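/// <summary>
/// Backward dynamic flow over a five-line program with two conditional jumps (jp at line 1,
/// jz at line 3) that both target label1. The end state is re-constrained with each of the
/// four combinations of the two branch conditions and AL is compared against the expected
/// bit pattern for that combination.
/// </summary>
public void Test_Runner_Jmp_11()
{
    string programStr =
        " cmp al, 0 " + Environment.NewLine +
        " jp label1 " + Environment.NewLine +
        " mov al, 1 " + Environment.NewLine +
        " jz label1 " + Environment.NewLine +
        " mov al, 2 " + Environment.NewLine +
        "label1: ";

    Tools tools = this.CreateTools();
    var sFlow = new StaticFlow(tools);
    sFlow.Update(programStr);
    if (logToDisplay)
    {
        Console.WriteLine(sFlow.ToString());
    }
    // The register set to track is derived from the parsed program, not from the defaults.
    tools.StateConfig = sFlow.Create_StateConfig();

    var dFlow = Runner.Construct_DynamicFlow_Backward(sFlow, tools);
    State state = dFlow.EndState;
    Assert.IsNotNull(state);
    if (logToDisplay)
    {
        Console.WriteLine("state:\n" + state);
    }
    TestTools.IsTrue(state.IsConsistent);

    // Line numbers are zero-based (cmp is line 0): line 1 is "jp label1", line 3 is "jz label1".
    var branch_Condition_jp = dFlow.Get_Branch_Condition(1);
    var branch_Condition_jz = dFlow.Get_Branch_Condition(3);

    // Works on a fresh copy of the end state each time so the four checks do not influence each other.
    // NOTE(review): the bool passed to BranchInfo presumably selects the branch outcome (taken/not taken) — confirm against BranchInfo.
    Action<bool, bool, string> checkAL = (jp, jz, expectedAL) =>
    {
        State constrained = new State(state);
        constrained.Add(new BranchInfo(branch_Condition_jp, jp));
        constrained.Add(new BranchInfo(branch_Condition_jz, jz));
        TestTools.AreEqual(Rn.AL, expectedAL, constrained);
    };

    checkAL(true, true, "00000000");
    checkAL(true, false, "????????");
    checkAL(false, true, "XXXXXXXX");
    checkAL(false, false, "00000010");
}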
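/// <summary>
/// Checks the 64-bit "parallel byte search" bit trick symbolically. With RAX = 0x80..80 and
/// RSP = 0x01..01, the sequence mov rcx,rbx / sub rcx,rsp / not rbx / and rcx,rbx / and rcx,rax
/// must leave RCX non-zero exactly when at least one byte of the original RBX is zero.
/// RBX is deliberately left symbolic (the example "mov rbx, ..." line is never executed), so the
/// equivalence is checked for every RBX value the solver admits rather than for one example.
/// </summary>
public void Test_BitTricks_Parallel_Search_GPR_2()
{
    Tools tools = CreateTools();
    // Presumably restricts state tracking to the four registers used below — confirm against StateConfig.
    tools.StateConfig.Set_All_Reg_Off();
    tools.StateConfig.RAX = true;
    tools.StateConfig.RBX = true;
    tools.StateConfig.RCX = true;
    tools.StateConfig.RSP = true;

    string line1 = "mov rax, 0x80_80_80_80_80_80_80_80"; // high bit of every byte
    string line2 = "mov rsp, 0x01_01_01_01_01_01_01_01"; // one per byte; RSP serves as a plain register here
    // Example payload, intentionally NOT executed so that RBX stays symbolic: "mov rbx, 0x01_02_03_04_05_06_07_08"
    string line4a = "mov rcx, rbx"; // a subtraction cannot be folded into lea, hence the extra mov
    string line4b = "sub rcx, rsp"; // subtract 1 from each byte
    string line5 = "not rbx";       // invert all bytes
    string line6 = "and rcx, rbx";
    string line7 = "and rcx, rax";  // keep only the high bit of each byte

    State state = CreateState(tools);
    // Symbolic RBX captured before any instruction executes; translated into the final context below.
    BitVecExpr bytes = state.Create(Rn.RBX);

    state = Runner.SimpleStep_Forward(line1, state);
    state = Runner.SimpleStep_Forward(line2, state);

    // One forward step plus the optional trace line; `state` is the captured local.
    Action<string> step = line =>
    {
        state = Runner.SimpleStep_Forward(line, state);
        if (logToDisplay)
        {
            Console.WriteLine("After \"" + line + "\", we know:\n" + state);
        }
    };
    step(line4a);
    step(line4b);
    step(line5);
    step(line6);
    step(line7);

    Context ctx = state.Ctx;
    BitVecExpr zero8 = ctx.MkBV(0, 8);
    // Direct cast: a failed translation should fail here, not as a NullReferenceException later.
    bytes = (BitVecExpr)bytes.Translate(ctx);

    // byteIsZero[i] : bits 8i+7..8i of the original RBX are zero.
    BoolExpr[] byteIsZero = new BoolExpr[8];
    for (uint i = 0; i < 8; i++)
    {
        byteIsZero[i] = ctx.MkEq(ctx.MkExtract((i * 8) + 7, i * 8, bytes), zero8);
    }

    // (some byte of RBX is zero)  <=>  (RCX != 0)
    BoolExpr property = ctx.MkEq(
        ctx.MkOr(byteIsZero),
        ctx.MkNot(ctx.MkEq(state.Create(Rn.RCX), ctx.MkBV(0, 64))));
    TestTools.AreEqual(Tv.ONE, ToolsZ3.GetTv(property, state.Solver, ctx));
}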
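/// <summary>
/// Forward dynamic flow over a three-line straight-line program (mov rax,0 / mov rbx,10 /
/// mov rbx,rax). For each line there must be exactly one state before and one state after it;
/// RAX and RBX are checked in both: unknown before anything runs, then 0 and 10, then both 0.
/// </summary>
public void Test_DynamicFlow_Forward_1()
{
    Tools tools = this.CreateTools();
    tools.StateConfig.Set_All_Off();
    tools.StateConfig.RAX = true;
    tools.StateConfig.RBX = true;
    tools.Quiet = true;
    tools.ShowUndefConstraints = false;

    string programStr =
        " mov rax, 0 ; line 0 " + Environment.NewLine +
        " mov rbx, 10 ; line 1 " + Environment.NewLine +
        " mov rbx, rax ; line 2 ";
    var sFlow = new StaticFlow(tools);
    sFlow.Update(programStr);
    if (logToDisplay)
    {
        Console.WriteLine(sFlow);
    }

    DynamicFlow dFlow = Runner.Construct_DynamicFlow_Forward(sFlow, tools);
    if (logToDisplay)
    {
        Console.WriteLine(dFlow.ToString(sFlow));
    }

    // 64 unknown bits, grouped per byte, as TestTools.AreEqual expects it.
    const string unknown64 = "????????.????????.????????.????????.????????.????????.????????.????????";

    // A straight-line program yields exactly one state on each side of every line.
    Func<int, State> singleStateBefore = lineNumber =>
    {
        IList<State> states = new List<State>(dFlow.Create_States_Before(lineNumber));
        Assert.AreEqual(1, states.Count);
        return states[0];
    };
    Func<int, State> singleStateAfter = lineNumber =>
    {
        IList<State> states = new List<State>(dFlow.Create_States_After(lineNumber));
        Assert.AreEqual(1, states.Count);
        return states[0];
    };
    Action<string, int, State> log = (when, lineNumber, state) =>
    {
        if (logToDisplay)
        {
            Console.WriteLine("Tree_Forward: " + when + " lineNumber " + lineNumber + " \"" + sFlow.Get_Line_Str(lineNumber) + "\", we know:\n" + state);
        }
    };

    {
        // line 0: "mov rax, 0" — nothing is known before; RAX becomes 0.
        State before = singleStateBefore(0);
        State after = singleStateAfter(0);
        log("Before", 0, before);
        TestTools.AreEqual(Rn.RAX, unknown64, before);
        TestTools.AreEqual(Rn.RBX, unknown64, before);
        log("After", 0, after);
        TestTools.AreEqual(Rn.RAX, 0, after);
        TestTools.AreEqual(Rn.RBX, unknown64, after);
    }
    {
        // line 1: "mov rbx, 10" — RBX becomes 10, RAX stays 0.
        State before = singleStateBefore(1);
        State after = singleStateAfter(1);
        log("Before", 1, before);
        TestTools.AreEqual(Rn.RAX, 0, before);
        TestTools.AreEqual(Rn.RBX, unknown64, before);
        log("After", 1, after);
        TestTools.AreEqual(Rn.RAX, 0, after);
        TestTools.AreEqual(Rn.RBX, 10, after);
    }
    {
        // line 2: "mov rbx, rax" — RBX takes RAX's value 0.
        State before = singleStateBefore(2);
        State after = singleStateAfter(2);
        log("Before", 2, before);
        TestTools.AreEqual(Rn.RAX, 0, before);
        TestTools.AreEqual(Rn.RBX, 10, before);
        log("After", 2, after);
        TestTools.AreEqual(Rn.RAX, 0, after);
        TestTools.AreEqual(Rn.RBX, 0, after);
    }
}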
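/// <summary>
/// Checks the 32-bit "parallel byte search" bit trick symbolically: lea ecx,[ebx-0x01010101] /
/// not ebx / and ecx,ebx / and ecx,80808080h must leave ECX non-zero exactly when at least one
/// byte of the original EBX is zero. EBX is deliberately left symbolic (the example "mov ebx, ..."
/// line is never executed), so the equivalence is checked for every EBX value the solver admits.
/// The two trailing blocks are diagnostics: they print the state under extra assumptions when
/// logToDisplay is set and assert nothing.
/// </summary>
public void Test_BitTricks_Parallel_Search_GPR_1()
{
    Tools tools = CreateTools();
    // Presumably restricts state tracking to the registers enabled below — confirm against StateConfig.
    tools.StateConfig.Set_All_Reg_Off();
    tools.StateConfig.RBX = true;
    tools.StateConfig.RCX = true;
    tools.StateConfig.RDX = true;

    // Example payload, intentionally NOT executed so that EBX stays symbolic: "mov ebx, 0x01_00_02_03"
    string line2 = "lea ecx, [ebx-0x01_01_01_01]"; // subtract 1 from each byte
    string line3 = "not ebx";                       // invert all bytes
    string line4 = "and ecx, ebx";
    string line5 = "and ecx, 80808080h";            // keep only the high bit of each byte

    State state = CreateState(tools);
    // Symbolic EBX captured before any instruction executes; translated into the final context below.
    BitVecExpr bytes = state.Create(Rn.EBX);

    // One forward step plus the optional trace line (same tracing as Test_BitTricks_Parallel_Search_GPR_2).
    Action<string> step = line =>
    {
        state = Runner.SimpleStep_Forward(line, state);
        if (logToDisplay)
        {
            Console.WriteLine("After \"" + line + "\", we know:\n" + state);
        }
    };
    step(line2);
    step(line3);
    step(line4);
    step(line5);

    Context ctx = state.Ctx;
    BitVecExpr zero = ctx.MkBV(0, 8);
    // Direct cast: a failed translation should fail here, not as a NullReferenceException later.
    bytes = (BitVecExpr)bytes.Translate(ctx);

    // byteIsZero[i] : bits 8i+7..8i of the original EBX are zero.
    BoolExpr[] byteIsZero = new BoolExpr[4];
    for (uint i = 0; i < 4; i++)
    {
        byteIsZero[i] = ctx.MkEq(ctx.MkExtract((i * 8) + 7, i * 8, bytes), zero);
    }

    {
        // (some byte of EBX is zero)  <=>  (ECX != 0)
        BoolExpr property = ctx.MkEq(
            ctx.MkOr(byteIsZero),
            ctx.MkNot(ctx.MkEq(state.Create(Rn.ECX), ctx.MkBV(0, 32))));
        TestTools.AreEqual(Tv.ONE, ToolsZ3.GetTv(property, state.Solver, ctx));
    }

    {
        // Diagnostic only: assume at least one byte is zero and show the resulting state.
        state.Solver.Push();
        BoolExpr p = ctx.MkOr(byteIsZero);
        state.Solver.Assert(p);
        if (logToDisplay)
        {
            Console.WriteLine("After \"" + p + "\", we know:\n" + state);
        }
        state.Solver.Pop();
    }

    {
        // Diagnostic only: assume exactly the third byte (bits 23..16) is zero and the others are not.
        state.Solver.Push();
        BoolExpr p = ctx.MkAnd(
            ctx.MkEq(byteIsZero[0], ctx.MkFalse()),
            ctx.MkEq(byteIsZero[1], ctx.MkFalse()),
            ctx.MkEq(byteIsZero[2], ctx.MkTrue()),
            ctx.MkEq(byteIsZero[3], ctx.MkFalse()));
        state.Solver.Assert(p);
        if (logToDisplay)
        {
            Console.WriteLine("After \"" + p + "\", we know:\n" + state);
        }
        // Pop restored so every Push is balanced; the assumption must not outlive this block.
        state.Solver.Pop();
    }
}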