本文整理汇总了C++中AnalysisProcessor::buildSymbolicMemOperand方法的典型用法代码示例。如果您正苦于以下问题:C++ AnalysisProcessor::buildSymbolicMemOperand方法的具体用法?C++ AnalysisProcessor::buildSymbolicMemOperand怎么用?C++ AnalysisProcessor::buildSymbolicMemOperand使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类AnalysisProcessor的用法示例。
在下文中一共展示了AnalysisProcessor::buildSymbolicMemOperand方法的14个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: regMem
void MovzxIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1;
uint32_t readSize = this->operands[1].getSize();
uint64_t mem = this->operands[1].getValue();
uint64_t reg = this->operands[0].getValue();
uint64_t regSize = this->operands[0].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicMemOperand(mem, readSize);
/* Final expr */
expr << smt2lib::zx(op1.str(), (regSize * REG_SIZE) - (readSize * REG_SIZE));
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se, reg, mem, readSize);
}示例2: regMem
void MovzxIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1;
auto memSize = this->operands[1].getMem().getSize();
auto mem = this->operands[1].getMem().getAddress();
auto reg = this->operands[0].getReg().getTritonRegId();
auto regSize = this->operands[0].getReg().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicMemOperand(mem, memSize);
/* Final expr */
expr = smt2lib::zx((regSize * REG_SIZE) - (memSize * REG_SIZE), op1);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se, reg, mem, memSize);
}示例3: memImm
void RcrIRBuilder::memImm(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se1, *se2;
smt2lib::smtAstAbstractNode *expr, *op1, *op2, *cf, *res;
uint32 writeSize = this->operands[0].getSize();
uint64 mem = this->operands[0].getValue();
uint64 imm = this->operands[1].getValue();
/* Create the SMT semantic */
cf = ap.buildSymbolicFlagOperand(ID_CF);
op1 = ap.buildSymbolicMemOperand(mem, writeSize);
/*
* Note that SMT2-LIB doesn't support expression as rotate's value.
* The op2 must be the concretization's value.
*/
op2 = smt2lib::decimal(imm);
/* Rcl expression */
expr = smt2lib::bvror(
op2,
smt2lib::concat(cf, op1)
);
/* Temporary extended expression */
se1 = ap.createSE(inst, expr, "Temporary Extended Expression");
/* Apply the taint */
ap.assignmentSpreadTaintExprMem(se1, mem, writeSize);
/* Result expression */
res = smt2lib::extract((writeSize * REG_SIZE) - 1, 0, expr);
/* Create the symbolic expression */
se2 = ap.createMemSE(inst, res, mem, writeSize);
/* Apply the taint */
ap.aluSpreadTaintMemMem(se2, mem, mem, writeSize);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfRcl(inst, se1, ap, writeSize, op2); /* Same as RCL */
EflagsBuilder::ofRor(inst, se2, ap, writeSize, op2); /* Same as ROR */
}示例4: regMem
void AndnpsIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, op2;
uint32 readSize = this->operands[1].getSize();
uint64 mem = this->operands[1].getValue();
uint64 reg = this->operands[0].getValue();
uint32 regSize = this->operands[0].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicRegOperand(reg, regSize);
op2 << ap.buildSymbolicMemOperand(mem, readSize);
// Final expr
expr << smt2lib::bvand(smt2lib::bvnot(op1.str()), op2.str());
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.aluSpreadTaintRegMem(se, reg, mem, readSize);
}示例5: regMem
void AndnpsIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2;
auto reg = this->operands[0].getReg();
auto regSize = this->operands[0].getReg().getSize();
auto mem = this->operands[1].getMem();
auto memSize = this->operands[1].getMem().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg, regSize);
op2 = ap.buildSymbolicMemOperand(mem, memSize);
// Final expr
expr = smt2lib::bvand(smt2lib::bvnot(op1), op2);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.aluSpreadTaintRegMem(se, reg, mem, memSize);
}示例6: memReg
void MovhpsIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, op2;
uint32 writeSize = this->operands[0].getSize();
uint64 mem = this->operands[0].getValue();
uint64 reg = this->operands[1].getValue();
uint64 regSize = this->operands[1].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicMemOperand(mem, writeSize);
op2 << ap.buildSymbolicRegOperand(reg, regSize);
expr << smt2lib::extract(127, 64, op2.str());
/* Create the symbolic element */
se = ap.createMemSE(inst, expr, mem, writeSize);
/* Apply the taint */
ap.assignmentSpreadTaintMemReg(se, mem, reg, writeSize);
}示例7: mem
void RetIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1;
uint64_t memSrc = this->operands[0].getValue(); // The dst memory read
uint32_t readSize = this->operands[0].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicMemOperand(memSrc, readSize);
/* Finale expr */
expr << op1.str();
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, ID_RIP, REG_SIZE, "RIP");
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se, ID_RIP, memSrc, readSize);
/* Create the SMT semantic side effect */
alignStack(inst, ap);
}示例8: memReg
void RclIRBuilder::memReg(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se1, *se2;
smt2lib::smtAstAbstractNode *expr, *op1, *op2, *cf, *res;
auto memSize = this->operands[0].getMem().getSize();
auto mem = this->operands[0].getMem();
/* Create the SMT semantic */
cf = ap.buildSymbolicFlagOperand(ID_TMP_CF);
op1 = ap.buildSymbolicMemOperand(mem, memSize);
/*
* Note that SMT2-LIB doesn't support expression as rotate's value.
