libTriton version 1.0 build 1592
Loading...
Searching...
No Matches
aarch64Semantics.cpp
Go to the documentation of this file.
1
2/*
3** Copyright (C) - Triton
4**
5** This program is under the terms of the Apache License 2.0.
6*/
7
8#include <triton/aarch64Semantics.hpp>
9#include <triton/aarch64Specifications.hpp>
10#include <triton/astContext.hpp>
11#include <triton/cpuSize.hpp>
12#include <triton/exceptions.hpp>
13
14
15
205namespace triton {
206 namespace arch {
207 namespace arm {
208 namespace aarch64 {
209
210 AArch64Semantics::AArch64Semantics(triton::arch::Architecture* architecture,
211 triton::engines::symbolic::SymbolicEngine* symbolicEngine,
212 triton::engines::taint::TaintEngine* taintEngine,
213 const triton::ast::SharedAstContext& astCtxt) : astCtxt(astCtxt) {
214
215 this->architecture = architecture;
216 this->exception = triton::arch::NO_FAULT;
217 this->symbolicEngine = symbolicEngine;
218 this->taintEngine = taintEngine;
219
220 if (architecture == nullptr)
221 throw triton::exceptions::Semantics("AArch64Semantics::AArch64Semantics(): The architecture API must be defined.");
222
223 if (this->symbolicEngine == nullptr)
224 throw triton::exceptions::Semantics("AArch64Semantics::AArch64Semantics(): The symbolic engine API must be defined.");
225
226 if (this->taintEngine == nullptr)
227 throw triton::exceptions::Semantics("AArch64Semantics::AArch64Semantics(): The taint engines API must be defined.");
228 }
229
230
231 triton::arch::exception_e AArch64Semantics::buildSemantics(triton::arch::Instruction& inst) {
232 this->exception = triton::arch::NO_FAULT;
233 switch (inst.getType()) {
234 case ID_INS_ADC: this->adc_s(inst); break;
235 case ID_INS_ADD: this->add_s(inst); break;
236 case ID_INS_ADR: this->adr_s(inst); break;
237 case ID_INS_ADRP: this->adrp_s(inst); break;
238 case ID_INS_AND: this->and_s(inst); break;
239 case ID_INS_ASR: this->asr_s(inst); break;
240 case ID_INS_B: this->b_s(inst); break;
241 case ID_INS_BFI: this->bfi_s(inst); break;
242 case ID_INS_BFXIL: this->bfxil_s(inst); break;
243 case ID_INS_BIC: this->bic_s(inst); break;
244 case ID_INS_BL: this->bl_s(inst); break;
245 case ID_INS_BLR: this->blr_s(inst); break;
246 case ID_INS_BR: this->br_s(inst); break;
247 case ID_INS_BRK: this->brk_s(inst); break;
248 case ID_INS_CBNZ: this->cbnz_s(inst); break;
249 case ID_INS_CBZ: this->cbz_s(inst); break;
250 case ID_INS_CCMP: this->ccmp_s(inst); break;
251 case ID_INS_CINC: this->cinc_s(inst); break;
252 case ID_INS_CLZ: this->clz_s(inst); break;
253 case ID_INS_CMN: this->cmn_s(inst); break;
254 case ID_INS_CMP: this->cmp_s(inst); break;
255 case ID_INS_CNEG: this->cneg_s(inst); break;
256 case ID_INS_CSEL: this->csel_s(inst); break;
257 case ID_INS_CSET: this->cset_s(inst); break;
258 case ID_INS_CSINC: this->csinc_s(inst); break;
259 case ID_INS_CSNEG: this->csneg_s(inst); break;
260 case ID_INS_EON: this->eon_s(inst); break;
261 case ID_INS_EOR: this->eor_s(inst); break;
262 case ID_INS_EXTR: this->extr_s(inst); break;
263 case ID_INS_FMOV: this->fmov_s(inst); break;
264 case ID_INS_LD3: this->ld3_s(inst); break;
265 case ID_INS_LD3R: this->ld3r_s(inst); break;
266 case ID_INS_LD4: this->ld4_s(inst); break;
267 case ID_INS_LD4R: this->ld4r_s(inst); break;
268 case ID_INS_LDAR: this->ldar_s(inst); break;
269 case ID_INS_LDARB: this->ldarb_s(inst); break;
270 case ID_INS_LDARH: this->ldarh_s(inst); break;
271 case ID_INS_LDAXR: this->ldaxr_s(inst); break;
272 case ID_INS_LDAXRB: this->ldaxrb_s(inst); break;
273 case ID_INS_LDAXRH: this->ldaxrh_s(inst); break;
274 case ID_INS_LDNP: this->ldnp_s(inst); break;
275 case ID_INS_LDP: this->ldp_s(inst); break;
276 case ID_INS_LDPSW: this->ldpsw_s(inst); break;
277 case ID_INS_LDR: this->ldr_s(inst); break;
278 case ID_INS_LDRB: this->ldrb_s(inst); break;
279 case ID_INS_LDRH: this->ldrh_s(inst); break;
280 case ID_INS_LDRSB: this->ldrsb_s(inst); break;
281 case ID_INS_LDRSH: this->ldrsh_s(inst); break;
282 case ID_INS_LDRSW: this->ldrsw_s(inst); break;
283 case ID_INS_LDTR: this->ldtr_s(inst); break;
284 case ID_INS_LDTRB: this->ldtrb_s(inst); break;
285 case ID_INS_LDTRH: this->ldtrh_s(inst); break;
286 case ID_INS_LDTRSB: this->ldtrsb_s(inst); break;
287 case ID_INS_LDTRSH: this->ldtrsh_s(inst); break;
288 case ID_INS_LDTRSW: this->ldtrsw_s(inst); break;
289 case ID_INS_LDUR: this->ldur_s(inst); break;
290 case ID_INS_LDURB: this->ldurb_s(inst); break;
291 case ID_INS_LDURH: this->ldurh_s(inst); break;
292 case ID_INS_LDURSB: this->ldursb_s(inst); break;
293 case ID_INS_LDURSH: this->ldursh_s(inst); break;
294 case ID_INS_LDURSW: this->ldursw_s(inst); break;
295 case ID_INS_LDXP: this->ldxp_s(inst); break;
296 case ID_INS_LDXR: this->ldxr_s(inst); break;
297 case ID_INS_LDXRB: this->ldxrb_s(inst); break;
298 case ID_INS_LDXRH: this->ldxrh_s(inst); break;
299 case ID_INS_LSL: this->lsl_s(inst); break;
300 case ID_INS_LSR: this->lsr_s(inst); break;
301 case ID_INS_MADD: this->madd_s(inst); break;
302 case ID_INS_MNEG: this->mneg_s(inst); break;
303 case ID_INS_MOV: this->mov_s(inst); break;
304 case ID_INS_MOVI: this->movi_s(inst); break;
305 case ID_INS_MOVK: this->movk_s(inst); break;
306 case ID_INS_MOVN: this->movn_s(inst); break;
307 case ID_INS_MOVZ: this->movz_s(inst); break;
308 case ID_INS_MRS: this->mrs_s(inst); break;
309 case ID_INS_MSR: this->msr_s(inst); break;
310 case ID_INS_MSUB: this->msub_s(inst); break;
311 case ID_INS_MUL: this->mul_s(inst); break;
312 case ID_INS_MVN: this->mvn_s(inst); break;
313 case ID_INS_NEG: this->neg_s(inst); break;
314 case ID_INS_NOP: this->nop_s(inst); break;
315 case ID_INS_ORN: this->orn_s(inst); break;
316 case ID_INS_ORR: this->orr_s(inst); break;
317 case ID_INS_RBIT: this->rbit_s(inst); break;
318 case ID_INS_RET: this->ret_s(inst); break;
319 case ID_INS_REV16: this->rev16_s(inst); break;
320 case ID_INS_REV32: this->rev32_s(inst); break;
321 case ID_INS_REV64: this->rev_s(inst); break;
322 case ID_INS_REV: this->rev_s(inst); break;
323 case ID_INS_ROR: this->ror_s(inst); break;
324 case ID_INS_SBC: this->sbc_s(inst); break;
325 case ID_INS_SBFX: this->sbfx_s(inst); break;
326 case ID_INS_SDIV: this->sdiv_s(inst); break;
327 case ID_INS_SMADDL: this->smaddl_s(inst); break;
328 case ID_INS_SMSUBL: this->smsubl_s(inst); break;
329 case ID_INS_SMULH: this->smulh_s(inst); break;
330 case ID_INS_SMULL: this->smull_s(inst); break;
331 case ID_INS_STLR: this->stlr_s(inst); break;
332 case ID_INS_STLRB: this->stlrb_s(inst); break;
333 case ID_INS_STLRH: this->stlrh_s(inst); break;
334 case ID_INS_STLXR: this->stlxr_s(inst); break;
335 case ID_INS_STLXRB: this->stlxrb_s(inst); break;
336 case ID_INS_STLXRH: this->stlxrh_s(inst); break;
337 case ID_INS_STNP: this->stnp_s(inst); break;
338 case ID_INS_STP: this->stp_s(inst); break;
339 case ID_INS_STR: this->str_s(inst); break;
340 case ID_INS_STRB: this->strb_s(inst); break;
341 case ID_INS_STRH: this->strh_s(inst); break;
342 case ID_INS_STTR: this->sttr_s(inst); break;
343 case ID_INS_STTRB: this->sttrb_s(inst); break;
344 case ID_INS_STTRH: this->sttrh_s(inst); break;
345 case ID_INS_STUR: this->stur_s(inst); break;
346 case ID_INS_STURB: this->sturb_s(inst); break;
347 case ID_INS_STURH: this->sturh_s(inst); break;
348 case ID_INS_STXP: this->stxp_s(inst); break;
349 case ID_INS_STXR: this->stxr_s(inst); break;
350 case ID_INS_STXRB: this->stxrb_s(inst); break;
351 case ID_INS_STXRH: this->stxrh_s(inst); break;
352 case ID_INS_SUB: this->sub_s(inst); break;
