = '\xc3' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdae2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdae3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdae4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdae5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdae6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdae1) value = cs.new_bitvec(8) cs.add(value == 0xdb) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdae8) value = cs.new_bitvec(8) cs.add(value == 0x1c) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdae9) value = cs.new_bitvec(8) cs.add(value == 0x36) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaea) value = cs.new_bitvec(8) cs.add(value == 0x41) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdae7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaec) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaed) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaee) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaef) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf0) value = cs.new_bitvec(8) cs.add(value == 0x2) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaeb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffdae8) cpu.RIP = 0x4118a1 cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffdb00) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae1, 8)== ord('\xdb')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x4118a1, 8)== ord('\xc3')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae8, 8)== ord('\x1c')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae9, 8)== ord('6')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaea, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaec, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaed, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaee, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaef, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf0, 8)== ord('\x02')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaeb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffdaf0) condition = Operators.AND(condition, cpu.RIP == 0x41361c) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdb00) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_RET_6_symbolic(self): ''' Instruction RET_6 Groups: ret, mode64 0x40fc8d: ret ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0040f000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda00) value = cs.new_bitvec(8) cs.add(value == 0x6) mem[addr] = value mem[0x40fc8d] = '\xc3' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9f0) value = cs.new_bitvec(8) cs.add(value == 0xb0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9f1) value = cs.new_bitvec(8) cs.add(value == 0xda) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9f2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9f3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9f4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9f5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9f6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9f7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9f8) value = cs.new_bitvec(8) cs.add(value == 0xee) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9f9) value = cs.new_bitvec(8) cs.add(value == 0x7d) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9fa) value = cs.new_bitvec(8) cs.add(value == 0x45) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9fb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9fc) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9fd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9fe) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffd9ff) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd9f8) cpu.RIP = 0x40fc8d cpu.RBP = cs.new_bitvec(64) cs.add(cpu.RBP == 0x7fffffffdab0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffda00, 8)== ord('\x06')) condition = Operators.AND(condition, cpu.read_int(0x40fc8d, 8)== ord('\xc3')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f0, 8)== ord('\xb0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f1, 8)== ord('\xda')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f8, 8)== ord('\xee')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f9, 8)== ord('}')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9fa, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9fb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9fc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9fd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9fe, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9ff, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffda00) condition = Operators.AND(condition, cpu.RIP == 0x457dee) condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdab0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ROL_1_symbolic(self): ''' Instruction ROL_1 Groups: 0x44272a: rol rax, 0x11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00442000, 0x1000, 'rwx') mem[0x44272a] = 'H' mem[0x44272b] = '\xc1' mem[0x44272c] = '\xc0' mem[0x44272d] = '\x11' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RIP = 0x44272a cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x69fd1b8f25bea73) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x44272a, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x44272b, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x44272c, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x44272d, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.RAX == 0xa371e4b7d4e60d3f) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x44272e) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ROL_2_symbolic(self): ''' Instruction ROL_2 Groups: 0x7ffff7df408d: rol rax, 0x11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df4090] = '\x11' mem[0x7ffff7df408d] = 'H' mem[0x7ffff7df408e] = '\xc1' mem[0x7ffff7df408f] = '\xc0' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RIP = 0x7ffff7df408d cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x7fffffffd9b0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4090, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df408d, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df408e, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df408f, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.RAX == 0xffffffffb3600000) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4091) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ROL_3_symbolic(self): ''' Instruction ROL_3 Groups: 0x409c7a: rol rdi, 0x11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00409000, 0x1000, 'rwx') mem[0x409c7a] = 'H' mem[0x409c7b] = '\xc1' mem[0x409c7c] = '\xc7' mem[0x409c7d] = '\x11' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x4fb19f79d00a9c7e) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x409c7a done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x409c7a, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x409c7b, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x409c7c, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x409c7d, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.RDI == 0x3ef3a01538fc9f63) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x409c7e) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ROL_4_symbolic(self): ''' Instruction ROL_4 Groups: 0x40725a: rol rdi, 0x11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00407000, 0x1000, 'rwx') mem[0x40725a] = 'H' mem[0x40725b] = '\xc1' mem[0x40725c] = '\xc7' mem[0x40725d] = '\x11' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x1d13aa75a9fb0505) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x40725a done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x40725a, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x40725b, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x40725c, 8)== ord('\xc7')) condition = Operators.AND(condition, cpu.read_int(0x40725d, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.RDI == 0x54eb53f60a0a3a27) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x40725e) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ROL_5_symbolic(self): ''' Instruction ROL_5 Groups: 0x4452b5: rol rdx, 0x11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00445000, 0x1000, 'rwx') mem[0x4452b8] = '\x11' mem[0x4452b5] = 'H' mem[0x4452b6] = '\xc1' mem[0x4452b7] = '\xc2' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x4452b5 cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x4fb1e0862fb57b2e) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4452b8, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.read_int(0x4452b5, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x4452b6, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x4452b7, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x4452b9) condition = Operators.AND(condition, cpu.RDX == 0xc10c5f6af65c9f63) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ROL_6_symbolic(self): ''' Instruction ROL_6 Groups: 0x7ffff7a6220a: rol rax, 0x11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a62000, 0x1000, 'rwx') mem[0x7ffff7a6220a] = 'H' mem[0x7ffff7a6220b] = '\xc1' mem[0x7ffff7a6220c] = '\xc0' mem[0x7ffff7a6220d] = '\x11' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RIP = 0x7ffff7a6220a cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x4d168f8071dccc80) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6220a, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6220b, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6220c, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6220d, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.RAX == 0x1f00e3b999009a2d) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a6220e) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ROR_1_symbolic(self): ''' Instruction ROR_1 Groups: 0x406f53: ror rax, 0x11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem[0x406f53] = 'H' mem[0x406f54] = '\xc1' mem[0x406f55] = '\xc8' mem[0x406f56] = '\x11' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RIP = 0x406f53 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x9287e74ad78292fc) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x406f53, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x406f54, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x406f55, 8)== ord('\xc8')) condition = Operators.AND(condition, cpu.read_int(0x406f56, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.RAX == 0x497e4943f3a56bc1) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x406f57) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ROR_2_symbolic(self): ''' Instruction ROR_2 Groups: 0x7ffff7a65253: ror rax, 0x11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a65000, 0x1000, 'rwx') mem[0x7ffff7a65253] = 'H' mem[0x7ffff7a65254] = '\xc1' mem[0x7ffff7a65255] = '\xc8' mem[0x7ffff7a65256] = '\x11' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RIP = 0x7ffff7a65253 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x42002153efdd741e) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65253, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65254, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65255, 8)== ord('\xc8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65256, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.RAX == 0xba0f210010a9f7ee) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a65257) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ROR_3_symbolic(self): ''' Instruction ROR_3 Groups: 0x406fd3: ror rax, 0x11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem[0x406fd3] = 'H' mem[0x406fd4] = '\xc1' mem[0x406fd5] = '\xc8' mem[0x406fd6] = '\x11' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RIP = 0x406fd3 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x4a02228a32751a47) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x406fd3, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x406fd4, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x406fd5, 8)== ord('\xc8')) condition = Operators.AND(condition, cpu.read_int(0x406fd6, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.RAX == 0x8d23a5011145193a) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x406fd7) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ROR_4_symbolic(self): ''' Instruction ROR_4 Groups: 0x7ffff7a65253: ror rax, 0x11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a65000, 0x1000, 'rwx') mem[0x7ffff7a65253] = 'H' mem[0x7ffff7a65254] = '\xc1' mem[0x7ffff7a65255] = '\xc8' mem[0x7ffff7a65256] = '\x11' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RIP = 0x7ffff7a65253 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x1b65e4b049796683) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65253, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65254, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65255, 8)== ord('\xc8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65256, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.RAX == 0xb3418db2f25824bc) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a65257) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ROR_5_symbolic(self): ''' Instruction ROR_5 Groups: 0x406f53: ror rax, 0x11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem[0x406f53] = 'H' mem[0x406f54] = '\xc1' mem[0x406f55] = '\xc8' mem[0x406f56] = '\x11' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RIP = 0x406f53 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x54eb53f60a0a3a27) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x406f53, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x406f54, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x406f55, 8)== ord('\xc8')) condition = Operators.AND(condition, cpu.read_int(0x406f56, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.RAX == 0x1d13aa75a9fb0505) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x406f57) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_ROR_6_symbolic(self): ''' Instruction ROR_6 Groups: 0x406fc3: ror rax, 0x11 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem[0x406fc3] = 'H' mem[0x406fc4] = '\xc1' mem[0x406fc5] = '\xc8' mem[0x406fc6] = '\x11' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.RIP = 0x406fc3 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0xf69983477b463caa) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x406fc3, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x406fc4, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x406fc5, 8)== ord('\xc8')) condition = Operators.AND(condition, cpu.read_int(0x406fc6, 8)== ord('\x11')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.RAX == 0x1e557b4cc1a3bda3) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x406fc7) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SAR_1_symbolic(self): ''' Instruction SAR_1 Groups: 0x7ffff7de4085: sar rax, 2 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4088] = '\x02' mem[0x7ffff7de4085] = 'H' mem[0x7ffff7de4086] = '\xc1' mem[0x7ffff7de4087] = '\xf8' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de4085 cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x15c8) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4088, 8)== ord('\x02')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4085, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4086, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4087, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4089) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.RAX == 0x572) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SAR_2_symbolic(self): ''' Instruction SAR_2 Groups: 0x7ffff7acfc78: sar r8d, 0x1f ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7acf000, 0x1000, 'rwx') mem[0x7ffff7acfc78] = 'A' mem[0x7ffff7acfc79] = '\xc1' mem[0x7ffff7acfc7a] = '\xf8' mem[0x7ffff7acfc7b] = '\x1f' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7acfc78 cpu.R8D = cs.new_bitvec(32) cs.add(cpu.R8D == 0x9) cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfc78, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfc79, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfc7a, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfc7b, 8)== ord('\x1f')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7acfc7c) condition = Operators.AND(condition, cpu.R8D == 0x0) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SAR_3_symbolic(self): ''' Instruction SAR_3 Groups: 0x7ffff7de4085: sar rax, 2 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4088] = '\x02' mem[0x7ffff7de4085] = 'H' mem[0x7ffff7de4086] = '\xc1' mem[0x7ffff7de4087] = '\xf8' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de4085 cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x1290) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4088, 8)== ord('\x02')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4085, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4086, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4087, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4089) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.RAX == 0x4a4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SAR_4_symbolic(self): ''' Instruction SAR_4 Groups: 0x7ffff7de4085: sar rax, 2 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4088] = '\x02' mem[0x7ffff7de4085] = 'H' mem[0x7ffff7de4086] = '\xc1' mem[0x7ffff7de4087] = '\xf8' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de4085 cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x1450) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4088, 8)== ord('\x02')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4085, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4086, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4087, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4089) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.RAX == 0x514) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SAR_5_symbolic(self): ''' Instruction SAR_5 Groups: 0x7ffff7de4085: sar rax, 2 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4088] = '\x02' mem[0x7ffff7de4085] = 'H' mem[0x7ffff7de4086] = '\xc1' mem[0x7ffff7de4087] = '\xf8' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de4085 cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x1420) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4088, 8)== ord('\x02')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4085, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4086, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4087, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4089) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.RAX == 0x508) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SAR_6_symbolic(self): ''' Instruction SAR_6 Groups: 0x7ffff7de4085: sar rax, 2 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4088] = '\x02' mem[0x7ffff7de4085] = 