* The op2 must be the concretization's value.
*/
op2 = smt2lib::decimal(ap.getRegisterValue(ID_TMP_RCX) & 0xff); /* 0xff -> There is only CL available */
/* Rcl expression */
expr = smt2lib::bvrol(
op2,
smt2lib::concat(cf, op1)
);
/* Temporary extended expression */
se1 = ap.createSE(inst, expr, "Temporary Extended Expression");
/* Apply the taint */
ap.assignmentSpreadTaintExprMem(se1, mem, memSize);
/* Result expression */
res = smt2lib::extract((memSize * REG_SIZE) - 1, 0, expr);
/* Create the symbolic expression */
se2 = ap.createMemSE(inst, res, mem, memSize);
/* Apply the taint */
ap.aluSpreadTaintMemMem(se2, mem, mem, memSize);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfRcl(inst, se1, ap, memSize, op2);
EflagsBuilder::ofRol(inst, se2, ap, memSize, op2); /* Same as ROL */
}示例9: regMem
void MovlpdIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2;
auto memSize = this->operands[1].getMem().getSize();
auto mem = this->operands[1].getMem().getAddress();
auto reg = this->operands[0].getReg().getTritonRegId();
auto regSize = this->operands[0].getReg().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg, regSize);
op2 = ap.buildSymbolicMemOperand(mem, memSize);
expr = smt2lib::concat(
smt2lib::extract(127, 64, op1), /* Destination[64..127] unchanged */
smt2lib::extract(63, 0, op2) /* Destination[0..63] = Source */
);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se, reg, mem, memSize);
}示例10: regMem
void MovhpdIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, op1, op2;
uint32 readSize = this->operands[1].getSize();
uint64 mem = this->operands[1].getValue();
uint64 reg = this->operands[0].getValue();
uint64 regSize = this->operands[0].getSize();
/* Create the SMT semantic */
op1 << ap.buildSymbolicRegOperand(reg, regSize);
op2 << ap.buildSymbolicMemOperand(mem, readSize);
expr << smt2lib::concat(
smt2lib::extract(63, 0, op2.str()), /* Destination[64..127] = Source */
smt2lib::extract(63, 0, op1.str()) /* Destination[0..63] unchanged */
);
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, reg, regSize);
/* Apply the taint */
ap.assignmentSpreadTaintRegMem(se, reg, mem, readSize);
}示例11: regMem
void ImulIRBuilder::regMem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2, *op3;
uint64 imm = 0;
auto reg1 = this->operands[0].getReg();
auto regSize1 = this->operands[0].getReg().getSize();
auto mem2 = this->operands[1].getMem();
auto memSize2 = this->operands[1].getMem().getSize();
if (this->operands[2].getType() == IRBuilderOperand::IMM)
imm = this->operands[2].getImm().getValue();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(reg1, regSize1);