353 case ID_INS_SVC: this->svc_s(inst); break;
354 case ID_INS_SXTB: this->sxtb_s(inst); break;
355 case ID_INS_SXTH: this->sxth_s(inst); break;
356 case ID_INS_SXTW: this->sxtw_s(inst); break;
357 case ID_INS_TBNZ: this->tbnz_s(inst); break;
358 case ID_INS_TBZ: this->tbz_s(inst); break;
359 case ID_INS_TST: this->tst_s(inst); break;
360 case ID_INS_UBFIZ: this->ubfiz_s(inst); break;
361 case ID_INS_UBFX: this->ubfx_s(inst); break;
362 case ID_INS_UDIV: this->udiv_s(inst); break;
363 case ID_INS_UMADDL: this->umaddl_s(inst); break;
364 case ID_INS_UMOV: this->umov_s(inst); break;
365 case ID_INS_UMNEGL: this->umnegl_s(inst); break;
366 case ID_INS_UMSUBL: this->umsubl_s(inst); break;
367 case ID_INS_UMULH: this->umulh_s(inst); break;
368 case ID_INS_UMULL: this->umull_s(inst); break;
369 case ID_INS_UXTB: this->uxtb_s(inst); break;
370 case ID_INS_UXTH: this->uxth_s(inst); break;
371 default:
372 this->exception = triton::arch::FAULT_UD;
373 break;
374 }
375 return this->exception;
376 }
377
378
379 void AArch64Semantics::controlFlow_s(triton::arch::Instruction& inst) {
380 auto pc = triton::arch::OperandWrapper(this->architecture->getParentRegister(ID_REG_AARCH64_PC));
381
382 /* Create the semantics */
383 auto node = this->astCtxt->bv(inst.getNextAddress(), pc.getBitSize());
384
385 /* Create symbolic expression */
386 auto expr = this->symbolicEngine->createSymbolicRegisterExpression(inst, node, this->architecture->getParentRegister(ID_REG_AARCH64_PC), "Program Counter");
387
388 /* Spread taint */
389 expr->isTainted = this->taintEngine->setTaintRegister(this->architecture->getParentRegister(ID_REG_AARCH64_PC), triton::engines::taint::UNTAINTED);
390 }
391
392
393 triton::ast::SharedAbstractNode AArch64Semantics::getCodeConditionAst(triton::arch::Instruction& inst,
394 triton::ast::SharedAbstractNode& thenNode,
395 triton::ast::SharedAbstractNode& elseNode) {
396
397 switch (inst.getCodeCondition()) {
398 // Always. Any flags. This suffix is normally omitted.
399 case triton::arch::arm::ID_CONDITION_AL: {
400 return thenNode;
401 }
402
403 // Equal. Z set.
404 case triton::arch::arm::ID_CONDITION_EQ: {
405 auto z = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z)));
406 auto node = this->astCtxt->ite(
407 this->astCtxt->equal(z, this->astCtxt->bvtrue()),
408 thenNode,
409 elseNode);
410 return node;
411 }
412
413 // Signed >=. N and V the same.
414 case triton::arch::arm::ID_CONDITION_GE: {
415 auto n = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N)));
416 auto v = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V)));
417 auto node = this->astCtxt->ite(
418 this->astCtxt->equal(n, v),
419 thenNode,
420 elseNode);
421 return node;
422 }
423
424 // Signed >. Z clear, N and V the same.
425 case triton::arch::arm::ID_CONDITION_GT: {
426 auto z = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z)));
427 auto n = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N)));
428 auto v = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V)));
429 auto node = this->astCtxt->ite(
430 this->astCtxt->land(
431 this->astCtxt->equal(z, this->astCtxt->bvfalse()),
432 this->astCtxt->equal(n, v)
433 ),
434 thenNode,
435 elseNode);
436 return node;
437 }
438
439 // Higher (unsigned >). C set and Z clear.
440 case triton::arch::arm::ID_CONDITION_HI: {
441 auto c = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C)));
442 auto z = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z)));
443 auto node = this->astCtxt->ite(
444 this->astCtxt->land(
445 this->astCtxt->equal(c, this->astCtxt->bvtrue()),
446 this->astCtxt->equal(z, this->astCtxt->bvfalse())
447 ),
448 thenNode,
449 elseNode);
450 return node;
451 }
452
453 // Higher or same (unsigned >=). C set.
454 case triton::arch::arm::ID_CONDITION_HS: {
455 auto c = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C)));
456 auto node = this->astCtxt->ite(
457 this->astCtxt->equal(c, this->astCtxt->bvtrue()),
458 thenNode,
459 elseNode);
460 return node;
461 }
462
463 // Signed <=. Z set or N and V differ.
464 case triton::arch::arm::ID_CONDITION_LE: {
465 auto z = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z)));
466 auto n = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N)));
467 auto v = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V)));
468 auto node = this->astCtxt->ite(
469 this->astCtxt->lor(
470 this->astCtxt->equal(z, this->astCtxt->bvtrue()),
471 this->astCtxt->lnot(this->astCtxt->equal(n, v))
472 ),
473 thenNode,
474 elseNode);
475 return node;
476 }
477
478 // Lower (unsigned <). C clear.
479 case triton::arch::arm::ID_CONDITION_LO: {
480 auto c = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C)));
481 auto node = this->astCtxt->ite(
482 this->astCtxt->equal(c, this->astCtxt->bvfalse()),
483 thenNode,
484 elseNode);
485 return node;
486 }
487
488 // Lower or same (unsigned <=). C clear or Z set.
489 case triton::arch::arm::ID_CONDITION_LS: {
490 auto c = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C)));
491 auto z = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z)));
492 auto node = this->astCtxt->ite(
493 this->astCtxt->lor(
494 this->astCtxt->equal(c, this->astCtxt->bvfalse()),
495 this->astCtxt->equal(z, this->astCtxt->bvtrue())
496 ),
497 thenNode,
498 elseNode);
499 return node;
500 }
501
502 // Signed <. N and V differ.
503 case triton::arch::arm::ID_CONDITION_LT: {
504 auto n = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N)));
505 auto v = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V)));
506 auto node = this->astCtxt->ite(
507 this->astCtxt->lnot(this->astCtxt->equal(n, v)),
508 thenNode,
509 elseNode);
510 return node;
511 }
512
513 // Negative. N set.
514 case triton::arch::arm::ID_CONDITION_MI: {
515 auto n = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N)));
516 auto node = this->astCtxt->ite(
517 this->astCtxt->equal(n, this->astCtxt->bvtrue()),
518 thenNode,
519 elseNode);
520 return node;
521 }
522
523 // Not equal. Z clear.
524 case triton::arch::arm::ID_CONDITION_NE: {
525 auto z = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z)));
526 auto node = this->astCtxt->ite(
527 this->astCtxt->equal(z, this->astCtxt->bvfalse()),
528 thenNode,
529 elseNode);
530 return node;
531 }
532
533 // Positive or zero. N clear.
534 case triton::arch::arm::ID_CONDITION_PL: {
535 auto n = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N)));
536 auto node = this->astCtxt->ite(
537 this->astCtxt->equal(n, this->astCtxt->bvfalse()),
538 thenNode,
539 elseNode);
540 return node;
541 }
542
543 // No overflow. V clear.
544 case triton::arch::arm::ID_CONDITION_VC: {
545 auto v = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V)));
546 auto node = this->astCtxt->ite(
547 this->astCtxt->equal(v, this->astCtxt->bvfalse()),
548 thenNode,
549 elseNode);
550 return node;
551 }
552
553 // Overflow. V set.
554 case triton::arch::arm::ID_CONDITION_VS: {
555 auto v = this->symbolicEngine->getOperandAst(inst, triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V)));
556 auto node = this->astCtxt->ite(
557 this->astCtxt->equal(v, this->astCtxt->bvtrue()),
558 thenNode,
559 elseNode);
560 return node;
561 }
562
563 default:
564 /* The instruction don't use condition, so just return the 'then' node */
565 return thenNode;
566 }
567 }
568
569
570 bool AArch64Semantics::getCodeConditionTainteSate(const triton::arch::Instruction& inst) {
571 switch (inst.getCodeCondition()) {
572 // Always. Any flags. This suffix is normally omitted.
