/// <summary>
/// A register handed to a callee as an <c>out</c> argument must lose its
/// known constant: after the call the propagator reports it as
/// <c>&lt;invalid&gt;</c>, and a subsequent copy from it is invalid too.
/// </summary>
public void EP_AddrOf()
{
    var arch = new FakeArchitecture();
    var builder = new ProgramBuilder(arch);
    Identifier regR2 = null;
    Identifier regR3 = null;
    var proc = builder.Add("main", m =>
    {
        regR2 = m.Register("r2");
        regR3 = m.Register("r3");
        // R2 now holds a definite constant.
        m.Assign(regR2, 0x1234);
        // R2 is passed by reference; the callee may overwrite it, so the
        // propagator cannot keep the constant afterwards.
        m.SideEffect(m.Fn("Foo", m.Out(PrimitiveType.Pointer32, regR2)));
        m.Assign(regR3, regR2);
    });

    var ctx = new SymbolicEvaluationContext(arch, proc.Frame);
    var ep = new ExpressionPropagator(arch, new ExpressionSimplifier(ctx), ctx, new ProgramDataFlow());
    ctx.RegisterState[arch.StackRegister] = proc.Frame.FramePointer;
    var stms = proc.EntryBlock.Succ[0].Statements;

    stms[0].Instruction.Accept(ep);
    Assert.AreEqual("0x00001234", ctx.GetValue(regR2).ToString());

    var callInstr = stms[1].Instruction.Accept(ep);
    Assert.AreEqual("Foo(out r2)", callInstr.ToString());
    Assert.AreEqual("<invalid>", ctx.GetValue(regR2).ToString());

