libTriton version 1.0 build 1590
Loading...
Searching...
No Matches
aarch64Semantics.cpp
Go to the documentation of this file.
1
2/*
3** Copyright (C) - Triton
4**
5** This program is under the terms of the Apache License 2.0.
6*/
7
8#include <utility>
9#include <triton/aarch64Semantics.hpp>
10#include <triton/aarch64Specifications.hpp>
11#include <triton/astContext.hpp>
12#include <triton/cpuSize.hpp>
13#include <triton/exceptions.hpp>
14
15
16
204namespace triton {
205 namespace arch {
206 namespace arm {
207 namespace aarch64 {
208
209 AArch64Semantics::AArch64Semantics(triton::arch::Architecture* architecture,
210 triton::engines::symbolic::SymbolicEngine* symbolicEngine,
211 triton::engines::taint::TaintEngine* taintEngine,
212 const triton::ast::SharedAstContext& astCtxt) : astCtxt(astCtxt) {
213
214 this->architecture = architecture;
215 this->exception = triton::arch::NO_FAULT;
216 this->symbolicEngine = symbolicEngine;
217 this->taintEngine = taintEngine;
218
219 if (architecture == nullptr)
220 throw triton::exceptions::Semantics("AArch64Semantics::AArch64Semantics(): The architecture API must be defined.");
221
222 if (this->symbolicEngine == nullptr)
223 throw triton::exceptions::Semantics("AArch64Semantics::AArch64Semantics(): The symbolic engine API must be defined.");
224
225 if (this->taintEngine == nullptr)
226 throw triton::exceptions::Semantics("AArch64Semantics::AArch64Semantics(): The taint engines API must be defined.");
227 }
228
229
230 triton::arch::exception_e AArch64Semantics::buildSemantics(triton::arch::Instruction& inst) {
231 this->exception = triton::arch::NO_FAULT;
232 switch (inst.getType()) {
233 case ID_INS_ADC: this->adc_s(inst); break;
234 case ID_INS_ADD: this->add_s(inst); break;
235 case ID_INS_ADR: this->adr_s(inst); break;
236 case ID_INS_ADRP: this->adrp_s(inst); break;
237 case ID_INS_AND: this->and_s(inst); break;
238 case ID_INS_ASR: this->asr_s(inst); break;
239 case ID_INS_B: this->b_s(inst); break;
240 case ID_INS_BFI: this->bfi_s(inst); break;
241 case ID_INS_BFXIL: this->bfxil_s(inst); break;
242 case ID_INS_BIC: this->bic_s(inst); break;
243 case ID_INS_BL: this->bl_s(inst); break;
244 case ID_INS_BLR: this->blr_s(inst); break;
245 case ID_INS_BR: this->br_s(inst); break;
246 case ID_INS_BRK: this->brk_s(inst); break;
247 case ID_INS_CBNZ: this->cbnz_s(inst); break;
248 case ID_INS_CBZ: this->cbz_s(inst); break;
249 case ID_INS_CCMP: this->ccmp_s(inst); break;
250 case ID_INS_CINC: this->cinc_s(inst); break;
251 case ID_INS_CLZ: this->clz_s(inst); break;
252 case ID_INS_CMN: this->cmn_s(inst); break;
253 case ID_INS_CMP: this->cmp_s(inst); break;
254 case ID_INS_CNEG: this->cneg_s(inst); break;
255 case ID_INS_CSEL: this->csel_s(inst); break;
256 case ID_INS_CSET: this->cset_s(inst); break;
257 case ID_INS_CSINC: this->csinc_s(inst); break;
258 case ID_INS_CSNEG: this->csneg_s(inst); break;
259 case ID_INS_EON: this->eon_s(inst); break;
260 case ID_INS_EOR: this->eor_s(inst); break;
261 case ID_INS_EXTR: this->extr_s(inst); break;
262 case ID_INS_LD3: this->ld3_s(inst); break;
263 case ID_INS_LD3R: this->ld3r_s(inst); break;
264 case ID_INS_LD4: this->ld4_s(inst); break;
265 case ID_INS_LD4R: this->ld4r_s(inst); break;
266 case ID_INS_LDAR: this->ldar_s(inst); break;
267 case ID_INS_LDARB: this->ldarb_s(inst); break;
268 case ID_INS_LDARH: this->ldarh_s(inst); break;
269 case ID_INS_LDAXR: this->ldaxr_s(inst); break;
270 case ID_INS_LDAXRB: this->ldaxrb_s(inst); break;
271 case ID_INS_LDAXRH: this->ldaxrh_s(inst); break;
272 case ID_INS_LDNP: this->ldnp_s(inst); break;
273 case ID_INS_LDP: this->ldp_s(inst); break;
274 case ID_INS_LDPSW: this->ldpsw_s(inst); break;
275 case ID_INS_LDR: this->ldr_s(inst); break;
276 case ID_INS_LDRB: this->ldrb_s(inst); break;
277 case ID_INS_LDRH: this->ldrh_s(inst); break;
278 case ID_INS_LDRSB: this->ldrsb_s(inst); break;
279 case ID_INS_LDRSH: this->ldrsh_s(inst); break;
280 case ID_INS_LDRSW: this->ldrsw_s(inst); break;
281 case ID_INS_LDTR: this->ldtr_s(inst); break;
282 case ID_INS_LDTRB: this->ldtrb_s(inst); break;
283 case ID_INS_LDTRH: this->ldtrh_s(inst); break;
284 case ID_INS_LDTRSB: this->ldtrsb_s(inst); break;
285 case ID_INS_LDTRSH: this->ldtrsh_s(inst); break;
286 case ID_INS_LDTRSW: this->ldtrsw_s(inst); break;
287 case ID_INS_LDUR: this->ldur_s(inst); break;
288 case ID_INS_LDURB: this->ldurb_s(inst); break;
289 case ID_INS_LDURH: this->ldurh_s(inst); break;
290 case ID_INS_LDURSB: this->ldursb_s(inst); break;
291 case ID_INS_LDURSH: this->ldursh_s(inst); break;
292 case ID_INS_LDURSW: this->ldursw_s(inst); break;
293 case ID_INS_LDXP: this->ldxp_s(inst); break;
294 case ID_INS_LDXR: this->ldxr_s(inst); break;
295 case ID_INS_LDXRB: this->ldxrb_s(inst); break;
296 case ID_INS_LDXRH: this->ldxrh_s(inst); break;
297 case ID_INS_LSL: this->lsl_s(inst); break;
298 case ID_INS_LSR: this->lsr_s(inst); break;
299 case ID_INS_MADD: this->madd_s(inst); break;
300 case ID_INS_MNEG: this->mneg_s(inst); break;
301 case ID_INS_MOV: this->mov_s(inst); break;
302 case ID_INS_MOVI: this->movi_s(inst); break;
303 case ID_INS_MOVK: this->movk_s(inst); break;
304 case ID_INS_MOVN: this->movn_s(inst); break;
305 case ID_INS_MOVZ: this->movz_s(inst); break;
306 case ID_INS_MRS: this->mrs_s(inst); break;
307 case ID_INS_MSR: this->msr_s(inst); break;
308 case ID_INS_MSUB: this->msub_s(inst); break;
309 case ID_INS_MUL: this->mul_s(inst); break;
310 case ID_INS_MVN: this->mvn_s(inst); break;
311 case ID_INS_NEG: this->neg_s(inst); break;
312 case ID_INS_NOP: this->nop_s(inst); break;
313 case ID_INS_ORN: this->orn_s(inst); break;
314 case ID_INS_ORR: this->orr_s(inst); break;
315 case ID_INS_RBIT: this->rbit_s(inst); break;
316 case ID_INS_RET: this->ret_s(inst); break;
317 case ID_INS_REV16: this->rev16_s(inst); break;
318 case ID_INS_REV32: this->rev32_s(inst); break;
319 case ID_INS_REV64: this->rev_s(inst); break;
320 case ID_INS_REV: this->rev_s(inst); break;
321 case ID_INS_ROR: this->ror_s(inst); break;
322 case ID_INS_SBC: this->sbc_s(inst); break;
323 case ID_INS_SBFX: this->sbfx_s(inst); break;
324 case ID_INS_SDIV: this->sdiv_s(inst); break;
325 case ID_INS_SMADDL: this->smaddl_s(inst); break;
326 case ID_INS_SMSUBL: this->smsubl_s(inst); break;
327 case ID_INS_SMULH: this->smulh_s(inst); break;
328 case ID_INS_SMULL: this->smull_s(inst); break;
329 case ID_INS_STLR: this->stlr_s(inst); break;
330 case ID_INS_STLRB: this->stlrb_s(inst); break;
331 case ID_INS_STLRH: this->stlrh_s(inst); break;
332 case ID_INS_STLXR: this->stlxr_s(inst); break;
333 case ID_INS_STLXRB: this->stlxrb_s(inst); break;
334 case ID_INS_STLXRH: this->stlxrh_s(inst); break;
335 case ID_INS_STNP: this->stnp_s(inst); break;
336 case ID_INS_STP: this->stp_s(inst); break;
337 case ID_INS_STR: this->str_s(inst); break;
338 case ID_INS_STRB: this->strb_s(inst); break;
339 case ID_INS_STRH: this->strh_s(inst); break;
340 case ID_INS_STTR: this->sttr_s(inst); break;
341 case ID_INS_STTRB: this->sttrb_s(inst); break;
342 case ID_INS_STTRH: this->sttrh_s(inst); break;
343 case ID_INS_STUR: this->stur_s(inst); break;
344 case ID_INS_STURB: this->sturb_s(inst); break;
345 case ID_INS_STURH: this->sturh_s(inst); break;
346 case ID_INS_STXP: this->stxp_s(inst); break;
347 case ID_INS_STXR: this->stxr_s(inst); break;
348 case ID_INS_STXRB: this->stxrb_s(inst); break;
349 case ID_INS_STXRH: this->stxrh_s(inst); break;
350 case ID_INS_SUB: this->sub_s(inst); break;
351 case ID_INS_SVC: this->svc_s(inst); break;
352 case ID_INS_SXTB: this->sxtb_s(inst); break;
353 case ID_INS_SXTH: this->sxth_s(inst); break;
354 case ID_INS_SXTW: this->sxtw_s(inst); break;
355 case ID_INS_TBNZ: this->tbnz_s(inst); break;
356 case ID_INS_TBZ: this->tbz_s(inst); break;
357 case ID_INS_TST: this->tst_s(inst); break;
358 case ID_INS_UBFIZ: this->ubfiz_s(inst); break;
359 case ID_INS_UBFX: this->ubfx_s(inst); break;
360 case ID_INS_UDIV: this->udiv_s(inst); break;
361 case ID_INS_UMADDL: this->umaddl_s(inst); break;
362 case ID_INS_UMNEGL: this->umnegl_s(inst); break;
363 case ID_INS_UMSUBL: this->umsubl_s(inst); break;
364 case ID_INS_UMULH: this->umulh_s(inst); break;
365 case ID_INS_UMULL: this->umull_s(inst); break;
366 case ID_INS_UXTB: this->uxtb_s(inst); break;
367 case ID_INS_UXTH: this->uxth_s(inst); break;
368 default:
369 this->exception = triton::arch::FAULT_UD;
370 break;
371 }
372 return this->exception;
373 }
374
375
376 void AArch64Semantics::controlFlow_s(triton::arch::Instruction& inst) {
377 auto pc = triton::arch::OperandWrapper(this->architecture->getParentRegister(ID_REG_AARCH64_PC));
378
379 /* Create the semantics */
380 auto node = this->astCtxt->bv(inst.getNextAddress(), pc.getBitSize());
381
382 /* Create symbolic expression */
383 auto expr = this->symbolicEngine->createSymbolicRegisterExpression(inst, node, this->architecture->getParentRegister(ID_REG_AARCH64_PC), "Program Counter");
384
385 /* Spread taint */
386 expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getParentRegister(ID_REG_AARCH64_PC), triton::engines::taint::UNTAINTED);
387 }
388
389
390 triton::ast::SharedAbstractNode AArch64Semantics::getCodeConditionAst(triton::arch::Instruction& inst,
391 triton::ast::SharedAbstractNode& thenNode,
392 triton::ast::SharedAbstractNode& elseNode) {
393
394 switch (inst.getCodeCondition()) {
395 // Always. Any flags. This suffix is normally omitted.
396 case triton::arch::arm::ID_CONDITION_AL: {
397 return thenNode;
398 }
399
400 // Equal. Z set.
401 case triton::arch::arm::ID_CONDITION_EQ: {
402 auto z = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z)));
403 auto node = this->astCtxt->ite(
404 this->astCtxt->equal(z, this->astCtxt->bvtrue()),
405 thenNode,
406 elseNode);
407 return node;
408 }
409
410 // Signed >=. N and V the same.
411 case triton::arch::arm::ID_CONDITION_GE: {
412 auto n = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N)));
413 auto v = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V)));
414 auto node = this->astCtxt->ite(
415 this->astCtxt->equal(n, v),
416 thenNode,
417 elseNode);
418 return node;
419 }
420
421 // Signed >. Z clear, N and V the same.
422 case triton::arch::arm::ID_CONDITION_GT: {
423 auto z = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z)));
424 auto n = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N)));
425 auto v = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V)));
426 auto node = this->astCtxt->ite(
427 this->astCtxt->land(
428 this->astCtxt->equal(z, this->astCtxt->bvfalse()),
429 this->astCtxt->equal(n, v)
430 ),
431 thenNode,
432 elseNode);
433 return node;
434 }
435
436 // Higher (unsigned >). C set and Z clear.
437 case triton::arch::arm::ID_CONDITION_HI: {
438 auto c = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C)));
439 auto z = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z)));
440 auto node = this->astCtxt->ite(
441 this->astCtxt->land(
442 this->astCtxt->equal(c, this->astCtxt->bvtrue()),
443 this->astCtxt->equal(z, this->astCtxt->bvfalse())
444 ),
445 thenNode,
446 elseNode);
447 return node;
448 }
449
450 // Higher or same (unsigned >=). C set.
451 case triton::arch::arm::ID_CONDITION_HS: {
452 auto c = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C)));
453 auto node = this->astCtxt->ite(
454 this->astCtxt->equal(c, this->astCtxt->bvtrue()),
455 thenNode,
456 elseNode);
457 return node;
458 }
459
460 // Signed <=. Z set or N and V differ.
461 case triton::arch::arm::ID_CONDITION_LE: {
462 auto z = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z)));
463 auto n = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N)));
464 auto v = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V)));
465 auto node = this->astCtxt->ite(
466 this->astCtxt->lor(
467 this->astCtxt->equal(z, this->astCtxt->bvtrue()),
468 this->astCtxt->lnot(this->astCtxt->equal(n, v))
469 ),
470 thenNode,
471 elseNode);
472 return node;
473 }
474
475 // Lower (unsigned <). C clear.
476 case triton::arch::arm::ID_CONDITION_LO: {
477 auto c = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C)));
478 auto node = this->astCtxt->ite(
479 this->astCtxt->equal(c, this->astCtxt->bvfalse()),
480 thenNode,
481 elseNode);
482 return node;
483 }
484
485 // Lower or same (unsigned <=). C clear or Z set.
486 case triton::arch::arm::ID_CONDITION_LS: {
487 auto c = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C)));
488 auto z = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z)));
489 auto node = this->astCtxt->ite(
490 this->astCtxt->lor(
491 this->astCtxt->equal(c, this->astCtxt->bvfalse()),
492 this->astCtxt->equal(z, this->astCtxt->bvtrue())
493 ),
494 thenNode,
495 elseNode);
496 return node;
497 }
498
499 // Signed <. N and V differ.
500 case triton::arch::arm::ID_CONDITION_LT: {
501 auto n = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N)));
502 auto v = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V)));
503 auto node = this->astCtxt->ite(
504 this->astCtxt->lnot(this->astCtxt->equal(n, v)),
505 thenNode,
506 elseNode);
507 return node;
508 }
509
510 // Negative. N set.
511 case triton::arch::arm::ID_CONDITION_MI: {
512 auto n = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N)));
513 auto node = this->astCtxt->ite(
514 this->astCtxt->equal(n, this->astCtxt->bvtrue()),
515 thenNode,
516 elseNode);
517 return node;
518 }
519
520 // Not equal. Z clear.
521 case triton::arch::arm::ID_CONDITION_NE: {
522 auto z = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z)));
523 auto node = this->astCtxt->ite(
524 this->astCtxt->equal(z, this->astCtxt->bvfalse()),
525 thenNode,
526 elseNode);
527 return node;
528 }
529
530 // Positive or zero. N clear.
531 case triton::arch::arm::ID_CONDITION_PL: {
532 auto n = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N)));
533 auto node = this->astCtxt->ite(
534 this->astCtxt->equal(n, this->astCtxt->bvfalse()),
535 thenNode,
536 elseNode);
537 return node;
538 }
539
540 // No overflow. V clear.
541 case triton::arch::arm::ID_CONDITION_VC: {
542 auto v = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V)));
543 auto node = this->astCtxt->ite(
544 this->astCtxt->equal(v, this->astCtxt->bvfalse()),
545 thenNode,
546 elseNode);
547 return node;
548 }
549
550 // Overflow. V set.
551 case triton::arch::arm::ID_CONDITION_VS: {
552 auto v = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V)));
553 auto node = this->astCtxt->ite(
554 this->astCtxt->equal(v, this->astCtxt->bvtrue()),
555 thenNode,
556 elseNode);
557 return node;
558 }
559
560 default:
561 /* The instruction don't use condition, so just return the 'then' node */
562 return thenNode;
563 }
564 }
565
566
567 bool AArch64Semantics::getCodeConditionTainteSate(const triton::arch::Instruction& inst) {
568 switch (inst.getCodeCondition()) {
569 // Always. Any flags. This suffix is normally omitted.
570 case triton::arch::arm::ID_CONDITION_AL: {
571 return false;
572 }
573
574 // Equal. Z set.
575 // Not equal. Z clear.
576 case triton::arch::arm::ID_CONDITION_EQ:
577 case triton::arch::arm::ID_CONDITION_NE: {
578 auto z = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z));
579 return this->taintEngine->isTainted(z);
580 }
581
582 // Signed >=. N and V the same.
583 // Signed <. N and V differ.
584 case triton::arch::arm::ID_CONDITION_GE:
585 case triton::arch::arm::ID_CONDITION_LT: {
586 auto n = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N));
587 auto v = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V));
588 return this->taintEngine->isTainted(n) | this->taintEngine->isTainted(v);
589 }
590
591 // Signed >. Z clear, N and V the same.
592 // Signed <=. Z set, N and V differ.
593 case triton::arch::arm::ID_CONDITION_GT:
594 case triton::arch::arm::ID_CONDITION_LE: {
595 auto z = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z));
596 auto n = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N));
597 auto v = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V));
598 return this->taintEngine->isTainted(z) | this->taintEngine->isTainted(n) | this->taintEngine->isTainted(v);
599 }
600
601 // Higher (unsigned >). C set and Z clear.
602 // Lower or same (unsigned <=). C clear or Z set.
603 case triton::arch::arm::ID_CONDITION_HI:
604 case triton::arch::arm::ID_CONDITION_LS: {
605 auto c = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C));
606 auto z = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z));
607 return this->taintEngine->isTainted(c) | this->taintEngine->isTainted(z);
608 }
609
610 // Higher or same (unsigned >=). C set.
611 // Lower (unsigned <). C clear.
612 case triton::arch::arm::ID_CONDITION_HS:
613 case triton::arch::arm::ID_CONDITION_LO: {
614 auto c = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C));
615 return this->taintEngine->isTainted(c);
616 }
617
618 // Negative. N set.
619 // Positive or zero. N clear.
620 case triton::arch::arm::ID_CONDITION_MI:
621 case triton::arch::arm::ID_CONDITION_PL: {
622 auto n = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N));
623 return this->taintEngine->isTainted(n);
624 }
625
626 // No overflow. V clear.
627 // Overflow. V set.
628 case triton::arch::arm::ID_CONDITION_VC:
629 case triton::arch::arm::ID_CONDITION_VS: {
630 auto v = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V));
631 return this->taintEngine->isTainted(v);
632 }
633
634 default:
635 return false;
636 }
637 }
638
639
640 void AArch64Semantics::clearFlag_s(triton::arch::Instruction& inst, const triton::arch::Register& flag, std::string comment) {
641 /* Create the semantics */
642 auto node = this->astCtxt->bv(0, 1);
643
644 /* Create symbolic expression */
645 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, flag, comment);
646
647 /* Spread taint */
648 expr->isTainted = this->taintEngine->setTaintRegister(flag, triton::engines::taint::UNTAINTED);
649 }
650
651
652 void AArch64Semantics::setFlag_s(triton::arch::Instruction& inst, const triton::arch::Register& flag, std::string comment) {
653 /* Create the semantics */
654 auto node = this->astCtxt->bv(1, 1);
655
656 /* Create symbolic expression */
657 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, flag, comment);
658
659 /* Spread taint */
660 expr->isTainted = this->taintEngine->setTaintRegister(flag, triton::engines::taint::UNTAINTED);
661 }
662
663
664 void AArch64Semantics::nf_s(triton::arch::Instruction& inst,
665 const triton::engines::symbolic::SharedSymbolicExpression& parent,
666 triton::arch::OperandWrapper& dst) {
667
668 auto nf = this->architecture->getRegister(ID_REG_AARCH64_N);
669 auto high = dst.getHigh();
670
671 /*
672 * Create the semantic.
673 * nf = MSB(result)
674 */
675 auto node = this->astCtxt->extract(high, high, this->astCtxt->reference(parent));
676
677 /* Create the symbolic expression */
678 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, nf, "Negative flag");
679
680 /* Spread the taint from the parent to the child */
681 expr->isTainted = this->taintEngine->setTaintRegister(nf, parent->isTainted);
682 }
683
684
685 void AArch64Semantics::nfCcmp_s(triton::arch::Instruction& inst,
686 const triton::engines::symbolic::SharedSymbolicExpression& parent,
687 triton::arch::OperandWrapper& dst,
688 triton::ast::SharedAbstractNode& nzcv) {
689
690 auto nf = this->architecture->getRegister(ID_REG_AARCH64_N);
691 auto high = dst.getHigh();
692
693 /*
694 * Create the semantic.
695 * nf = MSB(result) if cond == true else NF(nzcv)
696 */
697 auto node1 = this->astCtxt->extract(high, high, this->astCtxt->reference(parent));
698 auto node2 = this->astCtxt->extract(3, 3, nzcv);
699 auto node3 = this->getCodeConditionAst(inst, node1, node2);
700
701 /* Create the symbolic expression */
702 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node3, nf, "Negative flag");
703
704 /* Spread the taint from the parent to the child */
705 expr->isTainted = this->taintEngine->setTaintRegister(nf, parent->isTainted);
706 }
707
708
709 void AArch64Semantics::zf_s(triton::arch::Instruction& inst,
710 const triton::engines::symbolic::SharedSymbolicExpression& parent,
711 triton::arch::OperandWrapper& dst) {
712
713 auto zf = this->architecture->getRegister(ID_REG_AARCH64_Z);
714 auto bvSize = dst.getBitSize();
715 auto low = dst.getLow();
716 auto high = dst.getHigh();
717
718 /*
719 * Create the semantic.
720 * zf = 0 == result
721 */
722 auto node = this->astCtxt->ite(
723 this->astCtxt->equal(
724 this->astCtxt->extract(high, low, this->astCtxt->reference(parent)),
725 this->astCtxt->bv(0, bvSize)
726 ),
727 this->astCtxt->bv(1, 1),
728 this->astCtxt->bv(0, 1)
729 );
730
731 /* Create the symbolic expression */
732 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, zf, "Zero flag");
733
734 /* Spread the taint from the parent to the child */
735 expr->isTainted = this->taintEngine->setTaintRegister(zf, parent->isTainted);
736 }
737
738
739 void AArch64Semantics::zfCcmp_s(triton::arch::Instruction& inst,
740 const triton::engines::symbolic::SharedSymbolicExpression& parent,
741 triton::arch::OperandWrapper& dst,
742 triton::ast::SharedAbstractNode& nzcv) {
743
744 auto zf = this->architecture->getRegister(ID_REG_AARCH64_Z);
745 auto bvSize = dst.getBitSize();
746 auto low = dst.getLow();
747 auto high = dst.getHigh();
748
749 /*
750 * Create the semantic.
751 * zf = 0 == result if cond == true else ZF(nzcv)
752 */
753 auto node1 = this->astCtxt->ite(
754 this->astCtxt->equal(
755 this->astCtxt->extract(high, low, this->astCtxt->reference(parent)),
756 this->astCtxt->bv(0, bvSize)
757 ),
758 this->astCtxt->bv(1, 1),
759 this->astCtxt->bv(0, 1)
760 );
761 auto node2 = this->astCtxt->extract(2, 2, nzcv);
762 auto node3 = this->getCodeConditionAst(inst, node1, node2);
763
764 /* Create the symbolic expression */
765 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node3, zf, "Zero flag");
766
767 /* Spread the taint from the parent to the child */
768 expr->isTainted = this->taintEngine->setTaintRegister(zf, parent->isTainted);
769 }
770
771
772 void AArch64Semantics::cfAdd_s(triton::arch::Instruction& inst,
773 const triton::engines::symbolic::SharedSymbolicExpression& parent,
774 triton::arch::OperandWrapper& dst,
775 triton::ast::SharedAbstractNode& op1,
776 triton::ast::SharedAbstractNode& op2) {
777
778 auto cf = this->architecture->getRegister(ID_REG_AARCH64_C);
779 auto bvSize = dst.getBitSize();
780 auto low = dst.getLow();
781 auto high = dst.getHigh();
782
783 /*
784 * Create the semantic.
785 * cf = MSB((op1 & op2) ^ ((op1 ^ op2 ^ result) & (op1 ^ op2)));
786 */
787 auto node = this->astCtxt->extract(bvSize-1, bvSize-1,
788 this->astCtxt->bvxor(
789 this->astCtxt->bvand(op1, op2),
790 this->astCtxt->bvand(
791 this->astCtxt->bvxor(
792 this->astCtxt->bvxor(op1, op2),
793 this->astCtxt->extract(high, low, this->astCtxt->reference(parent))
794 ),
795 this->astCtxt->bvxor(op1, op2))
796 )
797 );
798
799 /* Create the symbolic expression */
800 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, cf, "Carry flag");
801
802 /* Spread the taint from the parent to the child */
803 expr->isTainted = this->taintEngine->setTaintRegister(cf, parent->isTainted);
804 }
805
806
807 void AArch64Semantics::cfSub_s(triton::arch::Instruction& inst,
808 const triton::engines::symbolic::SharedSymbolicExpression& parent,
809 triton::arch::OperandWrapper& dst,
810 triton::ast::SharedAbstractNode& op1,
811 triton::ast::SharedAbstractNode& op2) {
812
813 auto cf = this->architecture->getRegister(ID_REG_AARCH64_C);
814 auto bvSize = dst.getBitSize();
815 auto low = dst.getLow();
816 auto high = dst.getHigh();
817
818 /*
819 * Create the semantic.
820 * cf = (MSB(((op1 ^ op2 ^ result) ^ ((op1 ^ result) & (op1 ^ op2))))) ^ 1
821 */
822 auto node = this->astCtxt->bvxor(
823 this->astCtxt->extract(bvSize-1, bvSize-1,
824 this->astCtxt->bvxor(
825 this->astCtxt->bvxor(op1, this->astCtxt->bvxor(op2, this->astCtxt->extract(high, low, this->astCtxt->reference(parent)))),
826 this->astCtxt->bvand(
827 this->astCtxt->bvxor(op1, this->astCtxt->extract(high, low, this->astCtxt->reference(parent))),
828 this->astCtxt->bvxor(op1, op2)
829 )
830 )
831 ),
832 this->astCtxt->bvtrue()
833 );
834
835 /* Create the symbolic expression */
836 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, cf, "Carry flag");
837
838 /* Spread the taint from the parent to the child */
839 expr->isTainted = this->taintEngine->setTaintRegister(cf, parent->isTainted);
840 }
841
842
843 void AArch64Semantics::cfCcmp_s(triton::arch::Instruction& inst,
844 const triton::engines::symbolic::SharedSymbolicExpression& parent,
845 triton::arch::OperandWrapper& dst,
846 triton::ast::SharedAbstractNode& op1,
847 triton::ast::SharedAbstractNode& op2,
848 triton::ast::SharedAbstractNode& nzcv) {
849
850 auto cf = this->architecture->getRegister(ID_REG_AARCH64_C);
851 auto bvSize = dst.getBitSize();
852 auto low = dst.getLow();
853 auto high = dst.getHigh();
854
855 /*
856 * Create the semantic.
857 * if cond == true:
858 * cf = (MSB(((op1 ^ op2 ^ result) ^ ((op1 ^ result) & (op1 ^ op2))))) ^ 1
859 * else
860 * cf = CF(nzcv)
861 */
862 auto node1 = this->astCtxt->bvxor(
863 this->astCtxt->extract(bvSize-1, bvSize-1,
864 this->astCtxt->bvxor(
865 this->astCtxt->bvxor(op1, this->astCtxt->bvxor(op2, this->astCtxt->extract(high, low, this->astCtxt->reference(parent)))),
866 this->astCtxt->bvand(
867 this->astCtxt->bvxor(op1, this->astCtxt->extract(high, low, this->astCtxt->reference(parent))),
868 this->astCtxt->bvxor(op1, op2)
869 )
870 )
871 ),
872 this->astCtxt->bvtrue()
873 );
874 auto node2 = this->astCtxt->extract(1, 1, nzcv);
875 auto node3 = this->getCodeConditionAst(inst, node1, node2);
876
877 /* Create the symbolic expression */
878 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node3, cf, "Carry flag");
879
880 /* Spread the taint from the parent to the child */
881 expr->isTainted = this->taintEngine->setTaintRegister(cf, parent->isTainted);
882 }
883
884
885 void AArch64Semantics::vfAdd_s(triton::arch::Instruction& inst,
886 const triton::engines::symbolic::SharedSymbolicExpression& parent,
887 triton::arch::OperandWrapper& dst,
888 triton::ast::SharedAbstractNode& op1,
889 triton::ast::SharedAbstractNode& op2) {
890
891 auto vf = this->architecture->getRegister(ID_REG_AARCH64_V);
892 auto bvSize = dst.getBitSize();
893 auto low = dst.getLow();
894 auto high = dst.getHigh();
895
896 /*
897 * Create the semantic.
