public void MovEax0()
{
code = new Byte[] { 0xb8, 0x00, 0x00, 0x00, 0x00 };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(code.Length, state.InstructionPointer);
Assert.AreEqual(0x0, state.Registers[RegisterName.EAX].Value);
}
public void MovEaxDword()
{
code = new Byte[] { 0xb8, 0x37, 0x13, 0x03, 0x00 };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(code.Length, state.InstructionPointer);
Assert.AreEqual(0x00031337, state.ReturnValue.Value);
}
public void MovEspDword()
{
code = new Byte[] { 0xc7, 0x04, 0x24, 0x37, 0x13, 0x03, 0x00 };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(0x7, state.InstructionPointer);
Assert.AreEqual(0x00031337, state.TopOfStack.Value);
}
public void BigComplicatedMuthafuqqa()
{
const byte VALUE = 0xcd;
state = state.DoOperation(RegisterName.ESP, OperatorEffect.Add, new AbstractValue(0x40));
state.InstructionPointer = 0x804839b;
state = X86Emulator.Run(reportItems, state, new byte[] { 0x55 });
state = X86Emulator.Run(reportItems, state, new byte[] { 0x89, 0xe5 });
PrintStackAndBlock();
state = X86Emulator.Run(reportItems, state, new byte[] { 0x83, 0xec, 0x08 });
state = X86Emulator.Run(reportItems, state, new byte[] { 0x83, 0xe4, 0xf0 });
state = X86Emulator.Run(reportItems, state, new byte[] { 0xb8, 0x00, 0x00, 0x00, 0x00 });
state = X86Emulator.Run(reportItems, state, new byte[] { 0x83, 0xc0, 0x0f });
state = X86Emulator.Run(reportItems, state, new byte[] { 0x83, 0xc0, 0x0f });
state = X86Emulator.Run(reportItems, state, new byte[] { 0xc1, 0xe8, 0x04 });
state = X86Emulator.Run(reportItems, state, new byte[] { 0xc1, 0xe0, 0x04 });
state = X86Emulator.Run(reportItems, state, new byte[] { 0x29, 0xc4 });
state = X86Emulator.Run(reportItems, state, new byte[] { 0xc7, 0x04, 0x24, VALUE, 0, 0, 0 });
Assert.AreEqual(VALUE, state.TopOfStack.Value);
state = X86Emulator.Run(reportItems, state, new byte[] { 0xe8, 0x10, 0, 0, 0 });
PrintStackAndBlock();
state = X86Emulator.Run(reportItems, state, new byte[] { 0x55 });
PrintStackAndBlock();
state = X86Emulator.Run(reportItems, state, new byte[] { 0x89, 0xe5 });
PrintStackAndBlock();
state = X86Emulator.Run(reportItems, state, new byte[] { 0x83, 0xec, 0x18 });
PrintStackAndBlock();
state = X86Emulator.Run(reportItems, state, new byte[] { 0x8b, 0x45, 0x08 });
PrintStackAndBlock();
Assert.AreEqual(VALUE, state.Registers[RegisterName.EAX].Value);
}
public void DereferenceRegisterWithNonPointer()
{
// mov eax,DWORD PTR [eax]
code = new Byte[] { 0x8b, 0x00 };
state.Registers[RegisterName.EAX] = one;
Assert.IsFalse(one.IsPointer);
state = X86Emulator.Run(reportItems, state, code);
}
public void AddImmediateNonPointerDeref()
{
// add [eax], 0x00
code = new Byte[] { 0x83, 0x00, 0x00 };
state.Registers[RegisterName.EAX] = one;
Assert.IsFalse(one.IsPointer);
state = X86Emulator.Run(reportItems, state, code);
}
public void PushEbx()
{
code = new Byte[] { 0x53 };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(0x1, state.InstructionPointer);
Assert.AreEqual(state.TopOfStack, state.Registers[RegisterName.EBX]);
}
public void Sub()
{
code = new Byte[] { 0x83, 0xec, 0x08 };
state.Registers[RegisterName.ESP] = new AbstractValue(0x0a);
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(0x3, state.InstructionPointer);
Assert.AreEqual(0x02, state.Registers[RegisterName.ESP].Value);
}
public void SubNonPointerDeref()
{
// sub eax, [eax]
code = new Byte[] { 0x29, 0x00 };
state.Registers[RegisterName.EAX] = one;
Assert.IsFalse(one.IsPointer);
state = X86Emulator.Run(reportItems, state, code);
}
public void AddOneToEAX()
{
code = new Byte[] { 0x05, 0x01, 0x00, 0x00, 0x00 };
state.Registers[RegisterName.EAX] = new AbstractValue(1);
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(code.Length, state.InstructionPointer);
Assert.AreEqual(0x2, state.Registers[RegisterName.EAX].Value);