    var copyInstr = stms[2].Instruction.Accept(ep);
    Assert.AreEqual("r3 = r2", copyInstr.ToString());
    Assert.AreEqual("<invalid>", ctx.GetValue(regR2).ToString());
    Assert.AreEqual("<invalid>", ctx.GetValue(regR3).ToString());
}
/// <summary>
/// Creates a new symbolic evaluation context and evaluator bound to
/// <paramref name="frame"/>, and seeds the <c>esp</c> temporary (created on
/// first use) with the frame pointer.
/// </summary>
/// <param name="frame">Frame the new context is bound to.</param>
private void CreateSymbolicEvaluator(Frame frame)
{
    ctx = new SymbolicEvaluationContext(arch, frame);
    se = new SymbolicEvaluator(ctx);
    // Lazily create the stack-pointer temporary shared by the tests.
    esp = esp ?? Tmp32("esp");
    ctx.SetValue(esp, frame.FramePointer);
}
/// <summary>
/// Per-test fixture: a fake architecture, an empty procedure "Test" with a
/// frame, its flow record, a symbolic context, and the summarizer under test.
/// </summary>
public void Setup()
{
    arch = new FakeArchitecture();
    proc = new Procedure("Test", new Frame(arch.FramePointerType));
    ctx = new SymbolicEvaluationContext(arch, proc.Frame);
    flow = new ProcedureFlow(proc, arch);
    trs = new TrashedRegisterSummarizer(arch, proc, flow, ctx);
}
/// <summary>
/// Initializes a summarizer for <paramref name="proc"/>, starting with
/// empty trashed/preserved register sets.
/// </summary>
/// <param name="arch">Processor architecture of the procedure.</param>
/// <param name="proc">Procedure whose register effects are summarized.</param>
/// <param name="pf">Flow record that receives the summary.</param>
/// <param name="ctx">Symbolic context holding register values at exit.</param>
public TrashedRegisterSummarizer(IProcessorArchitecture arch, Procedure proc, ProcedureFlow pf, SymbolicEvaluationContext ctx)
{
    this.arch = arch;
    this.proc = proc;
    this.pf = pf;
    this.ctx = ctx;
    this.cmp = new ExpressionValueComparer();
    this.trashed = new HashSet<RegisterStorage>();
    this.preserved = new HashSet<RegisterStorage>();
}
/// <summary>
/// Resets the symbolic context and evaluator to the procedure owning
/// <paramref name="block"/>, using a trashed-register-aware simplifier.
/// </summary>
/// <param name="block">Block whose procedure provides the architecture and frame.</param>
private void CreateEvaluationState(Block block)
{
    var owner = block.Procedure;
    this.ctx = new SymbolicEvaluationContext(owner.Architecture, owner.Frame);
    var simplifier = new TrashedExpressionSimplifier(this.program.SegmentMap, this, this.ctx);
    this.se = new SymbolicEvaluator(simplifier, this.ctx);
}
/// <summary>
/// Rebuilds the symbolic context and evaluator for <paramref name="frame"/>
/// and records the frame pointer as the value of the shared <c>esp</c>
/// temporary, which is allocated the first time it is needed.
/// </summary>
/// <param name="frame">Frame the context is bound to.</param>
private void CreateSymbolicEvaluator(Frame frame)
{
    this.ctx = new SymbolicEvaluationContext(arch, frame);
    this.se = new SymbolicEvaluator(this.ctx);
    this.esp = this.esp ?? Tmp32("esp");
    this.ctx.SetValue(this.esp, frame.FramePointer);
}
/// <summary>
/// Creates a summarizer that will classify the registers of
/// <paramref name="proc"/> as trashed or preserved; both sets start empty.
/// </summary>
/// <param name="arch">Processor architecture of the procedure.</param>
/// <param name="proc">Procedure being summarized.</param>
/// <param name="pf">Flow record the summary is written to.</param>
/// <param name="ctx">Symbolic context with the procedure's exit state.</param>
public TrashedRegisterSummarizer(IProcessorArchitecture arch, Procedure proc, ProcedureFlow pf, SymbolicEvaluationContext ctx)
{
    trashed = new HashSet<RegisterStorage>();
    preserved = new HashSet<RegisterStorage>();
    cmp = new ExpressionValueComparer();
    this.ctx = ctx;
    this.pf = pf;
    this.proc = proc;
    this.arch = arch;
}
/// <summary>
/// Creates a propagator that rewrites instructions using the values known
/// in <paramref name="ctx"/>, simplifying results with <paramref name="simplifier"/>.
/// </summary>
/// <param name="platform">Platform of the program being analyzed.</param>
/// <param name="simplifier">Simplifier applied to substituted expressions.</param>
/// <param name="ctx">Symbolic context supplying current register/stack values.</param>
/// <param name="flow">Program-wide data flow information.</param>
public ExpressionPropagator(
    IPlatform platform,
    ExpressionSimplifier simplifier,
    SymbolicEvaluationContext ctx,
    ProgramDataFlow flow)
{
    this.flow = flow;
    this.ctx = ctx;
    this.eval = simplifier;
    this.platform = platform;
    // The substitutor replaces identifiers with their values from ctx.
    this.sub = new Substitutor(ctx);
}
/// <summary>
/// Creates a propagator that substitutes known values from
/// <paramref name="ctx"/> into instructions and simplifies the result.
/// </summary>
/// <param name="arch">Processor architecture of the program.</param>
/// <param name="simplifier">Simplifier applied after substitution.</param>
/// <param name="ctx">Symbolic context with the current known values.</param>
/// <param name="flow">Program-wide data flow information.</param>
public ExpressionPropagator(
    IProcessorArchitecture arch,
    ExpressionSimplifier simplifier,
    SymbolicEvaluationContext ctx,
    ProgramDataFlow flow)
{
    this.sub = new Substitutor(ctx);
    this.flow = flow;
    this.ctx = ctx;
    this.eval = simplifier;
    this.arch = arch;
}
/// <summary>
/// Builds a symbolic context for <paramref name="frame"/>, an evaluator that
/// simplifies against the segment map, and seeds the shared <c>esp</c>
/// temporary (created on first use) with the frame pointer.
/// </summary>
/// <param name="frame">Frame the context is bound to.</param>
private void CreateSymbolicEvaluator(Frame frame)
{
    ctx = new SymbolicEvaluationContext(arch, frame);
    var simplifier = new ExpressionSimplifier(segmentMap, ctx, listener);
    se = new SymbolicEvaluator(simplifier, ctx);
    esp = esp ?? Tmp32("esp");
    ctx.SetValue(esp, frame.FramePointer);
}
/// <summary>
/// An identifier typed via a <c>DWORD</c> reference to int32 and bound to a
/// constant is replaced by that constant; here the resulting data type is
/// the underlying <c>int32</c>.
/// </summary>
public void Idc_ConstantReferenceInt()
{
    var dwordRef = new TypeReference("DWORD", PrimitiveType.Int32);
    var regEdx = new Identifier("edx", dwordRef, Registers.edx);
    // No architecture or frame is needed to look up a single identifier.
    var ctx = new SymbolicEvaluationContext(null, null);
    ctx.SetValue(regEdx, Constant.Int32(321));

