Source file path_generator.ml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
open Types
module V = Virtual_address
module A = Dba_types.Caddress
module I = Dba.Instr
let fetch : Env.t -> V.t -> unit =
fun state v ->
let inst, _ = Disasm_core.decode v in
Dhunk.iteri
~f:(fun i instr ->
let a = A.create v i in
A.Htbl.add state.dis a instr;
match instr with
| Stop _ -> ()
| DJump _ ->
Ghidra_cfg.iter_succ_e
(function
| _, Return r, _ when not (V.Set.mem r state.ctp) -> ()
| _, _, d ->
let t = A.of_virtual_address d in
A.Htbl.replace state.dap t
(a :: (try A.Htbl.find state.dap t with Not_found -> [])))
state.cfg v
| If (_, JOuter t, n) ->
A.Htbl.replace state.dap t
(a :: (try A.Htbl.find state.dap t with Not_found -> []));
let f = A.create v n in
A.Htbl.replace state.dap f
(a :: (try A.Htbl.find state.dap f with Not_found -> []))
| If (_, JInner b, n) ->
let t = A.create v b in
A.Htbl.replace state.dap t
(a :: (try A.Htbl.find state.dap t with Not_found -> []));
let f = A.create v n in
A.Htbl.replace state.dap f
(a :: (try A.Htbl.find state.dap f with Not_found -> []))
| SJump (JOuter t, _) ->
A.Htbl.replace state.dap t
(a :: (try A.Htbl.find state.dap t with Not_found -> []))
| SJump (JInner n, _)
| Assert (_, n)
| Assume (_, n)
| Assign (_, _, n)
| Undef (_, n)
| Nondet (_, n) ->
let f = A.create v n in
A.Htbl.replace state.dap f
(a :: (try A.Htbl.find state.dap f with Not_found -> [])))
(Instruction.hunk inst)
let find_condition : Env.t -> V.t -> A.t * Dba.Expr.t =
fun state v ->
if not (A.Htbl.mem state.dis (A.of_virtual_address v)) then fetch state v;
match Ghidra_cfg.succ_e state.cfg v with
| [ (_, Branch, t); (_, Fallthrough, _) ]
| [ (_, Fallthrough, _); (_, Branch, t) ] -> (
let addr =
List.find
(fun a -> Virtual_address.equal v a.Dba.base)
(A.Htbl.find state.dap (A.of_virtual_address t))
in
match A.Htbl.find state.dis addr with
| I.If (e, _, _) -> (addr, e)
| _ -> raise Not_found)
| _ -> raise Not_found
let havoc_eax =
I.non_deterministic
(Dba.LValue.var "eax" ~bitsize:Binsec_base.Size.Bit.bits32)
1
let havoc_ecx =
I.non_deterministic
(Dba.LValue.var "ecx" ~bitsize:Binsec_base.Size.Bit.bits32)
2
let havoc_edx =
I.non_deterministic
(Dba.LValue.var "edx" ~bitsize:Binsec_base.Size.Bit.bits32)
3
let havoc_rax =
I.non_deterministic
(Dba.LValue.var "rax" ~bitsize:Binsec_base.Size.Bit.bits64)
1
let havoc_rcx =
I.non_deterministic
(Dba.LValue.var "rcx" ~bitsize:Binsec_base.Size.Bit.bits64)
2
let havoc_rdx =
I.non_deterministic
(Dba.LValue.var "rdx" ~bitsize:Binsec_base.Size.Bit.bits64)
3
let ignore_call : Env.t -> V.t -> V.t -> unit =
fun state c v ->
match Kernel_options.Machine.isa () with
| Machine.X86 { bits = `x32 } ->
let a0 = A.create c 0
and a1 = A.create c 1
and a2 = A.create c 2
and a3 = A.create c 3
and v0 = A.of_virtual_address v in
A.Htbl.add state.dap a1 [ a0 ];
A.Htbl.add state.dap a2 [ a1 ];
A.Htbl.add state.dap a3 [ a2 ];
A.Htbl.add state.dap v0 (a3 :: A.Htbl.find state.dap v0);
A.Htbl.add state.dis a0 havoc_eax;
A.Htbl.add state.dis a1 havoc_ecx;
A.Htbl.add state.dis a2 havoc_edx;
A.Htbl.add state.dis a3 (I.static_jump ~tag:(Call v0) (Dba.JOuter v0))
| Machine.X86 { bits = `x64 } ->
let a0 = A.create c 0
and a1 = A.create c 1
and a2 = A.create c 2
and a3 = A.create c 3
and v0 = A.of_virtual_address v in
A.Htbl.add state.dap a1 [ a0 ];