898 * vf = MSB((op1 ^ ~op2) & (op1 ^ result))
899 */
900 auto node = this->astCtxt->extract(bvSize-1, bvSize-1,
901 this->astCtxt->bvand(
902 this->astCtxt->bvxor(op1, this->astCtxt->bvnot(op2)),
903 this->astCtxt->bvxor(op1, this->astCtxt->extract(high, low, this->astCtxt->reference(parent)))
904 )
905 );
906
907 /* Create the symbolic expression */
908 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, vf, "Overflow flag");
909
910 /* Spread the taint from the parent to the child */
911 expr->isTainted = this->taintEngine->setTaintRegister(vf, parent->isTainted);
912 }
913
914
915 void AArch64Semantics::vfSub_s(triton::arch::Instruction& inst,
916 const triton::engines::symbolic::SharedSymbolicExpression& parent,
917 triton::arch::OperandWrapper& dst,
918 triton::ast::SharedAbstractNode& op1,
919 triton::ast::SharedAbstractNode& op2) {
920
921 auto vf = this->architecture->getRegister(ID_REG_AARCH64_V);
922 auto bvSize = dst.getBitSize();
923 auto low = dst.getLow();
924 auto high = dst.getHigh();
925
926 /*
927 * Create the semantic.
928 * vf = MSB((op1 ^ op2) & (op1 ^ result))
929 */
930 auto node = this->astCtxt->extract(bvSize-1, bvSize-1,
931 this->astCtxt->bvand(
932 this->astCtxt->bvxor(op1, op2),
933 this->astCtxt->bvxor(op1, this->astCtxt->extract(high, low, this->astCtxt->reference(parent)))
934 )
935 );
936
937 /* Create the symbolic expression */
938 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, vf, "Overflow flag");
939
940 /* Spread the taint from the parent to the child */
941 expr->isTainted = this->taintEngine->setTaintRegister(vf, parent->isTainted);
942 }
943
944
945 void AArch64Semantics::vfCcmp_s(triton::arch::Instruction& inst,
946 const triton::engines::symbolic::SharedSymbolicExpression& parent,
947 triton::arch::OperandWrapper& dst,
948 triton::ast::SharedAbstractNode& op1,
949 triton::ast::SharedAbstractNode& op2,
950 triton::ast::SharedAbstractNode& nzcv) {
951
952 auto vf = this->architecture->getRegister(ID_REG_AARCH64_V);
953 auto bvSize = dst.getBitSize();
954 auto low = dst.getLow();
955 auto high = dst.getHigh();
956
957 /*
958 * Create the semantic.
959 * if cond == true:
960 * vf = MSB((op1 ^ op2) & (op1 ^ result))
961 * else:
962 * vf = VF(nzcv)
963 */
964 auto node1 = this->astCtxt->extract(bvSize-1, bvSize-1,
965 this->astCtxt->bvand(
966 this->astCtxt->bvxor(op1, op2),
967 this->astCtxt->bvxor(op1, this->astCtxt->extract(high, low, this->astCtxt->reference(parent)))
968 )
969 );
970 auto node2 = this->astCtxt->extract(0, 0, nzcv);
971 auto node3 = this->getCodeConditionAst(inst, node1, node2);
972
973 /* Create the symbolic expression */
974 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node3, vf, "Overflow flag");
975
976 /* Spread the taint from the parent to the child */
977 expr->isTainted = this->taintEngine->setTaintRegister(vf, parent->isTainted);
978 }
979
980
981 void AArch64Semantics::adc_s(triton::arch::Instruction& inst) {
982 auto& dst = inst.operands[0];
983 auto& src1 = inst.operands[1];
984 auto& src2 = inst.operands[2];
985 auto cf = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C));
986
987 /* Create symbolic operands */
988 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
989 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
990 auto op3 = this->symbolicEngine->getOperandAst(inst, cf);
991
992 /* Create the semantics */
993 auto node = this->astCtxt->bvadd(this->astCtxt->bvadd(op1, op2), this->astCtxt->zx(dst.getBitSize()-1, op3));
994
995 /* Create symbolic expression */
996 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ADC(S) operation");
997
998 /* Spread taint */
999 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(cf));
1000
1001 /* Update symbolic flags */
1002 if (inst.isUpdateFlag() == true) {
1003 this->cfAdd_s(inst, expr, dst, op1, op2);
1004 this->nf_s(inst, expr, dst);
1005 this->vfAdd_s(inst, expr, dst, op1, op2);
1006 this->zf_s(inst, expr, dst);
1007 }
1008
1009 /* Update the symbolic control flow */
1010 this->controlFlow_s(inst);
1011 }
1012
1013
1014 void AArch64Semantics::add_s(triton::arch::Instruction& inst) {
1015 auto& dst = inst.operands[0];
1016 auto& src1 = inst.operands[1];
1017 auto& src2 = inst.operands[2];
1018
1019 /* Create symbolic operands */
1020 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1021 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1022
1023 /* Create the semantics */
1024 auto node = this->astCtxt->bvadd(op1, op2);
1025
1026 /* Create symbolic expression */
1027 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ADD(S) operation");
1028
1029 /* Spread taint */
1030 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1031
1032 /* Update symbolic flags */
1033 if (inst.isUpdateFlag() == true) {
1034 this->cfAdd_s(inst, expr, dst, op1, op2);
1035 this->nf_s(inst, expr, dst);
1036 this->vfAdd_s(inst, expr, dst, op1, op2);
1037 this->zf_s(inst, expr, dst);
1038 }
1039
1040 /* Update the symbolic control flow */
1041 this->controlFlow_s(inst);
1042 }
1043
1044
1045 void AArch64Semantics::adr_s(triton::arch::Instruction& inst) {
1046 auto& dst = inst.operands[0];
1047 auto& src = inst.operands[1];
1048 auto pc = triton::arch::OperandWrapper(this->architecture->getParentRegister(ID_REG_AARCH64_PC));
1049
1050 /*
1051 * Note: Capstone already encodes the result into the source operand. We don't have
1052 * to compute the add operation but do we lose the symbolic?
1053 */
1054 /* Create symbolic semantics */
1055 auto node = this->symbolicEngine->getOperandAst(inst, src);
1056
1057 /* Create symbolic expression */
1058 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ADR operation");
1059
1060 /* Spread taint */
1061 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src) | this->taintEngine->isTainted(pc));
1062
1063 /* Update the symbolic control flow */
1064 this->controlFlow_s(inst);
1065 }
1066
1067
1068 void AArch64Semantics::adrp_s(triton::arch::Instruction& inst) {
1069 auto& dst = inst.operands[0];
1070 auto& src = inst.operands[1];
1071 auto pc = triton::arch::OperandWrapper(this->architecture->getParentRegister(ID_REG_AARCH64_PC));
1072
1073 /*
1074 * Note: Capstone already encodes the result into the source operand. We don't have
1075 * to compute the add operation but do we lose the symbolic?
1076 */
1077 /* Create symbolic semantics */
1078 auto node = this->symbolicEngine->getOperandAst(inst, src);
1079
1080 /* Create symbolic expression */
1081 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ADRP operation");
1082
1083 /* Spread taint */
1084 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src) | this->taintEngine->isTainted(pc));
1085
1086 /* Update the symbolic control flow */
1087 this->controlFlow_s(inst);
1088 }
1089
1090
1091 void AArch64Semantics::and_s(triton::arch::Instruction& inst) {
1092 auto& dst = inst.operands[0];
1093 auto& src1 = inst.operands[1];
1094 auto& src2 = inst.operands[2];
1095
1096 /* Create symbolic operands */
1097 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1098 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1099
1100 /* Create the semantics */
1101 auto node = this->astCtxt->bvand(op1, op2);
1102
1103 /* Special case for vector registers */
1104 if (dst.getConstRegister().getVASSize() == triton::size::qword) {
1105 node = this->astCtxt->extract(63, 0, node);
1106 }
1107
1108 /* Create symbolic expression */
1109 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "AND(S) operation");
1110
1111 /* Spread taint */
1112 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1113
1114 /* Update symbolic flags */
1115 if (inst.isUpdateFlag() == true) {
1116 this->clearFlag_s(inst, this->architecture->getRegister(ID_REG_AARCH64_C), "Clears carry flag");
1117 this->nf_s(inst, expr, dst);
1118 this->clearFlag_s(inst, this->architecture->getRegister(ID_REG_AARCH64_V), "Clears overflow flag");
1119 this->zf_s(inst, expr, dst);
1120 }
1121
1122 /* Update the symbolic control flow */
1123 this->controlFlow_s(inst);
1124 }
1125
1126
1127 void AArch64Semantics::asr_s(triton::arch::Instruction& inst) {
1128 auto& dst = inst.operands[0];
1129 auto& src1 = inst.operands[1];
1130 auto& src2 = inst.operands[2];
1131 auto size = src2.getBitSize();
1132
1133 /* Create symbolic operands */
1134 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1135 auto op2 = this->astCtxt->bvand(
1136 this->symbolicEngine->getOperandAst(inst, src2),
1137 this->astCtxt->bv(size - 1, size)
1138 );
1139
1140 /* Create the semantics */
1141 auto node = this->astCtxt->bvashr(op1, op2);
1142
1143 /* Create symbolic expression */
1144 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ASR operation");
1145
1146 /* Spread taint */
1147 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1148
1149 /* Update the symbolic control flow */
1150 this->controlFlow_s(inst);
1151 }
1152
1153
1154 void AArch64Semantics::b_s(triton::arch::Instruction& inst) {
1155 auto dst = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
1156 auto& src = inst.operands[0];
1157
1158 /* Create symbolic operands */
1159 auto op1 = this->symbolicEngine->getOperandAst(inst, src);
1160 auto op2 = this->astCtxt->bv(inst.getNextAddress(), dst.getBitSize());
1161
1162 /* Create the semantics */
1163 auto node = this->getCodeConditionAst(inst, op1, op2);
1164
1165 /* Create symbolic expression */
1166 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "B operation - Program Counter");
1167
1168 /* Spread taint */
1169 expr->isTainted = this->taintEngine->setTaint(dst, this->getCodeConditionTainteSate(inst));
1170
1171 /* Set condition flag */
1172 if (node->getType() == triton::ast::ITE_NODE) {
1173 if (!(node->getChildren()[0]->evaluate().is_zero())) {
1174 inst.setConditionTaken(true);
1175 }
1176 }
1177
1178 /* Create the path constraint */
1179 this->symbolicEngine->pushPathConstraint(inst, expr);
1180 }
1181
1182
1183 void AArch64Semantics::bfi_s(triton::arch::Instruction& inst) {
1184 auto& dst = inst.operands[0]; // Reg
1185 auto& src1 = inst.operands[1]; // Reg
1186 auto& src2 = inst.operands[2]; // Imm (Lsb)
1187 auto& src3 = inst.operands[3]; // Imm (Width)
1188 auto lsb = static_cast<uint32>(src2.getImmediate().getValue());
1189 auto width = static_cast<uint32>(src3.getImmediate().getValue());
1190
1191 if (lsb + width > dst.getBitSize())
1192 throw triton::exceptions::Semantics("AArch64Semantics::bfi_s(): Invalid lsb and width.");
1193
1194 /* Create symbolic operands */
1195 auto op = this->symbolicEngine->getOperandAst(inst, src1);
1196 auto opDst = this->symbolicEngine->getOperandAst(inst, dst);
1197
1198 /* Create the semantics */
1199 std::vector<triton::ast::SharedAbstractNode> chunks;
1200 chunks.reserve(3);
1201
1202 if (lsb + width < dst.getBitSize()) {
1203 chunks.push_back(this->astCtxt->extract(dst.getBitSize() - 1, lsb + width, /* src */ opDst));
1204 }
1205 chunks.push_back(this->astCtxt->extract(width - 1, 0, /* src */ op));
1206 chunks.push_back(this->astCtxt->extract(lsb - 1, 0, /* dst */ opDst));
1207
1208 auto node = this->astCtxt->concat(chunks);
1209
1210 /* Create symbolic expression */
1211 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "BFI operation");
1212
1213 /* Spread taint */
1214 expr->isTainted = this->taintEngine->taintUnion(dst, src1);
1215
1216 /* Update the symbolic control flow */
1217 this->controlFlow_s(inst);
1218 }
1219
1220
1221 void AArch64Semantics::bfxil_s(triton::arch::Instruction& inst) {
1222 auto& dst = inst.operands[0]; // Reg
1223 auto& src1 = inst.operands[1]; // Reg
1224 auto& src2 = inst.operands[2]; // Imm (Lsb)
1225 auto& src3 = inst.operands[3]; // Imm (Width)
1226 auto lsb = static_cast<uint32>(src2.getImmediate().getValue());
1227 auto width = static_cast<uint32>(src3.getImmediate().getValue());
1228
1229 if (lsb + width > dst.getBitSize())
1230 throw triton::exceptions::Semantics("AArch64Semantics::bfxil_s(): Invalid lsb and width.");
1231
1232 /* Create symbolic operands */
1233 auto opSrc = this->symbolicEngine->getOperandAst(inst, src1);
1234 auto opDst = this->symbolicEngine->getOperandAst(inst, dst);
1235
1236 auto node = this->astCtxt->concat(
1237 this->astCtxt->extract(dst.getBitSize() - 1, width, opDst),
1238 this->astCtxt->extract(lsb + width - 1, lsb, opSrc)
1239 );
1240
1241 /* Create symbolic expression */
1242 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "BFXIL operation");
1243
1244 /* Spread taint */
1245 expr->isTainted = this->taintEngine->taintUnion(dst, src1);
1246
1247 /* Update the symbolic control flow */
1248 this->controlFlow_s(inst);
1249 }
1250
1251
1252 void AArch64Semantics::bic_s(triton::arch::Instruction& inst) {
1253 auto& dst = inst.operands[0]; // Reg
1254 auto& src1 = inst.operands[1]; // Reg
1255 auto& src2 = inst.operands[2]; // Reg + [Shift]
1256
1257 /* Create symbolic operands */
1258 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1259 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1260
1261 /* Create the semantics */
1262 auto node = this->astCtxt->bvand(op1, this->astCtxt->bvnot(op2));
1263
1264 /* Create symbolic expression */
1265 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "BIC(S) operation");
1266
1267 /* Spread taint */
1268 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1269
1270 /* Update symbolic flags */
1271 if (inst.isUpdateFlag() == true) {
1272 this->clearFlag_s(inst, this->architecture->getRegister(ID_REG_AARCH64_C), "Clears carry flag");
1273 this->nf_s(inst, expr, src1);
1274 this->clearFlag_s(inst, this->architecture->getRegister(ID_REG_AARCH64_V), "Clears overflow flag");
1275 this->zf_s(inst, expr, src1);
1276 }
1277
1278 /* Update the symbolic control flow */
1279 this->controlFlow_s(inst);
1280 }
1281
1282
1283
1284 void AArch64Semantics::bl_s(triton::arch::Instruction& inst) {
1285 auto dst1 = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_X30));
1286 auto dst2 = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
1287 auto& src = inst.operands[0];
1288
1289 /* Create the semantics */
1290 auto node1 = this->astCtxt->bv(inst.getNextAddress(), dst1.getBitSize());
1291 auto node2 = this->symbolicEngine->getOperandAst(inst, src);
1292
1293 /* Create symbolic expression */
1294 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "BL operation - Link Register");
1295 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "BL operation - Program Counter");
1296
1297 /* Spread taint */
1298 expr1->isTainted = this->taintEngine->taintAssignment(dst1, src);
1299 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
1300
1301 /* Set condition flag */
1302 inst.setConditionTaken(true);
1303
1304 /* Create the path constraint */
1305 this->symbolicEngine->pushPathConstraint(inst, expr2);
1306 }
1307
1308
1309 void AArch64Semantics::blr_s(triton::arch::Instruction& inst) {
1310 auto dst1 = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_X30));
1311 auto dst2 = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
1312 auto& src = inst.operands[0];
1313
1314 /* Create the semantics */
1315 auto node1 = this->astCtxt->bv(inst.getNextAddress(), dst1.getBitSize());
1316 auto node2 = this->symbolicEngine->getOperandAst(inst, src);
1317
1318 /* Create symbolic expression */
1319 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "BLR operation - Link Register");
1320 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "BLR operation - Program Counter");
1321
1322 /* Spread taint */
1323 expr1->isTainted = this->taintEngine->taintAssignment(dst1, src);
1324 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
1325
1326 /* Set condition flag */
1327 inst.setConditionTaken(true);
1328
1329 /* Create the path constraint */
1330 this->symbolicEngine->pushPathConstraint(inst, expr2);
1331 }
1332
1333
1334 void AArch64Semantics::br_s(triton::arch::Instruction& inst) {
1335 auto dst = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
1336 auto& src = inst.operands[0];
1337
1338 /* Create the semantics */
1339 auto node = this->symbolicEngine->getOperandAst(inst, src);
1340
1341 /* Create symbolic expression */
1342 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "BR operation - Program Counter");
1343
1344 /* Spread taint */
1345 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
1346
1347 /* Set condition flag */
1348 inst.setConditionTaken(true);
1349
1350 /* Create the path constraint */
1351 this->symbolicEngine->pushPathConstraint(inst, expr);
1352 }
1353
1354
1355 void AArch64Semantics::brk_s(triton::arch::Instruction& inst) {
1356 /* Set the exception */
1357 this->exception = triton::arch::FAULT_BP;
1358
1359 /* Update the symbolic control flow */
1360 this->controlFlow_s(inst);
1361 }
1362
1363
1364 void AArch64Semantics::cbnz_s(triton::arch::Instruction& inst) {
1365 auto dst = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
1366 auto& src1 = inst.operands[0];
1367 auto& src2 = inst.operands[1];
1368
1369 /* Create symbolic operands */
1370 auto op1 = this->astCtxt->zx(dst.getBitSize() - src1.getBitSize(), this->symbolicEngine->getOperandAst(inst, src1));
1371 auto op2 = this->astCtxt->zx(dst.getBitSize() - src2.getBitSize(), this->symbolicEngine->getOperandAst(inst, src2));
1372
1373 /* Create the semantics */
1374 auto node = this->astCtxt->ite(
1375 this->astCtxt->lnot(this->astCtxt->equal(op1, this->astCtxt->bv(0, op1->getBitvectorSize()))),
1376 op2,
1377 this->astCtxt->bv(inst.getNextAddress(), dst.getBitSize())
1378 );
1379
1380 /* Create symbolic expression */
1381 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CBNZ operation - Program Counter");
1382
1383 /* Spread taint */
1384 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1385
1386 /* Set condition flag */
1387 if (op1->evaluate() != 0)
1388 inst.setConditionTaken(true);
1389
1390 /* Create the path constraint */
1391 this->symbolicEngine->pushPathConstraint(inst, expr);
1392 }
1393
1394
1395 void AArch64Semantics::cbz_s(triton::arch::Instruction& inst) {
1396 auto dst = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
1397 auto& src1 = inst.operands[0];
1398 auto& src2 = inst.operands[1];
1399
1400 /* Create symbolic operands */
1401 auto op1 = this->astCtxt->zx(dst.getBitSize() - src1.getBitSize(), this->symbolicEngine->getOperandAst(inst, src1));
1402 auto op2 = this->astCtxt->zx(dst.getBitSize() - src2.getBitSize(), this->symbolicEngine->getOperandAst(inst, src2));
1403
1404 /* Create the semantics */
1405 auto node = this->astCtxt->ite(
1406 this->astCtxt->equal(op1, this->astCtxt->bv(0, op1->getBitvectorSize())),
1407 op2,
1408 this->astCtxt->bv(inst.getNextAddress(), dst.getBitSize())
1409 );
1410
1411 /* Create symbolic expression */
1412 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CBZ operation - Program Counter");
1413
1414 /* Spread taint */
1415 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1416
1417 /* Set condition flag */
1418 if (op1->evaluate() == 0)
1419 inst.setConditionTaken(true);
1420
1421 /* Create the path constraint */
1422 this->symbolicEngine->pushPathConstraint(inst, expr);
1423 }
1424
1425
1426 void AArch64Semantics::ccmp_s(triton::arch::Instruction& inst) {
1427 auto& src1 = inst.operands[0];
1428 auto& src2 = inst.operands[1];
1429 auto& src3 = inst.operands[2];
1430
1431 /* Create symbolic operands */
1432 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1433 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1434 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
1435
1436 /* Create the semantics */
1437 auto node = this->astCtxt->bvsub(op1, op2);
1438
1439 /* Create symbolic expression */
1440 auto expr = this->symbolicEngine->createSymbolicVolatileExpression(inst, node, "CCMP temporary operation");
1441
1442 /* Spread taint */
1443 expr->isTainted = this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2);
1444
1445 /* Update symbolic flags */
1446 this->cfCcmp_s(inst, expr, src1, op1, op2, op3);
1447 this->nfCcmp_s(inst, expr, src1, op3);
1448 this->vfCcmp_s(inst, expr, src1, op1, op2, op3);
1449 this->zfCcmp_s(inst, expr, src1, op3);
1450
1451 /* Update the symbolic control flow */
1452 this->controlFlow_s(inst);
1453 }
1454
1455
1456 void AArch64Semantics::cinc_s(triton::arch::Instruction& inst) {
1457 auto& dst = inst.operands[0];
1458 auto& src = inst.operands[1];
1459
1460 /* Create symbolic operands */
1461 auto op1 = this->symbolicEngine->getOperandAst(inst, src);
1462 auto op2 = this->astCtxt->bvadd(op1, this->astCtxt->bv(1, src.getBitSize()));
1463
1464 /* Create the semantics */
1465 auto node = this->getCodeConditionAst(inst, op2, op1);
1466
1467 /* Create symbolic expression */
1468 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CINC operation");
1469
1470 /* Spread taint */
1471 expr->isTainted = this->taintEngine->setTaint(dst, this->getCodeConditionTainteSate(inst));
1472
1473 /* Update the symbolic control flow */
1474 this->controlFlow_s(inst);
1475 }
1476
1477
1478 void AArch64Semantics::clz_s(triton::arch::Instruction& inst) {
1479 auto& dst = inst.operands[0];
1480 auto& src = inst.operands[1];
1481 auto bvSize = dst.getBitSize();
1482
1483 /* Create symbolic operands */
1484 auto op = this->symbolicEngine->getOperandAst(inst, src);
1485
1486 /* Create the semantics */
1487 triton::ast::SharedAbstractNode node = nullptr;
1488 switch (src.getSize()) {
1489 case triton::size::dword:
1490 node = this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(31, 31, op), this->astCtxt->bvtrue()), this->astCtxt->bv(0, bvSize),
1491 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(30, 30, op), this->astCtxt->bvtrue()), this->astCtxt->bv(1, bvSize),
1492 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(29, 29, op), this->astCtxt->bvtrue()), this->astCtxt->bv(2, bvSize),
1493 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(28, 28, op), this->astCtxt->bvtrue()), this->astCtxt->bv(3, bvSize),
1494 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(27, 27, op), this->astCtxt->bvtrue()), this->astCtxt->bv(4, bvSize),
1495 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(26, 26, op), this->astCtxt->bvtrue()), this->astCtxt->bv(5, bvSize),
1496 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(25, 25, op), this->astCtxt->bvtrue()), this->astCtxt->bv(6, bvSize),
1497 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(24, 24, op), this->astCtxt->bvtrue()), this->astCtxt->bv(7, bvSize),
1498 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(23, 23, op), this->astCtxt->bvtrue()), this->astCtxt->bv(8, bvSize),
1499 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(22, 22, op), this->astCtxt->bvtrue()), this->astCtxt->bv(9, bvSize),
1500 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(21, 21, op), this->astCtxt->bvtrue()), this->astCtxt->bv(10, bvSize),
1501 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(20, 20, op), this->astCtxt->bvtrue()), this->astCtxt->bv(11, bvSize),
1502 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(19, 19, op), this->astCtxt->bvtrue()), this->astCtxt->bv(12, bvSize),
1503 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(18, 18, op), this->astCtxt->bvtrue()), this->astCtxt->bv(13, bvSize),
1504 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(17, 17, op), this->astCtxt->bvtrue()), this->astCtxt->bv(14, bvSize),
1505 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(16, 16, op), this->astCtxt->bvtrue()), this->astCtxt->bv(15, bvSize),
1506 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(15, 15, op), this->astCtxt->bvtrue()), this->astCtxt->bv(16, bvSize),
1507 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(14, 14, op), this->astCtxt->bvtrue()), this->astCtxt->bv(17, bvSize),
1508 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(13, 13, op), this->astCtxt->bvtrue()), this->astCtxt->bv(18, bvSize),
1509 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(12, 12, op), this->astCtxt->bvtrue()), this->astCtxt->bv(19, bvSize),
1510 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(11, 11, op), this->astCtxt->bvtrue()), this->astCtxt->bv(20, bvSize),
1511 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(10, 10, op), this->astCtxt->bvtrue()), this->astCtxt->bv(21, bvSize),
1512 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(9, 9, op), this->astCtxt->bvtrue()), this->astCtxt->bv(22, bvSize),
1513 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(8, 8, op), this->astCtxt->bvtrue()), this->astCtxt->bv(23, bvSize),
1514 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(7, 7, op), this->astCtxt->bvtrue()), this->astCtxt->bv(24, bvSize),
1515 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(6, 6, op), this->astCtxt->bvtrue()), this->astCtxt->bv(25, bvSize),
1516 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(5, 5, op), this->astCtxt->bvtrue()), this->astCtxt->bv(26, bvSize),
1517 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(4, 4, op), this->astCtxt->bvtrue()), this->astCtxt->bv(27, bvSize),
1518 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(3, 3, op), this->astCtxt->bvtrue()), this->astCtxt->bv(28, bvSize),
1519 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(2, 2, op), this->astCtxt->bvtrue()), this->astCtxt->bv(29, bvSize),
1520 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(1, 1, op), this->astCtxt->bvtrue()), this->astCtxt->bv(30, bvSize),
1521 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(0, 0, op), this->astCtxt->bvtrue()), this->astCtxt->bv(31, bvSize),
1522 this->astCtxt->bv(32, bvSize)
1523 ))))))))))))))))))))))))))))))));
1524 break;
1525
1526 case triton::size::qword:
1527 node = this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(63, 63, op), this->astCtxt->bvtrue()), this->astCtxt->bv(0, bvSize),
1528 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(62, 62, op), this->astCtxt->bvtrue()), this->astCtxt->bv(1, bvSize),
1529 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(61, 61, op), this->astCtxt->bvtrue()), this->astCtxt->bv(2, bvSize),
1530 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(60, 60, op), this->astCtxt->bvtrue()), this->astCtxt->bv(3, bvSize),
1531 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(59, 59, op), this->astCtxt->bvtrue()), this->astCtxt->bv(4, bvSize),
1532 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(58, 58, op), this->astCtxt->bvtrue()), this->astCtxt->bv(5, bvSize),
1533 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(57, 57, op), this->astCtxt->bvtrue()), this->astCtxt->bv(6, bvSize),
1534 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(56, 56, op), this->astCtxt->bvtrue()), this->astCtxt->bv(7, bvSize),
1535 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(55, 55, op), this->astCtxt->bvtrue()), this->astCtxt->bv(8, bvSize),
1536 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(54, 54, op), this->astCtxt->bvtrue()), this->astCtxt->bv(9, bvSize),
1537 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(53, 53, op), this->astCtxt->bvtrue()), this->astCtxt->bv(10, bvSize),
1538 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(52, 52, op), this->astCtxt->bvtrue()), this->astCtxt->bv(11, bvSize),
1539 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(51, 51, op), this->astCtxt->bvtrue()), this->astCtxt->bv(12, bvSize),
1540 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(50, 50, op), this->astCtxt->bvtrue()), this->astCtxt->bv(13, bvSize),
1541 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(49, 49, op), this->astCtxt->bvtrue()), this->astCtxt->bv(14, bvSize),
1542 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(48, 48, op), this->astCtxt->bvtrue()), this->astCtxt->bv(15, bvSize),
1543 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(47, 47, op), this->astCtxt->bvtrue()), this->astCtxt->bv(16, bvSize),
1544 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(46, 46, op), this->astCtxt->bvtrue()), this->astCtxt->bv(17, bvSize),
1545 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(45, 45, op), this->astCtxt->bvtrue()), this->astCtxt->bv(18, bvSize),
1546 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(44, 44, op), this->astCtxt->bvtrue()), this->astCtxt->bv(19, bvSize),
1547 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(43, 43, op), this->astCtxt->bvtrue()), this->astCtxt->bv(20, bvSize),
1548 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(42, 42, op), this->astCtxt->bvtrue()), this->astCtxt->bv(21, bvSize),
1549 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(41, 41, op), this->astCtxt->bvtrue()), this->astCtxt->bv(22, bvSize),
1550 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(40, 40, op), this->astCtxt->bvtrue()), this->astCtxt->bv(23, bvSize),
1551 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(39, 39, op), this->astCtxt->bvtrue()), this->astCtxt->bv(24, bvSize),
1552 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(38, 38, op), this->astCtxt->bvtrue()), this->astCtxt->bv(25, bvSize),
1553 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(37, 37, op), this->astCtxt->bvtrue()), this->astCtxt->bv(26, bvSize),
1554 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(36, 36, op), this->astCtxt->bvtrue()), this->astCtxt->bv(27, bvSize),
1555 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(35, 35, op), this->astCtxt->bvtrue()), this->astCtxt->bv(28, bvSize),
1556 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(34, 34, op), this->astCtxt->bvtrue()), this->astCtxt->bv(29, bvSize),
1557 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(33, 33, op), this->astCtxt->bvtrue()), this->astCtxt->bv(30, bvSize),
1558 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(32, 32, op), this->astCtxt->bvtrue()), this->astCtxt->bv(31, bvSize),
1559 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(31, 31, op), this->astCtxt->bvtrue()), this->astCtxt->bv(32, bvSize),
1560 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(30, 30, op), this->astCtxt->bvtrue()), this->astCtxt->bv(33, bvSize),
1561 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(29, 29, op), this->astCtxt->bvtrue()), this->astCtxt->bv(34, bvSize),
1562 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(28, 28, op), this->astCtxt->bvtrue()), this->astCtxt->bv(35, bvSize),
1563 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(27, 27, op), this->astCtxt->bvtrue()), this->astCtxt->bv(36, bvSize),
1564 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(26, 26, op), this->astCtxt->bvtrue()), this->astCtxt->bv(37, bvSize),
1565 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(25, 25, op), this->astCtxt->bvtrue()), this->astCtxt->bv(38, bvSize),
1566 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(24, 24, op), this->astCtxt->bvtrue()), this->astCtxt->bv(39, bvSize),
1567 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(23, 23, op), this->astCtxt->bvtrue()), this->astCtxt->bv(40, bvSize),
1568 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(22, 22, op), this->astCtxt->bvtrue()), this->astCtxt->bv(41, bvSize),
1569 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(21, 21, op), this->astCtxt->bvtrue()), this->astCtxt->bv(42, bvSize),
1570 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(20, 20, op), this->astCtxt->bvtrue()), this->astCtxt->bv(43, bvSize),