573 case triton::arch::arm::ID_CONDITION_AL: {
574 return false;
575 }
576
577 // Equal. Z set.
578 // Not equal. Z clear.
579 case triton::arch::arm::ID_CONDITION_EQ:
580 case triton::arch::arm::ID_CONDITION_NE: {
581 auto z = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z));
582 return this->taintEngine->isTainted(z);
583 }
584
585 // Signed >=. N and V the same.
586 // Signed <. N and V differ.
587 case triton::arch::arm::ID_CONDITION_GE:
588 case triton::arch::arm::ID_CONDITION_LT: {
589 auto n = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N));
590 auto v = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V));
591 return this->taintEngine->isTainted(n) | this->taintEngine->isTainted(v);
592 }
593
594 // Signed >. Z clear, N and V the same.
595 // Signed <=. Z set, N and V differ.
596 case triton::arch::arm::ID_CONDITION_GT:
597 case triton::arch::arm::ID_CONDITION_LE: {
598 auto z = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z));
599 auto n = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N));
600 auto v = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V));
601 return this->taintEngine->isTainted(z) | this->taintEngine->isTainted(n) | this->taintEngine->isTainted(v);
602 }
603
604 // Higher (unsigned >). C set and Z clear.
605 // Lower or same (unsigned <=). C clear or Z set.
606 case triton::arch::arm::ID_CONDITION_HI:
607 case triton::arch::arm::ID_CONDITION_LS: {
608 auto c = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C));
609 auto z = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_Z));
610 return this->taintEngine->isTainted(c) | this->taintEngine->isTainted(z);
611 }
612
613 // Higher or same (unsigned >=). C set.
614 // Lower (unsigned <). C clear.
615 case triton::arch::arm::ID_CONDITION_HS:
616 case triton::arch::arm::ID_CONDITION_LO: {
617 auto c = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C));
618 return this->taintEngine->isTainted(c);
619 }
620
621 // Negative. N set.
622 // Positive or zero. N clear.
623 case triton::arch::arm::ID_CONDITION_MI:
624 case triton::arch::arm::ID_CONDITION_PL: {
625 auto n = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_N));
626 return this->taintEngine->isTainted(n);
627 }
628
629 // No overflow. V clear.
630 // Overflow. V set.
631 case triton::arch::arm::ID_CONDITION_VC:
632 case triton::arch::arm::ID_CONDITION_VS: {
633 auto v = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_V));
634 return this->taintEngine->isTainted(v);
635 }
636
637 default:
638 return false;
639 }
640 }
641
642
643 void AArch64Semantics::clearFlag_s(triton::arch::Instruction& inst, const triton::arch::Register& flag, std::string comment) {
644 /* Create the semantics */
645 auto node = this->astCtxt->bv(0, 1);
646
647 /* Create symbolic expression */
648 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, flag, comment);
649
650 /* Spread taint */
651 expr->isTainted = this->taintEngine->setTaintRegister(flag, triton::engines::taint::UNTAINTED);
652 }
653
654
655 void AArch64Semantics::setFlag_s(triton::arch::Instruction& inst, const triton::arch::Register& flag, std::string comment) {
656 /* Create the semantics */
657 auto node = this->astCtxt->bv(1, 1);
658
659 /* Create symbolic expression */
660 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, flag, comment);
661
662 /* Spread taint */
663 expr->isTainted = this->taintEngine->setTaintRegister(flag, triton::engines::taint::UNTAINTED);
664 }
665
666
667 void AArch64Semantics::nf_s(triton::arch::Instruction& inst,
668 const triton::engines::symbolic::SharedSymbolicExpression& parent,
669 triton::arch::OperandWrapper& dst) {
670
671 auto nf = this->architecture->getRegister(ID_REG_AARCH64_N);
672 auto high = dst.getHigh();
673
674 /*
675 * Create the semantic.
676 * nf = MSB(result)
677 */
678 auto node = this->astCtxt->extract(high, high, this->astCtxt->reference(parent));
679
680 /* Create the symbolic expression */
681 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, nf, "Negative flag");
682
683 /* Spread the taint from the parent to the child */
684 expr->isTainted = this->taintEngine->setTaintRegister(nf, parent->isTainted);
685 }
686
687
688 void AArch64Semantics::nfCcmp_s(triton::arch::Instruction& inst,
689 const triton::engines::symbolic::SharedSymbolicExpression& parent,
690 triton::arch::OperandWrapper& dst,
691 triton::ast::SharedAbstractNode& nzcv) {
692
693 auto nf = this->architecture->getRegister(ID_REG_AARCH64_N);
694 auto high = dst.getHigh();
695
696 /*
697 * Create the semantic.
698 * nf = MSB(result) if cond == true else NF(nzcv)
699 */
700 auto node1 = this->astCtxt->extract(high, high, this->astCtxt->reference(parent));
701 auto node2 = this->astCtxt->extract(3, 3, nzcv);
702 auto node3 = this->getCodeConditionAst(inst, node1, node2);
703
704 /* Create the symbolic expression */
705 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node3, nf, "Negative flag");
706
707 /* Spread the taint from the parent to the child */
708 expr->isTainted = this->taintEngine->setTaintRegister(nf, parent->isTainted);
709 }
710
711
712 void AArch64Semantics::zf_s(triton::arch::Instruction& inst,
713 const triton::engines::symbolic::SharedSymbolicExpression& parent,
714 triton::arch::OperandWrapper& dst) {
715
716 auto zf = this->architecture->getRegister(ID_REG_AARCH64_Z);
717 auto bvSize = dst.getBitSize();
718 auto low = dst.getLow();
719 auto high = dst.getHigh();
720
721 /*
722 * Create the semantic.
723 * zf = 0 == result
724 */
725 auto node = this->astCtxt->ite(
726 this->astCtxt->equal(
727 this->astCtxt->extract(high, low, this->astCtxt->reference(parent)),
728 this->astCtxt->bv(0, bvSize)
729 ),
730 this->astCtxt->bv(1, 1),
731 this->astCtxt->bv(0, 1)
732 );
733
734 /* Create the symbolic expression */
735 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, zf, "Zero flag");
736
737 /* Spread the taint from the parent to the child */
738 expr->isTainted = this->taintEngine->setTaintRegister(zf, parent->isTainted);
739 }
740
741
742 void AArch64Semantics::zfCcmp_s(triton::arch::Instruction& inst,
743 const triton::engines::symbolic::SharedSymbolicExpression& parent,
744 triton::arch::OperandWrapper& dst,
745 triton::ast::SharedAbstractNode& nzcv) {
746
747 auto zf = this->architecture->getRegister(ID_REG_AARCH64_Z);
748 auto bvSize = dst.getBitSize();
749 auto low = dst.getLow();
750 auto high = dst.getHigh();
751
752 /*
753 * Create the semantic.
754 * zf = 0 == result if cond == true else ZF(nzcv)
755 */
756 auto node1 = this->astCtxt->ite(
757 this->astCtxt->equal(
758 this->astCtxt->extract(high, low, this->astCtxt->reference(parent)),
759 this->astCtxt->bv(0, bvSize)
760 ),
761 this->astCtxt->bv(1, 1),
762 this->astCtxt->bv(0, 1)
763 );
764 auto node2 = this->astCtxt->extract(2, 2, nzcv);
765 auto node3 = this->getCodeConditionAst(inst, node1, node2);
766
767 /* Create the symbolic expression */
768 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node3, zf, "Zero flag");
769
770 /* Spread the taint from the parent to the child */
771 expr->isTainted = this->taintEngine->setTaintRegister(zf, parent->isTainted);
772 }
773
774
775 void AArch64Semantics::cfAdd_s(triton::arch::Instruction& inst,
776 const triton::engines::symbolic::SharedSymbolicExpression& parent,
777 triton::arch::OperandWrapper& dst,
778 triton::ast::SharedAbstractNode& op1,
779 triton::ast::SharedAbstractNode& op2) {
780
781 auto cf = this->architecture->getRegister(ID_REG_AARCH64_C);
782 auto bvSize = dst.getBitSize();
783 auto low = dst.getLow();
784 auto high = dst.getHigh();
785
786 /*
787 * Create the semantic.
788 * cf = MSB((op1 & op2) ^ ((op1 ^ op2 ^ result) & (op1 ^ op2)));
789 */
790 auto node = this->astCtxt->extract(bvSize-1, bvSize-1,
791 this->astCtxt->bvxor(
792 this->astCtxt->bvand(op1, op2),
793 this->astCtxt->bvand(
794 this->astCtxt->bvxor(
795 this->astCtxt->bvxor(op1, op2),
796 this->astCtxt->extract(high, low, this->astCtxt->reference(parent))
797 ),
798 this->astCtxt->bvxor(op1, op2))
799 )
800 );
801
802 /* Create the symbolic expression */
803 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, cf, "Carry flag");
804
805 /* Spread the taint from the parent to the child */
806 expr->isTainted = this->taintEngine->setTaintRegister(cf, parent->isTainted);
807 }
808
809
810 void AArch64Semantics::cfSub_s(triton::arch::Instruction& inst,
811 const triton::engines::symbolic::SharedSymbolicExpression& parent,
812 triton::arch::OperandWrapper& dst,
813 triton::ast::SharedAbstractNode& op1,
814 triton::ast::SharedAbstractNode& op2) {
815
816 auto cf = this->architecture->getRegister(ID_REG_AARCH64_C);
817 auto bvSize = dst.getBitSize();
818 auto low = dst.getLow();
819 auto high = dst.getHigh();
820
821 /*
822 * Create the semantic.