A.Htbl.add state.dap a2 [ a1 ];
A.Htbl.add state.dap a3 [ a2 ];
A.Htbl.add state.dap v0 (a3 :: A.Htbl.find state.dap v0);
A.Htbl.add state.dis a0 havoc_rax;
A.Htbl.add state.dis a1 havoc_rcx;
A.Htbl.add state.dis a2 havoc_rdx;
A.Htbl.add state.dis a3 (I.static_jump ~tag:(Call v0) (Dba.JOuter v0))
| isa ->
raise
(Errors.not_yet_implemented
(Format.asprintf "default stubs not available for skipped %a calls"
Machine.ISA.pp isa))
let prefetch : Env.t -> V.t -> unit =
fun state v ->
let a = A.of_virtual_address v in
if not (A.Htbl.mem state.dap a) then A.Htbl.add state.dap a [];
let fallthrough = ref false in
let caller = ref None in
Ghidra_cfg.iter_pred_e
(function
| v, Call, _ when not (V.Set.mem v state.ctp) -> ()
| _, Return r, _ when not (V.Set.mem r state.ctp) -> fallthrough := true
| v, Presumed, _ ->
if not (V.Set.mem v state.ctp) then fallthrough := true;
caller := Some v
| v, _, _ when A.Htbl.mem state.dis (A.of_virtual_address v) -> ()
| v, _, _ -> fetch state v)
state.cfg v;
if !fallthrough then ignore_call state (Option.get !caller) v
let enumerate_path state n a =
let rec loop state result = function
| [] -> result
| (a, c, j, n) :: worklist -> (
if a.Dba.id = 0 then prefetch state a.Dba.base;
match (A.Htbl.find state.dap a, n) with
| [], _
| _ :: _ :: _, 0 ->
loop state ((a, c, j) :: result) worklist
| ([ _ ] as preds), n ->
step_backward state result worklist 1 a c j n preds
| preds, n -> step_backward state result worklist 0 a c j (n - 1) preds)
and step_backward state result worklist delta a c j n = function
| [] -> loop state result worklist
| p :: preds -> (
let inst = A.Htbl.find state.dis p in
match (inst, n) with
| If _, 0 | I.DJump _, 0 | I.SJump (_, Call _), 0 ->
step_backward state ((a, c, j) :: result) worklist delta a c j n
preds
| If (_, JOuter t, _), n when A.equal a t -> (
match A.Htbl.find state.opa p with
| (exception Not_found) | true ->
step_backward state result
((p, true :: c, j, n - delta) :: worklist)
delta a c j n preds
| false -> step_backward state result worklist delta a c j n preds)
| If (_, JInner t, _), n when A.equal a (A.reid p t) -> (
match A.Htbl.find state.opa p with
| (exception Not_found) | true ->
step_backward state result
((p, true :: c, j, n - delta) :: worklist)
delta a c j n preds
| false -> step_backward state result worklist delta a c j n preds)
| If (_, _, f), n -> (
assert (A.equal a (A.reid p f));
match A.Htbl.find state.opa p with
| (exception Not_found) | false ->
step_backward state result
((p, false :: c, j, n - delta) :: worklist)
delta a c j n preds
| true -> step_backward state result worklist delta a c j n preds)
| DJump _, n ->
step_backward state result
((p, c, A.to_virtual_address a :: j, n - delta) :: worklist)
delta a c j n preds
| SJump (JOuter t, Call _), n ->
assert (A.equal a t);
step_backward state result
((p, c, j, n - 1) :: worklist)
delta a c j n preds
| SJump (JOuter t, _), n ->
assert (A.equal a t);
step_backward state result ((p, c, j, n) :: worklist) delta a c j n
preds
| SJump (JInner f, _), n
| Assume (_, f), n
| Assert (_, f), n
| Assign (_, _, f), n
| Undef (_, f), n
| Nondet (_, f), n ->
assert (A.equal a (A.reid p f));
step_backward state result ((p, c, j, n) :: worklist) delta a c j n
preds
| Stop _, _ -> assert false)
in
loop state [] [ (a, [], [], n) ]