1571 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(19, 19, op), this->astCtxt->bvtrue()), this->astCtxt->bv(44, bvSize),
1572 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(18, 18, op), this->astCtxt->bvtrue()), this->astCtxt->bv(45, bvSize),
1573 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(17, 17, op), this->astCtxt->bvtrue()), this->astCtxt->bv(46, bvSize),
1574 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(16, 16, op), this->astCtxt->bvtrue()), this->astCtxt->bv(47, bvSize),
1575 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(15, 15, op), this->astCtxt->bvtrue()), this->astCtxt->bv(48, bvSize),
1576 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(14, 14, op), this->astCtxt->bvtrue()), this->astCtxt->bv(49, bvSize),
1577 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(13, 13, op), this->astCtxt->bvtrue()), this->astCtxt->bv(50, bvSize),
1578 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(12, 12, op), this->astCtxt->bvtrue()), this->astCtxt->bv(51, bvSize),
1579 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(11, 11, op), this->astCtxt->bvtrue()), this->astCtxt->bv(52, bvSize),
1580 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(10, 10, op), this->astCtxt->bvtrue()), this->astCtxt->bv(53, bvSize),
1581 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(9, 9, op), this->astCtxt->bvtrue()), this->astCtxt->bv(54, bvSize),
1582 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(8, 8, op), this->astCtxt->bvtrue()), this->astCtxt->bv(55, bvSize),
1583 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(7, 7, op), this->astCtxt->bvtrue()), this->astCtxt->bv(56, bvSize),
1584 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(6, 6, op), this->astCtxt->bvtrue()), this->astCtxt->bv(57, bvSize),
1585 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(5, 5, op), this->astCtxt->bvtrue()), this->astCtxt->bv(58, bvSize),
1586 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(4, 4, op), this->astCtxt->bvtrue()), this->astCtxt->bv(59, bvSize),
1587 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(3, 3, op), this->astCtxt->bvtrue()), this->astCtxt->bv(60, bvSize),
1588 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(2, 2, op), this->astCtxt->bvtrue()), this->astCtxt->bv(61, bvSize),
1589 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(1, 1, op), this->astCtxt->bvtrue()), this->astCtxt->bv(62, bvSize),
1590 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(0, 0, op), this->astCtxt->bvtrue()), this->astCtxt->bv(63, bvSize),
1591 this->astCtxt->bv(64, bvSize)
1592 ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
1593 break;
1594
1595 default:
1596 throw triton::exceptions::Semantics("AArch64Semantics::clz_s(): Invalid operand size.");
1597 }
1598
1599 /* Create symbolic expression */
1600 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CLZ operation");
1601
1602 /* Spread taint */
1603 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
1604
1605 /* Update the symbolic control flow */
1606 this->controlFlow_s(inst);
1607 }
1608
1609
1610 void AArch64Semantics::cmn_s(triton::arch::Instruction& inst) {
1611 auto& src1 = inst.operands[0];
1612 auto& src2 = inst.operands[1];
1613
1614 /* Create symbolic operands */
1615 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1616 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1617
1618 /* Create the semantics */
1619 auto node = this->astCtxt->bvadd(op1, op2);
1620
1621 /* Create symbolic expression */
1622 auto expr = this->symbolicEngine->createSymbolicVolatileExpression(inst, node, "CMN operation");
1623
1624 /* Spread taint */
1625 expr->isTainted = this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2);
1626
1627 /* Update symbolic flags */
1628 this->cfAdd_s(inst, expr, src1, op1, op2);
1629 this->nf_s(inst, expr, src1);
1630 this->vfAdd_s(inst, expr, src1, op1, op2);
1631 this->zf_s(inst, expr, src1);
1632
1633 /* Update the symbolic control flow */
1634 this->controlFlow_s(inst);
1635 }
1636
1637
1638 void AArch64Semantics::cmp_s(triton::arch::Instruction& inst) {
1639 auto& src1 = inst.operands[0];
1640 auto& src2 = inst.operands[1];
1641
1642 /* Create symbolic operands */
1643 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1644 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1645
1646 /* Create the semantics */
1647 auto node = this->astCtxt->bvsub(op1, op2);
1648
1649 /* Create symbolic expression */
1650 auto expr = this->symbolicEngine->createSymbolicVolatileExpression(inst, node, "CMP operation");
1651
1652 /* Spread taint */
1653 expr->isTainted = this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2);
1654
1655 /* Update symbolic flags */
1656 this->cfSub_s(inst, expr, src1, op1, op2);
1657 this->nf_s(inst, expr, src1);
1658 this->vfSub_s(inst, expr, src1, op1, op2);
1659 this->zf_s(inst, expr, src1);
1660
1661 /* Update the symbolic control flow */
1662 this->controlFlow_s(inst);
1663 }
1664
1665
1666 void AArch64Semantics::cneg_s(triton::arch::Instruction& inst) {
1667 auto& dst = inst.operands[0];
1668 auto& src = inst.operands[1];
1669
1670 /* Create symbolic operands */
1671 auto op1 = this->astCtxt->bvneg(this->symbolicEngine->getOperandAst(inst, src));
1672 auto op2 = this->symbolicEngine->getOperandAst(inst, src);
1673
1674 /* Create the semantics */
1675 auto node = this->getCodeConditionAst(inst, op1, op2);
1676
1677 /* Create symbolic expression */
1678 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CNEG operation");
1679
1680 /* Spread taint */
1681 expr->isTainted = this->taintEngine->taintUnion(dst, src);
1682
1683 /* Update the symbolic control flow */
1684 this->controlFlow_s(inst);
1685 }
1686
1687
1688 void AArch64Semantics::csel_s(triton::arch::Instruction& inst) {
1689 auto& dst = inst.operands[0];
1690 auto& src1 = inst.operands[1];
1691 auto& src2 = inst.operands[2];
1692
1693 /* Create symbolic operands */
1694 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1695 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1696
1697 /* Create the semantics */
1698 auto node = this->getCodeConditionAst(inst, op1, op2);
1699
1700 /* Create symbolic expression */
1701 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CSEL operation");
1702
1703 /* Spread taint */
1704 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1705
1706 /* Update the symbolic control flow */
1707 this->controlFlow_s(inst);
1708 }
1709
1710
1711 void AArch64Semantics::cset_s(triton::arch::Instruction& inst) {
1712 auto& dst = inst.operands[0];
1713
1714 /* Create symbolic operands */
1715 auto op1 = this->astCtxt->bv(1, dst.getBitSize());
1716 auto op2 = this->astCtxt->bv(0, dst.getBitSize());
1717
1718 /* Create the semantics */
1719 auto node = this->getCodeConditionAst(inst, op1, op2);
1720
1721 /* Create symbolic expression */
1722 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CSET operation");
1723
1724 /* Spread taint */
1725 expr->isTainted = this->taintEngine->setTaint(dst, this->getCodeConditionTainteSate(inst));
1726
1727 /* Update the symbolic control flow */
1728 this->controlFlow_s(inst);
1729 }
1730
1731
1732 void AArch64Semantics::csinc_s(triton::arch::Instruction& inst) {
1733 auto& dst = inst.operands[0];
1734 auto& src1 = inst.operands[1];
1735 auto& src2 = inst.operands[2];
1736
1737 /* Create symbolic operands */
1738 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1739 auto op2 = this->astCtxt->bvadd(
1740 this->symbolicEngine->getOperandAst(inst, src2),
1741 this->astCtxt->bv(1, src2.getBitSize())
1742 );
1743
1744 /* Create the semantics */
1745 auto node = this->getCodeConditionAst(inst, op1, op2);
1746
1747 /* Create symbolic expression */
1748 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CSINC operation");
1749
1750 /* Spread taint */
1751 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1752
1753 /* Update the symbolic control flow */
1754 this->controlFlow_s(inst);
1755 }
1756
1757
1758 void AArch64Semantics::csneg_s(triton::arch::Instruction& inst) {
1759 auto& dst = inst.operands[0];
1760 auto& src1 = inst.operands[1];
1761 auto& src2 = inst.operands[2];
1762
1763 /* Create symbolic operands */
1764 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1765 auto op2 = this->astCtxt->bvneg(this->symbolicEngine->getOperandAst(inst, src2));
1766
1767 /* Create the semantics */
1768 auto node = this->getCodeConditionAst(inst, op1, op2);
1769
1770 /* Create symbolic expression */
1771 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CSNEG operation");
1772
1773 /* Spread taint */
1774 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1775
1776 /* Update the symbolic control flow */
1777 this->controlFlow_s(inst);
1778 }
1779
1780
1781 void AArch64Semantics::eon_s(triton::arch::Instruction& inst) {
1782 auto& dst = inst.operands[0];
1783 auto& src1 = inst.operands[1];
1784 auto& src2 = inst.operands[2];
1785
1786 /* Create symbolic operands */
1787 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1788 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1789
1790 /* Create the semantics */
1791 auto node = this->astCtxt->bvxnor(op1, op2);
1792
1793 /* Create symbolic expression */
1794 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "EON operation");
1795
1796 /* Spread taint */
1797 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1798
1799 /* Update the symbolic control flow */
1800 this->controlFlow_s(inst);
1801 }
1802
1803
1804 void AArch64Semantics::eor_s(triton::arch::Instruction& inst) {
1805 auto& dst = inst.operands[0];
1806 auto& src1 = inst.operands[1];
1807 auto& src2 = inst.operands[2];
1808
1809 /* Create symbolic operands */
1810 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1811 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1812
1813 /* Create the semantics */
1814 auto node = this->astCtxt->bvxor(op1, op2);
1815
1816 /* Special case for vector registers */
1817 if (dst.getConstRegister().getVASSize() == triton::size::qword) {
1818 node = this->astCtxt->extract(63, 0, node);
1819 }
1820
1821 /* Create symbolic expression */
1822 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "EOR operation");
1823
1824 /* Spread taint */
1825 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1826
1827 /* Update the symbolic control flow */
1828 this->controlFlow_s(inst);
1829 }
1830
1831
1832 void AArch64Semantics::extr_s(triton::arch::Instruction& inst) {
1833 auto& dst = inst.operands[0];
1834 auto& src1 = inst.operands[1];
1835 auto& src2 = inst.operands[2];
1836 auto& src3 = inst.operands[3];
1837 auto lsb = static_cast<uint32>(src3.getImmediate().getValue());
1838
1839 /* Create symbolic operands */
1840 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1841 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1842
1843 /* Create the semantics */
1844 auto node = this->astCtxt->extract(lsb + dst.getBitSize() - 1, lsb, this->astCtxt->concat(op1, op2));
1845
1846 /* Create symbolic expression */
1847 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "EXTR operation");
1848
1849 /* Spread taint */
1850 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(src3));
1851
1852 /* Update the symbolic control flow */
1853 this->controlFlow_s(inst);
1854 }
1855
1856
1857 void AArch64Semantics::ld3_s(triton::arch::Instruction& inst) {
1858 std::list<triton::ast::SharedAbstractNode> vec0;
1859 std::list<triton::ast::SharedAbstractNode> vec1;
1860 std::list<triton::ast::SharedAbstractNode> vec2;
1861
1862 triton::arch::OperandWrapper& vt0 = inst.operands[0]; /* vas register */
1863 triton::arch::OperandWrapper& vt1 = inst.operands[1]; /* vas register */
1864 triton::arch::OperandWrapper& vt2 = inst.operands[2]; /* vas register */
1865 triton::arch::OperandWrapper& src = inst.operands[3]; /* memory */
1866
1867 bool vt0_t = false; /* taint state of vt0 */
1868 bool vt1_t = false; /* taint state of vt1 */
1869 bool vt2_t = false; /* taint state of vt2 */
1870
1871 /*
1872 * Is the post-index immediate offset, encoded in Q:
1873 * 0 #24
1874 * 1 #48
1875 */
1876 triton::uint32 postIndex = 0;
1877
1878 auto mem = src.getConstMemory();
1879 auto vas_e = vt0.getConstRegister().getVASType();
1880
1881 switch (vas_e) {
1882 /* LD3 multiple structure */
1883 case triton::arch::arm::ID_VAS_16B: {
1884 for (triton::uint32 i = 0; i != 16; i++) {
1885 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 0, triton::size::byte);
1886 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 1, triton::size::byte);
1887 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 2, triton::size::byte);
1888
1889 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
1890 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
1891 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
1892
1893 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
1894 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
1895 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
1896 }
1897 postIndex = 48;
1898 break;
1899 }
1900
1901 /* LD3 multiple structure */
1902 case triton::arch::arm::ID_VAS_8B: {
1903 for (triton::uint32 i = 0; i != 8; i++) {
1904 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 0, triton::size::byte);
1905 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 1, triton::size::byte);
1906 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 2, triton::size::byte);
1907
1908 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
1909 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
1910 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
1911
1912 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
1913 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
1914 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
1915 }
1916 postIndex = 24;
1917 break;
1918 }
1919
1920 /* LD3 multiple structure */
1921 case triton::arch::arm::ID_VAS_8H: {
1922 for (triton::uint32 i = 0; i != 16; i += 2) {
1923 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 0, triton::size::word);
1924 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 2, triton::size::word);
1925 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 4, triton::size::word);
1926
1927 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
1928 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
1929 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
1930
1931 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
1932 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
1933 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
1934 }
1935 postIndex = 48;
1936 break;
1937 }
1938
1939 /* LD3 multiple structure */
1940 case triton::arch::arm::ID_VAS_4H: {
1941 for (triton::uint32 i = 0; i != 8; i += 2) {
1942 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 0, triton::size::word);
1943 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 2, triton::size::word);
1944 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 4, triton::size::word);
1945
1946 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
1947 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
1948 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
1949
1950 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
1951 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
1952 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
1953 }
1954 postIndex = 24;
1955 break;
1956 }
1957
1958 /* LD3 multiple structure */
1959 case triton::arch::arm::ID_VAS_4S: {
1960 for (triton::uint32 i = 0; i != 16; i += 4) {
1961 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 0, triton::size::dword);
1962 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 4, triton::size::dword);
1963 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 8, triton::size::dword);
1964
1965 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
1966 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
1967 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
1968
1969 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
1970 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
1971 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
1972 }
1973 postIndex = 48;
1974 break;
1975 }
1976
1977 /* LD3 multiple structure */
1978 case triton::arch::arm::ID_VAS_2S: {
1979 for (triton::uint32 i = 0; i != 8; i += 4) {
1980 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 0, triton::size::dword);
1981 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 4, triton::size::dword);
1982 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 8, triton::size::dword);
1983
1984 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
1985 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
1986 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
1987
1988 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
1989 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
1990 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
1991 }
1992 postIndex = 24;
1993 break;
1994 }
1995
1996 /* LD3 multiple structure */
1997 case triton::arch::arm::ID_VAS_2D: {
1998 for (triton::uint32 i = 0; i != 16; i += 8) {
1999 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 0, triton::size::qword);
2000 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 8, triton::size::qword);
2001 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 16, triton::size::qword);
2002
2003 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2004 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2005 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2006
2007 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2008 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2009 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2010 }
2011 postIndex = 48;
2012 break;
2013 }
2014
2015 default:
2016 throw triton::exceptions::Semantics("AArch64Semantics::ld3_s(): Invalid VAS encoding.");
2017 }
2018
2019 /* Create the semantics of the LD3 */
2020 auto node0 = this->astCtxt->concat(vec0);
2021 auto node1 = this->astCtxt->concat(vec1);
2022 auto node2 = this->astCtxt->concat(vec2);
2023
2024 /* Create symbolic expression */
2025 auto expr0 = this->symbolicEngine->createSymbolicExpression(inst, node0, vt0, "LD3 operation - LOAD access");
2026 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, vt1, "LD3 operation - LOAD access");
2027 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, vt2, "LD3 operation - LOAD access");
2028
2029 /* Spread taint */
2030 expr0->isTainted = vt0_t;
2031 expr1->isTainted = vt1_t;
2032 expr2->isTainted = vt2_t;
2033
2034 /*
2035 * Register offset (Rm != 11111)
2036 * LD3 { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T> }, [<Xn|SP>], <Xm>
2037 */
2038 if (inst.operands.size() == 5 && inst.operands[4].getType() == triton::arch::OP_REG) {
2039 auto base = mem.getBaseRegister();
2040 auto offset = inst.operands[4].getRegister();
2041
2042 /* Create symbolic operands of the post computation */
2043 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2044 auto offsetNode = this->symbolicEngine->getOperandAst(inst, offset);
2045
2046 /* Create the semantics of the base register */
2047 auto node3 = this->astCtxt->bvadd(baseNode, offsetNode);
2048
2049 /* Create symbolic expression */
2050 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LD3 operation - Post Index");
2051
2052 /* Spread taint */
2053 expr3->isTainted = this->taintEngine->isTainted(base) | this->taintEngine->isTainted(offset);
2054 }
2055
2056 /*
2057 * Register offset (Rm == 11111)
2058 * LD3 { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T> }, [<Xn|SP>], <imm>
2059 */
2060 else if (inst.operands.size() == 4 && inst.isWriteBack()) {
2061 /* Create symbolic operands of the post computation */
2062 auto base = mem.getBaseRegister();
2063 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2064
2065 /* Create the semantics of the base register */
2066 auto node3 = this->astCtxt->bvadd(baseNode, this->astCtxt->bv(postIndex, base.getBitSize()));
2067
2068 /* Create symbolic expression */
2069 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LD3 operation - Post Index");
2070
2071 /* Spread taint */
2072 expr3->isTainted = this->taintEngine->isTainted(base);
2073 }
2074
2075 /* Update the symbolic control flow */
2076 this->controlFlow_s(inst);
2077 }
2078
2079
2080 void AArch64Semantics::ld3r_s(triton::arch::Instruction& inst) {
2081 std::list<triton::ast::SharedAbstractNode> vec0;
2082 std::list<triton::ast::SharedAbstractNode> vec1;
2083 std::list<triton::ast::SharedAbstractNode> vec2;
2084
2085 triton::arch::OperandWrapper& vt0 = inst.operands[0]; /* vas register */
2086 triton::arch::OperandWrapper& vt1 = inst.operands[1]; /* vas register */
2087 triton::arch::OperandWrapper& vt2 = inst.operands[2]; /* vas register */
2088 triton::arch::OperandWrapper& src = inst.operands[3]; /* memory */
2089
2090 bool vt0_t = false; /* taint state of vt0 */
2091 bool vt1_t = false; /* taint state of vt1 */
2092 bool vt2_t = false; /* taint state of vt2 */
2093
2094 /*
2095 * Is the post-index immediate offset, encoded in size:
2096 * 00 #3
2097 * 01 #6
2098 * 10 #12
2099 * 11 #24
2100 */
2101 triton::uint32 postIndex = 0;
2102
2103 auto mem = src.getConstMemory();
2104 auto vas_e = vt0.getConstRegister().getVASType();
2105
2106 switch (vas_e) {
2107 case triton::arch::arm::ID_VAS_16B: {
2108 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::byte);
2109 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 1, triton::size::byte);
2110 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::byte);
2111
2112 for (triton::uint32 i = 0; i != 16; i++) {
2113 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2114 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2115 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2116
2117 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2118 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2119 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2120 }
2121
2122 postIndex = 3;
2123 break;
2124 }
2125
2126 case triton::arch::arm::ID_VAS_8B: {
2127 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::byte);
2128 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 1, triton::size::byte);
2129 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::byte);
2130
2131 for (triton::uint32 i = 0; i != 8; i++) {
2132 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2133 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2134 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2135
2136 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2137 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2138 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2139 }
2140
2141 postIndex = 3;
2142 break;
2143 }
2144
2145 case triton::arch::arm::ID_VAS_8H: {
2146 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::word);
2147 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::word);
2148 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::word);
2149
2150 for (triton::uint32 i = 0; i != 16; i += 2) {
2151 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2152 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2153 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2154
2155 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2156 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2157 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2158 }
2159
2160 postIndex = 6;
2161 break;
2162 }
2163
2164 case triton::arch::arm::ID_VAS_4H: {
2165 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::word);
2166 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::word);
2167 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::word);
2168
2169 for (triton::uint32 i = 0; i != 8; i += 2) {
2170 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2171 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2172 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2173
2174 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2175 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2176 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2177 }
2178
2179 postIndex = 6;
2180 break;
2181 }
2182
2183 case triton::arch::arm::ID_VAS_4S: {
2184 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::dword);
2185 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::dword);
2186 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::dword);
2187
2188 for (triton::uint32 i = 0; i != 16; i += 4) {
2189 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2190 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2191 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2192
2193 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2194 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2195 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2196 }
2197
2198 postIndex = 12;
2199 break;
2200 }
2201
2202 case triton::arch::arm::ID_VAS_2S: {
2203 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::dword);
2204 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::dword);
2205 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::dword);
2206
2207 for (triton::uint32 i = 0; i != 8; i += 4) {
2208 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2209 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2210 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2211
2212 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2213 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2214 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2215 }
2216
2217 postIndex = 12;
2218 break;
2219 }
2220
2221 case triton::arch::arm::ID_VAS_2D: {
2222 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::qword);
2223 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::qword);
2224 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 16, triton::size::qword);
2225
2226 for (triton::uint32 i = 0; i != 16; i += 8) {
2227 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2228 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2229 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2230
2231 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2232 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2233 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2234 }
2235
2236 postIndex = 24;
2237 break;
2238 }
2239
2240 case triton::arch::arm::ID_VAS_1D: {
2241 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::qword);
2242 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::qword);
2243 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 16, triton::size::qword);
2244
2245 for (triton::uint32 i = 0; i != 8; i += 8) {
2246 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2247 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2248 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2249
2250 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2251 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2252 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2253 }
2254
2255 postIndex = 24;
2256 break;
2257 }
2258
2259 default:
2260 throw triton::exceptions::Semantics("AArch64Semantics::ld3r_s(): Invalid VAS encoding.");
2261 }
2262
2263 /* Create the semantics of the LD3R */
2264 auto node0 = this->astCtxt->concat(vec0);
2265 auto node1 = this->astCtxt->concat(vec1);
2266 auto node2 = this->astCtxt->concat(vec2);
2267
2268 /* Create symbolic expression */
2269 auto expr0 = this->symbolicEngine->createSymbolicExpression(inst, node0, vt0, "LD3R operation - LOAD access");
2270 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, vt1, "LD3R operation - LOAD access");
2271 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, vt2, "LD3R operation - LOAD access");
2272
2273 /* Spread taint */
2274 expr0->isTainted = vt0_t;
2275 expr1->isTainted = vt1_t;
2276 expr2->isTainted = vt2_t;
2277
2278 /*
2279 * Register offset (Rm != 11111)
2280 * LD3R { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T> }, [<Xn|SP>], <Xm>
2281 */
2282 if (inst.operands.size() == 5 && inst.operands[4].getType() == triton::arch::OP_REG) {
2283 auto base = mem.getBaseRegister();
2284 auto offset = inst.operands[4].getRegister();
2285
2286 /* Create symbolic operands of the post computation */
2287 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2288 auto offsetNode = this->symbolicEngine->getOperandAst(inst, offset);
2289
2290 /* Create the semantics of the base register */
2291 auto node3 = this->astCtxt->bvadd(baseNode, offsetNode);
2292
2293 /* Create symbolic expression */
2294 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LD3R operation - Post Index");
2295
2296 /* Spread taint */
2297 expr3->isTainted = this->taintEngine->isTainted(base) | this->taintEngine->isTainted(offset);
2298 }
2299
2300 /*
2301 * Register offset (Rm == 11111)
2302 * LD3R { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T> }, [<Xn|SP>], <imm>
2303 */
2304 else if (inst.operands.size() == 4 && inst.isWriteBack()) {
2305 /* Create symbolic operands of the post computation */
2306 auto base = mem.getBaseRegister();
2307 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2308
2309 /* Create the semantics of the base register */
2310 auto node3 = this->astCtxt->bvadd(baseNode, this->astCtxt->bv(postIndex, base.getBitSize()));
2311
2312 /* Create symbolic expression */
2313 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LD3R operation - Post Index");
2314
2315 /* Spread taint */
2316 expr3->isTainted = this->taintEngine->isTainted(base);
2317 }
2318
2319 /* Update the symbolic control flow */
2320 this->controlFlow_s(inst);
2321 }
2322
2323
2324 void AArch64Semantics::ld4_s(triton::arch::Instruction& inst) {
2325 std::list<triton::ast::SharedAbstractNode> vec0;
2326 std::list<triton::ast::SharedAbstractNode> vec1;
2327 std::list<triton::ast::SharedAbstractNode> vec2;
2328 std::list<triton::ast::SharedAbstractNode> vec3;
2329
2330 triton::arch::OperandWrapper& vt0 = inst.operands[0]; /* vas register */
2331 triton::arch::OperandWrapper& vt1 = inst.operands[1]; /* vas register */
2332 triton::arch::OperandWrapper& vt2 = inst.operands[2]; /* vas register */
2333 triton::arch::OperandWrapper& vt3 = inst.operands[3]; /* vas register */
2334 triton::arch::OperandWrapper& src = inst.operands[4]; /* memory */
2335
2336 bool vt0_t = false; /* taint state of vt0 */
2337 bool vt1_t = false; /* taint state of vt1 */
2338 bool vt2_t = false; /* taint state of vt2 */
2339 bool vt3_t = false; /* taint state of vt3 */
2340
2341 /*
2342 * Is the post-index immediate offset, encoded in Q:
2343 * 0 #32
2344 * 1 #64
2345 */
2346 triton::uint32 postIndex = 0;
2347
2348 auto mem = src.getConstMemory();
2349 auto vas_e = vt0.getConstRegister().getVASType();
2350
2351 switch (vas_e) {
2352 /* LD4 multiple structure */
2353 case triton::arch::arm::ID_VAS_16B: {
2354 for (triton::uint32 i = 0; i != 16; i++) {
2355 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 0, triton::size::byte);
2356 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 1, triton::size::byte);
2357 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 2, triton::size::byte);
2358 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 3, triton::size::byte);
2359