823 * cf = (MSB(((op1 ^ op2 ^ result) ^ ((op1 ^ result) & (op1 ^ op2))))) ^ 1
824 */
825 auto node = this->astCtxt->bvxor(
826 this->astCtxt->extract(bvSize-1, bvSize-1,
827 this->astCtxt->bvxor(
828 this->astCtxt->bvxor(op1, this->astCtxt->bvxor(op2, this->astCtxt->extract(high, low, this->astCtxt->reference(parent)))),
829 this->astCtxt->bvand(
830 this->astCtxt->bvxor(op1, this->astCtxt->extract(high, low, this->astCtxt->reference(parent))),
831 this->astCtxt->bvxor(op1, op2)
832 )
833 )
834 ),
835 this->astCtxt->bvtrue()
836 );
837
838 /* Create the symbolic expression */
839 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, cf, "Carry flag");
840
841 /* Spread the taint from the parent to the child */
842 expr->isTainted = this->taintEngine->setTaintRegister(cf, parent->isTainted);
843 }
844
845
846 void AArch64Semantics::cfCcmp_s(triton::arch::Instruction& inst,
847 const triton::engines::symbolic::SharedSymbolicExpression& parent,
848 triton::arch::OperandWrapper& dst,
849 triton::ast::SharedAbstractNode& op1,
850 triton::ast::SharedAbstractNode& op2,
851 triton::ast::SharedAbstractNode& nzcv) {
852
853 auto cf = this->architecture->getRegister(ID_REG_AARCH64_C);
854 auto bvSize = dst.getBitSize();
855 auto low = dst.getLow();
856 auto high = dst.getHigh();
857
858 /*
859 * Create the semantic.
860 * if cond == true:
861 * cf = (MSB(((op1 ^ op2 ^ result) ^ ((op1 ^ result) & (op1 ^ op2))))) ^ 1
862 * else
863 * cf = CF(nzcv)
864 */
865 auto node1 = this->astCtxt->bvxor(
866 this->astCtxt->extract(bvSize-1, bvSize-1,
867 this->astCtxt->bvxor(
868 this->astCtxt->bvxor(op1, this->astCtxt->bvxor(op2, this->astCtxt->extract(high, low, this->astCtxt->reference(parent)))),
869 this->astCtxt->bvand(
870 this->astCtxt->bvxor(op1, this->astCtxt->extract(high, low, this->astCtxt->reference(parent))),
871 this->astCtxt->bvxor(op1, op2)
872 )
873 )
874 ),
875 this->astCtxt->bvtrue()
876 );
877 auto node2 = this->astCtxt->extract(1, 1, nzcv);
878 auto node3 = this->getCodeConditionAst(inst, node1, node2);
879
880 /* Create the symbolic expression */
881 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node3, cf, "Carry flag");
882
883 /* Spread the taint from the parent to the child */
884 expr->isTainted = this->taintEngine->setTaintRegister(cf, parent->isTainted);
885 }
886
887
888 void AArch64Semantics::vfAdd_s(triton::arch::Instruction& inst,
889 const triton::engines::symbolic::SharedSymbolicExpression& parent,
890 triton::arch::OperandWrapper& dst,
891 triton::ast::SharedAbstractNode& op1,
892 triton::ast::SharedAbstractNode& op2) {
893
894 auto vf = this->architecture->getRegister(ID_REG_AARCH64_V);
895 auto bvSize = dst.getBitSize();
896 auto low = dst.getLow();
897 auto high = dst.getHigh();
898
899 /*
900 * Create the semantic.
901 * vf = MSB((op1 ^ ~op2) & (op1 ^ result))
902 */
903 auto node = this->astCtxt->extract(bvSize-1, bvSize-1,
904 this->astCtxt->bvand(
905 this->astCtxt->bvxor(op1, this->astCtxt->bvnot(op2)),
906 this->astCtxt->bvxor(op1, this->astCtxt->extract(high, low, this->astCtxt->reference(parent)))
907 )
908 );
909
910 /* Create the symbolic expression */
911 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, vf, "Overflow flag");
912
913 /* Spread the taint from the parent to the child */
914 expr->isTainted = this->taintEngine->setTaintRegister(vf, parent->isTainted);
915 }
916
917
918 void AArch64Semantics::vfSub_s(triton::arch::Instruction& inst,
919 const triton::engines::symbolic::SharedSymbolicExpression& parent,
920 triton::arch::OperandWrapper& dst,
921 triton::ast::SharedAbstractNode& op1,
922 triton::ast::SharedAbstractNode& op2) {
923
924 auto vf = this->architecture->getRegister(ID_REG_AARCH64_V);
925 auto bvSize = dst.getBitSize();
926 auto low = dst.getLow();
927 auto high = dst.getHigh();
928
929 /*
930 * Create the semantic.
931 * vf = MSB((op1 ^ op2) & (op1 ^ result))
932 */
933 auto node = this->astCtxt->extract(bvSize-1, bvSize-1,
934 this->astCtxt->bvand(
935 this->astCtxt->bvxor(op1, op2),
936 this->astCtxt->bvxor(op1, this->astCtxt->extract(high, low, this->astCtxt->reference(parent)))
937 )
938 );
939
940 /* Create the symbolic expression */
941 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, vf, "Overflow flag");
942
943 /* Spread the taint from the parent to the child */
944 expr->isTainted = this->taintEngine->setTaintRegister(vf, parent->isTainted);
945 }
946
947
948 void AArch64Semantics::vfCcmp_s(triton::arch::Instruction& inst,
949 const triton::engines::symbolic::SharedSymbolicExpression& parent,
950 triton::arch::OperandWrapper& dst,
951 triton::ast::SharedAbstractNode& op1,
952 triton::ast::SharedAbstractNode& op2,
953 triton::ast::SharedAbstractNode& nzcv) {
954
955 auto vf = this->architecture->getRegister(ID_REG_AARCH64_V);
956 auto bvSize = dst.getBitSize();
957 auto low = dst.getLow();
958 auto high = dst.getHigh();
959
960 /*
961 * Create the semantic.
962 * if cond == true:
963 * vf = MSB((op1 ^ op2) & (op1 ^ result))
964 * else:
965 * vf = VF(nzcv)
966 */
967 auto node1 = this->astCtxt->extract(bvSize-1, bvSize-1,
968 this->astCtxt->bvand(
969 this->astCtxt->bvxor(op1, op2),
970 this->astCtxt->bvxor(op1, this->astCtxt->extract(high, low, this->astCtxt->reference(parent)))
971 )
972 );
973 auto node2 = this->astCtxt->extract(0, 0, nzcv);
974 auto node3 = this->getCodeConditionAst(inst, node1, node2);
975
976 /* Create the symbolic expression */
977 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node3, vf, "Overflow flag");
978
979 /* Spread the taint from the parent to the child */
980 expr->isTainted = this->taintEngine->setTaintRegister(vf, parent->isTainted);
981 }
982
983
984 void AArch64Semantics::adc_s(triton::arch::Instruction& inst) {
985 auto& dst = inst.operands[0];
986 auto& src1 = inst.operands[1];
987 auto& src2 = inst.operands[2];
988 auto cf = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C));
989
990 /* Create symbolic operands */
991 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
992 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
993 auto op3 = this->symbolicEngine->getOperandAst(inst, cf);
994
995 /* Create the semantics */
996 auto node = this->astCtxt->bvadd(this->astCtxt->bvadd(op1, op2), this->astCtxt->zx(dst.getBitSize()-1, op3));
997
998 /* Create symbolic expression */
999 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ADC(S) operation");
1000
1001 /* Spread taint */
1002 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(cf));
1003
1004 /* Update symbolic flags */
1005 if (inst.isUpdateFlag() == true) {
1006 this->cfAdd_s(inst, expr, dst, op1, op2);
1007 this->nf_s(inst, expr, dst);
1008 this->vfAdd_s(inst, expr, dst, op1, op2);
1009 this->zf_s(inst, expr, dst);
1010 }
1011
1012 /* Update the symbolic control flow */
1013 this->controlFlow_s(inst);
1014 }
1015
1016
1017 void AArch64Semantics::add_s(triton::arch::Instruction& inst) {
1018 auto& dst = inst.operands[0];
1019 auto& src1 = inst.operands[1];
1020 auto& src2 = inst.operands[2];
1021
1022 /* Create symbolic operands */
1023 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1024 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1025
1026 /* Create the semantics */
1027 auto node = this->astCtxt->bvadd(op1, op2);
1028
1029 /* Create symbolic expression */
1030 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ADD(S) operation");
1031
1032 /* Spread taint */
1033 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1034
1035 /* Update symbolic flags */
1036 if (inst.isUpdateFlag() == true) {
1037 this->cfAdd_s(inst, expr, dst, op1, op2);
1038 this->nf_s(inst, expr, dst);
1039 this->vfAdd_s(inst, expr, dst, op1, op2);
1040 this->zf_s(inst, expr, dst);
1041 }
1042
1043 /* Update the symbolic control flow */
1044 this->controlFlow_s(inst);
1045 }
1046
1047
1048 void AArch64Semantics::adr_s(triton::arch::Instruction& inst) {
1049 auto& dst = inst.operands[0];
1050 auto& src = inst.operands[1];
1051 auto pc = triton::arch::OperandWrapper(this->architecture->getParentRegister(ID_REG_AARCH64_PC));
1052
1053 /*
1054 * Note: Capstone already encodes the result into the source operand. We don't have
1055 * to compute the add operation but do we lose the symbolic?
