52478 lines
1.9 MiB
52478 lines
1.9 MiB
|
|
import unittest
|
|
from manticore.core.cpu.x86 import *
|
|
from manticore.core.smtlib import *
|
|
from manticore.core.memory import *
|
|
|
|
class CPUTest(unittest.TestCase):
|
|
_multiprocess_can_split_ = True
|
|
class ROOperand(object):
|
|
''' Mocking class for operand ronly '''
|
|
def __init__(self, size, value):
|
|
self.size = size
|
|
self.value = value
|
|
def read(self):
|
|
return self.value & ((1<<self.size)-1)
|
|
|
|
class RWOperand(ROOperand):
|
|
''' Mocking class for operand rw '''
|
|
def write(self, value):
|
|
self.value = value & ((1<<self.size)-1)
|
|
return self.value
|
|
|
|
|
|
|
|
def test_ADD_1(self):
|
|
''' Instruction ADD_1
|
|
Groups:
|
|
0x7ffff7de438b: add rcx, 1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de438b] = 'H'
|
|
mem[0x7ffff7de438c] = '\x83'
|
|
mem[0x7ffff7de438d] = '\xc1'
|
|
mem[0x7ffff7de438e] = '\x01'
|
|
cpu.PF = True
|
|
cpu.RCX = 0x7ffff7ba0aba
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de438b
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de438b], 'H')
|
|
self.assertEqual(mem[0x7ffff7de438c], '\x83')
|
|
self.assertEqual(mem[0x7ffff7de438d], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de438e], '\x01')
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RCX, 140737349552827L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351926671L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_ADD_2(self):
|
|
''' Instruction ADD_2
|
|
Groups:
|
|
0x7ffff7de4396: add rax, rdx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4398] = '\xd0'
|
|
mem[0x7ffff7de4396] = 'H'
|
|
mem[0x7ffff7de4397] = '\x01'
|
|
cpu.SF = False
|
|
cpu.PF = True
|
|
cpu.RAX = 0x310ef63c39
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de4396
|
|
cpu.RDX = 0x65
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4398], '\xd0')
|
|
self.assertEqual(mem[0x7ffff7de4396], 'H')
|
|
self.assertEqual(mem[0x7ffff7de4397], '\x01')
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.RAX, 210704415902L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351926681L)
|
|
self.assertEqual(cpu.RDX, 101L)
|
|
|
|
def test_ADD_3(self):
|
|
''' Instruction ADD_3
|
|
Groups:
|
|
0x7ffff7de6128: add rdx, 0x18
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6128] = 'H'
|
|
mem[0x7ffff7de6129] = '\x83'
|
|
mem[0x7ffff7de612a] = '\xc2'
|
|
mem[0x7ffff7de612b] = '\x18'
|
|
cpu.SF = False
|
|
cpu.PF = True
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6128
|
|
cpu.RDX = 0x7ffff7a4c978
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6128], 'H')
|
|
self.assertEqual(mem[0x7ffff7de6129], '\x83')
|
|
self.assertEqual(mem[0x7ffff7de612a], '\xc2')
|
|
self.assertEqual(mem[0x7ffff7de612b], '\x18')
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.AF, True)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351934252L)
|
|
self.assertEqual(cpu.RDX, 140737348159888L)
|
|
|
|
def test_ADD_4(self):
|
|
''' Instruction ADD_4
|
|
Groups:
|
|
0x7ffff7de3960: add r12, 1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3960] = 'I'
|
|
mem[0x7ffff7de3961] = '\x83'
|
|
mem[0x7ffff7de3962] = '\xc4'
|
|
mem[0x7ffff7de3963] = '\x01'
|
|
cpu.PF = True
|
|
cpu.R12 = 0x0
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de3960
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de3960], 'I')
|
|
self.assertEqual(mem[0x7ffff7de3961], '\x83')
|
|
self.assertEqual(mem[0x7ffff7de3962], '\xc4')
|
|
self.assertEqual(mem[0x7ffff7de3963], '\x01')
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.R12, 1L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351924068L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_ADD_5(self):
|
|
''' Instruction ADD_5
|
|
Groups:
|
|
0x7ffff7de6124: add rax, qword ptr [rdx + 0x10]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a49000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a490d0] = '%'
|
|
mem[0x7ffff7a490d1] = '['
|
|
mem[0x7ffff7a490d2] = '\x17'
|
|
mem[0x7ffff7a490d3] = '\x00'
|
|
mem[0x7ffff7a490d4] = '\x00'
|
|
mem[0x7ffff7a490d5] = '\x00'
|
|
mem[0x7ffff7a490d6] = '\x00'
|
|
mem[0x7ffff7a490d7] = '\x00'
|
|
mem[0x7ffff7de6124] = 'H'
|
|
mem[0x7ffff7de6125] = '\x03'
|
|
mem[0x7ffff7de6126] = 'B'
|
|
mem[0x7ffff7de6127] = '\x10'
|
|
cpu.SF = False
|
|
cpu.PF = True
|
|
cpu.RAX = 0x7ffff7a2e000
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6124
|
|
cpu.RDX = 0x7ffff7a490c0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a490d0], '%')
|
|
self.assertEqual(mem[0x7ffff7a490d1], '[')
|
|
self.assertEqual(mem[0x7ffff7a490d2], '\x17')
|
|
self.assertEqual(mem[0x7ffff7a490d3], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a490d4], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a490d5], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a490d6], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a490d7], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de6124], 'H')
|
|
self.assertEqual(mem[0x7ffff7de6125], '\x03')
|
|
self.assertEqual(mem[0x7ffff7de6126], 'B')
|
|
self.assertEqual(mem[0x7ffff7de6127], '\x10')
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.RAX, 140737349565221L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351934248L)
|
|
self.assertEqual(cpu.RDX, 140737348145344L)
|
|
|
|
def test_ADD_6(self):
|
|
''' Instruction ADD_6
|
|
Groups:
|
|
0x7ffff7de6124: add rax, qword ptr [rdx + 0x10]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4b000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4bcc8] = '\xc0'
|
|
mem[0x7ffff7a4bcc9] = '\x88'
|
|
mem[0x7ffff7a4bcca] = '\x07'
|
|
mem[0x7ffff7a4bccb] = '\x00'
|
|
mem[0x7ffff7a4bccc] = '\x00'
|
|
mem[0x7ffff7a4bccd] = '\x00'
|
|
mem[0x7ffff7a4bcce] = '\x00'
|
|
mem[0x7ffff7a4bccf] = '\x00'
|
|
mem[0x7ffff7de6124] = 'H'
|
|
mem[0x7ffff7de6125] = '\x03'
|
|
mem[0x7ffff7de6126] = 'B'
|
|
mem[0x7ffff7de6127] = '\x10'
|
|
cpu.SF = False
|
|
cpu.PF = True
|
|
cpu.RAX = 0x7ffff7a2e000
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6124
|
|
cpu.RDX = 0x7ffff7a4bcb8
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a4bcc8], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7a4bcc9], '\x88')
|
|
self.assertEqual(mem[0x7ffff7a4bcca], '\x07')
|
|
self.assertEqual(mem[0x7ffff7a4bccb], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a4bccc], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a4bccd], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a4bcce], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a4bccf], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de6124], 'H')
|
|
self.assertEqual(mem[0x7ffff7de6125], '\x03')
|
|
self.assertEqual(mem[0x7ffff7de6126], 'B')
|
|
self.assertEqual(mem[0x7ffff7de6127], '\x10')
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RAX, 140737348528320L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351934248L)
|
|
self.assertEqual(cpu.RDX, 140737348156600L)
|
|
|
|
def test_AND_1(self):
|
|
''' Instruction AND_1
|
|
Groups:
|
|
0x7ffff7b58f2f: and r9d, 0xf
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f30] = '\x83'
|
|
mem[0x7ffff7b58f31] = '\xe1'
|
|
mem[0x7ffff7b58f32] = '\x0f'
|
|
mem[0x7ffff7b58f2f] = 'A'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7b58f2f
|
|
cpu.SF = False
|
|
cpu.PF = False
|
|
cpu.R9D = 0x12
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b58f30], '\x83')
|
|
self.assertEqual(mem[0x7ffff7b58f31], '\xe1')
|
|
self.assertEqual(mem[0x7ffff7b58f32], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7b58f2f], 'A')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737349259059L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.R9D, 2L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_AND_2(self):
|
|
''' Instruction AND_2
|
|
Groups:
|
|
0x7ffff7aa7bd0: and edx, 0x808
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7aa7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7aa7bd0] = '\x81'
|
|
mem[0x7ffff7aa7bd1] = '\xe2'
|
|
mem[0x7ffff7aa7bd2] = '\x08'
|
|
mem[0x7ffff7aa7bd3] = '\x08'
|
|
mem[0x7ffff7aa7bd4] = '\x00'
|
|
mem[0x7ffff7aa7bd5] = '\x00'
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7aa7bd0
|
|
cpu.PF = True
|
|
cpu.EDX = 0xfbad2807
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7aa7bd0], '\x81')
|
|
self.assertEqual(mem[0x7ffff7aa7bd1], '\xe2')
|
|
self.assertEqual(mem[0x7ffff7aa7bd2], '\x08')
|
|
self.assertEqual(mem[0x7ffff7aa7bd3], '\x08')
|
|
self.assertEqual(mem[0x7ffff7aa7bd4], '\x00')
|
|
self.assertEqual(mem[0x7ffff7aa7bd5], '\x00')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737348533206L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.EDX, 2048L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_AND_3(self):
|
|
''' Instruction AND_3
|
|
Groups:
|
|
0x7ffff7b58f2f: and r9d, 0xf
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f30] = '\x83'
|
|
mem[0x7ffff7b58f31] = '\xe1'
|
|
mem[0x7ffff7b58f32] = '\x0f'
|
|
mem[0x7ffff7b58f2f] = 'A'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7b58f2f
|
|
cpu.SF = False
|
|
cpu.PF = False
|
|
cpu.R9D = 0x12
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b58f30], '\x83')
|
|
self.assertEqual(mem[0x7ffff7b58f31], '\xe1')
|
|
self.assertEqual(mem[0x7ffff7b58f32], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7b58f2f], 'A')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737349259059L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.R9D, 2L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_AND_4(self):
|
|
''' Instruction AND_4
|
|
Groups:
|
|
0x7ffff7de3930: and rax, rsi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3930] = 'H'
|
|
mem[0x7ffff7de3931] = '!'
|
|
mem[0x7ffff7de3932] = '\xf0'
|
|
cpu.PF = True
|
|
cpu.RSI = 0x13
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RAX = 0x9
|
|
cpu.CF = True
|
|
cpu.RIP = 0x7ffff7de3930
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de3930], 'H')
|
|
self.assertEqual(mem[0x7ffff7de3931], '!')
|
|
self.assertEqual(mem[0x7ffff7de3932], '\xf0')
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.RSI, 19L)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RAX, 1L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351924019L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_AND_5(self):
|
|
''' Instruction AND_5
|
|
Groups:
|
|
0x7ffff7b58f2f: and r9d, 0xf
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f30] = '\x83'
|
|
mem[0x7ffff7b58f31] = '\xe1'
|
|
mem[0x7ffff7b58f32] = '\x0f'
|
|
mem[0x7ffff7b58f2f] = 'A'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7b58f2f
|
|
cpu.SF = False
|
|
cpu.PF = False
|
|
cpu.R9D = 0x12
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b58f30], '\x83')
|
|
self.assertEqual(mem[0x7ffff7b58f31], '\xe1')
|
|
self.assertEqual(mem[0x7ffff7b58f32], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7b58f2f], 'A')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737349259059L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.R9D, 2L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_AND_6(self):
|
|
''' Instruction AND_6
|
|
Groups:
|
|
0x7ffff7de3909: and ecx, dword ptr [rbx + 0x2f0]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ff7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de390b] = '\xf0'
|
|
mem[0x7ffff7ff794a] = '\x00'
|
|
mem[0x7ffff7ff7949] = '\x00'
|
|
mem[0x7ffff7ff7948] = '\xff'
|
|
mem[0x7ffff7de3909] = '#'
|
|
mem[0x7ffff7de390a] = '\x8b'
|
|
mem[0x7ffff7ff794b] = '\x00'
|
|
mem[0x7ffff7de390c] = '\x02'
|
|
mem[0x7ffff7de390d] = '\x00'
|
|
mem[0x7ffff7de390e] = '\x00'
|
|
cpu.PF = True
|
|
cpu.RBX = 0x7ffff7ff7658
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.ECX = 0x1c5e843
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de3909
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ff794b], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ff794a], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ff7949], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ff7948], '\xff')
|
|
self.assertEqual(mem[0x7ffff7de3909], '#')
|
|
self.assertEqual(mem[0x7ffff7de390a], '\x8b')
|
|
self.assertEqual(mem[0x7ffff7de390b], '\xf0')
|
|
self.assertEqual(mem[0x7ffff7de390c], '\x02')
|
|
self.assertEqual(mem[0x7ffff7de390d], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de390e], '\x00')
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.RBX, 140737354102360L)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.ECX, 67L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351923983L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_BSF_1(self):
|
|
''' Instruction BSF_1
|
|
Groups:
|
|
0x4184cd: bsf eax, edx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x004184cd] = '\x0f'
|
|
mem[0x004184ce] = '\xbc'
|
|
mem[0x004184cf] = '\xc2'
|
|
cpu.EAX = 0x495045
|
|
cpu.ZF = False
|
|
cpu.EDX = 0x80
|
|
cpu.RIP = 0x4184cd
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4184cd], '\x0f')
|
|
self.assertEqual(mem[0x4184ce], '\xbc')
|
|
self.assertEqual(mem[0x4184cf], '\xc2')
|
|
self.assertEqual(cpu.EAX, 7L)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.EDX, 128L)
|
|
self.assertEqual(cpu.RIP, 4293840L)
|
|
|
|
def test_BSF_2(self):
|
|
''' Instruction BSF_2
|
|
Groups:
|
|
0x4183ed: bsf eax, edx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x004183ed] = '\x0f'
|
|
mem[0x004183ee] = '\xbc'
|
|
mem[0x004183ef] = '\xc2'
|
|
cpu.EAX = 0x4a5301
|
|
cpu.ZF = False
|
|
cpu.EDX = 0x5
|
|
cpu.RIP = 0x4183ed
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4183ed], '\x0f')
|
|
self.assertEqual(mem[0x4183ee], '\xbc')
|
|
self.assertEqual(mem[0x4183ef], '\xc2')
|
|
self.assertEqual(cpu.EAX, 0L)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.EDX, 5L)
|
|
self.assertEqual(cpu.RIP, 4293616L)
|
|
|
|
def test_BSF_3(self):
|
|
''' Instruction BSF_3
|
|
Groups:
|
|
0x4184bd: bsf eax, edx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x004184bd] = '\x0f'
|
|
mem[0x004184be] = '\xbc'
|
|
mem[0x004184bf] = '\xc2'
|
|
cpu.EAX = 0x495085
|
|
cpu.ZF = False
|
|
cpu.EDX = 0x80
|
|
cpu.RIP = 0x4184bd
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4184bd], '\x0f')
|
|
self.assertEqual(mem[0x4184be], '\xbc')
|
|
self.assertEqual(mem[0x4184bf], '\xc2')
|
|
self.assertEqual(cpu.EAX, 7L)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.EDX, 128L)
|
|
self.assertEqual(cpu.RIP, 4293824L)
|
|
|
|
def test_BSF_4(self):
|
|
''' Instruction BSF_4
|
|
Groups:
|
|
0x41850a: bsf rax, rdx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x0041850a] = 'H'
|
|
mem[0x0041850b] = '\x0f'
|
|
mem[0x0041850c] = '\xbc'
|
|
mem[0x0041850d] = '\xc2'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x41850a
|
|
cpu.RAX = 0x495100
|
|
cpu.RDX = 0x800200020000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x41850a], 'H')
|
|
self.assertEqual(mem[0x41850b], '\x0f')
|
|
self.assertEqual(mem[0x41850c], '\xbc')
|
|
self.assertEqual(mem[0x41850d], '\xc2')
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RAX, 17L)
|
|
self.assertEqual(cpu.RIP, 4293902L)
|
|
self.assertEqual(cpu.RDX, 140746078420992L)
|
|
|
|
def test_BSF_5(self):
|
|
''' Instruction BSF_5
|
|
Groups:
|
|
0x7ffff7ab5d0a: bsf rax, rdx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab5d0a] = 'H'
|
|
mem[0x7ffff7ab5d0b] = '\x0f'
|
|
mem[0x7ffff7ab5d0c] = '\xbc'
|
|
mem[0x7ffff7ab5d0d] = '\xc2'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7ab5d0a
|
|
cpu.RAX = 0x5555555549c0
|
|
cpu.RDX = 0xe0e0e0e0ee080000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ab5d0a], 'H')
|
|
self.assertEqual(mem[0x7ffff7ab5d0b], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ab5d0c], '\xbc')
|
|
self.assertEqual(mem[0x7ffff7ab5d0d], '\xc2')
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RAX, 19L)
|
|
self.assertEqual(cpu.RIP, 140737348590862L)
|
|
self.assertEqual(cpu.RDX, 16204198715949842432L)
|
|
|
|
def test_BSF_6(self):
|
|
''' Instruction BSF_6
|
|
Groups:
|
|
0x4183ed: bsf eax, edx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x004183ed] = '\x0f'
|
|
mem[0x004183ee] = '\xbc'
|
|
mem[0x004183ef] = '\xc2'
|
|
cpu.EAX = 0x494d05
|
|
cpu.ZF = False
|
|
cpu.EDX = 0x80
|
|
cpu.RIP = 0x4183ed
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4183ed], '\x0f')
|
|
self.assertEqual(mem[0x4183ee], '\xbc')
|
|
self.assertEqual(mem[0x4183ef], '\xc2')
|
|
self.assertEqual(cpu.EAX, 7L)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.EDX, 128L)
|
|
self.assertEqual(cpu.RIP, 4293616L)
|
|
|
|
def test_BSR_1(self):
|
|
''' Instruction BSR_1
|
|
Groups:
|
|
0x4008b7: bsr esi, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x004008b8] = '\xbd'
|
|
mem[0x004008b9] = '\xf6'
|
|
mem[0x004008b7] = '\x0f'
|
|
cpu.ZF = True
|
|
cpu.RIP = 0x4008b7
|
|
cpu.ESI = 0xf
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4008b8], '\xbd')
|
|
self.assertEqual(mem[0x4008b9], '\xf6')
|
|
self.assertEqual(mem[0x4008b7], '\x0f')
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.ESI, 3L)
|
|
self.assertEqual(cpu.RIP, 4196538L)
|
|
|
|
def test_BSR_2(self):
|
|
''' Instruction BSR_2
|
|
Groups:
|
|
0x400907: bsr esi, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x00400908] = '\xbd'
|
|
mem[0x00400909] = '\xf6'
|
|
mem[0x00400907] = '\x0f'
|
|
cpu.ZF = True
|
|
cpu.RIP = 0x400907
|
|
cpu.ESI = 0xf
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x400908], '\xbd')
|
|
self.assertEqual(mem[0x400909], '\xf6')
|
|
self.assertEqual(mem[0x400907], '\x0f')
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.ESI, 3L)
|
|
self.assertEqual(cpu.RIP, 4196618L)
|
|
|
|
def test_BSR_3(self):
|
|
''' Instruction BSR_3
|
|
Groups:
|
|
0x457ac8: bsr rsi, rsi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457ac8] = 'H'
|
|
mem[0x00457ac9] = '\x0f'
|
|
mem[0x00457aca] = '\xbd'
|
|
mem[0x00457acb] = '\xf6'
|
|
cpu.ZF = False
|
|
cpu.RSI = 0x4100800
|
|
cpu.RIP = 0x457ac8
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457ac8], 'H')
|
|
self.assertEqual(mem[0x457ac9], '\x0f')
|
|
self.assertEqual(mem[0x457aca], '\xbd')
|
|
self.assertEqual(mem[0x457acb], '\xf6')
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RSI, 26L)
|
|
self.assertEqual(cpu.RIP, 4553420L)
|
|
|
|
def test_BSR_4(self):
|
|
''' Instruction BSR_4
|
|
Groups:
|
|
0x400847: bsr esi, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x00400848] = '\xbd'
|
|
mem[0x00400849] = '\xf6'
|
|
mem[0x00400847] = '\x0f'
|
|
cpu.ZF = True
|
|
cpu.RIP = 0x400847
|
|
cpu.ESI = 0xf
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x400848], '\xbd')
|
|
self.assertEqual(mem[0x400849], '\xf6')
|
|
self.assertEqual(mem[0x400847], '\x0f')
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.ESI, 3L)
|
|
self.assertEqual(cpu.RIP, 4196426L)
|
|
|
|
def test_BSR_5(self):
|
|
''' Instruction BSR_5
|
|
Groups:
|
|
0x457c18: bsr rsi, rsi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457c18] = 'H'
|
|
mem[0x00457c19] = '\x0f'
|
|
mem[0x00457c1a] = '\xbd'
|
|
mem[0x00457c1b] = '\xf6'
|
|
cpu.ZF = False
|
|
cpu.RSI = 0x41008000
|
|
cpu.RIP = 0x457c18
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457c18], 'H')
|
|
self.assertEqual(mem[0x457c19], '\x0f')
|
|
self.assertEqual(mem[0x457c1a], '\xbd')
|
|
self.assertEqual(mem[0x457c1b], '\xf6')
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RSI, 30L)
|
|
self.assertEqual(cpu.RIP, 4553756L)
|
|
|
|
def test_BSR_6(self):
|
|
''' Instruction BSR_6
|
|
Groups:
|
|
0x457db8: bsr rsi, rsi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457db8] = 'H'
|
|
mem[0x00457db9] = '\x0f'
|
|
mem[0x00457dba] = '\xbd'
|
|
mem[0x00457dbb] = '\xf6'
|
|
cpu.ZF = False
|
|
cpu.RSI = 0x4100800
|
|
cpu.RIP = 0x457db8
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457db8], 'H')
|
|
self.assertEqual(mem[0x457db9], '\x0f')
|
|
self.assertEqual(mem[0x457dba], '\xbd')
|
|
self.assertEqual(mem[0x457dbb], '\xf6')
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RSI, 26L)
|
|
self.assertEqual(cpu.RIP, 4554172L)
|
|
|
|
def test_BT_1(self):
|
|
''' Instruction BT_1
|
|
Groups:
|
|
0x7ffff7de36b5: bt r8d, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de36b8] = '\xc0'
|
|
mem[0x7ffff7de36b5] = 'A'
|
|
mem[0x7ffff7de36b6] = '\x0f'
|
|
mem[0x7ffff7de36b7] = '\xa3'
|
|
cpu.EAX = 0x1
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de36b5
|
|
cpu.R8D = 0x467
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de36b8], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7de36b5], 'A')
|
|
self.assertEqual(mem[0x7ffff7de36b6], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de36b7], '\xa3')
|
|
self.assertEqual(cpu.EAX, 1L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351923385L)
|
|
self.assertEqual(cpu.R8D, 1127L)
|
|
|
|
def test_BT_2(self):
|
|
''' Instruction BT_2
|
|
Groups:
|
|
0x7ffff7de36b5: bt r8d, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de36b8] = '\xc0'
|
|
mem[0x7ffff7de36b5] = 'A'
|
|
mem[0x7ffff7de36b6] = '\x0f'
|
|
mem[0x7ffff7de36b7] = '\xa3'
|
|
cpu.EAX = 0x2
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de36b5
|
|
cpu.R8D = 0x467
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de36b8], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7de36b5], 'A')
|
|
self.assertEqual(mem[0x7ffff7de36b6], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de36b7], '\xa3')
|
|
self.assertEqual(cpu.EAX, 2L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351923385L)
|
|
self.assertEqual(cpu.R8D, 1127L)
|
|
|
|
def test_BT_3(self):
|
|
''' Instruction BT_3
|
|
Groups:
|
|
0x7ffff7de36b5: bt r8d, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de36b8] = '\xc0'
|
|
mem[0x7ffff7de36b5] = 'A'
|
|
mem[0x7ffff7de36b6] = '\x0f'
|
|
mem[0x7ffff7de36b7] = '\xa3'
|
|
cpu.EAX = 0x2
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de36b5
|
|
cpu.R8D = 0x467
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de36b8], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7de36b5], 'A')
|
|
self.assertEqual(mem[0x7ffff7de36b6], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de36b7], '\xa3')
|
|
self.assertEqual(cpu.EAX, 2L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351923385L)
|
|
self.assertEqual(cpu.R8D, 1127L)
|
|
|
|
def test_BT_4(self):
|
|
''' Instruction BT_4
|
|
Groups:
|
|
0x7ffff7de36b5: bt r8d, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de36b8] = '\xc0'
|
|
mem[0x7ffff7de36b5] = 'A'
|
|
mem[0x7ffff7de36b6] = '\x0f'
|
|
mem[0x7ffff7de36b7] = '\xa3'
|
|
cpu.EAX = 0x1
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de36b5
|
|
cpu.R8D = 0x467
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de36b8], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7de36b5], 'A')
|
|
self.assertEqual(mem[0x7ffff7de36b6], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de36b7], '\xa3')
|
|
self.assertEqual(cpu.EAX, 1L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351923385L)
|
|
self.assertEqual(cpu.R8D, 1127L)
|
|
|
|
def test_BT_5(self):
|
|
''' Instruction BT_5
|
|
Groups:
|
|
0x7ffff7de36b5: bt r8d, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de36b8] = '\xc0'
|
|
mem[0x7ffff7de36b5] = 'A'
|
|
mem[0x7ffff7de36b6] = '\x0f'
|
|
mem[0x7ffff7de36b7] = '\xa3'
|
|
cpu.EAX = 0x1
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de36b5
|
|
cpu.R8D = 0x467
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de36b8], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7de36b5], 'A')
|
|
self.assertEqual(mem[0x7ffff7de36b6], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de36b7], '\xa3')
|
|
self.assertEqual(cpu.EAX, 1L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351923385L)
|
|
self.assertEqual(cpu.R8D, 1127L)
|
|
|
|
def test_BT_6(self):
|
|
''' Instruction BT_6
|
|
Groups:
|
|
0x7ffff7de36b5: bt r8d, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de36b8] = '\xc0'
|
|
mem[0x7ffff7de36b5] = 'A'
|
|
mem[0x7ffff7de36b6] = '\x0f'
|
|
mem[0x7ffff7de36b7] = '\xa3'
|
|
cpu.EAX = 0x2
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de36b5
|
|
cpu.R8D = 0x467
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de36b8], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7de36b5], 'A')
|
|
self.assertEqual(mem[0x7ffff7de36b6], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de36b7], '\xa3')
|
|
self.assertEqual(cpu.EAX, 2L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351923385L)
|
|
self.assertEqual(cpu.R8D, 1127L)
|
|
|
|
def test_CALL_1(self):
|
|
''' Instruction CALL_1
|
|
Groups: call, mode64
|
|
0x7ffff7de447a: call 0x7ffff7de3800
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffd880] = '\x00'
|
|
mem[0x7fffffffd881] = '\x00'
|
|
mem[0x7fffffffd882] = '\x00'
|
|
mem[0x7fffffffd883] = '\x00'
|
|
mem[0x7fffffffd884] = '\x00'
|
|
mem[0x7fffffffd885] = '\x00'
|
|
mem[0x7fffffffd886] = '\x00'
|
|
mem[0x7fffffffd887] = '\x00'
|
|
mem[0x7fffffffd888] = 'H'
|
|
mem[0x7ffff7de447a] = '\xe8'
|
|
mem[0x7ffff7de447b] = '\x81'
|
|
mem[0x7ffff7de447c] = '\xf3'
|
|
mem[0x7ffff7de447d] = '\xff'
|
|
mem[0x7ffff7de447e] = '\xff'
|
|
mem[0x7fffffffd878] = '\x7f'
|
|
mem[0x7fffffffd879] = 'D'
|
|
mem[0x7fffffffd87a] = '\xde'
|
|
mem[0x7fffffffd87b] = '\xf7'
|
|
mem[0x7fffffffd87c] = '\xff'
|
|
mem[0x7fffffffd87d] = '\x7f'
|
|
mem[0x7fffffffd87e] = '\x00'
|
|
mem[0x7fffffffd87f] = '\x00'
|
|
cpu.RSP = 0x7fffffffd880
|
|
cpu.RIP = 0x7ffff7de447a
|
|
cpu.RBP = 0x7fffffffd9a0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffd880], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd881], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd882], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd883], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd884], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd885], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd886], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd887], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd888], 'H')
|
|
self.assertEqual(mem[0x7fffffffd87a], '\xde')
|
|
self.assertEqual(mem[0x7fffffffd87b], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffd87c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd87d], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd87e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd878], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd879], 'D')
|
|
self.assertEqual(mem[0x7ffff7de447a], '\xe8')
|
|
self.assertEqual(mem[0x7ffff7de447b], '\x81')
|
|
self.assertEqual(mem[0x7ffff7de447c], '\xf3')
|
|
self.assertEqual(mem[0x7ffff7de447d], '\xff')
|
|
self.assertEqual(mem[0x7ffff7de447e], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd87f], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488345208L)
|
|
self.assertEqual(cpu.RIP, 140737351923712L)
|
|
self.assertEqual(cpu.RBP, 140737488345504L)
|
|
|
|
def test_CALL_2(self):
|
|
''' Instruction CALL_2
|
|
Groups: call, mode64
|
|
0x7ffff7a780e1: call qword ptr [r8 + 0x38]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7dd2000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffb000, 0x1000, 'rwx')
|
|
mem[0x7fffffffbdb8] = '\xa2'
|
|
mem[0x7fffffffbdb9] = '\x80'
|
|
mem[0x7fffffffbdba] = '\xa7'
|
|
mem[0x7fffffffbdbb] = '\xf7'
|
|
mem[0x7fffffffbdbc] = '\xff'
|
|
mem[0x7fffffffbdbd] = '\x7f'
|
|
mem[0x7fffffffbdbe] = '\x00'
|
|
mem[0x7fffffffbdbf] = '\x00'
|
|
mem[0x7fffffffbdc0] = '\x00'
|
|
mem[0x7fffffffbdc1] = '\x00'
|
|
mem[0x7fffffffbdc2] = '\x00'
|
|
mem[0x7fffffffbdc3] = '\x00'
|
|
mem[0x7fffffffbdc4] = '\x00'
|
|
mem[0x7fffffffbdc5] = '\x00'
|
|
mem[0x7fffffffbdc6] = '\x00'
|
|
mem[0x7fffffffbdc7] = '\x00'
|
|
mem[0x7fffffffbdc8] = '\x00'
|
|
mem[0x7ffff7a780e1] = 'A'
|
|
mem[0x7ffff7a780e2] = '\xff'
|
|
mem[0x7ffff7a780e3] = 'P'
|
|
mem[0x7ffff7a780e4] = '8'
|
|
mem[0x7ffff7dd2578] = '`'
|
|
mem[0x7ffff7dd2579] = '\x96'
|
|
mem[0x7ffff7dd257a] = '\xaa'
|
|
mem[0x7ffff7dd257b] = '\xf7'
|
|
mem[0x7ffff7dd257c] = '\xff'
|
|
mem[0x7ffff7dd257d] = '\x7f'
|
|
mem[0x7ffff7dd257e] = '\x00'
|
|
mem[0x7ffff7dd257f] = '\x00'
|
|
cpu.RSP = 0x7fffffffbdc0
|
|
cpu.R8 = 0x7ffff7dd2540
|
|
cpu.RIP = 0x7ffff7a780e1
|
|
cpu.RBP = 0x7fffffffc330
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffbdb8], '\xe5')
|
|
self.assertEqual(mem[0x7fffffffbdb9], '\x80')
|
|
self.assertEqual(mem[0x7fffffffbdba], '\xa7')
|
|
self.assertEqual(mem[0x7fffffffbdbb], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffbdbc], '\xff')
|
|
self.assertEqual(mem[0x7fffffffbdbd], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffbdbe], '\x00')
|
|
self.assertEqual(mem[0x7fffffffbdbf], '\x00')
|
|
self.assertEqual(mem[0x7fffffffbdc0], '\x00')
|
|
self.assertEqual(mem[0x7fffffffbdc1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffbdc2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffbdc3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffbdc4], '\x00')
|
|
self.assertEqual(mem[0x7fffffffbdc5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffbdc6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffbdc7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffbdc8], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a780e1], 'A')
|
|
self.assertEqual(mem[0x7ffff7a780e2], '\xff')
|
|
self.assertEqual(mem[0x7ffff7a780e3], 'P')
|
|
self.assertEqual(mem[0x7ffff7a780e4], '8')
|
|
self.assertEqual(mem[0x7ffff7dd2578], '`')
|
|
self.assertEqual(mem[0x7ffff7dd2579], '\x96')
|
|
self.assertEqual(mem[0x7ffff7dd257a], '\xaa')
|
|
self.assertEqual(mem[0x7ffff7dd257b], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7dd257c], '\xff')
|
|
self.assertEqual(mem[0x7ffff7dd257d], '\x7f')
|
|
self.assertEqual(mem[0x7ffff7dd257e], '\x00')
|
|
self.assertEqual(mem[0x7ffff7dd257f], '\x00')
|
|
self.assertEqual(cpu.R8, 140737351853376L)
|
|
self.assertEqual(cpu.RSP, 140737488338360L)
|
|
self.assertEqual(cpu.RIP, 140737348540000L)
|
|
self.assertEqual(cpu.RBP, 140737488339760L)
|
|
|
|
def test_CALL_3(self):
|
|
''' Instruction CALL_3
|
|
Groups: call, mode64
|
|
0x4554b0: call 0x45c7a0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00455000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffda18] = '\xda'
|
|
mem[0x7fffffffda19] = 'S'
|
|
mem[0x7fffffffda1a] = 'E'
|
|
mem[0x7fffffffda1b] = '\x00'
|
|
mem[0x7fffffffda1c] = '\x00'
|
|
mem[0x7fffffffda1d] = '\x00'
|
|
mem[0x7fffffffda1e] = '\x00'
|
|
mem[0x7fffffffda1f] = '\x00'
|
|
mem[0x7fffffffda20] = '\x06'
|
|
mem[0x7fffffffda21] = '\x00'
|
|
mem[0x7fffffffda22] = '\x00'
|
|
mem[0x7fffffffda23] = '\x00'
|
|
mem[0x7fffffffda24] = '\x00'
|
|
mem[0x7fffffffda25] = '\x00'
|
|
mem[0x7fffffffda26] = '\x00'
|
|
mem[0x7fffffffda27] = '\x00'
|
|
mem[0x7fffffffda28] = '\x04'
|
|
mem[0x004554b0] = '\xe8'
|
|
mem[0x004554b1] = '\xeb'
|
|
mem[0x004554b2] = 'r'
|
|
mem[0x004554b3] = '\x00'
|
|
mem[0x004554b4] = '\x00'
|
|
cpu.RSP = 0x7fffffffda20
|
|
cpu.RIP = 0x4554b0
|
|
cpu.RBP = 0x7fffffffdad0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffda18], '\xb5')
|
|
self.assertEqual(mem[0x7fffffffda19], 'T')
|
|
self.assertEqual(mem[0x7fffffffda1a], 'E')
|
|
self.assertEqual(mem[0x7fffffffda1b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda1c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda1d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda1e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda1f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda20], '\x06')
|
|
self.assertEqual(mem[0x7fffffffda21], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda22], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda23], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda24], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda25], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda26], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda27], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda28], '\x04')
|
|
self.assertEqual(mem[0x4554b0], '\xe8')
|
|
self.assertEqual(mem[0x4554b1], '\xeb')
|
|
self.assertEqual(mem[0x4554b2], 'r')
|
|
self.assertEqual(mem[0x4554b3], '\x00')
|
|
self.assertEqual(mem[0x4554b4], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488345624L)
|
|
self.assertEqual(cpu.RIP, 4573088L)
|
|
self.assertEqual(cpu.RBP, 140737488345808L)
|
|
|
|
def test_CALL_4(self):
|
|
''' Instruction CALL_4
|
|
Groups: call, mode64
|
|
0x7ffff7de447a: call 0x7ffff7de3800
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffd880] = '\x00'
|
|
mem[0x7fffffffd881] = '\x00'
|
|
mem[0x7fffffffd882] = '\x00'
|
|
mem[0x7fffffffd883] = '\x00'
|
|
mem[0x7fffffffd884] = '\x00'
|
|
mem[0x7fffffffd885] = '\x00'
|
|
mem[0x7fffffffd886] = '\x00'
|
|
mem[0x7fffffffd887] = '\x00'
|
|
mem[0x7fffffffd888] = 'H'
|
|
mem[0x7ffff7de447a] = '\xe8'
|
|
mem[0x7ffff7de447b] = '\x81'
|
|
mem[0x7ffff7de447c] = '\xf3'
|
|
mem[0x7ffff7de447d] = '\xff'
|
|
mem[0x7ffff7de447e] = '\xff'
|
|
mem[0x7fffffffd878] = '\x7f'
|
|
mem[0x7fffffffd879] = 'D'
|
|
mem[0x7fffffffd87a] = '\xde'
|
|
mem[0x7fffffffd87b] = '\xf7'
|
|
mem[0x7fffffffd87c] = '\xff'
|
|
mem[0x7fffffffd87d] = '\x7f'
|
|
mem[0x7fffffffd87e] = '\x00'
|
|
mem[0x7fffffffd87f] = '\x00'
|
|
cpu.RSP = 0x7fffffffd880
|
|
cpu.RIP = 0x7ffff7de447a
|
|
cpu.RBP = 0x7fffffffd9a0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffd880], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd881], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd882], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd883], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd884], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd885], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd886], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd887], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd888], 'H')
|
|
self.assertEqual(mem[0x7fffffffd87a], '\xde')
|
|
self.assertEqual(mem[0x7fffffffd87b], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffd87c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd87d], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd87e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd878], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd879], 'D')
|
|
self.assertEqual(mem[0x7ffff7de447a], '\xe8')
|
|
self.assertEqual(mem[0x7ffff7de447b], '\x81')
|
|
self.assertEqual(mem[0x7ffff7de447c], '\xf3')
|
|
self.assertEqual(mem[0x7ffff7de447d], '\xff')
|
|
self.assertEqual(mem[0x7ffff7de447e], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd87f], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488345208L)
|
|
self.assertEqual(cpu.RIP, 140737351923712L)
|
|
self.assertEqual(cpu.RBP, 140737488345504L)
|
|
|
|
def test_CALL_5(self):
|
|
''' Instruction CALL_5
|
|
Groups: call, mode64
|
|
0x7ffff7de40a6: call 0x7ffff7de3660
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffd808] = '\xab'
|
|
mem[0x7fffffffd809] = '@'
|
|
mem[0x7fffffffd80a] = '\xde'
|
|
mem[0x7fffffffd80b] = '\xf7'
|
|
mem[0x7fffffffd80c] = '\xff'
|
|
mem[0x7fffffffd80d] = '\x7f'
|
|
mem[0x7fffffffd80e] = '\x00'
|
|
mem[0x7fffffffd80f] = '\x00'
|
|
mem[0x7fffffffd810] = '\xec'
|
|
mem[0x7fffffffd811] = '\x04'
|
|
mem[0x7fffffffd812] = '\x00'
|
|
mem[0x7fffffffd813] = '\x00'
|
|
mem[0x7fffffffd814] = '\x00'
|
|
mem[0x7fffffffd815] = '\x00'
|
|
mem[0x7fffffffd816] = '\x00'
|
|
mem[0x7fffffffd817] = '\x00'
|
|
mem[0x7fffffffd818] = '\xd8'
|
|
mem[0x7ffff7de40a6] = '\xe8'
|
|
mem[0x7ffff7de40a7] = '\xb5'
|
|
mem[0x7ffff7de40a8] = '\xf5'
|
|
mem[0x7ffff7de40a9] = '\xff'
|
|
mem[0x7ffff7de40aa] = '\xff'
|
|
cpu.RSP = 0x7fffffffd810
|
|
cpu.RIP = 0x7ffff7de40a6
|
|
cpu.RBP = 0x7fffffffd900
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffd808], '\xab')
|
|
self.assertEqual(mem[0x7fffffffd809], '@')
|
|
self.assertEqual(mem[0x7fffffffd80a], '\xde')
|
|
self.assertEqual(mem[0x7fffffffd80b], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffd80c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd80d], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd80e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd80f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd810], '\xec')
|
|
self.assertEqual(mem[0x7fffffffd811], '\x04')
|
|
self.assertEqual(mem[0x7fffffffd812], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd813], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd814], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd815], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd816], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd817], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd818], '\xd8')
|
|
self.assertEqual(mem[0x7ffff7de40a6], '\xe8')
|
|
self.assertEqual(mem[0x7ffff7de40a7], '\xb5')
|
|
self.assertEqual(mem[0x7ffff7de40a8], '\xf5')
|
|
self.assertEqual(mem[0x7ffff7de40a9], '\xff')
|
|
self.assertEqual(mem[0x7ffff7de40aa], '\xff')
|
|
self.assertEqual(cpu.RSP, 140737488345096L)
|
|
self.assertEqual(cpu.RIP, 140737351923296L)
|
|
self.assertEqual(cpu.RBP, 140737488345344L)
|
|
|
|
def test_CALL_6(self):
|
|
''' Instruction CALL_6
|
|
Groups: call, mode64
|
|
0x45f878: call 0x413490
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0045f000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffdb00] = '\x01'
|
|
mem[0x7fffffffdb01] = 'S'
|
|
mem[0x7fffffffdb02] = 'J'
|
|
mem[0x7fffffffdb03] = '\x00'
|
|
mem[0x7fffffffdb04] = '\x00'
|
|
mem[0x7fffffffdb05] = '\x00'
|
|
mem[0x7fffffffdb06] = '\x00'
|
|
mem[0x7fffffffdb07] = '\x00'
|
|
mem[0x7fffffffdb08] = '\xf4'
|
|
mem[0x0045f878] = '\xe8'
|
|
mem[0x0045f879] = '\x13'
|
|
mem[0x0045f87a] = '<'
|
|
mem[0x0045f87b] = '\xfb'
|
|
mem[0x0045f87c] = '\xff'
|
|
mem[0x7fffffffdaf8] = '9'
|
|
mem[0x7fffffffdaf9] = '\xf8'
|
|
mem[0x7fffffffdafa] = 'E'
|
|
mem[0x7fffffffdafb] = '\x00'
|
|
mem[0x7fffffffdafc] = '\x00'
|
|
mem[0x7fffffffdafd] = '\x00'
|
|
mem[0x7fffffffdafe] = '\x00'
|
|
mem[0x7fffffffdaff] = '\x00'
|
|
cpu.RSP = 0x7fffffffdb00
|
|
cpu.RIP = 0x45f878
|
|
cpu.RBP = 0x7fffffffdb20
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffdb00], '\x01')
|
|
self.assertEqual(mem[0x7fffffffdb01], 'S')
|
|
self.assertEqual(mem[0x7fffffffdb02], 'J')
|
|
self.assertEqual(mem[0x7fffffffdb03], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb04], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb05], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb06], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb07], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb08], '\xf4')
|
|
self.assertEqual(mem[0x7fffffffdaf8], '}')
|
|
self.assertEqual(mem[0x7fffffffdaf9], '\xf8')
|
|
self.assertEqual(mem[0x7fffffffdafa], 'E')
|
|
self.assertEqual(mem[0x7fffffffdafb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdafc], '\x00')
|
|
self.assertEqual(mem[0x45f878], '\xe8')
|
|
self.assertEqual(mem[0x45f879], '\x13')
|
|
self.assertEqual(mem[0x45f87a], '<')
|
|
self.assertEqual(mem[0x45f87b], '\xfb')
|
|
self.assertEqual(mem[0x45f87c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdafd], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdafe], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaff], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488345848L)
|
|
self.assertEqual(cpu.RIP, 4273296L)
|
|
self.assertEqual(cpu.RBP, 140737488345888L)
|
|
|
|
def test_CDQE_1(self):
|
|
''' Instruction CDQE_1
|
|
Groups:
|
|
0x400aa0: cdqe
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x00400aa0] = 'H'
|
|
mem[0x00400aa1] = '\x98'
|
|
cpu.RIP = 0x400aa0
|
|
cpu.RAX = 0x92
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x400aa0], 'H')
|
|
self.assertEqual(mem[0x400aa1], '\x98')
|
|
self.assertEqual(cpu.RAX, 146L)
|
|
self.assertEqual(cpu.RIP, 4197026L)
|
|
|
|
def test_CDQE_2(self):
|
|
''' Instruction CDQE_2
|
|
Groups:
|
|
0x400aa0: cdqe
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x00400aa0] = 'H'
|
|
mem[0x00400aa1] = '\x98'
|
|
cpu.RIP = 0x400aa0
|
|
cpu.RAX = 0x5a
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x400aa0], 'H')
|
|
self.assertEqual(mem[0x400aa1], '\x98')
|
|
self.assertEqual(cpu.RAX, 90L)
|
|
self.assertEqual(cpu.RIP, 4197026L)
|
|
|
|
def test_CDQE_3(self):
|
|
''' Instruction CDQE_3
|
|
Groups:
|
|
0x400aa0: cdqe
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x00400aa0] = 'H'
|
|
mem[0x00400aa1] = '\x98'
|
|
cpu.RIP = 0x400aa0
|
|
cpu.RAX = 0x80
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x400aa0], 'H')
|
|
self.assertEqual(mem[0x400aa1], '\x98')
|
|
self.assertEqual(cpu.RAX, 128L)
|
|
self.assertEqual(cpu.RIP, 4197026L)
|
|
|
|
def test_CDQE_4(self):
|
|
''' Instruction CDQE_4
|
|
Groups:
|
|
0x400acf: cdqe
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x00400ad0] = '\x98'
|
|
mem[0x00400acf] = 'H'
|
|
cpu.RIP = 0x400acf
|
|
cpu.RAX = 0x98
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x400ad0], '\x98')
|
|
self.assertEqual(mem[0x400acf], 'H')
|
|
self.assertEqual(cpu.RAX, 152L)
|
|
self.assertEqual(cpu.RIP, 4197073L)
|
|
|
|
def test_CDQE_5(self):
|
|
''' Instruction CDQE_5
|
|
Groups:
|
|
0x400aa0: cdqe
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x00400aa0] = 'H'
|
|
mem[0x00400aa1] = '\x98'
|
|
cpu.RIP = 0x400aa0
|
|
cpu.RAX = 0x73
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x400aa0], 'H')
|
|
self.assertEqual(mem[0x400aa1], '\x98')
|
|
self.assertEqual(cpu.RAX, 115L)
|
|
self.assertEqual(cpu.RIP, 4197026L)
|
|
|
|
def test_CDQE_6(self):
|
|
''' Instruction CDQE_6
|
|
Groups:
|
|
0x400b07: cdqe
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x00400b08] = '\x98'
|
|
mem[0x00400b07] = 'H'
|
|
cpu.RIP = 0x400b07
|
|
cpu.RAX = 0xc6
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x400b08], '\x98')
|
|
self.assertEqual(mem[0x400b07], 'H')
|
|
self.assertEqual(cpu.RAX, 198L)
|
|
self.assertEqual(cpu.RIP, 4197129L)
|
|
|
|
def test_CLC_1(self):
|
|
''' Instruction CLC_1
|
|
Groups:
|
|
0x46a9fc: clc
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0046a000, 0x1000, 'rwx')
|
|
mem[0x0046a9fc] = '\xf8'
|
|
cpu.CF = True
|
|
cpu.RIP = 0x46a9fc
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x46a9fc], '\xf8')
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4631037L)
|
|
|
|
def test_CLC_2(self):
|
|
''' Instruction CLC_2
|
|
Groups:
|
|
0x7542c8: clc
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00754000, 0x1000, 'rwx')
|
|
mem[0x007542c8] = '\xf8'
|
|
cpu.CF = True
|
|
cpu.RIP = 0x7542c8
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7542c8], '\xf8')
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 7684809L)
|
|
|
|
def test_CLC_3(self):
|
|
''' Instruction CLC_3
|
|
Groups:
|
|
0x4b473c: clc
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004b4000, 0x1000, 'rwx')
|
|
mem[0x004b473c] = '\xf8'
|
|
cpu.CF = True
|
|
cpu.RIP = 0x4b473c
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4b473c], '\xf8')
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4933437L)
|
|
|
|
def test_CLC_4(self):
|
|
''' Instruction CLC_4
|
|
Groups:
|
|
0x49d4dd: clc
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0049d000, 0x1000, 'rwx')
|
|
mem[0x0049d4dd] = '\xf8'
|
|
cpu.CF = True
|
|
cpu.RIP = 0x49d4dd
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x49d4dd], '\xf8')
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4838622L)
|
|
|
|
def test_CLC_5(self):
|
|
''' Instruction CLC_5
|
|
Groups:
|
|
0x4fd621: clc
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004fd000, 0x1000, 'rwx')
|
|
mem[0x004fd621] = '\xf8'
|
|
cpu.CF = True
|
|
cpu.RIP = 0x4fd621
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4fd621], '\xf8')
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 5232162L)
|
|
|
|
def test_CLC_6(self):
|
|
''' Instruction CLC_6
|
|
Groups:
|
|
0x4fadef: clc
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004fa000, 0x1000, 'rwx')
|
|
mem[0x004fadef] = '\xf8'
|
|
cpu.CF = True
|
|
cpu.RIP = 0x4fadef
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4fadef], '\xf8')
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 5221872L)
|
|
|
|
def test_CMOVAE_1(self):
|
|
''' Instruction CMOVAE_1
|
|
Groups: cmov
|
|
0x4117e8: cmovae rax, r10
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem[0x004117e8] = 'I'
|
|
mem[0x004117e9] = '\x0f'
|
|
mem[0x004117ea] = 'C'
|
|
mem[0x004117eb] = '\xc2'
|
|
cpu.RIP = 0x4117e8
|
|
cpu.CF = False
|
|
cpu.RAX = 0x20
|
|
cpu.R10 = 0x20
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4117e8], 'I')
|
|
self.assertEqual(mem[0x4117e9], '\x0f')
|
|
self.assertEqual(mem[0x4117ea], 'C')
|
|
self.assertEqual(mem[0x4117eb], '\xc2')
|
|
self.assertEqual(cpu.RAX, 32L)
|
|
self.assertEqual(cpu.RIP, 4265964L)
|
|
self.assertEqual(cpu.R10, 32L)
|
|
|
|
def test_CMOVAE_2(self):
|
|
''' Instruction CMOVAE_2
|
|
Groups: cmov
|
|
0x414318: cmovae rax, r10
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00414000, 0x1000, 'rwx')
|
|
mem[0x00414318] = 'I'
|
|
mem[0x00414319] = '\x0f'
|
|
mem[0x0041431a] = 'C'
|
|
mem[0x0041431b] = '\xc2'
|
|
cpu.RIP = 0x414318
|
|
cpu.CF = False
|
|
cpu.RAX = 0x20
|
|
cpu.R10 = 0x20
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x414318], 'I')
|
|
self.assertEqual(mem[0x414319], '\x0f')
|
|
self.assertEqual(mem[0x41431a], 'C')
|
|
self.assertEqual(mem[0x41431b], '\xc2')
|
|
self.assertEqual(cpu.RAX, 32L)
|
|
self.assertEqual(cpu.RIP, 4277020L)
|
|
self.assertEqual(cpu.R10, 32L)
|
|
|
|
def test_CMOVAE_3(self):
|
|
''' Instruction CMOVAE_3
|
|
Groups: cmov
|
|
0x5555555662c8: cmovae rdx, rbx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555566000, 0x1000, 'rwx')
|
|
mem[0x5555555662c8] = 'H'
|
|
mem[0x5555555662c9] = '\x0f'
|
|
mem[0x5555555662ca] = 'C'
|
|
mem[0x5555555662cb] = '\xd3'
|
|
cpu.RDX = 0xffffffffffffffff
|
|
cpu.CF = False
|
|
cpu.RIP = 0x5555555662c8
|
|
cpu.RBX = 0x7
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x5555555662c8], 'H')
|
|
self.assertEqual(mem[0x5555555662c9], '\x0f')
|
|
self.assertEqual(mem[0x5555555662ca], 'C')
|
|
self.assertEqual(mem[0x5555555662cb], '\xd3')
|
|
self.assertEqual(cpu.RDX, 7L)
|
|
self.assertEqual(cpu.RIP, 93824992305868L)
|
|
self.assertEqual(cpu.RBX, 7L)
|
|
|
|
def test_CMOVAE_4(self):
|
|
''' Instruction CMOVAE_4
|
|
Groups: cmov
|
|
0x411778: cmovae rax, r10
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem[0x00411778] = 'I'
|
|
mem[0x00411779] = '\x0f'
|
|
mem[0x0041177a] = 'C'
|
|
mem[0x0041177b] = '\xc2'
|
|
cpu.RIP = 0x411778
|
|
cpu.CF = False
|
|
cpu.RAX = 0x20
|
|
cpu.R10 = 0x4a0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x411778], 'I')
|
|
self.assertEqual(mem[0x411779], '\x0f')
|
|
self.assertEqual(mem[0x41177a], 'C')
|
|
self.assertEqual(mem[0x41177b], '\xc2')
|
|
self.assertEqual(cpu.RAX, 1184L)
|
|
self.assertEqual(cpu.RIP, 4265852L)
|
|
self.assertEqual(cpu.R10, 1184L)
|
|
|
|
def test_CMOVAE_5(self):
|
|
''' Instruction CMOVAE_5
|
|
Groups: cmov
|
|
0x411778: cmovae rax, r10
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem[0x00411778] = 'I'
|
|
mem[0x00411779] = '\x0f'
|
|
mem[0x0041177a] = 'C'
|
|
mem[0x0041177b] = '\xc2'
|
|
cpu.RIP = 0x411778
|
|
cpu.CF = False
|
|
cpu.RAX = 0x20
|
|
cpu.R10 = 0x20
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x411778], 'I')
|
|
self.assertEqual(mem[0x411779], '\x0f')
|
|
self.assertEqual(mem[0x41177a], 'C')
|
|
self.assertEqual(mem[0x41177b], '\xc2')
|
|
self.assertEqual(cpu.RAX, 32L)
|
|
self.assertEqual(cpu.RIP, 4265852L)
|
|
self.assertEqual(cpu.R10, 32L)
|
|
|
|
def test_CMOVAE_6(self):
|
|
''' Instruction CMOVAE_6
|
|
Groups: cmov
|
|
0x411b58: cmovae rax, r10
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem[0x00411b58] = 'I'
|
|
mem[0x00411b59] = '\x0f'
|
|
mem[0x00411b5a] = 'C'
|
|
mem[0x00411b5b] = '\xc2'
|
|
cpu.RIP = 0x411b58
|
|
cpu.CF = False
|
|
cpu.RAX = 0x20
|
|
cpu.R10 = 0x50
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x411b58], 'I')
|
|
self.assertEqual(mem[0x411b59], '\x0f')
|
|
self.assertEqual(mem[0x411b5a], 'C')
|
|
self.assertEqual(mem[0x411b5b], '\xc2')
|
|
self.assertEqual(cpu.RAX, 80L)
|
|
self.assertEqual(cpu.RIP, 4266844L)
|
|
self.assertEqual(cpu.R10, 80L)
|
|
|
|
def test_CMOVA_1(self):
|
|
''' Instruction CMOVA_1
|
|
Groups: cmov
|
|
0x7ffff7de0ab0: cmova rax, r8
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de0ab0] = 'I'
|
|
mem[0x7ffff7de0ab1] = '\x0f'
|
|
mem[0x7ffff7de0ab2] = 'G'
|
|
mem[0x7ffff7de0ab3] = '\xc0'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7de0ab0
|
|
cpu.R8 = 0x7ffff7dd9398
|
|
cpu.CF = True
|
|
cpu.RAX = 0x7ffff7dd5000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de0ab0], 'I')
|
|
self.assertEqual(mem[0x7ffff7de0ab1], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de0ab2], 'G')
|
|
self.assertEqual(mem[0x7ffff7de0ab3], '\xc0')
|
|
self.assertEqual(cpu.R8, 140737351881624L)
|
|
self.assertEqual(cpu.RAX, 140737351864320L)
|
|
self.assertEqual(cpu.RIP, 140737351912116L)
|
|
|
|
def test_CMOVA_2(self):
|
|
''' Instruction CMOVA_2
|
|
Groups: cmov
|
|
0x7ffff7a9d404: cmova rbx, rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a9d000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a9d404] = 'H'
|
|
mem[0x7ffff7a9d405] = '\x0f'
|
|
mem[0x7ffff7a9d406] = 'G'
|
|
mem[0x7ffff7a9d407] = '\xd8'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7a9d404
|
|
cpu.CF = True
|
|
cpu.RAX = 0x7fffffff
|
|
cpu.RBX = 0x14
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a9d404], 'H')
|
|
self.assertEqual(mem[0x7ffff7a9d405], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7a9d406], 'G')
|
|
self.assertEqual(mem[0x7ffff7a9d407], '\xd8')
|
|
self.assertEqual(cpu.RAX, 2147483647L)
|
|
self.assertEqual(cpu.RIP, 140737348490248L)
|
|
self.assertEqual(cpu.RBX, 20L)
|
|
|
|
def test_CMOVA_3(self):
|
|
''' Instruction CMOVA_3
|
|
Groups: cmov
|
|
0x4082a4: cmova rbx, rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00408000, 0x1000, 'rwx')
|
|
mem[0x004082a4] = 'H'
|
|
mem[0x004082a5] = '\x0f'
|
|
mem[0x004082a6] = 'G'
|
|
mem[0x004082a7] = '\xd8'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x4082a4
|
|
cpu.CF = True
|
|
cpu.RAX = 0x7fffffff
|
|
cpu.RBX = 0xb
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4082a4], 'H')
|
|
self.assertEqual(mem[0x4082a5], '\x0f')
|
|
self.assertEqual(mem[0x4082a6], 'G')
|
|
self.assertEqual(mem[0x4082a7], '\xd8')
|
|
self.assertEqual(cpu.RAX, 2147483647L)
|
|
self.assertEqual(cpu.RIP, 4227752L)
|
|
self.assertEqual(cpu.RBX, 11L)
|
|
|
|
def test_CMOVA_4(self):
|
|
''' Instruction CMOVA_4
|
|
Groups: cmov
|
|
0x41462a: cmova rdx, r13
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00414000, 0x1000, 'rwx')
|
|
mem[0x0041462a] = 'I'
|
|
mem[0x0041462b] = '\x0f'
|
|
mem[0x0041462c] = 'G'
|
|
mem[0x0041462d] = '\xd5'
|
|
cpu.RDX = 0x4a0
|
|
cpu.ZF = False
|
|
cpu.R13 = 0x21df0
|
|
cpu.RIP = 0x41462a
|
|
cpu.CF = True
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x41462a], 'I')
|
|
self.assertEqual(mem[0x41462b], '\x0f')
|
|
self.assertEqual(mem[0x41462c], 'G')
|
|
self.assertEqual(mem[0x41462d], '\xd5')
|
|
self.assertEqual(cpu.RDX, 1184L)
|
|
self.assertEqual(cpu.RIP, 4277806L)
|
|
self.assertEqual(cpu.R13, 138736L)
|
|
|
|
def test_CMOVA_5(self):
|
|
''' Instruction CMOVA_5
|
|
Groups: cmov
|
|
0x41424a: cmova rdx, r13
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00414000, 0x1000, 'rwx')
|
|
mem[0x0041424a] = 'I'
|
|
mem[0x0041424b] = '\x0f'
|
|
mem[0x0041424c] = 'G'
|
|
mem[0x0041424d] = '\xd5'
|
|
cpu.RDX = 0x4a0
|
|
cpu.ZF = False
|
|
cpu.R13 = 0x21df0
|
|
cpu.RIP = 0x41424a
|
|
cpu.CF = True
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x41424a], 'I')
|
|
self.assertEqual(mem[0x41424b], '\x0f')
|
|
self.assertEqual(mem[0x41424c], 'G')
|
|
self.assertEqual(mem[0x41424d], '\xd5')
|
|
self.assertEqual(cpu.RDX, 1184L)
|
|
self.assertEqual(cpu.RIP, 4276814L)
|
|
self.assertEqual(cpu.R13, 138736L)
|
|
|
|
def test_CMOVA_6(self):
|
|
''' Instruction CMOVA_6
|
|
Groups: cmov
|
|
0x4142ba: cmova rdx, r13
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00414000, 0x1000, 'rwx')
|
|
mem[0x004142ba] = 'I'
|
|
mem[0x004142bb] = '\x0f'
|
|
mem[0x004142bc] = 'G'
|
|
mem[0x004142bd] = '\xd5'
|
|
cpu.RDX = 0x4a0
|
|
cpu.ZF = False
|
|
cpu.R13 = 0x21df0
|
|
cpu.RIP = 0x4142ba
|
|
cpu.CF = True
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4142ba], 'I')
|
|
self.assertEqual(mem[0x4142bb], '\x0f')
|
|
self.assertEqual(mem[0x4142bc], 'G')
|
|
self.assertEqual(mem[0x4142bd], '\xd5')
|
|
self.assertEqual(cpu.RDX, 1184L)
|
|
self.assertEqual(cpu.RIP, 4276926L)
|
|
self.assertEqual(cpu.R13, 138736L)
|
|
|
|
def test_CMOVBE_1(self):
|
|
''' Instruction CMOVBE_1
|
|
Groups: cmov
|
|
0x40d233: cmovbe rbx, r14
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040d000, 0x1000, 'rwx')
|
|
mem[0x0040d233] = 'I'
|
|
mem[0x0040d234] = '\x0f'
|
|
mem[0x0040d235] = 'F'
|
|
mem[0x0040d236] = '\xde'
|
|
cpu.ZF = False
|
|
cpu.RBX = 0x1000
|
|
cpu.R14 = 0x20
|
|
cpu.RIP = 0x40d233
|
|
cpu.CF = True
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x40d233], 'I')
|
|
self.assertEqual(mem[0x40d234], '\x0f')
|
|
self.assertEqual(mem[0x40d235], 'F')
|
|
self.assertEqual(mem[0x40d236], '\xde')
|
|
self.assertEqual(cpu.R14, 32L)
|
|
self.assertEqual(cpu.RIP, 4248119L)
|
|
self.assertEqual(cpu.RBX, 32L)
|
|
|
|
def test_CMOVBE_2(self):
|
|
''' Instruction CMOVBE_2
|
|
Groups: cmov
|
|
0x7ffff7aa96b3: cmovbe rbx, r14
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7aa9000, 0x1000, 'rwx')
|
|
mem[0x7ffff7aa96b3] = 'I'
|
|
mem[0x7ffff7aa96b4] = '\x0f'
|
|
mem[0x7ffff7aa96b5] = 'F'
|
|
mem[0x7ffff7aa96b6] = '\xde'
|
|
cpu.ZF = False
|
|
cpu.RBX = 0x2000
|
|
cpu.R14 = 0x4
|
|
cpu.RIP = 0x7ffff7aa96b3
|
|
cpu.CF = True
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7aa96b3], 'I')
|
|
self.assertEqual(mem[0x7ffff7aa96b4], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7aa96b5], 'F')
|
|
self.assertEqual(mem[0x7ffff7aa96b6], '\xde')
|
|
self.assertEqual(cpu.R14, 4L)
|
|
self.assertEqual(cpu.RIP, 140737348540087L)
|
|
self.assertEqual(cpu.RBX, 4L)
|
|
|
|
def test_CMOVBE_3(self):
|
|
''' Instruction CMOVBE_3
|
|
Groups: cmov
|
|
0x7ffff7aa96b3: cmovbe rbx, r14
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7aa9000, 0x1000, 'rwx')
|
|
mem[0x7ffff7aa96b3] = 'I'
|
|
mem[0x7ffff7aa96b4] = '\x0f'
|
|
mem[0x7ffff7aa96b5] = 'F'
|
|
mem[0x7ffff7aa96b6] = '\xde'
|
|
cpu.ZF = False
|
|
cpu.RBX = 0x1000
|
|
cpu.R14 = 0x13
|
|
cpu.RIP = 0x7ffff7aa96b3
|
|
cpu.CF = True
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7aa96b3], 'I')
|
|
self.assertEqual(mem[0x7ffff7aa96b4], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7aa96b5], 'F')
|
|
self.assertEqual(mem[0x7ffff7aa96b6], '\xde')
|
|
self.assertEqual(cpu.R14, 19L)
|
|
self.assertEqual(cpu.RIP, 140737348540087L)
|
|
self.assertEqual(cpu.RBX, 19L)
|
|
|
|
def test_CMOVBE_4(self):
|
|
''' Instruction CMOVBE_4
|
|
Groups: cmov
|
|
0x40d263: cmovbe rbx, r14
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040d000, 0x1000, 'rwx')
|
|
mem[0x0040d263] = 'I'
|
|
mem[0x0040d264] = '\x0f'
|
|
mem[0x0040d265] = 'F'
|
|
mem[0x0040d266] = '\xde'
|
|
cpu.ZF = False
|
|
cpu.RBX = 0x1000
|
|
cpu.R14 = 0x13
|
|
cpu.RIP = 0x40d263
|
|
cpu.CF = True
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x40d263], 'I')
|
|
self.assertEqual(mem[0x40d264], '\x0f')
|
|
self.assertEqual(mem[0x40d265], 'F')
|
|
self.assertEqual(mem[0x40d266], '\xde')
|
|
self.assertEqual(cpu.R14, 19L)
|
|
self.assertEqual(cpu.RIP, 4248167L)
|
|
self.assertEqual(cpu.RBX, 19L)
|
|
|
|
def test_CMOVBE_5(self):
|
|
''' Instruction CMOVBE_5
|
|
Groups: cmov
|
|
0x7ffff7aa96b3: cmovbe rbx, r14
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7aa9000, 0x1000, 'rwx')
|
|
mem[0x7ffff7aa96b3] = 'I'
|
|
mem[0x7ffff7aa96b4] = '\x0f'
|
|
mem[0x7ffff7aa96b5] = 'F'
|
|
mem[0x7ffff7aa96b6] = '\xde'
|
|
cpu.ZF = False
|
|
cpu.RBX = 0x1000
|
|
cpu.R14 = 0x13
|
|
cpu.RIP = 0x7ffff7aa96b3
|
|
cpu.CF = True
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7aa96b3], 'I')
|
|
self.assertEqual(mem[0x7ffff7aa96b4], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7aa96b5], 'F')
|
|
self.assertEqual(mem[0x7ffff7aa96b6], '\xde')
|
|
self.assertEqual(cpu.R14, 19L)
|
|
self.assertEqual(cpu.RIP, 140737348540087L)
|
|
self.assertEqual(cpu.RBX, 19L)
|
|
|
|
def test_CMOVBE_6(self):
|
|
''' Instruction CMOVBE_6
|
|
Groups: cmov
|
|
0x40fde3: cmovbe rbx, r14
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040f000, 0x1000, 'rwx')
|
|
mem[0x0040fde3] = 'I'
|
|
mem[0x0040fde4] = '\x0f'
|
|
mem[0x0040fde5] = 'F'
|
|
mem[0x0040fde6] = '\xde'
|
|
cpu.ZF = False
|
|
cpu.RBX = 0x1000
|
|
cpu.R14 = 0x240
|
|
cpu.RIP = 0x40fde3
|
|
cpu.CF = True
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x40fde3], 'I')
|
|
self.assertEqual(mem[0x40fde4], '\x0f')
|
|
self.assertEqual(mem[0x40fde5], 'F')
|
|
self.assertEqual(mem[0x40fde6], '\xde')
|
|
self.assertEqual(cpu.R14, 576L)
|
|
self.assertEqual(cpu.RIP, 4259303L)
|
|
self.assertEqual(cpu.RBX, 576L)
|
|
|
|
def test_CMOVB_1(self):
|
|
''' Instruction CMOVB_1
|
|
Groups: cmov
|
|
0x7ffff7deb97f: cmovb r12d, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7deb000, 0x1000, 'rwx')
|
|
mem[0x7ffff7deb980] = '\x0f'
|
|
mem[0x7ffff7deb981] = 'B'
|
|
mem[0x7ffff7deb982] = '\xe0'
|
|
mem[0x7ffff7deb97f] = 'D'
|
|
cpu.EAX = 0xa
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7deb97f
|
|
cpu.R12D = 0x1a
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7deb980], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7deb981], 'B')
|
|
self.assertEqual(mem[0x7ffff7deb982], '\xe0')
|
|
self.assertEqual(mem[0x7ffff7deb97f], 'D')
|
|
self.assertEqual(cpu.EAX, 10L)
|
|
self.assertEqual(cpu.R12D, 26L)
|
|
self.assertEqual(cpu.RIP, 140737351956867L)
|
|
|
|
def test_CMOVB_2(self):
|
|
''' Instruction CMOVB_2
|
|
Groups: cmov
|
|
0x7ffff7df45ad: cmovb eax, ecx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df45ad] = '\x0f'
|
|
mem[0x7ffff7df45ae] = 'B'
|
|
mem[0x7ffff7df45af] = '\xc1'
|
|
cpu.EAX = 0x1
|
|
cpu.CF = True
|
|
cpu.RIP = 0x7ffff7df45ad
|
|
cpu.ECX = 0xffffffff
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df45ad], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df45ae], 'B')
|
|
self.assertEqual(mem[0x7ffff7df45af], '\xc1')
|
|
self.assertEqual(cpu.EAX, 4294967295L)
|
|
self.assertEqual(cpu.RIP, 140737351992752L)
|
|
self.assertEqual(cpu.ECX, 4294967295L)
|
|
|
|
def test_CMOVB_3(self):
|
|
''' Instruction CMOVB_3
|
|
Groups: cmov
|
|
0x7ffff7df45ad: cmovb eax, ecx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df45ad] = '\x0f'
|
|
mem[0x7ffff7df45ae] = 'B'
|
|
mem[0x7ffff7df45af] = '\xc1'
|
|
cpu.EAX = 0x1
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7df45ad
|
|
cpu.ECX = 0xffffffff
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df45ad], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df45ae], 'B')
|
|
self.assertEqual(mem[0x7ffff7df45af], '\xc1')
|
|
self.assertEqual(cpu.EAX, 1L)
|
|
self.assertEqual(cpu.RIP, 140737351992752L)
|
|
self.assertEqual(cpu.ECX, 4294967295L)
|
|
|
|
def test_CMOVB_4(self):
|
|
''' Instruction CMOVB_4
|
|
Groups: cmov
|
|
0x7ffff7deb97f: cmovb r12d, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7deb000, 0x1000, 'rwx')
|
|
mem[0x7ffff7deb980] = '\x0f'
|
|
mem[0x7ffff7deb981] = 'B'
|
|
mem[0x7ffff7deb982] = '\xe0'
|
|
mem[0x7ffff7deb97f] = 'D'
|
|
cpu.EAX = 0x12
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7deb97f
|
|
cpu.R12D = 0x1a
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7deb980], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7deb981], 'B')
|
|
self.assertEqual(mem[0x7ffff7deb982], '\xe0')
|
|
self.assertEqual(mem[0x7ffff7deb97f], 'D')
|
|
self.assertEqual(cpu.EAX, 18L)
|
|
self.assertEqual(cpu.R12D, 26L)
|
|
self.assertEqual(cpu.RIP, 140737351956867L)
|
|
|
|
def test_CMOVB_5(self):
|
|
''' Instruction CMOVB_5
|
|
Groups: cmov
|
|
0x7ffff7df45ad: cmovb eax, ecx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df45ad] = '\x0f'
|
|
mem[0x7ffff7df45ae] = 'B'
|
|
mem[0x7ffff7df45af] = '\xc1'
|
|
cpu.EAX = 0x1
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7df45ad
|
|
cpu.ECX = 0xffffffff
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df45ad], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df45ae], 'B')
|
|
self.assertEqual(mem[0x7ffff7df45af], '\xc1')
|
|
self.assertEqual(cpu.EAX, 1L)
|
|
self.assertEqual(cpu.RIP, 140737351992752L)
|
|
self.assertEqual(cpu.ECX, 4294967295L)
|
|
|
|
def test_CMOVB_6(self):
|
|
''' Instruction CMOVB_6
|
|
Groups: cmov
|
|
0x7ffff7df45ad: cmovb eax, ecx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df45ad] = '\x0f'
|
|
mem[0x7ffff7df45ae] = 'B'
|
|
mem[0x7ffff7df45af] = '\xc1'
|
|
cpu.EAX = 0x1
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7df45ad
|
|
cpu.ECX = 0xffffffff
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df45ad], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df45ae], 'B')
|
|
self.assertEqual(mem[0x7ffff7df45af], '\xc1')
|
|
self.assertEqual(cpu.EAX, 1L)
|
|
self.assertEqual(cpu.RIP, 140737351992752L)
|
|
self.assertEqual(cpu.ECX, 4294967295L)
|
|
|
|
def test_CMOVE_1(self):
|
|
''' Instruction CMOVE_1
|
|
Groups: cmov
|
|
0x7ffff7de625e: cmove r8, rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6260] = 'D'
|
|
mem[0x7ffff7de6261] = '\xc0'
|
|
mem[0x7ffff7de625e] = 'L'
|
|
mem[0x7ffff7de625f] = '\x0f'
|
|
cpu.ZF = False
|
|
cpu.R8 = 0x7ffff7ff7c48
|
|
cpu.RIP = 0x7ffff7de625e
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6260], 'D')
|
|
self.assertEqual(mem[0x7ffff7de6261], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7de625e], 'L')
|
|
self.assertEqual(mem[0x7ffff7de625f], '\x0f')
|
|
self.assertEqual(cpu.R8, 140737354103880L)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351934562L)
|
|
|
|
def test_CMOVE_2(self):
|
|
''' Instruction CMOVE_2
|
|
Groups: cmov
|
|
0x415f05: cmove rax, rdx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00415000, 0x1000, 'rwx')
|
|
mem[0x00415f08] = '\xc2'
|
|
mem[0x00415f05] = 'H'
|
|
mem[0x00415f06] = '\x0f'
|
|
mem[0x00415f07] = 'D'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x415f05
|
|
cpu.RAX = 0x6e01c0
|
|
cpu.RDX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x415f08], '\xc2')
|
|
self.assertEqual(mem[0x415f05], 'H')
|
|
self.assertEqual(mem[0x415f06], '\x0f')
|
|
self.assertEqual(mem[0x415f07], 'D')
|
|
self.assertEqual(cpu.RAX, 7209408L)
|
|
self.assertEqual(cpu.RIP, 4284169L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
|
|
def test_CMOVE_3(self):
|
|
''' Instruction CMOVE_3
|
|
Groups: cmov
|
|
0x7ffff7de625e: cmove r8, rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6260] = 'D'
|
|
mem[0x7ffff7de6261] = '\xc0'
|
|
mem[0x7ffff7de625e] = 'L'
|
|
mem[0x7ffff7de625f] = '\x0f'
|
|
cpu.ZF = False
|
|
cpu.R8 = 0x7ffff7ff7c48
|
|
cpu.RIP = 0x7ffff7de625e
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6260], 'D')
|
|
self.assertEqual(mem[0x7ffff7de6261], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7de625e], 'L')
|
|
self.assertEqual(mem[0x7ffff7de625f], '\x0f')
|
|
self.assertEqual(cpu.R8, 140737354103880L)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351934562L)
|
|
|
|
def test_CMOVE_4(self):
|
|
''' Instruction CMOVE_4
|
|
Groups: cmov
|
|
0x7ffff7df2822: cmove rdi, qword ptr [rip + 0x20b886]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df2000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ffe000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df2822] = 'H'
|
|
mem[0x7ffff7df2823] = '\x0f'
|
|
mem[0x7ffff7df2824] = 'D'
|
|
mem[0x7ffff7df2825] = '='
|
|
mem[0x7ffff7df2826] = '\x86'
|
|
mem[0x7ffff7df2827] = '\xb8'
|
|
mem[0x7ffff7df2828] = ' '
|
|
mem[0x7ffff7df2829] = '\x00'
|
|
mem[0x7ffff7ffe0b0] = '0'
|
|
mem[0x7ffff7ffe0b1] = '\x7f'
|
|
mem[0x7ffff7ffe0b2] = '\xff'
|
|
mem[0x7ffff7ffe0b3] = '\xf7'
|
|
mem[0x7ffff7ffe0b4] = '\xff'
|
|
mem[0x7ffff7ffe0b5] = '\x7f'
|
|
mem[0x7ffff7ffe0b6] = '\x00'
|
|
mem[0x7ffff7ffe0b7] = '\x00'
|
|
cpu.ZF = False
|
|
cpu.RDI = 0x7ffff7fd8000
|
|
cpu.RIP = 0x7ffff7df2822
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df2822], 'H')
|
|
self.assertEqual(mem[0x7ffff7df2823], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df2824], 'D')
|
|
self.assertEqual(mem[0x7ffff7df2825], '=')
|
|
self.assertEqual(mem[0x7ffff7df2826], '\x86')
|
|
self.assertEqual(mem[0x7ffff7df2827], '\xb8')
|
|
self.assertEqual(mem[0x7ffff7df2828], ' ')
|
|
self.assertEqual(mem[0x7ffff7df2829], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ffe0b0], '0')
|
|
self.assertEqual(mem[0x7ffff7ffe0b1], '\x7f')
|
|
self.assertEqual(mem[0x7ffff7ffe0b2], '\xff')
|
|
self.assertEqual(mem[0x7ffff7ffe0b3], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7ffe0b4], '\xff')
|
|
self.assertEqual(mem[0x7ffff7ffe0b5], '\x7f')
|
|
self.assertEqual(mem[0x7ffff7ffe0b6], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ffe0b7], '\x00')
|
|
self.assertEqual(cpu.RDI, 140737353973760L)
|
|
self.assertEqual(cpu.RIP, 140737351985194L)
|
|
|
|
def test_CMOVE_5(self):
|
|
''' Instruction CMOVE_5
|
|
Groups: cmov
|
|
0x7ffff7de625e: cmove r8, rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6260] = 'D'
|
|
mem[0x7ffff7de6261] = '\xc0'
|
|
mem[0x7ffff7de625e] = 'L'
|
|
mem[0x7ffff7de625f] = '\x0f'
|
|
cpu.ZF = False
|
|
cpu.R8 = 0x7ffff7ff7c48
|
|
cpu.RIP = 0x7ffff7de625e
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6260], 'D')
|
|
self.assertEqual(mem[0x7ffff7de6261], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7de625e], 'L')
|
|
self.assertEqual(mem[0x7ffff7de625f], '\x0f')
|
|
self.assertEqual(cpu.R8, 140737354103880L)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351934562L)
|
|
|
|
def test_CMOVE_6(self):
|
|
''' Instruction CMOVE_6
|
|
Groups: cmov
|
|
0x7ffff7de625e: cmove r8, rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6260] = 'D'
|
|
mem[0x7ffff7de6261] = '\xc0'
|
|
mem[0x7ffff7de625e] = 'L'
|
|
mem[0x7ffff7de625f] = '\x0f'
|
|
cpu.ZF = False
|
|
cpu.R8 = 0x7ffff7ff7c48
|
|
cpu.RIP = 0x7ffff7de625e
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6260], 'D')
|
|
self.assertEqual(mem[0x7ffff7de6261], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7de625e], 'L')
|
|
self.assertEqual(mem[0x7ffff7de625f], '\x0f')
|
|
self.assertEqual(cpu.R8, 140737354103880L)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351934562L)
|
|
|
|
def test_CMOVNE_1(self):
|
|
''' Instruction CMOVNE_1
|
|
Groups: cmov
|
|
0x462435: cmovne rbx, rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00462000, 0x1000, 'rwx')
|
|
mem[0x00462438] = '\xd8'
|
|
mem[0x00462435] = 'H'
|
|
mem[0x00462436] = '\x0f'
|
|
mem[0x00462437] = 'E'
|
|
cpu.ZF = True
|
|
cpu.RIP = 0x462435
|
|
cpu.RAX = 0x4a5441
|
|
cpu.RBX = 0x6bf6b0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x462438], '\xd8')
|
|
self.assertEqual(mem[0x462435], 'H')
|
|
self.assertEqual(mem[0x462436], '\x0f')
|
|
self.assertEqual(mem[0x462437], 'E')
|
|
self.assertEqual(cpu.RAX, 4871233L)
|
|
self.assertEqual(cpu.RIP, 4596793L)
|
|
self.assertEqual(cpu.RBX, 7075504L)
|
|
|
|
def test_CMOVNE_2(self):
|
|
''' Instruction CMOVNE_2
|
|
Groups: cmov
|
|
0x7ffff7de5776: cmovne r14d, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5778] = 'E'
|
|
mem[0x7ffff7de5779] = '\xf0'
|
|
mem[0x7ffff7de5776] = 'D'
|
|
mem[0x7ffff7de5777] = '\x0f'
|
|
cpu.EAX = 0x10
|
|
cpu.ZF = True
|
|
cpu.R14D = 0x0
|
|
cpu.RIP = 0x7ffff7de5776
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de5778], 'E')
|
|
self.assertEqual(mem[0x7ffff7de5779], '\xf0')
|
|
self.assertEqual(mem[0x7ffff7de5776], 'D')
|
|
self.assertEqual(mem[0x7ffff7de5777], '\x0f')
|
|
self.assertEqual(cpu.EAX, 16L)
|
|
self.assertEqual(cpu.R14D, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351931770L)
|
|
|
|
def test_CMOVNE_3(self):
|
|
''' Instruction CMOVNE_3
|
|
Groups: cmov
|
|
0x7ffff7de57f6: cmovne rbx, rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de57f8] = 'E'
|
|
mem[0x7ffff7de57f9] = '\xd8'
|
|
mem[0x7ffff7de57f6] = 'H'
|
|
mem[0x7ffff7de57f7] = '\x0f'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7de57f6
|
|
cpu.RAX = 0x7ffff7ff7640
|
|
cpu.RBX = 0x7ffff7ff7af1
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de57f8], 'E')
|
|
self.assertEqual(mem[0x7ffff7de57f9], '\xd8')
|
|
self.assertEqual(mem[0x7ffff7de57f6], 'H')
|
|
self.assertEqual(mem[0x7ffff7de57f7], '\x0f')
|
|
self.assertEqual(cpu.RAX, 140737354102336L)
|
|
self.assertEqual(cpu.RIP, 140737351931898L)
|
|
self.assertEqual(cpu.RBX, 140737354102336L)
|
|
|
|
def test_CMOVNE_4(self):
|
|
''' Instruction CMOVNE_4
|
|
Groups: cmov
|
|
0x457ba4: cmovne rsi, rdx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457ba4] = 'H'
|
|
mem[0x00457ba5] = '\x0f'
|
|
mem[0x00457ba6] = 'E'
|
|
mem[0x00457ba7] = '\xf2'
|
|
cpu.ZF = False
|
|
cpu.RSI = 0x8201000080201021
|
|
cpu.RIP = 0x457ba4
|
|
cpu.RDX = 0x41008000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457ba4], 'H')
|
|
self.assertEqual(mem[0x457ba5], '\x0f')
|
|
self.assertEqual(mem[0x457ba6], 'E')
|
|
self.assertEqual(mem[0x457ba7], '\xf2')
|
|
self.assertEqual(cpu.RSI, 1090551808L)
|
|
self.assertEqual(cpu.RIP, 4553640L)
|
|
self.assertEqual(cpu.RDX, 1090551808L)
|
|
|
|
def test_CMOVNE_5(self):
|
|
''' Instruction CMOVNE_5
|
|
Groups: cmov
|
|
0x7ffff7de0910: cmovne esi, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de0910] = '\x0f'
|
|
mem[0x7ffff7de0911] = 'E'
|
|
mem[0x7ffff7de0912] = '\xf0'
|
|
cpu.EAX = 0x1
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7de0910
|
|
cpu.ESI = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de0910], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de0911], 'E')
|
|
self.assertEqual(mem[0x7ffff7de0912], '\xf0')
|
|
self.assertEqual(cpu.EAX, 1L)
|
|
self.assertEqual(cpu.ESI, 1L)
|
|
self.assertEqual(cpu.RIP, 140737351911699L)
|
|
|
|
def test_CMOVNE_6(self):
|
|
''' Instruction CMOVNE_6
|
|
Groups: cmov
|
|
0x457db0: cmovne rcx, rdi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457db0] = 'H'
|
|
mem[0x00457db1] = '\x0f'
|
|
mem[0x00457db2] = 'E'
|
|
mem[0x00457db3] = '\xcf'
|
|
cpu.RCX = 0x7fffffffe01b
|
|
cpu.ZF = False
|
|
cpu.RDI = 0x7fffffffe040
|
|
cpu.RIP = 0x457db0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457db0], 'H')
|
|
self.assertEqual(mem[0x457db1], '\x0f')
|
|
self.assertEqual(mem[0x457db2], 'E')
|
|
self.assertEqual(mem[0x457db3], '\xcf')
|
|
self.assertEqual(cpu.RDI, 140737488347200L)
|
|
self.assertEqual(cpu.RCX, 140737488347200L)
|
|
self.assertEqual(cpu.RIP, 4554164L)
|
|
|
|
def test_CMOVNS_1(self):
|
|
''' Instruction CMOVNS_1
|
|
Groups: cmov
|
|
0x448555: cmovns rax, r11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00448000, 0x1000, 'rwx')
|
|
mem[0x00448558] = '\xc3'
|
|
mem[0x00448555] = 'I'
|
|
mem[0x00448556] = '\x0f'
|
|
mem[0x00448557] = 'I'
|
|
cpu.RIP = 0x448555
|
|
cpu.SF = False
|
|
cpu.RAX = 0x0
|
|
cpu.R11 = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x448558], '\xc3')
|
|
self.assertEqual(mem[0x448555], 'I')
|
|
self.assertEqual(mem[0x448556], '\x0f')
|
|
self.assertEqual(mem[0x448557], 'I')
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.RIP, 4490585L)
|
|
self.assertEqual(cpu.R11, 0L)
|
|
|
|
def test_CMOVNS_2(self):
|
|
''' Instruction CMOVNS_2
|
|
Groups: cmov
|
|
0x448555: cmovns rax, r11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00448000, 0x1000, 'rwx')
|
|
mem[0x00448558] = '\xc3'
|
|
mem[0x00448555] = 'I'
|
|
mem[0x00448556] = '\x0f'
|
|
mem[0x00448557] = 'I'
|
|
cpu.RIP = 0x448555
|
|
cpu.SF = False
|
|
cpu.RAX = 0x0
|
|
cpu.R11 = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x448558], '\xc3')
|
|
self.assertEqual(mem[0x448555], 'I')
|
|
self.assertEqual(mem[0x448556], '\x0f')
|
|
self.assertEqual(mem[0x448557], 'I')
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.RIP, 4490585L)
|
|
self.assertEqual(cpu.R11, 0L)
|
|
|
|
def test_CMPSB_1(self):
|
|
''' Instruction CMPSB_1
|
|
Groups:
|
|
0x40065b: repe cmpsb byte ptr [rsi], byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem.mmap(0x00491000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffda80] = 'Z'
|
|
mem[0x7fffffffda81] = '\xed'
|
|
mem[0x7fffffffda82] = '\xcf'
|
|
mem[0x7fffffffda83] = '\xc2'
|
|
mem[0x00491604] = 'Z'
|
|
mem[0x00491605] = 'A'
|
|
mem[0x00491606] = 'R'
|
|
mem[0x00491607] = 'A'
|
|
mem[0x00491608] = 'Z'
|
|
mem[0x00491609] = 'A'
|
|
mem[0x0049160a] = '\x00'
|
|
mem[0x0049160b] = 'M'
|
|
mem[0x7fffffffda87] = '\xff'
|
|
mem[0x7fffffffda86] = '\x94'
|
|
mem[0x7fffffffda84] = '\xc0'
|
|
mem[0x0040065b] = '\xf3'
|
|
mem[0x0040065c] = '\xa6'
|
|
mem[0x7fffffffda85] = '\xe0'
|
|
cpu.RDI = 0x491604
|
|
cpu.RCX = 0x7
|
|
cpu.RSI = 0x7fffffffda80
|
|
cpu.RIP = 0x40065b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffda80], 'Z')
|
|
self.assertEqual(mem[0x7fffffffda81], '\xed')
|
|
self.assertEqual(mem[0x7fffffffda82], '\xcf')
|
|
self.assertEqual(mem[0x7fffffffda83], '\xc2')
|
|
self.assertEqual(mem[0x491604], 'Z')
|
|
self.assertEqual(mem[0x491605], 'A')
|
|
self.assertEqual(mem[0x491606], 'R')
|
|
self.assertEqual(mem[0x491607], 'A')
|
|
self.assertEqual(mem[0x491608], 'Z')
|
|
self.assertEqual(mem[0x491609], 'A')
|
|
self.assertEqual(mem[0x49160a], '\x00')
|
|
self.assertEqual(mem[0x49160b], 'M')
|
|
self.assertEqual(mem[0x7fffffffda87], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda86], '\x94')
|
|
self.assertEqual(mem[0x7fffffffda84], '\xc0')
|
|
self.assertEqual(mem[0x40065b], '\xf3')
|
|
self.assertEqual(mem[0x40065c], '\xa6')
|
|
self.assertEqual(mem[0x7fffffffda85], '\xe0')
|
|
self.assertEqual(cpu.RCX, 6L)
|
|
self.assertEqual(cpu.RDI, 4789765L)
|
|
self.assertEqual(cpu.RSI, 140737488345729L)
|
|
self.assertEqual(cpu.RIP, 4195931L)
|
|
|
|
def test_CMPSB_2(self):
|
|
''' Instruction CMPSB_2
|
|
Groups:
|
|
0x400657: repe cmpsb byte ptr [rsi], byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem.mmap(0x00491000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffe000, 0x1000, 'rwx')
|
|
mem[0x00400658] = '\xa6'
|
|
mem[0x7fffffffe06a] = 'a'
|
|
mem[0x7fffffffe06b] = 'r'
|
|
mem[0x7fffffffe06c] = 'g'
|
|
mem[0x7fffffffe06d] = '1'
|
|
mem[0x7fffffffe06e] = '\x00'
|
|
mem[0x7fffffffe06f] = 'a'
|
|
mem[0x7fffffffe070] = 'r'
|
|
mem[0x7fffffffe071] = 'g'
|
|
mem[0x00400657] = '\xf3'
|
|
mem[0x00491818] = '-'
|
|
mem[0x00491819] = 'd'
|
|
mem[0x0049181a] = 'o'
|
|
mem[0x0049181b] = 's'
|
|
mem[0x0049181c] = 't'
|
|
mem[0x0049181d] = 'u'
|
|
mem[0x0049181e] = 'f'
|
|
mem[0x00491817] = '-'
|
|
cpu.RDI = 0x491817
|
|
cpu.RCX = 0xa
|
|
cpu.RSI = 0x7fffffffe06a
|
|
cpu.RIP = 0x400657
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffe06b], 'r')
|
|
self.assertEqual(mem[0x7fffffffe071], 'g')
|
|
self.assertEqual(mem[0x7fffffffe06a], 'a')
|
|
self.assertEqual(mem[0x400657], '\xf3')
|
|
self.assertEqual(mem[0x7fffffffe06c], 'g')
|
|
self.assertEqual(mem[0x7fffffffe06d], '1')
|
|
self.assertEqual(mem[0x7fffffffe06e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffe06f], 'a')
|
|
self.assertEqual(mem[0x7fffffffe070], 'r')
|
|
self.assertEqual(mem[0x491818], '-')
|
|
self.assertEqual(mem[0x491817], '-')
|
|
self.assertEqual(mem[0x400658], '\xa6')
|
|
self.assertEqual(mem[0x491819], 'd')
|
|
self.assertEqual(mem[0x49181a], 'o')
|
|
self.assertEqual(mem[0x49181b], 's')
|
|
self.assertEqual(mem[0x49181c], 't')
|
|
self.assertEqual(mem[0x49181d], 'u')
|
|
self.assertEqual(mem[0x49181e], 'f')
|
|
self.assertEqual(cpu.RCX, 9L)
|
|
self.assertEqual(cpu.RDI, 4790296L)
|
|
self.assertEqual(cpu.RSI, 140737488347243L)
|
|
self.assertEqual(cpu.RIP, 4195929L)
|
|
|
|
def test_CMPSB_3(self):
|
|
''' Instruction CMPSB_3
|
|
Groups:
|
|
0x40065b: repe cmpsb byte ptr [rsi], byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem.mmap(0x00491000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffda81] = '\xed'
|
|
mem[0x7fffffffda82] = '\xcf'
|
|
mem[0x7fffffffda83] = '\xc2'
|
|
mem[0x7fffffffda84] = '\xc0'
|
|
mem[0x00491605] = 'A'
|
|
mem[0x00491606] = 'R'
|
|
mem[0x00491607] = 'A'
|
|
mem[0x00491608] = 'Z'
|
|
mem[0x00491609] = 'A'
|
|
mem[0x0049160a] = '\x00'
|
|
mem[0x0049160b] = 'M'
|
|
mem[0x0049160c] = 'e'
|
|
mem[0x7fffffffda86] = '\x94'
|
|
mem[0x7fffffffda88] = '\xea'
|
|
mem[0x7fffffffda87] = '\xff'
|
|
mem[0x0040065b] = '\xf3'
|
|
mem[0x0040065c] = '\xa6'
|
|
mem[0x7fffffffda85] = '\xe0'
|
|
cpu.RDI = 0x491605
|
|
cpu.RCX = 0x6
|
|
cpu.RSI = 0x7fffffffda81
|
|
cpu.RIP = 0x40065b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffda81], '\xed')
|
|
self.assertEqual(mem[0x7fffffffda82], '\xcf')
|
|
self.assertEqual(mem[0x7fffffffda83], '\xc2')
|
|
self.assertEqual(mem[0x7fffffffda84], '\xc0')
|
|
self.assertEqual(mem[0x491605], 'A')
|
|
self.assertEqual(mem[0x491606], 'R')
|
|
self.assertEqual(mem[0x491607], 'A')
|
|
self.assertEqual(mem[0x491608], 'Z')
|
|
self.assertEqual(mem[0x491609], 'A')
|
|
self.assertEqual(mem[0x49160a], '\x00')
|
|
self.assertEqual(mem[0x49160b], 'M')
|
|
self.assertEqual(mem[0x49160c], 'e')
|
|
self.assertEqual(mem[0x7fffffffda86], '\x94')
|
|
self.assertEqual(mem[0x7fffffffda88], '\xea')
|
|
self.assertEqual(mem[0x7fffffffda87], '\xff')
|
|
self.assertEqual(mem[0x40065b], '\xf3')
|
|
self.assertEqual(mem[0x40065c], '\xa6')
|
|
self.assertEqual(mem[0x7fffffffda85], '\xe0')
|
|
self.assertEqual(cpu.RCX, 5L)
|
|
self.assertEqual(cpu.RDI, 4789766L)
|
|
self.assertEqual(cpu.RSI, 140737488345730L)
|
|
self.assertEqual(cpu.RIP, 4195933L)
|
|
|
|
def test_CMPSB_4(self):
|
|
''' Instruction CMPSB_4
|
|
Groups:
|
|
0x400657: repe cmpsb byte ptr [rsi], byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem.mmap(0x00491000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffe000, 0x1000, 'rwx')
|
|
mem[0x7fffffffe065] = 'a'
|
|
mem[0x7fffffffe066] = 'r'
|
|
mem[0x7fffffffe067] = 'g'
|
|
mem[0x7fffffffe068] = '1'
|
|
mem[0x7fffffffe069] = '\x00'
|
|
mem[0x7fffffffe06a] = 'a'
|
|
mem[0x7fffffffe06b] = 'r'
|
|
mem[0x7fffffffe06c] = 'g'
|
|
mem[0x00400658] = '\xa6'
|
|
mem[0x00400657] = '\xf3'
|
|
mem[0x00491818] = '-'
|
|
mem[0x00491819] = 'd'
|
|
mem[0x0049181a] = 'o'
|
|
mem[0x0049181b] = 's'
|
|
mem[0x0049181c] = 't'
|
|
mem[0x0049181d] = 'u'
|
|
mem[0x0049181e] = 'f'
|
|
mem[0x00491817] = '-'
|
|
cpu.RDI = 0x491817
|
|
cpu.RCX = 0xa
|
|
cpu.RSI = 0x7fffffffe065
|
|
cpu.RIP = 0x400657
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffe06b], 'r')
|
|
self.assertEqual(mem[0x7fffffffe065], 'a')
|
|
self.assertEqual(mem[0x7fffffffe066], 'r')
|
|
self.assertEqual(mem[0x7fffffffe067], 'g')
|
|
self.assertEqual(mem[0x7fffffffe068], '1')
|
|
self.assertEqual(mem[0x7fffffffe069], '\x00')
|
|
self.assertEqual(mem[0x7fffffffe06a], 'a')
|
|
self.assertEqual(mem[0x400657], '\xf3')
|
|
self.assertEqual(mem[0x7fffffffe06c], 'g')
|
|
self.assertEqual(mem[0x491818], '-')
|
|
self.assertEqual(mem[0x491817], '-')
|
|
self.assertEqual(mem[0x400658], '\xa6')
|
|
self.assertEqual(mem[0x491819], 'd')
|
|
self.assertEqual(mem[0x49181a], 'o')
|
|
self.assertEqual(mem[0x49181b], 's')
|
|
self.assertEqual(mem[0x49181c], 't')
|
|
self.assertEqual(mem[0x49181d], 'u')
|
|
self.assertEqual(mem[0x49181e], 'f')
|
|
self.assertEqual(cpu.RCX, 9L)
|
|
self.assertEqual(cpu.RDI, 4790296L)
|
|
self.assertEqual(cpu.RSI, 140737488347238L)
|
|
self.assertEqual(cpu.RIP, 4195929L)
|
|
|
|
def test_CMPSB_5(self):
|
|
''' Instruction CMPSB_5
|
|
Groups:
|
|
0x55555555478b: repe cmpsb byte ptr [rsi], byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffda80] = '\xc6'
|
|
mem[0x7fffffffda81] = '\xd9'
|
|
mem[0x7fffffffda82] = 'P'
|
|
mem[0x7fffffffda83] = '%'
|
|
mem[0x7fffffffda84] = '\xc1'
|
|
mem[0x7fffffffda85] = '\xe2'
|
|
mem[0x7fffffffda86] = '\xc9'
|
|
mem[0x7fffffffda87] = '\x7f'
|
|
mem[0x55555555478b] = '\xf3'
|
|
mem[0x55555555478c] = '\xa6'
|
|
mem[0x555555554998] = 'Z'
|
|
mem[0x555555554999] = 'A'
|
|
mem[0x55555555499a] = 'R'
|
|
mem[0x55555555499b] = 'A'
|
|
mem[0x55555555499c] = 'Z'
|
|
mem[0x55555555499d] = 'A'
|
|
mem[0x55555555499e] = '\x00'
|
|
mem[0x55555555499f] = 'M'
|
|
cpu.RDI = 0x555555554998
|
|
cpu.RCX = 0x7
|
|
cpu.RSI = 0x7fffffffda80
|
|
cpu.RIP = 0x55555555478b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffda80], '\xc6')
|
|
self.assertEqual(mem[0x7fffffffda81], '\xd9')
|
|
self.assertEqual(mem[0x7fffffffda82], 'P')
|
|
self.assertEqual(mem[0x7fffffffda83], '%')
|
|
self.assertEqual(mem[0x7fffffffda84], '\xc1')
|
|
self.assertEqual(mem[0x7fffffffda85], '\xe2')
|
|
self.assertEqual(mem[0x7fffffffda86], '\xc9')
|
|
self.assertEqual(mem[0x7fffffffda87], '\x7f')
|
|
self.assertEqual(mem[0x55555555478b], '\xf3')
|
|
self.assertEqual(mem[0x55555555478c], '\xa6')
|
|
self.assertEqual(mem[0x555555554998], 'Z')
|
|
self.assertEqual(mem[0x555555554999], 'A')
|
|
self.assertEqual(mem[0x55555555499a], 'R')
|
|
self.assertEqual(mem[0x55555555499b], 'A')
|
|
self.assertEqual(mem[0x55555555499c], 'Z')
|
|
self.assertEqual(mem[0x55555555499d], 'A')
|
|
self.assertEqual(mem[0x55555555499e], '\x00')
|
|
self.assertEqual(mem[0x55555555499f], 'M')
|
|
self.assertEqual(cpu.RCX, 6L)
|
|
self.assertEqual(cpu.RDI, 93824992233881L)
|
|
self.assertEqual(cpu.RSI, 140737488345729L)
|
|
self.assertEqual(cpu.RIP, 93824992233357L)
|
|
|
|
def test_CMPSB_6(self):
|
|
''' Instruction CMPSB_6
|
|
Groups:
|
|
0x5555555548c0: repe cmpsb byte ptr [rsi], byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x5555555548c0] = '\xf3'
|
|
mem[0x5555555548c1] = '\xa6'
|
|
mem[0x7fffffffda82] = '\xd2'
|
|
mem[0x7fffffffda83] = '\xd0'
|
|
mem[0x7fffffffda84] = '\x1f'
|
|
mem[0x7fffffffda85] = '\x1c'
|
|
mem[0x7fffffffda86] = '('
|
|
mem[0x7fffffffda81] = '\x04'
|
|
mem[0x5555555549a8] = 'Z'
|
|
mem[0x5555555549a9] = 'A'
|
|
mem[0x5555555549aa] = 'R'
|
|
mem[0x5555555549ab] = 'A'
|
|
mem[0x5555555549ac] = 'Z'
|
|
mem[0x5555555549ad] = 'A'
|
|
mem[0x5555555549ae] = '\x00'
|
|
mem[0x5555555549af] = 'M'
|
|
mem[0x7fffffffda87] = 'P'
|
|
mem[0x7fffffffda80] = '\x91'
|
|
cpu.RDI = 0x5555555549a8
|
|
cpu.RCX = 0x7
|
|
cpu.RSI = 0x7fffffffda80
|
|
cpu.RIP = 0x5555555548c0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x5555555548c0], '\xf3')
|
|
self.assertEqual(mem[0x5555555548c1], '\xa6')
|
|
self.assertEqual(mem[0x7fffffffda82], '\xd2')
|
|
self.assertEqual(mem[0x7fffffffda83], '\xd0')
|
|
self.assertEqual(mem[0x7fffffffda84], '\x1f')
|
|
self.assertEqual(mem[0x7fffffffda85], '\x1c')
|
|
self.assertEqual(mem[0x7fffffffda86], '(')
|
|
self.assertEqual(mem[0x7fffffffda81], '\x04')
|
|
self.assertEqual(mem[0x5555555549a8], 'Z')
|
|
self.assertEqual(mem[0x5555555549a9], 'A')
|
|
self.assertEqual(mem[0x5555555549aa], 'R')
|
|
self.assertEqual(mem[0x7fffffffda87], 'P')
|
|
self.assertEqual(mem[0x5555555549ac], 'Z')
|
|
self.assertEqual(mem[0x5555555549ad], 'A')
|
|
self.assertEqual(mem[0x5555555549ae], '\x00')
|
|
self.assertEqual(mem[0x5555555549af], 'M')
|
|
self.assertEqual(mem[0x7fffffffda80], '\x91')
|
|
self.assertEqual(mem[0x5555555549ab], 'A')
|
|
self.assertEqual(cpu.RCX, 6L)
|
|
self.assertEqual(cpu.RDI, 93824992233897L)
|
|
self.assertEqual(cpu.RSI, 140737488345729L)
|
|
self.assertEqual(cpu.RIP, 93824992233666L)
|
|
|
|
def test_CMPXCHG8B_1(self):
|
|
''' Instruction CMPXCHG8B_1
|
|
Groups:
|
|
0x5c68cb: lock cmpxchg8b qword ptr [rsp + 4]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x005c6000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x005c68cb] = '\xf0'
|
|
mem[0x005c68cc] = '\x0f'
|
|
mem[0x005c68cd] = '\xc7'
|
|
mem[0x005c68ce] = 'L'
|
|
mem[0x005c68cf] = '$'
|
|
mem[0x005c68d0] = '\x04'
|
|
mem[0x7fffffffccb4] = '\x80'
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
mem[0x7fffffffccb8] = '\x01'
|
|
mem[0x7fffffffccb9] = '\x80'
|
|
mem[0x7fffffffccba] = '\x00'
|
|
mem[0x7fffffffccbb] = '\x00'
|
|
cpu.EBX = 0x80000001
|
|
cpu.RIP = 0x5c68cb
|
|
cpu.EAX = 0x80000001
|
|
cpu.EDX = 0x8001
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.ECX = 0x80
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x5c68cb], '\xf0')
|
|
self.assertEqual(mem[0x5c68cc], '\x0f')
|
|
self.assertEqual(mem[0x5c68cd], '\xc7')
|
|
self.assertEqual(mem[0x5c68ce], 'L')
|
|
self.assertEqual(mem[0x5c68cf], '$')
|
|
self.assertEqual(mem[0x5c68d0], '\x04')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb8], '\x01')
|
|
self.assertEqual(mem[0x7fffffffccb9], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccba], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbb], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 6056145L)
|
|
self.assertEqual(cpu.EAX, 128L)
|
|
self.assertEqual(cpu.EDX, 32769L)
|
|
self.assertEqual(cpu.EBX, 2147483649L)
|
|
self.assertEqual(cpu.ECX, 128L)
|
|
|
|
def test_CMPXCHG8B_2(self):
|
|
''' Instruction CMPXCHG8B_2
|
|
Groups:
|
|
0x5861a9: lock cmpxchg8b qword ptr [rsp]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00586000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x005861a9] = '\xf0'
|
|
mem[0x005861aa] = '\x0f'
|
|
mem[0x005861ab] = '\xc7'
|
|
mem[0x005861ac] = '\x0c'
|
|
mem[0x005861ad] = '$'
|
|
mem[0x7fffffffccb0] = '\x00'
|
|
mem[0x7fffffffccb1] = '\x00'
|
|
mem[0x7fffffffccb2] = '\x00'
|
|
mem[0x7fffffffccb3] = '\x80'
|
|
mem[0x7fffffffccb4] = '\x00'
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x80'
|
|
cpu.EBX = 0x80000000
|
|
cpu.RIP = 0x5861a9
|
|
cpu.EAX = 0x80000000
|
|
cpu.EDX = 0xffffffff
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.ECX = 0x80000000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x5861a9], '\xf0')
|
|
self.assertEqual(mem[0x5861aa], '\x0f')
|
|
self.assertEqual(mem[0x5861ab], '\xc7')
|
|
self.assertEqual(mem[0x5861ac], '\x0c')
|
|
self.assertEqual(mem[0x5861ad], '$')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x80')
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 5792174L)
|
|
self.assertEqual(cpu.EAX, 2147483648L)
|
|
self.assertEqual(cpu.EDX, 2147483648L)
|
|
self.assertEqual(cpu.EBX, 2147483648L)
|
|
self.assertEqual(cpu.ECX, 2147483648L)
|
|
|
|
def test_CMPXCHG8B_3(self):
|
|
''' Instruction CMPXCHG8B_3
|
|
Groups:
|
|
0x58de05: lock cmpxchg8b qword ptr [rsp]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0058d000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x0058de05] = '\xf0'
|
|
mem[0x0058de06] = '\x0f'
|
|
mem[0x0058de07] = '\xc7'
|
|
mem[0x0058de08] = '\x0c'
|
|
mem[0x0058de09] = '$'
|
|
mem[0x7fffffffccb0] = '\x01'
|
|
mem[0x7fffffffccb1] = '\x00'
|
|
mem[0x7fffffffccb2] = '\x00'
|
|
mem[0x7fffffffccb3] = '\x80'
|
|
mem[0x7fffffffccb4] = '@'
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
cpu.EBX = 0x80000001
|
|
cpu.RIP = 0x58de05
|
|
cpu.EAX = 0x80000001
|
|
cpu.EDX = 0x21
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.ECX = 0x40
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x58de05], '\xf0')
|
|
self.assertEqual(mem[0x58de06], '\x0f')
|
|
self.assertEqual(mem[0x58de07], '\xc7')
|
|
self.assertEqual(mem[0x58de08], '\x0c')
|
|
self.assertEqual(mem[0x58de09], '$')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\x01')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccb4], '@')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 5824010L)
|
|
self.assertEqual(cpu.EAX, 2147483649L)
|
|
self.assertEqual(cpu.EDX, 64L)
|
|
self.assertEqual(cpu.EBX, 2147483649L)
|
|
self.assertEqual(cpu.ECX, 64L)
|
|
|
|
def test_CMPXCHG8B_4(self):
|
|
''' Instruction CMPXCHG8B_4
|
|
Groups:
|
|
0x59b473: lock cmpxchg8b qword ptr [rsp]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0059b000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x0059b476] = '\x0c'
|
|
mem[0x0059b477] = '$'
|
|
mem[0x0059b473] = '\xf0'
|
|
mem[0x7fffffffccb0] = '\xff'
|
|
mem[0x7fffffffccb1] = '\xff'
|
|
mem[0x7fffffffccb2] = '\xff'
|
|
mem[0x7fffffffccb3] = '\xff'
|
|
mem[0x0059b474] = '\x0f'
|
|
mem[0x0059b475] = '\xc7'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
mem[0x7fffffffccb4] = '\x80'
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
cpu.EBX = 0xffffffff
|
|
cpu.RIP = 0x59b473
|
|
cpu.EAX = 0xffffffff
|
|
cpu.EDX = 0x80
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.ECX = 0x80
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\xff')
|
|
self.assertEqual(mem[0x59b473], '\xf0')
|
|
self.assertEqual(mem[0x59b474], '\x0f')
|
|
self.assertEqual(mem[0x59b475], '\xc7')
|
|
self.assertEqual(mem[0x59b476], '\x0c')
|
|
self.assertEqual(mem[0x59b477], '$')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 5878904L)
|
|
self.assertEqual(cpu.EAX, 4294967295L)
|
|
self.assertEqual(cpu.EDX, 128L)
|
|
self.assertEqual(cpu.EBX, 4294967295L)
|
|
self.assertEqual(cpu.ECX, 128L)
|
|
|
|
def test_CMPXCHG8B_5(self):
|
|
''' Instruction CMPXCHG8B_5
|
|
Groups:
|
|
0x624e14: lock cmpxchg8b qword ptr [rsp + 8]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00624000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x00624e14] = '\xf0'
|
|
mem[0x00624e15] = '\x0f'
|
|
mem[0x00624e16] = '\xc7'
|
|
mem[0x00624e17] = 'L'
|
|
mem[0x00624e18] = '$'
|
|
mem[0x00624e19] = '\x08'
|
|
mem[0x7fffffffccb8] = '\x00'
|
|
mem[0x7fffffffccb9] = '\x00'
|
|
mem[0x7fffffffccba] = '\x00'
|
|
mem[0x7fffffffccbb] = '\x80'
|
|
mem[0x7fffffffccbc] = '@'
|
|
mem[0x7fffffffccbd] = '\x00'
|
|
mem[0x7fffffffccbe] = '\x00'
|
|
mem[0x7fffffffccbf] = '\x00'
|
|
cpu.EBX = 0x40
|
|
cpu.RIP = 0x624e14
|
|
cpu.EAX = 0x40
|
|
cpu.EDX = 0x80000000
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.ECX = 0x8001
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x624e14], '\xf0')
|
|
self.assertEqual(mem[0x624e15], '\x0f')
|
|
self.assertEqual(mem[0x624e16], '\xc7')
|
|
self.assertEqual(mem[0x624e17], 'L')
|
|
self.assertEqual(mem[0x624e18], '$')
|
|
self.assertEqual(mem[0x624e19], '\x08')
|
|
self.assertEqual(mem[0x7fffffffccb8], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccba], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbb], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccbc], '@')
|
|
self.assertEqual(mem[0x7fffffffccbd], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbe], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbf], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 6442522L)
|
|
self.assertEqual(cpu.EAX, 2147483648L)
|
|
self.assertEqual(cpu.EDX, 64L)
|
|
self.assertEqual(cpu.EBX, 64L)
|
|
self.assertEqual(cpu.ECX, 32769L)
|
|
|
|
def test_CMPXCHG8B_6(self):
|
|
''' Instruction CMPXCHG8B_6
|
|
Groups:
|
|
0x5bfa73: lock cmpxchg8b qword ptr [rsp + 4]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x005bf000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffccb4] = '\x01'
|
|
mem[0x005bfa76] = 'L'
|
|
mem[0x005bfa77] = '$'
|
|
mem[0x7fffffffccb8] = '\x7f'
|
|
mem[0x005bfa73] = '\xf0'
|
|
mem[0x005bfa74] = '\x0f'
|
|
mem[0x005bfa75] = '\xc7'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
mem[0x005bfa78] = '\x04'
|
|
mem[0x7fffffffccb9] = '\x00'
|
|
mem[0x7fffffffccba] = '\x00'
|
|
mem[0x7fffffffccbb] = '\x00'
|
|
mem[0x7fffffffccb5] = '\x80'
|
|
cpu.EBX = 0x80000000
|
|
cpu.RIP = 0x5bfa73
|
|
cpu.EAX = 0x80000000
|
|
cpu.EDX = 0x7f
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.ECX = 0x8001
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(mem[0x5bfa78], '\x04')
|
|
self.assertEqual(mem[0x7fffffffccb9], '\x00')
|
|
self.assertEqual(mem[0x5bfa73], '\xf0')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\x01')
|
|
self.assertEqual(mem[0x5bfa75], '\xc7')
|
|
self.assertEqual(mem[0x5bfa76], 'L')
|
|
self.assertEqual(mem[0x5bfa77], '$')
|
|
self.assertEqual(mem[0x7fffffffccb8], '\x7f')
|
|
self.assertEqual(mem[0x5bfa74], '\x0f')
|
|
self.assertEqual(mem[0x7fffffffccba], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x80')
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 6027897L)
|
|
self.assertEqual(cpu.EAX, 32769L)
|
|
self.assertEqual(cpu.EDX, 127L)
|
|
self.assertEqual(cpu.EBX, 2147483648L)
|
|
self.assertEqual(cpu.ECX, 32769L)
|
|
|
|
def test_CMPXCHG_1(self):
|
|
''' Instruction CMPXCHG_1
|
|
Groups:
|
|
0x7ffff7a65367: cmpxchg dword ptr [rip + 0x36fde2], esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a65000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7dd5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7dd5150] = '\x00'
|
|
mem[0x7ffff7dd5151] = '\x00'
|
|
mem[0x7ffff7dd5152] = '\x00'
|
|
mem[0x7ffff7dd5153] = '\x00'
|
|
mem[0x7ffff7a65367] = '\x0f'
|
|
mem[0x7ffff7a65368] = '\xb1'
|
|
mem[0x7ffff7a65369] = '5'
|
|
mem[0x7ffff7a6536a] = '\xe2'
|
|
mem[0x7ffff7a6536b] = '\xfd'
|
|
mem[0x7ffff7a6536c] = '6'
|
|
mem[0x7ffff7a6536d] = '\x00'
|
|
cpu.PF = True
|
|
cpu.ESI = 0x1
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.RAX = 0x0
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7a65367
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7dd5150], '\x01')
|
|
self.assertEqual(mem[0x7ffff7dd5151], '\x00')
|
|
self.assertEqual(mem[0x7ffff7dd5152], '\x00')
|
|
self.assertEqual(mem[0x7ffff7dd5153], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a65367], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7a65368], '\xb1')
|
|
self.assertEqual(mem[0x7ffff7a65369], '5')
|
|
self.assertEqual(mem[0x7ffff7a6536a], '\xe2')
|
|
self.assertEqual(mem[0x7ffff7a6536b], '\xfd')
|
|
self.assertEqual(mem[0x7ffff7a6536c], '6')
|
|
self.assertEqual(mem[0x7ffff7a6536d], '\x00')
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.ESI, 1L)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737348260718L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_CMPXCHG_2(self):
|
|
''' Instruction CMPXCHG_2
|
|
Groups:
|
|
0x40abbf: cmpxchg dword ptr [rdx], esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040a000, 0x1000, 'rwx')
|
|
mem.mmap(0x006be000, 0x1000, 'rwx')
|
|
mem[0x0040abc0] = '\xb1'
|
|
mem[0x0040abc1] = '2'
|
|
mem[0x006be762] = '\x00'
|
|
mem[0x006be763] = '\x00'
|
|
mem[0x006be761] = '\x00'
|
|
mem[0x006be760] = '\x00'
|
|
mem[0x0040abbf] = '\x0f'
|
|
cpu.SF = False
|
|
cpu.PF = True
|
|
cpu.ESI = 0x1
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.RAX = 0x0
|
|
cpu.CF = False
|
|
cpu.RIP = 0x40abbf
|
|
cpu.RDX = 0x6be760
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x40abc0], '\xb1')
|
|
self.assertEqual(mem[0x40abc1], '2')
|
|
self.assertEqual(mem[0x6be762], '\x00')
|
|
self.assertEqual(mem[0x6be763], '\x00')
|
|
self.assertEqual(mem[0x6be761], '\x00')
|
|
self.assertEqual(mem[0x40abbf], '\x0f')
|
|
self.assertEqual(mem[0x6be760], '\x01')
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.ESI, 1L)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4238274L)
|
|
self.assertEqual(cpu.RDX, 7071584L)
|
|
|
|
def test_CMPXCHG_3(self):
|
|
''' Instruction CMPXCHG_3
|
|
Groups:
|
|
0x413646: cmpxchg dword ptr [rbx], esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00413000, 0x1000, 'rwx')
|
|
mem.mmap(0x006b9000, 0x1000, 'rwx')
|
|
mem[0x006b9840] = '\x00'
|
|
mem[0x006b9841] = '\x00'
|
|
mem[0x006b9842] = '\x00'
|
|
mem[0x006b9843] = '\x00'
|
|
mem[0x00413646] = '\x0f'
|
|
mem[0x00413647] = '\xb1'
|
|
mem[0x00413648] = '3'
|
|
cpu.PF = True
|
|
cpu.ESI = 0x1
|
|
cpu.RAX = 0x0
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.RBX = 0x6b9840
|
|
cpu.CF = False
|
|
cpu.RIP = 0x413646
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x6b9840], '\x01')
|
|
self.assertEqual(mem[0x6b9841], '\x00')
|
|
self.assertEqual(mem[0x6b9842], '\x00')
|
|
self.assertEqual(mem[0x6b9843], '\x00')
|
|
self.assertEqual(mem[0x413646], '\x0f')
|
|
self.assertEqual(mem[0x413647], '\xb1')
|
|
self.assertEqual(mem[0x413648], '3')
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.ESI, 1L)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.RBX, 7051328L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4273737L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_CMPXCHG_4(self):
|
|
''' Instruction CMPXCHG_4
|
|
Groups:
|
|
0x435a25: cmpxchg qword ptr [rdx], rdi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00435000, 0x1000, 'rwx')
|
|
mem.mmap(0x006bd000, 0x1000, 'rwx')
|
|
mem[0x006bd380] = '\x00'
|
|
mem[0x006bd381] = '\x00'
|
|
mem[0x006bd382] = '\x00'
|
|
mem[0x006bd383] = '\x00'
|
|
mem[0x006bd384] = '\x00'
|
|
mem[0x006bd385] = '\x00'
|
|
mem[0x006bd386] = '\x00'
|
|
mem[0x006bd387] = '\x00'
|
|
mem[0x00435a25] = 'H'
|
|
mem[0x00435a26] = '\x0f'
|
|
mem[0x00435a27] = '\xb1'
|
|
mem[0x00435a28] = ':'
|
|
cpu.SF = False
|
|
cpu.PF = True
|
|
cpu.RAX = 0x0
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.RDI = 0x6bb7c0
|
|
cpu.CF = False
|
|
cpu.RIP = 0x435a25
|
|
cpu.RDX = 0x6bd380
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x6bd380], '\xc0')
|
|
self.assertEqual(mem[0x6bd381], '\xb7')
|
|
self.assertEqual(mem[0x6bd382], 'k')
|
|
self.assertEqual(mem[0x6bd383], '\x00')
|
|
self.assertEqual(mem[0x6bd384], '\x00')
|
|
self.assertEqual(mem[0x6bd385], '\x00')
|
|
self.assertEqual(mem[0x6bd386], '\x00')
|
|
self.assertEqual(mem[0x6bd387], '\x00')
|
|
self.assertEqual(mem[0x435a25], 'H')
|
|
self.assertEqual(mem[0x435a26], '\x0f')
|
|
self.assertEqual(mem[0x435a27], '\xb1')
|
|
self.assertEqual(mem[0x435a28], ':')
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.RDI, 7059392L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4413993L)
|
|
self.assertEqual(cpu.RDX, 7066496L)
|
|
|
|
def test_CMPXCHG_5(self):
|
|
''' Instruction CMPXCHG_5
|
|
Groups:
|
|
0x41086e: cmpxchg dword ptr [rdx], ecx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00410000, 0x1000, 'rwx')
|
|
mem.mmap(0x006be000, 0x1000, 'rwx')
|
|
mem[0x006be760] = '\x00'
|
|
mem[0x006be761] = '\x00'
|
|
mem[0x006be762] = '\x00'
|
|
mem[0x006be763] = '\x00'
|
|
mem[0x0041086e] = '\x0f'
|
|
mem[0x0041086f] = '\xb1'
|
|
mem[0x00410870] = '\n'
|
|
cpu.SF = False
|
|
cpu.PF = True
|
|
cpu.RAX = 0x0
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.ECX = 0x1
|
|
cpu.CF = False
|
|
cpu.RIP = 0x41086e
|
|
cpu.RDX = 0x6be760
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x6be760], '\x01')
|
|
self.assertEqual(mem[0x6be761], '\x00')
|
|
self.assertEqual(mem[0x6be762], '\x00')
|
|
self.assertEqual(mem[0x6be763], '\x00')
|
|
self.assertEqual(mem[0x41086e], '\x0f')
|
|
self.assertEqual(mem[0x41086f], '\xb1')
|
|
self.assertEqual(mem[0x410870], '\n')
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.ECX, 1L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4262001L)
|
|
self.assertEqual(cpu.RDX, 7071584L)
|
|
|
|
def test_CMPXCHG_6(self):
|
|
''' Instruction CMPXCHG_6
|
|
Groups:
|
|
0x7ffff7aafa06: cmpxchg dword ptr [rbx], esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7aaf000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7dd3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7dd3b80] = '\x00'
|
|
mem[0x7ffff7dd3b81] = '\x00'
|
|
mem[0x7ffff7dd3b82] = '\x00'
|
|
mem[0x7ffff7dd3b83] = '\x00'
|
|
mem[0x7ffff7aafa06] = '\x0f'
|
|
mem[0x7ffff7aafa07] = '\xb1'
|
|
mem[0x7ffff7aafa08] = '3'
|
|
cpu.PF = True
|
|
cpu.ESI = 0x1
|
|
cpu.RAX = 0x0
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.RBX = 0x7ffff7dd3b80
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7aafa06
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7dd3b80], '\x01')
|
|
self.assertEqual(mem[0x7ffff7dd3b81], '\x00')
|
|
self.assertEqual(mem[0x7ffff7dd3b82], '\x00')
|
|
self.assertEqual(mem[0x7ffff7dd3b83], '\x00')
|
|
self.assertEqual(mem[0x7ffff7aafa06], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7aafa07], '\xb1')
|
|
self.assertEqual(mem[0x7ffff7aafa08], '3')
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.ESI, 1L)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.RBX, 140737351859072L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737348565513L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_CMP_1(self):
|
|
''' Instruction CMP_1
|
|
Groups:
|
|
0x7ffff7b58f43: cmp r12, r9
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f43] = 'M'
|
|
mem[0x7ffff7b58f44] = '9'
|
|
mem[0x7ffff7b58f45] = '\xcc'
|
|
cpu.SF = False
|
|
cpu.PF = True
|
|
cpu.R12 = 0x7ffff7ab0f80
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7b58f43
|
|
cpu.R9 = 0x7ffff7b23c00
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b58f43], 'M')
|
|
self.assertEqual(mem[0x7ffff7b58f44], '9')
|
|
self.assertEqual(mem[0x7ffff7b58f45], '\xcc')
|
|
self.assertEqual(cpu.SF, True)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.R12, 140737348571008L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737349259078L)
|
|
self.assertEqual(cpu.R9, 140737349041152L)
|
|
|
|
def test_CMP_2(self):
|
|
''' Instruction CMP_2
|
|
Groups:
|
|
0x406e1d: cmp r14w, word ptr [rbx]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffe000, 0x1000, 'rwx')
|
|
mem[0x00406e20] = '3'
|
|
mem[0x7fffffffee69] = 'W'
|
|
mem[0x7fffffffee6a] = 'I'
|
|
mem[0x00406e1d] = 'f'
|
|
mem[0x00406e1e] = 'D'
|
|
mem[0x00406e1f] = ';'
|
|
cpu.R14W = 0x444c
|
|
cpu.PF = True
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RBX = 0x7fffffffee69
|
|
cpu.CF = False
|
|
cpu.RIP = 0x406e1d
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x406e20], '3')
|
|
self.assertEqual(mem[0x7fffffffee69], 'W')
|
|
self.assertEqual(mem[0x7fffffffee6a], 'I')
|
|
self.assertEqual(mem[0x406e1d], 'f')
|
|
self.assertEqual(mem[0x406e1e], 'D')
|
|
self.assertEqual(mem[0x406e1f], ';')
|
|
self.assertEqual(cpu.R14W, 17484L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RBX, 140737488350825L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4222497L)
|
|
self.assertEqual(cpu.SF, True)
|
|
|
|
def test_CMP_3(self):
|
|
''' Instruction CMP_3
|
|
Groups:
|
|
0x40d167: cmp eax, 0xff
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040d000, 0x1000, 'rwx')
|
|
mem[0x0040d168] = '\xf8'
|
|
mem[0x0040d169] = '\xff'
|
|
mem[0x0040d167] = '\x83'
|
|
cpu.EAX = 0x1
|
|
cpu.PF = False
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x40d167
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x40d168], '\xf8')
|
|
self.assertEqual(mem[0x40d169], '\xff')
|
|
self.assertEqual(mem[0x40d167], '\x83')
|
|
self.assertEqual(cpu.EAX, 1L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.AF, True)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4247914L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_CMP_4(self):
|
|
''' Instruction CMP_4
|
|
Groups:
|
|
0x7ffff7de4488: cmp qword ptr [rbp - 0x90], 0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffd9a0] = '\xe0'
|
|
mem[0x7fffffffd9a1] = 'M'
|
|
mem[0x7fffffffd9a2] = '\xa3'
|
|
mem[0x7fffffffd9a3] = '\xf7'
|
|
mem[0x7fffffffd9a4] = '\xff'
|
|
mem[0x7fffffffd9a5] = '\x7f'
|
|
mem[0x7fffffffd9a6] = '\x00'
|
|
mem[0x7fffffffd9a7] = '\x00'
|
|
mem[0x7ffff7de4488] = 'H'
|
|
mem[0x7ffff7de4489] = '\x83'
|
|
mem[0x7ffff7de448a] = '\xbd'
|
|
mem[0x7ffff7de448b] = 'p'
|
|
mem[0x7ffff7de448c] = '\xff'
|
|
mem[0x7ffff7de448d] = '\xff'
|
|
mem[0x7ffff7de448e] = '\xff'
|
|
mem[0x7ffff7de448f] = '\x00'
|
|
cpu.SF = False
|
|
cpu.PF = False
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de4488
|
|
cpu.RBP = 0x7fffffffda30
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffd9a0], '\xe0')
|
|
self.assertEqual(mem[0x7fffffffd9a1], 'M')
|
|
self.assertEqual(mem[0x7fffffffd9a2], '\xa3')
|
|
self.assertEqual(mem[0x7fffffffd9a3], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffd9a4], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd9a5], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd9a6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9a7], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de4488], 'H')
|
|
self.assertEqual(mem[0x7ffff7de4489], '\x83')
|
|
self.assertEqual(mem[0x7ffff7de448a], '\xbd')
|
|
self.assertEqual(mem[0x7ffff7de448b], 'p')
|
|
self.assertEqual(mem[0x7ffff7de448c], '\xff')
|
|
self.assertEqual(mem[0x7ffff7de448d], '\xff')
|
|
self.assertEqual(mem[0x7ffff7de448e], '\xff')
|
|
self.assertEqual(mem[0x7ffff7de448f], '\x00')
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351926928L)
|
|
self.assertEqual(cpu.RBP, 140737488345648L)
|
|
|
|
def test_CMP_5(self):
|
|
''' Instruction CMP_5
|
|
Groups:
|
|
0x7ffff7de6111: cmp rax, 0x26
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6111] = 'H'
|
|
mem[0x7ffff7de6112] = '\x83'
|
|
mem[0x7ffff7de6113] = '\xf8'
|
|
mem[0x7ffff7de6114] = '&'
|
|
cpu.PF = True
|
|
cpu.RAX = 0x8
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6111
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6111], 'H')
|
|
self.assertEqual(mem[0x7ffff7de6112], '\x83')
|
|
self.assertEqual(mem[0x7ffff7de6113], '\xf8')
|
|
self.assertEqual(mem[0x7ffff7de6114], '&')
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RAX, 8L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351934229L)
|
|
self.assertEqual(cpu.SF, True)
|
|
|
|
def test_CMP_6(self):
|
|
''' Instruction CMP_6
|
|
Groups:
|
|
0x7ffff7de620b: cmp r12, 0x24
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de620b] = 'I'
|
|
mem[0x7ffff7de620c] = '\x83'
|
|
mem[0x7ffff7de620d] = '\xfc'
|
|
mem[0x7ffff7de620e] = '$'
|
|
cpu.PF = False
|
|
cpu.R12 = 0x6
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de620b
|
|
cpu.SF = True
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de620b], 'I')
|
|
self.assertEqual(mem[0x7ffff7de620c], '\x83')
|
|
self.assertEqual(mem[0x7ffff7de620d], '\xfc')
|
|
self.assertEqual(mem[0x7ffff7de620e], '$')
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.R12, 6L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351934479L)
|
|
self.assertEqual(cpu.SF, True)
|
|
|
|
def test_CQO_1(self):
|
|
''' Instruction CQO_1
|
|
Groups:
|
|
0x400794: cqo
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x00400794] = 'H'
|
|
mem[0x00400795] = '\x99'
|
|
cpu.RIP = 0x400794
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x600000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x400794], 'H')
|
|
self.assertEqual(mem[0x400795], '\x99')
|
|
self.assertEqual(cpu.RAX, 6291456L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 4196246L)
|
|
|
|
def test_CQO_2(self):
|
|
''' Instruction CQO_2
|
|
Groups:
|
|
0x4006d4: cqo
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x004006d4] = 'H'
|
|
mem[0x004006d5] = '\x99'
|
|
cpu.RIP = 0x4006d4