2360 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2361 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2362 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2363 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2364
2365 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2366 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2367 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2368 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2369 }
2370 postIndex = 64;
2371 break;
2372 }
2373
2374 /* LD4 multiple structure */
2375 case triton::arch::arm::ID_VAS_8B: {
2376 for (triton::uint32 i = 0; i != 8; i++) {
2377 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 0, triton::size::byte);
2378 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 1, triton::size::byte);
2379 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 2, triton::size::byte);
2380 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 3, triton::size::byte);
2381
2382 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2383 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2384 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2385 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2386
2387 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2388 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2389 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2390 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2391 }
2392 postIndex = 32;
2393 break;
2394 }
2395
2396 /* LD4 multiple structure */
2397 case triton::arch::arm::ID_VAS_8H: {
2398 for (triton::uint32 i = 0; i != 16; i += 2) {
2399 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 0, triton::size::word);
2400 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 2, triton::size::word);
2401 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 4, triton::size::word);
2402 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 6, triton::size::word);
2403
2404 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2405 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2406 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2407 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2408
2409 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2410 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2411 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2412 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2413 }
2414 postIndex = 64;
2415 break;
2416 }
2417
2418 /* LD4 multiple structure */
2419 case triton::arch::arm::ID_VAS_4H: {
2420 for (triton::uint32 i = 0; i != 8; i += 2) {
2421 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 0, triton::size::word);
2422 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 2, triton::size::word);
2423 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 4, triton::size::word);
2424 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 6, triton::size::word);
2425
2426 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2427 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2428 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2429 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2430
2431 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2432 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2433 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2434 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2435 }
2436 postIndex = 32;
2437 break;
2438 }
2439
2440 /* LD4 multiple structure */
2441 case triton::arch::arm::ID_VAS_4S: {
2442 for (triton::uint32 i = 0; i != 16; i += 4) {
2443 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 0, triton::size::dword);
2444 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 4, triton::size::dword);
2445 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 8, triton::size::dword);
2446 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 12, triton::size::dword);
2447
2448 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2449 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2450 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2451 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2452
2453 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2454 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2455 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2456 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2457 }
2458 postIndex = 64;
2459 break;
2460 }
2461
2462 /* LD4 multiple structure */
2463 case triton::arch::arm::ID_VAS_2S: {
2464 for (triton::uint32 i = 0; i != 8; i += 4) {
2465 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 0, triton::size::dword);
2466 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 4, triton::size::dword);
2467 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 8, triton::size::dword);
2468 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 12, triton::size::dword);
2469
2470 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2471 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2472 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2473 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2474
2475 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2476 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2477 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2478 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2479 }
2480 postIndex = 32;
2481 break;
2482 }
2483
2484 /* LD4 multiple structure */
2485 case triton::arch::arm::ID_VAS_2D: {
2486 for (triton::uint32 i = 0; i != 16; i += 8) {
2487 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 0, triton::size::qword);
2488 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 8, triton::size::qword);
2489 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 16, triton::size::qword);
2490 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 24, triton::size::qword);
2491
2492 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2493 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2494 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2495 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2496
2497 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2498 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2499 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2500 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2501 }
2502 postIndex = 64;
2503 break;
2504 }
2505
2506 default:
2507 throw triton::exceptions::Semantics("AArch64Semantics::ld4_s(): Invalid VAS encoding.");
2508 }
2509
2510 /* Create the semantics of the LD3 */
2511 auto node0 = this->astCtxt->concat(vec0);
2512 auto node1 = this->astCtxt->concat(vec1);
2513 auto node2 = this->astCtxt->concat(vec2);
2514 auto node3 = this->astCtxt->concat(vec3);
2515
2516 /* Create symbolic expression */
2517 auto expr0 = this->symbolicEngine->createSymbolicExpression(inst, node0, vt0, "LD4 operation - LOAD access");
2518 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, vt1, "LD4 operation - LOAD access");
2519 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, vt2, "LD4 operation - LOAD access");
2520 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, vt3, "LD4 operation - LOAD access");
2521
2522 /* Spread taint */
2523 expr0->isTainted = vt0_t;
2524 expr1->isTainted = vt1_t;
2525 expr2->isTainted = vt2_t;
2526 expr3->isTainted = vt3_t;
2527
2528 /*
2529 * Register offset (Rm != 11111)
2530 * LD4 { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T>, <Vt4>.<T> }, [<Xn|SP>], <Xm>
2531 */
2532 if (inst.operands.size() == 6 && inst.operands[5].getType() == triton::arch::OP_REG) {
2533 auto base = mem.getBaseRegister();
2534 auto offset = inst.operands[5].getRegister();
2535
2536 /* Create symbolic operands of the post computation */
2537 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2538 auto offsetNode = this->symbolicEngine->getOperandAst(inst, offset);
2539
2540 /* Create the semantics of the base register */
2541 auto node4 = this->astCtxt->bvadd(baseNode, offsetNode);
2542
2543 /* Create symbolic expression */
2544 auto expr4 = this->symbolicEngine->createSymbolicExpression(inst, node4, base, "LD4 operation - Post Index");
2545
2546 /* Spread taint */
2547 expr4->isTainted = this->taintEngine->isTainted(base) | this->taintEngine->isTainted(offset);
2548 }
2549
2550 /*
2551 * Register offset (Rm == 11111)
2552 * LD4 { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T>, <Vt4>.<T> }, [<Xn|SP>], <imm>
2553 */
2554 else if (inst.operands.size() == 5 && inst.isWriteBack()) {
2555 /* Create symbolic operands of the post computation */
2556 auto base = mem.getBaseRegister();
2557 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2558
2559 /* Create the semantics of the base register */
2560 auto node4 = this->astCtxt->bvadd(baseNode, this->astCtxt->bv(postIndex, base.getBitSize()));
2561
2562 /* Create symbolic expression */
2563 auto expr4 = this->symbolicEngine->createSymbolicExpression(inst, node4, base, "LD4 operation - Post Index");
2564
2565 /* Spread taint */
2566 expr4->isTainted = this->taintEngine->isTainted(base);
2567 }
2568
2569 /* Update the symbolic control flow */
2570 this->controlFlow_s(inst);
2571 }
2572
2573
2574 void AArch64Semantics::ld4r_s(triton::arch::Instruction& inst) {
2575 std::list<triton::ast::SharedAbstractNode> vec0;
2576 std::list<triton::ast::SharedAbstractNode> vec1;
2577 std::list<triton::ast::SharedAbstractNode> vec2;
2578 std::list<triton::ast::SharedAbstractNode> vec3;
2579
2580 triton::arch::OperandWrapper& vt0 = inst.operands[0]; /* vas register */
2581 triton::arch::OperandWrapper& vt1 = inst.operands[1]; /* vas register */
2582 triton::arch::OperandWrapper& vt2 = inst.operands[2]; /* vas register */
2583 triton::arch::OperandWrapper& vt3 = inst.operands[3]; /* vas register */
2584 triton::arch::OperandWrapper& src = inst.operands[4]; /* memory */
2585
2586 bool vt0_t = false; /* taint state of vt0 */
2587 bool vt1_t = false; /* taint state of vt1 */
2588 bool vt2_t = false; /* taint state of vt2 */
2589 bool vt3_t = false; /* taint state of vt3 */
2590
2591 /*
2592 * Is the post-index immediate offset, encoded in size:
2593 * 00 #4
2594 * 01 #8
2595 * 10 #16
2596 * 11 #32
2597 */
2598 triton::uint32 postIndex = 0;
2599
2600 auto mem = src.getConstMemory();
2601 auto vas_e = vt0.getConstRegister().getVASType();
2602
2603 switch (vas_e) {
2604 case triton::arch::arm::ID_VAS_16B: {
2605 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::byte);
2606 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 1, triton::size::byte);
2607 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::byte);
2608 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 3, triton::size::byte);
2609
2610 for (triton::uint32 i = 0; i != 16; i++) {
2611 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2612 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2613 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2614 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2615
2616 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2617 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2618 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2619 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2620 }
2621
2622 postIndex = 4;
2623 break;
2624 }
2625
2626 case triton::arch::arm::ID_VAS_8B: {
2627 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::byte);
2628 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 1, triton::size::byte);
2629 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::byte);
2630 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 3, triton::size::byte);
2631
2632 for (triton::uint32 i = 0; i != 8; i++) {
2633 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2634 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2635 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2636 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2637
2638 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2639 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2640 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2641 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2642 }
2643
2644 postIndex = 4;
2645 break;
2646 }
2647
2648 case triton::arch::arm::ID_VAS_8H: {
2649 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::word);
2650 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::word);
2651 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::word);
2652 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 6, triton::size::word);
2653
2654 for (triton::uint32 i = 0; i != 16; i += 2) {
2655 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2656 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2657 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2658 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2659
2660 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2661 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2662 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2663 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2664 }
2665
2666 postIndex = 8;
2667 break;
2668 }
2669
2670 case triton::arch::arm::ID_VAS_4H: {
2671 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::word);
2672 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::word);
2673 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::word);
2674 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 6, triton::size::word);
2675
2676 for (triton::uint32 i = 0; i != 8; i += 2) {
2677 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2678 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2679 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2680 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2681
2682 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2683 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2684 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2685 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2686 }
2687
2688 postIndex = 8;
2689 break;
2690 }
2691
2692 case triton::arch::arm::ID_VAS_4S: {
2693 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::dword);
2694 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::dword);
2695 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::dword);
2696 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 12, triton::size::dword);
2697
2698 for (triton::uint32 i = 0; i != 16; i += 4) {
2699 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2700 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2701 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2702 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2703
2704 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2705 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2706 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2707 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2708 }
2709
2710 postIndex = 16;
2711 break;
2712 }
2713
2714 case triton::arch::arm::ID_VAS_2S: {
2715 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::dword);
2716 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::dword);
2717 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::dword);
2718 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 12, triton::size::dword);
2719
2720 for (triton::uint32 i = 0; i != 8; i += 4) {
2721 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2722 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2723 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2724 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2725
2726 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2727 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2728 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2729 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2730 }
2731
2732 postIndex = 16;
2733 break;
2734 }
2735
2736 case triton::arch::arm::ID_VAS_2D: {
2737 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::qword);
2738 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::qword);
2739 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 16, triton::size::qword);
2740 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 24, triton::size::qword);
2741
2742 for (triton::uint32 i = 0; i != 16; i += 8) {
2743 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2744 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2745 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2746 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2747
2748 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2749 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2750 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2751 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2752 }
2753
2754 postIndex = 32;
2755 break;
2756 }
2757
2758 case triton::arch::arm::ID_VAS_1D: {
2759 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::qword);
2760 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::qword);
2761 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 16, triton::size::qword);
2762 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 24, triton::size::qword);
2763
2764 for (triton::uint32 i = 0; i != 8; i += 8) {
2765 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2766 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2767 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2768 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2769
2770 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2771 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2772 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2773 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2774 }
2775
2776 postIndex = 32;
2777 break;
2778 }
2779
2780 default:
2781 throw triton::exceptions::Semantics("AArch64Semantics::ld4r_s(): Invalid VAS encoding.");
2782 }
2783
2784 /* Create the semantics of the LD3R */
2785 auto node0 = this->astCtxt->concat(vec0);
2786 auto node1 = this->astCtxt->concat(vec1);
2787 auto node2 = this->astCtxt->concat(vec2);
2788 auto node3 = this->astCtxt->concat(vec3);
2789
2790 /* Create symbolic expression */
2791 auto expr0 = this->symbolicEngine->createSymbolicExpression(inst, node0, vt0, "LD4R operation - LOAD access");
2792 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, vt1, "LD4R operation - LOAD access");
2793 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, vt2, "LD4R operation - LOAD access");
2794 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, vt3, "LD4R operation - LOAD access");
2795
2796 /* Spread taint */
2797 expr0->isTainted = vt0_t;
2798 expr1->isTainted = vt1_t;
2799 expr2->isTainted = vt2_t;
2800 expr3->isTainted = vt3_t;
2801
2802 /*
2803 * Register offset (Rm != 11111)
2804 * LD4R { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T>, <Vt4>.<T> }, [<Xn|SP>], <Xm>
2805 */
2806 if (inst.operands.size() == 6 && inst.operands[5].getType() == triton::arch::OP_REG) {
2807 auto base = mem.getBaseRegister();
2808 auto offset = inst.operands[5].getRegister();
2809
2810 /* Create symbolic operands of the post computation */
2811 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2812 auto offsetNode = this->symbolicEngine->getOperandAst(inst, offset);
2813
2814 /* Create the semantics of the base register */
2815 auto node4 = this->astCtxt->bvadd(baseNode, offsetNode);
2816
2817 /* Create symbolic expression */
2818 auto expr4 = this->symbolicEngine->createSymbolicExpression(inst, node4, base, "LD4R operation - Post Index");
2819
2820 /* Spread taint */
2821 expr4->isTainted = this->taintEngine->isTainted(base) | this->taintEngine->isTainted(offset);
2822 }
2823
2824 /*
2825 * Register offset (Rm == 11111)
2826 * LD4R { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T>, <Vt4>.<T> }, [<Xn|SP>], <imm>
2827 */
2828 else if (inst.operands.size() == 5 && inst.isWriteBack()) {
2829 /* Create symbolic operands of the post computation */
2830 auto base = mem.getBaseRegister();
2831 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2832
2833 /* Create the semantics of the base register */
2834 auto node4 = this->astCtxt->bvadd(baseNode, this->astCtxt->bv(postIndex, base.getBitSize()));
2835
2836 /* Create symbolic expression */
2837 auto expr4 = this->symbolicEngine->createSymbolicExpression(inst, node4, base, "LD4R operation - Post Index");
2838
2839 /* Spread taint */
2840 expr4->isTainted = this->taintEngine->isTainted(base);
2841 }
2842
2843 /* Update the symbolic control flow */
2844 this->controlFlow_s(inst);
2845 }
2846
2847
2848 void AArch64Semantics::ldar_s(triton::arch::Instruction& inst) {
2849 triton::arch::OperandWrapper& dst = inst.operands[0];
2850 triton::arch::OperandWrapper& src = inst.operands[1];
2851
2852 /* Create the semantics of the LOAD */
2853 auto node = this->symbolicEngine->getOperandAst(inst, src);
2854
2855 /* Create symbolic expression */
2856 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDAR operation - LOAD access");
2857
2858 /* Spread taint */
2859 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
2860
2861 /* Update the symbolic control flow */
2862 this->controlFlow_s(inst);
2863 }
2864
2865
2866 void AArch64Semantics::ldarb_s(triton::arch::Instruction& inst) {
2867 triton::arch::OperandWrapper& dst = inst.operands[0];
2868 triton::arch::OperandWrapper& src = inst.operands[1];
2869
2870 /* Create the semantics of the LOAD */
2871 auto node = this->symbolicEngine->getOperandAst(inst, src);
2872
2873 /* Create symbolic expression */
2874 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDARB operation - LOAD access");
2875
2876 /* Spread taint */
2877 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
2878
2879 /* Update the symbolic control flow */
2880 this->controlFlow_s(inst);
2881 }
2882
2883
2884 void AArch64Semantics::ldarh_s(triton::arch::Instruction& inst) {
2885 triton::arch::OperandWrapper& dst = inst.operands[0];
2886 triton::arch::OperandWrapper& src = inst.operands[1];
2887
2888 /* Create the semantics of the LOAD */
2889 auto node = this->symbolicEngine->getOperandAst(inst, src);
2890
2891 /* Create symbolic expression */
2892 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDARH operation - LOAD access");
2893
2894 /* Spread taint */
2895 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
2896
2897 /* Update the symbolic control flow */
2898 this->controlFlow_s(inst);
2899 }
2900
2901
2902 void AArch64Semantics::ldaxr_s(triton::arch::Instruction& inst) {
2903 triton::arch::OperandWrapper& dst = inst.operands[0];
2904 triton::arch::OperandWrapper& src = inst.operands[1];
2905
2906 /* Create the semantics of the LOAD */
2907 auto node = this->symbolicEngine->getOperandAst(inst, src);
2908
2909 /* Create symbolic expression */
2910 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDAXR operation - LOAD access");
2911
2912 /* Spread taint */
2913 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
2914
2915 /* Update exclusive memory access tag */
2916 this->architecture->setMemoryExclusiveTag(src.getConstMemory(), true);
2917
2918 /* Update the symbolic control flow */
2919 this->controlFlow_s(inst);
2920 }
2921
2922
2923 void AArch64Semantics::ldaxrb_s(triton::arch::Instruction& inst) {
2924 triton::arch::OperandWrapper& dst = inst.operands[0];
2925 triton::arch::OperandWrapper& src = inst.operands[1];
2926
2927 /* Create the semantics of the LOAD */
2928 auto node = this->symbolicEngine->getOperandAst(inst, src);
2929
2930 /* Create symbolic expression */
2931 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDAXRB operation - LOAD access");
2932
2933 /* Spread taint */
2934 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
2935
2936 /* Update exclusive memory access tag */
2937 this->architecture->setMemoryExclusiveTag(src.getConstMemory(), true);
2938
2939 /* Update the symbolic control flow */
2940 this->controlFlow_s(inst);
2941 }
2942
2943
2944 void AArch64Semantics::ldaxrh_s(triton::arch::Instruction& inst) {
2945 triton::arch::OperandWrapper& dst = inst.operands[0];
2946 triton::arch::OperandWrapper& src = inst.operands[1];
2947
2948 /* Create the semantics of the LOAD */
2949 auto node = this->symbolicEngine->getOperandAst(inst, src);
2950
2951 /* Create symbolic expression */
2952 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDAXRH operation - LOAD access");
2953
2954 /* Spread taint */
2955 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
2956
2957 /* Update exclusive memory access tag */
2958 this->architecture->setMemoryExclusiveTag(src.getConstMemory(), true);
2959
2960 /* Update the symbolic control flow */
2961 this->controlFlow_s(inst);
2962 }
2963
2964
2965 void AArch64Semantics::ldnp_s(triton::arch::Instruction& inst) {
2966 triton::arch::OperandWrapper& dst1 = inst.operands[0];
2967 triton::arch::OperandWrapper& dst2 = inst.operands[1];
2968 triton::arch::OperandWrapper& src = inst.operands[2];
2969
2970 /* Special behavior: Define that the size of the memory access is dst1.size + dst2.size */
2971 src.getMemory().setBits((dst1.getBitSize() + dst2.getBitSize()) - 1, 0);
2972
2973 /* Create symbolic operands */
2974 auto op = this->symbolicEngine->getOperandAst(inst, src);
2975
2976 /* Create the semantics */
2977 auto node1 = this->astCtxt->extract((dst1.getBitSize() - 1), 0, op);
2978 auto node2 = this->astCtxt->extract((dst1.getBitSize() + dst2.getBitSize()) - 1, dst1.getBitSize(), op);
2979
2980 /* Create symbolic expression */
2981 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "LDNP operation - LOAD access");
2982 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "LDNP operation - LOAD access");
2983
2984 /* Spread taint */
2985 expr1->isTainted = this->taintEngine->taintAssignment(dst1, src);
2986 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
2987
2988 /* Update the symbolic control flow */
2989 this->controlFlow_s(inst);
2990 }
2991
2992
2993 void AArch64Semantics::ldp_s(triton::arch::Instruction& inst) {
2994 triton::arch::OperandWrapper& dst1 = inst.operands[0];
2995 triton::arch::OperandWrapper& dst2 = inst.operands[1];
2996 triton::arch::OperandWrapper& src = inst.operands[2];
2997
2998 /* Special behavior: Define that the size of the memory access is dst1.size + dst2.size */
2999 src.getMemory().setBits((dst1.getBitSize() + dst2.getBitSize()) - 1, 0);
3000
3001 /* Create symbolic operands */
3002 auto op = this->symbolicEngine->getOperandAst(inst, src);
3003
3004 /* Create the semantics */
3005 auto node1 = this->astCtxt->extract((dst1.getBitSize() - 1), 0, op);
3006 auto node2 = this->astCtxt->extract((dst1.getBitSize() + dst2.getBitSize()) - 1, dst1.getBitSize(), op);
3007
3008 /* Create symbolic expression */
3009 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "LDP operation - LOAD access");
3010 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "LDP operation - LOAD access");
3011
3012 /* Spread taint */
3013 expr1->isTainted = this->taintEngine->taintAssignment(dst1, src);
3014 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
3015
3016 /* Optional behavior. Post computation of the base register */
3017 /* LDP <Xt1>, <Xt2>, [<Xn|SP>], #<imm> */
3018 if (inst.operands.size() == 4) {
3019 triton::arch::Immediate& imm = inst.operands[3].getImmediate();
3020 triton::arch::Register& base = src.getMemory().getBaseRegister();
3021
3022 /* Create symbolic operands of the post computation */
3023 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3024 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3025
3026 /* Create the semantics of the base register */
3027 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3028
3029 /* Create symbolic expression */
3030 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDP operation - Base register computation");
3031
3032 /* Spread taint */
3033 expr2->isTainted = this->taintEngine->isTainted(base);
3034 }
3035
3036 /* LDP <Xt1>, <Xt2>, [<Xn|SP>, #<imm>]! */
3037 else if (inst.operands.size() == 3 && inst.isWriteBack() == true) {
3038 triton::arch::Register& base = src.getMemory().getBaseRegister();
3039
3040 /* Create the semantics of the base register */
3041 auto node3 = src.getMemory().getLeaAst();
3042
3043 /* Create symbolic expression */
3044 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDP operation - Base register computation");
3045
3046 /* Spread taint */
3047 expr3->isTainted = this->taintEngine->isTainted(base);
3048 }
3049
3050 /* Update the symbolic control flow */
3051 this->controlFlow_s(inst);
3052 }
3053
3054
3055 void AArch64Semantics::ldpsw_s(triton::arch::Instruction& inst) {
3056 triton::arch::OperandWrapper& dst1 = inst.operands[0];
3057 triton::arch::OperandWrapper& dst2 = inst.operands[1];
3058 triton::arch::OperandWrapper& src = inst.operands[2];
3059
3060 /* Create symbolic operands */
3061 auto op = this->symbolicEngine->getOperandAst(inst, src);
3062
3063 /* Create the semantics */
3064 auto node1 = this->astCtxt->sx(32, this->astCtxt->extract(31, 0, op));
3065 auto node2 = this->astCtxt->sx(32, this->astCtxt->extract(63, 32, op));
3066
3067 /* Create symbolic expression */
3068 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "LDPSW operation - LOAD access");
3069 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "LDPSW operation - LOAD access");
3070
3071 /* Spread taint */
3072 expr1->isTainted = this->taintEngine->taintAssignment(dst1, src);
3073 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
3074
3075 /* Optional behavior. Post computation of the base register */
3076 /* LDPSW <Xt1>, <Xt2>, [<Xn|SP>], #<imm> */
3077 if (inst.operands.size() == 4) {
3078 triton::arch::Immediate& imm = inst.operands[3].getImmediate();
3079 triton::arch::Register& base = src.getMemory().getBaseRegister();
3080
3081 /* Create symbolic operands of the post computation */
3082 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3083 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3084
3085 /* Create the semantics of the base register */
3086 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3087
3088 /* Create symbolic expression */
3089 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDPSW operation - Base register computation");
3090
3091 /* Spread taint */
3092 expr2->isTainted = this->taintEngine->isTainted(base);
3093 }
3094
3095 /* LDPSW <Xt1>, <Xt2>, [<Xn|SP>, #<imm>]! */
3096 else if (inst.operands.size() == 3 && inst.isWriteBack() == true) {
3097 triton::arch::Register& base = src.getMemory().getBaseRegister();
3098
3099 /* Create the semantics of the base register */
3100 auto node3 = src.getMemory().getLeaAst();
3101
3102 /* Create symbolic expression */
3103 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDPSW operation - Base register computation");
3104
3105 /* Spread taint */
3106 expr3->isTainted = this->taintEngine->isTainted(base);
3107 }
3108
3109 /* Update the symbolic control flow */
3110 this->controlFlow_s(inst);
3111 }
3112
3113
3114 void AArch64Semantics::ldr_s(triton::arch::Instruction& inst) {
3115 triton::arch::OperandWrapper& dst = inst.operands[0];
3116 triton::arch::OperandWrapper& src = inst.operands[1];
3117
3118 /* LDR (literal) */
3119 if (inst.operands.size() == 2 && src.getType() == triton::arch::OP_IMM) {