'H' mem[0x7ffff7de4086] = '\xc1' mem[0x7ffff7de4087] = '\xf8' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de4085 cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x1070) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4088, 8)== ord('\x02')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4085, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4086, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4087, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4089) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.RAX == 0x41c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SCASB_1_symbolic(self): ''' Instruction SCASB_1 Groups: 0x7ffff7a78233: repne scasb al, byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx') mem.mmap(0x7fffffffa000, 0x1000, 'rwx') mem[0x7ffff7a78234] = '\xae' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9c8) value = cs.new_bitvec(8) cs.add(value == 0x46) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9c9) value = cs.new_bitvec(8) cs.add(value == 0x7b) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9ca) value = cs.new_bitvec(8) cs.add(value == 0xaa) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cb) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cc) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cd) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9ce) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7a78233] = '\xf2' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14b4) value = cs.new_bitvec(8) cs.add(value == 0x74) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14b5) value = cs.new_bitvec(8) cs.add(value == 0x6f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14b6) value = cs.new_bitvec(8) cs.add(value == 0x72) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14b7) value = cs.new_bitvec(8) cs.add(value == 0x79) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14b8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14b9) value = cs.new_bitvec(8) cs.add(value == 0x4e) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14ba) value = cs.new_bitvec(8) cs.add(value == 0x6f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14bb) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7ffff7ba14b4) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0xffffffffffffffea) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffa9c8) cpu.RIP = 0x7ffff7a78233 cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b9, 8)== ord('N')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c8, 8)== ord('F')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c9, 8)== ord('{')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ca, 8)== ord('\xaa')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cb, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cc, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cd, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ce, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78233, 8)== ord('\xf2')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78234, 8)== ord('\xae')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b5, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b6, 8)== ord('r')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b7, 8)== ord('y')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b4, 8)== ord('t')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14ba, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14bb, 8)== ord(' ')) condition = Operators.AND(condition, cpu.RCX == 0xffffffffffffffe9) condition = Operators.AND(condition, cpu.RDI == 0x7ffff7ba14b5) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffa9c8) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a78233) condition = Operators.AND(condition, cpu.AL == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SCASB_2_symbolic(self): ''' Instruction SCASB_2 Groups: 0x7ffff7a78233: repne scasb al, byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx') mem.mmap(0x7fffffffa000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14a1) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14a2) value = cs.new_bitvec(8) cs.add(value == 0x73) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14a3) value = cs.new_bitvec(8) cs.add(value == 0x75) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14a4) value = cs.new_bitvec(8) cs.add(value == 0x63) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14a5) value = cs.new_bitvec(8) cs.add(value == 0x68) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14a6) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14a7) value = cs.new_bitvec(8) cs.add(value == 0x66) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14a8) value = cs.new_bitvec(8) cs.add(value == 0x69) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9c9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9ca) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cc) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9ce) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9c8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7a78233] = '\xf2' mem[0x7ffff7a78234] = '\xae' cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7ffff7ba14a1) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0xfffffffffffffffd) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffa9c8) cpu.RIP = 0x7ffff7a78233 cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a1, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a2, 8)== ord('s')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a3, 8)== ord('u')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a4, 8)== ord('c')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a5, 8)== ord('h')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a6, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a7, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ca, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ce, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a8, 8)== ord('i')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78233, 8)== ord('\xf2')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78234, 8)== ord('\xae')) condition = Operators.AND(condition, cpu.RCX == 0xfffffffffffffffc) condition = Operators.AND(condition, cpu.RDI == 0x7ffff7ba14a2) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffa9c8) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a78233) condition = Operators.AND(condition, cpu.AL == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SCASB_3_symbolic(self): ''' Instruction SCASB_3 Groups: 0x7ffff7a78233: repne scasb al, byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx') mem.mmap(0x7fffffffa000, 0x1000, 'rwx') mem[0x7ffff7a78234] = '\xae' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9c8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9c9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9ca) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cc) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9ce) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7a78233] = '\xf2' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14b2) value = cs.new_bitvec(8) cs.add(value == 0x65) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14b3) value = cs.new_bitvec(8) cs.add(value == 0x63) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14b4) value = cs.new_bitvec(8) cs.add(value == 0x74) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14b5) value = cs.new_bitvec(8) cs.add(value == 0x6f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14b6) value = cs.new_bitvec(8) cs.add(value == 0x72) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14b7) value = cs.new_bitvec(8) cs.add(value == 0x79) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14b8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14b9) value = cs.new_bitvec(8) cs.add(value == 0x4e) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7ffff7ba14b2) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0xffffffffffffffec) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffa9c8) cpu.RIP = 0x7ffff7a78233 cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b9, 8)== ord('N')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b3, 8)== ord('c')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ca, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ce, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b2, 8)== ord('e')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78233, 8)== ord('\xf2')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78234, 8)== ord('\xae')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b5, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b6, 8)== ord('r')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b7, 8)== ord('y')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b4, 8)== ord('t')) condition = Operators.AND(condition, cpu.RCX == 0xffffffffffffffeb) condition = Operators.AND(condition, cpu.RDI == 0x7ffff7ba14b3) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffa9c8) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a78233) condition = Operators.AND(condition, cpu.AL == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SCASB_4_symbolic(self): ''' Instruction SCASB_4 Groups: 0x7ffff7a78233: repne scasb al, byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem.mmap(0x7fffffffe000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe0a5) value = cs.new_bitvec(8) cs.add(value == 0x67) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe0a6) value = cs.new_bitvec(8) cs.add(value == 0x7a) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe0a7) value = cs.new_bitvec(8) cs.add(value == 0x69) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe0a8) value = cs.new_bitvec(8) cs.add(value == 0x70) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe0a9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe0aa) value = cs.new_bitvec(8) cs.add(value == 0x61) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe0ab) value = cs.new_bitvec(8) cs.add(value == 0x72) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffe0ac) value = cs.new_bitvec(8) cs.add(value == 0x67) mem[addr] = value mem[0x7ffff7a78233] = '\xf2' mem[0x7ffff7a78234] = '\xae' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc2f8) value = cs.new_bitvec(8) cs.add(value == 0x1f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc2f9) value = cs.new_bitvec(8) cs.add(value == 0xd5) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc2fa) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc2fb) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc2fc) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc2fd) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc2fe) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc2ff) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffe0a5) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0xffffffffffffffff) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffc2f8) cpu.RIP = 0x7ffff7a78233 cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0a5, 8)== ord('g')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0a6, 8)== ord('z')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0a7, 8)== ord('i')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0a8, 8)== ord('p')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0a9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0aa, 8)== ord('a')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0ab, 8)== ord('r')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0ac, 8)== ord('g')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78233, 8)== ord('\xf2')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78234, 8)== ord('\xae')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2f8, 8)== ord('\x1f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2f9, 8)== ord('\xd5')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2fa, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2fb, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2fc, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2fd, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2fe, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2ff, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RCX == 0xfffffffffffffffe) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffe0a6) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffc2f8) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a78233) condition = Operators.AND(condition, cpu.AL == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SCASB_5_symbolic(self): ''' Instruction SCASB_5 Groups: 0x7ffff7a78233: repne scasb al, byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx') mem.mmap(0x7fffffffa000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14ab) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14a5) value = cs.new_bitvec(8) cs.add(value == 0x68) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14a6) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14a7) value = cs.new_bitvec(8) cs.add(value == 0x66) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14a8) value = cs.new_bitvec(8) cs.add(value == 0x69) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14a9) value = cs.new_bitvec(8) cs.add(value == 0x6c) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14aa) value = cs.new_bitvec(8) cs.add(value == 0x65) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ba14ac) value = cs.new_bitvec(8) cs.add(value == 0x6f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9ce) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9c8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7a78233] = '\xf2' mem[0x7ffff7a78234] = '\xae' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9c9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cc) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9ca) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7ffff7ba14a5) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0xfffffffffffffff9) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffa9c8) cpu.RIP = 0x7ffff7a78233 cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14ab, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a5, 8)== ord('h')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a6, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a7, 8)== ord('f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ca, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ce, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a8, 8)== ord('i')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14ac, 8)== ord('o')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78234, 8)== ord('\xae')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78233, 8)== ord('\xf2')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a9, 8)== ord('l')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14aa, 8)== ord('e')) condition = Operators.AND(condition, cpu.RCX == 0xfffffffffffffff8) condition = Operators.AND(condition, cpu.RDI == 0x7ffff7ba14a6) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffa9c8) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a78233) condition = Operators.AND(condition, cpu.AL == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SCASB_6_symbolic(self): ''' Instruction SCASB_6 Groups: 0x7ffff7a78233: repne scasb al, byte ptr [rdi] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555771000, 0x1000, 'rwx') mem.mmap(0x7ffff7a78000, 0x1000, 'rwx') mem.mmap(0x7fffffffa000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x555555771dc0) value = cs.new_bitvec(8) cs.add(value == 0x61) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x555555771dc1) value = cs.new_bitvec(8) cs.add(value == 0x72) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x555555771dc2) value = cs.new_bitvec(8) cs.add(value == 0x67) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x555555771dc3) value = cs.new_bitvec(8) cs.add(value == 0x31) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x555555771dc4) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x555555771dc5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x555555771dc6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x555555771dc7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9c8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9c9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9ca) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cc) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9ce) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffa9cf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7a78233] = '\xf2' mem[0x7ffff7a78234] = '\xae' cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x555555771dc0) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0xffffffffffffffff) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffa9c8) cpu.RIP = 0x7ffff7a78233 cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x555555771dc0, 8)== ord('a')) condition = Operators.AND(condition, cpu.read_int(0x555555771dc1, 8)== ord('r')) condition = Operators.AND(condition, cpu.read_int(0x555555771dc2, 8)== ord('g')) condition = Operators.AND(condition, cpu.read_int(0x555555771dc3, 8)== ord('1')) condition = Operators.AND(condition, cpu.read_int(0x555555771dc4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x555555771dc5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x555555771dc6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x555555771dc7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ca, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ce, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78233, 8)== ord('\xf2')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78234, 8)== ord('\xae')) condition = Operators.AND(condition, cpu.RCX == 0xfffffffffffffffe) condition = Operators.AND(condition, cpu.RDI == 0x555555771dc1) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffa9c8) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a78233) condition = Operators.AND(condition, cpu.AL == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETA_1_symbolic(self): ''' Instruction SETA_1 Groups: 0x5555555548c2: seta dl ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem[0x5555555548c2] = '\x0f' mem[0x5555555548c3] = '\x97' mem[0x5555555548c4] = '\xc2' cpu.DL = cs.new_bitvec(8) cs.add(cpu.DL == 0x0) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x5555555548c2 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x5555555548c2, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x5555555548c3, 8)== ord('\x97')) condition = Operators.AND(condition, cpu.read_int(0x5555555548c4, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.DL == 0x1) condition = Operators.AND(condition, cpu.RIP == 0x5555555548c5) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETBE_1_symbolic(self): ''' Instruction SETBE_1 Groups: 0x7ffff7de6207: setbe r9b ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6208] = '\x0f' mem[0x7ffff7de6209] = '\x96' mem[0x7ffff7de620a] = '\xc1' mem[0x7ffff7de6207] = 'A' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R9B = cs.new_bitvec(8) cs.add(cpu.R9B == 0x58) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6207 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6208, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6209, 8)== ord('\x96')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620a, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6207, 8)== ord('A')) condition = Operators.AND(condition, cpu.R9B == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de620b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETBE_2_symbolic(self): ''' Instruction SETBE_2 Groups: 0x7ffff7de6207: setbe r9b ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6208] = '\x0f' mem[0x7ffff7de6209] = '\x96' mem[0x7ffff7de620a] = '\xc1' mem[0x7ffff7de6207] = 'A' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R9B = cs.new_bitvec(8) cs.add(cpu.R9B == 0x58) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6207 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6208, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6209, 8)== ord('\x96')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620a, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6207, 8)== ord('A')) condition = Operators.AND(condition, cpu.R9B == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de620b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETBE_3_symbolic(self): ''' Instruction SETBE_3 Groups: 0x7ffff7de6207: setbe r9b ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6208] = '\x0f' mem[0x7ffff7de6209] = '\x96' mem[0x7ffff7de620a] = '\xc1' mem[0x7ffff7de6207] = 'A' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R9B = cs.new_bitvec(8) cs.add(cpu.R9B == 0x58) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6207 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6208, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6209, 8)== ord('\x96')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620a, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6207, 8)== ord('A')) condition = Operators.AND(condition, cpu.R9B == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de620b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETBE_4_symbolic(self): ''' Instruction SETBE_4 Groups: 0x7ffff7de6207: setbe r9b ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6208] = '\x0f' mem[0x7ffff7de6209] = '\x96' mem[0x7ffff7de620a] = '\xc1' mem[0x7ffff7de6207] = 'A' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R9B = cs.new_bitvec(8) cs.add(cpu.R9B == 0x58) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6207 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6208, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6209, 8)== ord('\x96')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620a, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6207, 8)== ord('A')) condition = Operators.AND(condition, cpu.R9B == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de620b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETBE_5_symbolic(self): ''' Instruction SETBE_5 Groups: 0x7ffff7de6207: setbe r9b ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6208] = '\x0f' mem[0x7ffff7de6209] = '\x96' mem[0x7ffff7de620a] = '\xc1' mem[0x7ffff7de6207] = 'A' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R9B = cs.new_bitvec(8) cs.add(cpu.R9B == 0x58) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6207 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6208, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6209, 8)== ord('\x96')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620a, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6207, 8)== ord('A')) condition = Operators.AND(condition, cpu.R9B == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de620b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETBE_6_symbolic(self): ''' Instruction SETBE_6 Groups: 0x7ffff7de6207: setbe r9b ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6208] = '\x0f' mem[0x7ffff7de6209] = '\x96' mem[0x7ffff7de620a] = '\xc1' mem[0x7ffff7de6207] = 'A' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R9B = cs.new_bitvec(8) cs.add(cpu.R9B == 0x58) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6207 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6208, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6209, 8)== ord('\x96')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620a, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6207, 8)== ord('A')) condition = Operators.AND(condition, cpu.R9B == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de620b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETB_1_symbolic(self): ''' Instruction SETB_1 Groups: 0x4342ea: setb al ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x4342ea] = '\x0f' mem[0x4342eb] = '\x92' mem[0x4342ec] = '\xc0' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x4342ea cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0xc0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4342ea, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4342eb, 8)== ord('\x92')) condition = Operators.AND(condition, cpu.read_int(0x4342ec, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.AL == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4342ed) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETB_2_symbolic(self): ''' Instruction SETB_2 Groups: 0x43426a: setb al ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x43426a] = '\x0f' mem[0x43426b] = '\x92' mem[0x43426c] = '\xc0' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x43426a cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0xc0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x43426a, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x43426b, 8)== ord('\x92')) condition = Operators.AND(condition, cpu.read_int(0x43426c, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.AL == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x43426d) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETB_3_symbolic(self): ''' Instruction SETB_3 Groups: 0x4346ca: setb al ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x4346ca] = '\x0f' mem[0x4346cb] = '\x92' mem[0x4346cc] = '\xc0' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x4346ca cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0xc0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4346ca, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4346cb, 8)== ord('\x92')) condition = Operators.AND(condition, cpu.read_int(0x4346cc, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.AL == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4346cd) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETB_4_symbolic(self): ''' Instruction SETB_4 Groups: 0x4342ea: setb al ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x4342ea] = '\x0f' mem[0x4342eb] = '\x92' mem[0x4342ec] = '\xc0' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x4342ea cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0xc0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4342ea, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4342eb, 8)== ord('\x92')) condition = Operators.AND(condition, cpu.read_int(0x4342ec, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.AL == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4342ed) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETB_5_symbolic(self): ''' Instruction SETB_5 Groups: 0x4342ea: setb al ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x4342ea] = '\x0f' mem[0x4342eb] = '\x92' mem[0x4342ec] = '\xc0' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x4342ea cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4342ea, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4342eb, 8)== ord('\x92')) condition = Operators.AND(condition, cpu.read_int(0x4342ec, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.AL == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4342ed) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETB_6_symbolic(self): ''' Instruction SETB_6 Groups: 0x43430a: setb al ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x43430a] = '\x0f' mem[0x43430b] = '\x92' mem[0x43430c] = '\xc0' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x43430a cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0xc0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x43430a, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x43430b, 8)== ord('\x92')) condition = Operators.AND(condition, cpu.read_int(0x43430c, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.AL == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x43430d) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETE_1_symbolic(self): ''' Instruction SETE_1 Groups: 0x7ffff7de36a2: sete r10b ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de36a2] = 'A' mem[0x7ffff7de36a3] = '\x0f' mem[0x7ffff7de36a4] = '\x94' mem[0x7ffff7de36a5] = '\xc2' cpu.R10B = cs.new_bitvec(8) cs.add(cpu.R10B == 0x0) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RIP = 0x7ffff7de36a2 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36a2, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36a3, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36a4, 8)== ord('\x94')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36a5, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.R10B == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de36a6) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETE_2_symbolic(self): ''' Instruction SETE_2 Groups: 0x7ffff7de620f: sete al ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6210] = '\x94' mem[0x7ffff7de6211] = '\xc0' mem[0x7ffff7de620f] = '\x0f' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0xf5) cpu.RIP = 0x7ffff7de620f done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6210, 8)== ord('\x94')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6211, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620f, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.AL == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6212) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETE_3_symbolic(self): ''' Instruction SETE_3 Groups: 0x7ffff7de6229: sete al ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6229] = '\x0f' mem[0x7ffff7de622a] = '\x94' mem[0x7ffff7de622b] = '\xc0' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0x0) cpu.RIP = 0x7ffff7de6229 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6229, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de622a, 8)== ord('\x94')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de622b, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.AL == 0x1) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de622c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETE_4_symbolic(self): ''' Instruction SETE_4 Groups: 0x7ffff7de6229: sete al ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6229] = '\x0f' mem[0x7ffff7de622a] = '\x94' mem[0x7ffff7de622b] = '\xc0' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0x0) cpu.RIP = 0x7ffff7de6229 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6229, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de622a, 8)== ord('\x94')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de622b, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.AL == 0x1) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de622c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETE_5_symbolic(self): ''' Instruction SETE_5 Groups: 0x432458: sete r9b ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432458] = 'A' mem[0x432459] = '\x0f' mem[0x43245a] = '\x94' mem[0x43245b] = '\xc1' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R9B = cs.new_bitvec(8) cs.add(cpu.R9B == 0x30) cpu.RIP = 0x432458 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432458, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x432459, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x43245a, 8)== ord('\x94')) condition = Operators.AND(condition, cpu.read_int(0x43245b, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.R9B == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x43245c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETE_6_symbolic(self): ''' Instruction SETE_6 Groups: 0x7ffff7de620f: sete al ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6210] = '\x94' mem[0x7ffff7de6211] = '\xc0' mem[0x7ffff7de620f] = '\x0f' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0xf5) cpu.RIP = 0x7ffff7de620f done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6210, 8)== ord('\x94')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6211, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620f, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.AL == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6212) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETG_1_symbolic(self): ''' Instruction SETG_1 Groups: 0x555555567df4: setg r9b ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555567000, 0x1000, 'rwx') mem[0x555555567df4] = 'A' mem[0x555555567df5] = '\x0f' mem[0x555555567df6] = '\x9f' mem[0x555555567df7] = '\xc1' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R9B = cs.new_bitvec(8) cs.add(cpu.R9B == 0x0) cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x555555567df4 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x555555567df4, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x555555567df5, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x555555567df6, 8)== ord('\x9f')) condition = Operators.AND(condition, cpu.read_int(0x555555567df7, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.R9B == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x555555567df8) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETG_2_symbolic(self): ''' Instruction SETG_2 Groups: 0x555555567df4: setg r9b ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555567000, 0x1000, 'rwx') mem[0x555555567df4] = 'A' mem[0x555555567df5] = '\x0f' mem[0x555555567df6] = '\x9f' mem[0x555555567df7] = '\xc1' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R9B = cs.new_bitvec(8) cs.add(cpu.R9B == 0x0) cpu.SF = cs.new_bool() cs.add(cpu.SF == True) cpu.RIP = 0x555555567df4 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x555555567df4, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x555555567df5, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x555555567df6, 8)== ord('\x9f')) condition = Operators.AND(condition, cpu.read_int(0x555555567df7, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.R9B == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x555555567df8) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETLE_1_symbolic(self): ''' Instruction SETLE_1 Groups: 0x448ae0: setle dl ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00448000, 0x1000, 'rwx') mem[0x448ae0] = '\x0f' mem[0x448ae1] = '\x9e' mem[0x448ae2] = '\xc2' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x448ae0 cpu.DL = cs.new_bitvec(8) cs.add(cpu.DL == 0x1) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x448ae0, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x448ae1, 8)== ord('\x9e')) condition = Operators.AND(condition, cpu.read_int(0x448ae2, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.DL == 0x1) condition = Operators.AND(condition, cpu.RIP == 0x448ae3) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETLE_2_symbolic(self): ''' Instruction SETLE_2 Groups: 0x448ae0: setle dl ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00448000, 0x1000, 'rwx') mem[0x448ae0] = '\x0f' mem[0x448ae1] = '\x9e' mem[0x448ae2] = '\xc2' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RIP = 0x448ae0 cpu.DL = cs.new_bitvec(8) cs.add(cpu.DL == 0x1) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x448ae0, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x448ae1, 8)== ord('\x9e')) condition = Operators.AND(condition, cpu.read_int(0x448ae2, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.DL == 0x1) condition = Operators.AND(condition, cpu.RIP == 0x448ae3) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETNE_1_symbolic(self): ''' Instruction SETNE_1 Groups: 0x410ee5: setne cl ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00410000, 0x1000, 'rwx') mem[0x410ee5] = '\x0f' mem[0x410ee6] = '\x95' mem[0x410ee7] = '\xc1' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RIP = 0x410ee5 cpu.CL = cs.new_bitvec(8) cs.add(cpu.CL == 0x6) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x410ee5, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x410ee6, 8)== ord('\x95')) condition = Operators.AND(condition, cpu.read_int(0x410ee7, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.RIP == 0x410ee8) condition = Operators.AND(condition, cpu.CL == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETNE_2_symbolic(self): ''' Instruction SETNE_2 Groups: 0x436d20: setne dl ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00436000, 0x1000, 'rwx') mem[0x436d20] = '\x0f' mem[0x436d21] = '\x95' mem[0x436d22] = '\xc2' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.DL = cs.new_bitvec(8) cs.add(cpu.DL == 0x0) cpu.RIP = 0x436d20 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x436d20, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x436d21, 8)== ord('\x95')) condition = Operators.AND(condition, cpu.read_int(0x436d22, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.DL == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x436d23) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETNE_3_symbolic(self): ''' Instruction SETNE_3 Groups: 0x410f05: setne cl ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00410000, 0x1000, 'rwx') mem[0x410f05] = '\x0f' mem[0x410f06] = '\x95' mem[0x410f07] = '\xc1' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RIP = 0x410f05 cpu.CL = cs.new_bitvec(8) cs.add(cpu.CL == 0x6) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x410f05, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x410f06, 8)== ord('\x95')) condition = Operators.AND(condition, cpu.read_int(0x410f07, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.RIP == 0x410f08) condition = Operators.AND(condition, cpu.CL == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETNE_4_symbolic(self): ''' Instruction SETNE_4 Groups: 0x436f20: setne dl ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00436000, 0x1000, 'rwx') mem[0x436f20] = '\x0f' mem[0x436f21] = '\x95' mem[0x436f22] = '\xc2' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.DL = cs.new_bitvec(8) cs.add(cpu.DL == 0x0) cpu.RIP = 0x436f20 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x436f20, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x436f21, 8)== ord('\x95')) condition = Operators.AND(condition, cpu.read_int(0x436f22, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.DL == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x436f23) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETNE_5_symbolic(self): ''' Instruction SETNE_5 Groups: 0x4120f9: setne cl ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00412000, 0x1000, 'rwx') mem[0x4120f9] = '\x0f' mem[0x4120fa] = '\x95' mem[0x4120fb] = '\xc1' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RIP = 0x4120f9 cpu.CL = cs.new_bitvec(8) cs.add(cpu.CL == 0x40) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4120f9, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x4120fa, 8)== ord('\x95')) condition = Operators.AND(condition, cpu.read_int(0x4120fb, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.RIP == 0x4120fc) condition = Operators.AND(condition, cpu.CL == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SETNE_6_symbolic(self): ''' Instruction SETNE_6 Groups: 0x7ffff7de5de4: setne al ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem[0x7ffff7de5de4] = '\x0f' mem[0x7ffff7de5de5] = '\x95' mem[0x7ffff7de5de6] = '\xc0' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0x0) cpu.RIP = 0x7ffff7de5de4 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5de4, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5de5, 8)== ord('\x95')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5de6, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.AL == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de5de7) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHLX_1_symbolic(self): ''' Instruction SHLX_1 Groups: bmi2 0x55555556594d: shlx rax, qword ptr [r14 + 0x50], rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555565000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc800) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc801) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc802) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc803) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc804) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc805) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc806) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc807) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x55555556594d] = '\xc4' mem[0x55555556594e] = '\xc2' mem[0x55555556594f] = '\xf9' mem[0x555555565950] = '\xf7' mem[0x555555565951] = 'F' mem[0x555555565952] = 'P' cpu.R14 = cs.new_bitvec(64) cs.add(cpu.R14 == 0x7fffffffc7b0) cpu.RIP = 0x55555556594d cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x5) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffc800, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc801, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc802, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc803, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc804, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc805, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc806, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc807, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555556594d, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.read_int(0x55555556594e, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.read_int(0x55555556594f, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x555555565950, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x555555565951, 8)== ord('F')) condition = Operators.AND(condition, cpu.read_int(0x555555565952, 8)== ord('P')) condition = Operators.AND(condition, cpu.R14 == 0x7fffffffc7b0) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x555555565953) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHLX_2_symbolic(self): ''' Instruction SHLX_2 Groups: bmi2 0x55555556544a: shlx rax, rdx, rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555565000, 0x1000, 'rwx') mem[0x55555556544a] = '\xc4' mem[0x55555556544b] = '\xe2' mem[0x55555556544c] = '\xf9' mem[0x55555556544d] = '\xf7' mem[0x55555556544e] = '\xc2' cpu.RIP = 0x55555556544a cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x8) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x1) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x55555556544a, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.read_int(0x55555556544b, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.read_int(0x55555556544c, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x55555556544d, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x55555556544e, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.RAX == 0x100) condition = Operators.AND(condition, cpu.RIP == 0x55555556544f) condition = Operators.AND(condition, cpu.RDX == 0x1) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHLX_3_symbolic(self): ''' Instruction SHLX_3 Groups: bmi2 0x55555556544a: shlx rax, rdx, rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555565000, 0x1000, 'rwx') mem[0x55555556544a] = '\xc4' mem[0x55555556544b] = '\xe2' mem[0x55555556544c] = '\xf9' mem[0x55555556544d] = '\xf7' mem[0x55555556544e] = '\xc2' cpu.RIP = 0x55555556544a cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x8) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x1) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x55555556544a, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.read_int(0x55555556544b, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.read_int(0x55555556544c, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x55555556544d, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x55555556544e, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.RAX == 0x100) condition = Operators.AND(condition, cpu.RIP == 0x55555556544f) condition = Operators.AND(condition, cpu.RDX == 0x1) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHLX_4_symbolic(self): ''' Instruction SHLX_4 Groups: bmi2 0x55555556594d: shlx rax, qword ptr [r14 + 0x50], rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555565000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc800) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc801) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc802) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc803) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc804) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc805) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc806) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffc807) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x55555556594d] = '\xc4' mem[0x55555556594e] = '\xc2' mem[0x55555556594f] = '\xf9' mem[0x555555565950] = '\xf7' mem[0x555555565951] = 'F' mem[0x555555565952] = 'P' cpu.R14 = cs.new_bitvec(64) cs.add(cpu.R14 == 0x7fffffffc7b0) cpu.RIP = 0x55555556594d cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x5) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffc800, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc801, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc802, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc803, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc804, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc805, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc806, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffc807, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x55555556594d, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.read_int(0x55555556594e, 8)== ord('\xc2')) condition = Operators.AND(condition, cpu.read_int(0x55555556594f, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x555555565950, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x555555565951, 8)== ord('F')) condition = Operators.AND(condition, cpu.read_int(0x555555565952, 8)== ord('P')) condition = Operators.AND(condition, cpu.R14 == 0x7fffffffc7b0) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x555555565953) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHL_1_symbolic(self): ''' Instruction SHL_1 Groups: 0x7ffff7de438f: shl rsi, 5 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4390] = '\xc1' mem[0x7ffff7de4391] = '\xe6' mem[0x7ffff7de4392] = '\x05' mem[0x7ffff7de438f] = 'H' cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x597904) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de438f cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4390, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4391, 8)== ord('\xe6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4392, 8)== ord('\x05')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438f, 8)== ord('H')) condition = Operators.AND(condition, cpu.RSI == 0xb2f2080) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4393) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHL_2_symbolic(self): ''' Instruction SHL_2 Groups: 0x7ffff7de438f: shl rsi, 5 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4390] = '\xc1' mem[0x7ffff7de4391] = '\xe6' mem[0x7ffff7de4392] = '\x05' mem[0x7ffff7de438f] = 'H' cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7144b72823ea49e0) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de438f cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4390, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4391, 8)== ord('\xe6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4392, 8)== ord('\x05')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438f, 8)== ord('H')) condition = Operators.AND(condition, cpu.RSI == 0x2896e5047d493c00) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4393) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHL_3_symbolic(self): ''' Instruction SHL_3 Groups: 0x7ffff7de438f: shl rsi, 5 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4390] = '\xc1' mem[0x7ffff7de4391] = '\xe6' mem[0x7ffff7de4392] = '\x05' mem[0x7ffff7de438f] = 'H' cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0xcc5c406168309853) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de438f cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4390, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4391, 8)== ord('\xe6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4392, 8)== ord('\x05')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438f, 8)== ord('H')) condition = Operators.AND(condition, cpu.RSI == 0x8b880c2d06130a60) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4393) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == True) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHL_4_symbolic(self): ''' Instruction SHL_4 Groups: 0x7ffff7de438f: shl rsi, 5 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4390] = '\xc1' mem[0x7ffff7de4391] = '\xe6' mem[0x7ffff7de4392] = '\x05' mem[0x7ffff7de438f] = 'H' cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x726f9570cfb9645b) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de438f cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4390, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4391, 8)== ord('\xe6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4392, 8)== ord('\x05')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438f, 8)== ord('H')) condition = Operators.AND(condition, cpu.RSI == 0x4df2ae19f72c8b60) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4393) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHL_5_symbolic(self): ''' Instruction SHL_5 Groups: 0x7ffff7de438f: shl rsi, 5 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4390] = '\xc1' mem[0x7ffff7de4391] = '\xe6' mem[0x7ffff7de4392] = '\x05' mem[0x7ffff7de438f] = 'H' cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x2b60c) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de438f cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4390, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4391, 8)== ord('\xe6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4392, 8)== ord('\x05')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438f, 8)== ord('H')) condition = Operators.AND(condition, cpu.RSI == 0x56c180) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4393) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHL_6_symbolic(self): ''' Instruction SHL_6 Groups: 0x7ffff7de438f: shl rsi, 5 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4390] = '\xc1' mem[0x7ffff7de4391] = '\xe6' mem[0x7ffff7de4392] = '\x05' mem[0x7ffff7de438f] = 'H' cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x377beb912d8eae5) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de438f cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4390, 8)== ord('\xc1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4391, 8)== ord('\xe6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4392, 8)== ord('\x05')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438f, 8)== ord('H')) condition = Operators.AND(condition, cpu.RSI == 0x6ef7d7225b1d5ca0) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4393) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHR_1_symbolic(self): ''' Instruction SHR_1 Groups: 0x7ffff7de405d: shr rdx, 1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de405d] = 'H' mem[0x7ffff7de405e] = '\xd1' mem[0x7ffff7de405f] = '\xea' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x144a5ad4) cpu.RIP = 0x7ffff7de405d cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de405d, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de405e, 8)== ord('\xd1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de405f, 8)== ord('\xea')) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4060) condition = Operators.AND(condition, cpu.RDX == 0xa252d6a) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHR_2_symbolic(self): ''' Instruction SHR_2 Groups: 0x7ffff7de391d: shr rsi, cl ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de391d] = 'H' mem[0x7ffff7de391e] = '\xd3' mem[0x7ffff7de391f] = '\xee' cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x20ce23f6) cpu.CL = cs.new_bitvec(8) cs.add(cpu.CL == 0x6) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de391d cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de391d, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de391e, 8)== ord('\xd3')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de391f, 8)== ord('\xee')) condition = Operators.AND(condition, cpu.RSI == 0x83388f) condition = Operators.AND(condition, cpu.CL == 0x6) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3920) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHR_3_symbolic(self): ''' Instruction SHR_3 Groups: 0x7ffff7de3926: shr rsi, cl ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3928] = '\xee' mem[0x7ffff7de3926] = 'H' mem[0x7ffff7de3927] = '\xd3' cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x800000001204088) cpu.CL = cs.new_bitvec(8) cs.add(cpu.CL == 0xda) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de3926 cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3928, 8)== ord('\xee')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3926, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3927, 8)== ord('\xd3')) condition = Operators.AND(condition, cpu.RSI == 0x200000000) condition = Operators.AND(condition, cpu.CL == 0xda) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3929) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHR_4_symbolic(self): ''' Instruction SHR_4 Groups: 0x7ffff7de61d2: shr al, 4 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de61d2] = '\xc0' mem[0x7ffff7de61d3] = '\xe8' mem[0x7ffff7de61d4] = '\x04' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0x22) cpu.RIP = 0x7ffff7de61d2 cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61d2, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61d3, 8)== ord('\xe8')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61d4, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de61d5) condition = Operators.AND(condition, cpu.AL == 0x2) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHR_5_symbolic(self): ''' Instruction SHR_5 Groups: 0x7ffff7de391d: shr rsi, cl ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de391d] = 'H' mem[0x7ffff7de391e] = '\xd3' mem[0x7ffff7de391f] = '\xee' cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7c967e3f) cpu.CL = cs.new_bitvec(8) cs.add(cpu.CL == 0xe) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de391d cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de391d, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de391e, 8)== ord('\xd3')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de391f, 8)== ord('\xee')) condition = Operators.AND(condition, cpu.RSI == 0x1f259) condition = Operators.AND(condition, cpu.CL == 0xe) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3920) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SHR_6_symbolic(self): ''' Instruction SHR_6 Groups: 0x4322bd: shr rax, 1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x4322bd] = 'H' mem[0x4322be] = '\xd1' mem[0x4322bf] = '\xe8' cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x4322bd cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x1) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4322bd, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x4322be, 8)== ord('\xd1')) condition = Operators.AND(condition, cpu.read_int(0x4322bf, 8)== ord('\xe8')) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x4322c0) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.RAX == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STC_1_symbolic(self): ''' Instruction STC_1 Groups: 0x5667fa: stc ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00566000, 0x1000, 'rwx') mem[0x5667fa] = '\xf9' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x5667fa done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x5667fa, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x5667fb) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STC_2_symbolic(self): ''' Instruction STC_2 Groups: 0x42a889: stc ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0042a000, 0x1000, 'rwx') mem[0x42a889] = '\xf9' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x42a889 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x42a889, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x42a88a) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STC_3_symbolic(self): ''' Instruction STC_3 Groups: 0x60b5d5: stc ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0060b000, 0x1000, 'rwx') mem[0x60b5d5] = '\xf9' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x60b5d5 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x60b5d5, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x60b5d6) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STC_4_symbolic(self): ''' Instruction STC_4 Groups: 0x52da4d: stc ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0052d000, 0x1000, 'rwx') mem[0x52da4d] = '\xf9' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x52da4d done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x52da4d, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x52da4e) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STC_5_symbolic(self): ''' Instruction