from triton import *from capstone import *from z3 import *import osimpor

1. from triton import *
2. from capstone import *
3. from z3 import *
4. import os
5. import struct
6.  
7. entry_address = 0x400078
8. rsp_val = 0x7fffffffde40
9.  
10. def initRegs(t,SymCtx):
11.     global rsp_val
12.     t.concretizeAllRegister()
13.     SymCtx["symRbx"] = t.symbolizeRegister(t.registers.rbx)
14.     t.symbolizeRegister(t.registers.sf)
15.     t.symbolizeRegister(t.registers.of)
16.     t.setConcreteRegisterValue(t.registers.rsp,rsp_val)
17.     return SymCtx
18.  
19. def initMem(t,SymCtx):
20.     t.concretizeAllMemory()
21.     rspConcrete = t.getConcreteRegisterValue(t.registers.rsp)
22.     SymCtx["mem"] = MemoryAccess(rspConcrete,2)
23.     print("symbolize: ",SymCtx["mem"])
24.     SymCtx["symMemRsp2"] = t.symbolizeMemory(SymCtx["mem"])
25.     return SymCtx
26.  
27. def init(SymCtx):
28.     t = TritonContext()
29.     t.setArchitecture(ARCH.X86_64)
30.     t.enableSymbolicEngine(True)
31.     t.enableTaintEngine(True)
32.     SymCtx = initRegs(t,SymCtx)
33.     initMem(t,SymCtx)
34.     return t,SymCtx
35.  
36. def disasm(itext,address):
37.     cs = Cs(CS_ARCH_X86,CS_MODE_64)
38.     insns = dict()
39.     pc = address
40.     count = 0
41.     for insn in cs.disasm(itext,address):
42.         raw_insn = bytes(insn.bytes)
43.         insns[pc]=raw_insn
44.         size_insn = len(raw_insn)
45.         pc+=size_insn
46.         count+=1
47.     return insns,count
48.  
49. def get_decoded_insns(address):
50.     filename = "code.bin"
51.     f = open(filename,"rb")
52.     size = os.stat(filename).st_size
53.     itext = f.read(size)
54.     f.close()
55.     insns,count = disasm(itext,address)
56.     return insns,count
57.  
58. def load(t,SymCtx):
59.     global entry_address
60.     pc = entry_address
61.     insns,count = get_decoded_insns(address=pc)
62.     for i in range(count):
63.         insn = Instruction()
64.         insn.setAddress(pc)
65.         insn.setOpcode(insns[pc])
66.         supported = t.processing(insn)
67.         if not supported:
68.             return (False,insn)
69.         print(insn)
70.         if insn.isBranch():
71.             break
72.         AstNodeRip = t.getRegisterAst(t.registers.rip)
73.         pc = AstNodeRip.evaluate()
74.     return True,None,SymCtx
75.  
76. def getTrueModel(t,constraint):
77.     if t.isSat(constraint):
78.         return t.getModel(constraint)
79.     else:
80.         return None
81.  
82. def getFalseModel(t,constraint):
83.     astctx = t.getAstContext()
84.     constraint = astctx.lnot(constraint)
85.     if t.isSat(constraint):
86.         return t.getModel(constraint)
87.     else:
88.         return None
89.  
90. def extractVarsModel(t,model,SymCtx):
91.     symRbx = SymCtx["symRbx"]
92.     symMemRsp2 = SymCtx["symMemRsp2"]
93.     rbx_val = model[symRbx.getId()].getValue()
94.     memRsp2_val = model[symMemRsp2]
95.     return {"rbx":rbx_val,"mdword_rsp":MemRsp2_val}
96.  
97. def emulate_init(t,init_vals,SymCtx):
98.     global rsp_val
99.     t.reset()
100.     t.setArchitecture(ARCH.X86_64)
101.     t.enableSymbolicEngine(False)
102.     t.enableTaintEngine(False)
103.     rbx_val = init_vals["rbx"]
104.     mdword_rsp_le = init_vals['mdword_rsp']
105.     t.setConcreteRegisterValue(t.registers.rsp,rsp_val)
106.     t.setConcreteRegisterValue(t.registers.rbx,rbx_val)
107.     t.setConcreteMemoryValue(SymCtx["mem"],mdword_rsp_le)
108.  
109. def emulate(t,init_vals,SymCtx):
110.     global entry_address
111.     emulate_init(t,init_vals,SymCtx)
112.     insns,count = get_decoded_insns(entry_address)
113.     pc = entry_address
114.     for i in range(count):
115.         insn = Instruction()
116.         insn.setAddress(pc)
117.         insn.setOpcode(insns[pc])
118.         t.processing(insn)
119.         if insn.isBranch():
120.             is_branch_taken = insn.isConditionTaken()
121.             return is_branch_taken
122.         RipAstNode = t.getRegisterAst(t.registers.rip)
123.         pc = RipAstNode.evaluate()
124.     return None
125.  
126. def getConstraint(t):
127.     astctx = t.getAstContext()
128.     pcoRef = t.getPathPredicate()
129.     pcoFull = astctx.unroll(pcoRef)
130.     return pcoFull
131.    
132.  
133. def getBranchModels(t):
134.     astctx = t.getAstContext()
135.     constraint = getConstraint(t)
136.     model1 = getTrueModel(t,constraint)
137.     model2 = getFalseModel(t,constraint)
138.     return model1,model2
139.  
140. def solve(t,SymCtx):
141.  
142.     model1,model2 = getBranchModels(t,SymCtx)
143.  
144.     TVars = dict()
145.     FVars = dict()
146.  
147.     if model1 != None:
148.         TVars = extractVarsModel(t,model1,SymCtx)
149.         branch_taken = emulate(t,TVars,SymCtx)
150.         if branch_taken:
151.             keys = list(TVars.keys())
152.             print("\n[+] Complete Emulate for Branch Taken\n[*] Model representated in little endian:\n\t%s:%d,%s:%d" % (keys[0],TVars[keys[0]],keys[1],TVars[keys[1]]))
153.         else:
154.             print("[-] Not found model for Branch Taken")
155.        
156.     if model2 != None:
157.         FVars = extractVarsModel(model2,SymCtx)
158.         branch_taken = emulate(t,FVars,SymCtx)
159.         if branch_taken:
160.             keys = list(FVars.keys())
161.             print("\n[+] Complete Emulate for Branch No Taken\n[*] Model representated in little endian:\n\t%s:%d,%s:%d" % (keys[0],FVars[keys[0]],keys[1],FVars[keys[1]]))
162.     else:
163.         print("[-] Not found model for Branch No Taken")
164.  
165. def main():
166.  
167.     SymCtx = {
168.             "symRbx":None,
169.             "mem":None,
170.             "symMemRsp2":None
171.             }
172.  
173.     t,SymCtx = init(SymCtx)
174.     status,unsupInsn,SymCtx = load(t,SymCtx)
175.     if not status:
176.         print("error support ->",unsupInsn)
177.         os.exit(-1)
178.     solve(t,SymCtx)
179.  
180. if __name__ == "__main__":
181.     main()