op2 = ap.buildSymbolicMemOperand(mem2, memSize2);
op3 = smt2lib::bv(imm, memSize2 * REG_SIZE);
/* Case 1 */
if (this->operands[0].isReadOnly()) {
/* Expr */
expr = smt2lib::bvmul(
smt2lib::sx(memSize2 * REG_SIZE, op2),
smt2lib::sx(regSize1 * REG_SIZE, op1)
);
switch (regSize1) {
case BYTE_SIZE:
/* RAX */
se = ap.createRegSE(inst, smt2lib::extract(WORD_SIZE_BIT - 1, 0, expr), ID_TMP_RAX, WORD_SIZE);
ap.aluSpreadTaintRegMem(se, ID_TMP_RAX, mem2, memSize2);
break;
case WORD_SIZE:
/* RDX */
se = ap.createRegSE(inst, smt2lib::extract(DWORD_SIZE_BIT - 1, WORD_SIZE_BIT, expr), ID_TMP_RDX, WORD_SIZE);
ap.aluSpreadTaintRegMem(se, ID_TMP_RDX, mem2, memSize2);
/* RAX */
se = ap.createRegSE(inst, smt2lib::extract(WORD_SIZE_BIT - 1, 0, expr), ID_TMP_RAX, WORD_SIZE);
ap.aluSpreadTaintRegMem(se, ID_TMP_RAX, mem2, memSize2);
break;
case DWORD_SIZE:
/* RDX */
se = ap.createRegSE(inst, smt2lib::extract(QWORD_SIZE_BIT - 1, DWORD_SIZE_BIT, expr), ID_TMP_RDX, DWORD_SIZE);
ap.aluSpreadTaintRegMem(se, ID_TMP_RDX, mem2, memSize2);
/* RAX */
se = ap.createRegSE(inst, smt2lib::extract(DWORD_SIZE_BIT - 1, 0, expr), ID_TMP_RAX, DWORD_SIZE);
ap.aluSpreadTaintRegMem(se, ID_TMP_RAX, mem2, memSize2);
break;
case QWORD_SIZE:
/* RDX */
se = ap.createRegSE(inst, smt2lib::extract(DQWORD_SIZE_BIT - 1, QWORD_SIZE_BIT, expr), ID_TMP_RDX, QWORD_SIZE);
ap.aluSpreadTaintRegMem(se, ID_TMP_RDX, mem2, memSize2);
/* RAX */
se = ap.createRegSE(inst, smt2lib::extract(QWORD_SIZE_BIT - 1, 0, expr), ID_TMP_RAX, QWORD_SIZE);
ap.aluSpreadTaintRegMem(se, ID_TMP_RAX, mem2, memSize2);
break;
default:
throw std::runtime_error("ImulIRBuilder::reg - Invalid operand size");
}
}
/* Case 2 */
else if (this->operands[0].isReadAndWrite()) {
/* Expr */
expr = smt2lib::bvmul(
smt2lib::sx(regSize1 * REG_SIZE, op1),
smt2lib::sx(memSize2 * REG_SIZE, op2)
);
/* Create the symbolic expression */
se = ap.createRegSE(inst, smt2lib::extract((regSize1 * REG_SIZE) - 1, 0, expr), reg1, regSize1);
/* Apply the taint */
ap.aluSpreadTaintRegMem(se, reg1, mem2, memSize2);
}
/* Case 3 */
else if (this->operands[0].isWriteOnly()) {
/* Expr */
expr = smt2lib::bvmul(
smt2lib::sx(memSize2 * REG_SIZE, op2),
smt2lib::sx(memSize2 * REG_SIZE, op3)
);
/* Create the symbolic expression */
se = ap.createRegSE(inst, smt2lib::extract((regSize1 * REG_SIZE) - 1, 0, expr), reg1, regSize1);
/* Apply the taint */
ap.aluSpreadTaintRegMem(se, reg1, mem2, memSize2);
}
else {
throw std::runtime_error("ImulIRBuilder::regReg - Invalid operand");
}
//.........这里部分代码省略.........