STC_5 Groups: 0x56ba0e: stc ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0056b000, 0x1000, 'rwx') mem[0x56ba0e] = '\xf9' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x56ba0e done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x56ba0e, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x56ba0f) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STC_6_symbolic(self): ''' Instruction STC_6 Groups: 0x61a7d6: stc ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0061a000, 0x1000, 'rwx') mem[0x61a7d6] = '\xf9' cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x61a7d6 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x61a7d6, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.CF == True) condition = Operators.AND(condition, cpu.RIP == 0x61a7d7) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STOSD_1_symbolic(self): ''' Instruction STOSD_1 Groups: 0x5555555547c2: rep stosd dword ptr [rdi], eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x5555555547c2] = '\xf3' mem[0x5555555547c3] = '\xab' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda88) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda89) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb70) value = cs.new_bitvec(8) cs.add(value == 0xa0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb71) value = cs.new_bitvec(8) cs.add(value == 0xdb) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb72) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb73) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb74) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb75) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb76) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb77) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffdb70) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x6) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffda88) cpu.RIP = 0x5555555547c2 cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x5555555547c2, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x5555555547c3, 8)== ord('\xab')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda89, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb70, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb71, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb72, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb73, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb74, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb75, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb76, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb77, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RCX == 0x5) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdb74) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda88) condition = Operators.AND(condition, cpu.RIP == 0x5555555547c2) condition = Operators.AND(condition, cpu.EAX == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STOSD_2_symbolic(self): ''' Instruction STOSD_2 Groups: 0x5555555547c2: rep stosd dword ptr [rdi], eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb20) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb21) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x5555555547c2] = '\xf3' mem[0x5555555547c3] = '\xab' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda88) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda89) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb22) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb23) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb1c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb1d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb1e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb1f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffdb1c) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x1b) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffda88) cpu.RIP = 0x5555555547c2 cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb20, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb21, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x5555555547c2, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x5555555547c3, 8)== ord('\xab')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda89, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb23, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb22, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb1c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb1d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb1e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb1f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RCX == 0x1a) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdb20) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda88) condition = Operators.AND(condition, cpu.RIP == 0x5555555547c2) condition = Operators.AND(condition, cpu.EAX == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STOSD_3_symbolic(self): ''' Instruction STOSD_3 Groups: 0x5555555547c2: rep stosd dword ptr [rdi], eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaa0) value = cs.new_bitvec(8) cs.add(value == 0x26) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaa1) value = cs.new_bitvec(8) cs.add(value == 0xb0) mem[addr] = value mem[0x5555555547c2] = '\xf3' mem[0x5555555547c3] = '\xab' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda88) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda89) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaa2) value = cs.new_bitvec(8) cs.add(value == 0x62) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaa3) value = cs.new_bitvec(8) cs.add(value == 0x65) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda9c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda9d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda9e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda9f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffda9c) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x3b) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffda88) cpu.RIP = 0x5555555547c2 cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa0, 8)== ord('&')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa1, 8)== ord('\xb0')) condition = Operators.AND(condition, cpu.read_int(0x5555555547c2, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x5555555547c3, 8)== ord('\xab')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda89, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa3, 8)== ord('e')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa2, 8)== ord('b')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RCX == 0x3a) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdaa0) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda88) condition = Operators.AND(condition, cpu.RIP == 0x5555555547c2) condition = Operators.AND(condition, cpu.EAX == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STOSD_4_symbolic(self): ''' Instruction STOSD_4 Groups: 0x5555555547c2: rep stosd dword ptr [rdi], eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x5555555547c2] = '\xf3' mem[0x5555555547c3] = '\xab' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaec) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda88) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda89) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaee) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaed) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaef) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffdaec) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x27) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffda88) cpu.RIP = 0x5555555547c2 cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x5555555547c2, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x5555555547c3, 8)== ord('\xab')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaec, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaed, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda89, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaee, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaef, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RCX == 0x26) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdaf0) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda88) condition = Operators.AND(condition, cpu.RIP == 0x5555555547c2) condition = Operators.AND(condition, cpu.EAX == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STOSD_5_symbolic(self): ''' Instruction STOSD_5 Groups: 0x5555555547c2: rep stosd dword ptr [rdi], eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb80) value = cs.new_bitvec(8) cs.add(value == 0x50) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb81) value = cs.new_bitvec(8) cs.add(value == 0x49) mem[addr] = value mem[0x5555555547c2] = '\xf3' mem[0x5555555547c3] = '\xab' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda88) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda89) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb82) value = cs.new_bitvec(8) cs.add(value == 0x55) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb83) value = cs.new_bitvec(8) cs.add(value == 0x55) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb7c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb7d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb7e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdb7f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffdb7c) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x3) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffda88) cpu.RIP = 0x5555555547c2 cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb80, 8)== ord('P')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb81, 8)== ord('I')) condition = Operators.AND(condition, cpu.read_int(0x5555555547c2, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x5555555547c3, 8)== ord('\xab')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda89, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb82, 8)== ord('U')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb83, 8)== ord('U')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb7c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb7d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb7e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb7f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RCX == 0x2) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdb80) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda88) condition = Operators.AND(condition, cpu.RIP == 0x5555555547c2) condition = Operators.AND(condition, cpu.EAX == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STOSD_6_symbolic(self): ''' Instruction STOSD_6 Groups: 0x5555555547c2: rep stosd dword ptr [rdi], eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x5555555547c2] = '\xf3' mem[0x5555555547c3] = '\xab' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda88) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda89) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf4) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdaf7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffdaf0) cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x26) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffda88) cpu.RIP = 0x5555555547c2 cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x5555555547c2, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x5555555547c3, 8)== ord('\xab')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda89, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RCX == 0x25) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdaf4) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda88) condition = Operators.AND(condition, cpu.RIP == 0x5555555547c2) condition = Operators.AND(condition, cpu.EAX == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STOSQ_1_symbolic(self): ''' Instruction STOSQ_1 Groups: 0x7ffff7ded09b: rep stosq qword ptr [rdi], rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ded000, 0x1000, 'rwx') mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7700) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7701) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7702) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7703) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7704) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7705) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7706) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7707) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7ded09c] = 'H' mem[0x7ffff7ded09d] = '\xab' mem[0x7ffff7ded09b] = '\xf3' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7f38) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7f39) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7f3a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7f3b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7f3c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7f3d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7f3e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7f3f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7ffff7fd7f38) cpu.RIP = 0x7ffff7ded09b cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x19) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7ffff7fd7700) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7700, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7701, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7702, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7703, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7704, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7705, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7706, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7707, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f3b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f3c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f3d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f38, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f39, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f3a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09b, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09c, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09d, 8)== ord('\xab')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f3e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f3f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RCX == 0x18) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.RDI == 0x7ffff7fd7f40) condition = Operators.AND(condition, cpu.RSI == 0x7ffff7fd7700) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ded09b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STOSQ_2_symbolic(self): ''' Instruction STOSQ_2 Groups: 0x7ffff7ded09b: rep stosq qword ptr [rdi], rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ded000, 0x1000, 'rwx') mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7700) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7701) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7702) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7703) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7704) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7705) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7706) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7707) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7ded09c] = 'H' mem[0x7ffff7ded09d] = '\xab' mem[0x7ffff7ded09b] = '\xf3' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7cb8) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7cb9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7cba) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7cbb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7cbc) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7cbd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7cbe) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7cbf) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7ffff7fd7cb8) cpu.RIP = 0x7ffff7ded09b cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x69) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7ffff7fd7700) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7700, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7701, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7702, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7703, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7704, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7705, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7706, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7707, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cbc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cbd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cbb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cb8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cb9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cba, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09b, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09c, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09d, 8)== ord('\xab')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cbe, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cbf, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RCX == 0x68) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.RDI == 0x7ffff7fd7cc0) condition = Operators.AND(condition, cpu.RSI == 0x7ffff7fd7700) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ded09b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STOSQ_3_symbolic(self): ''' Instruction STOSQ_3 Groups: 0x7ffff7de5ebf: rep stosq qword ptr [rdi], rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de5000, 0x1000, 'rwx') mem.mmap(0x7ffff7ffe000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x7ffff7de5ec0] = 'H' mem[0x7ffff7de5ec1] = '\xab' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe4a2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe4a3) value = cs.new_bitvec(8) cs.add(value == 0xf7) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe4a4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe4a5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe4a6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe4a1) value = cs.new_bitvec(8) cs.add(value == 0xe4) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda88) value = cs.new_bitvec(8) cs.add(value == 0x90) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda89) value = cs.new_bitvec(8) cs.add(value == 0x78) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8a) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8b) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8c) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8d) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda8f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe4a0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7ffe4a7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7de5ebf] = '\xf3' cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffda88) cpu.RIP = 0x7ffff7de5ebf cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x7) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7ffff7ffe4a0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5ec0, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5ec1, 8)== ord('\xab')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a3, 8)== ord('\xf7')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a1, 8)== ord('\xe4')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda89, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8b, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8c, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8d, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5ebf, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.RCX == 0x6) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffda90) condition = Operators.AND(condition, cpu.RSI == 0x7ffff7ffe4a0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de5ebf) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STOSQ_4_symbolic(self): ''' Instruction STOSQ_4 Groups: 0x7ffff7ded09b: rep stosq qword ptr [rdi], rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ded000, 0x1000, 'rwx') mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7700) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7701) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7702) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7703) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7704) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7705) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7706) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7707) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7730) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7731) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7732) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7733) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7734) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7735) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7736) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7737) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7ded09b] = '\xf3' mem[0x7ffff7ded09c] = 'H' mem[0x7ffff7ded09d] = '\xab' cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7ffff7fd7730) cpu.RIP = 0x7ffff7ded09b cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x11a) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7ffff7fd7700) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7700, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7701, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7702, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7703, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7704, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7705, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7706, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7707, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7730, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7731, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7732, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7733, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7734, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7735, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7736, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7737, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09b, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09c, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09d, 8)== ord('\xab')) condition = Operators.AND(condition, cpu.RCX == 0x119) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.RDI == 0x7ffff7fd7738) condition = Operators.AND(condition, cpu.RSI == 0x7ffff7fd7700) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ded09b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STOSQ_5_symbolic(self): ''' Instruction STOSQ_5 Groups: 0x555555554895: rep stosq qword ptr [rdi], rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x555555554000, 0x1000, 'rwx') mem.mmap(0x7fffffffd000, 0x1000, 'rwx') mem[0x555555554896] = 'H' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda95) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x555555554897] = '\xab' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda90) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda91) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda92) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda93) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda94) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x555555554895] = '\xf3' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda96) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffda97) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdc98) value = cs.new_bitvec(8) cs.add(value == 0x1d) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdc99) value = cs.new_bitvec(8) cs.add(value == 0xe0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdc9a) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdc9b) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdc9c) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdc9d) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdc9e) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffdc9f) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7fffffffda90) cpu.RIP = 0x555555554895 cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x1e) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7fffffffdc98) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffda96, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda95, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda97, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda90, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda91, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda92, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda93, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffda94, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x555555554895, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x555555554896, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x555555554897, 8)== ord('\xab')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc98, 8)== ord('\x1d')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc99, 8)== ord('\xe0')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc9a, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc9b, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc9c, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc9d, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc9e, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc9f, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.RCX == 0x1d) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.RDI == 0x7fffffffda98) condition = Operators.AND(condition, cpu.RSI == 0x7fffffffdc98) condition = Operators.AND(condition, cpu.RIP == 0x555555554895) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_STOSQ_6_symbolic(self): ''' Instruction STOSQ_6 Groups: 0x7ffff7ded09b: rep stosq qword ptr [rdi], rax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ded000, 0x1000, 'rwx') mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7700) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7701) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7702) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7703) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7704) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7705) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7706) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7707) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7ef0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7ef1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7ef2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7ef3) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7ef4) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7ef5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7ef6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7fd7ef7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x7ffff7ded09b] = '\xf3' mem[0x7ffff7ded09c] = 'H' mem[0x7ffff7ded09d] = '\xab' cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7ffff7fd7ef0) cpu.RIP = 0x7ffff7ded09b cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x22) cpu.RSI = cs.new_bitvec(64) cs.add(cpu.RSI == 0x7ffff7fd7700) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7700, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7701, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7702, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7703, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7704, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7705, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7706, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7707, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef4, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09b, 8)== ord('\xf3')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09c, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09d, 8)== ord('\xab')) condition = Operators.AND(condition, cpu.RCX == 0x21) condition = Operators.AND(condition, cpu.RAX == 0x0) condition = Operators.AND(condition, cpu.RDI == 0x7ffff7fd7ef8) condition = Operators.AND(condition, cpu.RSI == 0x7ffff7fd7700) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ded09b) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SUB_1_symbolic(self): ''' Instruction SUB_1 Groups: 0x4326c3: sub rsp, 0x1020 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x4326c3] = 'H' mem[0x4326c4] = '\x81' mem[0x4326c5] = '\xec' mem[0x4326c6] = ' ' mem[0x4326c7] = '\x10' mem[0x4326c8] = '\x00' mem[0x4326c9] = '\x00' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffdab0) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x4326c3 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4326c3, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x4326c4, 8)== ord('\x81')) condition = Operators.AND(condition, cpu.read_int(0x4326c5, 8)== ord('\xec')) condition = Operators.AND(condition, cpu.read_int(0x4326c6, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x4326c7, 8)== ord('\x10')) condition = Operators.AND(condition, cpu.read_int(0x4326c8, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x4326c9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffca90) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x4326ca) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SUB_2_symbolic(self): ''' Instruction SUB_2 Groups: 0x40b6dd: sub rsp, 0x1028 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0040b000, 0x1000, 'rwx') mem[0x40b6e0] = '(' mem[0x40b6e1] = '\x10' mem[0x40b6e2] = '\x00' mem[0x40b6e3] = '\x00' mem[0x40b6dd] = 'H' mem[0x40b6de] = '\x81' mem[0x40b6df] = '\xec' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffda18) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x40b6dd cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x40b6e0, 8)== ord('(')) condition = Operators.AND(condition, cpu.read_int(0x40b6e1, 8)== ord('\x10')) condition = Operators.AND(condition, cpu.read_int(0x40b6e2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x40b6e3, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x40b6dd, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x40b6de, 8)== ord('\x81')) condition = Operators.AND(condition, cpu.read_int(0x40b6df, 8)== ord('\xec')) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffc9f0) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x40b6e4) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SUB_3_symbolic(self): ''' Instruction SUB_3 Groups: 0x7ffff7de406d: sub rsp, 8 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de4070] = '\x08' mem[0x7ffff7de406d] = 'H' mem[0x7ffff7de406e] = '\x83' mem[0x7ffff7de406f] = '\xec' cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.AF = cs.new_bool() cs.add(cpu.AF == True) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd840) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de406d cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4070, 8)== ord('\x08')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de406d, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de406e, 8)== ord('\x83')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de406f, 8)== ord('\xec')) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.AF == True) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd838) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4071) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SUB_4_symbolic(self): ''' Instruction SUB_4 Groups: 0x7ffff7decc04: sub rsp, 0x1020 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7dec000, 0x1000, 'rwx') mem[0x7ffff7decc04] = 'H' mem[0x7ffff7decc05] = '\x81' mem[0x7ffff7decc06] = '\xec' mem[0x7ffff7decc07] = ' ' mem[0x7ffff7decc08] = '\x10' mem[0x7ffff7decc09] = '\x00' mem[0x7ffff7decc0a] = '\x00' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd0c0) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7decc04 cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7decc04, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7decc05, 8)== ord('\x81')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7decc06, 8)== ord('\xec')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7decc07, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7decc08, 8)== ord('\x10')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7decc09, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7decc0a, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffc0a0) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7decc0b) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SUB_5_symbolic(self): ''' Instruction SUB_5 Groups: 0x7ffff7de060d: sub rsp, 0x1020 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de0000, 0x1000, 'rwx') mem[0x7ffff7de060d] = 'H' mem[0x7ffff7de060e] = '\x81' mem[0x7ffff7de060f] = '\xec' mem[0x7ffff7de0610] = ' ' mem[0x7ffff7de0611] = '\x10' mem[0x7ffff7de0612] = '\x00' mem[0x7ffff7de0613] = '\x00' cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.AF = cs.new_bool() cs.add(cpu.AF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd2e0) cpu.CF = cs.new_bool() cs.add(cpu.CF == True) cpu.RIP = 0x7ffff7de060d cpu.SF = cs.new_bool() cs.add(cpu.SF == True) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de060d, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de060e, 8)== ord('\x81')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de060f, 8)== ord('\xec')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0610, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0611, 8)== ord('\x10')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0612, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0613, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffc2c0) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de0614) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_SUB_6_symbolic(self): ''' Instruction SUB_6 Groups: 0x7ffff7deb22d: sub rsp, 0x1078 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7deb000, 0x1000, 'rwx') mem[0x7ffff7deb22d] = 'H' mem[0x7ffff7deb22e] = '\x81' mem[0x7ffff7deb22f] = '\xec' mem[0x7ffff7deb230] = 'x' mem[0x7ffff7deb231] = '\x10' mem[0x7ffff7deb232] = '\x00' mem[0x7ffff7deb233] = '\x00' cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.AF = cs.new_bool() cs.add(cpu.AF == True) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffd9f8) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7deb22d cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb22d, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb22e, 8)== ord('\x81')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb22f, 8)== ord('\xec')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb230, 8)== ord('x')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb231, 8)== ord('\x10')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb232, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb233, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.PF == False) condition = Operators.AND(condition, cpu.AF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffc980) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7deb234) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_TEST_1_symbolic(self): ''' Instruction TEST_1 Groups: 0x7ffff7df459c: test al, al ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df459c] = '\x84' mem[0x7ffff7df459d] = '\xc0' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7df459c cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0x6c) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459c, 8)== ord('\x84')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459d, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df459e) condition = Operators.AND(condition, cpu.AL == 0x6c) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_TEST_2_symbolic(self): ''' Instruction TEST_2 Groups: 0x7ffff7df459c: test al, al ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df459c] = '\x84' mem[0x7ffff7df459d] = '\xc0' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7df459c cpu.AL = cs.new_bitvec(8) cs.add(cpu.AL == 0x5f) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459c, 8)== ord('\x84')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459d, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df459e) condition = Operators.AND(condition, cpu.AL == 0x5f) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_TEST_3_symbolic(self): ''' Instruction TEST_3 Groups: 0x7ffff7de3892: test r15d, r15d ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3892] = 'E' mem[0x7ffff7de3893] = '\x85' mem[0x7ffff7de3894] = '\xff' cpu.R15D = cs.new_bitvec(32) cs.add(cpu.R15D == 0x0) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de3892 cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3892, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3893, 8)== ord('\x85')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3894, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.R15D == 0x0) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3895) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_TEST_4_symbolic(self): ''' Instruction TEST_4 Groups: 0x7ffff7b58f07: test byte ptr [r8 - 4], 1 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a31000, 0x1000, 'rwx') mem.mmap(0x7ffff7b58000, 0x1000, 'rwx') mem[0x7ffff7b58f07] = 'A' mem[0x7ffff7b58f08] = '\xf6' mem[0x7ffff7b58f09] = '@' mem[0x7ffff7b58f0a] = '\xfc' mem[0x7ffff7b58f0b] = '\x01' addr = cs.new_bitvec(64) cs.add(addr == 0x7ffff7a3193c) value = cs.new_bitvec(8) cs.add(value == 0xbc) mem[addr] = value cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.R8 = cs.new_bitvec(64) cs.add(cpu.R8 == 0x7ffff7a31940) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7b58f07 cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f07, 8)== ord('A')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f08, 8)== ord('\xf6')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f09, 8)== ord('@')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f0a, 8)== ord('\xfc')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f0b, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a3193c, 8)== ord('\xbc')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.R8 == 0x7ffff7a31940) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f0c) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_TEST_5_symbolic(self): ''' Instruction TEST_5 Groups: 0x7ffff7ddc6b7: test rdi, rdi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx') mem[0x7ffff7ddc6b8] = '\x85' mem[0x7ffff7ddc6b9] = '\xff' mem[0x7ffff7ddc6b7] = 'H' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7ddc6b7 cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.RDI = cs.new_bitvec(64) cs.add(cpu.RDI == 0x7ffff7ffa3a0) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc6b8, 8)== ord('\x85')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc6b9, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc6b7, 8)== ord('H')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddc6ba) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.RDI == 0x7ffff7ffa3a0) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_TEST_6_symbolic(self): ''' Instruction TEST_6 Groups: 0x406e88: test rbx, rbx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00406000, 0x1000, 'rwx') mem[0x406e88] = 'H' mem[0x406e89] = '\x85' mem[0x406e8a] = '\xdb' cpu.RBX = cs.new_bitvec(64) cs.add(cpu.RBX == 0x7fffffffe927) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x406e88 cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x406e88, 8)== ord('H')) condition = Operators.AND(condition, cpu.read_int(0x406e89, 8)== ord('\x85')) condition = Operators.AND(condition, cpu.read_int(0x406e8a, 8)== ord('\xdb')) condition = Operators.AND(condition, cpu.RBX == 0x7fffffffe927) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == False) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x406e8b) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VMOVD_1_symbolic(self): ''' Instruction VMOVD_1 Groups: avx 0x432054: vmovd xmm1, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432054] = '\xc5' mem[0x432055] = '\xf9' mem[0x432056] = 'n' mem[0x432057] = '\xce' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x0) cpu.RIP = 0x432054 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432054, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x432055, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x432056, 8)== ord('n')) condition = Operators.AND(condition, cpu.read_int(0x432057, 8)== ord('\xce')) condition = Operators.AND(condition, cpu.XMM1 == 0x0) condition = Operators.AND(condition, cpu.ESI == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x432058) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VMOVD_2_symbolic(self): ''' Instruction VMOVD_2 Groups: avx 0x432154: vmovd xmm1, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432154] = '\xc5' mem[0x432155] = '\xf9' mem[0x432156] = 'n' mem[0x432157] = '\xce' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x0) cpu.RIP = 0x432154 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432154, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x432155, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x432156, 8)== ord('n')) condition = Operators.AND(condition, cpu.read_int(0x432157, 8)== ord('\xce')) condition = Operators.AND(condition, cpu.XMM1 == 0x0) condition = Operators.AND(condition, cpu.ESI == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x432158) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VMOVD_3_symbolic(self): ''' Instruction VMOVD_3 Groups: avx 0x432124: vmovd xmm1, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432124] = '\xc5' mem[0x432125] = '\xf9' mem[0x432126] = 'n' mem[0x432127] = '\xce' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x0) cpu.RIP = 0x432124 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432124, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x432125, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x432126, 8)== ord('n')) condition = Operators.AND(condition, cpu.read_int(0x432127, 8)== ord('\xce')) condition = Operators.AND(condition, cpu.XMM1 == 0x0) condition = Operators.AND(condition, cpu.ESI == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x432128) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VMOVD_4_symbolic(self): ''' Instruction VMOVD_4 Groups: avx 0x434cd4: vmovd xmm1, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x434cd4] = '\xc5' mem[0x434cd5] = '\xf9' mem[0x434cd6] = 'n' mem[0x434cd7] = '\xce' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x0) cpu.RIP = 0x434cd4 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x434cd4, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x434cd5, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x434cd6, 8)== ord('n')) condition = Operators.AND(condition, cpu.read_int(0x434cd7, 8)== ord('\xce')) condition = Operators.AND(condition, cpu.XMM1 == 0x0) condition = Operators.AND(condition, cpu.ESI == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x434cd8) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VMOVD_5_symbolic(self): ''' Instruction VMOVD_5 Groups: avx 0x432134: vmovd xmm1, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432134] = '\xc5' mem[0x432135] = '\xf9' mem[0x432136] = 'n' mem[0x432137] = '\xce' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x0) cpu.RIP = 0x432134 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432134, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x432135, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x432136, 8)== ord('n')) condition = Operators.AND(condition, cpu.read_int(0x432137, 8)== ord('\xce')) condition = Operators.AND(condition, cpu.XMM1 == 0x0) condition = Operators.AND(condition, cpu.ESI == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x432138) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VMOVD_6_symbolic(self): ''' Instruction VMOVD_6 Groups: avx 0x432514: vmovd xmm1, esi ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432514] = '\xc5' mem[0x432515] = '\xf9' mem[0x432516] = 'n' mem[0x432517] = '\xce' cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x0) cpu.RIP = 0x432514 cpu.ESI = cs.new_bitvec(32) cs.add(cpu.ESI == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432514, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x432515, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x432516, 8)== ord('n')) condition = Operators.AND(condition, cpu.read_int(0x432517, 8)== ord('\xce')) condition = Operators.AND(condition, cpu.XMM1 == 0x0) condition = Operators.AND(condition, cpu.ESI == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x432518) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VPSHUFB_1_symbolic(self): ''' Instruction VPSHUFB_1 Groups: avx 0x4321af: vpshufb xmm0, xmm1, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x4321b0] = '\xe2' mem[0x4321b1] = 'q' mem[0x4321b2] = '\x00' mem[0x4321b3] = '\xc0' mem[0x4321af] = '\xc4' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x0) cpu.RIP = 0x4321af done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4321b0, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.read_int(0x4321b1, 8)== ord('q')) condition = Operators.AND(condition, cpu.read_int(0x4321b2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x4321b3, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x4321af, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.XMM1 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4321b4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VPSHUFB_2_symbolic(self): ''' Instruction VPSHUFB_2 Groups: avx 0x43215f: vpshufb xmm0, xmm1, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432160] = '\xe2' mem[0x432161] = 'q' mem[0x432162] = '\x00' mem[0x432163] = '\xc0' mem[0x43215f] = '\xc4' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x0) cpu.RIP = 0x43215f done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432160, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.read_int(0x432161, 8)== ord('q')) condition = Operators.AND(condition, cpu.read_int(0x432162, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x432163, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x43215f, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.XMM1 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x432164) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VPSHUFB_3_symbolic(self): ''' Instruction VPSHUFB_3 Groups: avx 0x43205f: vpshufb xmm0, xmm1, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432060] = '\xe2' mem[0x432061] = 'q' mem[0x432062] = '\x00' mem[0x432063] = '\xc0' mem[0x43205f] = '\xc4' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x0) cpu.RIP = 0x43205f done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432060, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.read_int(0x432061, 8)== ord('q')) condition = Operators.AND(condition, cpu.read_int(0x432062, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x432063, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x43205f, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.XMM1 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x432064) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VPSHUFB_4_symbolic(self): ''' Instruction VPSHUFB_4 Groups: avx 0x43212f: vpshufb xmm0, xmm1, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432130] = '\xe2' mem[0x432131] = 'q' mem[0x432132] = '\x00' mem[0x432133] = '\xc0' mem[0x43212f] = '\xc4' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x0) cpu.RIP = 0x43212f done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432130, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.read_int(0x432131, 8)== ord('q')) condition = Operators.AND(condition, cpu.read_int(0x432132, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x432133, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x43212f, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.XMM1 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x432134) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VPSHUFB_5_symbolic(self): ''' Instruction VPSHUFB_5 Groups: avx 0x43213f: vpshufb xmm0, xmm1, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432140] = '\xe2' mem[0x432141] = 'q' mem[0x432142] = '\x00' mem[0x432143] = '\xc0' mem[0x43213f] = '\xc4' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x0) cpu.RIP = 0x43213f done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432140, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.read_int(0x432141, 8)== ord('q')) condition = Operators.AND(condition, cpu.read_int(0x432142, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x432143, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x43213f, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.XMM1 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x432144) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VPSHUFB_6_symbolic(self): ''' Instruction VPSHUFB_6 Groups: avx 0x434cdf: vpshufb xmm0, xmm1, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00434000, 0x1000, 'rwx') mem[0x434ce0] = '\xe2' mem[0x434ce1] = 'q' mem[0x434ce2] = '\x00' mem[0x434ce3] = '\xc0' mem[0x434cdf] = '\xc4' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x0) cpu.RIP = 0x434cdf done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x434ce0, 8)== ord('\xe2')) condition = Operators.AND(condition, cpu.read_int(0x434ce1, 8)== ord('q')) condition = Operators.AND(condition, cpu.read_int(0x434ce2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x434ce3, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.read_int(0x434cdf, 8)== ord('\xc4')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.XMM1 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x434ce4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VPXOR_1_symbolic(self): ''' Instruction VPXOR_1 Groups: avx 0x4321a0: vpxor xmm0, xmm0, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x4321a0] = '\xc5' mem[0x4321a1] = '\xf9' mem[0x4321a2] = '\xef' mem[0x4321a3] = '\xc0' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.RIP = 0x4321a0 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4321a0, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x4321a1, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x4321a2, 8)== ord('\xef')) condition = Operators.AND(condition, cpu.read_int(0x4321a3, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x4321a4) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VPXOR_2_symbolic(self): ''' Instruction VPXOR_2 Groups: avx 0x432510: vpxor xmm0, xmm0, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432510] = '\xc5' mem[0x432511] = '\xf9' mem[0x432512] = '\xef' mem[0x432513] = '\xc0' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.RIP = 0x432510 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432510, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x432511, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x432512, 8)== ord('\xef')) condition = Operators.AND(condition, cpu.read_int(0x432513, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x432514) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VPXOR_3_symbolic(self): ''' Instruction VPXOR_3 Groups: avx 0x432050: vpxor xmm0, xmm0, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432050] = '\xc5' mem[0x432051] = '\xf9' mem[0x432052] = '\xef' mem[0x432053] = '\xc0' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.RIP = 0x432050 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432050, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x432051, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x432052, 8)== ord('\xef')) condition = Operators.AND(condition, cpu.read_int(0x432053, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x432054) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VPXOR_4_symbolic(self): ''' Instruction VPXOR_4 Groups: avx 0x432150: vpxor xmm0, xmm0, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432150] = '\xc5' mem[0x432151] = '\xf9' mem[0x432152] = '\xef' mem[0x432153] = '\xc0' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.RIP = 0x432150 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432150, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x432151, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x432152, 8)== ord('\xef')) condition = Operators.AND(condition, cpu.read_int(0x432153, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x432154) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VPXOR_5_symbolic(self): ''' Instruction VPXOR_5 Groups: avx 0x432130: vpxor xmm0, xmm0, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432130] = '\xc5' mem[0x432131] = '\xf9' mem[0x432132] = '\xef' mem[0x432133] = '\xc0' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.RIP = 0x432130 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432130, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x432131, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x432132, 8)== ord('\xef')) condition = Operators.AND(condition, cpu.read_int(0x432133, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x432134) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VPXOR_6_symbolic(self): ''' Instruction VPXOR_6 Groups: avx 0x432130: vpxor xmm0, xmm0, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432130] = '\xc5' mem[0x432131] = '\xf9' mem[0x432132] = '\xef' mem[0x432133] = '\xc0' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.RIP = 0x432130 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432130, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x432131, 8)== ord('\xf9')) condition = Operators.AND(condition, cpu.read_int(0x432132, 8)== ord('\xef')) condition = Operators.AND(condition, cpu.read_int(0x432133, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x432134) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VZEROUPPER_1_symbolic(self): ''' Instruction VZEROUPPER_1 Groups: avx 0x4322a9: vzeroupper ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x4322a9] = '\xc5' mem[0x4322aa] = '\xf8' mem[0x4322ab] = 'w' cpu.RIP = 0x4322a9 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4322a9, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x4322aa, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x4322ab, 8)== ord('w')) condition = Operators.AND(condition, cpu.RIP == 0x4322ac) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VZEROUPPER_2_symbolic(self): ''' Instruction VZEROUPPER_2 Groups: avx 0x432319: vzeroupper ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432319] = '\xc5' mem[0x43231a] = '\xf8' mem[0x43231b] = 'w' cpu.RIP = 0x432319 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432319, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x43231a, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x43231b, 8)== ord('w')) condition = Operators.AND(condition, cpu.RIP == 0x43231c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VZEROUPPER_3_symbolic(self): ''' Instruction VZEROUPPER_3 Groups: avx 0x4322c9: vzeroupper ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x4322c9] = '\xc5' mem[0x4322ca] = '\xf8' mem[0x4322cb] = 'w' cpu.RIP = 0x4322c9 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4322c9, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x4322ca, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x4322cb, 8)== ord('w')) condition = Operators.AND(condition, cpu.RIP == 0x4322cc) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VZEROUPPER_4_symbolic(self): ''' Instruction VZEROUPPER_4 Groups: avx 0x432229: vzeroupper ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432229] = '\xc5' mem[0x43222a] = '\xf8' mem[0x43222b] = 'w' cpu.RIP = 0x432229 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432229, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x43222a, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x43222b, 8)== ord('w')) condition = Operators.AND(condition, cpu.RIP == 0x43222c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VZEROUPPER_5_symbolic(self): ''' Instruction VZEROUPPER_5 Groups: avx 0x4322a9: vzeroupper ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x4322a9] = '\xc5' mem[0x4322aa] = '\xf8' mem[0x4322ab] = 'w' cpu.RIP = 0x4322a9 