    var rule = new IdConstant(ctx, new Unifier(null));
    Assert.IsTrue(rule.Match(regEdx));
    var result = rule.Transform();

    Assert.AreEqual("321", result.ToString());
    Assert.AreEqual("int32", result.DataType.ToString());
}
/// <summary>
/// An identifier typed via a <c>DWORD</c> reference to int32 and bound to a
/// constant is replaced by that constant; the replacement keeps the
/// <c>DWORD</c> type reference rather than the underlying primitive.
/// </summary>
public void Idc_ConstantReferenceInt()
{
    var dwordRef = new TypeReference("DWORD", PrimitiveType.Int32);
    var regEdx = new Identifier("edx", dwordRef, Registers.edx);
    var ctx = new SymbolicEvaluationContext(null, null);
    ctx.SetValue(regEdx, Constant.Int32(321));

    var rule = new IdConstant(ctx, new Unifier(null), listener);
    Assert.IsTrue(rule.Match(regEdx));
    var result = rule.Transform();

    Assert.AreEqual("321", result.ToString());
    Assert.AreEqual("DWORD", result.DataType.ToString());
}
/// <summary>
/// An identifier typed via an <c>INTPTR</c> reference to a pointer-to-int32
/// and bound to an integer constant is replaced by a pointer-typed constant.
/// </summary>
public void Idc_ConstantReferencePointerToInt()
{
    var intptrRef = new TypeReference("INTPTR", new Pointer(PrimitiveType.Int32, 4));
    var regEdx = new Identifier("edx", intptrRef, Registers.edx);
    var ctx = new SymbolicEvaluationContext(null, null);
    ctx.SetValue(regEdx, Constant.Int32(0x567));

    var rule = new IdConstant(ctx, new Unifier(null), listener);
    Assert.IsTrue(rule.Match(regEdx));
    var result = rule.Transform();

    Assert.AreEqual("00000567", result.ToString());
    Assert.AreEqual("(ptr int32)", result.DataType.ToString());
}
/// <summary>
/// A conditional branch on a flag is left intact by the propagator when
/// nothing is known about the flag.
/// </summary>
public void EP_TestCondition()
{
    var builder = new ProgramBuilder();
    builder.Add("main", m =>
    {
        m.Label("foo");
        m.BranchCc(ConditionCode.EQ, "foo");
        m.Return();
    });
    var proc = builder.BuildProgram().Procedures.Values.First();

    var arch = new IntelArchitecture(ProcessorMode.Protected32);
    var ctx = new SymbolicEvaluationContext(arch, proc.Frame);
    var ep = new ExpressionPropagator(null, new ExpressionSimplifier(ctx), ctx, new ProgramDataFlow());

    var branch = proc.EntryBlock.Succ[0].Statements[0].Instruction;
    var result = branch.Accept(ep);
    Assert.AreEqual("branch Test(EQ,Z) foo", result.ToString());
}
/// <summary>
/// Propagating through a flag-based conditional branch with no known flag
/// value leaves the branch unchanged.
/// </summary>
public void EP_TestCondition()
{
    var builder = new ProgramBuilder();
    builder.Add("main", m =>
    {
        m.Label("foo");
        m.BranchCc(ConditionCode.EQ, "foo");
        m.Return();
    });
    var program = builder.BuildProgram();
    var proc = program.Procedures.Values.First();