示例12: mem
void IdivIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicElement *se;
std::stringstream expr, result, dividend, divisor, mod;
uint64 mem = this->operands[0].getValue();
uint32 memSize = this->operands[0].getSize();
/* Create the SMT semantic */
divisor << ap.buildSymbolicMemOperand(mem, memSize);
switch (memSize) {
case BYTE_SIZE:
/* AX */
dividend << ap.buildSymbolicRegOperand(ID_RAX, WORD_SIZE);
/* res = AX / Source */
result << smt2lib::bvsdiv(dividend.str(), smt2lib::sx(divisor.str(), BYTE_SIZE_BIT));
/* mod = AX % Source */
mod << smt2lib::bvsrem(dividend.str(), smt2lib::sx(divisor.str(), BYTE_SIZE_BIT));
/* AH = mod */
/* AL = res */
expr << smt2lib::concat(
smt2lib::extract(7, 0, mod.str()), /* AH = mod */
smt2lib::extract(7, 0, result.str()) /* AL = res */
);
/* Create the symbolic element */
se = ap.createRegSE(inst, expr, ID_RAX, WORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegMem(se, ID_RAX, mem, memSize);
break;
case WORD_SIZE:
/* DX:AX */
dividend << smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, WORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, WORD_SIZE));
/* res = DX:AX / Source */
result << smt2lib::extract(15, 0, smt2lib::bvsdiv(dividend.str(), smt2lib::sx(divisor.str(), WORD_SIZE_BIT)));
/* mod = DX:AX % Source */
mod << smt2lib::extract(15, 0, smt2lib::bvsrem(dividend.str(), smt2lib::sx(divisor.str(), WORD_SIZE_BIT)));
/* Create the symbolic element for AX */
se = ap.createRegSE(inst, result, ID_RAX, WORD_SIZE);
/* Apply the taint for AX */
ap.aluSpreadTaintRegMem(se, ID_RAX, mem, memSize);
/* Create the symbolic element for DX */
se = ap.createRegSE(inst, mod, ID_RDX, WORD_SIZE);
/* Apply the taint for DX */
ap.aluSpreadTaintRegMem(se, ID_RDX, mem, memSize);
break;
case DWORD_SIZE:
/* EDX:EAX */
dividend << smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, DWORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, DWORD_SIZE));
/* res = EDX:EAX / Source */
result << smt2lib::extract(31, 0, smt2lib::bvsdiv(dividend.str(), smt2lib::sx(divisor.str(), DWORD_SIZE_BIT)));
/* mod = EDX:EAX % Source */
mod << smt2lib::extract(31, 0, smt2lib::bvsrem(dividend.str(), smt2lib::sx(divisor.str(), DWORD_SIZE_BIT)));
/* Create the symbolic element for EAX */
se = ap.createRegSE(inst, result, ID_RAX, DWORD_SIZE);
/* Apply the taint for EAX */
ap.aluSpreadTaintRegMem(se, ID_RAX, mem, memSize);
/* Create the symbolic element for EDX */
se = ap.createRegSE(inst, mod, ID_RDX, DWORD_SIZE);
/* Apply the taint for EDX */
ap.aluSpreadTaintRegMem(se, ID_RDX, mem, memSize);
break;
case QWORD_SIZE:
/* RDX:RAX */
dividend << smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, QWORD_SIZE), ap.buildSymbolicRegOperand(ID_RDX, QWORD_SIZE));
/* res = RDX:RAX / Source */
result << smt2lib::extract(63, 0, smt2lib::bvsdiv(dividend.str(), smt2lib::sx(divisor.str(), QWORD_SIZE_BIT)));
/* mod = RDX:RAX % Source */
mod << smt2lib::extract(63, 0, smt2lib::bvsrem(dividend.str(), smt2lib::sx(divisor.str(), QWORD_SIZE_BIT)));
/* Create the symbolic element for RAX */
se = ap.createRegSE(inst, result, ID_RAX, QWORD_SIZE);
/* Apply the taint for RAX */
ap.aluSpreadTaintRegMem(se, ID_RAX, mem, memSize);
/* Create the symbolic element for RDX */
se = ap.createRegSE(inst, mod, ID_RDX, QWORD_SIZE);
/* Apply the taint for RDX */