3120 src = triton::arch::MemoryAccess(src.getConstImmediate().getValue(), dst.getSize());
3121 }
3122
3123 /* Create the semantics of the LOAD */
3124 auto node1 = this->symbolicEngine->getOperandAst(inst, src);
3125
3126 /* Create symbolic expression */
3127 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "LDR operation - LOAD access");
3128
3129 /* Spread taint */
3130 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
3131
3132 /* Optional behavior. Post computation of the base register */
3133 /* LDR <Xt>, [<Xn|SP>], #<simm> */
3134 if (inst.operands.size() == 3) {
3135 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
3136 triton::arch::Register& base = src.getMemory().getBaseRegister();
3137
3138 /* Create symbolic operands of the post computation */
3139 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3140 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3141
3142 /* Create the semantics of the base register */
3143 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3144
3145 /* Create symbolic expression */
3146 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDR operation - Base register computation");
3147
3148 /* Spread taint */
3149 expr2->isTainted = this->taintEngine->isTainted(base);
3150 }
3151 /* LDR <Xt>, [<Xn|SP>, #<simm>]! */
3152 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
3153 triton::arch::Register& base = src.getMemory().getBaseRegister();
3154
3155 /* Create the semantics of the base register */
3156 auto node3 = src.getMemory().getLeaAst();
3157
3158 /* Create symbolic expression */
3159 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDR operation - Base register computation");
3160
3161 /* Spread taint */
3162 expr3->isTainted = this->taintEngine->isTainted(base);
3163 }
3164
3165 /* Update the symbolic control flow */
3166 this->controlFlow_s(inst);
3167 }
3168
3169
3170 void AArch64Semantics::ldrb_s(triton::arch::Instruction& inst) {
3171 triton::arch::OperandWrapper& dst = inst.operands[0];
3172 triton::arch::OperandWrapper& src = inst.operands[1];
3173
3174 /* Create the semantics of the LOAD */
3175 auto node1 = this->symbolicEngine->getOperandAst(inst, src);
3176
3177 /* Create symbolic expression */
3178 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "LDRB operation - LOAD access");
3179
3180 /* Spread taint */
3181 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
3182
3183 /* Optional behavior. Post computation of the base register */
3184 /* LDRB <Xt>, [<Xn|SP>], #<simm> */
3185 if (inst.operands.size() == 3) {
3186 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
3187 triton::arch::Register& base = src.getMemory().getBaseRegister();
3188
3189 /* Create symbolic operands of the post computation */
3190 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3191 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3192
3193 /* Create the semantics of the base register */
3194 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3195
3196 /* Create symbolic expression */
3197 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDRB operation - Base register computation");
3198
3199 /* Spread taint */
3200 expr2->isTainted = this->taintEngine->isTainted(base);
3201 }
3202
3203 /* LDRB <Xt>, [<Xn|SP>, #<simm>]! */
3204 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
3205 triton::arch::Register& base = src.getMemory().getBaseRegister();
3206
3207 /* Create the semantics of the base register */
3208 auto node3 = src.getMemory().getLeaAst();
3209
3210 /* Create symbolic expression */
3211 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDRB operation - Base register computation");
3212
3213 /* Spread taint */
3214 expr3->isTainted = this->taintEngine->isTainted(base);
3215 }
3216
3217 /* Update the symbolic control flow */
3218 this->controlFlow_s(inst);
3219 }
3220
3221
3222 void AArch64Semantics::ldrh_s(triton::arch::Instruction& inst) {
3223 triton::arch::OperandWrapper& dst = inst.operands[0];
3224 triton::arch::OperandWrapper& src = inst.operands[1];
3225
3226 /* Create the semantics of the LOAD */
3227 auto node1 = this->symbolicEngine->getOperandAst(inst, src);
3228
3229 /* Create symbolic expression */
3230 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "LDRH operation - LOAD access");
3231
3232 /* Spread taint */
3233 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
3234
3235 /* Optional behavior. Post computation of the base register */
3236 /* LDRH <Xt>, [<Xn|SP>], #<simm> */
3237 if (inst.operands.size() == 3) {
3238 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
3239 triton::arch::Register& base = src.getMemory().getBaseRegister();
3240
3241 /* Create symbolic operands of the post computation */
3242 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3243 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3244
3245 /* Create the semantics of the base register */
3246 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3247
3248 /* Create symbolic expression */
3249 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDRH operation - Base register computation");
3250
3251 /* Spread taint */
3252 expr2->isTainted = this->taintEngine->isTainted(base);
3253 }
3254
3255 /* LDRH <Xt>, [<Xn|SP>, #<simm>]! */
3256 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
3257 triton::arch::Register& base = src.getMemory().getBaseRegister();
3258
3259 /* Create the semantics of the base register */
3260 auto node3 = src.getMemory().getLeaAst();
3261
3262 /* Create symbolic expression */
3263 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDRH operation - Base register computation");
3264
3265 /* Spread taint */
3266 expr3->isTainted = this->taintEngine->isTainted(base);
3267 }
3268
3269 /* Update the symbolic control flow */
3270 this->controlFlow_s(inst);
3271 }
3272
3273
3274 void AArch64Semantics::ldrsb_s(triton::arch::Instruction& inst) {
3275 triton::arch::OperandWrapper& dst = inst.operands[0];
3276 triton::arch::OperandWrapper& src = inst.operands[1];
3277
3278 /* Create symbolic operands */
3279 auto op = this->symbolicEngine->getOperandAst(inst, src);
3280
3281 /* Create the semantics of the LOAD */
3282 auto node1 = this->astCtxt->sx(dst.getBitSize() - 8, op);
3283
3284 /* Create symbolic expression */
3285 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "LDRSB operation - LOAD access");
3286
3287 /* Spread taint */
3288 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
3289
3290 /* Optional behavior. Post computation of the base register */
3291 /* LDRSB <Xt>, [<Xn|SP>], #<simm> */
3292 if (inst.operands.size() == 3) {
3293 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
3294 triton::arch::Register& base = src.getMemory().getBaseRegister();
3295
3296 /* Create symbolic operands of the post computation */
3297 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3298 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3299
3300 /* Create the semantics of the base register */
3301 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3302
3303 /* Create symbolic expression */
3304 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDRSB operation - Base register computation");
3305
3306 /* Spread taint */
3307 expr2->isTainted = this->taintEngine->isTainted(base);
3308 }
3309
3310 /* LDRSB <Xt>, [<Xn|SP>, #<simm>]! */
3311 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
3312 triton::arch::Register& base = src.getMemory().getBaseRegister();
3313
3314 /* Create the semantics of the base register */
3315 auto node3 = src.getMemory().getLeaAst();
3316
3317 /* Create symbolic expression */
3318 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDRSB operation - Base register computation");
3319
3320 /* Spread taint */
3321 expr3->isTainted = this->taintEngine->isTainted(base);
3322 }
3323
3324 /* Update the symbolic control flow */
3325 this->controlFlow_s(inst);
3326 }
3327
3328
3329 void AArch64Semantics::ldrsh_s(triton::arch::Instruction& inst) {
3330 triton::arch::OperandWrapper& dst = inst.operands[0];
3331 triton::arch::OperandWrapper& src = inst.operands[1];
3332
3333 /* Create symbolic operands */
3334 auto op = this->symbolicEngine->getOperandAst(inst, src);
3335
3336 /* Create the semantics of the LOAD */
3337 auto node1 = this->astCtxt->sx(dst.getBitSize() - 16, op);
3338
3339 /* Create symbolic expression */
3340 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "LDRSH operation - LOAD access");
3341
3342 /* Spread taint */
3343 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
3344
3345 /* Optional behavior. Post computation of the base register */
3346 /* LDRSH <Xt>, [<Xn|SP>], #<simm> */
3347 if (inst.operands.size() == 3) {
3348 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
3349 triton::arch::Register& base = src.getMemory().getBaseRegister();
3350
3351 /* Create symbolic operands of the post computation */
3352 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3353 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3354
3355 /* Create the semantics of the base register */
3356 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3357
3358 /* Create symbolic expression */
3359 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDRSH operation - Base register computation");
3360
3361 /* Spread taint */
3362 expr2->isTainted = this->taintEngine->isTainted(base);
3363 }
3364
3365 /* LDRSH <Xt>, [<Xn|SP>, #<simm>]! */
3366 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
3367 triton::arch::Register& base = src.getMemory().getBaseRegister();
3368
3369 /* Create the semantics of the base register */
3370 auto node3 = src.getMemory().getLeaAst();
3371
3372 /* Create symbolic expression */
3373 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDRSH operation - Base register computation");
3374
3375 /* Spread taint */
3376 expr3->isTainted = this->taintEngine->isTainted(base);
3377 }
3378
3379 /* Update the symbolic control flow */
3380 this->controlFlow_s(inst);
3381 }
3382
3383
3384 void AArch64Semantics::ldrsw_s(triton::arch::Instruction& inst) {
3385 triton::arch::OperandWrapper& dst = inst.operands[0];
3386 triton::arch::OperandWrapper& src = inst.operands[1];
3387
3388 /* Create symbolic operands */
3389 auto op = this->symbolicEngine->getOperandAst(inst, src);
3390
3391 /* Create the semantics of the LOAD */
3392 auto node1 = this->astCtxt->sx(dst.getBitSize() - 32, op);
3393
3394 /* Create symbolic expression */
3395 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "LDRSW operation - LOAD access");
3396
3397 /* Spread taint */
3398 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
3399
3400 /* Optional behavior. Post computation of the base register */
3401 /* LDRSW <Xt>, [<Xn|SP>], #<simm> */
3402 if (inst.operands.size() == 3) {
3403 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
3404 triton::arch::Register& base = src.getMemory().getBaseRegister();
3405
3406 /* Create symbolic operands of the post computation */
3407 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3408 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3409
3410 /* Create the semantics of the base register */
3411 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3412
3413 /* Create symbolic expression */
3414 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDRSW operation - Base register computation");
3415
3416 /* Spread taint */
3417 expr2->isTainted = this->taintEngine->isTainted(base);
3418 }
3419
3420 /* LDRSW <Xt>, [<Xn|SP>, #<simm>]! */
3421 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
3422 triton::arch::Register& base = src.getMemory().getBaseRegister();
3423
3424 /* Create the semantics of the base register */
3425 auto node3 = src.getMemory().getLeaAst();
3426
3427 /* Create symbolic expression */
3428 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDRSW operation - Base register computation");
3429
3430 /* Spread taint */
3431 expr3->isTainted = this->taintEngine->isTainted(base);
3432 }
3433
3434 /* Update the symbolic control flow */
3435 this->controlFlow_s(inst);
3436 }
3437
3438
3439 void AArch64Semantics::ldtr_s(triton::arch::Instruction& inst) {
3440 triton::arch::OperandWrapper& dst = inst.operands[0];
3441 triton::arch::OperandWrapper& src = inst.operands[1];
3442
3443 /* Create the semantics of the LOAD */
3444 auto node = this->symbolicEngine->getOperandAst(inst, src);
3445
3446 /* Create symbolic expression */
3447 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDTR operation");
3448
3449 /* Spread taint */
3450 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3451
3452 /* Update the symbolic control flow */
3453 this->controlFlow_s(inst);
3454 }
3455
3456
3457 void AArch64Semantics::ldtrb_s(triton::arch::Instruction& inst) {
3458 triton::arch::OperandWrapper& dst = inst.operands[0];
3459 triton::arch::OperandWrapper& src = inst.operands[1];
3460
3461 /* Create symbolic operands */
3462 auto op = this->symbolicEngine->getOperandAst(inst, src);
3463
3464 /* Create the semantics */
3465 auto node = this->astCtxt->zx(dst.getBitSize() - 8, op);
3466
3467 /* Create symbolic expression */
3468 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDTRB operation");
3469
3470 /* Spread taint */
3471 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3472
3473 /* Update the symbolic control flow */
3474 this->controlFlow_s(inst);
3475 }
3476
3477
3478 void AArch64Semantics::ldtrh_s(triton::arch::Instruction& inst) {
3479 triton::arch::OperandWrapper& dst = inst.operands[0];
3480 triton::arch::OperandWrapper& src = inst.operands[1];
3481
3482 /* Create symbolic operands */
3483 auto op = this->symbolicEngine->getOperandAst(inst, src);
3484
3485 /* Create the semantics */
3486 auto node = this->astCtxt->zx(dst.getBitSize() - 16, op);
3487
3488 /* Create symbolic expression */
3489 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDTRH operation");
3490
3491 /* Spread taint */
3492 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3493
3494 /* Update the symbolic control flow */
3495 this->controlFlow_s(inst);
3496 }
3497
3498
3499 void AArch64Semantics::ldtrsb_s(triton::arch::Instruction& inst) {
3500 triton::arch::OperandWrapper& dst = inst.operands[0];
3501 triton::arch::OperandWrapper& src = inst.operands[1];
3502
3503 /* Create symbolic operands */
3504 auto op = this->symbolicEngine->getOperandAst(inst, src);
3505
3506 /* Create the semantics */
3507 auto node = this->astCtxt->sx(dst.getBitSize() - 8, op);
3508
3509 /* Create symbolic expression */
3510 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDTRSB operation");
3511
3512 /* Spread taint */
3513 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3514
3515 /* Update the symbolic control flow */
3516 this->controlFlow_s(inst);
3517 }
3518
3519
3520 void AArch64Semantics::ldtrsh_s(triton::arch::Instruction& inst) {
3521 triton::arch::OperandWrapper& dst = inst.operands[0];
3522 triton::arch::OperandWrapper& src = inst.operands[1];
3523
3524 /* Create symbolic operands */
3525 auto op = this->symbolicEngine->getOperandAst(inst, src);
3526
3527 /* Create the semantics */
3528 auto node = this->astCtxt->sx(dst.getBitSize() - 16, op);
3529
3530 /* Create symbolic expression */
3531 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDTRSH operation");
3532
3533 /* Spread taint */
3534 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3535
3536 /* Update the symbolic control flow */
3537 this->controlFlow_s(inst);
3538 }
3539
3540
3541 void AArch64Semantics::ldtrsw_s(triton::arch::Instruction& inst) {
3542 triton::arch::OperandWrapper& dst = inst.operands[0];
3543 triton::arch::OperandWrapper& src = inst.operands[1];
3544
3545 /* Create symbolic operands */
3546 auto op = this->symbolicEngine->getOperandAst(inst, src);
3547
3548 /* Create the semantics */
3549 auto node = this->astCtxt->sx(dst.getBitSize() - 32, op);
3550
3551 /* Create symbolic expression */
3552 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDTRSW operation");
3553
3554 /* Spread taint */
3555 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3556
3557 /* Update the symbolic control flow */
3558 this->controlFlow_s(inst);
3559 }
3560
3561
3562 void AArch64Semantics::ldur_s(triton::arch::Instruction& inst) {
3563 triton::arch::OperandWrapper& dst = inst.operands[0];
3564 triton::arch::OperandWrapper& src = inst.operands[1];
3565
3566 /* Create the semantics of the LOAD */
3567 auto node = this->symbolicEngine->getOperandAst(inst, src);
3568
3569 /* Create symbolic expression */
3570 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDUR operation");
3571
3572 /* Spread taint */
3573 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3574
3575 /* Update the symbolic control flow */
3576 this->controlFlow_s(inst);
3577 }
3578
3579
3580 void AArch64Semantics::ldurb_s(triton::arch::Instruction& inst) {
3581 triton::arch::OperandWrapper& dst = inst.operands[0];
3582 triton::arch::OperandWrapper& src = inst.operands[1];
3583
3584 /* Create symbolic operands */
3585 auto op = this->symbolicEngine->getOperandAst(inst, src);
3586
3587 /* Create the semantics */
3588 auto node = this->astCtxt->zx(dst.getBitSize() - 8, op);
3589
3590 /* Create symbolic expression */
3591 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDURB operation");
3592
3593 /* Spread taint */
3594 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3595
3596 /* Update the symbolic control flow */
3597 this->controlFlow_s(inst);
3598 }
3599
3600
3601 void AArch64Semantics::ldurh_s(triton::arch::Instruction& inst) {
3602 triton::arch::OperandWrapper& dst = inst.operands[0];
3603 triton::arch::OperandWrapper& src = inst.operands[1];
3604
3605 /* Create symbolic operands */
3606 auto op = this->symbolicEngine->getOperandAst(inst, src);
3607
3608 /* Create the semantics */
3609 auto node = this->astCtxt->zx(dst.getBitSize() - 16, op);
3610
3611 /* Create symbolic expression */
3612 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDURH operation");
3613
3614 /* Spread taint */
3615 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3616
3617 /* Update the symbolic control flow */
3618 this->controlFlow_s(inst);
3619 }
3620
3621
3622 void AArch64Semantics::ldursb_s(triton::arch::Instruction& inst) {
3623 triton::arch::OperandWrapper& dst = inst.operands[0];
3624 triton::arch::OperandWrapper& src = inst.operands[1];
3625
3626 /* Create symbolic operands */
3627 auto op = this->symbolicEngine->getOperandAst(inst, src);
3628
3629 /* Create the semantics */
3630 auto node = this->astCtxt->sx(dst.getBitSize() - 8, op);
3631
3632 /* Create symbolic expression */
3633 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDURSB operation");
3634
3635 /* Spread taint */
3636 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3637
3638 /* Update the symbolic control flow */
3639 this->controlFlow_s(inst);
3640 }
3641
3642
3643 void AArch64Semantics::ldursh_s(triton::arch::Instruction& inst) {
3644 triton::arch::OperandWrapper& dst = inst.operands[0];
3645 triton::arch::OperandWrapper& src = inst.operands[1];
3646
3647 /* Create symbolic operands */
3648 auto op = this->symbolicEngine->getOperandAst(inst, src);
3649
3650 /* Create the semantics */
3651 auto node = this->astCtxt->sx(dst.getBitSize() - 16, op);
3652
3653 /* Create symbolic expression */
3654 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDURSH operation");
3655
3656 /* Spread taint */
3657 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3658
3659 /* Update the symbolic control flow */
3660 this->controlFlow_s(inst);
3661 }
3662
3663
3664 void AArch64Semantics::ldursw_s(triton::arch::Instruction& inst) {
3665 triton::arch::OperandWrapper& dst = inst.operands[0];
3666 triton::arch::OperandWrapper& src = inst.operands[1];
3667
3668 /* Create symbolic operands */
3669 auto op = this->symbolicEngine->getOperandAst(inst, src);
3670
3671 /* Create the semantics */
3672 auto node = this->astCtxt->sx(dst.getBitSize() - 32, op);
3673
3674 /* Create symbolic expression */
3675 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDURSW operation");
3676
3677 /* Spread taint */
3678 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3679
3680 /* Update the symbolic control flow */
3681 this->controlFlow_s(inst);
3682 }
3683
3684
3685 void AArch64Semantics::ldxp_s(triton::arch::Instruction& inst) {
3686 triton::arch::OperandWrapper& dst1 = inst.operands[0];
3687 triton::arch::OperandWrapper& dst2 = inst.operands[1];
3688 triton::arch::OperandWrapper& src = inst.operands[2];
3689
3690 /* Special behavior: Define that the size of the memory access is dst1.size + dst2.size */
3691 src.getMemory().setBits((dst1.getBitSize() + dst2.getBitSize()) - 1, 0);
3692
3693 /* Create symbolic operands */
3694 auto op = this->symbolicEngine->getOperandAst(inst, src);
3695
3696 /* Create the semantics */
3697 auto node1 = this->astCtxt->extract((dst1.getBitSize() - 1), 0, op);
3698 auto node2 = this->astCtxt->extract((dst1.getBitSize() + dst2.getBitSize()) - 1, dst1.getBitSize(), op);
3699
3700 /* Create symbolic expression */
3701 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "LDXP operation - LOAD access");
3702 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "LDXP operation - LOAD access");
3703
3704 /* Spread taint */
3705 expr1->isTainted = this->taintEngine->taintAssignment(dst1, src);
3706 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
3707
3708 /* Update exclusive memory access tag */
3709 this->architecture->setMemoryExclusiveTag(src.getConstMemory(), true);
3710
3711 /* Update the symbolic control flow */
3712 this->controlFlow_s(inst);
3713 }
3714
3715
3716 void AArch64Semantics::ldxr_s(triton::arch::Instruction& inst) {
3717 triton::arch::OperandWrapper& dst = inst.operands[0];
3718 triton::arch::OperandWrapper& src = inst.operands[1];
3719
3720 /* Create the semantics of the LOAD */
3721 auto node = this->symbolicEngine->getOperandAst(inst, src);
3722
3723 /* Create symbolic expression */
3724 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDXR operation");
3725
3726 /* Spread taint */
3727 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3728
3729 /* Update exclusive memory access tag */
3730 this->architecture->setMemoryExclusiveTag(src.getConstMemory(), true);
3731
3732 /* Update the symbolic control flow */
3733 this->controlFlow_s(inst);
3734 }
3735
3736
3737 void AArch64Semantics::ldxrb_s(triton::arch::Instruction& inst) {
3738 triton::arch::OperandWrapper& dst = inst.operands[0];
3739 triton::arch::OperandWrapper& src = inst.operands[1];
3740
3741 /* Create symbolic operands */
3742 auto op = this->symbolicEngine->getOperandAst(inst, src);
3743
3744 /* Create the semantics */
3745 auto node = this->astCtxt->zx(dst.getBitSize() - 8, op);
3746
3747 /* Create symbolic expression */
3748 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDXRB operation");
3749
3750 /* Spread taint */
3751 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3752
3753 /* Update exclusive memory access tag */
3754 this->architecture->setMemoryExclusiveTag(src.getConstMemory(), true);
3755
3756 /* Update the symbolic control flow */
3757 this->controlFlow_s(inst);
3758 }
3759
3760
3761 void AArch64Semantics::ldxrh_s(triton::arch::Instruction& inst) {
3762 triton::arch::OperandWrapper& dst = inst.operands[0];
3763 triton::arch::OperandWrapper& src = inst.operands[1];
3764
3765 /* Create symbolic operands */
3766 auto op = this->symbolicEngine->getOperandAst(inst, src);
3767
3768 /* Create the semantics */
3769 auto node = this->astCtxt->zx(dst.getBitSize() - 16, op);
3770
3771 /* Create symbolic expression */
3772 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDXRH operation");
3773
3774 /* Spread taint */
3775 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3776
3777 /* Update exclusive memory access tag */
3778 this->architecture->setMemoryExclusiveTag(src.getConstMemory(), true);
3779
3780 /* Update the symbolic control flow */
3781 this->controlFlow_s(inst);
3782 }
3783
3784
3785 void AArch64Semantics::lsl_s(triton::arch::Instruction& inst) {
3786 auto& dst = inst.operands[0];
3787 auto& src1 = inst.operands[1];
3788 auto& src2 = inst.operands[2];
3789 auto size = src2.getBitSize();
3790
3791 /* Create symbolic operands */
3792 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
3793 auto op2 = this->astCtxt->bvand(
3794 this->symbolicEngine->getOperandAst(inst, src2),
3795 this->astCtxt->bv(size - 1, size)
3796 );
3797
3798 /* Create the semantics */
3799 auto node = this->astCtxt->bvshl(op1, op2);
3800
3801 /* Create symbolic expression */
3802 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LSL operation");
3803
3804 /* Spread taint */
3805 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
3806
3807 /* Update the symbolic control flow */
3808 this->controlFlow_s(inst);
3809 }
3810
3811
3812 void AArch64Semantics::lsr_s(triton::arch::Instruction& inst) {
3813 auto& dst = inst.operands[0];
3814 auto& src1 = inst.operands[1];
3815 auto& src2 = inst.operands[2];
3816 auto size = src2.getBitSize();
3817
3818 /* Create symbolic operands */
3819 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
3820 auto op2 = this->astCtxt->bvand(
3821 this->symbolicEngine->getOperandAst(inst, src2),
3822 this->astCtxt->bv(size - 1, size)
3823 );
3824
3825 /* Create the semantics */
3826 auto node = this->astCtxt->bvlshr(op1, op2);
3827
3828 /* Create symbolic expression */
3829 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LSR operation");
3830
3831 /* Spread taint */
3832 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
3833
3834 /* Update the symbolic control flow */
3835 this->controlFlow_s(inst);
3836 }
3837
3838
3839 void AArch64Semantics::madd_s(triton::arch::Instruction& inst) {
3840 auto& dst = inst.operands[0];
3841 auto& src1 = inst.operands[1];
3842 auto& src2 = inst.operands[2];
3843 auto& src3 = inst.operands[3];
3844
3845 /* Create symbolic operands */
3846 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
3847 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
3848 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
3849
3850 /* Create the semantics */
3851 auto node = this->astCtxt->bvadd(op3, this->astCtxt->bvmul(op1, op2));
3852
3853 /* Create symbolic expression */
3854 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MADD operation");
3855
3856 /* Spread taint */
3857 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(src3));
3858
3859 /* Update the symbolic control flow */
3860 this->controlFlow_s(inst);
3861 }
3862
3863
3864 void AArch64Semantics::mneg_s(triton::arch::Instruction& inst) {
3865 auto& dst = inst.operands[0];
3866 auto& src1 = inst.operands[1];
3867 auto& src2 = inst.operands[2];
3868
3869 /* Create symbolic operands */
3870 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
3871 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
3872
3873 /* Create the semantics */
3874 auto node = this->astCtxt->bvneg(this->astCtxt->bvmul(op1, op2));
3875
3876 /* Create symbolic expression */
3877 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MNEG operation");
3878
3879 /* Spread taint */
3880 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
3881
3882 /* Update the symbolic control flow */
3883 this->controlFlow_s(inst);
3884 }
3885
3886
3887 void AArch64Semantics::mov_s(triton::arch::Instruction& inst) {
3888 auto& dst = inst.operands[0];
3889 auto& src = inst.operands[1];
3890
3891 /* Create the semantics */
3892 auto node = this->symbolicEngine->getOperandAst(inst, src);
3893
3894 /* Create symbolic expression */
3895 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MOV operation");
3896
3897 /* Spread taint */
3898 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3899
3900 /* Update the symbolic control flow */
3901 this->controlFlow_s(inst);
3902 }
3903
3904
3905 void AArch64Semantics::movi_s(triton::arch::Instruction& inst) {
3906 std::list<triton::ast::SharedAbstractNode> vec;
3907
3908 triton::arch::OperandWrapper& dst = inst.operands[0]; /* vas register */
3909 triton::arch::OperandWrapper& src = inst.operands[1]; /* imm */
3910
3911 /* Create symbolic operands */
3912 auto imm = this->symbolicEngine->getOperandAst(inst, src);
3913 auto vas_e = dst.getConstRegister().getVASType();
3914
3915 switch (vas_e) {
3916 case triton::arch::arm::ID_VAS_16B: {
3917 for (triton::uint32 i = 0; i != 16; i++) {
3918 vec.push_front(this->astCtxt->extract(7, 0, imm));
3919 }
3920 break;
3921 }
3922
3923 case triton::arch::arm::ID_VAS_8B: {
3924 for (triton::uint32 i = 0; i != 8; i++) {
3925 vec.push_front(this->astCtxt->extract(7, 0, imm));
3926 }
3927 break;
3928 }
3929
3930 case triton::arch::arm::ID_VAS_8H: {
3931 for (triton::uint32 i = 0; i != 16; i += 2) {
3932 vec.push_front(this->astCtxt->extract(15, 0, imm));
3933 }
3934 break;
3935 }
3936
3937 case triton::arch::arm::ID_VAS_4H: {
3938 for (triton::uint32 i = 0; i != 8; i += 2) {
3939 vec.push_front(this->astCtxt->extract(15, 0, imm));
3940 }
3941 break;
3942 }
3943
3944 case triton::arch::arm::ID_VAS_4S: {
3945 for (triton::uint32 i = 0; i != 16; i += 4) {
3946 vec.push_front(this->astCtxt->extract(31, 0, imm));
3947 }
3948 break;
3949 }
3950
3951 case triton::arch::arm::ID_VAS_2S: {
3952 for (triton::uint32 i = 0; i != 8; i += 4) {
3953 vec.push_front(this->astCtxt->extract(31, 0, imm));
3954 }
3955 break;
3956 }
3957
3958 case triton::arch::arm::ID_VAS_2D: {
3959 for (triton::uint32 i = 0; i != 16; i += 8) {
3960 vec.push_front(this->astCtxt->extract(63, 0, imm));
3961 }
3962 break;
3963 }
3964
3965 case triton::arch::arm::ID_VAS_1D: {
3966 for (triton::uint32 i = 0; i != 8; i += 8) {
3967 vec.push_front(this->astCtxt->extract(63, 0, imm));
3968 }
3969 break;
3970 }
3971
3972 default:
3973 throw triton::exceptions::Semantics("AArch64Semantics::movi_s(): Invalid VAS encoding.");
3974 }
3975
3976 /* Create the semantics */
3977 auto node = this->astCtxt->concat(vec);
3978
3979 /* Create symbolic expression */
3980 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MOVI operation");
3981
3982 /* Spread taint */
3983 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3984
3985 /* Update the symbolic control flow */
3986 this->controlFlow_s(inst);
3987 }
3988
3989
3990 void AArch64Semantics::movk_s(triton::arch::Instruction& inst) {
3991 auto& dst = inst.operands[0];
3992 auto& src = inst.operands[1];
3993 auto pos = src.getImmediate().getShiftImmediate(); // 0 by default.
3994
3995 /* Create symbolic operands */
3996 auto op1 = this->symbolicEngine->getOperandAst(inst, dst);
3997 auto op2 = this->symbolicEngine->getOperandAst(inst, src);
3998
3999 /* Create the semantics */
4000 std::vector<triton::ast::SharedAbstractNode> bits;
4001 bits.reserve(10);
4002
4003 switch (pos) {
4004 case 0:
4005 // [------------------------------------------------xxxxxxxxxxxxxxxx]
4006 bits.push_back(this->astCtxt->extract(dst.getHigh(), 16, op1));
4007 bits.push_back(this->astCtxt->extract(15, 0, op2));
4008 break;
4009
4010 case 16:
4011 // [--------------------------------xxxxxxxxxxxxxxxx----------------]
4012 if (dst.getBitSize() == 64) {
4013 /*
4014 * The case where the instruction is: MOVK <Xd>, #<imm>{, LSL #<shift>}.
4015 * Otherwise if the instruction is: MOVK <Wd>, #<imm>{, LSL #<shift>}, just
4016 * skip this extract.