    var ctx = new SymbolicEvaluationContext(new IntelArchitecture(ProcessorMode.Protected32), proc.Frame);
    var simplifier = new ExpressionSimplifier(ctx);
    var ep = new ExpressionPropagator(null, simplifier, ctx, new ProgramDataFlow());

    var firstStm = proc.EntryBlock.Succ[0].Statements[0];
    var rewritten = firstStm.Instruction.Accept(ep);
    Assert.AreEqual("branch Test(EQ,Z) foo", rewritten.ToString());
}
/// <summary>
/// A flag-group assignment <c>SZO = cond(v4)</c> keeps the temporary as its
/// operand; the propagator does not fold the temporary's defining
/// expression into the condition.
/// </summary>
public void EP_ConditionOf()
{
    var builder = new ProgramBuilder();
    var proc = builder.Add("main", m =>
    {
        var flags = m.Frame.EnsureFlagGroup(0x7, "SZO", PrimitiveType.Byte);
        var regEbx = m.Frame.EnsureRegister(new RegisterStorage("ebx", 0, PrimitiveType.Word32));
        var tmp = m.Frame.CreateTemporary(PrimitiveType.Word16);
        m.Assign(tmp, m.IAdd(m.LoadW(regEbx), 1));
        m.Store(regEbx, tmp);
        m.Assign(flags, m.Cond(tmp));
        m.Return();
    });

    var arch = new IntelArchitecture(ProcessorMode.Protected32);
    var ctx = new SymbolicEvaluationContext(arch, proc.Frame);
    var ep = new ExpressionPropagator(null, new ExpressionSimplifier(ctx), ctx, new ProgramDataFlow());

    // Statement 2 is the flag assignment; the two earlier ones are not propagated here.
    var condAssign = proc.EntryBlock.Succ[0].Statements[2].Instruction;
    var result = condAssign.Accept(ep);
    Assert.AreEqual("SZO = cond(v4)", result.ToString());
}
/// <summary>
/// A register argument of a call is replaced by the constant it was
/// assigned just before the call.
/// </summary>
public void EP_Application()
{
    var builder = new ProgramBuilder();
    var proc = builder.Add("main", m =>
    {
        var regR1 = m.Frame.EnsureRegister(new RegisterStorage("r1", 1, PrimitiveType.Word32));
        m.Assign(regR1, m.Word32(0x42));
        m.SideEffect(m.Fn("foo", regR1));
        m.Return();
    });

    var ctx = new SymbolicEvaluationContext(new FakeArchitecture(), proc.Frame);
    var ep = new ExpressionPropagator(null, new ExpressionSimplifier(ctx), ctx, new ProgramDataFlow());

    var stms = proc.EntryBlock.Succ[0].Statements;
    // Propagate the assignment first so r1's value is known at the call.
    stms[0].Instruction.Accept(ep);
    var call = stms[1].Instruction.Accept(ep);
    Assert.AreEqual("foo(0x00000042)", call.ToString());
}
/// <summary>
/// Propagating the flag assignment <c>SZO = cond(v4)</c> leaves the
/// temporary in place instead of substituting its defining expression.
/// </summary>
public void EP_ConditionOf()
{
    var builder = new ProgramBuilder();
    var proc = builder.Add("main", m =>
    {
        var szo = m.Frame.EnsureFlagGroup(0x7, "SZO", PrimitiveType.Byte);
        var ebx = m.Frame.EnsureRegister(new RegisterStorage("ebx", 0, PrimitiveType.Word32));
        var v4 = m.Frame.CreateTemporary(PrimitiveType.Word16);
        m.Assign(v4, m.IAdd(m.LoadW(ebx), 1));
        m.Store(ebx, v4);
        m.Assign(szo, m.Cond(v4));
        m.Return();
    });

