public void Test_Z3_MemWithArray_2() { #region Definitions uint nBits = 8; Context ctx = new Context(); BitVecExpr bv_0 = ctx.MkBV(0, nBits); BitVecExpr bv_16 = ctx.MkBV(16, nBits); BitVecExpr bv_32 = ctx.MkBV(32, nBits); BitVecExpr rax = ctx.MkBVConst("RAX!0", nBits); BitVecExpr rbx = ctx.MkBVConst("RBX!0", nBits); BitVecExpr rcx = ctx.MkBVConst("RCX!0", nBits); BitVecExpr rdx = ctx.MkBVConst("RDX!0", nBits); ArrayExpr mem = ctx.MkArrayConst("mem", ctx.MkBitVecSort(nBits), ctx.MkBitVecSort(nBits)); Goal state = ctx.MkGoal(); #endregion // Test possible memory overwrite Console.WriteLine("mov qword ptr[16], 0 ; store at address=16 value=0"); mem = ctx.MkStore(mem, bv_16, bv_0); Console.WriteLine("mov rax, qword ptr[16] ; load rax with the value at address=16"); state.Assert(ctx.MkEq(rax, ctx.MkSelect(mem, bv_16))); Console.WriteLine("mov qword ptr[rcx], 32 ; store at unknown address rcx value 32, appreciate that address 16 could be overwritten"); mem = ctx.MkStore(mem, rcx, bv_32); Console.WriteLine("mov rbx, qword ptr[16] ; load rbx with value at address 16, appreciate that rbx need not be equal to rax"); state.Assert(ctx.MkEq(rbx, ctx.MkSelect(mem, bv_16))); if (true) { Console.WriteLine("cmp rcx, 16 ;"); Console.WriteLine("jnz label1: "); state.Assert(ctx.MkEq(rcx, bv_16)); } #region Write to console Console.WriteLine("mem=" + mem); Solver solver = ctx.MkSolver(); Solver solver_U = ctx.MkSolver(); solver.Assert(state.Formulas); Console.WriteLine("state1=" + state); if (true) { Tactic tactic1 = ctx.MkTactic("propagate-values"); Goal state2 = tactic1.Apply(state).Subgoals[0]; Console.WriteLine("state2=" + state2.ToString()); } Console.WriteLine(string.Empty); Tv[] raxTV = ToolsZ3.GetTvArray(rax, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rax = " + ToolsZ3.ToStringBin(raxTV) + " = " + ToolsZ3.ToStringHex(raxTV)); Tv[] rbxTV = ToolsZ3.GetTvArray(rbx, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rbx = " + ToolsZ3.ToStringBin(rbxTV) + " = " + ToolsZ3.ToStringHex(rbxTV)); Tv[] rcxTV = ToolsZ3.GetTvArray(rcx, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rcx = " + ToolsZ3.ToStringBin(rcxTV) + " = " + ToolsZ3.ToStringHex(rcxTV)); // Tv5[] rdxTV = ToolsZ3.getTvArray(rdx, nBits, solver, ctx); // Console.WriteLine("rdx = " + ToolsZ3.toStringBin(rdxTV) + " = " + ToolsZ3.toStringHex(rdxTV)); #endregion }
public string GetRegisterValue(Rn name, IState_R state) { if (state == null) { return(""); } Tv5[] reg = state.GetTv5Array(name); return(string.Format("{0} = {1}", ToolsZ3.ToStringBin(reg), ToolsZ3.ToStringHex(reg))); }
public void Test_Z3_MemWithArray_3() { #region Definitions uint nBits = 8; Context ctx = new Context(); BitVecExpr bv_0 = ctx.MkBV(0, nBits); BitVecExpr bv_16 = ctx.MkBV(16, nBits); BitVecExpr bv_32 = ctx.MkBV(32, nBits); BitVecExpr rax = ctx.MkBVConst("RAX!0", nBits); BitVecExpr rbx = ctx.MkBVConst("RBX!0", nBits); BitVecExpr rcx = ctx.MkBVConst("RCX!0", nBits); BitVecExpr rdx = ctx.MkBVConst("RDX!0", nBits); ArrayExpr mem = ctx.MkArrayConst("mem", ctx.MkBitVecSort(nBits), ctx.MkBitVecSort(nBits)); Goal state = ctx.MkGoal(); #endregion // Test if loading from two unknown addresses and then learning that the addresses were equal yields the same result // mov rcx, qword ptr[rax] state.Assert(ctx.MkEq(rcx, ctx.MkSelect(mem, rax))); // mov rdx, qword ptr[rbx] state.Assert(ctx.MkEq(rdx, ctx.MkSelect(mem, rbx))); // cmp rax, rbx; // jnz label1: state.Assert(ctx.MkEq(rax, rbx)); // cmp rax, 0 // jnz label2: state.Assert(ctx.MkEq(rcx, bv_16)); #region Write to console Console.WriteLine("mem=" + mem); Solver solver = ctx.MkSolver(); Solver solver_U = ctx.MkSolver(); solver.Assert(state.Formulas); Console.WriteLine("state1=" + state); Console.WriteLine(string.Empty); Tv[] raxTV = ToolsZ3.GetTvArray(rax, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rax = " + ToolsZ3.ToStringBin(raxTV) + " = " + ToolsZ3.ToStringHex(raxTV)); Tv[] rbxTV = ToolsZ3.GetTvArray(rbx, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rbx = " + ToolsZ3.ToStringBin(rbxTV) + " = " + ToolsZ3.ToStringHex(rbxTV)); Tv[] rcxTV = ToolsZ3.GetTvArray(rcx, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rcx = " + ToolsZ3.ToStringBin(rcxTV) + " = " + ToolsZ3.ToStringHex(rcxTV)); Tv[] rdxTV = ToolsZ3.GetTvArray(rdx, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rdx = " + ToolsZ3.ToStringBin(rdxTV) + " = " + ToolsZ3.ToStringHex(rdxTV)); #endregion }
public void Test_Z3_MemWithArray_1() { #region Definitions uint nBits = 8; Context ctx = new Context(); BitVecExpr bv_0 = ctx.MkBV(0, nBits); BitVecExpr bv_10 = ctx.MkBV(10, nBits); BitVecExpr bv_20 = ctx.MkBV(20, nBits); BitVecExpr rax = ctx.MkBVConst("RAX!0", nBits); BitVecExpr rbx = ctx.MkBVConst("RBX!0", nBits); BitVecExpr rcx = ctx.MkBVConst("RCX!0", nBits); BitVecExpr rdx = ctx.MkBVConst("RDX!0", nBits); ArrayExpr mem = ctx.MkArrayConst("mem", ctx.MkBitVecSort(nBits), ctx.MkBitVecSort(nBits)); Goal state = ctx.MkGoal(); #endregion // Test chaining with memory loads // mov qword ptr[0], 10 mem = ctx.MkStore(mem, bv_0, bv_10); // mov qword ptr[10], 20 mem = ctx.MkStore(mem, bv_10, bv_20); // mov rbx, qword ptr[rax] state.Assert(ctx.MkEq(rbx, ctx.MkSelect(mem, rax))); // mov rcx, qword ptr[rbx] state.Assert(ctx.MkEq(rcx, ctx.MkSelect(mem, rbx))); // cmp rax, 10; // jnz label1: state.Assert(ctx.MkEq(rax, bv_0)); #region Write to console Console.WriteLine("mem=" + mem); Solver solver = ctx.MkSolver(); Solver solver_U = ctx.MkSolver(); solver.Assert(state.Formulas); Console.WriteLine("state1=" + state); Console.WriteLine(string.Empty); Tv[] raxTV = ToolsZ3.GetTvArray(rax, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rax = " + ToolsZ3.ToStringBin(raxTV) + " = " + ToolsZ3.ToStringHex(raxTV)); Tv[] rbxTV = ToolsZ3.GetTvArray(rbx, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rbx = " + ToolsZ3.ToStringBin(rbxTV) + " = " + ToolsZ3.ToStringHex(rbxTV)); Tv[] rcxTV = ToolsZ3.GetTvArray(rcx, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rcx = " + ToolsZ3.ToStringBin(rcxTV) + " = " + ToolsZ3.ToStringHex(rcxTV)); Tv[] rdxTV = ToolsZ3.GetTvArray(rdx, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rdx = " + ToolsZ3.ToStringBin(rdxTV) + " = " + ToolsZ3.ToStringHex(rdxTV)); #endregion }
public void Test_Z3_MemWithImplies() { Context ctx = new Context(); BitVecExpr bv_0 = ctx.MkBV(0, 64); BitVecExpr bv_10 = ctx.MkBV(10, 64); BitVecExpr bv_20 = ctx.MkBV(20, 64); BitVecExpr addr = ctx.MkBVConst("ADDR", 64); BitVecExpr value = ctx.MkBVConst("VALUE", 64); BitVecExpr value1 = ctx.MkBVConst("value1", 64); BitVecExpr value2 = ctx.MkBVConst("value2", 64); BitVecExpr rax = ctx.MkBVConst("RAX!0-1955042C05A090D2", 64); BitVecExpr rbx = ctx.MkBVConst("RBX!1-5000C87A5EB2FB98", 64); BitVecExpr rcx = ctx.MkBVConst("RCX!1-68FC98BF6AFBF63E", 64); BitVecExpr rdx = ctx.MkBVConst("RDX!0-231D57E228F579AD", 64); Goal state = ctx.MkGoal(); // mov qword ptr[0], 10 state.Assert(ctx.MkImplies(ctx.MkEq(addr, bv_0), ctx.MkEq(value, bv_10))); // mov qword ptr[10], 20 state.Assert(ctx.MkImplies(ctx.MkEq(addr, bv_10), ctx.MkEq(value, bv_20))); // mov rbx, qword ptr[rax] //state.Assert(ctx.MkEq(rbx, ctx.MkEq(addr, value1)); // mov rcx, qword ptr[rbx] //state.Assert(ctx.MkEq(rcx, ctx.MkEq(addr, value2)); // cmp rax, 10; // jnz label1: state.Assert(ctx.MkEq(rax, bv_0)); Tactic tactic1 = ctx.MkTactic("propagate-values"); Console.WriteLine("state1=" + state); Console.WriteLine("state2=" + tactic1.Apply(state).ToString()); Solver solver = ctx.MkSolver(); Solver solver_U = ctx.MkSolver(); solver.Assert(state.Formulas); Tv[] f = ToolsZ3.GetTvArray(value, 64, solver, solver_U, ctx); Console.WriteLine("Value = 0b" + ToolsZ3.ToStringBin(f) + " = 0x" + ToolsZ3.ToStringHex(f)); }