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x600000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4006d4], 'H')
|
|
self.assertEqual(mem[0x4006d5], '\x99')
|
|
self.assertEqual(cpu.RAX, 6291456L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 4196054L)
|
|
|
|
def test_CQO_3(self):
|
|
''' Instruction CQO_3
|
|
Groups:
|
|
0x7ffff7a4e234: cqo
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4e234] = 'H'
|
|
mem[0x7ffff7a4e235] = '\x99'
|
|
cpu.RIP = 0x7ffff7a4e234
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x600000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a4e234], 'H')
|
|
self.assertEqual(mem[0x7ffff7a4e235], '\x99')
|
|
self.assertEqual(cpu.RAX, 6291456L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 140737348166198L)
|
|
|
|
def test_CQO_4(self):
|
|
''' Instruction CQO_4
|
|
Groups:
|
|
0x7ffff7a4e234: cqo
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4e234] = 'H'
|
|
mem[0x7ffff7a4e235] = '\x99'
|
|
cpu.RIP = 0x7ffff7a4e234
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x600000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a4e234], 'H')
|
|
self.assertEqual(mem[0x7ffff7a4e235], '\x99')
|
|
self.assertEqual(cpu.RAX, 6291456L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 140737348166198L)
|
|
|
|
def test_CQO_5(self):
|
|
''' Instruction CQO_5
|
|
Groups:
|
|
0x4006d4: cqo
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x004006d4] = 'H'
|
|
mem[0x004006d5] = '\x99'
|
|
cpu.RIP = 0x4006d4
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x600000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4006d4], 'H')
|
|
self.assertEqual(mem[0x4006d5], '\x99')
|
|
self.assertEqual(cpu.RAX, 6291456L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 4196054L)
|
|
|
|
def test_CQO_6(self):
|
|
''' Instruction CQO_6
|
|
Groups:
|
|
0x7ffff7a4e234: cqo
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4e234] = 'H'
|
|
mem[0x7ffff7a4e235] = '\x99'
|
|
cpu.RIP = 0x7ffff7a4e234
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x600000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a4e234], 'H')
|
|
self.assertEqual(mem[0x7ffff7a4e235], '\x99')
|
|
self.assertEqual(cpu.RAX, 6291456L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 140737348166198L)
|
|
|
|
def test_DEC_1(self):
|
|
''' Instruction DEC_1
|
|
Groups: mode64
|
|
0x41e10a: dec ecx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0041e000, 0x1000, 'rwx')
|
|
mem[0x0041e10a] = '\xff'
|
|
mem[0x0041e10b] = '\xc9'
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x41e10a
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.ECX = 0xd
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x41e10a], '\xff')
|
|
self.assertEqual(mem[0x41e10b], '\xc9')
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RIP, 4317452L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.ECX, 12L)
|
|
|
|
def test_DEC_2(self):
|
|
''' Instruction DEC_2
|
|
Groups: mode64
|
|
0x7ffff7df462c: dec ecx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df462c] = '\xff'
|
|
mem[0x7ffff7df462d] = '\xc9'
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7df462c
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.ECX = 0x4
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df462c], '\xff')
|
|
self.assertEqual(mem[0x7ffff7df462d], '\xc9')
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RIP, 140737351992878L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.ECX, 3L)
|
|
|
|
def test_DEC_3(self):
|
|
''' Instruction DEC_3
|
|
Groups: mode64
|
|
0x7ffff7df462c: dec ecx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df462c] = '\xff'
|
|
mem[0x7ffff7df462d] = '\xc9'
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7df462c
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.ECX = 0x2
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df462c], '\xff')
|
|
self.assertEqual(mem[0x7ffff7df462d], '\xc9')
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RIP, 140737351992878L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.ECX, 1L)
|
|
|
|
def test_DEC_4(self):
|
|
''' Instruction DEC_4
|
|
Groups: mode64
|
|
0x7ffff7a65448: dec dword ptr [rip + 0x36fd02]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a65000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7dd5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7dd5150] = '\x01'
|
|
mem[0x7ffff7dd5151] = '\x00'
|
|
mem[0x7ffff7dd5152] = '\x00'
|
|
mem[0x7ffff7dd5153] = '\x00'
|
|
mem[0x7ffff7a65448] = '\xff'
|
|
mem[0x7ffff7a65449] = '\r'
|
|
mem[0x7ffff7a6544a] = '\x02'
|
|
mem[0x7ffff7a6544b] = '\xfd'
|
|
mem[0x7ffff7a6544c] = '6'
|
|
mem[0x7ffff7a6544d] = '\x00'
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.RIP = 0x7ffff7a65448
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7dd5150], '\x00')
|
|
self.assertEqual(mem[0x7ffff7dd5151], '\x00')
|
|
self.assertEqual(mem[0x7ffff7dd5152], '\x00')
|
|
self.assertEqual(mem[0x7ffff7dd5153], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a65448], '\xff')
|
|
self.assertEqual(mem[0x7ffff7a65449], '\r')
|
|
self.assertEqual(mem[0x7ffff7a6544a], '\x02')
|
|
self.assertEqual(mem[0x7ffff7a6544b], '\xfd')
|
|
self.assertEqual(mem[0x7ffff7a6544c], '6')
|
|
self.assertEqual(mem[0x7ffff7a6544d], '\x00')
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.RIP, 140737348260942L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_DEC_5(self):
|
|
''' Instruction DEC_5
|
|
Groups: mode64
|
|
0x7ffff7df462c: dec ecx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df462c] = '\xff'
|
|
mem[0x7ffff7df462d] = '\xc9'
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7df462c
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.ECX = 0x4
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df462c], '\xff')
|
|
self.assertEqual(mem[0x7ffff7df462d], '\xc9')
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RIP, 140737351992878L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.ECX, 3L)
|
|
|
|
def test_DEC_6(self):
|
|
''' Instruction DEC_6
|
|
Groups: mode64
|
|
0x7ffff7df462c: dec ecx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df462c] = '\xff'
|
|
mem[0x7ffff7df462d] = '\xc9'
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7df462c
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.ECX = 0x1
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df462c], '\xff')
|
|
self.assertEqual(mem[0x7ffff7df462d], '\xc9')
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.RIP, 140737351992878L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.ECX, 0L)
|
|
|
|
def test_DIV_1(self):
|
|
''' Instruction DIV_1
|
|
Groups:
|
|
0x7ffff7de3ff8: div rcx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3ff8] = 'H'
|
|
mem[0x7ffff7de3ff9] = '\xf7'
|
|
mem[0x7ffff7de3ffa] = '\xf1'
|
|
cpu.RIP = 0x7ffff7de3ff8
|
|
cpu.RCX = 0x3f3
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x3de00ec7
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de3ff8], 'H')
|
|
self.assertEqual(mem[0x7ffff7de3ff9], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7de3ffa], '\xf1')
|
|
self.assertEqual(cpu.RAX, 1026799L)
|
|
self.assertEqual(cpu.RCX, 1011L)
|
|
self.assertEqual(cpu.RDX, 234L)
|
|
self.assertEqual(cpu.RIP, 140737351925755L)
|
|
|
|
def test_DIV_2(self):
|
|
''' Instruction DIV_2
|
|
Groups:
|
|
0x7ffff7de3ff8: div rcx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3ff8] = 'H'
|
|
mem[0x7ffff7de3ff9] = '\xf7'
|
|
mem[0x7ffff7de3ffa] = '\xf1'
|
|
cpu.RIP = 0x7ffff7de3ff8
|
|
cpu.RCX = 0x3f3
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x3de00ec7
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de3ff8], 'H')
|
|
self.assertEqual(mem[0x7ffff7de3ff9], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7de3ffa], '\xf1')
|
|
self.assertEqual(cpu.RAX, 1026799L)
|
|
self.assertEqual(cpu.RCX, 1011L)
|
|
self.assertEqual(cpu.RDX, 234L)
|
|
self.assertEqual(cpu.RIP, 140737351925755L)
|
|
|
|
def test_DIV_3(self):
|
|
''' Instruction DIV_3
|
|
Groups:
|
|
0x7ffff7de3ff8: div rcx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3ff8] = 'H'
|
|
mem[0x7ffff7de3ff9] = '\xf7'
|
|
mem[0x7ffff7de3ffa] = '\xf1'
|
|
cpu.RIP = 0x7ffff7de3ff8
|
|
cpu.RCX = 0x3f3
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x9e7650bc
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de3ff8], 'H')
|
|
self.assertEqual(mem[0x7ffff7de3ff9], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7de3ffa], '\xf1')
|
|
self.assertEqual(cpu.RAX, 2629628L)
|
|
self.assertEqual(cpu.RCX, 1011L)
|
|
self.assertEqual(cpu.RDX, 136L)
|
|
self.assertEqual(cpu.RIP, 140737351925755L)
|
|
|
|
def test_DIV_4(self):
|
|
''' Instruction DIV_4
|
|
Groups:
|
|
0x7ffff7de3ff8: div rcx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3ff8] = 'H'
|
|
mem[0x7ffff7de3ff9] = '\xf7'
|
|
mem[0x7ffff7de3ffa] = '\xf1'
|
|
cpu.RIP = 0x7ffff7de3ff8
|
|
cpu.RCX = 0x3f3
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x10a8b550
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de3ff8], 'H')
|
|
self.assertEqual(mem[0x7ffff7de3ff9], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7de3ffa], '\xf1')
|
|
self.assertEqual(cpu.RAX, 276450L)
|
|
self.assertEqual(cpu.RCX, 1011L)
|
|
self.assertEqual(cpu.RDX, 970L)
|
|
self.assertEqual(cpu.RIP, 140737351925755L)
|
|
|
|
def test_DIV_5(self):
|
|
''' Instruction DIV_5
|
|
Groups:
|
|
0x7ffff7de3ff8: div rcx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3ff8] = 'H'
|
|
mem[0x7ffff7de3ff9] = '\xf7'
|
|
mem[0x7ffff7de3ffa] = '\xf1'
|
|
cpu.RIP = 0x7ffff7de3ff8
|
|
cpu.RCX = 0x32
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x3cbc6423
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de3ff8], 'H')
|
|
self.assertEqual(mem[0x7ffff7de3ff9], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7de3ffa], '\xf1')
|
|
self.assertEqual(cpu.RAX, 20379587L)
|
|
self.assertEqual(cpu.RCX, 50L)
|
|
self.assertEqual(cpu.RDX, 13L)
|
|
self.assertEqual(cpu.RIP, 140737351925755L)
|
|
|
|
def test_DIV_6(self):
|
|
''' Instruction DIV_6
|
|
Groups:
|
|
0x7ffff7de3ff8: div rcx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3ff8] = 'H'
|
|
mem[0x7ffff7de3ff9] = '\xf7'
|
|
mem[0x7ffff7de3ffa] = '\xf1'
|
|
cpu.RIP = 0x7ffff7de3ff8
|
|
cpu.RCX = 0x3f3
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x2e8912d8
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de3ff8], 'H')
|
|
self.assertEqual(mem[0x7ffff7de3ff9], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7de3ffa], '\xf1')
|
|
self.assertEqual(cpu.RAX, 772240L)
|
|
self.assertEqual(cpu.RCX, 1011L)
|
|
self.assertEqual(cpu.RDX, 552L)
|
|
self.assertEqual(cpu.RIP, 140737351925755L)
|
|
|
|
def test_IDIV_1(self):
|
|
''' Instruction IDIV_1
|
|
Groups:
|
|
0x7ffff7a4e236: idiv r8
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4e238] = '\xf8'
|
|
mem[0x7ffff7a4e236] = 'I'
|
|
mem[0x7ffff7a4e237] = '\xf7'
|
|
cpu.RIP = 0x7ffff7a4e236
|
|
cpu.R8 = 0x8
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x600000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a4e238], '\xf8')
|
|
self.assertEqual(mem[0x7ffff7a4e236], 'I')
|
|
self.assertEqual(mem[0x7ffff7a4e237], '\xf7')
|
|
self.assertEqual(cpu.RAX, 786432L)
|
|
self.assertEqual(cpu.R8, 8L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 140737348166201L)
|
|
|
|
def test_IDIV_2(self):
|
|
''' Instruction IDIV_2
|
|
Groups:
|
|
0x4006d6: idiv r8
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x004006d8] = '\xf8'
|
|
mem[0x004006d6] = 'I'
|
|
mem[0x004006d7] = '\xf7'
|
|
cpu.RIP = 0x4006d6
|
|
cpu.R8 = 0x8
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x600000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4006d8], '\xf8')
|
|
self.assertEqual(mem[0x4006d6], 'I')
|
|
self.assertEqual(mem[0x4006d7], '\xf7')
|
|
self.assertEqual(cpu.RAX, 786432L)
|
|
self.assertEqual(cpu.R8, 8L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 4196057L)
|
|
|
|
def test_IDIV_3(self):
|
|
''' Instruction IDIV_3
|
|
Groups:
|
|
0x7ffff7a4e236: idiv r8
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4e238] = '\xf8'
|
|
mem[0x7ffff7a4e236] = 'I'
|
|
mem[0x7ffff7a4e237] = '\xf7'
|
|
cpu.RIP = 0x7ffff7a4e236
|
|
cpu.R8 = 0x8
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x600000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a4e238], '\xf8')
|
|
self.assertEqual(mem[0x7ffff7a4e236], 'I')
|
|
self.assertEqual(mem[0x7ffff7a4e237], '\xf7')
|
|
self.assertEqual(cpu.RAX, 786432L)
|
|
self.assertEqual(cpu.R8, 8L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 140737348166201L)
|
|
|
|
def test_IDIV_4(self):
|
|
''' Instruction IDIV_4
|
|
Groups:
|
|
0x4006d6: idiv r8
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x004006d8] = '\xf8'
|
|
mem[0x004006d6] = 'I'
|
|
mem[0x004006d7] = '\xf7'
|
|
cpu.RIP = 0x4006d6
|
|
cpu.R8 = 0x8
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x600000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4006d8], '\xf8')
|
|
self.assertEqual(mem[0x4006d6], 'I')
|
|
self.assertEqual(mem[0x4006d7], '\xf7')
|
|
self.assertEqual(cpu.RAX, 786432L)
|
|
self.assertEqual(cpu.R8, 8L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 4196057L)
|
|
|
|
def test_IDIV_5(self):
|
|
''' Instruction IDIV_5
|
|
Groups:
|
|
0x4006d6: idiv r8
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x004006d8] = '\xf8'
|
|
mem[0x004006d6] = 'I'
|
|
mem[0x004006d7] = '\xf7'
|
|
cpu.RIP = 0x4006d6
|
|
cpu.R8 = 0x8
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x600000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4006d8], '\xf8')
|
|
self.assertEqual(mem[0x4006d6], 'I')
|
|
self.assertEqual(mem[0x4006d7], '\xf7')
|
|
self.assertEqual(cpu.RAX, 786432L)
|
|
self.assertEqual(cpu.R8, 8L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 4196057L)
|
|
|
|
def test_IDIV_6(self):
|
|
''' Instruction IDIV_6
|
|
Groups:
|
|
0x7ffff7a4e236: idiv r8
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4e238] = '\xf8'
|
|
mem[0x7ffff7a4e236] = 'I'
|
|
mem[0x7ffff7a4e237] = '\xf7'
|
|
cpu.RIP = 0x7ffff7a4e236
|
|
cpu.R8 = 0x8
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x600000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a4e238], '\xf8')
|
|
self.assertEqual(mem[0x7ffff7a4e236], 'I')
|
|
self.assertEqual(mem[0x7ffff7a4e237], '\xf7')
|
|
self.assertEqual(cpu.RAX, 786432L)
|
|
self.assertEqual(cpu.R8, 8L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 140737348166201L)
|
|
|
|
def test_IMUL_1(self):
|
|
''' Instruction IMUL_1
|
|
Groups:
|
|
0x7ffff7acfec4: imul eax, edx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7acf000, 0x1000, 'rwx')
|
|
mem[0x7ffff7acfec4] = '\x0f'
|
|
mem[0x7ffff7acfec5] = '\xaf'
|
|
mem[0x7ffff7acfec6] = '\xc2'
|
|
cpu.OF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7acfec4
|
|
cpu.RDX = 0x1
|
|
cpu.EAX = 0x600000
|
|
cpu.EDX = 0x1
|
|
cpu.RAX = 0x600000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7acfec4], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7acfec5], '\xaf')
|
|
self.assertEqual(mem[0x7ffff7acfec6], '\xc2')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737348697799L)
|
|
self.assertEqual(cpu.RDX, 1L)
|
|
self.assertEqual(cpu.EAX, 6291456L)
|
|
self.assertEqual(cpu.EDX, 1L)
|
|
self.assertEqual(cpu.RAX, 6291456L)
|
|
|
|
def test_IMUL_2(self):
|
|
''' Instruction IMUL_2
|
|
Groups:
|
|
0x7ffff7acfeb3: imul eax, edx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7acf000, 0x1000, 'rwx')
|
|
mem[0x7ffff7acfeb3] = '\x0f'
|
|
mem[0x7ffff7acfeb4] = '\xaf'
|
|
mem[0x7ffff7acfeb5] = '\xc2'
|
|
cpu.OF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7acfeb3
|
|
cpu.RDX = 0x8
|
|
cpu.EAX = 0x40
|
|
cpu.EDX = 0x8
|
|
cpu.RAX = 0x40
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7acfeb3], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7acfeb4], '\xaf')
|
|
self.assertEqual(mem[0x7ffff7acfeb5], '\xc2')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737348697782L)
|
|
self.assertEqual(cpu.RDX, 8L)
|
|
self.assertEqual(cpu.EAX, 512L)
|
|
self.assertEqual(cpu.EDX, 8L)
|
|
self.assertEqual(cpu.RAX, 512L)
|
|
|
|
def test_IMUL_3(self):
|
|
''' Instruction IMUL_3
|
|
Groups:
|
|
0x43230c: imul edx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x0043230c] = '\xf7'
|
|
mem[0x0043230d] = '\xea'
|
|
cpu.OF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x43230c
|
|
cpu.RDX = 0x55555556
|
|
cpu.EDX = 0x55555556
|
|
cpu.RAX = 0x3
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x43230c], '\xf7')
|
|
self.assertEqual(mem[0x43230d], '\xea')
|
|
self.assertEqual(cpu.OF, True)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4399886L)
|
|
self.assertEqual(cpu.RDX, 1L)
|
|
self.assertEqual(cpu.EDX, 1L)
|
|
self.assertEqual(cpu.RAX, 2L)
|
|
|
|
def test_IMUL_4(self):
|
|
''' Instruction IMUL_4
|
|
Groups:
|
|
0x43230c: imul edx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x0043230c] = '\xf7'
|
|
mem[0x0043230d] = '\xea'
|
|
cpu.OF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x43230c
|
|
cpu.RDX = 0x55555556
|
|
cpu.EDX = 0x55555556
|
|
cpu.RAX = 0x3
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x43230c], '\xf7')
|
|
self.assertEqual(mem[0x43230d], '\xea')
|
|
self.assertEqual(cpu.OF, True)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4399886L)
|
|
self.assertEqual(cpu.RDX, 1L)
|
|
self.assertEqual(cpu.EDX, 1L)
|
|
self.assertEqual(cpu.RAX, 2L)
|
|
|
|
def test_IMUL_5(self):
|
|
''' Instruction IMUL_5
|
|
Groups:
|
|
0x41403c: imul r12, rsi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00414000, 0x1000, 'rwx')
|
|
mem[0x0041403c] = 'L'
|
|
mem[0x0041403d] = '\x0f'
|
|
mem[0x0041403e] = '\xaf'
|
|
mem[0x0041403f] = '\xe6'
|
|
cpu.R12 = 0x491
|
|
cpu.RSI = 0x1
|
|
cpu.OF = False
|
|
cpu.RDX = 0x491
|
|
cpu.RIP = 0x41403c
|
|
cpu.CF = False
|
|
cpu.RAX = 0xffffffff
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x41403c], 'L')
|
|
self.assertEqual(mem[0x41403d], '\x0f')
|
|
self.assertEqual(mem[0x41403e], '\xaf')
|
|
self.assertEqual(mem[0x41403f], '\xe6')
|
|
self.assertEqual(cpu.R12, 1169L)
|
|
self.assertEqual(cpu.RSI, 1L)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4276288L)
|
|
self.assertEqual(cpu.RDX, 1169L)
|
|
self.assertEqual(cpu.RAX, 4294967295L)
|
|
|
|
def test_IMUL_6(self):
|
|
''' Instruction IMUL_6
|
|
Groups:
|
|
0x413fdc: imul r12, rsi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00413000, 0x1000, 'rwx')
|
|
mem[0x00413fdc] = 'L'
|
|
mem[0x00413fdd] = '\x0f'
|
|
mem[0x00413fde] = '\xaf'
|
|
mem[0x00413fdf] = '\xe6'
|
|
cpu.R12 = 0x491
|
|
cpu.RSI = 0x1
|
|
cpu.OF = False
|
|
cpu.RDX = 0x491
|
|
cpu.RIP = 0x413fdc
|
|
cpu.CF = False
|
|
cpu.RAX = 0xffffffff
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x413fdc], 'L')
|
|
self.assertEqual(mem[0x413fdd], '\x0f')
|
|
self.assertEqual(mem[0x413fde], '\xaf')
|
|
self.assertEqual(mem[0x413fdf], '\xe6')
|
|
self.assertEqual(cpu.R12, 1169L)
|
|
self.assertEqual(cpu.RSI, 1L)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4276192L)
|
|
self.assertEqual(cpu.RDX, 1169L)
|
|
self.assertEqual(cpu.RAX, 4294967295L)
|
|
|
|
def test_INC_1(self):
|
|
''' Instruction INC_1
|
|
Groups:
|
|
0x7ffff7df4596: inc rdi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4598] = '\xc7'
|
|
mem[0x7ffff7df4596] = 'H'
|
|
mem[0x7ffff7df4597] = '\xff'
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.RIP = 0x7ffff7df4596
|
|
cpu.PF = True
|
|
cpu.RDI = 0x7ffff7a44729
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4598], '\xc7')
|
|
self.assertEqual(mem[0x7ffff7df4596], 'H')
|
|
self.assertEqual(mem[0x7ffff7df4597], '\xff')
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RIP, 140737351992729L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.RDI, 140737348126506L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_INC_2(self):
|
|
''' Instruction INC_2
|
|
Groups:
|
|
0x7ffff7df4596: inc rdi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4598] = '\xc7'
|
|
mem[0x7ffff7df4596] = 'H'
|
|
mem[0x7ffff7df4597] = '\xff'
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.RIP = 0x7ffff7df4596
|
|
cpu.PF = True
|
|
cpu.RDI = 0x7ffff7dda5ec
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4598], '\xc7')
|
|
self.assertEqual(mem[0x7ffff7df4596], 'H')
|
|
self.assertEqual(mem[0x7ffff7df4597], '\xff')
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RIP, 140737351992729L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RDI, 140737351886317L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_INC_3(self):
|
|
''' Instruction INC_3
|
|
Groups:
|
|
0x7ffff7df4599: inc rsi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4599] = 'H'
|
|
mem[0x7ffff7df459a] = '\xff'
|
|
mem[0x7ffff7df459b] = '\xc6'
|
|
cpu.RSI = 0x7ffff7a4472a
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7df4599
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4599], 'H')
|
|
self.assertEqual(mem[0x7ffff7df459a], '\xff')
|
|
self.assertEqual(mem[0x7ffff7df459b], '\xc6')
|
|
self.assertEqual(cpu.RSI, 140737348126507L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RIP, 140737351992732L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_INC_4(self):
|
|
''' Instruction INC_4
|
|
Groups:
|
|
0x7ffff7df4596: inc rdi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4598] = '\xc7'
|
|
mem[0x7ffff7df4596] = 'H'
|
|
mem[0x7ffff7df4597] = '\xff'
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.RIP = 0x7ffff7df4596
|
|
cpu.PF = True
|
|
cpu.RDI = 0x7ffff7a4472e
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4598], '\xc7')
|
|
self.assertEqual(mem[0x7ffff7df4596], 'H')
|
|
self.assertEqual(mem[0x7ffff7df4597], '\xff')
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RIP, 140737351992729L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.RDI, 140737348126511L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_INC_5(self):
|
|
''' Instruction INC_5
|
|
Groups:
|
|
0x7ffff7df4599: inc rsi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4599] = 'H'
|
|
mem[0x7ffff7df459a] = '\xff'
|
|
mem[0x7ffff7df459b] = '\xc6'
|
|
cpu.RSI = 0x555555554cbb
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7df4599
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4599], 'H')
|
|
self.assertEqual(mem[0x7ffff7df459a], '\xff')
|
|
self.assertEqual(mem[0x7ffff7df459b], '\xc6')
|
|
self.assertEqual(cpu.RSI, 93824992234684L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RIP, 140737351992732L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_INC_6(self):
|
|
''' Instruction INC_6
|
|
Groups:
|
|
0x7ffff7df4599: inc rsi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4599] = 'H'
|
|
mem[0x7ffff7df459a] = '\xff'
|
|
mem[0x7ffff7df459b] = '\xc6'
|
|
cpu.RSI = 0x7ffff7a44726
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7df4599
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4599], 'H')
|
|
self.assertEqual(mem[0x7ffff7df459a], '\xff')
|
|
self.assertEqual(mem[0x7ffff7df459b], '\xc6')
|
|
self.assertEqual(cpu.RSI, 140737348126503L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RIP, 140737351992732L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_JAE_1(self):
|
|
''' Instruction JAE_1
|
|
Groups: jump
|
|
0x7ffff7aa96ab: jae 0x7ffff7aa96e8
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7aa9000, 0x1000, 'rwx')
|
|
mem[0x7ffff7aa96ab] = 's'
|
|
mem[0x7ffff7aa96ac] = ';'
|
|
cpu.CF = True
|
|
cpu.RIP = 0x7ffff7aa96ab
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7aa96ab], 's')
|
|
self.assertEqual(mem[0x7ffff7aa96ac], ';')
|
|
self.assertEqual(cpu.RIP, 140737348540077L)
|
|
|
|
def test_JAE_2(self):
|
|
''' Instruction JAE_2
|
|
Groups: jump
|
|
0x400c11: jae 0x400c69
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x00400c11] = 's'
|
|
mem[0x00400c12] = 'V'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x400c11
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x400c11], 's')
|
|
self.assertEqual(mem[0x400c12], 'V')
|
|
self.assertEqual(cpu.RIP, 4197481L)
|
|
|
|
def test_JAE_3(self):
|
|
''' Instruction JAE_3
|
|
Groups: jump
|
|
0x432400: jae 0x432440
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432400] = 's'
|
|
mem[0x00432401] = '>'
|
|
cpu.CF = True
|
|
cpu.RIP = 0x432400
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432400], 's')
|
|
self.assertEqual(mem[0x432401], '>')
|
|
self.assertEqual(cpu.RIP, 4400130L)
|
|
|
|
def test_JAE_4(self):
|
|
''' Instruction JAE_4
|
|
Groups: jump
|
|
0x411d5b: jae 0x412155
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem[0x00411d60] = '\x00'
|
|
mem[0x00411d5b] = '\x0f'
|
|
mem[0x00411d5c] = '\x83'
|
|
mem[0x00411d5d] = '\xf4'
|
|
mem[0x00411d5e] = '\x03'
|
|
mem[0x00411d5f] = '\x00'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x411d5b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x411d60], '\x00')
|
|
self.assertEqual(mem[0x411d5b], '\x0f')
|
|
self.assertEqual(mem[0x411d5c], '\x83')
|
|
self.assertEqual(mem[0x411d5d], '\xf4')
|
|
self.assertEqual(mem[0x411d5e], '\x03')
|
|
self.assertEqual(mem[0x411d5f], '\x00')
|
|
self.assertEqual(cpu.RIP, 4268373L)
|
|
|
|
def test_JAE_5(self):
|
|
''' Instruction JAE_5
|
|
Groups: jump
|
|
0x7ffff7b58f5d: jae 0x7ffff7b58f00
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f5d] = 's'
|
|
mem[0x7ffff7b58f5e] = '\xa1'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7b58f5d
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b58f5d], 's')
|
|
self.assertEqual(mem[0x7ffff7b58f5e], '\xa1')
|
|
self.assertEqual(cpu.RIP, 140737349259008L)
|
|
|
|
def test_JAE_6(self):
|
|
''' Instruction JAE_6
|
|
Groups: jump
|
|
0x400b82: jae 0x400b9f
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x00400b82] = 's'
|
|
mem[0x00400b83] = '\x1b'
|
|
cpu.CF = True
|
|
cpu.RIP = 0x400b82
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x400b82], 's')
|
|
self.assertEqual(mem[0x400b83], '\x1b')
|
|
self.assertEqual(cpu.RIP, 4197252L)
|
|
|
|
def test_JA_1(self):
|
|
''' Instruction JA_1
|
|
Groups: jump
|
|
0x7ffff7de6132: ja 0x7ffff7de6108
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6132] = 'w'
|
|
mem[0x7ffff7de6133] = '\xd4'
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6132
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6132], 'w')
|
|
self.assertEqual(mem[0x7ffff7de6133], '\xd4')
|
|
self.assertEqual(cpu.RIP, 140737351934216L)
|
|
|
|
def test_JA_2(self):
|
|
''' Instruction JA_2
|
|
Groups: jump
|
|
0x7ffff7ddf066: ja 0x7ffff7ddf0b2
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddf000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddf066] = 'w'
|
|
mem[0x7ffff7ddf067] = 'J'
|
|
cpu.ZF = False
|
|
cpu.CF = True
|
|
cpu.RIP = 0x7ffff7ddf066
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ddf066], 'w')
|
|
self.assertEqual(mem[0x7ffff7ddf067], 'J')
|
|
self.assertEqual(cpu.RIP, 140737351905384L)
|
|
|
|
def test_JA_3(self):
|
|
''' Instruction JA_3
|
|
Groups: jump
|
|
0x7ffff7de6132: ja 0x7ffff7de6108
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6132] = 'w'
|
|
mem[0x7ffff7de6133] = '\xd4'
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6132
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6132], 'w')
|
|
self.assertEqual(mem[0x7ffff7de6133], '\xd4')
|
|
self.assertEqual(cpu.RIP, 140737351934216L)
|
|
|
|
def test_JA_4(self):
|
|
''' Instruction JA_4
|
|
Groups: jump
|
|
0x7ffff7de6132: ja 0x7ffff7de6108
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6132] = 'w'
|
|
mem[0x7ffff7de6133] = '\xd4'
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6132
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6132], 'w')
|
|
self.assertEqual(mem[0x7ffff7de6133], '\xd4')
|
|
self.assertEqual(cpu.RIP, 140737351934216L)
|
|
|
|
def test_JA_5(self):
|
|
''' Instruction JA_5
|
|
Groups: jump
|
|
0x7ffff7de6132: ja 0x7ffff7de6108
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6132] = 'w'
|
|
mem[0x7ffff7de6133] = '\xd4'
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6132
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6132], 'w')
|
|
self.assertEqual(mem[0x7ffff7de6133], '\xd4')
|
|
self.assertEqual(cpu.RIP, 140737351934216L)
|
|
|
|
def test_JA_6(self):
|
|
''' Instruction JA_6
|
|
Groups: jump
|
|
0x7ffff7de6132: ja 0x7ffff7de6108
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6132] = 'w'
|
|
mem[0x7ffff7de6133] = '\xd4'
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6132
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6132], 'w')
|
|
self.assertEqual(mem[0x7ffff7de6133], '\xd4')
|
|
self.assertEqual(cpu.RIP, 140737351934216L)
|
|
|
|
def test_JBE_1(self):
|
|
''' Instruction JBE_1
|
|
Groups: jump
|
|
0x41188d: jbe 0x411ec0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem[0x0041188d] = '\x0f'
|
|
mem[0x0041188e] = '\x86'
|
|
mem[0x0041188f] = '-'
|
|
mem[0x00411890] = '\x06'
|
|
mem[0x00411891] = '\x00'
|
|
mem[0x00411892] = '\x00'
|
|
cpu.ZF = False
|
|
cpu.CF = True
|
|
cpu.RIP = 0x41188d
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x41188d], '\x0f')
|
|
self.assertEqual(mem[0x41188e], '\x86')
|
|
self.assertEqual(mem[0x41188f], '-')
|
|
self.assertEqual(mem[0x411890], '\x06')
|
|
self.assertEqual(mem[0x411891], '\x00')
|
|
self.assertEqual(mem[0x411892], '\x00')
|
|
self.assertEqual(cpu.RIP, 4267712L)
|
|
|
|
def test_JBE_2(self):
|
|
''' Instruction JBE_2
|
|
Groups: jump
|
|
0x4325e3: jbe 0x4326cf
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x004325e3] = '\x0f'
|
|
mem[0x004325e4] = '\x86'
|
|
mem[0x004325e5] = '\xe6'
|
|
mem[0x004325e6] = '\x00'
|
|
mem[0x004325e7] = '\x00'
|
|
mem[0x004325e8] = '\x00'
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x4325e3
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4325e3], '\x0f')
|
|
self.assertEqual(mem[0x4325e4], '\x86')
|
|
self.assertEqual(mem[0x4325e5], '\xe6')
|
|
self.assertEqual(mem[0x4325e6], '\x00')
|
|
self.assertEqual(mem[0x4325e7], '\x00')
|
|
self.assertEqual(mem[0x4325e8], '\x00')
|
|
self.assertEqual(cpu.RIP, 4400617L)
|
|
|
|
def test_JBE_3(self):
|
|
''' Instruction JBE_3
|
|
Groups: jump
|
|
0x432388: jbe 0x4323aa
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432388] = 'v'
|
|
mem[0x00432389] = ' '
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x432388
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432388], 'v')
|
|
self.assertEqual(mem[0x432389], ' ')
|
|
self.assertEqual(cpu.RIP, 4400010L)
|
|
|
|
def test_JBE_4(self):
|
|
''' Instruction JBE_4
|
|
Groups: jump
|
|
0x4325e3: jbe 0x4326cf
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x004325e3] = '\x0f'
|
|
mem[0x004325e4] = '\x86'
|
|
mem[0x004325e5] = '\xe6'
|
|
mem[0x004325e6] = '\x00'
|
|
mem[0x004325e7] = '\x00'
|
|
mem[0x004325e8] = '\x00'
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x4325e3
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4325e3], '\x0f')
|
|
self.assertEqual(mem[0x4325e4], '\x86')
|
|
self.assertEqual(mem[0x4325e5], '\xe6')
|
|
self.assertEqual(mem[0x4325e6], '\x00')
|
|
self.assertEqual(mem[0x4325e7], '\x00')
|
|
self.assertEqual(mem[0x4325e8], '\x00')
|
|
self.assertEqual(cpu.RIP, 4400617L)
|
|
|
|
def test_JBE_5(self):
|
|
''' Instruction JBE_5
|
|
Groups: jump
|
|
0x7ffff7df1269: jbe 0x7ffff7df1289
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1269] = 'v'
|
|
mem[0x7ffff7df126a] = '\x1e'
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7df1269
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df1269], 'v')
|
|
self.assertEqual(mem[0x7ffff7df126a], '\x1e')
|
|
self.assertEqual(cpu.RIP, 140737351979627L)
|
|
|
|
def test_JBE_6(self):
|
|
''' Instruction JBE_6
|
|
Groups: jump
|
|
0x7ffff7acff53: jbe 0x7ffff7ad003f
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7acf000, 0x1000, 'rwx')
|
|
mem[0x7ffff7acff53] = '\x0f'
|
|
mem[0x7ffff7acff54] = '\x86'
|
|
mem[0x7ffff7acff55] = '\xe6'
|
|
mem[0x7ffff7acff56] = '\x00'
|
|
mem[0x7ffff7acff57] = '\x00'
|
|
mem[0x7ffff7acff58] = '\x00'
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7acff53
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7acff53], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7acff54], '\x86')
|
|
self.assertEqual(mem[0x7ffff7acff55], '\xe6')
|
|
self.assertEqual(mem[0x7ffff7acff56], '\x00')
|
|
self.assertEqual(mem[0x7ffff7acff57], '\x00')
|
|
self.assertEqual(mem[0x7ffff7acff58], '\x00')
|
|
self.assertEqual(cpu.RIP, 140737348697945L)
|
|
|
|
def test_JB_1(self):
|
|
''' Instruction JB_1
|
|
Groups: jump
|
|
0x7ffff7b58f46: jb 0x7ffff7b58f00
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f46] = 'r'
|
|
mem[0x7ffff7b58f47] = '\xb8'
|
|
cpu.CF = True
|
|
cpu.RIP = 0x7ffff7b58f46
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b58f46], 'r')
|
|
self.assertEqual(mem[0x7ffff7b58f47], '\xb8')
|
|
self.assertEqual(cpu.RIP, 140737349259008L)
|
|
|
|
def test_JB_2(self):
|
|
''' Instruction JB_2
|
|
Groups: jump
|
|
0x7ffff7b58f46: jb 0x7ffff7b58f00
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f46] = 'r'
|
|
mem[0x7ffff7b58f47] = '\xb8'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7b58f46
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b58f46], 'r')
|
|
self.assertEqual(mem[0x7ffff7b58f47], '\xb8')
|
|
self.assertEqual(cpu.RIP, 140737349259080L)
|
|
|
|
def test_JB_3(self):
|
|
''' Instruction JB_3
|
|
Groups: jump
|
|
0x400bab: jb 0x400ab4
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x00400bab] = '\x0f'
|
|
mem[0x00400bac] = '\x82'
|
|
mem[0x00400bad] = '\x03'
|
|
mem[0x00400bae] = '\xff'
|
|
mem[0x00400baf] = '\xff'
|
|
mem[0x00400bb0] = '\xff'
|
|
cpu.CF = True
|
|
cpu.RIP = 0x400bab
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x400bab], '\x0f')
|
|
self.assertEqual(mem[0x400bac], '\x82')
|
|
self.assertEqual(mem[0x400bad], '\x03')
|
|
self.assertEqual(mem[0x400bae], '\xff')
|
|
self.assertEqual(mem[0x400baf], '\xff')
|
|
self.assertEqual(mem[0x400bb0], '\xff')
|
|
self.assertEqual(cpu.RIP, 4197044L)
|
|
|
|
def test_JB_4(self):
|
|
''' Instruction JB_4
|
|
Groups: jump
|
|
0x7ffff7b58f46: jb 0x7ffff7b58f00
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f46] = 'r'
|
|
mem[0x7ffff7b58f47] = '\xb8'
|
|
cpu.CF = True
|
|
cpu.RIP = 0x7ffff7b58f46
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b58f46], 'r')
|
|
self.assertEqual(mem[0x7ffff7b58f47], '\xb8')
|
|
self.assertEqual(cpu.RIP, 140737349259008L)
|
|
|
|
def test_JB_5(self):
|
|
''' Instruction JB_5
|
|
Groups: jump
|
|
0x7ffff7ddeff1: jb 0x7ffff7ddefd0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7dde000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddeff1] = 'r'
|
|
mem[0x7ffff7ddeff2] = '\xdd'
|
|
cpu.CF = True
|
|
cpu.RIP = 0x7ffff7ddeff1
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ddeff1], 'r')
|
|
self.assertEqual(mem[0x7ffff7ddeff2], '\xdd')
|
|
self.assertEqual(cpu.RIP, 140737351905232L)
|
|
|
|
def test_JB_6(self):
|
|
''' Instruction JB_6
|
|
Groups: jump
|
|
0x7ffff7b58f46: jb 0x7ffff7b58f00
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f46] = 'r'
|
|
mem[0x7ffff7b58f47] = '\xb8'
|
|
cpu.CF = True
|
|
cpu.RIP = 0x7ffff7b58f46
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b58f46], 'r')
|
|
self.assertEqual(mem[0x7ffff7b58f47], '\xb8')
|
|
self.assertEqual(cpu.RIP, 140737349259008L)
|
|
|
|
def test_JE_1(self):
|
|
''' Instruction JE_1
|
|
Groups: jump
|
|
0x7ffff7de3a9d: je 0x7ffff7de3ed1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3aa0] = '\x04'
|
|
mem[0x7ffff7de3aa1] = '\x00'
|
|
mem[0x7ffff7de3aa2] = '\x00'
|
|
mem[0x7ffff7de3a9d] = '\x0f'
|
|
mem[0x7ffff7de3a9e] = '\x84'
|
|
mem[0x7ffff7de3a9f] = '.'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7de3a9d
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de3aa0], '\x04')
|
|
self.assertEqual(mem[0x7ffff7de3aa1], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de3aa2], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de3a9d], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de3a9e], '\x84')
|
|
self.assertEqual(mem[0x7ffff7de3a9f], '.')
|
|
self.assertEqual(cpu.RIP, 140737351924387L)
|
|
|
|
def test_JE_2(self):
|
|
''' Instruction JE_2
|
|
Groups: jump
|
|
0x7ffff7de61be: je 0x7ffff7de65b8
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de61c0] = '\xf4'
|
|
mem[0x7ffff7de61c1] = '\x03'
|
|
mem[0x7ffff7de61c2] = '\x00'
|
|
mem[0x7ffff7de61c3] = '\x00'
|
|
mem[0x7ffff7de61be] = '\x0f'
|
|
mem[0x7ffff7de61bf] = '\x84'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7de61be
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de61c0], '\xf4')
|
|
self.assertEqual(mem[0x7ffff7de61c1], '\x03')
|
|
self.assertEqual(mem[0x7ffff7de61c2], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de61c3], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de61be], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de61bf], '\x84')
|
|
self.assertEqual(cpu.RIP, 140737351934404L)
|
|
|
|
def test_JE_3(self):
|
|
''' Instruction JE_3
|
|
Groups: jump
|
|
0x7ffff7de38c6: je 0x7ffff7de3960
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de38c6] = '\x0f'
|
|
mem[0x7ffff7de38c7] = '\x84'
|
|
mem[0x7ffff7de38c8] = '\x94'
|
|
mem[0x7ffff7de38c9] = '\x00'
|
|
mem[0x7ffff7de38ca] = '\x00'
|
|
mem[0x7ffff7de38cb] = '\x00'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7de38c6
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de38c6], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de38c7], '\x84')
|
|
self.assertEqual(mem[0x7ffff7de38c8], '\x94')
|
|
self.assertEqual(mem[0x7ffff7de38c9], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de38ca], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de38cb], '\x00')
|
|
self.assertEqual(cpu.RIP, 140737351923916L)
|
|
|
|
def test_JE_4(self):
|
|
''' Instruction JE_4
|
|
Groups: jump
|
|
0x7ffff7de440b: je 0x7ffff7de4644
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de440b] = '\x0f'
|
|
mem[0x7ffff7de440c] = '\x84'
|
|
mem[0x7ffff7de440d] = '3'
|
|
mem[0x7ffff7de440e] = '\x02'
|
|
mem[0x7ffff7de440f] = '\x00'
|
|
mem[0x7ffff7de4410] = '\x00'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7de440b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de440b], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de440c], '\x84')
|
|
self.assertEqual(mem[0x7ffff7de440d], '3')
|
|
self.assertEqual(mem[0x7ffff7de440e], '\x02')
|
|
self.assertEqual(mem[0x7ffff7de440f], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de4410], '\x00')
|
|
self.assertEqual(cpu.RIP, 140737351926801L)
|
|
|
|
def test_JE_5(self):
|
|
''' Instruction JE_5
|
|
Groups: jump
|
|
0x7ffff7de6115: je 0x7ffff7de6121
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6115] = 't'
|
|
mem[0x7ffff7de6116] = '\n'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7de6115
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6115], 't')
|
|
self.assertEqual(mem[0x7ffff7de6116], '\n')
|
|
self.assertEqual(cpu.RIP, 140737351934231L)
|
|
|
|
def test_JE_6(self):
|
|
''' Instruction JE_6
|
|
Groups: jump
|
|
0x406e0b: je 0x406dc6
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem[0x00406e0b] = 't'
|
|
mem[0x00406e0c] = '\xb9'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x406e0b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x406e0b], 't')
|
|
self.assertEqual(mem[0x406e0c], '\xb9')
|
|
self.assertEqual(cpu.RIP, 4222477L)
|
|
|
|
def test_JGE_1(self):
|
|
''' Instruction JGE_1
|
|
Groups: jump
|
|
0x7ffff7ab5b02: jge 0x7ffff7ab5be0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab5b02] = '\x0f'
|
|
mem[0x7ffff7ab5b03] = '\x8d'
|
|
mem[0x7ffff7ab5b04] = '\xd8'
|
|
mem[0x7ffff7ab5b05] = '\x00'
|
|
mem[0x7ffff7ab5b06] = '\x00'
|
|
mem[0x7ffff7ab5b07] = '\x00'
|
|
cpu.OF = False
|
|
cpu.SF = True
|
|
cpu.RIP = 0x7ffff7ab5b02
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ab5b02], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ab5b03], '\x8d')
|
|
self.assertEqual(mem[0x7ffff7ab5b04], '\xd8')
|
|
self.assertEqual(mem[0x7ffff7ab5b05], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ab5b06], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ab5b07], '\x00')
|
|
self.assertEqual(cpu.RIP, 140737348590344L)
|
|
|
|
def test_JGE_2(self):
|
|
''' Instruction JGE_2
|
|
Groups: jump
|
|
0x7ffff7b09879: jge 0x7ffff7b0987f
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b09000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b09879] = '}'
|
|
mem[0x7ffff7b0987a] = '\x04'
|
|
cpu.OF = False
|
|
cpu.SF = False
|
|
cpu.RIP = 0x7ffff7b09879
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b09879], '}')
|
|
self.assertEqual(mem[0x7ffff7b0987a], '\x04')
|
|
self.assertEqual(cpu.RIP, 140737348933759L)
|
|
|
|
def test_JGE_3(self):
|
|
''' Instruction JGE_3
|
|
Groups: jump
|
|
0x7ffff7ab5b02: jge 0x7ffff7ab5be0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab5b02] = '\x0f'
|
|
mem[0x7ffff7ab5b03] = '\x8d'
|
|
mem[0x7ffff7ab5b04] = '\xd8'
|
|
mem[0x7ffff7ab5b05] = '\x00'
|
|
mem[0x7ffff7ab5b06] = '\x00'
|
|
mem[0x7ffff7ab5b07] = '\x00'
|
|
cpu.OF = False
|
|
cpu.SF = True
|
|
cpu.RIP = 0x7ffff7ab5b02
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ab5b02], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ab5b03], '\x8d')
|
|
self.assertEqual(mem[0x7ffff7ab5b04], '\xd8')
|
|
self.assertEqual(mem[0x7ffff7ab5b05], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ab5b06], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ab5b07], '\x00')
|
|
self.assertEqual(cpu.RIP, 140737348590344L)
|
|
|
|
def test_JG_1(self):
|
|
''' Instruction JG_1
|
|
Groups: jump
|
|
0x403684: jg 0x40361a
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00403000, 0x1000, 'rwx')
|
|
mem[0x00403684] = '\x7f'
|
|
mem[0x00403685] = '\x94'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.SF = False
|
|
cpu.RIP = 0x403684
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x403684], '\x7f')
|
|
self.assertEqual(mem[0x403685], '\x94')
|
|
self.assertEqual(cpu.RIP, 4208154L)
|
|
|
|
def test_JG_2(self):
|
|
''' Instruction JG_2
|
|
Groups: jump
|
|
0x40c120: jg 0x40c3f0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040c000, 0x1000, 'rwx')
|
|
mem[0x0040c120] = '\x0f'
|
|
mem[0x0040c121] = '\x8f'
|
|
mem[0x0040c122] = '\xca'
|
|
mem[0x0040c123] = '\x02'
|
|
mem[0x0040c124] = '\x00'
|
|
mem[0x0040c125] = '\x00'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.SF = True
|
|
cpu.RIP = 0x40c120
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x40c120], '\x0f')
|
|
self.assertEqual(mem[0x40c121], '\x8f')
|
|
self.assertEqual(mem[0x40c122], '\xca')
|
|
self.assertEqual(mem[0x40c123], '\x02')
|
|
self.assertEqual(mem[0x40c124], '\x00')
|
|
self.assertEqual(mem[0x40c125], '\x00')
|
|
self.assertEqual(cpu.RIP, 4243750L)
|
|
|
|
def test_JG_3(self):
|
|
''' Instruction JG_3
|
|
Groups: jump
|
|
0x7ffff7df1357: jg 0x7ffff7df13a0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1358] = 'G'
|
|
mem[0x7ffff7df1357] = '\x7f'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.SF = True
|
|
cpu.RIP = 0x7ffff7df1357
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df1358], 'G')
|
|
self.assertEqual(mem[0x7ffff7df1357], '\x7f')
|
|
self.assertEqual(cpu.RIP, 140737351979865L)
|
|
|
|
def test_JG_4(self):
|
|
''' Instruction JG_4
|
|
Groups: jump
|
|
0x7ffff7ddc9fb: jg 0x7ffff7ddce16
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddca00] = '\x00'
|
|
mem[0x7ffff7ddc9fb] = '\x0f'
|
|
mem[0x7ffff7ddc9fc] = '\x8f'
|
|
mem[0x7ffff7ddc9fd] = '\x15'
|
|
mem[0x7ffff7ddc9fe] = '\x04'
|
|
mem[0x7ffff7ddc9ff] = '\x00'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.SF = False
|
|
cpu.RIP = 0x7ffff7ddc9fb
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ddca00], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ddc9fb], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ddc9fc], '\x8f')
|
|
self.assertEqual(mem[0x7ffff7ddc9fd], '\x15')
|
|
self.assertEqual(mem[0x7ffff7ddc9fe], '\x04')
|
|
self.assertEqual(mem[0x7ffff7ddc9ff], '\x00')
|
|
self.assertEqual(cpu.RIP, 140737351896598L)
|
|
|
|
def test_JG_5(self):
|
|
''' Instruction JG_5
|
|
Groups: jump
|
|
0x7ffff7ddc9fb: jg 0x7ffff7ddce16
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddca00] = '\x00'
|
|
mem[0x7ffff7ddc9fb] = '\x0f'
|
|
mem[0x7ffff7ddc9fc] = '\x8f'
|
|
mem[0x7ffff7ddc9fd] = '\x15'
|
|
mem[0x7ffff7ddc9fe] = '\x04'
|
|
mem[0x7ffff7ddc9ff] = '\x00'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.SF = False
|
|
cpu.RIP = 0x7ffff7ddc9fb
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ddca00], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ddc9fb], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ddc9fc], '\x8f')
|
|
self.assertEqual(mem[0x7ffff7ddc9fd], '\x15')
|
|
self.assertEqual(mem[0x7ffff7ddc9fe], '\x04')
|
|
self.assertEqual(mem[0x7ffff7ddc9ff], '\x00')
|
|
self.assertEqual(cpu.RIP, 140737351896598L)
|
|
|
|
def test_JG_6(self):
|
|
''' Instruction JG_6
|
|
Groups: jump
|
|
0x40c2e4: jg 0x40c250
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040c000, 0x1000, 'rwx')
|
|
mem[0x0040c2e4] = '\x0f'
|
|
mem[0x0040c2e5] = '\x8f'
|
|
mem[0x0040c2e6] = 'f'
|
|
mem[0x0040c2e7] = '\xff'
|
|
mem[0x0040c2e8] = '\xff'
|
|
mem[0x0040c2e9] = '\xff'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.SF = True
|
|
cpu.RIP = 0x40c2e4
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x40c2e4], '\x0f')
|
|
self.assertEqual(mem[0x40c2e5], '\x8f')
|
|
self.assertEqual(mem[0x40c2e6], 'f')
|
|
self.assertEqual(mem[0x40c2e7], '\xff')
|
|
self.assertEqual(mem[0x40c2e8], '\xff')
|
|
self.assertEqual(mem[0x40c2e9], '\xff')
|
|
self.assertEqual(cpu.RIP, 4244202L)
|
|
|
|
def test_JLE_1(self):
|
|
''' Instruction JLE_1
|
|
Groups: jump
|
|
0x400b2b: jle 0x400b01
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x00400b2b] = '~'
|
|
mem[0x00400b2c] = '\xd4'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.SF = True
|
|
cpu.RIP = 0x400b2b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x400b2b], '~')
|
|
self.assertEqual(mem[0x400b2c], '\xd4')
|
|
self.assertEqual(cpu.RIP, 4197121L)
|
|
|
|
def test_JLE_2(self):
|
|
''' Instruction JLE_2
|
|
Groups: jump
|
|
0x7ffff7a4e1cb: jle 0x7ffff7a4e429
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4e1cb] = '\x0f'
|
|
mem[0x7ffff7a4e1cc] = '\x8e'
|
|
mem[0x7ffff7a4e1cd] = 'X'
|
|
mem[0x7ffff7a4e1ce] = '\x02'
|
|
mem[0x7ffff7a4e1cf] = '\x00'
|
|
mem[0x7ffff7a4e1d0] = '\x00'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.SF = False
|
|
cpu.RIP = 0x7ffff7a4e1cb
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a4e1cb], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7a4e1cc], '\x8e')
|
|
self.assertEqual(mem[0x7ffff7a4e1cd], 'X')
|
|
self.assertEqual(mem[0x7ffff7a4e1ce], '\x02')
|
|
self.assertEqual(mem[0x7ffff7a4e1cf], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a4e1d0], '\x00')
|
|
self.assertEqual(cpu.RIP, 140737348166097L)
|
|
|
|
def test_JLE_3(self):
|
|
''' Instruction JLE_3
|
|
Groups: jump
|
|
0x437c08: jle 0x437c1f
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00437000, 0x1000, 'rwx')
|
|
mem[0x00437c08] = '~'
|
|
mem[0x00437c09] = '\x15'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.SF = False
|
|
cpu.RIP = 0x437c08
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x437c08], '~')
|
|
self.assertEqual(mem[0x437c09], '\x15')
|
|
self.assertEqual(cpu.RIP, 4422666L)
|
|
|
|
def test_JLE_4(self):
|
|
''' Instruction JLE_4
|
|
Groups: jump
|
|
0x7ffff7de4486: jle 0x7ffff7de4430
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4486] = '~'
|
|
mem[0x7ffff7de4487] = '\xa8'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.SF = False
|
|
cpu.RIP = 0x7ffff7de4486
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4486], '~')
|
|
self.assertEqual(mem[0x7ffff7de4487], '\xa8')
|
|
self.assertEqual(cpu.RIP, 140737351926920L)
|
|
|
|
def test_JLE_5(self):
|
|
''' Instruction JLE_5
|
|
Groups: jump
|
|
0x7ffff7de4486: jle 0x7ffff7de4430
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4486] = '~'
|
|
mem[0x7ffff7de4487] = '\xa8'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.SF = False
|
|
cpu.RIP = 0x7ffff7de4486
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4486], '~')
|
|
self.assertEqual(mem[0x7ffff7de4487], '\xa8')
|
|
self.assertEqual(cpu.RIP, 140737351926920L)
|
|
|
|
def test_JLE_6(self):
|
|
''' Instruction JLE_6
|
|
Groups: jump
|
|
0x7ffff7de4486: jle 0x7ffff7de4430
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4486] = '~'
|
|
mem[0x7ffff7de4487] = '\xa8'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.SF = False
|
|
cpu.RIP = 0x7ffff7de4486
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4486], '~')
|
|
self.assertEqual(mem[0x7ffff7de4487], '\xa8')
|
|
self.assertEqual(cpu.RIP, 140737351926920L)
|
|
|
|
def test_JL_1(self):
|
|
''' Instruction JL_1
|
|
Groups: jump
|
|
0x555555556f00: jl 0x555555556ee2
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem[0x555555556f00] = '|'
|
|
mem[0x555555556f01] = '\xe0'
|
|
cpu.OF = False
|
|
cpu.SF = True
|
|
cpu.RIP = 0x555555556f00
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x555555556f00], '|')
|
|
self.assertEqual(mem[0x555555556f01], '\xe0')
|
|
self.assertEqual(cpu.RIP, 93824992243426L)
|
|
|
|
def test_JL_2(self):
|
|
''' Instruction JL_2
|
|
Groups: jump
|
|
0x555555556f00: jl 0x555555556ee2
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem[0x555555556f00] = '|'
|
|
mem[0x555555556f01] = '\xe0'
|
|
cpu.OF = False
|
|
cpu.SF = False
|
|
cpu.RIP = 0x555555556f00
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x555555556f00], '|')
|
|
self.assertEqual(mem[0x555555556f01], '\xe0')
|
|
self.assertEqual(cpu.RIP, 93824992243458L)
|
|
|
|
def test_JL_3(self):
|
|
''' Instruction JL_3
|
|
Groups: jump
|
|
0x555555556f00: jl 0x555555556ee2
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem[0x555555556f00] = '|'
|
|
mem[0x555555556f01] = '\xe0'
|
|
cpu.OF = False
|
|
cpu.SF = True
|
|
cpu.RIP = 0x555555556f00
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x555555556f00], '|')
|
|
self.assertEqual(mem[0x555555556f01], '\xe0')
|
|
self.assertEqual(cpu.RIP, 93824992243426L)
|
|
|
|
def test_JMP_1(self):
|
|
''' Instruction JMP_1
|
|
Groups: jump
|
|
0x7ffff7de4279: jmp 0x7ffff7de3a98
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4279] = '\xe9'
|
|
mem[0x7ffff7de427a] = '\x1a'
|
|
mem[0x7ffff7de427b] = '\xf8'
|
|
mem[0x7ffff7de427c] = '\xff'
|
|
mem[0x7ffff7de427d] = '\xff'
|
|
cpu.RIP = 0x7ffff7de4279
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4279], '\xe9')
|
|
self.assertEqual(mem[0x7ffff7de427a], '\x1a')
|
|
self.assertEqual(mem[0x7ffff7de427b], '\xf8')
|
|
self.assertEqual(mem[0x7ffff7de427c], '\xff')
|
|
self.assertEqual(mem[0x7ffff7de427d], '\xff')
|
|
self.assertEqual(cpu.RIP, 140737351924376L)
|
|
|
|
def test_JMP_2(self):
|
|
''' Instruction JMP_2
|
|
Groups: jump
|
|
0x7ffff7b58ee7: jmp 0x7ffff7b58f10
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58ee8] = "'"
|
|
mem[0x7ffff7b58ee7] = '\xeb'
|
|
cpu.RIP = 0x7ffff7b58ee7
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b58ee8], "'")
|
|
self.assertEqual(mem[0x7ffff7b58ee7], '\xeb')
|
|
self.assertEqual(cpu.RIP, 140737349259024L)
|
|
|
|
def test_JMP_3(self):
|
|
''' Instruction JMP_3
|
|
Groups: jump
|
|
0x7ffff7df28e1: jmp 0x7ffff7ddaa00
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df28e1] = '\xe9'
|
|
mem[0x7ffff7df28e2] = '\x1a'
|
|
mem[0x7ffff7df28e3] = '\x81'
|
|
mem[0x7ffff7df28e4] = '\xfe'
|
|
mem[0x7ffff7df28e5] = '\xff'
|
|
cpu.RIP = 0x7ffff7df28e1
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df28e1], '\xe9')
|
|
self.assertEqual(mem[0x7ffff7df28e2], '\x1a')
|
|
self.assertEqual(mem[0x7ffff7df28e3], '\x81')
|
|
self.assertEqual(mem[0x7ffff7df28e4], '\xfe')
|
|
self.assertEqual(mem[0x7ffff7df28e5], '\xff')
|
|
self.assertEqual(cpu.RIP, 140737351887360L)
|
|
|
|
def test_JMP_4(self):
|
|
''' Instruction JMP_4
|
|
Groups: mode64, jump
|
|
0x7ffff7de62ee: jmp rdx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de62ee] = '\xff'
|
|
mem[0x7ffff7de62ef] = '\xe2'
|
|
cpu.RDX = 0x7ffff7de63b8
|
|
cpu.RIP = 0x7ffff7de62ee
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de62ee], '\xff')
|
|
self.assertEqual(mem[0x7ffff7de62ef], '\xe2')
|
|
self.assertEqual(cpu.RDX, 140737351934904L)
|
|
self.assertEqual(cpu.RIP, 140737351934904L)
|
|
|
|
def test_JMP_5(self):
|
|
''' Instruction JMP_5
|
|
Groups: jump
|
|
0x7ffff7de4042: jmp 0x7ffff7de4054
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4042] = '\xeb'
|
|
mem[0x7ffff7de4043] = '\x10'
|
|
cpu.RIP = 0x7ffff7de4042
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4042], '\xeb')
|
|
self.assertEqual(mem[0x7ffff7de4043], '\x10')
|
|
self.assertEqual(cpu.RIP, 140737351925844L)
|
|
|
|
def test_JMP_6(self):
|
|
''' Instruction JMP_6
|
|
Groups: jump
|
|
0x7ffff7b58ee7: jmp 0x7ffff7b58f10
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58ee8] = "'"
|
|
mem[0x7ffff7b58ee7] = '\xeb'
|
|
cpu.RIP = 0x7ffff7b58ee7
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b58ee8], "'")
|
|
self.assertEqual(mem[0x7ffff7b58ee7], '\xeb')
|
|
self.assertEqual(cpu.RIP, 140737349259024L)
|
|
|
|
def test_JNE_1(self):
|
|
''' Instruction JNE_1
|
|
Groups: jump
|
|
0x7ffff7df459e: jne 0x7ffff7df4590
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df459e] = 'u'
|
|
mem[0x7ffff7df459f] = '\xf0'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7df459e
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df459e], 'u')
|
|
self.assertEqual(mem[0x7ffff7df459f], '\xf0')
|
|
self.assertEqual(cpu.RIP, 140737351992720L)
|
|
|
|
def test_JNE_2(self):
|
|
''' Instruction JNE_2
|
|
Groups: jump
|
|
0x7ffff7de5a4b: jne 0x7ffff7de5a40
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5a4b] = 'u'
|
|
mem[0x7ffff7de5a4c] = '\xf3'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7de5a4b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de5a4b], 'u')
|
|
self.assertEqual(mem[0x7ffff7de5a4c], '\xf3')
|
|
self.assertEqual(cpu.RIP, 140737351932480L)
|
|
|
|
def test_JNE_3(self):
|
|
''' Instruction JNE_3
|
|
Groups: jump
|
|
0x7ffff7de611b: jne 0x7ffff7de73ad
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6120] = '\x00'
|
|
mem[0x7ffff7de611b] = '\x0f'
|
|
mem[0x7ffff7de611c] = '\x85'
|
|
mem[0x7ffff7de611d] = '\x8c'
|
|
mem[0x7ffff7de611e] = '\x12'
|
|
mem[0x7ffff7de611f] = '\x00'
|
|
cpu.ZF = True
|
|
cpu.RIP = 0x7ffff7de611b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6120], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de611b], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de611c], '\x85')
|
|
self.assertEqual(mem[0x7ffff7de611d], '\x8c')
|
|
self.assertEqual(mem[0x7ffff7de611e], '\x12')
|
|
self.assertEqual(mem[0x7ffff7de611f], '\x00')
|
|
self.assertEqual(cpu.RIP, 140737351934241L)
|
|
|
|
def test_JNE_4(self):
|
|
''' Instruction JNE_4
|
|
Groups: jump
|
|
0x7ffff7aab197: jne 0x7ffff7aab188
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7aab000, 0x1000, 'rwx')
|
|
mem[0x7ffff7aab198] = '\xef'
|
|
mem[0x7ffff7aab197] = 'u'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7aab197
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7aab198], '\xef')
|
|
self.assertEqual(mem[0x7ffff7aab197], 'u')
|
|
self.assertEqual(cpu.RIP, 140737348546952L)
|
|
|
|
def test_JNE_5(self):
|
|
''' Instruction JNE_5
|
|
Groups: jump
|
|
0x7ffff7df4594: jne 0x7ffff7df45a3
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4594] = 'u'
|
|
mem[0x7ffff7df4595] = '\r'
|
|
cpu.ZF = True
|
|
cpu.RIP = 0x7ffff7df4594
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4594], 'u')
|
|
self.assertEqual(mem[0x7ffff7df4595], '\r')
|
|
self.assertEqual(cpu.RIP, 140737351992726L)
|
|
|
|
def test_JNE_6(self):
|
|
''' Instruction JNE_6
|
|
Groups: jump
|
|
0x7ffff7df459e: jne 0x7ffff7df4590
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df459e] = 'u'
|
|
mem[0x7ffff7df459f] = '\xf0'
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7df459e
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df459e], 'u')
|
|
self.assertEqual(mem[0x7ffff7df459f], '\xf0')
|
|
self.assertEqual(cpu.RIP, 140737351992720L)
|
|
|
|
def test_JNS_1(self):
|
|
''' Instruction JNS_1
|
|
Groups: jump
|
|
0x7ffff7df138f: jns 0x7ffff7df1350
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1390] = '\xbf'
|
|
mem[0x7ffff7df138f] = 'y'
|
|
cpu.SF = True
|
|
cpu.RIP = 0x7ffff7df138f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df1390], '\xbf')
|
|
self.assertEqual(mem[0x7ffff7df138f], 'y')
|
|
self.assertEqual(cpu.RIP, 140737351979921L)
|
|
|
|
def test_JNS_2(self):
|
|
''' Instruction JNS_2
|
|
Groups: jump
|
|
0x555555565fb2: jns 0x5555555659ec
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555565000, 0x1000, 'rwx')
|
|
mem[0x555555565fb2] = '\x0f'
|
|
mem[0x555555565fb3] = '\x89'
|
|
mem[0x555555565fb4] = '4'
|
|
mem[0x555555565fb5] = '\xfa'
|
|
mem[0x555555565fb6] = '\xff'
|
|
mem[0x555555565fb7] = '\xff'
|
|
cpu.SF = False
|
|
cpu.RIP = 0x555555565fb2
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x555555565fb2], '\x0f')
|
|
self.assertEqual(mem[0x555555565fb3], '\x89')
|
|
self.assertEqual(mem[0x555555565fb4], '4')
|
|
self.assertEqual(mem[0x555555565fb5], '\xfa')
|
|
self.assertEqual(mem[0x555555565fb6], '\xff')
|
|
self.assertEqual(mem[0x555555565fb7], '\xff')
|
|
self.assertEqual(cpu.RIP, 93824992303596L)
|
|
|
|
def test_JNS_3(self):
|
|
''' Instruction JNS_3
|
|
Groups: jump
|
|
0x7ffff7df138f: jns 0x7ffff7df1350
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1390] = '\xbf'
|
|
mem[0x7ffff7df138f] = 'y'
|
|
cpu.SF = True
|
|
cpu.RIP = 0x7ffff7df138f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df1390], '\xbf')
|
|
self.assertEqual(mem[0x7ffff7df138f], 'y')
|
|
self.assertEqual(cpu.RIP, 140737351979921L)
|
|
|
|
def test_JNS_4(self):
|
|
''' Instruction JNS_4
|
|
Groups: jump
|
|
0x7ffff7df138f: jns 0x7ffff7df1350
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1390] = '\xbf'
|
|
mem[0x7ffff7df138f] = 'y'
|
|
cpu.SF = False
|
|
cpu.RIP = 0x7ffff7df138f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df1390], '\xbf')
|
|
self.assertEqual(mem[0x7ffff7df138f], 'y')
|
|
self.assertEqual(cpu.RIP, 140737351979856L)
|
|
|
|
def test_JNS_5(self):
|
|
''' Instruction JNS_5
|
|
Groups: jump
|
|
0x7ffff7df138f: jns 0x7ffff7df1350
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1390] = '\xbf'
|
|
mem[0x7ffff7df138f] = 'y'
|
|
cpu.SF = True
|
|
cpu.RIP = 0x7ffff7df138f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df1390], '\xbf')
|
|
self.assertEqual(mem[0x7ffff7df138f], 'y')
|
|
self.assertEqual(cpu.RIP, 140737351979921L)
|
|
|
|
def test_JNS_6(self):
|
|
''' Instruction JNS_6
|
|
Groups: jump
|
|
0x7ffff7df138f: jns 0x7ffff7df1350
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1390] = '\xbf'
|
|
mem[0x7ffff7df138f] = 'y'
|
|
cpu.SF = False
|
|
cpu.RIP = 0x7ffff7df138f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df1390], '\xbf')
|
|
self.assertEqual(mem[0x7ffff7df138f], 'y')
|
|
self.assertEqual(cpu.RIP, 140737351979856L)
|
|
|
|
def test_JS_1(self):
|
|
''' Instruction JS_1
|
|
Groups: jump
|
|
0x4326b2: js 0x4328fb
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x004326b2] = '\x0f'
|
|
mem[0x004326b3] = '\x88'
|
|
mem[0x004326b4] = 'C'
|
|
mem[0x004326b5] = '\x02'
|
|
mem[0x004326b6] = '\x00'
|
|
mem[0x004326b7] = '\x00'
|
|
cpu.SF = False
|
|
cpu.RIP = 0x4326b2
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4326b2], '\x0f')
|
|
self.assertEqual(mem[0x4326b3], '\x88')
|
|
self.assertEqual(mem[0x4326b4], 'C')
|
|
self.assertEqual(mem[0x4326b5], '\x02')
|
|
self.assertEqual(mem[0x4326b6], '\x00')
|
|
self.assertEqual(mem[0x4326b7], '\x00')
|
|
self.assertEqual(cpu.RIP, 4400824L)
|
|
|
|
def test_JS_2(self):
|
|
''' Instruction JS_2
|
|
Groups: jump
|
|
0x4322d2: js 0x43251b
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x004322d2] = '\x0f'
|
|
mem[0x004322d3] = '\x88'
|
|
mem[0x004322d4] = 'C'
|
|
mem[0x004322d5] = '\x02'
|
|
mem[0x004322d6] = '\x00'
|
|
mem[0x004322d7] = '\x00'
|
|
cpu.SF = False
|
|
cpu.RIP = 0x4322d2
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4322d2], '\x0f')
|
|
self.assertEqual(mem[0x4322d3], '\x88')
|
|
self.assertEqual(mem[0x4322d4], 'C')
|
|
self.assertEqual(mem[0x4322d5], '\x02')
|
|
self.assertEqual(mem[0x4322d6], '\x00')
|
|
self.assertEqual(mem[0x4322d7], '\x00')
|
|
self.assertEqual(cpu.RIP, 4399832L)
|
|
|
|
def test_JS_3(self):
|
|
''' Instruction JS_3
|
|
Groups: jump
|
|
0x555555565075: js 0x555555566260
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555565000, 0x1000, 'rwx')
|
|
mem[0x555555565075] = '\x0f'
|
|
mem[0x555555565076] = '\x88'
|
|
mem[0x555555565077] = '\xe5'
|
|
mem[0x555555565078] = '\x11'
|
|
mem[0x555555565079] = '\x00'
|
|
mem[0x55555556507a] = '\x00'
|
|
cpu.SF = False
|
|
cpu.RIP = 0x555555565075
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x555555565075], '\x0f')
|
|
self.assertEqual(mem[0x555555565076], '\x88')
|
|
self.assertEqual(mem[0x555555565077], '\xe5')
|
|
self.assertEqual(mem[0x555555565078], '\x11')
|
|
self.assertEqual(mem[0x555555565079], '\x00')
|
|
self.assertEqual(mem[0x55555556507a], '\x00')
|
|
self.assertEqual(cpu.RIP, 93824992301179L)
|
|
|
|
def test_JS_4(self):
|
|
''' Instruction JS_4
|
|
Groups: jump
|
|
0x40dd40: js 0x40dd4c
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040d000, 0x1000, 'rwx')
|
|
mem[0x0040dd40] = 'x'
|
|
mem[0x0040dd41] = '\n'
|
|
cpu.SF = True
|
|
cpu.RIP = 0x40dd40
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x40dd40], 'x')
|
|
self.assertEqual(mem[0x40dd41], '\n')
|
|
self.assertEqual(cpu.RIP, 4250956L)
|
|
|
|
def test_JS_5(self):
|
|
''' Instruction JS_5
|
|
Groups: jump
|
|
0x555555559cb6: js 0x555555559ccf
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555559000, 0x1000, 'rwx')
|
|
mem[0x555555559cb6] = 'x'
|
|
mem[0x555555559cb7] = '\x17'
|
|
cpu.SF = True
|
|
cpu.RIP = 0x555555559cb6
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x555555559cb6], 'x')
|
|
self.assertEqual(mem[0x555555559cb7], '\x17')
|
|
self.assertEqual(cpu.RIP, 93824992255183L)
|
|
|
|
def test_JS_6(self):
|
|
''' Instruction JS_6
|
|
Groups: jump
|
|
0x5555555673d5: js 0x555555567450
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555567000, 0x1000, 'rwx')
|
|
mem[0x5555555673d5] = 'x'
|
|
mem[0x5555555673d6] = 'y'
|
|
cpu.SF = False
|
|
cpu.RIP = 0x5555555673d5
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x5555555673d5], 'x')
|
|
self.assertEqual(mem[0x5555555673d6], 'y')
|
|
self.assertEqual(cpu.RIP, 93824992310231L)
|
|
|
|
def test_LEAVE_1(self):
|
|
''' Instruction LEAVE_1
|
|
Groups: mode64
|
|
0x7ffff7b30c15: leave
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b30000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b30c15] = '\xc9'
|
|
mem[0x7fffffffda98] = '\xd0'
|
|
mem[0x7fffffffda99] = '\xda'
|
|
mem[0x7fffffffda9a] = '\xff'
|
|
mem[0x7fffffffda9b] = '\xff'
|
|
mem[0x7fffffffda9c] = '\xff'
|
|
mem[0x7fffffffda9d] = '\x7f'
|
|
mem[0x7fffffffda9e] = '\x00'
|
|
mem[0x7fffffffda9f] = '\x00'
|
|
mem[0x7fffffffdaa0] = '\xf0'
|
|
mem[0x7fffffffdaa1] = '\xda'
|
|
mem[0x7fffffffdaa2] = '\xff'
|
|
mem[0x7fffffffdaa3] = '\xff'
|
|
mem[0x7fffffffdaa4] = '\xff'
|
|
mem[0x7fffffffdaa5] = '\x7f'
|
|
mem[0x7fffffffdaa6] = '\x00'
|
|
mem[0x7fffffffdaa7] = '\x00'
|
|
mem[0x7fffffffdaa8] = 'H'
|
|
mem[0x7fffffffdaa9] = '\xe1'
|
|
mem[0x7fffffffdaaa] = '\xff'
|
|
mem[0x7fffffffdaab] = '\xf7'
|
|
mem[0x7fffffffdaac] = '\xff'
|
|
mem[0x7fffffffdaad] = '\x7f'
|
|
mem[0x7fffffffdaae] = '\x00'
|
|
mem[0x7fffffffdaaf] = '\x00'
|
|
mem[0x7fffffffdab0] = '\xc0'
|
|
mem[0x7fffffffdab1] = '\xda'
|
|
mem[0x7fffffffdab2] = '\xff'
|
|
mem[0x7fffffffdab3] = '\xff'
|
|
mem[0x7fffffffdab4] = '\xff'
|
|
mem[0x7fffffffdab5] = '\x7f'
|
|
mem[0x7fffffffdab6] = '\x00'
|
|
mem[0x7fffffffdab7] = '\x00'
|
|
mem[0x7fffffffdab8] = '\xb3'
|
|
cpu.RSP = 0x7fffffffdaa0
|
|
cpu.RIP = 0x7ffff7b30c15
|
|
cpu.RBP = 0x7fffffffdab0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b30c15], '\xc9')
|
|
self.assertEqual(mem[0x7fffffffda98], '\xd0')
|
|
self.assertEqual(mem[0x7fffffffda99], '\xda')
|
|
self.assertEqual(mem[0x7fffffffda9a], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda9b], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda9c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda9d], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffda9e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda9f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaa0], '\xf0')
|
|
self.assertEqual(mem[0x7fffffffdaa1], '\xda')
|
|
self.assertEqual(mem[0x7fffffffdaa2], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdaa3], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdaa4], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdaa5], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffdaa6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaa7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaa8], 'H')
|
|
self.assertEqual(mem[0x7fffffffdaa9], '\xe1')
|
|
self.assertEqual(mem[0x7fffffffdaaa], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdaab], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffdaac], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdaad], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffdaae], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaaf], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdab0], '\xc0')
|
|
self.assertEqual(mem[0x7fffffffdab1], '\xda')
|
|
self.assertEqual(mem[0x7fffffffdab2], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdab3], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdab4], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdab5], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffdab6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdab7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdab8], '\xb3')
|
|
self.assertEqual(cpu.RSP, 140737488345784L)
|
|
self.assertEqual(cpu.RIP, 140737349094422L)
|
|
self.assertEqual(cpu.RBP, 140737488345792L)
|
|
|
|
def test_LEAVE_2(self):
|
|
''' Instruction LEAVE_2
|
|
Groups: mode64
|
|
0x4176f4: leave
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00417000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffcad8] = '\xf0'
|
|
mem[0x7fffffffcad9] = 'v'
|
|
mem[0x7fffffffcada] = 'A'
|
|
mem[0x7fffffffcadb] = '\x00'
|
|
mem[0x7fffffffcadc] = '\x00'
|
|
mem[0x7fffffffcadd] = '\x00'
|
|
mem[0x7fffffffcade] = '\x00'
|
|
mem[0x7fffffffcadf] = '\x00'
|
|
mem[0x7fffffffcae0] = '@'
|
|
mem[0x7fffffffcae1] = '\x00'
|
|
mem[0x7fffffffcae2] = '\x00'
|
|
mem[0x7fffffffcae3] = '\x00'
|
|
mem[0x7fffffffcae4] = '\x00'
|
|
mem[0x7fffffffcae5] = '\x00'
|
|
mem[0x7fffffffcae6] = '\x00'
|
|
mem[0x7fffffffcae7] = '\x00'
|
|
mem[0x7fffffffcae8] = 'A'
|
|
mem[0x7fffffffcae9] = '\x00'
|
|
mem[0x7fffffffcaea] = '\x00'
|
|
mem[0x7fffffffcaeb] = '\x00'
|
|
mem[0x7fffffffcaec] = '\x00'
|
|
mem[0x7fffffffcaed] = '\x00'
|
|
mem[0x7fffffffcaee] = '\x00'
|
|
mem[0x7fffffffcaef] = '\x00'
|
|
mem[0x7fffffffcaf0] = ' '
|
|
mem[0x7fffffffcaf1] = '\xdb'
|
|
mem[0x7fffffffcaf2] = '\xff'
|
|
mem[0x7fffffffcaf3] = '\xff'
|
|
mem[0x7fffffffcaf4] = '\xff'
|
|
mem[0x7fffffffcaf5] = '\x7f'
|
|
mem[0x7fffffffcaf6] = '\x00'
|
|
mem[0x7fffffffcaf7] = '\x00'
|
|
mem[0x7fffffffcaf8] = '+'
|
|
mem[0x004176f4] = '\xc9'
|
|
cpu.RSP = 0x7fffffffcae0
|
|
cpu.RIP = 0x4176f4
|
|
cpu.RBP = 0x7fffffffcaf0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffcad8], '\xf0')
|
|
self.assertEqual(mem[0x7fffffffcad9], 'v')
|
|
self.assertEqual(mem[0x7fffffffcada], 'A')
|
|
self.assertEqual(mem[0x7fffffffcadb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcadc], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcadd], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcade], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcadf], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcae0], '@')
|
|
self.assertEqual(mem[0x7fffffffcae1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcae2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcae3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcae4], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcae5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcae6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcae7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcae8], 'A')
|
|
self.assertEqual(mem[0x7fffffffcae9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcaea], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcaeb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcaec], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcaed], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcaee], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcaef], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcaf0], ' ')
|
|
self.assertEqual(mem[0x7fffffffcaf1], '\xdb')
|
|
self.assertEqual(mem[0x7fffffffcaf2], '\xff')
|
|
self.assertEqual(mem[0x7fffffffcaf3], '\xff')
|
|
self.assertEqual(mem[0x4176f4], '\xc9')
|
|
self.assertEqual(mem[0x7fffffffcaf5], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffcaf6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcaf7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcaf8], '+')
|
|
self.assertEqual(mem[0x7fffffffcaf4], '\xff')
|
|
self.assertEqual(cpu.RSP, 140737488341752L)
|
|
self.assertEqual(cpu.RIP, 4290293L)
|
|
self.assertEqual(cpu.RBP, 140737488345888L)
|
|
|
|
def test_LEAVE_3(self):
|
|
''' Instruction LEAVE_3
|
|
Groups: mode64
|
|
0x7ffff7b59b18: leave
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b59000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffda08] = '\xd0'
|
|
mem[0x7fffffffda09] = '\xd4'
|
|
mem[0x7fffffffda0a] = '\xa4'
|
|
mem[0x7fffffffda0b] = '\xf7'
|
|
mem[0x7fffffffda0c] = '\xff'
|
|
mem[0x7fffffffda0d] = '\x7f'
|
|
mem[0x7fffffffda0e] = '\x00'
|
|
mem[0x7fffffffda0f] = '\x00'
|
|
mem[0x7fffffffda10] = '@'
|
|
mem[0x7fffffffda11] = '\xda'
|
|
mem[0x7fffffffda12] = '\xff'
|
|
mem[0x7fffffffda13] = '\xff'
|
|
mem[0x7fffffffda14] = '\xff'
|
|
mem[0x7fffffffda15] = '\x7f'
|
|
mem[0x7fffffffda16] = '\x00'
|
|
mem[0x7fffffffda17] = '\x00'
|
|
mem[0x7ffff7b59b18] = '\xc9'
|
|
mem[0x7fffffffd9d9] = '\x00'
|
|
mem[0x7fffffffd9da] = '\x00'
|
|
mem[0x7fffffffd9db] = '\x00'
|
|
mem[0x7fffffffd9dc] = '\x00'
|
|
mem[0x7fffffffd9dd] = '\x00'
|
|
mem[0x7fffffffd9de] = '\x00'
|
|
mem[0x7fffffffd9df] = '\x00'
|
|
mem[0x7fffffffd9e0] = '\x00'
|
|
mem[0x7fffffffd9e1] = '\x00'
|
|
mem[0x7fffffffd9e2] = '\x00'
|
|
mem[0x7fffffffd9e3] = '\x00'
|
|
mem[0x7fffffffd9d8] = '\x00'
|
|
mem[0x7fffffffd9e5] = '\x00'
|
|
mem[0x7fffffffda18] = "'"
|
|
mem[0x7fffffffd9e7] = '\x00'
|
|
mem[0x7fffffffd9e8] = '\xf0'
|
|
mem[0x7fffffffd9e6] = '\x00'
|
|
mem[0x7fffffffd9e4] = '\x00'
|
|
cpu.RSP = 0x7fffffffd9e0
|
|
cpu.RIP = 0x7ffff7b59b18
|
|
cpu.RBP = 0x7fffffffda10
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffda08], '\xd0')
|
|
self.assertEqual(mem[0x7fffffffda09], '\xd4')
|
|
self.assertEqual(mem[0x7fffffffda0a], '\xa4')
|
|
self.assertEqual(mem[0x7fffffffda0b], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffda0c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda0d], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffda0e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda0f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda10], '@')
|
|
self.assertEqual(mem[0x7fffffffda11], '\xda')
|
|
self.assertEqual(mem[0x7fffffffda12], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda13], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda14], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda15], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffda16], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda17], '\x00')
|
|
self.assertEqual(mem[0x7ffff7b59b18], '\xc9')
|
|
self.assertEqual(mem[0x7fffffffd9d9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9da], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9db], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9dc], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9dd], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9de], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9df], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9e0], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9e1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9e2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9e3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9d8], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9e5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda18], "'")
|
|
self.assertEqual(mem[0x7fffffffd9e7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9e8], '\xf0')
|
|
self.assertEqual(mem[0x7fffffffd9e6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9e4], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488345624L)
|
|
self.assertEqual(cpu.RIP, 140737349262105L)
|
|
self.assertEqual(cpu.RBP, 140737488345664L)
|
|
|
|
def test_LEAVE_4(self):
|
|
''' Instruction LEAVE_4
|
|
Groups: mode64
|
|
0x7ffff7b59b18: leave
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b59000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffdb98] = '\x00'
|
|
mem[0x7fffffffdb71] = '\xdc'
|
|
mem[0x7ffff7b59b18] = '\xc9'
|
|
mem[0x7fffffffdb99] = '\x00'
|
|
mem[0x7fffffffdb9a] = '\x00'
|
|
mem[0x7fffffffdb9b] = '\x00'
|
|
mem[0x7fffffffdb9c] = '\x00'
|
|
mem[0x7fffffffdb9d] = '\x00'
|
|
mem[0x7fffffffdb9e] = '\x00'
|
|
mem[0x7fffffffdb9f] = '\x00'
|
|
mem[0x7fffffffdba0] = '\xf0'
|
|
mem[0x7fffffffdba1] = '\xdb'
|
|
mem[0x7fffffffdba2] = '\xff'
|
|
mem[0x7fffffffdba3] = '\xff'
|
|
mem[0x7fffffffdba4] = '\xff'
|
|
mem[0x7fffffffdba5] = '\x7f'
|
|
mem[0x7fffffffdba6] = '\x00'
|
|
mem[0x7fffffffdba7] = '\x00'
|
|
mem[0x7fffffffdba8] = ':'
|
|
mem[0x7fffffffdb69] = '\x00'
|
|
mem[0x7fffffffdb6a] = '\x00'
|
|
mem[0x7fffffffdb6b] = '\x00'
|
|
mem[0x7fffffffdb6c] = '\x00'
|
|
mem[0x7fffffffdb6d] = '\x00'
|
|
mem[0x7fffffffdb6e] = '\x00'
|
|
mem[0x7fffffffdb6f] = '\x00'
|
|
mem[0x7fffffffdb70] = '\xb8'
|
|
mem[0x7fffffffdb68] = '\x00'
|
|
mem[0x7fffffffdb72] = '\xff'
|
|
mem[0x7fffffffdb73] = '\xff'
|
|
mem[0x7fffffffdb74] = '\xff'
|
|
mem[0x7fffffffdb75] = '\x7f'
|
|
mem[0x7fffffffdb76] = '\x00'
|
|
mem[0x7fffffffdb77] = '\x00'
|
|
mem[0x7fffffffdb78] = 'P'
|
|
cpu.RSP = 0x7fffffffdb70
|
|
cpu.RIP = 0x7ffff7b59b18
|
|
cpu.RBP = 0x7fffffffdba0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b59b18], '\xc9')
|
|
self.assertEqual(mem[0x7fffffffdb71], '\xdc')
|
|
self.assertEqual(mem[0x7fffffffdb98], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb99], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb9a], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb9b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb9c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb9d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb9e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb9f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdba0], '\xf0')
|
|
self.assertEqual(mem[0x7fffffffdba1], '\xdb')
|
|
self.assertEqual(mem[0x7fffffffdba2], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdba3], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdba4], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdba5], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffdba6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdba7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdba8], ':')
|
|
self.assertEqual(mem[0x7fffffffdb69], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb6a], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb6b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb6c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb6d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb6e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb6f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb70], '\xb8')
|
|
self.assertEqual(mem[0x7fffffffdb68], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb72], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdb73], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdb74], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdb75], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffdb76], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb77], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb78], 'P')
|
|
self.assertEqual(cpu.RSP, 140737488346024L)
|
|
self.assertEqual(cpu.RIP, 140737349262105L)
|
|
self.assertEqual(cpu.RBP, 140737488346096L)
|
|
|
|
def test_LEAVE_5(self):
|
|
''' Instruction LEAVE_5
|
|
Groups: mode64
|
|
0x7ffff7ae0541: leave
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ae0000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ae0541] = '\xc9'
|
|
mem[0x7fffffffd988] = '7'
|
|
mem[0x7fffffffd989] = '\x05'
|
|
mem[0x7fffffffd98a] = '\xae'
|
|
mem[0x7fffffffd98b] = '\xf7'
|
|
mem[0x7fffffffd98c] = '\xff'
|
|
mem[0x7fffffffd98d] = '\x7f'
|
|
mem[0x7fffffffd98e] = '\x00'
|
|
mem[0x7fffffffd98f] = '\x00'
|
|
mem[0x7fffffffd990] = '\xa8'
|
|
mem[0x7fffffffd991] = '\n'
|
|
mem[0x7fffffffd992] = '\xba'
|
|
mem[0x7fffffffd993] = '\xf7'
|
|
mem[0x7fffffffd994] = '\xff'
|
|
mem[0x7fffffffd995] = '\x7f'
|
|
mem[0x7fffffffd996] = '\x00'
|
|
mem[0x7fffffffd997] = '\x00'
|
|
mem[0x7fffffffd998] = '\xf6'
|
|
mem[0x7fffffffd9a8] = '\xe0'
|
|
mem[0x7fffffffd9a9] = '\xda'
|
|
mem[0x7fffffffd9aa] = '\xff'
|
|
mem[0x7fffffffd9ab] = '\xff'
|
|
mem[0x7fffffffd9ac] = '\xff'
|
|
mem[0x7fffffffd9ad] = '\x7f'
|
|
mem[0x7fffffffd9ae] = '\x00'
|
|
mem[0x7fffffffd9af] = '\x00'
|
|
mem[0x7fffffffd9b0] = '\xe0'
|
|
mem[0x7fffffffd9b1] = '\xda'
|
|
mem[0x7fffffffd9b2] = '\xff'
|
|
mem[0x7fffffffd9b3] = '\xff'
|
|
mem[0x7fffffffd9b4] = '\xff'
|
|
mem[0x7fffffffd9b5] = '\x7f'
|
|
mem[0x7fffffffd9b6] = '\x00'
|
|
mem[0x7fffffffd9b7] = '\x00'
|
|
mem[0x7fffffffd9b8] = '\xf8'
|
|
cpu.RSP = 0x7fffffffd990
|
|
cpu.RIP = 0x7ffff7ae0541
|
|
cpu.RBP = 0x7fffffffd9b0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ae0541], '\xc9')
|
|
self.assertEqual(mem[0x7fffffffd988], '7')
|
|
self.assertEqual(mem[0x7fffffffd989], '\x05')
|
|
self.assertEqual(mem[0x7fffffffd98a], '\xae')
|
|
self.assertEqual(mem[0x7fffffffd98b], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffd98c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd98d], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd98e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd98f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd990], '\xa8')
|
|
self.assertEqual(mem[0x7fffffffd991], '\n')
|
|
self.assertEqual(mem[0x7fffffffd992], '\xba')
|
|
self.assertEqual(mem[0x7fffffffd993], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffd994], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd995], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd996], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd997], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd998], '\xf6')
|
|
self.assertEqual(mem[0x7fffffffd9a8], '\xe0')
|
|
self.assertEqual(mem[0x7fffffffd9a9], '\xda')
|
|
self.assertEqual(mem[0x7fffffffd9aa], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd9ab], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd9ac], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd9ad], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd9ae], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9af], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9b0], '\xe0')
|
|
self.assertEqual(mem[0x7fffffffd9b1], '\xda')
|
|
self.assertEqual(mem[0x7fffffffd9b2], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd9b3], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd9b4], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd9b5], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd9b6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9b7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9b8], '\xf8')
|
|
self.assertEqual(cpu.RSP, 140737488345528L)
|
|
self.assertEqual(cpu.RIP, 140737348764994L)
|
|
self.assertEqual(cpu.RBP, 140737488345824L)
|
|
|
|
def test_LEAVE_6(self):
|
|
''' Instruction LEAVE_6
|
|
Groups: mode64
|
|
0x7ffff7a626cd: leave
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a62000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffda6c] = '\x00'
|
|
mem[0x7fffffffda6b] = '\x00'
|
|
mem[0x7fffffffda68] = '\x00'
|
|
mem[0x7ffff7a626cd] = '\xc9'
|
|
mem[0x7fffffffda6d] = '\x00'
|
|
mem[0x7fffffffda6e] = '\x00'
|
|
mem[0x7fffffffda6f] = '\x00'
|
|
mem[0x7fffffffda60] = '\x00'
|
|
mem[0x7fffffffda61] = '\x00'
|
|
mem[0x7fffffffda62] = '\x00'
|
|
mem[0x7fffffffda63] = '\x00'
|
|
mem[0x7fffffffda64] = '\x00'
|
|
mem[0x7fffffffda65] = '\x00'
|
|
mem[0x7fffffffda66] = '\x00'
|
|
mem[0x7fffffffda67] = '\x00'
|
|
mem[0x7fffffffdb28] = '\x00'
|
|
mem[0x7fffffffdb29] = '\x00'
|
|
mem[0x7fffffffdb2a] = '\x00'
|
|
mem[0x7fffffffdb2b] = '\x00'
|
|
mem[0x7fffffffdb2c] = '\x00'
|
|
mem[0x7fffffffdb2d] = '\x00'
|
|
mem[0x7fffffffdb2e] = '\x00'
|
|
mem[0x7fffffffdb2f] = '\x00'
|
|
mem[0x7fffffffdb30] = '0'
|
|
mem[0x7fffffffdb31] = '\xdc'
|
|
mem[0x7fffffffdb32] = '\xff'
|
|
mem[0x7fffffffdb33] = '\xff'
|
|
mem[0x7fffffffdb34] = '\xff'
|
|
mem[0x7fffffffdb35] = '\x7f'
|
|
mem[0x7fffffffdb36] = '\x00'
|
|
mem[0x7fffffffdb37] = '\x00'
|
|
mem[0x7fffffffdb38] = 'x'
|
|
mem[0x7fffffffda70] = '\x00'
|
|
mem[0x7fffffffda69] = '\x00'
|
|
mem[0x7fffffffda6a] = '\x00'
|
|
cpu.RSP = 0x7fffffffda68
|
|
cpu.RIP = 0x7ffff7a626cd
|
|
cpu.RBP = 0x7fffffffdb30
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffda6c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda6b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda68], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a626cd], '\xc9')
|
|
self.assertEqual(mem[0x7fffffffda6d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda6e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda6f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda60], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda61], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda62], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda63], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda64], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda65], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda66], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda67], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb28], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb29], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb2a], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb2b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb2c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb2d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb2e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb2f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb30], '0')
|
|
self.assertEqual(mem[0x7fffffffdb31], '\xdc')
|
|
self.assertEqual(mem[0x7fffffffdb32], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdb33], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdb34], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdb35], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffdb36], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb37], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb38], 'x')
|
|
self.assertEqual(mem[0x7fffffffda70], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda69], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda6a], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488345912L)
|
|
self.assertEqual(cpu.RIP, 140737348249294L)
|
|
self.assertEqual(cpu.RBP, 140737488346160L)
|
|
|
|
def test_LEA_1(self):
|
|
''' Instruction LEA_1
|
|
Groups:
|
|
0x7ffff7de44f3: lea rsp, qword ptr [rbp - 0x28]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de44f3] = 'H'
|
|
mem[0x7ffff7de44f4] = '\x8d'
|
|
mem[0x7ffff7de44f5] = 'e'
|
|
mem[0x7ffff7de44f6] = '\xd8'
|
|
mem[0x7fffffffd978] = '\xc8'
|
|
mem[0x7fffffffd979] = '\xcd'
|
|
mem[0x7fffffffd97a] = '\xa4'
|
|
mem[0x7fffffffd97b] = '\xf7'
|
|
mem[0x7fffffffd97c] = '\xff'
|
|
mem[0x7fffffffd97d] = '\x7f'
|
|
mem[0x7fffffffd97e] = '\x00'
|
|
mem[0x7fffffffd97f] = '\x00'
|
|
cpu.RSP = 0x7fffffffd8b0
|
|
cpu.RIP = 0x7ffff7de44f3
|
|
cpu.RBP = 0x7fffffffd9a0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de44f3], 'H')
|
|
self.assertEqual(mem[0x7ffff7de44f4], '\x8d')
|
|
self.assertEqual(mem[0x7ffff7de44f5], 'e')
|
|
self.assertEqual(mem[0x7ffff7de44f6], '\xd8')
|
|
self.assertEqual(mem[0x7fffffffd978], '\xc8')
|
|
self.assertEqual(mem[0x7fffffffd979], '\xcd')
|
|
self.assertEqual(mem[0x7fffffffd97a], '\xa4')
|
|
self.assertEqual(mem[0x7fffffffd97b], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffd97c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd97d], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd97e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd97f], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488345464L)
|
|
self.assertEqual(cpu.RIP, 140737351927031L)
|
|
self.assertEqual(cpu.RBP, 140737488345504L)
|
|
|
|
def test_LEA_2(self):
|
|
''' Instruction LEA_2
|
|
Groups:
|
|
0x7ffff7b58ee3: lea r8, qword ptr [r8 + rdx*4]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a2f000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a2fde3] = '\xb2'
|
|
mem[0x7ffff7a2fde4] = '4'
|
|
mem[0x7ffff7a2fde5] = '\xd5'
|
|
mem[0x7ffff7a2fde0] = 'x'
|
|
mem[0x7ffff7a2fde1] = ')'
|
|
mem[0x7ffff7a2fde2] = '\xce'
|
|
mem[0x7ffff7b58ee3] = 'M'
|
|
mem[0x7ffff7b58ee4] = '\x8d'
|
|
mem[0x7ffff7b58ee5] = '\x04'
|
|
mem[0x7ffff7b58ee6] = '\x90'
|
|
mem[0x7ffff7a2fde7] = 'P'
|
|
mem[0x7ffff7a2fde6] = '\x92'
|
|
cpu.R8 = 0x7ffff7a2fa7c
|
|
cpu.RDX = 0xd9
|
|
cpu.RIP = 0x7ffff7b58ee3
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a2fde3], '\xb2')
|
|
self.assertEqual(mem[0x7ffff7a2fde4], '4')
|
|
self.assertEqual(mem[0x7ffff7a2fde5], '\xd5')
|
|
self.assertEqual(mem[0x7ffff7a2fde0], 'x')
|
|
self.assertEqual(mem[0x7ffff7a2fde1], ')')
|
|
self.assertEqual(mem[0x7ffff7a2fde2], '\xce')
|
|
self.assertEqual(mem[0x7ffff7b58ee3], 'M')
|
|
self.assertEqual(mem[0x7ffff7b58ee4], '\x8d')
|
|
self.assertEqual(mem[0x7ffff7b58ee5], '\x04')
|
|
self.assertEqual(mem[0x7ffff7b58ee6], '\x90')
|
|
self.assertEqual(mem[0x7ffff7a2fde7], 'P')
|
|
self.assertEqual(mem[0x7ffff7a2fde6], '\x92')
|
|
self.assertEqual(cpu.R8, 140737348042208L)
|
|
self.assertEqual(cpu.RDX, 217L)
|
|
self.assertEqual(cpu.RIP, 140737349258983L)
|
|
|
|
def test_LEA_3(self):
|
|
''' Instruction LEA_3
|
|
Groups:
|
|
0x7ffff7de3841: lea rsi, qword ptr [rbp - 0x3c]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3841] = 'H'
|
|
mem[0x7ffff7de3842] = '\x8d'
|
|
mem[0x7ffff7de3843] = 'u'
|
|
mem[0x7ffff7de3844] = '\xc4'
|
|
mem[0x7fffffffd8c5] = '\x00'
|
|
mem[0x7fffffffd8c6] = '\x00'
|
|
mem[0x7fffffffd8c7] = '\x00'
|
|
mem[0x7fffffffd8c8] = '\x00'
|
|
mem[0x7fffffffd8c9] = '\x00'
|
|
mem[0x7fffffffd8ca] = '\x00'
|
|
mem[0x7fffffffd8cb] = '\x00'
|
|
mem[0x7fffffffd8c4] = '\x00'
|
|
cpu.RSI = 0xbdd69f1b
|
|
cpu.RIP = 0x7ffff7de3841
|
|
cpu.RBP = 0x7fffffffd900
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de3841], 'H')
|
|
self.assertEqual(mem[0x7ffff7de3842], '\x8d')
|
|
self.assertEqual(mem[0x7ffff7de3843], 'u')
|
|
self.assertEqual(mem[0x7ffff7de3844], '\xc4')
|
|
self.assertEqual(mem[0x7fffffffd8c5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd8c6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd8c7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd8c8], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd8c9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd8ca], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd8cb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd8c4], '\x00')
|
|
self.assertEqual(cpu.RSI, 140737488345284L)
|
|
self.assertEqual(cpu.RIP, 140737351923781L)
|
|
self.assertEqual(cpu.RBP, 140737488345344L)
|
|
|
|
def test_LEA_4(self):
|
|
''' Instruction LEA_4
|
|
Groups:
|
|
0x7ffff7b58f14: lea rdx, qword ptr [rbx + rdx*8]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a34000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f14] = 'H'
|
|
mem[0x7ffff7b58f15] = '\x8d'
|
|
mem[0x7ffff7b58f16] = '\x14'
|
|
mem[0x7ffff7b58f17] = '\xd3'
|
|
mem[0x7ffff7a34270] = '\xb5'
|
|
mem[0x7ffff7a34271] = '*'
|
|
mem[0x7ffff7a34272] = '\x00'
|
|
mem[0x7ffff7a34273] = '\x00'
|
|
mem[0x7ffff7a34274] = '\x1a'
|
|
mem[0x7ffff7a34275] = '\x00'
|
|
mem[0x7ffff7a34276] = '\x0b'
|
|
mem[0x7ffff7a34277] = '\x00'
|
|
cpu.RDX = 0x4a1
|
|
cpu.RIP = 0x7ffff7b58f14
|
|
cpu.RBX = 0x7ffff7a31d68
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b58f14], 'H')
|
|
self.assertEqual(mem[0x7ffff7b58f15], '\x8d')
|
|
self.assertEqual(mem[0x7ffff7b58f16], '\x14')
|
|
self.assertEqual(mem[0x7ffff7b58f17], '\xd3')
|
|
self.assertEqual(mem[0x7ffff7a34270], '\xb5')
|
|
self.assertEqual(mem[0x7ffff7a34271], '*')
|
|
self.assertEqual(mem[0x7ffff7a34272], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a34273], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a34274], '\x1a')
|
|
self.assertEqual(mem[0x7ffff7a34275], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a34276], '\x0b')
|
|
self.assertEqual(mem[0x7ffff7a34277], '\x00')
|
|
self.assertEqual(cpu.RDX, 140737348059760L)
|
|
self.assertEqual(cpu.RIP, 140737349259032L)
|
|
self.assertEqual(cpu.RBX, 140737348050280L)
|
|
|
|
def test_LEA_5(self):
|
|
''' Instruction LEA_5
|
|
Groups:
|
|
0x7ffff7a652b7: lea rsi, qword ptr [rip + 0x36e35a]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a65000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7dd3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7dd3618] = '@'
|
|
mem[0x7ffff7dd3619] = 'M'
|
|
mem[0x7ffff7dd361a] = '\xdd'
|
|
mem[0x7ffff7dd361b] = '\xf7'
|
|
mem[0x7ffff7dd361c] = '\xff'
|
|
mem[0x7ffff7dd361d] = '\x7f'
|
|
mem[0x7ffff7dd361e] = '\x00'
|
|
mem[0x7ffff7dd361f] = '\x00'
|
|
mem[0x7ffff7a652b7] = 'H'
|
|
mem[0x7ffff7a652b8] = '\x8d'
|
|
mem[0x7ffff7a652b9] = '5'
|
|
mem[0x7ffff7a652ba] = 'Z'
|
|
mem[0x7ffff7a652bb] = '\xe3'
|
|
mem[0x7ffff7a652bc] = '6'
|
|
mem[0x7ffff7a652bd] = '\x00'
|
|
cpu.RSI = 0x555555554a00
|
|
cpu.RIP = 0x7ffff7a652b7
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7dd3618], '@')
|
|
self.assertEqual(mem[0x7ffff7dd3619], 'M')
|
|
self.assertEqual(mem[0x7ffff7dd361a], '\xdd')
|
|
self.assertEqual(mem[0x7ffff7dd361b], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7dd361c], '\xff')
|
|
self.assertEqual(mem[0x7ffff7dd361d], '\x7f')
|
|
self.assertEqual(mem[0x7ffff7dd361e], '\x00')
|
|
self.assertEqual(mem[0x7ffff7dd361f], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a652b7], 'H')
|
|
self.assertEqual(mem[0x7ffff7a652b8], '\x8d')
|
|
self.assertEqual(mem[0x7ffff7a652b9], '5')
|
|
self.assertEqual(mem[0x7ffff7a652ba], 'Z')
|
|
self.assertEqual(mem[0x7ffff7a652bb], '\xe3')
|
|
self.assertEqual(mem[0x7ffff7a652bc], '6')
|
|
self.assertEqual(mem[0x7ffff7a652bd], '\x00')
|
|
self.assertEqual(cpu.RSI, 140737351857688L)
|
|
self.assertEqual(cpu.RIP, 140737348260542L)
|
|
|
|
def test_LEA_6(self):
|
|
''' Instruction LEA_6
|
|
Groups:
|
|
0x7ffff7de4418: lea rdi, qword ptr [rbp - 0xa0]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffd910] = '\xff'
|
|
mem[0x7fffffffd911] = '\xff'
|
|
mem[0x7fffffffd912] = '\xff'
|
|
mem[0x7fffffffd913] = '\xff'
|
|
mem[0x7fffffffd914] = '\x00'
|
|
mem[0x7fffffffd915] = '\x00'
|
|
mem[0x7fffffffd916] = '\x00'
|
|
mem[0x7fffffffd917] = '\x00'
|
|
mem[0x7ffff7de4418] = 'H'
|
|
mem[0x7ffff7de4419] = '\x8d'
|
|
mem[0x7ffff7de441a] = '\xbd'
|
|
mem[0x7ffff7de441b] = '`'
|
|
mem[0x7ffff7de441c] = '\xff'
|
|
mem[0x7ffff7de441d] = '\xff'
|
|
mem[0x7ffff7de441e] = '\xff'
|
|
cpu.RDI = 0x555555554548
|
|
cpu.RIP = 0x7ffff7de4418
|
|
cpu.RBP = 0x7fffffffd9b0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffd910], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd911], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd912], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd913], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd914], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd915], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd916], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd917], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de4418], 'H')
|
|
self.assertEqual(mem[0x7ffff7de4419], '\x8d')
|
|
self.assertEqual(mem[0x7ffff7de441a], '\xbd')
|
|
self.assertEqual(mem[0x7ffff7de441b], '`')
|
|
self.assertEqual(mem[0x7ffff7de441c], '\xff')
|
|
self.assertEqual(mem[0x7ffff7de441d], '\xff')
|
|
self.assertEqual(mem[0x7ffff7de441e], '\xff')
|
|
self.assertEqual(cpu.RDI, 140737488345360L)
|
|
self.assertEqual(cpu.RIP, 140737351926815L)
|
|
self.assertEqual(cpu.RBP, 140737488345520L)
|
|
|
|
def test_MOVABS_1(self):
|
|
''' Instruction MOVABS_1
|
|
Groups:
|
|
0x7ffff7ddc5df: movabs r8, 0x37ffff1a0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddc5e0] = '\xb8'
|
|
mem[0x7ffff7ddc5e1] = '\xa0'
|
|
mem[0x7ffff7ddc5e2] = '\xf1'
|
|
mem[0x7ffff7ddc5e3] = '\xff'
|
|
mem[0x7ffff7ddc5e4] = '\x7f'
|
|
mem[0x7ffff7ddc5e5] = '\x03'
|
|
mem[0x7ffff7ddc5e6] = '\x00'
|
|
mem[0x7ffff7ddc5e7] = '\x00'
|
|
mem[0x7ffff7ddc5e8] = '\x00'
|
|
mem[0x7ffff7ddc5df] = 'I'
|
|
cpu.R8 = 0x0
|
|
cpu.RIP = 0x7ffff7ddc5df
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ddc5e0], '\xb8')
|
|
self.assertEqual(mem[0x7ffff7ddc5e1], '\xa0')
|
|
self.assertEqual(mem[0x7ffff7ddc5e2], '\xf1')
|
|
self.assertEqual(mem[0x7ffff7ddc5e3], '\xff')
|
|
self.assertEqual(mem[0x7ffff7ddc5e4], '\x7f')
|
|
self.assertEqual(mem[0x7ffff7ddc5e5], '\x03')
|
|
self.assertEqual(mem[0x7ffff7ddc5e6], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ddc5e7], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ddc5e8], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ddc5df], 'I')
|
|
self.assertEqual(cpu.R8, 15032381856L)
|
|
self.assertEqual(cpu.RIP, 140737351894505L)
|
|
|
|
def test_MOVABS_2(self):
|
|
''' Instruction MOVABS_2
|
|
Groups:
|
|
0x7ffff7ddc5df: movabs r8, 0x37ffff1a0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddc5e0] = '\xb8'
|
|
mem[0x7ffff7ddc5e1] = '\xa0'
|
|
mem[0x7ffff7ddc5e2] = '\xf1'
|
|
mem[0x7ffff7ddc5e3] = '\xff'
|
|
mem[0x7ffff7ddc5e4] = '\x7f'
|
|
mem[0x7ffff7ddc5e5] = '\x03'
|
|
mem[0x7ffff7ddc5e6] = '\x00'
|
|
mem[0x7ffff7ddc5e7] = '\x00'
|
|
mem[0x7ffff7ddc5e8] = '\x00'
|
|
mem[0x7ffff7ddc5df] = 'I'
|
|
cpu.R8 = 0x0
|
|
cpu.RIP = 0x7ffff7ddc5df
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ddc5e0], '\xb8')
|
|
self.assertEqual(mem[0x7ffff7ddc5e1], '\xa0')
|
|
self.assertEqual(mem[0x7ffff7ddc5e2], '\xf1')
|
|
self.assertEqual(mem[0x7ffff7ddc5e3], '\xff')
|
|
self.assertEqual(mem[0x7ffff7ddc5e4], '\x7f')
|
|
self.assertEqual(mem[0x7ffff7ddc5e5], '\x03')
|
|
self.assertEqual(mem[0x7ffff7ddc5e6], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ddc5e7], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ddc5e8], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ddc5df], 'I')
|
|
self.assertEqual(cpu.R8, 15032381856L)
|
|
self.assertEqual(cpu.RIP, 140737351894505L)
|
|
|
|
def test_MOVABS_3(self):
|
|
''' Instruction MOVABS_3
|
|
Groups:
|
|
0x7ffff7df1435: movabs rcx, -0x8000000000000000
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1435] = 'H'
|
|
mem[0x7ffff7df1436] = '\xb9'
|
|
mem[0x7ffff7df1437] = '\x00'
|
|
mem[0x7ffff7df1438] = '\x00'
|
|
mem[0x7ffff7df1439] = '\x00'
|
|
mem[0x7ffff7df143a] = '\x00'
|
|
mem[0x7ffff7df143b] = '\x00'
|
|
mem[0x7ffff7df143c] = '\x00'
|
|
mem[0x7ffff7df143d] = '\x00'
|
|
mem[0x7ffff7df143e] = '\x80'
|
|
cpu.RCX = 0x31
|
|
cpu.RIP = 0x7ffff7df1435
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df1435], 'H')
|
|
self.assertEqual(mem[0x7ffff7df1436], '\xb9')
|
|
self.assertEqual(mem[0x7ffff7df1437], '\x00')
|
|
self.assertEqual(mem[0x7ffff7df1438], '\x00')
|
|
self.assertEqual(mem[0x7ffff7df1439], '\x00')
|
|
self.assertEqual(mem[0x7ffff7df143a], '\x00')
|
|
self.assertEqual(mem[0x7ffff7df143b], '\x00')
|
|
self.assertEqual(mem[0x7ffff7df143c], '\x00')
|
|
self.assertEqual(mem[0x7ffff7df143d], '\x00')
|
|
self.assertEqual(mem[0x7ffff7df143e], '\x80')
|
|
self.assertEqual(cpu.RCX, 9223372036854775808L)
|
|
self.assertEqual(cpu.RIP, 140737351980095L)
|
|
|
|
def test_MOVABS_4(self):
|
|
''' Instruction MOVABS_4
|
|
Groups:
|
|
0x45f853: movabs rdx, -0x3333333333333333
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0045f000, 0x1000, 'rwx')
|
|
mem[0x0045f853] = 'H'
|
|
mem[0x0045f854] = '\xba'
|
|
mem[0x0045f855] = '\xcd'
|
|
mem[0x0045f856] = '\xcc'
|
|
mem[0x0045f857] = '\xcc'
|
|
mem[0x0045f858] = '\xcc'
|
|
mem[0x0045f859] = '\xcc'
|
|
mem[0x0045f85a] = '\xcc'
|
|
mem[0x0045f85b] = '\xcc'
|
|
mem[0x0045f85c] = '\xcc'
|
|
cpu.RDX = 0x6bf710
|
|
cpu.RIP = 0x45f853
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x45f853], 'H')
|
|
self.assertEqual(mem[0x45f854], '\xba')
|
|
self.assertEqual(mem[0x45f855], '\xcd')
|
|
self.assertEqual(mem[0x45f856], '\xcc')
|
|
self.assertEqual(mem[0x45f857], '\xcc')
|
|
self.assertEqual(mem[0x45f858], '\xcc')
|
|
self.assertEqual(mem[0x45f859], '\xcc')
|
|
self.assertEqual(mem[0x45f85a], '\xcc')
|
|
self.assertEqual(mem[0x45f85b], '\xcc')
|
|
self.assertEqual(mem[0x45f85c], '\xcc')
|
|
self.assertEqual(cpu.RDX, 14757395258967641293L)
|
|
self.assertEqual(cpu.RIP, 4585565L)
|
|
|
|
def test_MOVABS_5(self):
|
|
''' Instruction MOVABS_5
|
|
Groups:
|
|
0x7ffff7df4630: movabs r8, -0x101010101010101
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4630] = 'I'
|
|
mem[0x7ffff7df4631] = '\xb8'
|
|
mem[0x7ffff7df4632] = '\xff'
|
|
mem[0x7ffff7df4633] = '\xfe'
|
|
mem[0x7ffff7df4634] = '\xfe'
|
|
mem[0x7ffff7df4635] = '\xfe'
|
|
mem[0x7ffff7df4636] = '\xfe'
|
|
mem[0x7ffff7df4637] = '\xfe'
|
|
mem[0x7ffff7df4638] = '\xfe'
|
|
mem[0x7ffff7df4639] = '\xfe'
|
|
cpu.R8 = 0x7ffff7fdd5a0
|
|
cpu.RIP = 0x7ffff7df4630
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4630], 'I')
|
|
self.assertEqual(mem[0x7ffff7df4631], '\xb8')
|
|
self.assertEqual(mem[0x7ffff7df4632], '\xff')
|
|
self.assertEqual(mem[0x7ffff7df4633], '\xfe')
|
|
self.assertEqual(mem[0x7ffff7df4634], '\xfe')
|
|
self.assertEqual(mem[0x7ffff7df4635], '\xfe')
|
|
self.assertEqual(mem[0x7ffff7df4636], '\xfe')
|
|
self.assertEqual(mem[0x7ffff7df4637], '\xfe')
|
|
self.assertEqual(mem[0x7ffff7df4638], '\xfe')
|
|
self.assertEqual(mem[0x7ffff7df4639], '\xfe')
|
|
self.assertEqual(cpu.R8, 18374403900871474943L)
|
|
self.assertEqual(cpu.RIP, 140737351992890L)
|
|
|
|
def test_MOVABS_6(self):
|
|
''' Instruction MOVABS_6
|
|
Groups:
|
|
0x7ffff7ddc5df: movabs r8, 0x37ffff1a0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddc5e0] = '\xb8'
|
|
mem[0x7ffff7ddc5e1] = '\xa0'
|
|
mem[0x7ffff7ddc5e2] = '\xf1'
|
|
mem[0x7ffff7ddc5e3] = '\xff'
|
|
mem[0x7ffff7ddc5e4] = '\x7f'
|
|
mem[0x7ffff7ddc5e5] = '\x03'
|
|
mem[0x7ffff7ddc5e6] = '\x00'
|
|
mem[0x7ffff7ddc5e7] = '\x00'
|
|
mem[0x7ffff7ddc5e8] = '\x00'
|
|
mem[0x7ffff7ddc5df] = 'I'
|
|
cpu.R8 = 0x0
|
|
cpu.RIP = 0x7ffff7ddc5df
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ddc5e0], '\xb8')
|
|
self.assertEqual(mem[0x7ffff7ddc5e1], '\xa0')
|
|
self.assertEqual(mem[0x7ffff7ddc5e2], '\xf1')
|
|
self.assertEqual(mem[0x7ffff7ddc5e3], '\xff')
|
|
self.assertEqual(mem[0x7ffff7ddc5e4], '\x7f')
|
|
self.assertEqual(mem[0x7ffff7ddc5e5], '\x03')
|
|
self.assertEqual(mem[0x7ffff7ddc5e6], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ddc5e7], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ddc5e8], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ddc5df], 'I')
|
|
self.assertEqual(cpu.R8, 15032381856L)
|
|
self.assertEqual(cpu.RIP, 140737351894505L)
|
|
|
|
def test_MOVDQA_1(self):
|
|
''' Instruction MOVDQA_1
|
|
Groups: sse2
|
|
0x7ffff7ac0b0b: movdqa xmm4, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0b0b] = 'f'
|
|
mem[0x7ffff7ac0b0c] = '\x0f'
|
|
mem[0x7ffff7ac0b0d] = 'o'
|
|
mem[0x7ffff7ac0b0e] = '\xe0'
|
|
cpu.XMM0 = 0x616572635f706374746e6c63000a7325
|
|
cpu.RIP = 0x7ffff7ac0b0b
|
|
cpu.XMM4 = 0xff0000000000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ac0b0b], 'f')
|
|
self.assertEqual(mem[0x7ffff7ac0b0c], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ac0b0d], 'o')
|
|
self.assertEqual(mem[0x7ffff7ac0b0e], '\xe0')
|
|
self.assertEqual(cpu.XMM0, 129461857641668707752067115693843837733L)
|
|
self.assertEqual(cpu.XMM4, 129461857641668707752067115693843837733L)
|
|
self.assertEqual(cpu.RIP, 140737348635407L)
|
|
|
|
def test_MOVDQA_2(self):
|
|
''' Instruction MOVDQA_2
|
|
Groups: sse2
|
|
0x457d38: movdqa xmm0, xmm2
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457d38] = 'f'
|
|
mem[0x00457d39] = '\x0f'
|
|
mem[0x00457d3a] = 'o'
|
|
mem[0x00457d3b] = '\xc2'
|
|
cpu.XMM2 = 0x414d00323d524e54565f474458003267
|
|
cpu.XMM0 = 0xff0000
|
|
cpu.RIP = 0x457d38
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457d38], 'f')
|
|
self.assertEqual(mem[0x457d39], '\x0f')
|
|
self.assertEqual(mem[0x457d3a], 'o')
|
|
self.assertEqual(mem[0x457d3b], '\xc2')
|
|
self.assertEqual(cpu.XMM2, 86799630564512926596007573190145487463L)
|
|
self.assertEqual(cpu.XMM0, 86799630564512926596007573190145487463L)
|
|
self.assertEqual(cpu.RIP, 4554044L)
|
|
|
|
def test_MOVDQA_3(self):
|
|
''' Instruction MOVDQA_3
|
|
Groups: sse2
|
|
0x457aaf: movdqa xmm5, xmm3
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457ab0] = '\x0f'
|
|
mem[0x00457ab1] = 'o'
|
|
mem[0x00457ab2] = '\xeb'
|
|
mem[0x00457aaf] = 'f'
|
|
cpu.XMM3 = 0x726f74756365784563696c6f626d7953
|
|
cpu.RIP = 0x457aaf
|
|
cpu.XMM5 = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457ab0], '\x0f')
|
|
self.assertEqual(mem[0x457ab1], 'o')
|
|
self.assertEqual(mem[0x457ab2], '\xeb')
|
|
self.assertEqual(mem[0x457aaf], 'f')
|
|
self.assertEqual(cpu.XMM3, 152110698530748498584558466992035428691L)
|
|
self.assertEqual(cpu.RIP, 4553395L)
|
|
self.assertEqual(cpu.XMM5, 152110698530748498584558466992035428691L)
|
|
|
|
def test_MOVDQA_4(self):
|
|
''' Instruction MOVDQA_4
|
|
Groups: sse2
|
|
0x457a08: movdqa xmm2, xmmword ptr [rdi + 0x30]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffe000, 0x1000, 'rwx')
|
|
mem[0x00457a08] = 'f'
|
|
mem[0x00457a09] = '\x0f'
|
|
mem[0x00457a0a] = 'o'
|
|
mem[0x00457a0b] = 'W'
|
|
mem[0x00457a0c] = '0'
|
|
mem[0x7fffffffe070] = 'D'
|
|
mem[0x7fffffffe071] = 'G'
|
|
mem[0x7fffffffe072] = '_'
|
|
mem[0x7fffffffe073] = 'V'
|
|
mem[0x7fffffffe074] = 'T'
|
|
mem[0x7fffffffe075] = 'N'
|
|
mem[0x7fffffffe076] = 'R'
|
|
mem[0x7fffffffe077] = '='
|
|
mem[0x7fffffffe078] = '2'
|
|
mem[0x7fffffffe079] = '\x00'
|
|
mem[0x7fffffffe07a] = 'M'
|
|
mem[0x7fffffffe07b] = 'A'
|
|
mem[0x7fffffffe07c] = 'N'
|
|
mem[0x7fffffffe07d] = 'P'
|
|
mem[0x7fffffffe07e] = 'A'
|
|
mem[0x7fffffffe07f] = 'T'
|
|
cpu.XMM2 = 0x0
|
|
cpu.RDI = 0x7fffffffe040
|
|
cpu.RIP = 0x457a08
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457a08], 'f')
|
|
self.assertEqual(mem[0x457a09], '\x0f')
|
|
self.assertEqual(mem[0x457a0a], 'o')
|
|
self.assertEqual(mem[0x457a0b], 'W')
|
|
self.assertEqual(mem[0x457a0c], '0')
|
|
self.assertEqual(mem[0x7fffffffe070], 'D')
|
|
self.assertEqual(mem[0x7fffffffe071], 'G')
|
|
self.assertEqual(mem[0x7fffffffe072], '_')
|
|
self.assertEqual(mem[0x7fffffffe073], 'V')
|
|
self.assertEqual(mem[0x7fffffffe074], 'T')
|
|
self.assertEqual(mem[0x7fffffffe075], 'N')
|
|
self.assertEqual(mem[0x7fffffffe076], 'R')
|
|
self.assertEqual(mem[0x7fffffffe077], '=')
|
|
self.assertEqual(mem[0x7fffffffe078], '2')
|
|
self.assertEqual(mem[0x7fffffffe079], '\x00')
|
|
self.assertEqual(mem[0x7fffffffe07a], 'M')
|
|
self.assertEqual(mem[0x7fffffffe07b], 'A')
|
|
self.assertEqual(mem[0x7fffffffe07c], 'N')
|
|
self.assertEqual(mem[0x7fffffffe07d], 'P')
|
|
self.assertEqual(mem[0x7fffffffe07e], 'A')
|
|
self.assertEqual(mem[0x7fffffffe07f], 'T')
|
|
self.assertEqual(cpu.XMM2, 111994279734512279219280163309057165124L)
|
|
self.assertEqual(cpu.RDI, 140737488347200L)
|
|
self.assertEqual(cpu.RIP, 4553229L)
|
|
|
|
def test_MOVDQA_5(self):
|
|
''' Instruction MOVDQA_5
|
|
Groups: sse2
|
|
0x457b38: movdqa xmm0, xmm2
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457b38] = 'f'
|
|
mem[0x00457b39] = '\x0f'
|
|
mem[0x00457b3a] = 'o'
|
|
mem[0x00457b3b] = '\xc2'
|
|
cpu.XMM2 = 0x504e414d00323d524e54565f47445800
|
|
cpu.XMM0 = 0x0
|
|
cpu.RIP = 0x457b38
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457b38], 'f')
|
|
self.assertEqual(mem[0x457b39], '\x0f')
|
|
self.assertEqual(mem[0x457b3a], 'o')
|
|
self.assertEqual(mem[0x457b3b], '\xc2')
|
|
self.assertEqual(cpu.XMM2, 106744563275012473217874926561820694528L)
|
|
self.assertEqual(cpu.XMM0, 106744563275012473217874926561820694528L)
|
|
self.assertEqual(cpu.RIP, 4553532L)
|
|
|
|
def test_MOVDQA_6(self):
|
|
''' Instruction MOVDQA_6
|
|
Groups: sse2
|
|
0x7ffff7ac0b0b: movdqa xmm4, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0b0b] = 'f'
|
|
mem[0x7ffff7ac0b0c] = '\x0f'
|
|
mem[0x7ffff7ac0b0d] = 'o'
|
|
mem[0x7ffff7ac0b0e] = '\xe0'
|
|
cpu.XMM0 = 0xcd202730fa0892a58d0000007fffff00
|
|
cpu.RIP = 0x7ffff7ac0b0b
|
|
cpu.XMM4 = 0xffffff000000ff0000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ac0b0b], 'f')
|
|
self.assertEqual(mem[0x7ffff7ac0b0c], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ac0b0d], 'o')
|
|
self.assertEqual(mem[0x7ffff7ac0b0e], '\xe0')
|
|
self.assertEqual(cpu.XMM0, 272658687529688827910500737779280903936L)
|
|
self.assertEqual(cpu.XMM4, 272658687529688827910500737779280903936L)
|
|
self.assertEqual(cpu.RIP, 140737348635407L)
|
|
|
|
def test_MOVDQU_1(self):
|
|
''' Instruction MOVDQU_1
|
|
Groups: sse2
|
|
0x6a74d4: movdqu xmm0, xmmword ptr [rsp]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x006a7000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb4] = '!'