1056 */
1057 /* Create symbolic semantics */
1058 auto node = this->symbolicEngine->getOperandAst(inst, src);
1059
1060 /* Create symbolic expression */
1061 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ADR operation");
1062
1063 /* Spread taint */
1064 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src) | this->taintEngine->isTainted(pc));
1065
1066 /* Update the symbolic control flow */
1067 this->controlFlow_s(inst);
1068 }
1069
1070
1071 void AArch64Semantics::adrp_s(triton::arch::Instruction& inst) {
1072 auto& dst = inst.operands[0];
1073 auto& src = inst.operands[1];
1074 auto pc = triton::arch::OperandWrapper(this->architecture->getParentRegister(ID_REG_AARCH64_PC));
1075
1076 /*
1077 * Note: Capstone already encodes the result into the source operand. We don't have
1078 * to compute the add operation but do we lose the symbolic?
1079 */
1080 /* Create symbolic semantics */
1081 auto node = this->symbolicEngine->getOperandAst(inst, src);
1082
1083 /* Create symbolic expression */
1084 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ADRP operation");
1085
1086 /* Spread taint */
1087 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src) | this->taintEngine->isTainted(pc));
1088
1089 /* Update the symbolic control flow */
1090 this->controlFlow_s(inst);
1091 }
1092
1093
1094 void AArch64Semantics::and_s(triton::arch::Instruction& inst) {
1095 auto& dst = inst.operands[0];
1096 auto& src1 = inst.operands[1];
1097 auto& src2 = inst.operands[2];
1098
1099 /* Create symbolic operands */
1100 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1101 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1102
1103 /* Create the semantics */
1104 auto node = this->astCtxt->bvand(op1, op2);
1105
1106 /* Special case for vector registers */
1107 if (dst.getConstRegister().getVASSize() == triton::size::qword) {
1108 node = this->astCtxt->extract(63, 0, node);
1109 }
1110
1111 /* Create symbolic expression */
1112 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "AND(S) operation");
1113
1114 /* Spread taint */
1115 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1116
1117 /* Update symbolic flags */
1118 if (inst.isUpdateFlag() == true) {
1119 this->clearFlag_s(inst, this->architecture->getRegister(ID_REG_AARCH64_C), "Clears carry flag");
1120 this->nf_s(inst, expr, dst);
1121 this->clearFlag_s(inst, this->architecture->getRegister(ID_REG_AARCH64_V), "Clears overflow flag");
1122 this->zf_s(inst, expr, dst);
1123 }
1124
1125 /* Update the symbolic control flow */
1126 this->controlFlow_s(inst);
1127 }
1128
1129
1130 void AArch64Semantics::asr_s(triton::arch::Instruction& inst) {
1131 auto& dst = inst.operands[0];
1132 auto& src1 = inst.operands[1];
1133 auto& src2 = inst.operands[2];
1134 auto size = src2.getBitSize();
1135
1136 /* Create symbolic operands */
1137 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1138 auto op2 = this->astCtxt->bvand(
1139 this->symbolicEngine->getOperandAst(inst, src2),
1140 this->astCtxt->bv(size - 1, size)
1141 );
1142
1143 /* Create the semantics */
1144 auto node = this->astCtxt->bvashr(op1, op2);
1145
1146 /* Create symbolic expression */
1147 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ASR operation");
1148
1149 /* Spread taint */
1150 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1151
1152 /* Update the symbolic control flow */
1153 this->controlFlow_s(inst);
1154 }
1155
1156
1157 void AArch64Semantics::b_s(triton::arch::Instruction& inst) {
1158 auto dst = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
1159 auto& src = inst.operands[0];
1160
1161 /* Create symbolic operands */
1162 auto op1 = this->symbolicEngine->getOperandAst(inst, src);
1163 auto op2 = this->astCtxt->bv(inst.getNextAddress(), dst.getBitSize());
1164
1165 /* Create the semantics */
1166 auto node = this->getCodeConditionAst(inst, op1, op2);
1167
1168 /* Create symbolic expression */
1169 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "B operation - Program Counter");
1170
1171 /* Spread taint */
1172 expr->isTainted = this->taintEngine->setTaint(dst, this->getCodeConditionTainteSate(inst));
1173
1174 /* Set condition flag */
1175 if (node->getType() == triton::ast::ITE_NODE) {
1176 if (!(node->getChildren()[0]->evaluate().is_zero())) {
1177 inst.setConditionTaken(true);
1178 }
1179 }
1180
1181 /* Create the path constraint */
1182 this->symbolicEngine->pushPathConstraint(inst, expr);
1183 }
1184
1185
1186 void AArch64Semantics::bfi_s(triton::arch::Instruction& inst) {
1187 auto& dst = inst.operands[0]; // Reg
1188 auto& src1 = inst.operands[1]; // Reg
1189 auto& src2 = inst.operands[2]; // Imm (Lsb)
1190 auto& src3 = inst.operands[3]; // Imm (Width)
1191 auto lsb = static_cast<uint32>(src2.getImmediate().getValue());
1192 auto width = static_cast<uint32>(src3.getImmediate().getValue());
1193
1194 if (lsb + width > dst.getBitSize())
1195 throw triton::exceptions::Semantics("AArch64Semantics::bfi_s(): Invalid lsb and width.");
1196
1197 /* Create symbolic operands */
1198 auto op = this->symbolicEngine->getOperandAst(inst, src1);
1199 auto opDst = this->symbolicEngine->getOperandAst(inst, dst);
1200
1201 /* Create the semantics */
1202 std::vector<triton::ast::SharedAbstractNode> chunks;
1203 chunks.reserve(3);
1204
1205 if (lsb + width < dst.getBitSize()) {
1206 chunks.push_back(this->astCtxt->extract(dst.getBitSize() - 1, lsb + width, /* src */ opDst));
1207 }
1208 chunks.push_back(this->astCtxt->extract(width - 1, 0, /* src */ op));
1209 chunks.push_back(this->astCtxt->extract(lsb - 1, 0, /* dst */ opDst));
1210
1211 auto node = this->astCtxt->concat(chunks);
1212
1213 /* Create symbolic expression */
1214 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "BFI operation");
1215
1216 /* Spread taint */
1217 expr->isTainted = this->taintEngine->taintUnion(dst, src1);
1218
1219 /* Update the symbolic control flow */
1220 this->controlFlow_s(inst);
1221 }
1222
1223
1224 void AArch64Semantics::bfxil_s(triton::arch::Instruction& inst) {
1225 auto& dst = inst.operands[0]; // Reg
1226 auto& src1 = inst.operands[1]; // Reg
1227 auto& src2 = inst.operands[2]; // Imm (Lsb)
1228 auto& src3 = inst.operands[3]; // Imm (Width)
1229 auto lsb = static_cast<uint32>(src2.getImmediate().getValue());
1230 auto width = static_cast<uint32>(src3.getImmediate().getValue());
1231
1232 if (lsb + width > dst.getBitSize())
1233 throw triton::exceptions::Semantics("AArch64Semantics::bfxil_s(): Invalid lsb and width.");
1234
1235 /* Create symbolic operands */
1236 auto opSrc = this->symbolicEngine->getOperandAst(inst, src1);
1237 auto opDst = this->symbolicEngine->getOperandAst(inst, dst);
1238
1239 auto node = this->astCtxt->concat(
1240 this->astCtxt->extract(dst.getBitSize() - 1, width, opDst),
1241 this->astCtxt->extract(lsb + width - 1, lsb, opSrc)
1242 );
1243
1244 /* Create symbolic expression */
1245 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "BFXIL operation");
1246
1247 /* Spread taint */
1248 expr->isTainted = this->taintEngine->taintUnion(dst, src1);
1249
1250 /* Update the symbolic control flow */
1251 this->controlFlow_s(inst);
1252 }
1253
1254
1255 void AArch64Semantics::bic_s(triton::arch::Instruction& inst) {
1256 auto& dst = inst.operands[0]; // Reg
1257 auto& src1 = inst.operands[1]; // Reg
1258 auto& src2 = inst.operands[2]; // Reg + [Shift]
1259
1260 /* Create symbolic operands */
1261 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1262 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1263
1264 /* Create the semantics */
1265 auto node = this->astCtxt->bvand(op1, this->astCtxt->bvnot(op2));
1266
1267 /* Create symbolic expression */
1268 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "BIC(S) operation");
1269
1270 /* Spread taint */
1271 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1272
1273 /* Update symbolic flags */
1274 if (inst.isUpdateFlag() == true) {
1275 this->clearFlag_s(inst, this->architecture->getRegister(ID_REG_AARCH64_C), "Clears carry flag");
1276 this->nf_s(inst, expr, src1);
1277 this->clearFlag_s(inst, this->architecture->getRegister(ID_REG_AARCH64_V), "Clears overflow flag");
1278 this->zf_s(inst, expr, src1);
1279 }
1280
1281 /* Update the symbolic control flow */
1282 this->controlFlow_s(inst);
1283 }
1284
1285
1286
1287 void AArch64Semantics::bl_s(triton::arch::Instruction& inst) {
1288 auto dst1 = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_X30));
1289 auto dst2 = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
1290 auto& src = inst.operands[0];
1291
1292 /* Create the semantics */
1293 auto node1 = this->astCtxt->bv(inst.getNextAddress(), dst1.getBitSize());
1294 auto node2 = this->symbolicEngine->getOperandAst(inst, src);
1295
1296 /* Create symbolic expression */
1297 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "BL operation - Link Register");
1298 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "BL operation - Program Counter");
1299
1300 /* Spread taint */
1301 expr1->isTainted = this->taintEngine->taintAssignment(dst1, src);