}
public void MovFromGlobalIntoEax()
{
code = new Byte[] { 0xa1, 0xe4, 0x84, 0x04, 0x08 };
var value = new AbstractValue(31337);
state.DataSegment[0x080484e4] = value;
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(value, state.Registers[RegisterName.EAX]);
}
public void MovIntoOffsetFromAl()
{
// mov ds:0x80495e0,al
const uint VALUE = 1;
const uint OFFSET = 0x80495e0;
code = new Byte[] { 0xa2, 0xe0, 0x95, 0x04, 0x08 };
state.Registers[RegisterName.EAX] = new AbstractValue(VALUE);
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(VALUE, state.DataSegment[OFFSET].Value);
}
public void NonMallocCall()
{
const uint INITIAL_INSTRUCTION_POINTER = 0x80483b8;
state.InstructionPointer = INITIAL_INSTRUCTION_POINTER;
code = new Byte[] { 0xe8, 0xbf, 0xff, 0xff, 0xff };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(0x804837c, state.InstructionPointer);
Assert.AreEqual(INITIAL_INSTRUCTION_POINTER + (UInt32)code.Length, state.TopOfStack.Value);
}
public void MovIntoEdxFromOffset()
{
// movzx edx,BYTE PTR ds:0x80495e0
const uint VALUE = 1;
var abstractValue = new AbstractValue(VALUE);
state.DataSegment[0x80495e0] = abstractValue;
code = new Byte[] { 0x0f, 0xb6, 0x15, 0xe0, 0x95, 0x04, 0x08 };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(VALUE, state.Registers[RegisterName.EDX].Value);
}
public void PushESPThenPopESP()
{
var pushCode = new Byte[] { 0x54 };
var popCode = new Byte[] { 0x5c };
state = X86Emulator.Run(reportItems, state, pushCode);
Assert.AreEqual(0x1, state.InstructionPointer);
state = X86Emulator.Run(reportItems, state, popCode);
Assert.AreEqual(0x2, state.InstructionPointer);
Assert.AreEqual(state.Registers[RegisterName.ESP], state.Registers[RegisterName.ESP]);
}
public void MovEbpMinus8()
{
// mov DWORD PTR [ebp-8],0xf
const byte FIFTEEN = 0x0f;
var value = AbstractValue.GetNewBuffer(0x100);
state.Registers[RegisterName.EBP] = new AbstractValue(value);
code = new Byte[] { 0xc7, 0x45, 0xf8, FIFTEEN, 0x00, 0x00, 0x00 };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(FIFTEEN, state.Registers[RegisterName.EBP].PointsTo[0xf8].Value);
}
public void MallocCall()
{
const uint INITIAL_INSTRUCTION_POINTER = 0x804838f;
// TODO: need to reconcile with esp/ebp handling
state = state.PushOntoStack(new AbstractValue(16));
state.InstructionPointer = INITIAL_INSTRUCTION_POINTER;
code = new Byte[] { 0xe8, 0x14, 0xff, 0xff, 0xff };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(INITIAL_INSTRUCTION_POINTER + code.Length, state.InstructionPointer);
Assert.AreEqual(16, state.ReturnValue.PointsTo.Length);
}
public void InitialRegisters()
{
var registers = new RegisterCollection();
registers[RegisterName.EAX] = one;
state = new MachineState(registers);
var newState = X86Emulator.Run(reportItems, state, new byte[] { 0x90 });
Assert.AreEqual(one, newState.Registers[RegisterName.EAX]);
Assert.AreNotSame(state, newState);
Assert.AreNotEqual(state, newState);
}
public void PushIzThenPopEbp()
{
var pushCode = new Byte[] { 0x68, 0x10, 0x84, 0x04, 0x08 };
var popCode = new Byte[] { 0x5d };
state = X86Emulator.Run(reportItems, state, pushCode);
Assert.AreEqual(0x5, state.InstructionPointer);
state.Registers[RegisterName.EBP] = null;
state = X86Emulator.Run(reportItems, state, popCode);
Assert.AreEqual(0x6, state.InstructionPointer);
Assert.AreEqual(0x08048410, state.Registers[RegisterName.EBP].Value);
}
public void MovBytePtrEaxInBounds()
{
// mov BYTE PTR [eax], value
const byte VALUE = 0x01;
var buffer = AbstractValue.GetNewBuffer(16);
var pointer = new AbstractValue(buffer);
state.ReturnValue = pointer;
code = new Byte[] { 0xc6, 0x00, VALUE };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(VALUE, state.ReturnValue.PointsTo[0].Value);
}
public void MovIntoAssignedEaxInBounds()
{
const Byte VALUE = 0x01;
const byte INDEX = 0xf;