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x4322a9, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x4322aa, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x4322ab, 8)== ord('w')) condition = Operators.AND(condition, cpu.RIP == 0x4322ac) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_VZEROUPPER_6_symbolic(self): ''' Instruction VZEROUPPER_6 Groups: avx 0x432689: vzeroupper ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00432000, 0x1000, 'rwx') mem[0x432689] = '\xc5' mem[0x43268a] = '\xf8' mem[0x43268b] = 'w' cpu.RIP = 0x432689 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x432689, 8)== ord('\xc5')) condition = Operators.AND(condition, cpu.read_int(0x43268a, 8)== ord('\xf8')) condition = Operators.AND(condition, cpu.read_int(0x43268b, 8)== ord('w')) condition = Operators.AND(condition, cpu.RIP == 0x43268c) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XGETBV_1_symbolic(self): ''' Instruction XGETBV_1 Groups: 0x7ffff7a4eb1b: xgetbv ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx') mem[0x7ffff7a4eb1b] = '\x0f' mem[0x7ffff7a4eb1c] = '\x01' mem[0x7ffff7a4eb1d] = '\xd0' cpu.RIP = 0x7ffff7a4eb1b cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x0) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4eb1b, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4eb1c, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4eb1d, 8)== ord('\xd0')) condition = Operators.AND(condition, cpu.RAX == 0x7) condition = Operators.AND(condition, cpu.RCX == 0x0) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4eb1e) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XGETBV_2_symbolic(self): ''' Instruction XGETBV_2 Groups: 0x437c0e: xgetbv ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00437000, 0x1000, 'rwx') mem[0x437c10] = '\xd0' mem[0x437c0e] = '\x0f' mem[0x437c0f] = '\x01' cpu.RIP = 0x437c0e cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x0) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x437c10, 8)== ord('\xd0')) condition = Operators.AND(condition, cpu.read_int(0x437c0e, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x437c0f, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.RAX == 0x7) condition = Operators.AND(condition, cpu.RCX == 0x0) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x437c11) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XGETBV_3_symbolic(self): ''' Instruction XGETBV_3 Groups: 0x7ffff7a4eb1b: xgetbv ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx') mem[0x7ffff7a4eb1b] = '\x0f' mem[0x7ffff7a4eb1c] = '\x01' mem[0x7ffff7a4eb1d] = '\xd0' cpu.RIP = 0x7ffff7a4eb1b cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x0) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4eb1b, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4eb1c, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4eb1d, 8)== ord('\xd0')) condition = Operators.AND(condition, cpu.RAX == 0x7) condition = Operators.AND(condition, cpu.RCX == 0x0) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4eb1e) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XGETBV_4_symbolic(self): ''' Instruction XGETBV_4 Groups: 0x43a59e: xgetbv ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0043a000, 0x1000, 'rwx') mem[0x43a5a0] = '\xd0' mem[0x43a59e] = '\x0f' mem[0x43a59f] = '\x01' cpu.RIP = 0x43a59e cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x0) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x43a5a0, 8)== ord('\xd0')) condition = Operators.AND(condition, cpu.read_int(0x43a59e, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x43a59f, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.RAX == 0x7) condition = Operators.AND(condition, cpu.RCX == 0x0) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x43a5a1) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XGETBV_5_symbolic(self): ''' Instruction XGETBV_5 Groups: 0x43791e: xgetbv ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00437000, 0x1000, 'rwx') mem[0x437920] = '\xd0' mem[0x43791e] = '\x0f' mem[0x43791f] = '\x01' cpu.RIP = 0x43791e cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x0) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x437920, 8)== ord('\xd0')) condition = Operators.AND(condition, cpu.read_int(0x43791e, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x43791f, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.RAX == 0x7) condition = Operators.AND(condition, cpu.RCX == 0x0) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x437921) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XGETBV_6_symbolic(self): ''' Instruction XGETBV_6 Groups: 0x437a6e: xgetbv ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00437000, 0x1000, 'rwx') mem[0x437a70] = '\xd0' mem[0x437a6e] = '\x0f' mem[0x437a6f] = '\x01' cpu.RIP = 0x437a6e cpu.RCX = cs.new_bitvec(64) cs.add(cpu.RCX == 0x0) cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x0) cpu.RAX = cs.new_bitvec(64) cs.add(cpu.RAX == 0x0) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x437a70, 8)== ord('\xd0')) condition = Operators.AND(condition, cpu.read_int(0x437a6e, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x437a6f, 8)== ord('\x01')) condition = Operators.AND(condition, cpu.RAX == 0x7) condition = Operators.AND(condition, cpu.RCX == 0x0) condition = Operators.AND(condition, cpu.RDX == 0x0) condition = Operators.AND(condition, cpu.RIP == 0x437a71) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XORPS_1_symbolic(self): ''' Instruction XORPS_1 Groups: sse1 0x530d2f: xorps xmm1, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00530000, 0x1000, 'rwx') mem[0x530d30] = 'W' mem[0x530d31] = '\xc8' mem[0x530d2f] = '\x0f' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0xfffffffe0000002100000040fffffffe) cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0xffffffbeffffffdf00000061ffffffbe) cpu.RIP = 0x530d2f done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x530d30, 8)== ord('W')) condition = Operators.AND(condition, cpu.read_int(0x530d31, 8)== ord('\xc8')) condition = Operators.AND(condition, cpu.read_int(0x530d2f, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.XMM0 == 0xfffffffe0000002100000040fffffffe) condition = Operators.AND(condition, cpu.XMM1 == 0x40fffffffe0000002100000040) condition = Operators.AND(condition, cpu.RIP == 0x530d32) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XORPS_2_symbolic(self): ''' Instruction XORPS_2 Groups: sse1 0x530a6c: xorps xmm1, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00530000, 0x1000, 'rwx') mem[0x530a6c] = '\x0f' mem[0x530a6d] = 'W' mem[0x530a6e] = '\xc8' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0xfffffffe8000000100000040fffffffe) cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0xffffffbe7fffffff80000041ffffffbe) cpu.RIP = 0x530a6c done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x530a6c, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x530a6d, 8)== ord('W')) condition = Operators.AND(condition, cpu.read_int(0x530a6e, 8)== ord('\xc8')) condition = Operators.AND(condition, cpu.XMM0 == 0xfffffffe8000000100000040fffffffe) condition = Operators.AND(condition, cpu.XMM1 == 0x40fffffffe8000000100000040) condition = Operators.AND(condition, cpu.RIP == 0x530a6f) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XORPS_3_symbolic(self): ''' Instruction XORPS_3 Groups: sse1 0x54f76a: xorps xmm0, xmmword ptr [rsp] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x0054f000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x54f76a] = '\x0f' mem[0x54f76b] = 'W' mem[0x54f76c] = '\x04' mem[0x54f76d] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb9) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccba) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbc) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbe) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbf) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x0) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x54f76a done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x54f76a, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x54f76b, 8)== ord('W')) condition = Operators.AND(condition, cpu.read_int(0x54f76c, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x54f76d, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.XMM0 == 0x8000000000007fff00007fff80000000) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x54f76e) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XORPS_4_symbolic(self): ''' Instruction XORPS_4 Groups: sse1 0x540f22: xorps xmm1, xmm0 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00540000, 0x1000, 'rwx') mem[0x540f22] = '\x0f' mem[0x540f23] = 'W' mem[0x540f24] = '\xc8' cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x200000007f0000002100000020) cpu.XMM1 = cs.new_bitvec(128) cs.add(cpu.XMM1 == 0x21000000200000007f00000021) cpu.RIP = 0x540f22 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x540f22, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x540f23, 8)== ord('W')) condition = Operators.AND(condition, cpu.read_int(0x540f24, 8)== ord('\xc8')) condition = Operators.AND(condition, cpu.XMM0 == 0x200000007f0000002100000020) condition = Operators.AND(condition, cpu.XMM1 == 0x10000005f0000005e00000001) condition = Operators.AND(condition, cpu.RIP == 0x540f25) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XORPS_5_symbolic(self): ''' Instruction XORPS_5 Groups: sse1 0x560955: xorps xmm0, xmmword ptr [rsp] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00560000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x7f) mem[addr] = value mem[0x560956] = 'W' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x21) mem[addr] = value mem[0x560957] = '\x04' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value mem[0x560955] = '\x0f' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value mem[0x560958] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb9) value = cs.new_bitvec(8) cs.add(value == 0x43) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccba) value = cs.new_bitvec(8) cs.add(value == 0x65) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbb) value = cs.new_bitvec(8) cs.add(value == 0x87) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbc) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbd) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbe) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbf) value = cs.new_bitvec(8) cs.add(value == 0xff) mem[addr] = value cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0xffffffff8765432100007fffffffffff) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x560955 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x87')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x560955, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x560956, 8)== ord('W')) condition = Operators.AND(condition, cpu.read_int(0x560957, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x560958, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('C')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('e')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('!')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\xff')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x7f')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x560959) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XORPS_6_symbolic(self): ''' Instruction XORPS_6 Groups: sse1 0x551ec4: xorps xmm0, xmmword ptr [rsp] ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x00551000, 0x1000, 'rwx') mem.mmap(0x7fffffffc000, 0x1000, 'rwx') mem[0x551ec4] = '\x0f' mem[0x551ec5] = 'W' mem[0x551ec6] = '\x04' mem[0x551ec7] = '$' addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb0) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb1) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb2) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb3) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb4) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb5) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb6) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb7) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb8) value = cs.new_bitvec(8) cs.add(value == 0x20) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccb9) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccba) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbb) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbc) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbd) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbe) value = cs.new_bitvec(8) cs.add(value == 0x0) mem[addr] = value addr = cs.new_bitvec(64) cs.add(addr == 0x7fffffffccbf) value = cs.new_bitvec(8) cs.add(value == 0x80) mem[addr] = value cpu.XMM0 = cs.new_bitvec(128) cs.add(cpu.XMM0 == 0x80000000000000200000002080000000) cpu.RSP = cs.new_bitvec(64) cs.add(cpu.RSP == 0x7fffffffccb0) cpu.RIP = 0x551ec4 done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x551ec4, 8)== ord('\x0f')) condition = Operators.AND(condition, cpu.read_int(0x551ec5, 8)== ord('W')) condition = Operators.AND(condition, cpu.read_int(0x551ec6, 8)== ord('\x04')) condition = Operators.AND(condition, cpu.read_int(0x551ec7, 8)== ord('$')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord(' ')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\x00')) condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x80')) condition = Operators.AND(condition, cpu.XMM0 == 0x0) condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0) condition = Operators.AND(condition, cpu.RIP == 0x551ec8) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XOR_1_symbolic(self): ''' Instruction XOR_1 Groups: 0x7ffff7de6223: xor eax, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de6000, 0x1000, 'rwx') mem[0x7ffff7de6223] = '1' mem[0x7ffff7de6224] = '\xc0' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de6223 cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0xffffff00) cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6223, 8)== ord('1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6224, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6225) condition = Operators.AND(condition, cpu.EAX == 0x0) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XOR_2_symbolic(self): ''' Instruction XOR_2 Groups: 0x7ffff7de405a: xor rdx, r13 ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de4000, 0x1000, 'rwx') mem[0x7ffff7de405a] = 'L' mem[0x7ffff7de405b] = '1' mem[0x7ffff7de405c] = '\xea' cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.R13 = cs.new_bitvec(64) cs.add(cpu.R13 == 0x7c96f087) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de405a cpu.RDX = cs.new_bitvec(64) cs.add(cpu.RDX == 0x7c96f087) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de405a, 8)== ord('L')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de405b, 8)== ord('1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de405c, 8)== ord('\xea')) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.R13 == 0x7c96f087) condition = Operators.AND(condition, cpu.SF == False) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de405d) condition = Operators.AND(condition, cpu.RDX == 0x0) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XOR_3_symbolic(self): ''' Instruction XOR_3 Groups: 0x7ffff7df45a0: xor eax, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df45a0] = '1' mem[0x7ffff7df45a1] = '\xc0' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == True) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7df45a0 cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0xf7ff7c00) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45a0, 8)== ord('1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45a1, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df45a2) condition = Operators.AND(condition, cpu.EAX == 0x0) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XOR_4_symbolic(self): ''' Instruction XOR_4 Groups: 0x7ffff7de3ff6: xor edx, edx ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3ff6] = '1' mem[0x7ffff7de3ff7] = '\xd2' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de3ff6 cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.EDX = cs.new_bitvec(32) cs.add(cpu.EDX == 0x3f3) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff6, 8)== ord('1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff7, 8)== ord('\xd2')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3ff8) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.EDX == 0x0) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XOR_5_symbolic(self): ''' Instruction XOR_5 Groups: 0x7ffff7df40cc: xor eax, eax ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7df4000, 0x1000, 'rwx') mem[0x7ffff7df40cc] = '1' mem[0x7ffff7df40cd] = '\xc0' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7df40cc cpu.EAX = cs.new_bitvec(32) cs.add(cpu.EAX == 0x3c340000) cpu.PF = cs.new_bool() cs.add(cpu.PF == False) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7df40cc, 8)== ord('1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7df40cd, 8)== ord('\xc0')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df40ce) condition = Operators.AND(condition, cpu.EAX == 0x0) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) def test_XOR_6_symbolic(self): ''' Instruction XOR_6 Groups: 0x7ffff7de3699: xor r10d, r10d ''' cs = ConstraintSet() mem = SMemory64(cs) cpu = AMD64Cpu(mem) mem.mmap(0x7ffff7de3000, 0x1000, 'rwx') mem[0x7ffff7de3699] = 'E' mem[0x7ffff7de369a] = '1' mem[0x7ffff7de369b] = '\xd2' cpu.OF = cs.new_bool() cs.add(cpu.OF == False) cpu.ZF = cs.new_bool() cs.add(cpu.ZF == False) cpu.CF = cs.new_bool() cs.add(cpu.CF == False) cpu.RIP = 0x7ffff7de3699 cpu.R10D = cs.new_bitvec(32) cs.add(cpu.R10D == 0xf7a2e000) cpu.PF = cs.new_bool() cs.add(cpu.PF == True) cpu.SF = cs.new_bool() cs.add(cpu.SF == False) done = False while not done: try: cpu.execute() #cpu.writeback() done = True except ConcretizeRegister,e: symbol = getattr(cpu, e.reg_name) values = solver.get_all_values(cs, symbol) self.assertEqual(len(values), 1) setattr(cpu, e.reg_name, values[0]) condition = True condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3699, 8)== ord('E')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de369a, 8)== ord('1')) condition = Operators.AND(condition, cpu.read_int(0x7ffff7de369b, 8)== ord('\xd2')) condition = Operators.AND(condition, cpu.OF == False) condition = Operators.AND(condition, cpu.ZF == True) condition = Operators.AND(condition, cpu.CF == False) condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de369c) condition = Operators.AND(condition, cpu.R10D == 0x0) condition = Operators.AND(condition, cpu.PF == True) condition = Operators.AND(condition, cpu.SF == False) with cs as temp_cs: temp_cs.add(condition) self.assertTrue(solver.check(temp_cs)) with cs as temp_cs: temp_cs.add(condition == False) self.assertFalse(solver.check(temp_cs)) if __name__ == '__main__': unittest.main()