Fix #169

.build_number

@@ -1 +1 @@
-746
+747

examples/inject_model_with_snapshot.py

@@ -74,7 +74,7 @@ def cbefore(instruction):
     if instruction.getAddress() == 0x40058b:
         rax = getRegValue(IDREF.REG.RAX)
         if rax in password:
-            setMemValue(rax, 1, password[rax])
+            setMemValue(rax, 8, password[rax])
             print '[+] Inject the character \'%c\' in memory' %(chr(password[rax]))
 
     # Epilogue of the function

examples/inject_model_with_snapshot_32b.py

@@ -74,7 +74,7 @@ def cbefore(instruction):
     if instruction.getAddress() == 0x8048412:
         rax = getRegValue(IDREF.REG.EAX)
         if rax in password:
-            setMemValue(rax, 1, password[rax])
+            setMemValue(rax, 8, password[rax])
             print '[+] Inject the character \'%c\' in memory' %(chr(password[rax]))
 
     # Epilogue of the function

src/bindings/python/modules/tritonCallbacks.cpp

@@ -181,12 +181,19 @@ static PyObject *Triton_getMemValue(PyObject *self, PyObject *args) {
   ad = PyLong_AsUint(addr);
   rs = PyLong_AsUint(readSize);
 
-  if (rs != DQWORD_SIZE && rs != QWORD_SIZE && rs != DWORD_SIZE && rs != WORD_SIZE && rs != BYTE_SIZE)
-    return PyErr_Format(PyExc_TypeError, "getMemValue(): The readSize argument must be: DQWORD, QWORD, DWORD, WORD or BYTE");
+  if (rs == 0)
+    return PyErr_Format(PyExc_TypeError, "getMemValue(): The readSize cannot be 0");
+
+  if (rs > DQWORD_SIZE_BIT)
+    return PyErr_Format(PyExc_TypeError, "getMemValue(): The readSize must be less than 128");
+
+  if (rs % BYTE_SIZE_BIT)
+    return PyErr_Format(PyExc_TypeError, "getMemValue(): The readSize must be a multiple of 8");
 
   if (PIN_CheckReadAccess(reinterpret_cast<void*>(ad)) == false)
     return PyErr_Format(PyExc_TypeError, "getMemValue(): The targeted address memory can not be read");
 
+  rs = rs / BYTE_SIZE_BIT;
   MemoryOperand mem(ad, rs);
 
   /* If this is a 128-bits read size, we must use uint128ToPyLongObject() */
@@ -365,13 +372,20 @@ static PyObject *Triton_setMemValue(PyObject *self, PyObject *args) {
   ad = PyLong_AsUint(addr);
   ws = PyLong_AsUint(writeSize);
 
-  if (ws != DQWORD_SIZE && ws != QWORD_SIZE && ws != DWORD_SIZE && ws != WORD_SIZE && ws != BYTE_SIZE)
-    return PyErr_Format(PyExc_TypeError, "setMemValue(): The writeSize argument must be: DQWORD, QWORD, DWORD, WORD or BYTE");
+  if (ws == 0)
+    return PyErr_Format(PyExc_TypeError, "setMemValue(): The writeSize cannot be 0");
+
+  if (ws > DQWORD_SIZE_BIT)
+    return PyErr_Format(PyExc_TypeError, "setMemValue(): The writeSize must be less than 128");
+
+  if (ws % BYTE_SIZE_BIT)
+    return PyErr_Format(PyExc_TypeError, "setMemValue(): The writeSize must be a multiple of 8");
 
   if (PIN_CheckWriteAccess(reinterpret_cast<void*>(ad)) == false)
     return PyErr_Format(PyExc_TypeError, "setMemValue(): Can not write into the targeted address memory");
 
   va = PyLongObjectToUint128(value);
+  ws = ws / BYTE_SIZE_BIT;
   MemoryOperand mo(ad, ws);
   ap.setMemValue(mo, ws, va);
 
@@ -600,6 +614,15 @@ static PyObject *Triton_convertExprToSymVar(PyObject *self, PyObject *args) {
   if (symVarSize == nullptr || (!PyLong_Check(symVarSize) && !PyInt_Check(symVarSize)))
     return PyErr_Format(PyExc_TypeError, "convertExprToSymVar(): expected an integer as second argument");
 