|
|
mem[0x006a74d6] = 'o'
|
|
mem[0x7fffffffccb8] = '\x01'
|
|
mem[0x006a74d7] = '\x04'
|
|
mem[0x7fffffffccb0] = '\xff'
|
|
mem[0x7fffffffccb1] = '\x7f'
|
|
mem[0x7fffffffccb2] = '\x00'
|
|
mem[0x7fffffffccb3] = '\x00'
|
|
mem[0x006a74d4] = '\xf3'
|
|
mem[0x006a74d5] = '\x0f'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
mem[0x006a74d8] = '$'
|
|
mem[0x7fffffffccb9] = '\x00'
|
|
mem[0x7fffffffccba] = '\x00'
|
|
mem[0x7fffffffccbb] = '\x80'
|
|
mem[0x7fffffffccbc] = '\xff'
|
|
mem[0x7fffffffccbd] = '\x7f'
|
|
mem[0x7fffffffccbe] = '\x00'
|
|
mem[0x7fffffffccbf] = '\x00'
|
|
cpu.XMM0 = 0x7fff800000000000002100007fff
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x6a74d4
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffccbb], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbf], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x00')
|
|
self.assertEqual(mem[0x6a74d4], '\xf3')
|
|
self.assertEqual(mem[0x6a74d5], '\x0f')
|
|
self.assertEqual(mem[0x6a74d6], 'o')
|
|
self.assertEqual(mem[0x6a74d7], '\x04')
|
|
self.assertEqual(mem[0x6a74d8], '$')
|
|
self.assertEqual(mem[0x7fffffffccb4], '!')
|
|
self.assertEqual(mem[0x7fffffffccba], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb8], '\x01')
|
|
self.assertEqual(mem[0x7fffffffccbc], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccbd], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffccbe], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(cpu.XMM0, 2596108815186175128840666836140031L)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 6976729L)
|
|
|
|
def test_MOVDQU_2(self):
|
|
''' Instruction MOVDQU_2
|
|
Groups: sse2
|
|
0x568fac: movdqu xmm0, xmmword ptr [rsp]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00568000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x00568fb0] = '$'
|
|
mem[0x00568fac] = '\xf3'
|
|
mem[0x00568fad] = '\x0f'
|
|
mem[0x00568fae] = 'o'
|
|
mem[0x00568faf] = '\x04'
|
|
mem[0x7fffffffccb0] = 'x'
|
|
mem[0x7fffffffccb1] = 'V'
|
|
mem[0x7fffffffccb2] = '4'
|
|
mem[0x7fffffffccb3] = '\x12'
|
|
mem[0x7fffffffccb4] = '\xff'
|
|
mem[0x7fffffffccb5] = '\x7f'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
mem[0x7fffffffccb8] = '\x01'
|
|
mem[0x7fffffffccb9] = '\x80'
|
|
mem[0x7fffffffccba] = '\x00'
|
|
mem[0x7fffffffccbb] = '\x00'
|
|
mem[0x7fffffffccbc] = 'x'
|
|
mem[0x7fffffffccbd] = 'V'
|
|
mem[0x7fffffffccbe] = '4'
|
|
mem[0x7fffffffccbf] = '\x12'
|
|
cpu.XMM0 = 0x1234567800007fff00007fff12345678
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x568fac
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffccb0], 'x')
|
|
self.assertEqual(mem[0x568fac], '\xf3')
|
|
self.assertEqual(mem[0x568fad], '\x0f')
|
|
self.assertEqual(mem[0x568fae], 'o')
|
|
self.assertEqual(mem[0x568faf], '\x04')
|
|
self.assertEqual(mem[0x568fb0], '$')
|
|
self.assertEqual(mem[0x7fffffffccb1], 'V')
|
|
self.assertEqual(mem[0x7fffffffccb2], '4')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x12')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb8], '\x01')
|
|
self.assertEqual(mem[0x7fffffffccb9], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccba], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbc], 'x')
|
|
self.assertEqual(mem[0x7fffffffccbd], 'V')
|
|
self.assertEqual(mem[0x7fffffffccbe], '4')
|
|
self.assertEqual(mem[0x7fffffffccbf], '\x12')
|
|
self.assertEqual(cpu.XMM0, 24197857155378316985685775704845997688L)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 5672881L)
|
|
|
|
def test_MOVDQU_3(self):
|
|
''' Instruction MOVDQU_3
|
|
Groups: sse2
|
|
0x6f4c12: movdqu xmm1, xmmword ptr [rsp + 4]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x006f4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x006f4c12] = '\xf3'
|
|
mem[0x006f4c13] = '\x0f'
|
|
mem[0x006f4c14] = 'o'
|
|
mem[0x006f4c15] = 'L'
|
|
mem[0x006f4c16] = '$'
|
|
mem[0x006f4c17] = '\x04'
|
|
mem[0x7fffffffccb4] = '\xff'
|
|
mem[0x7fffffffccb5] = '\x7f'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
mem[0x7fffffffccb8] = ' '
|
|
mem[0x7fffffffccb9] = '\x00'
|
|
mem[0x7fffffffccba] = '\x00'
|
|
mem[0x7fffffffccbb] = '\x00'
|
|
mem[0x7fffffffccbc] = '!'
|
|
mem[0x7fffffffccbd] = '\x00'
|
|
mem[0x7fffffffccbe] = '\x00'
|
|
mem[0x7fffffffccbf] = '\x00'
|
|
mem[0x7fffffffccc0] = '\xff'
|
|
mem[0x7fffffffccc1] = '\x7f'
|
|
mem[0x7fffffffccc2] = '\x00'
|
|
mem[0x7fffffffccc3] = '\x00'
|
|
cpu.XMM1 = 0x7fff000000210000002100007fff
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x6f4c12
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x6f4c12], '\xf3')
|
|
self.assertEqual(mem[0x6f4c13], '\x0f')
|
|
self.assertEqual(mem[0x6f4c14], 'o')
|
|
self.assertEqual(mem[0x6f4c15], 'L')
|
|
self.assertEqual(mem[0x6f4c16], '$')
|
|
self.assertEqual(mem[0x6f4c17], '\x04')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb8], ' ')
|
|
self.assertEqual(mem[0x7fffffffccb9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccba], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbc], '!')
|
|
self.assertEqual(mem[0x7fffffffccbd], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbe], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbf], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccc0], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccc1], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffccc2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccc3], '\x00')
|
|
self.assertEqual(cpu.XMM1, 2596069201105508292482224474849279L)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 7293976L)
|
|
|
|
def test_MOVDQU_4(self):
|
|
''' Instruction MOVDQU_4
|
|
Groups: sse2
|
|
0x56fa50: movdqu xmm1, xmmword ptr [rsp + 4]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0056f000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffccb4] = ' '
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
mem[0x7fffffffccb8] = '!'
|
|
mem[0x7fffffffccb9] = '\x00'
|
|
mem[0x7fffffffccba] = '\x00'
|
|
mem[0x7fffffffccbb] = '\x00'
|
|
mem[0x7fffffffccbc] = '!'
|
|
mem[0x7fffffffccbd] = 'C'
|
|
mem[0x7fffffffccbe] = 'e'
|
|
mem[0x7fffffffccbf] = '\x87'
|
|
mem[0x7fffffffccc0] = ' '
|
|
mem[0x7fffffffccc1] = '\x00'
|
|
mem[0x7fffffffccc2] = '\x00'
|
|
mem[0x7fffffffccc3] = '\x00'
|
|
mem[0x0056fa50] = '\xf3'
|
|
mem[0x0056fa51] = '\x0f'
|
|
mem[0x0056fa52] = 'o'
|
|
mem[0x0056fa53] = 'L'
|
|
mem[0x0056fa54] = '$'
|
|
mem[0x0056fa55] = '\x04'
|
|
cpu.XMM1 = 0x20876543218765432100000020
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x56fa50
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffccb4], ' ')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb8], '!')
|
|
self.assertEqual(mem[0x7fffffffccb9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccba], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbc], '!')
|
|
self.assertEqual(mem[0x7fffffffccbd], 'C')
|
|
self.assertEqual(mem[0x7fffffffccbe], 'e')
|
|
self.assertEqual(mem[0x7fffffffccbf], '\x87')
|
|
self.assertEqual(mem[0x7fffffffccc0], ' ')
|
|
self.assertEqual(mem[0x7fffffffccc1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccc2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccc3], '\x00')
|
|
self.assertEqual(mem[0x56fa50], '\xf3')
|
|
self.assertEqual(mem[0x56fa51], '\x0f')
|
|
self.assertEqual(mem[0x56fa52], 'o')
|
|
self.assertEqual(mem[0x56fa53], 'L')
|
|
self.assertEqual(mem[0x56fa54], '$')
|
|
self.assertEqual(mem[0x56fa55], '\x04')
|
|
self.assertEqual(cpu.XMM1, 2577204095297418371658275618848L)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 5700182L)
|
|
|
|
def test_MOVDQU_5(self):
|
|
''' Instruction MOVDQU_5
|
|
Groups: sse2
|
|
0x606649: movdqu xmm1, xmmword ptr [rsp + 4]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00606000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffccb4] = '\xff'
|
|
mem[0x7fffffffccb5] = '\xff'
|
|
mem[0x7fffffffccb6] = '\xff'
|
|
mem[0x7fffffffccb7] = '\xff'
|
|
mem[0x7fffffffccb8] = '\x01'
|
|
mem[0x7fffffffccb9] = '\x80'
|
|
mem[0x7fffffffccba] = '\x00'
|
|
mem[0x7fffffffccbb] = '\x00'
|
|
mem[0x7fffffffccbc] = '\x01'
|
|
mem[0x7fffffffccbd] = '\x80'
|
|
mem[0x7fffffffccbe] = '\x00'
|
|
mem[0x7fffffffccbf] = '\x00'
|
|
mem[0x7fffffffccc0] = '\xff'
|
|
mem[0x7fffffffccc1] = '\xff'
|
|
mem[0x7fffffffccc2] = '\xff'
|
|
mem[0x7fffffffccc3] = '\xff'
|
|
mem[0x00606649] = '\xf3'
|
|
mem[0x0060664a] = '\x0f'
|
|
mem[0x0060664b] = 'o'
|
|
mem[0x0060664c] = 'L'
|
|
mem[0x0060664d] = '$'
|
|
mem[0x0060664e] = '\x04'
|
|
cpu.XMM1 = 0xffffffff0000800100007fffffffffff
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x606649
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffccb4], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb8], '\x01')
|
|
self.assertEqual(mem[0x7fffffffccb9], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccba], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbc], '\x01')
|
|
self.assertEqual(mem[0x7fffffffccbd], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccbe], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbf], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccc0], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccc1], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccc2], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccc3], '\xff')
|
|
self.assertEqual(mem[0x606649], '\xf3')
|
|
self.assertEqual(mem[0x60664a], '\x0f')
|
|
self.assertEqual(mem[0x60664b], 'o')
|
|
self.assertEqual(mem[0x60664c], 'L')
|
|
self.assertEqual(mem[0x60664d], '$')
|
|
self.assertEqual(mem[0x60664e], '\x04')
|
|
self.assertEqual(cpu.XMM1, 340282366841710905430466961972599455743L)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 6317647L)
|
|
|
|
def test_MOVDQU_6(self):
|
|
''' Instruction MOVDQU_6
|
|
Groups: sse2
|
|
0x6fc91e: movdqu xmm0, xmmword ptr [rsp]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x006fc000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x006fc920] = 'o'
|
|
mem[0x006fc921] = '\x04'
|
|
mem[0x006fc922] = '$'
|
|
mem[0x006fc91f] = '\x0f'
|
|
mem[0x006fc91e] = '\xf3'
|
|
mem[0x7fffffffccb0] = '@'
|
|
mem[0x7fffffffccb1] = '\x00'
|
|
mem[0x7fffffffccb2] = '\x00'
|
|
mem[0x7fffffffccb3] = '\x00'
|
|
mem[0x7fffffffccb4] = '\x01'
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x80'
|
|
mem[0x7fffffffccb8] = '\x01'
|
|
mem[0x7fffffffccb9] = '\x00'
|
|
mem[0x7fffffffccba] = '\x00'
|
|
mem[0x7fffffffccbb] = '\x80'
|
|
mem[0x7fffffffccbc] = '@'
|
|
mem[0x7fffffffccbd] = '\x00'
|
|
mem[0x7fffffffccbe] = '\x00'
|
|
mem[0x7fffffffccbf] = '\x00'
|
|
cpu.XMM0 = 0x40800000008000000100000040
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x6fc91e
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x6fc920], 'o')
|
|
self.assertEqual(mem[0x6fc921], '\x04')
|
|
self.assertEqual(mem[0x6fc922], '$')
|
|
self.assertEqual(mem[0x7fffffffccbf], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbe], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb0], '@')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\x01')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccb8], '\x01')
|
|
self.assertEqual(mem[0x7fffffffccb9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccba], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbb], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccbc], '@')
|
|
self.assertEqual(mem[0x7fffffffccbd], '\x00')
|
|
self.assertEqual(mem[0x6fc91e], '\xf3')
|
|
self.assertEqual(mem[0x6fc91f], '\x0f')
|
|
self.assertEqual(cpu.XMM0, 5110216482197719890898444091456L)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 7325987L)
|
|
|
|
def test_MOVD_1(self):
|
|
''' Instruction MOVD_1
|
|
Groups: sse2
|
|
0x7ffff7df4370: movd xmm1, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4370] = 'f'
|
|
mem[0x7ffff7df4371] = '\x0f'
|
|
mem[0x7ffff7df4372] = 'n'
|
|
mem[0x7ffff7df4373] = '\xce'
|
|
cpu.XMM1 = 0x24242424242424242424242424242424
|
|
cpu.RIP = 0x7ffff7df4370
|
|
cpu.ESI = 0x2f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4370], 'f')
|
|
self.assertEqual(mem[0x7ffff7df4371], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df4372], 'n')
|
|
self.assertEqual(mem[0x7ffff7df4373], '\xce')
|
|
self.assertEqual(cpu.XMM1, 47)
|
|
self.assertEqual(cpu.ESI, 47L)
|
|
self.assertEqual(cpu.RIP, 140737351992180L)
|
|
|
|
def test_MOVD_2(self):
|
|
''' Instruction MOVD_2
|
|
Groups: sse2
|
|
0x7ffff7ab7980: movd xmm1, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab7980] = 'f'
|
|
mem[0x7ffff7ab7981] = '\x0f'
|
|
mem[0x7ffff7ab7982] = 'n'
|
|
mem[0x7ffff7ab7983] = '\xce'
|
|
cpu.XMM1 = 0x24242424242424242424242424242424
|
|
cpu.RIP = 0x7ffff7ab7980
|
|
cpu.ESI = 0x2f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ab7980], 'f')
|
|
self.assertEqual(mem[0x7ffff7ab7981], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ab7982], 'n')
|
|
self.assertEqual(mem[0x7ffff7ab7983], '\xce')
|
|
self.assertEqual(cpu.XMM1, 47)
|
|
self.assertEqual(cpu.ESI, 47L)
|
|
self.assertEqual(cpu.RIP, 140737348598148L)
|
|
|
|
def test_MOVD_3(self):
|
|
''' Instruction MOVD_3
|
|
Groups: sse2
|
|
0x4578e0: movd xmm1, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x004578e0] = 'f'
|
|
mem[0x004578e1] = '\x0f'
|
|
mem[0x004578e2] = 'n'
|
|
mem[0x004578e3] = '\xce'
|
|
cpu.XMM1 = 0x0
|
|
cpu.RIP = 0x4578e0
|
|
cpu.ESI = 0x2f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4578e0], 'f')
|
|
self.assertEqual(mem[0x4578e1], '\x0f')
|
|
self.assertEqual(mem[0x4578e2], 'n')
|
|
self.assertEqual(mem[0x4578e3], '\xce')
|
|
self.assertEqual(cpu.XMM1, 47)
|
|
self.assertEqual(cpu.ESI, 47L)
|
|
self.assertEqual(cpu.RIP, 4552932L)
|
|
|
|
def test_MOVD_4(self):
|
|
''' Instruction MOVD_4
|
|
Groups: sse2
|
|
0x421b10: movd xmm1, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00421000, 0x1000, 'rwx')
|
|
mem[0x00421b10] = 'f'
|
|
mem[0x00421b11] = '\x0f'
|
|
mem[0x00421b12] = 'n'
|
|
mem[0x00421b13] = '\xce'
|
|
cpu.XMM1 = 0x25252525252525252525252525252525
|
|
cpu.RIP = 0x421b10
|
|
cpu.ESI = 0x25
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x421b10], 'f')
|
|
self.assertEqual(mem[0x421b11], '\x0f')
|
|
self.assertEqual(mem[0x421b12], 'n')
|
|
self.assertEqual(mem[0x421b13], '\xce')
|
|
self.assertEqual(cpu.XMM1, 37)
|
|
self.assertEqual(cpu.ESI, 37L)
|
|
self.assertEqual(cpu.RIP, 4332308L)
|
|
|
|
def test_MOVD_5(self):
|
|
''' Instruction MOVD_5
|
|
Groups: sse2
|
|
0x457da0: movd xmm1, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457da0] = 'f'
|
|
mem[0x00457da1] = '\x0f'
|
|
mem[0x00457da2] = 'n'
|
|
mem[0x00457da3] = '\xce'
|
|
cpu.XMM1 = 0x0
|
|
cpu.RIP = 0x457da0
|
|
cpu.ESI = 0x2f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457da0], 'f')
|
|
self.assertEqual(mem[0x457da1], '\x0f')
|
|
self.assertEqual(mem[0x457da2], 'n')
|
|
self.assertEqual(mem[0x457da3], '\xce')
|
|
self.assertEqual(cpu.XMM1, 47)
|
|
self.assertEqual(cpu.ESI, 47L)
|
|
self.assertEqual(cpu.RIP, 4554148L)
|
|
|
|
def test_MOVD_6(self):
|
|
''' Instruction MOVD_6
|
|
Groups: sse2
|
|
0x7ffff7ac0ae0: movd xmm1, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0ae0] = 'f'
|
|
mem[0x7ffff7ac0ae1] = '\x0f'
|
|
mem[0x7ffff7ac0ae2] = 'n'
|
|
mem[0x7ffff7ac0ae3] = '\xce'
|
|
cpu.XMM1 = 0x25252525252525252525252525252525
|
|
cpu.RIP = 0x7ffff7ac0ae0
|
|
cpu.ESI = 0x25
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ac0ae0], 'f')
|
|
self.assertEqual(mem[0x7ffff7ac0ae1], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ac0ae2], 'n')
|
|
self.assertEqual(mem[0x7ffff7ac0ae3], '\xce')
|
|
self.assertEqual(cpu.XMM1, 37)
|
|
self.assertEqual(cpu.ESI, 37L)
|
|
self.assertEqual(cpu.RIP, 140737348635364L)
|
|
|
|
def test_MOVLPD_1(self):
|
|
''' Instruction MOVLPD_1
|
|
Groups: sse2
|
|
0x50f61f: movlpd xmm1, qword ptr [rsp]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0050f000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x0050f61f] = 'f'
|
|
mem[0x0050f620] = '\x0f'
|
|
mem[0x0050f621] = '\x12'
|
|
mem[0x0050f622] = '\x0c'
|
|
mem[0x0050f623] = '$'
|
|
mem[0x7fffffffccb0] = '@'
|
|
mem[0x7fffffffccb1] = '\x00'
|
|
mem[0x7fffffffccb2] = '\x00'
|
|
mem[0x7fffffffccb3] = '\x00'
|
|
mem[0x7fffffffccb4] = '\x80'
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
cpu.XMM1 = 0x80000000400000008000000040
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x50f61f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x50f61f], 'f')
|
|
self.assertEqual(mem[0x50f620], '\x0f')
|
|
self.assertEqual(mem[0x50f621], '\x12')
|
|
self.assertEqual(mem[0x50f622], '\x0c')
|
|
self.assertEqual(mem[0x50f623], '$')
|
|
self.assertEqual(mem[0x7fffffffccb0], '@')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(cpu.XMM1, 10141204803006426833240792760384L)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 5305892L)
|
|
|
|
def test_MOVLPD_2(self):
|
|
''' Instruction MOVLPD_2
|
|
Groups: sse2
|
|
0x4aa891: movlpd qword ptr [rsp], xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004aa000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x004aa891] = 'f'
|
|
mem[0x004aa892] = '\x0f'
|
|
mem[0x004aa893] = '\x13'
|
|
mem[0x004aa894] = '\x0c'
|
|
mem[0x004aa895] = '$'
|
|
mem[0x7fffffffccb0] = '!'
|
|
mem[0x7fffffffccb1] = 'C'
|
|
mem[0x7fffffffccb2] = 'e'
|
|
mem[0x7fffffffccb3] = '\x87'
|
|
mem[0x7fffffffccb4] = '@'
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
cpu.XMM1 = 0x87654321800000000000004087654321
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x4aa891
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4aa891], 'f')
|
|
self.assertEqual(mem[0x4aa892], '\x0f')
|
|
self.assertEqual(mem[0x4aa893], '\x13')
|
|
self.assertEqual(mem[0x4aa894], '\x0c')
|
|
self.assertEqual(mem[0x4aa895], '$')
|
|
self.assertEqual(mem[0x7fffffffccb0], '!')
|
|
self.assertEqual(mem[0x7fffffffccb1], 'C')
|
|
self.assertEqual(mem[0x7fffffffccb2], 'e')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x87')
|
|
self.assertEqual(mem[0x7fffffffccb4], '@')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(cpu.XMM1, 179971562989262549322269247393805714209L)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 4892822L)
|
|
|
|
def test_MOVLPD_3(self):
|
|
''' Instruction MOVLPD_3
|
|
Groups: sse2
|
|
0x4adf87: movlpd qword ptr [rsp], xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004ad000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x004adf87] = 'f'
|
|
mem[0x004adf88] = '\x0f'
|
|
mem[0x004adf89] = '\x13'
|
|
mem[0x004adf8a] = '\x0c'
|
|
mem[0x004adf8b] = '$'
|
|
mem[0x7fffffffccb0] = '\xfe'
|
|
mem[0x7fffffffccb1] = '\xff'
|
|
mem[0x7fffffffccb2] = '\xff'
|
|
mem[0x7fffffffccb3] = '\xff'
|
|
mem[0x7fffffffccb4] = '\x01'
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x80'
|
|
cpu.XMM1 = 0xfffffffe8000000180000001fffffffe
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x4adf87
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4adf87], 'f')
|
|
self.assertEqual(mem[0x4adf88], '\x0f')
|
|
self.assertEqual(mem[0x4adf89], '\x13')
|
|
self.assertEqual(mem[0x4adf8a], '\x0c')
|
|
self.assertEqual(mem[0x4adf8b], '$')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\xfe')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\x01')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x80')
|
|
self.assertEqual(cpu.XMM1, 340282366802096219719648217160606547966L)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 4906892L)
|
|
|
|
def test_MOVLPD_4(self):
|
|
''' Instruction MOVLPD_4
|
|
Groups: sse2
|
|
0x4acf88: movlpd qword ptr [rsp], xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004ac000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x004acf88] = 'f'
|
|
mem[0x004acf89] = '\x0f'
|
|
mem[0x004acf8a] = '\x13'
|
|
mem[0x004acf8b] = '\x0c'
|
|
mem[0x004acf8c] = '$'
|
|
mem[0x7fffffffccb0] = '\xff'
|
|
mem[0x7fffffffccb1] = '\x7f'
|
|
mem[0x7fffffffccb2] = '\x00'
|
|
mem[0x7fffffffccb3] = '\x00'
|
|
mem[0x7fffffffccb4] = '\x01'
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x80'
|
|
cpu.XMM1 = 0x7fff800000018000000100007fff
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x4acf88
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4acf88], 'f')
|
|
self.assertEqual(mem[0x4acf89], '\x0f')
|
|
self.assertEqual(mem[0x4acf8a], '\x13')
|
|
self.assertEqual(mem[0x4acf8b], '\x0c')
|
|
self.assertEqual(mem[0x4acf8c], '$')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\x01')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x80')
|
|
self.assertEqual(cpu.XMM1, 2596108815186184352212566251962367L)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 4902797L)
|
|
|
|
def test_MOVLPD_5(self):
|
|
''' Instruction MOVLPD_5
|
|
Groups: sse2
|
|
0x50a2c7: movlpd xmm1, qword ptr [rsp]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0050a000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x0050a2c7] = 'f'
|
|
mem[0x0050a2c8] = '\x0f'
|
|
mem[0x0050a2c9] = '\x12'
|
|
mem[0x0050a2ca] = '\x0c'
|
|
mem[0x0050a2cb] = '$'
|
|
mem[0x7fffffffccb0] = ' '
|
|
mem[0x7fffffffccb1] = '\x00'
|
|
mem[0x7fffffffccb2] = '\x00'
|
|
mem[0x7fffffffccb3] = '\x00'
|
|
mem[0x7fffffffccb4] = '!'
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
cpu.XMM1 = 0x21000000200000004000000021
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x50a2c7
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x50a2c7], 'f')
|
|
self.assertEqual(mem[0x50a2c8], '\x0f')
|
|
self.assertEqual(mem[0x50a2c9], '\x12')
|
|
self.assertEqual(mem[0x50a2ca], '\x0c')
|
|
self.assertEqual(mem[0x50a2cb], '$')
|
|
self.assertEqual(mem[0x7fffffffccb0], ' ')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb4], '!')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(cpu.XMM1, 2614529363561018951087389933600L)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 5284556L)
|
|
|
|
def test_MOVLPD_6(self):
|
|
''' Instruction MOVLPD_6
|
|
Groups: sse2
|
|
0x4d851b: movlpd qword ptr [rsp], xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004d8000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x004d851b] = 'f'
|
|
mem[0x004d851c] = '\x0f'
|
|
mem[0x004d851d] = '\x13'
|
|
mem[0x004d851e] = '\x0c'
|
|
mem[0x004d851f] = '$'
|
|
mem[0x7fffffffccb0] = '\xff'
|
|
mem[0x7fffffffccb1] = '\x7f'
|
|
mem[0x7fffffffccb2] = '\x00'
|
|
mem[0x7fffffffccb3] = '\x00'
|
|
mem[0x7fffffffccb4] = '\xff'
|
|
mem[0x7fffffffccb5] = '\x7f'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
cpu.XMM1 = 0x7fff0000008000007fff00007fff
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x4d851b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4d851b], 'f')
|
|
self.assertEqual(mem[0x4d851c], '\x0f')
|
|
self.assertEqual(mem[0x4d851d], '\x13')
|
|
self.assertEqual(mem[0x4d851e], '\x0c')
|
|
self.assertEqual(mem[0x4d851f], '$')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(cpu.XMM1, 2596069201107260733309822636687359L)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 5080352L)
|
|
|
|
def test_MOVSD_1(self):
|
|
''' Instruction MOVSD_1
|
|
Groups:
|
|
0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem.mmap(0x55555576e000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffdba0] = '\x10'
|
|
mem[0x7fffffffdba1] = '\xdb'
|
|
mem[0x7fffffffdba2] = '\xff'
|
|
mem[0x7fffffffdba3] = '\xff'
|
|
mem[0x7fffffffdba4] = '\xff'
|
|
mem[0x7fffffffdba5] = '\x7f'
|
|
mem[0x7fffffffdba6] = '\x00'
|
|
mem[0x7fffffffdba7] = '\x00'
|
|
mem[0x555555556e3c] = '\xa5'
|
|
mem[0x55555576e63b] = '\x00'
|
|
mem[0x55555576e638] = '\x00'
|
|
mem[0x55555576e639] = '\x00'
|
|
mem[0x55555576e63a] = '\x00'
|
|
mem[0x555555556e3b] = '\xf3'
|
|
mem[0x55555576e63c] = '\x00'
|
|
mem[0x55555576e63d] = '\x00'
|
|
mem[0x55555576e63e] = '\x00'
|
|
mem[0x55555576e63f] = '\x00'
|
|
cpu.RDI = 0x7fffffffdba0
|
|
cpu.RCX = 0x12
|
|
cpu.RSI = 0x55555576e638
|
|
cpu.RIP = 0x555555556e3b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffdba0], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdba1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdba2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdba3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdba4], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdba5], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffdba6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdba7], '\x00')
|
|
self.assertEqual(mem[0x55555576e63c], '\x00')
|
|
self.assertEqual(mem[0x555555556e3b], '\xf3')
|
|
self.assertEqual(mem[0x55555576e638], '\x00')
|
|
self.assertEqual(mem[0x55555576e639], '\x00')
|
|
self.assertEqual(mem[0x55555576e63a], '\x00')
|
|
self.assertEqual(mem[0x55555576e63b], '\x00')
|
|
self.assertEqual(mem[0x555555556e3c], '\xa5')
|
|
self.assertEqual(mem[0x55555576e63d], '\x00')
|
|
self.assertEqual(mem[0x55555576e63e], '\x00')
|
|
self.assertEqual(mem[0x55555576e63f], '\x00')
|
|
self.assertEqual(cpu.RCX, 17L)
|
|
self.assertEqual(cpu.RDI, 140737488346020L)
|
|
self.assertEqual(cpu.RSI, 93824994436668L)
|
|
self.assertEqual(cpu.RIP, 93824992243259L)
|
|
|
|
def test_MOVSD_2(self):
|
|
''' Instruction MOVSD_2
|
|
Groups:
|
|
0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem.mmap(0x55555576e000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x55555576e620] = '\x00'
|
|
mem[0x55555576e621] = '\x00'
|
|
mem[0x55555576e622] = '\x00'
|
|
mem[0x55555576e623] = '\x00'
|
|
mem[0x7fffffffdb84] = 'U'
|
|
mem[0x7fffffffdb85] = 'U'
|
|
mem[0x7fffffffdb86] = '\x00'
|
|
mem[0x7fffffffdb87] = '\x00'
|
|
mem[0x7fffffffdb88] = '\x00'
|
|
mem[0x7fffffffdb89] = '\x00'
|
|
mem[0x7fffffffdb8a] = '\x00'
|
|
mem[0x7fffffffdb8b] = '\x00'
|
|
mem[0x55555576e61c] = '\x00'
|
|
mem[0x555555556e3b] = '\xf3'
|
|
mem[0x555555556e3c] = '\xa5'
|
|
mem[0x55555576e61d] = '\x00'
|
|
mem[0x55555576e61e] = '\x00'
|
|
mem[0x55555576e61f] = '\x00'
|
|
cpu.RDI = 0x7fffffffdb84
|
|
cpu.RCX = 0x19
|
|
cpu.RSI = 0x55555576e61c
|
|
cpu.RIP = 0x555555556e3b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x55555576e620], '\x00')
|
|
self.assertEqual(mem[0x55555576e621], '\x00')
|
|
self.assertEqual(mem[0x55555576e622], '\x00')
|
|
self.assertEqual(mem[0x55555576e623], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb84], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb85], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb86], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb87], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb88], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb89], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb8a], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb8b], '\x00')
|
|
self.assertEqual(mem[0x555555556e3c], '\xa5')
|
|
self.assertEqual(mem[0x555555556e3b], '\xf3')
|
|
self.assertEqual(mem[0x55555576e61c], '\x00')
|
|
self.assertEqual(mem[0x55555576e61d], '\x00')
|
|
self.assertEqual(mem[0x55555576e61e], '\x00')
|
|
self.assertEqual(mem[0x55555576e61f], '\x00')
|
|
self.assertEqual(cpu.RCX, 24L)
|
|
self.assertEqual(cpu.RDI, 140737488345992L)
|
|
self.assertEqual(cpu.RSI, 93824994436640L)
|
|
self.assertEqual(cpu.RIP, 93824992243259L)
|
|
|
|
def test_MOVSD_3(self):
|
|
''' Instruction MOVSD_3
|
|
Groups:
|
|
0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem.mmap(0x55555576e000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x555555556e3b] = '\xf3'
|
|
mem[0x55555576e64c] = '\x00'
|
|
mem[0x55555576e64d] = '\x00'
|
|
mem[0x55555576e64e] = '\x00'
|
|
mem[0x55555576e64f] = '\x00'
|
|
mem[0x55555576e650] = '\x00'
|
|
mem[0x55555576e651] = '\x00'
|
|
mem[0x55555576e652] = '\x00'
|
|
mem[0x55555576e653] = '\x00'
|
|
mem[0x7fffffffdbb4] = '\xff'
|
|
mem[0x7fffffffdbb5] = '\x7f'
|
|
mem[0x7fffffffdbb6] = '\x00'
|
|
mem[0x7fffffffdbb7] = '\x00'
|
|
mem[0x7fffffffdbb8] = '\x00'
|
|
mem[0x7fffffffdbb9] = '\x00'
|
|
mem[0x7fffffffdbba] = '\x00'
|
|
mem[0x7fffffffdbbb] = '\x00'
|
|
mem[0x555555556e3c] = '\xa5'
|
|
cpu.RDI = 0x7fffffffdbb4
|
|
cpu.RCX = 0xd
|
|
cpu.RSI = 0x55555576e64c
|
|
cpu.RIP = 0x555555556e3b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffdbbb], '\x00')
|
|
self.assertEqual(mem[0x55555576e64c], '\x00')
|
|
self.assertEqual(mem[0x55555576e64d], '\x00')
|
|
self.assertEqual(mem[0x55555576e64e], '\x00')
|
|
self.assertEqual(mem[0x55555576e64f], '\x00')
|
|
self.assertEqual(mem[0x55555576e650], '\x00')
|
|
self.assertEqual(mem[0x55555576e651], '\x00')
|
|
self.assertEqual(mem[0x55555576e652], '\x00')
|
|
self.assertEqual(mem[0x55555576e653], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdbb4], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdbb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdbb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdbb7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdbb8], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdbb9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdbba], '\x00')
|
|
self.assertEqual(mem[0x555555556e3b], '\xf3')
|
|
self.assertEqual(mem[0x555555556e3c], '\xa5')
|
|
self.assertEqual(cpu.RCX, 12L)
|
|
self.assertEqual(cpu.RDI, 140737488346040L)
|
|
self.assertEqual(cpu.RSI, 93824994436688L)
|
|
self.assertEqual(cpu.RIP, 93824992243259L)
|
|
|
|
def test_MOVSD_4(self):
|
|
''' Instruction MOVSD_4
|
|
Groups:
|
|
0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem.mmap(0x55555576e000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x55555576e640] = '\x00'
|
|
mem[0x55555576e641] = '\x00'
|
|
mem[0x55555576e642] = '\x00'
|
|
mem[0x55555576e643] = '\x00'
|
|
mem[0x55555576e644] = '\x00'
|
|
mem[0x55555576e645] = '\x00'
|
|
mem[0x55555576e646] = '\x00'
|
|
mem[0x55555576e647] = '\x00'
|
|
mem[0x7fffffffdba8] = 'g'
|
|
mem[0x7fffffffdba9] = '\xa8'
|
|
mem[0x7fffffffdbaa] = '\xb0'
|
|
mem[0x7fffffffdbab] = '\xf7'
|
|
mem[0x7fffffffdbac] = '\xff'
|
|
mem[0x7fffffffdbad] = '\x7f'
|
|
mem[0x7fffffffdbae] = '\x00'
|
|
mem[0x7fffffffdbaf] = '\x00'
|
|
mem[0x555555556e3b] = '\xf3'
|
|
mem[0x555555556e3c] = '\xa5'
|
|
cpu.RDI = 0x7fffffffdba8
|
|
cpu.RCX = 0x10
|
|
cpu.RSI = 0x55555576e640
|
|
cpu.RIP = 0x555555556e3b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x55555576e640], '\x00')
|
|
self.assertEqual(mem[0x55555576e641], '\x00')
|
|
self.assertEqual(mem[0x55555576e642], '\x00')
|
|
self.assertEqual(mem[0x55555576e643], '\x00')
|
|
self.assertEqual(mem[0x55555576e644], '\x00')
|
|
self.assertEqual(mem[0x55555576e645], '\x00')
|
|
self.assertEqual(mem[0x55555576e646], '\x00')
|
|
self.assertEqual(mem[0x55555576e647], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdba8], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdba9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdbaa], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdbab], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdbac], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdbad], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffdbae], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdbaf], '\x00')
|
|
self.assertEqual(mem[0x555555556e3b], '\xf3')
|
|
self.assertEqual(mem[0x555555556e3c], '\xa5')
|
|
self.assertEqual(cpu.RCX, 15L)
|
|
self.assertEqual(cpu.RDI, 140737488346028L)
|
|
self.assertEqual(cpu.RSI, 93824994436676L)
|
|
self.assertEqual(cpu.RIP, 93824992243259L)
|
|
|
|
def test_MOVSD_5(self):
|
|
''' Instruction MOVSD_5
|
|
Groups:
|
|
0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem.mmap(0x55555576e000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffdba0] = '\x10'
|
|
mem[0x7fffffffdba1] = '\xdb'
|
|
mem[0x7fffffffdba2] = '\xff'
|
|
mem[0x7fffffffdba3] = '\xff'
|
|
mem[0x7fffffffdb9c] = '\x00'
|
|
mem[0x555555556e3b] = '\xf3'
|
|
mem[0x55555576e634] = '\x00'
|
|
mem[0x55555576e635] = '\x00'
|
|
mem[0x55555576e636] = '\x00'
|
|
mem[0x55555576e637] = '\x00'
|
|
mem[0x55555576e638] = '\x00'
|
|
mem[0x55555576e639] = '\x00'
|
|
mem[0x55555576e63a] = '\x00'
|
|
mem[0x55555576e63b] = '\x00'
|
|
mem[0x555555556e3c] = '\xa5'
|
|
mem[0x7fffffffdb9d] = '\x00'
|
|
mem[0x7fffffffdb9e] = '\x00'
|
|
mem[0x7fffffffdb9f] = '\x00'
|
|
cpu.RDI = 0x7fffffffdb9c
|
|
cpu.RCX = 0x13
|
|
cpu.RSI = 0x55555576e634
|
|
cpu.RIP = 0x555555556e3b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffdba0], '\x10')
|
|
self.assertEqual(mem[0x7fffffffdba1], '\xdb')
|
|
self.assertEqual(mem[0x7fffffffdba2], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdba3], '\xff')
|
|
self.assertEqual(mem[0x55555576e63b], '\x00')
|
|
self.assertEqual(mem[0x555555556e3c], '\xa5')
|
|
self.assertEqual(mem[0x55555576e634], '\x00')
|
|
self.assertEqual(mem[0x55555576e635], '\x00')
|
|
self.assertEqual(mem[0x55555576e636], '\x00')
|
|
self.assertEqual(mem[0x55555576e637], '\x00')
|
|
self.assertEqual(mem[0x55555576e638], '\x00')
|
|
self.assertEqual(mem[0x55555576e639], '\x00')
|
|
self.assertEqual(mem[0x55555576e63a], '\x00')
|
|
self.assertEqual(mem[0x555555556e3b], '\xf3')
|
|
self.assertEqual(mem[0x7fffffffdb9c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb9d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb9e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb9f], '\x00')
|
|
self.assertEqual(cpu.RCX, 18L)
|
|
self.assertEqual(cpu.RDI, 140737488346016L)
|
|
self.assertEqual(cpu.RSI, 93824994436664L)
|
|
self.assertEqual(cpu.RIP, 93824992243259L)
|
|
|
|
def test_MOVSD_6(self):
|
|
''' Instruction MOVSD_6
|
|
Groups:
|
|
0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem.mmap(0x55555576e000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x55555576e604] = '\x00'
|
|
mem[0x55555576e605] = '\x00'
|
|
mem[0x55555576e606] = '\x00'
|
|
mem[0x55555576e607] = '\x00'
|
|
mem[0x55555576e608] = '\x00'
|
|
mem[0x55555576e609] = '\x00'
|
|
mem[0x55555576e60a] = '\x00'
|
|
mem[0x55555576e60b] = '\x00'
|
|
mem[0x7fffffffdb6c] = '\x00'
|
|
mem[0x7fffffffdb6d] = '\x00'
|
|
mem[0x7fffffffdb6e] = '\x00'
|
|
mem[0x7fffffffdb6f] = '\x00'
|
|
mem[0x7fffffffdb70] = '\xe0'
|
|
mem[0x7fffffffdb71] = '\xdb'
|
|
mem[0x7fffffffdb72] = '\xff'
|
|
mem[0x7fffffffdb73] = '\xff'
|
|
mem[0x555555556e3b] = '\xf3'
|
|
mem[0x555555556e3c] = '\xa5'
|
|
cpu.RDI = 0x7fffffffdb6c
|
|
cpu.RCX = 0x1f
|
|
cpu.RSI = 0x55555576e604
|
|
cpu.RIP = 0x555555556e3b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x55555576e604], '\x00')
|
|
self.assertEqual(mem[0x55555576e605], '\x00')
|
|
self.assertEqual(mem[0x55555576e606], '\x00')
|
|
self.assertEqual(mem[0x55555576e607], '\x00')
|
|
self.assertEqual(mem[0x55555576e608], '\x00')
|
|
self.assertEqual(mem[0x55555576e609], '\x00')
|
|
self.assertEqual(mem[0x55555576e60a], '\x00')
|
|
self.assertEqual(mem[0x55555576e60b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb6c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb6d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb6e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb6f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb70], '\xe0')
|
|
self.assertEqual(mem[0x7fffffffdb71], '\xdb')
|
|
self.assertEqual(mem[0x7fffffffdb72], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdb73], '\xff')
|
|
self.assertEqual(mem[0x555555556e3b], '\xf3')
|
|
self.assertEqual(mem[0x555555556e3c], '\xa5')
|
|
self.assertEqual(cpu.RCX, 30L)
|
|
self.assertEqual(cpu.RDI, 140737488345968L)
|
|
self.assertEqual(cpu.RSI, 93824994436616L)
|
|
self.assertEqual(cpu.RIP, 93824992243259L)
|
|
|
|
def test_MOVSXD_1(self):
|
|
''' Instruction MOVSXD_1
|
|
Groups:
|
|
0x466083: movsxd rdi, edi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00466000, 0x1000, 'rwx')
|
|
mem[0x00466083] = 'H'
|
|
mem[0x00466084] = 'c'
|
|
mem[0x00466085] = '\xff'
|
|
cpu.EDI = 0x41
|
|
cpu.RDI = 0x41
|
|
cpu.RIP = 0x466083
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x466083], 'H')
|
|
self.assertEqual(mem[0x466084], 'c')
|
|
self.assertEqual(mem[0x466085], '\xff')
|
|
self.assertEqual(cpu.EDI, 65L)
|
|
self.assertEqual(cpu.RDI, 65L)
|
|
self.assertEqual(cpu.RIP, 4612230L)
|
|
|
|
def test_MOVSXD_2(self):
|
|
''' Instruction MOVSXD_2
|
|
Groups:
|
|
0x7ffff7ddf068: movsxd rdx, dword ptr [r8 + rbx*4]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddf000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7df5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddf068] = 'I'
|
|
mem[0x7ffff7ddf069] = 'c'
|
|
mem[0x7ffff7ddf06a] = '\x14'
|
|
mem[0x7ffff7ddf06b] = '\x98'
|
|
mem[0x7ffff7df5f1c] = '\x8f'
|
|
mem[0x7ffff7df5f1d] = '\x91'
|
|
mem[0x7ffff7df5f1e] = '\xfe'
|
|
mem[0x7ffff7df5f1f] = '\xff'
|
|
cpu.R8 = 0x7ffff7df5f1c
|
|
cpu.RDX = 0x2
|
|
cpu.RIP = 0x7ffff7ddf068
|
|
cpu.RBX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ddf068], 'I')
|
|
self.assertEqual(mem[0x7ffff7ddf069], 'c')
|
|
self.assertEqual(mem[0x7ffff7ddf06a], '\x14')
|
|
self.assertEqual(mem[0x7ffff7ddf06b], '\x98')
|
|
self.assertEqual(mem[0x7ffff7df5f1c], '\x8f')
|
|
self.assertEqual(mem[0x7ffff7df5f1d], '\x91')
|
|
self.assertEqual(mem[0x7ffff7df5f1e], '\xfe')
|
|
self.assertEqual(mem[0x7ffff7df5f1f], '\xff')
|
|
self.assertEqual(cpu.R8, 140737351999260L)
|
|
self.assertEqual(cpu.RDX, 18446744073709457807L)
|
|
self.assertEqual(cpu.RIP, 140737351905388L)
|
|
self.assertEqual(cpu.RBX, 0L)
|
|
|
|
def test_MOVSXD_3(self):
|
|
''' Instruction MOVSXD_3
|
|
Groups:
|
|
0x436902: movsxd rax, dword ptr [rdx + rax*4]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00436000, 0x1000, 'rwx')
|
|
mem.mmap(0x00494000, 0x1000, 'rwx')
|
|
mem[0x00494cf0] = '\xa0'
|
|
mem[0x00494cf1] = '\x1c'
|
|
mem[0x00436902] = 'H'
|
|
mem[0x00436903] = 'c'
|
|
mem[0x00436904] = '\x04'
|
|
mem[0x00436905] = '\x82'
|
|
mem[0x00494cf3] = '\xff'
|
|
mem[0x00494cf2] = '\xfa'
|
|
cpu.RIP = 0x436902
|
|
cpu.RAX = 0x1c
|
|
cpu.RDX = 0x494c80
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x494cf0], '\xa0')
|
|
self.assertEqual(mem[0x494cf1], '\x1c')
|
|
self.assertEqual(mem[0x436902], 'H')
|
|
self.assertEqual(mem[0x436903], 'c')
|
|
self.assertEqual(mem[0x436904], '\x04')
|
|
self.assertEqual(mem[0x436905], '\x82')
|
|
self.assertEqual(mem[0x494cf3], '\xff')
|
|
self.assertEqual(mem[0x494cf2], '\xfa')
|
|
self.assertEqual(cpu.RAX, 18446744073709165728L)
|
|
self.assertEqual(cpu.RIP, 4417798L)
|
|
self.assertEqual(cpu.RDX, 4803712L)
|
|
|
|
def test_MOVSXD_4(self):
|
|
''' Instruction MOVSXD_4
|
|
Groups:
|
|
0x7ffff7df214a: movsxd rax, dword ptr [rcx + rax*4]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df2000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7df6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df674f] = '\xff'
|
|
mem[0x7ffff7df674c] = '0'
|
|
mem[0x7ffff7df214a] = 'H'
|
|
mem[0x7ffff7df214b] = 'c'
|
|
mem[0x7ffff7df214c] = '\x04'
|
|
mem[0x7ffff7df214d] = '\x81'
|
|
mem[0x7ffff7df674e] = '\xff'
|
|
mem[0x7ffff7df674d] = '\xbb'
|
|
cpu.RCX = 0x7ffff7df6740
|
|
cpu.RIP = 0x7ffff7df214a
|
|
cpu.RAX = 0x3
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df674f], '\xff')
|
|
self.assertEqual(mem[0x7ffff7df214c], '\x04')
|
|
self.assertEqual(mem[0x7ffff7df214a], 'H')
|
|
self.assertEqual(mem[0x7ffff7df214b], 'c')
|
|
self.assertEqual(mem[0x7ffff7df674c], '0')
|
|
self.assertEqual(mem[0x7ffff7df214d], '\x81')
|
|
self.assertEqual(mem[0x7ffff7df674e], '\xff')
|
|
self.assertEqual(mem[0x7ffff7df674d], '\xbb')
|
|
self.assertEqual(cpu.RCX, 140737352001344L)
|
|
self.assertEqual(cpu.RAX, 18446744073709534000L)
|
|
self.assertEqual(cpu.RIP, 140737351983438L)
|
|
|
|
def test_MOVSXD_5(self):
|
|
''' Instruction MOVSXD_5
|
|
Groups:
|
|
0x436b12: movsxd rax, dword ptr [rdx + rax*4]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00436000, 0x1000, 'rwx')
|
|
mem.mmap(0x00494000, 0x1000, 'rwx')
|
|
mem[0x00494ea0] = '\x10'
|
|
mem[0x00494ea1] = '\x1d'
|
|
mem[0x00494ea2] = '\xfa'
|
|
mem[0x00494ea3] = '\xff'
|
|
mem[0x00436b14] = '\x04'
|
|
mem[0x00436b15] = '\x82'
|
|
mem[0x00436b13] = 'c'
|
|
mem[0x00436b12] = 'H'
|
|
cpu.RIP = 0x436b12
|
|
cpu.RAX = 0x8
|
|
cpu.RDX = 0x494e80
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x494ea0], '\x10')
|
|
self.assertEqual(mem[0x494ea1], '\x1d')
|
|
self.assertEqual(mem[0x494ea2], '\xfa')
|
|
self.assertEqual(mem[0x494ea3], '\xff')
|
|
self.assertEqual(mem[0x436b14], '\x04')
|
|
self.assertEqual(mem[0x436b15], '\x82')
|
|
self.assertEqual(mem[0x436b13], 'c')
|
|
self.assertEqual(mem[0x436b12], 'H')
|
|
self.assertEqual(cpu.RAX, 18446744073709165840L)
|
|
self.assertEqual(cpu.RIP, 4418326L)
|
|
self.assertEqual(cpu.RDX, 4804224L)
|
|
|
|
def test_MOVSXD_6(self):
|
|
''' Instruction MOVSXD_6
|
|
Groups:
|
|
0x7ffff7de62e7: movsxd rdx, dword ptr [rax + r12*4]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7df6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df6458] = 'x'
|
|
mem[0x7ffff7df6459] = '\xff'
|
|
mem[0x7ffff7de62e7] = 'J'
|
|
mem[0x7ffff7de62e8] = 'c'
|
|
mem[0x7ffff7de62e9] = '\x14'
|
|
mem[0x7ffff7de62ea] = '\xa0'
|
|
mem[0x7ffff7df645b] = '\xff'
|
|
mem[0x7ffff7df645a] = '\xfe'
|
|
cpu.RIP = 0x7ffff7de62e7
|
|
cpu.R12 = 0x6
|
|
cpu.RDX = 0x7ffff7a32fe0
|
|
cpu.RAX = 0x7ffff7df6440
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df6458], 'x')
|
|
self.assertEqual(mem[0x7ffff7df6459], '\xff')
|
|
self.assertEqual(mem[0x7ffff7de62e7], 'J')
|
|
self.assertEqual(mem[0x7ffff7de62e8], 'c')
|
|
self.assertEqual(mem[0x7ffff7de62e9], '\x14')
|
|
self.assertEqual(mem[0x7ffff7de62ea], '\xa0')
|
|
self.assertEqual(mem[0x7ffff7df645b], '\xff')
|
|
self.assertEqual(mem[0x7ffff7df645a], '\xfe')
|
|
self.assertEqual(cpu.RAX, 140737352000576L)
|
|
self.assertEqual(cpu.R12, 6L)
|
|
self.assertEqual(cpu.RDX, 18446744073709485944L)
|
|
self.assertEqual(cpu.RIP, 140737351934699L)
|
|
|
|
def test_MOVSX_1(self):
|
|
''' Instruction MOVSX_1
|
|
Groups:
|
|
0x7ffff7df1273: movsx edx, byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1273] = '\x0f'
|
|
mem[0x7ffff7df1274] = '\xbe'
|
|
mem[0x7ffff7df1275] = '\x17'
|
|
mem[0x555555554435] = '.'
|
|
cpu.EDX = 0x63
|
|
cpu.RDI = 0x555555554435
|
|
cpu.RIP = 0x7ffff7df1273
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df1273], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df1274], '\xbe')
|
|
self.assertEqual(mem[0x7ffff7df1275], '\x17')
|
|
self.assertEqual(mem[0x555555554435], '.')
|
|
self.assertEqual(cpu.EDX, 46L)
|
|
self.assertEqual(cpu.RDI, 93824992232501L)
|
|
self.assertEqual(cpu.RIP, 140737351979638L)
|
|
|
|
def test_MOVSX_2(self):
|
|
''' Instruction MOVSX_2
|
|
Groups:
|
|
0x7ffff7df1273: movsx edx, byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1273] = '\x0f'
|
|
mem[0x7ffff7df1274] = '\xbe'
|
|
mem[0x7ffff7df1275] = '\x17'
|
|
mem[0x55555555444d] = '.'
|
|
cpu.EDX = 0x63
|
|
cpu.RDI = 0x55555555444d
|
|
cpu.RIP = 0x7ffff7df1273
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df1273], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df1274], '\xbe')
|
|
self.assertEqual(mem[0x7ffff7df1275], '\x17')
|
|
self.assertEqual(mem[0x55555555444d], '.')
|
|
self.assertEqual(cpu.EDX, 46L)
|
|
self.assertEqual(cpu.RDI, 93824992232525L)
|
|
self.assertEqual(cpu.RIP, 140737351979638L)
|
|
|
|
def test_MOVSX_3(self):
|
|
''' Instruction MOVSX_3
|
|
Groups:
|
|
0x7ffff7df1260: movsx eax, byte ptr [rsi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ff2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1260] = '\x0f'
|
|
mem[0x7ffff7df1261] = '\xbe'
|
|
mem[0x7ffff7df1262] = '\x06'
|
|
mem[0x7ffff7ff23b6] = 'l'
|
|
cpu.EAX = 0x3c
|
|
cpu.RSI = 0x7ffff7ff23b6
|
|
cpu.RIP = 0x7ffff7df1260
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df1260], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df1261], '\xbe')
|
|
self.assertEqual(mem[0x7ffff7df1262], '\x06')
|
|
self.assertEqual(mem[0x7ffff7ff23b6], 'l')
|
|
self.assertEqual(cpu.EAX, 108L)
|
|
self.assertEqual(cpu.RSI, 140737354081206L)
|
|
self.assertEqual(cpu.RIP, 140737351979619L)
|
|
|
|
def test_MOVSX_4(self):
|
|
''' Instruction MOVSX_4
|
|
Groups:
|
|
0x7ffff7df1260: movsx eax, byte ptr [rsi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7fed000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1260] = '\x0f'
|
|
mem[0x7ffff7df1261] = '\xbe'
|
|
mem[0x7ffff7df1262] = '\x06'
|
|
mem[0x7ffff7fede8e] = 'i'
|
|
cpu.EAX = 0x39
|
|
cpu.RSI = 0x7ffff7fede8e
|
|
cpu.RIP = 0x7ffff7df1260
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df1260], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df1261], '\xbe')
|
|
self.assertEqual(mem[0x7ffff7df1262], '\x06')
|
|
self.assertEqual(mem[0x7ffff7fede8e], 'i')
|
|
self.assertEqual(cpu.EAX, 105L)
|
|
self.assertEqual(cpu.RSI, 140737354063502L)
|
|
self.assertEqual(cpu.RIP, 140737351979619L)
|
|
|
|
def test_MOVSX_5(self):
|
|
''' Instruction MOVSX_5
|
|
Groups:
|
|
0x7ffff7df1260: movsx eax, byte ptr [rsi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7fed000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1260] = '\x0f'
|
|
mem[0x7ffff7df1261] = '\xbe'
|
|
mem[0x7ffff7df1262] = '\x06'
|
|
mem[0x7ffff7fede8f] = 'b'
|
|
cpu.EAX = 0x32
|
|
cpu.RSI = 0x7ffff7fede8f
|
|
cpu.RIP = 0x7ffff7df1260
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df1260], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df1261], '\xbe')
|
|
self.assertEqual(mem[0x7ffff7df1262], '\x06')
|
|
self.assertEqual(mem[0x7ffff7fede8f], 'b')
|
|
self.assertEqual(cpu.EAX, 98L)
|
|
self.assertEqual(cpu.RSI, 140737354063503L)
|
|
self.assertEqual(cpu.RIP, 140737351979619L)
|
|
|
|
def test_MOVSX_6(self):
|
|
''' Instruction MOVSX_6
|
|
Groups:
|
|
0x7ffff7df1273: movsx edx, byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1274] = '\xbe'
|
|
mem[0x7ffff7df1273] = '\x0f'
|
|
mem[0x555555554434] = 'c'
|
|
mem[0x7ffff7df1275] = '\x17'
|
|
cpu.EDX = 0x62
|
|
cpu.RDI = 0x555555554434
|
|
cpu.RIP = 0x7ffff7df1273
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x555555554434], 'c')
|
|
self.assertEqual(mem[0x7ffff7df1273], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df1274], '\xbe')
|
|
self.assertEqual(mem[0x7ffff7df1275], '\x17')
|
|
self.assertEqual(cpu.EDX, 99L)
|
|
self.assertEqual(cpu.RDI, 93824992232500L)
|
|
self.assertEqual(cpu.RIP, 140737351979638L)
|
|
|
|
def test_MOVZX_1(self):
|
|
''' Instruction MOVZX_1
|
|
Groups:
|
|
0x7ffff7de3aa3: movzx edx, byte ptr [rcx + 4]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a32000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3aa4] = '\xb6'
|
|
mem[0x7ffff7de3aa3] = '\x0f'
|
|
mem[0x7ffff7a324bc] = '\x11'
|
|
mem[0x7ffff7de3aa5] = 'Q'
|
|
mem[0x7ffff7de3aa6] = '\x04'
|
|
cpu.EDX = 0x6
|
|
cpu.RCX = 0x7ffff7a324b8
|
|
cpu.RIP = 0x7ffff7de3aa3
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a324bc], '\x11')
|
|
self.assertEqual(mem[0x7ffff7de3aa3], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de3aa4], '\xb6')
|
|
self.assertEqual(mem[0x7ffff7de3aa5], 'Q')
|
|
self.assertEqual(mem[0x7ffff7de3aa6], '\x04')
|
|
self.assertEqual(cpu.EDX, 17L)
|
|
self.assertEqual(cpu.RCX, 140737348052152L)
|
|
self.assertEqual(cpu.RIP, 140737351924391L)
|
|
|
|
def test_MOVZX_2(self):
|
|
''' Instruction MOVZX_2
|
|
Groups:
|
|
0x7ffff7de4399: movzx edx, byte ptr [rcx]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4399] = '\x0f'
|
|
mem[0x7ffff7de439a] = '\xb6'
|
|
mem[0x7ffff7de439b] = '\x11'
|
|
mem[0x555555554e44] = '_'
|
|
cpu.EDX = 0x6c
|
|
cpu.RCX = 0x555555554e44
|
|
cpu.RIP = 0x7ffff7de4399
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4399], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de439a], '\xb6')
|
|
self.assertEqual(mem[0x7ffff7de439b], '\x11')
|
|
self.assertEqual(mem[0x555555554e44], '_')
|
|
self.assertEqual(cpu.EDX, 95L)
|
|
self.assertEqual(cpu.RCX, 93824992235076L)
|
|
self.assertEqual(cpu.RIP, 140737351926684L)
|
|
|
|
def test_MOVZX_3(self):
|
|
''' Instruction MOVZX_3
|
|
Groups:
|
|
0x400aaa: movzx eax, al
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x00400aaa] = '\x0f'
|
|
mem[0x00400aab] = '\xb6'
|
|
mem[0x00400aac] = '\xc0'
|
|
cpu.EAX = 0x79
|
|
cpu.AL = 0x79
|
|
cpu.RIP = 0x400aaa
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x400aaa], '\x0f')
|
|
self.assertEqual(mem[0x400aab], '\xb6')
|
|
self.assertEqual(mem[0x400aac], '\xc0')
|
|
self.assertEqual(cpu.EAX, 121L)
|
|
self.assertEqual(cpu.AL, 121L)
|
|
self.assertEqual(cpu.RIP, 4197037L)
|
|
|
|
def test_MOVZX_4(self):
|
|
''' Instruction MOVZX_4
|
|
Groups:
|
|
0x7ffff7b58f18: movzx r10d, word ptr [rdx + 6]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a35000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f18] = 'D'
|
|
mem[0x7ffff7b58f19] = '\x0f'
|
|
mem[0x7ffff7b58f1a] = '\xb7'
|
|
mem[0x7ffff7b58f1b] = 'R'
|
|
mem[0x7ffff7b58f1c] = '\x06'
|
|
mem[0x7ffff7a3575e] = '\x0b'
|
|
mem[0x7ffff7a3575f] = '\x00'
|
|
cpu.RDX = 0x7ffff7a35758
|
|
cpu.RIP = 0x7ffff7b58f18
|
|
cpu.R10D = 0x24
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b58f18], 'D')
|
|
self.assertEqual(mem[0x7ffff7b58f19], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7b58f1a], '\xb7')
|
|
self.assertEqual(mem[0x7ffff7b58f1b], 'R')
|
|
self.assertEqual(mem[0x7ffff7b58f1c], '\x06')
|
|
self.assertEqual(mem[0x7ffff7a3575e], '\x0b')
|
|
self.assertEqual(mem[0x7ffff7a3575f], '\x00')
|
|
self.assertEqual(cpu.RDX, 140737348065112L)
|
|
self.assertEqual(cpu.RIP, 140737349259037L)
|
|
self.assertEqual(cpu.R10D, 11L)
|
|
|
|
def test_MOVZX_5(self):
|
|
''' Instruction MOVZX_5
|
|
Groups:
|
|
0x7ffff7de6219: movzx r9d, r9b
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6219] = 'E'
|
|
mem[0x7ffff7de621a] = '\x0f'
|
|
mem[0x7ffff7de621b] = '\xb6'
|
|
mem[0x7ffff7de621c] = '\xc9'
|
|
cpu.R9D = 0xffffff00
|
|
cpu.R9B = 0x0
|
|
cpu.RIP = 0x7ffff7de6219
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6219], 'E')
|
|
self.assertEqual(mem[0x7ffff7de621a], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de621b], '\xb6')
|
|
self.assertEqual(mem[0x7ffff7de621c], '\xc9')
|
|
self.assertEqual(cpu.R9D, 0L)
|
|
self.assertEqual(cpu.R9B, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351934493L)
|
|
|
|
def test_MOVZX_6(self):
|
|
''' Instruction MOVZX_6
|
|
Groups:
|
|
0x7ffff7de3929: movzx ecx, byte ptr [rbp - 0x78]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffd808] = '8'
|
|
mem[0x7ffff7de3929] = '\x0f'
|
|
mem[0x7ffff7de392a] = '\xb6'
|
|
mem[0x7ffff7de392b] = 'M'
|
|
mem[0x7ffff7de392c] = '\x88'
|
|
cpu.ECX = 0x2917737
|
|
cpu.RIP = 0x7ffff7de3929
|
|
cpu.RBP = 0x7fffffffd880
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffd808], '8')
|
|
self.assertEqual(mem[0x7ffff7de3929], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de392a], '\xb6')
|
|
self.assertEqual(mem[0x7ffff7de392b], 'M')
|
|
self.assertEqual(mem[0x7ffff7de392c], '\x88')
|
|
self.assertEqual(cpu.RBP, 140737488345216L)
|
|
self.assertEqual(cpu.RIP, 140737351924013L)
|
|
self.assertEqual(cpu.ECX, 56L)
|
|
|
|
def test_MOV_1(self):
|
|
''' Instruction MOV_1
|
|
Groups:
|
|
0x737287: mov ebx, 0x40
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00737000, 0x1000, 'rwx')
|
|
mem[0x00737288] = '@'
|
|
mem[0x00737289] = '\x00'
|
|
mem[0x0073728a] = '\x00'
|
|
mem[0x0073728b] = '\x00'
|
|
mem[0x00737287] = '\xbb'
|
|
cpu.EBX = 0x40
|
|
cpu.RIP = 0x737287
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x737288], '@')
|
|
self.assertEqual(mem[0x737289], '\x00')
|
|
self.assertEqual(mem[0x73728a], '\x00')
|
|
self.assertEqual(mem[0x73728b], '\x00')
|
|
self.assertEqual(mem[0x737287], '\xbb')
|
|
self.assertEqual(cpu.EBX, 64L)
|
|
self.assertEqual(cpu.RIP, 7565964L)
|
|
|
|
def test_MOV_2(self):
|
|
''' Instruction MOV_2
|
|
Groups:
|
|
0x7ffff7de6121: mov rax, r13
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6121] = 'L'
|
|
mem[0x7ffff7de6122] = '\x89'
|
|
mem[0x7ffff7de6123] = '\xe8'
|
|
cpu.RIP = 0x7ffff7de6121
|
|
cpu.RAX = 0x8
|
|
cpu.R13 = 0x7ffff7a2e000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6121], 'L')
|
|
self.assertEqual(mem[0x7ffff7de6122], '\x89')
|
|
self.assertEqual(mem[0x7ffff7de6123], '\xe8')
|
|
self.assertEqual(cpu.RAX, 140737348034560L)
|
|
self.assertEqual(cpu.RIP, 140737351934244L)
|
|
self.assertEqual(cpu.R13, 140737348034560L)
|
|
|
|
def test_MOV_3(self):
|
|
''' Instruction MOV_3
|
|
Groups:
|
|
0x74dced: mov dword ptr [rsp], 0x7fff
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0074d000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x0074dced] = '\xc7'
|
|
mem[0x0074dcf0] = '\xff'
|
|
mem[0x0074dcf1] = '\x7f'
|
|
mem[0x7fffffffccb2] = '\x00'
|
|
mem[0x0074dcee] = '\x04'
|
|
mem[0x0074dcef] = '$'
|
|
mem[0x7fffffffccb0] = '\xff'
|
|
mem[0x7fffffffccb1] = '\x7f'
|
|
mem[0x0074dcf2] = '\x00'
|
|
mem[0x7fffffffccb3] = '\x00'
|
|
mem[0x0074dcf3] = '\x00'
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x74dced
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x74dced], '\xc7')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\x00')
|
|
self.assertEqual(mem[0x74dcee], '\x04')
|
|
self.assertEqual(mem[0x74dcef], '$')
|
|
self.assertEqual(mem[0x74dcf0], '\xff')
|
|
self.assertEqual(mem[0x74dcf1], '\x7f')
|
|
self.assertEqual(mem[0x74dcf2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x00')
|
|
self.assertEqual(mem[0x74dcf3], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 7658740L)
|
|
|
|
def test_MOV_4(self):
|
|
''' Instruction MOV_4
|
|
Groups:
|
|
0x4b00dc: mov dword ptr [rsp + 4], 0x80
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004b0000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x004b00dc] = '\xc7'
|
|
mem[0x004b00dd] = 'D'
|
|
mem[0x004b00de] = '$'
|
|
mem[0x004b00df] = '\x04'
|
|
mem[0x004b00e0] = '\x80'
|
|
mem[0x004b00e1] = '\x00'
|
|
mem[0x004b00e2] = '\x00'
|
|
mem[0x004b00e3] = '\x00'
|
|
mem[0x7fffffffccb4] = '\xff'
|
|
mem[0x7fffffffccb5] = '\xff'
|
|
mem[0x7fffffffccb6] = '\xff'
|
|
mem[0x7fffffffccb7] = '\xff'
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x4b00dc
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4b00dc], '\xc7')
|
|
self.assertEqual(mem[0x4b00dd], 'D')
|
|
self.assertEqual(mem[0x4b00de], '$')
|
|
self.assertEqual(mem[0x4b00df], '\x04')
|
|
self.assertEqual(mem[0x4b00e0], '\x80')
|
|
self.assertEqual(mem[0x4b00e1], '\x00')
|
|
self.assertEqual(mem[0x4b00e2], '\x00')
|
|
self.assertEqual(mem[0x4b00e3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 4915428L)
|
|
|
|
def test_MOV_5(self):
|
|
''' Instruction MOV_5
|
|
Groups:
|
|
0x7776d9: mov dword ptr [rsp + 8], 0x80000000
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00777000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x007776d9] = '\xc7'
|
|
mem[0x007776da] = 'D'
|
|
mem[0x007776db] = '$'
|
|
mem[0x007776dc] = '\x08'
|
|
mem[0x007776dd] = '\x00'
|
|
mem[0x007776de] = '\x00'
|
|
mem[0x007776df] = '\x00'
|
|
mem[0x007776e0] = '\x80'
|
|
mem[0x7fffffffccb8] = '\x7f'
|
|
mem[0x7fffffffccb9] = '\x00'
|
|
mem[0x7fffffffccba] = '\x00'
|
|
mem[0x7fffffffccbb] = '\x00'
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x7776d9
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7776d9], '\xc7')
|
|
self.assertEqual(mem[0x7776da], 'D')
|
|
self.assertEqual(mem[0x7776db], '$')
|
|
self.assertEqual(mem[0x7776dc], '\x08')
|
|
self.assertEqual(mem[0x7776dd], '\x00')
|
|
self.assertEqual(mem[0x7776de], '\x00')
|
|
self.assertEqual(mem[0x7776df], '\x00')
|
|
self.assertEqual(mem[0x7776e0], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccb8], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccba], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbb], '\x80')
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 7829217L)
|
|
|
|
def test_MOV_6(self):
|
|
''' Instruction MOV_6
|
|
Groups:
|
|
0x4c3b88: mov dword ptr [rsp + 0xc], 0x12345678
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004c3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x004c3b88] = '\xc7'
|
|
mem[0x004c3b89] = 'D'
|
|
mem[0x004c3b8a] = '$'
|
|
mem[0x004c3b8b] = '\x0c'
|
|
mem[0x004c3b8c] = 'x'
|
|
mem[0x004c3b8d] = 'V'
|
|
mem[0x004c3b8e] = '4'
|
|
mem[0x004c3b8f] = '\x12'
|
|
mem[0x7fffffffccbc] = 'x'
|
|
mem[0x7fffffffccbd] = 'V'
|
|
mem[0x7fffffffccbe] = '4'
|
|
mem[0x7fffffffccbf] = '\x12'
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x4c3b88
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4c3b88], '\xc7')
|
|
self.assertEqual(mem[0x4c3b89], 'D')
|
|
self.assertEqual(mem[0x4c3b8a], '$')
|
|
self.assertEqual(mem[0x4c3b8b], '\x0c')
|
|
self.assertEqual(mem[0x4c3b8c], 'x')
|
|
self.assertEqual(mem[0x4c3b8d], 'V')
|
|
self.assertEqual(mem[0x4c3b8e], '4')
|
|
self.assertEqual(mem[0x4c3b8f], '\x12')
|
|
self.assertEqual(mem[0x7fffffffccbc], 'x')
|
|
self.assertEqual(mem[0x7fffffffccbd], 'V')
|
|
self.assertEqual(mem[0x7fffffffccbe], '4')
|
|
self.assertEqual(mem[0x7fffffffccbf], '\x12')
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 4995984L)
|
|
|
|
def test_MUL_1(self):
|
|
''' Instruction MUL_1
|
|
Groups:
|
|
0x7ffff7de253f: mul rdx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de2540] = '\xf7'
|
|
mem[0x7ffff7de2541] = '\xe2'
|
|
mem[0x7ffff7de253f] = 'H'
|
|
cpu.OF = False
|
|
cpu.RIP = 0x7ffff7de253f
|
|
cpu.CF = False
|
|
cpu.RAX = 0x5f
|
|
cpu.RDX = 0xcccccccccccccccd
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de2540], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7de2541], '\xe2')
|
|
self.assertEqual(mem[0x7ffff7de253f], 'H')
|
|
self.assertEqual(cpu.OF, True)
|
|
self.assertEqual(cpu.RAX, 19L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351918914L)
|
|
self.assertEqual(cpu.RDX, 76L)
|
|
|
|
def test_MUL_2(self):
|
|
''' Instruction MUL_2
|
|
Groups:
|
|
0x7ffff7de253f: mul rdx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de2540] = '\xf7'
|
|
mem[0x7ffff7de2541] = '\xe2'
|
|
mem[0x7ffff7de253f] = 'H'
|
|
cpu.OF = False
|
|
cpu.RIP = 0x7ffff7de253f
|
|
cpu.CF = False
|
|
cpu.RAX = 0x5f
|
|
cpu.RDX = 0xcccccccccccccccd
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de2540], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7de2541], '\xe2')
|
|
self.assertEqual(mem[0x7ffff7de253f], 'H')
|
|
self.assertEqual(cpu.OF, True)
|
|
self.assertEqual(cpu.RAX, 19L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351918914L)
|
|
self.assertEqual(cpu.RDX, 76L)
|
|
|
|
def test_MUL_3(self):
|
|
''' Instruction MUL_3
|
|
Groups:
|
|
0x7ffff7de253f: mul rdx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de2540] = '\xf7'
|
|
mem[0x7ffff7de2541] = '\xe2'
|
|
mem[0x7ffff7de253f] = 'H'
|
|
cpu.OF = False
|
|
cpu.RIP = 0x7ffff7de253f
|
|
cpu.CF = False
|
|
cpu.RAX = 0x5f
|
|
cpu.RDX = 0xcccccccccccccccd
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de2540], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7de2541], '\xe2')
|
|
self.assertEqual(mem[0x7ffff7de253f], 'H')
|
|
self.assertEqual(cpu.OF, True)
|
|
self.assertEqual(cpu.RAX, 19L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351918914L)
|
|
self.assertEqual(cpu.RDX, 76L)
|
|
|
|
def test_MUL_4(self):
|
|
''' Instruction MUL_4
|
|
Groups:
|
|
0x45f865: mul rdx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0045f000, 0x1000, 'rwx')
|
|
mem[0x0045f865] = 'H'
|
|
mem[0x0045f866] = '\xf7'
|
|
mem[0x0045f867] = '\xe2'
|
|
cpu.OF = False
|
|
cpu.RIP = 0x45f865
|
|
cpu.CF = False
|
|
cpu.RAX = 0x57
|
|
cpu.RDX = 0xcccccccccccccccd
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x45f865], 'H')
|
|
self.assertEqual(mem[0x45f866], '\xf7')
|
|
self.assertEqual(mem[0x45f867], '\xe2')
|
|
self.assertEqual(cpu.OF, True)
|
|
self.assertEqual(cpu.RAX, 11068046444225730987L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4585576L)
|
|
self.assertEqual(cpu.RDX, 69L)
|
|
|
|
def test_MUL_5(self):
|
|
''' Instruction MUL_5
|
|
Groups:
|
|
0x4624e5: mul rdx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00462000, 0x1000, 'rwx')
|
|
mem[0x004624e5] = 'H'
|
|
mem[0x004624e6] = '\xf7'
|
|
mem[0x004624e7] = '\xe2'
|
|
cpu.OF = False
|
|
cpu.RIP = 0x4624e5
|
|
cpu.CF = False
|
|
cpu.RAX = 0x57
|
|
cpu.RDX = 0xcccccccccccccccd
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4624e5], 'H')
|
|
self.assertEqual(mem[0x4624e6], '\xf7')
|
|
self.assertEqual(mem[0x4624e7], '\xe2')
|
|
self.assertEqual(cpu.OF, True)
|
|
self.assertEqual(cpu.RAX, 11068046444225730987L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4596968L)
|
|
self.assertEqual(cpu.RDX, 69L)
|
|
|
|
def test_MUL_6(self):
|
|
''' Instruction MUL_6
|
|
Groups:
|
|
0x443dc7: mul r9
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00443000, 0x1000, 'rwx')
|
|
mem[0x00443dc8] = '\xf7'
|
|
mem[0x00443dc9] = '\xe1'
|
|
mem[0x00443dc7] = 'I'
|
|
cpu.OF = False
|
|
cpu.R9 = 0xcccccccccccccccd
|
|
cpu.RIP = 0x443dc7
|
|
cpu.RDX = 0xa
|
|
cpu.CF = False
|
|
cpu.RAX = 0x3
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x443dc8], '\xf7')
|
|
self.assertEqual(mem[0x443dc9], '\xe1')
|
|
self.assertEqual(mem[0x443dc7], 'I')
|
|
self.assertEqual(cpu.RDX, 2L)
|
|
self.assertEqual(cpu.OF, True)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4472266L)
|
|
self.assertEqual(cpu.R9, 14757395258967641293L)
|
|
self.assertEqual(cpu.RAX, 7378697629483820647L)
|
|
|
|
def test_NEG_1(self):
|
|
''' Instruction NEG_1
|
|
Groups:
|
|
0x7ffff7df27cf: neg rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df27d0] = '\xf7'
|
|
mem[0x7ffff7df27d1] = '\xd8'
|
|
mem[0x7ffff7df27cf] = 'H'
|
|
cpu.PF = True
|
|
cpu.RAX = 0x7ffff7ffeb78
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = True
|
|
cpu.RIP = 0x7ffff7df27cf
|
|
cpu.SF = True
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df27d0], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7df27d1], '\xd8')
|
|
self.assertEqual(mem[0x7ffff7df27cf], 'H')
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RAX, 18446603336355419272L)
|
|
self.assertEqual(cpu.AF, True)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351985106L)
|
|
self.assertEqual(cpu.SF, True)
|
|
|
|
def test_NEG_2(self):
|
|
''' Instruction NEG_2
|
|
Groups:
|
|
0x7ffff7de5c54: neg rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5c54] = 'H'
|
|
mem[0x7ffff7de5c55] = '\xf7'
|
|
mem[0x7ffff7de5c56] = '\xd8'
|
|
cpu.PF = True
|
|
cpu.RAX = 0x1000
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de5c54
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de5c54], 'H')
|
|
self.assertEqual(mem[0x7ffff7de5c55], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7de5c56], '\xd8')
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RAX, 18446744073709547520L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351933015L)
|
|
self.assertEqual(cpu.SF, True)
|
|
|
|
def test_NEG_3(self):
|
|
''' Instruction NEG_3
|
|
Groups:
|
|
0x40baad: neg eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040b000, 0x1000, 'rwx')
|
|
mem[0x0040baad] = '\xf7'
|
|
mem[0x0040baae] = '\xd8'
|
|
cpu.EAX = 0x0
|
|
cpu.PF = False
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x40baad
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x40baad], '\xf7')
|
|
self.assertEqual(mem[0x40baae], '\xd8')
|
|
self.assertEqual(cpu.EAX, 0L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4242095L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_NEG_4(self):
|
|
''' Instruction NEG_4
|
|
Groups:
|
|
0x7ffff7df27b6: neg rdi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df27b8] = '\xdf'
|
|
mem[0x7ffff7df27b6] = 'H'
|
|
mem[0x7ffff7df27b7] = '\xf7'
|
|
cpu.PF = True
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RDI = 0x8
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7df27b6
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df27b8], '\xdf')
|
|
self.assertEqual(mem[0x7ffff7df27b6], 'H')
|
|
self.assertEqual(mem[0x7ffff7df27b7], '\xf7')
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.AF, True)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RDI, 18446744073709551608L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351985081L)
|
|
self.assertEqual(cpu.SF, True)
|
|
|
|
def test_NEG_5(self):
|
|
''' Instruction NEG_5
|
|
Groups:
|
|
0x411176: neg r10
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem[0x00411178] = '\xda'
|
|
mem[0x00411176] = 'I'
|
|
mem[0x00411177] = '\xf7'
|
|
cpu.PF = True
|
|
cpu.R10 = 0x1000
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.CF = False
|
|
cpu.RIP = 0x411176
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x411178], '\xda')
|
|
self.assertEqual(mem[0x411176], 'I')
|
|
self.assertEqual(mem[0x411177], '\xf7')
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.R10, 18446744073709547520L)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4264313L)
|
|
self.assertEqual(cpu.SF, True)
|
|
|
|
def test_NEG_6(self):
|
|
''' Instruction NEG_6
|
|
Groups:
|
|
0x7ffff7df27b6: neg rdi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df27b8] = '\xdf'
|
|
mem[0x7ffff7df27b6] = 'H'
|
|
mem[0x7ffff7df27b7] = '\xf7'
|
|
cpu.PF = True
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RDI = 0x8
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7df27b6
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df27b8], '\xdf')
|
|
self.assertEqual(mem[0x7ffff7df27b6], 'H')
|
|
self.assertEqual(mem[0x7ffff7df27b7], '\xf7')
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.AF, True)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RDI, 18446744073709551608L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351985081L)
|
|
self.assertEqual(cpu.SF, True)
|
|
|
|
def test_NOT_1(self):
|
|
''' Instruction NOT_1
|
|
Groups:
|
|
0x7ffff7df144a: not rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df144a] = 'H'
|
|
mem[0x7ffff7df144b] = '\xf7'
|
|
mem[0x7ffff7df144c] = '\xd0'
|
|
cpu.RIP = 0x7ffff7df144a
|
|
cpu.RAX = 0x8000000000000000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df144a], 'H')
|
|
self.assertEqual(mem[0x7ffff7df144b], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7df144c], '\xd0')
|
|
self.assertEqual(cpu.RAX, 9223372036854775807L)
|
|
self.assertEqual(cpu.RIP, 140737351980109L)
|
|
|
|
def test_NOT_2(self):
|
|
''' Instruction NOT_2
|
|
Groups:
|
|
0x4008f7: not esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x004008f8] = '\xd6'
|
|
mem[0x004008f7] = '\xf7'
|
|
cpu.RIP = 0x4008f7
|
|
cpu.ESI = 0xfffffff0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4008f8], '\xd6')
|
|
self.assertEqual(mem[0x4008f7], '\xf7')
|
|
self.assertEqual(cpu.ESI, 15L)
|
|
self.assertEqual(cpu.RIP, 4196601L)
|
|
|
|
def test_NOT_3(self):
|
|
''' Instruction NOT_3
|
|
Groups:
|
|
0x7ffff7a78242: not rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a78242] = 'H'
|
|
mem[0x7ffff7a78243] = '\xf7'
|
|
mem[0x7ffff7a78244] = '\xd0'
|
|
cpu.RIP = 0x7ffff7a78242
|
|
cpu.RAX = 0xfffffffffffffffc
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a78242], 'H')
|
|
self.assertEqual(mem[0x7ffff7a78243], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7a78244], '\xd0')
|
|
self.assertEqual(cpu.RAX, 3L)
|
|
self.assertEqual(cpu.RIP, 140737348338245L)
|
|
|
|
def test_NOT_4(self):
|
|
''' Instruction NOT_4
|
|
Groups:
|
|
0x7ffff7de5765: not r10
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5765] = 'I'
|
|
mem[0x7ffff7de5766] = '\xf7'
|
|
mem[0x7ffff7de5767] = '\xd2'
|
|
cpu.RIP = 0x7ffff7de5765
|
|
cpu.R10 = 0xffffffffffffffff
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de5765], 'I')
|
|
self.assertEqual(mem[0x7ffff7de5766], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7de5767], '\xd2')
|
|
self.assertEqual(cpu.R10, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351931752L)
|
|
|
|
def test_NOT_5(self):
|
|
''' Instruction NOT_5
|
|
Groups:
|
|
0x7ffff7de5765: not r10
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5765] = 'I'
|
|
mem[0x7ffff7de5766] = '\xf7'
|
|
mem[0x7ffff7de5767] = '\xd2'
|
|
cpu.RIP = 0x7ffff7de5765
|
|
cpu.R10 = 0xffffffffffffffff
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de5765], 'I')
|
|
self.assertEqual(mem[0x7ffff7de5766], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7de5767], '\xd2')
|
|
self.assertEqual(cpu.R10, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351931752L)
|
|
|
|
def test_NOT_6(self):
|
|
''' Instruction NOT_6
|
|
Groups:
|
|
0x7ffff7de5765: not r10
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5765] = 'I'
|
|
mem[0x7ffff7de5766] = '\xf7'
|
|
mem[0x7ffff7de5767] = '\xd2'
|
|
cpu.RIP = 0x7ffff7de5765
|
|
cpu.R10 = 0xffffffffffffffff
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de5765], 'I')
|
|
self.assertEqual(mem[0x7ffff7de5766], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7de5767], '\xd2')
|
|
self.assertEqual(cpu.R10, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351931752L)
|
|
|
|
def test_OR_1(self):
|
|
''' Instruction OR_1
|
|
Groups:
|
|
0x7ffff7de6235: or r9d, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6235] = 'A'
|
|
mem[0x7ffff7de6236] = '\t'
|
|
mem[0x7ffff7de6237] = '\xc1'
|
|
cpu.EAX = 0x0
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6235
|
|
cpu.R9D = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6235], 'A')
|
|
self.assertEqual(mem[0x7ffff7de6236], '\t')
|
|
self.assertEqual(mem[0x7ffff7de6237], '\xc1')
|
|
self.assertEqual(cpu.EAX, 0L)
|
|
self.assertEqual(cpu.R9D, 0L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351934520L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_OR_2(self):
|
|
''' Instruction OR_2
|
|
Groups:
|
|
0x7ffff7de4344: or qword ptr [rsp], 0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4344] = 'H'
|
|
mem[0x7ffff7de4345] = '\x83'
|
|
mem[0x7ffff7de4346] = '\x0c'
|
|
mem[0x7ffff7de4347] = '$'
|
|
mem[0x7ffff7de4348] = '\x00'
|
|
mem[0x7fffffffc920] = '\x00'
|
|
mem[0x7fffffffc921] = '\x00'
|
|
mem[0x7fffffffc922] = '\x00'
|
|
mem[0x7fffffffc923] = '\x00'
|
|
mem[0x7fffffffc924] = '\x00'
|
|
mem[0x7fffffffc925] = '\x00'
|
|
mem[0x7fffffffc926] = '\x00'
|
|
mem[0x7fffffffc927] = '\x00'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de4344
|
|
cpu.PF = False
|
|
cpu.RSP = 0x7fffffffc920
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4344], 'H')
|
|
self.assertEqual(mem[0x7ffff7de4345], '\x83')
|
|
self.assertEqual(mem[0x7ffff7de4346], '\x0c')
|
|
self.assertEqual(mem[0x7ffff7de4347], '$')
|
|
self.assertEqual(mem[0x7ffff7de4348], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc920], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc921], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc922], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc923], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc924], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc925], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc926], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc927], '\x00')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351926601L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RSP, 140737488341280L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_OR_3(self):
|
|
''' Instruction OR_3
|
|
Groups:
|
|
0x7ffff7de3814: or qword ptr [rsp], 0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3816] = '\x0c'
|
|
mem[0x7ffff7de3817] = '$'
|
|
mem[0x7fffffffc790] = '\x00'
|
|
mem[0x7fffffffc791] = '\x00'
|
|
mem[0x7fffffffc792] = '\x00'
|
|
mem[0x7fffffffc793] = '\x00'
|
|
mem[0x7ffff7de3814] = 'H'
|
|
mem[0x7ffff7de3815] = '\x83'
|
|
mem[0x7fffffffc796] = '\x00'
|
|
mem[0x7fffffffc797] = '\x00'
|
|
mem[0x7ffff7de3818] = '\x00'
|
|
mem[0x7fffffffc794] = '\x00'
|
|
mem[0x7fffffffc795] = '\x00'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de3814
|
|
cpu.PF = True
|
|
cpu.RSP = 0x7fffffffc790
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffc796], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc797], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc790], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc791], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc792], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc793], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de3814], 'H')
|
|
self.assertEqual(mem[0x7ffff7de3815], '\x83')
|
|
self.assertEqual(mem[0x7ffff7de3816], '\x0c')
|
|
self.assertEqual(mem[0x7ffff7de3817], '$')
|
|
self.assertEqual(mem[0x7ffff7de3818], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc794], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc795], '\x00')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351923737L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RSP, 140737488340880L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_OR_4(self):
|
|
''' Instruction OR_4
|
|
Groups:
|
|
0x7ffff7de3814: or qword ptr [rsp], 0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3816] = '\x0c'
|
|
mem[0x7ffff7de3817] = '$'
|
|
mem[0x7fffffffc790] = '\x00'
|
|
mem[0x7fffffffc791] = '\x00'
|
|
mem[0x7fffffffc792] = '\x00'
|
|
mem[0x7fffffffc793] = '\x00'
|
|
mem[0x7ffff7de3814] = 'H'
|
|
mem[0x7ffff7de3815] = '\x83'
|
|
mem[0x7fffffffc796] = '\x00'
|
|
mem[0x7fffffffc797] = '\x00'
|
|
mem[0x7ffff7de3818] = '\x00'
|
|
mem[0x7fffffffc794] = '\x00'
|
|
mem[0x7fffffffc795] = '\x00'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de3814
|
|
cpu.PF = True
|
|
cpu.RSP = 0x7fffffffc790
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffc796], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc797], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc790], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc791], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc792], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc793], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de3814], 'H')
|
|
self.assertEqual(mem[0x7ffff7de3815], '\x83')
|
|
self.assertEqual(mem[0x7ffff7de3816], '\x0c')
|
|
self.assertEqual(mem[0x7ffff7de3817], '$')
|
|
self.assertEqual(mem[0x7ffff7de3818], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc794], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc795], '\x00')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351923737L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RSP, 140737488340880L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_OR_5(self):
|
|
''' Instruction OR_5
|
|
Groups:
|
|
0x40a38c: or qword ptr [rsp], 0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040a000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffcb00] = '/'
|
|
mem[0x7fffffffcb01] = 'h'
|
|
mem[0x7fffffffcb02] = 'o'
|
|
mem[0x7fffffffcb03] = 'm'
|
|
mem[0x7fffffffcb04] = 'e'
|
|
mem[0x7fffffffcb05] = '/'
|
|
mem[0x7fffffffcb06] = 'f'
|
|
mem[0x7fffffffcb07] = 'e'
|
|
mem[0x0040a38c] = 'H'
|
|
mem[0x0040a38d] = '\x83'
|
|
mem[0x0040a38e] = '\x0c'
|
|
mem[0x0040a38f] = '$'
|
|
mem[0x0040a390] = '\x00'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x40a38c
|
|
cpu.PF = True
|
|
cpu.RSP = 0x7fffffffcb00
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffcb00], '/')
|
|
self.assertEqual(mem[0x7fffffffcb01], 'h')
|
|
self.assertEqual(mem[0x7fffffffcb02], 'o')
|
|
self.assertEqual(mem[0x7fffffffcb03], 'm')
|
|
self.assertEqual(mem[0x7fffffffcb04], 'e')
|
|
self.assertEqual(mem[0x7fffffffcb05], '/')
|
|
self.assertEqual(mem[0x7fffffffcb06], 'f')
|
|
self.assertEqual(mem[0x7fffffffcb07], 'e')
|
|
self.assertEqual(mem[0x40a38c], 'H')
|
|
self.assertEqual(mem[0x40a38d], '\x83')
|
|
self.assertEqual(mem[0x40a38e], '\x0c')
|
|
self.assertEqual(mem[0x40a38f], '$')
|
|
self.assertEqual(mem[0x40a390], '\x00')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4236177L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.RSP, 140737488341760L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_OR_6(self):
|
|
''' Instruction OR_6
|
|
Groups:
|
|
0x7ffff7de6212: or r9d, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6212] = 'A'
|
|
mem[0x7ffff7de6213] = '\t'
|
|
mem[0x7ffff7de6214] = '\xc1'
|
|
cpu.EAX = 0xffffff00
|
|
cpu.PF = True
|
|
cpu.SF = True
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = True
|
|
cpu.RIP = 0x7ffff7de6212
|
|
cpu.R9D = 0xf7ff7600
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6212], 'A')
|
|
self.assertEqual(mem[0x7ffff7de6213], '\t')
|
|
self.assertEqual(mem[0x7ffff7de6214], '\xc1')
|
|
self.assertEqual(cpu.EAX, 4294967040L)
|
|
self.assertEqual(cpu.R9D, 4294967040L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351934485L)
|
|
self.assertEqual(cpu.SF, True)
|
|
|
|
def test_PCMPEQB_1(self):
|
|
''' Instruction PCMPEQB_1
|
|
Groups: sse2
|
|
0x457e12: pcmpeqb xmm5, xmm2
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457e12] = 'f'
|
|
mem[0x00457e13] = '\x0f'
|
|
mem[0x00457e14] = 't'
|
|
mem[0x00457e15] = '\xea'
|
|
cpu.XMM2 = 0x0
|
|
cpu.RIP = 0x457e12
|
|
cpu.XMM5 = 0x2f65726f6369746e614d2f737463656a
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457e12], 'f')
|
|
self.assertEqual(mem[0x457e13], '\x0f')
|
|
self.assertEqual(mem[0x457e14], 't')
|
|
self.assertEqual(mem[0x457e15], '\xea')
|
|
self.assertEqual(cpu.XMM2, 0)
|
|
self.assertEqual(cpu.RIP, 4554262L)
|
|
self.assertEqual(cpu.XMM5, 0)
|
|
|
|
def test_PCMPEQB_2(self):
|
|
''' Instruction PCMPEQB_2
|
|
Groups: sse2
|
|
0x4184bf: pcmpeqb xmm12, xmm8
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x004184c0] = 'E'
|
|
mem[0x004184c1] = '\x0f'
|
|
mem[0x004184c2] = 't'
|
|
mem[0x004184c3] = '\xe0'
|
|
mem[0x004184bf] = 'f'
|
|
cpu.XMM12 = 0x6e696874796e61206f642074276e6f44
|
|
cpu.XMM8 = 0x0
|
|
cpu.RIP = 0x4184bf
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4184c0], 'E')
|
|
self.assertEqual(mem[0x4184c1], '\x0f')
|
|
self.assertEqual(mem[0x4184c2], 't')
|
|
self.assertEqual(mem[0x4184c3], '\xe0')
|
|
self.assertEqual(mem[0x4184bf], 'f')
|
|
self.assertEqual(cpu.XMM12, 0)
|
|
self.assertEqual(cpu.XMM8, 0)
|
|
self.assertEqual(cpu.RIP, 4293828L)
|
|
|
|
def test_PCMPEQB_3(self):
|
|
''' Instruction PCMPEQB_3
|
|
Groups: sse2
|
|
0x457a26: pcmpeqb xmm0, xmm7
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457a28] = 't'
|
|
mem[0x00457a29] = '\xc7'
|
|
mem[0x00457a26] = 'f'
|
|
mem[0x00457a27] = '\x0f'
|
|
cpu.XMM0 = 0x5400324e2f2f00313d524e00455f4744
|
|
cpu.XMM7 = 0x0
|
|
cpu.RIP = 0x457a26
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457a28], 't')
|
|
self.assertEqual(mem[0x457a29], '\xc7')
|
|
self.assertEqual(mem[0x457a26], 'f')
|
|
self.assertEqual(mem[0x457a27], '\x0f')
|
|
self.assertEqual(cpu.XMM0, 1324035698927585248728409418697277440L)
|
|
self.assertEqual(cpu.XMM7, 0)
|
|
self.assertEqual(cpu.RIP, 4553258L)
|
|
|
|
def test_PCMPEQB_4(self):
|
|
''' Instruction PCMPEQB_4
|
|
Groups: sse2
|
|
0x4579e8: pcmpeqb xmm0, xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x004579e8] = 'f'
|
|
mem[0x004579e9] = '\x0f'
|
|
mem[0x004579ea] = 't'
|
|
mem[0x004579eb] = '\xc1'
|
|
cpu.XMM0 = 0x2f78756e696c2f73656c706d6178652f
|
|
cpu.XMM1 = 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f
|
|
cpu.RIP = 0x4579e8
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4579e8], 'f')
|
|
self.assertEqual(mem[0x4579e9], '\x0f')
|
|
self.assertEqual(mem[0x4579ea], 't')
|
|
self.assertEqual(mem[0x4579eb], '\xc1')
|
|
self.assertEqual(cpu.XMM0, 338953138925154751793923932131017359615L)
|
|
self.assertEqual(cpu.XMM1, 62718710765820030520700417840365121327L)
|
|
self.assertEqual(cpu.RIP, 4553196L)
|
|
|
|
def test_PCMPEQB_5(self):
|
|
''' Instruction PCMPEQB_5
|
|
Groups: sse2
|
|
0x7ffff7ab7ac6: pcmpeqb xmm0, xmm7
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab7ac8] = 't'
|
|
mem[0x7ffff7ab7ac9] = '\xc7'
|
|
mem[0x7ffff7ab7ac6] = 'f'
|
|
mem[0x7ffff7ab7ac7] = '\x0f'
|
|
cpu.XMM0 = 0x322f2f4d00313d522f00565f474458
|
|
cpu.XMM7 = 0x0
|
|
cpu.RIP = 0x7ffff7ab7ac6
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ab7ac8], 't')
|
|
self.assertEqual(mem[0x7ffff7ab7ac9], '\xc7')
|
|
self.assertEqual(mem[0x7ffff7ab7ac6], 'f')
|
|
self.assertEqual(mem[0x7ffff7ab7ac7], '\x0f')
|
|
self.assertEqual(cpu.XMM0, 338953138925461823674472811186503024640L)
|
|
self.assertEqual(cpu.XMM7, 0)
|
|
self.assertEqual(cpu.RIP, 140737348598474L)
|
|
|
|
def test_PCMPEQB_6(self):
|
|
''' Instruction PCMPEQB_6
|
|
Groups: sse2
|
|
0x7ffff7ab79b1: pcmpeqb xmm0, xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab79b1] = 'f'
|
|
mem[0x7ffff7ab79b2] = '\x0f'
|
|
mem[0x7ffff7ab79b3] = 't'
|
|
mem[0x7ffff7ab79b4] = '\xc1'
|
|
cpu.XMM0 = 0x6f72502f6570696c65662f656d6f682f
|
|
cpu.XMM1 = 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f
|
|
cpu.RIP = 0x7ffff7ab79b1
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ab79b1], 'f')
|
|
self.assertEqual(mem[0x7ffff7ab79b2], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ab79b3], 't')
|
|
self.assertEqual(mem[0x7ffff7ab79b4], '\xc1')
|
|
self.assertEqual(cpu.XMM0, 20203181441137406366729172418815L)
|
|
self.assertEqual(cpu.XMM1, 62718710765820030520700417840365121327L)
|
|
self.assertEqual(cpu.RIP, 140737348598197L)
|
|
|
|
def test_PMINUB_1(self):
|
|
''' Instruction PMINUB_1
|
|
Groups: sse2
|
|
0x41b15f: pminub xmm8, xmmword ptr [rax + 0x10]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0041b000, 0x1000, 'rwx')
|
|
mem.mmap(0x00494000, 0x1000, 'rwx')
|
|
mem[0x00494290] = ' '
|
|
mem[0x00494291] = ' '
|
|
mem[0x00494292] = ' '
|
|
mem[0x00494293] = ' '
|
|
mem[0x00494294] = ' '
|
|
mem[0x00494295] = ' '
|
|
mem[0x00494296] = ' '
|
|
mem[0x00494297] = ' '
|
|
mem[0x00494298] = ' '
|
|
mem[0x00494299] = ' '
|
|
mem[0x0049429a] = ' '
|
|
mem[0x0049429b] = ' '
|
|
mem[0x0049429c] = ' '
|
|
mem[0x0049429d] = ' '
|
|
mem[0x0049429e] = ' '
|
|
mem[0x0049429f] = ' '
|
|
mem[0x0041b15f] = 'f'
|
|
mem[0x0041b160] = 'D'
|
|
mem[0x0041b161] = '\x0f'
|
|
mem[0x0041b162] = '\xda'
|
|
mem[0x0041b163] = '@'
|
|
mem[0x0041b164] = '\x10'
|
|
cpu.XMM8 = 0x5f5f5f5f5f200a2e646574726f706572
|
|
cpu.RIP = 0x41b15f
|
|
cpu.RAX = 0x494280
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x494290], ' ')
|
|
self.assertEqual(mem[0x494291], ' ')
|
|
self.assertEqual(mem[0x494292], ' ')
|
|
self.assertEqual(mem[0x494293], ' ')
|
|
self.assertEqual(mem[0x494294], ' ')
|
|
self.assertEqual(mem[0x494295], ' ')
|
|
self.assertEqual(mem[0x494296], ' ')
|
|
self.assertEqual(mem[0x494297], ' ')
|
|
self.assertEqual(mem[0x494298], ' ')
|
|
self.assertEqual(mem[0x494299], ' ')
|
|
self.assertEqual(mem[0x49429a], ' ')
|
|
self.assertEqual(mem[0x49429b], ' ')
|
|
self.assertEqual(mem[0x49429c], ' ')
|
|
self.assertEqual(mem[0x49429d], ' ')
|
|
self.assertEqual(mem[0x49429e], ' ')
|
|
self.assertEqual(mem[0x49429f], ' ')
|
|
self.assertEqual(mem[0x41b15f], 'f')
|
|
self.assertEqual(mem[0x41b160], 'D')
|
|
self.assertEqual(mem[0x41b161], '\x0f')
|
|
self.assertEqual(mem[0x41b162], '\xda')
|
|
self.assertEqual(mem[0x41b163], '@')
|
|
self.assertEqual(mem[0x41b164], '\x10')
|
|
self.assertEqual(cpu.XMM8, 42702100946941193483733406035713466400L)
|
|
self.assertEqual(cpu.RAX, 4801152L)
|
|
self.assertEqual(cpu.RIP, 4305253L)
|
|
|
|
def test_PMINUB_2(self):
|
|
''' Instruction PMINUB_2
|
|
Groups: sse2
|
|
0x41b142: pminub xmm8, xmmword ptr [rax + 0x70]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0041b000, 0x1000, 'rwx')
|
|
mem.mmap(0x00494000, 0x1000, 'rwx')
|
|
mem[0x0041b142] = 'f'
|
|
mem[0x0041b143] = 'D'
|
|
mem[0x0041b144] = '\x0f'
|
|
mem[0x0041b145] = '\xda'
|
|
mem[0x0041b146] = '@'
|
|
mem[0x0041b147] = 'p'
|
|
mem[0x004942f0] = '_'
|
|
mem[0x004942f1] = '_'
|
|
mem[0x004942f2] = '_'
|
|
mem[0x004942f3] = ' '
|
|
mem[0x004942f4] = '_'
|
|
mem[0x004942f5] = '_'
|
|
mem[0x004942f6] = '_'
|
|
mem[0x004942f7] = '_'
|
|
mem[0x004942f8] = '_'
|
|
mem[0x004942f9] = ' '
|
|
mem[0x004942fa] = ' '
|
|
mem[0x004942fb] = ' '
|
|
mem[0x004942fc] = ' '
|
|
mem[0x004942fd] = ' '
|
|
mem[0x004942fe] = ' '
|
|
mem[0x004942ff] = '_'
|
|
cpu.XMM8 = 0x2020202020202020202020200a202020
|
|
cpu.RIP = 0x41b142
|
|
cpu.RAX = 0x494280
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x41b142], 'f')
|
|
self.assertEqual(mem[0x41b143], 'D')
|
|
self.assertEqual(mem[0x41b144], '\x0f')
|
|
self.assertEqual(mem[0x41b145], '\xda')
|
|
self.assertEqual(mem[0x41b146], '@')
|
|
self.assertEqual(mem[0x41b147], 'p')
|
|
self.assertEqual(mem[0x4942f0], '_')
|
|
self.assertEqual(mem[0x4942f1], '_')
|
|
self.assertEqual(mem[0x4942f2], '_')
|
|
self.assertEqual(mem[0x4942f3], ' ')
|
|
self.assertEqual(mem[0x4942f4], '_')
|
|
self.assertEqual(mem[0x4942f5], '_')
|
|
self.assertEqual(mem[0x4942f6], '_')
|
|
self.assertEqual(mem[0x4942f7], '_')
|
|
self.assertEqual(mem[0x4942f8], '_')
|
|
self.assertEqual(mem[0x4942f9], ' ')
|
|
self.assertEqual(mem[0x4942fa], ' ')
|
|
self.assertEqual(mem[0x4942fb], ' ')
|
|
self.assertEqual(mem[0x4942fc], ' ')
|
|
self.assertEqual(mem[0x4942fd], ' ')
|
|
self.assertEqual(mem[0x4942fe], ' ')
|
|
self.assertEqual(mem[0x4942ff], '_')
|
|
self.assertEqual(cpu.XMM8, 42702100946941297375796029167539068960L)
|
|
self.assertEqual(cpu.RAX, 4801152L)
|
|
self.assertEqual(cpu.RIP, 4305224L)
|
|
|
|
def test_PMINUB_3(self):
|
|
''' Instruction PMINUB_3
|
|
Groups: sse2
|
|
0x457af6: pminub xmm0, xmm2
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457af8] = '\xda'
|
|
mem[0x00457af9] = '\xc2'
|
|
mem[0x00457af6] = 'f'
|
|
mem[0x00457af7] = '\x0f'
|
|
cpu.XMM2 = 0x504e414d00323d524e54565f47445800
|
|
cpu.XMM0 = 0x32677261003167726100706d636e7274
|
|
cpu.RIP = 0x457af6
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457af8], '\xda')
|
|
self.assertEqual(mem[0x457af9], '\xc2')
|
|
self.assertEqual(mem[0x457af6], 'f')
|
|
self.assertEqual(mem[0x457af7], '\x0f')
|
|
self.assertEqual(cpu.XMM2, 106744563275012473217874926561820694528L)
|
|
self.assertEqual(cpu.XMM0, 66867723401463788104917456226191955968L)
|
|
self.assertEqual(cpu.RIP, 4553466L)
|
|
|
|
def test_PMINUB_4(self):
|
|
''' Instruction PMINUB_4
|
|
Groups: sse2
|
|
0x41b13c: pminub xmm8, xmmword ptr [rax + 0x60]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0041b000, 0x1000, 'rwx')
|
|
mem.mmap(0x00494000, 0x1000, 'rwx')
|
|
mem[0x0041b13c] = 'f'
|
|
mem[0x0041b13d] = 'D'
|
|
mem[0x0041b13e] = '\x0f'
|
|
mem[0x0041b13f] = '\xda'
|
|
mem[0x0041b140] = '@'
|
|
mem[0x0041b141] = '`'
|
|
mem[0x004941e0] = 'h'
|
|
mem[0x004941e1] = 'e'
|
|
mem[0x004941e2] = 'c'
|
|
mem[0x004941e3] = 'k'
|
|
mem[0x004941e4] = 'e'
|
|
mem[0x004941e5] = 'd'
|
|
mem[0x004941e6] = ' '
|
|
mem[0x004941e7] = 'b'
|
|
mem[0x004941e8] = 'y'
|
|
mem[0x004941e9] = ' '
|
|
mem[0x004941ea] = 's'
|
|
mem[0x004941eb] = 'y'
|
|
mem[0x004941ec] = 's'
|
|
mem[0x004941ed] = 't'
|
|
mem[0x004941ee] = 'e'
|
|
mem[0x004941ef] = 'm'
|
|
cpu.XMM8 = 0x632067676f6120736720720a646e6120
|
|
cpu.RIP = 0x41b13c
|
|
cpu.RAX = 0x494180
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x41b13c], 'f')
|
|
self.assertEqual(mem[0x41b13d], 'D')
|
|
self.assertEqual(mem[0x41b13e], '\x0f')
|
|
self.assertEqual(mem[0x41b13f], '\xda')
|
|
self.assertEqual(mem[0x41b140], '@')
|
|
self.assertEqual(mem[0x41b141], '`')
|
|
self.assertEqual(mem[0x4941e0], 'h')
|
|
self.assertEqual(mem[0x4941e1], 'e')
|
|
self.assertEqual(mem[0x4941e2], 'c')
|
|
self.assertEqual(mem[0x4941e3], 'k')
|
|
self.assertEqual(mem[0x4941e4], 'e')
|
|
self.assertEqual(mem[0x4941e5], 'd')
|
|
self.assertEqual(mem[0x4941e6], ' ')
|
|
self.assertEqual(mem[0x4941e7], 'b')
|
|
self.assertEqual(mem[0x4941e8], 'y')
|
|
self.assertEqual(mem[0x4941e9], ' ')
|
|
self.assertEqual(mem[0x4941ea], 's')
|
|
self.assertEqual(mem[0x4941eb], 'y')
|
|
self.assertEqual(mem[0x4941ec], 's')
|
|
self.assertEqual(mem[0x4941ed], 't')
|
|
self.assertEqual(mem[0x4941ee], 'e')
|
|
self.assertEqual(mem[0x4941ef], 'm')
|
|
self.assertEqual(cpu.XMM8, 131761822365339956131716016926609334560L)
|
|
self.assertEqual(cpu.RAX, 4800896L)
|
|
self.assertEqual(cpu.RIP, 4305218L)
|
|
|
|
def test_PMINUB_5(self):
|
|
''' Instruction PMINUB_5
|
|
Groups: sse2
|
|
0x457ee2: pminub xmm0, xmm5
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457ee2] = 'f'
|
|
mem[0x00457ee3] = '\x0f'
|
|
mem[0x00457ee4] = '\xda'
|
|
mem[0x00457ee5] = '\xc5'
|
|
cpu.XMM0 = 0x4d00313d524e00565f472f2f00326763
|
|
cpu.RIP = 0x457ee2
|
|
cpu.XMM5 = 0x65784563696c6f626d79532f65726f63
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457ee2], 'f')
|
|
self.assertEqual(mem[0x457ee3], '\x0f')
|
|
self.assertEqual(mem[0x457ee4], '\xda')
|
|
self.assertEqual(mem[0x457ee5], '\xc5')
|
|
self.assertEqual(cpu.XMM0, 102351554371899083128134245349023967075L)
|
|
self.assertEqual(cpu.RIP, 4554470L)
|
|
self.assertEqual(cpu.XMM5, 134876510559778439374245404375482789731L)
|
|
|
|
def test_PMINUB_6(self):
|
|
''' Instruction PMINUB_6
|
|
Groups: sse2
|
|
0x7ffff7ab7abe: pminub xmm0, xmm4
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab7ac0] = '\xda'
|
|