1302 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
1303
1304 /* Set condition flag */
1305 inst.setConditionTaken(true);
1306
1307 /* Create the path constraint */
1308 this->symbolicEngine->pushPathConstraint(inst, expr2);
1309 }
1310
1311
1312 void AArch64Semantics::blr_s(triton::arch::Instruction& inst) {
1313 auto dst1 = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_X30));
1314 auto dst2 = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
1315 auto& src = inst.operands[0];
1316
1317 /* Create the semantics */
1318 auto node1 = this->astCtxt->bv(inst.getNextAddress(), dst1.getBitSize());
1319 auto node2 = this->symbolicEngine->getOperandAst(inst, src);
1320
1321 /* Create symbolic expression */
1322 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "BLR operation - Link Register");
1323 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "BLR operation - Program Counter");
1324
1325 /* Spread taint */
1326 expr1->isTainted = this->taintEngine->taintAssignment(dst1, src);
1327 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
1328
1329 /* Set condition flag */
1330 inst.setConditionTaken(true);
1331
1332 /* Create the path constraint */
1333 this->symbolicEngine->pushPathConstraint(inst, expr2);
1334 }
1335
1336
1337 void AArch64Semantics::br_s(triton::arch::Instruction& inst) {
1338 auto dst = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
1339 auto& src = inst.operands[0];
1340
1341 /* Create the semantics */
1342 auto node = this->symbolicEngine->getOperandAst(inst, src);
1343
1344 /* Create symbolic expression */
1345 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "BR operation - Program Counter");
1346
1347 /* Spread taint */
1348 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
1349
1350 /* Set condition flag */
1351 inst.setConditionTaken(true);
1352
1353 /* Create the path constraint */
1354 this->symbolicEngine->pushPathConstraint(inst, expr);
1355 }
1356
1357
1358 void AArch64Semantics::brk_s(triton::arch::Instruction& inst) {
1359 /* Set the exception */
1360 this->exception = triton::arch::FAULT_BP;
1361
1362 /* Update the symbolic control flow */
1363 this->controlFlow_s(inst);
1364 }
1365
1366
1367 void AArch64Semantics::cbnz_s(triton::arch::Instruction& inst) {
1368 auto dst = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
1369 auto& src1 = inst.operands[0];
1370 auto& src2 = inst.operands[1];
1371
1372 /* Create symbolic operands */
1373 auto op1 = this->astCtxt->zx(dst.getBitSize() - src1.getBitSize(), this->symbolicEngine->getOperandAst(inst, src1));
1374 auto op2 = this->astCtxt->zx(dst.getBitSize() - src2.getBitSize(), this->symbolicEngine->getOperandAst(inst, src2));
1375
1376 /* Create the semantics */
1377 auto node = this->astCtxt->ite(
1378 this->astCtxt->lnot(this->astCtxt->equal(op1, this->astCtxt->bv(0, op1->getBitvectorSize()))),
1379 op2,
1380 this->astCtxt->bv(inst.getNextAddress(), dst.getBitSize())
1381 );
1382
1383 /* Create symbolic expression */
1384 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CBNZ operation - Program Counter");
1385
1386 /* Spread taint */
1387 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1388
1389 /* Set condition flag */
1390 if (op1->evaluate() != 0)
1391 inst.setConditionTaken(true);
1392
1393 /* Create the path constraint */
1394 this->symbolicEngine->pushPathConstraint(inst, expr);
1395 }
1396
1397
1398 void AArch64Semantics::cbz_s(triton::arch::Instruction& inst) {
1399 auto dst = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
1400 auto& src1 = inst.operands[0];
1401 auto& src2 = inst.operands[1];
1402
1403 /* Create symbolic operands */
1404 auto op1 = this->astCtxt->zx(dst.getBitSize() - src1.getBitSize(), this->symbolicEngine->getOperandAst(inst, src1));
1405 auto op2 = this->astCtxt->zx(dst.getBitSize() - src2.getBitSize(), this->symbolicEngine->getOperandAst(inst, src2));
1406
1407 /* Create the semantics */
1408 auto node = this->astCtxt->ite(
1409 this->astCtxt->equal(op1, this->astCtxt->bv(0, op1->getBitvectorSize())),
1410 op2,
1411 this->astCtxt->bv(inst.getNextAddress(), dst.getBitSize())
1412 );
1413
1414 /* Create symbolic expression */
1415 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CBZ operation - Program Counter");
1416
1417 /* Spread taint */
1418 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1419
1420 /* Set condition flag */
1421 if (op1->evaluate() == 0)
1422 inst.setConditionTaken(true);
1423
1424 /* Create the path constraint */
1425 this->symbolicEngine->pushPathConstraint(inst, expr);
1426 }
1427
1428
1429 void AArch64Semantics::ccmp_s(triton::arch::Instruction& inst) {
1430 auto& src1 = inst.operands[0];
1431 auto& src2 = inst.operands[1];
1432 auto& src3 = inst.operands[2];
1433
1434 /* Create symbolic operands */
1435 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1436 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1437 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
1438
1439 /* Create the semantics */
1440 auto node = this->astCtxt->bvsub(op1, op2);
1441
1442 /* Create symbolic expression */
1443 auto expr = this->symbolicEngine->createSymbolicVolatileExpression(inst, node, "CCMP temporary operation");
1444
1445 /* Spread taint */
1446 expr->isTainted = this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2);
1447
1448 /* Update symbolic flags */
1449 this->cfCcmp_s(inst, expr, src1, op1, op2, op3);
1450 this->nfCcmp_s(inst, expr, src1, op3);
1451 this->vfCcmp_s(inst, expr, src1, op1, op2, op3);
1452 this->zfCcmp_s(inst, expr, src1, op3);
1453
1454 /* Update the symbolic control flow */
1455 this->controlFlow_s(inst);
1456 }
1457
1458
1459 void AArch64Semantics::cinc_s(triton::arch::Instruction& inst) {
1460 auto& dst = inst.operands[0];
1461 auto& src = inst.operands[1];
1462
1463 /* Create symbolic operands */
1464 auto op1 = this->symbolicEngine->getOperandAst(inst, src);
1465 auto op2 = this->astCtxt->bvadd(op1, this->astCtxt->bv(1, src.getBitSize()));
1466
1467 /* Create the semantics */
1468 auto node = this->getCodeConditionAst(inst, op2, op1);
1469
1470 /* Create symbolic expression */
1471 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CINC operation");
1472
1473 /* Spread taint */
1474 expr->isTainted = this->taintEngine->setTaint(dst, this->getCodeConditionTainteSate(inst));
1475
1476 /* Update the symbolic control flow */
1477 this->controlFlow_s(inst);
1478 }
1479
1480
1481 void AArch64Semantics::clz_s(triton::arch::Instruction& inst) {
1482 auto& dst = inst.operands[0];
1483 auto& src = inst.operands[1];
1484 auto bvSize = dst.getBitSize();
1485
1486 /* Create symbolic operands */
1487 auto op = this->symbolicEngine->getOperandAst(inst, src);
1488
1489 /* Create the semantics */
1490 triton::ast::SharedAbstractNode node = nullptr;
1491 switch (src.getSize()) {
1492 case triton::size::dword:
1493 node = this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(31, 31, op), this->astCtxt->bvtrue()), this->astCtxt->bv(0, bvSize),
1494 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(30, 30, op), this->astCtxt->bvtrue()), this->astCtxt->bv(1, bvSize),
1495 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(29, 29, op), this->astCtxt->bvtrue()), this->astCtxt->bv(2, bvSize),
1496 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(28, 28, op), this->astCtxt->bvtrue()), this->astCtxt->bv(3, bvSize),
1497 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(27, 27, op), this->astCtxt->bvtrue()), this->astCtxt->bv(4, bvSize),
1498 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(26, 26, op), this->astCtxt->bvtrue()), this->astCtxt->bv(5, bvSize),
1499 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(25, 25, op), this->astCtxt->bvtrue()), this->astCtxt->bv(6, bvSize),
1500 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(24, 24, op), this->astCtxt->bvtrue()), this->astCtxt->bv(7, bvSize),
1501 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(23, 23, op), this->astCtxt->bvtrue()), this->astCtxt->bv(8, bvSize),
1502 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(22, 22, op), this->astCtxt->bvtrue()), this->astCtxt->bv(9, bvSize),
1503 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(21, 21, op), this->astCtxt->bvtrue()), this->astCtxt->bv(10, bvSize),
1504 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(20, 20, op), this->astCtxt->bvtrue()), this->astCtxt->bv(11, bvSize),
1505 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(19, 19, op), this->astCtxt->bvtrue()), this->astCtxt->bv(12, bvSize),
1506 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(18, 18, op), this->astCtxt->bvtrue()), this->astCtxt->bv(13, bvSize),
1507 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(17, 17, op), this->astCtxt->bvtrue()), this->astCtxt->bv(14, bvSize),
1508 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(16, 16, op), this->astCtxt->bvtrue()), this->astCtxt->bv(15, bvSize),
1509 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(15, 15, op), this->astCtxt->bvtrue()), this->astCtxt->bv(16, bvSize),
