Add the cmp [mem], reg semantic

JonathanSalwan · Feb 6, 2015 · 1c6a708 · 1c6a708
1 parent 0660754
commit 1c6a708
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 8 deletions.
diff --git a/src/core/instructions.cpp b/src/core/instructions.cpp
@@ -235,6 +235,18 @@ VOID Instruction(INS ins, VOID *v)
           IARG_UINT32, INS_MemoryReadSize(ins),
           IARG_END);
 
+      /* cmp [mem], reg */
+      else if (INS_OperandCount(ins) == 3 && INS_MemoryOperandIsRead(ins, 0) && INS_OperandIsReg(ins, 1))
+        INS_InsertCall(
+          ins, IPOINT_BEFORE, (AFUNPTR)addMemReg,
+          IARG_PTR, new string(INS_Disassemble(ins)),
+          IARG_ADDRINT, INS_Address(ins),
+          IARG_CONTEXT,
+          IARG_UINT32, INS_OperandReg(ins, 1),
+          IARG_MEMORYOP_EA, 0,
+          IARG_UINT32, INS_MemoryReadSize(ins),
+          IARG_END);
+
       else
         /* Callback for semantics not yet implemented */
         INS_InsertCall(

diff --git a/src/includes/Triton.h b/src/includes/Triton.h
@@ -43,21 +43,29 @@ extern boost::format            outputInstruction;
 /* decl */
 VOID            Image(IMG img, VOID *v);
 VOID            Instruction(INS ins, VOID *v);
-VOID            addMemImm(std::string insDis, ADDRINT insAddr, UINT64 imm, UINT64 mem, UINT64 writeSize);
-VOID            addMemReg(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, UINT64 mem, UINT64 writeSize);
+
+VOID            addMemImm(std::string insDis, ADDRINT insAddr, UINT64 imm, UINT64 mem, UINT32 writeSize);
+VOID            addMemReg(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, UINT64 mem, UINT32 writeSize);
 VOID            addRegImm(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, UINT64 imm);
 VOID            addRegReg(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, REG reg2);
+
 VOID            branchs(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, UINT32 opcode);
+
 VOID            cmpMemImm(std::string insDis, ADDRINT insAddr, UINT64 imm, UINT64 mem, UINT32 readSize);
+VOID            cmpMemReg(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, UINT64 mem, UINT32 readSize);
 VOID            cmpRegImm(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, UINT64 imm);
 VOID            cmpRegReg(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, REG reg2);
+
 VOID            movMemImm(std::string insDis, ADDRINT insAddr, UINT64 imm, UINT64 mem, UINT32 writeSize, INT32 opcode);
 VOID            movMemReg(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, UINT64 mem, UINT32 writeSize, INT32 opcode);
 VOID            movRegImm(std::string insDis, ADDRINT insAddr, REG reg1, UINT64 imm, INT32 opcode);
 VOID            movRegMem(std::string insDis, ADDRINT insAddr, REG reg1, UINT64 mem, UINT32 readSize, INT32 opcode);
 VOID            movRegReg(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, REG reg2, INT32 opcode);
+
 VOID            notImplemented(std::string insDis, ADDRINT insAddr);
+
 VOID            popReg(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, UINT64 mem, UINT32 readSize);
+
 VOID            pushImm(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, UINT64 imm, UINT64 mem, UINT32 writeSize);
 VOID            pushReg(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, UINT64 mem, UINT32 writeSize);
 

diff --git a/src/ir/add.cpp b/src/ir/add.cpp
@@ -120,7 +120,7 @@ VOID addRegReg(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, REG
 }
 
 
-VOID addMemImm(std::string insDis, ADDRINT insAddr, UINT64 imm, UINT64 mem, UINT64 writeSize)
+VOID addMemImm(std::string insDis, ADDRINT insAddr, UINT64 imm, UINT64 mem, UINT32 writeSize)
 {
   if (_analysisStatus == LOCKED || insAddr > LIB_MAPING_MEMORY)
     return;
@@ -135,7 +135,6 @@ VOID addMemImm(std::string insDis, ADDRINT insAddr, UINT64 imm, UINT64 mem, UINT
   expr << ")";
 