    var ctx = new SymbolicEvaluationContext(new IntelArchitecture(ProcessorMode.Protected32), proc.Frame);
    var simplifier = new ExpressionSimplifier(ctx);
    var ep = new ExpressionPropagator(null, simplifier, ctx, new ProgramDataFlow());

    var stms = proc.EntryBlock.Succ[0].Statements;
    var rewritten = stms[2].Instruction.Accept(ep);
    Assert.AreEqual("SZO = cond(v4)", rewritten.ToString());
}
/// <summary>
/// An identifier typed via an <c>INTPTR</c> reference to pointer-to-int32
/// and bound to an integer constant is rewritten as a pointer-typed
/// constant.
/// </summary>
public void Idc_ConstantReferencePointerToInt()
{
    var ptrType = new Pointer(PrimitiveType.Int32, 4);
    var intptrRef = new TypeReference("INTPTR", ptrType);
    var regEdx = new Identifier("edx", intptrRef, Registers.edx);
    var ctx = new SymbolicEvaluationContext(null, null);
    ctx.SetValue(regEdx, Constant.Int32(0x567));

    var rule = new IdConstant(ctx, new Unifier(null));
    Assert.IsTrue(rule.Match(regEdx));
    var result = rule.Transform();

    Assert.AreEqual("00000567", result.ToString());
    Assert.AreEqual("(ptr int32)", result.DataType.ToString());
}
/// <summary>
/// Sets up a 32-bit frame, a symbolic context over it, and a block flow
/// with an empty register bitset, then registers the flow's context with
/// the trashed-register finder under test.
/// </summary>
private void Given_Contexts()
{
    this.frame = new Frame(PrimitiveType.Pointer32);
    this.ctx = new SymbolicEvaluationContext(arch, this.frame);
    var emptyRegs = arch.CreateRegisterBitset();
    this.blockflow = new BlockFlow(null, emptyRegs, this.ctx);
    trf.EnsureEvaluationContext(this.blockflow);
}
/// <summary>
/// An indirect call through a register whose value is a known constant is
/// rewritten as a call to that constant address.
/// </summary>
public void EP_IndirectCall()
{
    var arch = new FakeArchitecture();
    var builder = new ProgramBuilder(arch);
    var proc = builder.Add("main", m =>
    {
        var regR1 = m.Register("r1");
        m.Assign(regR1, m.Word32(0x42));
        m.Emit(new CallInstruction(regR1, new CallSite(4, 0)));
        m.Return();
    });

    var ctx = new SymbolicEvaluationContext(arch, proc.Frame);
    var ep = new ExpressionPropagator(arch, new ExpressionSimplifier(ctx), ctx, new ProgramDataFlow());
    ctx.RegisterState[arch.StackRegister] = proc.Frame.FramePointer;

    var stms = proc.EntryBlock.Succ[0].Statements;
    stms[0].Instruction.Accept(ep);
    var call = stms[1].Instruction.Accept(ep);
    Assert.AreEqual("call 0x00000042 (retsize: 4; depth: 4)", call.ToString());
}
/// <summary>
/// Sets up a 32-bit frame, a symbolic context over it, and a block flow
/// with an empty register set, then registers the flow's context with the
/// trashed-register finder under test.
/// </summary>
private void Given_Contexts()
{
    frame = new Frame(PrimitiveType.Pointer32);
    ctx = new SymbolicEvaluationContext(arch, frame);
    var noRegisters = new HashSet<RegisterStorage>();
    blockflow = new BlockFlow(null, noRegisters, ctx);
    trf.EnsureEvaluationContext(blockflow);
}
/// <summary>
/// Stores through a stack-pointer-relative address are rewritten to the
/// corresponding frame local, and the stored values are propagated
/// relative to the frame pointer.
/// </summary>
public void EP_LValue()
{
    var arch = new FakeArchitecture();
    var builder = new ProgramBuilder(arch);
    Identifier regR2 = null;
    Identifier regSp = null;
    var proc = builder.Add("main", m =>
    {
        regR2 = m.Register("r2");
        regSp = m.Frame.EnsureRegister(arch.StackRegister);
        m.Store(m.ISub(regSp, 12), m.ISub(regSp, 16));
        m.Store(m.ISub(regSp, 12), 2);
    });