mem[0x7ffff7ab7ac1] = '\xc4'
|
|
mem[0x7ffff7ab7abe] = 'f'
|
|
mem[0x7ffff7ab7abf] = '\x0f'
|
|
cpu.XMM0 = 0x324e414d00313d524e00565f474458
|
|
cpu.RIP = 0x7ffff7ab7abe
|
|
cpu.XMM4 = 0x7274732f78756e696c2f73656c706d61
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ab7ac0], '\xda')
|
|
self.assertEqual(mem[0x7ffff7ab7ac1], '\xc4')
|
|
self.assertEqual(mem[0x7ffff7ab7abe], 'f')
|
|
self.assertEqual(mem[0x7ffff7ab7abf], '\x0f')
|
|
self.assertEqual(cpu.XMM0, 261200618430042665518031405314425944L)
|
|
self.assertEqual(cpu.XMM4, 152136634193178674532939302896952962401L)
|
|
self.assertEqual(cpu.RIP, 140737348598466L)
|
|
|
|
def test_PMOVMSKB_1(self):
|
|
''' Instruction PMOVMSKB_1
|
|
Groups: sse2
|
|
0x4184f1: pmovmskb ecx, xmm11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x004184f1] = 'f'
|
|
mem[0x004184f2] = 'A'
|
|
mem[0x004184f3] = '\x0f'
|
|
mem[0x004184f4] = '\xd7'
|
|
mem[0x004184f5] = '\xcb'
|
|
cpu.XMM11 = 0x0
|
|
cpu.RIP = 0x4184f1
|
|
cpu.ECX = 0x10e
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4184f1], 'f')
|
|
self.assertEqual(mem[0x4184f2], 'A')
|
|
self.assertEqual(mem[0x4184f3], '\x0f')
|
|
self.assertEqual(mem[0x4184f4], '\xd7')
|
|
self.assertEqual(mem[0x4184f5], '\xcb')
|
|
self.assertEqual(cpu.XMM11, 0)
|
|
self.assertEqual(cpu.RIP, 4293878L)
|
|
self.assertEqual(cpu.ECX, 0L)
|
|
|
|
def test_PMOVMSKB_2(self):
|
|
''' Instruction PMOVMSKB_2
|
|
Groups: sse2
|
|
0x457d6e: pmovmskb r10d, xmm3
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457d70] = '\x0f'
|
|
mem[0x00457d71] = '\xd7'
|
|
mem[0x00457d72] = '\xd3'
|
|
mem[0x00457d6e] = 'f'
|
|
mem[0x00457d6f] = 'D'
|
|
cpu.XMM3 = 0xff00000000ff0000000000000000
|
|
cpu.RIP = 0x457d6e
|
|
cpu.R10D = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457d70], '\x0f')
|
|
self.assertEqual(mem[0x457d71], '\xd7')
|
|
self.assertEqual(mem[0x457d72], '\xd3')
|
|
self.assertEqual(mem[0x457d6e], 'f')
|
|
self.assertEqual(mem[0x457d6f], 'D')
|
|
self.assertEqual(cpu.XMM3, 5172014448935879877845345013596160L)
|
|
self.assertEqual(cpu.RIP, 4554099L)
|
|
self.assertEqual(cpu.R10D, 8448L)
|
|
|
|
def test_PMOVMSKB_3(self):
|
|
''' Instruction PMOVMSKB_3
|
|
Groups: sse2
|
|
0x457ddd: pmovmskb edx, xmm3
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457de0] = '\xd3'
|
|
mem[0x00457ddd] = 'f'
|
|
mem[0x00457dde] = '\x0f'
|
|
mem[0x00457ddf] = '\xd7'
|
|
cpu.XMM3 = 0x0
|
|
cpu.EDX = 0xffffdcc8
|
|
cpu.RIP = 0x457ddd
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457de0], '\xd3')
|
|
self.assertEqual(mem[0x457ddd], 'f')
|
|
self.assertEqual(mem[0x457dde], '\x0f')
|
|
self.assertEqual(mem[0x457ddf], '\xd7')
|
|
self.assertEqual(cpu.XMM3, 0)
|
|
self.assertEqual(cpu.EDX, 0L)
|
|
self.assertEqual(cpu.RIP, 4554209L)
|
|
|
|
def test_PMOVMSKB_4(self):
|
|
''' Instruction PMOVMSKB_4
|
|
Groups: sse2
|
|
0x7ffff7ab5ce1: pmovmskb ecx, xmm11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab5ce1] = 'f'
|
|
mem[0x7ffff7ab5ce2] = 'A'
|
|
mem[0x7ffff7ab5ce3] = '\x0f'
|
|
mem[0x7ffff7ab5ce4] = '\xd7'
|
|
mem[0x7ffff7ab5ce5] = '\xcb'
|
|
cpu.XMM11 = 0xffffff0000000000ffffff0000000000
|
|
cpu.RIP = 0x7ffff7ab5ce1
|
|
cpu.ECX = 0xa00
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ab5ce1], 'f')
|
|
self.assertEqual(mem[0x7ffff7ab5ce2], 'A')
|
|
self.assertEqual(mem[0x7ffff7ab5ce3], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ab5ce4], '\xd7')
|
|
self.assertEqual(mem[0x7ffff7ab5ce5], '\xcb')
|
|
self.assertEqual(cpu.XMM11, 340282346638528859830150926458714849280L)
|
|
self.assertEqual(cpu.RIP, 140737348590822L)
|
|
self.assertEqual(cpu.ECX, 57568L)
|
|
|
|
def test_PMOVMSKB_5(self):
|
|
''' Instruction PMOVMSKB_5
|
|
Groups: sse2
|
|
0x4184e7: pmovmskb edx, xmm9
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x004184e8] = 'A'
|
|
mem[0x004184e9] = '\x0f'
|
|
mem[0x004184ea] = '\xd7'
|
|
mem[0x004184eb] = '\xd1'
|
|
mem[0x004184e7] = 'f'
|
|
cpu.EDX = 0x0
|
|
cpu.XMM9 = 0xff00000000000000000000000000
|
|
cpu.RIP = 0x4184e7
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4184e8], 'A')
|
|
self.assertEqual(mem[0x4184e9], '\x0f')
|
|
self.assertEqual(mem[0x4184ea], '\xd7')
|
|
self.assertEqual(mem[0x4184eb], '\xd1')
|
|
self.assertEqual(mem[0x4184e7], 'f')
|
|
self.assertEqual(cpu.EDX, 8192L)
|
|
self.assertEqual(cpu.XMM9, 5172014448931175958106549077934080L)
|
|
self.assertEqual(cpu.RIP, 4293868L)
|
|
|
|
def test_PMOVMSKB_6(self):
|
|
''' Instruction PMOVMSKB_6
|
|
Groups: sse2
|
|
0x4184c4: pmovmskb edx, xmm12
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x004184c8] = '\xd4'
|
|
mem[0x004184c4] = 'f'
|
|
mem[0x004184c5] = 'A'
|
|
mem[0x004184c6] = '\x0f'
|
|
mem[0x004184c7] = '\xd7'
|
|
cpu.EDX = 0x100
|
|
cpu.XMM12 = 0x0
|
|
cpu.RIP = 0x4184c4
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4184c8], '\xd4')
|
|
self.assertEqual(mem[0x4184c4], 'f')
|
|
self.assertEqual(mem[0x4184c5], 'A')
|
|
self.assertEqual(mem[0x4184c6], '\x0f')
|
|
self.assertEqual(mem[0x4184c7], '\xd7')
|
|
self.assertEqual(cpu.EDX, 0L)
|
|
self.assertEqual(cpu.XMM12, 0)
|
|
self.assertEqual(cpu.RIP, 4293833L)
|
|
|
|
def test_POP_1(self):
|
|
''' Instruction POP_1
|
|
Groups: mode64
|
|
0x7ffff7de3b0b: pop rbp
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffd880] = '\xb0'
|
|
mem[0x7fffffffd881] = '\xd9'
|
|
mem[0x7fffffffd882] = '\xff'
|
|
mem[0x7fffffffd883] = '\xff'
|
|
mem[0x7fffffffd884] = '\xff'
|
|
mem[0x7fffffffd885] = '\x7f'
|
|
mem[0x7fffffffd886] = '\x00'
|
|
mem[0x7fffffffd887] = '\x00'
|
|
mem[0x7fffffffd888] = '\x7f'
|
|
mem[0x7ffff7de3b0b] = ']'
|
|
mem[0x7fffffffd878] = 'p'
|
|
mem[0x7fffffffd879] = '\xda'
|
|
mem[0x7fffffffd87a] = '\xff'
|
|
mem[0x7fffffffd87b] = '\xff'
|
|
mem[0x7fffffffd87c] = '\xff'
|
|
mem[0x7fffffffd87d] = '\x7f'
|
|
mem[0x7fffffffd87e] = '\x00'
|
|
mem[0x7fffffffd87f] = '\x00'
|
|
cpu.RSP = 0x7fffffffd880
|
|
cpu.RIP = 0x7ffff7de3b0b
|
|
cpu.RBP = 0x7fffffffd880
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffd880], '\xb0')
|
|
self.assertEqual(mem[0x7fffffffd881], '\xd9')
|
|
self.assertEqual(mem[0x7fffffffd882], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd883], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd884], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd885], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd886], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd887], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd888], '\x7f')
|
|
self.assertEqual(mem[0x7ffff7de3b0b], ']')
|
|
self.assertEqual(mem[0x7fffffffd878], 'p')
|
|
self.assertEqual(mem[0x7fffffffd879], '\xda')
|
|
self.assertEqual(mem[0x7fffffffd87a], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd87b], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd87c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd87d], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd87e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd87f], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488345224L)
|
|
self.assertEqual(cpu.RIP, 140737351924492L)
|
|
self.assertEqual(cpu.RBP, 140737488345520L)
|
|
|
|
def test_POP_2(self):
|
|
''' Instruction POP_2
|
|
Groups: mode64
|
|
0x7ffff7dea3ad: pop r14
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7dea000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffda08] = '\x01'
|
|
mem[0x7fffffffda09] = '\x00'
|
|
mem[0x7fffffffda0a] = '\x00'
|
|
mem[0x7fffffffda0b] = '\x00'
|
|
mem[0x7fffffffda0c] = '\x00'
|
|
mem[0x7ffff7dea3ad] = 'A'
|
|
mem[0x7ffff7dea3ae] = '^'
|
|
mem[0x7fffffffda0d] = '\x00'
|
|
mem[0x7fffffffda10] = '0'
|
|
mem[0x7fffffffda11] = '\xda'
|
|
mem[0x7fffffffda12] = '\xff'
|
|
mem[0x7fffffffda13] = '\xff'
|
|
mem[0x7fffffffda14] = '\xff'
|
|
mem[0x7fffffffda0e] = '\x00'
|
|
mem[0x7fffffffda16] = '\x00'
|
|
mem[0x7fffffffda17] = '\x00'
|
|
mem[0x7fffffffda18] = '`'
|
|
mem[0x7fffffffda0f] = '\x00'
|
|
mem[0x7fffffffda15] = '\x7f'
|
|
cpu.R14 = 0x4
|
|
cpu.RSP = 0x7fffffffda10
|
|
cpu.RIP = 0x7ffff7dea3ad
|
|
cpu.RBP = 0x7fffffffda20
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7dea3ae], '^')
|
|
self.assertEqual(mem[0x7fffffffda08], '\x01')
|
|
self.assertEqual(mem[0x7fffffffda09], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda0a], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda0b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda0c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda0d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda0e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda0f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda10], '0')
|
|
self.assertEqual(mem[0x7fffffffda11], '\xda')
|
|
self.assertEqual(mem[0x7fffffffda12], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda13], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda14], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda15], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffda16], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda17], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda18], '`')
|
|
self.assertEqual(mem[0x7ffff7dea3ad], 'A')
|
|
self.assertEqual(cpu.R14, 140737488345648L)
|
|
self.assertEqual(cpu.RSP, 140737488345624L)
|
|
self.assertEqual(cpu.RIP, 140737351951279L)
|
|
self.assertEqual(cpu.RBP, 140737488345632L)
|
|
|
|
def test_POP_3(self):
|
|
''' Instruction POP_3
|
|
Groups: mode64
|
|
0x4624e4: pop r12
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00462000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffdb00] = 'H'
|
|
mem[0x7fffffffdb01] = '\xd4'
|
|
mem[0x7fffffffdb02] = 'k'
|
|
mem[0x7fffffffdb03] = '\x00'
|
|
mem[0x004624e4] = 'A'
|
|
mem[0x004624e5] = '\\'
|
|
mem[0x7fffffffdb06] = '\x00'
|
|
mem[0x7fffffffdb07] = '\x00'
|
|
mem[0x7fffffffdb08] = '\xb8'
|
|
mem[0x7fffffffdaff] = '\x00'
|
|
mem[0x7fffffffdaf9] = '\x00'
|
|
mem[0x7fffffffdaf8] = '\x03'
|
|
mem[0x7fffffffdb04] = '\x00'
|
|
mem[0x7fffffffdafa] = '\x00'
|
|
mem[0x7fffffffdafb] = '\x00'
|
|
mem[0x7fffffffdafc] = '\x00'
|
|
mem[0x7fffffffdafd] = '\x00'
|
|
mem[0x7fffffffdafe] = '\x00'
|
|
mem[0x7fffffffdb05] = '\x00'
|
|
cpu.RSP = 0x7fffffffdb00
|
|
cpu.R12 = 0x1
|
|
cpu.RIP = 0x4624e4
|
|
cpu.RBP = 0x7fffffffdb20
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffdb00], 'H')
|
|
self.assertEqual(mem[0x7fffffffdb01], '\xd4')
|
|
self.assertEqual(mem[0x7fffffffdb02], 'k')
|
|
self.assertEqual(mem[0x7fffffffdb03], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb04], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb05], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb06], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb07], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb08], '\xb8')
|
|
self.assertEqual(mem[0x7fffffffdaff], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf8], '\x03')
|
|
self.assertEqual(mem[0x4624e4], 'A')
|
|
self.assertEqual(mem[0x7fffffffdafa], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdafb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdafc], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdafd], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdafe], '\x00')
|
|
self.assertEqual(mem[0x4624e5], '\\')
|
|
self.assertEqual(cpu.R12, 7066696L)
|
|
self.assertEqual(cpu.RSP, 140737488345864L)
|
|
self.assertEqual(cpu.RIP, 4596966L)
|
|
self.assertEqual(cpu.RBP, 140737488345888L)
|
|
|
|
def test_POP_4(self):
|
|
''' Instruction POP_4
|
|
Groups: mode64
|
|
0x6ff233: pop rdx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x006ff000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffcca0] = '\x00'
|
|
mem[0x7fffffffcca1] = '\x00'
|
|
mem[0x7fffffffcca2] = '\x00'
|
|
mem[0x7fffffffcca3] = '\x00'
|
|
mem[0x7fffffffcca4] = '\x00'
|
|
mem[0x7fffffffcca5] = '\x00'
|
|
mem[0x7fffffffcca6] = '\x00'
|
|
mem[0x7fffffffcca7] = '\x00'
|
|
mem[0x7fffffffcca8] = '\x01'
|
|
mem[0x7fffffffcca9] = '\x00'
|
|
mem[0x7fffffffccaa] = '\x00'
|
|
mem[0x7fffffffccab] = '\x00'
|
|
mem[0x7fffffffccac] = '\x00'
|
|
mem[0x7fffffffccad] = '\x00'
|
|
mem[0x7fffffffccae] = '\x00'
|
|
mem[0x7fffffffccaf] = '\x00'
|
|
mem[0x7fffffffccb0] = '@'
|
|
mem[0x006ff233] = 'Z'
|
|
cpu.RSP = 0x7fffffffcca8
|
|
cpu.RDX = 0x80000001
|
|
cpu.RIP = 0x6ff233
|
|
cpu.RBP = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffcca0], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca4], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca8], '\x01')
|
|
self.assertEqual(mem[0x7fffffffcca9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccaa], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccab], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccac], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccad], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccae], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccaf], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb0], '@')
|
|
self.assertEqual(mem[0x6ff233], 'Z')
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RDX, 1L)
|
|
self.assertEqual(cpu.RIP, 7336500L)
|
|
self.assertEqual(cpu.RBP, 0L)
|
|
|
|
def test_POP_5(self):
|
|
''' Instruction POP_5
|
|
Groups: mode64
|
|
0x632f8a: pop rdx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00632000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffcca0] = '\x00'
|
|
mem[0x7fffffffcca1] = '\x00'
|
|
mem[0x7fffffffcca2] = '\x00'
|
|
mem[0x7fffffffcca3] = '\x00'
|
|
mem[0x7fffffffcca4] = '\x00'
|
|
mem[0x7fffffffcca5] = '\x00'
|
|
mem[0x7fffffffcca6] = '\x00'
|
|
mem[0x7fffffffcca7] = '\x00'
|
|
mem[0x7fffffffcca8] = '\x00'
|
|
mem[0x7fffffffcca9] = '\x00'
|
|
mem[0x00632f8a] = 'Z'
|
|
mem[0x7fffffffccab] = '\x80'
|
|
mem[0x7fffffffccac] = '\x00'
|
|
mem[0x7fffffffccad] = '\x00'
|
|
mem[0x7fffffffccae] = '\x00'
|
|
mem[0x7fffffffccaf] = '\x00'
|
|
mem[0x7fffffffccb0] = '\x00'
|
|
mem[0x7fffffffccaa] = '\x00'
|
|
cpu.RSP = 0x7fffffffcca8
|
|
cpu.RDX = 0x7f
|
|
cpu.RIP = 0x632f8a
|
|
cpu.RBP = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffcca0], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca4], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca8], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca9], '\x00')
|
|
self.assertEqual(mem[0x632f8a], 'Z')
|
|
self.assertEqual(mem[0x7fffffffccab], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccac], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccad], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccae], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccaf], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccaa], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RDX, 2147483648L)
|
|
self.assertEqual(cpu.RIP, 6500235L)
|
|
self.assertEqual(cpu.RBP, 0L)
|
|
|
|
def test_POP_6(self):
|
|
''' Instruction POP_6
|
|
Groups: mode64
|
|
0x737db3: pop rdx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00737000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffcca0] = '\x00'
|
|
mem[0x7fffffffcca1] = '\x00'
|
|
mem[0x7fffffffcca2] = '\x00'
|
|
mem[0x7fffffffcca3] = '\x00'
|
|
mem[0x7fffffffcca4] = '\x00'
|
|
mem[0x7fffffffcca5] = '\x00'
|
|
mem[0x7fffffffcca6] = '\x00'
|
|
mem[0x7fffffffcca7] = '\x00'
|
|
mem[0x7fffffffcca8] = '\x00'
|
|
mem[0x7fffffffcca9] = '\xff'
|
|
mem[0x7fffffffccaa] = '\x00'
|
|
mem[0x7fffffffccab] = '\x00'
|
|
mem[0x7fffffffccac] = '\x00'
|
|
mem[0x7fffffffccad] = '\x00'
|
|
mem[0x7fffffffccae] = '\x00'
|
|
mem[0x7fffffffccaf] = '\x00'
|
|
mem[0x7fffffffccb0] = '@'
|
|
mem[0x00737db3] = 'Z'
|
|
cpu.RSP = 0x7fffffffcca8
|
|
cpu.RDX = 0x40
|
|
cpu.RIP = 0x737db3
|
|
cpu.RBP = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffcca0], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca4], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca8], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca9], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccaa], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccab], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccac], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccad], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccae], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccaf], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb0], '@')
|
|
self.assertEqual(mem[0x737db3], 'Z')
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RDX, 65280L)
|
|
self.assertEqual(cpu.RIP, 7568820L)
|
|
self.assertEqual(cpu.RBP, 0L)
|
|
|
|
def test_POR_1(self):
|
|
''' Instruction POR_1
|
|
Groups: sse2
|
|
0x7ffff7df43a7: por xmm0, xmm4
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df43a8] = '\x0f'
|
|
mem[0x7ffff7df43a9] = '\xeb'
|
|
mem[0x7ffff7df43aa] = '\xc4'
|
|
mem[0x7ffff7df43a7] = 'f'
|
|
cpu.XMM0 = 0x0
|
|
cpu.RIP = 0x7ffff7df43a7
|
|
cpu.XMM4 = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df43a8], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df43a9], '\xeb')
|
|
self.assertEqual(mem[0x7ffff7df43aa], '\xc4')
|
|
self.assertEqual(mem[0x7ffff7df43a7], 'f')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.XMM4, 0)
|
|
self.assertEqual(cpu.RIP, 140737351992235L)
|
|
|
|
def test_POR_2(self):
|
|
''' Instruction POR_2
|
|
Groups: sse2
|
|
0x7ffff7df43a7: por xmm0, xmm4
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df43a8] = '\x0f'
|
|
mem[0x7ffff7df43a9] = '\xeb'
|
|
mem[0x7ffff7df43aa] = '\xc4'
|
|
mem[0x7ffff7df43a7] = 'f'
|
|
cpu.XMM0 = 0x0
|
|
cpu.RIP = 0x7ffff7df43a7
|
|
cpu.XMM4 = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df43a8], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df43a9], '\xeb')
|
|
self.assertEqual(mem[0x7ffff7df43aa], '\xc4')
|
|
self.assertEqual(mem[0x7ffff7df43a7], 'f')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.XMM4, 0)
|
|
self.assertEqual(cpu.RIP, 140737351992235L)
|
|
|
|
def test_POR_3(self):
|
|
''' Instruction POR_3
|
|
Groups: sse2
|
|
0x7ffff7df43a7: por xmm0, xmm4
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df43a8] = '\x0f'
|
|
mem[0x7ffff7df43a9] = '\xeb'
|
|
mem[0x7ffff7df43aa] = '\xc4'
|
|
mem[0x7ffff7df43a7] = 'f'
|
|
cpu.XMM0 = 0x0
|
|
cpu.RIP = 0x7ffff7df43a7
|
|
cpu.XMM4 = 0xff00000000ff000000000000000000
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df43a8], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df43a9], '\xeb')
|
|
self.assertEqual(mem[0x7ffff7df43aa], '\xc4')
|
|
self.assertEqual(mem[0x7ffff7df43a7], 'f')
|
|
self.assertEqual(cpu.XMM0, 1324035698927585248728408323480616960L)
|
|
self.assertEqual(cpu.XMM4, 1324035698927585248728408323480616960L)
|
|
self.assertEqual(cpu.RIP, 140737351992235L)
|
|
|
|
def test_POR_4(self):
|
|
''' Instruction POR_4
|
|
Groups: sse2
|
|
0x7ffff7df43a7: por xmm0, xmm4
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df43a8] = '\x0f'
|
|
mem[0x7ffff7df43a9] = '\xeb'
|
|
mem[0x7ffff7df43aa] = '\xc4'
|
|
mem[0x7ffff7df43a7] = 'f'
|
|
cpu.XMM0 = 0x0
|
|
cpu.RIP = 0x7ffff7df43a7
|
|
cpu.XMM4 = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df43a8], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df43a9], '\xeb')
|
|
self.assertEqual(mem[0x7ffff7df43aa], '\xc4')
|
|
self.assertEqual(mem[0x7ffff7df43a7], 'f')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.XMM4, 0)
|
|
self.assertEqual(cpu.RIP, 140737351992235L)
|
|
|
|
def test_POR_5(self):
|
|
''' Instruction POR_5
|
|
Groups: sse2
|
|
0x7ffff7df4412: por xmm0, xmm3
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4412] = 'f'
|
|
mem[0x7ffff7df4413] = '\x0f'
|
|
mem[0x7ffff7df4414] = '\xeb'
|
|
mem[0x7ffff7df4415] = '\xc3'
|
|
cpu.XMM3 = 0xff000000000000
|
|
cpu.XMM0 = 0x0
|
|
cpu.RIP = 0x7ffff7df4412
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4412], 'f')
|
|
self.assertEqual(mem[0x7ffff7df4413], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df4414], '\xeb')
|
|
self.assertEqual(mem[0x7ffff7df4415], '\xc3')
|
|
self.assertEqual(cpu.XMM3, 71776119061217280)
|
|
self.assertEqual(cpu.XMM0, 71776119061217280)
|
|
self.assertEqual(cpu.RIP, 140737351992342L)
|
|
|
|
def test_POR_6(self):
|
|
''' Instruction POR_6
|
|
Groups: sse2
|
|
0x7ffff7ac0b17: por xmm0, xmm4
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0b18] = '\x0f'
|
|
mem[0x7ffff7ac0b19] = '\xeb'
|
|
mem[0x7ffff7ac0b1a] = '\xc4'
|
|
mem[0x7ffff7ac0b17] = 'f'
|
|
cpu.XMM0 = 0x0
|
|
cpu.RIP = 0x7ffff7ac0b17
|
|
cpu.XMM4 = 0xffffff000000ff
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ac0b18], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ac0b19], '\xeb')
|
|
self.assertEqual(mem[0x7ffff7ac0b1a], '\xc4')
|
|
self.assertEqual(mem[0x7ffff7ac0b17], 'f')
|
|
self.assertEqual(cpu.XMM0, 72057589742960895)
|
|
self.assertEqual(cpu.XMM4, 72057589742960895)
|
|
self.assertEqual(cpu.RIP, 140737348635419L)
|
|
|
|
def test_PSHUFD_1(self):
|
|
''' Instruction PSHUFD_1
|
|
Groups: sse2
|
|
0x7ffff7ac0af8: pshufd xmm1, xmm1, 0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0af8] = 'f'
|
|
mem[0x7ffff7ac0af9] = '\x0f'
|
|
mem[0x7ffff7ac0afa] = 'p'
|
|
mem[0x7ffff7ac0afb] = '\xc9'
|
|
mem[0x7ffff7ac0afc] = '\x00'
|
|
cpu.XMM1 = 0x25252525
|
|
cpu.RIP = 0x7ffff7ac0af8
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ac0af8], 'f')
|
|
self.assertEqual(mem[0x7ffff7ac0af9], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ac0afa], 'p')
|
|
self.assertEqual(mem[0x7ffff7ac0afb], '\xc9')
|
|
self.assertEqual(mem[0x7ffff7ac0afc], '\x00')
|
|
self.assertEqual(cpu.XMM1, 49374304219900875090764158725393818917L)
|
|
self.assertEqual(cpu.RIP, 140737348635389L)
|
|
|
|
def test_PSHUFD_2(self):
|
|
''' Instruction PSHUFD_2
|
|
Groups: sse2
|
|
0x7ffff7ac0af8: pshufd xmm1, xmm1, 0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0af8] = 'f'
|
|
mem[0x7ffff7ac0af9] = '\x0f'
|
|
mem[0x7ffff7ac0afa] = 'p'
|
|
mem[0x7ffff7ac0afb] = '\xc9'
|
|
mem[0x7ffff7ac0afc] = '\x00'
|
|
cpu.XMM1 = 0x25252525
|
|
cpu.RIP = 0x7ffff7ac0af8
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ac0af8], 'f')
|
|
self.assertEqual(mem[0x7ffff7ac0af9], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ac0afa], 'p')
|
|
self.assertEqual(mem[0x7ffff7ac0afb], '\xc9')
|
|
self.assertEqual(mem[0x7ffff7ac0afc], '\x00')
|
|
self.assertEqual(cpu.XMM1, 49374304219900875090764158725393818917L)
|
|
self.assertEqual(cpu.RIP, 140737348635389L)
|
|
|
|
def test_PSHUFD_3(self):
|
|
''' Instruction PSHUFD_3
|
|
Groups: sse2
|
|
0x7ffff7df4388: pshufd xmm1, xmm1, 0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4388] = 'f'
|
|
mem[0x7ffff7df4389] = '\x0f'
|
|
mem[0x7ffff7df438a] = 'p'
|
|
mem[0x7ffff7df438b] = '\xc9'
|
|
mem[0x7ffff7df438c] = '\x00'
|
|
cpu.XMM1 = 0x24242424
|
|
cpu.RIP = 0x7ffff7df4388
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4388], 'f')
|
|
self.assertEqual(mem[0x7ffff7df4389], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df438a], 'p')
|
|
self.assertEqual(mem[0x7ffff7df438b], '\xc9')
|
|
self.assertEqual(mem[0x7ffff7df438c], '\x00')
|
|
self.assertEqual(cpu.XMM1, 48039863565308959547770532813896688676L)
|
|
self.assertEqual(cpu.RIP, 140737351992205L)
|
|
|
|
def test_PSHUFD_4(self):
|
|
''' Instruction PSHUFD_4
|
|
Groups: sse2
|
|
0x7ffff7ab799a: pshufd xmm1, xmm1, 0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab799a] = 'f'
|
|
mem[0x7ffff7ab799b] = '\x0f'
|
|
mem[0x7ffff7ab799c] = 'p'
|
|
mem[0x7ffff7ab799d] = '\xc9'
|
|
mem[0x7ffff7ab799e] = '\x00'
|
|
cpu.XMM1 = 0x2f2f2f2f
|
|
cpu.RIP = 0x7ffff7ab799a
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ab799a], 'f')
|
|
self.assertEqual(mem[0x7ffff7ab799b], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ab799c], 'p')
|
|
self.assertEqual(mem[0x7ffff7ab799d], '\xc9')
|
|
self.assertEqual(mem[0x7ffff7ab799e], '\x00')
|
|
self.assertEqual(cpu.XMM1, 62718710765820030520700417840365121327L)
|
|
self.assertEqual(cpu.RIP, 140737348598175L)
|
|
|
|
def test_PSHUFD_5(self):
|
|
''' Instruction PSHUFD_5
|
|
Groups: sse2
|
|
0x7ffff7df4388: pshufd xmm1, xmm1, 0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4388] = 'f'
|
|
mem[0x7ffff7df4389] = '\x0f'
|
|
mem[0x7ffff7df438a] = 'p'
|
|
mem[0x7ffff7df438b] = '\xc9'
|
|
mem[0x7ffff7df438c] = '\x00'
|
|
cpu.XMM1 = 0x24242424
|
|
cpu.RIP = 0x7ffff7df4388
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4388], 'f')
|
|
self.assertEqual(mem[0x7ffff7df4389], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df438a], 'p')
|
|
self.assertEqual(mem[0x7ffff7df438b], '\xc9')
|
|
self.assertEqual(mem[0x7ffff7df438c], '\x00')
|
|
self.assertEqual(cpu.XMM1, 48039863565308959547770532813896688676L)
|
|
self.assertEqual(cpu.RIP, 140737351992205L)
|
|
|
|
def test_PSHUFD_6(self):
|
|
''' Instruction PSHUFD_6
|
|
Groups: sse2
|
|
0x7ffff7ab799a: pshufd xmm1, xmm1, 0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab799a] = 'f'
|
|
mem[0x7ffff7ab799b] = '\x0f'
|
|
mem[0x7ffff7ab799c] = 'p'
|
|
mem[0x7ffff7ab799d] = '\xc9'
|
|
mem[0x7ffff7ab799e] = '\x00'
|
|
cpu.XMM1 = 0x2f2f2f2f
|
|
cpu.RIP = 0x7ffff7ab799a
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ab799a], 'f')
|
|
self.assertEqual(mem[0x7ffff7ab799b], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ab799c], 'p')
|
|
self.assertEqual(mem[0x7ffff7ab799d], '\xc9')
|
|
self.assertEqual(mem[0x7ffff7ab799e], '\x00')
|
|
self.assertEqual(cpu.XMM1, 62718710765820030520700417840365121327L)
|
|
self.assertEqual(cpu.RIP, 140737348598175L)
|
|
|
|
def test_PUNPCKLBW_1(self):
|
|
''' Instruction PUNPCKLBW_1
|
|
Groups: sse2
|
|
0x7ffff7df437b: punpcklbw xmm1, xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df437b] = 'f'
|
|
mem[0x7ffff7df437c] = '\x0f'
|
|
mem[0x7ffff7df437d] = '`'
|
|
mem[0x7ffff7df437e] = '\xc9'
|
|
cpu.XMM1 = 0x24
|
|
cpu.RIP = 0x7ffff7df437b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df437b], 'f')
|
|
self.assertEqual(mem[0x7ffff7df437c], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df437d], '`')
|
|
self.assertEqual(mem[0x7ffff7df437e], '\xc9')
|
|
self.assertEqual(cpu.XMM1, 9252)
|
|
self.assertEqual(cpu.RIP, 140737351992191L)
|
|
|
|
def test_PUNPCKLBW_2(self):
|
|
''' Instruction PUNPCKLBW_2
|
|
Groups: sse2
|
|
0x7ffff7ac0aeb: punpcklbw xmm1, xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0aeb] = 'f'
|
|
mem[0x7ffff7ac0aec] = '\x0f'
|
|
mem[0x7ffff7ac0aed] = '`'
|
|
mem[0x7ffff7ac0aee] = '\xc9'
|
|
cpu.XMM1 = 0x25
|
|
cpu.RIP = 0x7ffff7ac0aeb
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ac0aeb], 'f')
|
|
self.assertEqual(mem[0x7ffff7ac0aec], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ac0aed], '`')
|
|
self.assertEqual(mem[0x7ffff7ac0aee], '\xc9')
|
|
self.assertEqual(cpu.XMM1, 9509)
|
|
self.assertEqual(cpu.RIP, 140737348635375L)
|
|
|
|
def test_PUNPCKLBW_3(self):
|
|
''' Instruction PUNPCKLBW_3
|
|
Groups: sse2
|
|
0x7ffff7ac0aeb: punpcklbw xmm1, xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0aeb] = 'f'
|
|
mem[0x7ffff7ac0aec] = '\x0f'
|
|
mem[0x7ffff7ac0aed] = '`'
|
|
mem[0x7ffff7ac0aee] = '\xc9'
|
|
cpu.XMM1 = 0x25
|
|
cpu.RIP = 0x7ffff7ac0aeb
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ac0aeb], 'f')
|
|
self.assertEqual(mem[0x7ffff7ac0aec], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ac0aed], '`')
|
|
self.assertEqual(mem[0x7ffff7ac0aee], '\xc9')
|
|
self.assertEqual(cpu.XMM1, 9509)
|
|
self.assertEqual(cpu.RIP, 140737348635375L)
|
|
|
|
def test_PUNPCKLBW_4(self):
|
|
''' Instruction PUNPCKLBW_4
|
|
Groups: sse2
|
|
0x4579cc: punpcklbw xmm1, xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x004579cc] = 'f'
|
|
mem[0x004579cd] = '\x0f'
|
|
mem[0x004579ce] = '`'
|
|
mem[0x004579cf] = '\xc9'
|
|
cpu.XMM1 = 0x2f
|
|
cpu.RIP = 0x4579cc
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4579cc], 'f')
|
|
self.assertEqual(mem[0x4579cd], '\x0f')
|
|
self.assertEqual(mem[0x4579ce], '`')
|
|
self.assertEqual(mem[0x4579cf], '\xc9')
|
|
self.assertEqual(cpu.XMM1, 12079)
|
|
self.assertEqual(cpu.RIP, 4553168L)
|
|
|
|
def test_PUNPCKLBW_5(self):
|
|
''' Instruction PUNPCKLBW_5
|
|
Groups: sse2
|
|
0x45794c: punpcklbw xmm1, xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x0045794c] = 'f'
|
|
mem[0x0045794d] = '\x0f'
|
|
mem[0x0045794e] = '`'
|
|
mem[0x0045794f] = '\xc9'
|
|
cpu.XMM1 = 0x2f
|
|
cpu.RIP = 0x45794c
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x45794c], 'f')
|
|
self.assertEqual(mem[0x45794d], '\x0f')
|
|
self.assertEqual(mem[0x45794e], '`')
|
|
self.assertEqual(mem[0x45794f], '\xc9')
|
|
self.assertEqual(cpu.XMM1, 12079)
|
|
self.assertEqual(cpu.RIP, 4553040L)
|
|
|
|
def test_PUNPCKLBW_6(self):
|
|
''' Instruction PUNPCKLBW_6
|
|
Groups: sse2
|
|
0x7ffff7df437b: punpcklbw xmm1, xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df437b] = 'f'
|
|
mem[0x7ffff7df437c] = '\x0f'
|
|
mem[0x7ffff7df437d] = '`'
|
|
mem[0x7ffff7df437e] = '\xc9'
|
|
cpu.XMM1 = 0x24
|
|
cpu.RIP = 0x7ffff7df437b
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df437b], 'f')
|
|
self.assertEqual(mem[0x7ffff7df437c], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df437d], '`')
|
|
self.assertEqual(mem[0x7ffff7df437e], '\xc9')
|
|
self.assertEqual(cpu.XMM1, 9252)
|
|
self.assertEqual(cpu.RIP, 140737351992191L)
|
|
|
|
def test_PUNPCKLWD_1(self):
|
|
''' Instruction PUNPCKLWD_1
|
|
Groups: sse2
|
|
0x457a46: punpcklwd xmm1, xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x00457a48] = 'a'
|
|
mem[0x00457a49] = '\xc9'
|
|
mem[0x00457a46] = 'f'
|
|
mem[0x00457a47] = '\x0f'
|
|
cpu.XMM1 = 0x2f2f
|
|
cpu.RIP = 0x457a46
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x457a48], 'a')
|
|
self.assertEqual(mem[0x457a49], '\xc9')
|
|
self.assertEqual(mem[0x457a46], 'f')
|
|
self.assertEqual(mem[0x457a47], '\x0f')
|
|
self.assertEqual(cpu.XMM1, 791621423)
|
|
self.assertEqual(cpu.RIP, 4553290L)
|
|
|
|
def test_PUNPCKLWD_2(self):
|
|
''' Instruction PUNPCKLWD_2
|
|
Groups: sse2
|
|
0x421b24: punpcklwd xmm1, xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00421000, 0x1000, 'rwx')
|
|
mem[0x00421b24] = 'f'
|
|
mem[0x00421b25] = '\x0f'
|
|
mem[0x00421b26] = 'a'
|
|
mem[0x00421b27] = '\xc9'
|
|
cpu.XMM1 = 0x2525
|
|
cpu.RIP = 0x421b24
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x421b24], 'f')
|
|
self.assertEqual(mem[0x421b25], '\x0f')
|
|
self.assertEqual(mem[0x421b26], 'a')
|
|
self.assertEqual(mem[0x421b27], '\xc9')
|
|
self.assertEqual(cpu.XMM1, 623191333)
|
|
self.assertEqual(cpu.RIP, 4332328L)
|
|
|
|
def test_PUNPCKLWD_3(self):
|
|
''' Instruction PUNPCKLWD_3
|
|
Groups: sse2
|
|
0x7ffff7df4384: punpcklwd xmm1, xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4384] = 'f'
|
|
mem[0x7ffff7df4385] = '\x0f'
|
|
mem[0x7ffff7df4386] = 'a'
|
|
mem[0x7ffff7df4387] = '\xc9'
|
|
cpu.XMM1 = 0x2424
|
|
cpu.RIP = 0x7ffff7df4384
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4384], 'f')
|
|
self.assertEqual(mem[0x7ffff7df4385], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df4386], 'a')
|
|
self.assertEqual(mem[0x7ffff7df4387], '\xc9')
|
|
self.assertEqual(cpu.XMM1, 606348324)
|
|
self.assertEqual(cpu.RIP, 140737351992200L)
|
|
|
|
def test_PUNPCKLWD_4(self):
|
|
''' Instruction PUNPCKLWD_4
|
|
Groups: sse2
|
|
0x7ffff7df4384: punpcklwd xmm1, xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4384] = 'f'
|
|
mem[0x7ffff7df4385] = '\x0f'
|
|
mem[0x7ffff7df4386] = 'a'
|
|
mem[0x7ffff7df4387] = '\xc9'
|
|
cpu.XMM1 = 0x2424
|
|
cpu.RIP = 0x7ffff7df4384
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4384], 'f')
|
|
self.assertEqual(mem[0x7ffff7df4385], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7df4386], 'a')
|
|
self.assertEqual(mem[0x7ffff7df4387], '\xc9')
|
|
self.assertEqual(cpu.XMM1, 606348324)
|
|
self.assertEqual(cpu.RIP, 140737351992200L)
|
|
|
|
def test_PUNPCKLWD_5(self):
|
|
''' Instruction PUNPCKLWD_5
|
|
Groups: sse2
|
|
0x45a576: punpcklwd xmm1, xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0045a000, 0x1000, 'rwx')
|
|
mem[0x0045a578] = 'a'
|
|
mem[0x0045a579] = '\xc9'
|
|
mem[0x0045a576] = 'f'
|
|
mem[0x0045a577] = '\x0f'
|
|
cpu.XMM1 = 0x2f2f
|
|
cpu.RIP = 0x45a576
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x45a578], 'a')
|
|
self.assertEqual(mem[0x45a579], '\xc9')
|
|
self.assertEqual(mem[0x45a576], 'f')
|
|
self.assertEqual(mem[0x45a577], '\x0f')
|
|
self.assertEqual(cpu.XMM1, 791621423)
|
|
self.assertEqual(cpu.RIP, 4564346L)
|
|
|
|
def test_PUNPCKLWD_6(self):
|
|
''' Instruction PUNPCKLWD_6
|
|
Groups: sse2
|
|
0x7ffff7ac0af4: punpcklwd xmm1, xmm1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0af4] = 'f'
|
|
mem[0x7ffff7ac0af5] = '\x0f'
|
|
mem[0x7ffff7ac0af6] = 'a'
|
|
mem[0x7ffff7ac0af7] = '\xc9'
|
|
cpu.XMM1 = 0x2525
|
|
cpu.RIP = 0x7ffff7ac0af4
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ac0af4], 'f')
|
|
self.assertEqual(mem[0x7ffff7ac0af5], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7ac0af6], 'a')
|
|
self.assertEqual(mem[0x7ffff7ac0af7], '\xc9')
|
|
self.assertEqual(cpu.XMM1, 623191333)
|
|
self.assertEqual(cpu.RIP, 140737348635384L)
|
|
|
|
def test_PUSH_1(self):
|
|
''' Instruction PUSH_1
|
|
Groups: mode64
|
|
0x7ffff7de407a: push r12
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffd7a0] = '4'
|
|
mem[0x7ffff7de407b] = 'T'
|
|
mem[0x7fffffffd79a] = '\xff'
|
|
mem[0x7fffffffd790] = 'X'
|
|
mem[0x7fffffffd791] = 'v'
|
|
mem[0x7fffffffd792] = '\xff'
|
|
mem[0x7fffffffd793] = '\xf7'
|
|
mem[0x7fffffffd794] = '\xff'
|
|
mem[0x7fffffffd795] = '\x7f'
|
|
mem[0x7fffffffd796] = '\x00'
|
|
mem[0x7fffffffd797] = '\x00'
|
|
mem[0x7fffffffd798] = '8'
|
|
mem[0x7fffffffd799] = '\xd8'
|
|
mem[0x7ffff7de407a] = 'A'
|
|
mem[0x7fffffffd79b] = '\xff'
|
|
mem[0x7fffffffd79c] = '\xff'
|
|
mem[0x7fffffffd79d] = '\x7f'
|
|
mem[0x7fffffffd79e] = '\x00'
|
|
mem[0x7fffffffd79f] = '\x00'
|
|
cpu.RSP = 0x7fffffffd798
|
|
cpu.R12 = 0x7ffff7ff7658
|
|
cpu.RIP = 0x7ffff7de407a
|
|
cpu.RBP = 0x7fffffffd870
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffd7a0], '4')
|
|
self.assertEqual(mem[0x7ffff7de407b], 'T')
|
|
self.assertEqual(mem[0x7ffff7de407a], 'A')
|
|
self.assertEqual(mem[0x7fffffffd790], 'X')
|
|
self.assertEqual(mem[0x7fffffffd791], 'v')
|
|
self.assertEqual(mem[0x7fffffffd792], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd793], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffd794], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd795], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd796], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd797], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd798], '8')
|
|
self.assertEqual(mem[0x7fffffffd799], '\xd8')
|
|
self.assertEqual(mem[0x7fffffffd79a], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd79b], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd79c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd79d], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd79e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd79f], '\x00')
|
|
self.assertEqual(cpu.R12, 140737354102360L)
|
|
self.assertEqual(cpu.RSP, 140737488344976L)
|
|
self.assertEqual(cpu.RIP, 140737351925884L)
|
|
self.assertEqual(cpu.RBP, 140737488345200L)
|
|
|
|
def test_PUSH_2(self):
|
|
''' Instruction PUSH_2
|
|
Groups: mode64
|
|
0x722546: push 0xff00
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00722000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffcca8] = '\x00'
|
|
mem[0x7fffffffcca9] = '\xff'
|
|
mem[0x7fffffffccaa] = '\x00'
|
|
mem[0x7fffffffccab] = '\x00'
|
|
mem[0x7fffffffccac] = '\x00'
|
|
mem[0x7fffffffccad] = '\x00'
|
|
mem[0x7fffffffccae] = '\x00'
|
|
mem[0x7fffffffccaf] = '\x00'
|
|
mem[0x7fffffffccb0] = '\xfe'
|
|
mem[0x7fffffffccb1] = '\xff'
|
|
mem[0x7fffffffccb2] = '\xff'
|
|
mem[0x7fffffffccb3] = '\xff'
|
|
mem[0x7fffffffccb4] = '@'
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
mem[0x7fffffffccb8] = '\xfe'
|
|
mem[0x00722546] = 'h'
|
|
mem[0x00722547] = '\x00'
|
|
mem[0x00722548] = '\xff'
|
|
mem[0x00722549] = '\x00'
|
|
mem[0x0072254a] = '\x00'
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x722546
|
|
cpu.RBP = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffcca8], '\x00')
|
|
self.assertEqual(mem[0x7fffffffcca9], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccaa], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccab], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccac], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccad], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccae], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccaf], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\xfe')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb4], '@')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb8], '\xfe')
|
|
self.assertEqual(mem[0x722546], 'h')
|
|
self.assertEqual(mem[0x722547], '\x00')
|
|
self.assertEqual(mem[0x722548], '\xff')
|
|
self.assertEqual(mem[0x722549], '\x00')
|
|
self.assertEqual(mem[0x72254a], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488342184L)
|
|
self.assertEqual(cpu.RIP, 7480651L)
|
|
self.assertEqual(cpu.RBP, 0L)
|
|
|
|
def test_PUSH_3(self):
|
|
''' Instruction PUSH_3
|
|
Groups: mode64
|
|
0x744c3e: push 0xf00aabb
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00744000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffcca8] = '\xbb'
|
|
mem[0x7fffffffcca9] = '\xaa'
|
|
mem[0x7fffffffccaa] = '\x00'
|
|
mem[0x7fffffffccab] = '\x0f'
|
|
mem[0x7fffffffccac] = '\x00'
|
|
mem[0x7fffffffccad] = '\x00'
|
|
mem[0x7fffffffccae] = '\x00'
|
|
mem[0x7fffffffccaf] = '\x00'
|
|
mem[0x7fffffffccb0] = '\x00'
|
|
mem[0x7fffffffccb1] = '\x00'
|
|
mem[0x7fffffffccb2] = '\x00'
|
|
mem[0x7fffffffccb3] = '\x80'
|
|
mem[0x7fffffffccb4] = '!'
|
|
mem[0x7fffffffccb5] = 'C'
|
|
mem[0x7fffffffccb6] = 'e'
|
|
mem[0x7fffffffccb7] = '\x87'
|
|
mem[0x7fffffffccb8] = '@'
|
|
mem[0x00744c3e] = 'h'
|
|
mem[0x00744c3f] = '\xbb'
|
|
mem[0x00744c40] = '\xaa'
|
|
mem[0x00744c41] = '\x00'
|
|
mem[0x00744c42] = '\x0f'
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x744c3e
|
|
cpu.RBP = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffcca8], '\xbb')
|
|
self.assertEqual(mem[0x7fffffffcca9], '\xaa')
|
|
self.assertEqual(mem[0x7fffffffccaa], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccab], '\x0f')
|
|
self.assertEqual(mem[0x7fffffffccac], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccad], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccae], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccaf], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccb4], '!')
|
|
self.assertEqual(mem[0x7fffffffccb5], 'C')
|
|
self.assertEqual(mem[0x7fffffffccb6], 'e')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x87')
|
|
self.assertEqual(mem[0x7fffffffccb8], '@')
|
|
self.assertEqual(mem[0x744c3e], 'h')
|
|
self.assertEqual(mem[0x744c3f], '\xbb')
|
|
self.assertEqual(mem[0x744c40], '\xaa')
|
|
self.assertEqual(mem[0x744c41], '\x00')
|
|
self.assertEqual(mem[0x744c42], '\x0f')
|
|
self.assertEqual(cpu.RSP, 140737488342184L)
|
|
self.assertEqual(cpu.RIP, 7621699L)
|
|
self.assertEqual(cpu.RBP, 0L)
|
|
|
|
def test_PUSH_4(self):
|
|
''' Instruction PUSH_4
|
|
Groups: mode64
|
|
0x6651fa: push rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00665000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffcca8] = '\x7f'
|
|
mem[0x7fffffffcca9] = '\x00'
|
|
mem[0x7fffffffccaa] = '\x00'
|
|
mem[0x7fffffffccab] = '\x00'
|
|
mem[0x7fffffffccac] = '\x00'
|
|
mem[0x7fffffffccad] = '\x00'
|
|
mem[0x7fffffffccae] = '\x00'
|
|
mem[0x7fffffffccaf] = '\x00'
|
|
mem[0x7fffffffccb0] = '\x7f'
|
|
mem[0x7fffffffccb1] = '\x00'
|
|
mem[0x7fffffffccb2] = '\x00'
|
|
mem[0x7fffffffccb3] = '\x00'
|
|
mem[0x7fffffffccb4] = ' '
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
mem[0x7fffffffccb8] = '!'
|
|
mem[0x006651fa] = 'P'
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x6651fa
|
|
cpu.RAX = 0x7f
|
|
cpu.RBP = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffcca8], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffcca9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccaa], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccab], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccac], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccad], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccae], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccaf], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb4], ' ')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb8], '!')
|
|
self.assertEqual(mem[0x6651fa], 'P')
|
|
self.assertEqual(cpu.RSP, 140737488342184L)
|
|
self.assertEqual(cpu.RAX, 127L)
|
|
self.assertEqual(cpu.RIP, 6705659L)
|
|
self.assertEqual(cpu.RBP, 0L)
|
|
|
|
def test_PUSH_5(self):
|
|
''' Instruction PUSH_5
|
|
Groups: mode64
|
|
0x7ffff7de4330: push rbp
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffda40] = '\x01'
|
|
mem[0x7ffff7de4330] = 'U'
|
|
mem[0x7fffffffda30] = 'p'
|
|
mem[0x7fffffffda31] = '\xdb'
|
|
mem[0x7fffffffda32] = '\xff'
|
|
mem[0x7fffffffda33] = '\xff'
|
|
mem[0x7fffffffda34] = '\xff'
|
|
mem[0x7fffffffda35] = '\x7f'
|
|
mem[0x7fffffffda36] = '\x00'
|
|
mem[0x7fffffffda37] = '\x00'
|
|
mem[0x7fffffffda38] = '\x94'
|
|
mem[0x7fffffffda39] = 'b'
|
|
mem[0x7fffffffda3a] = '\xde'
|
|
mem[0x7fffffffda3b] = '\xf7'
|
|
mem[0x7fffffffda3c] = '\xff'
|
|
mem[0x7fffffffda3d] = '\x7f'
|
|
mem[0x7fffffffda3e] = '\x00'
|
|
mem[0x7fffffffda3f] = '\x00'
|
|
cpu.RSP = 0x7fffffffda38
|
|
cpu.RIP = 0x7ffff7de4330
|
|
cpu.RBP = 0x7fffffffdb70
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffda40], '\x01')
|
|
self.assertEqual(mem[0x7fffffffda30], 'p')
|
|
self.assertEqual(mem[0x7ffff7de4330], 'U')
|
|
self.assertEqual(mem[0x7fffffffda31], '\xdb')
|
|
self.assertEqual(mem[0x7fffffffda32], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda33], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda34], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda35], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffda36], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda37], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda38], '\x94')
|
|
self.assertEqual(mem[0x7fffffffda39], 'b')
|
|
self.assertEqual(mem[0x7fffffffda3a], '\xde')
|
|
self.assertEqual(mem[0x7fffffffda3b], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffda3c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffda3d], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffda3e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda3f], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488345648L)
|
|
self.assertEqual(cpu.RIP, 140737351926577L)
|
|
self.assertEqual(cpu.RBP, 140737488345968L)
|
|
|
|
def test_PUSH_6(self):
|
|
''' Instruction PUSH_6
|
|
Groups: mode64
|
|
0x75c167: push 0xf00aabb
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0075c000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffcca8] = '\xbb'
|
|
mem[0x7fffffffcca9] = '\xaa'
|
|
mem[0x7fffffffccaa] = '\x00'
|
|
mem[0x7fffffffccab] = '\x0f'
|
|
mem[0x7fffffffccac] = '\x00'
|
|
mem[0x7fffffffccad] = '\x00'
|
|
mem[0x7fffffffccae] = '\x00'
|
|
mem[0x7fffffffccaf] = '\x00'
|
|
mem[0x7fffffffccb0] = '\xfe'
|
|
mem[0x7fffffffccb1] = '\xff'
|
|
mem[0x7fffffffccb2] = '\xff'
|
|
mem[0x7fffffffccb3] = '\xff'
|
|
mem[0x7fffffffccb4] = '\x80'
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
mem[0x7fffffffccb8] = 'x'
|
|
mem[0x0075c167] = 'h'
|
|
mem[0x0075c168] = '\xbb'
|
|
mem[0x0075c169] = '\xaa'
|
|
mem[0x0075c16a] = '\x00'
|
|
mem[0x0075c16b] = '\x0f'
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x75c167
|
|
cpu.RBP = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffcca8], '\xbb')
|
|
self.assertEqual(mem[0x7fffffffcca9], '\xaa')
|
|
self.assertEqual(mem[0x7fffffffccaa], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccab], '\x0f')
|
|
self.assertEqual(mem[0x7fffffffccac], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccad], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccae], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccaf], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\xfe')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb8], 'x')
|
|
self.assertEqual(mem[0x75c167], 'h')
|
|
self.assertEqual(mem[0x75c168], '\xbb')
|
|
self.assertEqual(mem[0x75c169], '\xaa')
|
|
self.assertEqual(mem[0x75c16a], '\x00')
|
|
self.assertEqual(mem[0x75c16b], '\x0f')
|
|
self.assertEqual(cpu.RSP, 140737488342184L)
|
|
self.assertEqual(cpu.RIP, 7717228L)
|
|
self.assertEqual(cpu.RBP, 0L)
|
|
|
|
def test_PXOR_1(self):
|
|
''' Instruction PXOR_1
|
|
Groups: sse2
|
|
0x418490: pxor xmm8, xmm8
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x00418490] = 'f'
|
|
mem[0x00418491] = 'E'
|
|
mem[0x00418492] = '\x0f'
|
|
mem[0x00418493] = '\xef'
|
|
mem[0x00418494] = '\xc0'
|
|
cpu.XMM8 = 0x0
|
|
cpu.RIP = 0x418490
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x418490], 'f')
|
|
self.assertEqual(mem[0x418491], 'E')
|
|
self.assertEqual(mem[0x418492], '\x0f')
|
|
self.assertEqual(mem[0x418493], '\xef')
|
|
self.assertEqual(mem[0x418494], '\xc0')
|
|
self.assertEqual(cpu.XMM8, 0)
|
|
self.assertEqual(cpu.RIP, 4293781L)
|
|
|
|
def test_PXOR_2(self):
|
|
''' Instruction PXOR_2
|
|
Groups: sse2
|
|
0x41848f: pxor xmm11, xmm11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x00418490] = 'E'
|
|
mem[0x00418491] = '\x0f'
|
|
mem[0x00418492] = '\xef'
|
|
mem[0x00418493] = '\xdb'
|
|
mem[0x0041848f] = 'f'
|
|
cpu.XMM11 = 0x0
|
|
cpu.RIP = 0x41848f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x418490], 'E')
|
|
self.assertEqual(mem[0x418491], '\x0f')
|
|
self.assertEqual(mem[0x418492], '\xef')
|
|
self.assertEqual(mem[0x418493], '\xdb')
|
|
self.assertEqual(mem[0x41848f], 'f')
|
|
self.assertEqual(cpu.XMM11, 0)
|
|
self.assertEqual(cpu.RIP, 4293780L)
|
|
|
|
def test_PXOR_3(self):
|
|
''' Instruction PXOR_3
|
|
Groups: sse2
|
|
0x4184bf: pxor xmm11, xmm11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x004184c0] = 'E'
|
|
mem[0x004184c1] = '\x0f'
|
|
mem[0x004184c2] = '\xef'
|
|
mem[0x004184c3] = '\xdb'
|
|
mem[0x004184bf] = 'f'
|
|
cpu.XMM11 = 0x0
|
|
cpu.RIP = 0x4184bf
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4184c0], 'E')
|
|
self.assertEqual(mem[0x4184c1], '\x0f')
|
|
self.assertEqual(mem[0x4184c2], '\xef')
|
|
self.assertEqual(mem[0x4184c3], '\xdb')
|
|
self.assertEqual(mem[0x4184bf], 'f')
|
|
self.assertEqual(cpu.XMM11, 0)
|
|
self.assertEqual(cpu.RIP, 4293828L)
|
|
|
|
def test_PXOR_4(self):
|
|
''' Instruction PXOR_4
|
|
Groups: sse2
|
|
0x418480: pxor xmm8, xmm8
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x00418480] = 'f'
|
|
mem[0x00418481] = 'E'
|
|
mem[0x00418482] = '\x0f'
|
|
mem[0x00418483] = '\xef'
|
|
mem[0x00418484] = '\xc0'
|
|
cpu.XMM8 = 0x0
|
|
cpu.RIP = 0x418480
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x418480], 'f')
|
|
self.assertEqual(mem[0x418481], 'E')
|
|
self.assertEqual(mem[0x418482], '\x0f')
|
|
self.assertEqual(mem[0x418483], '\xef')
|
|
self.assertEqual(mem[0x418484], '\xc0')
|
|
self.assertEqual(cpu.XMM8, 0)
|
|
self.assertEqual(cpu.RIP, 4293765L)
|
|
|
|
def test_PXOR_5(self):
|
|
''' Instruction PXOR_5
|
|
Groups: sse2
|
|
0x4183b5: pxor xmm9, xmm9
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x004183b8] = '\xef'
|
|
mem[0x004183b9] = '\xc9'
|
|
mem[0x004183b5] = 'f'
|
|
mem[0x004183b6] = 'E'
|
|
mem[0x004183b7] = '\x0f'
|
|
cpu.XMM9 = 0x0
|
|
cpu.RIP = 0x4183b5
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4183b8], '\xef')
|
|
self.assertEqual(mem[0x4183b9], '\xc9')
|
|
self.assertEqual(mem[0x4183b5], 'f')
|
|
self.assertEqual(mem[0x4183b6], 'E')
|
|
self.assertEqual(mem[0x4183b7], '\x0f')
|
|
self.assertEqual(cpu.XMM9, 0)
|
|
self.assertEqual(cpu.RIP, 4293562L)
|
|
|
|
def test_PXOR_6(self):
|
|
''' Instruction PXOR_6
|
|
Groups: sse2
|
|
0x418495: pxor xmm9, xmm9
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x00418498] = '\xef'
|
|
mem[0x00418499] = '\xc9'
|
|
mem[0x00418495] = 'f'
|
|
mem[0x00418496] = 'E'
|
|
mem[0x00418497] = '\x0f'
|
|
cpu.XMM9 = 0x0
|
|
cpu.RIP = 0x418495
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x418498], '\xef')
|
|
self.assertEqual(mem[0x418499], '\xc9')
|
|
self.assertEqual(mem[0x418495], 'f')
|
|
self.assertEqual(mem[0x418496], 'E')
|
|
self.assertEqual(mem[0x418497], '\x0f')
|
|
self.assertEqual(cpu.XMM9, 0)
|
|
self.assertEqual(cpu.RIP, 4293786L)
|
|
|
|
def test_RET_1(self):
|
|
''' Instruction RET_1
|
|
Groups: ret, mode64
|
|
0x7ffff7de3748: ret
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffd780] = ']'
|
|
mem[0x7ffff7de3748] = '\xc3'
|
|
mem[0x7fffffffd770] = 'p'
|
|
mem[0x7fffffffd771] = '\xd8'
|
|
mem[0x7fffffffd772] = '\xff'
|
|
mem[0x7fffffffd773] = '\xff'
|
|
mem[0x7fffffffd774] = '\xff'
|
|
mem[0x7fffffffd775] = '\x7f'
|
|
mem[0x7fffffffd776] = '\x00'
|
|
mem[0x7fffffffd777] = '\x00'
|
|
mem[0x7fffffffd778] = '\xab'
|
|
mem[0x7fffffffd779] = '@'
|
|
mem[0x7fffffffd77a] = '\xde'
|
|
mem[0x7fffffffd77b] = '\xf7'
|
|
mem[0x7fffffffd77c] = '\xff'
|
|
mem[0x7fffffffd77d] = '\x7f'
|
|
mem[0x7fffffffd77e] = '\x00'
|
|
mem[0x7fffffffd77f] = '\x00'
|
|
cpu.RSP = 0x7fffffffd778
|
|
cpu.RIP = 0x7ffff7de3748
|
|
cpu.RBP = 0x7fffffffd870
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffd780], ']')
|
|
self.assertEqual(mem[0x7ffff7de3748], '\xc3')
|
|
self.assertEqual(mem[0x7fffffffd770], 'p')
|
|
self.assertEqual(mem[0x7fffffffd771], '\xd8')
|
|
self.assertEqual(mem[0x7fffffffd772], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd773], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd774], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd775], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd776], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd777], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd778], '\xab')
|
|
self.assertEqual(mem[0x7fffffffd779], '@')
|
|
self.assertEqual(mem[0x7fffffffd77a], '\xde')
|
|
self.assertEqual(mem[0x7fffffffd77b], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffd77c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd77d], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd77e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd77f], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488344960L)
|
|
self.assertEqual(cpu.RIP, 140737351925931L)
|
|
self.assertEqual(cpu.RBP, 140737488345200L)
|
|
|
|
def test_RET_2(self):
|
|
''' Instruction RET_2
|
|
Groups: ret, mode64
|
|
0x7ffff7df537f: ret
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df5000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffd840] = '\x00'
|
|
mem[0x7ffff7df537f] = '\xc3'
|
|
mem[0x7fffffffd830] = '\x03'
|
|
mem[0x7fffffffd831] = '\x00'
|
|
mem[0x7fffffffd832] = '\x00'
|
|
mem[0x7fffffffd833] = '\x00'
|
|
mem[0x7fffffffd834] = '\x00'
|
|
mem[0x7fffffffd835] = '\x00'
|
|
mem[0x7fffffffd836] = '\x00'
|
|
mem[0x7fffffffd837] = '\x00'
|
|
mem[0x7fffffffd838] = '\xdb'
|
|
mem[0x7fffffffd839] = '\x7f'
|
|
mem[0x7fffffffd83a] = '\xde'
|
|
mem[0x7fffffffd83b] = '\xf7'
|
|
mem[0x7fffffffd83c] = '\xff'
|
|
mem[0x7fffffffd83d] = '\x7f'
|
|
mem[0x7fffffffd83e] = '\x00'
|
|
mem[0x7fffffffd83f] = '\x00'
|
|
cpu.RSP = 0x7fffffffd838
|
|
cpu.RIP = 0x7ffff7df537f
|
|
cpu.RBP = 0x7fffffffdae0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffd840], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd83f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd830], '\x03')
|
|
self.assertEqual(mem[0x7fffffffd831], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd832], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd833], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd834], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd835], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd836], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd837], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd838], '\xdb')
|
|
self.assertEqual(mem[0x7fffffffd839], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd83a], '\xde')
|
|
self.assertEqual(mem[0x7fffffffd83b], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffd83c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd83d], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd83e], '\x00')
|
|
self.assertEqual(mem[0x7ffff7df537f], '\xc3')
|
|
self.assertEqual(cpu.RSP, 140737488345152L)
|
|
self.assertEqual(cpu.RIP, 140737351942107L)
|
|
self.assertEqual(cpu.RBP, 140737488345824L)
|
|
|
|
def test_RET_3(self):
|
|
''' Instruction RET_3
|
|
Groups: ret, mode64
|
|
0x406e67: ret
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffdb20] = 'p'
|
|
mem[0x7fffffffdb21] = '\xdb'
|
|
mem[0x7fffffffdb22] = '\xff'
|
|
mem[0x7fffffffdb23] = '\xff'
|
|
mem[0x7fffffffdb24] = '\xff'
|
|
mem[0x7fffffffdb25] = '\x7f'
|
|
mem[0x7fffffffdb26] = '\x00'
|
|
mem[0x00406e67] = '\xc3'
|
|
mem[0x7fffffffdb28] = 'N'
|
|
mem[0x7fffffffdb29] = 'o'
|
|
mem[0x7fffffffdb2a] = 'C'
|
|
mem[0x7fffffffdb27] = '\x00'
|
|
mem[0x7fffffffdb2c] = '\x00'
|
|
mem[0x7fffffffdb2d] = '\x00'
|
|
mem[0x7fffffffdb2e] = '\x00'
|
|
mem[0x7fffffffdb2f] = '\x00'
|
|
mem[0x7fffffffdb30] = '@'
|
|
mem[0x7fffffffdb2b] = '\x00'
|
|
cpu.RSP = 0x7fffffffdb28
|
|
cpu.RIP = 0x406e67
|
|
cpu.RBP = 0x7fffffffdb70
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffdb20], 'p')
|
|
self.assertEqual(mem[0x7fffffffdb21], '\xdb')
|
|
self.assertEqual(mem[0x7fffffffdb22], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdb23], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdb24], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdb25], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffdb26], '\x00')
|
|
self.assertEqual(mem[0x406e67], '\xc3')
|
|
self.assertEqual(mem[0x7fffffffdb28], 'N')
|
|
self.assertEqual(mem[0x7fffffffdb29], 'o')
|
|
self.assertEqual(mem[0x7fffffffdb2a], 'C')
|
|
self.assertEqual(mem[0x7fffffffdb2b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb2c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb2d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb2e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb2f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb30], '@')
|
|
self.assertEqual(mem[0x7fffffffdb27], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488345904L)
|
|
self.assertEqual(cpu.RIP, 4419406L)
|
|
self.assertEqual(cpu.RBP, 140737488345968L)
|
|
|
|
def test_RET_4(self):
|
|
''' Instruction RET_4
|
|
Groups: ret, mode64
|
|
0x7ffff7de2af3: ret
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de2000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffd700] = ' '
|
|
mem[0x7fffffffd701] = '\xd7'
|
|
mem[0x7fffffffd702] = '\xff'
|
|
mem[0x7fffffffd703] = '\xff'
|
|
mem[0x7fffffffd704] = '\xff'
|
|
mem[0x7fffffffd705] = '\x7f'
|
|
mem[0x7fffffffd706] = '\x00'
|
|
mem[0x7fffffffd707] = '\x00'
|
|
mem[0x7fffffffd708] = ')'
|
|
mem[0x7fffffffd709] = 'u'
|
|
mem[0x7fffffffd70a] = '\xde'
|
|
mem[0x7fffffffd70b] = '\xf7'
|
|
mem[0x7fffffffd70c] = '\xff'
|
|
mem[0x7fffffffd70d] = '\x7f'
|
|
mem[0x7fffffffd70e] = '\x00'
|
|
mem[0x7fffffffd70f] = '\x00'
|
|
mem[0x7fffffffd710] = '\xb0'
|
|
mem[0x7ffff7de2af3] = '\xc3'
|
|
cpu.RSP = 0x7fffffffd708
|
|
cpu.RIP = 0x7ffff7de2af3
|
|
cpu.RBP = 0x7fffffffd720
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffd700], ' ')
|
|
self.assertEqual(mem[0x7fffffffd701], '\xd7')
|
|
self.assertEqual(mem[0x7fffffffd702], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd703], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd704], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd705], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd706], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd707], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd708], ')')
|
|
self.assertEqual(mem[0x7fffffffd709], 'u')
|
|
self.assertEqual(mem[0x7fffffffd70a], '\xde')
|
|
self.assertEqual(mem[0x7fffffffd70b], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffd70c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd70d], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd70e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd70f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd710], '\xb0')
|
|
self.assertEqual(mem[0x7ffff7de2af3], '\xc3')
|
|
self.assertEqual(cpu.RSP, 140737488344848L)
|
|
self.assertEqual(cpu.RIP, 140737351939369L)
|
|
self.assertEqual(cpu.RBP, 140737488344864L)
|
|
|
|
def test_RET_5(self):
|
|
''' Instruction RET_5
|
|
Groups: ret, mode64
|
|
0x4118a1: ret
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffdae0] = '\x00'
|
|
mem[0x004118a1] = '\xc3'
|
|
mem[0x7fffffffdae2] = '\xff'
|
|
mem[0x7fffffffdae3] = '\xff'
|
|
mem[0x7fffffffdae4] = '\xff'
|
|
mem[0x7fffffffdae5] = '\x7f'
|
|
mem[0x7fffffffdae6] = '\x00'
|
|
mem[0x7fffffffdae1] = '\xdb'
|
|
mem[0x7fffffffdae8] = '\x1c'
|
|
mem[0x7fffffffdae9] = '6'
|
|
mem[0x7fffffffdaea] = 'A'
|
|
mem[0x7fffffffdae7] = '\x00'
|
|
mem[0x7fffffffdaec] = '\x00'
|
|
mem[0x7fffffffdaed] = '\x00'
|
|
mem[0x7fffffffdaee] = '\x00'
|
|
mem[0x7fffffffdaef] = '\x00'
|
|
mem[0x7fffffffdaf0] = '\x02'
|
|
mem[0x7fffffffdaeb] = '\x00'
|
|
cpu.RSP = 0x7fffffffdae8
|
|
cpu.RIP = 0x4118a1
|
|
cpu.RBP = 0x7fffffffdb00
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffdae0], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdae1], '\xdb')
|
|
self.assertEqual(mem[0x7fffffffdae2], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdae3], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdae4], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdae5], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffdae6], '\x00')
|
|
self.assertEqual(mem[0x4118a1], '\xc3')
|
|
self.assertEqual(mem[0x7fffffffdae8], '\x1c')
|
|
self.assertEqual(mem[0x7fffffffdae9], '6')
|
|
self.assertEqual(mem[0x7fffffffdaea], 'A')
|
|
self.assertEqual(mem[0x7fffffffdae7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaec], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaed], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaee], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaef], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf0], '\x02')
|
|
self.assertEqual(mem[0x7fffffffdaeb], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488345840L)
|
|
self.assertEqual(cpu.RIP, 4273692L)
|
|
self.assertEqual(cpu.RBP, 140737488345856L)
|
|
|
|
def test_RET_6(self):
|
|
''' Instruction RET_6
|
|
Groups: ret, mode64
|
|
0x40fc8d: ret
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040f000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffda00] = '\x06'
|
|
mem[0x0040fc8d] = '\xc3'
|
|
mem[0x7fffffffd9f0] = '\xb0'
|
|
mem[0x7fffffffd9f1] = '\xda'
|
|
mem[0x7fffffffd9f2] = '\xff'
|
|
mem[0x7fffffffd9f3] = '\xff'
|
|
mem[0x7fffffffd9f4] = '\xff'
|
|
mem[0x7fffffffd9f5] = '\x7f'
|
|
mem[0x7fffffffd9f6] = '\x00'
|
|
mem[0x7fffffffd9f7] = '\x00'
|
|
mem[0x7fffffffd9f8] = '\xee'
|
|
mem[0x7fffffffd9f9] = '}'
|
|
mem[0x7fffffffd9fa] = 'E'
|
|
mem[0x7fffffffd9fb] = '\x00'
|
|
mem[0x7fffffffd9fc] = '\x00'
|
|
mem[0x7fffffffd9fd] = '\x00'
|
|
mem[0x7fffffffd9fe] = '\x00'
|
|
mem[0x7fffffffd9ff] = '\x00'
|
|
cpu.RSP = 0x7fffffffd9f8
|
|
cpu.RIP = 0x40fc8d
|
|
cpu.RBP = 0x7fffffffdab0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffda00], '\x06')
|
|
self.assertEqual(mem[0x40fc8d], '\xc3')
|
|
self.assertEqual(mem[0x7fffffffd9f0], '\xb0')
|
|
self.assertEqual(mem[0x7fffffffd9f1], '\xda')
|
|
self.assertEqual(mem[0x7fffffffd9f2], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd9f3], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd9f4], '\xff')
|
|
self.assertEqual(mem[0x7fffffffd9f5], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffd9f6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9f7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9f8], '\xee')
|
|
self.assertEqual(mem[0x7fffffffd9f9], '}')
|
|
self.assertEqual(mem[0x7fffffffd9fa], 'E')
|
|
self.assertEqual(mem[0x7fffffffd9fb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9fc], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9fd], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9fe], '\x00')
|
|
self.assertEqual(mem[0x7fffffffd9ff], '\x00')
|
|
self.assertEqual(cpu.RSP, 140737488345600L)
|
|
self.assertEqual(cpu.RIP, 4554222L)
|
|
self.assertEqual(cpu.RBP, 140737488345776L)
|
|
|
|
def test_ROL_1(self):
|
|
''' Instruction ROL_1
|
|
Groups:
|
|
0x44272a: rol rax, 0x11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00442000, 0x1000, 'rwx')
|
|
mem[0x0044272a] = 'H'
|
|
mem[0x0044272b] = '\xc1'
|
|
mem[0x0044272c] = '\xc0'
|
|
mem[0x0044272d] = '\x11'
|
|
cpu.OF = False
|
|
cpu.RIP = 0x44272a
|
|
cpu.CF = False
|
|
cpu.RAX = 0x69fd1b8f25bea73
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x44272a], 'H')
|
|
self.assertEqual(mem[0x44272b], '\xc1')
|
|
self.assertEqual(mem[0x44272c], '\xc0')
|
|
self.assertEqual(mem[0x44272d], '\x11')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.RAX, 11777445978752552255L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4466478L)
|
|
|
|
def test_ROL_2(self):
|
|
''' Instruction ROL_2
|
|
Groups:
|
|
0x7ffff7df408d: rol rax, 0x11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4090] = '\x11'
|
|
mem[0x7ffff7df408d] = 'H'
|
|
mem[0x7ffff7df408e] = '\xc1'
|
|
mem[0x7ffff7df408f] = '\xc0'
|
|
cpu.OF = False
|
|
cpu.RIP = 0x7ffff7df408d
|
|
cpu.CF = False
|
|
cpu.RAX = 0x7fffffffd9b0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df4090], '\x11')
|
|
self.assertEqual(mem[0x7ffff7df408d], 'H')
|
|
self.assertEqual(mem[0x7ffff7df408e], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7df408f], '\xc0')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.RAX, 18446744072423997440L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351991441L)
|
|
|
|
def test_ROL_3(self):
|
|
''' Instruction ROL_3
|
|
Groups:
|
|
0x409c7a: rol rdi, 0x11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00409000, 0x1000, 'rwx')
|
|
mem[0x00409c7a] = 'H'
|
|
mem[0x00409c7b] = '\xc1'
|
|
mem[0x00409c7c] = '\xc7'
|
|
mem[0x00409c7d] = '\x11'
|
|
cpu.OF = False
|
|
cpu.RDI = 0x4fb19f79d00a9c7e
|
|
cpu.CF = False
|
|
cpu.RIP = 0x409c7a
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x409c7a], 'H')
|
|
self.assertEqual(mem[0x409c7b], '\xc1')
|
|
self.assertEqual(mem[0x409c7c], '\xc7')
|
|
self.assertEqual(mem[0x409c7d], '\x11')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.RDI, 4536145262703058787L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4234366L)
|
|
|
|
def test_ROL_4(self):
|
|
''' Instruction ROL_4
|
|
Groups:
|
|
0x40725a: rol rdi, 0x11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00407000, 0x1000, 'rwx')
|
|
mem[0x0040725a] = 'H'
|
|
mem[0x0040725b] = '\xc1'
|
|
mem[0x0040725c] = '\xc7'
|
|
mem[0x0040725d] = '\x11'
|
|
cpu.OF = False
|
|
cpu.RDI = 0x1d13aa75a9fb0505
|
|
cpu.CF = False
|
|
cpu.RIP = 0x40725a
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x40725a], 'H')
|
|
self.assertEqual(mem[0x40725b], '\xc1')
|
|
self.assertEqual(mem[0x40725c], '\xc7')
|
|
self.assertEqual(mem[0x40725d], '\x11')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.RDI, 6119076834908453415L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4223582L)
|
|
|
|
def test_ROL_5(self):
|
|
''' Instruction ROL_5
|
|
Groups:
|
|
0x4452b5: rol rdx, 0x11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00445000, 0x1000, 'rwx')
|
|
mem[0x004452b8] = '\x11'
|
|
mem[0x004452b5] = 'H'
|
|
mem[0x004452b6] = '\xc1'
|
|
mem[0x004452b7] = '\xc2'
|
|
cpu.OF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x4452b5
|
|
cpu.RDX = 0x4fb1e0862fb57b2e
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4452b8], '\x11')
|
|
self.assertEqual(mem[0x4452b5], 'H')
|
|
self.assertEqual(mem[0x4452b6], '\xc1')
|
|
self.assertEqual(mem[0x4452b7], '\xc2')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4477625L)
|
|
self.assertEqual(cpu.RDX, 13910598262045056867L)
|
|
|
|
def test_ROL_6(self):
|
|
''' Instruction ROL_6
|
|
Groups:
|
|
0x7ffff7a6220a: rol rax, 0x11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a62000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a6220a] = 'H'
|
|
mem[0x7ffff7a6220b] = '\xc1'
|
|
mem[0x7ffff7a6220c] = '\xc0'
|
|
mem[0x7ffff7a6220d] = '\x11'
|
|
cpu.OF = False
|
|
cpu.RIP = 0x7ffff7a6220a
|
|
cpu.CF = False
|
|
cpu.RAX = 0x4d168f8071dccc80
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a6220a], 'H')
|
|
self.assertEqual(mem[0x7ffff7a6220b], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7a6220c], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7a6220d], '\x11')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.RAX, 2234035801451174445L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737348248078L)
|
|
|
|
def test_ROR_1(self):
|
|
''' Instruction ROR_1
|
|
Groups:
|
|
0x406f53: ror rax, 0x11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem[0x00406f53] = 'H'
|
|
mem[0x00406f54] = '\xc1'
|
|
mem[0x00406f55] = '\xc8'
|
|
mem[0x00406f56] = '\x11'
|
|
cpu.OF = False
|
|
cpu.RIP = 0x406f53
|
|
cpu.CF = False
|
|
cpu.RAX = 0x9287e74ad78292fc
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x406f53], 'H')
|
|
self.assertEqual(mem[0x406f54], '\xc1')
|
|
self.assertEqual(mem[0x406f55], '\xc8')
|
|
self.assertEqual(mem[0x406f56], '\x11')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.RAX, 5295750768033622977L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4222807L)
|
|
|
|
def test_ROR_2(self):
|
|
''' Instruction ROR_2
|
|
Groups:
|
|
0x7ffff7a65253: ror rax, 0x11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a65000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a65253] = 'H'
|
|
mem[0x7ffff7a65254] = '\xc1'
|
|
mem[0x7ffff7a65255] = '\xc8'
|
|
mem[0x7ffff7a65256] = '\x11'
|
|
cpu.OF = False
|
|
cpu.RIP = 0x7ffff7a65253
|
|
cpu.CF = False
|
|
cpu.RAX = 0x42002153efdd741e
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a65253], 'H')
|
|
self.assertEqual(mem[0x7ffff7a65254], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7a65255], '\xc8')
|
|
self.assertEqual(mem[0x7ffff7a65256], '\x11')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.RAX, 13406970899868547054L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737348260439L)
|
|
|
|
def test_ROR_3(self):
|
|
''' Instruction ROR_3
|
|
Groups:
|
|
0x406fd3: ror rax, 0x11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem[0x00406fd3] = 'H'
|
|
mem[0x00406fd4] = '\xc1'
|
|
mem[0x00406fd5] = '\xc8'
|
|
mem[0x00406fd6] = '\x11'
|
|
cpu.OF = False
|
|
cpu.RIP = 0x406fd3
|
|
cpu.CF = False
|
|
cpu.RAX = 0x4a02228a32751a47
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x406fd3], 'H')
|
|
self.assertEqual(mem[0x406fd4], '\xc1')
|
|
self.assertEqual(mem[0x406fd5], '\xc8')
|
|
self.assertEqual(mem[0x406fd6], '\x11')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.RAX, 10170153807536003386L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4222935L)
|
|
|
|
def test_ROR_4(self):
|
|
''' Instruction ROR_4
|
|
Groups:
|
|
0x7ffff7a65253: ror rax, 0x11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a65000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a65253] = 'H'
|
|
mem[0x7ffff7a65254] = '\xc1'
|
|
mem[0x7ffff7a65255] = '\xc8'
|
|
mem[0x7ffff7a65256] = '\x11'
|
|
cpu.OF = False
|
|
cpu.RIP = 0x7ffff7a65253
|
|
cpu.CF = False
|
|
cpu.RAX = 0x1b65e4b049796683
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a65253], 'H')
|
|
self.assertEqual(mem[0x7ffff7a65254], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7a65255], '\xc8')
|
|
self.assertEqual(mem[0x7ffff7a65256], '\x11')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.RAX, 12916761005984851132L)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737348260439L)
|
|
|
|
def test_ROR_5(self):
|
|
''' Instruction ROR_5
|
|
Groups:
|
|
0x406f53: ror rax, 0x11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem[0x00406f53] = 'H'
|
|
mem[0x00406f54] = '\xc1'
|
|
mem[0x00406f55] = '\xc8'
|
|
mem[0x00406f56] = '\x11'
|
|
cpu.OF = False
|
|
cpu.RIP = 0x406f53
|
|
cpu.CF = False
|
|
cpu.RAX = 0x54eb53f60a0a3a27
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x406f53], 'H')
|
|
self.assertEqual(mem[0x406f54], '\xc1')
|
|
self.assertEqual(mem[0x406f55], '\xc8')
|
|
self.assertEqual(mem[0x406f56], '\x11')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.RAX, 2095205673997108485L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4222807L)
|
|
|
|
def test_ROR_6(self):
|
|
''' Instruction ROR_6
|
|
Groups:
|
|
0x406fc3: ror rax, 0x11
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem[0x00406fc3] = 'H'
|
|
mem[0x00406fc4] = '\xc1'
|
|
mem[0x00406fc5] = '\xc8'
|
|
mem[0x00406fc6] = '\x11'
|
|
cpu.OF = False
|
|
cpu.RIP = 0x406fc3
|
|
cpu.CF = False
|
|
cpu.RAX = 0xf69983477b463caa
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x406fc3], 'H')
|
|
self.assertEqual(mem[0x406fc4], '\xc1')
|
|
self.assertEqual(mem[0x406fc5], '\xc8')
|
|
self.assertEqual(mem[0x406fc6], '\x11')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.RAX, 2185788763754708387L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4222919L)
|
|
|
|
def test_SAR_1(self):
|
|
''' Instruction SAR_1
|
|
Groups:
|
|
0x7ffff7de4085: sar rax, 2
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4088] = '\x02'
|
|
mem[0x7ffff7de4085] = 'H'
|
|
mem[0x7ffff7de4086] = '\xc1'
|
|
mem[0x7ffff7de4087] = '\xf8'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de4085
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.RAX = 0x15c8
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4088], '\x02')
|
|
self.assertEqual(mem[0x7ffff7de4085], 'H')
|
|
self.assertEqual(mem[0x7ffff7de4086], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de4087], '\xf8')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351925897L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.RAX, 1394L)
|
|
|
|
def test_SAR_2(self):
|
|
''' Instruction SAR_2
|
|
Groups:
|
|
0x7ffff7acfc78: sar r8d, 0x1f
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7acf000, 0x1000, 'rwx')
|
|
mem[0x7ffff7acfc78] = 'A'
|
|
mem[0x7ffff7acfc79] = '\xc1'
|
|
mem[0x7ffff7acfc7a] = '\xf8'
|
|
mem[0x7ffff7acfc7b] = '\x1f'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7acfc78
|
|
cpu.R8D = 0x9
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7acfc78], 'A')
|
|
self.assertEqual(mem[0x7ffff7acfc79], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7acfc7a], '\xf8')
|
|
self.assertEqual(mem[0x7ffff7acfc7b], '\x1f')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737348697212L)
|
|
self.assertEqual(cpu.R8D, 0L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SAR_3(self):
|
|
''' Instruction SAR_3
|
|
Groups:
|
|
0x7ffff7de4085: sar rax, 2
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4088] = '\x02'
|
|
mem[0x7ffff7de4085] = 'H'
|
|
mem[0x7ffff7de4086] = '\xc1'
|
|
mem[0x7ffff7de4087] = '\xf8'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de4085
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.RAX = 0x1290
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4088], '\x02')
|
|
self.assertEqual(mem[0x7ffff7de4085], 'H')
|
|
self.assertEqual(mem[0x7ffff7de4086], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de4087], '\xf8')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351925897L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.RAX, 1188L)
|
|
|
|
def test_SAR_4(self):
|
|
''' Instruction SAR_4
|
|
Groups:
|
|
0x7ffff7de4085: sar rax, 2
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4088] = '\x02'
|
|
mem[0x7ffff7de4085] = 'H'
|
|
mem[0x7ffff7de4086] = '\xc1'
|
|
mem[0x7ffff7de4087] = '\xf8'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de4085
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.RAX = 0x1450
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4088], '\x02')
|
|
self.assertEqual(mem[0x7ffff7de4085], 'H')
|
|
self.assertEqual(mem[0x7ffff7de4086], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de4087], '\xf8')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351925897L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.RAX, 1300L)
|
|
|
|
def test_SAR_5(self):
|
|
''' Instruction SAR_5
|
|
Groups:
|
|
0x7ffff7de4085: sar rax, 2
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4088] = '\x02'
|
|
mem[0x7ffff7de4085] = 'H'
|
|
mem[0x7ffff7de4086] = '\xc1'
|
|
mem[0x7ffff7de4087] = '\xf8'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de4085
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.RAX = 0x1420
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4088], '\x02')
|
|
self.assertEqual(mem[0x7ffff7de4085], 'H')
|
|
self.assertEqual(mem[0x7ffff7de4086], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de4087], '\xf8')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351925897L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.RAX, 1288L)
|
|
|
|
def test_SAR_6(self):
|
|
''' Instruction SAR_6
|
|
Groups:
|
|
0x7ffff7de4085: sar rax, 2
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4088] = '\x02'
|
|
mem[0x7ffff7de4085] = 'H'
|
|
mem[0x7ffff7de4086] = '\xc1'
|
|
mem[0x7ffff7de4087] = '\xf8'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de4085
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.RAX = 0x1070
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4088], '\x02')
|
|
self.assertEqual(mem[0x7ffff7de4085], 'H')
|
|
self.assertEqual(mem[0x7ffff7de4086], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de4087], '\xf8')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351925897L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.RAX, 1052L)
|
|
|
|
def test_SCASB_1(self):
|
|
''' Instruction SCASB_1
|
|
Groups:
|
|
0x7ffff7a78233: repne scasb al, byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffa000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a78234] = '\xae'
|
|
mem[0x7fffffffa9c8] = 'F'
|
|
mem[0x7fffffffa9c9] = '{'
|
|
mem[0x7fffffffa9ca] = '\xaa'
|
|
mem[0x7fffffffa9cb] = '\xf7'
|
|
mem[0x7fffffffa9cc] = '\xff'
|
|
mem[0x7fffffffa9cd] = '\x7f'
|
|
mem[0x7fffffffa9ce] = '\x00'
|
|
mem[0x7fffffffa9cf] = '\x00'
|
|
mem[0x7ffff7a78233] = '\xf2'
|
|
mem[0x7ffff7ba14b4] = 't'
|
|
mem[0x7ffff7ba14b5] = 'o'
|
|
mem[0x7ffff7ba14b6] = 'r'
|
|
mem[0x7ffff7ba14b7] = 'y'
|
|
mem[0x7ffff7ba14b8] = '\x00'
|
|
mem[0x7ffff7ba14b9] = 'N'
|
|
mem[0x7ffff7ba14ba] = 'o'
|
|
mem[0x7ffff7ba14bb] = ' '
|
|
cpu.RDI = 0x7ffff7ba14b4
|
|
cpu.RCX = 0xffffffffffffffea
|
|
cpu.RSI = 0x7fffffffa9c8
|
|
cpu.RIP = 0x7ffff7a78233
|
|
cpu.AL = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ba14b9], 'N')
|
|
self.assertEqual(mem[0x7fffffffa9c8], 'F')
|
|
self.assertEqual(mem[0x7fffffffa9c9], '{')
|
|
self.assertEqual(mem[0x7fffffffa9ca], '\xaa')
|
|
self.assertEqual(mem[0x7fffffffa9cb], '\xf7')
|
|
self.assertEqual(mem[0x7fffffffa9cc], '\xff')
|
|
self.assertEqual(mem[0x7fffffffa9cd], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffa9ce], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cf], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a78233], '\xf2')
|
|
self.assertEqual(mem[0x7ffff7a78234], '\xae')
|
|
self.assertEqual(mem[0x7ffff7ba14b5], 'o')
|
|
self.assertEqual(mem[0x7ffff7ba14b6], 'r')
|
|
self.assertEqual(mem[0x7ffff7ba14b7], 'y')
|
|
self.assertEqual(mem[0x7ffff7ba14b8], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ba14b4], 't')
|
|
self.assertEqual(mem[0x7ffff7ba14ba], 'o')
|
|
self.assertEqual(mem[0x7ffff7ba14bb], ' ')
|
|
self.assertEqual(cpu.RCX, 18446744073709551593L)
|
|
self.assertEqual(cpu.RDI, 140737349555381L)
|
|
self.assertEqual(cpu.RSI, 140737488333256L)
|
|
self.assertEqual(cpu.RIP, 140737348338227L)
|
|
self.assertEqual(cpu.AL, 0L)
|
|
|
|
def test_SCASB_2(self):
|
|
''' Instruction SCASB_2
|
|
Groups:
|
|
0x7ffff7a78233: repne scasb al, byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffa000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ba14a1] = ' '
|
|
mem[0x7ffff7ba14a2] = 's'
|
|
mem[0x7ffff7ba14a3] = 'u'
|
|
mem[0x7ffff7ba14a4] = 'c'
|
|
mem[0x7ffff7ba14a5] = 'h'
|
|
mem[0x7ffff7ba14a6] = ' '
|
|
mem[0x7ffff7ba14a7] = 'f'
|
|
mem[0x7ffff7ba14a8] = 'i'
|
|
mem[0x7fffffffa9c9] = '\x00'
|
|
mem[0x7fffffffa9ca] = '\x00'
|
|
mem[0x7fffffffa9cb] = '\x00'
|
|
mem[0x7fffffffa9cc] = '\x00'
|
|
mem[0x7fffffffa9cd] = '\x00'
|
|
mem[0x7fffffffa9ce] = '\x00'
|
|
mem[0x7fffffffa9cf] = '\x00'
|
|
mem[0x7fffffffa9c8] = '\x00'
|
|
mem[0x7ffff7a78233] = '\xf2'
|
|
mem[0x7ffff7a78234] = '\xae'
|
|
cpu.RDI = 0x7ffff7ba14a1
|
|
cpu.RCX = 0xfffffffffffffffd
|
|
cpu.RSI = 0x7fffffffa9c8
|
|
cpu.RIP = 0x7ffff7a78233
|
|
cpu.AL = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ba14a1], ' ')
|
|
self.assertEqual(mem[0x7ffff7ba14a2], 's')
|
|
self.assertEqual(mem[0x7ffff7ba14a3], 'u')
|
|
self.assertEqual(mem[0x7ffff7ba14a4], 'c')
|
|
self.assertEqual(mem[0x7ffff7ba14a5], 'h')
|
|
self.assertEqual(mem[0x7ffff7ba14a6], ' ')
|
|
self.assertEqual(mem[0x7ffff7ba14a7], 'f')
|
|
self.assertEqual(mem[0x7fffffffa9c8], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9c9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9ca], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cc], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cd], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9ce], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cf], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ba14a8], 'i')
|
|
self.assertEqual(mem[0x7ffff7a78233], '\xf2')
|
|
self.assertEqual(mem[0x7ffff7a78234], '\xae')
|
|
self.assertEqual(cpu.RCX, 18446744073709551612L)
|
|
self.assertEqual(cpu.RDI, 140737349555362L)
|
|
self.assertEqual(cpu.RSI, 140737488333256L)
|
|
self.assertEqual(cpu.RIP, 140737348338227L)
|
|
self.assertEqual(cpu.AL, 0L)
|
|
|
|
def test_SCASB_3(self):
|
|
''' Instruction SCASB_3
|
|
Groups:
|
|
0x7ffff7a78233: repne scasb al, byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffa000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a78234] = '\xae'
|
|
mem[0x7fffffffa9c8] = '\x00'
|
|
mem[0x7fffffffa9c9] = '\x00'
|
|
mem[0x7fffffffa9ca] = '\x00'
|
|
mem[0x7fffffffa9cb] = '\x00'
|
|
mem[0x7fffffffa9cc] = '\x00'
|
|
mem[0x7fffffffa9cd] = '\x00'
|
|
mem[0x7fffffffa9ce] = '\x00'
|
|
mem[0x7fffffffa9cf] = '\x00'
|
|
mem[0x7ffff7a78233] = '\xf2'
|
|
mem[0x7ffff7ba14b2] = 'e'
|
|
mem[0x7ffff7ba14b3] = 'c'
|
|
mem[0x7ffff7ba14b4] = 't'
|
|
mem[0x7ffff7ba14b5] = 'o'
|
|
mem[0x7ffff7ba14b6] = 'r'
|
|
mem[0x7ffff7ba14b7] = 'y'
|
|
mem[0x7ffff7ba14b8] = '\x00'
|
|
mem[0x7ffff7ba14b9] = 'N'
|
|
cpu.RDI = 0x7ffff7ba14b2
|
|
cpu.RCX = 0xffffffffffffffec
|
|
cpu.RSI = 0x7fffffffa9c8
|
|
cpu.RIP = 0x7ffff7a78233
|
|
cpu.AL = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ba14b9], 'N')
|
|
self.assertEqual(mem[0x7ffff7ba14b3], 'c')
|
|
self.assertEqual(mem[0x7fffffffa9c8], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9c9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9ca], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cc], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cd], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9ce], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cf], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ba14b2], 'e')
|
|
self.assertEqual(mem[0x7ffff7a78233], '\xf2')
|
|
self.assertEqual(mem[0x7ffff7a78234], '\xae')
|
|
self.assertEqual(mem[0x7ffff7ba14b5], 'o')
|
|
self.assertEqual(mem[0x7ffff7ba14b6], 'r')
|
|
self.assertEqual(mem[0x7ffff7ba14b7], 'y')
|
|
self.assertEqual(mem[0x7ffff7ba14b8], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ba14b4], 't')
|
|
self.assertEqual(cpu.RCX, 18446744073709551595L)
|
|
self.assertEqual(cpu.RDI, 140737349555379L)
|
|
self.assertEqual(cpu.RSI, 140737488333256L)
|
|
self.assertEqual(cpu.RIP, 140737348338227L)
|
|
self.assertEqual(cpu.AL, 0L)
|
|
|
|
def test_SCASB_4(self):
|
|
''' Instruction SCASB_4
|
|
Groups:
|
|
0x7ffff7a78233: repne scasb al, byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffe000, 0x1000, 'rwx')
|
|
mem[0x7fffffffe0a5] = 'g'
|
|
mem[0x7fffffffe0a6] = 'z'
|
|
mem[0x7fffffffe0a7] = 'i'
|
|
mem[0x7fffffffe0a8] = 'p'
|
|
mem[0x7fffffffe0a9] = '\x00'
|
|
mem[0x7fffffffe0aa] = 'a'
|
|
mem[0x7fffffffe0ab] = 'r'
|
|
mem[0x7fffffffe0ac] = 'g'
|
|
mem[0x7ffff7a78233] = '\xf2'
|
|
mem[0x7ffff7a78234] = '\xae'
|
|
mem[0x7fffffffc2f8] = '\x1f'
|
|
mem[0x7fffffffc2f9] = '\xd5'
|
|
mem[0x7fffffffc2fa] = '\xff'
|
|
mem[0x7fffffffc2fb] = '\xff'
|
|
mem[0x7fffffffc2fc] = '\xff'
|
|
mem[0x7fffffffc2fd] = '\x7f'
|
|
mem[0x7fffffffc2fe] = '\x00'
|
|
mem[0x7fffffffc2ff] = '\x00'
|
|
cpu.RDI = 0x7fffffffe0a5
|
|
cpu.RCX = 0xffffffffffffffff
|
|
cpu.RSI = 0x7fffffffc2f8
|
|
cpu.RIP = 0x7ffff7a78233
|
|
cpu.AL = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffe0a5], 'g')
|
|
self.assertEqual(mem[0x7fffffffe0a6], 'z')
|
|
self.assertEqual(mem[0x7fffffffe0a7], 'i')
|
|
self.assertEqual(mem[0x7fffffffe0a8], 'p')
|
|
self.assertEqual(mem[0x7fffffffe0a9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffe0aa], 'a')
|
|
self.assertEqual(mem[0x7fffffffe0ab], 'r')
|
|
self.assertEqual(mem[0x7fffffffe0ac], 'g')
|
|
self.assertEqual(mem[0x7ffff7a78233], '\xf2')
|
|
self.assertEqual(mem[0x7ffff7a78234], '\xae')
|
|
self.assertEqual(mem[0x7fffffffc2f8], '\x1f')
|
|
self.assertEqual(mem[0x7fffffffc2f9], '\xd5')
|
|
self.assertEqual(mem[0x7fffffffc2fa], '\xff')
|
|
self.assertEqual(mem[0x7fffffffc2fb], '\xff')
|
|
self.assertEqual(mem[0x7fffffffc2fc], '\xff')
|
|
self.assertEqual(mem[0x7fffffffc2fd], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffc2fe], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc2ff], '\x00')
|
|
self.assertEqual(cpu.RCX, 18446744073709551614L)
|
|
self.assertEqual(cpu.RDI, 140737488347302L)
|
|
self.assertEqual(cpu.RSI, 140737488339704L)
|
|
self.assertEqual(cpu.RIP, 140737348338227L)
|
|
self.assertEqual(cpu.AL, 0L)
|
|
|
|
def test_SCASB_5(self):
|
|
''' Instruction SCASB_5
|
|
Groups:
|
|
0x7ffff7a78233: repne scasb al, byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffa000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ba14ab] = ' '
|
|
mem[0x7ffff7ba14a5] = 'h'
|
|
mem[0x7ffff7ba14a6] = ' '
|
|
mem[0x7ffff7ba14a7] = 'f'
|
|
mem[0x7ffff7ba14a8] = 'i'
|
|
mem[0x7ffff7ba14a9] = 'l'
|
|
mem[0x7ffff7ba14aa] = 'e'
|
|
mem[0x7fffffffa9cb] = '\x00'
|
|
mem[0x7ffff7ba14ac] = 'o'
|
|
mem[0x7fffffffa9cd] = '\x00'
|
|
mem[0x7fffffffa9ce] = '\x00'
|
|
mem[0x7fffffffa9cf] = '\x00'
|
|
mem[0x7fffffffa9c8] = '\x00'
|
|
mem[0x7ffff7a78233] = '\xf2'
|
|
mem[0x7ffff7a78234] = '\xae'
|
|
mem[0x7fffffffa9c9] = '\x00'
|
|
mem[0x7fffffffa9cc] = '\x00'
|
|
mem[0x7fffffffa9ca] = '\x00'
|
|
cpu.RDI = 0x7ffff7ba14a5
|
|
cpu.RCX = 0xfffffffffffffff9
|
|
cpu.RSI = 0x7fffffffa9c8
|
|
cpu.RIP = 0x7ffff7a78233
|
|
cpu.AL = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ba14ab], ' ')
|
|
self.assertEqual(mem[0x7ffff7ba14a5], 'h')
|
|
self.assertEqual(mem[0x7ffff7ba14a6], ' ')
|
|
self.assertEqual(mem[0x7ffff7ba14a7], 'f')
|
|
self.assertEqual(mem[0x7fffffffa9c8], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9c9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9ca], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cc], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cd], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9ce], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cf], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ba14a8], 'i')
|
|
self.assertEqual(mem[0x7ffff7ba14ac], 'o')
|
|
self.assertEqual(mem[0x7ffff7a78234], '\xae')
|
|
self.assertEqual(mem[0x7ffff7a78233], '\xf2')
|
|
self.assertEqual(mem[0x7ffff7ba14a9], 'l')
|
|
self.assertEqual(mem[0x7ffff7ba14aa], 'e')
|
|
self.assertEqual(cpu.RCX, 18446744073709551608L)
|
|
self.assertEqual(cpu.RDI, 140737349555366L)
|
|
self.assertEqual(cpu.RSI, 140737488333256L)
|
|
self.assertEqual(cpu.RIP, 140737348338227L)
|
|
self.assertEqual(cpu.AL, 0L)
|
|
|
|
def test_SCASB_6(self):
|
|
''' Instruction SCASB_6
|
|
Groups:
|
|
0x7ffff7a78233: repne scasb al, byte ptr [rdi]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555771000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffa000, 0x1000, 'rwx')
|
|
mem[0x555555771dc0] = 'a'
|
|
mem[0x555555771dc1] = 'r'
|
|
mem[0x555555771dc2] = 'g'
|
|
mem[0x555555771dc3] = '1'
|
|
mem[0x555555771dc4] = '\x00'
|
|
mem[0x555555771dc5] = '\x00'
|
|
mem[0x555555771dc6] = '\x00'
|
|
mem[0x555555771dc7] = '\x00'
|
|
mem[0x7fffffffa9c8] = '\x00'
|
|
mem[0x7fffffffa9c9] = '\x00'
|
|
mem[0x7fffffffa9ca] = '\x00'
|
|
mem[0x7fffffffa9cb] = '\x00'
|
|
mem[0x7fffffffa9cc] = '\x00'
|
|
mem[0x7fffffffa9cd] = '\x00'
|
|
mem[0x7fffffffa9ce] = '\x00'
|
|
mem[0x7fffffffa9cf] = '\x00'
|
|
mem[0x7ffff7a78233] = '\xf2'
|
|
mem[0x7ffff7a78234] = '\xae'
|
|
cpu.RDI = 0x555555771dc0
|
|
cpu.RCX = 0xffffffffffffffff
|
|
cpu.RSI = 0x7fffffffa9c8
|
|
cpu.RIP = 0x7ffff7a78233
|
|
cpu.AL = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x555555771dc0], 'a')
|
|
self.assertEqual(mem[0x555555771dc1], 'r')
|
|
self.assertEqual(mem[0x555555771dc2], 'g')
|
|
self.assertEqual(mem[0x555555771dc3], '1')
|
|
self.assertEqual(mem[0x555555771dc4], '\x00')
|
|
self.assertEqual(mem[0x555555771dc5], '\x00')
|
|
self.assertEqual(mem[0x555555771dc6], '\x00')
|
|
self.assertEqual(mem[0x555555771dc7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9c8], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9c9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9ca], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cc], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cd], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9ce], '\x00')
|
|
self.assertEqual(mem[0x7fffffffa9cf], '\x00')
|
|
self.assertEqual(mem[0x7ffff7a78233], '\xf2')
|
|
self.assertEqual(mem[0x7ffff7a78234], '\xae')
|
|
self.assertEqual(cpu.RCX, 18446744073709551614L)
|
|
self.assertEqual(cpu.RDI, 93824994450881L)
|
|
self.assertEqual(cpu.RSI, 140737488333256L)
|
|
self.assertEqual(cpu.RIP, 140737348338227L)
|
|
self.assertEqual(cpu.AL, 0L)
|
|
|
|
def test_SETA_1(self):
|
|
''' Instruction SETA_1
|
|
Groups:
|
|
0x5555555548c2: seta dl
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem[0x5555555548c2] = '\x0f'
|
|
mem[0x5555555548c3] = '\x97'
|
|
mem[0x5555555548c4] = '\xc2'
|
|
cpu.DL = 0x0
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x5555555548c2
|
|
cpu.CF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x5555555548c2], '\x0f')
|
|
self.assertEqual(mem[0x5555555548c3], '\x97')
|
|
self.assertEqual(mem[0x5555555548c4], '\xc2')
|
|
self.assertEqual(cpu.DL, 1L)
|
|
self.assertEqual(cpu.RIP, 93824992233669L)
|
|
|
|
def test_SETBE_1(self):
|
|
''' Instruction SETBE_1
|
|
Groups:
|
|
0x7ffff7de6207: setbe r9b
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6208] = '\x0f'
|
|
mem[0x7ffff7de6209] = '\x96'
|
|
mem[0x7ffff7de620a] = '\xc1'
|
|
mem[0x7ffff7de6207] = 'A'
|
|
cpu.ZF = False
|
|
cpu.R9B = 0x58
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6207
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6208], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de6209], '\x96')
|
|
self.assertEqual(mem[0x7ffff7de620a], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de6207], 'A')
|
|
self.assertEqual(cpu.R9B, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351934475L)
|
|
|
|
def test_SETBE_2(self):
|
|
''' Instruction SETBE_2
|
|
Groups:
|
|
0x7ffff7de6207: setbe r9b
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6208] = '\x0f'
|
|
mem[0x7ffff7de6209] = '\x96'
|
|
mem[0x7ffff7de620a] = '\xc1'
|
|
mem[0x7ffff7de6207] = 'A'
|
|
cpu.ZF = False
|
|
cpu.R9B = 0x58
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6207
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6208], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de6209], '\x96')
|
|
self.assertEqual(mem[0x7ffff7de620a], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de6207], 'A')
|
|
self.assertEqual(cpu.R9B, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351934475L)
|
|
|
|
def test_SETBE_3(self):
|
|
''' Instruction SETBE_3
|
|
Groups:
|
|
0x7ffff7de6207: setbe r9b
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6208] = '\x0f'
|
|
mem[0x7ffff7de6209] = '\x96'
|
|
mem[0x7ffff7de620a] = '\xc1'
|
|
mem[0x7ffff7de6207] = 'A'
|
|
cpu.ZF = False
|
|
cpu.R9B = 0x58
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6207