1510 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(14, 14, op), this->astCtxt->bvtrue()), this->astCtxt->bv(17, bvSize),
1511 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(13, 13, op), this->astCtxt->bvtrue()), this->astCtxt->bv(18, bvSize),
1512 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(12, 12, op), this->astCtxt->bvtrue()), this->astCtxt->bv(19, bvSize),
1513 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(11, 11, op), this->astCtxt->bvtrue()), this->astCtxt->bv(20, bvSize),
1514 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(10, 10, op), this->astCtxt->bvtrue()), this->astCtxt->bv(21, bvSize),
1515 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(9, 9, op), this->astCtxt->bvtrue()), this->astCtxt->bv(22, bvSize),
1516 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(8, 8, op), this->astCtxt->bvtrue()), this->astCtxt->bv(23, bvSize),
1517 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(7, 7, op), this->astCtxt->bvtrue()), this->astCtxt->bv(24, bvSize),
1518 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(6, 6, op), this->astCtxt->bvtrue()), this->astCtxt->bv(25, bvSize),
1519 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(5, 5, op), this->astCtxt->bvtrue()), this->astCtxt->bv(26, bvSize),
1520 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(4, 4, op), this->astCtxt->bvtrue()), this->astCtxt->bv(27, bvSize),
1521 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(3, 3, op), this->astCtxt->bvtrue()), this->astCtxt->bv(28, bvSize),
1522 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(2, 2, op), this->astCtxt->bvtrue()), this->astCtxt->bv(29, bvSize),
1523 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(1, 1, op), this->astCtxt->bvtrue()), this->astCtxt->bv(30, bvSize),
1524 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(0, 0, op), this->astCtxt->bvtrue()), this->astCtxt->bv(31, bvSize),
1525 this->astCtxt->bv(32, bvSize)
1526 ))))))))))))))))))))))))))))))));
1527 break;
1528
1529 case triton::size::qword:
1530 node = this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(63, 63, op), this->astCtxt->bvtrue()), this->astCtxt->bv(0, bvSize),
1531 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(62, 62, op), this->astCtxt->bvtrue()), this->astCtxt->bv(1, bvSize),
1532 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(61, 61, op), this->astCtxt->bvtrue()), this->astCtxt->bv(2, bvSize),
1533 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(60, 60, op), this->astCtxt->bvtrue()), this->astCtxt->bv(3, bvSize),
1534 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(59, 59, op), this->astCtxt->bvtrue()), this->astCtxt->bv(4, bvSize),
1535 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(58, 58, op), this->astCtxt->bvtrue()), this->astCtxt->bv(5, bvSize),
1536 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(57, 57, op), this->astCtxt->bvtrue()), this->astCtxt->bv(6, bvSize),
1537 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(56, 56, op), this->astCtxt->bvtrue()), this->astCtxt->bv(7, bvSize),
1538 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(55, 55, op), this->astCtxt->bvtrue()), this->astCtxt->bv(8, bvSize),
1539 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(54, 54, op), this->astCtxt->bvtrue()), this->astCtxt->bv(9, bvSize),
1540 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(53, 53, op), this->astCtxt->bvtrue()), this->astCtxt->bv(10, bvSize),
1541 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(52, 52, op), this->astCtxt->bvtrue()), this->astCtxt->bv(11, bvSize),
1542 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(51, 51, op), this->astCtxt->bvtrue()), this->astCtxt->bv(12, bvSize),
1543 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(50, 50, op), this->astCtxt->bvtrue()), this->astCtxt->bv(13, bvSize),
1544 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(49, 49, op), this->astCtxt->bvtrue()), this->astCtxt->bv(14, bvSize),
1545 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(48, 48, op), this->astCtxt->bvtrue()), this->astCtxt->bv(15, bvSize),
1546 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(47, 47, op), this->astCtxt->bvtrue()), this->astCtxt->bv(16, bvSize),
1547 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(46, 46, op), this->astCtxt->bvtrue()), this->astCtxt->bv(17, bvSize),
1548 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(45, 45, op), this->astCtxt->bvtrue()), this->astCtxt->bv(18, bvSize),
1549 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(44, 44, op), this->astCtxt->bvtrue()), this->astCtxt->bv(19, bvSize),
1550 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(43, 43, op), this->astCtxt->bvtrue()), this->astCtxt->bv(20, bvSize),
1551 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(42, 42, op), this->astCtxt->bvtrue()), this->astCtxt->bv(21, bvSize),
1552 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(41, 41, op), this->astCtxt->bvtrue()), this->astCtxt->bv(22, bvSize),
1553 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(40, 40, op), this->astCtxt->bvtrue()), this->astCtxt->bv(23, bvSize),
1554 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(39, 39, op), this->astCtxt->bvtrue()), this->astCtxt->bv(24, bvSize),
1555 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(38, 38, op), this->astCtxt->bvtrue()), this->astCtxt->bv(25, bvSize),
1556 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(37, 37, op), this->astCtxt->bvtrue()), this->astCtxt->bv(26, bvSize),
1557 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(36, 36, op), this->astCtxt->bvtrue()), this->astCtxt->bv(27, bvSize),
1558 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(35, 35, op), this->astCtxt->bvtrue()), this->astCtxt->bv(28, bvSize),
1559 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(34, 34, op), this->astCtxt->bvtrue()), this->astCtxt->bv(29, bvSize),
1560 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(33, 33, op), this->astCtxt->bvtrue()), this->astCtxt->bv(30, bvSize),
1561 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(32, 32, op), this->astCtxt->bvtrue()), this->astCtxt->bv(31, bvSize),
1562 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(31, 31, op), this->astCtxt->bvtrue()), this->astCtxt->bv(32, bvSize),
1563 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(30, 30, op), this->astCtxt->bvtrue()), this->astCtxt->bv(33, bvSize),
1564 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(29, 29, op), this->astCtxt->bvtrue()), this->astCtxt->bv(34, bvSize),
1565 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(28, 28, op), this->astCtxt->bvtrue()), this->astCtxt->bv(35, bvSize),
1566 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(27, 27, op), this->astCtxt->bvtrue()), this->astCtxt->bv(36, bvSize),
1567 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(26, 26, op), this->astCtxt->bvtrue()), this->astCtxt->bv(37, bvSize),
1568 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(25, 25, op), this->astCtxt->bvtrue()), this->astCtxt->bv(38, bvSize),
1569 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(24, 24, op), this->astCtxt->bvtrue()), this->astCtxt->bv(39, bvSize),
1570 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(23, 23, op), this->astCtxt->bvtrue()), this->astCtxt->bv(40, bvSize),
1571 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(22, 22, op), this->astCtxt->bvtrue()), this->astCtxt->bv(41, bvSize),
1572 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(21, 21, op), this->astCtxt->bvtrue()), this->astCtxt->bv(42, bvSize),
1573 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(20, 20, op), this->astCtxt->bvtrue()), this->astCtxt->bv(43, bvSize),
1574 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(19, 19, op), this->astCtxt->bvtrue()), this->astCtxt->bv(44, bvSize),
1575 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(18, 18, op), this->astCtxt->bvtrue()), this->astCtxt->bv(45, bvSize),
1576 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(17, 17, op), this->astCtxt->bvtrue()), this->astCtxt->bv(46, bvSize),
1577 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(16, 16, op), this->astCtxt->bvtrue()), this->astCtxt->bv(47, bvSize),
1578 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(15, 15, op), this->astCtxt->bvtrue()), this->astCtxt->bv(48, bvSize),
1579 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(14, 14, op), this->astCtxt->bvtrue()), this->astCtxt->bv(49, bvSize),
1580 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(13, 13, op), this->astCtxt->bvtrue()), this->astCtxt->bv(50, bvSize),
1581 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(12, 12, op), this->astCtxt->bvtrue()), this->astCtxt->bv(51, bvSize),
1582 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(11, 11, op), this->astCtxt->bvtrue()), this->astCtxt->bv(52, bvSize),
1583 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(10, 10, op), this->astCtxt->bvtrue()), this->astCtxt->bv(53, bvSize),