    var ctx = new SymbolicEvaluationContext(arch, proc.Frame);
    var ep = new ExpressionPropagator(arch, new ExpressionSimplifier(ctx), ctx, new ProgramDataFlow());
    // Anchor the stack register at the frame pointer so sp-relative
    // addresses resolve to frame locals.
    ctx.RegisterState[arch.StackRegister] = proc.Frame.FramePointer;

    var stms = proc.EntryBlock.Succ[0].Statements;
    var firstStore = stms[0].Instruction.Accept(ep);
    Assert.AreEqual("dwLoc0C = fp - 0x00000010", firstStore.ToString());
    var secondStore = stms[1].Instruction.Accept(ep);
    Assert.AreEqual("dwLoc0C = 0x00000002", secondStore.ToString());
}
/// <summary>
/// Creates a simplifier that consults <paramref name="trf"/> while
/// simplifying against <paramref name="ctx"/>; the finder's event listener
/// is forwarded to the base simplifier.
/// </summary>
/// <param name="trf">Trashed-register finder that owns this simplifier.</param>
/// <param name="ctx">Symbolic context the simplifier reads values from.</param>
public TrashedExpressionSimplifier(TrashedRegisterFinder trf, SymbolicEvaluationContext ctx)
    : base(ctx, trf.eventListener)
{
    this.ctx = ctx;
    this.trf = trf;
}
/// <summary>
/// After the stack pointer is decremented, a load through it is resolved
/// to a frame-relative argument slot; the decrement itself is expressed in
/// terms of the frame pointer.
/// </summary>
public void EP_StackReference()
{
    var arch = new FakeArchitecture();
    var builder = new ProgramBuilder(arch);
    var proc = builder.Add("main", m =>
    {
        var regSp = m.Frame.EnsureRegister(m.Architecture.StackRegister);
        var regR1 = m.Register(1);
        m.Assign(regSp, m.ISub(regSp, 4));
        m.Assign(regR1, m.LoadDw(m.IAdd(regSp, 8)));
        m.Return();
    });

    var ctx = new SymbolicEvaluationContext(arch, proc.Frame);
    var ep = new ExpressionPropagator(arch, new ExpressionSimplifier(ctx), ctx, new ProgramDataFlow());
    ctx.RegisterState[arch.StackRegister] = proc.Frame.FramePointer;

    var stms = proc.EntryBlock.Succ[0].Statements;
    var spAdjust = stms[0].Instruction.Accept(ep);
    Assert.AreEqual("r63 = fp - 0x00000004", spAdjust.ToString());
    var load = stms[1].Instruction.Accept(ep);
    Assert.AreEqual("r1 = dwArg04", load.ToString());
}
/// <summary>
/// A register passed to a call is replaced by the constant assigned to it
/// immediately before the call.
/// </summary>
public void EP_Application()
{
    var builder = new ProgramBuilder();
    var proc = builder.Add("main", m =>
    {
        var r1 = m.Frame.EnsureRegister(new RegisterStorage("r1", 1, PrimitiveType.Word32));
        m.Assign(r1, m.Word32(0x42));
        m.SideEffect(m.Fn("foo", r1));
        m.Return();
    });

    var arch = new FakeArchitecture();
    var ctx = new SymbolicEvaluationContext(arch, proc.Frame);
    var simplifier = new ExpressionSimplifier(ctx);
    var ep = new ExpressionPropagator(null, simplifier, ctx, new ProgramDataFlow());

    var stms = proc.EntryBlock.Succ[0].Statements;
    // The assignment must be propagated before the call so r1 is known.
    stms[0].Instruction.Accept(ep);
    var rewrittenCall = stms[1].Instruction.Accept(ep);
    Assert.AreEqual("foo(0x00000042)", rewrittenCall.ToString());
}