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6208], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de6209], '\x96')
|
|
self.assertEqual(mem[0x7ffff7de620a], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de6207], 'A')
|
|
self.assertEqual(cpu.R9B, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351934475L)
|
|
|
|
def test_SETBE_4(self):
|
|
''' Instruction SETBE_4
|
|
Groups:
|
|
0x7ffff7de6207: setbe r9b
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6208] = '\x0f'
|
|
mem[0x7ffff7de6209] = '\x96'
|
|
mem[0x7ffff7de620a] = '\xc1'
|
|
mem[0x7ffff7de6207] = 'A'
|
|
cpu.ZF = False
|
|
cpu.R9B = 0x58
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6207
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6208], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de6209], '\x96')
|
|
self.assertEqual(mem[0x7ffff7de620a], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de6207], 'A')
|
|
self.assertEqual(cpu.R9B, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351934475L)
|
|
|
|
def test_SETBE_5(self):
|
|
''' Instruction SETBE_5
|
|
Groups:
|
|
0x7ffff7de6207: setbe r9b
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6208] = '\x0f'
|
|
mem[0x7ffff7de6209] = '\x96'
|
|
mem[0x7ffff7de620a] = '\xc1'
|
|
mem[0x7ffff7de6207] = 'A'
|
|
cpu.ZF = False
|
|
cpu.R9B = 0x58
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6207
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6208], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de6209], '\x96')
|
|
self.assertEqual(mem[0x7ffff7de620a], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de6207], 'A')
|
|
self.assertEqual(cpu.R9B, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351934475L)
|
|
|
|
def test_SETBE_6(self):
|
|
''' Instruction SETBE_6
|
|
Groups:
|
|
0x7ffff7de6207: setbe r9b
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6208] = '\x0f'
|
|
mem[0x7ffff7de6209] = '\x96'
|
|
mem[0x7ffff7de620a] = '\xc1'
|
|
mem[0x7ffff7de6207] = 'A'
|
|
cpu.ZF = False
|
|
cpu.R9B = 0x58
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6207
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6208], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de6209], '\x96')
|
|
self.assertEqual(mem[0x7ffff7de620a], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de6207], 'A')
|
|
self.assertEqual(cpu.R9B, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351934475L)
|
|
|
|
def test_SETB_1(self):
|
|
''' Instruction SETB_1
|
|
Groups:
|
|
0x4342ea: setb al
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x004342ea] = '\x0f'
|
|
mem[0x004342eb] = '\x92'
|
|
mem[0x004342ec] = '\xc0'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x4342ea
|
|
cpu.AL = 0xc0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4342ea], '\x0f')
|
|
self.assertEqual(mem[0x4342eb], '\x92')
|
|
self.assertEqual(mem[0x4342ec], '\xc0')
|
|
self.assertEqual(cpu.AL, 0L)
|
|
self.assertEqual(cpu.RIP, 4408045L)
|
|
|
|
def test_SETB_2(self):
|
|
''' Instruction SETB_2
|
|
Groups:
|
|
0x43426a: setb al
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x0043426a] = '\x0f'
|
|
mem[0x0043426b] = '\x92'
|
|
mem[0x0043426c] = '\xc0'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x43426a
|
|
cpu.AL = 0xc0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x43426a], '\x0f')
|
|
self.assertEqual(mem[0x43426b], '\x92')
|
|
self.assertEqual(mem[0x43426c], '\xc0')
|
|
self.assertEqual(cpu.AL, 0L)
|
|
self.assertEqual(cpu.RIP, 4407917L)
|
|
|
|
def test_SETB_3(self):
|
|
''' Instruction SETB_3
|
|
Groups:
|
|
0x4346ca: setb al
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x004346ca] = '\x0f'
|
|
mem[0x004346cb] = '\x92'
|
|
mem[0x004346cc] = '\xc0'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x4346ca
|
|
cpu.AL = 0xc0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4346ca], '\x0f')
|
|
self.assertEqual(mem[0x4346cb], '\x92')
|
|
self.assertEqual(mem[0x4346cc], '\xc0')
|
|
self.assertEqual(cpu.AL, 0L)
|
|
self.assertEqual(cpu.RIP, 4409037L)
|
|
|
|
def test_SETB_4(self):
|
|
''' Instruction SETB_4
|
|
Groups:
|
|
0x4342ea: setb al
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x004342ea] = '\x0f'
|
|
mem[0x004342eb] = '\x92'
|
|
mem[0x004342ec] = '\xc0'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x4342ea
|
|
cpu.AL = 0xc0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4342ea], '\x0f')
|
|
self.assertEqual(mem[0x4342eb], '\x92')
|
|
self.assertEqual(mem[0x4342ec], '\xc0')
|
|
self.assertEqual(cpu.AL, 0L)
|
|
self.assertEqual(cpu.RIP, 4408045L)
|
|
|
|
def test_SETB_5(self):
|
|
''' Instruction SETB_5
|
|
Groups:
|
|
0x4342ea: setb al
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x004342ea] = '\x0f'
|
|
mem[0x004342eb] = '\x92'
|
|
mem[0x004342ec] = '\xc0'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x4342ea
|
|
cpu.AL = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4342ea], '\x0f')
|
|
self.assertEqual(mem[0x4342eb], '\x92')
|
|
self.assertEqual(mem[0x4342ec], '\xc0')
|
|
self.assertEqual(cpu.AL, 0L)
|
|
self.assertEqual(cpu.RIP, 4408045L)
|
|
|
|
def test_SETB_6(self):
|
|
''' Instruction SETB_6
|
|
Groups:
|
|
0x43430a: setb al
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x0043430a] = '\x0f'
|
|
mem[0x0043430b] = '\x92'
|
|
mem[0x0043430c] = '\xc0'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x43430a
|
|
cpu.AL = 0xc0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x43430a], '\x0f')
|
|
self.assertEqual(mem[0x43430b], '\x92')
|
|
self.assertEqual(mem[0x43430c], '\xc0')
|
|
self.assertEqual(cpu.AL, 0L)
|
|
self.assertEqual(cpu.RIP, 4408077L)
|
|
|
|
def test_SETE_1(self):
|
|
''' Instruction SETE_1
|
|
Groups:
|
|
0x7ffff7de36a2: sete r10b
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de36a2] = 'A'
|
|
mem[0x7ffff7de36a3] = '\x0f'
|
|
mem[0x7ffff7de36a4] = '\x94'
|
|
mem[0x7ffff7de36a5] = '\xc2'
|
|
cpu.R10B = 0x0
|
|
cpu.ZF = False
|
|
cpu.RIP = 0x7ffff7de36a2
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de36a2], 'A')
|
|
self.assertEqual(mem[0x7ffff7de36a3], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de36a4], '\x94')
|
|
self.assertEqual(mem[0x7ffff7de36a5], '\xc2')
|
|
self.assertEqual(cpu.R10B, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351923366L)
|
|
|
|
def test_SETE_2(self):
|
|
''' Instruction SETE_2
|
|
Groups:
|
|
0x7ffff7de620f: sete al
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6210] = '\x94'
|
|
mem[0x7ffff7de6211] = '\xc0'
|
|
mem[0x7ffff7de620f] = '\x0f'
|
|
cpu.ZF = False
|
|
cpu.AL = 0xf5
|
|
cpu.RIP = 0x7ffff7de620f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6210], '\x94')
|
|
self.assertEqual(mem[0x7ffff7de6211], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7de620f], '\x0f')
|
|
self.assertEqual(cpu.AL, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351934482L)
|
|
|
|
def test_SETE_3(self):
|
|
''' Instruction SETE_3
|
|
Groups:
|
|
0x7ffff7de6229: sete al
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6229] = '\x0f'
|
|
mem[0x7ffff7de622a] = '\x94'
|
|
mem[0x7ffff7de622b] = '\xc0'
|
|
cpu.ZF = True
|
|
cpu.AL = 0x0
|
|
cpu.RIP = 0x7ffff7de6229
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6229], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de622a], '\x94')
|
|
self.assertEqual(mem[0x7ffff7de622b], '\xc0')
|
|
self.assertEqual(cpu.AL, 1L)
|
|
self.assertEqual(cpu.RIP, 140737351934508L)
|
|
|
|
def test_SETE_4(self):
|
|
''' Instruction SETE_4
|
|
Groups:
|
|
0x7ffff7de6229: sete al
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6229] = '\x0f'
|
|
mem[0x7ffff7de622a] = '\x94'
|
|
mem[0x7ffff7de622b] = '\xc0'
|
|
cpu.ZF = True
|
|
cpu.AL = 0x0
|
|
cpu.RIP = 0x7ffff7de6229
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6229], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de622a], '\x94')
|
|
self.assertEqual(mem[0x7ffff7de622b], '\xc0')
|
|
self.assertEqual(cpu.AL, 1L)
|
|
self.assertEqual(cpu.RIP, 140737351934508L)
|
|
|
|
def test_SETE_5(self):
|
|
''' Instruction SETE_5
|
|
Groups:
|
|
0x432458: sete r9b
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432458] = 'A'
|
|
mem[0x00432459] = '\x0f'
|
|
mem[0x0043245a] = '\x94'
|
|
mem[0x0043245b] = '\xc1'
|
|
cpu.ZF = False
|
|
cpu.R9B = 0x30
|
|
cpu.RIP = 0x432458
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432458], 'A')
|
|
self.assertEqual(mem[0x432459], '\x0f')
|
|
self.assertEqual(mem[0x43245a], '\x94')
|
|
self.assertEqual(mem[0x43245b], '\xc1')
|
|
self.assertEqual(cpu.R9B, 0L)
|
|
self.assertEqual(cpu.RIP, 4400220L)
|
|
|
|
def test_SETE_6(self):
|
|
''' Instruction SETE_6
|
|
Groups:
|
|
0x7ffff7de620f: sete al
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6210] = '\x94'
|
|
mem[0x7ffff7de6211] = '\xc0'
|
|
mem[0x7ffff7de620f] = '\x0f'
|
|
cpu.ZF = False
|
|
cpu.AL = 0xf5
|
|
cpu.RIP = 0x7ffff7de620f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6210], '\x94')
|
|
self.assertEqual(mem[0x7ffff7de6211], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7de620f], '\x0f')
|
|
self.assertEqual(cpu.AL, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351934482L)
|
|
|
|
def test_SETG_1(self):
|
|
''' Instruction SETG_1
|
|
Groups:
|
|
0x555555567df4: setg r9b
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555567000, 0x1000, 'rwx')
|
|
mem[0x555555567df4] = 'A'
|
|
mem[0x555555567df5] = '\x0f'
|
|
mem[0x555555567df6] = '\x9f'
|
|
mem[0x555555567df7] = '\xc1'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.R9B = 0x0
|
|
cpu.SF = True
|
|
cpu.RIP = 0x555555567df4
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x555555567df4], 'A')
|
|
self.assertEqual(mem[0x555555567df5], '\x0f')
|
|
self.assertEqual(mem[0x555555567df6], '\x9f')
|
|
self.assertEqual(mem[0x555555567df7], '\xc1')
|
|
self.assertEqual(cpu.R9B, 0L)
|
|
self.assertEqual(cpu.RIP, 93824992312824L)
|
|
|
|
def test_SETG_2(self):
|
|
''' Instruction SETG_2
|
|
Groups:
|
|
0x555555567df4: setg r9b
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555567000, 0x1000, 'rwx')
|
|
mem[0x555555567df4] = 'A'
|
|
mem[0x555555567df5] = '\x0f'
|
|
mem[0x555555567df6] = '\x9f'
|
|
mem[0x555555567df7] = '\xc1'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.R9B = 0x0
|
|
cpu.SF = True
|
|
cpu.RIP = 0x555555567df4
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x555555567df4], 'A')
|
|
self.assertEqual(mem[0x555555567df5], '\x0f')
|
|
self.assertEqual(mem[0x555555567df6], '\x9f')
|
|
self.assertEqual(mem[0x555555567df7], '\xc1')
|
|
self.assertEqual(cpu.R9B, 0L)
|
|
self.assertEqual(cpu.RIP, 93824992312824L)
|
|
|
|
def test_SETLE_1(self):
|
|
''' Instruction SETLE_1
|
|
Groups:
|
|
0x448ae0: setle dl
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00448000, 0x1000, 'rwx')
|
|
mem[0x00448ae0] = '\x0f'
|
|
mem[0x00448ae1] = '\x9e'
|
|
mem[0x00448ae2] = '\xc2'
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.SF = False
|
|
cpu.RIP = 0x448ae0
|
|
cpu.DL = 0x1
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x448ae0], '\x0f')
|
|
self.assertEqual(mem[0x448ae1], '\x9e')
|
|
self.assertEqual(mem[0x448ae2], '\xc2')
|
|
self.assertEqual(cpu.DL, 1L)
|
|
self.assertEqual(cpu.RIP, 4492003L)
|
|
|
|
def test_SETLE_2(self):
|
|
''' Instruction SETLE_2
|
|
Groups:
|
|
0x448ae0: setle dl
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00448000, 0x1000, 'rwx')
|
|
mem[0x00448ae0] = '\x0f'
|
|
mem[0x00448ae1] = '\x9e'
|
|
mem[0x00448ae2] = '\xc2'
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.SF = False
|
|
cpu.RIP = 0x448ae0
|
|
cpu.DL = 0x1
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x448ae0], '\x0f')
|
|
self.assertEqual(mem[0x448ae1], '\x9e')
|
|
self.assertEqual(mem[0x448ae2], '\xc2')
|
|
self.assertEqual(cpu.DL, 1L)
|
|
self.assertEqual(cpu.RIP, 4492003L)
|
|
|
|
def test_SETNE_1(self):
|
|
''' Instruction SETNE_1
|
|
Groups:
|
|
0x410ee5: setne cl
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00410000, 0x1000, 'rwx')
|
|
mem[0x00410ee5] = '\x0f'
|
|
mem[0x00410ee6] = '\x95'
|
|
mem[0x00410ee7] = '\xc1'
|
|
cpu.ZF = True
|
|
cpu.RIP = 0x410ee5
|
|
cpu.CL = 0x6
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x410ee5], '\x0f')
|
|
self.assertEqual(mem[0x410ee6], '\x95')
|
|
self.assertEqual(mem[0x410ee7], '\xc1')
|
|
self.assertEqual(cpu.RIP, 4263656L)
|
|
self.assertEqual(cpu.CL, 0L)
|
|
|
|
def test_SETNE_2(self):
|
|
''' Instruction SETNE_2
|
|
Groups:
|
|
0x436d20: setne dl
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00436000, 0x1000, 'rwx')
|
|
mem[0x00436d20] = '\x0f'
|
|
mem[0x00436d21] = '\x95'
|
|
mem[0x00436d22] = '\xc2'
|
|
cpu.ZF = True
|
|
cpu.DL = 0x0
|
|
cpu.RIP = 0x436d20
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x436d20], '\x0f')
|
|
self.assertEqual(mem[0x436d21], '\x95')
|
|
self.assertEqual(mem[0x436d22], '\xc2')
|
|
self.assertEqual(cpu.DL, 0L)
|
|
self.assertEqual(cpu.RIP, 4418851L)
|
|
|
|
def test_SETNE_3(self):
|
|
''' Instruction SETNE_3
|
|
Groups:
|
|
0x410f05: setne cl
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00410000, 0x1000, 'rwx')
|
|
mem[0x00410f05] = '\x0f'
|
|
mem[0x00410f06] = '\x95'
|
|
mem[0x00410f07] = '\xc1'
|
|
cpu.ZF = True
|
|
cpu.RIP = 0x410f05
|
|
cpu.CL = 0x6
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x410f05], '\x0f')
|
|
self.assertEqual(mem[0x410f06], '\x95')
|
|
self.assertEqual(mem[0x410f07], '\xc1')
|
|
self.assertEqual(cpu.RIP, 4263688L)
|
|
self.assertEqual(cpu.CL, 0L)
|
|
|
|
def test_SETNE_4(self):
|
|
''' Instruction SETNE_4
|
|
Groups:
|
|
0x436f20: setne dl
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00436000, 0x1000, 'rwx')
|
|
mem[0x00436f20] = '\x0f'
|
|
mem[0x00436f21] = '\x95'
|
|
mem[0x00436f22] = '\xc2'
|
|
cpu.ZF = True
|
|
cpu.DL = 0x0
|
|
cpu.RIP = 0x436f20
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x436f20], '\x0f')
|
|
self.assertEqual(mem[0x436f21], '\x95')
|
|
self.assertEqual(mem[0x436f22], '\xc2')
|
|
self.assertEqual(cpu.DL, 0L)
|
|
self.assertEqual(cpu.RIP, 4419363L)
|
|
|
|
def test_SETNE_5(self):
|
|
''' Instruction SETNE_5
|
|
Groups:
|
|
0x4120f9: setne cl
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00412000, 0x1000, 'rwx')
|
|
mem[0x004120f9] = '\x0f'
|
|
mem[0x004120fa] = '\x95'
|
|
mem[0x004120fb] = '\xc1'
|
|
cpu.ZF = True
|
|
cpu.RIP = 0x4120f9
|
|
cpu.CL = 0x40
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4120f9], '\x0f')
|
|
self.assertEqual(mem[0x4120fa], '\x95')
|
|
self.assertEqual(mem[0x4120fb], '\xc1')
|
|
self.assertEqual(cpu.RIP, 4268284L)
|
|
self.assertEqual(cpu.CL, 0L)
|
|
|
|
def test_SETNE_6(self):
|
|
''' Instruction SETNE_6
|
|
Groups:
|
|
0x7ffff7de5de4: setne al
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5de4] = '\x0f'
|
|
mem[0x7ffff7de5de5] = '\x95'
|
|
mem[0x7ffff7de5de6] = '\xc0'
|
|
cpu.ZF = True
|
|
cpu.AL = 0x0
|
|
cpu.RIP = 0x7ffff7de5de4
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de5de4], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7de5de5], '\x95')
|
|
self.assertEqual(mem[0x7ffff7de5de6], '\xc0')
|
|
self.assertEqual(cpu.AL, 0L)
|
|
self.assertEqual(cpu.RIP, 140737351933415L)
|
|
|
|
def test_SHLX_1(self):
|
|
''' Instruction SHLX_1
|
|
Groups: bmi2
|
|
0x55555556594d: shlx rax, qword ptr [r14 + 0x50], rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555565000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffc800] = '\x00'
|
|
mem[0x7fffffffc801] = '\x00'
|
|
mem[0x7fffffffc802] = '\x00'
|
|
mem[0x7fffffffc803] = '\x00'
|
|
mem[0x7fffffffc804] = '\x00'
|
|
mem[0x7fffffffc805] = '\x00'
|
|
mem[0x7fffffffc806] = '\x00'
|
|
mem[0x7fffffffc807] = '\x00'
|
|
mem[0x55555556594d] = '\xc4'
|
|
mem[0x55555556594e] = '\xc2'
|
|
mem[0x55555556594f] = '\xf9'
|
|
mem[0x555555565950] = '\xf7'
|
|
mem[0x555555565951] = 'F'
|
|
mem[0x555555565952] = 'P'
|
|
cpu.R14 = 0x7fffffffc7b0
|
|
cpu.RIP = 0x55555556594d
|
|
cpu.RAX = 0x5
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffc800], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc801], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc802], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc803], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc804], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc805], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc806], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc807], '\x00')
|
|
self.assertEqual(mem[0x55555556594d], '\xc4')
|
|
self.assertEqual(mem[0x55555556594e], '\xc2')
|
|
self.assertEqual(mem[0x55555556594f], '\xf9')
|
|
self.assertEqual(mem[0x555555565950], '\xf7')
|
|
self.assertEqual(mem[0x555555565951], 'F')
|
|
self.assertEqual(mem[0x555555565952], 'P')
|
|
self.assertEqual(cpu.R14, 140737488340912L)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.RIP, 93824992303443L)
|
|
|
|
def test_SHLX_2(self):
|
|
''' Instruction SHLX_2
|
|
Groups: bmi2
|
|
0x55555556544a: shlx rax, rdx, rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555565000, 0x1000, 'rwx')
|
|
mem[0x55555556544a] = '\xc4'
|
|
mem[0x55555556544b] = '\xe2'
|
|
mem[0x55555556544c] = '\xf9'
|
|
mem[0x55555556544d] = '\xf7'
|
|
mem[0x55555556544e] = '\xc2'
|
|
cpu.RIP = 0x55555556544a
|
|
cpu.RAX = 0x8
|
|
cpu.RDX = 0x1
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x55555556544a], '\xc4')
|
|
self.assertEqual(mem[0x55555556544b], '\xe2')
|
|
self.assertEqual(mem[0x55555556544c], '\xf9')
|
|
self.assertEqual(mem[0x55555556544d], '\xf7')
|
|
self.assertEqual(mem[0x55555556544e], '\xc2')
|
|
self.assertEqual(cpu.RAX, 256L)
|
|
self.assertEqual(cpu.RIP, 93824992302159L)
|
|
self.assertEqual(cpu.RDX, 1L)
|
|
|
|
def test_SHLX_3(self):
|
|
''' Instruction SHLX_3
|
|
Groups: bmi2
|
|
0x55555556544a: shlx rax, rdx, rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555565000, 0x1000, 'rwx')
|
|
mem[0x55555556544a] = '\xc4'
|
|
mem[0x55555556544b] = '\xe2'
|
|
mem[0x55555556544c] = '\xf9'
|
|
mem[0x55555556544d] = '\xf7'
|
|
mem[0x55555556544e] = '\xc2'
|
|
cpu.RIP = 0x55555556544a
|
|
cpu.RAX = 0x8
|
|
cpu.RDX = 0x1
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x55555556544a], '\xc4')
|
|
self.assertEqual(mem[0x55555556544b], '\xe2')
|
|
self.assertEqual(mem[0x55555556544c], '\xf9')
|
|
self.assertEqual(mem[0x55555556544d], '\xf7')
|
|
self.assertEqual(mem[0x55555556544e], '\xc2')
|
|
self.assertEqual(cpu.RAX, 256L)
|
|
self.assertEqual(cpu.RIP, 93824992302159L)
|
|
self.assertEqual(cpu.RDX, 1L)
|
|
|
|
def test_SHLX_4(self):
|
|
''' Instruction SHLX_4
|
|
Groups: bmi2
|
|
0x55555556594d: shlx rax, qword ptr [r14 + 0x50], rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555565000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffc800] = '\x00'
|
|
mem[0x7fffffffc801] = '\x00'
|
|
mem[0x7fffffffc802] = '\x00'
|
|
mem[0x7fffffffc803] = '\x00'
|
|
mem[0x7fffffffc804] = '\x00'
|
|
mem[0x7fffffffc805] = '\x00'
|
|
mem[0x7fffffffc806] = '\x00'
|
|
mem[0x7fffffffc807] = '\x00'
|
|
mem[0x55555556594d] = '\xc4'
|
|
mem[0x55555556594e] = '\xc2'
|
|
mem[0x55555556594f] = '\xf9'
|
|
mem[0x555555565950] = '\xf7'
|
|
mem[0x555555565951] = 'F'
|
|
mem[0x555555565952] = 'P'
|
|
cpu.R14 = 0x7fffffffc7b0
|
|
cpu.RIP = 0x55555556594d
|
|
cpu.RAX = 0x5
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffc800], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc801], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc802], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc803], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc804], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc805], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc806], '\x00')
|
|
self.assertEqual(mem[0x7fffffffc807], '\x00')
|
|
self.assertEqual(mem[0x55555556594d], '\xc4')
|
|
self.assertEqual(mem[0x55555556594e], '\xc2')
|
|
self.assertEqual(mem[0x55555556594f], '\xf9')
|
|
self.assertEqual(mem[0x555555565950], '\xf7')
|
|
self.assertEqual(mem[0x555555565951], 'F')
|
|
self.assertEqual(mem[0x555555565952], 'P')
|
|
self.assertEqual(cpu.R14, 140737488340912L)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.RIP, 93824992303443L)
|
|
|
|
def test_SHL_1(self):
|
|
''' Instruction SHL_1
|
|
Groups:
|
|
0x7ffff7de438f: shl rsi, 5
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4390] = '\xc1'
|
|
mem[0x7ffff7de4391] = '\xe6'
|
|
mem[0x7ffff7de4392] = '\x05'
|
|
mem[0x7ffff7de438f] = 'H'
|
|
cpu.RSI = 0x597904
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de438f
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4390], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de4391], '\xe6')
|
|
self.assertEqual(mem[0x7ffff7de4392], '\x05')
|
|
self.assertEqual(mem[0x7ffff7de438f], 'H')
|
|
self.assertEqual(cpu.RSI, 187637888L)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351926675L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SHL_2(self):
|
|
''' Instruction SHL_2
|
|
Groups:
|
|
0x7ffff7de438f: shl rsi, 5
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4390] = '\xc1'
|
|
mem[0x7ffff7de4391] = '\xe6'
|
|
mem[0x7ffff7de4392] = '\x05'
|
|
mem[0x7ffff7de438f] = 'H'
|
|
cpu.RSI = 0x7144b72823ea49e0
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de438f
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4390], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de4391], '\xe6')
|
|
self.assertEqual(mem[0x7ffff7de4392], '\x05')
|
|
self.assertEqual(mem[0x7ffff7de438f], 'H')
|
|
self.assertEqual(cpu.RSI, 2924776815468297216L)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351926675L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SHL_3(self):
|
|
''' Instruction SHL_3
|
|
Groups:
|
|
0x7ffff7de438f: shl rsi, 5
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4390] = '\xc1'
|
|
mem[0x7ffff7de4391] = '\xe6'
|
|
mem[0x7ffff7de4392] = '\x05'
|
|
mem[0x7ffff7de438f] = 'H'
|
|
cpu.RSI = 0xcc5c406168309853
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de438f
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4390], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de4391], '\xe6')
|
|
self.assertEqual(mem[0x7ffff7de4392], '\x05')
|
|
self.assertEqual(mem[0x7ffff7de438f], 'H')
|
|
self.assertEqual(cpu.RSI, 10054299555619605088L)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351926675L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, True)
|
|
|
|
def test_SHL_4(self):
|
|
''' Instruction SHL_4
|
|
Groups:
|
|
0x7ffff7de438f: shl rsi, 5
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4390] = '\xc1'
|
|
mem[0x7ffff7de4391] = '\xe6'
|
|
mem[0x7ffff7de4392] = '\x05'
|
|
mem[0x7ffff7de438f] = 'H'
|
|
cpu.RSI = 0x726f9570cfb9645b
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de438f
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4390], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de4391], '\xe6')
|
|
self.assertEqual(mem[0x7ffff7de4392], '\x05')
|
|
self.assertEqual(mem[0x7ffff7de438f], 'H')
|
|
self.assertEqual(cpu.RSI, 5616743111828736864L)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351926675L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SHL_5(self):
|
|
''' Instruction SHL_5
|
|
Groups:
|
|
0x7ffff7de438f: shl rsi, 5
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4390] = '\xc1'
|
|
mem[0x7ffff7de4391] = '\xe6'
|
|
mem[0x7ffff7de4392] = '\x05'
|
|
mem[0x7ffff7de438f] = 'H'
|
|
cpu.RSI = 0x2b60c
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de438f
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4390], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de4391], '\xe6')
|
|
self.assertEqual(mem[0x7ffff7de4392], '\x05')
|
|
self.assertEqual(mem[0x7ffff7de438f], 'H')
|
|
self.assertEqual(cpu.RSI, 5685632L)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351926675L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SHL_6(self):
|
|
''' Instruction SHL_6
|
|
Groups:
|
|
0x7ffff7de438f: shl rsi, 5
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4390] = '\xc1'
|
|
mem[0x7ffff7de4391] = '\xe6'
|
|
mem[0x7ffff7de4392] = '\x05'
|
|
mem[0x7ffff7de438f] = 'H'
|
|
cpu.RSI = 0x377beb912d8eae5
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de438f
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4390], '\xc1')
|
|
self.assertEqual(mem[0x7ffff7de4391], '\xe6')
|
|
self.assertEqual(mem[0x7ffff7de4392], '\x05')
|
|
self.assertEqual(mem[0x7ffff7de438f], 'H')
|
|
self.assertEqual(cpu.RSI, 7996096205977115808L)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351926675L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SHR_1(self):
|
|
''' Instruction SHR_1
|
|
Groups:
|
|
0x7ffff7de405d: shr rdx, 1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de405d] = 'H'
|
|
mem[0x7ffff7de405e] = '\xd1'
|
|
mem[0x7ffff7de405f] = '\xea'
|
|
cpu.ZF = False
|
|
cpu.RDX = 0x144a5ad4
|
|
cpu.RIP = 0x7ffff7de405d
|
|
cpu.CF = False
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de405d], 'H')
|
|
self.assertEqual(mem[0x7ffff7de405e], '\xd1')
|
|
self.assertEqual(mem[0x7ffff7de405f], '\xea')
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351925856L)
|
|
self.assertEqual(cpu.RDX, 170208618L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SHR_2(self):
|
|
''' Instruction SHR_2
|
|
Groups:
|
|
0x7ffff7de391d: shr rsi, cl
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de391d] = 'H'
|
|
mem[0x7ffff7de391e] = '\xd3'
|
|
mem[0x7ffff7de391f] = '\xee'
|
|
cpu.RSI = 0x20ce23f6
|
|
cpu.CL = 0x6
|
|
cpu.ZF = True
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de391d
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de391d], 'H')
|
|
self.assertEqual(mem[0x7ffff7de391e], '\xd3')
|
|
self.assertEqual(mem[0x7ffff7de391f], '\xee')
|
|
self.assertEqual(cpu.RSI, 8599695L)
|
|
self.assertEqual(cpu.CL, 6L)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351924000L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SHR_3(self):
|
|
''' Instruction SHR_3
|
|
Groups:
|
|
0x7ffff7de3926: shr rsi, cl
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3928] = '\xee'
|
|
mem[0x7ffff7de3926] = 'H'
|
|
mem[0x7ffff7de3927] = '\xd3'
|
|
cpu.RSI = 0x800000001204088
|
|
cpu.CL = 0xda
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de3926
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de3928], '\xee')
|
|
self.assertEqual(mem[0x7ffff7de3926], 'H')
|
|
self.assertEqual(mem[0x7ffff7de3927], '\xd3')
|
|
self.assertEqual(cpu.RSI, 8589934592L)
|
|
self.assertEqual(cpu.CL, 218L)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351924009L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SHR_4(self):
|
|
''' Instruction SHR_4
|
|
Groups:
|
|
0x7ffff7de61d2: shr al, 4
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de61d2] = '\xc0'
|
|
mem[0x7ffff7de61d3] = '\xe8'
|
|
mem[0x7ffff7de61d4] = '\x04'
|
|
cpu.ZF = False
|
|
cpu.AL = 0x22
|
|
cpu.RIP = 0x7ffff7de61d2
|
|
cpu.CF = False
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de61d2], '\xc0')
|
|
self.assertEqual(mem[0x7ffff7de61d3], '\xe8')
|
|
self.assertEqual(mem[0x7ffff7de61d4], '\x04')
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351934421L)
|
|
self.assertEqual(cpu.AL, 2L)
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SHR_5(self):
|
|
''' Instruction SHR_5
|
|
Groups:
|
|
0x7ffff7de391d: shr rsi, cl
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de391d] = 'H'
|
|
mem[0x7ffff7de391e] = '\xd3'
|
|
mem[0x7ffff7de391f] = '\xee'
|
|
cpu.RSI = 0x7c967e3f
|
|
cpu.CL = 0xe
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de391d
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de391d], 'H')
|
|
self.assertEqual(mem[0x7ffff7de391e], '\xd3')
|
|
self.assertEqual(mem[0x7ffff7de391f], '\xee')
|
|
self.assertEqual(cpu.RSI, 127577L)
|
|
self.assertEqual(cpu.CL, 14L)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 140737351924000L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SHR_6(self):
|
|
''' Instruction SHR_6
|
|
Groups:
|
|
0x4322bd: shr rax, 1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x004322bd] = 'H'
|
|
mem[0x004322be] = '\xd1'
|
|
mem[0x004322bf] = '\xe8'
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x4322bd
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.RAX = 0x1
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4322bd], 'H')
|
|
self.assertEqual(mem[0x4322be], '\xd1')
|
|
self.assertEqual(mem[0x4322bf], '\xe8')
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4399808L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
|
|
def test_STC_1(self):
|
|
''' Instruction STC_1
|
|
Groups:
|
|
0x5667fa: stc
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00566000, 0x1000, 'rwx')
|
|
mem[0x005667fa] = '\xf9'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x5667fa
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x5667fa], '\xf9')
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 5662715L)
|
|
|
|
def test_STC_2(self):
|
|
''' Instruction STC_2
|
|
Groups:
|
|
0x42a889: stc
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0042a000, 0x1000, 'rwx')
|
|
mem[0x0042a889] = '\xf9'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x42a889
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x42a889], '\xf9')
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 4368522L)
|
|
|
|
def test_STC_3(self):
|
|
''' Instruction STC_3
|
|
Groups:
|
|
0x60b5d5: stc
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0060b000, 0x1000, 'rwx')
|
|
mem[0x0060b5d5] = '\xf9'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x60b5d5
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x60b5d5], '\xf9')
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 6338006L)
|
|
|
|
def test_STC_4(self):
|
|
''' Instruction STC_4
|
|
Groups:
|
|
0x52da4d: stc
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0052d000, 0x1000, 'rwx')
|
|
mem[0x0052da4d] = '\xf9'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x52da4d
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x52da4d], '\xf9')
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 5429838L)
|
|
|
|
def test_STC_5(self):
|
|
''' Instruction STC_5
|
|
Groups:
|
|
0x56ba0e: stc
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0056b000, 0x1000, 'rwx')
|
|
mem[0x0056ba0e] = '\xf9'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x56ba0e
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x56ba0e], '\xf9')
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 5683727L)
|
|
|
|
def test_STC_6(self):
|
|
''' Instruction STC_6
|
|
Groups:
|
|
0x61a7d6: stc
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0061a000, 0x1000, 'rwx')
|
|
mem[0x0061a7d6] = '\xf9'
|
|
cpu.CF = False
|
|
cpu.RIP = 0x61a7d6
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x61a7d6], '\xf9')
|
|
self.assertEqual(cpu.CF, True)
|
|
self.assertEqual(cpu.RIP, 6399959L)
|
|
|
|
def test_STOSD_1(self):
|
|
''' Instruction STOSD_1
|
|
Groups:
|
|
0x5555555547c2: rep stosd dword ptr [rdi], eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x5555555547c2] = '\xf3'
|
|
mem[0x5555555547c3] = '\xab'
|
|
mem[0x7fffffffda88] = '\x00'
|
|
mem[0x7fffffffda89] = '\x00'
|
|
mem[0x7fffffffda8a] = '\x00'
|
|
mem[0x7fffffffda8b] = '\x00'
|
|
mem[0x7fffffffda8c] = '\x00'
|
|
mem[0x7fffffffda8d] = '\x00'
|
|
mem[0x7fffffffda8e] = '\x00'
|
|
mem[0x7fffffffda8f] = '\x00'
|
|
mem[0x7fffffffdb70] = '\xa0'
|
|
mem[0x7fffffffdb71] = '\xdb'
|
|
mem[0x7fffffffdb72] = '\xff'
|
|
mem[0x7fffffffdb73] = '\xff'
|
|
mem[0x7fffffffdb74] = '\xff'
|
|
mem[0x7fffffffdb75] = '\x7f'
|
|
mem[0x7fffffffdb76] = '\x00'
|
|
mem[0x7fffffffdb77] = '\x00'
|
|
cpu.RDI = 0x7fffffffdb70
|
|
cpu.RCX = 0x6
|
|
cpu.RSI = 0x7fffffffda88
|
|
cpu.RIP = 0x5555555547c2
|
|
cpu.EAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x5555555547c2], '\xf3')
|
|
self.assertEqual(mem[0x5555555547c3], '\xab')
|
|
self.assertEqual(mem[0x7fffffffda88], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda89], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8a], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb70], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb71], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb72], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb73], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb74], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdb75], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffdb76], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb77], '\x00')
|
|
self.assertEqual(cpu.RCX, 5L)
|
|
self.assertEqual(cpu.RDI, 140737488345972L)
|
|
self.assertEqual(cpu.RSI, 140737488345736L)
|
|
self.assertEqual(cpu.RIP, 93824992233410L)
|
|
self.assertEqual(cpu.EAX, 0L)
|
|
|
|
def test_STOSD_2(self):
|
|
''' Instruction STOSD_2
|
|
Groups:
|
|
0x5555555547c2: rep stosd dword ptr [rdi], eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffdb20] = '\x00'
|
|
mem[0x7fffffffdb21] = '\x00'
|
|
mem[0x5555555547c2] = '\xf3'
|
|
mem[0x5555555547c3] = '\xab'
|
|
mem[0x7fffffffda88] = '\x00'
|
|
mem[0x7fffffffda89] = '\x00'
|
|
mem[0x7fffffffda8a] = '\x00'
|
|
mem[0x7fffffffda8b] = '\x00'
|
|
mem[0x7fffffffda8c] = '\x00'
|
|
mem[0x7fffffffdb22] = '\x00'
|
|
mem[0x7fffffffda8e] = '\x00'
|
|
mem[0x7fffffffda8d] = '\x00'
|
|
mem[0x7fffffffdb23] = '\x00'
|
|
mem[0x7fffffffda8f] = '\x00'
|
|
mem[0x7fffffffdb1c] = '\x00'
|
|
mem[0x7fffffffdb1d] = '\x00'
|
|
mem[0x7fffffffdb1e] = '\x00'
|
|
mem[0x7fffffffdb1f] = '\x00'
|
|
cpu.RDI = 0x7fffffffdb1c
|
|
cpu.RCX = 0x1b
|
|
cpu.RSI = 0x7fffffffda88
|
|
cpu.RIP = 0x5555555547c2
|
|
cpu.EAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffdb20], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb21], '\x00')
|
|
self.assertEqual(mem[0x5555555547c2], '\xf3')
|
|
self.assertEqual(mem[0x5555555547c3], '\xab')
|
|
self.assertEqual(mem[0x7fffffffda88], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda89], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8a], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb23], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb22], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb1c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb1d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb1e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb1f], '\x00')
|
|
self.assertEqual(cpu.RCX, 26L)
|
|
self.assertEqual(cpu.RDI, 140737488345888L)
|
|
self.assertEqual(cpu.RSI, 140737488345736L)
|
|
self.assertEqual(cpu.RIP, 93824992233410L)
|
|
self.assertEqual(cpu.EAX, 0L)
|
|
|
|
def test_STOSD_3(self):
|
|
''' Instruction STOSD_3
|
|
Groups:
|
|
0x5555555547c2: rep stosd dword ptr [rdi], eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffdaa0] = '&'
|
|
mem[0x7fffffffdaa1] = '\xb0'
|
|
mem[0x5555555547c2] = '\xf3'
|
|
mem[0x5555555547c3] = '\xab'
|
|
mem[0x7fffffffda88] = '\x00'
|
|
mem[0x7fffffffda89] = '\x00'
|
|
mem[0x7fffffffda8a] = '\x00'
|
|
mem[0x7fffffffda8b] = '\x00'
|
|
mem[0x7fffffffda8c] = '\x00'
|
|
mem[0x7fffffffdaa2] = 'b'
|
|
mem[0x7fffffffda8e] = '\x00'
|
|
mem[0x7fffffffda8d] = '\x00'
|
|
mem[0x7fffffffdaa3] = 'e'
|
|
mem[0x7fffffffda8f] = '\x00'
|
|
mem[0x7fffffffda9c] = '\xff'
|
|
mem[0x7fffffffda9d] = '\x7f'
|
|
mem[0x7fffffffda9e] = '\x00'
|
|
mem[0x7fffffffda9f] = '\x00'
|
|
cpu.RDI = 0x7fffffffda9c
|
|
cpu.RCX = 0x3b
|
|
cpu.RSI = 0x7fffffffda88
|
|
cpu.RIP = 0x5555555547c2
|
|
cpu.EAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffdaa0], '&')
|
|
self.assertEqual(mem[0x7fffffffdaa1], '\xb0')
|
|
self.assertEqual(mem[0x5555555547c2], '\xf3')
|
|
self.assertEqual(mem[0x5555555547c3], '\xab')
|
|
self.assertEqual(mem[0x7fffffffda88], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda89], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8a], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaa3], 'e')
|
|
self.assertEqual(mem[0x7fffffffdaa2], 'b')
|
|
self.assertEqual(mem[0x7fffffffda9c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda9d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda9e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda9f], '\x00')
|
|
self.assertEqual(cpu.RCX, 58L)
|
|
self.assertEqual(cpu.RDI, 140737488345760L)
|
|
self.assertEqual(cpu.RSI, 140737488345736L)
|
|
self.assertEqual(cpu.RIP, 93824992233410L)
|
|
self.assertEqual(cpu.EAX, 0L)
|
|
|
|
def test_STOSD_4(self):
|
|
''' Instruction STOSD_4
|
|
Groups:
|
|
0x5555555547c2: rep stosd dword ptr [rdi], eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x5555555547c2] = '\xf3'
|
|
mem[0x5555555547c3] = '\xab'
|
|
mem[0x7fffffffdaec] = '\xff'
|
|
mem[0x7fffffffda88] = '\x00'
|
|
mem[0x7fffffffda89] = '\x00'
|
|
mem[0x7fffffffda8a] = '\x00'
|
|
mem[0x7fffffffda8b] = '\x00'
|
|
mem[0x7fffffffda8c] = '\x00'
|
|
mem[0x7fffffffda8d] = '\x00'
|
|
mem[0x7fffffffdaee] = '\x00'
|
|
mem[0x7fffffffdaed] = '\x7f'
|
|
mem[0x7fffffffdaf0] = '\x00'
|
|
mem[0x7fffffffdaf1] = '\x00'
|
|
mem[0x7fffffffdaf2] = '\x00'
|
|
mem[0x7fffffffdaf3] = '\x00'
|
|
mem[0x7fffffffda8e] = '\x00'
|
|
mem[0x7fffffffdaef] = '\x00'
|
|
mem[0x7fffffffda8f] = '\x00'
|
|
cpu.RDI = 0x7fffffffdaec
|
|
cpu.RCX = 0x27
|
|
cpu.RSI = 0x7fffffffda88
|
|
cpu.RIP = 0x5555555547c2
|
|
cpu.EAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x5555555547c2], '\xf3')
|
|
self.assertEqual(mem[0x5555555547c3], '\xab')
|
|
self.assertEqual(mem[0x7fffffffdaec], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaed], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda88], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda89], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8a], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf0], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaee], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaef], '\x00')
|
|
self.assertEqual(cpu.RCX, 38L)
|
|
self.assertEqual(cpu.RDI, 140737488345840L)
|
|
self.assertEqual(cpu.RSI, 140737488345736L)
|
|
self.assertEqual(cpu.RIP, 93824992233410L)
|
|
self.assertEqual(cpu.EAX, 0L)
|
|
|
|
def test_STOSD_5(self):
|
|
''' Instruction STOSD_5
|
|
Groups:
|
|
0x5555555547c2: rep stosd dword ptr [rdi], eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7fffffffdb80] = 'P'
|
|
mem[0x7fffffffdb81] = 'I'
|
|
mem[0x5555555547c2] = '\xf3'
|
|
mem[0x5555555547c3] = '\xab'
|
|
mem[0x7fffffffda88] = '\x00'
|
|
mem[0x7fffffffda89] = '\x00'
|
|
mem[0x7fffffffda8a] = '\x00'
|
|
mem[0x7fffffffda8b] = '\x00'
|
|
mem[0x7fffffffda8c] = '\x00'
|
|
mem[0x7fffffffdb82] = 'U'
|
|
mem[0x7fffffffda8e] = '\x00'
|
|
mem[0x7fffffffda8d] = '\x00'
|
|
mem[0x7fffffffdb83] = 'U'
|
|
mem[0x7fffffffda8f] = '\x00'
|
|
mem[0x7fffffffdb7c] = '\x00'
|
|
mem[0x7fffffffdb7d] = '\x00'
|
|
mem[0x7fffffffdb7e] = '\x00'
|
|
mem[0x7fffffffdb7f] = '\x00'
|
|
cpu.RDI = 0x7fffffffdb7c
|
|
cpu.RCX = 0x3
|
|
cpu.RSI = 0x7fffffffda88
|
|
cpu.RIP = 0x5555555547c2
|
|
cpu.EAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffdb80], 'P')
|
|
self.assertEqual(mem[0x7fffffffdb81], 'I')
|
|
self.assertEqual(mem[0x5555555547c2], '\xf3')
|
|
self.assertEqual(mem[0x5555555547c3], '\xab')
|
|
self.assertEqual(mem[0x7fffffffda88], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda89], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8a], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb82], 'U')
|
|
self.assertEqual(mem[0x7fffffffda8e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb83], 'U')
|
|
self.assertEqual(mem[0x7fffffffda8f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb7c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb7d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb7e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdb7f], '\x00')
|
|
self.assertEqual(cpu.RCX, 2L)
|
|
self.assertEqual(cpu.RDI, 140737488345984L)
|
|
self.assertEqual(cpu.RSI, 140737488345736L)
|
|
self.assertEqual(cpu.RIP, 93824992233410L)
|
|
self.assertEqual(cpu.EAX, 0L)
|
|
|
|
def test_STOSD_6(self):
|
|
''' Instruction STOSD_6
|
|
Groups:
|
|
0x5555555547c2: rep stosd dword ptr [rdi], eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x5555555547c2] = '\xf3'
|
|
mem[0x5555555547c3] = '\xab'
|
|
mem[0x7fffffffda88] = '\x00'
|
|
mem[0x7fffffffda89] = '\x00'
|
|
mem[0x7fffffffda8a] = '\x00'
|
|
mem[0x7fffffffda8b] = '\x00'
|
|
mem[0x7fffffffda8c] = '\x00'
|
|
mem[0x7fffffffda8d] = '\x00'
|
|
mem[0x7fffffffda8e] = '\x00'
|
|
mem[0x7fffffffda8f] = '\x00'
|
|
mem[0x7fffffffdaf0] = '\x00'
|
|
mem[0x7fffffffdaf1] = '\x00'
|
|
mem[0x7fffffffdaf2] = '\x00'
|
|
mem[0x7fffffffdaf3] = '\x00'
|
|
mem[0x7fffffffdaf4] = '\x00'
|
|
mem[0x7fffffffdaf5] = '\x00'
|
|
mem[0x7fffffffdaf6] = '\x00'
|
|
mem[0x7fffffffdaf7] = '\x00'
|
|
cpu.RDI = 0x7fffffffdaf0
|
|
cpu.RCX = 0x26
|
|
cpu.RSI = 0x7fffffffda88
|
|
cpu.RIP = 0x5555555547c2
|
|
cpu.EAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x5555555547c2], '\xf3')
|
|
self.assertEqual(mem[0x5555555547c3], '\xab')
|
|
self.assertEqual(mem[0x7fffffffda88], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda89], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8a], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8f], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf0], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf3], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf4], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdaf7], '\x00')
|
|
self.assertEqual(cpu.RCX, 37L)
|
|
self.assertEqual(cpu.RDI, 140737488345844L)
|
|
self.assertEqual(cpu.RSI, 140737488345736L)
|
|
self.assertEqual(cpu.RIP, 93824992233410L)
|
|
self.assertEqual(cpu.EAX, 0L)
|
|
|
|
def test_STOSQ_1(self):
|
|
''' Instruction STOSQ_1
|
|
Groups:
|
|
0x7ffff7ded09b: rep stosq qword ptr [rdi], rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ded000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7fd7700] = '\x00'
|
|
mem[0x7ffff7fd7701] = '\x00'
|
|
mem[0x7ffff7fd7702] = '\x00'
|
|
mem[0x7ffff7fd7703] = '\x00'
|
|
mem[0x7ffff7fd7704] = '\x00'
|
|
mem[0x7ffff7fd7705] = '\x00'
|
|
mem[0x7ffff7fd7706] = '\x00'
|
|
mem[0x7ffff7fd7707] = '\x00'
|
|
mem[0x7ffff7ded09c] = 'H'
|
|
mem[0x7ffff7ded09d] = '\xab'
|
|
mem[0x7ffff7ded09b] = '\xf3'
|
|
mem[0x7ffff7fd7f38] = '\x00'
|
|
mem[0x7ffff7fd7f39] = '\x00'
|
|
mem[0x7ffff7fd7f3a] = '\x00'
|
|
mem[0x7ffff7fd7f3b] = '\x00'
|
|
mem[0x7ffff7fd7f3c] = '\x00'
|
|
mem[0x7ffff7fd7f3d] = '\x00'
|
|
mem[0x7ffff7fd7f3e] = '\x00'
|
|
mem[0x7ffff7fd7f3f] = '\x00'
|
|
cpu.RDI = 0x7ffff7fd7f38
|
|
cpu.RIP = 0x7ffff7ded09b
|
|
cpu.RCX = 0x19
|
|
cpu.RSI = 0x7ffff7fd7700
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7fd7700], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7701], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7702], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7703], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7704], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7705], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7706], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7707], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7f3b], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7f3c], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7f3d], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7f38], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7f39], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7f3a], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ded09b], '\xf3')
|
|
self.assertEqual(mem[0x7ffff7ded09c], 'H')
|
|
self.assertEqual(mem[0x7ffff7ded09d], '\xab')
|
|
self.assertEqual(mem[0x7ffff7fd7f3e], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7f3f], '\x00')
|
|
self.assertEqual(cpu.RCX, 24L)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.RDI, 140737353973568L)
|
|
self.assertEqual(cpu.RSI, 140737353971456L)
|
|
self.assertEqual(cpu.RIP, 140737351962779L)
|
|
|
|
def test_STOSQ_2(self):
|
|
''' Instruction STOSQ_2
|
|
Groups:
|
|
0x7ffff7ded09b: rep stosq qword ptr [rdi], rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ded000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7fd7700] = '\x00'
|
|
mem[0x7ffff7fd7701] = '\x00'
|
|
mem[0x7ffff7fd7702] = '\x00'
|
|
mem[0x7ffff7fd7703] = '\x00'
|
|
mem[0x7ffff7fd7704] = '\x00'
|
|
mem[0x7ffff7fd7705] = '\x00'
|
|
mem[0x7ffff7fd7706] = '\x00'
|
|
mem[0x7ffff7fd7707] = '\x00'
|
|
mem[0x7ffff7ded09c] = 'H'
|
|
mem[0x7ffff7ded09d] = '\xab'
|
|
mem[0x7ffff7ded09b] = '\xf3'
|
|
mem[0x7ffff7fd7cb8] = '\x00'
|
|
mem[0x7ffff7fd7cb9] = '\x00'
|
|
mem[0x7ffff7fd7cba] = '\x00'
|
|
mem[0x7ffff7fd7cbb] = '\x00'
|
|
mem[0x7ffff7fd7cbc] = '\x00'
|
|
mem[0x7ffff7fd7cbd] = '\x00'
|
|
mem[0x7ffff7fd7cbe] = '\x00'
|
|
mem[0x7ffff7fd7cbf] = '\x00'
|
|
cpu.RDI = 0x7ffff7fd7cb8
|
|
cpu.RIP = 0x7ffff7ded09b
|
|
cpu.RCX = 0x69
|
|
cpu.RSI = 0x7ffff7fd7700
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7fd7700], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7701], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7702], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7703], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7704], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7705], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7706], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7707], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7cbc], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7cbd], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7cbb], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7cb8], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7cb9], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7cba], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ded09b], '\xf3')
|
|
self.assertEqual(mem[0x7ffff7ded09c], 'H')
|
|
self.assertEqual(mem[0x7ffff7ded09d], '\xab')
|
|
self.assertEqual(mem[0x7ffff7fd7cbe], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7cbf], '\x00')
|
|
self.assertEqual(cpu.RCX, 104L)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.RDI, 140737353972928L)
|
|
self.assertEqual(cpu.RSI, 140737353971456L)
|
|
self.assertEqual(cpu.RIP, 140737351962779L)
|
|
|
|
def test_STOSQ_3(self):
|
|
''' Instruction STOSQ_3
|
|
Groups:
|
|
0x7ffff7de5ebf: rep stosq qword ptr [rdi], rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ffe000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5ec0] = 'H'
|
|
mem[0x7ffff7de5ec1] = '\xab'
|
|
mem[0x7ffff7ffe4a2] = '\xff'
|
|
mem[0x7ffff7ffe4a3] = '\xf7'
|
|
mem[0x7ffff7ffe4a4] = '\xff'
|
|
mem[0x7ffff7ffe4a5] = '\x7f'
|
|
mem[0x7ffff7ffe4a6] = '\x00'
|
|
mem[0x7ffff7ffe4a1] = '\xe4'
|
|
mem[0x7fffffffda88] = '\x90'
|
|
mem[0x7fffffffda89] = 'x'
|
|
mem[0x7fffffffda8a] = '\x00'
|
|
mem[0x7fffffffda8b] = '\x00'
|
|
mem[0x7fffffffda8c] = '\x00'
|
|
mem[0x7fffffffda8d] = '\x00'
|
|
mem[0x7fffffffda8e] = '\x00'
|
|
mem[0x7fffffffda8f] = '\x00'
|
|
mem[0x7ffff7ffe4a0] = '\x00'
|
|
mem[0x7ffff7ffe4a7] = '\x00'
|
|
mem[0x7ffff7de5ebf] = '\xf3'
|
|
cpu.RDI = 0x7fffffffda88
|
|
cpu.RIP = 0x7ffff7de5ebf
|
|
cpu.RCX = 0x7
|
|
cpu.RSI = 0x7ffff7ffe4a0
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de5ec0], 'H')
|
|
self.assertEqual(mem[0x7ffff7de5ec1], '\xab')
|
|
self.assertEqual(mem[0x7ffff7ffe4a2], '\xff')
|
|
self.assertEqual(mem[0x7ffff7ffe4a3], '\xf7')
|
|
self.assertEqual(mem[0x7ffff7ffe4a4], '\xff')
|
|
self.assertEqual(mem[0x7ffff7ffe4a5], '\x7f')
|
|
self.assertEqual(mem[0x7ffff7ffe4a6], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ffe4a1], '\xe4')
|
|
self.assertEqual(mem[0x7fffffffda88], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda89], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8a], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8b], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8c], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8d], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda8f], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ffe4a0], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ffe4a7], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de5ebf], '\xf3')
|
|
self.assertEqual(cpu.RCX, 6L)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.RDI, 140737488345744L)
|
|
self.assertEqual(cpu.RSI, 140737354130592L)
|
|
self.assertEqual(cpu.RIP, 140737351933631L)
|
|
|
|
def test_STOSQ_4(self):
|
|
''' Instruction STOSQ_4
|
|
Groups:
|
|
0x7ffff7ded09b: rep stosq qword ptr [rdi], rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ded000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7fd7700] = '\x00'
|
|
mem[0x7ffff7fd7701] = '\x00'
|
|
mem[0x7ffff7fd7702] = '\x00'
|
|
mem[0x7ffff7fd7703] = '\x00'
|
|
mem[0x7ffff7fd7704] = '\x00'
|
|
mem[0x7ffff7fd7705] = '\x00'
|
|
mem[0x7ffff7fd7706] = '\x00'
|
|
mem[0x7ffff7fd7707] = '\x00'
|
|
mem[0x7ffff7fd7730] = '\x00'
|
|
mem[0x7ffff7fd7731] = '\x00'
|
|
mem[0x7ffff7fd7732] = '\x00'
|
|
mem[0x7ffff7fd7733] = '\x00'
|
|
mem[0x7ffff7fd7734] = '\x00'
|
|
mem[0x7ffff7fd7735] = '\x00'
|
|
mem[0x7ffff7fd7736] = '\x00'
|
|
mem[0x7ffff7fd7737] = '\x00'
|
|
mem[0x7ffff7ded09b] = '\xf3'
|
|
mem[0x7ffff7ded09c] = 'H'
|
|
mem[0x7ffff7ded09d] = '\xab'
|
|
cpu.RDI = 0x7ffff7fd7730
|
|
cpu.RIP = 0x7ffff7ded09b
|
|
cpu.RCX = 0x11a
|
|
cpu.RSI = 0x7ffff7fd7700
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7fd7700], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7701], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7702], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7703], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7704], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7705], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7706], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7707], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7730], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7731], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7732], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7733], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7734], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7735], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7736], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7737], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ded09b], '\xf3')
|
|
self.assertEqual(mem[0x7ffff7ded09c], 'H')
|
|
self.assertEqual(mem[0x7ffff7ded09d], '\xab')
|
|
self.assertEqual(cpu.RCX, 281L)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.RDI, 140737353971512L)
|
|
self.assertEqual(cpu.RSI, 140737353971456L)
|
|
self.assertEqual(cpu.RIP, 140737351962779L)
|
|
|
|
def test_STOSQ_5(self):
|
|
''' Instruction STOSQ_5
|
|
Groups:
|
|
0x555555554895: rep stosq qword ptr [rdi], rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x555555554896] = 'H'
|
|
mem[0x7fffffffda95] = '\x00'
|
|
mem[0x555555554897] = '\xab'
|
|
mem[0x7fffffffda90] = '\x00'
|
|
mem[0x7fffffffda91] = '\x00'
|
|
mem[0x7fffffffda92] = '\x00'
|
|
mem[0x7fffffffda93] = '\x00'
|
|
mem[0x7fffffffda94] = '\x00'
|
|
mem[0x555555554895] = '\xf3'
|
|
mem[0x7fffffffda96] = '\x00'
|
|
mem[0x7fffffffda97] = '\x00'
|
|
mem[0x7fffffffdc98] = '\x1d'
|
|
mem[0x7fffffffdc99] = '\xe0'
|
|
mem[0x7fffffffdc9a] = '\xff'
|
|
mem[0x7fffffffdc9b] = '\xff'
|
|
mem[0x7fffffffdc9c] = '\xff'
|
|
mem[0x7fffffffdc9d] = '\x7f'
|
|
mem[0x7fffffffdc9e] = '\x00'
|
|
mem[0x7fffffffdc9f] = '\x00'
|
|
cpu.RDI = 0x7fffffffda90
|
|
cpu.RIP = 0x555555554895
|
|
cpu.RCX = 0x1e
|
|
cpu.RSI = 0x7fffffffdc98
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffda96], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda95], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda97], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda90], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda91], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda92], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda93], '\x00')
|
|
self.assertEqual(mem[0x7fffffffda94], '\x00')
|
|
self.assertEqual(mem[0x555555554895], '\xf3')
|
|
self.assertEqual(mem[0x555555554896], 'H')
|
|
self.assertEqual(mem[0x555555554897], '\xab')
|
|
self.assertEqual(mem[0x7fffffffdc98], '\x1d')
|
|
self.assertEqual(mem[0x7fffffffdc99], '\xe0')
|
|
self.assertEqual(mem[0x7fffffffdc9a], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdc9b], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdc9c], '\xff')
|
|
self.assertEqual(mem[0x7fffffffdc9d], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffdc9e], '\x00')
|
|
self.assertEqual(mem[0x7fffffffdc9f], '\x00')
|
|
self.assertEqual(cpu.RCX, 29L)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.RDI, 140737488345752L)
|
|
self.assertEqual(cpu.RSI, 140737488346264L)
|
|
self.assertEqual(cpu.RIP, 93824992233621L)
|
|
|
|
def test_STOSQ_6(self):
|
|
''' Instruction STOSQ_6
|
|
Groups:
|
|
0x7ffff7ded09b: rep stosq qword ptr [rdi], rax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ded000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7fd7700] = '\x00'
|
|
mem[0x7ffff7fd7701] = '\x00'
|
|
mem[0x7ffff7fd7702] = '\x00'
|
|
mem[0x7ffff7fd7703] = '\x00'
|
|
mem[0x7ffff7fd7704] = '\x00'
|
|
mem[0x7ffff7fd7705] = '\x00'
|
|
mem[0x7ffff7fd7706] = '\x00'
|
|
mem[0x7ffff7fd7707] = '\x00'
|
|
mem[0x7ffff7fd7ef0] = '\x00'
|
|
mem[0x7ffff7fd7ef1] = '\x00'
|
|
mem[0x7ffff7fd7ef2] = '\x00'
|
|
mem[0x7ffff7fd7ef3] = '\x00'
|
|
mem[0x7ffff7fd7ef4] = '\x00'
|
|
mem[0x7ffff7fd7ef5] = '\x00'
|
|
mem[0x7ffff7fd7ef6] = '\x00'
|
|
mem[0x7ffff7fd7ef7] = '\x00'
|
|
mem[0x7ffff7ded09b] = '\xf3'
|
|
mem[0x7ffff7ded09c] = 'H'
|
|
mem[0x7ffff7ded09d] = '\xab'
|
|
cpu.RDI = 0x7ffff7fd7ef0
|
|
cpu.RIP = 0x7ffff7ded09b
|
|
cpu.RCX = 0x22
|
|
cpu.RSI = 0x7ffff7fd7700
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7fd7700], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7701], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7702], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7703], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7704], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7705], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7706], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7707], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7ef0], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7ef1], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7ef2], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7ef3], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7ef4], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7ef5], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7ef6], '\x00')
|
|
self.assertEqual(mem[0x7ffff7fd7ef7], '\x00')
|
|
self.assertEqual(mem[0x7ffff7ded09b], '\xf3')
|
|
self.assertEqual(mem[0x7ffff7ded09c], 'H')
|
|
self.assertEqual(mem[0x7ffff7ded09d], '\xab')
|
|
self.assertEqual(cpu.RCX, 33L)
|
|
self.assertEqual(cpu.RAX, 0L)
|
|
self.assertEqual(cpu.RDI, 140737353973496L)
|
|
self.assertEqual(cpu.RSI, 140737353971456L)
|
|
self.assertEqual(cpu.RIP, 140737351962779L)
|
|
|
|
def test_SUB_1(self):
|
|
''' Instruction SUB_1
|
|
Groups:
|
|
0x4326c3: sub rsp, 0x1020
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x004326c3] = 'H'
|
|
mem[0x004326c4] = '\x81'
|
|
mem[0x004326c5] = '\xec'
|
|
mem[0x004326c6] = ' '
|
|
mem[0x004326c7] = '\x10'
|
|
mem[0x004326c8] = '\x00'
|
|
mem[0x004326c9] = '\x00'
|
|
cpu.PF = True
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RSP = 0x7fffffffdab0
|
|
cpu.CF = False
|
|
cpu.RIP = 0x4326c3
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4326c3], 'H')
|
|
self.assertEqual(mem[0x4326c4], '\x81')
|
|
self.assertEqual(mem[0x4326c5], '\xec')
|
|
self.assertEqual(mem[0x4326c6], ' ')
|
|
self.assertEqual(mem[0x4326c7], '\x10')
|
|
self.assertEqual(mem[0x4326c8], '\x00')
|
|
self.assertEqual(mem[0x4326c9], '\x00')
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RSP, 140737488341648L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4400842L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SUB_2(self):
|
|
''' Instruction SUB_2
|
|
Groups:
|
|
0x40b6dd: sub rsp, 0x1028
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040b000, 0x1000, 'rwx')
|
|
mem[0x0040b6e0] = '('
|
|
mem[0x0040b6e1] = '\x10'
|
|
mem[0x0040b6e2] = '\x00'
|
|
mem[0x0040b6e3] = '\x00'
|
|
mem[0x0040b6dd] = 'H'
|
|
mem[0x0040b6de] = '\x81'
|
|
mem[0x0040b6df] = '\xec'
|
|
cpu.PF = True
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.RSP = 0x7fffffffda18
|
|
cpu.CF = False
|
|
cpu.RIP = 0x40b6dd
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x40b6e0], '(')
|
|
self.assertEqual(mem[0x40b6e1], '\x10')
|
|
self.assertEqual(mem[0x40b6e2], '\x00')
|
|
self.assertEqual(mem[0x40b6e3], '\x00')
|
|
self.assertEqual(mem[0x40b6dd], 'H')
|
|
self.assertEqual(mem[0x40b6de], '\x81')
|
|
self.assertEqual(mem[0x40b6df], '\xec')
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RSP, 140737488341488L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4241124L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SUB_3(self):
|
|
''' Instruction SUB_3
|
|
Groups:
|
|
0x7ffff7de406d: sub rsp, 8
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4070] = '\x08'
|
|
mem[0x7ffff7de406d] = 'H'
|
|
mem[0x7ffff7de406e] = '\x83'
|
|
mem[0x7ffff7de406f] = '\xec'
|
|
cpu.PF = False
|
|
cpu.AF = True
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RSP = 0x7fffffffd840
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de406d
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de4070], '\x08')
|
|
self.assertEqual(mem[0x7ffff7de406d], 'H')
|
|
self.assertEqual(mem[0x7ffff7de406e], '\x83')
|
|
self.assertEqual(mem[0x7ffff7de406f], '\xec')
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.AF, True)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RSP, 140737488345144L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351925873L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SUB_4(self):
|
|
''' Instruction SUB_4
|
|
Groups:
|
|
0x7ffff7decc04: sub rsp, 0x1020
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7dec000, 0x1000, 'rwx')
|
|
mem[0x7ffff7decc04] = 'H'
|
|
mem[0x7ffff7decc05] = '\x81'
|
|
mem[0x7ffff7decc06] = '\xec'
|
|
mem[0x7ffff7decc07] = ' '
|
|
mem[0x7ffff7decc08] = '\x10'
|
|
mem[0x7ffff7decc09] = '\x00'
|
|
mem[0x7ffff7decc0a] = '\x00'
|
|
cpu.PF = True
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.RSP = 0x7fffffffd0c0
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7decc04
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7decc04], 'H')
|
|
self.assertEqual(mem[0x7ffff7decc05], '\x81')
|
|
self.assertEqual(mem[0x7ffff7decc06], '\xec')
|
|
self.assertEqual(mem[0x7ffff7decc07], ' ')
|
|
self.assertEqual(mem[0x7ffff7decc08], '\x10')
|
|
self.assertEqual(mem[0x7ffff7decc09], '\x00')
|
|
self.assertEqual(mem[0x7ffff7decc0a], '\x00')
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RSP, 140737488339104L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351961611L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SUB_5(self):
|
|
''' Instruction SUB_5
|
|
Groups:
|
|
0x7ffff7de060d: sub rsp, 0x1020
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de060d] = 'H'
|
|
mem[0x7ffff7de060e] = '\x81'
|
|
mem[0x7ffff7de060f] = '\xec'
|
|
mem[0x7ffff7de0610] = ' '
|
|
mem[0x7ffff7de0611] = '\x10'
|
|
mem[0x7ffff7de0612] = '\x00'
|
|
mem[0x7ffff7de0613] = '\x00'
|
|
cpu.PF = False
|
|
cpu.AF = False
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RSP = 0x7fffffffd2e0
|
|
cpu.CF = True
|
|
cpu.RIP = 0x7ffff7de060d
|
|
cpu.SF = True
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de060d], 'H')
|
|
self.assertEqual(mem[0x7ffff7de060e], '\x81')
|
|
self.assertEqual(mem[0x7ffff7de060f], '\xec')
|
|
self.assertEqual(mem[0x7ffff7de0610], ' ')
|
|
self.assertEqual(mem[0x7ffff7de0611], '\x10')
|
|
self.assertEqual(mem[0x7ffff7de0612], '\x00')
|
|
self.assertEqual(mem[0x7ffff7de0613], '\x00')
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RSP, 140737488339648L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351910932L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_SUB_6(self):
|
|
''' Instruction SUB_6
|
|
Groups:
|
|
0x7ffff7deb22d: sub rsp, 0x1078
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7deb000, 0x1000, 'rwx')
|
|
mem[0x7ffff7deb22d] = 'H'
|
|
mem[0x7ffff7deb22e] = '\x81'
|
|
mem[0x7ffff7deb22f] = '\xec'
|
|
mem[0x7ffff7deb230] = 'x'
|
|
mem[0x7ffff7deb231] = '\x10'
|
|
mem[0x7ffff7deb232] = '\x00'
|
|
mem[0x7ffff7deb233] = '\x00'
|
|
cpu.PF = False
|
|
cpu.AF = True
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.RSP = 0x7fffffffd9f8
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7deb22d
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7deb22d], 'H')
|
|
self.assertEqual(mem[0x7ffff7deb22e], '\x81')
|
|
self.assertEqual(mem[0x7ffff7deb22f], '\xec')
|
|
self.assertEqual(mem[0x7ffff7deb230], 'x')
|
|
self.assertEqual(mem[0x7ffff7deb231], '\x10')
|
|
self.assertEqual(mem[0x7ffff7deb232], '\x00')
|
|
self.assertEqual(mem[0x7ffff7deb233], '\x00')
|
|
self.assertEqual(cpu.PF, False)
|
|
self.assertEqual(cpu.AF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.RSP, 140737488341376L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351954996L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_TEST_1(self):
|
|
''' Instruction TEST_1
|
|
Groups:
|
|
0x7ffff7df459c: test al, al
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df459c] = '\x84'
|
|
mem[0x7ffff7df459d] = '\xc0'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7df459c
|
|
cpu.AL = 0x6c
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df459c], '\x84')
|
|
self.assertEqual(mem[0x7ffff7df459d], '\xc0')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351992734L)
|
|
self.assertEqual(cpu.AL, 108L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_TEST_2(self):
|
|
''' Instruction TEST_2
|
|
Groups:
|
|
0x7ffff7df459c: test al, al
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df459c] = '\x84'
|
|
mem[0x7ffff7df459d] = '\xc0'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7df459c
|
|
cpu.AL = 0x5f
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df459c], '\x84')
|
|
self.assertEqual(mem[0x7ffff7df459d], '\xc0')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351992734L)
|
|
self.assertEqual(cpu.AL, 95L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_TEST_3(self):
|
|
''' Instruction TEST_3
|
|
Groups:
|
|
0x7ffff7de3892: test r15d, r15d
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3892] = 'E'
|
|
mem[0x7ffff7de3893] = '\x85'
|
|
mem[0x7ffff7de3894] = '\xff'
|
|
cpu.R15D = 0x0
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de3892
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de3892], 'E')
|
|
self.assertEqual(mem[0x7ffff7de3893], '\x85')
|
|
self.assertEqual(mem[0x7ffff7de3894], '\xff')
|
|
self.assertEqual(cpu.R15D, 0L)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351923861L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_TEST_4(self):
|
|
''' Instruction TEST_4
|
|
Groups:
|
|
0x7ffff7b58f07: test byte ptr [r8 - 4], 1
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a31000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f07] = 'A'
|
|
mem[0x7ffff7b58f08] = '\xf6'
|
|
mem[0x7ffff7b58f09] = '@'
|
|
mem[0x7ffff7b58f0a] = '\xfc'
|
|
mem[0x7ffff7b58f0b] = '\x01'
|
|
mem[0x7ffff7a3193c] = '\xbc'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.R8 = 0x7ffff7a31940
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7b58f07
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7b58f07], 'A')
|
|
self.assertEqual(mem[0x7ffff7b58f08], '\xf6')
|
|
self.assertEqual(mem[0x7ffff7b58f09], '@')
|
|
self.assertEqual(mem[0x7ffff7b58f0a], '\xfc')
|
|
self.assertEqual(mem[0x7ffff7b58f0b], '\x01')
|
|
self.assertEqual(mem[0x7ffff7a3193c], '\xbc')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.R8, 140737348049216L)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737349259020L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_TEST_5(self):
|
|
''' Instruction TEST_5
|
|
Groups:
|
|
0x7ffff7ddc6b7: test rdi, rdi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddc6b8] = '\x85'
|
|
mem[0x7ffff7ddc6b9] = '\xff'
|
|
mem[0x7ffff7ddc6b7] = 'H'
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7ddc6b7
|
|
cpu.PF = True
|
|
cpu.RDI = 0x7ffff7ffa3a0
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7ddc6b8], '\x85')
|
|
self.assertEqual(mem[0x7ffff7ddc6b9], '\xff')
|
|
self.assertEqual(mem[0x7ffff7ddc6b7], 'H')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351894714L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.RDI, 140737354113952L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_TEST_6(self):
|
|
''' Instruction TEST_6
|
|
Groups:
|
|
0x406e88: test rbx, rbx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem[0x00406e88] = 'H'
|
|
mem[0x00406e89] = '\x85'
|
|
mem[0x00406e8a] = '\xdb'
|
|
cpu.RBX = 0x7fffffffe927
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x406e88
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x406e88], 'H')
|
|
self.assertEqual(mem[0x406e89], '\x85')
|
|
self.assertEqual(mem[0x406e8a], '\xdb')
|
|
self.assertEqual(cpu.RBX, 140737488349479L)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, False)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 4222603L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_VMOVD_1(self):
|
|
''' Instruction VMOVD_1
|
|
Groups: avx
|
|
0x432054: vmovd xmm1, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432054] = '\xc5'
|
|
mem[0x00432055] = '\xf9'
|
|
mem[0x00432056] = 'n'
|
|
mem[0x00432057] = '\xce'
|
|
cpu.XMM1 = 0x0
|
|
cpu.RIP = 0x432054
|
|
cpu.ESI = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432054], '\xc5')
|
|
self.assertEqual(mem[0x432055], '\xf9')
|
|
self.assertEqual(mem[0x432056], 'n')
|
|
self.assertEqual(mem[0x432057], '\xce')
|
|
self.assertEqual(cpu.XMM1, 0)
|
|
self.assertEqual(cpu.ESI, 0L)
|
|
self.assertEqual(cpu.RIP, 4399192L)
|
|
|
|
def test_VMOVD_2(self):
|
|
''' Instruction VMOVD_2
|
|
Groups: avx
|
|
0x432154: vmovd xmm1, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432154] = '\xc5'
|
|
mem[0x00432155] = '\xf9'
|
|
mem[0x00432156] = 'n'
|
|
mem[0x00432157] = '\xce'
|
|
cpu.XMM1 = 0x0
|
|
cpu.RIP = 0x432154
|
|
cpu.ESI = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432154], '\xc5')
|
|
self.assertEqual(mem[0x432155], '\xf9')
|
|
self.assertEqual(mem[0x432156], 'n')
|
|
self.assertEqual(mem[0x432157], '\xce')
|
|
self.assertEqual(cpu.XMM1, 0)
|
|
self.assertEqual(cpu.ESI, 0L)
|
|
self.assertEqual(cpu.RIP, 4399448L)
|
|
|
|
def test_VMOVD_3(self):
|
|
''' Instruction VMOVD_3
|
|
Groups: avx
|
|
0x432124: vmovd xmm1, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432124] = '\xc5'
|
|
mem[0x00432125] = '\xf9'
|
|
mem[0x00432126] = 'n'
|
|
mem[0x00432127] = '\xce'
|
|
cpu.XMM1 = 0x0
|
|
cpu.RIP = 0x432124
|
|
cpu.ESI = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432124], '\xc5')
|
|
self.assertEqual(mem[0x432125], '\xf9')
|
|
self.assertEqual(mem[0x432126], 'n')
|
|
self.assertEqual(mem[0x432127], '\xce')
|
|
self.assertEqual(cpu.XMM1, 0)
|
|
self.assertEqual(cpu.ESI, 0L)
|
|
self.assertEqual(cpu.RIP, 4399400L)
|
|
|
|
def test_VMOVD_4(self):
|
|
''' Instruction VMOVD_4
|
|
Groups: avx
|
|
0x434cd4: vmovd xmm1, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x00434cd4] = '\xc5'
|
|
mem[0x00434cd5] = '\xf9'
|
|
mem[0x00434cd6] = 'n'
|
|
mem[0x00434cd7] = '\xce'
|
|
cpu.XMM1 = 0x0
|
|
cpu.RIP = 0x434cd4
|
|
cpu.ESI = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x434cd4], '\xc5')
|
|
self.assertEqual(mem[0x434cd5], '\xf9')
|
|
self.assertEqual(mem[0x434cd6], 'n')
|
|
self.assertEqual(mem[0x434cd7], '\xce')
|
|
self.assertEqual(cpu.XMM1, 0)
|
|
self.assertEqual(cpu.ESI, 0L)
|
|
self.assertEqual(cpu.RIP, 4410584L)
|
|
|
|
def test_VMOVD_5(self):
|
|
''' Instruction VMOVD_5
|
|
Groups: avx
|
|
0x432134: vmovd xmm1, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432134] = '\xc5'
|
|
mem[0x00432135] = '\xf9'
|
|
mem[0x00432136] = 'n'
|
|
mem[0x00432137] = '\xce'
|
|
cpu.XMM1 = 0x0
|
|
cpu.RIP = 0x432134
|
|
cpu.ESI = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432134], '\xc5')
|
|
self.assertEqual(mem[0x432135], '\xf9')
|
|
self.assertEqual(mem[0x432136], 'n')
|
|
self.assertEqual(mem[0x432137], '\xce')
|
|
self.assertEqual(cpu.XMM1, 0)
|
|
self.assertEqual(cpu.ESI, 0L)
|
|
self.assertEqual(cpu.RIP, 4399416L)
|
|
|
|
def test_VMOVD_6(self):
|
|
''' Instruction VMOVD_6
|
|
Groups: avx
|
|
0x432514: vmovd xmm1, esi
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432514] = '\xc5'
|
|
mem[0x00432515] = '\xf9'
|
|
mem[0x00432516] = 'n'
|
|
mem[0x00432517] = '\xce'
|
|
cpu.XMM1 = 0x0
|
|
cpu.RIP = 0x432514
|
|
cpu.ESI = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432514], '\xc5')
|
|
self.assertEqual(mem[0x432515], '\xf9')
|
|
self.assertEqual(mem[0x432516], 'n')
|
|
self.assertEqual(mem[0x432517], '\xce')
|
|
self.assertEqual(cpu.XMM1, 0)
|
|
self.assertEqual(cpu.ESI, 0L)
|
|
self.assertEqual(cpu.RIP, 4400408L)
|
|
|
|
def test_VPSHUFB_1(self):
|
|
''' Instruction VPSHUFB_1
|
|
Groups: avx
|
|
0x4321af: vpshufb xmm0, xmm1, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x004321b0] = '\xe2'
|
|
mem[0x004321b1] = 'q'
|
|
mem[0x004321b2] = '\x00'
|
|
mem[0x004321b3] = '\xc0'
|
|
mem[0x004321af] = '\xc4'
|
|
cpu.XMM0 = 0x0
|
|
cpu.XMM1 = 0x0
|
|
cpu.RIP = 0x4321af
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4321b0], '\xe2')
|
|
self.assertEqual(mem[0x4321b1], 'q')
|
|
self.assertEqual(mem[0x4321b2], '\x00')
|
|
self.assertEqual(mem[0x4321b3], '\xc0')
|
|
self.assertEqual(mem[0x4321af], '\xc4')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.XMM1, 0)
|
|
self.assertEqual(cpu.RIP, 4399540L)
|
|
|
|
def test_VPSHUFB_2(self):
|
|
''' Instruction VPSHUFB_2
|
|
Groups: avx
|
|
0x43215f: vpshufb xmm0, xmm1, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432160] = '\xe2'
|
|
mem[0x00432161] = 'q'
|
|
mem[0x00432162] = '\x00'
|
|
mem[0x00432163] = '\xc0'
|
|
mem[0x0043215f] = '\xc4'
|
|
cpu.XMM0 = 0x0
|
|
cpu.XMM1 = 0x0
|
|
cpu.RIP = 0x43215f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432160], '\xe2')
|
|
self.assertEqual(mem[0x432161], 'q')
|
|
self.assertEqual(mem[0x432162], '\x00')
|
|
self.assertEqual(mem[0x432163], '\xc0')
|
|
self.assertEqual(mem[0x43215f], '\xc4')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.XMM1, 0)
|
|
self.assertEqual(cpu.RIP, 4399460L)
|
|
|
|
def test_VPSHUFB_3(self):
|
|
''' Instruction VPSHUFB_3
|
|
Groups: avx
|
|
0x43205f: vpshufb xmm0, xmm1, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432060] = '\xe2'
|
|
mem[0x00432061] = 'q'
|
|
mem[0x00432062] = '\x00'
|
|
mem[0x00432063] = '\xc0'
|
|
mem[0x0043205f] = '\xc4'
|
|
cpu.XMM0 = 0x0
|
|
cpu.XMM1 = 0x0
|
|
cpu.RIP = 0x43205f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432060], '\xe2')
|
|
self.assertEqual(mem[0x432061], 'q')
|
|
self.assertEqual(mem[0x432062], '\x00')
|
|
self.assertEqual(mem[0x432063], '\xc0')
|
|
self.assertEqual(mem[0x43205f], '\xc4')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.XMM1, 0)
|
|
self.assertEqual(cpu.RIP, 4399204L)
|
|
|
|
def test_VPSHUFB_4(self):
|
|
''' Instruction VPSHUFB_4
|
|
Groups: avx
|
|
0x43212f: vpshufb xmm0, xmm1, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432130] = '\xe2'
|
|
mem[0x00432131] = 'q'
|
|
mem[0x00432132] = '\x00'
|
|
mem[0x00432133] = '\xc0'
|
|
mem[0x0043212f] = '\xc4'
|
|
cpu.XMM0 = 0x0
|
|
cpu.XMM1 = 0x0
|
|
cpu.RIP = 0x43212f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432130], '\xe2')
|
|
self.assertEqual(mem[0x432131], 'q')
|
|
self.assertEqual(mem[0x432132], '\x00')
|
|
self.assertEqual(mem[0x432133], '\xc0')
|
|
self.assertEqual(mem[0x43212f], '\xc4')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.XMM1, 0)
|
|
self.assertEqual(cpu.RIP, 4399412L)
|
|
|
|
def test_VPSHUFB_5(self):
|
|
''' Instruction VPSHUFB_5
|
|
Groups: avx
|
|
0x43213f: vpshufb xmm0, xmm1, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432140] = '\xe2'
|
|
mem[0x00432141] = 'q'
|
|
mem[0x00432142] = '\x00'
|
|
mem[0x00432143] = '\xc0'
|
|
mem[0x0043213f] = '\xc4'
|
|
cpu.XMM0 = 0x0
|
|
cpu.XMM1 = 0x0
|
|
cpu.RIP = 0x43213f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432140], '\xe2')
|
|
self.assertEqual(mem[0x432141], 'q')
|
|
self.assertEqual(mem[0x432142], '\x00')
|
|
self.assertEqual(mem[0x432143], '\xc0')
|
|
self.assertEqual(mem[0x43213f], '\xc4')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.XMM1, 0)
|
|
self.assertEqual(cpu.RIP, 4399428L)
|
|
|
|
def test_VPSHUFB_6(self):
|
|
''' Instruction VPSHUFB_6
|
|
Groups: avx
|
|
0x434cdf: vpshufb xmm0, xmm1, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x00434ce0] = '\xe2'
|
|
mem[0x00434ce1] = 'q'
|
|
mem[0x00434ce2] = '\x00'
|
|
mem[0x00434ce3] = '\xc0'
|
|
mem[0x00434cdf] = '\xc4'
|
|
cpu.XMM0 = 0x0
|
|
cpu.XMM1 = 0x0
|
|
cpu.RIP = 0x434cdf
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x434ce0], '\xe2')
|
|
self.assertEqual(mem[0x434ce1], 'q')
|
|
self.assertEqual(mem[0x434ce2], '\x00')
|
|
self.assertEqual(mem[0x434ce3], '\xc0')
|
|
self.assertEqual(mem[0x434cdf], '\xc4')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.XMM1, 0)
|
|
self.assertEqual(cpu.RIP, 4410596L)
|
|
|
|
def test_VPXOR_1(self):
|
|
''' Instruction VPXOR_1
|
|
Groups: avx
|
|
0x4321a0: vpxor xmm0, xmm0, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x004321a0] = '\xc5'
|
|
mem[0x004321a1] = '\xf9'
|
|
mem[0x004321a2] = '\xef'
|
|
mem[0x004321a3] = '\xc0'
|
|
cpu.XMM0 = 0x0
|
|
cpu.RIP = 0x4321a0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4321a0], '\xc5')
|
|
self.assertEqual(mem[0x4321a1], '\xf9')
|
|
self.assertEqual(mem[0x4321a2], '\xef')
|
|
self.assertEqual(mem[0x4321a3], '\xc0')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.RIP, 4399524L)
|
|
|
|
def test_VPXOR_2(self):
|
|
''' Instruction VPXOR_2
|
|
Groups: avx
|
|
0x432510: vpxor xmm0, xmm0, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432510] = '\xc5'
|
|
mem[0x00432511] = '\xf9'
|
|
mem[0x00432512] = '\xef'
|
|
mem[0x00432513] = '\xc0'
|
|
cpu.XMM0 = 0x0
|
|
cpu.RIP = 0x432510
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432510], '\xc5')
|
|
self.assertEqual(mem[0x432511], '\xf9')
|
|
self.assertEqual(mem[0x432512], '\xef')
|
|
self.assertEqual(mem[0x432513], '\xc0')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.RIP, 4400404L)
|
|
|
|
def test_VPXOR_3(self):
|
|
''' Instruction VPXOR_3
|
|
Groups: avx
|
|
0x432050: vpxor xmm0, xmm0, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432050] = '\xc5'
|
|
mem[0x00432051] = '\xf9'
|
|
mem[0x00432052] = '\xef'
|
|
mem[0x00432053] = '\xc0'
|
|
cpu.XMM0 = 0x0
|
|
cpu.RIP = 0x432050
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432050], '\xc5')
|
|
self.assertEqual(mem[0x432051], '\xf9')
|
|
self.assertEqual(mem[0x432052], '\xef')
|
|
self.assertEqual(mem[0x432053], '\xc0')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.RIP, 4399188L)
|
|
|
|
def test_VPXOR_4(self):
|
|
''' Instruction VPXOR_4
|
|
Groups: avx
|
|
0x432150: vpxor xmm0, xmm0, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432150] = '\xc5'
|
|
mem[0x00432151] = '\xf9'
|
|
mem[0x00432152] = '\xef'
|
|
mem[0x00432153] = '\xc0'
|
|
cpu.XMM0 = 0x0
|
|
cpu.RIP = 0x432150
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432150], '\xc5')
|
|
self.assertEqual(mem[0x432151], '\xf9')
|
|
self.assertEqual(mem[0x432152], '\xef')
|
|
self.assertEqual(mem[0x432153], '\xc0')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.RIP, 4399444L)
|
|
|
|
def test_VPXOR_5(self):
|
|
''' Instruction VPXOR_5
|
|
Groups: avx
|
|
0x432130: vpxor xmm0, xmm0, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432130] = '\xc5'
|
|
mem[0x00432131] = '\xf9'
|
|
mem[0x00432132] = '\xef'
|
|
mem[0x00432133] = '\xc0'
|
|
cpu.XMM0 = 0x0
|
|
cpu.RIP = 0x432130
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432130], '\xc5')
|
|
self.assertEqual(mem[0x432131], '\xf9')
|
|
self.assertEqual(mem[0x432132], '\xef')
|
|
self.assertEqual(mem[0x432133], '\xc0')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.RIP, 4399412L)
|
|
|
|
def test_VPXOR_6(self):
|
|
''' Instruction VPXOR_6
|
|
Groups: avx
|
|
0x432130: vpxor xmm0, xmm0, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432130] = '\xc5'
|
|
mem[0x00432131] = '\xf9'
|
|
mem[0x00432132] = '\xef'
|
|
mem[0x00432133] = '\xc0'
|
|
cpu.XMM0 = 0x0
|
|
cpu.RIP = 0x432130
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432130], '\xc5')
|
|
self.assertEqual(mem[0x432131], '\xf9')
|
|
self.assertEqual(mem[0x432132], '\xef')
|
|
self.assertEqual(mem[0x432133], '\xc0')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.RIP, 4399412L)
|
|
|
|
def test_VZEROUPPER_1(self):
|
|
''' Instruction VZEROUPPER_1
|
|
Groups: avx
|
|
0x4322a9: vzeroupper
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x004322a9] = '\xc5'
|
|
mem[0x004322aa] = '\xf8'
|
|
mem[0x004322ab] = 'w'
|
|
cpu.RIP = 0x4322a9
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4322a9], '\xc5')
|
|
self.assertEqual(mem[0x4322aa], '\xf8')
|
|
self.assertEqual(mem[0x4322ab], 'w')
|
|
self.assertEqual(cpu.RIP, 4399788L)
|
|
|
|
def test_VZEROUPPER_2(self):
|
|
''' Instruction VZEROUPPER_2
|
|
Groups: avx
|
|
0x432319: vzeroupper
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432319] = '\xc5'
|
|
mem[0x0043231a] = '\xf8'
|
|
mem[0x0043231b] = 'w'
|
|
cpu.RIP = 0x432319
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432319], '\xc5')
|
|
self.assertEqual(mem[0x43231a], '\xf8')
|
|
self.assertEqual(mem[0x43231b], 'w')
|
|
self.assertEqual(cpu.RIP, 4399900L)
|
|
|
|
def test_VZEROUPPER_3(self):
|
|
''' Instruction VZEROUPPER_3
|
|
Groups: avx
|
|
0x4322c9: vzeroupper
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x004322c9] = '\xc5'
|
|
mem[0x004322ca] = '\xf8'
|
|
mem[0x004322cb] = 'w'
|
|
cpu.RIP = 0x4322c9
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4322c9], '\xc5')
|
|
self.assertEqual(mem[0x4322ca], '\xf8')
|
|
self.assertEqual(mem[0x4322cb], 'w')
|
|
self.assertEqual(cpu.RIP, 4399820L)
|
|
|
|
def test_VZEROUPPER_4(self):
|
|
''' Instruction VZEROUPPER_4
|
|
Groups: avx
|
|
0x432229: vzeroupper
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432229] = '\xc5'
|
|
mem[0x0043222a] = '\xf8'
|
|
mem[0x0043222b] = 'w'
|
|
cpu.RIP = 0x432229
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432229], '\xc5')
|
|
self.assertEqual(mem[0x43222a], '\xf8')
|
|
self.assertEqual(mem[0x43222b], 'w')
|
|
self.assertEqual(cpu.RIP, 4399660L)
|
|
|
|
def test_VZEROUPPER_5(self):
|
|
''' Instruction VZEROUPPER_5
|
|
Groups: avx
|
|
0x4322a9: vzeroupper
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x004322a9] = '\xc5'
|
|
mem[0x004322aa] = '\xf8'
|
|
mem[0x004322ab] = 'w'
|
|
cpu.RIP = 0x4322a9
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x4322a9], '\xc5')
|
|
self.assertEqual(mem[0x4322aa], '\xf8')
|
|
self.assertEqual(mem[0x4322ab], 'w')
|
|
self.assertEqual(cpu.RIP, 4399788L)
|
|
|
|
def test_VZEROUPPER_6(self):
|
|
''' Instruction VZEROUPPER_6
|
|
Groups: avx
|
|
0x432689: vzeroupper
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x00432689] = '\xc5'
|
|
mem[0x0043268a] = '\xf8'
|
|
mem[0x0043268b] = 'w'
|
|
cpu.RIP = 0x432689
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x432689], '\xc5')
|
|
self.assertEqual(mem[0x43268a], '\xf8')
|
|
self.assertEqual(mem[0x43268b], 'w')
|
|
self.assertEqual(cpu.RIP, 4400780L)
|
|
|
|
def test_XGETBV_1(self):
|
|
''' Instruction XGETBV_1
|
|
Groups:
|
|
0x7ffff7a4eb1b: xgetbv
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4eb1b] = '\x0f'
|
|
mem[0x7ffff7a4eb1c] = '\x01'
|
|
mem[0x7ffff7a4eb1d] = '\xd0'
|
|
cpu.RIP = 0x7ffff7a4eb1b
|
|
cpu.RCX = 0x0
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a4eb1b], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7a4eb1c], '\x01')
|
|
self.assertEqual(mem[0x7ffff7a4eb1d], '\xd0')
|
|
self.assertEqual(cpu.RAX, 7L)
|
|
self.assertEqual(cpu.RCX, 0L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 140737348168478L)
|
|
|
|
def test_XGETBV_2(self):
|
|
''' Instruction XGETBV_2
|
|
Groups:
|
|
0x437c0e: xgetbv
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00437000, 0x1000, 'rwx')
|
|
mem[0x00437c10] = '\xd0'
|
|
mem[0x00437c0e] = '\x0f'
|
|
mem[0x00437c0f] = '\x01'
|
|
cpu.RIP = 0x437c0e
|
|
cpu.RCX = 0x0
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x437c10], '\xd0')
|
|
self.assertEqual(mem[0x437c0e], '\x0f')
|
|
self.assertEqual(mem[0x437c0f], '\x01')
|
|
self.assertEqual(cpu.RAX, 7L)
|
|
self.assertEqual(cpu.RCX, 0L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 4422673L)
|
|
|
|
def test_XGETBV_3(self):
|
|
''' Instruction XGETBV_3
|
|
Groups:
|
|
0x7ffff7a4eb1b: xgetbv
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4eb1b] = '\x0f'
|
|
mem[0x7ffff7a4eb1c] = '\x01'
|
|
mem[0x7ffff7a4eb1d] = '\xd0'
|
|
cpu.RIP = 0x7ffff7a4eb1b
|
|
cpu.RCX = 0x0
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7a4eb1b], '\x0f')
|
|
self.assertEqual(mem[0x7ffff7a4eb1c], '\x01')
|
|
self.assertEqual(mem[0x7ffff7a4eb1d], '\xd0')
|
|
self.assertEqual(cpu.RAX, 7L)
|
|
self.assertEqual(cpu.RCX, 0L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 140737348168478L)
|
|
|
|
def test_XGETBV_4(self):
|
|
''' Instruction XGETBV_4
|
|
Groups:
|
|
0x43a59e: xgetbv
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0043a000, 0x1000, 'rwx')
|
|
mem[0x0043a5a0] = '\xd0'
|
|
mem[0x0043a59e] = '\x0f'
|
|
mem[0x0043a59f] = '\x01'
|
|
cpu.RIP = 0x43a59e
|
|
cpu.RCX = 0x0
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x43a5a0], '\xd0')
|
|
self.assertEqual(mem[0x43a59e], '\x0f')
|
|
self.assertEqual(mem[0x43a59f], '\x01')
|
|
self.assertEqual(cpu.RAX, 7L)
|
|
self.assertEqual(cpu.RCX, 0L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 4433313L)
|
|
|
|
def test_XGETBV_5(self):
|
|
''' Instruction XGETBV_5
|
|
Groups:
|
|
0x43791e: xgetbv
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00437000, 0x1000, 'rwx')
|
|
mem[0x00437920] = '\xd0'
|
|
mem[0x0043791e] = '\x0f'
|
|
mem[0x0043791f] = '\x01'
|
|
cpu.RIP = 0x43791e
|
|
cpu.RCX = 0x0
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x437920], '\xd0')
|
|
self.assertEqual(mem[0x43791e], '\x0f')
|
|
self.assertEqual(mem[0x43791f], '\x01')
|
|
self.assertEqual(cpu.RAX, 7L)
|
|
self.assertEqual(cpu.RCX, 0L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 4421921L)
|
|
|
|
def test_XGETBV_6(self):
|
|
''' Instruction XGETBV_6
|
|
Groups:
|
|
0x437a6e: xgetbv
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00437000, 0x1000, 'rwx')
|
|
mem[0x00437a70] = '\xd0'
|
|
mem[0x00437a6e] = '\x0f'
|
|
mem[0x00437a6f] = '\x01'
|
|
cpu.RIP = 0x437a6e
|
|
cpu.RCX = 0x0
|
|
cpu.RDX = 0x0
|
|
cpu.RAX = 0x0
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x437a70], '\xd0')
|
|
self.assertEqual(mem[0x437a6e], '\x0f')
|
|
self.assertEqual(mem[0x437a6f], '\x01')
|
|
self.assertEqual(cpu.RAX, 7L)
|
|
self.assertEqual(cpu.RCX, 0L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
self.assertEqual(cpu.RIP, 4422257L)
|
|
|
|
def test_XORPS_1(self):
|
|
''' Instruction XORPS_1
|
|
Groups: sse1
|
|
0x530d2f: xorps xmm1, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00530000, 0x1000, 'rwx')
|
|
mem[0x00530d30] = 'W'
|
|
mem[0x00530d31] = '\xc8'
|
|
mem[0x00530d2f] = '\x0f'
|
|
cpu.XMM0 = 0xfffffffe0000002100000040fffffffe
|
|
cpu.XMM1 = 0xffffffbeffffffdf00000061ffffffbe
|
|
cpu.RIP = 0x530d2f
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x530d30], 'W')
|
|
self.assertEqual(mem[0x530d31], '\xc8')
|
|
self.assertEqual(mem[0x530d2f], '\x0f')
|
|
self.assertEqual(cpu.XMM0, 340282366762482139043588486956268388350L)
|
|
self.assertEqual(cpu.XMM1, 5149830563390288455574671589440L)
|
|
self.assertEqual(cpu.RIP, 5442866L)
|
|
|
|
def test_XORPS_2(self):
|
|
''' Instruction XORPS_2
|
|
Groups: sse1
|
|
0x530a6c: xorps xmm1, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00530000, 0x1000, 'rwx')
|
|
mem[0x00530a6c] = '\x0f'
|
|
mem[0x00530a6d] = 'W'
|
|
mem[0x00530a6e] = '\xc8'
|
|
cpu.XMM0 = 0xfffffffe8000000100000040fffffffe
|
|
cpu.XMM1 = 0xffffffbe7fffffff80000041ffffffbe
|
|
cpu.RIP = 0x530a6c
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x530a6c], '\x0f')
|
|
self.assertEqual(mem[0x530a6d], 'W')
|
|
self.assertEqual(mem[0x530a6e], '\xc8')
|
|
self.assertEqual(cpu.XMM0, 340282366802096219710424845394334711806L)
|
|
self.assertEqual(cpu.XMM1, 5149830563399511827474087411776L)
|
|
self.assertEqual(cpu.RIP, 5442159L)
|
|
|
|
def test_XORPS_3(self):
|
|
''' Instruction XORPS_3
|
|
Groups: sse1
|
|
0x54f76a: xorps xmm0, xmmword ptr [rsp]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0054f000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x0054f76a] = '\x0f'
|
|
mem[0x0054f76b] = 'W'
|
|
mem[0x0054f76c] = '\x04'
|
|
mem[0x0054f76d] = '$'
|
|
mem[0x7fffffffccb0] = '\x00'
|
|
mem[0x7fffffffccb1] = '\x00'
|
|
mem[0x7fffffffccb2] = '\x00'
|
|
mem[0x7fffffffccb3] = '\x80'
|
|
mem[0x7fffffffccb4] = '\xff'
|
|
mem[0x7fffffffccb5] = '\x7f'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
mem[0x7fffffffccb8] = '\xff'
|
|
mem[0x7fffffffccb9] = '\x7f'
|
|
mem[0x7fffffffccba] = '\x00'
|
|
mem[0x7fffffffccbb] = '\x00'
|
|
mem[0x7fffffffccbc] = '\x00'
|
|
mem[0x7fffffffccbd] = '\x00'
|
|
mem[0x7fffffffccbe] = '\x00'
|
|
mem[0x7fffffffccbf] = '\x80'
|
|
cpu.XMM0 = 0x0
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x54f76a
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x54f76a], '\x0f')
|
|
self.assertEqual(mem[0x54f76b], 'W')
|
|
self.assertEqual(mem[0x54f76c], '\x04')
|
|
self.assertEqual(mem[0x54f76d], '$')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb8], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb9], '\x7f')
|
|
self.assertEqual(mem[0x7fffffffccba], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbc], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbd], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbe], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbf], '\x80')
|
|
self.assertEqual(cpu.XMM0, 170141183460469836176150507692102778880L)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 5568366L)
|
|
|
|
def test_XORPS_4(self):
|
|
''' Instruction XORPS_4
|
|
Groups: sse1
|
|
0x540f22: xorps xmm1, xmm0
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00540000, 0x1000, 'rwx')
|
|
mem[0x00540f22] = '\x0f'
|
|
mem[0x00540f23] = 'W'
|
|
mem[0x00540f24] = '\xc8'
|
|
cpu.XMM0 = 0x200000007f0000002100000020
|
|
cpu.XMM1 = 0x21000000200000007f00000021
|
|
cpu.RIP = 0x540f22
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x540f22], '\x0f')
|
|
self.assertEqual(mem[0x540f23], 'W')
|
|
self.assertEqual(mem[0x540f24], '\xc8')
|
|
self.assertEqual(cpu.XMM0, 2535301202799195300496253386784L)
|
|
self.assertEqual(cpu.XMM1, 79228164266705024999678279681L)
|
|
self.assertEqual(cpu.RIP, 5508901L)
|
|
|
|
def test_XORPS_5(self):
|
|
''' Instruction XORPS_5
|
|
Groups: sse1
|
|
0x560955: xorps xmm0, xmmword ptr [rsp]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00560000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7fffffffccb5] = '\x7f'
|
|
mem[0x00560956] = 'W'
|
|
mem[0x7fffffffccb8] = '!'
|
|
mem[0x00560957] = '\x04'
|
|
mem[0x7fffffffccb0] = '\xff'
|
|
mem[0x7fffffffccb1] = '\xff'
|
|
mem[0x7fffffffccb2] = '\xff'
|
|
mem[0x7fffffffccb3] = '\xff'
|
|
mem[0x7fffffffccb4] = '\xff'
|
|
mem[0x00560955] = '\x0f'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
mem[0x00560958] = '$'
|
|
mem[0x7fffffffccb9] = 'C'
|
|
mem[0x7fffffffccba] = 'e'
|
|
mem[0x7fffffffccbb] = '\x87'
|
|
mem[0x7fffffffccbc] = '\xff'
|
|
mem[0x7fffffffccbd] = '\xff'
|
|
mem[0x7fffffffccbe] = '\xff'
|
|
mem[0x7fffffffccbf] = '\xff'
|
|
cpu.XMM0 = 0xffffffff8765432100007fffffffffff
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x560955
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7fffffffccbb], '\x87')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbf], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb4], '\xff')
|
|
self.assertEqual(mem[0x560955], '\x0f')
|
|
self.assertEqual(mem[0x560956], 'W')
|
|
self.assertEqual(mem[0x560957], '\x04')
|
|
self.assertEqual(mem[0x560958], '$')
|
|
self.assertEqual(mem[0x7fffffffccb9], 'C')
|
|
self.assertEqual(mem[0x7fffffffccba], 'e')
|
|
self.assertEqual(mem[0x7fffffffccb8], '!')