var buffer = AbstractValue.GetNewBuffer(16);
var pointer = new AbstractValue(buffer);
state.ReturnValue = pointer;
code = new Byte[] { 0xc6, 0x40, INDEX, VALUE };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(VALUE, state.ReturnValue.PointsTo[INDEX].Value);
}
public void AddImmediateToEAX()
{
// add eax,0xf
const byte IMMEDIATE = 0x0f;
code = new Byte[] { 0x83, 0xc0, IMMEDIATE };
const uint VALUE = 1;
state.Registers[RegisterName.EAX] = new AbstractValue(VALUE);
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(VALUE + IMMEDIATE, state.Registers[RegisterName.EAX].Value);
}
public void MovPtrEsp16()
{
const byte SIXTEEN = 0x10;
code = new Byte[] { 0xc7, 0x04, 0x24, SIXTEEN, 0x00, 0x00, 0x00 };
var newState = X86Emulator.Run(reportItems, state, code);
Assert.AreNotSame(newState, state);
Assert.AreNotEqual(newState, state);
Assert.AreEqual(0x7, newState.InstructionPointer);
Assert.AreEqual(SIXTEEN, newState.TopOfStack.Value);
}
public void PushEdxThenPopEdx()
{
var pushCode = new Byte[] { 0x52 };
var popCode = new Byte[] { 0x5a };
state.Registers[RegisterName.EDX] = one;
state = X86Emulator.Run(reportItems, state, pushCode);
Assert.AreEqual(0x1, state.InstructionPointer);
state.Registers[RegisterName.EDX] = null;
state = X86Emulator.Run(reportItems, state, popCode);
Assert.AreEqual(0x2, state.InstructionPointer);
Assert.AreEqual(one, state.Registers[RegisterName.EDX]);
}
public void MovEbpEsp()
{
// mov ebp,esp
code = new Byte[] { 0x89, 0xe5 };
var value = new AbstractValue(0x31337);
state = state.PushOntoStack(value);
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(0x2, state.InstructionPointer);
Assert.AreEqual(value, state.Registers[RegisterName.ESP].PointsTo[0]);
Assert.AreEqual(value, state.Registers[RegisterName.EBP].PointsTo[0]);
}
public void MovPtrEax16()
{
// mov DWORD PTR [eax],0x10
var value = AbstractValue.GetNewBuffer(1);
state.Registers[RegisterName.EAX] = new AbstractValue(value);
code = new Byte[] { 0xc7, 0x00, 0x10, 0x00, 0x00, 0x00 };
state = X86Emulator.Run(reportItems, state, code);
var sixteen = state.Registers[RegisterName.EAX].PointsTo[0];
Assert.AreEqual(0x10, sixteen.Value);
}
public void CmpKnownEax0()
{
// cmp eax, 0
code = new Byte[] { 0x83, 0xf8, 0x0 };
state.Registers[RegisterName.EAX] = new AbstractValue(1);
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(0x3, state.InstructionPointer);
Assert.IsFalse(state.ZeroFlag);
state.Registers[RegisterName.EAX] = new AbstractValue(0);
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(0x6, state.InstructionPointer);
Assert.IsTrue(state.ZeroFlag);
}
public void MovEaxEaxFourByteValue()
{
// mov eax,DWORD PTR [eax]
const uint VALUE = 0x31337;
var buffer = new[] { new AbstractValue(VALUE) };
var pointer = new AbstractValue(buffer);
state.Registers[RegisterName.EAX] = pointer;
code = new Byte[] { 0x8b, 0x00 };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(0x2, state.InstructionPointer);
Assert.AreEqual(VALUE, state.Registers[RegisterName.EAX].Value);
}
public void MovPtrEspEax()
{
// mov [esp]. eax
code = new Byte[] { 0x89, 0x04, 0x24 };
state.Registers[RegisterName.EAX] = new AbstractValue(0x10);
var values = new[] { new AbstractValue(1) };
var buffer = new AbstractBuffer(values);
state.Registers[RegisterName.ESP] = new AbstractValue(buffer);
state = X86Emulator.Run(reportItems, state, code);
var espBuffer = state.Registers[RegisterName.ESP].PointsTo;
Assert.AreEqual(0x10, espBuffer[0].Value);
}
public void MovEaxEbpPlusTwelve()
{
var buffer = AbstractValue.GetNewBuffer(16);
buffer[12] = new AbstractValue(1);
var pointer = new AbstractValue(buffer);
state.Registers[RegisterName.EBP] = pointer;
code = new Byte[] { 0x8b, 0x45, 0xc };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(0x3, state.InstructionPointer);
Assert.AreEqual(1, state.ReturnValue.Value);
}