public MachineState(MachineState copyMe) { instructionPointer = copyMe.instructionPointer; registers = new RegisterCollection(copyMe.registers); dataSegment = new Dictionary<UInt32, AbstractValue>(copyMe.dataSegment); zeroFlag = copyMe.zeroFlag; }
public override MachineState Execute(MachineState state) { var buffer = AbstractValue.GetNewBuffer(state.TopOfStack.Value); state.ReturnValue = new AbstractValue(buffer); return state; }
public void SetUp() { var registers = new RegisterCollection(); registers[RegisterName.ESP] = new AbstractValue(AbstractValue.GetNewBuffer(1)); state = new MachineState(registers); contract = new GLibcStartMainContract(); }
public void Execute() { var address = new AbstractValue(0xdeadbabe); state = state.PushOntoStack(address); state = contract.Execute(state); Assert.AreEqual(address.Value, state.InstructionPointer); }
public void BigComplicatedMuthafuqqa() { const byte VALUE = 0xcd; state = state.DoOperation(RegisterName.ESP, OperatorEffect.Add, new AbstractValue(0x40)); state.InstructionPointer = 0x804839b; state = X86Emulator.Run(reportItems, state, new byte[] {0x55}); state = X86Emulator.Run(reportItems, state, new byte[] {0x89, 0xe5}); PrintStackAndBlock(); state = X86Emulator.Run(reportItems, state, new byte[] {0x83, 0xec, 0x08}); state = X86Emulator.Run(reportItems, state, new byte[] {0x83, 0xe4, 0xf0}); state = X86Emulator.Run(reportItems, state, new byte[] {0xb8, 0x00, 0x00, 0x00, 0x00}); state = X86Emulator.Run(reportItems, state, new byte[] {0x83, 0xc0, 0x0f}); state = X86Emulator.Run(reportItems, state, new byte[] {0x83, 0xc0, 0x0f}); state = X86Emulator.Run(reportItems, state, new byte[] {0xc1, 0xe8, 0x04}); state = X86Emulator.Run(reportItems, state, new byte[] {0xc1, 0xe0, 0x04}); state = X86Emulator.Run(reportItems, state, new byte[] {0x29, 0xc4}); state = X86Emulator.Run(reportItems, state, new byte[] {0xc7, 0x04, 0x24, VALUE, 0, 0, 0}); Assert.AreEqual(VALUE, state.TopOfStack.Value); state = X86Emulator.Run(reportItems, state, new byte[] {0xe8, 0x10, 0, 0, 0}); PrintStackAndBlock(); state = X86Emulator.Run(reportItems, state, new byte[] {0x55}); PrintStackAndBlock(); state = X86Emulator.Run(reportItems, state, new byte[] {0x89, 0xe5}); PrintStackAndBlock(); state = X86Emulator.Run(reportItems, state, new byte[] {0x83, 0xec, 0x18}); PrintStackAndBlock(); state = X86Emulator.Run(reportItems, state, new byte[] {0x8b, 0x45, 0x08}); PrintStackAndBlock(); Assert.AreEqual(VALUE, state.Registers[RegisterName.EAX].Value); }
public override Boolean IsSatisfiedBy(MachineState state, Byte[] code) { var effectiveAddress = Opcode.GetEffectiveAddress(code, state.InstructionPointer); const UInt32 GLIBC_START_MAIN_IMPORT_FUNCTION_ADDR = 0x80482b8; return effectiveAddress == GLIBC_START_MAIN_IMPORT_FUNCTION_ADDR; }
public void AddOneToEAX() { code = new Byte[] {0x05, 0x01, 0x00, 0x00, 0x00}; state.Registers[RegisterName.EAX] = new AbstractValue(1); state = X86Emulator.Run(reportItems, state, code); Assert.AreEqual(code.Length, state.InstructionPointer); Assert.AreEqual(0x2, state.Registers[RegisterName.EAX].Value); }
private static void PrintStackFor(MachineState state) { var esp = state.Registers[RegisterName.ESP]; Console.WriteLine("Stack dump"); Console.WriteLine("esp-8\t\t esp-4\t\t esp"); Console.WriteLine("{0}\t\t {1}\t\t {2}", esp.PointsTo[-2], esp.PointsTo[-1], esp.PointsTo[0]); }
public void AddImmediateNonPointerDeref() { // add [eax], 0x00 code = new Byte[] {0x83, 0x00, 0x00}; state.Registers[RegisterName.EAX] = one; Assert.IsFalse(one.IsPointer); state = X86Emulator.Run(reportItems, state, code); }
public void Add() { eax = one; ebx = two; state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, RegisterName.EBX); Assert.AreEqual(3, eax.Value); Assert.IsTrue(eax.IsTainted); }