4017 */
4018 bits.push_back(this->astCtxt->extract(dst.getHigh(), 32, op1));
4019 }
4020 bits.push_back(this->astCtxt->extract(31, 16, op2));
4021 bits.push_back(this->astCtxt->extract(15, 0, op1));
4022 break;
4023
4024 case 32:
4025 // [----------------xxxxxxxxxxxxxxxx--------------------------------]
4026 bits.push_back(this->astCtxt->extract(dst.getHigh(), 48, op1));
4027 bits.push_back(this->astCtxt->extract(47, 32, op2));
4028 bits.push_back(this->astCtxt->extract(31, 0, op1));
4029 break;
4030
4031 case 48:
4032 // [xxxxxxxxxxxxxxxx------------------------------------------------]
4033 bits.push_back(this->astCtxt->extract(63, 48, op2));
4034 bits.push_back(this->astCtxt->extract(47, 0, op1));
4035 break;
4036
4037 default:
4038 throw triton::exceptions::Semantics("AArch64Semantics::movk_s(): Invalid pos (hw field) encoding.");
4039 }
4040
4041 auto node = this->astCtxt->concat(bits);
4042
4043 /* Create symbolic expression */
4044 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MOVK operation");
4045
4046 /* Spread taint */
4047 expr->isTainted = this->taintEngine->taintUnion(dst, src);
4048
4049 /* Update the symbolic control flow */
4050 this->controlFlow_s(inst);
4051 }
4052
4053
4054 void AArch64Semantics::movn_s(triton::arch::Instruction& inst) {
4055 auto& dst = inst.operands[0];
4056 auto& src = inst.operands[1];
4057
4058 /* Create symbolic operands */
4059 auto op = this->symbolicEngine->getOperandAst(inst, src);
4060
4061 /* Create the semantics */
4062 auto node = this->astCtxt->bvnot(op);
4063
4064 /* Create symbolic expression */
4065 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MOVN operation");
4066
4067 /* Spread taint */
4068 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4069
4070 /* Update the symbolic control flow */
4071 this->controlFlow_s(inst);
4072 }
4073
4074
4075 void AArch64Semantics::movz_s(triton::arch::Instruction& inst) {
4076 auto& dst = inst.operands[0];
4077 auto& src = inst.operands[1];
4078
4079 /* Create the semantics */
4080 auto node = this->symbolicEngine->getOperandAst(inst, src);
4081
4082 /* Create symbolic expression */
4083 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MOVZ operation");
4084
4085 /* Spread taint */
4086 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4087
4088 /* Update the symbolic control flow */
4089 this->controlFlow_s(inst);
4090 }
4091
4092
4093 void AArch64Semantics::mrs_s(triton::arch::Instruction& inst) {
4094 auto& dst = inst.operands[0];
4095 auto& src = inst.operands[1];
4096
4097 /* Create the semantics */
4098 auto node = this->symbolicEngine->getOperandAst(inst, src);
4099
4100 /* Create symbolic expression */
4101 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MRS operation");
4102
4103 /* Spread taint */
4104 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4105
4106 /* Update the symbolic control flow */
4107 this->controlFlow_s(inst);
4108 }
4109
4110
4111 void AArch64Semantics::msr_s(triton::arch::Instruction& inst) {
4112 auto& dst = inst.operands[0];
4113 auto& src = inst.operands[1];
4114
4115 /* Create the semantics */
4116 auto node = this->symbolicEngine->getOperandAst(inst, src);
4117
4118 /* Create symbolic expression */
4119 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MSR operation");
4120
4121 /* Spread taint */
4122 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4123
4124 /* Update the symbolic control flow */
4125 this->controlFlow_s(inst);
4126 }
4127
4128
4129 void AArch64Semantics::msub_s(triton::arch::Instruction& inst) {
4130 auto& dst = inst.operands[0];
4131 auto& src1 = inst.operands[1];
4132 auto& src2 = inst.operands[2];
4133 auto& src3 = inst.operands[3];
4134
4135 /* Create symbolic operands */
4136 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4137 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4138 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
4139
4140 /* Create the semantics */
4141 auto node = this->astCtxt->bvsub(op3, this->astCtxt->bvmul(op1, op2));
4142
4143 /* Create symbolic expression */
4144 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MSUB operation");
4145
4146 /* Spread taint */
4147 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(src3));
4148
4149 /* Update the symbolic control flow */
4150 this->controlFlow_s(inst);
4151 }
4152
4153
4154 void AArch64Semantics::mul_s(triton::arch::Instruction& inst) {
4155 auto& dst = inst.operands[0];
4156 auto& src1 = inst.operands[1];
4157 auto& src2 = inst.operands[2];
4158
4159 /* Create symbolic operands */
4160 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4161 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4162
4163 /* Create the semantics */
4164 auto node = this->astCtxt->bvmul(op1, op2);
4165
4166 /* Create symbolic expression */
4167 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MUL operation");
4168
4169 /* Spread taint */
4170 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4171
4172 /* Update the symbolic control flow */
4173 this->controlFlow_s(inst);
4174 }
4175
4176
4177 void AArch64Semantics::mvn_s(triton::arch::Instruction& inst) {
4178 auto& dst = inst.operands[0];
4179 auto& src = inst.operands[1];
4180
4181 /* Create symbolic operands */
4182 auto op = this->symbolicEngine->getOperandAst(inst, src);
4183
4184 /* Create the semantics */
4185 auto node = this->astCtxt->bvnot(op);
4186
4187 /* Create symbolic expression */
4188 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MVN operation");
4189
4190 /* Spread taint */
4191 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4192
4193 /* Update the symbolic control flow */
4194 this->controlFlow_s(inst);
4195 }
4196
4197
4198 void AArch64Semantics::neg_s(triton::arch::Instruction& inst) {
4199 auto& dst = inst.operands[0];
4200 auto& src = inst.operands[1];
4201
4202 /* Create symbolic operands */
4203 auto op = this->symbolicEngine->getOperandAst(inst, src);
4204
4205 /* Create the semantics */
4206 auto node = this->astCtxt->bvneg(op);
4207
4208 /* Create symbolic expression */
4209 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MEG operation");
4210
4211 /* Spread taint */
4212 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4213
4214 /* Update the symbolic control flow */
4215 this->controlFlow_s(inst);
4216 }
4217
4218
4219 void AArch64Semantics::nop_s(triton::arch::Instruction& inst) {
4220 /* Update the symbolic control flow */
4221 this->controlFlow_s(inst);
4222 }
4223
4224
4225 void AArch64Semantics::orn_s(triton::arch::Instruction& inst) {
4226 auto& dst = inst.operands[0];
4227 auto& src1 = inst.operands[1];
4228 auto& src2 = inst.operands[2];
4229
4230 /* Create symbolic operands */
4231 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4232 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4233
4234 /* Create the semantics */
4235 auto node = this->astCtxt->bvor(op1, this->astCtxt->bvnot(op2));
4236
4237 /* Create symbolic expression */
4238 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ORN operation");
4239
4240 /* Spread taint */
4241 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4242
4243 /* Update the symbolic control flow */
4244 this->controlFlow_s(inst);
4245 }
4246
4247
4248 void AArch64Semantics::orr_s(triton::arch::Instruction& inst) {
4249 auto& dst = inst.operands[0];
4250 auto& src1 = inst.operands[1];
4251 auto& src2 = inst.operands[2];
4252
4253 /* Create symbolic operands */
4254 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4255 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4256
4257 /* Create the semantics */
4258 auto node = this->astCtxt->bvor(op1, op2);
4259
4260 /* Special case for vector registers */
4261 if (dst.getConstRegister().getVASSize() == triton::size::qword) {
4262 node = this->astCtxt->extract(63, 0, node);
4263 }
4264
4265 /* Create symbolic expression */
4266 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ORR operation");
4267
4268 /* Spread taint */
4269 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4270
4271 /* Update the symbolic control flow */
4272 this->controlFlow_s(inst);
4273 }
4274
4275
4276 void AArch64Semantics::rbit_s(triton::arch::Instruction& inst) {
4277 auto& dst = inst.operands[0];
4278 auto& src = inst.operands[1];
4279
4280 /* Create symbolic operands */
4281 auto op = this->symbolicEngine->getOperandAst(inst, src);
4282
4283 /* Create the semantics */
4284 std::vector<triton::ast::SharedAbstractNode> bits;
4285 bits.reserve(src.getBitSize());
4286
4287 for (triton::uint32 index = 0; index < src.getBitSize(); index++) {
4288 bits.push_back(this->astCtxt->extract(index, index, op));
4289 }
4290
4291 auto node = this->astCtxt->concat(bits);
4292
4293 /* Create symbolic expression */
4294 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "RBIT operation");
4295
4296 /* Spread taint */
4297 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4298
4299 /* Update the symbolic control flow */
4300 this->controlFlow_s(inst);
4301 }
4302
4303
4304 void AArch64Semantics::ret_s(triton::arch::Instruction& inst) {
4305 auto dst = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
4306 auto src = ((inst.operands.size() == 1) ? inst.operands[0] : triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_X30)));
4307
4308 /* Create the semantics */
4309 auto node = this->symbolicEngine->getOperandAst(inst, src);
4310
4311 /* Create symbolic expression */
4312 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "RET operation - Program Counter");
4313
4314 /* Spread taint */
4315 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4316 }
4317
4318
4319 void AArch64Semantics::rev_s(triton::arch::Instruction& inst) {
4320 auto& dst = inst.operands[0];
4321 auto& src = inst.operands[1];
4322
4323 /* Create symbolic operands */
4324 auto op = this->symbolicEngine->getOperandAst(inst, src);
4325
4326 /* Create the semantics */
4327 std::list<triton::ast::SharedAbstractNode> bits;
4328
4329 switch(src.getSize()) {
4330 case triton::size::qword:
4331 bits.push_front(this->astCtxt->extract(63, 56, op));
4332 bits.push_front(this->astCtxt->extract(55, 48, op));
4333 bits.push_front(this->astCtxt->extract(47, 40, op));
4334 bits.push_front(this->astCtxt->extract(39, 32, op));
4335 case triton::size::dword:
4336 bits.push_front(this->astCtxt->extract(31, 24, op));
4337 bits.push_front(this->astCtxt->extract(23, 16, op));
4338 bits.push_front(this->astCtxt->extract(15, 8, op));
4339 bits.push_front(this->astCtxt->extract(7, 0, op));
4340 break;
4341
4342 default:
4343 throw triton::exceptions::Semantics("AArch64Semantics::rev_s(): Invalid operand size.");
4344 }
4345
4346 auto node = this->astCtxt->concat(bits);
4347
4348 /* Create symbolic expression */
4349 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "REV operation");
4350
4351 /* Spread taint */
4352 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4353
4354 /* Update the symbolic control flow */
4355 this->controlFlow_s(inst);
4356 }
4357
4358
4359 void AArch64Semantics::rev16_s(triton::arch::Instruction& inst) {
4360 auto& dst = inst.operands[0];
4361 auto& src = inst.operands[1];
4362
4363 /* Create symbolic operands */
4364 auto op = this->symbolicEngine->getOperandAst(inst, src);
4365
4366 /* Create the semantics */
4367 std::vector<triton::ast::SharedAbstractNode> bits;
4368 bits.reserve(8);
4369
4370 switch(src.getSize()) {
4371 case triton::size::qword:
4372 bits.push_back(this->astCtxt->extract(55, 48, op));
4373 bits.push_back(this->astCtxt->extract(63, 56, op));
4374 bits.push_back(this->astCtxt->extract(39, 32, op));
4375 bits.push_back(this->astCtxt->extract(47, 40, op));
4376 case triton::size::dword:
4377 bits.push_back(this->astCtxt->extract(23, 16, op));
4378 bits.push_back(this->astCtxt->extract(31, 24, op));
4379 bits.push_back(this->astCtxt->extract(7, 0, op));
4380 bits.push_back(this->astCtxt->extract(15, 8, op));
4381 break;
4382
4383 default:
4384 throw triton::exceptions::Semantics("AArch64Semantics::rev16_s(): Invalid operand size.");
4385 }
4386
4387 auto node = this->astCtxt->concat(bits);
4388
4389 /* Create symbolic expression */
4390 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "REV16 operation");
4391
4392 /* Spread taint */
4393 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4394
4395 /* Update the symbolic control flow */
4396 this->controlFlow_s(inst);
4397 }
4398
4399
4400 void AArch64Semantics::rev32_s(triton::arch::Instruction& inst) {
4401 auto& dst = inst.operands[0];
4402 auto& src = inst.operands[1];
4403
4404 /* Create symbolic operands */
4405 auto op = this->symbolicEngine->getOperandAst(inst, src);
4406
4407 /* Create the semantics */
4408 std::vector<triton::ast::SharedAbstractNode> bits;
4409 bits.reserve(8);
4410
4411 bits.push_back(this->astCtxt->extract(39, 32, op));
4412 bits.push_back(this->astCtxt->extract(47, 40, op));
4413 bits.push_back(this->astCtxt->extract(55, 48, op));
4414 bits.push_back(this->astCtxt->extract(63, 56, op));
4415 bits.push_back(this->astCtxt->extract(7, 0, op));
4416 bits.push_back(this->astCtxt->extract(15, 8, op));
4417 bits.push_back(this->astCtxt->extract(23, 16, op));
4418 bits.push_back(this->astCtxt->extract(31, 24, op));
4419
4420 auto node = this->astCtxt->concat(bits);
4421
4422 /* Create symbolic expression */
4423 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "REV32 operation");
4424
4425 /* Spread taint */
4426 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4427
4428 /* Update the symbolic control flow */
4429 this->controlFlow_s(inst);
4430 }
4431
4432
4433 void AArch64Semantics::ror_s(triton::arch::Instruction& inst) {
4434 auto& dst = inst.operands[0];
4435 auto& src1 = inst.operands[1];
4436 auto& src2 = inst.operands[2];
4437
4438 /* Create symbolic operands */
4439 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4440 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4441
4442 /* Create the semantics */
4443 auto node = this->astCtxt->bvror(op1, op2);
4444
4445 /* Create symbolic expression */
4446 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ROR operation");
4447
4448 /* Spread taint */
4449 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4450
4451 /* Update the symbolic control flow */
4452 this->controlFlow_s(inst);
4453 }
4454
4455
4456 void AArch64Semantics::sbc_s(triton::arch::Instruction& inst) {
4457 auto& dst = inst.operands[0];
4458 auto& src1 = inst.operands[1];
4459 auto& src2 = inst.operands[2];
4460 auto cf = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C));
4461
4462 /* Create symbolic operands */
4463 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4464 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4465 auto op3 = this->symbolicEngine->getOperandAst(inst, cf);
4466
4467 /* Create the semantics */
4468 auto node = this->astCtxt->bvadd(this->astCtxt->bvadd(op1, this->astCtxt->bvnot(op2)), this->astCtxt->zx(dst.getBitSize()-1, op3));
4469
4470 /* Create symbolic expression */
4471 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SBC(S) operation");
4472
4473 /* Spread taint */
4474 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(cf));
4475
4476 /* Update symbolic flags */
4477 if (inst.isUpdateFlag() == true) {
4478 this->cfSub_s(inst, expr, src1, op1, op2);
4479 this->nf_s(inst, expr, src1);
4480 this->vfSub_s(inst, expr, src1, op1, op2);
4481 this->zf_s(inst, expr, src1);
4482 }
4483
4484 /* Update the symbolic control flow */
4485 this->controlFlow_s(inst);
4486 }
4487
4488
4489 void AArch64Semantics::sbfx_s(triton::arch::Instruction& inst) {
4490 auto& dst = inst.operands[0];
4491 auto& src1 = inst.operands[1];
4492 auto& src2 = inst.operands[2];
4493 auto& src3 = inst.operands[3];
4494 auto lsb = static_cast<uint32>(src2.getImmediate().getValue());
4495 auto width = static_cast<uint32>(src3.getImmediate().getValue());
4496
4497 if (lsb + width > dst.getBitSize())
4498 throw triton::exceptions::Semantics("AArch64Semantics::sbfx_s(): Invalid lsb and width.");
4499
4500 /* Create symbolic operands */
4501 auto op = this->symbolicEngine->getOperandAst(inst, src1);
4502
4503 /* Create the semantics */
4504 auto node = this->astCtxt->sx(dst.getBitSize() - width, this->astCtxt->extract(lsb+width-1, lsb, op));
4505
4506 /* Create symbolic expression */
4507 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SBFX operation");
4508
4509 /* Spread taint */
4510 expr->isTainted = this->taintEngine->taintAssignment(dst, src1);
4511
4512 /* Update the symbolic control flow */
4513 this->controlFlow_s(inst);
4514 }
4515
4516
4517 void AArch64Semantics::sdiv_s(triton::arch::Instruction& inst) {
4518 auto& dst = inst.operands[0];
4519 auto& src1 = inst.operands[1];
4520 auto& src2 = inst.operands[2];
4521
4522 /* Create symbolic operands */
4523 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4524 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4525
4526 /* Create the semantics */
4527 auto node = this->astCtxt->ite(
4528 this->astCtxt->equal(op2, this->astCtxt->bv(0, op2->getBitvectorSize())),
4529 this->astCtxt->bv(0, dst.getBitSize()),
4530 this->astCtxt->bvsdiv(op1, op2)
4531 );
4532
4533 /* Create symbolic expression */
4534 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SDIV operation");
4535
4536 /* Spread taint */
4537 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4538
4539 /* Update the symbolic control flow */
4540 this->controlFlow_s(inst);
4541 }
4542
4543
4544 void AArch64Semantics::smaddl_s(triton::arch::Instruction& inst) {
4545 auto& dst = inst.operands[0];
4546 auto& src1 = inst.operands[1];
4547 auto& src2 = inst.operands[2];
4548 auto& src3 = inst.operands[3];
4549
4550 /* Create symbolic operands */
4551 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4552 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4553 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
4554
4555 /* Create the semantics */
4556 auto node = this->astCtxt->bvadd(
4557 op3,
4558 this->astCtxt->bvmul(
4559 this->astCtxt->sx(triton::bitsize::dword, op1),
4560 this->astCtxt->sx(triton::bitsize::dword, op2)
4561 )
4562 );
4563
4564 /* Create symbolic expression */
4565 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SMADDL operation");
4566
4567 /* Spread taint */
4568 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(src3));
4569
4570 /* Update the symbolic control flow */
4571 this->controlFlow_s(inst);
4572 }
4573
4574
4575 void AArch64Semantics::smsubl_s(triton::arch::Instruction& inst) {
4576 auto& dst = inst.operands[0];
4577 auto& src1 = inst.operands[1];
4578 auto& src2 = inst.operands[2];
4579 auto& src3 = inst.operands[3];
4580
4581 /* Create symbolic operands */
4582 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4583 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4584 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
4585
4586 /* Create the semantics */
4587 auto node = this->astCtxt->bvsub(
4588 op3,
4589 this->astCtxt->bvmul(
4590 this->astCtxt->sx(triton::bitsize::dword, op1),
4591 this->astCtxt->sx(triton::bitsize::dword, op2)
4592 )
4593 );
4594
4595 /* Create symbolic expression */
4596 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SMSUBL operation");
4597
4598 /* Spread taint */
4599 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(src3));
4600
4601 /* Update the symbolic control flow */
4602 this->controlFlow_s(inst);
4603 }
4604
4605
4606 void AArch64Semantics::smulh_s(triton::arch::Instruction& inst) {
4607 auto& dst = inst.operands[0];
4608 auto& src1 = inst.operands[1];
4609 auto& src2 = inst.operands[2];
4610
4611 /* Create symbolic operands */
4612 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4613 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4614
4615 /* Create the semantics */
4616 auto node = this->astCtxt->extract(
4617 triton::bitsize::dqword-1,
4618 triton::bitsize::qword,
4619 this->astCtxt->bvmul(
4620 this->astCtxt->sx(triton::bitsize::qword, op1),
4621 this->astCtxt->sx(triton::bitsize::qword, op2)
4622 )
4623 );
4624
4625 /* Create symbolic expression */
4626 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SMULH operation");
4627
4628 /* Spread taint */
4629 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4630
4631 /* Update the symbolic control flow */
4632 this->controlFlow_s(inst);
4633 }
4634
4635
4636 void AArch64Semantics::smull_s(triton::arch::Instruction& inst) {
4637 auto& dst = inst.operands[0];
4638 auto& src1 = inst.operands[1];
4639 auto& src2 = inst.operands[2];
4640
4641 /* Create symbolic operands */
4642 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4643 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4644
4645 /* Create the semantics */
4646 auto node = this->astCtxt->bvmul(
4647 this->astCtxt->sx(triton::bitsize::dword, op1),
4648 this->astCtxt->sx(triton::bitsize::dword, op2)
4649 );
4650
4651 /* Create symbolic expression */
4652 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SMULL operation");
4653
4654 /* Spread taint */
4655 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4656
4657 /* Update the symbolic control flow */
4658 this->controlFlow_s(inst);
4659 }
4660
4661
4662 void AArch64Semantics::stlr_s(triton::arch::Instruction& inst) {
4663 triton::arch::OperandWrapper& src = inst.operands[0];
4664 triton::arch::OperandWrapper& dst = inst.operands[1];
4665
4666 /* Create the semantics of the STORE */
4667 auto node = this->symbolicEngine->getOperandAst(inst, src);
4668
4669 /* Create symbolic expression */
4670 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STLR operation - STORE access");
4671
4672 /* Spread taint */
4673 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4674
4675 /* Update the symbolic control flow */
4676 this->controlFlow_s(inst);
4677 }
4678
4679
4680 void AArch64Semantics::stlrb_s(triton::arch::Instruction& inst) {
4681 triton::arch::OperandWrapper& src = inst.operands[0];
4682 triton::arch::OperandWrapper& dst = inst.operands[1];
4683
4684 /* Create symbolic operands */
4685 auto op = this->symbolicEngine->getOperandAst(inst, src);
4686
4687 /* Create the semantics */
4688 auto node = this->astCtxt->extract(7, 0, op);
4689
4690 /* Create symbolic expression */
4691 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STLRB operation - STORE access");
4692
4693 /* Spread taint */
4694 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4695
4696 /* Update the symbolic control flow */
4697 this->controlFlow_s(inst);
4698 }
4699
4700
4701 void AArch64Semantics::stlrh_s(triton::arch::Instruction& inst) {
4702 triton::arch::OperandWrapper& src = inst.operands[0];
4703 triton::arch::OperandWrapper& dst = inst.operands[1];
4704
4705 /* Create symbolic operands */
4706 auto op = this->symbolicEngine->getOperandAst(inst, src);
4707
4708 /* Create the semantics */
4709 auto node = this->astCtxt->extract(15, 0, op);
4710
4711 /* Create symbolic expression */
4712 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STLRH operation - STORE access");
4713
4714 /* Spread taint */
4715 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4716
4717 /* Update the symbolic control flow */
4718 this->controlFlow_s(inst);
4719 }
4720
4721
4722 void AArch64Semantics::stlxr_s(triton::arch::Instruction& inst) {
4723 triton::arch::OperandWrapper& dst1 = inst.operands[0]; /* status */
4724 triton::arch::OperandWrapper& src = inst.operands[1];
4725 triton::arch::OperandWrapper& dst2 = inst.operands[2];
4726
4727 /* Is memory exclusive */
4728 bool exclusive = this->architecture->isMemoryExclusive(dst2.getConstMemory());
4729
4730 /* Create the semantics */
4731 auto node1 = this->astCtxt->bv(exclusive ? 0 : 1, dst1.getBitSize());
4732 auto node2 = this->symbolicEngine->getOperandAst(inst, src);
4733
4734 /* Create symbolic expression */
4735 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "STLXR operation - write status");
4736
4737 /* Spread taint */
4738 expr1->isTainted = this->taintEngine->setTaint(dst1, false);
4739
4740 /* Exclusive operation */
4741 if (exclusive) {
4742 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "STLXR operation - STORE access");
4743 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
4744 }
4745
4746 /* Update exclusive memory access tag */
4747 this->architecture->setMemoryExclusiveTag(dst2.getConstMemory(), false);
4748
4749 /* Update the symbolic control flow */
4750 this->controlFlow_s(inst);
4751 }
4752
4753
4754 void AArch64Semantics::stlxrb_s(triton::arch::Instruction& inst) {
4755 triton::arch::OperandWrapper& dst1 = inst.operands[0]; /* status */
4756 triton::arch::OperandWrapper& src = inst.operands[1];
4757 triton::arch::OperandWrapper& dst2 = inst.operands[2];
4758
4759 /* Is memory exclusive */
4760 bool exclusive = this->architecture->isMemoryExclusive(dst2.getConstMemory());
4761
4762 /* Create symbolic operands */
4763 auto op = this->symbolicEngine->getOperandAst(inst, src);
4764
4765 /* Create the semantics */
4766 auto node1 = this->astCtxt->bv(exclusive ? 0 : 1, dst1.getBitSize());
4767 auto node2 = this->astCtxt->extract(7, 0, op);
4768
4769 /* Create symbolic expression */
4770 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "STLXRB operation - write status");
4771
4772 /* Spread taint */
4773 expr1->isTainted = this->taintEngine->setTaint(dst1, false);
4774
4775 /* Exclusive operation */
4776 if (exclusive) {
4777 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "STLXRB operation - STORE access");
4778 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
4779 }
4780
4781 /* Update exclusive memory access tag */
4782 this->architecture->setMemoryExclusiveTag(dst2.getConstMemory(), false);
4783
4784 /* Update the symbolic control flow */
4785 this->controlFlow_s(inst);
4786 }
4787
4788
4789 void AArch64Semantics::stlxrh_s(triton::arch::Instruction& inst) {
4790 triton::arch::OperandWrapper& dst1 = inst.operands[0]; /* status */
4791 triton::arch::OperandWrapper& src = inst.operands[1];
4792 triton::arch::OperandWrapper& dst2 = inst.operands[2];
4793
4794 /* Is memory exclusive */
4795 bool exclusive = this->architecture->isMemoryExclusive(dst2.getConstMemory());
4796
4797 /* Create symbolic operands */
4798 auto op = this->symbolicEngine->getOperandAst(inst, src);
4799
4800 /* Create the semantics */
4801 auto node1 = this->astCtxt->bv(exclusive ? 0 : 1, dst1.getBitSize());
4802 auto node2 = this->astCtxt->extract(15, 0, op);
4803
4804 /* Create symbolic expression */
4805 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "STLXRH operation - write status");
4806
4807 /* Spread taint */
4808 expr1->isTainted = this->taintEngine->setTaint(dst1, false);
4809
4810 /* Exclusive operation */
4811 if (exclusive) {
4812 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "STLXRH operation - STORE access");
4813 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
4814 }
4815
4816 /* Update exclusive memory access tag */
4817 this->architecture->setMemoryExclusiveTag(dst2.getConstMemory(), false);
4818
4819 /* Update the symbolic control flow */
4820 this->controlFlow_s(inst);
4821 }
4822
4823
4824 void AArch64Semantics::stnp_s(triton::arch::Instruction& inst) {
4825 triton::arch::OperandWrapper& src1 = inst.operands[0];
4826 triton::arch::OperandWrapper& src2 = inst.operands[1];
4827 triton::arch::OperandWrapper& dst = inst.operands[2];
4828
4829 /* Create symbolic operands */
4830 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4831 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4832
4833 /* Create the semantics */
4834 auto node = this->astCtxt->concat(op2, op1);
4835
4836 /* Special behavior: Define that the size of the memory access is src1.size + src2.size */
4837 dst.getMemory().setBits(node->getBitvectorSize()-1, 0);
4838
4839 /* Create symbolic expression */
4840 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STNP operation - STORE access");
4841
4842 /* Spread taint */
4843 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4844
4845 /* Update the symbolic control flow */
4846 this->controlFlow_s(inst);
4847 }
4848
4849
4850 void AArch64Semantics::stp_s(triton::arch::Instruction& inst) {
4851 triton::arch::OperandWrapper& src1 = inst.operands[0];
4852 triton::arch::OperandWrapper& src2 = inst.operands[1];
4853 triton::arch::OperandWrapper& dst = inst.operands[2];
4854
4855 /* Create symbolic operands */
4856 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4857 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4858
4859 /* Create the semantics */
4860 auto node = this->astCtxt->concat(op2, op1);
4861
4862 /* Special behavior: Define that the size of the memory access is src1.size + src2.size */
4863 dst.getMemory().setBits(node->getBitvectorSize()-1, 0);
4864
4865 /* Create symbolic expression */
4866 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STP operation - STORE access");
4867
4868 /* Spread taint */
4869 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4870
4871 /* Optional behavior. Post computation of the base register */
4872 /* STP <Xt1>, <Xt2>, [<Xn|SP>], #<imm> */
4873 if (inst.operands.size() == 4) {
4874 triton::arch::Immediate& imm = inst.operands[3].getImmediate();
4875 triton::arch::Register& base = dst.getMemory().getBaseRegister();
4876
4877 /* Create symbolic operands of the post computation */
4878 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
4879 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
4880
4881 /* Create the semantics of the base register */
4882 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
4883
4884 /* Create symbolic expression */
4885 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "STP operation - Base register computation");
4886
4887 /* Spread taint */
4888 expr2->isTainted = this->taintEngine->isTainted(base);
4889 }
4890
4891 /* STP <Xt1>, <Xt2>, [<Xn|SP>, #<imm>]! */
4892 else if (inst.operands.size() == 3 && inst.isWriteBack() == true) {
4893 triton::arch::Register& base = dst.getMemory().getBaseRegister();
4894
4895 /* Create the semantics of the base register */
4896 auto node3 = dst.getMemory().getLeaAst();
4897
4898 /* Create symbolic expression */
4899 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "STP operation - Base register computation");
4900
4901 /* Spread taint */
4902 expr3->isTainted = this->taintEngine->isTainted(base);
4903 }
4904
4905 /* Update the symbolic control flow */
4906 this->controlFlow_s(inst);
4907 }
4908
4909
4910 void AArch64Semantics::str_s(triton::arch::Instruction& inst) {
4911 triton::arch::OperandWrapper& src = inst.operands[0];
4912 triton::arch::OperandWrapper& dst = inst.operands[1];
4913
4914 /* Create the semantics of the STORE */
4915 auto node1 = this->symbolicEngine->getOperandAst(inst, src);
4916
4917 /* Create symbolic expression */
4918 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "STR operation - STORE access");
4919
4920 /* Spread taint */
4921 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
4922
4923 /* Optional behavior. Post computation of the base register */
4924 /* STR <Xt>, [<Xn|SP>], #<simm> */
4925 if (inst.operands.size() == 3) {
4926 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
4927 triton::arch::Register& base = dst.getMemory().getBaseRegister();
4928
4929 /* Create symbolic operands of the post computation */
4930 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
4931 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
4932
4933 /* Create the semantics of the base register */
4934 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
4935
4936 /* Create symbolic expression */
4937 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "STR operation - Base register computation");
4938
4939 /* Spread taint */
4940 expr2->isTainted = this->taintEngine->isTainted(base);
4941 }
4942
4943 /* STR <Xt>, [<Xn|SP>, #<simm>]! */
4944 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
4945 triton::arch::Register& base = dst.getMemory().getBaseRegister();
4946
4947 /* Create the semantics of the base register */
4948 auto node3 = dst.getMemory().getLeaAst();
4949
4950 /* Create symbolic expression */
4951 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "STR operation - Base register computation");
4952
4953 /* Spread taint */
4954 expr3->isTainted = this->taintEngine->isTainted(base);
4955 }
4956
4957 /* Update the symbolic control flow */
4958 this->controlFlow_s(inst);
4959 }
4960
4961
4962 void AArch64Semantics::strb_s(triton::arch::Instruction& inst) {
4963 triton::arch::OperandWrapper& src = inst.operands[0];
4964 triton::arch::OperandWrapper& dst = inst.operands[1];
4965
4966 /* Create symbolic operands */
4967 auto op = this->symbolicEngine->getOperandAst(inst, src);
4968
4969 /* Create the semantics */
4970 auto node1 = this->astCtxt->extract(7, 0, op);
4971
4972 /* Create symbolic expression */
4973 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "STRB operation - STORE access");
4974
4975 /* Spread taint */
4976 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
4977
4978 /* Optional behavior. Post computation of the base register */
4979 /* STRB <Wt>, [<Xn|SP>], #<simm> */
4980 if (inst.operands.size() == 3) {
4981 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
4982 triton::arch::Register& base = dst.getMemory().getBaseRegister();
4983
4984 /* Create symbolic operands of the post computation */
4985 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
4986 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
4987
4988 /* Create the semantics of the base register */
4989 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
4990
4991 /* Create symbolic expression */
4992 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "STRB operation - Base register computation");
4993
4994 /* Spread taint */
4995 expr2->isTainted = this->taintEngine->isTainted(base);
4996 }
4997
4998 /* STRB <Wt>, [<Xn|SP>, #<simm>]! */
4999 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
5000 triton::arch::Register& base = dst.getMemory().getBaseRegister();
5001
5002 /* Create the semantics of the base register */
5003 auto node3 = dst.getMemory().getLeaAst();
5004
5005 /* Create symbolic expression */
5006 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "STRB operation - Base register computation");
5007
5008 /* Spread taint */