   SymbolicElement *elem = trace->symbolicEngine->newSymbolicElement(expr);
-  trace->symbolicEngine->symbolicReg[ID_ZF] = elem->getID();
 
   /* Craft the Tritinst */
   Tritinst *inst = new Tritinst(insAddr, insDis);
@@ -158,7 +157,7 @@ VOID addMemImm(std::string insDis, ADDRINT insAddr, UINT64 imm, UINT64 mem, UINT
 }
 
 
-VOID addMemReg(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, UINT64 mem, UINT64 writeSize)
+VOID addMemReg(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, UINT64 mem, UINT32 writeSize)
 {
   if (_analysisStatus == LOCKED || insAddr > LIB_MAPING_MEMORY)
     return;
@@ -184,7 +183,6 @@ VOID addMemReg(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, UINT
 
   /* Craft the symbolic element */
   SymbolicElement *elem = trace->symbolicEngine->newSymbolicElement(expr);
-  trace->symbolicEngine->symbolicReg[ID_ZF] = elem->getID();
 
   /* Craft the Tritinst */
   Tritinst *inst = new Tritinst(insAddr, insDis);

diff --git a/src/ir/cmp.cpp b/src/ir/cmp.cpp
@@ -9,8 +9,8 @@
  * reg, imm <- done
  * reg, reg <- done
  * mem, imm <- done
+ * mem, reg <- done
  *
- * mem, reg <- todo
  * reg, mem <- todo
  *
  * ZF <- done
@@ -118,7 +118,7 @@ VOID cmpMemImm(std::string insDis, ADDRINT insAddr, UINT64 imm, UINT64 mem, UINT
   if (_analysisStatus == LOCKED || insAddr > LIB_MAPING_MEMORY)
     return;
 
-  std::stringstream expr, vr1, vr2;
+  std::stringstream expr;
 
   expr << "(assert (= ";
   if (trace->symbolicEngine->isMemoryReference(mem) != UNSET)
@@ -146,3 +146,47 @@ VOID cmpMemImm(std::string insDis, ADDRINT insAddr, UINT64 imm, UINT64 mem, UINT
 }
 
 
+VOID cmpMemReg(std::string insDis, ADDRINT insAddr, CONTEXT *ctx, REG reg1, UINT64 mem, UINT32 readSize)
+{
+  if (_analysisStatus == LOCKED || insAddr > LIB_MAPING_MEMORY)
+    return;
+
+  std::stringstream expr, vr1, vr2;
+
+  UINT64 reg1_ID = translatePinRegToID(reg1);
+
+  /* Operand 1 - mem */
+  if (trace->symbolicEngine->isMemoryReference(mem) != UNSET)
+    vr1 << "(" << smt2lib_extract(readSize) << "#" << std::dec << trace->symbolicEngine->isMemoryReference(mem) << ")";
+  else
+    vr1 << smt2lib_bv(derefMem(mem, readSize), readSize);
+
+  /* Operand 1 - reg */
+  if (trace->symbolicEngine->symbolicReg[reg1_ID] != UNSET)
+    vr2 << "#" << std::dec << trace->symbolicEngine->symbolicReg[reg1_ID];
+  else
+    vr2 << smt2lib_bv(PIN_GetContextReg(ctx, getHighReg(reg1)), readSize);
+
+  /* expression op1 op2 */
+  expr << "(assert (= " << vr1.str() << " " << vr2.str() << "))";
+
+  /* Craft the symbolic element */
+  SymbolicElement *elem = trace->symbolicEngine->newSymbolicElement(expr);
+  trace->symbolicEngine->symbolicReg[ID_ZF] = elem->getID();
+
+  /* Craft the Tritinst */
+  Tritinst *inst = new Tritinst(insAddr, insDis);
+  inst->addElement(elem);
+
+  /* Add the Tritinst in the trace */
+  trace->addInstruction(inst);
+
+  /* Apply taint */
+  if (trace->taintEngine->isMemoryTainted(mem) || trace->taintEngine->isRegTainted(reg1_ID))
+    elem->isTainted = TAINTED;
+
+  displayTrace(insAddr, insDis, elem);
+
+  return ;
+}
+