+  if (PyLong_AsUint(symVarSize) == 0)
+    return PyErr_Format(PyExc_TypeError, "convertExprToSymVar(): The size must cannot be 0");
+
+  if (PyLong_AsUint(symVarSize) % BYTE_SIZE_BIT)
+    return PyErr_Format(PyExc_TypeError, "convertExprToSymVar(): The size must be a multiple of 8");
+
+  if (PyLong_AsUint(symVarSize) > DQWORD_SIZE_BIT)
+    return PyErr_Format(PyExc_TypeError, "convertExprToSymVar(): The size must be less than 128");
+
   if (!PyString_Check(varComment))
       return PyErr_Format(PyExc_TypeError, "convertExprToSymVar(): expected a comment (string) as third argument");
 
@@ -631,10 +654,19 @@ static PyObject *Triton_convertMemToSymVar(PyObject *self, PyObject *args) {
   if (symVarSize == nullptr || (!PyLong_Check(symVarSize) && !PyInt_Check(symVarSize)))
     return PyErr_Format(PyExc_TypeError, "convertMemToSymVar(): expected a size as second argument");
 
+  if (PyLong_AsUint(symVarSize) == 0)
+    return PyErr_Format(PyExc_TypeError, "convertMemToSymVar(): The size must cannot be 0");
+
+  if (PyLong_AsUint(symVarSize) % BYTE_SIZE_BIT)
+    return PyErr_Format(PyExc_TypeError, "convertMemToSymVar(): The size must be a multiple of 8");
+
+  if (PyLong_AsUint(symVarSize) > DQWORD_SIZE_BIT)
+    return PyErr_Format(PyExc_TypeError, "convertMemToSymVar(): The size must be less than 128");
+
   if (!PyString_Check(varComment))
       return PyErr_Format(PyExc_TypeError, "convertMemToSymVar(): expected a comment (string) as third argument");
 
-  vs = PyLong_AsUint(symVarSize);
+  vs = PyLong_AsUint(symVarSize) / BYTE_SIZE_BIT;
   vc = PyString_AsString(varComment);
   MemoryOperand mo(PyLong_AsUint(memAddr), vs);
 
@@ -662,6 +694,15 @@ static PyObject *Triton_convertRegToSymVar(PyObject *self, PyObject *args) {
   if (symVarSize == nullptr || (!PyLong_Check(symVarSize) && !PyInt_Check(symVarSize)))
     return PyErr_Format(PyExc_TypeError, "convertRegToSymVar(): expected a size as second argument");
 
+  if (PyLong_AsUint(symVarSize) == 0)
+    return PyErr_Format(PyExc_TypeError, "convertRegToSymVar(): The size must cannot be 0");
+
+  if (PyLong_AsUint(symVarSize) % BYTE_SIZE_BIT)
+    return PyErr_Format(PyExc_TypeError, "convertRegToSymVar(): The size must be a multiple of 8");
+
+  if (PyLong_AsUint(symVarSize) > DQWORD_SIZE_BIT)
+    return PyErr_Format(PyExc_TypeError, "convertRegToSymVar(): The size must be less than 128");
+
   if (!PyString_Check(varComment))
       return PyErr_Format(PyExc_TypeError, "convertRegToSymVar(): expected a comment (string) as third argument");
 

tests/test_convertMemToSymVar.py

@@ -21,7 +21,7 @@ def sbefore(instruction):
                 if addr != 0: # Check valid address
                     print instruction.getDisassembly(), "at", hex(addr)
                     print "Operand mem size:", op.getMem().getSize()
-                    s = convertMemToSymVar(addr, op.getMem().getSize(), "test") # convertMemToSymVar
+                    s = convertMemToSymVar(addr, op.getMem().getBitSize(), "test") # convertMemToSymVar
                     print "New symbolic variable:"
                     print "[+] Comment:", s.getComment()
                     print "[+] Size: %d" % (s.getSize())

tools/code_coverage.py

@@ -193,22 +193,22 @@ def mainAnalysis(threadId):
         rdi = getRegValue(IDREF.REG.RDI) # argc
         rsi = getRegValue(IDREF.REG.RSI) # argv
 