5009 expr3->isTainted = this->taintEngine->isTainted(base);
5010 }
5011
5012 /* Update the symbolic control flow */
5013 this->controlFlow_s(inst);
5014 }
5015
5016
5017 void AArch64Semantics::strh_s(triton::arch::Instruction& inst) {
5018 triton::arch::OperandWrapper& src = inst.operands[0];
5019 triton::arch::OperandWrapper& dst = inst.operands[1];
5020
5021 /* Create symbolic operands */
5022 auto op = this->symbolicEngine->getOperandAst(inst, src);
5023
5024 /* Create the semantics */
5025 auto node1 = this->astCtxt->extract(15, 0, op);
5026
5027 /* Create symbolic expression */
5028 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "STRH operation - STORE access");
5029
5030 /* Spread taint */
5031 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
5032
5033 /* Optional behavior. Post computation of the base register */
5034 /* STRH <Wt>, [<Xn|SP>], #<simm> */
5035 if (inst.operands.size() == 3) {
5036 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
5037 triton::arch::Register& base = dst.getMemory().getBaseRegister();
5038
5039 /* Create symbolic operands of the post computation */
5040 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
5041 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
5042
5043 /* Create the semantics of the base register */
5044 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
5045
5046 /* Create symbolic expression */
5047 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "STRH operation - Base register computation");
5048
5049 /* Spread taint */
5050 expr2->isTainted = this->taintEngine->isTainted(base);
5051 }
5052
5053 /* STRH <Wt>, [<Xn|SP>, #<simm>]! */
5054 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
5055 triton::arch::Register& base = dst.getMemory().getBaseRegister();
5056
5057 /* Create the semantics of the base register */
5058 auto node3 = dst.getMemory().getLeaAst();
5059
5060 /* Create symbolic expression */
5061 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "STRH operation - Base register computation");
5062
5063 /* Spread taint */
5064 expr3->isTainted = this->taintEngine->isTainted(base);
5065 }
5066
5067 /* Update the symbolic control flow */
5068 this->controlFlow_s(inst);
5069 }
5070
5071
5072 void AArch64Semantics::sttr_s(triton::arch::Instruction& inst) {
5073 triton::arch::OperandWrapper& src = inst.operands[0];
5074 triton::arch::OperandWrapper& dst = inst.operands[1];
5075
5076 /* Create the semantics of the STORE */
5077 auto node = this->symbolicEngine->getOperandAst(inst, src);
5078
5079 /* Create symbolic expression */
5080 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STTR operation");
5081
5082 /* Spread taint */
5083 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5084
5085 /* Update the symbolic control flow */
5086 this->controlFlow_s(inst);
5087 }
5088
5089
5090 void AArch64Semantics::sttrb_s(triton::arch::Instruction& inst) {
5091 triton::arch::OperandWrapper& src = inst.operands[0];
5092 triton::arch::OperandWrapper& dst = inst.operands[1];
5093
5094 /* Create symbolic operands */
5095 auto op = this->symbolicEngine->getOperandAst(inst, src);
5096
5097 /* Create the semantics */
5098 auto node = this->astCtxt->extract(7, 0, op);
5099
5100 /* Create symbolic expression */
5101 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STTRB operation");
5102
5103 /* Spread taint */
5104 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5105
5106 /* Update the symbolic control flow */
5107 this->controlFlow_s(inst);
5108 }
5109
5110
5111 void AArch64Semantics::sttrh_s(triton::arch::Instruction& inst) {
5112 triton::arch::OperandWrapper& src = inst.operands[0];
5113 triton::arch::OperandWrapper& dst = inst.operands[1];
5114
5115 /* Create symbolic operands */
5116 auto op = this->symbolicEngine->getOperandAst(inst, src);
5117
5118 /* Create the semantics */
5119 auto node = this->astCtxt->extract(15, 0, op);
5120
5121 /* Create symbolic expression */
5122 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STTRH operation");
5123
5124 /* Spread taint */
5125 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5126
5127 /* Update the symbolic control flow */
5128 this->controlFlow_s(inst);
5129 }
5130
5131
5132 void AArch64Semantics::stur_s(triton::arch::Instruction& inst) {
5133 triton::arch::OperandWrapper& src = inst.operands[0];
5134 triton::arch::OperandWrapper& dst = inst.operands[1];
5135
5136 /* Create the semantics of the STORE */
5137 auto node = this->symbolicEngine->getOperandAst(inst, src);
5138
5139 /* Create symbolic expression */
5140 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STUR operation");
5141
5142 /* Spread taint */
5143 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5144
5145 /* Update the symbolic control flow */
5146 this->controlFlow_s(inst);
5147 }
5148
5149
5150 void AArch64Semantics::sturb_s(triton::arch::Instruction& inst) {
5151 triton::arch::OperandWrapper& src = inst.operands[0];
5152 triton::arch::OperandWrapper& dst = inst.operands[1];
5153
5154 /* Create symbolic operands */
5155 auto op = this->symbolicEngine->getOperandAst(inst, src);
5156
5157 /* Create the semantics */
5158 auto node = this->astCtxt->extract(7, 0, op);
5159
5160 /* Create symbolic expression */
5161 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STURB operation");
5162
5163 /* Spread taint */
5164 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5165
5166 /* Update the symbolic control flow */
5167 this->controlFlow_s(inst);
5168 }
5169
5170
5171 void AArch64Semantics::sturh_s(triton::arch::Instruction& inst) {
5172 triton::arch::OperandWrapper& src = inst.operands[0];
5173 triton::arch::OperandWrapper& dst = inst.operands[1];
5174
5175 /* Create symbolic operands */
5176 auto op = this->symbolicEngine->getOperandAst(inst, src);
5177
5178 /* Create the semantics */
5179 auto node = this->astCtxt->extract(15, 0, op);
5180
5181 /* Create symbolic expression */
5182 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STURH operation");
5183
5184 /* Spread taint */
5185 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5186
5187 /* Update the symbolic control flow */
5188 this->controlFlow_s(inst);
5189 }
5190
5191
5192 void AArch64Semantics::stxp_s(triton::arch::Instruction& inst) {
5193 triton::arch::OperandWrapper& dst1 = inst.operands[0]; /* status */
5194 triton::arch::OperandWrapper& src1 = inst.operands[1];
5195 triton::arch::OperandWrapper& src2 = inst.operands[2];
5196 triton::arch::OperandWrapper& dst2 = inst.operands[3];
5197
5198 /* Special behavior: Define that the size of the memory access is src1.size + src2.size */
5199 dst2.getMemory().setBits((src1.getBitSize() + src2.getBitSize()) - 1, 0);
5200
5201 /* Is memory exclusive */
5202 bool exclusive = this->architecture->isMemoryExclusive(dst2.getConstMemory());
5203
5204 /* Create symbolic operands */
5205 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5206 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5207
5208 /* Create the semantics */
5209 auto node1 = this->astCtxt->bv(exclusive ? 0 : 1, dst1.getBitSize());
5210 auto node2 = this->astCtxt->concat(op2, op1);
5211
5212 /* Create symbolic expression */
5213 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "STXP operation - write status");
5214
5215 /* Spread taint */
5216 expr1->isTainted = this->taintEngine->setTaint(dst1, false);
5217
5218 /* Exclusive operation */
5219 if (exclusive) {
5220 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "STXP operation - STORE access");
5221 expr2->isTainted = this->taintEngine->setTaint(dst2, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5222 }
5223
5224 /* Update exclusive memory access tag */
5225 this->architecture->setMemoryExclusiveTag(dst2.getConstMemory(), false);
5226
5227 /* Update the symbolic control flow */
5228 this->controlFlow_s(inst);
5229 }
5230
5231
5232 void AArch64Semantics::stxr_s(triton::arch::Instruction& inst) {
5233 triton::arch::OperandWrapper& dst1 = inst.operands[0]; /* status */
5234 triton::arch::OperandWrapper& src = inst.operands[1];
5235 triton::arch::OperandWrapper& dst2 = inst.operands[2];
5236
5237 /* Is memory exclusive */
5238 bool exclusive = this->architecture->isMemoryExclusive(dst2.getConstMemory());
5239
5240 /* Create the semantics */
5241 auto node1 = this->astCtxt->bv(exclusive ? 0 : 1, dst1.getBitSize());
5242 auto node2 = this->symbolicEngine->getOperandAst(inst, src);
5243
5244 /* Create symbolic expression */
5245 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "STXR operation - write status");
5246
5247 /* Spread taint */
5248 expr1->isTainted = this->taintEngine->setTaint(dst1, false);
5249
5250 /* Exclusive operation */
5251 if (exclusive) {
5252 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "STXR operation - STORE access");
5253 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
5254 }
5255
5256 /* Update exclusive memory access tag */
5257 this->architecture->setMemoryExclusiveTag(dst2.getConstMemory(), false);
5258
5259 /* Update the symbolic control flow */
5260 this->controlFlow_s(inst);
5261 }
5262
5263
5264 void AArch64Semantics::stxrb_s(triton::arch::Instruction& inst) {
5265 triton::arch::OperandWrapper& dst1 = inst.operands[0]; /* status */
5266 triton::arch::OperandWrapper& src = inst.operands[1];
5267 triton::arch::OperandWrapper& dst2 = inst.operands[2];
5268
5269 /* Is memory exclusive */
5270 bool exclusive = this->architecture->isMemoryExclusive(dst2.getConstMemory());
5271
5272 /* Create symbolic operands */
5273 auto op = this->symbolicEngine->getOperandAst(inst, src);
5274
5275 /* Create the semantics */
5276 auto node1 = this->astCtxt->bv(exclusive ? 0 : 1, dst1.getBitSize());
5277 auto node2 = this->astCtxt->extract(7, 0, op);
5278
5279 /* Create symbolic expression */
5280 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "STXRB operation - write status");
5281
5282 /* Spread taint */
5283 expr1->isTainted = this->taintEngine->setTaint(dst1, false);
5284
5285 /* Exclusive operation */
5286 if (exclusive) {
5287 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "STXRB operation - STORE access");
5288 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
5289 }
5290
5291 /* Update exclusive memory access tag */
5292 this->architecture->setMemoryExclusiveTag(dst2.getConstMemory(), false);
5293
5294 /* Update the symbolic control flow */
5295 this->controlFlow_s(inst);
5296 }
5297
5298
5299 void AArch64Semantics::stxrh_s(triton::arch::Instruction& inst) {
5300 triton::arch::OperandWrapper& dst1 = inst.operands[0]; /* status */
5301 triton::arch::OperandWrapper& src = inst.operands[1];
5302 triton::arch::OperandWrapper& dst2 = inst.operands[2];
5303
5304 /* Is memory exclusive */
5305 bool exclusive = this->architecture->isMemoryExclusive(dst2.getConstMemory());
5306
5307 /* Create symbolic operands */
5308 auto op = this->symbolicEngine->getOperandAst(inst, src);
5309
5310 /* Create the semantics */
5311 auto node1 = this->astCtxt->bv(exclusive ? 0 : 1, dst1.getBitSize());
5312 auto node2 = this->astCtxt->extract(15, 0, op);
5313
5314 /* Create symbolic expression */
5315 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "STXRH operation - write status");
5316
5317 /* Spread taint */
5318 expr1->isTainted = this->taintEngine->setTaint(dst1, false);
5319
5320 /* Exclusive operation */
5321 if (exclusive) {
5322 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "STXRH operation - STORE access");
5323 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
5324 }
5325
5326 /* Update exclusive memory access tag */
5327 this->architecture->setMemoryExclusiveTag(dst2.getConstMemory(), false);
5328
5329 /* Update the symbolic control flow */
5330 this->controlFlow_s(inst);
5331 }
5332
5333
5334 void AArch64Semantics::sub_s(triton::arch::Instruction& inst) {
5335 auto& dst = inst.operands[0];
5336 auto& src1 = inst.operands[1];
5337 auto& src2 = inst.operands[2];
5338
5339 /* Create symbolic operands */
5340 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5341 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5342
5343 /* Create the semantics */
5344 auto node = this->astCtxt->bvsub(op1, op2);
5345
5346 /* Create symbolic expression */
5347 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SUB(S) operation");
5348
5349 /* Spread taint */
5350 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5351
5352 /* Update symbolic flags */
5353 if (inst.isUpdateFlag() == true) {
5354 this->cfSub_s(inst, expr, dst, op1, op2);
5355 this->nf_s(inst, expr, dst);
5356 this->vfSub_s(inst, expr, dst, op1, op2);
5357 this->zf_s(inst, expr, dst);
5358 }
5359
5360 /* Update the symbolic control flow */
5361 this->controlFlow_s(inst);
5362 }
5363
5364
5365 void AArch64Semantics::svc_s(triton::arch::Instruction& inst) {
5366 auto& src = inst.operands[0];
5367
5368 /* Link the immediate to the instruction */
5369 this->symbolicEngine->getOperandAst(inst, src);
5370
5371 /* Update the symbolic control flow */
5372 this->controlFlow_s(inst);
5373 }
5374
5375
5376 void AArch64Semantics::sxtb_s(triton::arch::Instruction& inst) {
5377 auto& dst = inst.operands[0];
5378 auto& src = inst.operands[1];
5379
5380 /* Create symbolic operands */
5381 auto op = this->symbolicEngine->getOperandAst(inst, src);
5382
5383 /* Create the semantics */
5384 auto node = this->astCtxt->sx(dst.getBitSize() - 8, this->astCtxt->extract(7, 0, op));
5385
5386 /* Create symbolic expression */
5387 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SXTB operation");
5388
5389 /* Spread taint */
5390 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5391
5392 /* Update the symbolic control flow */
5393 this->controlFlow_s(inst);
5394 }
5395
5396
5397 void AArch64Semantics::sxth_s(triton::arch::Instruction& inst) {
5398 auto& dst = inst.operands[0];
5399 auto& src = inst.operands[1];
5400
5401 /* Create symbolic operands */
5402 auto op = this->symbolicEngine->getOperandAst(inst, src);
5403
5404 /* Create the semantics */
5405 auto node = this->astCtxt->sx(dst.getBitSize() - 16, this->astCtxt->extract(15, 0, op));
5406
5407 /* Create symbolic expression */
5408 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SXTH operation");
5409
5410 /* Spread taint */
5411 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5412
5413 /* Update the symbolic control flow */
5414 this->controlFlow_s(inst);
5415 }
5416
5417
5418 void AArch64Semantics::sxtw_s(triton::arch::Instruction& inst) {
5419 auto& dst = inst.operands[0];
5420 auto& src = inst.operands[1];
5421
5422 /* Create symbolic operands */
5423 auto op = this->symbolicEngine->getOperandAst(inst, src);
5424
5425 /* Create the semantics */
5426 auto node = this->astCtxt->sx(dst.getBitSize() - 32, this->astCtxt->extract(31, 0, op));
5427
5428 /* Create symbolic expression */
5429 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SXTW operation");
5430
5431 /* Spread taint */
5432 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5433
5434 /* Update the symbolic control flow */
5435 this->controlFlow_s(inst);
5436 }
5437
5438
5439 void AArch64Semantics::tbnz_s(triton::arch::Instruction& inst) {
5440 auto dst = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
5441 auto& src1 = inst.operands[0];
5442 auto& src2 = inst.operands[1];
5443 auto& src3 = inst.operands[2];
5444
5445 /* Create symbolic operands */
5446 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5447 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5448 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
5449
5450 /* Create the semantics */
5451 auto node = this->astCtxt->ite(
5452 this->astCtxt->equal(
5453 this->astCtxt->extract(0, 0, this->astCtxt->bvlshr(op1, op2)),
5454 this->astCtxt->bvtrue()
5455 ),
5456 this->astCtxt->zx(dst.getBitSize() - op3->getBitvectorSize(), op3),
5457 this->astCtxt->bv(inst.getNextAddress(), dst.getBitSize())
5458 );
5459
5460 /* Create symbolic expression */
5461 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "TBNZ operation - Program Counter");
5462
5463 /* Spread taint */
5464 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5465
5466 /* Set condition flag */
5467 if (this->astCtxt->extract(0, 0, this->astCtxt->bvlshr(op1, op2))->evaluate() != 0)
5468 inst.setConditionTaken(true);
5469
5470 /* Create the path constraint */
5471 this->symbolicEngine->pushPathConstraint(inst, expr);
5472 }
5473
5474
5475 void AArch64Semantics::tbz_s(triton::arch::Instruction& inst) {
5476 auto dst = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
5477 auto& src1 = inst.operands[0];
5478 auto& src2 = inst.operands[1];
5479 auto& src3 = inst.operands[2];
5480
5481 /* Create symbolic operands */
5482 auto op1 = this->astCtxt->zx(dst.getBitSize() - src1.getBitSize(), this->symbolicEngine->getOperandAst(inst, src1));
5483 auto op2 = this->astCtxt->zx(dst.getBitSize() - src2.getBitSize(), this->symbolicEngine->getOperandAst(inst, src2));
5484 auto op3 = this->astCtxt->zx(dst.getBitSize() - src3.getBitSize(), this->symbolicEngine->getOperandAst(inst, src3));
5485
5486 /* Create the semantics */
5487 auto node = this->astCtxt->ite(
5488 this->astCtxt->equal(
5489 this->astCtxt->extract(0, 0, this->astCtxt->bvlshr(op1, op2)),
5490 this->astCtxt->bvfalse()
5491 ),
5492 this->astCtxt->zx(dst.getBitSize() - op3->getBitvectorSize(), op3),
5493 this->astCtxt->bv(inst.getNextAddress(), dst.getBitSize())
5494 );
5495
5496 /* Create symbolic expression */
5497 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "TBZ operation - Program Counter");
5498
5499 /* Spread taint */
5500 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5501
5502 /* Set condition flag */
5503 if (this->astCtxt->extract(0, 0, this->astCtxt->bvlshr(op1, op2))->evaluate() == 0)
5504 inst.setConditionTaken(true);
5505
5506 /* Create the path constraint */
5507 this->symbolicEngine->pushPathConstraint(inst, expr);
5508 }
5509
5510
5511 void AArch64Semantics::tst_s(triton::arch::Instruction& inst) {
5512 auto& src1 = inst.operands[0];
5513 auto& src2 = inst.operands[1];
5514
5515 /* Create symbolic operands */
5516 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5517 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5518
5519 /* Create the semantics */
5520 auto node = this->astCtxt->bvand(op1, op2);
5521
5522 /* Create symbolic expression */
5523 auto expr = this->symbolicEngine->createSymbolicVolatileExpression(inst, node, "TST operation");
5524
5525 /* Spread taint */
5526 expr->isTainted = this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2);
5527
5528 /* Update symbolic flags */
5529 if (inst.isUpdateFlag() == true) {
5530 this->clearFlag_s(inst, this->architecture->getRegister(ID_REG_AARCH64_C), "Clears carry flag");
5531 this->nf_s(inst, expr, src1);
5532 this->clearFlag_s(inst, this->architecture->getRegister(ID_REG_AARCH64_V), "Clears overflow flag");
5533 this->zf_s(inst, expr, src1);
5534 }
5535
5536 /* Update the symbolic control flow */
5537 this->controlFlow_s(inst);
5538 }
5539
5540
5541 void AArch64Semantics::ubfiz_s(triton::arch::Instruction& inst) {
5542 auto& dst = inst.operands[0];
5543 auto& src1 = inst.operands[1];
5544 auto& src2 = inst.operands[2];
5545 auto& src3 = inst.operands[3];
5546 auto lsb = static_cast<uint32>(src2.getImmediate().getValue());
5547 auto width = static_cast<uint32>(src3.getImmediate().getValue());
5548
5549 if (lsb + width > dst.getBitSize())
5550 throw triton::exceptions::Semantics("AArch64Semantics::ubfiz_s(): Invalid lsb and width.");
5551
5552 /* Create symbolic operands */
5553 auto op = this->symbolicEngine->getOperandAst(inst, src1);
5554
5555 /* Create the semantics */
5556 std::vector<triton::ast::SharedAbstractNode> bits;
5557 bits.reserve(3);
5558
5559 if (lsb + width < dst.getBitSize()) {
5560 bits.push_back(this->astCtxt->bv(0, dst.getBitSize() - (lsb + width)));
5561 }
5562
5563 bits.push_back(this->astCtxt->extract(width - 1, 0, op));
5564
5565 if (lsb) {
5566 bits.push_back(this->astCtxt->bv(0, lsb));
5567 }
5568
5569 auto node = this->astCtxt->concat(bits);
5570
5571 /* Create symbolic expression */
5572 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UBFIZ operation");
5573
5574 /* Spread taint */
5575 expr->isTainted = this->taintEngine->taintAssignment(dst, src1);
5576
5577 /* Update the symbolic control flow */
5578 this->controlFlow_s(inst);
5579 }
5580
5581
5582 void AArch64Semantics::ubfx_s(triton::arch::Instruction& inst) {
5583 auto& dst = inst.operands[0];
5584 auto& src1 = inst.operands[1];
5585 auto& src2 = inst.operands[2];
5586 auto& src3 = inst.operands[3];
5587 auto lsb = static_cast<uint32>(src2.getImmediate().getValue());
5588 auto width = static_cast<uint32>(src3.getImmediate().getValue());
5589
5590 if (lsb + width > dst.getBitSize())
5591 throw triton::exceptions::Semantics("AArch64Semantics::ubfx_s(): Invalid lsb and width.");
5592
5593 /* Create symbolic operands */
5594 auto op = this->symbolicEngine->getOperandAst(inst, src1);
5595
5596 /* Create the semantics */
5597 auto node = this->astCtxt->zx(dst.getBitSize() - width, this->astCtxt->extract(lsb+width-1, lsb, op));
5598
5599 /* Create symbolic expression */
5600 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UBFX operation");
5601
5602 /* Spread taint */
5603 expr->isTainted = this->taintEngine->taintAssignment(dst, src1);
5604
5605 /* Update the symbolic control flow */
5606 this->controlFlow_s(inst);
5607 }
5608
5609
5610 void AArch64Semantics::udiv_s(triton::arch::Instruction& inst) {
5611 auto& dst = inst.operands[0];
5612 auto& src1 = inst.operands[1];
5613 auto& src2 = inst.operands[2];
5614
5615 /* Create symbolic operands */
5616 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5617 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5618
5619 /* Create the semantics */
5620 auto node = this->astCtxt->ite(
5621 this->astCtxt->equal(op2, this->astCtxt->bv(0, op2->getBitvectorSize())),
5622 this->astCtxt->bv(0, dst.getBitSize()),
5623 this->astCtxt->bvudiv(op1, op2)
5624 );
5625
5626 /* Create symbolic expression */
5627 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UDIV operation");
5628
5629 /* Spread taint */
5630 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5631
5632 /* Update the symbolic control flow */
5633 this->controlFlow_s(inst);
5634 }
5635
5636
5637 void AArch64Semantics::umaddl_s(triton::arch::Instruction& inst) {
5638 auto& dst = inst.operands[0];
5639 auto& src1 = inst.operands[1];
5640 auto& src2 = inst.operands[2];
5641 auto& src3 = inst.operands[3];
5642
5643 /* Create symbolic operands */
5644 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5645 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5646 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
5647
5648 /* Create the semantics */
5649 auto node = this->astCtxt->bvadd(
5650 op3,
5651 this->astCtxt->bvmul(
5652 this->astCtxt->zx(triton::bitsize::dword, op1),
5653 this->astCtxt->zx(triton::bitsize::dword, op2)
5654 )
5655 );
5656
5657 /* Create symbolic expression */
5658 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UMADDL operation");
5659
5660 /* Spread taint */
5661 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(src3));
5662
5663 /* Update the symbolic control flow */
5664 this->controlFlow_s(inst);
5665 }
5666
5667
5668 void AArch64Semantics::umnegl_s(triton::arch::Instruction& inst) {
5669 auto& dst = inst.operands[0];
5670 auto& src1 = inst.operands[1];
5671 auto& src2 = inst.operands[2];
5672
5673 /* Create symbolic operands */
5674 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5675 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5676
5677 /* Create the semantics */
5678 auto node = this->astCtxt->bvneg(
5679 this->astCtxt->bvmul(
5680 this->astCtxt->zx(triton::bitsize::dword, op1),
5681 this->astCtxt->zx(triton::bitsize::dword, op2)
5682 )
5683 );
5684
5685 /* Create symbolic expression */
5686 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UMNEGL operation");
5687
5688 /* Spread taint */
5689 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5690
5691 /* Update the symbolic control flow */
5692 this->controlFlow_s(inst);
5693 }
5694
5695
5696 void AArch64Semantics::umsubl_s(triton::arch::Instruction& inst) {
5697 auto& dst = inst.operands[0];
5698 auto& src1 = inst.operands[1];
5699 auto& src2 = inst.operands[2];
5700 auto& src3 = inst.operands[3];
5701
5702 /* Create symbolic operands */
5703 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5704 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5705 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
5706
5707 /* Create the semantics */
5708 auto node = this->astCtxt->bvsub(
5709 op3,
5710 this->astCtxt->bvmul(
5711 this->astCtxt->zx(triton::bitsize::dword, op1),
5712 this->astCtxt->zx(triton::bitsize::dword, op2)
5713 )
5714 );
5715
5716 /* Create symbolic expression */
5717 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UMSUBL operation");
5718
5719 /* Spread taint */
5720 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(src3));
5721
5722 /* Update the symbolic control flow */
5723 this->controlFlow_s(inst);
5724 }
5725
5726
5727 void AArch64Semantics::umulh_s(triton::arch::Instruction& inst) {
5728 auto& dst = inst.operands[0];
5729 auto& src1 = inst.operands[1];
5730 auto& src2 = inst.operands[2];
5731
5732 /* Create symbolic operands */
5733 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5734 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5735
5736 /* Create the semantics */
5737 auto node = this->astCtxt->extract(
5738 triton::bitsize::dqword-1,
5739 triton::bitsize::qword,
5740 this->astCtxt->bvmul(
5741 this->astCtxt->zx(triton::bitsize::qword, op1),
5742 this->astCtxt->zx(triton::bitsize::qword, op2)
5743 )
5744 );
5745
5746 /* Create symbolic expression */
5747 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UMULH operation");
5748
5749 /* Spread taint */
5750 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5751
5752 /* Update the symbolic control flow */
5753 this->controlFlow_s(inst);
5754 }
5755
5756
5757 void AArch64Semantics::umull_s(triton::arch::Instruction& inst) {
5758 auto& dst = inst.operands[0];
5759 auto& src1 = inst.operands[1];
5760 auto& src2 = inst.operands[2];
5761
5762 /* Create symbolic operands */
5763 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5764 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5765
5766 /* Create the semantics */
5767 auto node = this->astCtxt->bvmul(
5768 this->astCtxt->zx(triton::bitsize::dword, op1),
5769 this->astCtxt->zx(triton::bitsize::dword, op2)
5770 );
5771
5772 /* Create symbolic expression */
5773 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UMULL operation");
5774
5775 /* Spread taint */
5776 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5777
5778 /* Update the symbolic control flow */
5779 this->controlFlow_s(inst);
5780 }
5781
5782
5783 void AArch64Semantics::uxtb_s(triton::arch::Instruction& inst) {
5784 auto& dst = inst.operands[0];
5785 auto& src = inst.operands[1];
5786
5787 /* Create symbolic operands */
5788 auto op = this->symbolicEngine->getOperandAst(inst, src);
5789
5790 /* Create the semantics */
5791 auto node = this->astCtxt->zx(dst.getBitSize() - 8, this->astCtxt->extract(7, 0, op));
5792
5793 /* Create symbolic expression */
5794 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UXTB operation");
5795
5796 /* Spread taint */
5797 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5798
5799 /* Update the symbolic control flow */
5800 this->controlFlow_s(inst);
5801 }
5802
5803
5804 void AArch64Semantics::uxth_s(triton::arch::Instruction& inst) {
5805 auto& dst = inst.operands[0];
5806 auto& src = inst.operands[1];
5807
5808 /* Create symbolic operands */
5809 auto op = this->symbolicEngine->getOperandAst(inst, src);
5810
5811 /* Create the semantics */
5812 auto node = this->astCtxt->zx(dst.getBitSize() - 16, this->astCtxt->extract(15, 0, op));
5813
5814 /* Create symbolic expression */
5815 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UXTH operation");
5816
5817 /* Spread taint */
5818 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5819
5820 /* Update the symbolic control flow */
5821 this->controlFlow_s(inst);
5822 }
5823
5824 }; /* aarch64 namespace */
5825 }; /* arm namespace */
5826 }; /* arch namespace */
5827}; /* triton namespace */
triton::arch::Architecture
The abstract architecture class.
Definition architecture.hpp:45
triton::arch::Architecture::getRegister
TRITON_EXPORT const triton::arch::Register & getRegister(triton::arch::register_e id) const
Returns register from id.
Definition architecture.cpp:203
triton::arch::Architecture::isMemoryExclusive
TRITON_EXPORT bool isMemoryExclusive(const triton::arch::MemoryAccess &mem) const
Returns true if the memory access is tagged as exclusive. Only valid for Arm32 and AArch64.
Definition architecture.cpp:134
triton::arch::Architecture::setMemoryExclusiveTag
TRITON_EXPORT void setMemoryExclusiveTag(const triton::arch::MemoryAccess &mem, bool tag)
Sets exclusive memory access tag. Only valid for Arm32 and AArch64.
Definition architecture.cpp:141
triton::arch::Architecture::getParentRegister
TRITON_EXPORT const triton::arch::Register & getParentRegister(triton::arch::register_e id) const
Returns parent register from id.
Definition architecture.cpp:224
triton::arch::BitsVector::setBits
TRITON_EXPORT void setBits(triton::uint32 high, triton::uint32 low)
Sets the bits (high, low) position.
Definition bitsVector.cpp:72
triton::arch::Immediate
This class is used to represent an immediate.
Definition immediate.hpp:37
triton::arch::Immediate::getBitSize
TRITON_EXPORT triton::uint32 getBitSize(void) const
Returns the size (in bits) of the immediate vector.
Definition immediate.cpp:85
triton::arch::Immediate::getValue
TRITON_EXPORT triton::uint64 getValue(void) const
Returns the value of the operand.
Definition immediate.cpp:34
triton::arch::Instruction
This class is used to represent an instruction.
Definition instruction.hpp:48
triton::arch::Instruction::isWriteBack
TRITON_EXPORT bool isWriteBack(void) const
Returns true if the instruction performs a write back. Mainly used for AArch64 instructions like LDR.
Definition instruction.cpp:489
triton::arch::Instruction::setConditionTaken
TRITON_EXPORT void setConditionTaken(bool flag)
Sets flag to define if the condition is taken or not.
Definition instruction.cpp:514
triton::arch::Instruction::getType
TRITON_EXPORT triton::uint32 getType(void) const
Returns the type of the instruction.
Definition instruction.cpp:152
triton::arch::Instruction::operands
std::vector< triton::arch::OperandWrapper > operands
A list of operands.
Definition instruction.hpp:122
triton::arch::Instruction::isUpdateFlag
TRITON_EXPORT bool isUpdateFlag(void) const
Returns true if the instruction updates flags. Mainly used for AArch64 instructions like ADDS.
Definition instruction.cpp:494
triton::arch::Instruction::getCodeCondition
TRITON_EXPORT triton::arch::arm::condition_e getCodeCondition(void) const
Returns the code codition of the instruction (mainly for AArch64).
Definition instruction.cpp:167
triton::arch::Instruction::getNextAddress
TRITON_EXPORT triton::uint64 getNextAddress(void) const
Returns the next address of the instruction.
Definition instruction.cpp:119
triton::arch::MemoryAccess
This class is used to represent a memory access.
Definition memoryAccess.hpp:40
triton::arch::MemoryAccess::getLeaAst
TRITON_EXPORT triton::ast::SharedAbstractNode getLeaAst(void) const
Returns the AST of the memory access (LEA).
Definition memoryAccess.cpp:56
triton::arch::MemoryAccess::getBaseRegister
TRITON_EXPORT triton::arch::Register & getBaseRegister(void)
LEA - Returns the base register operand.
Definition memoryAccess.cpp:86
triton::arch::OperandWrapper
This class is used as operand wrapper.
Definition operandWrapper.hpp:38
triton::arch::OperandWrapper::getLow
TRITON_EXPORT triton::uint32 getLow(void) const
Returns the lower bit position of the abstract operand.
Definition operandWrapper.cpp:128
triton::arch::OperandWrapper::getType
TRITON_EXPORT triton::arch::operand_e getType(void) const
Returns the abstract type of the operand.
Definition operandWrapper.cpp:42
triton::arch::OperandWrapper::getSize
TRITON_EXPORT triton::uint32 getSize(void) const
Returns the abstract size (in bytes) of the operand.
Definition operandWrapper.cpp:92
triton::arch::OperandWrapper::getConstMemory
TRITON_EXPORT const triton::arch::MemoryAccess & getConstMemory(void) const
Returns the memory operand as const.
Definition operandWrapper.cpp:67
triton::arch::OperandWrapper::getMemory
TRITON_EXPORT triton::arch::MemoryAccess & getMemory(void)
Returns the memory operand.
Definition operandWrapper.cpp:52
triton::arch::OperandWrapper::getConstRegister
TRITON_EXPORT const triton::arch::Register & getConstRegister(void) const
Returns the register operand.
Definition operandWrapper.cpp:72
triton::arch::OperandWrapper::getHigh
TRITON_EXPORT triton::uint32 getHigh(void) const
Returns the highest bit position of the abstract operand.
Definition operandWrapper.cpp:116
triton::arch::OperandWrapper::getConstImmediate
TRITON_EXPORT const triton::arch::Immediate & getConstImmediate(void) const
Returns the immediate operand.
Definition operandWrapper.cpp:62
triton::arch::OperandWrapper::getBitSize
TRITON_EXPORT triton::uint32 getBitSize(void) const
Returns the abstract size (in bits) of the operand.
Definition operandWrapper.cpp:104
triton::arch::OperandWrapper::getImmediate
TRITON_EXPORT triton::arch::Immediate & getImmediate(void)
Returns the immediate operand.
Definition operandWrapper.cpp:47
triton::arch::Register
This class is used when an instruction has a register operand.
Definition register.hpp:44
triton::arch::Register::getBitSize
TRITON_EXPORT triton::uint32 getBitSize(void) const
Returns the size (in bits) of the register.
Definition register.cpp:63
triton::arch::arm::ArmOperandProperties::getShiftImmediate
TRITON_EXPORT triton::uint32 getShiftImmediate(void) const
Returns the value of the shift immediate.
Definition armOperandProperties.cpp:60
triton::arch::arm::ArmOperandProperties::getVASType
TRITON_EXPORT triton::arch::arm::vas_e getVASType(void) const
Returns the vector arrangement specifier.