public void And() { eax = new AbstractValue(0x350).AddTaint(); ebx = new AbstractValue(0xff); state = state.DoOperation(RegisterName.EAX, OperatorEffect.And, RegisterName.EBX); Assert.AreEqual(0x50, eax.Value); Assert.IsTrue(eax.IsTainted); }
public void Assignment() { eax = one; ebx = two; state = state.DoOperation(RegisterName.EAX, OperatorEffect.Assignment, RegisterName.EBX); Assert.AreEqual(eax, ebx); Assert.AreNotSame(eax, ebx); }
public void IsSatisified() { var code = new Byte[] {0xe8, 0xb7, 0xff, 0xff, 0xff}; state = new MachineState {InstructionPointer = 0x80482fc}; Assert.IsTrue(contract.IsSatisfiedBy(state, code)); state.InstructionPointer = 0xdeadbeef; Assert.IsFalse(contract.IsSatisfiedBy(state, code)); }
public void AddImmediateToEAX() { // add eax,0xf const byte IMMEDIATE = 0x0f; code = new Byte[] {0x83, 0xc0, IMMEDIATE}; const uint VALUE = 1; state.Registers[RegisterName.EAX] = new AbstractValue(VALUE); state = X86Emulator.Run(reportItems, state, code); Assert.AreEqual(VALUE + IMMEDIATE, state.Registers[RegisterName.EAX].Value); }
public static MachineState Run(Collection<ReportItem> reportItemCollector, MachineState machineState, Byte[] code) { if (code.Length == 0) { throw new ArgumentException("Empty array not allowed.", "code"); } var afterState = EmulateOpcode(reportItemCollector, machineState, code); if (!BranchTaken(machineState, afterState)) { afterState.InstructionPointer += opcode.GetInstructionLengthFor(code); } return afterState; }
internal EmulationEventArgs(MachineState state, ReadOnlyCollection <Byte> code) { this.state = state; this.code = code; }
public void Sub() { eax = one; ebx = two; state = state.DoOperation(RegisterName.EBX, OperatorEffect.Sub, RegisterName.EAX); Assert.AreEqual(1, ebx.Value); Assert.IsTrue(ebx.IsTainted); }
public void SetUp() { state = new MachineState(new RegisterCollection()); }
public void Shr() { eax = new AbstractValue(0x8).AddTaint(); ebx = new AbstractValue(0x3); state = state.DoOperation(RegisterName.EAX, OperatorEffect.Shr, RegisterName.EBX); Assert.AreEqual(0x1, eax.Value); Assert.IsTrue(eax.IsTainted); }
public void Copy() { state.Registers[RegisterName.ESP] = new AbstractValue(new AbstractBuffer(AbstractValue.GetNewBuffer(10))); var newState = new MachineState(state); Assert.AreNotSame(newState, state); Assert.AreNotSame(newState.Registers, state.Registers); Assert.AreNotSame(newState.DataSegment, state.DataSegment); Assert.AreNotSame(newState.ReturnValue, state.ReturnValue); Assert.AreSame(newState.TopOfStack, state.TopOfStack); }
public void PushTwiceThenManuallyAdjustStackThenAssignToEbp() { var buffer = AbstractValue.GetNewBuffer(0x20); esp = new AbstractValue(buffer); state = state.PushOntoStack(one); state = state.PushOntoStack(two); state = state.DoOperation(RegisterName.ESP, OperatorEffect.Sub, new AbstractValue(0x4)); Assert.AreEqual(one, state.TopOfStack); }
public void PointerAnd() { var buffer = AbstractValue.GetNewBuffer(0x10); buffer[4] = one; eax = new AbstractValue(buffer); state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, new AbstractValue(0x4)); Assert.AreEqual(one, eax.PointsTo[0]); var andValue = new AbstractValue(0xfffffff0); var newState = state.DoOperation(RegisterName.EAX, OperatorEffect.And, andValue); Assert.AreNotSame(newState, state); Assert.AreNotEqual(newState, state); state = newState; Assert.AreEqual(one, eax.PointsTo[4]); }
public void PointerSub() { var buffer = AbstractValue.GetNewBuffer(0x10); buffer[0] = one; eax = new AbstractValue(buffer); ebx = new AbstractValue(0x4); state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, RegisterName.EBX); Assert.IsNotNull(eax.PointsTo); state = state.DoOperation(RegisterName.EAX, OperatorEffect.Sub, RegisterName.EBX); Assert.AreEqual(one, eax.PointsTo[0]); }