public void Test_ToStringHex_2() { { string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(0xFF, 8)); Console.WriteLine(str); Assert.AreEqual("0xFF", str); } { string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(0xFFFF, 16)); Console.WriteLine(str); Assert.AreEqual("0xFFFF", str); } { string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(0xFFFF_FFFF, 32)); Console.WriteLine(str); Assert.AreEqual("0xFFFF_FFFF", str); } { string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(0xFFFF_FFFF_FFFF_FFFF, 64)); Console.WriteLine(str); Assert.AreEqual("0xFFFF_FFFF_FFFF_FFFF", str); } }
public void Test_ToStringHex_1() { { string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(10, 8)); Console.WriteLine(str); Assert.AreEqual("0x0A", str); } { string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(10, 16)); Console.WriteLine(str); Assert.AreEqual("0x000A", str); } { string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(10, 32)); Console.WriteLine(str); Assert.AreEqual("0x0000_000A", str); } { string str = ToolsZ3.ToStringHex(ToolsZ3.GetTvArray(10, 64)); Console.WriteLine(str); Assert.AreEqual("0x0000_0000_0000_000A", str); } }
public void Test_Z3_MemWithArray_4() { #region Definitions uint nBits = 8; Context ctx = new Context(); BitVecExpr bv_0 = ctx.MkBV(0, nBits); BitVecExpr bv_16 = ctx.MkBV(16, nBits); BitVecExpr bv_32 = ctx.MkBV(32, nBits); BitVecExpr rax = ctx.MkBVConst("RAX!0", nBits); BitVecExpr rbx = ctx.MkBVConst("RBX!0", nBits); BitVecExpr rcx = ctx.MkBVConst("RCX!0", nBits); BitVecExpr rdx = ctx.MkBVConst("RDX!0", nBits); IList <(BitVecExpr, BitVecExpr)> writes = new List <(BitVecExpr, BitVecExpr)>(); Goal state = ctx.MkGoal(); ArrayExpr mem = ctx.MkArrayConst("mem", ctx.MkBitVecSort(nBits), ctx.MkBitVecSort(nBits)); #endregion // Test if overwriting a address works Console.WriteLine("mov rbx, 16"); state.Assert(ctx.MkEq(rbx, bv_16)); Console.WriteLine("mov rcx, 32"); state.Assert(ctx.MkEq(rcx, bv_32)); // Console.WriteLine("mov rax, 0"); // state.Assert(ctx.MkEq(rax, bv_0)); Console.WriteLine("mov qword ptr[rax], rbx"); mem = ctx.MkStore(mem, rax, rbx); Console.WriteLine("mov qword ptr[rax], rcx"); mem = ctx.MkStore(mem, rax, rcx); Console.WriteLine("mov rdx, qword ptr[rax]"); state.Assert(ctx.MkEq(rdx, ctx.MkSelect(mem, rax))); #region Write to console Solver solver = ctx.MkSolver(); Solver solver_U = ctx.MkSolver(); solver.Assert(state.Formulas); Console.WriteLine(string.Empty); Console.WriteLine("state1=" + state); if (true) { Tactic tactic1 = ctx.MkTactic("propagate-values"); Goal state2 = tactic1.Apply(state).Subgoals[0]; Console.WriteLine("state2=" + state2.ToString()); } Console.WriteLine(string.Empty); Tv[] raxTV = ToolsZ3.GetTvArray(rax, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rax = " + ToolsZ3.ToStringBin(raxTV) + " = " + ToolsZ3.ToStringHex(raxTV)); Tv[] rbxTV = ToolsZ3.GetTvArray(rbx, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rbx = " + ToolsZ3.ToStringBin(rbxTV) + " = " + ToolsZ3.ToStringHex(rbxTV)); Tv[] rcxTV = ToolsZ3.GetTvArray(rcx, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rcx = " + ToolsZ3.ToStringBin(rcxTV) + " = " + ToolsZ3.ToStringHex(rcxTV)); Tv[] rdxTV = ToolsZ3.GetTvArray(rdx, (int)nBits, solver, solver_U, ctx); Console.WriteLine("rdx = " + ToolsZ3.ToStringBin(rdxTV) + " = " + ToolsZ3.ToStringHex(rdxTV)); #endregion }