|
|
self.assertEqual(mem[0x7fffffffccbc], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccbd], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccbe], '\xff')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x7f')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 5638489L)
|
|
|
|
def test_XORPS_6(self):
|
|
''' Instruction XORPS_6
|
|
Groups: sse1
|
|
0x551ec4: xorps xmm0, xmmword ptr [rsp]
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00551000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x00551ec4] = '\x0f'
|
|
mem[0x00551ec5] = 'W'
|
|
mem[0x00551ec6] = '\x04'
|
|
mem[0x00551ec7] = '$'
|
|
mem[0x7fffffffccb0] = '\x00'
|
|
mem[0x7fffffffccb1] = '\x00'
|
|
mem[0x7fffffffccb2] = '\x00'
|
|
mem[0x7fffffffccb3] = '\x80'
|
|
mem[0x7fffffffccb4] = ' '
|
|
mem[0x7fffffffccb5] = '\x00'
|
|
mem[0x7fffffffccb6] = '\x00'
|
|
mem[0x7fffffffccb7] = '\x00'
|
|
mem[0x7fffffffccb8] = ' '
|
|
mem[0x7fffffffccb9] = '\x00'
|
|
mem[0x7fffffffccba] = '\x00'
|
|
mem[0x7fffffffccbb] = '\x00'
|
|
mem[0x7fffffffccbc] = '\x00'
|
|
mem[0x7fffffffccbd] = '\x00'
|
|
mem[0x7fffffffccbe] = '\x00'
|
|
mem[0x7fffffffccbf] = '\x80'
|
|
cpu.XMM0 = 0x80000000000000200000002080000000
|
|
cpu.RSP = 0x7fffffffccb0
|
|
cpu.RIP = 0x551ec4
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x551ec4], '\x0f')
|
|
self.assertEqual(mem[0x551ec5], 'W')
|
|
self.assertEqual(mem[0x551ec6], '\x04')
|
|
self.assertEqual(mem[0x551ec7], '$')
|
|
self.assertEqual(mem[0x7fffffffccb0], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb1], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb2], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb3], '\x80')
|
|
self.assertEqual(mem[0x7fffffffccb4], ' ')
|
|
self.assertEqual(mem[0x7fffffffccb5], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb6], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb7], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccb8], ' ')
|
|
self.assertEqual(mem[0x7fffffffccb9], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccba], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbb], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbc], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbd], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbe], '\x00')
|
|
self.assertEqual(mem[0x7fffffffccbf], '\x80')
|
|
self.assertEqual(cpu.XMM0, 0)
|
|
self.assertEqual(cpu.RSP, 140737488342192L)
|
|
self.assertEqual(cpu.RIP, 5578440L)
|
|
|
|
def test_XOR_1(self):
|
|
''' Instruction XOR_1
|
|
Groups:
|
|
0x7ffff7de6223: xor eax, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6223] = '1'
|
|
mem[0x7ffff7de6224] = '\xc0'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de6223
|
|
cpu.EAX = 0xffffff00
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de6223], '1')
|
|
self.assertEqual(mem[0x7ffff7de6224], '\xc0')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351934501L)
|
|
self.assertEqual(cpu.EAX, 0L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_XOR_2(self):
|
|
''' Instruction XOR_2
|
|
Groups:
|
|
0x7ffff7de405a: xor rdx, r13
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de405a] = 'L'
|
|
mem[0x7ffff7de405b] = '1'
|
|
mem[0x7ffff7de405c] = '\xea'
|
|
cpu.PF = True
|
|
cpu.R13 = 0x7c96f087
|
|
cpu.SF = False
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de405a
|
|
cpu.RDX = 0x7c96f087
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de405a], 'L')
|
|
self.assertEqual(mem[0x7ffff7de405b], '1')
|
|
self.assertEqual(mem[0x7ffff7de405c], '\xea')
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.R13, 2090266759L)
|
|
self.assertEqual(cpu.SF, False)
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351925853L)
|
|
self.assertEqual(cpu.RDX, 0L)
|
|
|
|
def test_XOR_3(self):
|
|
''' Instruction XOR_3
|
|
Groups:
|
|
0x7ffff7df45a0: xor eax, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df45a0] = '1'
|
|
mem[0x7ffff7df45a1] = '\xc0'
|
|
cpu.OF = False
|
|
cpu.ZF = True
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7df45a0
|
|
cpu.EAX = 0xf7ff7c00
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df45a0], '1')
|
|
self.assertEqual(mem[0x7ffff7df45a1], '\xc0')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351992738L)
|
|
self.assertEqual(cpu.EAX, 0L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_XOR_4(self):
|
|
''' Instruction XOR_4
|
|
Groups:
|
|
0x7ffff7de3ff6: xor edx, edx
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3ff6] = '1'
|
|
mem[0x7ffff7de3ff7] = '\xd2'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de3ff6
|
|
cpu.PF = False
|
|
cpu.EDX = 0x3f3
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de3ff6], '1')
|
|
self.assertEqual(mem[0x7ffff7de3ff7], '\xd2')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351925752L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.EDX, 0L)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_XOR_5(self):
|
|
''' Instruction XOR_5
|
|
Groups:
|
|
0x7ffff7df40cc: xor eax, eax
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df40cc] = '1'
|
|
mem[0x7ffff7df40cd] = '\xc0'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7df40cc
|
|
cpu.EAX = 0x3c340000
|
|
cpu.PF = False
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7df40cc], '1')
|
|
self.assertEqual(mem[0x7ffff7df40cd], '\xc0')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351991502L)
|
|
self.assertEqual(cpu.EAX, 0L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_XOR_6(self):
|
|
''' Instruction XOR_6
|
|
Groups:
|
|
0x7ffff7de3699: xor r10d, r10d
|
|
'''
|
|
mem = Memory64()
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3699] = 'E'
|
|
mem[0x7ffff7de369a] = '1'
|
|
mem[0x7ffff7de369b] = '\xd2'
|
|
cpu.OF = False
|
|
cpu.ZF = False
|
|
cpu.CF = False
|
|
cpu.RIP = 0x7ffff7de3699
|
|
cpu.R10D = 0xf7a2e000
|
|
cpu.PF = True
|
|
cpu.SF = False
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
self.assertEqual(mem[0x7ffff7de3699], 'E')
|
|
self.assertEqual(mem[0x7ffff7de369a], '1')
|
|
self.assertEqual(mem[0x7ffff7de369b], '\xd2')
|
|
self.assertEqual(cpu.OF, False)
|
|
self.assertEqual(cpu.ZF, True)
|
|
self.assertEqual(cpu.CF, False)
|
|
self.assertEqual(cpu.RIP, 140737351923356L)
|
|
self.assertEqual(cpu.R10D, 0L)
|
|
self.assertEqual(cpu.PF, True)
|
|
self.assertEqual(cpu.SF, False)
|
|
|
|
def test_ADD_1_symbolic(self):
|
|
''' Instruction ADD_1
|
|
Groups:
|
|
0x7ffff7de438b: add rcx, 1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de438b] = 'H'
|
|
mem[0x7ffff7de438c] = '\x83'
|
|
mem[0x7ffff7de438d] = '\xc1'
|
|
mem[0x7ffff7de438e] = '\x01'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x7ffff7ba0aba)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de438b
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438b, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438c, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438d, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438e, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x7ffff7ba0abb)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de438f)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ADD_2_symbolic(self):
|
|
''' Instruction ADD_2
|
|
Groups:
|
|
0x7ffff7de4396: add rax, rdx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4398] = '\xd0'
|
|
mem[0x7ffff7de4396] = 'H'
|
|
mem[0x7ffff7de4397] = '\x01'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x310ef63c39)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de4396
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x65)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4398, 8)== ord('\xd0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4396, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4397, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x310ef63c9e)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4399)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x65)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ADD_3_symbolic(self):
|
|
''' Instruction ADD_3
|
|
Groups:
|
|
0x7ffff7de6128: add rdx, 0x18
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6128] = 'H'
|
|
mem[0x7ffff7de6129] = '\x83'
|
|
mem[0x7ffff7de612a] = '\xc2'
|
|
mem[0x7ffff7de612b] = '\x18'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6128
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x7ffff7a4c978)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6128, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6129, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de612a, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de612b, 8)== ord('\x18'))
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.AF == True)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de612c)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x7ffff7a4c990)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ADD_4_symbolic(self):
|
|
''' Instruction ADD_4
|
|
Groups:
|
|
0x7ffff7de3960: add r12, 1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3960] = 'I'
|
|
mem[0x7ffff7de3961] = '\x83'
|
|
mem[0x7ffff7de3962] = '\xc4'
|
|
mem[0x7ffff7de3963] = '\x01'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.R12 = cs.new_bitvec(64)
|
|
cs.add(cpu.R12 == 0x0)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de3960
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3960, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3961, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3962, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3963, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.R12 == 0x1)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3964)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ADD_5_symbolic(self):
|
|
''' Instruction ADD_5
|
|
Groups:
|
|
0x7ffff7de6124: add rax, qword ptr [rdx + 0x10]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a49000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a490d0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x25)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a490d1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5b)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a490d2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x17)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a490d3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a490d4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a490d5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a490d6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a490d7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de6124] = 'H'
|
|
mem[0x7ffff7de6125] = '\x03'
|
|
mem[0x7ffff7de6126] = 'B'
|
|
mem[0x7ffff7de6127] = '\x10'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x7ffff7a2e000)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6124
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x7ffff7a490c0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d0, 8)== ord('%'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d1, 8)== ord('['))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d2, 8)== ord('\x17'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a490d7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6124, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6125, 8)== ord('\x03'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6126, 8)== ord('B'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6127, 8)== ord('\x10'))
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7ffff7ba3b25)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6128)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x7ffff7a490c0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ADD_6_symbolic(self):
|
|
''' Instruction ADD_6
|
|
Groups:
|
|
0x7ffff7de6124: add rax, qword ptr [rdx + 0x10]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4b000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a4bcc8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xc0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a4bcc9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x88)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a4bcca)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a4bccb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a4bccc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a4bccd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a4bcce)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a4bccf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de6124] = 'H'
|
|
mem[0x7ffff7de6125] = '\x03'
|
|
mem[0x7ffff7de6126] = 'B'
|
|
mem[0x7ffff7de6127] = '\x10'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x7ffff7a2e000)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6124
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x7ffff7a4bcb8)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bcc8, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bcc9, 8)== ord('\x88'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bcca, 8)== ord('\x07'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bccb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bccc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bccd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bcce, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4bccf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6124, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6125, 8)== ord('\x03'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6126, 8)== ord('B'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6127, 8)== ord('\x10'))
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7ffff7aa68c0)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6128)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x7ffff7a4bcb8)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_AND_1_symbolic(self):
|
|
''' Instruction AND_1
|
|
Groups:
|
|
0x7ffff7b58f2f: and r9d, 0xf
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f30] = '\x83'
|
|
mem[0x7ffff7b58f31] = '\xe1'
|
|
mem[0x7ffff7b58f32] = '\x0f'
|
|
mem[0x7ffff7b58f2f] = 'A'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7b58f2f
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.R9D = cs.new_bitvec(32)
|
|
cs.add(cpu.R9D == 0x12)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f30, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f31, 8)== ord('\xe1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f32, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f2f, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f33)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.R9D == 0x2)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_AND_2_symbolic(self):
|
|
''' Instruction AND_2
|
|
Groups:
|
|
0x7ffff7aa7bd0: and edx, 0x808
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7aa7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7aa7bd0] = '\x81'
|
|
mem[0x7ffff7aa7bd1] = '\xe2'
|
|
mem[0x7ffff7aa7bd2] = '\x08'
|
|
mem[0x7ffff7aa7bd3] = '\x08'
|
|
mem[0x7ffff7aa7bd4] = '\x00'
|
|
mem[0x7ffff7aa7bd5] = '\x00'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7aa7bd0
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0xfbad2807)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa7bd0, 8)== ord('\x81'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa7bd1, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa7bd2, 8)== ord('\x08'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa7bd3, 8)== ord('\x08'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa7bd4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa7bd5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aa7bd6)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x800)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_AND_3_symbolic(self):
|
|
''' Instruction AND_3
|
|
Groups:
|
|
0x7ffff7b58f2f: and r9d, 0xf
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f30] = '\x83'
|
|
mem[0x7ffff7b58f31] = '\xe1'
|
|
mem[0x7ffff7b58f32] = '\x0f'
|
|
mem[0x7ffff7b58f2f] = 'A'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7b58f2f
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.R9D = cs.new_bitvec(32)
|
|
cs.add(cpu.R9D == 0x12)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f30, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f31, 8)== ord('\xe1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f32, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f2f, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f33)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.R9D == 0x2)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_AND_4_symbolic(self):
|
|
''' Instruction AND_4
|
|
Groups:
|
|
0x7ffff7de3930: and rax, rsi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3930] = 'H'
|
|
mem[0x7ffff7de3931] = '!'
|
|
mem[0x7ffff7de3932] = '\xf0'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x13)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x9)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x7ffff7de3930
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3930, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3931, 8)== ord('!'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3932, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x13)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x1)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3933)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_AND_5_symbolic(self):
|
|
''' Instruction AND_5
|
|
Groups:
|
|
0x7ffff7b58f2f: and r9d, 0xf
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f30] = '\x83'
|
|
mem[0x7ffff7b58f31] = '\xe1'
|
|
mem[0x7ffff7b58f32] = '\x0f'
|
|
mem[0x7ffff7b58f2f] = 'A'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7b58f2f
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.R9D = cs.new_bitvec(32)
|
|
cs.add(cpu.R9D == 0x12)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f30, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f31, 8)== ord('\xe1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f32, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f2f, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f33)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.R9D == 0x2)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_AND_6_symbolic(self):
|
|
''' Instruction AND_6
|
|
Groups:
|
|
0x7ffff7de3909: and ecx, dword ptr [rbx + 0x2f0]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ff7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de390b] = '\xf0'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ff794a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ff7949)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ff7948)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de3909] = '#'
|
|
mem[0x7ffff7de390a] = '\x8b'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ff794b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de390c] = '\x02'
|
|
mem[0x7ffff7de390d] = '\x00'
|
|
mem[0x7ffff7de390e] = '\x00'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x7ffff7ff7658)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0x1c5e843)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de3909
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ff794b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ff794a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ff7949, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ff7948, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3909, 8)== ord('#'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de390a, 8)== ord('\x8b'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de390b, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de390c, 8)== ord('\x02'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de390d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de390e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x7ffff7ff7658)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.ECX == 0x43)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de390f)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BSF_1_symbolic(self):
|
|
''' Instruction BSF_1
|
|
Groups:
|
|
0x4184cd: bsf eax, edx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x4184cd] = '\x0f'
|
|
mem[0x4184ce] = '\xbc'
|
|
mem[0x4184cf] = '\xc2'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x495045)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x80)
|
|
cpu.RIP = 0x4184cd
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184cd, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184ce, 8)== ord('\xbc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184cf, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x7)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x80)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4184d0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BSF_2_symbolic(self):
|
|
''' Instruction BSF_2
|
|
Groups:
|
|
0x4183ed: bsf eax, edx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x4183ed] = '\x0f'
|
|
mem[0x4183ee] = '\xbc'
|
|
mem[0x4183ef] = '\xc2'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x4a5301)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x5)
|
|
cpu.RIP = 0x4183ed
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4183ed, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4183ee, 8)== ord('\xbc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4183ef, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x5)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4183f0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BSF_3_symbolic(self):
|
|
''' Instruction BSF_3
|
|
Groups:
|
|
0x4184bd: bsf eax, edx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x4184bd] = '\x0f'
|
|
mem[0x4184be] = '\xbc'
|
|
mem[0x4184bf] = '\xc2'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x495085)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x80)
|
|
cpu.RIP = 0x4184bd
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184bd, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184be, 8)== ord('\xbc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184bf, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x7)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x80)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4184c0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BSF_4_symbolic(self):
|
|
''' Instruction BSF_4
|
|
Groups:
|
|
0x41850a: bsf rax, rdx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x41850a] = 'H'
|
|
mem[0x41850b] = '\x0f'
|
|
mem[0x41850c] = '\xbc'
|
|
mem[0x41850d] = '\xc2'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x41850a
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x495100)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x800200020000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x41850a, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41850b, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41850c, 8)== ord('\xbc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41850d, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x11)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x41850e)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x800200020000)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BSF_5_symbolic(self):
|
|
''' Instruction BSF_5
|
|
Groups:
|
|
0x7ffff7ab5d0a: bsf rax, rdx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab5d0a] = 'H'
|
|
mem[0x7ffff7ab5d0b] = '\x0f'
|
|
mem[0x7ffff7ab5d0c] = '\xbc'
|
|
mem[0x7ffff7ab5d0d] = '\xc2'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7ab5d0a
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x5555555549c0)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0xe0e0e0e0ee080000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5d0a, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5d0b, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5d0c, 8)== ord('\xbc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5d0d, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x13)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab5d0e)
|
|
condition = Operators.AND(condition, cpu.RDX == 0xe0e0e0e0ee080000)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BSF_6_symbolic(self):
|
|
''' Instruction BSF_6
|
|
Groups:
|
|
0x4183ed: bsf eax, edx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x4183ed] = '\x0f'
|
|
mem[0x4183ee] = '\xbc'
|
|
mem[0x4183ef] = '\xc2'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x494d05)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x80)
|
|
cpu.RIP = 0x4183ed
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4183ed, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4183ee, 8)== ord('\xbc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4183ef, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x7)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x80)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4183f0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BSR_1_symbolic(self):
|
|
''' Instruction BSR_1
|
|
Groups:
|
|
0x4008b7: bsr esi, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x4008b8] = '\xbd'
|
|
mem[0x4008b9] = '\xf6'
|
|
mem[0x4008b7] = '\x0f'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RIP = 0x4008b7
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0xf)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4008b8, 8)== ord('\xbd'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4008b9, 8)== ord('\xf6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4008b7, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x3)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4008ba)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BSR_2_symbolic(self):
|
|
''' Instruction BSR_2
|
|
Groups:
|
|
0x400907: bsr esi, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x400908] = '\xbd'
|
|
mem[0x400909] = '\xf6'
|
|
mem[0x400907] = '\x0f'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RIP = 0x400907
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0xf)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x400908, 8)== ord('\xbd'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400909, 8)== ord('\xf6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400907, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x3)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40090a)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BSR_3_symbolic(self):
|
|
''' Instruction BSR_3
|
|
Groups:
|
|
0x457ac8: bsr rsi, rsi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457ac8] = 'H'
|
|
mem[0x457ac9] = '\x0f'
|
|
mem[0x457aca] = '\xbd'
|
|
mem[0x457acb] = '\xf6'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x4100800)
|
|
cpu.RIP = 0x457ac8
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ac8, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ac9, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457aca, 8)== ord('\xbd'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457acb, 8)== ord('\xf6'))
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x1a)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457acc)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BSR_4_symbolic(self):
|
|
''' Instruction BSR_4
|
|
Groups:
|
|
0x400847: bsr esi, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x400848] = '\xbd'
|
|
mem[0x400849] = '\xf6'
|
|
mem[0x400847] = '\x0f'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RIP = 0x400847
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0xf)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x400848, 8)== ord('\xbd'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400849, 8)== ord('\xf6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400847, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x3)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40084a)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BSR_5_symbolic(self):
|
|
''' Instruction BSR_5
|
|
Groups:
|
|
0x457c18: bsr rsi, rsi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457c18] = 'H'
|
|
mem[0x457c19] = '\x0f'
|
|
mem[0x457c1a] = '\xbd'
|
|
mem[0x457c1b] = '\xf6'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x41008000)
|
|
cpu.RIP = 0x457c18
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457c18, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457c19, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457c1a, 8)== ord('\xbd'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457c1b, 8)== ord('\xf6'))
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x1e)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457c1c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BSR_6_symbolic(self):
|
|
''' Instruction BSR_6
|
|
Groups:
|
|
0x457db8: bsr rsi, rsi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457db8] = 'H'
|
|
mem[0x457db9] = '\x0f'
|
|
mem[0x457dba] = '\xbd'
|
|
mem[0x457dbb] = '\xf6'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x4100800)
|
|
cpu.RIP = 0x457db8
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457db8, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457db9, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457dba, 8)== ord('\xbd'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457dbb, 8)== ord('\xf6'))
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x1a)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457dbc)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BT_1_symbolic(self):
|
|
''' Instruction BT_1
|
|
Groups:
|
|
0x7ffff7de36b5: bt r8d, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de36b8] = '\xc0'
|
|
mem[0x7ffff7de36b5] = 'A'
|
|
mem[0x7ffff7de36b6] = '\x0f'
|
|
mem[0x7ffff7de36b7] = '\xa3'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x1)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de36b5
|
|
cpu.R8D = cs.new_bitvec(32)
|
|
cs.add(cpu.R8D == 0x467)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b8, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b5, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b6, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b7, 8)== ord('\xa3'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x1)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de36b9)
|
|
condition = Operators.AND(condition, cpu.R8D == 0x467)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BT_2_symbolic(self):
|
|
''' Instruction BT_2
|
|
Groups:
|
|
0x7ffff7de36b5: bt r8d, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de36b8] = '\xc0'
|
|
mem[0x7ffff7de36b5] = 'A'
|
|
mem[0x7ffff7de36b6] = '\x0f'
|
|
mem[0x7ffff7de36b7] = '\xa3'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x2)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de36b5
|
|
cpu.R8D = cs.new_bitvec(32)
|
|
cs.add(cpu.R8D == 0x467)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b8, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b5, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b6, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b7, 8)== ord('\xa3'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x2)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de36b9)
|
|
condition = Operators.AND(condition, cpu.R8D == 0x467)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BT_3_symbolic(self):
|
|
''' Instruction BT_3
|
|
Groups:
|
|
0x7ffff7de36b5: bt r8d, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de36b8] = '\xc0'
|
|
mem[0x7ffff7de36b5] = 'A'
|
|
mem[0x7ffff7de36b6] = '\x0f'
|
|
mem[0x7ffff7de36b7] = '\xa3'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x2)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de36b5
|
|
cpu.R8D = cs.new_bitvec(32)
|
|
cs.add(cpu.R8D == 0x467)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b8, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b5, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b6, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b7, 8)== ord('\xa3'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x2)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de36b9)
|
|
condition = Operators.AND(condition, cpu.R8D == 0x467)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BT_4_symbolic(self):
|
|
''' Instruction BT_4
|
|
Groups:
|
|
0x7ffff7de36b5: bt r8d, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de36b8] = '\xc0'
|
|
mem[0x7ffff7de36b5] = 'A'
|
|
mem[0x7ffff7de36b6] = '\x0f'
|
|
mem[0x7ffff7de36b7] = '\xa3'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x1)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de36b5
|
|
cpu.R8D = cs.new_bitvec(32)
|
|
cs.add(cpu.R8D == 0x467)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b8, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b5, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b6, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b7, 8)== ord('\xa3'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x1)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de36b9)
|
|
condition = Operators.AND(condition, cpu.R8D == 0x467)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BT_5_symbolic(self):
|
|
''' Instruction BT_5
|
|
Groups:
|
|
0x7ffff7de36b5: bt r8d, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de36b8] = '\xc0'
|
|
mem[0x7ffff7de36b5] = 'A'
|
|
mem[0x7ffff7de36b6] = '\x0f'
|
|
mem[0x7ffff7de36b7] = '\xa3'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x1)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de36b5
|
|
cpu.R8D = cs.new_bitvec(32)
|
|
cs.add(cpu.R8D == 0x467)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b8, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b5, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b6, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b7, 8)== ord('\xa3'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x1)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de36b9)
|
|
condition = Operators.AND(condition, cpu.R8D == 0x467)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_BT_6_symbolic(self):
|
|
''' Instruction BT_6
|
|
Groups:
|
|
0x7ffff7de36b5: bt r8d, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de36b8] = '\xc0'
|
|
mem[0x7ffff7de36b5] = 'A'
|
|
mem[0x7ffff7de36b6] = '\x0f'
|
|
mem[0x7ffff7de36b7] = '\xa3'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x2)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de36b5
|
|
cpu.R8D = cs.new_bitvec(32)
|
|
cs.add(cpu.R8D == 0x467)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b8, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b5, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b6, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36b7, 8)== ord('\xa3'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x2)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de36b9)
|
|
condition = Operators.AND(condition, cpu.R8D == 0x467)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CALL_1_symbolic(self):
|
|
''' Instruction CALL_1
|
|
Groups: call, mode64
|
|
0x7ffff7de447a: call 0x7ffff7de3800
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd880)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd881)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd882)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd883)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd884)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd885)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd886)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd887)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd888)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x48)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de447a] = '\xe8'
|
|
mem[0x7ffff7de447b] = '\x81'
|
|
mem[0x7ffff7de447c] = '\xf3'
|
|
mem[0x7ffff7de447d] = '\xff'
|
|
mem[0x7ffff7de447e] = '\xff'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd878)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd879)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x44)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xde)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd880)
|
|
cpu.RIP = 0x7ffff7de447a
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffd9a0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd880, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd881, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd882, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd883, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd884, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd885, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd886, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd887, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd888, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87a, 8)== ord('\xde'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87b, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd878, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd879, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447a, 8)== ord('\xe8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447b, 8)== ord('\x81'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447c, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447d, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447e, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd878)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3800)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd9a0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CALL_2_symbolic(self):
|
|
''' Instruction CALL_2
|
|
Groups: call, mode64
|
|
0x7ffff7a780e1: call qword ptr [r8 + 0x38]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7dd2000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffb000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xa2)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xa7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdbc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdbd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdbe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdbf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdc0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdc1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdc2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdc3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdc4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdc5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdc6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdc7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffbdc8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7a780e1] = 'A'
|
|
mem[0x7ffff7a780e2] = '\xff'
|
|
mem[0x7ffff7a780e3] = 'P'
|
|
mem[0x7ffff7a780e4] = '8'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd2578)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x60)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd2579)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x96)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd257a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xaa)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd257b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd257c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd257d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd257e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd257f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffbdc0)
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x7ffff7dd2540)
|
|
cpu.RIP = 0x7ffff7a780e1
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffc330)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdb8, 8)== ord('\xe5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdb9, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdba, 8)== ord('\xa7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdbb, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdbc, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdbd, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdbe, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdbf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffbdc8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a780e1, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a780e2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a780e3, 8)== ord('P'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a780e4, 8)== ord('8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd2578, 8)== ord('`'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd2579, 8)== ord('\x96'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd257a, 8)== ord('\xaa'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd257b, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd257c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd257d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd257e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd257f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.R8 == 0x7ffff7dd2540)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffbdb8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aa9660)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffc330)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CALL_3_symbolic(self):
|
|
''' Instruction CALL_3
|
|
Groups: call, mode64
|
|
0x4554b0: call 0x45c7a0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00455000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda18)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xda)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda19)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x53)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda1a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x45)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda1b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda1c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda1d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda1e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda1f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda20)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda21)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda22)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda23)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda24)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda25)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda26)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda27)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda28)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4)
|
|
mem[addr] = value
|
|
mem[0x4554b0] = '\xe8'
|
|
mem[0x4554b1] = '\xeb'
|
|
mem[0x4554b2] = 'r'
|
|
mem[0x4554b3] = '\x00'
|
|
mem[0x4554b4] = '\x00'
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffda20)
|
|
cpu.RIP = 0x4554b0
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffdad0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda18, 8)== ord('\xb5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda19, 8)== ord('T'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda1a, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda1b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda1c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda1d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda1e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda1f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda20, 8)== ord('\x06'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda21, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda22, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda23, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda24, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda25, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda26, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda27, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda28, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4554b0, 8)== ord('\xe8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4554b1, 8)== ord('\xeb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4554b2, 8)== ord('r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4554b3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4554b4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffda18)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x45c7a0)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdad0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CALL_4_symbolic(self):
|
|
''' Instruction CALL_4
|
|
Groups: call, mode64
|
|
0x7ffff7de447a: call 0x7ffff7de3800
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd880)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd881)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd882)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd883)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd884)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd885)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd886)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd887)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd888)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x48)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de447a] = '\xe8'
|
|
mem[0x7ffff7de447b] = '\x81'
|
|
mem[0x7ffff7de447c] = '\xf3'
|
|
mem[0x7ffff7de447d] = '\xff'
|
|
mem[0x7ffff7de447e] = '\xff'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd878)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd879)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x44)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xde)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd880)
|
|
cpu.RIP = 0x7ffff7de447a
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffd9a0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd880, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd881, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd882, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd883, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd884, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd885, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd886, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd887, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd888, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87a, 8)== ord('\xde'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87b, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd878, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd879, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447a, 8)== ord('\xe8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447b, 8)== ord('\x81'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447c, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447d, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de447e, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd878)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3800)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd9a0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CALL_5_symbolic(self):
|
|
''' Instruction CALL_5
|
|
Groups: call, mode64
|
|
0x7ffff7de40a6: call 0x7ffff7de3660
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd808)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xab)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd809)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd80a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xde)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd80b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd80c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd80d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd80e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd80f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd810)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xec)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd811)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd812)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd813)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd814)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd815)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd816)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd817)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd818)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xd8)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de40a6] = '\xe8'
|
|
mem[0x7ffff7de40a7] = '\xb5'
|
|
mem[0x7ffff7de40a8] = '\xf5'
|
|
mem[0x7ffff7de40a9] = '\xff'
|
|
mem[0x7ffff7de40aa] = '\xff'
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd810)
|
|
cpu.RIP = 0x7ffff7de40a6
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffd900)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd808, 8)== ord('\xab'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd809, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd80a, 8)== ord('\xde'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd80b, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd80c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd80d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd80e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd80f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd810, 8)== ord('\xec'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd811, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd812, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd813, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd814, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd815, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd816, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd817, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd818, 8)== ord('\xd8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de40a6, 8)== ord('\xe8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de40a7, 8)== ord('\xb5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de40a8, 8)== ord('\xf5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de40a9, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de40aa, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd808)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3660)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd900)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CALL_6_symbolic(self):
|
|
''' Instruction CALL_6
|
|
Groups: call, mode64
|
|
0x45f878: call 0x413490
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0045f000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb00)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb01)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x53)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb02)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4a)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb03)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb04)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb05)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb06)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb07)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb08)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf4)
|
|
mem[addr] = value
|
|
mem[0x45f878] = '\xe8'
|
|
mem[0x45f879] = '\x13'
|
|
mem[0x45f87a] = '<'
|
|
mem[0x45f87b] = '\xfb'
|
|
mem[0x45f87c] = '\xff'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x39)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf8)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdafa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x45)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdafb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdafc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdafd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdafe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaff)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffdb00)
|
|
cpu.RIP = 0x45f878
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffdb20)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb00, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb01, 8)== ord('S'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb02, 8)== ord('J'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb03, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb04, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb05, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb06, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb07, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb08, 8)== ord('\xf4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf8, 8)== ord('}'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf9, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafa, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f878, 8)== ord('\xe8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f879, 8)== ord('\x13'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f87a, 8)== ord('<'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f87b, 8)== ord('\xfb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f87c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafe, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaff, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffdaf8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x413490)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdb20)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CDQE_1_symbolic(self):
|
|
''' Instruction CDQE_1
|
|
Groups:
|
|
0x400aa0: cdqe
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x400aa0] = 'H'
|
|
mem[0x400aa1] = '\x98'
|
|
cpu.RIP = 0x400aa0
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x92)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x400aa0, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400aa1, 8)== ord('\x98'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x92)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x400aa2)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CDQE_2_symbolic(self):
|
|
''' Instruction CDQE_2
|
|
Groups:
|
|
0x400aa0: cdqe
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x400aa0] = 'H'
|
|
mem[0x400aa1] = '\x98'
|
|
cpu.RIP = 0x400aa0
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x5a)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x400aa0, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400aa1, 8)== ord('\x98'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x5a)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x400aa2)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CDQE_3_symbolic(self):
|
|
''' Instruction CDQE_3
|
|
Groups:
|
|
0x400aa0: cdqe
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x400aa0] = 'H'
|
|
mem[0x400aa1] = '\x98'
|
|
cpu.RIP = 0x400aa0
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x80)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x400aa0, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400aa1, 8)== ord('\x98'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x80)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x400aa2)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CDQE_4_symbolic(self):
|
|
''' Instruction CDQE_4
|
|
Groups:
|
|
0x400acf: cdqe
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x400ad0] = '\x98'
|
|
mem[0x400acf] = 'H'
|
|
cpu.RIP = 0x400acf
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x98)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x400ad0, 8)== ord('\x98'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400acf, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x98)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x400ad1)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CDQE_5_symbolic(self):
|
|
''' Instruction CDQE_5
|
|
Groups:
|
|
0x400aa0: cdqe
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x400aa0] = 'H'
|
|
mem[0x400aa1] = '\x98'
|
|
cpu.RIP = 0x400aa0
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x73)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x400aa0, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400aa1, 8)== ord('\x98'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x73)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x400aa2)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CDQE_6_symbolic(self):
|
|
''' Instruction CDQE_6
|
|
Groups:
|
|
0x400b07: cdqe
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x400b08] = '\x98'
|
|
mem[0x400b07] = 'H'
|
|
cpu.RIP = 0x400b07
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0xc6)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x400b08, 8)== ord('\x98'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400b07, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0xc6)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x400b09)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CLC_1_symbolic(self):
|
|
''' Instruction CLC_1
|
|
Groups:
|
|
0x46a9fc: clc
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0046a000, 0x1000, 'rwx')
|
|
mem[0x46a9fc] = '\xf8'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x46a9fc
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x46a9fc, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x46a9fd)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CLC_2_symbolic(self):
|
|
''' Instruction CLC_2
|
|
Groups:
|
|
0x7542c8: clc
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00754000, 0x1000, 'rwx')
|
|
mem[0x7542c8] = '\xf8'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x7542c8
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7542c8, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7542c9)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CLC_3_symbolic(self):
|
|
''' Instruction CLC_3
|
|
Groups:
|
|
0x4b473c: clc
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004b4000, 0x1000, 'rwx')
|
|
mem[0x4b473c] = '\xf8'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x4b473c
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4b473c, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4b473d)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CLC_4_symbolic(self):
|
|
''' Instruction CLC_4
|
|
Groups:
|
|
0x49d4dd: clc
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0049d000, 0x1000, 'rwx')
|
|
mem[0x49d4dd] = '\xf8'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x49d4dd
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x49d4dd, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x49d4de)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CLC_5_symbolic(self):
|
|
''' Instruction CLC_5
|
|
Groups:
|
|
0x4fd621: clc
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004fd000, 0x1000, 'rwx')
|
|
mem[0x4fd621] = '\xf8'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x4fd621
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4fd621, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4fd622)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CLC_6_symbolic(self):
|
|
''' Instruction CLC_6
|
|
Groups:
|
|
0x4fadef: clc
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004fa000, 0x1000, 'rwx')
|
|
mem[0x4fadef] = '\xf8'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x4fadef
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4fadef, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4fadf0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVAE_1_symbolic(self):
|
|
''' Instruction CMOVAE_1
|
|
Groups: cmov
|
|
0x4117e8: cmovae rax, r10
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem[0x4117e8] = 'I'
|
|
mem[0x4117e9] = '\x0f'
|
|
mem[0x4117ea] = 'C'
|
|
mem[0x4117eb] = '\xc2'
|
|
cpu.RIP = 0x4117e8
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x20)
|
|
cpu.R10 = cs.new_bitvec(64)
|
|
cs.add(cpu.R10 == 0x20)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4117e8, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4117e9, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4117ea, 8)== ord('C'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4117eb, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x20)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4117ec)
|
|
condition = Operators.AND(condition, cpu.R10 == 0x20)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVAE_2_symbolic(self):
|
|
''' Instruction CMOVAE_2
|
|
Groups: cmov
|
|
0x414318: cmovae rax, r10
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00414000, 0x1000, 'rwx')
|
|
mem[0x414318] = 'I'
|
|
mem[0x414319] = '\x0f'
|
|
mem[0x41431a] = 'C'
|
|
mem[0x41431b] = '\xc2'
|
|
cpu.RIP = 0x414318
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x20)
|
|
cpu.R10 = cs.new_bitvec(64)
|
|
cs.add(cpu.R10 == 0x20)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x414318, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x414319, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41431a, 8)== ord('C'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41431b, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x20)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x41431c)
|
|
condition = Operators.AND(condition, cpu.R10 == 0x20)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVAE_3_symbolic(self):
|
|
''' Instruction CMOVAE_3
|
|
Groups: cmov
|
|
0x5555555662c8: cmovae rdx, rbx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555566000, 0x1000, 'rwx')
|
|
mem[0x5555555662c8] = 'H'
|
|
mem[0x5555555662c9] = '\x0f'
|
|
mem[0x5555555662ca] = 'C'
|
|
mem[0x5555555662cb] = '\xd3'
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0xffffffffffffffff)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x5555555662c8
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x7)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555662c8, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555662c9, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555662ca, 8)== ord('C'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555662cb, 8)== ord('\xd3'))
|
|
condition = Operators.AND(condition, cpu.RDX == 0x7)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5555555662cc)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x7)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVAE_4_symbolic(self):
|
|
''' Instruction CMOVAE_4
|
|
Groups: cmov
|
|
0x411778: cmovae rax, r10
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem[0x411778] = 'I'
|
|
mem[0x411779] = '\x0f'
|
|
mem[0x41177a] = 'C'
|
|
mem[0x41177b] = '\xc2'
|
|
cpu.RIP = 0x411778
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x20)
|
|
cpu.R10 = cs.new_bitvec(64)
|
|
cs.add(cpu.R10 == 0x4a0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x411778, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411779, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41177a, 8)== ord('C'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41177b, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x4a0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x41177c)
|
|
condition = Operators.AND(condition, cpu.R10 == 0x4a0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVAE_5_symbolic(self):
|
|
''' Instruction CMOVAE_5
|
|
Groups: cmov
|
|
0x411778: cmovae rax, r10
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem[0x411778] = 'I'
|
|
mem[0x411779] = '\x0f'
|
|
mem[0x41177a] = 'C'
|
|
mem[0x41177b] = '\xc2'
|
|
cpu.RIP = 0x411778
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x20)
|
|
cpu.R10 = cs.new_bitvec(64)
|
|
cs.add(cpu.R10 == 0x20)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x411778, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411779, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41177a, 8)== ord('C'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41177b, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x20)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x41177c)
|
|
condition = Operators.AND(condition, cpu.R10 == 0x20)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVAE_6_symbolic(self):
|
|
''' Instruction CMOVAE_6
|
|
Groups: cmov
|
|
0x411b58: cmovae rax, r10
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem[0x411b58] = 'I'
|
|
mem[0x411b59] = '\x0f'
|
|
mem[0x411b5a] = 'C'
|
|
mem[0x411b5b] = '\xc2'
|
|
cpu.RIP = 0x411b58
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x20)
|
|
cpu.R10 = cs.new_bitvec(64)
|
|
cs.add(cpu.R10 == 0x50)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x411b58, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411b59, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411b5a, 8)== ord('C'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411b5b, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x50)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x411b5c)
|
|
condition = Operators.AND(condition, cpu.R10 == 0x50)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVA_1_symbolic(self):
|
|
''' Instruction CMOVA_1
|
|
Groups: cmov
|
|
0x7ffff7de0ab0: cmova rax, r8
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de0ab0] = 'I'
|
|
mem[0x7ffff7de0ab1] = '\x0f'
|
|
mem[0x7ffff7de0ab2] = 'G'
|
|
mem[0x7ffff7de0ab3] = '\xc0'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7de0ab0
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x7ffff7dd9398)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x7ffff7dd5000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0ab0, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0ab1, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0ab2, 8)== ord('G'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0ab3, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.R8 == 0x7ffff7dd9398)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7ffff7dd5000)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de0ab4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVA_2_symbolic(self):
|
|
''' Instruction CMOVA_2
|
|
Groups: cmov
|
|
0x7ffff7a9d404: cmova rbx, rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a9d000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a9d404] = 'H'
|
|
mem[0x7ffff7a9d405] = '\x0f'
|
|
mem[0x7ffff7a9d406] = 'G'
|
|
mem[0x7ffff7a9d407] = '\xd8'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7a9d404
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x7fffffff)
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x14)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a9d404, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a9d405, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a9d406, 8)== ord('G'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a9d407, 8)== ord('\xd8'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7fffffff)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a9d408)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x14)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVA_3_symbolic(self):
|
|
''' Instruction CMOVA_3
|
|
Groups: cmov
|
|
0x4082a4: cmova rbx, rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00408000, 0x1000, 'rwx')
|
|
mem[0x4082a4] = 'H'
|
|
mem[0x4082a5] = '\x0f'
|
|
mem[0x4082a6] = 'G'
|
|
mem[0x4082a7] = '\xd8'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x4082a4
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x7fffffff)
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0xb)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4082a4, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4082a5, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4082a6, 8)== ord('G'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4082a7, 8)== ord('\xd8'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7fffffff)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4082a8)
|
|
condition = Operators.AND(condition, cpu.RBX == 0xb)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVA_4_symbolic(self):
|
|
''' Instruction CMOVA_4
|
|
Groups: cmov
|
|
0x41462a: cmova rdx, r13
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00414000, 0x1000, 'rwx')
|
|
mem[0x41462a] = 'I'
|
|
mem[0x41462b] = '\x0f'
|
|
mem[0x41462c] = 'G'
|
|
mem[0x41462d] = '\xd5'
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x4a0)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R13 = cs.new_bitvec(64)
|
|
cs.add(cpu.R13 == 0x21df0)
|
|
cpu.RIP = 0x41462a
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x41462a, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41462b, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41462c, 8)== ord('G'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41462d, 8)== ord('\xd5'))
|
|
condition = Operators.AND(condition, cpu.RDX == 0x4a0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x41462e)
|
|
condition = Operators.AND(condition, cpu.R13 == 0x21df0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVA_5_symbolic(self):
|
|
''' Instruction CMOVA_5
|
|
Groups: cmov
|
|
0x41424a: cmova rdx, r13
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00414000, 0x1000, 'rwx')
|
|
mem[0x41424a] = 'I'
|
|
mem[0x41424b] = '\x0f'
|
|
mem[0x41424c] = 'G'
|
|
mem[0x41424d] = '\xd5'
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x4a0)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R13 = cs.new_bitvec(64)
|
|
cs.add(cpu.R13 == 0x21df0)
|
|
cpu.RIP = 0x41424a
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x41424a, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41424b, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41424c, 8)== ord('G'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41424d, 8)== ord('\xd5'))
|
|
condition = Operators.AND(condition, cpu.RDX == 0x4a0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x41424e)
|
|
condition = Operators.AND(condition, cpu.R13 == 0x21df0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVA_6_symbolic(self):
|
|
''' Instruction CMOVA_6
|
|
Groups: cmov
|
|
0x4142ba: cmova rdx, r13
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00414000, 0x1000, 'rwx')
|
|
mem[0x4142ba] = 'I'
|
|
mem[0x4142bb] = '\x0f'
|
|
mem[0x4142bc] = 'G'
|
|
mem[0x4142bd] = '\xd5'
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x4a0)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R13 = cs.new_bitvec(64)
|
|
cs.add(cpu.R13 == 0x21df0)
|
|
cpu.RIP = 0x4142ba
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4142ba, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4142bb, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4142bc, 8)== ord('G'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4142bd, 8)== ord('\xd5'))
|
|
condition = Operators.AND(condition, cpu.RDX == 0x4a0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4142be)
|
|
condition = Operators.AND(condition, cpu.R13 == 0x21df0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVBE_1_symbolic(self):
|
|
''' Instruction CMOVBE_1
|
|
Groups: cmov
|
|
0x40d233: cmovbe rbx, r14
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040d000, 0x1000, 'rwx')
|
|
mem[0x40d233] = 'I'
|
|
mem[0x40d234] = '\x0f'
|
|
mem[0x40d235] = 'F'
|
|
mem[0x40d236] = '\xde'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x1000)
|
|
cpu.R14 = cs.new_bitvec(64)
|
|
cs.add(cpu.R14 == 0x20)
|
|
cpu.RIP = 0x40d233
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x40d233, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40d234, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40d235, 8)== ord('F'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40d236, 8)== ord('\xde'))
|
|
condition = Operators.AND(condition, cpu.R14 == 0x20)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40d237)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x20)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVBE_2_symbolic(self):
|
|
''' Instruction CMOVBE_2
|
|
Groups: cmov
|
|
0x7ffff7aa96b3: cmovbe rbx, r14
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7aa9000, 0x1000, 'rwx')
|
|
mem[0x7ffff7aa96b3] = 'I'
|
|
mem[0x7ffff7aa96b4] = '\x0f'
|
|
mem[0x7ffff7aa96b5] = 'F'
|
|
mem[0x7ffff7aa96b6] = '\xde'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x2000)
|
|
cpu.R14 = cs.new_bitvec(64)
|
|
cs.add(cpu.R14 == 0x4)
|
|
cpu.RIP = 0x7ffff7aa96b3
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b3, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b4, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b5, 8)== ord('F'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b6, 8)== ord('\xde'))
|
|
condition = Operators.AND(condition, cpu.R14 == 0x4)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aa96b7)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVBE_3_symbolic(self):
|
|
''' Instruction CMOVBE_3
|
|
Groups: cmov
|
|
0x7ffff7aa96b3: cmovbe rbx, r14
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7aa9000, 0x1000, 'rwx')
|
|
mem[0x7ffff7aa96b3] = 'I'
|
|
mem[0x7ffff7aa96b4] = '\x0f'
|
|
mem[0x7ffff7aa96b5] = 'F'
|
|
mem[0x7ffff7aa96b6] = '\xde'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x1000)
|
|
cpu.R14 = cs.new_bitvec(64)
|
|
cs.add(cpu.R14 == 0x13)
|
|
cpu.RIP = 0x7ffff7aa96b3
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b3, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b4, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b5, 8)== ord('F'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b6, 8)== ord('\xde'))
|
|
condition = Operators.AND(condition, cpu.R14 == 0x13)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aa96b7)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x13)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVBE_4_symbolic(self):
|
|
''' Instruction CMOVBE_4
|
|
Groups: cmov
|
|
0x40d263: cmovbe rbx, r14
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040d000, 0x1000, 'rwx')
|
|
mem[0x40d263] = 'I'
|
|
mem[0x40d264] = '\x0f'
|
|
mem[0x40d265] = 'F'
|
|
mem[0x40d266] = '\xde'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x1000)
|
|
cpu.R14 = cs.new_bitvec(64)
|
|
cs.add(cpu.R14 == 0x13)
|
|
cpu.RIP = 0x40d263
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x40d263, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40d264, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40d265, 8)== ord('F'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40d266, 8)== ord('\xde'))
|
|
condition = Operators.AND(condition, cpu.R14 == 0x13)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40d267)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x13)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVBE_5_symbolic(self):
|
|
''' Instruction CMOVBE_5
|
|
Groups: cmov
|
|
0x7ffff7aa96b3: cmovbe rbx, r14
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7aa9000, 0x1000, 'rwx')
|
|
mem[0x7ffff7aa96b3] = 'I'
|
|
mem[0x7ffff7aa96b4] = '\x0f'
|
|
mem[0x7ffff7aa96b5] = 'F'
|
|
mem[0x7ffff7aa96b6] = '\xde'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x1000)
|
|
cpu.R14 = cs.new_bitvec(64)
|
|
cs.add(cpu.R14 == 0x13)
|
|
cpu.RIP = 0x7ffff7aa96b3
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b3, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b4, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b5, 8)== ord('F'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96b6, 8)== ord('\xde'))
|
|
condition = Operators.AND(condition, cpu.R14 == 0x13)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aa96b7)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x13)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVBE_6_symbolic(self):
|
|
''' Instruction CMOVBE_6
|
|
Groups: cmov
|
|
0x40fde3: cmovbe rbx, r14
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040f000, 0x1000, 'rwx')
|
|
mem[0x40fde3] = 'I'
|
|
mem[0x40fde4] = '\x0f'
|
|
mem[0x40fde5] = 'F'
|
|
mem[0x40fde6] = '\xde'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x1000)
|
|
cpu.R14 = cs.new_bitvec(64)
|
|
cs.add(cpu.R14 == 0x240)
|
|
cpu.RIP = 0x40fde3
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x40fde3, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40fde4, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40fde5, 8)== ord('F'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40fde6, 8)== ord('\xde'))
|
|
condition = Operators.AND(condition, cpu.R14 == 0x240)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40fde7)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x240)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVB_1_symbolic(self):
|
|
''' Instruction CMOVB_1
|
|
Groups: cmov
|
|
0x7ffff7deb97f: cmovb r12d, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7deb000, 0x1000, 'rwx')
|
|
mem[0x7ffff7deb980] = '\x0f'
|
|
mem[0x7ffff7deb981] = 'B'
|
|
mem[0x7ffff7deb982] = '\xe0'
|
|
mem[0x7ffff7deb97f] = 'D'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0xa)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7deb97f
|
|
cpu.R12D = cs.new_bitvec(32)
|
|
cs.add(cpu.R12D == 0x1a)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb980, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb981, 8)== ord('B'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb982, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb97f, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0xa)
|
|
condition = Operators.AND(condition, cpu.R12D == 0x1a)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7deb983)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVB_2_symbolic(self):
|
|
''' Instruction CMOVB_2
|
|
Groups: cmov
|
|
0x7ffff7df45ad: cmovb eax, ecx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df45ad] = '\x0f'
|
|
mem[0x7ffff7df45ae] = 'B'
|
|
mem[0x7ffff7df45af] = '\xc1'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x1)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x7ffff7df45ad
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0xffffffff)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ad, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ae, 8)== ord('B'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45af, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0xffffffff)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df45b0)
|
|
condition = Operators.AND(condition, cpu.ECX == 0xffffffff)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVB_3_symbolic(self):
|
|
''' Instruction CMOVB_3
|
|
Groups: cmov
|
|
0x7ffff7df45ad: cmovb eax, ecx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df45ad] = '\x0f'
|
|
mem[0x7ffff7df45ae] = 'B'
|
|
mem[0x7ffff7df45af] = '\xc1'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x1)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7df45ad
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0xffffffff)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ad, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ae, 8)== ord('B'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45af, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x1)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df45b0)
|
|
condition = Operators.AND(condition, cpu.ECX == 0xffffffff)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVB_4_symbolic(self):
|
|
''' Instruction CMOVB_4
|
|
Groups: cmov
|
|
0x7ffff7deb97f: cmovb r12d, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7deb000, 0x1000, 'rwx')
|
|
mem[0x7ffff7deb980] = '\x0f'
|
|
mem[0x7ffff7deb981] = 'B'
|
|
mem[0x7ffff7deb982] = '\xe0'
|
|
mem[0x7ffff7deb97f] = 'D'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x12)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7deb97f
|
|
cpu.R12D = cs.new_bitvec(32)
|
|
cs.add(cpu.R12D == 0x1a)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb980, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb981, 8)== ord('B'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb982, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb97f, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x12)
|
|
condition = Operators.AND(condition, cpu.R12D == 0x1a)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7deb983)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVB_5_symbolic(self):
|
|
''' Instruction CMOVB_5
|
|
Groups: cmov
|
|
0x7ffff7df45ad: cmovb eax, ecx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df45ad] = '\x0f'
|
|
mem[0x7ffff7df45ae] = 'B'
|
|
mem[0x7ffff7df45af] = '\xc1'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x1)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7df45ad
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0xffffffff)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ad, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ae, 8)== ord('B'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45af, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x1)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df45b0)
|
|
condition = Operators.AND(condition, cpu.ECX == 0xffffffff)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVB_6_symbolic(self):
|
|
''' Instruction CMOVB_6
|
|
Groups: cmov
|
|
0x7ffff7df45ad: cmovb eax, ecx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df45ad] = '\x0f'
|
|
mem[0x7ffff7df45ae] = 'B'
|
|
mem[0x7ffff7df45af] = '\xc1'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x1)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7df45ad
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0xffffffff)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ad, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45ae, 8)== ord('B'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45af, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x1)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df45b0)
|
|
condition = Operators.AND(condition, cpu.ECX == 0xffffffff)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVE_1_symbolic(self):
|
|
''' Instruction CMOVE_1
|
|
Groups: cmov
|
|
0x7ffff7de625e: cmove r8, rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6260] = 'D'
|
|
mem[0x7ffff7de6261] = '\xc0'
|
|
mem[0x7ffff7de625e] = 'L'
|
|
mem[0x7ffff7de625f] = '\x0f'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x7ffff7ff7c48)
|
|
cpu.RIP = 0x7ffff7de625e
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6260, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6261, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625e, 8)== ord('L'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625f, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.R8 == 0x7ffff7ff7c48)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6262)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVE_2_symbolic(self):
|
|
''' Instruction CMOVE_2
|
|
Groups: cmov
|
|
0x415f05: cmove rax, rdx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00415000, 0x1000, 'rwx')
|
|
mem[0x415f08] = '\xc2'
|
|
mem[0x415f05] = 'H'
|
|
mem[0x415f06] = '\x0f'
|
|
mem[0x415f07] = 'D'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x415f05
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x6e01c0)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x415f08, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x415f05, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x415f06, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x415f07, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x6e01c0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x415f09)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVE_3_symbolic(self):
|
|
''' Instruction CMOVE_3
|
|
Groups: cmov
|
|
0x7ffff7de625e: cmove r8, rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6260] = 'D'
|
|
mem[0x7ffff7de6261] = '\xc0'
|
|
mem[0x7ffff7de625e] = 'L'
|
|
mem[0x7ffff7de625f] = '\x0f'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x7ffff7ff7c48)
|
|
cpu.RIP = 0x7ffff7de625e
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6260, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6261, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625e, 8)== ord('L'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625f, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.R8 == 0x7ffff7ff7c48)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6262)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVE_4_symbolic(self):
|
|
''' Instruction CMOVE_4
|
|
Groups: cmov
|
|
0x7ffff7df2822: cmove rdi, qword ptr [rip + 0x20b886]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df2000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ffe000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df2822] = 'H'
|
|
mem[0x7ffff7df2823] = '\x0f'
|
|
mem[0x7ffff7df2824] = 'D'
|
|
mem[0x7ffff7df2825] = '='
|
|
mem[0x7ffff7df2826] = '\x86'
|
|
mem[0x7ffff7df2827] = '\xb8'
|
|
mem[0x7ffff7df2828] = ' '
|
|
mem[0x7ffff7df2829] = '\x00'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe0b0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x30)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe0b1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe0b2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe0b3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe0b4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe0b5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe0b6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe0b7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7ffff7fd8000)
|
|
cpu.RIP = 0x7ffff7df2822
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2822, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2823, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2824, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2825, 8)== ord('='))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2826, 8)== ord('\x86'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2827, 8)== ord('\xb8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2828, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df2829, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b0, 8)== ord('0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b1, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b3, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe0b7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7ffff7fd8000)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df282a)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVE_5_symbolic(self):
|
|
''' Instruction CMOVE_5
|
|
Groups: cmov
|
|
0x7ffff7de625e: cmove r8, rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6260] = 'D'
|
|
mem[0x7ffff7de6261] = '\xc0'
|
|
mem[0x7ffff7de625e] = 'L'
|
|
mem[0x7ffff7de625f] = '\x0f'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x7ffff7ff7c48)
|
|
cpu.RIP = 0x7ffff7de625e
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6260, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6261, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625e, 8)== ord('L'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625f, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.R8 == 0x7ffff7ff7c48)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6262)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVE_6_symbolic(self):
|
|
''' Instruction CMOVE_6
|
|
Groups: cmov
|
|
0x7ffff7de625e: cmove r8, rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6260] = 'D'
|
|
mem[0x7ffff7de6261] = '\xc0'
|
|
mem[0x7ffff7de625e] = 'L'
|
|
mem[0x7ffff7de625f] = '\x0f'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x7ffff7ff7c48)
|
|
cpu.RIP = 0x7ffff7de625e
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6260, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6261, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625e, 8)== ord('L'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de625f, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.R8 == 0x7ffff7ff7c48)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6262)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVNE_1_symbolic(self):
|
|
''' Instruction CMOVNE_1
|
|
Groups: cmov
|
|
0x462435: cmovne rbx, rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00462000, 0x1000, 'rwx')
|
|
mem[0x462438] = '\xd8'
|
|
mem[0x462435] = 'H'
|
|
mem[0x462436] = '\x0f'
|
|
mem[0x462437] = 'E'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RIP = 0x462435
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x4a5441)
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x6bf6b0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x462438, 8)== ord('\xd8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x462435, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x462436, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x462437, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x4a5441)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x462439)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x6bf6b0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVNE_2_symbolic(self):
|
|
''' Instruction CMOVNE_2
|
|
Groups: cmov
|
|
0x7ffff7de5776: cmovne r14d, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5778] = 'E'
|
|
mem[0x7ffff7de5779] = '\xf0'
|
|
mem[0x7ffff7de5776] = 'D'
|
|
mem[0x7ffff7de5777] = '\x0f'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x10)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.R14D = cs.new_bitvec(32)
|
|
cs.add(cpu.R14D == 0x0)
|
|
cpu.RIP = 0x7ffff7de5776
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5778, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5779, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5776, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5777, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x10)
|
|
condition = Operators.AND(condition, cpu.R14D == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de577a)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVNE_3_symbolic(self):
|
|
''' Instruction CMOVNE_3
|
|
Groups: cmov
|
|
0x7ffff7de57f6: cmovne rbx, rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de57f8] = 'E'
|
|
mem[0x7ffff7de57f9] = '\xd8'
|
|
mem[0x7ffff7de57f6] = 'H'
|
|
mem[0x7ffff7de57f7] = '\x0f'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7de57f6
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x7ffff7ff7640)
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x7ffff7ff7af1)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de57f8, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de57f9, 8)== ord('\xd8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de57f6, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de57f7, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7ffff7ff7640)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de57fa)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x7ffff7ff7640)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVNE_4_symbolic(self):
|
|
''' Instruction CMOVNE_4
|
|
Groups: cmov
|
|
0x457ba4: cmovne rsi, rdx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457ba4] = 'H'
|
|
mem[0x457ba5] = '\x0f'
|
|
mem[0x457ba6] = 'E'
|
|
mem[0x457ba7] = '\xf2'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x8201000080201021)
|
|
cpu.RIP = 0x457ba4
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x41008000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ba4, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ba5, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ba6, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ba7, 8)== ord('\xf2'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0x41008000)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457ba8)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x41008000)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVNE_5_symbolic(self):
|
|
''' Instruction CMOVNE_5
|
|
Groups: cmov
|
|
0x7ffff7de0910: cmovne esi, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de0910] = '\x0f'
|
|
mem[0x7ffff7de0911] = 'E'
|
|
mem[0x7ffff7de0912] = '\xf0'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x1)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7de0910
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0910, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0911, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0912, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x1)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x1)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de0913)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVNE_6_symbolic(self):
|
|
''' Instruction CMOVNE_6
|
|
Groups: cmov
|
|
0x457db0: cmovne rcx, rdi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457db0] = 'H'
|
|
mem[0x457db1] = '\x0f'
|
|
mem[0x457db2] = 'E'
|
|
mem[0x457db3] = '\xcf'
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x7fffffffe01b)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffe040)
|
|
cpu.RIP = 0x457db0
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457db0, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457db1, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457db2, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457db3, 8)== ord('\xcf'))
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffe040)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x7fffffffe040)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457db4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVNS_1_symbolic(self):
|
|
''' Instruction CMOVNS_1
|
|
Groups: cmov
|
|
0x448555: cmovns rax, r11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00448000, 0x1000, 'rwx')
|
|
mem[0x448558] = '\xc3'
|
|
mem[0x448555] = 'I'
|
|
mem[0x448556] = '\x0f'
|
|
mem[0x448557] = 'I'
|
|
cpu.RIP = 0x448555
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
cpu.R11 = cs.new_bitvec(64)
|
|
cs.add(cpu.R11 == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x448558, 8)== ord('\xc3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x448555, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x448556, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x448557, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x448559)
|
|
condition = Operators.AND(condition, cpu.R11 == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMOVNS_2_symbolic(self):
|
|
''' Instruction CMOVNS_2
|
|
Groups: cmov
|
|
0x448555: cmovns rax, r11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00448000, 0x1000, 'rwx')
|
|
mem[0x448558] = '\xc3'
|
|
mem[0x448555] = 'I'
|
|
mem[0x448556] = '\x0f'
|
|
mem[0x448557] = 'I'
|
|
cpu.RIP = 0x448555
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
cpu.R11 = cs.new_bitvec(64)
|
|
cs.add(cpu.R11 == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x448558, 8)== ord('\xc3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x448555, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x448556, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x448557, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x448559)
|
|
condition = Operators.AND(condition, cpu.R11 == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPSB_1_symbolic(self):
|
|
''' Instruction CMPSB_1
|
|
Groups:
|
|
0x40065b: repe cmpsb byte ptr [rsi], byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem.mmap(0x00491000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda80)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5a)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda81)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xed)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda82)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xcf)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda83)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xc2)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491604)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5a)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491605)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491606)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x52)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491607)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491608)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5a)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491609)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49160a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49160b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4d)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda87)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda86)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x94)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda84)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xc0)
|
|
mem[addr] = value
|
|
mem[0x40065b] = '\xf3'
|
|
mem[0x40065c] = '\xa6'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda85)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xe0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x491604)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x7)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffda80)
|
|
cpu.RIP = 0x40065b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda80, 8)== ord('Z'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda81, 8)== ord('\xed'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda82, 8)== ord('\xcf'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda83, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491604, 8)== ord('Z'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491605, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491606, 8)== ord('R'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491607, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491608, 8)== ord('Z'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491609, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49160a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49160b, 8)== ord('M'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda87, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda86, 8)== ord('\x94'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda84, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40065b, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40065c, 8)== ord('\xa6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda85, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x6)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x491605)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda81)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40065b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPSB_2_symbolic(self):
|
|
''' Instruction CMPSB_2
|
|
Groups:
|
|
0x400657: repe cmpsb byte ptr [rsi], byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem.mmap(0x00491000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffe000, 0x1000, 'rwx')
|
|
mem[0x400658] = '\xa6'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe06a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x61)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe06b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x72)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe06c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x67)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe06d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x31)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe06e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe06f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x61)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe070)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x72)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe071)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x67)
|
|
mem[addr] = value
|
|
mem[0x400657] = '\xf3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491818)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x2d)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491819)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x64)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49181a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49181b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x73)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49181c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x74)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49181d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x75)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49181e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x66)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491817)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x2d)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x491817)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0xa)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffe06a)
|
|
cpu.RIP = 0x400657
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06b, 8)== ord('r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe071, 8)== ord('g'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06a, 8)== ord('a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400657, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06c, 8)== ord('g'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06d, 8)== ord('1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06f, 8)== ord('a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe070, 8)== ord('r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491818, 8)== ord('-'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491817, 8)== ord('-'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400658, 8)== ord('\xa6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491819, 8)== ord('d'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49181a, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49181b, 8)== ord('s'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49181c, 8)== ord('t'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49181d, 8)== ord('u'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49181e, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x9)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x491818)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffe06b)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x400659)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPSB_3_symbolic(self):
|
|
''' Instruction CMPSB_3
|
|
Groups:
|
|
0x40065b: repe cmpsb byte ptr [rsi], byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem.mmap(0x00491000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda81)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xed)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda82)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xcf)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda83)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xc2)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda84)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xc0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491605)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491606)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x52)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491607)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491608)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5a)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491609)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49160a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49160b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4d)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49160c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x65)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda86)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x94)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda88)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xea)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda87)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
mem[0x40065b] = '\xf3'
|
|
mem[0x40065c] = '\xa6'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda85)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xe0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x491605)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x6)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffda81)
|
|
cpu.RIP = 0x40065b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda81, 8)== ord('\xed'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda82, 8)== ord('\xcf'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda83, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda84, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491605, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491606, 8)== ord('R'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491607, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491608, 8)== ord('Z'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491609, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49160a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49160b, 8)== ord('M'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49160c, 8)== ord('e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda86, 8)== ord('\x94'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\xea'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda87, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40065b, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40065c, 8)== ord('\xa6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda85, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x5)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x491606)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda82)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40065d)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPSB_4_symbolic(self):
|
|
''' Instruction CMPSB_4
|
|
Groups:
|
|
0x400657: repe cmpsb byte ptr [rsi], byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem.mmap(0x00491000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffe000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe065)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x61)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe066)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x72)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe067)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x67)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe068)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x31)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe069)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe06a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x61)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe06b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x72)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe06c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x67)
|
|
mem[addr] = value
|
|
mem[0x400658] = '\xa6'
|
|
mem[0x400657] = '\xf3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491818)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x2d)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491819)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x64)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49181a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49181b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x73)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49181c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x74)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49181d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x75)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49181e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x66)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x491817)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x2d)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x491817)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0xa)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffe065)
|
|
cpu.RIP = 0x400657
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06b, 8)== ord('r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe065, 8)== ord('a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe066, 8)== ord('r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe067, 8)== ord('g'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe068, 8)== ord('1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe069, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06a, 8)== ord('a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400657, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe06c, 8)== ord('g'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491818, 8)== ord('-'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491817, 8)== ord('-'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400658, 8)== ord('\xa6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x491819, 8)== ord('d'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49181a, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49181b, 8)== ord('s'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49181c, 8)== ord('t'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49181d, 8)== ord('u'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49181e, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x9)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x491818)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffe066)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x400659)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPSB_5_symbolic(self):
|
|
''' Instruction CMPSB_5
|
|
Groups:
|
|
0x55555555478b: repe cmpsb byte ptr [rsi], byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda80)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xc6)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda81)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xd9)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda82)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x50)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda83)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x25)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda84)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xc1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda85)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xe2)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda86)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xc9)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda87)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
mem[0x55555555478b] = '\xf3'
|
|
mem[0x55555555478c] = '\xa6'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x555555554998)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5a)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x555555554999)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555555499a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x52)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555555499b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555555499c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5a)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555555499d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555555499e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555555499f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4d)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x555555554998)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x7)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffda80)
|
|
cpu.RIP = 0x55555555478b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda80, 8)== ord('\xc6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda81, 8)== ord('\xd9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda82, 8)== ord('P'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda83, 8)== ord('%'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda84, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda85, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda86, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda87, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555555478b, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555555478c, 8)== ord('\xa6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555554998, 8)== ord('Z'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555554999, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555555499a, 8)== ord('R'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555555499b, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555555499c, 8)== ord('Z'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555555499d, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555555499e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555555499f, 8)== ord('M'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x6)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x555555554999)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda81)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x55555555478d)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPSB_6_symbolic(self):
|
|
''' Instruction CMPSB_6
|
|
Groups:
|
|
0x5555555548c0: repe cmpsb byte ptr [rsi], byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x5555555548c0] = '\xf3'
|
|
mem[0x5555555548c1] = '\xa6'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda82)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xd2)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda83)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xd0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda84)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda85)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1c)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda86)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x28)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda81)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x5555555549a8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5a)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x5555555549a9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x5555555549aa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x52)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x5555555549ab)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x5555555549ac)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5a)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x5555555549ad)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x5555555549ae)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x5555555549af)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4d)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda87)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x50)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda80)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x91)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x5555555549a8)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x7)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffda80)
|
|
cpu.RIP = 0x5555555548c0
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555548c0, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555548c1, 8)== ord('\xa6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda82, 8)== ord('\xd2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda83, 8)== ord('\xd0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda84, 8)== ord('\x1f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda85, 8)== ord('\x1c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda86, 8)== ord('('))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda81, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555549a8, 8)== ord('Z'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555549a9, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555549aa, 8)== ord('R'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda87, 8)== ord('P'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555549ac, 8)== ord('Z'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555549ad, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555549ae, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555549af, 8)== ord('M'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda80, 8)== ord('\x91'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555549ab, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x6)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x5555555549a9)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda81)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5555555548c2)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPXCHG8B_1_symbolic(self):
|
|
''' Instruction CMPXCHG8B_1
|
|
Groups:
|
|
0x5c68cb: lock cmpxchg8b qword ptr [rsp + 4]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x005c6000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x5c68cb] = '\xf0'
|
|
mem[0x5c68cc] = '\x0f'
|
|
mem[0x5c68cd] = '\xc7'
|
|
mem[0x5c68ce] = 'L'
|
|
mem[0x5c68cf] = '$'
|
|
mem[0x5c68d0] = '\x04'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.EBX = cs.new_bitvec(32)
|
|
cs.add(cpu.EBX == 0x80000001)
|
|
cpu.RIP = 0x5c68cb
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x80000001)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x8001)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0x80)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x5c68cb, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5c68cc, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5c68cd, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5c68ce, 8)== ord('L'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5c68cf, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5c68d0, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5c68d1)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x80)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x8001)
|
|
condition = Operators.AND(condition, cpu.EBX == 0x80000001)
|
|
condition = Operators.AND(condition, cpu.ECX == 0x80)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPXCHG8B_2_symbolic(self):
|
|
''' Instruction CMPXCHG8B_2
|
|
Groups:
|
|
0x5861a9: lock cmpxchg8b qword ptr [rsp]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00586000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x5861a9] = '\xf0'
|
|
mem[0x5861aa] = '\x0f'
|
|
mem[0x5861ab] = '\xc7'
|
|
mem[0x5861ac] = '\x0c'
|
|
mem[0x5861ad] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
cpu.EBX = cs.new_bitvec(32)
|
|
cs.add(cpu.EBX == 0x80000000)
|
|
cpu.RIP = 0x5861a9
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x80000000)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0xffffffff)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0x80000000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x5861a9, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5861aa, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5861ab, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5861ac, 8)== ord('\x0c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5861ad, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5861ae)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x80000000)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x80000000)
|
|
condition = Operators.AND(condition, cpu.EBX == 0x80000000)
|
|
condition = Operators.AND(condition, cpu.ECX == 0x80000000)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPXCHG8B_3_symbolic(self):
|
|
''' Instruction CMPXCHG8B_3
|
|
Groups:
|
|
0x58de05: lock cmpxchg8b qword ptr [rsp]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0058d000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x58de05] = '\xf0'
|
|
mem[0x58de06] = '\x0f'
|
|
mem[0x58de07] = '\xc7'
|
|
mem[0x58de08] = '\x0c'
|
|
mem[0x58de09] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.EBX = cs.new_bitvec(32)
|
|
cs.add(cpu.EBX == 0x80000001)
|
|
cpu.RIP = 0x58de05
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x80000001)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x21)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0x40)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x58de05, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x58de06, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x58de07, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x58de08, 8)== ord('\x0c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x58de09, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x58de0a)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x80000001)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x40)
|
|
condition = Operators.AND(condition, cpu.EBX == 0x80000001)
|
|
condition = Operators.AND(condition, cpu.ECX == 0x40)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPXCHG8B_4_symbolic(self):
|
|
''' Instruction CMPXCHG8B_4
|
|
Groups:
|
|
0x59b473: lock cmpxchg8b qword ptr [rsp]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0059b000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x59b476] = '\x0c'
|
|
mem[0x59b477] = '$'
|
|
mem[0x59b473] = '\xf0'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
mem[0x59b474] = '\x0f'
|
|
mem[0x59b475] = '\xc7'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.EBX = cs.new_bitvec(32)
|
|
cs.add(cpu.EBX == 0xffffffff)
|
|
cpu.RIP = 0x59b473
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0xffffffff)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x80)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0x80)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x59b473, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x59b474, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x59b475, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x59b476, 8)== ord('\x0c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x59b477, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x59b478)
|
|
condition = Operators.AND(condition, cpu.EAX == 0xffffffff)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x80)
|
|
condition = Operators.AND(condition, cpu.EBX == 0xffffffff)
|
|
condition = Operators.AND(condition, cpu.ECX == 0x80)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPXCHG8B_5_symbolic(self):
|
|
''' Instruction CMPXCHG8B_5
|
|
Groups:
|
|
0x624e14: lock cmpxchg8b qword ptr [rsp + 8]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00624000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x624e14] = '\xf0'
|
|
mem[0x624e15] = '\x0f'
|
|
mem[0x624e16] = '\xc7'
|
|
mem[0x624e17] = 'L'
|
|
mem[0x624e18] = '$'
|
|
mem[0x624e19] = '\x08'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.EBX = cs.new_bitvec(32)
|
|
cs.add(cpu.EBX == 0x40)
|
|
cpu.RIP = 0x624e14
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x40)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x80000000)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0x8001)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x624e14, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x624e15, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x624e16, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x624e17, 8)== ord('L'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x624e18, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x624e19, 8)== ord('\x08'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x624e1a)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x80000000)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x40)
|
|
condition = Operators.AND(condition, cpu.EBX == 0x40)
|
|
condition = Operators.AND(condition, cpu.ECX == 0x8001)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPXCHG8B_6_symbolic(self):
|
|
''' Instruction CMPXCHG8B_6
|
|
Groups:
|
|
0x5bfa73: lock cmpxchg8b qword ptr [rsp + 4]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x005bf000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
mem[0x5bfa76] = 'L'
|
|
mem[0x5bfa77] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
mem[0x5bfa73] = '\xf0'
|
|
mem[0x5bfa74] = '\x0f'
|
|
mem[0x5bfa75] = '\xc7'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x5bfa78] = '\x04'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
cpu.EBX = cs.new_bitvec(32)
|
|
cs.add(cpu.EBX == 0x80000000)
|
|
cpu.RIP = 0x5bfa73
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x80000000)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x7f)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0x8001)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5bfa78, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5bfa73, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5bfa75, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5bfa76, 8)== ord('L'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5bfa77, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5bfa74, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5bfa79)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x8001)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x7f)
|
|
condition = Operators.AND(condition, cpu.EBX == 0x80000000)
|
|
condition = Operators.AND(condition, cpu.ECX == 0x8001)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPXCHG_1_symbolic(self):
|
|
''' Instruction CMPXCHG_1
|
|
Groups:
|
|
0x7ffff7a65367: cmpxchg dword ptr [rip + 0x36fde2], esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a65000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7dd5000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd5150)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd5151)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd5152)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd5153)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7a65367] = '\x0f'
|
|
mem[0x7ffff7a65368] = '\xb1'
|
|
mem[0x7ffff7a65369] = '5'
|
|
mem[0x7ffff7a6536a] = '\xe2'
|
|
mem[0x7ffff7a6536b] = '\xfd'
|
|
mem[0x7ffff7a6536c] = '6'
|
|
mem[0x7ffff7a6536d] = '\x00'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x1)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7a65367
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5150, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5151, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5152, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5153, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65367, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65368, 8)== ord('\xb1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65369, 8)== ord('5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6536a, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6536b, 8)== ord('\xfd'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6536c, 8)== ord('6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6536d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x1)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a6536e)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPXCHG_2_symbolic(self):
|
|
''' Instruction CMPXCHG_2
|
|
Groups:
|
|
0x40abbf: cmpxchg dword ptr [rdx], esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040a000, 0x1000, 'rwx')
|
|
mem.mmap(0x006be000, 0x1000, 'rwx')
|
|
mem[0x40abc0] = '\xb1'
|
|
mem[0x40abc1] = '2'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6be762)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6be763)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6be761)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6be760)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x40abbf] = '\x0f'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x1)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x40abbf
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x6be760)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x40abc0, 8)== ord('\xb1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40abc1, 8)== ord('2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6be762, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6be763, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6be761, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40abbf, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6be760, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x1)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40abc2)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x6be760)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPXCHG_3_symbolic(self):
|
|
''' Instruction CMPXCHG_3
|
|
Groups:
|
|
0x413646: cmpxchg dword ptr [rbx], esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00413000, 0x1000, 'rwx')
|
|
mem.mmap(0x006b9000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6b9840)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6b9841)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6b9842)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6b9843)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x413646] = '\x0f'
|
|
mem[0x413647] = '\xb1'
|
|
mem[0x413648] = '3'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x1)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x6b9840)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x413646
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x6b9840, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6b9841, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6b9842, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6b9843, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x413646, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x413647, 8)== ord('\xb1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x413648, 8)== ord('3'))
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x1)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x6b9840)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x413649)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPXCHG_4_symbolic(self):
|
|
''' Instruction CMPXCHG_4
|
|
Groups:
|
|
0x435a25: cmpxchg qword ptr [rdx], rdi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00435000, 0x1000, 'rwx')
|
|
mem.mmap(0x006bd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6bd380)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6bd381)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6bd382)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6bd383)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6bd384)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6bd385)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6bd386)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6bd387)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x435a25] = 'H'
|
|
mem[0x435a26] = '\x0f'
|
|
mem[0x435a27] = '\xb1'
|
|
mem[0x435a28] = ':'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x6bb7c0)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x435a25
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x6bd380)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x6bd380, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6bd381, 8)== ord('\xb7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6bd382, 8)== ord('k'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6bd383, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6bd384, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6bd385, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6bd386, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6bd387, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x435a25, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x435a26, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x435a27, 8)== ord('\xb1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x435a28, 8)== ord(':'))
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x6bb7c0)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x435a29)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x6bd380)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPXCHG_5_symbolic(self):
|
|
''' Instruction CMPXCHG_5
|
|
Groups:
|
|
0x41086e: cmpxchg dword ptr [rdx], ecx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00410000, 0x1000, 'rwx')
|
|
mem.mmap(0x006be000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6be760)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6be761)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6be762)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x6be763)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x41086e] = '\x0f'
|
|
mem[0x41086f] = '\xb1'
|
|
mem[0x410870] = '\n'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0x1)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x41086e
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x6be760)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x6be760, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6be761, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6be762, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6be763, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41086e, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41086f, 8)== ord('\xb1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x410870, 8)== ord('\n'))
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.ECX == 0x1)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x410871)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x6be760)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMPXCHG_6_symbolic(self):
|
|
''' Instruction CMPXCHG_6
|
|
Groups:
|
|
0x7ffff7aafa06: cmpxchg dword ptr [rbx], esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7aaf000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7dd3000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd3b80)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd3b81)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd3b82)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd3b83)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7aafa06] = '\x0f'
|
|
mem[0x7ffff7aafa07] = '\xb1'
|
|
mem[0x7ffff7aafa08] = '3'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x1)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x7ffff7dd3b80)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7aafa06
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd3b80, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd3b81, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd3b82, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd3b83, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aafa06, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aafa07, 8)== ord('\xb1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aafa08, 8)== ord('3'))
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x1)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x7ffff7dd3b80)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aafa09)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMP_1_symbolic(self):
|
|
''' Instruction CMP_1
|
|
Groups:
|
|
0x7ffff7b58f43: cmp r12, r9
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f43] = 'M'
|
|
mem[0x7ffff7b58f44] = '9'
|
|
mem[0x7ffff7b58f45] = '\xcc'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.R12 = cs.new_bitvec(64)
|
|
cs.add(cpu.R12 == 0x7ffff7ab0f80)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7b58f43
|
|
cpu.R9 = cs.new_bitvec(64)
|
|
cs.add(cpu.R9 == 0x7ffff7b23c00)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f43, 8)== ord('M'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f44, 8)== ord('9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f45, 8)== ord('\xcc'))
|
|
condition = Operators.AND(condition, cpu.SF == True)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.R12 == 0x7ffff7ab0f80)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f46)
|
|
condition = Operators.AND(condition, cpu.R9 == 0x7ffff7b23c00)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMP_2_symbolic(self):
|
|
''' Instruction CMP_2
|
|
Groups:
|
|
0x406e1d: cmp r14w, word ptr [rbx]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffe000, 0x1000, 'rwx')
|
|
mem[0x406e20] = '3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffee69)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x57)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffee6a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x49)
|
|
mem[addr] = value
|
|
mem[0x406e1d] = 'f'
|
|
mem[0x406e1e] = 'D'
|
|
mem[0x406e1f] = ';'
|
|
cpu.R14W = cs.new_bitvec(16)
|
|
cs.add(cpu.R14W == 0x444c)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x7fffffffee69)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x406e1d
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x406e20, 8)== ord('3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffee69, 8)== ord('W'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffee6a, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406e1d, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406e1e, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406e1f, 8)== ord(';'))
|
|
condition = Operators.AND(condition, cpu.R14W == 0x444c)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x7fffffffee69)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x406e21)
|
|
condition = Operators.AND(condition, cpu.SF == True)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMP_3_symbolic(self):
|
|
''' Instruction CMP_3
|
|
Groups:
|
|
0x40d167: cmp eax, 0xff
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040d000, 0x1000, 'rwx')
|
|
mem[0x40d168] = '\xf8'
|
|
mem[0x40d169] = '\xff'
|
|
mem[0x40d167] = '\x83'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x1)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x40d167
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x40d168, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40d169, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40d167, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x1)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.AF == True)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40d16a)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMP_4_symbolic(self):
|
|
''' Instruction CMP_4
|
|
Groups:
|
|
0x7ffff7de4488: cmp qword ptr [rbp - 0x90], 0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9a0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xe0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9a1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4d)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9a2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xa3)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9a3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9a4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9a5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9a6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9a7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de4488] = 'H'
|
|
mem[0x7ffff7de4489] = '\x83'
|
|
mem[0x7ffff7de448a] = '\xbd'
|
|
mem[0x7ffff7de448b] = 'p'
|
|
mem[0x7ffff7de448c] = '\xff'
|
|
mem[0x7ffff7de448d] = '\xff'
|
|
mem[0x7ffff7de448e] = '\xff'
|
|
mem[0x7ffff7de448f] = '\x00'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de4488
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffda30)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a0, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a1, 8)== ord('M'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a2, 8)== ord('\xa3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a3, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4488, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4489, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de448a, 8)== ord('\xbd'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de448b, 8)== ord('p'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de448c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de448d, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de448e, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de448f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4490)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffda30)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMP_5_symbolic(self):
|
|
''' Instruction CMP_5
|
|
Groups:
|
|
0x7ffff7de6111: cmp rax, 0x26
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6111] = 'H'
|
|
mem[0x7ffff7de6112] = '\x83'
|
|
mem[0x7ffff7de6113] = '\xf8'
|
|
mem[0x7ffff7de6114] = '&'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x8)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6111
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6111, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6112, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6113, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6114, 8)== ord('&'))
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x8)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6115)
|
|
condition = Operators.AND(condition, cpu.SF == True)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CMP_6_symbolic(self):
|
|
''' Instruction CMP_6
|
|
Groups:
|
|
0x7ffff7de620b: cmp r12, 0x24
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de620b] = 'I'
|
|
mem[0x7ffff7de620c] = '\x83'
|
|
mem[0x7ffff7de620d] = '\xfc'
|
|
mem[0x7ffff7de620e] = '$'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.R12 = cs.new_bitvec(64)
|
|
cs.add(cpu.R12 == 0x6)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de620b
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620b, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620c, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620d, 8)== ord('\xfc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620e, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.R12 == 0x6)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de620f)
|
|
condition = Operators.AND(condition, cpu.SF == True)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CQO_1_symbolic(self):
|
|
''' Instruction CQO_1
|
|
Groups:
|
|
0x400794: cqo
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x400794] = 'H'
|
|
mem[0x400795] = '\x99'
|
|
cpu.RIP = 0x400794
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x600000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x400794, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400795, 8)== ord('\x99'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x600000)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x400796)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CQO_2_symbolic(self):
|
|
''' Instruction CQO_2
|
|
Groups:
|
|
0x4006d4: cqo
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x4006d4] = 'H'
|
|
mem[0x4006d5] = '\x99'
|
|
cpu.RIP = 0x4006d4
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x600000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4006d4, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4006d5, 8)== ord('\x99'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x600000)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4006d6)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CQO_3_symbolic(self):
|
|
''' Instruction CQO_3
|
|
Groups:
|
|
0x7ffff7a4e234: cqo
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4e234] = 'H'
|
|
mem[0x7ffff7a4e235] = '\x99'
|
|
cpu.RIP = 0x7ffff7a4e234
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x600000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e234, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e235, 8)== ord('\x99'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x600000)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4e236)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CQO_4_symbolic(self):
|
|
''' Instruction CQO_4
|
|
Groups:
|
|
0x7ffff7a4e234: cqo
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4e234] = 'H'
|
|
mem[0x7ffff7a4e235] = '\x99'
|
|
cpu.RIP = 0x7ffff7a4e234
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x600000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e234, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e235, 8)== ord('\x99'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x600000)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4e236)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CQO_5_symbolic(self):
|
|
''' Instruction CQO_5
|
|
Groups:
|
|
0x4006d4: cqo
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x4006d4] = 'H'
|
|
mem[0x4006d5] = '\x99'
|
|
cpu.RIP = 0x4006d4
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x600000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4006d4, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4006d5, 8)== ord('\x99'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x600000)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4006d6)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_CQO_6_symbolic(self):
|
|
''' Instruction CQO_6
|
|
Groups:
|
|
0x7ffff7a4e234: cqo
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4e234] = 'H'
|
|
mem[0x7ffff7a4e235] = '\x99'
|
|
cpu.RIP = 0x7ffff7a4e234
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x600000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e234, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e235, 8)== ord('\x99'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x600000)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4e236)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_DEC_1_symbolic(self):
|
|
''' Instruction DEC_1
|
|
Groups: mode64
|
|
0x41e10a: dec ecx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0041e000, 0x1000, 'rwx')
|
|
mem[0x41e10a] = '\xff'
|
|
mem[0x41e10b] = '\xc9'
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x41e10a
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0xd)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x41e10a, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41e10b, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x41e10c)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.ECX == 0xc)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_DEC_2_symbolic(self):
|
|
''' Instruction DEC_2
|
|
Groups: mode64
|
|
0x7ffff7df462c: dec ecx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df462c] = '\xff'
|
|
mem[0x7ffff7df462d] = '\xc9'
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7df462c
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0x4)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462d, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df462e)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.ECX == 0x3)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_DEC_3_symbolic(self):
|
|
''' Instruction DEC_3
|
|
Groups: mode64
|
|
0x7ffff7df462c: dec ecx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df462c] = '\xff'
|
|
mem[0x7ffff7df462d] = '\xc9'
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7df462c
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0x2)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462d, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df462e)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.ECX == 0x1)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_DEC_4_symbolic(self):
|
|
''' Instruction DEC_4
|
|
Groups: mode64
|
|
0x7ffff7a65448: dec dword ptr [rip + 0x36fd02]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a65000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7dd5000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd5150)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd5151)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd5152)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd5153)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7a65448] = '\xff'
|
|
mem[0x7ffff7a65449] = '\r'
|
|
mem[0x7ffff7a6544a] = '\x02'
|
|
mem[0x7ffff7a6544b] = '\xfd'
|
|
mem[0x7ffff7a6544c] = '6'
|
|
mem[0x7ffff7a6544d] = '\x00'
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RIP = 0x7ffff7a65448
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5150, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5151, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5152, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd5153, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65448, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65449, 8)== ord('\r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6544a, 8)== ord('\x02'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6544b, 8)== ord('\xfd'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6544c, 8)== ord('6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6544d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a6544e)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_DEC_5_symbolic(self):
|
|
''' Instruction DEC_5
|
|
Groups: mode64
|
|
0x7ffff7df462c: dec ecx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df462c] = '\xff'
|
|
mem[0x7ffff7df462d] = '\xc9'
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7df462c
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0x4)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462d, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df462e)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.ECX == 0x3)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_DEC_6_symbolic(self):
|
|
''' Instruction DEC_6
|
|
Groups: mode64
|
|
0x7ffff7df462c: dec ecx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df462c] = '\xff'
|
|
mem[0x7ffff7df462d] = '\xc9'
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7df462c
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0x1)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df462d, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df462e)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.ECX == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_DIV_1_symbolic(self):
|
|
''' Instruction DIV_1
|
|
Groups:
|
|
0x7ffff7de3ff8: div rcx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3ff8] = 'H'
|
|
mem[0x7ffff7de3ff9] = '\xf7'
|
|
mem[0x7ffff7de3ffa] = '\xf1'
|
|
cpu.RIP = 0x7ffff7de3ff8
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x3f3)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x3de00ec7)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff8, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff9, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ffa, 8)== ord('\xf1'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0xfaaef)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x3f3)
|
|
condition = Operators.AND(condition, cpu.RDX == 0xea)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3ffb)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_DIV_2_symbolic(self):
|
|
''' Instruction DIV_2
|
|
Groups:
|
|
0x7ffff7de3ff8: div rcx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3ff8] = 'H'
|
|
mem[0x7ffff7de3ff9] = '\xf7'
|
|
mem[0x7ffff7de3ffa] = '\xf1'
|
|
cpu.RIP = 0x7ffff7de3ff8
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x3f3)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x3de00ec7)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff8, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff9, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ffa, 8)== ord('\xf1'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0xfaaef)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x3f3)
|
|
condition = Operators.AND(condition, cpu.RDX == 0xea)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3ffb)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_DIV_3_symbolic(self):
|
|
''' Instruction DIV_3
|
|
Groups:
|
|
0x7ffff7de3ff8: div rcx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3ff8] = 'H'
|
|
mem[0x7ffff7de3ff9] = '\xf7'
|
|
mem[0x7ffff7de3ffa] = '\xf1'
|
|
cpu.RIP = 0x7ffff7de3ff8
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x3f3)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x9e7650bc)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff8, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff9, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ffa, 8)== ord('\xf1'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x281ffc)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x3f3)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x88)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3ffb)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_DIV_4_symbolic(self):
|
|
''' Instruction DIV_4
|
|
Groups:
|
|
0x7ffff7de3ff8: div rcx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3ff8] = 'H'
|
|
mem[0x7ffff7de3ff9] = '\xf7'
|
|
mem[0x7ffff7de3ffa] = '\xf1'
|
|
cpu.RIP = 0x7ffff7de3ff8
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x3f3)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x10a8b550)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff8, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff9, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ffa, 8)== ord('\xf1'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x437e2)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x3f3)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x3ca)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3ffb)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_DIV_5_symbolic(self):
|
|
''' Instruction DIV_5
|
|
Groups:
|
|
0x7ffff7de3ff8: div rcx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3ff8] = 'H'
|
|
mem[0x7ffff7de3ff9] = '\xf7'
|
|
mem[0x7ffff7de3ffa] = '\xf1'
|
|
cpu.RIP = 0x7ffff7de3ff8
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x32)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x3cbc6423)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff8, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff9, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ffa, 8)== ord('\xf1'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x136f7c3)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x32)
|
|
condition = Operators.AND(condition, cpu.RDX == 0xd)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3ffb)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_DIV_6_symbolic(self):
|
|
''' Instruction DIV_6
|
|
Groups:
|
|
0x7ffff7de3ff8: div rcx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3ff8] = 'H'
|
|
mem[0x7ffff7de3ff9] = '\xf7'
|
|
mem[0x7ffff7de3ffa] = '\xf1'
|
|
cpu.RIP = 0x7ffff7de3ff8
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x3f3)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x2e8912d8)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff8, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff9, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ffa, 8)== ord('\xf1'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0xbc890)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x3f3)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x228)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3ffb)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_IDIV_1_symbolic(self):
|
|
''' Instruction IDIV_1
|
|
Groups:
|
|
0x7ffff7a4e236: idiv r8
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4e238] = '\xf8'
|
|
mem[0x7ffff7a4e236] = 'I'
|
|
mem[0x7ffff7a4e237] = '\xf7'
|
|
cpu.RIP = 0x7ffff7a4e236
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x8)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x600000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e238, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e236, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e237, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0xc0000)
|
|
condition = Operators.AND(condition, cpu.R8 == 0x8)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4e239)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_IDIV_2_symbolic(self):
|
|
''' Instruction IDIV_2
|
|
Groups:
|
|
0x4006d6: idiv r8
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x4006d8] = '\xf8'
|
|
mem[0x4006d6] = 'I'
|
|
mem[0x4006d7] = '\xf7'
|
|
cpu.RIP = 0x4006d6
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x8)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x600000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4006d8, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4006d6, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4006d7, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0xc0000)
|
|
condition = Operators.AND(condition, cpu.R8 == 0x8)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4006d9)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_IDIV_3_symbolic(self):
|
|
''' Instruction IDIV_3
|
|
Groups:
|
|
0x7ffff7a4e236: idiv r8
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4e238] = '\xf8'
|
|
mem[0x7ffff7a4e236] = 'I'
|
|
mem[0x7ffff7a4e237] = '\xf7'
|
|
cpu.RIP = 0x7ffff7a4e236
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x8)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x600000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e238, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e236, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e237, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0xc0000)
|
|
condition = Operators.AND(condition, cpu.R8 == 0x8)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4e239)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_IDIV_4_symbolic(self):
|
|
''' Instruction IDIV_4
|
|
Groups:
|
|
0x4006d6: idiv r8
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x4006d8] = '\xf8'
|
|
mem[0x4006d6] = 'I'
|
|
mem[0x4006d7] = '\xf7'
|
|
cpu.RIP = 0x4006d6
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x8)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x600000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4006d8, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4006d6, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4006d7, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0xc0000)
|
|
condition = Operators.AND(condition, cpu.R8 == 0x8)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4006d9)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_IDIV_5_symbolic(self):
|
|
''' Instruction IDIV_5
|
|
Groups:
|
|
0x4006d6: idiv r8
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x4006d8] = '\xf8'
|
|
mem[0x4006d6] = 'I'
|
|
mem[0x4006d7] = '\xf7'
|
|
cpu.RIP = 0x4006d6
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x8)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x600000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4006d8, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4006d6, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4006d7, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0xc0000)
|
|
condition = Operators.AND(condition, cpu.R8 == 0x8)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4006d9)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_IDIV_6_symbolic(self):
|
|
''' Instruction IDIV_6
|
|
Groups:
|
|
0x7ffff7a4e236: idiv r8
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4e238] = '\xf8'
|
|
mem[0x7ffff7a4e236] = 'I'
|
|
mem[0x7ffff7a4e237] = '\xf7'
|
|
cpu.RIP = 0x7ffff7a4e236
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x8)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x600000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e238, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e236, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e237, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0xc0000)
|
|
condition = Operators.AND(condition, cpu.R8 == 0x8)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4e239)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_IMUL_1_symbolic(self):
|
|
''' Instruction IMUL_1
|
|
Groups:
|
|
0x7ffff7acfec4: imul eax, edx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7acf000, 0x1000, 'rwx')
|
|
mem[0x7ffff7acfec4] = '\x0f'
|
|
mem[0x7ffff7acfec5] = '\xaf'
|
|
mem[0x7ffff7acfec6] = '\xc2'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7acfec4
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x1)
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x600000)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x1)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x600000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfec4, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfec5, 8)== ord('\xaf'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfec6, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7acfec7)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x1)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x600000)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x1)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x600000)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_IMUL_2_symbolic(self):
|
|
''' Instruction IMUL_2
|
|
Groups:
|
|
0x7ffff7acfeb3: imul eax, edx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7acf000, 0x1000, 'rwx')
|
|
mem[0x7ffff7acfeb3] = '\x0f'
|
|
mem[0x7ffff7acfeb4] = '\xaf'
|
|
mem[0x7ffff7acfeb5] = '\xc2'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7acfeb3
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x8)
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x40)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x8)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x40)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfeb3, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfeb4, 8)== ord('\xaf'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfeb5, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7acfeb6)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x8)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x200)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x8)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x200)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_IMUL_3_symbolic(self):
|
|
''' Instruction IMUL_3
|
|
Groups:
|
|
0x43230c: imul edx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x43230c] = '\xf7'
|
|
mem[0x43230d] = '\xea'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x43230c
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x55555556)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x55555556)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x3)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x43230c, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43230d, 8)== ord('\xea'))
|
|
condition = Operators.AND(condition, cpu.OF == True)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x43230e)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x1)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x1)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x2)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_IMUL_4_symbolic(self):
|
|
''' Instruction IMUL_4
|
|
Groups:
|
|
0x43230c: imul edx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x43230c] = '\xf7'
|
|
mem[0x43230d] = '\xea'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x43230c
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x55555556)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x55555556)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x3)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x43230c, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43230d, 8)== ord('\xea'))
|
|
condition = Operators.AND(condition, cpu.OF == True)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x43230e)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x1)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x1)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x2)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_IMUL_5_symbolic(self):
|
|
''' Instruction IMUL_5
|
|
Groups:
|
|
0x41403c: imul r12, rsi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00414000, 0x1000, 'rwx')
|
|
mem[0x41403c] = 'L'
|
|
mem[0x41403d] = '\x0f'
|
|
mem[0x41403e] = '\xaf'
|
|
mem[0x41403f] = '\xe6'
|
|
cpu.R12 = cs.new_bitvec(64)
|
|
cs.add(cpu.R12 == 0x491)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x1)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x491)
|
|
cpu.RIP = 0x41403c
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0xffffffff)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x41403c, 8)== ord('L'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41403d, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41403e, 8)== ord('\xaf'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41403f, 8)== ord('\xe6'))
|
|
condition = Operators.AND(condition, cpu.R12 == 0x491)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x1)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x414040)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x491)
|
|
condition = Operators.AND(condition, cpu.RAX == 0xffffffff)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_IMUL_6_symbolic(self):
|
|
''' Instruction IMUL_6
|
|
Groups:
|
|
0x413fdc: imul r12, rsi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00413000, 0x1000, 'rwx')
|
|
mem[0x413fdc] = 'L'
|
|
mem[0x413fdd] = '\x0f'
|
|
mem[0x413fde] = '\xaf'
|
|
mem[0x413fdf] = '\xe6'
|
|
cpu.R12 = cs.new_bitvec(64)
|
|
cs.add(cpu.R12 == 0x491)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x1)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x491)
|
|
cpu.RIP = 0x413fdc
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0xffffffff)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x413fdc, 8)== ord('L'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x413fdd, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x413fde, 8)== ord('\xaf'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x413fdf, 8)== ord('\xe6'))
|
|
condition = Operators.AND(condition, cpu.R12 == 0x491)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x1)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x413fe0)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x491)
|
|
condition = Operators.AND(condition, cpu.RAX == 0xffffffff)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_INC_1_symbolic(self):
|
|
''' Instruction INC_1
|
|
Groups:
|
|
0x7ffff7df4596: inc rdi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4598] = '\xc7'
|
|
mem[0x7ffff7df4596] = 'H'
|
|
mem[0x7ffff7df4597] = '\xff'
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RIP = 0x7ffff7df4596
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7ffff7a44729)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4598, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4596, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4597, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4599)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7ffff7a4472a)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_INC_2_symbolic(self):
|
|
''' Instruction INC_2
|
|
Groups:
|
|
0x7ffff7df4596: inc rdi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4598] = '\xc7'
|
|
mem[0x7ffff7df4596] = 'H'
|
|
mem[0x7ffff7df4597] = '\xff'
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RIP = 0x7ffff7df4596
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7ffff7dda5ec)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4598, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4596, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4597, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4599)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7ffff7dda5ed)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_INC_3_symbolic(self):
|
|
''' Instruction INC_3
|
|
Groups:
|
|
0x7ffff7df4599: inc rsi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4599] = 'H'
|
|
mem[0x7ffff7df459a] = '\xff'
|
|
mem[0x7ffff7df459b] = '\xc6'
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7ffff7a4472a)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7df4599
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4599, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459a, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459b, 8)== ord('\xc6'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7ffff7a4472b)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df459c)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_INC_4_symbolic(self):
|
|
''' Instruction INC_4
|
|
Groups:
|
|
0x7ffff7df4596: inc rdi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4598] = '\xc7'
|
|
mem[0x7ffff7df4596] = 'H'
|
|
mem[0x7ffff7df4597] = '\xff'
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RIP = 0x7ffff7df4596
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7ffff7a4472e)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4598, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4596, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4597, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4599)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7ffff7a4472f)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_INC_5_symbolic(self):
|
|
''' Instruction INC_5
|
|
Groups:
|
|
0x7ffff7df4599: inc rsi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4599] = 'H'
|
|
mem[0x7ffff7df459a] = '\xff'
|
|
mem[0x7ffff7df459b] = '\xc6'
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x555555554cbb)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7df4599
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4599, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459a, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459b, 8)== ord('\xc6'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0x555555554cbc)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df459c)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_INC_6_symbolic(self):
|
|
''' Instruction INC_6
|
|
Groups:
|
|
0x7ffff7df4599: inc rsi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4599] = 'H'
|
|
mem[0x7ffff7df459a] = '\xff'
|
|
mem[0x7ffff7df459b] = '\xc6'
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7ffff7a44726)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7df4599
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4599, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459a, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459b, 8)== ord('\xc6'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7ffff7a44727)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df459c)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JAE_1_symbolic(self):
|
|
''' Instruction JAE_1
|
|
Groups: jump
|
|
0x7ffff7aa96ab: jae 0x7ffff7aa96e8
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7aa9000, 0x1000, 'rwx')
|
|
mem[0x7ffff7aa96ab] = 's'
|
|
mem[0x7ffff7aa96ac] = ';'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x7ffff7aa96ab
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96ab, 8)== ord('s'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aa96ac, 8)== ord(';'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aa96ad)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JAE_2_symbolic(self):
|
|
''' Instruction JAE_2
|
|
Groups: jump
|
|
0x400c11: jae 0x400c69
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x400c11] = 's'
|
|
mem[0x400c12] = 'V'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x400c11
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x400c11, 8)== ord('s'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400c12, 8)== ord('V'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x400c69)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JAE_3_symbolic(self):
|
|
''' Instruction JAE_3
|
|
Groups: jump
|
|
0x432400: jae 0x432440
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432400] = 's'
|
|
mem[0x432401] = '>'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x432400
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432400, 8)== ord('s'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432401, 8)== ord('>'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432402)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JAE_4_symbolic(self):
|
|
''' Instruction JAE_4
|
|
Groups: jump
|
|
0x411d5b: jae 0x412155
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem[0x411d60] = '\x00'
|
|
mem[0x411d5b] = '\x0f'
|
|
mem[0x411d5c] = '\x83'
|
|
mem[0x411d5d] = '\xf4'
|
|
mem[0x411d5e] = '\x03'
|
|
mem[0x411d5f] = '\x00'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x411d5b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x411d60, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411d5b, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411d5c, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411d5d, 8)== ord('\xf4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411d5e, 8)== ord('\x03'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411d5f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x412155)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JAE_5_symbolic(self):
|
|
''' Instruction JAE_5
|
|
Groups: jump
|
|
0x7ffff7b58f5d: jae 0x7ffff7b58f00
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f5d] = 's'
|
|
mem[0x7ffff7b58f5e] = '\xa1'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7b58f5d
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f5d, 8)== ord('s'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f5e, 8)== ord('\xa1'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f00)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JAE_6_symbolic(self):
|
|
''' Instruction JAE_6
|
|
Groups: jump
|
|
0x400b82: jae 0x400b9f
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x400b82] = 's'
|
|
mem[0x400b83] = '\x1b'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x400b82
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x400b82, 8)== ord('s'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400b83, 8)== ord('\x1b'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x400b84)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JA_1_symbolic(self):
|
|
''' Instruction JA_1
|
|
Groups: jump
|
|
0x7ffff7de6132: ja 0x7ffff7de6108
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6132] = 'w'
|
|
mem[0x7ffff7de6133] = '\xd4'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6132
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6132, 8)== ord('w'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6133, 8)== ord('\xd4'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6108)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JA_2_symbolic(self):
|
|
''' Instruction JA_2
|
|
Groups: jump
|
|
0x7ffff7ddf066: ja 0x7ffff7ddf0b2
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddf000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddf066] = 'w'
|
|
mem[0x7ffff7ddf067] = 'J'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x7ffff7ddf066
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddf066, 8)== ord('w'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddf067, 8)== ord('J'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddf068)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JA_3_symbolic(self):
|
|
''' Instruction JA_3
|
|
Groups: jump
|
|
0x7ffff7de6132: ja 0x7ffff7de6108
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6132] = 'w'
|
|
mem[0x7ffff7de6133] = '\xd4'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6132
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6132, 8)== ord('w'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6133, 8)== ord('\xd4'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6108)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JA_4_symbolic(self):
|
|
''' Instruction JA_4
|
|
Groups: jump
|
|
0x7ffff7de6132: ja 0x7ffff7de6108
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6132] = 'w'
|
|
mem[0x7ffff7de6133] = '\xd4'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6132
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6132, 8)== ord('w'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6133, 8)== ord('\xd4'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6108)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JA_5_symbolic(self):
|
|
''' Instruction JA_5
|
|
Groups: jump
|
|
0x7ffff7de6132: ja 0x7ffff7de6108
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6132] = 'w'
|
|
mem[0x7ffff7de6133] = '\xd4'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6132
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6132, 8)== ord('w'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6133, 8)== ord('\xd4'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6108)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JA_6_symbolic(self):
|
|
''' Instruction JA_6
|
|
Groups: jump
|
|
0x7ffff7de6132: ja 0x7ffff7de6108
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6132] = 'w'
|
|
mem[0x7ffff7de6133] = '\xd4'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6132
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6132, 8)== ord('w'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6133, 8)== ord('\xd4'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6108)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JBE_1_symbolic(self):
|
|
''' Instruction JBE_1
|
|
Groups: jump
|
|
0x41188d: jbe 0x411ec0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem[0x41188d] = '\x0f'
|
|
mem[0x41188e] = '\x86'
|
|
mem[0x41188f] = '-'
|
|
mem[0x411890] = '\x06'
|
|
mem[0x411891] = '\x00'
|
|
mem[0x411892] = '\x00'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x41188d
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x41188d, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41188e, 8)== ord('\x86'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41188f, 8)== ord('-'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411890, 8)== ord('\x06'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411891, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411892, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x411ec0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JBE_2_symbolic(self):
|
|
''' Instruction JBE_2
|
|
Groups: jump
|
|
0x4325e3: jbe 0x4326cf
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x4325e3] = '\x0f'
|
|
mem[0x4325e4] = '\x86'
|
|
mem[0x4325e5] = '\xe6'
|
|
mem[0x4325e6] = '\x00'
|
|
mem[0x4325e7] = '\x00'
|
|
mem[0x4325e8] = '\x00'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x4325e3
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4325e3, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4325e4, 8)== ord('\x86'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4325e5, 8)== ord('\xe6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4325e6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4325e7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4325e8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4325e9)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JBE_3_symbolic(self):
|
|
''' Instruction JBE_3
|
|
Groups: jump
|
|
0x432388: jbe 0x4323aa
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432388] = 'v'
|
|
mem[0x432389] = ' '
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x432388
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432388, 8)== ord('v'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432389, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x43238a)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JBE_4_symbolic(self):
|
|
''' Instruction JBE_4
|
|
Groups: jump
|
|
0x4325e3: jbe 0x4326cf
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x4325e3] = '\x0f'
|
|
mem[0x4325e4] = '\x86'
|
|
mem[0x4325e5] = '\xe6'
|
|
mem[0x4325e6] = '\x00'
|
|
mem[0x4325e7] = '\x00'
|
|
mem[0x4325e8] = '\x00'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x4325e3
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4325e3, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4325e4, 8)== ord('\x86'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4325e5, 8)== ord('\xe6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4325e6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4325e7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4325e8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4325e9)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JBE_5_symbolic(self):
|
|
''' Instruction JBE_5
|
|
Groups: jump
|
|
0x7ffff7df1269: jbe 0x7ffff7df1289
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1269] = 'v'
|
|
mem[0x7ffff7df126a] = '\x1e'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7df1269
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1269, 8)== ord('v'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df126a, 8)== ord('\x1e'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df126b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JBE_6_symbolic(self):
|
|
''' Instruction JBE_6
|
|
Groups: jump
|
|
0x7ffff7acff53: jbe 0x7ffff7ad003f
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7acf000, 0x1000, 'rwx')
|
|
mem[0x7ffff7acff53] = '\x0f'
|
|
mem[0x7ffff7acff54] = '\x86'
|
|
mem[0x7ffff7acff55] = '\xe6'
|
|
mem[0x7ffff7acff56] = '\x00'
|
|
mem[0x7ffff7acff57] = '\x00'
|
|
mem[0x7ffff7acff58] = '\x00'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7acff53
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acff53, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acff54, 8)== ord('\x86'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acff55, 8)== ord('\xe6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acff56, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acff57, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acff58, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7acff59)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JB_1_symbolic(self):
|
|
''' Instruction JB_1
|
|
Groups: jump
|
|
0x7ffff7b58f46: jb 0x7ffff7b58f00
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f46] = 'r'
|
|
mem[0x7ffff7b58f47] = '\xb8'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x7ffff7b58f46
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f46, 8)== ord('r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f47, 8)== ord('\xb8'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f00)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JB_2_symbolic(self):
|
|
''' Instruction JB_2
|
|
Groups: jump
|
|
0x7ffff7b58f46: jb 0x7ffff7b58f00
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f46] = 'r'
|
|
mem[0x7ffff7b58f47] = '\xb8'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7b58f46
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f46, 8)== ord('r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f47, 8)== ord('\xb8'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f48)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JB_3_symbolic(self):
|
|
''' Instruction JB_3
|
|
Groups: jump
|
|
0x400bab: jb 0x400ab4
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x400bab] = '\x0f'
|
|
mem[0x400bac] = '\x82'
|
|
mem[0x400bad] = '\x03'
|
|
mem[0x400bae] = '\xff'
|
|
mem[0x400baf] = '\xff'
|
|
mem[0x400bb0] = '\xff'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x400bab
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x400bab, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400bac, 8)== ord('\x82'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400bad, 8)== ord('\x03'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400bae, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400baf, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400bb0, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x400ab4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JB_4_symbolic(self):
|
|
''' Instruction JB_4
|
|
Groups: jump
|
|
0x7ffff7b58f46: jb 0x7ffff7b58f00
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f46] = 'r'
|
|
mem[0x7ffff7b58f47] = '\xb8'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x7ffff7b58f46
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f46, 8)== ord('r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f47, 8)== ord('\xb8'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f00)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JB_5_symbolic(self):
|
|
''' Instruction JB_5
|
|
Groups: jump
|
|
0x7ffff7ddeff1: jb 0x7ffff7ddefd0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7dde000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddeff1] = 'r'
|
|
mem[0x7ffff7ddeff2] = '\xdd'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x7ffff7ddeff1
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddeff1, 8)== ord('r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddeff2, 8)== ord('\xdd'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddefd0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JB_6_symbolic(self):
|
|
''' Instruction JB_6
|
|
Groups: jump
|
|
0x7ffff7b58f46: jb 0x7ffff7b58f00
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f46] = 'r'
|
|
mem[0x7ffff7b58f47] = '\xb8'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x7ffff7b58f46
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f46, 8)== ord('r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f47, 8)== ord('\xb8'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f00)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JE_1_symbolic(self):
|
|
''' Instruction JE_1
|
|
Groups: jump
|
|
0x7ffff7de3a9d: je 0x7ffff7de3ed1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3aa0] = '\x04'
|
|
mem[0x7ffff7de3aa1] = '\x00'
|
|
mem[0x7ffff7de3aa2] = '\x00'
|
|
mem[0x7ffff7de3a9d] = '\x0f'
|
|
mem[0x7ffff7de3a9e] = '\x84'
|
|
mem[0x7ffff7de3a9f] = '.'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7de3a9d
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3aa0, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3aa1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3aa2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3a9d, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3a9e, 8)== ord('\x84'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3a9f, 8)== ord('.'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3aa3)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JE_2_symbolic(self):
|
|
''' Instruction JE_2
|
|
Groups: jump
|
|
0x7ffff7de61be: je 0x7ffff7de65b8
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de61c0] = '\xf4'
|
|
mem[0x7ffff7de61c1] = '\x03'
|
|
mem[0x7ffff7de61c2] = '\x00'
|
|
mem[0x7ffff7de61c3] = '\x00'
|
|
mem[0x7ffff7de61be] = '\x0f'
|
|
mem[0x7ffff7de61bf] = '\x84'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7de61be
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61c0, 8)== ord('\xf4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61c1, 8)== ord('\x03'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61c2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61c3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61be, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61bf, 8)== ord('\x84'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de61c4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JE_3_symbolic(self):
|
|
''' Instruction JE_3
|
|
Groups: jump
|
|
0x7ffff7de38c6: je 0x7ffff7de3960
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de38c6] = '\x0f'
|
|
mem[0x7ffff7de38c7] = '\x84'
|
|
mem[0x7ffff7de38c8] = '\x94'
|
|
mem[0x7ffff7de38c9] = '\x00'
|
|
mem[0x7ffff7de38ca] = '\x00'
|
|
mem[0x7ffff7de38cb] = '\x00'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7de38c6
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de38c6, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de38c7, 8)== ord('\x84'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de38c8, 8)== ord('\x94'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de38c9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de38ca, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de38cb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de38cc)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JE_4_symbolic(self):
|
|
''' Instruction JE_4
|
|
Groups: jump
|
|
0x7ffff7de440b: je 0x7ffff7de4644
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de440b] = '\x0f'
|
|
mem[0x7ffff7de440c] = '\x84'
|
|
mem[0x7ffff7de440d] = '3'
|
|
mem[0x7ffff7de440e] = '\x02'
|
|
mem[0x7ffff7de440f] = '\x00'
|
|
mem[0x7ffff7de4410] = '\x00'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7de440b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de440b, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de440c, 8)== ord('\x84'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de440d, 8)== ord('3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de440e, 8)== ord('\x02'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de440f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4410, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4411)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JE_5_symbolic(self):
|
|
''' Instruction JE_5
|
|
Groups: jump
|
|
0x7ffff7de6115: je 0x7ffff7de6121
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6115] = 't'
|
|
mem[0x7ffff7de6116] = '\n'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7de6115
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6115, 8)== ord('t'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6116, 8)== ord('\n'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6117)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JE_6_symbolic(self):
|
|
''' Instruction JE_6
|
|
Groups: jump
|
|
0x406e0b: je 0x406dc6
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem[0x406e0b] = 't'
|
|
mem[0x406e0c] = '\xb9'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x406e0b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x406e0b, 8)== ord('t'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406e0c, 8)== ord('\xb9'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x406e0d)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JGE_1_symbolic(self):
|
|
''' Instruction JGE_1
|
|
Groups: jump
|
|
0x7ffff7ab5b02: jge 0x7ffff7ab5be0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab5b02] = '\x0f'
|
|
mem[0x7ffff7ab5b03] = '\x8d'
|
|
mem[0x7ffff7ab5b04] = '\xd8'
|
|
mem[0x7ffff7ab5b05] = '\x00'
|
|
mem[0x7ffff7ab5b06] = '\x00'
|
|
mem[0x7ffff7ab5b07] = '\x00'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x7ffff7ab5b02
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b02, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b03, 8)== ord('\x8d'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b04, 8)== ord('\xd8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b05, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b06, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b07, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab5b08)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JGE_2_symbolic(self):
|
|
''' Instruction JGE_2
|
|
Groups: jump
|
|
0x7ffff7b09879: jge 0x7ffff7b0987f
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b09000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b09879] = '}'
|
|
mem[0x7ffff7b0987a] = '\x04'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x7ffff7b09879
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b09879, 8)== ord('}'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b0987a, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b0987f)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JGE_3_symbolic(self):
|
|
''' Instruction JGE_3
|
|
Groups: jump
|
|
0x7ffff7ab5b02: jge 0x7ffff7ab5be0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab5b02] = '\x0f'
|
|
mem[0x7ffff7ab5b03] = '\x8d'
|
|
mem[0x7ffff7ab5b04] = '\xd8'
|
|
mem[0x7ffff7ab5b05] = '\x00'
|
|
mem[0x7ffff7ab5b06] = '\x00'
|
|
mem[0x7ffff7ab5b07] = '\x00'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x7ffff7ab5b02
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b02, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b03, 8)== ord('\x8d'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b04, 8)== ord('\xd8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b05, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b06, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5b07, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab5b08)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JG_1_symbolic(self):
|
|
''' Instruction JG_1
|
|
Groups: jump
|
|
0x403684: jg 0x40361a
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00403000, 0x1000, 'rwx')
|
|
mem[0x403684] = '\x7f'
|
|
mem[0x403685] = '\x94'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x403684
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x403684, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x403685, 8)== ord('\x94'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40361a)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JG_2_symbolic(self):
|
|
''' Instruction JG_2
|
|
Groups: jump
|
|
0x40c120: jg 0x40c3f0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040c000, 0x1000, 'rwx')
|
|
mem[0x40c120] = '\x0f'
|
|
mem[0x40c121] = '\x8f'
|
|
mem[0x40c122] = '\xca'
|
|
mem[0x40c123] = '\x02'
|
|
mem[0x40c124] = '\x00'
|
|
mem[0x40c125] = '\x00'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x40c120
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x40c120, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40c121, 8)== ord('\x8f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40c122, 8)== ord('\xca'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40c123, 8)== ord('\x02'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40c124, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40c125, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40c126)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JG_3_symbolic(self):
|
|
''' Instruction JG_3
|
|
Groups: jump
|
|
0x7ffff7df1357: jg 0x7ffff7df13a0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1358] = 'G'
|
|
mem[0x7ffff7df1357] = '\x7f'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x7ffff7df1357
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1358, 8)== ord('G'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1357, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1359)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JG_4_symbolic(self):
|
|
''' Instruction JG_4
|
|
Groups: jump
|
|
0x7ffff7ddc9fb: jg 0x7ffff7ddce16
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddca00] = '\x00'
|
|
mem[0x7ffff7ddc9fb] = '\x0f'
|
|
mem[0x7ffff7ddc9fc] = '\x8f'
|
|
mem[0x7ffff7ddc9fd] = '\x15'
|
|
mem[0x7ffff7ddc9fe] = '\x04'
|
|
mem[0x7ffff7ddc9ff] = '\x00'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x7ffff7ddc9fb
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddca00, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fb, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fc, 8)== ord('\x8f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fd, 8)== ord('\x15'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fe, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9ff, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddce16)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JG_5_symbolic(self):
|
|
''' Instruction JG_5
|
|
Groups: jump
|
|
0x7ffff7ddc9fb: jg 0x7ffff7ddce16
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddca00] = '\x00'
|
|
mem[0x7ffff7ddc9fb] = '\x0f'
|
|
mem[0x7ffff7ddc9fc] = '\x8f'
|
|
mem[0x7ffff7ddc9fd] = '\x15'
|
|
mem[0x7ffff7ddc9fe] = '\x04'
|
|
mem[0x7ffff7ddc9ff] = '\x00'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x7ffff7ddc9fb
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddca00, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fb, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fc, 8)== ord('\x8f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fd, 8)== ord('\x15'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9fe, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc9ff, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddce16)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JG_6_symbolic(self):
|
|
''' Instruction JG_6
|
|
Groups: jump
|
|
0x40c2e4: jg 0x40c250
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040c000, 0x1000, 'rwx')
|
|
mem[0x40c2e4] = '\x0f'
|
|
mem[0x40c2e5] = '\x8f'
|
|
mem[0x40c2e6] = 'f'
|
|
mem[0x40c2e7] = '\xff'
|
|
mem[0x40c2e8] = '\xff'
|
|
mem[0x40c2e9] = '\xff'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x40c2e4
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x40c2e4, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40c2e5, 8)== ord('\x8f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40c2e6, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40c2e7, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40c2e8, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40c2e9, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40c2ea)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JLE_1_symbolic(self):
|
|
''' Instruction JLE_1
|
|
Groups: jump
|
|
0x400b2b: jle 0x400b01
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x400b2b] = '~'
|
|
mem[0x400b2c] = '\xd4'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x400b2b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x400b2b, 8)== ord('~'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400b2c, 8)== ord('\xd4'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x400b01)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JLE_2_symbolic(self):
|
|
''' Instruction JLE_2
|
|
Groups: jump
|
|
0x7ffff7a4e1cb: jle 0x7ffff7a4e429
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4e1cb] = '\x0f'
|
|
mem[0x7ffff7a4e1cc] = '\x8e'
|
|
mem[0x7ffff7a4e1cd] = 'X'
|
|
mem[0x7ffff7a4e1ce] = '\x02'
|
|
mem[0x7ffff7a4e1cf] = '\x00'
|
|
mem[0x7ffff7a4e1d0] = '\x00'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x7ffff7a4e1cb
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e1cb, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e1cc, 8)== ord('\x8e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e1cd, 8)== ord('X'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e1ce, 8)== ord('\x02'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e1cf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4e1d0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4e1d1)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JLE_3_symbolic(self):
|
|
''' Instruction JLE_3
|
|
Groups: jump
|
|
0x437c08: jle 0x437c1f
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00437000, 0x1000, 'rwx')
|
|
mem[0x437c08] = '~'
|
|
mem[0x437c09] = '\x15'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x437c08
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x437c08, 8)== ord('~'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x437c09, 8)== ord('\x15'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x437c0a)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JLE_4_symbolic(self):
|
|
''' Instruction JLE_4
|
|
Groups: jump
|
|
0x7ffff7de4486: jle 0x7ffff7de4430
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4486] = '~'
|
|
mem[0x7ffff7de4487] = '\xa8'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x7ffff7de4486
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4486, 8)== ord('~'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4487, 8)== ord('\xa8'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4488)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JLE_5_symbolic(self):
|
|
''' Instruction JLE_5
|
|
Groups: jump
|
|
0x7ffff7de4486: jle 0x7ffff7de4430
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4486] = '~'
|
|
mem[0x7ffff7de4487] = '\xa8'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x7ffff7de4486
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4486, 8)== ord('~'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4487, 8)== ord('\xa8'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4488)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JLE_6_symbolic(self):
|
|
''' Instruction JLE_6
|
|
Groups: jump
|
|
0x7ffff7de4486: jle 0x7ffff7de4430
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4486] = '~'
|
|
mem[0x7ffff7de4487] = '\xa8'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x7ffff7de4486
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4486, 8)== ord('~'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4487, 8)== ord('\xa8'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4488)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JL_1_symbolic(self):
|
|
''' Instruction JL_1
|
|
Groups: jump
|
|
0x555555556f00: jl 0x555555556ee2
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem[0x555555556f00] = '|'
|
|
mem[0x555555556f01] = '\xe0'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x555555556f00
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556f00, 8)== ord('|'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556f01, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555556ee2)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JL_2_symbolic(self):
|
|
''' Instruction JL_2
|
|
Groups: jump
|
|
0x555555556f00: jl 0x555555556ee2
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem[0x555555556f00] = '|'
|
|
mem[0x555555556f01] = '\xe0'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x555555556f00