ap.aluSpreadTaintRegMem(se, ID_RDX, mem, memSize);
break;
}
}示例13: mem
void DivIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *result, *dividend, *divisor, *mod;
auto mem = this->operands[0].getMem().getAddress();
auto memSize = this->operands[0].getMem().getSize();
/* Create the SMT semantic */
divisor = ap.buildSymbolicMemOperand(mem, memSize);
switch (memSize) {
case BYTE_SIZE:
/* AX */
dividend = ap.buildSymbolicRegOperand(ID_RAX, WORD_SIZE);
/* res = AX / Source */
result = smt2lib::bvudiv(dividend, smt2lib::zx(BYTE_SIZE_BIT, divisor));
/* mod = AX % Source */
mod = smt2lib::bvurem(dividend, smt2lib::zx(BYTE_SIZE_BIT, divisor));
/* AH = mod */
/* AL = res */
expr = smt2lib::concat(
smt2lib::extract(7, 0, mod), /* AH = mod */
smt2lib::extract(7, 0, result) /* AL = res */
);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, ID_RAX, WORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegMem(se, ID_RAX, mem, memSize);
break;
case WORD_SIZE:
/* DX:AX */
dividend = smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, WORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, WORD_SIZE));
/* res = DX:AX / Source */
result = smt2lib::extract(15, 0, smt2lib::bvudiv(dividend, smt2lib::zx(WORD_SIZE_BIT, divisor)));
/* mod = DX:AX % Source */
mod = smt2lib::extract(15, 0, smt2lib::bvurem(dividend, smt2lib::zx(WORD_SIZE_BIT, divisor)));
/* Create the symbolic expression for AX */
se = ap.createRegSE(inst, result, ID_RAX, WORD_SIZE);
/* Apply the taint for AX */
ap.aluSpreadTaintRegMem(se, ID_RAX, mem, memSize);
/* Create the symbolic expression for DX */
se = ap.createRegSE(inst, mod, ID_RDX, WORD_SIZE);
/* Apply the taint for DX */
ap.aluSpreadTaintRegMem(se, ID_RDX, mem, memSize);
break;
case DWORD_SIZE:
/* EDX:EAX */
dividend = smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, DWORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, DWORD_SIZE));
/* res = EDX:EAX / Source */
result = smt2lib::extract(31, 0, smt2lib::bvudiv(dividend, smt2lib::zx(DWORD_SIZE_BIT, divisor)));
/* mod = EDX:EAX % Source */
mod = smt2lib::extract(31, 0, smt2lib::bvurem(dividend, smt2lib::zx(DWORD_SIZE_BIT, divisor)));
/* Create the symbolic expression for EAX */
se = ap.createRegSE(inst, result, ID_RAX, DWORD_SIZE);
/* Apply the taint for EAX */
ap.aluSpreadTaintRegMem(se, ID_RAX, mem, memSize);
/* Create the symbolic expression for EDX */
se = ap.createRegSE(inst, mod, ID_RDX, DWORD_SIZE);
/* Apply the taint for EDX */
ap.aluSpreadTaintRegMem(se, ID_RDX, mem, memSize);
break;
case QWORD_SIZE:
/* RDX:RAX */
dividend = smt2lib::concat(ap.buildSymbolicRegOperand(ID_RDX, QWORD_SIZE), ap.buildSymbolicRegOperand(ID_RAX, QWORD_SIZE));
/* res = RDX:RAX / Source */
result = smt2lib::extract(63, 0, smt2lib::bvudiv(dividend, smt2lib::zx(QWORD_SIZE_BIT, divisor)));
/* mod = RDX:RAX % Source */
mod = smt2lib::extract(63, 0, smt2lib::bvurem(dividend, smt2lib::zx(QWORD_SIZE_BIT, divisor)));
/* Create the symbolic expression for RAX */
se = ap.createRegSE(inst, result, ID_RAX, QWORD_SIZE);
/* Apply the taint for RAX */
ap.aluSpreadTaintRegMem(se, ID_RAX, mem, memSize);
/* Create the symbolic expression for RDX */
se = ap.createRegSE(inst, mod, ID_RDX, QWORD_SIZE);
/* Apply the taint for RDX */
ap.aluSpreadTaintRegMem(se, ID_RDX, mem, memSize);
break;
}
}示例14: mem