public void NonAssignmentOfPointer() { eax = one; ebx = new AbstractValue(new[] {two}); state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, RegisterName.EBX); }
public void PointerAdd() { var buffer = AbstractValue.GetNewBuffer(0x10); buffer[4] = one; eax = new AbstractValue(buffer); state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, new AbstractValue(0x4)); Assert.AreEqual(one, eax.PointsTo[0]); }
public void JnzPointerOffset() { var pointer = new AbstractValue(AbstractValue.GetNewBuffer(1)); state = state.DoOperation(OperatorEffect.Jnz, pointer); }
public void InvalidOpcode() { // int3 -- not really invalid, but we probably won't see it in any program we care about code = new Byte[] { 0xcc }; state = X86Emulator.Run(reportItems, state, code); }
protected virtual MachineState RunCode(MachineState _machineState, Byte[] code) { return(X86Emulator.Run(reportItems, _machineState, code)); }
public void PushPopThenAssignToTop() { var buffer = AbstractValue.GetNewBuffer(0x20); esp = new AbstractValue(buffer); state = state.PushOntoStack(one); // TODO(matt_hargett): extract into state.PopOffStack() state = state.DoOperation(RegisterName.ESP, OperatorEffect.Sub, new AbstractValue(0x4)); state = state.DoOperation(RegisterName.ESP, 0, OperatorEffect.Assignment, two); Assert.AreEqual(two, state.TopOfStack); }
public void AssignmentRetainsOOB() { var oob = new AbstractValue(1) { IsOutOfBounds = true }; state = state.DoOperation(RegisterName.EAX, OperatorEffect.Assignment, oob); Assert.IsTrue(eax.IsOutOfBounds); }
public void NonAssignmentOfPointer() { eax = one; ebx = new AbstractValue(new[] { two }); state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, RegisterName.EBX); }
public void EmptyCodeArray() { code = new Byte[] {}; state = X86Emulator.Run(reportItems, state, code); }
public void Equality() { var same = new MachineState(new RegisterCollection()); same.DataSegment[0] = new AbstractValue(2); var same2 = new MachineState(new RegisterCollection()); same2.DataSegment[0] = new AbstractValue(2); var registers = new RegisterCollection(); registers[RegisterName.EAX] = new AbstractValue(1); var differentViaRegisters = new MachineState(registers); differentViaRegisters.DataSegment[0] = new AbstractValue(2); Assert.IsTrue(same.Equals(same2)); Assert.IsFalse(differentViaRegisters.Equals(same)); Assert.IsTrue(same == same2); Assert.IsTrue(same != differentViaRegisters); Assert.AreEqual(same.GetHashCode(), same2.GetHashCode()); Assert.AreNotEqual(same.GetHashCode(), differentViaRegisters.GetHashCode()); registers = new RegisterCollection(); var differentViaDataSegmentKey = new MachineState(registers); differentViaDataSegmentKey.DataSegment[1] = new AbstractValue(2); Assert.IsFalse(same.Equals(differentViaDataSegmentKey)); registers = new RegisterCollection(); var differentViaDataSegmentValue = new MachineState(registers); differentViaDataSegmentValue.DataSegment[0] = new AbstractValue(1); Assert.IsFalse(same.Equals(differentViaDataSegmentValue)); }
protected override MachineState RunCode(MachineState machineState, Byte[] instructionBytes) { for (UInt32 i = 0; i < actualReportItemCount; i++) { ReportItems.Add(new ReportItem(i, false)); } machineState.InstructionPointer += (UInt32)instructionBytes.Length; return machineState; }
public void Jnz() { const byte offset = 6; eax = two; ebx = one; state = state.DoOperation(RegisterName.EAX, OperatorEffect.Cmp, RegisterName.EAX); state = state.DoOperation(OperatorEffect.Jnz, new AbstractValue(offset)); Assert.AreEqual(0, state.InstructionPointer); state = state.DoOperation(RegisterName.EAX, OperatorEffect.Cmp, RegisterName.EBX); state = state.DoOperation(OperatorEffect.Jnz, new AbstractValue(offset)); Assert.AreEqual(offset, state.InstructionPointer); }