版权声明:本人的作品仅供研究目的,如果读者利用本人的作品从事其他行为,与本人无关 https://blog.csdn.net/oShuangYue12/article/details/86673823
// ConsoleApplication1.cpp : 定义控制台应用程序的入口点。
//
#pragma warning (disable : 4204)
#include "stdafx.h"
#include <iostream>
#include <api.hpp>
#include <x86Specifications.hpp>
#include "exceptions.hpp"
using namespace triton;
using namespace triton::arch;
/* One recorded instruction of a trace: where it was fetched from and its raw encoding.
 * The arrays below end with an entry whose `inst` is nullptr, which the loops use as a sentinel. */
struct op {
unsigned int addr;    // virtual address handed to Instruction::setAddress()
unsigned char* inst;  // opcode bytes (points into a string literal, read-only in practice)
unsigned int size;    // number of valid bytes in `inst`
};
/* Instruction set exercised by test1(). Each entry is lifted on its own fresh
 * Instruction object, so the repeated 0x40000b addresses are simply alternative
 * encodings of similar lea forms, not a real control flow. The list is
 * terminated by the { 0x0, nullptr, 0 } sentinel. */
struct op trace[] = {
{ 0x400000, (unsigned char *)"\x48\x8b\x05\xb8\x13\x00\x00", 7 }, /* mov rax, QWORD PTR [rip+0x13b8] */
{ 0x400007, (unsigned char *)"\x48\x8d\x34\xc3", 4 }, /* lea rsi, [rbx+rax*8] */
{ 0x40000b, (unsigned char *)"\x67\x48\x8D\x74\xC3\x0A", 6 }, /* lea rsi, [ebx+eax*8+0xa] */
{ 0x40000b, (unsigned char *)"\x67\x8D\x74\xC3\x0A", 5 }, /* lea esi, [ebx+eax*8+0xa] */
{ 0x40000b, (unsigned char *)"\x48\x8D\x74\xDB\x0A", 5 }, /* lea rsi, [rbx+rax*8+0xa] */
{ 0x40000b, (unsigned char *)"\x48\x8D\x74\xC3\x0A", 5 }, /* lea rsi, [rbx+rax*8+0xa] */
{ 0x40000b, (unsigned char *)"\x48\x8D\x73\x0A", 4 }, /* lea rsi, [rbx+0xa] */
{ 0x400011, (unsigned char *)"\x66\x0F\xD7\xD1", 4 }, /* pmovmskb edx, xmm1 */
{ 0x400015, (unsigned char *)"\x89\xd0", 2 }, /* mov eax, edx */
{ 0x400017, (unsigned char *)"\x80\xf4\x99", 3 }, /* xor ah, 0x99 */
{ 0x40001a, (unsigned char *)"\x48\x31\xc0", 3 }, /* xor rax, rax */
{ 0x40001d, (unsigned char *)"\x80\x30\x99", 3 }, /* xor byte ptr [rax], 0x99 */
{ 0x400020, (unsigned char *)"\x80\x30\x99", 3 }, /* xor byte ptr [rax], 0x99 */
{ 0x400023, (unsigned char *)"\x0F\x87\x00\x00\x00\x00", 6 }, /* ja 11 */
{ 0x0, nullptr, 0 } /* sentinel: stops the trace loop */
};
/* Lift every entry of trace[] on a fresh x86-64 Instruction and dump what Triton
 * decoded: the operands (with base/index/disp/scale for memory operands) and the
 * symbolic expressions produced by processing. Always returns 0. */
int test1() {
    api.setArchitecture(ARCH_X86_64);

    /* trace[] is nullptr-terminated; walk it by pointer until the sentinel. */
    for (const op* cur = trace; cur->inst; ++cur) {
        Instruction inst;
        inst.setOpcodes(cur->inst, cur->size);
        inst.setAddress(cur->addr); /* optional, but needed for rip-relative forms to print sensibly */
        api.processing(inst);

        std::cout << inst << std::endl;

        for (unsigned int idx = 0; idx != inst.operands.size(); ++idx) {
            auto& operand = inst.operands[idx];
            std::cout << "\tOperand " << idx << ": " << operand << std::endl;
            if (operand.getType() != OP_MEM) {
                continue;
            }
            /* Memory operands get their addressing components broken out. */
            auto&& mem = operand.getMemory();
            std::cout << "\t base : " << mem.getBaseRegister() << std::endl;
            std::cout << "\t index : " << mem.getIndexRegister() << std::endl;
            std::cout << "\t disp : " << mem.getDisplacement() << std::endl;
            std::cout << "\t scale : " << mem.getScale() << std::endl;
        }

        std::cout << "\t-------" << std::endl;

        for (unsigned int idx = 0; idx != inst.symbolicExpressions.size(); ++idx) {
            std::cout << "\tSymExpr " << idx << ": " << inst.symbolicExpressions[idx] << std::endl;
        }

        std::cout << std::endl << std::endl;
    }
    return 0;
}
/* Single-instruction trace used by test2(): xor of RAX with an immediate.
 * Only trace2[0] is consumed; the sentinel keeps the array shape consistent with trace[]. */
struct op trace2[] = {
{ 0x400017, (unsigned char *)"\x48\x35\x44\x33\x22\x11", 6 }, /* xor rax, 0x11223344 */
{ 0x0, nullptr, 0 } /* sentinel */
};
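/* Symbolize RAX, lift `xor rax, 0x11223344` from trace2[], then ask the solver
 * for an input that makes the post-xor RAX equal to zero. The model is printed
 * as "id / name / value" triples. Always returns 0.
 *
 * Changes versus the first version: the unused `val` and `C` locals are gone,
 * the symbolic-ID lookup names the same register that was symbolized (RAX)
 * instead of its EAX alias, and std::hex is reset after each value so a model
 * with several variables does not print later ids in hexadecimal. */
int test2() {
    api.setArchitecture(ARCH_X86_64);

    Instruction inst;
    inst.setOpcodes(trace2[0].inst, trace2[0].size);

    /* RAX must be symbolic before processing, otherwise the xor is concrete. */
    api.convertRegisterToSymbolicVariable(triton::arch::x86::x86_reg_rax, "test");
    //inst.setAddress(trace2[0].addr);

    api.processing(inst);

    /* Look up the register we symbolized; asking for EAX relied on Triton
     * resolving the alias to its 64-bit parent, which the variable name and
     * the 64-bit expression width below both assume anyway. */
    auto raxSym = api.getSymbolicRegisterId(triton::arch::x86::x86_reg_rax);
    auto raxFullAst = api.getFullAstFromId(raxSym);
    std::cout << "RAX expr: " << raxFullAst << std::endl;

    /* Constraint: RAX == 0 after the xor, i.e. the symbolic input equals the immediate. */
    auto constraint = triton::ast::assert_(triton::ast::equal(raxFullAst, triton::ast::bv(0, raxFullAst->getBitvectorSize())));
    std::cout << "constraint: " << constraint << std::endl;

    auto model = api.getModel(constraint);

    std::cout << "Model:" << std::endl;
    for (const auto& entry : model) {
        std::cout << " - Variable id : " << entry.first << std::endl;
        std::cout << " - Variable name: " << entry.second.getName() << std::endl;
        /* std::hex is sticky on std::cout; restore std::dec so the next id prints in decimal. */
        std::cout << " - Value : " << std::hex << entry.second.getValue() << std::dec << std::endl;
    }
    return 0;
}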
/* Entry point: only the solver demo (test2) runs; test1 is defined above but
 * not invoked. Command-line arguments are accepted and ignored. */
int main(int ac, const char **av) {
    (void)ac;
    (void)av;
    static_cast<void>(test2());
    return 0;
}
output:
RAX expr: ((_ zero_extend 0) (bvxor ((_ extract 63 0) SymVar_0) (_ bv287454020 64)))
constraint: (assert (= ((_ zero_extend 0) (bvxor ((_ extract 63 0) SymVar_0) (_ bv287454020 64))) (_ bv0 64)))
Model:
- Variable id : 0
- Variable name: SymVar_0
- Value : 11223344