//! \file
/*
** This program is under the terms of the Apache License 2.0.
** Jonathan Salwan
*/
#ifndef TRITON_TTEXPLORE_H
#define TRITON_TTEXPLORE_H
#include <list>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <unordered_map>
#include <vector>
#include <triton/comparableFunctor.hpp>
#include <triton/context.hpp>
#include <triton/dllexport.hpp>
#include <triton/pathConstraint.hpp>
#include <triton/solverModel.hpp>
#include <triton/tritonTypes.hpp>
//! The Triton namespace
namespace triton {
/*!
* \addtogroup triton
* @{
*/
//! The Callbacks namespace
namespace callbacks {
/*!
* \ingroup triton
* \addtogroup callbacks
* @{
*/
//! Value an instruction hook (see instCallback) returns to steer the explorator.
//! The enumerators keep their implicit 0/1/2 values; they are only spelled out here.
//! What each state makes the engine do lives in the .cpp and is not visible from
//! this header, so the per-value notes below are presumed from the names.
enum cb_state_e {
  CONTINUE     = 0, //!< presumably: keep executing the current trace -- confirm in ttexplore.cpp
  BREAK        = 1, //!< presumably: stop the current trace -- confirm in ttexplore.cpp
  PLT_CONTINUE = 2, //!< presumably: hook handled a PLT stub, resume after it -- confirm in ttexplore.cpp
};
};
//! The Engines namespace
namespace engines {
/*!
* \ingroup triton
* \addtogroup engines
* @{
*/
//! The Symbolic Exploration namespace
namespace exploration {
/*!
* \ingroup engines
* \addtogroup exploration
* @{
*/
//! Shortcut for a seed: one concrete input to the program under exploration.
//! Maps an id (triton::usize; presumably the symbolic variable id -- confirm against
//! injectSeed/seed2vector in the .cpp) to the SolverModel that carries its concrete value.
//! Seeds are what the worklist holds, what injectSeed() feeds into the context, and
//! what writeSeedOnDisk() persists.
using Seed = std::unordered_map<triton::usize, triton::engines::solver::SolverModel>;
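//! Config of the exploration.
//!
//! Every field now has a default member initializer. Previously only `workspace`
//! had one, so `struct config_s config;` inside SymbolicExplorator (which has no
//! initializer, and whose constructors are defined outside this header) left the
//! scalars indeterminate unless the .cpp set every one of them. A zero default is
//! a safe "unset"/"unlimited" value for counts and a timeout; how each zero is
//! interpreted is up to the .cpp (noted per field).
struct config_s {
  //! Print statistics after each execution (see SymbolicExplorator::printStat). Off by default.
  bool stats = false;
  //! Directory name used when seeds are written out; presumably passed as `dir` to
  //! writeSeedOnDisk -- confirm in the .cpp. Relative paths resolve against the cwd,
  //! so a caller taking this from untrusted input should validate it first.
  std::string workspace = "workspace";
  //! Address at which a trace is considered finished. 0 means "not set"; whether the
  //! .cpp treats 0 specially must be confirmed there.
  triton::uint64 end_point = 0;
  //! Presumably the number of solver models requested per symbolized effective address
  //! (see symbolizeEffectiveAddress) -- confirm in the .cpp. 0 = not set.
  triton::usize ea_model = 0;
  //! Presumably the number of solver models requested per branch -- confirm in the .cpp. 0 = not set.
  triton::usize jmp_model = 0;
  //! Maximum number of instructions per execution; 0 = no limit (presumed -- confirm in the .cpp).
  //! Bounding this is the guard against a trace that never reaches end_point.
  triton::usize limit_inst = 0;
  //! Solver timeout in seconds; 0 = no timeout (presumed -- confirm in the .cpp).
  triton::usize timeout = 0; /* seconds */
};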
//! Instruction callback signature: a comparable functor invoked with the live
//! triton::Context and returning a triton::callbacks::cb_state_e that tells the
//! explorator how to proceed. Registered per address via
//! SymbolicExplorator::hookInstruction and stored in `instHooks`.
using instCallback = triton::ComparableFunctor<triton::callbacks::cb_state_e(triton::Context*)>;
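/*! \class SymbolicExplorator
    \brief The symbolic explorator class.

    Drives repeated executions of a program under a triton::Context: each Seed from
    the worklist is injected, one trace is run, new inputs are derived from the path
    constraints (findNewInputs) and recorded in the path tree / donelist, and coverage
    is accumulated per instruction address.

    Ownership note (review): `ini_ctx` and `bck_ctx` are raw pointers whose ownership
    is not expressed by the type, and the constructors/destructor are defined outside
    this header. If the destructor frees `bck_ctx`, the implicitly generated copy
    operations would double-free -- TODO confirm in ttexplore.cpp; the copy operations
    are left untouched here to keep the interface unchanged.

    Changes in this declaration vs. the previous revision: every data member has a
    default member initializer so a partially-initialising constructor cannot leave
    counters or pointers indeterminate (the .cpp's mem-initializers still win), and a
    comment typo was fixed. No signature was changed. */
class SymbolicExplorator {
  private:
    //! Execute one trace for the given seed.
    void run(const Seed& seed);

    //! Init the worklist.
    void initWorklist(void);

    //! Snapshot context from src to dst.
    void snapshotContext(triton::Context* dst, triton::Context* src);

    //! Find new inputs and update the path tree.
    void findNewInputs(void);

    //! Inject a seed into the state.
    void injectSeed(const Seed& seed);

    //! Pretty print a seed.
    std::stringstream seedRepr(void);

    //! Print stats at each execution.
    void printStat(void);

    //! Symbolize LOAD and STORE accesses.
    void symbolizeEffectiveAddress(const triton::arch::Instruction& inst);

    //! Build the path encoding (the list of addresses that keys `donelist`).
    std::list<triton::uint64> buildPathAddrs(void);

    //! Convert a seed to a vector of bytes.
    std::vector<triton::uint8> seed2vector(const Seed& seed);

    //! Write the seed into the given directory. The directory string ends up in a
    //! filesystem path, so callers must pass a trusted, validated location.
    void writeSeedOnDisk(const std::string& dir, const Seed& seed);

    //! Execute a ret instruction according to the architecture.
    void asmret(void);

  protected:
    //! Number of executions.
    triton::usize nbexec = 0;

    //! Number of sat.
    triton::usize nbsat = 0;

    //! Number of unsat.
    triton::usize nbunsat = 0;

    //! Number of timeout.
    triton::usize nbtimeout = 0;

    //! Initial context. Set by initContext / the ctx constructor; null until then.
    triton::Context* ini_ctx = nullptr;

    //! Backup context (target of snapshotContext). Null until the .cpp creates it.
    triton::Context* bck_ctx = nullptr;

    //! Worklist of seeds still to be executed.
    std::list<Seed> worklist;

    //! Donelist: path encodings (see buildPathAddrs) already explored.
    std::set<std::list<triton::uint64>> donelist;

    //! The coverage map <inst addr: number of hits>
    std::unordered_map<triton::uint64, triton::usize> coverage;

    //! Hook instructions: <plt addr : cb>
    std::map<triton::uint64, instCallback> instHooks;

  public:
    //! Exploration parameters; see config_s for the meaning and default of each field.
    struct config_s config;

    //! Constructor.
    TRITON_EXPORT SymbolicExplorator();

    //! Constructor from an existing context. Kept non-explicit to preserve the
    //! public interface; prefer not to rely on the implicit Context* conversion.
    TRITON_EXPORT SymbolicExplorator(triton::Context* ctx);

    //! Destructor.
    TRITON_EXPORT ~SymbolicExplorator();

    //! Init context.
    TRITON_EXPORT void initContext(triton::Context* ctx);

    //! Explore the program.
    TRITON_EXPORT void explore(void);

    //! Dump the code coverage.
    TRITON_EXPORT void dumpCoverage(void);

    //! Add callback: register `fn` to be invoked when execution reaches `addr`.
    //! Registering the same address twice is resolved by std::map semantics in the
    //! .cpp (insert vs. overwrite not visible here -- confirm).
    TRITON_EXPORT void hookInstruction(triton::uint64 addr, instCallback fn);
};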
/*! @} End of exploration namespace */
};
/*! @} End of engines namespace */
};
/*! @} End of triton namespace */
};
#endif /* TRITON_TTEXPLORE_H */