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556f00, 8)== ord('|'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556f01, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555556f02)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JL_3_symbolic(self):
|
|
''' Instruction JL_3
|
|
Groups: jump
|
|
0x555555556f00: jl 0x555555556ee2
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem[0x555555556f00] = '|'
|
|
mem[0x555555556f01] = '\xe0'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x555555556f00
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556f00, 8)== ord('|'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556f01, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555556ee2)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JMP_1_symbolic(self):
|
|
''' Instruction JMP_1
|
|
Groups: jump
|
|
0x7ffff7de4279: jmp 0x7ffff7de3a98
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4279] = '\xe9'
|
|
mem[0x7ffff7de427a] = '\x1a'
|
|
mem[0x7ffff7de427b] = '\xf8'
|
|
mem[0x7ffff7de427c] = '\xff'
|
|
mem[0x7ffff7de427d] = '\xff'
|
|
cpu.RIP = 0x7ffff7de4279
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4279, 8)== ord('\xe9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de427a, 8)== ord('\x1a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de427b, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de427c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de427d, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3a98)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JMP_2_symbolic(self):
|
|
''' Instruction JMP_2
|
|
Groups: jump
|
|
0x7ffff7b58ee7: jmp 0x7ffff7b58f10
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58ee8] = "'"
|
|
mem[0x7ffff7b58ee7] = '\xeb'
|
|
cpu.RIP = 0x7ffff7b58ee7
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee8, 8)== ord("'"))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee7, 8)== ord('\xeb'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f10)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JMP_3_symbolic(self):
|
|
''' Instruction JMP_3
|
|
Groups: jump
|
|
0x7ffff7df28e1: jmp 0x7ffff7ddaa00
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df28e1] = '\xe9'
|
|
mem[0x7ffff7df28e2] = '\x1a'
|
|
mem[0x7ffff7df28e3] = '\x81'
|
|
mem[0x7ffff7df28e4] = '\xfe'
|
|
mem[0x7ffff7df28e5] = '\xff'
|
|
cpu.RIP = 0x7ffff7df28e1
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df28e1, 8)== ord('\xe9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df28e2, 8)== ord('\x1a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df28e3, 8)== ord('\x81'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df28e4, 8)== ord('\xfe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df28e5, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddaa00)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JMP_4_symbolic(self):
|
|
''' Instruction JMP_4
|
|
Groups: mode64, jump
|
|
0x7ffff7de62ee: jmp rdx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de62ee] = '\xff'
|
|
mem[0x7ffff7de62ef] = '\xe2'
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x7ffff7de63b8)
|
|
cpu.RIP = 0x7ffff7de62ee
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de62ee, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de62ef, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.RDX == 0x7ffff7de63b8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de63b8)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JMP_5_symbolic(self):
|
|
''' Instruction JMP_5
|
|
Groups: jump
|
|
0x7ffff7de4042: jmp 0x7ffff7de4054
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4042] = '\xeb'
|
|
mem[0x7ffff7de4043] = '\x10'
|
|
cpu.RIP = 0x7ffff7de4042
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4042, 8)== ord('\xeb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4043, 8)== ord('\x10'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4054)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JMP_6_symbolic(self):
|
|
''' Instruction JMP_6
|
|
Groups: jump
|
|
0x7ffff7b58ee7: jmp 0x7ffff7b58f10
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58ee8] = "'"
|
|
mem[0x7ffff7b58ee7] = '\xeb'
|
|
cpu.RIP = 0x7ffff7b58ee7
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee8, 8)== ord("'"))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee7, 8)== ord('\xeb'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f10)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JNE_1_symbolic(self):
|
|
''' Instruction JNE_1
|
|
Groups: jump
|
|
0x7ffff7df459e: jne 0x7ffff7df4590
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df459e] = 'u'
|
|
mem[0x7ffff7df459f] = '\xf0'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7df459e
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459e, 8)== ord('u'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459f, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4590)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JNE_2_symbolic(self):
|
|
''' Instruction JNE_2
|
|
Groups: jump
|
|
0x7ffff7de5a4b: jne 0x7ffff7de5a40
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5a4b] = 'u'
|
|
mem[0x7ffff7de5a4c] = '\xf3'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7de5a4b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5a4b, 8)== ord('u'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5a4c, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de5a40)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JNE_3_symbolic(self):
|
|
''' Instruction JNE_3
|
|
Groups: jump
|
|
0x7ffff7de611b: jne 0x7ffff7de73ad
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6120] = '\x00'
|
|
mem[0x7ffff7de611b] = '\x0f'
|
|
mem[0x7ffff7de611c] = '\x85'
|
|
mem[0x7ffff7de611d] = '\x8c'
|
|
mem[0x7ffff7de611e] = '\x12'
|
|
mem[0x7ffff7de611f] = '\x00'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RIP = 0x7ffff7de611b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6120, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de611b, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de611c, 8)== ord('\x85'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de611d, 8)== ord('\x8c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de611e, 8)== ord('\x12'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de611f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6121)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JNE_4_symbolic(self):
|
|
''' Instruction JNE_4
|
|
Groups: jump
|
|
0x7ffff7aab197: jne 0x7ffff7aab188
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7aab000, 0x1000, 'rwx')
|
|
mem[0x7ffff7aab198] = '\xef'
|
|
mem[0x7ffff7aab197] = 'u'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7aab197
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aab198, 8)== ord('\xef'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7aab197, 8)== ord('u'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7aab188)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JNE_5_symbolic(self):
|
|
''' Instruction JNE_5
|
|
Groups: jump
|
|
0x7ffff7df4594: jne 0x7ffff7df45a3
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4594] = 'u'
|
|
mem[0x7ffff7df4595] = '\r'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RIP = 0x7ffff7df4594
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4594, 8)== ord('u'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4595, 8)== ord('\r'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4596)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JNE_6_symbolic(self):
|
|
''' Instruction JNE_6
|
|
Groups: jump
|
|
0x7ffff7df459e: jne 0x7ffff7df4590
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df459e] = 'u'
|
|
mem[0x7ffff7df459f] = '\xf0'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7df459e
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459e, 8)== ord('u'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459f, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4590)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JNS_1_symbolic(self):
|
|
''' Instruction JNS_1
|
|
Groups: jump
|
|
0x7ffff7df138f: jns 0x7ffff7df1350
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1390] = '\xbf'
|
|
mem[0x7ffff7df138f] = 'y'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x7ffff7df138f
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1390, 8)== ord('\xbf'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df138f, 8)== ord('y'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1391)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JNS_2_symbolic(self):
|
|
''' Instruction JNS_2
|
|
Groups: jump
|
|
0x555555565fb2: jns 0x5555555659ec
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555565000, 0x1000, 'rwx')
|
|
mem[0x555555565fb2] = '\x0f'
|
|
mem[0x555555565fb3] = '\x89'
|
|
mem[0x555555565fb4] = '4'
|
|
mem[0x555555565fb5] = '\xfa'
|
|
mem[0x555555565fb6] = '\xff'
|
|
mem[0x555555565fb7] = '\xff'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x555555565fb2
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565fb2, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565fb3, 8)== ord('\x89'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565fb4, 8)== ord('4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565fb5, 8)== ord('\xfa'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565fb6, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565fb7, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5555555659ec)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JNS_3_symbolic(self):
|
|
''' Instruction JNS_3
|
|
Groups: jump
|
|
0x7ffff7df138f: jns 0x7ffff7df1350
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1390] = '\xbf'
|
|
mem[0x7ffff7df138f] = 'y'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x7ffff7df138f
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1390, 8)== ord('\xbf'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df138f, 8)== ord('y'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1391)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JNS_4_symbolic(self):
|
|
''' Instruction JNS_4
|
|
Groups: jump
|
|
0x7ffff7df138f: jns 0x7ffff7df1350
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1390] = '\xbf'
|
|
mem[0x7ffff7df138f] = 'y'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x7ffff7df138f
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1390, 8)== ord('\xbf'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df138f, 8)== ord('y'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1350)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JNS_5_symbolic(self):
|
|
''' Instruction JNS_5
|
|
Groups: jump
|
|
0x7ffff7df138f: jns 0x7ffff7df1350
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1390] = '\xbf'
|
|
mem[0x7ffff7df138f] = 'y'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x7ffff7df138f
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1390, 8)== ord('\xbf'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df138f, 8)== ord('y'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1391)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JNS_6_symbolic(self):
|
|
''' Instruction JNS_6
|
|
Groups: jump
|
|
0x7ffff7df138f: jns 0x7ffff7df1350
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1390] = '\xbf'
|
|
mem[0x7ffff7df138f] = 'y'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x7ffff7df138f
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1390, 8)== ord('\xbf'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df138f, 8)== ord('y'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1350)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JS_1_symbolic(self):
|
|
''' Instruction JS_1
|
|
Groups: jump
|
|
0x4326b2: js 0x4328fb
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x4326b2] = '\x0f'
|
|
mem[0x4326b3] = '\x88'
|
|
mem[0x4326b4] = 'C'
|
|
mem[0x4326b5] = '\x02'
|
|
mem[0x4326b6] = '\x00'
|
|
mem[0x4326b7] = '\x00'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x4326b2
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4326b2, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4326b3, 8)== ord('\x88'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4326b4, 8)== ord('C'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4326b5, 8)== ord('\x02'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4326b6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4326b7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4326b8)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JS_2_symbolic(self):
|
|
''' Instruction JS_2
|
|
Groups: jump
|
|
0x4322d2: js 0x43251b
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x4322d2] = '\x0f'
|
|
mem[0x4322d3] = '\x88'
|
|
mem[0x4322d4] = 'C'
|
|
mem[0x4322d5] = '\x02'
|
|
mem[0x4322d6] = '\x00'
|
|
mem[0x4322d7] = '\x00'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x4322d2
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322d2, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322d3, 8)== ord('\x88'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322d4, 8)== ord('C'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322d5, 8)== ord('\x02'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322d6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322d7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4322d8)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JS_3_symbolic(self):
|
|
''' Instruction JS_3
|
|
Groups: jump
|
|
0x555555565075: js 0x555555566260
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555565000, 0x1000, 'rwx')
|
|
mem[0x555555565075] = '\x0f'
|
|
mem[0x555555565076] = '\x88'
|
|
mem[0x555555565077] = '\xe5'
|
|
mem[0x555555565078] = '\x11'
|
|
mem[0x555555565079] = '\x00'
|
|
mem[0x55555556507a] = '\x00'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x555555565075
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565075, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565076, 8)== ord('\x88'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565077, 8)== ord('\xe5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565078, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565079, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556507a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x55555556507b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JS_4_symbolic(self):
|
|
''' Instruction JS_4
|
|
Groups: jump
|
|
0x40dd40: js 0x40dd4c
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040d000, 0x1000, 'rwx')
|
|
mem[0x40dd40] = 'x'
|
|
mem[0x40dd41] = '\n'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x40dd40
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x40dd40, 8)== ord('x'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40dd41, 8)== ord('\n'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40dd4c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JS_5_symbolic(self):
|
|
''' Instruction JS_5
|
|
Groups: jump
|
|
0x555555559cb6: js 0x555555559ccf
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555559000, 0x1000, 'rwx')
|
|
mem[0x555555559cb6] = 'x'
|
|
mem[0x555555559cb7] = '\x17'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x555555559cb6
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555559cb6, 8)== ord('x'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555559cb7, 8)== ord('\x17'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555559ccf)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_JS_6_symbolic(self):
|
|
''' Instruction JS_6
|
|
Groups: jump
|
|
0x5555555673d5: js 0x555555567450
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555567000, 0x1000, 'rwx')
|
|
mem[0x5555555673d5] = 'x'
|
|
mem[0x5555555673d6] = 'y'
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x5555555673d5
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555673d5, 8)== ord('x'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555673d6, 8)== ord('y'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5555555673d7)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_LEAVE_1_symbolic(self):
|
|
''' Instruction LEAVE_1
|
|
Groups: mode64
|
|
0x7ffff7b30c15: leave
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b30000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b30c15] = '\xc9'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda98)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xd0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda99)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xda)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda9a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda9b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda9c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda9d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda9e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda9f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaa0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaa1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xda)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaa2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaa3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaa4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaa5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaa6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaa7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaa8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x48)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaa9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xe1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaaa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaab)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaac)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaad)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaae)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaaf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdab0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xc0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdab1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xda)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdab2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdab3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdab4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdab5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdab6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdab7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdab8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xb3)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffdaa0)
|
|
cpu.RIP = 0x7ffff7b30c15
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffdab0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b30c15, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda98, 8)== ord('\xd0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda99, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9a, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9b, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa0, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa1, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa8, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa9, 8)== ord('\xe1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaaa, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaab, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaac, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaad, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaae, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaaf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab0, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab1, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdab8, 8)== ord('\xb3'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffdab8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b30c16)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdac0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_LEAVE_2_symbolic(self):
|
|
''' Instruction LEAVE_2
|
|
Groups: mode64
|
|
0x4176f4: leave
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00417000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcad8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcad9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x76)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcada)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcadb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcadc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcadd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcade)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcadf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcae0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcae1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcae2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcae3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcae4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcae5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcae6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcae7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcae8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcae9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaea)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaeb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaec)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaed)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaee)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaef)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaf0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaf1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xdb)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaf2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaf3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaf4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaf5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaf6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaf7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcaf8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x2b)
|
|
mem[addr] = value
|
|
mem[0x4176f4] = '\xc9'
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffcae0)
|
|
cpu.RIP = 0x4176f4
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffcaf0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcad8, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcad9, 8)== ord('v'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcada, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcadb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcadc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcadd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcade, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcadf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae0, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae8, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcae9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaea, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaeb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaec, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaed, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaee, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaef, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf0, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf1, 8)== ord('\xdb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4176f4, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf8, 8)== ord('+'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcaf4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffcaf8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4176f5)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdb20)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_LEAVE_3_symbolic(self):
|
|
''' Instruction LEAVE_3
|
|
Groups: mode64
|
|
0x7ffff7b59b18: leave
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b59000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda08)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xd0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda09)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xd4)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda0a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xa4)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda0b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda0c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda0d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda0e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda0f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda10)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda11)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xda)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda12)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda13)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda14)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda15)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda16)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda17)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7b59b18] = '\xc9'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9d9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9da)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9db)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9dc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9dd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9de)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9df)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9e0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9e1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9e2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9e3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9d8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9e5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda18)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x27)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9e7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9e8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9e6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9e4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd9e0)
|
|
cpu.RIP = 0x7ffff7b59b18
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffda10)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda08, 8)== ord('\xd0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda09, 8)== ord('\xd4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0a, 8)== ord('\xa4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0b, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda10, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda11, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda12, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda13, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda14, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda15, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda16, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda17, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b59b18, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9d9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9da, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9db, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9dc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9dd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9de, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9df, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9d8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda18, 8)== ord("'"))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e8, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9e4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffda18)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b59b19)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffda40)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_LEAVE_4_symbolic(self):
|
|
''' Instruction LEAVE_4
|
|
Groups: mode64
|
|
0x7ffff7b59b18: leave
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7b59000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb98)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb71)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xdc)
|
|
mem[addr] = value
|
|
mem[0x7ffff7b59b18] = '\xc9'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb99)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb9a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb9b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb9c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb9d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb9e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb9f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xdb)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x3a)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb69)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb6a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb6b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb6c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb6d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb6e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb6f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb70)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xb8)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb68)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb72)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb73)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb74)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb75)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb76)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb77)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb78)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x50)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffdb70)
|
|
cpu.RIP = 0x7ffff7b59b18
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffdba0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b59b18, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb71, 8)== ord('\xdc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb98, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb99, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba0, 8)== ord('\xf0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba1, 8)== ord('\xdb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba8, 8)== ord(':'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb69, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb70, 8)== ord('\xb8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb68, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb72, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb73, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb74, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb75, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb76, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb77, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb78, 8)== ord('P'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffdba8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b59b19)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdbf0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_LEAVE_5_symbolic(self):
|
|
''' Instruction LEAVE_5
|
|
Groups: mode64
|
|
0x7ffff7ae0541: leave
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ae0000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ae0541] = '\xc9'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd988)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x37)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd989)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd98a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xae)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd98b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd98c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd98d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd98e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd98f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd990)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xa8)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd991)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xa)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd992)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xba)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd993)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd994)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd995)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd996)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd997)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd998)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf6)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9a8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xe0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9a9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xda)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9aa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9ab)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9ac)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9ad)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9ae)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9af)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9b0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xe0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9b1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xda)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9b2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9b3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9b4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9b5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9b6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9b7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9b8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf8)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd990)
|
|
cpu.RIP = 0x7ffff7ae0541
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffd9b0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ae0541, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd988, 8)== ord('7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd989, 8)== ord('\x05'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd98a, 8)== ord('\xae'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd98b, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd98c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd98d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd98e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd98f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd990, 8)== ord('\xa8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd991, 8)== ord('\n'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd992, 8)== ord('\xba'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd993, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd994, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd995, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd996, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd997, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd998, 8)== ord('\xf6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a8, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9a9, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9aa, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9ab, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9ac, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9ad, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9ae, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9af, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b0, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b1, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9b8, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd9b8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ae0542)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdae0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_LEAVE_6_symbolic(self):
|
|
''' Instruction LEAVE_6
|
|
Groups: mode64
|
|
0x7ffff7a626cd: leave
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a62000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda6c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda6b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda68)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7a626cd] = '\xc9'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda6d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda6e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda6f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda60)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda61)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda62)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda63)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda64)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda65)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda66)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda67)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb28)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb29)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb2a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb2b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb2c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb2d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb2e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb2f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb30)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x30)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb31)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xdc)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb32)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb33)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb34)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb35)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb36)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb37)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb38)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x78)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda70)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda69)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda6a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffda68)
|
|
cpu.RIP = 0x7ffff7a626cd
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffdb30)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda6c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda6b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda68, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a626cd, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda6d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda6e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda6f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda60, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda61, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda62, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda63, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda64, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda65, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda66, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda67, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb28, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb29, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb30, 8)== ord('0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb31, 8)== ord('\xdc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb32, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb33, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb34, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb35, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb36, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb37, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb38, 8)== ord('x'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda70, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda69, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda6a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffdb38)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a626ce)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdc30)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_LEA_1_symbolic(self):
|
|
''' Instruction LEA_1
|
|
Groups:
|
|
0x7ffff7de44f3: lea rsp, qword ptr [rbp - 0x28]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de44f3] = 'H'
|
|
mem[0x7ffff7de44f4] = '\x8d'
|
|
mem[0x7ffff7de44f5] = 'e'
|
|
mem[0x7ffff7de44f6] = '\xd8'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd978)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xc8)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd979)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xcd)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd97a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xa4)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd97b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd97c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd97d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd97e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd97f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd8b0)
|
|
cpu.RIP = 0x7ffff7de44f3
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffd9a0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de44f3, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de44f4, 8)== ord('\x8d'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de44f5, 8)== ord('e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de44f6, 8)== ord('\xd8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd978, 8)== ord('\xc8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd979, 8)== ord('\xcd'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd97a, 8)== ord('\xa4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd97b, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd97c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd97d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd97e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd97f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd978)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de44f7)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd9a0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_LEA_2_symbolic(self):
|
|
''' Instruction LEA_2
|
|
Groups:
|
|
0x7ffff7b58ee3: lea r8, qword ptr [r8 + rdx*4]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a2f000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a2fde3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xb2)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a2fde4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x34)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a2fde5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xd5)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a2fde0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x78)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a2fde1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x29)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a2fde2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xce)
|
|
mem[addr] = value
|
|
mem[0x7ffff7b58ee3] = 'M'
|
|
mem[0x7ffff7b58ee4] = '\x8d'
|
|
mem[0x7ffff7b58ee5] = '\x04'
|
|
mem[0x7ffff7b58ee6] = '\x90'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a2fde7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x50)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a2fde6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x92)
|
|
mem[addr] = value
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x7ffff7a2fa7c)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0xd9)
|
|
cpu.RIP = 0x7ffff7b58ee3
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde3, 8)== ord('\xb2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde4, 8)== ord('4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde5, 8)== ord('\xd5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde0, 8)== ord('x'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde1, 8)== ord(')'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde2, 8)== ord('\xce'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee3, 8)== ord('M'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee4, 8)== ord('\x8d'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee5, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58ee6, 8)== ord('\x90'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde7, 8)== ord('P'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a2fde6, 8)== ord('\x92'))
|
|
condition = Operators.AND(condition, cpu.R8 == 0x7ffff7a2fde0)
|
|
condition = Operators.AND(condition, cpu.RDX == 0xd9)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58ee7)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_LEA_3_symbolic(self):
|
|
''' Instruction LEA_3
|
|
Groups:
|
|
0x7ffff7de3841: lea rsi, qword ptr [rbp - 0x3c]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3841] = 'H'
|
|
mem[0x7ffff7de3842] = '\x8d'
|
|
mem[0x7ffff7de3843] = 'u'
|
|
mem[0x7ffff7de3844] = '\xc4'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd8c5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd8c6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd8c7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd8c8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd8c9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd8ca)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd8cb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd8c4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0xbdd69f1b)
|
|
cpu.RIP = 0x7ffff7de3841
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffd900)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3841, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3842, 8)== ord('\x8d'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3843, 8)== ord('u'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3844, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8c5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8c6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8c7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8c8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8c9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8ca, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8cb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd8c4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffd8c4)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3845)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd900)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_LEA_4_symbolic(self):
|
|
''' Instruction LEA_4
|
|
Groups:
|
|
0x7ffff7b58f14: lea rdx, qword ptr [rbx + rdx*8]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a34000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f14] = 'H'
|
|
mem[0x7ffff7b58f15] = '\x8d'
|
|
mem[0x7ffff7b58f16] = '\x14'
|
|
mem[0x7ffff7b58f17] = '\xd3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a34270)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xb5)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a34271)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x2a)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a34272)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a34273)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a34274)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1a)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a34275)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a34276)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xb)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a34277)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x4a1)
|
|
cpu.RIP = 0x7ffff7b58f14
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x7ffff7a31d68)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f14, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f15, 8)== ord('\x8d'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f16, 8)== ord('\x14'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f17, 8)== ord('\xd3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34270, 8)== ord('\xb5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34271, 8)== ord('*'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34272, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34273, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34274, 8)== ord('\x1a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34275, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34276, 8)== ord('\x0b'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a34277, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RDX == 0x7ffff7a34270)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f18)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x7ffff7a31d68)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_LEA_5_symbolic(self):
|
|
''' Instruction LEA_5
|
|
Groups:
|
|
0x7ffff7a652b7: lea rsi, qword ptr [rip + 0x36e35a]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a65000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7dd3000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd3618)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd3619)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4d)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd361a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xdd)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd361b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd361c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd361d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd361e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7dd361f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7a652b7] = 'H'
|
|
mem[0x7ffff7a652b8] = '\x8d'
|
|
mem[0x7ffff7a652b9] = '5'
|
|
mem[0x7ffff7a652ba] = 'Z'
|
|
mem[0x7ffff7a652bb] = '\xe3'
|
|
mem[0x7ffff7a652bc] = '6'
|
|
mem[0x7ffff7a652bd] = '\x00'
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x555555554a00)
|
|
cpu.RIP = 0x7ffff7a652b7
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd3618, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd3619, 8)== ord('M'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd361a, 8)== ord('\xdd'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd361b, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd361c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd361d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd361e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dd361f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a652b7, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a652b8, 8)== ord('\x8d'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a652b9, 8)== ord('5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a652ba, 8)== ord('Z'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a652bb, 8)== ord('\xe3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a652bc, 8)== ord('6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a652bd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7ffff7dd3618)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a652be)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_LEA_6_symbolic(self):
|
|
''' Instruction LEA_6
|
|
Groups:
|
|
0x7ffff7de4418: lea rdi, qword ptr [rbp - 0xa0]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd910)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd911)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd912)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd913)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd914)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd915)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd916)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd917)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de4418] = 'H'
|
|
mem[0x7ffff7de4419] = '\x8d'
|
|
mem[0x7ffff7de441a] = '\xbd'
|
|
mem[0x7ffff7de441b] = '`'
|
|
mem[0x7ffff7de441c] = '\xff'
|
|
mem[0x7ffff7de441d] = '\xff'
|
|
mem[0x7ffff7de441e] = '\xff'
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x555555554548)
|
|
cpu.RIP = 0x7ffff7de4418
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffd9b0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd910, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd911, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd912, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd913, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd914, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd915, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd916, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd917, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4418, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4419, 8)== ord('\x8d'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de441a, 8)== ord('\xbd'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de441b, 8)== ord('`'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de441c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de441d, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de441e, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffd910)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de441f)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd9b0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVABS_1_symbolic(self):
|
|
''' Instruction MOVABS_1
|
|
Groups:
|
|
0x7ffff7ddc5df: movabs r8, 0x37ffff1a0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddc5e0] = '\xb8'
|
|
mem[0x7ffff7ddc5e1] = '\xa0'
|
|
mem[0x7ffff7ddc5e2] = '\xf1'
|
|
mem[0x7ffff7ddc5e3] = '\xff'
|
|
mem[0x7ffff7ddc5e4] = '\x7f'
|
|
mem[0x7ffff7ddc5e5] = '\x03'
|
|
mem[0x7ffff7ddc5e6] = '\x00'
|
|
mem[0x7ffff7ddc5e7] = '\x00'
|
|
mem[0x7ffff7ddc5e8] = '\x00'
|
|
mem[0x7ffff7ddc5df] = 'I'
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x0)
|
|
cpu.RIP = 0x7ffff7ddc5df
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e0, 8)== ord('\xb8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e1, 8)== ord('\xa0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e2, 8)== ord('\xf1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e4, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e5, 8)== ord('\x03'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5df, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.R8 == 0x37ffff1a0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddc5e9)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVABS_2_symbolic(self):
|
|
''' Instruction MOVABS_2
|
|
Groups:
|
|
0x7ffff7ddc5df: movabs r8, 0x37ffff1a0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddc5e0] = '\xb8'
|
|
mem[0x7ffff7ddc5e1] = '\xa0'
|
|
mem[0x7ffff7ddc5e2] = '\xf1'
|
|
mem[0x7ffff7ddc5e3] = '\xff'
|
|
mem[0x7ffff7ddc5e4] = '\x7f'
|
|
mem[0x7ffff7ddc5e5] = '\x03'
|
|
mem[0x7ffff7ddc5e6] = '\x00'
|
|
mem[0x7ffff7ddc5e7] = '\x00'
|
|
mem[0x7ffff7ddc5e8] = '\x00'
|
|
mem[0x7ffff7ddc5df] = 'I'
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x0)
|
|
cpu.RIP = 0x7ffff7ddc5df
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e0, 8)== ord('\xb8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e1, 8)== ord('\xa0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e2, 8)== ord('\xf1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e4, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e5, 8)== ord('\x03'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5df, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.R8 == 0x37ffff1a0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddc5e9)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVABS_3_symbolic(self):
|
|
''' Instruction MOVABS_3
|
|
Groups:
|
|
0x7ffff7df1435: movabs rcx, -0x8000000000000000
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1435] = 'H'
|
|
mem[0x7ffff7df1436] = '\xb9'
|
|
mem[0x7ffff7df1437] = '\x00'
|
|
mem[0x7ffff7df1438] = '\x00'
|
|
mem[0x7ffff7df1439] = '\x00'
|
|
mem[0x7ffff7df143a] = '\x00'
|
|
mem[0x7ffff7df143b] = '\x00'
|
|
mem[0x7ffff7df143c] = '\x00'
|
|
mem[0x7ffff7df143d] = '\x00'
|
|
mem[0x7ffff7df143e] = '\x80'
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x31)
|
|
cpu.RIP = 0x7ffff7df1435
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1435, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1436, 8)== ord('\xb9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1437, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1438, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1439, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df143a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df143b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df143c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df143d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df143e, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x8000000000000000)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df143f)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVABS_4_symbolic(self):
|
|
''' Instruction MOVABS_4
|
|
Groups:
|
|
0x45f853: movabs rdx, -0x3333333333333333
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0045f000, 0x1000, 'rwx')
|
|
mem[0x45f853] = 'H'
|
|
mem[0x45f854] = '\xba'
|
|
mem[0x45f855] = '\xcd'
|
|
mem[0x45f856] = '\xcc'
|
|
mem[0x45f857] = '\xcc'
|
|
mem[0x45f858] = '\xcc'
|
|
mem[0x45f859] = '\xcc'
|
|
mem[0x45f85a] = '\xcc'
|
|
mem[0x45f85b] = '\xcc'
|
|
mem[0x45f85c] = '\xcc'
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x6bf710)
|
|
cpu.RIP = 0x45f853
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f853, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f854, 8)== ord('\xba'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f855, 8)== ord('\xcd'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f856, 8)== ord('\xcc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f857, 8)== ord('\xcc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f858, 8)== ord('\xcc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f859, 8)== ord('\xcc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f85a, 8)== ord('\xcc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f85b, 8)== ord('\xcc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f85c, 8)== ord('\xcc'))
|
|
condition = Operators.AND(condition, cpu.RDX == 0xcccccccccccccccd)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x45f85d)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVABS_5_symbolic(self):
|
|
''' Instruction MOVABS_5
|
|
Groups:
|
|
0x7ffff7df4630: movabs r8, -0x101010101010101
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4630] = 'I'
|
|
mem[0x7ffff7df4631] = '\xb8'
|
|
mem[0x7ffff7df4632] = '\xff'
|
|
mem[0x7ffff7df4633] = '\xfe'
|
|
mem[0x7ffff7df4634] = '\xfe'
|
|
mem[0x7ffff7df4635] = '\xfe'
|
|
mem[0x7ffff7df4636] = '\xfe'
|
|
mem[0x7ffff7df4637] = '\xfe'
|
|
mem[0x7ffff7df4638] = '\xfe'
|
|
mem[0x7ffff7df4639] = '\xfe'
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x7ffff7fdd5a0)
|
|
cpu.RIP = 0x7ffff7df4630
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4630, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4631, 8)== ord('\xb8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4632, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4633, 8)== ord('\xfe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4634, 8)== ord('\xfe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4635, 8)== ord('\xfe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4636, 8)== ord('\xfe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4637, 8)== ord('\xfe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4638, 8)== ord('\xfe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4639, 8)== ord('\xfe'))
|
|
condition = Operators.AND(condition, cpu.R8 == 0xfefefefefefefeff)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df463a)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVABS_6_symbolic(self):
|
|
''' Instruction MOVABS_6
|
|
Groups:
|
|
0x7ffff7ddc5df: movabs r8, 0x37ffff1a0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddc5e0] = '\xb8'
|
|
mem[0x7ffff7ddc5e1] = '\xa0'
|
|
mem[0x7ffff7ddc5e2] = '\xf1'
|
|
mem[0x7ffff7ddc5e3] = '\xff'
|
|
mem[0x7ffff7ddc5e4] = '\x7f'
|
|
mem[0x7ffff7ddc5e5] = '\x03'
|
|
mem[0x7ffff7ddc5e6] = '\x00'
|
|
mem[0x7ffff7ddc5e7] = '\x00'
|
|
mem[0x7ffff7ddc5e8] = '\x00'
|
|
mem[0x7ffff7ddc5df] = 'I'
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x0)
|
|
cpu.RIP = 0x7ffff7ddc5df
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e0, 8)== ord('\xb8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e1, 8)== ord('\xa0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e2, 8)== ord('\xf1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e4, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e5, 8)== ord('\x03'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5e8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc5df, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.R8 == 0x37ffff1a0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddc5e9)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVDQA_1_symbolic(self):
|
|
''' Instruction MOVDQA_1
|
|
Groups: sse2
|
|
0x7ffff7ac0b0b: movdqa xmm4, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0b0b] = 'f'
|
|
mem[0x7ffff7ac0b0c] = '\x0f'
|
|
mem[0x7ffff7ac0b0d] = 'o'
|
|
mem[0x7ffff7ac0b0e] = '\xe0'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x616572635f706374746e6c63000a7325)
|
|
cpu.RIP = 0x7ffff7ac0b0b
|
|
cpu.XMM4 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM4 == 0xff0000000000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0b, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0c, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0d, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0e, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x616572635f706374746e6c63000a7325)
|
|
condition = Operators.AND(condition, cpu.XMM4 == 0x616572635f706374746e6c63000a7325)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0b0f)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVDQA_2_symbolic(self):
|
|
''' Instruction MOVDQA_2
|
|
Groups: sse2
|
|
0x457d38: movdqa xmm0, xmm2
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457d38] = 'f'
|
|
mem[0x457d39] = '\x0f'
|
|
mem[0x457d3a] = 'o'
|
|
mem[0x457d3b] = '\xc2'
|
|
cpu.XMM2 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM2 == 0x414d00323d524e54565f474458003267)
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0xff0000)
|
|
cpu.RIP = 0x457d38
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457d38, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457d39, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457d3a, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457d3b, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.XMM2 == 0x414d00323d524e54565f474458003267)
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x414d00323d524e54565f474458003267)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457d3c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVDQA_3_symbolic(self):
|
|
''' Instruction MOVDQA_3
|
|
Groups: sse2
|
|
0x457aaf: movdqa xmm5, xmm3
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457ab0] = '\x0f'
|
|
mem[0x457ab1] = 'o'
|
|
mem[0x457ab2] = '\xeb'
|
|
mem[0x457aaf] = 'f'
|
|
cpu.XMM3 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM3 == 0x726f74756365784563696c6f626d7953)
|
|
cpu.RIP = 0x457aaf
|
|
cpu.XMM5 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM5 == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ab0, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ab1, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ab2, 8)== ord('\xeb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457aaf, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.XMM3 == 0x726f74756365784563696c6f626d7953)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457ab3)
|
|
condition = Operators.AND(condition, cpu.XMM5 == 0x726f74756365784563696c6f626d7953)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVDQA_4_symbolic(self):
|
|
''' Instruction MOVDQA_4
|
|
Groups: sse2
|
|
0x457a08: movdqa xmm2, xmmword ptr [rdi + 0x30]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffe000, 0x1000, 'rwx')
|
|
mem[0x457a08] = 'f'
|
|
mem[0x457a09] = '\x0f'
|
|
mem[0x457a0a] = 'o'
|
|
mem[0x457a0b] = 'W'
|
|
mem[0x457a0c] = '0'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe070)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x44)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe071)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x47)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe072)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe073)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x56)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe074)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x54)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe075)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4e)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe076)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x52)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe077)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x3d)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe078)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x32)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe079)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe07a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4d)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe07b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe07c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4e)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe07d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x50)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe07e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe07f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x54)
|
|
mem[addr] = value
|
|
cpu.XMM2 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM2 == 0x0)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffe040)
|
|
cpu.RIP = 0x457a08
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457a08, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457a09, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457a0a, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457a0b, 8)== ord('W'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457a0c, 8)== ord('0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe070, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe071, 8)== ord('G'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe072, 8)== ord('_'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe073, 8)== ord('V'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe074, 8)== ord('T'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe075, 8)== ord('N'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe076, 8)== ord('R'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe077, 8)== ord('='))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe078, 8)== ord('2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe079, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe07a, 8)== ord('M'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe07b, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe07c, 8)== ord('N'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe07d, 8)== ord('P'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe07e, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe07f, 8)== ord('T'))
|
|
condition = Operators.AND(condition, cpu.XMM2 == 0x5441504e414d00323d524e54565f4744)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffe040)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457a0d)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVDQA_5_symbolic(self):
|
|
''' Instruction MOVDQA_5
|
|
Groups: sse2
|
|
0x457b38: movdqa xmm0, xmm2
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457b38] = 'f'
|
|
mem[0x457b39] = '\x0f'
|
|
mem[0x457b3a] = 'o'
|
|
mem[0x457b3b] = '\xc2'
|
|
cpu.XMM2 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM2 == 0x504e414d00323d524e54565f47445800)
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.RIP = 0x457b38
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457b38, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457b39, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457b3a, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457b3b, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.XMM2 == 0x504e414d00323d524e54565f47445800)
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x504e414d00323d524e54565f47445800)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457b3c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVDQA_6_symbolic(self):
|
|
''' Instruction MOVDQA_6
|
|
Groups: sse2
|
|
0x7ffff7ac0b0b: movdqa xmm4, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0b0b] = 'f'
|
|
mem[0x7ffff7ac0b0c] = '\x0f'
|
|
mem[0x7ffff7ac0b0d] = 'o'
|
|
mem[0x7ffff7ac0b0e] = '\xe0'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0xcd202730fa0892a58d0000007fffff00)
|
|
cpu.RIP = 0x7ffff7ac0b0b
|
|
cpu.XMM4 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM4 == 0xffffff000000ff0000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0b, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0c, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0d, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b0e, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0xcd202730fa0892a58d0000007fffff00)
|
|
condition = Operators.AND(condition, cpu.XMM4 == 0xcd202730fa0892a58d0000007fffff00)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0b0f)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVDQU_1_symbolic(self):
|
|
''' Instruction MOVDQU_1
|
|
Groups: sse2
|
|
0x6a74d4: movdqu xmm0, xmmword ptr [rsp]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x006a7000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x21)
|
|
mem[addr] = value
|
|
mem[0x6a74d6] = 'o'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
mem[0x6a74d7] = '\x04'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x6a74d4] = '\xf3'
|
|
mem[0x6a74d5] = '\x0f'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x6a74d8] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x7fff800000000000002100007fff)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x6a74d4
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6a74d4, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6a74d5, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6a74d6, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6a74d7, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6a74d8, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('!'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x7fff800000010000002100007fff)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x6a74d9)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVDQU_2_symbolic(self):
|
|
''' Instruction MOVDQU_2
|
|
Groups: sse2
|
|
0x568fac: movdqu xmm0, xmmword ptr [rsp]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00568000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x568fb0] = '$'
|
|
mem[0x568fac] = '\xf3'
|
|
mem[0x568fad] = '\x0f'
|
|
mem[0x568fae] = 'o'
|
|
mem[0x568faf] = '\x04'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x78)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x56)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x34)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x12)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x78)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x56)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x34)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x12)
|
|
mem[addr] = value
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x1234567800007fff00007fff12345678)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x568fac
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('x'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x568fac, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x568fad, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x568fae, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x568faf, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x568fb0, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('V'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x12'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('x'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('V'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x12'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x123456780000800100007fff12345678)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x568fb1)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVDQU_3_symbolic(self):
|
|
''' Instruction MOVDQU_3
|
|
Groups: sse2
|
|
0x6f4c12: movdqu xmm1, xmmword ptr [rsp + 4]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x006f4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x6f4c12] = '\xf3'
|
|
mem[0x6f4c13] = '\x0f'
|
|
mem[0x6f4c14] = 'o'
|
|
mem[0x6f4c15] = 'L'
|
|
mem[0x6f4c16] = '$'
|
|
mem[0x6f4c17] = '\x04'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x21)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccc0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccc1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccc2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccc3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x7fff000000210000002100007fff)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x6f4c12
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x6f4c12, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6f4c13, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6f4c14, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6f4c15, 8)== ord('L'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6f4c16, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6f4c17, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('!'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc0, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc1, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x7fff000000210000002000007fff)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x6f4c18)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVDQU_4_symbolic(self):
|
|
''' Instruction MOVDQU_4
|
|
Groups: sse2
|
|
0x56fa50: movdqu xmm1, xmmword ptr [rsp + 4]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0056f000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x21)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x21)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x43)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x65)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x87)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccc0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccc1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccc2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccc3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x56fa50] = '\xf3'
|
|
mem[0x56fa51] = '\x0f'
|
|
mem[0x56fa52] = 'o'
|
|
mem[0x56fa53] = 'L'
|
|
mem[0x56fa54] = '$'
|
|
mem[0x56fa55] = '\x04'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x20876543218765432100000020)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x56fa50
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('!'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('!'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('C'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x87'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc0, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x56fa50, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x56fa51, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x56fa52, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x56fa53, 8)== ord('L'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x56fa54, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x56fa55, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x20876543210000002100000020)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x56fa56)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVDQU_5_symbolic(self):
|
|
''' Instruction MOVDQU_5
|
|
Groups: sse2
|
|
0x606649: movdqu xmm1, xmmword ptr [rsp + 4]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00606000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccc0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccc1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccc2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccc3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
mem[0x606649] = '\xf3'
|
|
mem[0x60664a] = '\x0f'
|
|
mem[0x60664b] = 'o'
|
|
mem[0x60664c] = 'L'
|
|
mem[0x60664d] = '$'
|
|
mem[0x60664e] = '\x04'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0xffffffff0000800100007fffffffffff)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x606649
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc0, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc1, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccc3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x606649, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x60664a, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x60664b, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x60664c, 8)== ord('L'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x60664d, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x60664e, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0xffffffff0000800100008001ffffffff)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x60664f)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVDQU_6_symbolic(self):
|
|
''' Instruction MOVDQU_6
|
|
Groups: sse2
|
|
0x6fc91e: movdqu xmm0, xmmword ptr [rsp]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x006fc000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x6fc920] = 'o'
|
|
mem[0x6fc921] = '\x04'
|
|
mem[0x6fc922] = '$'
|
|
mem[0x6fc91f] = '\x0f'
|
|
mem[0x6fc91e] = '\xf3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x40800000008000000100000040)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x6fc91e
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x6fc920, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6fc921, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6fc922, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6fc91e, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6fc91f, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x40800000018000000100000040)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x6fc923)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVD_1_symbolic(self):
|
|
''' Instruction MOVD_1
|
|
Groups: sse2
|
|
0x7ffff7df4370: movd xmm1, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4370] = 'f'
|
|
mem[0x7ffff7df4371] = '\x0f'
|
|
mem[0x7ffff7df4372] = 'n'
|
|
mem[0x7ffff7df4373] = '\xce'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x24242424242424242424242424242424)
|
|
cpu.RIP = 0x7ffff7df4370
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x2f)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4370, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4371, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4372, 8)== ord('n'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4373, 8)== ord('\xce'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2f)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x2f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4374)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVD_2_symbolic(self):
|
|
''' Instruction MOVD_2
|
|
Groups: sse2
|
|
0x7ffff7ab7980: movd xmm1, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab7980] = 'f'
|
|
mem[0x7ffff7ab7981] = '\x0f'
|
|
mem[0x7ffff7ab7982] = 'n'
|
|
mem[0x7ffff7ab7983] = '\xce'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x24242424242424242424242424242424)
|
|
cpu.RIP = 0x7ffff7ab7980
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x2f)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7980, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7981, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7982, 8)== ord('n'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7983, 8)== ord('\xce'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2f)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x2f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab7984)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVD_3_symbolic(self):
|
|
''' Instruction MOVD_3
|
|
Groups: sse2
|
|
0x4578e0: movd xmm1, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x4578e0] = 'f'
|
|
mem[0x4578e1] = '\x0f'
|
|
mem[0x4578e2] = 'n'
|
|
mem[0x4578e3] = '\xce'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x0)
|
|
cpu.RIP = 0x4578e0
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x2f)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4578e0, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4578e1, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4578e2, 8)== ord('n'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4578e3, 8)== ord('\xce'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2f)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x2f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4578e4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVD_4_symbolic(self):
|
|
''' Instruction MOVD_4
|
|
Groups: sse2
|
|
0x421b10: movd xmm1, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00421000, 0x1000, 'rwx')
|
|
mem[0x421b10] = 'f'
|
|
mem[0x421b11] = '\x0f'
|
|
mem[0x421b12] = 'n'
|
|
mem[0x421b13] = '\xce'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x25252525252525252525252525252525)
|
|
cpu.RIP = 0x421b10
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x25)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x421b10, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x421b11, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x421b12, 8)== ord('n'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x421b13, 8)== ord('\xce'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x25)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x25)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x421b14)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVD_5_symbolic(self):
|
|
''' Instruction MOVD_5
|
|
Groups: sse2
|
|
0x457da0: movd xmm1, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457da0] = 'f'
|
|
mem[0x457da1] = '\x0f'
|
|
mem[0x457da2] = 'n'
|
|
mem[0x457da3] = '\xce'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x0)
|
|
cpu.RIP = 0x457da0
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x2f)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457da0, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457da1, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457da2, 8)== ord('n'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457da3, 8)== ord('\xce'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2f)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x2f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457da4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVD_6_symbolic(self):
|
|
''' Instruction MOVD_6
|
|
Groups: sse2
|
|
0x7ffff7ac0ae0: movd xmm1, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0ae0] = 'f'
|
|
mem[0x7ffff7ac0ae1] = '\x0f'
|
|
mem[0x7ffff7ac0ae2] = 'n'
|
|
mem[0x7ffff7ac0ae3] = '\xce'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x25252525252525252525252525252525)
|
|
cpu.RIP = 0x7ffff7ac0ae0
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x25)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0ae0, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0ae1, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0ae2, 8)== ord('n'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0ae3, 8)== ord('\xce'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x25)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x25)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0ae4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVLPD_1_symbolic(self):
|
|
''' Instruction MOVLPD_1
|
|
Groups: sse2
|
|
0x50f61f: movlpd xmm1, qword ptr [rsp]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0050f000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x50f61f] = 'f'
|
|
mem[0x50f620] = '\x0f'
|
|
mem[0x50f621] = '\x12'
|
|
mem[0x50f622] = '\x0c'
|
|
mem[0x50f623] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x80000000400000008000000040)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x50f61f
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x50f61f, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x50f620, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x50f621, 8)== ord('\x12'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x50f622, 8)== ord('\x0c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x50f623, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x80000000400000008000000040)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x50f624)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVLPD_2_symbolic(self):
|
|
''' Instruction MOVLPD_2
|
|
Groups: sse2
|
|
0x4aa891: movlpd qword ptr [rsp], xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004aa000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x4aa891] = 'f'
|
|
mem[0x4aa892] = '\x0f'
|
|
mem[0x4aa893] = '\x13'
|
|
mem[0x4aa894] = '\x0c'
|
|
mem[0x4aa895] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x21)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x43)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x65)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x87)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x87654321800000000000004087654321)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x4aa891
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4aa891, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4aa892, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4aa893, 8)== ord('\x13'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4aa894, 8)== ord('\x0c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4aa895, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('!'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('C'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x87'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x87654321800000000000004087654321)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4aa896)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVLPD_3_symbolic(self):
|
|
''' Instruction MOVLPD_3
|
|
Groups: sse2
|
|
0x4adf87: movlpd qword ptr [rsp], xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004ad000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x4adf87] = 'f'
|
|
mem[0x4adf88] = '\x0f'
|
|
mem[0x4adf89] = '\x13'
|
|
mem[0x4adf8a] = '\x0c'
|
|
mem[0x4adf8b] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xfe)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0xfffffffe8000000180000001fffffffe)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x4adf87
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4adf87, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4adf88, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4adf89, 8)== ord('\x13'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4adf8a, 8)== ord('\x0c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4adf8b, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xfe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0xfffffffe8000000180000001fffffffe)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4adf8c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVLPD_4_symbolic(self):
|
|
''' Instruction MOVLPD_4
|
|
Groups: sse2
|
|
0x4acf88: movlpd qword ptr [rsp], xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004ac000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x4acf88] = 'f'
|
|
mem[0x4acf89] = '\x0f'
|
|
mem[0x4acf8a] = '\x13'
|
|
mem[0x4acf8b] = '\x0c'
|
|
mem[0x4acf8c] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x7fff800000018000000100007fff)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x4acf88
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4acf88, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4acf89, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4acf8a, 8)== ord('\x13'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4acf8b, 8)== ord('\x0c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4acf8c, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x7fff800000018000000100007fff)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4acf8d)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVLPD_5_symbolic(self):
|
|
''' Instruction MOVLPD_5
|
|
Groups: sse2
|
|
0x50a2c7: movlpd xmm1, qword ptr [rsp]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0050a000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x50a2c7] = 'f'
|
|
mem[0x50a2c8] = '\x0f'
|
|
mem[0x50a2c9] = '\x12'
|
|
mem[0x50a2ca] = '\x0c'
|
|
mem[0x50a2cb] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x21)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x21000000200000004000000021)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x50a2c7
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x50a2c7, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x50a2c8, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x50a2c9, 8)== ord('\x12'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x50a2ca, 8)== ord('\x0c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x50a2cb, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('!'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x21000000200000002100000020)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x50a2cc)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVLPD_6_symbolic(self):
|
|
''' Instruction MOVLPD_6
|
|
Groups: sse2
|
|
0x4d851b: movlpd qword ptr [rsp], xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004d8000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x4d851b] = 'f'
|
|
mem[0x4d851c] = '\x0f'
|
|
mem[0x4d851d] = '\x13'
|
|
mem[0x4d851e] = '\x0c'
|
|
mem[0x4d851f] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x7fff0000008000007fff00007fff)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x4d851b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4d851b, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4d851c, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4d851d, 8)== ord('\x13'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4d851e, 8)== ord('\x0c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4d851f, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x7fff0000008000007fff00007fff)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4d8520)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSD_1_symbolic(self):
|
|
''' Instruction MOVSD_1
|
|
Groups:
|
|
0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem.mmap(0x55555576e000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x10)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xdb)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x555555556e3c] = '\xa5'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e63b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e638)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e639)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e63a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x555555556e3b] = '\xf3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e63c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e63d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e63e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e63f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffdba0)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x12)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x55555576e638)
|
|
cpu.RIP = 0x555555556e3b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e63c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556e3b, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e638, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e639, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e63a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e63b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556e3c, 8)== ord('\xa5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e63d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e63e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e63f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x11)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdba4)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x55555576e63c)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555556e3b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSD_2_symbolic(self):
|
|
''' Instruction MOVSD_2
|
|
Groups:
|
|
0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem.mmap(0x55555576e000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e620)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e621)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e622)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e623)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb84)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x55)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb85)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x55)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb86)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb87)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb88)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb89)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb8a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb8b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e61c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x555555556e3b] = '\xf3'
|
|
mem[0x555555556e3c] = '\xa5'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e61d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e61e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e61f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffdb84)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x19)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x55555576e61c)
|
|
cpu.RIP = 0x555555556e3b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e620, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e621, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e622, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e623, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb84, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb85, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb86, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb87, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb88, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb89, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb8a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb8b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556e3c, 8)== ord('\xa5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556e3b, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e61c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e61d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e61e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e61f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x18)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdb88)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x55555576e620)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555556e3b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSD_3_symbolic(self):
|
|
''' Instruction MOVSD_3
|
|
Groups:
|
|
0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem.mmap(0x55555576e000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x555555556e3b] = '\xf3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e64c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e64d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e64e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e64f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e650)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e651)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e652)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e653)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdbb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdbb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdbb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdbb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdbb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdbb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdbba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdbbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x555555556e3c] = '\xa5'
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffdbb4)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0xd)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x55555576e64c)
|
|
cpu.RIP = 0x555555556e3b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbbb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e64c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e64d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e64e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e64f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e650, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e651, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e652, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e653, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbb4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbb8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbb9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbba, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556e3b, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556e3c, 8)== ord('\xa5'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0xc)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdbb8)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x55555576e650)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555556e3b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSD_4_symbolic(self):
|
|
''' Instruction MOVSD_4
|
|
Groups:
|
|
0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem.mmap(0x55555576e000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e640)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e641)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e642)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e643)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e644)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e645)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e646)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e647)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x67)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xa8)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdbaa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xb0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdbab)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdbac)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdbad)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdbae)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdbaf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x555555556e3b] = '\xf3'
|
|
mem[0x555555556e3c] = '\xa5'
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffdba8)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x10)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x55555576e640)
|
|
cpu.RIP = 0x555555556e3b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e640, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e641, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e642, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e643, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e644, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e645, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e646, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e647, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbaa, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbab, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbac, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbad, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbae, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdbaf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556e3b, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556e3c, 8)== ord('\xa5'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0xf)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdbac)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x55555576e644)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555556e3b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSD_5_symbolic(self):
|
|
''' Instruction MOVSD_5
|
|
Groups:
|
|
0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem.mmap(0x55555576e000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x10)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xdb)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdba3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb9c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x555555556e3b] = '\xf3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e634)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e635)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e636)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e637)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e638)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e639)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e63a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e63b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x555555556e3c] = '\xa5'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb9d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb9e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb9f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffdb9c)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x13)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x55555576e634)
|
|
cpu.RIP = 0x555555556e3b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba0, 8)== ord('\x10'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba1, 8)== ord('\xdb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdba3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e63b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556e3c, 8)== ord('\xa5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e634, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e635, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e636, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e637, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e638, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e639, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e63a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556e3b, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb9f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x12)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdba0)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x55555576e638)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555556e3b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSD_6_symbolic(self):
|
|
''' Instruction MOVSD_6
|
|
Groups:
|
|
0x555555556e3b: rep movsd dword ptr [rdi], dword ptr [rsi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555556000, 0x1000, 'rwx')
|
|
mem.mmap(0x55555576e000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e604)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e605)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e606)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e607)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e608)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e609)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e60a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555576e60b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb6c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb6d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb6e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb6f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb70)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xe0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb71)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xdb)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb72)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb73)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
mem[0x555555556e3b] = '\xf3'
|
|
mem[0x555555556e3c] = '\xa5'
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffdb6c)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x1f)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x55555576e604)
|
|
cpu.RIP = 0x555555556e3b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e604, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e605, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e606, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e607, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e608, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e609, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e60a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555576e60b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb6f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb70, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb71, 8)== ord('\xdb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb72, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb73, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556e3b, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555556e3c, 8)== ord('\xa5'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x1e)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdb70)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x55555576e608)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555556e3b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSXD_1_symbolic(self):
|
|
''' Instruction MOVSXD_1
|
|
Groups:
|
|
0x466083: movsxd rdi, edi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00466000, 0x1000, 'rwx')
|
|
mem[0x466083] = 'H'
|
|
mem[0x466084] = 'c'
|
|
mem[0x466085] = '\xff'
|
|
cpu.EDI = cs.new_bitvec(32)
|
|
cs.add(cpu.EDI == 0x41)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x41)
|
|
cpu.RIP = 0x466083
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x466083, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x466084, 8)== ord('c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x466085, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.EDI == 0x41)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x41)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x466086)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSXD_2_symbolic(self):
|
|
''' Instruction MOVSXD_2
|
|
Groups:
|
|
0x7ffff7ddf068: movsxd rdx, dword ptr [r8 + rbx*4]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddf000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7df5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddf068] = 'I'
|
|
mem[0x7ffff7ddf069] = 'c'
|
|
mem[0x7ffff7ddf06a] = '\x14'
|
|
mem[0x7ffff7ddf06b] = '\x98'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7df5f1c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x8f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7df5f1d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x91)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7df5f1e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xfe)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7df5f1f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x7ffff7df5f1c)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x2)
|
|
cpu.RIP = 0x7ffff7ddf068
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddf068, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddf069, 8)== ord('c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddf06a, 8)== ord('\x14'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddf06b, 8)== ord('\x98'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df5f1c, 8)== ord('\x8f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df5f1d, 8)== ord('\x91'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df5f1e, 8)== ord('\xfe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df5f1f, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.R8 == 0x7ffff7df5f1c)
|
|
condition = Operators.AND(condition, cpu.RDX == 0xfffffffffffe918f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddf06c)
|
|
condition = Operators.AND(condition, cpu.RBX == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSXD_3_symbolic(self):
|
|
''' Instruction MOVSXD_3
|
|
Groups:
|
|
0x436902: movsxd rax, dword ptr [rdx + rax*4]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00436000, 0x1000, 'rwx')
|
|
mem.mmap(0x00494000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494cf0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xa0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494cf1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1c)
|
|
mem[addr] = value
|
|
mem[0x436902] = 'H'
|
|
mem[0x436903] = 'c'
|
|
mem[0x436904] = '\x04'
|
|
mem[0x436905] = '\x82'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494cf3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494cf2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xfa)
|
|
mem[addr] = value
|
|
cpu.RIP = 0x436902
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x1c)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x494c80)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x494cf0, 8)== ord('\xa0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494cf1, 8)== ord('\x1c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x436902, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x436903, 8)== ord('c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x436904, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x436905, 8)== ord('\x82'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494cf3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494cf2, 8)== ord('\xfa'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0xfffffffffffa1ca0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x436906)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x494c80)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSXD_4_symbolic(self):
|
|
''' Instruction MOVSXD_4
|
|
Groups:
|
|
0x7ffff7df214a: movsxd rax, dword ptr [rcx + rax*4]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df2000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7df6000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7df674f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7df674c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x30)
|
|
mem[addr] = value
|
|
mem[0x7ffff7df214a] = 'H'
|
|
mem[0x7ffff7df214b] = 'c'
|
|
mem[0x7ffff7df214c] = '\x04'
|
|
mem[0x7ffff7df214d] = '\x81'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7df674e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7df674d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xbb)
|
|
mem[addr] = value
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x7ffff7df6740)
|
|
cpu.RIP = 0x7ffff7df214a
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x3)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df674f, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df214c, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df214a, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df214b, 8)== ord('c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df674c, 8)== ord('0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df214d, 8)== ord('\x81'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df674e, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df674d, 8)== ord('\xbb'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x7ffff7df6740)
|
|
condition = Operators.AND(condition, cpu.RAX == 0xffffffffffffbb30)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df214e)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSXD_5_symbolic(self):
|
|
''' Instruction MOVSXD_5
|
|
Groups:
|
|
0x436b12: movsxd rax, dword ptr [rdx + rax*4]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00436000, 0x1000, 'rwx')
|
|
mem.mmap(0x00494000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494ea0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x10)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494ea1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1d)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494ea2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xfa)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494ea3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
mem[0x436b14] = '\x04'
|
|
mem[0x436b15] = '\x82'
|
|
mem[0x436b13] = 'c'
|
|
mem[0x436b12] = 'H'
|
|
cpu.RIP = 0x436b12
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x8)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x494e80)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x494ea0, 8)== ord('\x10'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494ea1, 8)== ord('\x1d'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494ea2, 8)== ord('\xfa'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494ea3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x436b14, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x436b15, 8)== ord('\x82'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x436b13, 8)== ord('c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x436b12, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0xfffffffffffa1d10)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x436b16)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x494e80)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSXD_6_symbolic(self):
|
|
''' Instruction MOVSXD_6
|
|
Groups:
|
|
0x7ffff7de62e7: movsxd rdx, dword ptr [rax + r12*4]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7df6000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7df6458)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x78)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7df6459)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de62e7] = 'J'
|
|
mem[0x7ffff7de62e8] = 'c'
|
|
mem[0x7ffff7de62e9] = '\x14'
|
|
mem[0x7ffff7de62ea] = '\xa0'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7df645b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7df645a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xfe)
|
|
mem[addr] = value
|
|
cpu.RIP = 0x7ffff7de62e7
|
|
cpu.R12 = cs.new_bitvec(64)
|
|
cs.add(cpu.R12 == 0x6)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x7ffff7a32fe0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x7ffff7df6440)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df6458, 8)== ord('x'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df6459, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de62e7, 8)== ord('J'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de62e8, 8)== ord('c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de62e9, 8)== ord('\x14'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de62ea, 8)== ord('\xa0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df645b, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df645a, 8)== ord('\xfe'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7ffff7df6440)
|
|
condition = Operators.AND(condition, cpu.R12 == 0x6)
|
|
condition = Operators.AND(condition, cpu.RDX == 0xfffffffffffeff78)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de62eb)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSX_1_symbolic(self):
|
|
''' Instruction MOVSX_1
|
|
Groups:
|
|
0x7ffff7df1273: movsx edx, byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1273] = '\x0f'
|
|
mem[0x7ffff7df1274] = '\xbe'
|
|
mem[0x7ffff7df1275] = '\x17'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x555555554435)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x2e)
|
|
mem[addr] = value
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x63)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x555555554435)
|
|
cpu.RIP = 0x7ffff7df1273
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1273, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1274, 8)== ord('\xbe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1275, 8)== ord('\x17'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555554435, 8)== ord('.'))
|
|
condition = Operators.AND(condition, cpu.EDX == 0x2e)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x555555554435)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1276)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSX_2_symbolic(self):
|
|
''' Instruction MOVSX_2
|
|
Groups:
|
|
0x7ffff7df1273: movsx edx, byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1273] = '\x0f'
|
|
mem[0x7ffff7df1274] = '\xbe'
|
|
mem[0x7ffff7df1275] = '\x17'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x55555555444d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x2e)
|
|
mem[addr] = value
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x63)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x55555555444d)
|
|
cpu.RIP = 0x7ffff7df1273
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1273, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1274, 8)== ord('\xbe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1275, 8)== ord('\x17'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555555444d, 8)== ord('.'))
|
|
condition = Operators.AND(condition, cpu.EDX == 0x2e)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x55555555444d)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1276)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSX_3_symbolic(self):
|
|
''' Instruction MOVSX_3
|
|
Groups:
|
|
0x7ffff7df1260: movsx eax, byte ptr [rsi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ff2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1260] = '\x0f'
|
|
mem[0x7ffff7df1261] = '\xbe'
|
|
mem[0x7ffff7df1262] = '\x06'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ff23b6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6c)
|
|
mem[addr] = value
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x3c)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7ffff7ff23b6)
|
|
cpu.RIP = 0x7ffff7df1260
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1260, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1261, 8)== ord('\xbe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1262, 8)== ord('\x06'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ff23b6, 8)== ord('l'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x6c)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7ffff7ff23b6)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1263)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSX_4_symbolic(self):
|
|
''' Instruction MOVSX_4
|
|
Groups:
|
|
0x7ffff7df1260: movsx eax, byte ptr [rsi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7fed000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1260] = '\x0f'
|
|
mem[0x7ffff7df1261] = '\xbe'
|
|
mem[0x7ffff7df1262] = '\x06'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fede8e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x69)
|
|
mem[addr] = value
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x39)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7ffff7fede8e)
|
|
cpu.RIP = 0x7ffff7df1260
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1260, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1261, 8)== ord('\xbe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1262, 8)== ord('\x06'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fede8e, 8)== ord('i'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x69)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7ffff7fede8e)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1263)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSX_5_symbolic(self):
|
|
''' Instruction MOVSX_5
|
|
Groups:
|
|
0x7ffff7df1260: movsx eax, byte ptr [rsi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7fed000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1260] = '\x0f'
|
|
mem[0x7ffff7df1261] = '\xbe'
|
|
mem[0x7ffff7df1262] = '\x06'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fede8f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x62)
|
|
mem[addr] = value
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x32)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7ffff7fede8f)
|
|
cpu.RIP = 0x7ffff7df1260
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1260, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1261, 8)== ord('\xbe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1262, 8)== ord('\x06'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fede8f, 8)== ord('b'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x62)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7ffff7fede8f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1263)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVSX_6_symbolic(self):
|
|
''' Instruction MOVSX_6
|
|
Groups:
|
|
0x7ffff7df1273: movsx edx, byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df1274] = '\xbe'
|
|
mem[0x7ffff7df1273] = '\x0f'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x555555554434)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x63)
|
|
mem[addr] = value
|
|
mem[0x7ffff7df1275] = '\x17'
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x62)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x555555554434)
|
|
cpu.RIP = 0x7ffff7df1273
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555554434, 8)== ord('c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1273, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1274, 8)== ord('\xbe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df1275, 8)== ord('\x17'))
|
|
condition = Operators.AND(condition, cpu.EDX == 0x63)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x555555554434)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df1276)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVZX_1_symbolic(self):
|
|
''' Instruction MOVZX_1
|
|
Groups:
|
|
0x7ffff7de3aa3: movzx edx, byte ptr [rcx + 4]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a32000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3aa4] = '\xb6'
|
|
mem[0x7ffff7de3aa3] = '\x0f'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a324bc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x11)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de3aa5] = 'Q'
|
|
mem[0x7ffff7de3aa6] = '\x04'
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x6)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x7ffff7a324b8)
|
|
cpu.RIP = 0x7ffff7de3aa3
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a324bc, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3aa3, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3aa4, 8)== ord('\xb6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3aa5, 8)== ord('Q'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3aa6, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.EDX == 0x11)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x7ffff7a324b8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3aa7)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVZX_2_symbolic(self):
|
|
''' Instruction MOVZX_2
|
|
Groups:
|
|
0x7ffff7de4399: movzx edx, byte ptr [rcx]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4399] = '\x0f'
|
|
mem[0x7ffff7de439a] = '\xb6'
|
|
mem[0x7ffff7de439b] = '\x11'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x555555554e44)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5f)
|
|
mem[addr] = value
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x6c)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x555555554e44)
|
|
cpu.RIP = 0x7ffff7de4399
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4399, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de439a, 8)== ord('\xb6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de439b, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555554e44, 8)== ord('_'))
|
|
condition = Operators.AND(condition, cpu.EDX == 0x5f)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x555555554e44)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de439c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVZX_3_symbolic(self):
|
|
''' Instruction MOVZX_3
|
|
Groups:
|
|
0x400aaa: movzx eax, al
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x400aaa] = '\x0f'
|
|
mem[0x400aab] = '\xb6'
|
|
mem[0x400aac] = '\xc0'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x79)
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0x79)
|
|
cpu.RIP = 0x400aaa
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x400aaa, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400aab, 8)== ord('\xb6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x400aac, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x79)
|
|
condition = Operators.AND(condition, cpu.AL == 0x79)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x400aad)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVZX_4_symbolic(self):
|
|
''' Instruction MOVZX_4
|
|
Groups:
|
|
0x7ffff7b58f18: movzx r10d, word ptr [rdx + 6]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a35000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f18] = 'D'
|
|
mem[0x7ffff7b58f19] = '\x0f'
|
|
mem[0x7ffff7b58f1a] = '\xb7'
|
|
mem[0x7ffff7b58f1b] = 'R'
|
|
mem[0x7ffff7b58f1c] = '\x06'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a3575e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xb)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a3575f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x7ffff7a35758)
|
|
cpu.RIP = 0x7ffff7b58f18
|
|
cpu.R10D = cs.new_bitvec(32)
|
|
cs.add(cpu.R10D == 0x24)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f18, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f19, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f1a, 8)== ord('\xb7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f1b, 8)== ord('R'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f1c, 8)== ord('\x06'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a3575e, 8)== ord('\x0b'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a3575f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RDX == 0x7ffff7a35758)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f1d)
|
|
condition = Operators.AND(condition, cpu.R10D == 0xb)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVZX_5_symbolic(self):
|
|
''' Instruction MOVZX_5
|
|
Groups:
|
|
0x7ffff7de6219: movzx r9d, r9b
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6219] = 'E'
|
|
mem[0x7ffff7de621a] = '\x0f'
|
|
mem[0x7ffff7de621b] = '\xb6'
|
|
mem[0x7ffff7de621c] = '\xc9'
|
|
cpu.R9D = cs.new_bitvec(32)
|
|
cs.add(cpu.R9D == 0xffffff00)
|
|
cpu.R9B = cs.new_bitvec(8)
|
|
cs.add(cpu.R9B == 0x0)
|
|
cpu.RIP = 0x7ffff7de6219
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6219, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de621a, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de621b, 8)== ord('\xb6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de621c, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.R9D == 0x0)
|
|
condition = Operators.AND(condition, cpu.R9B == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de621d)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOVZX_6_symbolic(self):
|
|
''' Instruction MOVZX_6
|
|
Groups:
|
|
0x7ffff7de3929: movzx ecx, byte ptr [rbp - 0x78]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd808)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x38)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de3929] = '\x0f'
|
|
mem[0x7ffff7de392a] = '\xb6'
|
|
mem[0x7ffff7de392b] = 'M'
|
|
mem[0x7ffff7de392c] = '\x88'
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0x2917737)
|
|
cpu.RIP = 0x7ffff7de3929
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffd880)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd808, 8)== ord('8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3929, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de392a, 8)== ord('\xb6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de392b, 8)== ord('M'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de392c, 8)== ord('\x88'))
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd880)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de392d)
|
|
condition = Operators.AND(condition, cpu.ECX == 0x38)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOV_1_symbolic(self):
|
|
''' Instruction MOV_1
|
|
Groups:
|
|
0x737287: mov ebx, 0x40
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00737000, 0x1000, 'rwx')
|
|
mem[0x737288] = '@'
|
|
mem[0x737289] = '\x00'
|
|
mem[0x73728a] = '\x00'
|
|
mem[0x73728b] = '\x00'
|
|
mem[0x737287] = '\xbb'
|
|
cpu.EBX = cs.new_bitvec(32)
|
|
cs.add(cpu.EBX == 0x40)
|
|
cpu.RIP = 0x737287
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x737288, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x737289, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x73728a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x73728b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x737287, 8)== ord('\xbb'))
|
|
condition = Operators.AND(condition, cpu.EBX == 0x40)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x73728c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOV_2_symbolic(self):
|
|
''' Instruction MOV_2
|
|
Groups:
|
|
0x7ffff7de6121: mov rax, r13
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6121] = 'L'
|
|
mem[0x7ffff7de6122] = '\x89'
|
|
mem[0x7ffff7de6123] = '\xe8'
|
|
cpu.RIP = 0x7ffff7de6121
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x8)
|
|
cpu.R13 = cs.new_bitvec(64)
|
|
cs.add(cpu.R13 == 0x7ffff7a2e000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6121, 8)== ord('L'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6122, 8)== ord('\x89'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6123, 8)== ord('\xe8'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7ffff7a2e000)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6124)
|
|
condition = Operators.AND(condition, cpu.R13 == 0x7ffff7a2e000)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOV_3_symbolic(self):
|
|
''' Instruction MOV_3
|
|
Groups:
|
|
0x74dced: mov dword ptr [rsp], 0x7fff
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0074d000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x74dced] = '\xc7'
|
|
mem[0x74dcf0] = '\xff'
|
|
mem[0x74dcf1] = '\x7f'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x74dcee] = '\x04'
|
|
mem[0x74dcef] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
mem[0x74dcf2] = '\x00'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x74dcf3] = '\x00'
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x74dced
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x74dced, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x74dcee, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x74dcef, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x74dcf0, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x74dcf1, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x74dcf2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x74dcf3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x74dcf4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOV_4_symbolic(self):
|
|
''' Instruction MOV_4
|
|
Groups:
|
|
0x4b00dc: mov dword ptr [rsp + 4], 0x80
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004b0000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x4b00dc] = '\xc7'
|
|
mem[0x4b00dd] = 'D'
|
|
mem[0x4b00de] = '$'
|
|
mem[0x4b00df] = '\x04'
|
|
mem[0x4b00e0] = '\x80'
|
|
mem[0x4b00e1] = '\x00'
|
|
mem[0x4b00e2] = '\x00'
|
|
mem[0x4b00e3] = '\x00'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x4b00dc
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4b00dc, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4b00dd, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4b00de, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4b00df, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4b00e0, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4b00e1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4b00e2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4b00e3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4b00e4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOV_5_symbolic(self):
|
|
''' Instruction MOV_5
|
|
Groups:
|
|
0x7776d9: mov dword ptr [rsp + 8], 0x80000000
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00777000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7776d9] = '\xc7'
|
|
mem[0x7776da] = 'D'
|
|
mem[0x7776db] = '$'
|
|
mem[0x7776dc] = '\x08'
|
|
mem[0x7776dd] = '\x00'
|
|
mem[0x7776de] = '\x00'
|
|
mem[0x7776df] = '\x00'
|
|
mem[0x7776e0] = '\x80'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x7776d9
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7776d9, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7776da, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7776db, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7776dc, 8)== ord('\x08'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7776dd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7776de, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7776df, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7776e0, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7776e1)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MOV_6_symbolic(self):
|
|
''' Instruction MOV_6
|
|
Groups:
|
|
0x4c3b88: mov dword ptr [rsp + 0xc], 0x12345678
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x004c3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x4c3b88] = '\xc7'
|
|
mem[0x4c3b89] = 'D'
|
|
mem[0x4c3b8a] = '$'
|
|
mem[0x4c3b8b] = '\x0c'
|
|
mem[0x4c3b8c] = 'x'
|
|
mem[0x4c3b8d] = 'V'
|
|
mem[0x4c3b8e] = '4'
|
|
mem[0x4c3b8f] = '\x12'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x78)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x56)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x34)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x12)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x4c3b88
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4c3b88, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4c3b89, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4c3b8a, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4c3b8b, 8)== ord('\x0c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4c3b8c, 8)== ord('x'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4c3b8d, 8)== ord('V'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4c3b8e, 8)== ord('4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4c3b8f, 8)== ord('\x12'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('x'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('V'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x12'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4c3b90)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MUL_1_symbolic(self):
|
|
''' Instruction MUL_1
|
|
Groups:
|
|
0x7ffff7de253f: mul rdx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de2540] = '\xf7'
|
|
mem[0x7ffff7de2541] = '\xe2'
|
|
mem[0x7ffff7de253f] = 'H'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RIP = 0x7ffff7de253f
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x5f)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0xcccccccccccccccd)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de2540, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de2541, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de253f, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.OF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x13)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de2542)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x4c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MUL_2_symbolic(self):
|
|
''' Instruction MUL_2
|
|
Groups:
|
|
0x7ffff7de253f: mul rdx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de2540] = '\xf7'
|
|
mem[0x7ffff7de2541] = '\xe2'
|
|
mem[0x7ffff7de253f] = 'H'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RIP = 0x7ffff7de253f
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x5f)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0xcccccccccccccccd)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de2540, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de2541, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de253f, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.OF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x13)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de2542)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x4c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MUL_3_symbolic(self):
|
|
''' Instruction MUL_3
|
|
Groups:
|
|
0x7ffff7de253f: mul rdx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de2540] = '\xf7'
|
|
mem[0x7ffff7de2541] = '\xe2'
|
|
mem[0x7ffff7de253f] = 'H'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RIP = 0x7ffff7de253f
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x5f)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0xcccccccccccccccd)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de2540, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de2541, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de253f, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.OF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x13)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de2542)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x4c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MUL_4_symbolic(self):
|
|
''' Instruction MUL_4
|
|
Groups:
|
|
0x45f865: mul rdx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0045f000, 0x1000, 'rwx')
|
|
mem[0x45f865] = 'H'
|
|
mem[0x45f866] = '\xf7'
|
|
mem[0x45f867] = '\xe2'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RIP = 0x45f865
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x57)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0xcccccccccccccccd)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f865, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f866, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45f867, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.OF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x99999999999999ab)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x45f868)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x45)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MUL_5_symbolic(self):
|
|
''' Instruction MUL_5
|
|
Groups:
|
|
0x4624e5: mul rdx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00462000, 0x1000, 'rwx')
|
|
mem[0x4624e5] = 'H'
|
|
mem[0x4624e6] = '\xf7'
|
|
mem[0x4624e7] = '\xe2'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RIP = 0x4624e5
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x57)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0xcccccccccccccccd)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4624e5, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4624e6, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4624e7, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.OF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x99999999999999ab)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4624e8)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x45)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_MUL_6_symbolic(self):
|
|
''' Instruction MUL_6
|
|
Groups:
|
|
0x443dc7: mul r9
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00443000, 0x1000, 'rwx')
|
|
mem[0x443dc8] = '\xf7'
|
|
mem[0x443dc9] = '\xe1'
|
|
mem[0x443dc7] = 'I'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.R9 = cs.new_bitvec(64)
|
|
cs.add(cpu.R9 == 0xcccccccccccccccd)
|
|
cpu.RIP = 0x443dc7
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0xa)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x3)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x443dc8, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x443dc9, 8)== ord('\xe1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x443dc7, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.RDX == 0x2)
|
|
condition = Operators.AND(condition, cpu.OF == True)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x443dca)
|
|
condition = Operators.AND(condition, cpu.R9 == 0xcccccccccccccccd)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x6666666666666667)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_NEG_1_symbolic(self):
|
|
''' Instruction NEG_1
|
|
Groups:
|
|
0x7ffff7df27cf: neg rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df27d0] = '\xf7'
|
|
mem[0x7ffff7df27d1] = '\xd8'
|
|
mem[0x7ffff7df27cf] = 'H'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x7ffff7ffeb78)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x7ffff7df27cf
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27d0, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27d1, 8)== ord('\xd8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27cf, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0xffff800008001488)
|
|
condition = Operators.AND(condition, cpu.AF == True)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df27d2)
|
|
condition = Operators.AND(condition, cpu.SF == True)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_NEG_2_symbolic(self):
|
|
''' Instruction NEG_2
|
|
Groups:
|
|
0x7ffff7de5c54: neg rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5c54] = 'H'
|
|
mem[0x7ffff7de5c55] = '\xf7'
|
|
mem[0x7ffff7de5c56] = '\xd8'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x1000)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de5c54
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5c54, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5c55, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5c56, 8)== ord('\xd8'))
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RAX == 0xfffffffffffff000)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de5c57)
|
|
condition = Operators.AND(condition, cpu.SF == True)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_NEG_3_symbolic(self):
|
|
''' Instruction NEG_3
|
|
Groups:
|
|
0x40baad: neg eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040b000, 0x1000, 'rwx')
|
|
mem[0x40baad] = '\xf7'
|
|
mem[0x40baae] = '\xd8'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x0)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x40baad
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x40baad, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40baae, 8)== ord('\xd8'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40baaf)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_NEG_4_symbolic(self):
|
|
''' Instruction NEG_4
|
|
Groups:
|
|
0x7ffff7df27b6: neg rdi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df27b8] = '\xdf'
|
|
mem[0x7ffff7df27b6] = 'H'
|
|
mem[0x7ffff7df27b7] = '\xf7'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x8)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7df27b6
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27b8, 8)== ord('\xdf'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27b6, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27b7, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.AF == True)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RDI == 0xfffffffffffffff8)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df27b9)
|
|
condition = Operators.AND(condition, cpu.SF == True)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_NEG_5_symbolic(self):
|
|
''' Instruction NEG_5
|
|
Groups:
|
|
0x411176: neg r10
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem[0x411178] = '\xda'
|
|
mem[0x411176] = 'I'
|
|
mem[0x411177] = '\xf7'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.R10 = cs.new_bitvec(64)
|
|
cs.add(cpu.R10 == 0x1000)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x411176
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x411178, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411176, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x411177, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.R10 == 0xfffffffffffff000)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x411179)
|
|
condition = Operators.AND(condition, cpu.SF == True)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_NEG_6_symbolic(self):
|
|
''' Instruction NEG_6
|
|
Groups:
|
|
0x7ffff7df27b6: neg rdi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df2000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df27b8] = '\xdf'
|
|
mem[0x7ffff7df27b6] = 'H'
|
|
mem[0x7ffff7df27b7] = '\xf7'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x8)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7df27b6
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27b8, 8)== ord('\xdf'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27b6, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df27b7, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.AF == True)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RDI == 0xfffffffffffffff8)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df27b9)
|
|
condition = Operators.AND(condition, cpu.SF == True)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_NOT_1_symbolic(self):
|
|
''' Instruction NOT_1
|
|
Groups:
|
|
0x7ffff7df144a: not rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df1000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df144a] = 'H'
|
|
mem[0x7ffff7df144b] = '\xf7'
|
|
mem[0x7ffff7df144c] = '\xd0'
|
|
cpu.RIP = 0x7ffff7df144a
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x8000000000000000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df144a, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df144b, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df144c, 8)== ord('\xd0'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7fffffffffffffff)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df144d)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_NOT_2_symbolic(self):
|
|
''' Instruction NOT_2
|
|
Groups:
|
|
0x4008f7: not esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00400000, 0x1000, 'rwx')
|
|
mem[0x4008f8] = '\xd6'
|
|
mem[0x4008f7] = '\xf7'
|
|
cpu.RIP = 0x4008f7
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0xfffffff0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4008f8, 8)== ord('\xd6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4008f7, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.ESI == 0xf)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4008f9)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_NOT_3_symbolic(self):
|
|
''' Instruction NOT_3
|
|
Groups:
|
|
0x7ffff7a78242: not rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a78242] = 'H'
|
|
mem[0x7ffff7a78243] = '\xf7'
|
|
mem[0x7ffff7a78244] = '\xd0'
|
|
cpu.RIP = 0x7ffff7a78242
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0xfffffffffffffffc)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78242, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78243, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78244, 8)== ord('\xd0'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x3)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a78245)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_NOT_4_symbolic(self):
|
|
''' Instruction NOT_4
|
|
Groups:
|
|
0x7ffff7de5765: not r10
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5765] = 'I'
|
|
mem[0x7ffff7de5766] = '\xf7'
|
|
mem[0x7ffff7de5767] = '\xd2'
|
|
cpu.RIP = 0x7ffff7de5765
|
|
cpu.R10 = cs.new_bitvec(64)
|
|
cs.add(cpu.R10 == 0xffffffffffffffff)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5765, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5766, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5767, 8)== ord('\xd2'))
|
|
condition = Operators.AND(condition, cpu.R10 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de5768)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_NOT_5_symbolic(self):
|
|
''' Instruction NOT_5
|
|
Groups:
|
|
0x7ffff7de5765: not r10
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5765] = 'I'
|
|
mem[0x7ffff7de5766] = '\xf7'
|
|
mem[0x7ffff7de5767] = '\xd2'
|
|
cpu.RIP = 0x7ffff7de5765
|
|
cpu.R10 = cs.new_bitvec(64)
|
|
cs.add(cpu.R10 == 0xffffffffffffffff)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5765, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5766, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5767, 8)== ord('\xd2'))
|
|
condition = Operators.AND(condition, cpu.R10 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de5768)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_NOT_6_symbolic(self):
|
|
''' Instruction NOT_6
|
|
Groups:
|
|
0x7ffff7de5765: not r10
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5765] = 'I'
|
|
mem[0x7ffff7de5766] = '\xf7'
|
|
mem[0x7ffff7de5767] = '\xd2'
|
|
cpu.RIP = 0x7ffff7de5765
|
|
cpu.R10 = cs.new_bitvec(64)
|
|
cs.add(cpu.R10 == 0xffffffffffffffff)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5765, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5766, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5767, 8)== ord('\xd2'))
|
|
condition = Operators.AND(condition, cpu.R10 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de5768)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_OR_1_symbolic(self):
|
|
''' Instruction OR_1
|
|
Groups:
|
|
0x7ffff7de6235: or r9d, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6235] = 'A'
|
|
mem[0x7ffff7de6236] = '\t'
|
|
mem[0x7ffff7de6237] = '\xc1'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x0)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6235
|
|
cpu.R9D = cs.new_bitvec(32)
|
|
cs.add(cpu.R9D == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6235, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6236, 8)== ord('\t'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6237, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.R9D == 0x0)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6238)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_OR_2_symbolic(self):
|
|
''' Instruction OR_2
|
|
Groups:
|
|
0x7ffff7de4344: or qword ptr [rsp], 0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4344] = 'H'
|
|
mem[0x7ffff7de4345] = '\x83'
|
|
mem[0x7ffff7de4346] = '\x0c'
|
|
mem[0x7ffff7de4347] = '$'
|
|
mem[0x7ffff7de4348] = '\x00'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc920)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc921)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc922)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc923)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc924)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc925)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc926)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc927)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de4344
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffc920)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4344, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4345, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4346, 8)== ord('\x0c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4347, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4348, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc920, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc921, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc922, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc923, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc924, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc925, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc926, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc927, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4349)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffc920)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_OR_3_symbolic(self):
|
|
''' Instruction OR_3
|
|
Groups:
|
|
0x7ffff7de3814: or qword ptr [rsp], 0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3816] = '\x0c'
|
|
mem[0x7ffff7de3817] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc790)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc791)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc792)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc793)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de3814] = 'H'
|
|
mem[0x7ffff7de3815] = '\x83'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc796)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc797)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de3818] = '\x00'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc794)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc795)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de3814
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffc790)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc796, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc797, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc790, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc791, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc792, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc793, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3814, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3815, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3816, 8)== ord('\x0c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3817, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3818, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc794, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc795, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3819)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffc790)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_OR_4_symbolic(self):
|
|
''' Instruction OR_4
|
|
Groups:
|
|
0x7ffff7de3814: or qword ptr [rsp], 0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3816] = '\x0c'
|
|
mem[0x7ffff7de3817] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc790)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc791)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc792)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc793)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de3814] = 'H'
|
|
mem[0x7ffff7de3815] = '\x83'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc796)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc797)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de3818] = '\x00'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc794)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc795)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de3814
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffc790)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc796, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc797, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc790, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc791, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc792, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc793, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3814, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3815, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3816, 8)== ord('\x0c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3817, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3818, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc794, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc795, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3819)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffc790)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_OR_5_symbolic(self):
|
|
''' Instruction OR_5
|
|
Groups:
|
|
0x40a38c: or qword ptr [rsp], 0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040a000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcb00)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x2f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcb01)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x68)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcb02)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcb03)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6d)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcb04)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x65)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcb05)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x2f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcb06)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x66)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcb07)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x65)
|
|
mem[addr] = value
|
|
mem[0x40a38c] = 'H'
|
|
mem[0x40a38d] = '\x83'
|
|
mem[0x40a38e] = '\x0c'
|
|
mem[0x40a38f] = '$'
|
|
mem[0x40a390] = '\x00'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x40a38c
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffcb00)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb00, 8)== ord('/'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb01, 8)== ord('h'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb02, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb03, 8)== ord('m'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb04, 8)== ord('e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb05, 8)== ord('/'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb06, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcb07, 8)== ord('e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40a38c, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40a38d, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40a38e, 8)== ord('\x0c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40a38f, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40a390, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40a391)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffcb00)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_OR_6_symbolic(self):
|
|
''' Instruction OR_6
|
|
Groups:
|
|
0x7ffff7de6212: or r9d, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6212] = 'A'
|
|
mem[0x7ffff7de6213] = '\t'
|
|
mem[0x7ffff7de6214] = '\xc1'
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0xffffff00)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x7ffff7de6212
|
|
cpu.R9D = cs.new_bitvec(32)
|
|
cs.add(cpu.R9D == 0xf7ff7600)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6212, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6213, 8)== ord('\t'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6214, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.EAX == 0xffffff00)
|
|
condition = Operators.AND(condition, cpu.R9D == 0xffffff00)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6215)
|
|
condition = Operators.AND(condition, cpu.SF == True)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PCMPEQB_1_symbolic(self):
|
|
''' Instruction PCMPEQB_1
|
|
Groups: sse2
|
|
0x457e12: pcmpeqb xmm5, xmm2
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457e12] = 'f'
|
|
mem[0x457e13] = '\x0f'
|
|
mem[0x457e14] = 't'
|
|
mem[0x457e15] = '\xea'
|
|
cpu.XMM2 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM2 == 0x0)
|
|
cpu.RIP = 0x457e12
|
|
cpu.XMM5 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM5 == 0x2f65726f6369746e614d2f737463656a)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457e12, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457e13, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457e14, 8)== ord('t'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457e15, 8)== ord('\xea'))
|
|
condition = Operators.AND(condition, cpu.XMM2 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457e16)
|
|
condition = Operators.AND(condition, cpu.XMM5 == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PCMPEQB_2_symbolic(self):
|
|
''' Instruction PCMPEQB_2
|
|
Groups: sse2
|
|
0x4184bf: pcmpeqb xmm12, xmm8
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x4184c0] = 'E'
|
|
mem[0x4184c1] = '\x0f'
|
|
mem[0x4184c2] = 't'
|
|
mem[0x4184c3] = '\xe0'
|
|
mem[0x4184bf] = 'f'
|
|
cpu.XMM12 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM12 == 0x6e696874796e61206f642074276e6f44)
|
|
cpu.XMM8 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM8 == 0x0)
|
|
cpu.RIP = 0x4184bf
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184c0, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184c1, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184c2, 8)== ord('t'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184c3, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184bf, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.XMM12 == 0x0)
|
|
condition = Operators.AND(condition, cpu.XMM8 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4184c4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PCMPEQB_3_symbolic(self):
|
|
''' Instruction PCMPEQB_3
|
|
Groups: sse2
|
|
0x457a26: pcmpeqb xmm0, xmm7
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457a28] = 't'
|
|
mem[0x457a29] = '\xc7'
|
|
mem[0x457a26] = 'f'
|
|
mem[0x457a27] = '\x0f'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x5400324e2f2f00313d524e00455f4744)
|
|
cpu.XMM7 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM7 == 0x0)
|
|
cpu.RIP = 0x457a26
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457a28, 8)== ord('t'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457a29, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457a26, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457a27, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0xff00000000ff00000000ff00000000)
|
|
condition = Operators.AND(condition, cpu.XMM7 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457a2a)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PCMPEQB_4_symbolic(self):
|
|
''' Instruction PCMPEQB_4
|
|
Groups: sse2
|
|
0x4579e8: pcmpeqb xmm0, xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x4579e8] = 'f'
|
|
mem[0x4579e9] = '\x0f'
|
|
mem[0x4579ea] = 't'
|
|
mem[0x4579eb] = '\xc1'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x2f78756e696c2f73656c706d6178652f)
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f)
|
|
cpu.RIP = 0x4579e8
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4579e8, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4579e9, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4579ea, 8)== ord('t'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4579eb, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0xff0000000000ff0000000000000000ff)
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4579ec)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PCMPEQB_5_symbolic(self):
|
|
''' Instruction PCMPEQB_5
|
|
Groups: sse2
|
|
0x7ffff7ab7ac6: pcmpeqb xmm0, xmm7
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab7ac8] = 't'
|
|
mem[0x7ffff7ab7ac9] = '\xc7'
|
|
mem[0x7ffff7ab7ac6] = 'f'
|
|
mem[0x7ffff7ab7ac7] = '\x0f'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x322f2f4d00313d522f00565f474458)
|
|
cpu.XMM7 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM7 == 0x0)
|
|
cpu.RIP = 0x7ffff7ab7ac6
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7ac8, 8)== ord('t'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7ac9, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7ac6, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7ac7, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0xff00000000ff00000000ff0000000000)
|
|
condition = Operators.AND(condition, cpu.XMM7 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab7aca)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PCMPEQB_6_symbolic(self):
|
|
''' Instruction PCMPEQB_6
|
|
Groups: sse2
|
|
0x7ffff7ab79b1: pcmpeqb xmm0, xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab79b1] = 'f'
|
|
mem[0x7ffff7ab79b2] = '\x0f'
|
|
mem[0x7ffff7ab79b3] = 't'
|
|
mem[0x7ffff7ab79b4] = '\xc1'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x6f72502f6570696c65662f656d6f682f)
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f)
|
|
cpu.RIP = 0x7ffff7ab79b1
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab79b1, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab79b2, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab79b3, 8)== ord('t'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab79b4, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0xff000000000000ff00000000ff)
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab79b5)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PMINUB_1_symbolic(self):
|
|
''' Instruction PMINUB_1
|
|
Groups: sse2
|
|
0x41b15f: pminub xmm8, xmmword ptr [rax + 0x10]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0041b000, 0x1000, 'rwx')
|
|
mem.mmap(0x00494000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494290)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494291)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494292)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494293)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494294)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494295)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494296)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494297)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494298)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x494299)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49429a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49429b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49429c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49429d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49429e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x49429f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
mem[0x41b15f] = 'f'
|
|
mem[0x41b160] = 'D'
|
|
mem[0x41b161] = '\x0f'
|
|
mem[0x41b162] = '\xda'
|
|
mem[0x41b163] = '@'
|
|
mem[0x41b164] = '\x10'
|
|
cpu.XMM8 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM8 == 0x5f5f5f5f5f200a2e646574726f706572)
|
|
cpu.RIP = 0x41b15f
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x494280)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x494290, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494291, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494292, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494293, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494294, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494295, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494296, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494297, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494298, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x494299, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49429a, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49429b, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49429c, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49429d, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49429e, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x49429f, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b15f, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b160, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b161, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b162, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b163, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b164, 8)== ord('\x10'))
|
|
condition = Operators.AND(condition, cpu.XMM8 == 0x2020202020200a202020202020202020)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x494280)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x41b165)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PMINUB_2_symbolic(self):
|
|
''' Instruction PMINUB_2
|
|
Groups: sse2
|
|
0x41b142: pminub xmm8, xmmword ptr [rax + 0x70]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0041b000, 0x1000, 'rwx')
|
|
mem.mmap(0x00494000, 0x1000, 'rwx')
|
|
mem[0x41b142] = 'f'
|
|
mem[0x41b143] = 'D'
|
|
mem[0x41b144] = '\x0f'
|
|
mem[0x41b145] = '\xda'
|
|
mem[0x41b146] = '@'
|
|
mem[0x41b147] = 'p'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942f0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942f1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942f2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942f3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942f4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942f5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942f6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942f7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942f8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942f9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942fa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942fb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942fc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942fd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942fe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4942ff)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5f)
|
|
mem[addr] = value
|
|
cpu.XMM8 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM8 == 0x2020202020202020202020200a202020)
|
|
cpu.RIP = 0x41b142
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x494280)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b142, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b143, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b144, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b145, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b146, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b147, 8)== ord('p'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942f0, 8)== ord('_'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942f1, 8)== ord('_'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942f2, 8)== ord('_'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942f3, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942f4, 8)== ord('_'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942f5, 8)== ord('_'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942f6, 8)== ord('_'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942f7, 8)== ord('_'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942f8, 8)== ord('_'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942f9, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942fa, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942fb, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942fc, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942fd, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942fe, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4942ff, 8)== ord('_'))
|
|
condition = Operators.AND(condition, cpu.XMM8 == 0x2020202020202020202020200a202020)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x494280)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x41b148)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PMINUB_3_symbolic(self):
|
|
''' Instruction PMINUB_3
|
|
Groups: sse2
|
|
0x457af6: pminub xmm0, xmm2
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457af8] = '\xda'
|
|
mem[0x457af9] = '\xc2'
|
|
mem[0x457af6] = 'f'
|
|
mem[0x457af7] = '\x0f'
|
|
cpu.XMM2 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM2 == 0x504e414d00323d524e54565f47445800)
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x32677261003167726100706d636e7274)
|
|
cpu.RIP = 0x457af6
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457af8, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457af9, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457af6, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457af7, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.XMM2 == 0x504e414d00323d524e54565f47445800)
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x324e414d00313d524e00565f47445800)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457afa)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PMINUB_4_symbolic(self):
|
|
''' Instruction PMINUB_4
|
|
Groups: sse2
|
|
0x41b13c: pminub xmm8, xmmword ptr [rax + 0x60]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0041b000, 0x1000, 'rwx')
|
|
mem.mmap(0x00494000, 0x1000, 'rwx')
|
|
mem[0x41b13c] = 'f'
|
|
mem[0x41b13d] = 'D'
|
|
mem[0x41b13e] = '\x0f'
|
|
mem[0x41b13f] = '\xda'
|
|
mem[0x41b140] = '@'
|
|
mem[0x41b141] = '`'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941e0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x68)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941e1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x65)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941e2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x63)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941e3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6b)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941e4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x65)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941e5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x64)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941e6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941e7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x62)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941e8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x79)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941e9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941ea)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x73)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941eb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x79)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941ec)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x73)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941ed)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x74)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941ee)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x65)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x4941ef)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6d)
|
|
mem[addr] = value
|
|
cpu.XMM8 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM8 == 0x632067676f6120736720720a646e6120)
|
|
cpu.RIP = 0x41b13c
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x494180)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b13c, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b13d, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b13e, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b13f, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b140, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41b141, 8)== ord('`'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941e0, 8)== ord('h'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941e1, 8)== ord('e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941e2, 8)== ord('c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941e3, 8)== ord('k'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941e4, 8)== ord('e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941e5, 8)== ord('d'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941e6, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941e7, 8)== ord('b'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941e8, 8)== ord('y'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941e9, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941ea, 8)== ord('s'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941eb, 8)== ord('y'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941ec, 8)== ord('s'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941ed, 8)== ord('t'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941ee, 8)== ord('e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4941ef, 8)== ord('m'))
|
|
condition = Operators.AND(condition, cpu.XMM8 == 0x632067676f6120736220640a64636120)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x494180)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x41b142)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PMINUB_5_symbolic(self):
|
|
''' Instruction PMINUB_5
|
|
Groups: sse2
|
|
0x457ee2: pminub xmm0, xmm5
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457ee2] = 'f'
|
|
mem[0x457ee3] = '\x0f'
|
|
mem[0x457ee4] = '\xda'
|
|
mem[0x457ee5] = '\xc5'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x4d00313d524e00565f472f2f00326763)
|
|
cpu.RIP = 0x457ee2
|
|
cpu.XMM5 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM5 == 0x65784563696c6f626d79532f65726f63)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ee2, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ee3, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ee4, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ee5, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x4d00313d524e00565f472f2f00326763)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457ee6)
|
|
condition = Operators.AND(condition, cpu.XMM5 == 0x65784563696c6f626d79532f65726f63)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PMINUB_6_symbolic(self):
|
|
''' Instruction PMINUB_6
|
|
Groups: sse2
|
|
0x7ffff7ab7abe: pminub xmm0, xmm4
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab7ac0] = '\xda'
|
|
mem[0x7ffff7ab7ac1] = '\xc4'
|
|
mem[0x7ffff7ab7abe] = 'f'
|
|
mem[0x7ffff7ab7abf] = '\x0f'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x324e414d00313d524e00565f474458)
|
|
cpu.RIP = 0x7ffff7ab7abe
|
|
cpu.XMM4 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM4 == 0x7274732f78756e696c2f73656c706d61)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7ac0, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7ac1, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7abe, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab7abf, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x324e2f4d00313d522f00565f474458)
|
|
condition = Operators.AND(condition, cpu.XMM4 == 0x7274732f78756e696c2f73656c706d61)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab7ac2)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PMOVMSKB_1_symbolic(self):
|
|
''' Instruction PMOVMSKB_1
|
|
Groups: sse2
|
|
0x4184f1: pmovmskb ecx, xmm11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x4184f1] = 'f'
|
|
mem[0x4184f2] = 'A'
|
|
mem[0x4184f3] = '\x0f'
|
|
mem[0x4184f4] = '\xd7'
|
|
mem[0x4184f5] = '\xcb'
|
|
cpu.XMM11 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM11 == 0x0)
|
|
cpu.RIP = 0x4184f1
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0x10e)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184f1, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184f2, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184f3, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184f4, 8)== ord('\xd7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184f5, 8)== ord('\xcb'))
|
|
condition = Operators.AND(condition, cpu.XMM11 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4184f6)
|
|
condition = Operators.AND(condition, cpu.ECX == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PMOVMSKB_2_symbolic(self):
|
|
''' Instruction PMOVMSKB_2
|
|
Groups: sse2
|
|
0x457d6e: pmovmskb r10d, xmm3
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457d70] = '\x0f'
|
|
mem[0x457d71] = '\xd7'
|
|
mem[0x457d72] = '\xd3'
|
|
mem[0x457d6e] = 'f'
|
|
mem[0x457d6f] = 'D'
|
|
cpu.XMM3 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM3 == 0xff00000000ff0000000000000000)
|
|
cpu.RIP = 0x457d6e
|
|
cpu.R10D = cs.new_bitvec(32)
|
|
cs.add(cpu.R10D == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457d70, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457d71, 8)== ord('\xd7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457d72, 8)== ord('\xd3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457d6e, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457d6f, 8)== ord('D'))
|
|
condition = Operators.AND(condition, cpu.XMM3 == 0xff00000000ff0000000000000000)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457d73)
|
|
condition = Operators.AND(condition, cpu.R10D == 0x2100)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PMOVMSKB_3_symbolic(self):
|
|
''' Instruction PMOVMSKB_3
|
|
Groups: sse2
|
|
0x457ddd: pmovmskb edx, xmm3
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457de0] = '\xd3'
|
|
mem[0x457ddd] = 'f'
|
|
mem[0x457dde] = '\x0f'
|
|
mem[0x457ddf] = '\xd7'
|
|
cpu.XMM3 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM3 == 0x0)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0xffffdcc8)
|
|
cpu.RIP = 0x457ddd
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457de0, 8)== ord('\xd3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ddd, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457dde, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457ddf, 8)== ord('\xd7'))
|
|
condition = Operators.AND(condition, cpu.XMM3 == 0x0)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457de1)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PMOVMSKB_4_symbolic(self):
|
|
''' Instruction PMOVMSKB_4
|
|
Groups: sse2
|
|
0x7ffff7ab5ce1: pmovmskb ecx, xmm11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab5ce1] = 'f'
|
|
mem[0x7ffff7ab5ce2] = 'A'
|
|
mem[0x7ffff7ab5ce3] = '\x0f'
|
|
mem[0x7ffff7ab5ce4] = '\xd7'
|
|
mem[0x7ffff7ab5ce5] = '\xcb'
|
|
cpu.XMM11 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM11 == 0xffffff0000000000ffffff0000000000)
|
|
cpu.RIP = 0x7ffff7ab5ce1
|
|
cpu.ECX = cs.new_bitvec(32)
|
|
cs.add(cpu.ECX == 0xa00)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5ce1, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5ce2, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5ce3, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5ce4, 8)== ord('\xd7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab5ce5, 8)== ord('\xcb'))
|
|
condition = Operators.AND(condition, cpu.XMM11 == 0xffffff0000000000ffffff0000000000)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab5ce6)
|
|
condition = Operators.AND(condition, cpu.ECX == 0xe0e0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PMOVMSKB_5_symbolic(self):
|
|
''' Instruction PMOVMSKB_5
|
|
Groups: sse2
|
|
0x4184e7: pmovmskb edx, xmm9
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x4184e8] = 'A'
|
|
mem[0x4184e9] = '\x0f'
|
|
mem[0x4184ea] = '\xd7'
|
|
mem[0x4184eb] = '\xd1'
|
|
mem[0x4184e7] = 'f'
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x0)
|
|
cpu.XMM9 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM9 == 0xff00000000000000000000000000)
|
|
cpu.RIP = 0x4184e7
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184e8, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184e9, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184ea, 8)== ord('\xd7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184eb, 8)== ord('\xd1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184e7, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.EDX == 0x2000)
|
|
condition = Operators.AND(condition, cpu.XMM9 == 0xff00000000000000000000000000)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4184ec)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PMOVMSKB_6_symbolic(self):
|
|
''' Instruction PMOVMSKB_6
|
|
Groups: sse2
|
|
0x4184c4: pmovmskb edx, xmm12
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x4184c8] = '\xd4'
|
|
mem[0x4184c4] = 'f'
|
|
mem[0x4184c5] = 'A'
|
|
mem[0x4184c6] = '\x0f'
|
|
mem[0x4184c7] = '\xd7'
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x100)
|
|
cpu.XMM12 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM12 == 0x0)
|
|
cpu.RIP = 0x4184c4
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184c8, 8)== ord('\xd4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184c4, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184c5, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184c6, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184c7, 8)== ord('\xd7'))
|
|
condition = Operators.AND(condition, cpu.EDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.XMM12 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4184c9)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_POP_1_symbolic(self):
|
|
''' Instruction POP_1
|
|
Groups: mode64
|
|
0x7ffff7de3b0b: pop rbp
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd880)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xb0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd881)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xd9)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd882)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd883)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd884)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd885)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd886)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd887)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd888)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de3b0b] = ']'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd878)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x70)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd879)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xda)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd87f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd880)
|
|
cpu.RIP = 0x7ffff7de3b0b
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffd880)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd880, 8)== ord('\xb0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd881, 8)== ord('\xd9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd882, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd883, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd884, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd885, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd886, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd887, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd888, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3b0b, 8)== ord(']'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd878, 8)== ord('p'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd879, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87a, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87b, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd87f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd888)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3b0c)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd9b0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_POP_2_symbolic(self):
|
|
''' Instruction POP_2
|
|
Groups: mode64
|
|
0x7ffff7dea3ad: pop r14
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7dea000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda08)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda09)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda0a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda0b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda0c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7dea3ad] = 'A'
|
|
mem[0x7ffff7dea3ae] = '^'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda0d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda10)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x30)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda11)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xda)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda12)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda13)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda14)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda0e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda16)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda17)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda18)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x60)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda0f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda15)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
cpu.R14 = cs.new_bitvec(64)
|
|
cs.add(cpu.R14 == 0x4)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffda10)
|
|
cpu.RIP = 0x7ffff7dea3ad
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffda20)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dea3ae, 8)== ord('^'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda08, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda09, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda0f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda10, 8)== ord('0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda11, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda12, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda13, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda14, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda15, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda16, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda17, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda18, 8)== ord('`'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7dea3ad, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.R14 == 0x7fffffffda30)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffda18)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7dea3af)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffda20)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_POP_3_symbolic(self):
|
|
''' Instruction POP_3
|
|
Groups: mode64
|
|
0x4624e4: pop r12
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00462000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb00)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x48)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb01)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xd4)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb02)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6b)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb03)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x4624e4] = 'A'
|
|
mem[0x4624e5] = '\\'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb06)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb07)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb08)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xb8)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaff)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x3)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb04)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdafa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdafb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdafc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdafd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdafe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb05)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffdb00)
|
|
cpu.R12 = cs.new_bitvec(64)
|
|
cs.add(cpu.R12 == 0x1)
|
|
cpu.RIP = 0x4624e4
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffdb20)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb00, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb01, 8)== ord('\xd4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb02, 8)== ord('k'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb03, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb04, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb05, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb06, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb07, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb08, 8)== ord('\xb8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaff, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf8, 8)== ord('\x03'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4624e4, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafa, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdafe, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4624e5, 8)== ord('\\'))
|
|
condition = Operators.AND(condition, cpu.R12 == 0x6bd448)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffdb08)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4624e6)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdb20)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_POP_4_symbolic(self):
|
|
''' Instruction POP_4
|
|
Groups: mode64
|
|
0x6ff233: pop rdx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x006ff000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccaa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccab)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccac)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccad)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccae)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccaf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
mem[0x6ff233] = 'Z'
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffcca8)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x80000001)
|
|
cpu.RIP = 0x6ff233
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca8, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaa, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccab, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccac, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccad, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccae, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6ff233, 8)== ord('Z'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x1)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x6ff234)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_POP_5_symbolic(self):
|
|
''' Instruction POP_5
|
|
Groups: mode64
|
|
0x632f8a: pop rdx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00632000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x632f8a] = 'Z'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccab)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccac)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccad)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccae)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccaf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccaa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffcca8)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x7f)
|
|
cpu.RIP = 0x632f8a
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x632f8a, 8)== ord('Z'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccab, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccac, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccad, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccae, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaa, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x80000000)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x632f8b)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_POP_6_symbolic(self):
|
|
''' Instruction POP_6
|
|
Groups: mode64
|
|
0x737db3: pop rdx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00737000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccaa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccab)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccac)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccad)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccae)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccaf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
mem[0x737db3] = 'Z'
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffcca8)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x40)
|
|
cpu.RIP = 0x737db3
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca9, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaa, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccab, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccac, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccad, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccae, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x737db3, 8)== ord('Z'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RDX == 0xff00)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x737db4)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_POR_1_symbolic(self):
|
|
''' Instruction POR_1
|
|
Groups: sse2
|
|
0x7ffff7df43a7: por xmm0, xmm4
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df43a8] = '\x0f'
|
|
mem[0x7ffff7df43a9] = '\xeb'
|
|
mem[0x7ffff7df43aa] = '\xc4'
|
|
mem[0x7ffff7df43a7] = 'f'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.RIP = 0x7ffff7df43a7
|
|
cpu.XMM4 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM4 == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a8, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a9, 8)== ord('\xeb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43aa, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a7, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.XMM4 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df43ab)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_POR_2_symbolic(self):
|
|
''' Instruction POR_2
|
|
Groups: sse2
|
|
0x7ffff7df43a7: por xmm0, xmm4
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df43a8] = '\x0f'
|
|
mem[0x7ffff7df43a9] = '\xeb'
|
|
mem[0x7ffff7df43aa] = '\xc4'
|
|
mem[0x7ffff7df43a7] = 'f'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.RIP = 0x7ffff7df43a7
|
|
cpu.XMM4 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM4 == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a8, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a9, 8)== ord('\xeb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43aa, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a7, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.XMM4 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df43ab)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_POR_3_symbolic(self):
|
|
''' Instruction POR_3
|
|
Groups: sse2
|
|
0x7ffff7df43a7: por xmm0, xmm4
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df43a8] = '\x0f'
|
|
mem[0x7ffff7df43a9] = '\xeb'
|
|
mem[0x7ffff7df43aa] = '\xc4'
|
|
mem[0x7ffff7df43a7] = 'f'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.RIP = 0x7ffff7df43a7
|
|
cpu.XMM4 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM4 == 0xff00000000ff000000000000000000)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a8, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a9, 8)== ord('\xeb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43aa, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a7, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0xff00000000ff000000000000000000)
|
|
condition = Operators.AND(condition, cpu.XMM4 == 0xff00000000ff000000000000000000)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df43ab)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_POR_4_symbolic(self):