Definition armOperandProperties.cpp:75
triton::arch::arm::ArmOperandProperties::getVASSize
TRITON_EXPORT triton::uint32 getVASSize(void) const
Returns the vector arrangement specifier size (64 or 128 bits).
Definition armOperandProperties.cpp:100
triton::arch::arm::aarch64::AArch64Semantics::buildSemantics
TRITON_EXPORT triton::arch::exception_e buildSemantics(triton::arch::Instruction &inst)
Builds the semantics of the instruction. Returns triton::arch::NO_FAULT if succeed.
Definition aarch64Semantics.cpp:230
triton::arch::arm::aarch64::AArch64Semantics::AArch64Semantics
TRITON_EXPORT AArch64Semantics(triton::arch::Architecture *architecture, triton::engines::symbolic::SymbolicEngine *symbolicEngine, triton::engines::taint::TaintEngine *taintEngine, const triton::ast::SharedAstContext &astCtxt)
Constructor.
Definition aarch64Semantics.cpp:209
triton::engines::symbolic::PathManager::pushPathConstraint
TRITON_EXPORT void pushPathConstraint(const triton::arch::Instruction &inst, const triton::engines::symbolic::SharedSymbolicExpression &expr)
Pushs constraints of a branch instruction to the path predicate.
Definition pathManager.cpp:155
triton::engines::symbolic::SymbolicEngine::createSymbolicRegisterExpression
TRITON_EXPORT const SharedSymbolicExpression & createSymbolicRegisterExpression(triton::arch::Instruction &inst, const triton::ast::SharedAbstractNode &node, const triton::arch::Register &reg, const std::string &comment="")
Returns the new symbolic register expression expression and links this expression to the instruction.
Definition symbolicEngine.cpp:1102
triton::engines::symbolic::SymbolicEngine::createSymbolicVolatileExpression
TRITON_EXPORT const SharedSymbolicExpression & createSymbolicVolatileExpression(triton::arch::Instruction &inst, const triton::ast::SharedAbstractNode &node, const std::string &comment="")
Returns the new symbolic volatile expression expression and links this expression to the instruction.
Definition symbolicEngine.cpp:1115
triton::engines::symbolic::SymbolicEngine::getMemoryAst
TRITON_EXPORT triton::ast::SharedAbstractNode getMemoryAst(const triton::arch::MemoryAccess &mem)
Returns the AST corresponding to the memory.
Definition symbolicEngine.cpp:850
triton::engines::symbolic::SymbolicEngine::createSymbolicExpression
TRITON_EXPORT const SharedSymbolicExpression & createSymbolicExpression(triton::arch::Instruction &inst, const triton::ast::SharedAbstractNode &node, const triton::arch::OperandWrapper &dst, const std::string &comment="")
Returns the new symbolic expression and links this expression to the instruction.
Definition symbolicEngine.cpp:954
triton::engines::symbolic::SymbolicEngine::getOperandAst
TRITON_EXPORT triton::ast::SharedAbstractNode getOperandAst(const triton::arch::OperandWrapper &op)
Returns the AST corresponding to the operand.
Definition symbolicEngine.cpp:677
triton::engines::taint::TaintEngine::setTaint
TRITON_EXPORT bool setTaint(const triton::arch::OperandWrapper &op, bool flag)
Sets the flag (taint or untaint) to an abstract operand (Register or Memory).
Definition taintEngine.cpp:133
triton::engines::taint::TaintEngine::isTainted
TRITON_EXPORT bool isTainted(const triton::arch::OperandWrapper &op) const
Abstract taint verification. Returns true if the operand is tainted.
Definition taintEngine.cpp:107
triton::engines::taint::TaintEngine::isMemoryTainted
TRITON_EXPORT bool isMemoryTainted(triton::uint64 addr, triton::uint32 size=1) const
Returns true if the addr is tainted.
Definition taintEngine.cpp:87
triton::engines::taint::TaintEngine::taintUnion
TRITON_EXPORT bool taintUnion(const triton::arch::OperandWrapper &op1, const triton::arch::OperandWrapper &op2)
Abstract union tainting.
Definition taintEngine.cpp:207
triton::engines::taint::TaintEngine::setTaintRegister
TRITON_EXPORT bool setTaintRegister(const triton::arch::Register &reg, bool flag)
Sets the flag (taint or untaint) to a register.
Definition taintEngine.cpp:157
triton::engines::taint::TaintEngine::taintAssignment
TRITON_EXPORT bool taintAssignment(const triton::arch::OperandWrapper &op1, const triton::arch::OperandWrapper &op2)
Abstract assignment tainting.
Definition taintEngine.cpp:234
triton::exceptions::Semantics
The exception class used by all semantics.
Definition exceptions.hpp:377
triton::arch::arm::aarch64::ID_INS_CBNZ
@ ID_INS_CBNZ
cbnz
Definition aarch64Specifications.hpp:117
triton::arch::arm::aarch64::ID_INS_ADC
@ ID_INS_ADC
adc
Definition aarch64Specifications.hpp:93
triton::arch::arm::aarch64::ID_INS_ADRP
@ ID_INS_ADRP
adrp
Definition aarch64Specifications.hpp:100
triton::arch::arm::aarch64::ID_INS_REV64
@ ID_INS_REV64
rev64
Definition aarch64Specifications.hpp:303
triton::arch::arm::aarch64::ID_INS_LDR
@ ID_INS_LDR
ldr
Definition aarch64Specifications.hpp:253
triton::arch::arm::aarch64::ID_INS_MUL
@ ID_INS_MUL
mul
Definition aarch64Specifications.hpp:286
triton::arch::arm::aarch64::ID_INS_LDURSB
@ ID_INS_LDURSB
ldursb
Definition aarch64Specifications.hpp:267
triton::arch::arm::aarch64::ID_INS_LDAXRB
@ ID_INS_LDAXRB
ldaxrb
Definition aarch64Specifications.hpp:246
triton::arch::arm::aarch64::ID_INS_SUB
@ ID_INS_SUB
sub
Definition aarch64Specifications.hpp:431
triton::arch::arm::aarch64::ID_INS_SMSUBL
@ ID_INS_SMSUBL
smsubl
Definition aarch64Specifications.hpp:358
triton::arch::arm::aarch64::ID_INS_LSR
@ ID_INS_LSR
lsr
Definition aarch64Specifications.hpp:275
triton::arch::arm::aarch64::ID_INS_UMULL
@ ID_INS_UMULL
umull
Definition aarch64Specifications.hpp:475
triton::arch::arm::aarch64::ID_INS_LDRB
@ ID_INS_LDRB
ldrb
Definition aarch64Specifications.hpp:252
triton::arch::arm::aarch64::ID_INS_BFI
@ ID_INS_BFI
bfi
Definition aarch64Specifications.hpp:524
triton::arch::arm::aarch64::ID_INS_MNEG
@ ID_INS_MNEG
mneg
Definition aarch64Specifications.hpp:510
triton::arch::arm::aarch64::ID_INS_LD4
@ ID_INS_LD4
ld4
Definition aarch64Specifications.hpp:240
triton::arch::arm::aarch64::ID_INS_LDURSW
@ ID_INS_LDURSW
ldursw
Definition aarch64Specifications.hpp:269
triton::arch::arm::aarch64::ID_INS_MOVK
@ ID_INS_MOVK
movk
Definition aarch64Specifications.hpp:280
triton::arch::arm::aarch64::ID_INS_NOP
@ ID_INS_NOP
nop
Definition aarch64Specifications.hpp:513
triton::arch::arm::aarch64::ID_INS_LD3R
@ ID_INS_LD3R
ld3r
Definition aarch64Specifications.hpp:238
triton::arch::arm::aarch64::ID_INS_LDTR
@ ID_INS_LDTR
ldtr
Definition aarch64Specifications.hpp:263
triton::arch::arm::aarch64::ID_INS_LSL
@ ID_INS_LSL
lsl
Definition aarch64Specifications.hpp:274
triton::arch::arm::aarch64::ID_INS_STLR
@ ID_INS_STLR
stlr
Definition aarch64Specifications.hpp:409
triton::arch::arm::aarch64::ID_INS_REV32
@ ID_INS_REV32
rev32
Definition aarch64Specifications.hpp:302
triton::arch::arm::aarch64::ID_INS_ASR
@ ID_INS_ASR
asr
Definition aarch64Specifications.hpp:106
triton::arch::arm::aarch64::ID_INS_LDRSW
@ ID_INS_LDRSW
ldrsw
Definition aarch64Specifications.hpp:257
triton::arch::arm::aarch64::ID_INS_CCMP
@ ID_INS_CCMP
ccmp
Definition aarch64Specifications.hpp:120
triton::arch::arm::aarch64::ID_INS_LDTRSB
@ ID_INS_LDTRSB
ldtrsb
Definition aarch64Specifications.hpp:260
triton::arch::arm::aarch64::ID_INS_SDIV
@ ID_INS_SDIV
sdiv
Definition aarch64Specifications.hpp:326
triton::arch::arm::aarch64::ID_INS_LDXR
@ ID_INS_LDXR
ldxr
Definition aarch64Specifications.hpp:273
triton::arch::arm::aarch64::ID_INS_STLRH
@ ID_INS_STLRH
stlrh
Definition aarch64Specifications.hpp:408
triton::arch::arm::aarch64::ID_INS_MOVI
@ ID_INS_MOVI
movi
Definition aarch64Specifications.hpp:279
triton::arch::arm::aarch64::ID_INS_CLZ
@ ID_INS_CLZ
clz
Definition aarch64Specifications.hpp:123
triton::arch::arm::aarch64::ID_INS_LDTRH
@ ID_INS_LDTRH
ldtrh
Definition aarch64Specifications.hpp:259
triton::arch::arm::aarch64::ID_INS_MADD
@ ID_INS_MADD
madd
Definition aarch64Specifications.hpp:276
triton::arch::arm::aarch64::ID_INS_UMNEGL
@ ID_INS_UMNEGL
umnegl
Definition aarch64Specifications.hpp:511
triton::arch::arm::aarch64::ID_INS_SXTB
@ ID_INS_SXTB
sxtb
Definition aarch64Specifications.hpp:534
triton::arch::arm::aarch64::ID_INS_TBZ
@ ID_INS_TBZ
tbz
Definition aarch64Specifications.hpp:439
triton::arch::arm::aarch64::ID_INS_LDPSW
@ ID_INS_LDPSW
ldpsw
Definition aarch64Specifications.hpp:251
triton::arch::arm::aarch64::ID_INS_MSUB
@ ID_INS_MSUB
msub
Definition aarch64Specifications.hpp:285
triton::arch::arm::aarch64::ID_INS_TBNZ
@ ID_INS_TBNZ
tbnz
Definition aarch64Specifications.hpp:437
triton::arch::arm::aarch64::ID_INS_LDAXR
@ ID_INS_LDAXR
ldaxr
Definition aarch64Specifications.hpp:248
triton::arch::arm::aarch64::ID_INS_NEG
@ ID_INS_NEG
neg
Definition aarch64Specifications.hpp:288
triton::arch::arm::aarch64::ID_INS_STURH
@ ID_INS_STURH
sturh
Definition aarch64Specifications.hpp:424
triton::arch::arm::aarch64::ID_INS_ROR
@ ID_INS_ROR
ror
Definition aarch64Specifications.hpp:305
triton::arch::arm::aarch64::ID_INS_LDRSH
@ ID_INS_LDRSH
ldrsh
Definition aarch64Specifications.hpp:256
triton::arch::arm::aarch64::ID_INS_CBZ
@ ID_INS_CBZ
cbz
Definition aarch64Specifications.hpp:118
triton::arch::arm::aarch64::ID_INS_BL
@ ID_INS_BL
bl
Definition aarch64Specifications.hpp:112
triton::arch::arm::aarch64::ID_INS_LDAXRH
@ ID_INS_LDAXRH
ldaxrh
Definition aarch64Specifications.hpp:247
triton::arch::arm::aarch64::ID_INS_CSET
@ ID_INS_CSET
cset
Definition aarch64Specifications.hpp:529
triton::arch::arm::aarch64::ID_INS_LDXP
@ ID_INS_LDXP
ldxp
Definition aarch64Specifications.hpp:270
triton::arch::arm::aarch64::ID_INS_STTRH
@ ID_INS_STTRH
sttrh
Definition aarch64Specifications.hpp:420
triton::arch::arm::aarch64::ID_INS_LDP
@ ID_INS_LDP
ldp
Definition aarch64Specifications.hpp:250
triton::arch::arm::aarch64::ID_INS_UXTB
@ ID_INS_UXTB
uxtb
Definition aarch64Specifications.hpp:538
triton::arch::arm::aarch64::ID_INS_ORR
@ ID_INS_ORR
orr
Definition aarch64Specifications.hpp:291
triton::arch::arm::aarch64::ID_INS_UDIV
@ ID_INS_UDIV
udiv
Definition aarch64Specifications.hpp:457
triton::arch::arm::aarch64::ID_INS_UMADDL
@ ID_INS_UMADDL
umaddl
Definition aarch64Specifications.hpp:460
triton::arch::arm::aarch64::ID_INS_MVN
@ ID_INS_MVN
mvn
Definition aarch64Specifications.hpp:527
triton::arch::arm::aarch64::ID_INS_SMULH
@ ID_INS_SMULH
smulh
Definition aarch64Specifications.hpp:359
triton::arch::arm::aarch64::ID_INS_MOVZ
@ ID_INS_MOVZ
movz
Definition aarch64Specifications.hpp:282
triton::arch::arm::aarch64::ID_INS_LDXRB
@ ID_INS_LDXRB
ldxrb
Definition aarch64Specifications.hpp:271
triton::arch::arm::aarch64::ID_INS_UMSUBL
@ ID_INS_UMSUBL
umsubl
Definition aarch64Specifications.hpp:472
triton::arch::arm::aarch64::ID_INS_STLXR
@ ID_INS_STLXR
stlxr
Definition aarch64Specifications.hpp:413
triton::arch::arm::aarch64::ID_INS_MRS
@ ID_INS_MRS
mrs
Definition aarch64Specifications.hpp:283
triton::arch::arm::aarch64::ID_INS_CSEL
@ ID_INS_CSEL
csel
Definition aarch64Specifications.hpp:142
triton::arch::arm::aarch64::ID_INS_MOVN
@ ID_INS_MOVN
movn
Definition aarch64Specifications.hpp:281
triton::arch::arm::aarch64::ID_INS_REV
@ ID_INS_REV
rev
Definition aarch64Specifications.hpp:304
triton::arch::arm::aarch64::ID_INS_REV16
@ ID_INS_REV16
rev16
Definition aarch64Specifications.hpp:301
triton::arch::arm::aarch64::ID_INS_STP
@ ID_INS_STP
stp
Definition aarch64Specifications.hpp:415
triton::arch::arm::aarch64::ID_INS_AND
@ ID_INS_AND
and
Definition aarch64Specifications.hpp:105
triton::arch::arm::aarch64::ID_INS_MSR
@ ID_INS_MSR
msr
Definition aarch64Specifications.hpp:284
triton::arch::arm::aarch64::ID_INS_ADD
@ ID_INS_ADD
add
Definition aarch64Specifications.hpp:97
triton::arch::arm::aarch64::ID_INS_LDXRH
@ ID_INS_LDXRH
ldxrh
Definition aarch64Specifications.hpp:272
triton::arch::arm::aarch64::ID_INS_CSINC
@ ID_INS_CSINC
csinc
Definition aarch64Specifications.hpp:143
triton::arch::arm::aarch64::ID_INS_CINC
@ ID_INS_CINC
cinc
Definition aarch64Specifications.hpp:530
triton::arch::arm::aarch64::ID_INS_STLXRB
@ ID_INS_STLXRB
stlxrb
Definition aarch64Specifications.hpp:411
triton::arch::arm::aarch64::ID_INS_CMN
@ ID_INS_CMN
cmn
Definition aarch64Specifications.hpp:526
triton::arch::arm::aarch64::ID_INS_ORN
@ ID_INS_ORN
orn
Definition aarch64Specifications.hpp:290
triton::arch::arm::aarch64::ID_INS_STURB
@ ID_INS_STURB
sturb
Definition aarch64Specifications.hpp:422
triton::arch::arm::aarch64::ID_INS_STRH
@ ID_INS_STRH
strh
Definition aarch64Specifications.hpp:418
triton::arch::arm::aarch64::ID_INS_STXP
@ ID_INS_STXP
stxp
Definition aarch64Specifications.hpp:425
triton::arch::arm::aarch64::ID_INS_BLR
@ ID_INS_BLR
blr
Definition aarch64Specifications.hpp:113
triton::arch::arm::aarch64::ID_INS_STR
@ ID_INS_STR
str
Definition aarch64Specifications.hpp:417
triton::arch::arm::aarch64::ID_INS_STLRB
@ ID_INS_STLRB
stlrb
Definition aarch64Specifications.hpp:407
triton::arch::arm::aarch64::ID_INS_LDARB
@ ID_INS_LDARB
ldarb
Definition aarch64Specifications.hpp:242
triton::arch::arm::aarch64::ID_INS_ADR
@ ID_INS_ADR
adr
Definition aarch64Specifications.hpp:99
triton::arch::arm::aarch64::ID_INS_LDURSH
@ ID_INS_LDURSH
ldursh
Definition aarch64Specifications.hpp:268
triton::arch::arm::aarch64::ID_INS_B
@ ID_INS_B
b
Definition aarch64Specifications.hpp:107
triton::arch::arm::aarch64::ID_INS_SBC
@ ID_INS_SBC
sbc
Definition aarch64Specifications.hpp:323
triton::arch::arm::aarch64::ID_INS_LDURH
@ ID_INS_LDURH
ldurh
Definition aarch64Specifications.hpp:266
triton::arch::arm::aarch64::ID_INS_LDUR
@ ID_INS_LDUR
ldur
Definition aarch64Specifications.hpp:265
triton::arch::arm::aarch64::ID_INS_UXTH
@ ID_INS_UXTH
uxth
Definition aarch64Specifications.hpp:539
triton::arch::arm::aarch64::ID_INS_STTR
@ ID_INS_STTR
sttr
Definition aarch64Specifications.hpp:421
triton::arch::arm::aarch64::ID_INS_STLXRH
@ ID_INS_STLXRH
stlxrh
Definition aarch64Specifications.hpp:412
triton::arch::arm::aarch64::ID_INS_BR
@ ID_INS_BR
br
Definition aarch64Specifications.hpp:114
triton::arch::arm::aarch64::ID_INS_RBIT
@ ID_INS_RBIT
rbit
Definition aarch64Specifications.hpp:299
triton::arch::arm::aarch64::ID_INS_SVC
@ ID_INS_SVC
svc
Definition aarch64Specifications.hpp:433
triton::arch::arm::aarch64::ID_INS_CNEG
@ ID_INS_CNEG
cneg
Definition aarch64Specifications.hpp:533
triton::arch::arm::aarch64::ID_INS_LD4R
@ ID_INS_LD4R
ld4r
Definition aarch64Specifications.hpp:241
triton::arch::arm::aarch64::ID_INS_EOR
@ ID_INS_EOR
eor
Definition aarch64Specifications.hpp:154
triton::arch::arm::aarch64::ID_INS_CSNEG
@ ID_INS_CSNEG
csneg
Definition aarch64Specifications.hpp:145
triton::arch::arm::aarch64::ID_INS_STXR
@ ID_INS_STXR
stxr
Definition aarch64Specifications.hpp:428
triton::arch::arm::aarch64::ID_INS_SMULL
@ ID_INS_SMULL
smull
Definition aarch64Specifications.hpp:361
triton::arch::arm::aarch64::ID_INS_EON
@ ID_INS_EON
eon
Definition aarch64Specifications.hpp:153
triton::arch::arm::aarch64::ID_INS_SXTW
@ ID_INS_SXTW
sxtw
Definition aarch64Specifications.hpp:536
triton::arch::arm::aarch64::ID_INS_TST
@ ID_INS_TST
tst
Definition aarch64Specifications.hpp:528
triton::arch::arm::aarch64::ID_INS_UBFX
@ ID_INS_UBFX
ubfx
Definition aarch64Specifications.hpp:523
triton::arch::arm::aarch64::ID_INS_STTRB
@ ID_INS_STTRB
sttrb
Definition aarch64Specifications.hpp:419
triton::arch::arm::aarch64::ID_INS_BIC
@ ID_INS_BIC
bic
Definition aarch64Specifications.hpp:109
triton::arch::arm::aarch64::ID_INS_LDRH
@ ID_INS_LDRH
ldrh
Definition aarch64Specifications.hpp:254
triton::arch::arm::aarch64::ID_INS_STNP
@ ID_INS_STNP
stnp
Definition aarch64Specifications.hpp:414
triton::arch::arm::aarch64::ID_INS_CMP
@ ID_INS_CMP
cmp
Definition aarch64Specifications.hpp:537
triton::arch::arm::aarch64::ID_INS_LDNP
@ ID_INS_LDNP
ldnp
Definition aarch64Specifications.hpp:249
triton::arch::arm::aarch64::ID_INS_BFXIL
@ ID_INS_BFXIL
bfxil
Definition aarch64Specifications.hpp:525
triton::arch::arm::aarch64::ID_INS_LDTRSW
@ ID_INS_LDTRSW
ldtrsw
Definition aarch64Specifications.hpp:262
triton::arch::arm::aarch64::ID_INS_MOV
@ ID_INS_MOV
mov
Definition aarch64Specifications.hpp:133
triton::arch::arm::aarch64::ID_INS_STUR
@ ID_INS_STUR
stur
Definition aarch64Specifications.hpp:423
triton::arch::arm::aarch64::ID_INS_SXTH
@ ID_INS_SXTH
sxth
Definition aarch64Specifications.hpp:535
triton::arch::arm::aarch64::ID_INS_LDAR
@ ID_INS_LDAR
ldar
Definition aarch64Specifications.hpp:244
triton::arch::arm::aarch64::ID_INS_SBFX
@ ID_INS_SBFX
sbfx
Definition aarch64Specifications.hpp:522
triton::arch::arm::aarch64::ID_INS_STXRH
@ ID_INS_STXRH
stxrh
Definition aarch64Specifications.hpp:427
triton::arch::arm::aarch64::ID_INS_STRB
@ ID_INS_STRB
strb
Definition aarch64Specifications.hpp:416
triton::arch::arm::aarch64::ID_INS_SMADDL
@ ID_INS_SMADDL
smaddl
Definition aarch64Specifications.hpp:345
triton::arch::arm::aarch64::ID_INS_LDURB
@ ID_INS_LDURB
ldurb
Definition aarch64Specifications.hpp:264
triton::arch::arm::aarch64::ID_INS_UMULH
@ ID_INS_UMULH
umulh
Definition aarch64Specifications.hpp:473
triton::arch::arm::aarch64::ID_INS_LDARH
@ ID_INS_LDARH
ldarh
Definition aarch64Specifications.hpp:243
triton::arch::arm::aarch64::ID_INS_LDRSB
@ ID_INS_LDRSB
ldrsb
Definition aarch64Specifications.hpp:255
triton::arch::arm::aarch64::ID_INS_LDTRB
@ ID_INS_LDTRB
ldtrb
Definition aarch64Specifications.hpp:258
triton::arch::arm::aarch64::ID_INS_LD3
@ ID_INS_LD3
ld3
Definition aarch64Specifications.hpp:239
triton::arch::arm::aarch64::ID_INS_STXRB
@ ID_INS_STXRB
stxrb
Definition aarch64Specifications.hpp:426
triton::arch::arm::aarch64::ID_INS_BRK
@ ID_INS_BRK
brk
Definition aarch64Specifications.hpp:115
triton::arch::arm::aarch64::ID_INS_EXTR
@ ID_INS_EXTR
extr
Definition aarch64Specifications.hpp:156
triton::arch::arm::aarch64::ID_INS_UBFIZ
@ ID_INS_UBFIZ
ubfiz
Definition aarch64Specifications.hpp:521
triton::arch::arm::aarch64::ID_INS_RET
@ ID_INS_RET
ret
Definition aarch64Specifications.hpp:300
triton::arch::arm::aarch64::ID_INS_LDTRSH
@ ID_INS_LDTRSH
ldtrsh
Definition aarch64Specifications.hpp:261
triton::arch::exception_e
exception_e
Definition archEnums.hpp:55
triton::arch::OP_IMM
@ OP_IMM
Definition archEnums.hpp:49
triton::arch::OP_REG
@ OP_REG
Definition archEnums.hpp:51
triton::arch::NO_FAULT
@ NO_FAULT
Definition archEnums.hpp:56
triton::arch::FAULT_UD
@ FAULT_UD
Definition archEnums.hpp:59
triton::arch::FAULT_BP
@ FAULT_BP
Definition archEnums.hpp:58
triton::arch::arm::vas_e
vas_e
Vector arrangement specifier.
Definition archEnums.hpp:175
triton::arch::arm::ID_VAS_4S
@ ID_VAS_4S
4 lanes, each containing a 32-bit element.
Definition archEnums.hpp:181
triton::arch::arm::ID_VAS_2D
@ ID_VAS_2D
2 lanes, each containing a 64-bit element.
Definition archEnums.hpp:183
triton::arch::arm::ID_VAS_1D
@ ID_VAS_1D
1 lane containing a 64-bit element.
Definition archEnums.hpp:184
triton::arch::arm::ID_VAS_16B
@ ID_VAS_16B
16 lanes, each containing an 8-bit element.
Definition archEnums.hpp:177
triton::arch::arm::ID_VAS_8B
@ ID_VAS_8B
8 lanes, each containing an 8-bit element.
Definition archEnums.hpp:178
triton::arch::arm::ID_VAS_8H
@ ID_VAS_8H
8 lanes, each containing a 16-bit element.
Definition archEnums.hpp:179
triton::arch::arm::ID_VAS_4H
@ ID_VAS_4H
4 lanes, each containing a 16-bit element.
Definition archEnums.hpp:180
triton::arch::arm::ID_VAS_2S
@ ID_VAS_2S
2 lanes, each containing a 32-bit element.
Definition archEnums.hpp:182
triton::arch::arm::ID_CONDITION_HS
@ ID_CONDITION_HS
Higher or same (unsigned >=). C set.
Definition archEnums.hpp:161
triton::arch::arm::ID_CONDITION_PL
@ ID_CONDITION_PL
Positive or zero. N clear.
Definition archEnums.hpp:168
triton::arch::arm::ID_CONDITION_VC
@ ID_CONDITION_VC
No overflow. V clear.
Definition archEnums.hpp:169
triton::arch::arm::ID_CONDITION_LE
@ ID_CONDITION_LE
Signed <=. Z set, N and V differ.
Definition archEnums.hpp:162
triton::arch::arm::ID_CONDITION_VS
@ ID_CONDITION_VS
Overflow. V set.
Definition archEnums.hpp:170
triton::arch::arm::ID_CONDITION_MI
@ ID_CONDITION_MI
Negative. N set.
Definition archEnums.hpp:166
triton::arch::arm::ID_CONDITION_GE
@ ID_CONDITION_GE
Signed >=. N and V the same.
Definition archEnums.hpp:158
triton::arch::arm::ID_CONDITION_GT
@ ID_CONDITION_GT
Signed >. Z clear, N and V the same.
Definition archEnums.hpp:159
triton::arch::arm::ID_CONDITION_HI
@ ID_CONDITION_HI
Higher (unsigned >). C set and Z clear.
Definition archEnums.hpp:160
triton::arch::arm::ID_CONDITION_NE
@ ID_CONDITION_NE
Not equal. Z clear.
Definition archEnums.hpp:167
triton::arch::arm::ID_CONDITION_AL
@ ID_CONDITION_AL
Always. Any flags. This suffix is normally omitted.
Definition archEnums.hpp:156
triton::arch::arm::ID_CONDITION_LO
@ ID_CONDITION_LO
Lower (unsigned <). C clear.
Definition archEnums.hpp:163
triton::arch::arm::ID_CONDITION_LT
@ ID_CONDITION_LT
Signed <. N and V differ.
Definition archEnums.hpp:165
triton::arch::arm::ID_CONDITION_LS
@ ID_CONDITION_LS
Lower or same (unsigned <=). C clear or Z set.
Definition archEnums.hpp:164
triton::arch::arm::ID_CONDITION_EQ
@ ID_CONDITION_EQ
Equal. Z set.
Definition archEnums.hpp:157
triton::ast::SharedAbstractNode
std::shared_ptr< triton::ast::AbstractNode > SharedAbstractNode
Shared Abstract Node.
Definition ast.hpp:59
triton::ast::SharedAstContext
std::shared_ptr< triton::ast::AstContext > SharedAstContext
Shared AST context.
Definition ast.hpp:65
triton::ast::ITE_NODE
@ ITE_NODE
Definition astEnums.hpp:73
triton::bitsize::dword
constexpr triton::uint32 dword
dword size in bit
Definition cpuSize.hpp:64
triton::bitsize::qword
constexpr triton::uint32 qword
qword size in bit
Definition cpuSize.hpp:66
triton::bitsize::dqword
constexpr triton::uint32 dqword
dqword size in bit
Definition cpuSize.hpp:70
triton::size::dword
constexpr triton::uint32 dword
dword size in byte
Definition cpuSize.hpp:34
triton::size::word
constexpr triton::uint32 word
word size in byte
Definition cpuSize.hpp:32
triton::size::byte
constexpr triton::uint32 byte
byte size in byte
Definition cpuSize.hpp:30
triton::size::qword
constexpr triton::uint32 qword
qword size in byte
Definition cpuSize.hpp:36
triton::engines::symbolic::SharedSymbolicExpression
std::shared_ptr< triton::engines::symbolic::SymbolicExpression > SharedSymbolicExpression
Shared Symbolic Expression.
Definition ast.hpp:40
triton::engines::taint::UNTAINTED
const bool UNTAINTED
Defines an untainted item.
Definition taintEngine.hpp:49
triton::uint32
std::uint32_t uint32
unisgned 32-bits
Definition tritonTypes.hpp:39
triton
The Triton namespace.
Definition architecture.cpp:22
Generated by doxygen 1.9.8