-        argv0_addr = getMemValue(rsi, IDREF.CPUSIZE.QWORD)      # argv[0] pointer
-        argv1_addr = getMemValue(rsi + 8, IDREF.CPUSIZE.QWORD)  # argv[1] pointer
+        argv0_addr = getMemValue(rsi, IDREF.CPUSIZE.QWORD_BIT)      # argv[0] pointer
+        argv1_addr = getMemValue(rsi + 8, IDREF.CPUSIZE.QWORD_BIT)  # argv[1] pointer
 
         print "[+] In main() we set :"
         od = OrderedDict(sorted(TritonExecution.input.dataAddr.items()))
 
         for k,v in od.iteritems():
             print "\t[0x%x] = %x %c" % (k, v, v)
-            setMemValue(k, IDREF.CPUSIZE.BYTE, v)
-            convertMemToSymVar(k, IDREF.CPUSIZE.BYTE, "addr_%d" % k)
+            setMemValue(k, 8, v)
+            convertMemToSymVar(k, IDREF.CPUSIZE.BYTE_BIT, "addr_%d" % k)
 
         for idx, byte in enumerate(TritonExecution.input.data):
             if argv1_addr + idx not in TritonExecution.input.dataAddr: # Not overwrite the previous setting
                 print "\t[0x%x] = %x %c" % (argv1_addr + idx, ord(byte), ord(byte))
-                setMemValue(argv1_addr + idx, IDREF.CPUSIZE.BYTE, ord(byte))
-                convertMemToSymVar(argv1_addr + idx, IDREF.CPUSIZE.BYTE, "addr_%d" % idx)
+                setMemValue(argv1_addr + idx, IDREF.CPUSIZE.BYTE_BIT, ord(byte))
+                convertMemToSymVar(argv1_addr + idx, IDREF.CPUSIZE.BYTE_BIT, "addr_%d" % idx)
 
 
     @staticmethod

tools/format_string_bug_analysis.py

@@ -53,7 +53,7 @@ def printfAnalysis(threadId):
     print '[+] Analyzing the printf prologue argument.'
     arg = getRegValue(IDREF.REG.RDI)
     index = 0
-    while getMemValue(arg + index, 1) != 0x00:
+    while getMemValue(arg + index, 8) != 0x00:
         if isMemTainted(arg + index) == True:
             print '[+] Possible format string bug found. The first argument contains some tainted bytes.' 
             global TRACE
@@ -71,9 +71,9 @@ def mainAnalysis(threadId):
     rsi = getRegValue(IDREF.REG.RSI) # argv
 
     while rdi != 0:
-        argv = getMemValue(rsi + ((rdi-1) * 8), 8)
+        argv = getMemValue(rsi + ((rdi-1) * 8), 64)
         offset = 0
-        while getMemValue(argv + offset, 1) != 0x00:
+        while getMemValue(argv + offset, 8) != 0x00:
             taintMem(argv + offset)
             offset += 1
         print '[+] %03d bytes tainted from the argv[%d] (%#x) pointer' %(offset, rdi-1, argv)

tools/generate_db.py

@@ -32,11 +32,11 @@ def accessMemoryDump(opType, instruction, operand):
         accessAddr       = operand.getMem().getAddress()
         accessSize       = operand.getMem().getSize()
         contentAsString  = str()
-        contentAsInteger = getMemValue(accessAddr, accessSize)
+        contentAsInteger = getMemValue(accessAddr, accessSize * 8)
 
         # fills the contentAsString
         for i in range(accessSize):
-            contentAsString += '%02x ' %(getMemValue(accessAddr+i, 1))
+            contentAsString += '%02x ' %(getMemValue(accessAddr+i, 8))
 
         cursor.execute("INSERT INTO memoryAccess VALUES (%d, '%s', %d, %d, '%s', %d)" %(insAddr, accessType, accessSize, accessAddr, contentAsString[:-1], contentAsInteger))
 

tools/memory_tracer.py

@@ -54,9 +54,9 @@ def dump(opType, instruction, operand):
     if checkReadAccess(memoryAccess):
         a = '%c:0x%016x:' %(opAccess, memoryAccess)
         for i in range(memoryAccessSize):
-            a += ' %02x' %(getMemValue(memoryAccess+i, 1))
+            a += ' %02x' %(getMemValue(memoryAccess+i, 8))
 
-    print '%s%s%s (%#x)' %(d, ' '*(70-len(d)), a, getMemValue(memoryAccess, memoryAccessSize))
+    print '%s%s%s (%#x)' %(d, ' '*(70-len(d)), a, getMemValue(memoryAccess, memoryAccessSize * 8))
     return