|
|
''' Instruction POR_4
|
|
Groups: sse2
|
|
0x7ffff7df43a7: por xmm0, xmm4
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df43a8] = '\x0f'
|
|
mem[0x7ffff7df43a9] = '\xeb'
|
|
mem[0x7ffff7df43aa] = '\xc4'
|
|
mem[0x7ffff7df43a7] = 'f'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.RIP = 0x7ffff7df43a7
|
|
cpu.XMM4 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM4 == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a8, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a9, 8)== ord('\xeb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43aa, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df43a7, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.XMM4 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df43ab)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_POR_5_symbolic(self):
|
|
''' Instruction POR_5
|
|
Groups: sse2
|
|
0x7ffff7df4412: por xmm0, xmm3
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4412] = 'f'
|
|
mem[0x7ffff7df4413] = '\x0f'
|
|
mem[0x7ffff7df4414] = '\xeb'
|
|
mem[0x7ffff7df4415] = '\xc3'
|
|
cpu.XMM3 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM3 == 0xff000000000000)
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.RIP = 0x7ffff7df4412
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4412, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4413, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4414, 8)== ord('\xeb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4415, 8)== ord('\xc3'))
|
|
condition = Operators.AND(condition, cpu.XMM3 == 0xff000000000000)
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0xff000000000000)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4416)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_POR_6_symbolic(self):
|
|
''' Instruction POR_6
|
|
Groups: sse2
|
|
0x7ffff7ac0b17: por xmm0, xmm4
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0b18] = '\x0f'
|
|
mem[0x7ffff7ac0b19] = '\xeb'
|
|
mem[0x7ffff7ac0b1a] = '\xc4'
|
|
mem[0x7ffff7ac0b17] = 'f'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.RIP = 0x7ffff7ac0b17
|
|
cpu.XMM4 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM4 == 0xffffff000000ff)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b18, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b19, 8)== ord('\xeb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b1a, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0b17, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0xffffff000000ff)
|
|
condition = Operators.AND(condition, cpu.XMM4 == 0xffffff000000ff)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0b1b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PSHUFD_1_symbolic(self):
|
|
''' Instruction PSHUFD_1
|
|
Groups: sse2
|
|
0x7ffff7ac0af8: pshufd xmm1, xmm1, 0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0af8] = 'f'
|
|
mem[0x7ffff7ac0af9] = '\x0f'
|
|
mem[0x7ffff7ac0afa] = 'p'
|
|
mem[0x7ffff7ac0afb] = '\xc9'
|
|
mem[0x7ffff7ac0afc] = '\x00'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x25252525)
|
|
cpu.RIP = 0x7ffff7ac0af8
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af8, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af9, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0afa, 8)== ord('p'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0afb, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0afc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x25252525252525252525252525252525)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0afd)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PSHUFD_2_symbolic(self):
|
|
''' Instruction PSHUFD_2
|
|
Groups: sse2
|
|
0x7ffff7ac0af8: pshufd xmm1, xmm1, 0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0af8] = 'f'
|
|
mem[0x7ffff7ac0af9] = '\x0f'
|
|
mem[0x7ffff7ac0afa] = 'p'
|
|
mem[0x7ffff7ac0afb] = '\xc9'
|
|
mem[0x7ffff7ac0afc] = '\x00'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x25252525)
|
|
cpu.RIP = 0x7ffff7ac0af8
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af8, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af9, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0afa, 8)== ord('p'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0afb, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0afc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x25252525252525252525252525252525)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0afd)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PSHUFD_3_symbolic(self):
|
|
''' Instruction PSHUFD_3
|
|
Groups: sse2
|
|
0x7ffff7df4388: pshufd xmm1, xmm1, 0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4388] = 'f'
|
|
mem[0x7ffff7df4389] = '\x0f'
|
|
mem[0x7ffff7df438a] = 'p'
|
|
mem[0x7ffff7df438b] = '\xc9'
|
|
mem[0x7ffff7df438c] = '\x00'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x24242424)
|
|
cpu.RIP = 0x7ffff7df4388
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4388, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4389, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df438a, 8)== ord('p'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df438b, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df438c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x24242424242424242424242424242424)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df438d)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PSHUFD_4_symbolic(self):
|
|
''' Instruction PSHUFD_4
|
|
Groups: sse2
|
|
0x7ffff7ab799a: pshufd xmm1, xmm1, 0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab799a] = 'f'
|
|
mem[0x7ffff7ab799b] = '\x0f'
|
|
mem[0x7ffff7ab799c] = 'p'
|
|
mem[0x7ffff7ab799d] = '\xc9'
|
|
mem[0x7ffff7ab799e] = '\x00'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x2f2f2f2f)
|
|
cpu.RIP = 0x7ffff7ab799a
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799a, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799b, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799c, 8)== ord('p'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799d, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab799f)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PSHUFD_5_symbolic(self):
|
|
''' Instruction PSHUFD_5
|
|
Groups: sse2
|
|
0x7ffff7df4388: pshufd xmm1, xmm1, 0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4388] = 'f'
|
|
mem[0x7ffff7df4389] = '\x0f'
|
|
mem[0x7ffff7df438a] = 'p'
|
|
mem[0x7ffff7df438b] = '\xc9'
|
|
mem[0x7ffff7df438c] = '\x00'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x24242424)
|
|
cpu.RIP = 0x7ffff7df4388
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4388, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4389, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df438a, 8)== ord('p'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df438b, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df438c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x24242424242424242424242424242424)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df438d)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PSHUFD_6_symbolic(self):
|
|
''' Instruction PSHUFD_6
|
|
Groups: sse2
|
|
0x7ffff7ab799a: pshufd xmm1, xmm1, 0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ab7000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ab799a] = 'f'
|
|
mem[0x7ffff7ab799b] = '\x0f'
|
|
mem[0x7ffff7ab799c] = 'p'
|
|
mem[0x7ffff7ab799d] = '\xc9'
|
|
mem[0x7ffff7ab799e] = '\x00'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x2f2f2f2f)
|
|
cpu.RIP = 0x7ffff7ab799a
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799a, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799b, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799c, 8)== ord('p'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799d, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ab799e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f2f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ab799f)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUNPCKLBW_1_symbolic(self):
|
|
''' Instruction PUNPCKLBW_1
|
|
Groups: sse2
|
|
0x7ffff7df437b: punpcklbw xmm1, xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df437b] = 'f'
|
|
mem[0x7ffff7df437c] = '\x0f'
|
|
mem[0x7ffff7df437d] = '`'
|
|
mem[0x7ffff7df437e] = '\xc9'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x24)
|
|
cpu.RIP = 0x7ffff7df437b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437b, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437c, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437d, 8)== ord('`'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437e, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2424)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df437f)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUNPCKLBW_2_symbolic(self):
|
|
''' Instruction PUNPCKLBW_2
|
|
Groups: sse2
|
|
0x7ffff7ac0aeb: punpcklbw xmm1, xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0aeb] = 'f'
|
|
mem[0x7ffff7ac0aec] = '\x0f'
|
|
mem[0x7ffff7ac0aed] = '`'
|
|
mem[0x7ffff7ac0aee] = '\xc9'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x25)
|
|
cpu.RIP = 0x7ffff7ac0aeb
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aeb, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aec, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aed, 8)== ord('`'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aee, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2525)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0aef)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUNPCKLBW_3_symbolic(self):
|
|
''' Instruction PUNPCKLBW_3
|
|
Groups: sse2
|
|
0x7ffff7ac0aeb: punpcklbw xmm1, xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0aeb] = 'f'
|
|
mem[0x7ffff7ac0aec] = '\x0f'
|
|
mem[0x7ffff7ac0aed] = '`'
|
|
mem[0x7ffff7ac0aee] = '\xc9'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x25)
|
|
cpu.RIP = 0x7ffff7ac0aeb
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aeb, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aec, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aed, 8)== ord('`'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0aee, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2525)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0aef)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUNPCKLBW_4_symbolic(self):
|
|
''' Instruction PUNPCKLBW_4
|
|
Groups: sse2
|
|
0x4579cc: punpcklbw xmm1, xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x4579cc] = 'f'
|
|
mem[0x4579cd] = '\x0f'
|
|
mem[0x4579ce] = '`'
|
|
mem[0x4579cf] = '\xc9'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x2f)
|
|
cpu.RIP = 0x4579cc
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4579cc, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4579cd, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4579ce, 8)== ord('`'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4579cf, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4579d0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUNPCKLBW_5_symbolic(self):
|
|
''' Instruction PUNPCKLBW_5
|
|
Groups: sse2
|
|
0x45794c: punpcklbw xmm1, xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x45794c] = 'f'
|
|
mem[0x45794d] = '\x0f'
|
|
mem[0x45794e] = '`'
|
|
mem[0x45794f] = '\xc9'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x2f)
|
|
cpu.RIP = 0x45794c
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x45794c, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45794d, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45794e, 8)== ord('`'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45794f, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457950)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUNPCKLBW_6_symbolic(self):
|
|
''' Instruction PUNPCKLBW_6
|
|
Groups: sse2
|
|
0x7ffff7df437b: punpcklbw xmm1, xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df437b] = 'f'
|
|
mem[0x7ffff7df437c] = '\x0f'
|
|
mem[0x7ffff7df437d] = '`'
|
|
mem[0x7ffff7df437e] = '\xc9'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x24)
|
|
cpu.RIP = 0x7ffff7df437b
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437b, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437c, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437d, 8)== ord('`'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df437e, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2424)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df437f)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUNPCKLWD_1_symbolic(self):
|
|
''' Instruction PUNPCKLWD_1
|
|
Groups: sse2
|
|
0x457a46: punpcklwd xmm1, xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00457000, 0x1000, 'rwx')
|
|
mem[0x457a48] = 'a'
|
|
mem[0x457a49] = '\xc9'
|
|
mem[0x457a46] = 'f'
|
|
mem[0x457a47] = '\x0f'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x2f2f)
|
|
cpu.RIP = 0x457a46
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x457a48, 8)== ord('a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457a49, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457a46, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x457a47, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f2f2f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457a4a)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUNPCKLWD_2_symbolic(self):
|
|
''' Instruction PUNPCKLWD_2
|
|
Groups: sse2
|
|
0x421b24: punpcklwd xmm1, xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00421000, 0x1000, 'rwx')
|
|
mem[0x421b24] = 'f'
|
|
mem[0x421b25] = '\x0f'
|
|
mem[0x421b26] = 'a'
|
|
mem[0x421b27] = '\xc9'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x2525)
|
|
cpu.RIP = 0x421b24
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x421b24, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x421b25, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x421b26, 8)== ord('a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x421b27, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x25252525)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x421b28)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUNPCKLWD_3_symbolic(self):
|
|
''' Instruction PUNPCKLWD_3
|
|
Groups: sse2
|
|
0x7ffff7df4384: punpcklwd xmm1, xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4384] = 'f'
|
|
mem[0x7ffff7df4385] = '\x0f'
|
|
mem[0x7ffff7df4386] = 'a'
|
|
mem[0x7ffff7df4387] = '\xc9'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x2424)
|
|
cpu.RIP = 0x7ffff7df4384
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4384, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4385, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4386, 8)== ord('a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4387, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x24242424)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4388)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUNPCKLWD_4_symbolic(self):
|
|
''' Instruction PUNPCKLWD_4
|
|
Groups: sse2
|
|
0x7ffff7df4384: punpcklwd xmm1, xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4384] = 'f'
|
|
mem[0x7ffff7df4385] = '\x0f'
|
|
mem[0x7ffff7df4386] = 'a'
|
|
mem[0x7ffff7df4387] = '\xc9'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x2424)
|
|
cpu.RIP = 0x7ffff7df4384
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4384, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4385, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4386, 8)== ord('a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4387, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x24242424)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4388)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUNPCKLWD_5_symbolic(self):
|
|
''' Instruction PUNPCKLWD_5
|
|
Groups: sse2
|
|
0x45a576: punpcklwd xmm1, xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0045a000, 0x1000, 'rwx')
|
|
mem[0x45a578] = 'a'
|
|
mem[0x45a579] = '\xc9'
|
|
mem[0x45a576] = 'f'
|
|
mem[0x45a577] = '\x0f'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x2f2f)
|
|
cpu.RIP = 0x45a576
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x45a578, 8)== ord('a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45a579, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45a576, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x45a577, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x2f2f2f2f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x45a57a)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUNPCKLWD_6_symbolic(self):
|
|
''' Instruction PUNPCKLWD_6
|
|
Groups: sse2
|
|
0x7ffff7ac0af4: punpcklwd xmm1, xmm1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ac0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ac0af4] = 'f'
|
|
mem[0x7ffff7ac0af5] = '\x0f'
|
|
mem[0x7ffff7ac0af6] = 'a'
|
|
mem[0x7ffff7ac0af7] = '\xc9'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x2525)
|
|
cpu.RIP = 0x7ffff7ac0af4
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af4, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af5, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af6, 8)== ord('a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ac0af7, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x25252525)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ac0af8)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUSH_1_symbolic(self):
|
|
''' Instruction PUSH_1
|
|
Groups: mode64
|
|
0x7ffff7de407a: push r12
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd7a0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x34)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de407b] = 'T'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd79a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd790)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x58)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd791)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x76)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd792)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd793)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd794)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd795)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd796)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd797)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd798)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x38)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd799)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xd8)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de407a] = 'A'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd79b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd79c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd79d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd79e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd79f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd798)
|
|
cpu.R12 = cs.new_bitvec(64)
|
|
cs.add(cpu.R12 == 0x7ffff7ff7658)
|
|
cpu.RIP = 0x7ffff7de407a
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffd870)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd7a0, 8)== ord('4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de407b, 8)== ord('T'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de407a, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd790, 8)== ord('X'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd791, 8)== ord('v'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd792, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd793, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd794, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd795, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd796, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd797, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd798, 8)== ord('8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd799, 8)== ord('\xd8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd79a, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd79b, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd79c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd79d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd79e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd79f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.R12 == 0x7ffff7ff7658)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd790)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de407c)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd870)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUSH_2_symbolic(self):
|
|
''' Instruction PUSH_2
|
|
Groups: mode64
|
|
0x722546: push 0xff00
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00722000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccaa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccab)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccac)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccad)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccae)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccaf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xfe)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xfe)
|
|
mem[addr] = value
|
|
mem[0x722546] = 'h'
|
|
mem[0x722547] = '\x00'
|
|
mem[0x722548] = '\xff'
|
|
mem[0x722549] = '\x00'
|
|
mem[0x72254a] = '\x00'
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x722546
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca9, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaa, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccab, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccac, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccad, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccae, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xfe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\xfe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x722546, 8)== ord('h'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x722547, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x722548, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x722549, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x72254a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffcca8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x72254b)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUSH_3_symbolic(self):
|
|
''' Instruction PUSH_3
|
|
Groups: mode64
|
|
0x744c3e: push 0xf00aabb
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00744000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xbb)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xaa)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccaa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccab)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccac)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccad)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccae)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccaf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x21)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x43)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x65)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x87)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
mem[0x744c3e] = 'h'
|
|
mem[0x744c3f] = '\xbb'
|
|
mem[0x744c40] = '\xaa'
|
|
mem[0x744c41] = '\x00'
|
|
mem[0x744c42] = '\x0f'
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x744c3e
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca8, 8)== ord('\xbb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca9, 8)== ord('\xaa'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaa, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccab, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccac, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccad, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccae, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('!'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('C'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x87'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x744c3e, 8)== ord('h'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x744c3f, 8)== ord('\xbb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x744c40, 8)== ord('\xaa'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x744c41, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x744c42, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffcca8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x744c43)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUSH_4_symbolic(self):
|
|
''' Instruction PUSH_4
|
|
Groups: mode64
|
|
0x6651fa: push rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00665000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccaa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccab)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccac)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccad)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccae)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccaf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x21)
|
|
mem[addr] = value
|
|
mem[0x6651fa] = 'P'
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x6651fa
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x7f)
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca8, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaa, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccab, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccac, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccad, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccae, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('!'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x6651fa, 8)== ord('P'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffcca8)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7f)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x6651fb)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUSH_5_symbolic(self):
|
|
''' Instruction PUSH_5
|
|
Groups: mode64
|
|
0x7ffff7de4330: push rbp
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda40)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de4330] = 'U'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda30)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x70)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda31)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xdb)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda32)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda33)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda34)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda35)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda36)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda37)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda38)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x94)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda39)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x62)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda3a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xde)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda3b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda3c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda3d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda3e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda3f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffda38)
|
|
cpu.RIP = 0x7ffff7de4330
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffdb70)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda40, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda30, 8)== ord('p'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4330, 8)== ord('U'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda31, 8)== ord('\xdb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda32, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda33, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda34, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda35, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda36, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda37, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda38, 8)== ord('\x94'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda39, 8)== ord('b'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda3a, 8)== ord('\xde'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda3b, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda3c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda3d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda3e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda3f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffda30)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4331)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdb70)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PUSH_6_symbolic(self):
|
|
''' Instruction PUSH_6
|
|
Groups: mode64
|
|
0x75c167: push 0xf00aabb
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0075c000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xbb)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffcca9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xaa)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccaa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccab)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccac)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccad)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccae)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccaf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xfe)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x78)
|
|
mem[addr] = value
|
|
mem[0x75c167] = 'h'
|
|
mem[0x75c168] = '\xbb'
|
|
mem[0x75c169] = '\xaa'
|
|
mem[0x75c16a] = '\x00'
|
|
mem[0x75c16b] = '\x0f'
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x75c167
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca8, 8)== ord('\xbb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffcca9, 8)== ord('\xaa'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaa, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccab, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccac, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccad, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccae, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccaf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xfe'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('x'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x75c167, 8)== ord('h'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x75c168, 8)== ord('\xbb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x75c169, 8)== ord('\xaa'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x75c16a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x75c16b, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffcca8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x75c16c)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PXOR_1_symbolic(self):
|
|
''' Instruction PXOR_1
|
|
Groups: sse2
|
|
0x418490: pxor xmm8, xmm8
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x418490] = 'f'
|
|
mem[0x418491] = 'E'
|
|
mem[0x418492] = '\x0f'
|
|
mem[0x418493] = '\xef'
|
|
mem[0x418494] = '\xc0'
|
|
cpu.XMM8 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM8 == 0x0)
|
|
cpu.RIP = 0x418490
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x418490, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418491, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418492, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418493, 8)== ord('\xef'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418494, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.XMM8 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x418495)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PXOR_2_symbolic(self):
|
|
''' Instruction PXOR_2
|
|
Groups: sse2
|
|
0x41848f: pxor xmm11, xmm11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x418490] = 'E'
|
|
mem[0x418491] = '\x0f'
|
|
mem[0x418492] = '\xef'
|
|
mem[0x418493] = '\xdb'
|
|
mem[0x41848f] = 'f'
|
|
cpu.XMM11 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM11 == 0x0)
|
|
cpu.RIP = 0x41848f
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x418490, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418491, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418492, 8)== ord('\xef'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418493, 8)== ord('\xdb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x41848f, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.XMM11 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x418494)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PXOR_3_symbolic(self):
|
|
''' Instruction PXOR_3
|
|
Groups: sse2
|
|
0x4184bf: pxor xmm11, xmm11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x4184c0] = 'E'
|
|
mem[0x4184c1] = '\x0f'
|
|
mem[0x4184c2] = '\xef'
|
|
mem[0x4184c3] = '\xdb'
|
|
mem[0x4184bf] = 'f'
|
|
cpu.XMM11 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM11 == 0x0)
|
|
cpu.RIP = 0x4184bf
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184c0, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184c1, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184c2, 8)== ord('\xef'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184c3, 8)== ord('\xdb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4184bf, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.XMM11 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4184c4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PXOR_4_symbolic(self):
|
|
''' Instruction PXOR_4
|
|
Groups: sse2
|
|
0x418480: pxor xmm8, xmm8
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x418480] = 'f'
|
|
mem[0x418481] = 'E'
|
|
mem[0x418482] = '\x0f'
|
|
mem[0x418483] = '\xef'
|
|
mem[0x418484] = '\xc0'
|
|
cpu.XMM8 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM8 == 0x0)
|
|
cpu.RIP = 0x418480
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x418480, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418481, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418482, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418483, 8)== ord('\xef'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418484, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.XMM8 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x418485)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PXOR_5_symbolic(self):
|
|
''' Instruction PXOR_5
|
|
Groups: sse2
|
|
0x4183b5: pxor xmm9, xmm9
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x4183b8] = '\xef'
|
|
mem[0x4183b9] = '\xc9'
|
|
mem[0x4183b5] = 'f'
|
|
mem[0x4183b6] = 'E'
|
|
mem[0x4183b7] = '\x0f'
|
|
cpu.XMM9 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM9 == 0x0)
|
|
cpu.RIP = 0x4183b5
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4183b8, 8)== ord('\xef'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4183b9, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4183b5, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4183b6, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4183b7, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.XMM9 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4183ba)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_PXOR_6_symbolic(self):
|
|
''' Instruction PXOR_6
|
|
Groups: sse2
|
|
0x418495: pxor xmm9, xmm9
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00418000, 0x1000, 'rwx')
|
|
mem[0x418498] = '\xef'
|
|
mem[0x418499] = '\xc9'
|
|
mem[0x418495] = 'f'
|
|
mem[0x418496] = 'E'
|
|
mem[0x418497] = '\x0f'
|
|
cpu.XMM9 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM9 == 0x0)
|
|
cpu.RIP = 0x418495
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x418498, 8)== ord('\xef'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418499, 8)== ord('\xc9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418495, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418496, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x418497, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.XMM9 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x41849a)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_RET_1_symbolic(self):
|
|
''' Instruction RET_1
|
|
Groups: ret, mode64
|
|
0x7ffff7de3748: ret
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd780)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x5d)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de3748] = '\xc3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd770)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x70)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd771)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xd8)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd772)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd773)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd774)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd775)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd776)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd777)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd778)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xab)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd779)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd77a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xde)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd77b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd77c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd77d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd77e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd77f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd778)
|
|
cpu.RIP = 0x7ffff7de3748
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffd870)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd780, 8)== ord(']'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3748, 8)== ord('\xc3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd770, 8)== ord('p'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd771, 8)== ord('\xd8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd772, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd773, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd774, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd775, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd776, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd777, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd778, 8)== ord('\xab'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd779, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd77a, 8)== ord('\xde'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd77b, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd77c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd77d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd77e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd77f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd780)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de40ab)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd870)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_RET_2_symbolic(self):
|
|
''' Instruction RET_2
|
|
Groups: ret, mode64
|
|
0x7ffff7df537f: ret
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df5000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd840)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7df537f] = '\xc3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd830)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x3)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd831)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd832)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd833)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd834)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd835)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd836)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd837)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd838)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xdb)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd839)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd83a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xde)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd83b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd83c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd83d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd83e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd83f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd838)
|
|
cpu.RIP = 0x7ffff7df537f
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffdae0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd840, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd83f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd830, 8)== ord('\x03'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd831, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd832, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd833, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd834, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd835, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd836, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd837, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd838, 8)== ord('\xdb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd839, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd83a, 8)== ord('\xde'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd83b, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd83c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd83d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd83e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df537f, 8)== ord('\xc3'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd840)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de7fdb)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdae0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_RET_3_symbolic(self):
|
|
''' Instruction RET_3
|
|
Groups: ret, mode64
|
|
0x406e67: ret
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb20)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x70)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb21)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xdb)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb22)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb23)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb24)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb25)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb26)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x406e67] = '\xc3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb28)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4e)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb29)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb2a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x43)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb27)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb2c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb2d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb2e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb2f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb30)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x40)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb2b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffdb28)
|
|
cpu.RIP = 0x406e67
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffdb70)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb20, 8)== ord('p'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb21, 8)== ord('\xdb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb22, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb23, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb24, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb25, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb26, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406e67, 8)== ord('\xc3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb28, 8)== ord('N'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb29, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2a, 8)== ord('C'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb2f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb30, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb27, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffdb30)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x436f4e)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdb70)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_RET_4_symbolic(self):
|
|
''' Instruction RET_4
|
|
Groups: ret, mode64
|
|
0x7ffff7de2af3: ret
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de2000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd700)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd701)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xd7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd702)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd703)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd704)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd705)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd706)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd707)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd708)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x29)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd709)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x75)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd70a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xde)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd70b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd70c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd70d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd70e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd70f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd710)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xb0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de2af3] = '\xc3'
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd708)
|
|
cpu.RIP = 0x7ffff7de2af3
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffd720)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd700, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd701, 8)== ord('\xd7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd702, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd703, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd704, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd705, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd706, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd707, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd708, 8)== ord(')'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd709, 8)== ord('u'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd70a, 8)== ord('\xde'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd70b, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd70c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd70d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd70e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd70f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd710, 8)== ord('\xb0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de2af3, 8)== ord('\xc3'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd710)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de7529)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffd720)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_RET_5_symbolic(self):
|
|
''' Instruction RET_5
|
|
Groups: ret, mode64
|
|
0x4118a1: ret
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00411000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdae0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x4118a1] = '\xc3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdae2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdae3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdae4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdae5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdae6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdae1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xdb)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdae8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1c)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdae9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x36)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaea)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x41)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdae7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaec)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaed)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaee)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaef)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x2)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaeb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffdae8)
|
|
cpu.RIP = 0x4118a1
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffdb00)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae1, 8)== ord('\xdb'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4118a1, 8)== ord('\xc3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae8, 8)== ord('\x1c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae9, 8)== ord('6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaea, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdae7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaec, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaed, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaee, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaef, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf0, 8)== ord('\x02'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaeb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffdaf0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x41361c)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdb00)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_RET_6_symbolic(self):
|
|
''' Instruction RET_6
|
|
Groups: ret, mode64
|
|
0x40fc8d: ret
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040f000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda00)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6)
|
|
mem[addr] = value
|
|
mem[0x40fc8d] = '\xc3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9f0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xb0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9f1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xda)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9f2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9f3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9f4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9f5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9f6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9f7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9f8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xee)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9f9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7d)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9fa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x45)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9fb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9fc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9fd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9fe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffd9ff)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd9f8)
|
|
cpu.RIP = 0x40fc8d
|
|
cpu.RBP = cs.new_bitvec(64)
|
|
cs.add(cpu.RBP == 0x7fffffffdab0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda00, 8)== ord('\x06'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40fc8d, 8)== ord('\xc3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f0, 8)== ord('\xb0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f1, 8)== ord('\xda'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f8, 8)== ord('\xee'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9f9, 8)== ord('}'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9fa, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9fb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9fc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9fd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9fe, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffd9ff, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffda00)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x457dee)
|
|
condition = Operators.AND(condition, cpu.RBP == 0x7fffffffdab0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ROL_1_symbolic(self):
|
|
''' Instruction ROL_1
|
|
Groups:
|
|
0x44272a: rol rax, 0x11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00442000, 0x1000, 'rwx')
|
|
mem[0x44272a] = 'H'
|
|
mem[0x44272b] = '\xc1'
|
|
mem[0x44272c] = '\xc0'
|
|
mem[0x44272d] = '\x11'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RIP = 0x44272a
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x69fd1b8f25bea73)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x44272a, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x44272b, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x44272c, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x44272d, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0xa371e4b7d4e60d3f)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x44272e)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ROL_2_symbolic(self):
|
|
''' Instruction ROL_2
|
|
Groups:
|
|
0x7ffff7df408d: rol rax, 0x11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df4090] = '\x11'
|
|
mem[0x7ffff7df408d] = 'H'
|
|
mem[0x7ffff7df408e] = '\xc1'
|
|
mem[0x7ffff7df408f] = '\xc0'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RIP = 0x7ffff7df408d
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x7fffffffd9b0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df4090, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df408d, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df408e, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df408f, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0xffffffffb3600000)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df4091)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ROL_3_symbolic(self):
|
|
''' Instruction ROL_3
|
|
Groups:
|
|
0x409c7a: rol rdi, 0x11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00409000, 0x1000, 'rwx')
|
|
mem[0x409c7a] = 'H'
|
|
mem[0x409c7b] = '\xc1'
|
|
mem[0x409c7c] = '\xc7'
|
|
mem[0x409c7d] = '\x11'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x4fb19f79d00a9c7e)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x409c7a
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x409c7a, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x409c7b, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x409c7c, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x409c7d, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x3ef3a01538fc9f63)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x409c7e)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ROL_4_symbolic(self):
|
|
''' Instruction ROL_4
|
|
Groups:
|
|
0x40725a: rol rdi, 0x11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00407000, 0x1000, 'rwx')
|
|
mem[0x40725a] = 'H'
|
|
mem[0x40725b] = '\xc1'
|
|
mem[0x40725c] = '\xc7'
|
|
mem[0x40725d] = '\x11'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x1d13aa75a9fb0505)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x40725a
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x40725a, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40725b, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40725c, 8)== ord('\xc7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40725d, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x54eb53f60a0a3a27)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40725e)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ROL_5_symbolic(self):
|
|
''' Instruction ROL_5
|
|
Groups:
|
|
0x4452b5: rol rdx, 0x11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00445000, 0x1000, 'rwx')
|
|
mem[0x4452b8] = '\x11'
|
|
mem[0x4452b5] = 'H'
|
|
mem[0x4452b6] = '\xc1'
|
|
mem[0x4452b7] = '\xc2'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x4452b5
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x4fb1e0862fb57b2e)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4452b8, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4452b5, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4452b6, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4452b7, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4452b9)
|
|
condition = Operators.AND(condition, cpu.RDX == 0xc10c5f6af65c9f63)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ROL_6_symbolic(self):
|
|
''' Instruction ROL_6
|
|
Groups:
|
|
0x7ffff7a6220a: rol rax, 0x11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a62000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a6220a] = 'H'
|
|
mem[0x7ffff7a6220b] = '\xc1'
|
|
mem[0x7ffff7a6220c] = '\xc0'
|
|
mem[0x7ffff7a6220d] = '\x11'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RIP = 0x7ffff7a6220a
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x4d168f8071dccc80)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6220a, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6220b, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6220c, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a6220d, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x1f00e3b999009a2d)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a6220e)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ROR_1_symbolic(self):
|
|
''' Instruction ROR_1
|
|
Groups:
|
|
0x406f53: ror rax, 0x11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem[0x406f53] = 'H'
|
|
mem[0x406f54] = '\xc1'
|
|
mem[0x406f55] = '\xc8'
|
|
mem[0x406f56] = '\x11'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RIP = 0x406f53
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x9287e74ad78292fc)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x406f53, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406f54, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406f55, 8)== ord('\xc8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406f56, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x497e4943f3a56bc1)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x406f57)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ROR_2_symbolic(self):
|
|
''' Instruction ROR_2
|
|
Groups:
|
|
0x7ffff7a65253: ror rax, 0x11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a65000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a65253] = 'H'
|
|
mem[0x7ffff7a65254] = '\xc1'
|
|
mem[0x7ffff7a65255] = '\xc8'
|
|
mem[0x7ffff7a65256] = '\x11'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RIP = 0x7ffff7a65253
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x42002153efdd741e)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65253, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65254, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65255, 8)== ord('\xc8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65256, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0xba0f210010a9f7ee)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a65257)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ROR_3_symbolic(self):
|
|
''' Instruction ROR_3
|
|
Groups:
|
|
0x406fd3: ror rax, 0x11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem[0x406fd3] = 'H'
|
|
mem[0x406fd4] = '\xc1'
|
|
mem[0x406fd5] = '\xc8'
|
|
mem[0x406fd6] = '\x11'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RIP = 0x406fd3
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x4a02228a32751a47)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x406fd3, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406fd4, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406fd5, 8)== ord('\xc8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406fd6, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x8d23a5011145193a)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x406fd7)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ROR_4_symbolic(self):
|
|
''' Instruction ROR_4
|
|
Groups:
|
|
0x7ffff7a65253: ror rax, 0x11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a65000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a65253] = 'H'
|
|
mem[0x7ffff7a65254] = '\xc1'
|
|
mem[0x7ffff7a65255] = '\xc8'
|
|
mem[0x7ffff7a65256] = '\x11'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RIP = 0x7ffff7a65253
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x1b65e4b049796683)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65253, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65254, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65255, 8)== ord('\xc8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a65256, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0xb3418db2f25824bc)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a65257)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ROR_5_symbolic(self):
|
|
''' Instruction ROR_5
|
|
Groups:
|
|
0x406f53: ror rax, 0x11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem[0x406f53] = 'H'
|
|
mem[0x406f54] = '\xc1'
|
|
mem[0x406f55] = '\xc8'
|
|
mem[0x406f56] = '\x11'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RIP = 0x406f53
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x54eb53f60a0a3a27)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x406f53, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406f54, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406f55, 8)== ord('\xc8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406f56, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x1d13aa75a9fb0505)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x406f57)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_ROR_6_symbolic(self):
|
|
''' Instruction ROR_6
|
|
Groups:
|
|
0x406fc3: ror rax, 0x11
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem[0x406fc3] = 'H'
|
|
mem[0x406fc4] = '\xc1'
|
|
mem[0x406fc5] = '\xc8'
|
|
mem[0x406fc6] = '\x11'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.RIP = 0x406fc3
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0xf69983477b463caa)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x406fc3, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406fc4, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406fc5, 8)== ord('\xc8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406fc6, 8)== ord('\x11'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x1e557b4cc1a3bda3)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x406fc7)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SAR_1_symbolic(self):
|
|
''' Instruction SAR_1
|
|
Groups:
|
|
0x7ffff7de4085: sar rax, 2
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4088] = '\x02'
|
|
mem[0x7ffff7de4085] = 'H'
|
|
mem[0x7ffff7de4086] = '\xc1'
|
|
mem[0x7ffff7de4087] = '\xf8'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de4085
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x15c8)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4088, 8)== ord('\x02'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4085, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4086, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4087, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4089)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x572)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SAR_2_symbolic(self):
|
|
''' Instruction SAR_2
|
|
Groups:
|
|
0x7ffff7acfc78: sar r8d, 0x1f
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7acf000, 0x1000, 'rwx')
|
|
mem[0x7ffff7acfc78] = 'A'
|
|
mem[0x7ffff7acfc79] = '\xc1'
|
|
mem[0x7ffff7acfc7a] = '\xf8'
|
|
mem[0x7ffff7acfc7b] = '\x1f'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7acfc78
|
|
cpu.R8D = cs.new_bitvec(32)
|
|
cs.add(cpu.R8D == 0x9)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfc78, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfc79, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfc7a, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7acfc7b, 8)== ord('\x1f'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7acfc7c)
|
|
condition = Operators.AND(condition, cpu.R8D == 0x0)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SAR_3_symbolic(self):
|
|
''' Instruction SAR_3
|
|
Groups:
|
|
0x7ffff7de4085: sar rax, 2
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4088] = '\x02'
|
|
mem[0x7ffff7de4085] = 'H'
|
|
mem[0x7ffff7de4086] = '\xc1'
|
|
mem[0x7ffff7de4087] = '\xf8'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de4085
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x1290)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4088, 8)== ord('\x02'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4085, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4086, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4087, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4089)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x4a4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SAR_4_symbolic(self):
|
|
''' Instruction SAR_4
|
|
Groups:
|
|
0x7ffff7de4085: sar rax, 2
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4088] = '\x02'
|
|
mem[0x7ffff7de4085] = 'H'
|
|
mem[0x7ffff7de4086] = '\xc1'
|
|
mem[0x7ffff7de4087] = '\xf8'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de4085
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x1450)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4088, 8)== ord('\x02'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4085, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4086, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4087, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4089)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x514)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SAR_5_symbolic(self):
|
|
''' Instruction SAR_5
|
|
Groups:
|
|
0x7ffff7de4085: sar rax, 2
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4088] = '\x02'
|
|
mem[0x7ffff7de4085] = 'H'
|
|
mem[0x7ffff7de4086] = '\xc1'
|
|
mem[0x7ffff7de4087] = '\xf8'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de4085
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x1420)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4088, 8)== ord('\x02'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4085, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4086, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4087, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4089)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x508)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SAR_6_symbolic(self):
|
|
''' Instruction SAR_6
|
|
Groups:
|
|
0x7ffff7de4085: sar rax, 2
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4088] = '\x02'
|
|
mem[0x7ffff7de4085] = 'H'
|
|
mem[0x7ffff7de4086] = '\xc1'
|
|
mem[0x7ffff7de4087] = '\xf8'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de4085
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x1070)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4088, 8)== ord('\x02'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4085, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4086, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4087, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4089)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x41c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SCASB_1_symbolic(self):
|
|
''' Instruction SCASB_1
|
|
Groups:
|
|
0x7ffff7a78233: repne scasb al, byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffa000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a78234] = '\xae'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9c8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x46)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9c9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7b)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9ca)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xaa)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9ce)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7a78233] = '\xf2'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14b4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x74)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14b5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14b6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x72)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14b7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x79)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14b8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14b9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4e)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14ba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14bb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7ffff7ba14b4)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0xffffffffffffffea)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffa9c8)
|
|
cpu.RIP = 0x7ffff7a78233
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b9, 8)== ord('N'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c8, 8)== ord('F'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c9, 8)== ord('{'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ca, 8)== ord('\xaa'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cb, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cc, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cd, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ce, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78233, 8)== ord('\xf2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78234, 8)== ord('\xae'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b5, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b6, 8)== ord('r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b7, 8)== ord('y'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b4, 8)== ord('t'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14ba, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14bb, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.RCX == 0xffffffffffffffe9)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7ffff7ba14b5)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffa9c8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a78233)
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SCASB_2_symbolic(self):
|
|
''' Instruction SCASB_2
|
|
Groups:
|
|
0x7ffff7a78233: repne scasb al, byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffa000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14a1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14a2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x73)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14a3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x75)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14a4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x63)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14a5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x68)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14a6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14a7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x66)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14a8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x69)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9c9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9ca)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9ce)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9c8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7a78233] = '\xf2'
|
|
mem[0x7ffff7a78234] = '\xae'
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7ffff7ba14a1)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0xfffffffffffffffd)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffa9c8)
|
|
cpu.RIP = 0x7ffff7a78233
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a1, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a2, 8)== ord('s'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a3, 8)== ord('u'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a4, 8)== ord('c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a5, 8)== ord('h'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a6, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a7, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ca, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ce, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a8, 8)== ord('i'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78233, 8)== ord('\xf2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78234, 8)== ord('\xae'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0xfffffffffffffffc)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7ffff7ba14a2)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffa9c8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a78233)
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SCASB_3_symbolic(self):
|
|
''' Instruction SCASB_3
|
|
Groups:
|
|
0x7ffff7a78233: repne scasb al, byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffa000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a78234] = '\xae'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9c8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9c9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9ca)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9ce)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7a78233] = '\xf2'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14b2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x65)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14b3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x63)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14b4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x74)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14b5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14b6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x72)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14b7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x79)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14b8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14b9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x4e)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7ffff7ba14b2)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0xffffffffffffffec)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffa9c8)
|
|
cpu.RIP = 0x7ffff7a78233
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b9, 8)== ord('N'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b3, 8)== ord('c'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ca, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ce, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b2, 8)== ord('e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78233, 8)== ord('\xf2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78234, 8)== ord('\xae'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b5, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b6, 8)== ord('r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b7, 8)== ord('y'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14b4, 8)== ord('t'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0xffffffffffffffeb)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7ffff7ba14b3)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffa9c8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a78233)
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SCASB_4_symbolic(self):
|
|
''' Instruction SCASB_4
|
|
Groups:
|
|
0x7ffff7a78233: repne scasb al, byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffe000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe0a5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x67)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe0a6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7a)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe0a7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x69)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe0a8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x70)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe0a9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe0aa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x61)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe0ab)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x72)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffe0ac)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x67)
|
|
mem[addr] = value
|
|
mem[0x7ffff7a78233] = '\xf2'
|
|
mem[0x7ffff7a78234] = '\xae'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc2f8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc2f9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xd5)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc2fa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc2fb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc2fc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc2fd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc2fe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc2ff)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffe0a5)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0xffffffffffffffff)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffc2f8)
|
|
cpu.RIP = 0x7ffff7a78233
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0a5, 8)== ord('g'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0a6, 8)== ord('z'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0a7, 8)== ord('i'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0a8, 8)== ord('p'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0a9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0aa, 8)== ord('a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0ab, 8)== ord('r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffe0ac, 8)== ord('g'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78233, 8)== ord('\xf2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78234, 8)== ord('\xae'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2f8, 8)== ord('\x1f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2f9, 8)== ord('\xd5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2fa, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2fb, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2fc, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2fd, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2fe, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc2ff, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0xfffffffffffffffe)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffe0a6)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffc2f8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a78233)
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SCASB_5_symbolic(self):
|
|
''' Instruction SCASB_5
|
|
Groups:
|
|
0x7ffff7a78233: repne scasb al, byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ba1000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffa000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14ab)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14a5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x68)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14a6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14a7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x66)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14a8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x69)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14a9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6c)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14aa)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x65)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ba14ac)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x6f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9ce)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9c8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7a78233] = '\xf2'
|
|
mem[0x7ffff7a78234] = '\xae'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9c9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9ca)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7ffff7ba14a5)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0xfffffffffffffff9)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffa9c8)
|
|
cpu.RIP = 0x7ffff7a78233
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14ab, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a5, 8)== ord('h'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a6, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a7, 8)== ord('f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ca, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ce, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a8, 8)== ord('i'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14ac, 8)== ord('o'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78234, 8)== ord('\xae'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78233, 8)== ord('\xf2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14a9, 8)== ord('l'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ba14aa, 8)== ord('e'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0xfffffffffffffff8)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7ffff7ba14a6)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffa9c8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a78233)
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SCASB_6_symbolic(self):
|
|
''' Instruction SCASB_6
|
|
Groups:
|
|
0x7ffff7a78233: repne scasb al, byte ptr [rdi]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555771000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7a78000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffa000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x555555771dc0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x61)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x555555771dc1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x72)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x555555771dc2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x67)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x555555771dc3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x31)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x555555771dc4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x555555771dc5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x555555771dc6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x555555771dc7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9c8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9c9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9ca)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9ce)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffa9cf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7a78233] = '\xf2'
|
|
mem[0x7ffff7a78234] = '\xae'
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x555555771dc0)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0xffffffffffffffff)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffa9c8)
|
|
cpu.RIP = 0x7ffff7a78233
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555771dc0, 8)== ord('a'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555771dc1, 8)== ord('r'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555771dc2, 8)== ord('g'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555771dc3, 8)== ord('1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555771dc4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555771dc5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555771dc6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555771dc7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9c9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ca, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9ce, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffa9cf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78233, 8)== ord('\xf2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a78234, 8)== ord('\xae'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0xfffffffffffffffe)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x555555771dc1)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffa9c8)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a78233)
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETA_1_symbolic(self):
|
|
''' Instruction SETA_1
|
|
Groups:
|
|
0x5555555548c2: seta dl
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem[0x5555555548c2] = '\x0f'
|
|
mem[0x5555555548c3] = '\x97'
|
|
mem[0x5555555548c4] = '\xc2'
|
|
cpu.DL = cs.new_bitvec(8)
|
|
cs.add(cpu.DL == 0x0)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x5555555548c2
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555548c2, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555548c3, 8)== ord('\x97'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555548c4, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.DL == 0x1)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5555555548c5)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETBE_1_symbolic(self):
|
|
''' Instruction SETBE_1
|
|
Groups:
|
|
0x7ffff7de6207: setbe r9b
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6208] = '\x0f'
|
|
mem[0x7ffff7de6209] = '\x96'
|
|
mem[0x7ffff7de620a] = '\xc1'
|
|
mem[0x7ffff7de6207] = 'A'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R9B = cs.new_bitvec(8)
|
|
cs.add(cpu.R9B == 0x58)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6207
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6208, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6209, 8)== ord('\x96'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620a, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6207, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.R9B == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de620b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETBE_2_symbolic(self):
|
|
''' Instruction SETBE_2
|
|
Groups:
|
|
0x7ffff7de6207: setbe r9b
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6208] = '\x0f'
|
|
mem[0x7ffff7de6209] = '\x96'
|
|
mem[0x7ffff7de620a] = '\xc1'
|
|
mem[0x7ffff7de6207] = 'A'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R9B = cs.new_bitvec(8)
|
|
cs.add(cpu.R9B == 0x58)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6207
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6208, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6209, 8)== ord('\x96'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620a, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6207, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.R9B == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de620b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETBE_3_symbolic(self):
|
|
''' Instruction SETBE_3
|
|
Groups:
|
|
0x7ffff7de6207: setbe r9b
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6208] = '\x0f'
|
|
mem[0x7ffff7de6209] = '\x96'
|
|
mem[0x7ffff7de620a] = '\xc1'
|
|
mem[0x7ffff7de6207] = 'A'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R9B = cs.new_bitvec(8)
|
|
cs.add(cpu.R9B == 0x58)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6207
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6208, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6209, 8)== ord('\x96'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620a, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6207, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.R9B == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de620b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETBE_4_symbolic(self):
|
|
''' Instruction SETBE_4
|
|
Groups:
|
|
0x7ffff7de6207: setbe r9b
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6208] = '\x0f'
|
|
mem[0x7ffff7de6209] = '\x96'
|
|
mem[0x7ffff7de620a] = '\xc1'
|
|
mem[0x7ffff7de6207] = 'A'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R9B = cs.new_bitvec(8)
|
|
cs.add(cpu.R9B == 0x58)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6207
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6208, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6209, 8)== ord('\x96'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620a, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6207, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.R9B == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de620b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETBE_5_symbolic(self):
|
|
''' Instruction SETBE_5
|
|
Groups:
|
|
0x7ffff7de6207: setbe r9b
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6208] = '\x0f'
|
|
mem[0x7ffff7de6209] = '\x96'
|
|
mem[0x7ffff7de620a] = '\xc1'
|
|
mem[0x7ffff7de6207] = 'A'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R9B = cs.new_bitvec(8)
|
|
cs.add(cpu.R9B == 0x58)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6207
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6208, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6209, 8)== ord('\x96'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620a, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6207, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.R9B == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de620b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETBE_6_symbolic(self):
|
|
''' Instruction SETBE_6
|
|
Groups:
|
|
0x7ffff7de6207: setbe r9b
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6208] = '\x0f'
|
|
mem[0x7ffff7de6209] = '\x96'
|
|
mem[0x7ffff7de620a] = '\xc1'
|
|
mem[0x7ffff7de6207] = 'A'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R9B = cs.new_bitvec(8)
|
|
cs.add(cpu.R9B == 0x58)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6207
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6208, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6209, 8)== ord('\x96'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620a, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6207, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.R9B == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de620b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETB_1_symbolic(self):
|
|
''' Instruction SETB_1
|
|
Groups:
|
|
0x4342ea: setb al
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x4342ea] = '\x0f'
|
|
mem[0x4342eb] = '\x92'
|
|
mem[0x4342ec] = '\xc0'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x4342ea
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0xc0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4342ea, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4342eb, 8)== ord('\x92'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4342ec, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4342ed)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETB_2_symbolic(self):
|
|
''' Instruction SETB_2
|
|
Groups:
|
|
0x43426a: setb al
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x43426a] = '\x0f'
|
|
mem[0x43426b] = '\x92'
|
|
mem[0x43426c] = '\xc0'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x43426a
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0xc0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x43426a, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43426b, 8)== ord('\x92'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43426c, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x43426d)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETB_3_symbolic(self):
|
|
''' Instruction SETB_3
|
|
Groups:
|
|
0x4346ca: setb al
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x4346ca] = '\x0f'
|
|
mem[0x4346cb] = '\x92'
|
|
mem[0x4346cc] = '\xc0'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x4346ca
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0xc0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4346ca, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4346cb, 8)== ord('\x92'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4346cc, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4346cd)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETB_4_symbolic(self):
|
|
''' Instruction SETB_4
|
|
Groups:
|
|
0x4342ea: setb al
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x4342ea] = '\x0f'
|
|
mem[0x4342eb] = '\x92'
|
|
mem[0x4342ec] = '\xc0'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x4342ea
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0xc0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4342ea, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4342eb, 8)== ord('\x92'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4342ec, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4342ed)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETB_5_symbolic(self):
|
|
''' Instruction SETB_5
|
|
Groups:
|
|
0x4342ea: setb al
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x4342ea] = '\x0f'
|
|
mem[0x4342eb] = '\x92'
|
|
mem[0x4342ec] = '\xc0'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x4342ea
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4342ea, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4342eb, 8)== ord('\x92'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4342ec, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4342ed)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETB_6_symbolic(self):
|
|
''' Instruction SETB_6
|
|
Groups:
|
|
0x43430a: setb al
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x43430a] = '\x0f'
|
|
mem[0x43430b] = '\x92'
|
|
mem[0x43430c] = '\xc0'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x43430a
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0xc0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x43430a, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43430b, 8)== ord('\x92'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43430c, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x43430d)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETE_1_symbolic(self):
|
|
''' Instruction SETE_1
|
|
Groups:
|
|
0x7ffff7de36a2: sete r10b
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de36a2] = 'A'
|
|
mem[0x7ffff7de36a3] = '\x0f'
|
|
mem[0x7ffff7de36a4] = '\x94'
|
|
mem[0x7ffff7de36a5] = '\xc2'
|
|
cpu.R10B = cs.new_bitvec(8)
|
|
cs.add(cpu.R10B == 0x0)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RIP = 0x7ffff7de36a2
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36a2, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36a3, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36a4, 8)== ord('\x94'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de36a5, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.R10B == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de36a6)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETE_2_symbolic(self):
|
|
''' Instruction SETE_2
|
|
Groups:
|
|
0x7ffff7de620f: sete al
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6210] = '\x94'
|
|
mem[0x7ffff7de6211] = '\xc0'
|
|
mem[0x7ffff7de620f] = '\x0f'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0xf5)
|
|
cpu.RIP = 0x7ffff7de620f
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6210, 8)== ord('\x94'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6211, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620f, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6212)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETE_3_symbolic(self):
|
|
''' Instruction SETE_3
|
|
Groups:
|
|
0x7ffff7de6229: sete al
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6229] = '\x0f'
|
|
mem[0x7ffff7de622a] = '\x94'
|
|
mem[0x7ffff7de622b] = '\xc0'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0x0)
|
|
cpu.RIP = 0x7ffff7de6229
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6229, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de622a, 8)== ord('\x94'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de622b, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.AL == 0x1)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de622c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETE_4_symbolic(self):
|
|
''' Instruction SETE_4
|
|
Groups:
|
|
0x7ffff7de6229: sete al
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6229] = '\x0f'
|
|
mem[0x7ffff7de622a] = '\x94'
|
|
mem[0x7ffff7de622b] = '\xc0'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0x0)
|
|
cpu.RIP = 0x7ffff7de6229
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6229, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de622a, 8)== ord('\x94'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de622b, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.AL == 0x1)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de622c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETE_5_symbolic(self):
|
|
''' Instruction SETE_5
|
|
Groups:
|
|
0x432458: sete r9b
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432458] = 'A'
|
|
mem[0x432459] = '\x0f'
|
|
mem[0x43245a] = '\x94'
|
|
mem[0x43245b] = '\xc1'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R9B = cs.new_bitvec(8)
|
|
cs.add(cpu.R9B == 0x30)
|
|
cpu.RIP = 0x432458
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432458, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432459, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43245a, 8)== ord('\x94'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43245b, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.R9B == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x43245c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETE_6_symbolic(self):
|
|
''' Instruction SETE_6
|
|
Groups:
|
|
0x7ffff7de620f: sete al
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6210] = '\x94'
|
|
mem[0x7ffff7de6211] = '\xc0'
|
|
mem[0x7ffff7de620f] = '\x0f'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0xf5)
|
|
cpu.RIP = 0x7ffff7de620f
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6210, 8)== ord('\x94'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6211, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de620f, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6212)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETG_1_symbolic(self):
|
|
''' Instruction SETG_1
|
|
Groups:
|
|
0x555555567df4: setg r9b
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555567000, 0x1000, 'rwx')
|
|
mem[0x555555567df4] = 'A'
|
|
mem[0x555555567df5] = '\x0f'
|
|
mem[0x555555567df6] = '\x9f'
|
|
mem[0x555555567df7] = '\xc1'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R9B = cs.new_bitvec(8)
|
|
cs.add(cpu.R9B == 0x0)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x555555567df4
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555567df4, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555567df5, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555567df6, 8)== ord('\x9f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555567df7, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.R9B == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555567df8)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETG_2_symbolic(self):
|
|
''' Instruction SETG_2
|
|
Groups:
|
|
0x555555567df4: setg r9b
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555567000, 0x1000, 'rwx')
|
|
mem[0x555555567df4] = 'A'
|
|
mem[0x555555567df5] = '\x0f'
|
|
mem[0x555555567df6] = '\x9f'
|
|
mem[0x555555567df7] = '\xc1'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R9B = cs.new_bitvec(8)
|
|
cs.add(cpu.R9B == 0x0)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
cpu.RIP = 0x555555567df4
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555567df4, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555567df5, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555567df6, 8)== ord('\x9f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555567df7, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.R9B == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555567df8)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETLE_1_symbolic(self):
|
|
''' Instruction SETLE_1
|
|
Groups:
|
|
0x448ae0: setle dl
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00448000, 0x1000, 'rwx')
|
|
mem[0x448ae0] = '\x0f'
|
|
mem[0x448ae1] = '\x9e'
|
|
mem[0x448ae2] = '\xc2'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x448ae0
|
|
cpu.DL = cs.new_bitvec(8)
|
|
cs.add(cpu.DL == 0x1)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x448ae0, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x448ae1, 8)== ord('\x9e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x448ae2, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.DL == 0x1)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x448ae3)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETLE_2_symbolic(self):
|
|
''' Instruction SETLE_2
|
|
Groups:
|
|
0x448ae0: setle dl
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00448000, 0x1000, 'rwx')
|
|
mem[0x448ae0] = '\x0f'
|
|
mem[0x448ae1] = '\x9e'
|
|
mem[0x448ae2] = '\xc2'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RIP = 0x448ae0
|
|
cpu.DL = cs.new_bitvec(8)
|
|
cs.add(cpu.DL == 0x1)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x448ae0, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x448ae1, 8)== ord('\x9e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x448ae2, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.DL == 0x1)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x448ae3)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETNE_1_symbolic(self):
|
|
''' Instruction SETNE_1
|
|
Groups:
|
|
0x410ee5: setne cl
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00410000, 0x1000, 'rwx')
|
|
mem[0x410ee5] = '\x0f'
|
|
mem[0x410ee6] = '\x95'
|
|
mem[0x410ee7] = '\xc1'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RIP = 0x410ee5
|
|
cpu.CL = cs.new_bitvec(8)
|
|
cs.add(cpu.CL == 0x6)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x410ee5, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x410ee6, 8)== ord('\x95'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x410ee7, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x410ee8)
|
|
condition = Operators.AND(condition, cpu.CL == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETNE_2_symbolic(self):
|
|
''' Instruction SETNE_2
|
|
Groups:
|
|
0x436d20: setne dl
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00436000, 0x1000, 'rwx')
|
|
mem[0x436d20] = '\x0f'
|
|
mem[0x436d21] = '\x95'
|
|
mem[0x436d22] = '\xc2'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.DL = cs.new_bitvec(8)
|
|
cs.add(cpu.DL == 0x0)
|
|
cpu.RIP = 0x436d20
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x436d20, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x436d21, 8)== ord('\x95'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x436d22, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.DL == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x436d23)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETNE_3_symbolic(self):
|
|
''' Instruction SETNE_3
|
|
Groups:
|
|
0x410f05: setne cl
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00410000, 0x1000, 'rwx')
|
|
mem[0x410f05] = '\x0f'
|
|
mem[0x410f06] = '\x95'
|
|
mem[0x410f07] = '\xc1'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RIP = 0x410f05
|
|
cpu.CL = cs.new_bitvec(8)
|
|
cs.add(cpu.CL == 0x6)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x410f05, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x410f06, 8)== ord('\x95'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x410f07, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x410f08)
|
|
condition = Operators.AND(condition, cpu.CL == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETNE_4_symbolic(self):
|
|
''' Instruction SETNE_4
|
|
Groups:
|
|
0x436f20: setne dl
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00436000, 0x1000, 'rwx')
|
|
mem[0x436f20] = '\x0f'
|
|
mem[0x436f21] = '\x95'
|
|
mem[0x436f22] = '\xc2'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.DL = cs.new_bitvec(8)
|
|
cs.add(cpu.DL == 0x0)
|
|
cpu.RIP = 0x436f20
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x436f20, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x436f21, 8)== ord('\x95'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x436f22, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.DL == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x436f23)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETNE_5_symbolic(self):
|
|
''' Instruction SETNE_5
|
|
Groups:
|
|
0x4120f9: setne cl
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00412000, 0x1000, 'rwx')
|
|
mem[0x4120f9] = '\x0f'
|
|
mem[0x4120fa] = '\x95'
|
|
mem[0x4120fb] = '\xc1'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RIP = 0x4120f9
|
|
cpu.CL = cs.new_bitvec(8)
|
|
cs.add(cpu.CL == 0x40)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4120f9, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4120fa, 8)== ord('\x95'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4120fb, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4120fc)
|
|
condition = Operators.AND(condition, cpu.CL == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SETNE_6_symbolic(self):
|
|
''' Instruction SETNE_6
|
|
Groups:
|
|
0x7ffff7de5de4: setne al
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5de4] = '\x0f'
|
|
mem[0x7ffff7de5de5] = '\x95'
|
|
mem[0x7ffff7de5de6] = '\xc0'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0x0)
|
|
cpu.RIP = 0x7ffff7de5de4
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5de4, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5de5, 8)== ord('\x95'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5de6, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.AL == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de5de7)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHLX_1_symbolic(self):
|
|
''' Instruction SHLX_1
|
|
Groups: bmi2
|
|
0x55555556594d: shlx rax, qword ptr [r14 + 0x50], rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555565000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc800)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc801)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc802)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc803)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc804)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc805)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc806)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc807)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x55555556594d] = '\xc4'
|
|
mem[0x55555556594e] = '\xc2'
|
|
mem[0x55555556594f] = '\xf9'
|
|
mem[0x555555565950] = '\xf7'
|
|
mem[0x555555565951] = 'F'
|
|
mem[0x555555565952] = 'P'
|
|
cpu.R14 = cs.new_bitvec(64)
|
|
cs.add(cpu.R14 == 0x7fffffffc7b0)
|
|
cpu.RIP = 0x55555556594d
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x5)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc800, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc801, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc802, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc803, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc804, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc805, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc806, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc807, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556594d, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556594e, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556594f, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565950, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565951, 8)== ord('F'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565952, 8)== ord('P'))
|
|
condition = Operators.AND(condition, cpu.R14 == 0x7fffffffc7b0)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555565953)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHLX_2_symbolic(self):
|
|
''' Instruction SHLX_2
|
|
Groups: bmi2
|
|
0x55555556544a: shlx rax, rdx, rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555565000, 0x1000, 'rwx')
|
|
mem[0x55555556544a] = '\xc4'
|
|
mem[0x55555556544b] = '\xe2'
|
|
mem[0x55555556544c] = '\xf9'
|
|
mem[0x55555556544d] = '\xf7'
|
|
mem[0x55555556544e] = '\xc2'
|
|
cpu.RIP = 0x55555556544a
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x8)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x1)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556544a, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556544b, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556544c, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556544d, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556544e, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x100)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x55555556544f)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x1)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHLX_3_symbolic(self):
|
|
''' Instruction SHLX_3
|
|
Groups: bmi2
|
|
0x55555556544a: shlx rax, rdx, rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555565000, 0x1000, 'rwx')
|
|
mem[0x55555556544a] = '\xc4'
|
|
mem[0x55555556544b] = '\xe2'
|
|
mem[0x55555556544c] = '\xf9'
|
|
mem[0x55555556544d] = '\xf7'
|
|
mem[0x55555556544e] = '\xc2'
|
|
cpu.RIP = 0x55555556544a
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x8)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x1)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556544a, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556544b, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556544c, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556544d, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556544e, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x100)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x55555556544f)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x1)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHLX_4_symbolic(self):
|
|
''' Instruction SHLX_4
|
|
Groups: bmi2
|
|
0x55555556594d: shlx rax, qword ptr [r14 + 0x50], rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555565000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc800)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc801)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc802)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc803)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc804)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc805)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc806)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffc807)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x55555556594d] = '\xc4'
|
|
mem[0x55555556594e] = '\xc2'
|
|
mem[0x55555556594f] = '\xf9'
|
|
mem[0x555555565950] = '\xf7'
|
|
mem[0x555555565951] = 'F'
|
|
mem[0x555555565952] = 'P'
|
|
cpu.R14 = cs.new_bitvec(64)
|
|
cs.add(cpu.R14 == 0x7fffffffc7b0)
|
|
cpu.RIP = 0x55555556594d
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x5)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc800, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc801, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc802, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc803, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc804, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc805, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc806, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffc807, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556594d, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556594e, 8)== ord('\xc2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x55555556594f, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565950, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565951, 8)== ord('F'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555565952, 8)== ord('P'))
|
|
condition = Operators.AND(condition, cpu.R14 == 0x7fffffffc7b0)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555565953)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHL_1_symbolic(self):
|
|
''' Instruction SHL_1
|
|
Groups:
|
|
0x7ffff7de438f: shl rsi, 5
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4390] = '\xc1'
|
|
mem[0x7ffff7de4391] = '\xe6'
|
|
mem[0x7ffff7de4392] = '\x05'
|
|
mem[0x7ffff7de438f] = 'H'
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x597904)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de438f
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4390, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4391, 8)== ord('\xe6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4392, 8)== ord('\x05'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438f, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0xb2f2080)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4393)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHL_2_symbolic(self):
|
|
''' Instruction SHL_2
|
|
Groups:
|
|
0x7ffff7de438f: shl rsi, 5
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4390] = '\xc1'
|
|
mem[0x7ffff7de4391] = '\xe6'
|
|
mem[0x7ffff7de4392] = '\x05'
|
|
mem[0x7ffff7de438f] = 'H'
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7144b72823ea49e0)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de438f
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4390, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4391, 8)== ord('\xe6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4392, 8)== ord('\x05'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438f, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0x2896e5047d493c00)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4393)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHL_3_symbolic(self):
|
|
''' Instruction SHL_3
|
|
Groups:
|
|
0x7ffff7de438f: shl rsi, 5
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4390] = '\xc1'
|
|
mem[0x7ffff7de4391] = '\xe6'
|
|
mem[0x7ffff7de4392] = '\x05'
|
|
mem[0x7ffff7de438f] = 'H'
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0xcc5c406168309853)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de438f
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4390, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4391, 8)== ord('\xe6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4392, 8)== ord('\x05'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438f, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0x8b880c2d06130a60)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4393)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == True)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHL_4_symbolic(self):
|
|
''' Instruction SHL_4
|
|
Groups:
|
|
0x7ffff7de438f: shl rsi, 5
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4390] = '\xc1'
|
|
mem[0x7ffff7de4391] = '\xe6'
|
|
mem[0x7ffff7de4392] = '\x05'
|
|
mem[0x7ffff7de438f] = 'H'
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x726f9570cfb9645b)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de438f
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4390, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4391, 8)== ord('\xe6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4392, 8)== ord('\x05'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438f, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0x4df2ae19f72c8b60)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4393)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHL_5_symbolic(self):
|
|
''' Instruction SHL_5
|
|
Groups:
|
|
0x7ffff7de438f: shl rsi, 5
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4390] = '\xc1'
|
|
mem[0x7ffff7de4391] = '\xe6'
|
|
mem[0x7ffff7de4392] = '\x05'
|
|
mem[0x7ffff7de438f] = 'H'
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x2b60c)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de438f
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4390, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4391, 8)== ord('\xe6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4392, 8)== ord('\x05'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438f, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0x56c180)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4393)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHL_6_symbolic(self):
|
|
''' Instruction SHL_6
|
|
Groups:
|
|
0x7ffff7de438f: shl rsi, 5
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4390] = '\xc1'
|
|
mem[0x7ffff7de4391] = '\xe6'
|
|
mem[0x7ffff7de4392] = '\x05'
|
|
mem[0x7ffff7de438f] = 'H'
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x377beb912d8eae5)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de438f
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4390, 8)== ord('\xc1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4391, 8)== ord('\xe6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4392, 8)== ord('\x05'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de438f, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0x6ef7d7225b1d5ca0)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4393)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHR_1_symbolic(self):
|
|
''' Instruction SHR_1
|
|
Groups:
|
|
0x7ffff7de405d: shr rdx, 1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de405d] = 'H'
|
|
mem[0x7ffff7de405e] = '\xd1'
|
|
mem[0x7ffff7de405f] = '\xea'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x144a5ad4)
|
|
cpu.RIP = 0x7ffff7de405d
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de405d, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de405e, 8)== ord('\xd1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de405f, 8)== ord('\xea'))
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4060)
|
|
condition = Operators.AND(condition, cpu.RDX == 0xa252d6a)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHR_2_symbolic(self):
|
|
''' Instruction SHR_2
|
|
Groups:
|
|
0x7ffff7de391d: shr rsi, cl
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de391d] = 'H'
|
|
mem[0x7ffff7de391e] = '\xd3'
|
|
mem[0x7ffff7de391f] = '\xee'
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x20ce23f6)
|
|
cpu.CL = cs.new_bitvec(8)
|
|
cs.add(cpu.CL == 0x6)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de391d
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de391d, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de391e, 8)== ord('\xd3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de391f, 8)== ord('\xee'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0x83388f)
|
|
condition = Operators.AND(condition, cpu.CL == 0x6)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3920)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHR_3_symbolic(self):
|
|
''' Instruction SHR_3
|
|
Groups:
|
|
0x7ffff7de3926: shr rsi, cl
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3928] = '\xee'
|
|
mem[0x7ffff7de3926] = 'H'
|
|
mem[0x7ffff7de3927] = '\xd3'
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x800000001204088)
|
|
cpu.CL = cs.new_bitvec(8)
|
|
cs.add(cpu.CL == 0xda)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de3926
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3928, 8)== ord('\xee'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3926, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3927, 8)== ord('\xd3'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0x200000000)
|
|
condition = Operators.AND(condition, cpu.CL == 0xda)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3929)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHR_4_symbolic(self):
|
|
''' Instruction SHR_4
|
|
Groups:
|
|
0x7ffff7de61d2: shr al, 4
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de61d2] = '\xc0'
|
|
mem[0x7ffff7de61d3] = '\xe8'
|
|
mem[0x7ffff7de61d4] = '\x04'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0x22)
|
|
cpu.RIP = 0x7ffff7de61d2
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61d2, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61d3, 8)== ord('\xe8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de61d4, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de61d5)
|
|
condition = Operators.AND(condition, cpu.AL == 0x2)
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHR_5_symbolic(self):
|
|
''' Instruction SHR_5
|
|
Groups:
|
|
0x7ffff7de391d: shr rsi, cl
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de391d] = 'H'
|
|
mem[0x7ffff7de391e] = '\xd3'
|
|
mem[0x7ffff7de391f] = '\xee'
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7c967e3f)
|
|
cpu.CL = cs.new_bitvec(8)
|
|
cs.add(cpu.CL == 0xe)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de391d
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de391d, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de391e, 8)== ord('\xd3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de391f, 8)== ord('\xee'))
|
|
condition = Operators.AND(condition, cpu.RSI == 0x1f259)
|
|
condition = Operators.AND(condition, cpu.CL == 0xe)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3920)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SHR_6_symbolic(self):
|
|
''' Instruction SHR_6
|
|
Groups:
|
|
0x4322bd: shr rax, 1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x4322bd] = 'H'
|
|
mem[0x4322be] = '\xd1'
|
|
mem[0x4322bf] = '\xe8'
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x4322bd
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x1)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322bd, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322be, 8)== ord('\xd1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322bf, 8)== ord('\xe8'))
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4322c0)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STC_1_symbolic(self):
|
|
''' Instruction STC_1
|
|
Groups:
|
|
0x5667fa: stc
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00566000, 0x1000, 'rwx')
|
|
mem[0x5667fa] = '\xf9'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x5667fa
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x5667fa, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5667fb)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STC_2_symbolic(self):
|
|
''' Instruction STC_2
|
|
Groups:
|
|
0x42a889: stc
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0042a000, 0x1000, 'rwx')
|
|
mem[0x42a889] = '\xf9'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x42a889
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x42a889, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x42a88a)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STC_3_symbolic(self):
|
|
''' Instruction STC_3
|
|
Groups:
|
|
0x60b5d5: stc
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0060b000, 0x1000, 'rwx')
|
|
mem[0x60b5d5] = '\xf9'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x60b5d5
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x60b5d5, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x60b5d6)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STC_4_symbolic(self):
|
|
''' Instruction STC_4
|
|
Groups:
|
|
0x52da4d: stc
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0052d000, 0x1000, 'rwx')
|
|
mem[0x52da4d] = '\xf9'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x52da4d
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x52da4d, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x52da4e)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STC_5_symbolic(self):
|
|
''' Instruction STC_5
|
|
Groups:
|
|
0x56ba0e: stc
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0056b000, 0x1000, 'rwx')
|
|
mem[0x56ba0e] = '\xf9'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x56ba0e
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x56ba0e, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x56ba0f)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STC_6_symbolic(self):
|
|
''' Instruction STC_6
|
|
Groups:
|
|
0x61a7d6: stc
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0061a000, 0x1000, 'rwx')
|
|
mem[0x61a7d6] = '\xf9'
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x61a7d6
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x61a7d6, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.CF == True)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x61a7d7)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STOSD_1_symbolic(self):
|
|
''' Instruction STOSD_1
|
|
Groups:
|
|
0x5555555547c2: rep stosd dword ptr [rdi], eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x5555555547c2] = '\xf3'
|
|
mem[0x5555555547c3] = '\xab'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda88)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda89)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb70)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xa0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb71)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xdb)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb72)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb73)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb74)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb75)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb76)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb77)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffdb70)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x6)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffda88)
|
|
cpu.RIP = 0x5555555547c2
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555547c2, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555547c3, 8)== ord('\xab'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda89, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb70, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb71, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb72, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb73, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb74, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb75, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb76, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb77, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x5)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdb74)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda88)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5555555547c2)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STOSD_2_symbolic(self):
|
|
''' Instruction STOSD_2
|
|
Groups:
|
|
0x5555555547c2: rep stosd dword ptr [rdi], eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb20)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb21)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x5555555547c2] = '\xf3'
|
|
mem[0x5555555547c3] = '\xab'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda88)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda89)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb22)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb23)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb1c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb1d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb1e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb1f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffdb1c)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x1b)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffda88)
|
|
cpu.RIP = 0x5555555547c2
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb20, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb21, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555547c2, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555547c3, 8)== ord('\xab'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda89, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb23, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb22, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb1c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb1d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb1e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb1f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x1a)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdb20)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda88)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5555555547c2)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STOSD_3_symbolic(self):
|
|
''' Instruction STOSD_3
|
|
Groups:
|
|
0x5555555547c2: rep stosd dword ptr [rdi], eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaa0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x26)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaa1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xb0)
|
|
mem[addr] = value
|
|
mem[0x5555555547c2] = '\xf3'
|
|
mem[0x5555555547c3] = '\xab'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda88)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda89)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaa2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x62)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaa3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x65)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda9c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda9d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda9e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda9f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffda9c)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x3b)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffda88)
|
|
cpu.RIP = 0x5555555547c2
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa0, 8)== ord('&'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa1, 8)== ord('\xb0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555547c2, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555547c3, 8)== ord('\xab'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda89, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa3, 8)== ord('e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaa2, 8)== ord('b'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda9f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x3a)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdaa0)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda88)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5555555547c2)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STOSD_4_symbolic(self):
|
|
''' Instruction STOSD_4
|
|
Groups:
|
|
0x5555555547c2: rep stosd dword ptr [rdi], eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x5555555547c2] = '\xf3'
|
|
mem[0x5555555547c3] = '\xab'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaec)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda88)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda89)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaee)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaed)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaef)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffdaec)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x27)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffda88)
|
|
cpu.RIP = 0x5555555547c2
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555547c2, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555547c3, 8)== ord('\xab'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaec, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaed, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda89, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaee, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaef, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x26)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdaf0)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda88)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5555555547c2)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STOSD_5_symbolic(self):
|
|
''' Instruction STOSD_5
|
|
Groups:
|
|
0x5555555547c2: rep stosd dword ptr [rdi], eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb80)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x50)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb81)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x49)
|
|
mem[addr] = value
|
|
mem[0x5555555547c2] = '\xf3'
|
|
mem[0x5555555547c3] = '\xab'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda88)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda89)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb82)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x55)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb83)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x55)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb7c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb7d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb7e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdb7f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffdb7c)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x3)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffda88)
|
|
cpu.RIP = 0x5555555547c2
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb80, 8)== ord('P'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb81, 8)== ord('I'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555547c2, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555547c3, 8)== ord('\xab'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda89, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb82, 8)== ord('U'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb83, 8)== ord('U'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb7c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb7d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb7e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdb7f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x2)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdb80)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda88)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5555555547c2)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STOSD_6_symbolic(self):
|
|
''' Instruction STOSD_6
|
|
Groups:
|
|
0x5555555547c2: rep stosd dword ptr [rdi], eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x5555555547c2] = '\xf3'
|
|
mem[0x5555555547c3] = '\xab'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda88)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda89)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdaf7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffdaf0)
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x26)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffda88)
|
|
cpu.RIP = 0x5555555547c2
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555547c2, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x5555555547c3, 8)== ord('\xab'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda89, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdaf7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x25)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffdaf4)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffda88)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x5555555547c2)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STOSQ_1_symbolic(self):
|
|
''' Instruction STOSQ_1
|
|
Groups:
|
|
0x7ffff7ded09b: rep stosq qword ptr [rdi], rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ded000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7700)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7701)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7702)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7703)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7704)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7705)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7706)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7707)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7ded09c] = 'H'
|
|
mem[0x7ffff7ded09d] = '\xab'
|
|
mem[0x7ffff7ded09b] = '\xf3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7f38)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7f39)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7f3a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7f3b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7f3c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7f3d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7f3e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7f3f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7ffff7fd7f38)
|
|
cpu.RIP = 0x7ffff7ded09b
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x19)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7ffff7fd7700)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7700, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7701, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7702, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7703, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7704, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7705, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7706, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7707, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f3b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f3c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f3d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f38, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f39, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f3a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09b, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09c, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09d, 8)== ord('\xab'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f3e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7f3f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x18)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7ffff7fd7f40)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7ffff7fd7700)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ded09b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STOSQ_2_symbolic(self):
|
|
''' Instruction STOSQ_2
|
|
Groups:
|
|
0x7ffff7ded09b: rep stosq qword ptr [rdi], rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ded000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7700)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7701)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7702)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7703)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7704)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7705)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7706)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7707)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7ded09c] = 'H'
|
|
mem[0x7ffff7ded09d] = '\xab'
|
|
mem[0x7ffff7ded09b] = '\xf3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7cb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7cb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7cba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7cbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7cbc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7cbd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7cbe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7cbf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7ffff7fd7cb8)
|
|
cpu.RIP = 0x7ffff7ded09b
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x69)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7ffff7fd7700)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7700, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7701, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7702, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7703, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7704, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7705, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7706, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7707, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cbc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cbd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cbb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cb8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cb9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cba, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09b, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09c, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09d, 8)== ord('\xab'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cbe, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7cbf, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x68)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7ffff7fd7cc0)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7ffff7fd7700)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ded09b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STOSQ_3_symbolic(self):
|
|
''' Instruction STOSQ_3
|
|
Groups:
|
|
0x7ffff7de5ebf: rep stosq qword ptr [rdi], rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de5000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7ffe000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de5ec0] = 'H'
|
|
mem[0x7ffff7de5ec1] = '\xab'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe4a2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe4a3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xf7)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe4a4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe4a5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe4a6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe4a1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xe4)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda88)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x90)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda89)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x78)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda8f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe4a0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7ffe4a7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7de5ebf] = '\xf3'
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffda88)
|
|
cpu.RIP = 0x7ffff7de5ebf
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x7)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7ffff7ffe4a0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5ec0, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5ec1, 8)== ord('\xab'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a3, 8)== ord('\xf7'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a1, 8)== ord('\xe4'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda88, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda89, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8b, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8c, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8d, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda8f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ffe4a7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de5ebf, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x6)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffda90)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7ffff7ffe4a0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de5ebf)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STOSQ_4_symbolic(self):
|
|
''' Instruction STOSQ_4
|
|
Groups:
|
|
0x7ffff7ded09b: rep stosq qword ptr [rdi], rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ded000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7700)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7701)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7702)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7703)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7704)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7705)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7706)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7707)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7730)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7731)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7732)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7733)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7734)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7735)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7736)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7737)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7ded09b] = '\xf3'
|
|
mem[0x7ffff7ded09c] = 'H'
|
|
mem[0x7ffff7ded09d] = '\xab'
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7ffff7fd7730)
|
|
cpu.RIP = 0x7ffff7ded09b
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x11a)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7ffff7fd7700)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7700, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7701, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7702, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7703, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7704, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7705, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7706, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7707, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7730, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7731, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7732, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7733, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7734, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7735, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7736, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7737, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09b, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09c, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09d, 8)== ord('\xab'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x119)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7ffff7fd7738)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7ffff7fd7700)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ded09b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STOSQ_5_symbolic(self):
|
|
''' Instruction STOSQ_5
|
|
Groups:
|
|
0x555555554895: rep stosq qword ptr [rdi], rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x555555554000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffd000, 0x1000, 'rwx')
|
|
mem[0x555555554896] = 'H'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda95)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x555555554897] = '\xab'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda90)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda91)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda92)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda93)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda94)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x555555554895] = '\xf3'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda96)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffda97)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdc98)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x1d)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdc99)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xe0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdc9a)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdc9b)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdc9c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdc9d)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdc9e)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffdc9f)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7fffffffda90)
|
|
cpu.RIP = 0x555555554895
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x1e)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7fffffffdc98)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda96, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda95, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda97, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda90, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda91, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda92, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda93, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffda94, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555554895, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555554896, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x555555554897, 8)== ord('\xab'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc98, 8)== ord('\x1d'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc99, 8)== ord('\xe0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc9a, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc9b, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc9c, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc9d, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc9e, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffdc9f, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x1d)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7fffffffda98)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7fffffffdc98)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x555555554895)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_STOSQ_6_symbolic(self):
|
|
''' Instruction STOSQ_6
|
|
Groups:
|
|
0x7ffff7ded09b: rep stosq qword ptr [rdi], rax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ded000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7fd7000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7700)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7701)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7702)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7703)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7704)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7705)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7706)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7707)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7ef0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7ef1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7ef2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7ef3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7ef4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7ef5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7ef6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7fd7ef7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x7ffff7ded09b] = '\xf3'
|
|
mem[0x7ffff7ded09c] = 'H'
|
|
mem[0x7ffff7ded09d] = '\xab'
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7ffff7fd7ef0)
|
|
cpu.RIP = 0x7ffff7ded09b
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x22)
|
|
cpu.RSI = cs.new_bitvec(64)
|
|
cs.add(cpu.RSI == 0x7ffff7fd7700)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7700, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7701, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7702, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7703, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7704, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7705, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7706, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7707, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef4, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7fd7ef7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09b, 8)== ord('\xf3'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09c, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ded09d, 8)== ord('\xab'))
|
|
condition = Operators.AND(condition, cpu.RCX == 0x21)
|
|
condition = Operators.AND(condition, cpu.RAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7ffff7fd7ef8)
|
|
condition = Operators.AND(condition, cpu.RSI == 0x7ffff7fd7700)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ded09b)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SUB_1_symbolic(self):
|
|
''' Instruction SUB_1
|
|
Groups:
|
|
0x4326c3: sub rsp, 0x1020
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x4326c3] = 'H'
|
|
mem[0x4326c4] = '\x81'
|
|
mem[0x4326c5] = '\xec'
|
|
mem[0x4326c6] = ' '
|
|
mem[0x4326c7] = '\x10'
|
|
mem[0x4326c8] = '\x00'
|
|
mem[0x4326c9] = '\x00'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffdab0)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x4326c3
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4326c3, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4326c4, 8)== ord('\x81'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4326c5, 8)== ord('\xec'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4326c6, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4326c7, 8)== ord('\x10'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4326c8, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4326c9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffca90)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4326ca)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SUB_2_symbolic(self):
|
|
''' Instruction SUB_2
|
|
Groups:
|
|
0x40b6dd: sub rsp, 0x1028
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0040b000, 0x1000, 'rwx')
|
|
mem[0x40b6e0] = '('
|
|
mem[0x40b6e1] = '\x10'
|
|
mem[0x40b6e2] = '\x00'
|
|
mem[0x40b6e3] = '\x00'
|
|
mem[0x40b6dd] = 'H'
|
|
mem[0x40b6de] = '\x81'
|
|
mem[0x40b6df] = '\xec'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffda18)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x40b6dd
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x40b6e0, 8)== ord('('))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40b6e1, 8)== ord('\x10'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40b6e2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40b6e3, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40b6dd, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40b6de, 8)== ord('\x81'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x40b6df, 8)== ord('\xec'))
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffc9f0)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x40b6e4)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SUB_3_symbolic(self):
|
|
''' Instruction SUB_3
|
|
Groups:
|
|
0x7ffff7de406d: sub rsp, 8
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de4070] = '\x08'
|
|
mem[0x7ffff7de406d] = 'H'
|
|
mem[0x7ffff7de406e] = '\x83'
|
|
mem[0x7ffff7de406f] = '\xec'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == True)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd840)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de406d
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de4070, 8)== ord('\x08'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de406d, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de406e, 8)== ord('\x83'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de406f, 8)== ord('\xec'))
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.AF == True)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffd838)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de4071)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SUB_4_symbolic(self):
|
|
''' Instruction SUB_4
|
|
Groups:
|
|
0x7ffff7decc04: sub rsp, 0x1020
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7dec000, 0x1000, 'rwx')
|
|
mem[0x7ffff7decc04] = 'H'
|
|
mem[0x7ffff7decc05] = '\x81'
|
|
mem[0x7ffff7decc06] = '\xec'
|
|
mem[0x7ffff7decc07] = ' '
|
|
mem[0x7ffff7decc08] = '\x10'
|
|
mem[0x7ffff7decc09] = '\x00'
|
|
mem[0x7ffff7decc0a] = '\x00'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd0c0)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7decc04
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7decc04, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7decc05, 8)== ord('\x81'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7decc06, 8)== ord('\xec'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7decc07, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7decc08, 8)== ord('\x10'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7decc09, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7decc0a, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffc0a0)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7decc0b)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SUB_5_symbolic(self):
|
|
''' Instruction SUB_5
|
|
Groups:
|
|
0x7ffff7de060d: sub rsp, 0x1020
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de0000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de060d] = 'H'
|
|
mem[0x7ffff7de060e] = '\x81'
|
|
mem[0x7ffff7de060f] = '\xec'
|
|
mem[0x7ffff7de0610] = ' '
|
|
mem[0x7ffff7de0611] = '\x10'
|
|
mem[0x7ffff7de0612] = '\x00'
|
|
mem[0x7ffff7de0613] = '\x00'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd2e0)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == True)
|
|
cpu.RIP = 0x7ffff7de060d
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == True)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de060d, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de060e, 8)== ord('\x81'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de060f, 8)== ord('\xec'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0610, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0611, 8)== ord('\x10'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0612, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de0613, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffc2c0)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de0614)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_SUB_6_symbolic(self):
|
|
''' Instruction SUB_6
|
|
Groups:
|
|
0x7ffff7deb22d: sub rsp, 0x1078
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7deb000, 0x1000, 'rwx')
|
|
mem[0x7ffff7deb22d] = 'H'
|
|
mem[0x7ffff7deb22e] = '\x81'
|
|
mem[0x7ffff7deb22f] = '\xec'
|
|
mem[0x7ffff7deb230] = 'x'
|
|
mem[0x7ffff7deb231] = '\x10'
|
|
mem[0x7ffff7deb232] = '\x00'
|
|
mem[0x7ffff7deb233] = '\x00'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.AF = cs.new_bool()
|
|
cs.add(cpu.AF == True)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffd9f8)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7deb22d
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb22d, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb22e, 8)== ord('\x81'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb22f, 8)== ord('\xec'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb230, 8)== ord('x'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb231, 8)== ord('\x10'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb232, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7deb233, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.PF == False)
|
|
condition = Operators.AND(condition, cpu.AF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffc980)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7deb234)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_TEST_1_symbolic(self):
|
|
''' Instruction TEST_1
|
|
Groups:
|
|
0x7ffff7df459c: test al, al
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df459c] = '\x84'
|
|
mem[0x7ffff7df459d] = '\xc0'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7df459c
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0x6c)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459c, 8)== ord('\x84'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459d, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df459e)
|
|
condition = Operators.AND(condition, cpu.AL == 0x6c)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_TEST_2_symbolic(self):
|
|
''' Instruction TEST_2
|
|
Groups:
|
|
0x7ffff7df459c: test al, al
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df459c] = '\x84'
|
|
mem[0x7ffff7df459d] = '\xc0'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7df459c
|
|
cpu.AL = cs.new_bitvec(8)
|
|
cs.add(cpu.AL == 0x5f)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459c, 8)== ord('\x84'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df459d, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df459e)
|
|
condition = Operators.AND(condition, cpu.AL == 0x5f)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_TEST_3_symbolic(self):
|
|
''' Instruction TEST_3
|
|
Groups:
|
|
0x7ffff7de3892: test r15d, r15d
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3892] = 'E'
|
|
mem[0x7ffff7de3893] = '\x85'
|
|
mem[0x7ffff7de3894] = '\xff'
|
|
cpu.R15D = cs.new_bitvec(32)
|
|
cs.add(cpu.R15D == 0x0)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de3892
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3892, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3893, 8)== ord('\x85'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3894, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.R15D == 0x0)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3895)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_TEST_4_symbolic(self):
|
|
''' Instruction TEST_4
|
|
Groups:
|
|
0x7ffff7b58f07: test byte ptr [r8 - 4], 1
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a31000, 0x1000, 'rwx')
|
|
mem.mmap(0x7ffff7b58000, 0x1000, 'rwx')
|
|
mem[0x7ffff7b58f07] = 'A'
|
|
mem[0x7ffff7b58f08] = '\xf6'
|
|
mem[0x7ffff7b58f09] = '@'
|
|
mem[0x7ffff7b58f0a] = '\xfc'
|
|
mem[0x7ffff7b58f0b] = '\x01'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7ffff7a3193c)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xbc)
|
|
mem[addr] = value
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.R8 = cs.new_bitvec(64)
|
|
cs.add(cpu.R8 == 0x7ffff7a31940)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7b58f07
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f07, 8)== ord('A'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f08, 8)== ord('\xf6'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f09, 8)== ord('@'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f0a, 8)== ord('\xfc'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7b58f0b, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a3193c, 8)== ord('\xbc'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.R8 == 0x7ffff7a31940)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7b58f0c)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_TEST_5_symbolic(self):
|
|
''' Instruction TEST_5
|
|
Groups:
|
|
0x7ffff7ddc6b7: test rdi, rdi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7ddc000, 0x1000, 'rwx')
|
|
mem[0x7ffff7ddc6b8] = '\x85'
|
|
mem[0x7ffff7ddc6b9] = '\xff'
|
|
mem[0x7ffff7ddc6b7] = 'H'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7ddc6b7
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.RDI = cs.new_bitvec(64)
|
|
cs.add(cpu.RDI == 0x7ffff7ffa3a0)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc6b8, 8)== ord('\x85'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc6b9, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7ddc6b7, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7ddc6ba)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.RDI == 0x7ffff7ffa3a0)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_TEST_6_symbolic(self):
|
|
''' Instruction TEST_6
|
|
Groups:
|
|
0x406e88: test rbx, rbx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00406000, 0x1000, 'rwx')
|
|
mem[0x406e88] = 'H'
|
|
mem[0x406e89] = '\x85'
|
|
mem[0x406e8a] = '\xdb'
|
|
cpu.RBX = cs.new_bitvec(64)
|
|
cs.add(cpu.RBX == 0x7fffffffe927)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x406e88
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x406e88, 8)== ord('H'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406e89, 8)== ord('\x85'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x406e8a, 8)== ord('\xdb'))
|
|
condition = Operators.AND(condition, cpu.RBX == 0x7fffffffe927)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == False)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x406e8b)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VMOVD_1_symbolic(self):
|
|
''' Instruction VMOVD_1
|
|
Groups: avx
|
|
0x432054: vmovd xmm1, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432054] = '\xc5'
|
|
mem[0x432055] = '\xf9'
|
|
mem[0x432056] = 'n'
|
|
mem[0x432057] = '\xce'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x0)
|
|
cpu.RIP = 0x432054
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432054, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432055, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432056, 8)== ord('n'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432057, 8)== ord('\xce'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x0)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432058)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VMOVD_2_symbolic(self):
|
|
''' Instruction VMOVD_2
|
|
Groups: avx
|
|
0x432154: vmovd xmm1, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432154] = '\xc5'
|
|
mem[0x432155] = '\xf9'
|
|
mem[0x432156] = 'n'
|
|
mem[0x432157] = '\xce'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x0)
|
|
cpu.RIP = 0x432154
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432154, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432155, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432156, 8)== ord('n'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432157, 8)== ord('\xce'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x0)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432158)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VMOVD_3_symbolic(self):
|
|
''' Instruction VMOVD_3
|
|
Groups: avx
|
|
0x432124: vmovd xmm1, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432124] = '\xc5'
|
|
mem[0x432125] = '\xf9'
|
|
mem[0x432126] = 'n'
|
|
mem[0x432127] = '\xce'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x0)
|
|
cpu.RIP = 0x432124
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432124, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432125, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432126, 8)== ord('n'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432127, 8)== ord('\xce'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x0)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432128)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VMOVD_4_symbolic(self):
|
|
''' Instruction VMOVD_4
|
|
Groups: avx
|
|
0x434cd4: vmovd xmm1, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x434cd4] = '\xc5'
|
|
mem[0x434cd5] = '\xf9'
|
|
mem[0x434cd6] = 'n'
|
|
mem[0x434cd7] = '\xce'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x0)
|
|
cpu.RIP = 0x434cd4
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x434cd4, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x434cd5, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x434cd6, 8)== ord('n'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x434cd7, 8)== ord('\xce'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x0)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x434cd8)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VMOVD_5_symbolic(self):
|
|
''' Instruction VMOVD_5
|
|
Groups: avx
|
|
0x432134: vmovd xmm1, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432134] = '\xc5'
|
|
mem[0x432135] = '\xf9'
|
|
mem[0x432136] = 'n'
|
|
mem[0x432137] = '\xce'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x0)
|
|
cpu.RIP = 0x432134
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432134, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432135, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432136, 8)== ord('n'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432137, 8)== ord('\xce'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x0)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432138)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VMOVD_6_symbolic(self):
|
|
''' Instruction VMOVD_6
|
|
Groups: avx
|
|
0x432514: vmovd xmm1, esi
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432514] = '\xc5'
|
|
mem[0x432515] = '\xf9'
|
|
mem[0x432516] = 'n'
|
|
mem[0x432517] = '\xce'
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x0)
|
|
cpu.RIP = 0x432514
|
|
cpu.ESI = cs.new_bitvec(32)
|
|
cs.add(cpu.ESI == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432514, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432515, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432516, 8)== ord('n'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432517, 8)== ord('\xce'))
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x0)
|
|
condition = Operators.AND(condition, cpu.ESI == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432518)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VPSHUFB_1_symbolic(self):
|
|
''' Instruction VPSHUFB_1
|
|
Groups: avx
|
|
0x4321af: vpshufb xmm0, xmm1, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x4321b0] = '\xe2'
|
|
mem[0x4321b1] = 'q'
|
|
mem[0x4321b2] = '\x00'
|
|
mem[0x4321b3] = '\xc0'
|
|
mem[0x4321af] = '\xc4'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x0)
|
|
cpu.RIP = 0x4321af
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4321b0, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4321b1, 8)== ord('q'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4321b2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4321b3, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4321af, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4321b4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VPSHUFB_2_symbolic(self):
|
|
''' Instruction VPSHUFB_2
|
|
Groups: avx
|
|
0x43215f: vpshufb xmm0, xmm1, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432160] = '\xe2'
|
|
mem[0x432161] = 'q'
|
|
mem[0x432162] = '\x00'
|
|
mem[0x432163] = '\xc0'
|
|
mem[0x43215f] = '\xc4'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x0)
|
|
cpu.RIP = 0x43215f
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432160, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432161, 8)== ord('q'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432162, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432163, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43215f, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432164)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VPSHUFB_3_symbolic(self):
|
|
''' Instruction VPSHUFB_3
|
|
Groups: avx
|
|
0x43205f: vpshufb xmm0, xmm1, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432060] = '\xe2'
|
|
mem[0x432061] = 'q'
|
|
mem[0x432062] = '\x00'
|
|
mem[0x432063] = '\xc0'
|
|
mem[0x43205f] = '\xc4'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x0)
|
|
cpu.RIP = 0x43205f
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432060, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432061, 8)== ord('q'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432062, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432063, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43205f, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432064)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VPSHUFB_4_symbolic(self):
|
|
''' Instruction VPSHUFB_4
|
|
Groups: avx
|
|
0x43212f: vpshufb xmm0, xmm1, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432130] = '\xe2'
|
|
mem[0x432131] = 'q'
|
|
mem[0x432132] = '\x00'
|
|
mem[0x432133] = '\xc0'
|
|
mem[0x43212f] = '\xc4'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x0)
|
|
cpu.RIP = 0x43212f
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432130, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432131, 8)== ord('q'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432132, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432133, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43212f, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432134)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VPSHUFB_5_symbolic(self):
|
|
''' Instruction VPSHUFB_5
|
|
Groups: avx
|
|
0x43213f: vpshufb xmm0, xmm1, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432140] = '\xe2'
|
|
mem[0x432141] = 'q'
|
|
mem[0x432142] = '\x00'
|
|
mem[0x432143] = '\xc0'
|
|
mem[0x43213f] = '\xc4'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x0)
|
|
cpu.RIP = 0x43213f
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432140, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432141, 8)== ord('q'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432142, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432143, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43213f, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432144)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VPSHUFB_6_symbolic(self):
|
|
''' Instruction VPSHUFB_6
|
|
Groups: avx
|
|
0x434cdf: vpshufb xmm0, xmm1, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00434000, 0x1000, 'rwx')
|
|
mem[0x434ce0] = '\xe2'
|
|
mem[0x434ce1] = 'q'
|
|
mem[0x434ce2] = '\x00'
|
|
mem[0x434ce3] = '\xc0'
|
|
mem[0x434cdf] = '\xc4'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x0)
|
|
cpu.RIP = 0x434cdf
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x434ce0, 8)== ord('\xe2'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x434ce1, 8)== ord('q'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x434ce2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x434ce3, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x434cdf, 8)== ord('\xc4'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x434ce4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VPXOR_1_symbolic(self):
|
|
''' Instruction VPXOR_1
|
|
Groups: avx
|
|
0x4321a0: vpxor xmm0, xmm0, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x4321a0] = '\xc5'
|
|
mem[0x4321a1] = '\xf9'
|
|
mem[0x4321a2] = '\xef'
|
|
mem[0x4321a3] = '\xc0'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.RIP = 0x4321a0
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4321a0, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4321a1, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4321a2, 8)== ord('\xef'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4321a3, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4321a4)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VPXOR_2_symbolic(self):
|
|
''' Instruction VPXOR_2
|
|
Groups: avx
|
|
0x432510: vpxor xmm0, xmm0, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432510] = '\xc5'
|
|
mem[0x432511] = '\xf9'
|
|
mem[0x432512] = '\xef'
|
|
mem[0x432513] = '\xc0'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.RIP = 0x432510
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432510, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432511, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432512, 8)== ord('\xef'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432513, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432514)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VPXOR_3_symbolic(self):
|
|
''' Instruction VPXOR_3
|
|
Groups: avx
|
|
0x432050: vpxor xmm0, xmm0, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432050] = '\xc5'
|
|
mem[0x432051] = '\xf9'
|
|
mem[0x432052] = '\xef'
|
|
mem[0x432053] = '\xc0'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.RIP = 0x432050
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432050, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432051, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432052, 8)== ord('\xef'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432053, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432054)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VPXOR_4_symbolic(self):
|
|
''' Instruction VPXOR_4
|
|
Groups: avx
|
|
0x432150: vpxor xmm0, xmm0, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432150] = '\xc5'
|
|
mem[0x432151] = '\xf9'
|
|
mem[0x432152] = '\xef'
|
|
mem[0x432153] = '\xc0'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.RIP = 0x432150
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432150, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432151, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432152, 8)== ord('\xef'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432153, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432154)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VPXOR_5_symbolic(self):
|
|
''' Instruction VPXOR_5
|
|
Groups: avx
|
|
0x432130: vpxor xmm0, xmm0, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432130] = '\xc5'
|
|
mem[0x432131] = '\xf9'
|
|
mem[0x432132] = '\xef'
|
|
mem[0x432133] = '\xc0'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.RIP = 0x432130
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432130, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432131, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432132, 8)== ord('\xef'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432133, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432134)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VPXOR_6_symbolic(self):
|
|
''' Instruction VPXOR_6
|
|
Groups: avx
|
|
0x432130: vpxor xmm0, xmm0, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432130] = '\xc5'
|
|
mem[0x432131] = '\xf9'
|
|
mem[0x432132] = '\xef'
|
|
mem[0x432133] = '\xc0'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.RIP = 0x432130
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432130, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432131, 8)== ord('\xf9'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432132, 8)== ord('\xef'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x432133, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x432134)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VZEROUPPER_1_symbolic(self):
|
|
''' Instruction VZEROUPPER_1
|
|
Groups: avx
|
|
0x4322a9: vzeroupper
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x4322a9] = '\xc5'
|
|
mem[0x4322aa] = '\xf8'
|
|
mem[0x4322ab] = 'w'
|
|
cpu.RIP = 0x4322a9
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322a9, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322aa, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322ab, 8)== ord('w'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4322ac)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VZEROUPPER_2_symbolic(self):
|
|
''' Instruction VZEROUPPER_2
|
|
Groups: avx
|
|
0x432319: vzeroupper
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432319] = '\xc5'
|
|
mem[0x43231a] = '\xf8'
|
|
mem[0x43231b] = 'w'
|
|
cpu.RIP = 0x432319
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432319, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43231a, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43231b, 8)== ord('w'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x43231c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VZEROUPPER_3_symbolic(self):
|
|
''' Instruction VZEROUPPER_3
|
|
Groups: avx
|
|
0x4322c9: vzeroupper
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x4322c9] = '\xc5'
|
|
mem[0x4322ca] = '\xf8'
|
|
mem[0x4322cb] = 'w'
|
|
cpu.RIP = 0x4322c9
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322c9, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322ca, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322cb, 8)== ord('w'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4322cc)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VZEROUPPER_4_symbolic(self):
|
|
''' Instruction VZEROUPPER_4
|
|
Groups: avx
|
|
0x432229: vzeroupper
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432229] = '\xc5'
|
|
mem[0x43222a] = '\xf8'
|
|
mem[0x43222b] = 'w'
|
|
cpu.RIP = 0x432229
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432229, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43222a, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43222b, 8)== ord('w'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x43222c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VZEROUPPER_5_symbolic(self):
|
|
''' Instruction VZEROUPPER_5
|
|
Groups: avx
|
|
0x4322a9: vzeroupper
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x4322a9] = '\xc5'
|
|
mem[0x4322aa] = '\xf8'
|
|
mem[0x4322ab] = 'w'
|
|
cpu.RIP = 0x4322a9
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322a9, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322aa, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x4322ab, 8)== ord('w'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x4322ac)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_VZEROUPPER_6_symbolic(self):
|
|
''' Instruction VZEROUPPER_6
|
|
Groups: avx
|
|
0x432689: vzeroupper
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00432000, 0x1000, 'rwx')
|
|
mem[0x432689] = '\xc5'
|
|
mem[0x43268a] = '\xf8'
|
|
mem[0x43268b] = 'w'
|
|
cpu.RIP = 0x432689
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x432689, 8)== ord('\xc5'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43268a, 8)== ord('\xf8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43268b, 8)== ord('w'))
|
|
condition = Operators.AND(condition, cpu.RIP == 0x43268c)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XGETBV_1_symbolic(self):
|
|
''' Instruction XGETBV_1
|
|
Groups:
|
|
0x7ffff7a4eb1b: xgetbv
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4eb1b] = '\x0f'
|
|
mem[0x7ffff7a4eb1c] = '\x01'
|
|
mem[0x7ffff7a4eb1d] = '\xd0'
|
|
cpu.RIP = 0x7ffff7a4eb1b
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x0)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4eb1b, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4eb1c, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4eb1d, 8)== ord('\xd0'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4eb1e)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XGETBV_2_symbolic(self):
|
|
''' Instruction XGETBV_2
|
|
Groups:
|
|
0x437c0e: xgetbv
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00437000, 0x1000, 'rwx')
|
|
mem[0x437c10] = '\xd0'
|
|
mem[0x437c0e] = '\x0f'
|
|
mem[0x437c0f] = '\x01'
|
|
cpu.RIP = 0x437c0e
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x0)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x437c10, 8)== ord('\xd0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x437c0e, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x437c0f, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x437c11)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XGETBV_3_symbolic(self):
|
|
''' Instruction XGETBV_3
|
|
Groups:
|
|
0x7ffff7a4eb1b: xgetbv
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7a4e000, 0x1000, 'rwx')
|
|
mem[0x7ffff7a4eb1b] = '\x0f'
|
|
mem[0x7ffff7a4eb1c] = '\x01'
|
|
mem[0x7ffff7a4eb1d] = '\xd0'
|
|
cpu.RIP = 0x7ffff7a4eb1b
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x0)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4eb1b, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4eb1c, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7a4eb1d, 8)== ord('\xd0'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7a4eb1e)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XGETBV_4_symbolic(self):
|
|
''' Instruction XGETBV_4
|
|
Groups:
|
|
0x43a59e: xgetbv
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0043a000, 0x1000, 'rwx')
|
|
mem[0x43a5a0] = '\xd0'
|
|
mem[0x43a59e] = '\x0f'
|
|
mem[0x43a59f] = '\x01'
|
|
cpu.RIP = 0x43a59e
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x0)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x43a5a0, 8)== ord('\xd0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43a59e, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43a59f, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x43a5a1)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XGETBV_5_symbolic(self):
|
|
''' Instruction XGETBV_5
|
|
Groups:
|
|
0x43791e: xgetbv
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00437000, 0x1000, 'rwx')
|
|
mem[0x437920] = '\xd0'
|
|
mem[0x43791e] = '\x0f'
|
|
mem[0x43791f] = '\x01'
|
|
cpu.RIP = 0x43791e
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x0)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x437920, 8)== ord('\xd0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43791e, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x43791f, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x437921)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XGETBV_6_symbolic(self):
|
|
''' Instruction XGETBV_6
|
|
Groups:
|
|
0x437a6e: xgetbv
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00437000, 0x1000, 'rwx')
|
|
mem[0x437a70] = '\xd0'
|
|
mem[0x437a6e] = '\x0f'
|
|
mem[0x437a6f] = '\x01'
|
|
cpu.RIP = 0x437a6e
|
|
cpu.RCX = cs.new_bitvec(64)
|
|
cs.add(cpu.RCX == 0x0)
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x0)
|
|
cpu.RAX = cs.new_bitvec(64)
|
|
cs.add(cpu.RAX == 0x0)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x437a70, 8)== ord('\xd0'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x437a6e, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x437a6f, 8)== ord('\x01'))
|
|
condition = Operators.AND(condition, cpu.RAX == 0x7)
|
|
condition = Operators.AND(condition, cpu.RCX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x437a71)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XORPS_1_symbolic(self):
|
|
''' Instruction XORPS_1
|
|
Groups: sse1
|
|
0x530d2f: xorps xmm1, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00530000, 0x1000, 'rwx')
|
|
mem[0x530d30] = 'W'
|
|
mem[0x530d31] = '\xc8'
|
|
mem[0x530d2f] = '\x0f'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0xfffffffe0000002100000040fffffffe)
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0xffffffbeffffffdf00000061ffffffbe)
|
|
cpu.RIP = 0x530d2f
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x530d30, 8)== ord('W'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x530d31, 8)== ord('\xc8'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x530d2f, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0xfffffffe0000002100000040fffffffe)
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x40fffffffe0000002100000040)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x530d32)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XORPS_2_symbolic(self):
|
|
''' Instruction XORPS_2
|
|
Groups: sse1
|
|
0x530a6c: xorps xmm1, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00530000, 0x1000, 'rwx')
|
|
mem[0x530a6c] = '\x0f'
|
|
mem[0x530a6d] = 'W'
|
|
mem[0x530a6e] = '\xc8'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0xfffffffe8000000100000040fffffffe)
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0xffffffbe7fffffff80000041ffffffbe)
|
|
cpu.RIP = 0x530a6c
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x530a6c, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x530a6d, 8)== ord('W'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x530a6e, 8)== ord('\xc8'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0xfffffffe8000000100000040fffffffe)
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x40fffffffe8000000100000040)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x530a6f)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XORPS_3_symbolic(self):
|
|
''' Instruction XORPS_3
|
|
Groups: sse1
|
|
0x54f76a: xorps xmm0, xmmword ptr [rsp]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x0054f000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x54f76a] = '\x0f'
|
|
mem[0x54f76b] = 'W'
|
|
mem[0x54f76c] = '\x04'
|
|
mem[0x54f76d] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x0)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x54f76a
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x54f76a, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x54f76b, 8)== ord('W'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x54f76c, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x54f76d, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x8000000000007fff00007fff80000000)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x54f76e)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XORPS_4_symbolic(self):
|
|
''' Instruction XORPS_4
|
|
Groups: sse1
|
|
0x540f22: xorps xmm1, xmm0
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00540000, 0x1000, 'rwx')
|
|
mem[0x540f22] = '\x0f'
|
|
mem[0x540f23] = 'W'
|
|
mem[0x540f24] = '\xc8'
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x200000007f0000002100000020)
|
|
cpu.XMM1 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM1 == 0x21000000200000007f00000021)
|
|
cpu.RIP = 0x540f22
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x540f22, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x540f23, 8)== ord('W'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x540f24, 8)== ord('\xc8'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x200000007f0000002100000020)
|
|
condition = Operators.AND(condition, cpu.XMM1 == 0x10000005f0000005e00000001)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x540f25)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XORPS_5_symbolic(self):
|
|
''' Instruction XORPS_5
|
|
Groups: sse1
|
|
0x560955: xorps xmm0, xmmword ptr [rsp]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00560000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x7f)
|
|
mem[addr] = value
|
|
mem[0x560956] = 'W'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x21)
|
|
mem[addr] = value
|
|
mem[0x560957] = '\x04'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
mem[0x560955] = '\x0f'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
mem[0x560958] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x43)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x65)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x87)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0xff)
|
|
mem[addr] = value
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0xffffffff8765432100007fffffffffff)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x560955
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x87'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x560955, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x560956, 8)== ord('W'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x560957, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x560958, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('C'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('e'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord('!'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\xff'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x7f'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x560959)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XORPS_6_symbolic(self):
|
|
''' Instruction XORPS_6
|
|
Groups: sse1
|
|
0x551ec4: xorps xmm0, xmmword ptr [rsp]
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x00551000, 0x1000, 'rwx')
|
|
mem.mmap(0x7fffffffc000, 0x1000, 'rwx')
|
|
mem[0x551ec4] = '\x0f'
|
|
mem[0x551ec5] = 'W'
|
|
mem[0x551ec6] = '\x04'
|
|
mem[0x551ec7] = '$'
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb0)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb1)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb2)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb3)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb4)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb5)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb6)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb7)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb8)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x20)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccb9)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccba)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbb)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbc)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbd)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbe)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x0)
|
|
mem[addr] = value
|
|
addr = cs.new_bitvec(64)
|
|
cs.add(addr == 0x7fffffffccbf)
|
|
value = cs.new_bitvec(8)
|
|
cs.add(value == 0x80)
|
|
mem[addr] = value
|
|
cpu.XMM0 = cs.new_bitvec(128)
|
|
cs.add(cpu.XMM0 == 0x80000000000000200000002080000000)
|
|
cpu.RSP = cs.new_bitvec(64)
|
|
cs.add(cpu.RSP == 0x7fffffffccb0)
|
|
cpu.RIP = 0x551ec4
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x551ec4, 8)== ord('\x0f'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x551ec5, 8)== ord('W'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x551ec6, 8)== ord('\x04'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x551ec7, 8)== ord('$'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb0, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb1, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb2, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb3, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb4, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb5, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb6, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb7, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb8, 8)== ord(' '))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccb9, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccba, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbb, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbc, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbd, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbe, 8)== ord('\x00'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7fffffffccbf, 8)== ord('\x80'))
|
|
condition = Operators.AND(condition, cpu.XMM0 == 0x0)
|
|
condition = Operators.AND(condition, cpu.RSP == 0x7fffffffccb0)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x551ec8)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XOR_1_symbolic(self):
|
|
''' Instruction XOR_1
|
|
Groups:
|
|
0x7ffff7de6223: xor eax, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de6000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de6223] = '1'
|
|
mem[0x7ffff7de6224] = '\xc0'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de6223
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0xffffff00)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6223, 8)== ord('1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de6224, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de6225)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XOR_2_symbolic(self):
|
|
''' Instruction XOR_2
|
|
Groups:
|
|
0x7ffff7de405a: xor rdx, r13
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de405a] = 'L'
|
|
mem[0x7ffff7de405b] = '1'
|
|
mem[0x7ffff7de405c] = '\xea'
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.R13 = cs.new_bitvec(64)
|
|
cs.add(cpu.R13 == 0x7c96f087)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de405a
|
|
cpu.RDX = cs.new_bitvec(64)
|
|
cs.add(cpu.RDX == 0x7c96f087)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de405a, 8)== ord('L'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de405b, 8)== ord('1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de405c, 8)== ord('\xea'))
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.R13 == 0x7c96f087)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de405d)
|
|
condition = Operators.AND(condition, cpu.RDX == 0x0)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XOR_3_symbolic(self):
|
|
''' Instruction XOR_3
|
|
Groups:
|
|
0x7ffff7df45a0: xor eax, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df45a0] = '1'
|
|
mem[0x7ffff7df45a1] = '\xc0'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == True)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7df45a0
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0xf7ff7c00)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45a0, 8)== ord('1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df45a1, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df45a2)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XOR_4_symbolic(self):
|
|
''' Instruction XOR_4
|
|
Groups:
|
|
0x7ffff7de3ff6: xor edx, edx
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3ff6] = '1'
|
|
mem[0x7ffff7de3ff7] = '\xd2'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de3ff6
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.EDX = cs.new_bitvec(32)
|
|
cs.add(cpu.EDX == 0x3f3)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff6, 8)== ord('1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3ff7, 8)== ord('\xd2'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de3ff8)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.EDX == 0x0)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XOR_5_symbolic(self):
|
|
''' Instruction XOR_5
|
|
Groups:
|
|
0x7ffff7df40cc: xor eax, eax
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7df4000, 0x1000, 'rwx')
|
|
mem[0x7ffff7df40cc] = '1'
|
|
mem[0x7ffff7df40cd] = '\xc0'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7df40cc
|
|
cpu.EAX = cs.new_bitvec(32)
|
|
cs.add(cpu.EAX == 0x3c340000)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == False)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df40cc, 8)== ord('1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7df40cd, 8)== ord('\xc0'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7df40ce)
|
|
condition = Operators.AND(condition, cpu.EAX == 0x0)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
def test_XOR_6_symbolic(self):
|
|
''' Instruction XOR_6
|
|
Groups:
|
|
0x7ffff7de3699: xor r10d, r10d
|
|
'''
|
|
cs = ConstraintSet()
|
|
mem = SMemory64(cs)
|
|
cpu = AMD64Cpu(mem)
|
|
mem.mmap(0x7ffff7de3000, 0x1000, 'rwx')
|
|
mem[0x7ffff7de3699] = 'E'
|
|
mem[0x7ffff7de369a] = '1'
|
|
mem[0x7ffff7de369b] = '\xd2'
|
|
cpu.OF = cs.new_bool()
|
|
cs.add(cpu.OF == False)
|
|
cpu.ZF = cs.new_bool()
|
|
cs.add(cpu.ZF == False)
|
|
cpu.CF = cs.new_bool()
|
|
cs.add(cpu.CF == False)
|
|
cpu.RIP = 0x7ffff7de3699
|
|
cpu.R10D = cs.new_bitvec(32)
|
|
cs.add(cpu.R10D == 0xf7a2e000)
|
|
cpu.PF = cs.new_bool()
|
|
cs.add(cpu.PF == True)
|
|
cpu.SF = cs.new_bool()
|
|
cs.add(cpu.SF == False)
|
|
|
|
done = False
|
|
while not done:
|
|
try:
|
|
cpu.execute()
|
|
#cpu.writeback()
|
|
done = True
|
|
except ConcretizeRegister,e:
|
|
symbol = getattr(cpu, e.reg_name)
|
|
values = solver.get_all_values(cs, symbol)
|
|
self.assertEqual(len(values), 1)
|
|
setattr(cpu, e.reg_name, values[0])
|
|
|
|
condition = True
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de3699, 8)== ord('E'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de369a, 8)== ord('1'))
|
|
condition = Operators.AND(condition, cpu.read_int(0x7ffff7de369b, 8)== ord('\xd2'))
|
|
condition = Operators.AND(condition, cpu.OF == False)
|
|
condition = Operators.AND(condition, cpu.ZF == True)
|
|
condition = Operators.AND(condition, cpu.CF == False)
|
|
condition = Operators.AND(condition, cpu.RIP == 0x7ffff7de369c)
|
|
condition = Operators.AND(condition, cpu.R10D == 0x0)
|
|
condition = Operators.AND(condition, cpu.PF == True)
|
|
condition = Operators.AND(condition, cpu.SF == False)
|
|
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition)
|
|
self.assertTrue(solver.check(temp_cs))
|
|
with cs as temp_cs:
|
|
temp_cs.add(condition == False)
|
|
self.assertFalse(solver.check(temp_cs))
|
|
|
|
|
|
if __name__ == '__main__':
|
|
unittest.main()
|
|
|