void MulIRBuilder::mem(AnalysisProcessor &ap, Inst &inst) const {
SymbolicExpression *se;
smt2lib::smtAstAbstractNode *expr, *op1, *op2, *rax, *rdx;
auto mem = this->operands[0].getMem();
auto memSize = this->operands[0].getMem().getSize();
/* Create the SMT semantic */
op1 = ap.buildSymbolicRegOperand(ID_TMP_RAX, memSize);
op2 = ap.buildSymbolicMemOperand(mem, memSize);
switch (memSize) {
/* AX = AL * r/m8 */
case BYTE_SIZE:
/* Final expr */
expr = smt2lib::bvmul(
smt2lib::zx(BYTE_SIZE_BIT, op1),
smt2lib::zx(BYTE_SIZE_BIT, op2)
);
/* Create the symbolic expression */
se = ap.createRegSE(inst, expr, ID_TMP_RAX, WORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegMem(se, ID_TMP_RAX, mem, memSize);
/* Add the symbolic flags expression to the current inst */
rax = smt2lib::extract((WORD_SIZE_BIT - 1), BYTE_SIZE_BIT, expr);
EflagsBuilder::cfMul(inst, se, ap, memSize, rax);
EflagsBuilder::ofMul(inst, se, ap, memSize, rax);
break;
/* DX:AX = AX * r/m16 */
case WORD_SIZE:
/* Final expr */
expr = smt2lib::bvmul(
smt2lib::zx(WORD_SIZE_BIT, op1),
smt2lib::zx(WORD_SIZE_BIT, op2)
);
rax = smt2lib::extract((WORD_SIZE_BIT - 1), 0, expr);
rdx = smt2lib::extract((DWORD_SIZE_BIT - 1), WORD_SIZE_BIT, expr);
/* Create the symbolic expression for AX */
se = ap.createRegSE(inst, rax, ID_TMP_RAX, WORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegMem(se, ID_TMP_RAX, mem, memSize);
/* Create the symbolic expression for DX */
se = ap.createRegSE(inst, rdx, ID_TMP_RDX, WORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegMem(se, ID_TMP_RDX, mem, memSize);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfMul(inst, se, ap, memSize, rdx);
EflagsBuilder::ofMul(inst, se, ap, memSize, rdx);
break;
/* EDX:EAX = EAX * r/m32 */
case DWORD_SIZE:
/* Final expr */
expr = smt2lib::bvmul(
smt2lib::zx(DWORD_SIZE_BIT, op1),
smt2lib::zx(DWORD_SIZE_BIT, op2)
);
rax = smt2lib::extract((DWORD_SIZE_BIT - 1), 0, expr);
rdx = smt2lib::extract((QWORD_SIZE_BIT - 1), DWORD_SIZE_BIT, expr);
/* Create the symbolic expression for EAX */
se = ap.createRegSE(inst, rax, ID_TMP_RAX, DWORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegMem(se, ID_TMP_RAX, mem, memSize);
/* Create the symbolic expression for EDX */
se = ap.createRegSE(inst, rdx, ID_TMP_RDX, DWORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegMem(se, ID_TMP_RDX, mem, memSize);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfMul(inst, se, ap, memSize, rdx);
EflagsBuilder::ofMul(inst, se, ap, memSize, rdx);
break;
/* RDX:RAX = RAX * r/m64 */
case QWORD_SIZE:
/* Final expr */
expr = smt2lib::bvmul(
smt2lib::zx(QWORD_SIZE_BIT, op1),
smt2lib::zx(QWORD_SIZE_BIT, op2)
);
rax = smt2lib::extract((QWORD_SIZE_BIT - 1), 0, expr);
rdx = smt2lib::extract((DQWORD_SIZE_BIT - 1), QWORD_SIZE_BIT, expr);
/* Create the symbolic expression for RAX */
se = ap.createRegSE(inst, rax, ID_TMP_RAX, QWORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegMem(se, ID_TMP_RAX, mem, memSize);
/* Create the symbolic expression for RDX */
se = ap.createRegSE(inst, rdx, ID_TMP_RDX, QWORD_SIZE);
/* Apply the taint */
ap.aluSpreadTaintRegMem(se, ID_TMP_RDX, mem, memSize);
/* Add the symbolic flags expression to the current inst */
EflagsBuilder::cfMul(inst, se, ap, memSize, rdx);
EflagsBuilder::ofMul(inst, se, ap, memSize, rdx);
break;
}
}