1584 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(9, 9, op), this->astCtxt->bvtrue()), this->astCtxt->bv(54, bvSize),
1585 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(8, 8, op), this->astCtxt->bvtrue()), this->astCtxt->bv(55, bvSize),
1586 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(7, 7, op), this->astCtxt->bvtrue()), this->astCtxt->bv(56, bvSize),
1587 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(6, 6, op), this->astCtxt->bvtrue()), this->astCtxt->bv(57, bvSize),
1588 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(5, 5, op), this->astCtxt->bvtrue()), this->astCtxt->bv(58, bvSize),
1589 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(4, 4, op), this->astCtxt->bvtrue()), this->astCtxt->bv(59, bvSize),
1590 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(3, 3, op), this->astCtxt->bvtrue()), this->astCtxt->bv(60, bvSize),
1591 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(2, 2, op), this->astCtxt->bvtrue()), this->astCtxt->bv(61, bvSize),
1592 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(1, 1, op), this->astCtxt->bvtrue()), this->astCtxt->bv(62, bvSize),
1593 this->astCtxt->ite(this->astCtxt->equal(this->astCtxt->extract(0, 0, op), this->astCtxt->bvtrue()), this->astCtxt->bv(63, bvSize),
1594 this->astCtxt->bv(64, bvSize)
1595 ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
1596 break;
1597
1598 default:
1599 throw triton::exceptions::Semantics("AArch64Semantics::clz_s(): Invalid operand size.");
1600 }
1601
1602 /* Create symbolic expression */
1603 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CLZ operation");
1604
1605 /* Spread taint */
1606 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
1607
1608 /* Update the symbolic control flow */
1609 this->controlFlow_s(inst);
1610 }
1611
1612
1613 void AArch64Semantics::cmn_s(triton::arch::Instruction& inst) {
1614 auto& src1 = inst.operands[0];
1615 auto& src2 = inst.operands[1];
1616
1617 /* Create symbolic operands */
1618 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1619 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1620
1621 /* Create the semantics */
1622 auto node = this->astCtxt->bvadd(op1, op2);
1623
1624 /* Create symbolic expression */
1625 auto expr = this->symbolicEngine->createSymbolicVolatileExpression(inst, node, "CMN operation");
1626
1627 /* Spread taint */
1628 expr->isTainted = this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2);
1629
1630 /* Update symbolic flags */
1631 this->cfAdd_s(inst, expr, src1, op1, op2);
1632 this->nf_s(inst, expr, src1);
1633 this->vfAdd_s(inst, expr, src1, op1, op2);
1634 this->zf_s(inst, expr, src1);
1635
1636 /* Update the symbolic control flow */
1637 this->controlFlow_s(inst);
1638 }
1639
1640
1641 void AArch64Semantics::cmp_s(triton::arch::Instruction& inst) {
1642 auto& src1 = inst.operands[0];
1643 auto& src2 = inst.operands[1];
1644
1645 /* Create symbolic operands */
1646 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1647 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1648
1649 /* Create the semantics */
1650 auto node = this->astCtxt->bvsub(op1, op2);
1651
1652 /* Create symbolic expression */
1653 auto expr = this->symbolicEngine->createSymbolicVolatileExpression(inst, node, "CMP operation");
1654
1655 /* Spread taint */
1656 expr->isTainted = this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2);
1657
1658 /* Update symbolic flags */
1659 this->cfSub_s(inst, expr, src1, op1, op2);
1660 this->nf_s(inst, expr, src1);
1661 this->vfSub_s(inst, expr, src1, op1, op2);
1662 this->zf_s(inst, expr, src1);
1663
1664 /* Update the symbolic control flow */
1665 this->controlFlow_s(inst);
1666 }
1667
1668
1669 void AArch64Semantics::cneg_s(triton::arch::Instruction& inst) {
1670 auto& dst = inst.operands[0];
1671 auto& src = inst.operands[1];
1672
1673 /* Create symbolic operands */
1674 auto op1 = this->astCtxt->bvneg(this->symbolicEngine->getOperandAst(inst, src));
1675 auto op2 = this->symbolicEngine->getOperandAst(inst, src);
1676
1677 /* Create the semantics */
1678 auto node = this->getCodeConditionAst(inst, op1, op2);
1679
1680 /* Create symbolic expression */
1681 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CNEG operation");
1682
1683 /* Spread taint */
1684 expr->isTainted = this->taintEngine->taintUnion(dst, src);
1685
1686 /* Update the symbolic control flow */
1687 this->controlFlow_s(inst);
1688 }
1689
1690
1691 void AArch64Semantics::csel_s(triton::arch::Instruction& inst) {
1692 auto& dst = inst.operands[0];
1693 auto& src1 = inst.operands[1];
1694 auto& src2 = inst.operands[2];
1695
1696 /* Create symbolic operands */
1697 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1698 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1699
1700 /* Create the semantics */
1701 auto node = this->getCodeConditionAst(inst, op1, op2);
1702
1703 /* Create symbolic expression */
1704 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CSEL operation");
1705
1706 /* Spread taint */
1707 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1708
1709 /* Update the symbolic control flow */
1710 this->controlFlow_s(inst);
1711 }
1712
1713
1714 void AArch64Semantics::cset_s(triton::arch::Instruction& inst) {
1715 auto& dst = inst.operands[0];
1716
1717 /* Create symbolic operands */
1718 auto op1 = this->astCtxt->bv(1, dst.getBitSize());
1719 auto op2 = this->astCtxt->bv(0, dst.getBitSize());
1720
1721 /* Create the semantics */
1722 auto node = this->getCodeConditionAst(inst, op1, op2);
1723
1724 /* Create symbolic expression */
1725 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CSET operation");
1726
1727 /* Spread taint */
1728 expr->isTainted = this->taintEngine->setTaint(dst, this->getCodeConditionTainteSate(inst));
1729
1730 /* Update the symbolic control flow */
1731 this->controlFlow_s(inst);
1732 }
1733
1734
1735 void AArch64Semantics::csinc_s(triton::arch::Instruction& inst) {
1736 auto& dst = inst.operands[0];
1737 auto& src1 = inst.operands[1];
1738 auto& src2 = inst.operands[2];
1739
1740 /* Create symbolic operands */
1741 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1742 auto op2 = this->astCtxt->bvadd(
1743 this->symbolicEngine->getOperandAst(inst, src2),
1744 this->astCtxt->bv(1, src2.getBitSize())
1745 );
1746
1747 /* Create the semantics */
1748 auto node = this->getCodeConditionAst(inst, op1, op2);
1749
1750 /* Create symbolic expression */
1751 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CSINC operation");
1752
1753 /* Spread taint */
1754 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1755
1756 /* Update the symbolic control flow */
1757 this->controlFlow_s(inst);
1758 }
1759
1760
1761 void AArch64Semantics::csneg_s(triton::arch::Instruction& inst) {
1762 auto& dst = inst.operands[0];
1763 auto& src1 = inst.operands[1];
1764 auto& src2 = inst.operands[2];
1765
1766 /* Create symbolic operands */
1767 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1768 auto op2 = this->astCtxt->bvneg(this->symbolicEngine->getOperandAst(inst, src2));
1769
1770 /* Create the semantics */
1771 auto node = this->getCodeConditionAst(inst, op1, op2);
1772
1773 /* Create symbolic expression */
1774 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "CSNEG operation");
1775
1776 /* Spread taint */
1777 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1778
1779 /* Update the symbolic control flow */
1780 this->controlFlow_s(inst);
1781 }
1782
1783
1784 void AArch64Semantics::eon_s(triton::arch::Instruction& inst) {
1785 auto& dst = inst.operands[0];
1786 auto& src1 = inst.operands[1];
1787 auto& src2 = inst.operands[2];
1788
1789 /* Create symbolic operands */
1790 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1791 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1792
1793 /* Create the semantics */
1794 auto node = this->astCtxt->bvxnor(op1, op2);
1795
1796 /* Create symbolic expression */
1797 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "EON operation");
1798
1799 /* Spread taint */
1800 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1801
1802 /* Update the symbolic control flow */
1803 this->controlFlow_s(inst);
1804 }
1805
1806
1807 void AArch64Semantics::eor_s(triton::arch::Instruction& inst) {
1808 auto& dst = inst.operands[0];
1809 auto& src1 = inst.operands[1];
1810 auto& src2 = inst.operands[2];
1811
1812 /* Create symbolic operands */
1813 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1814 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1815
1816 /* Create the semantics */
1817 auto node = this->astCtxt->bvxor(op1, op2);
1818
1819 /* Special case for vector registers */
1820 if (dst.getConstRegister().getVASSize() == triton::size::qword) {
1821 node = this->astCtxt->extract(63, 0, node);
1822 }
1823
1824 /* Create symbolic expression */
1825 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "EOR operation");
1826
1827 /* Spread taint */
1828 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
1829
1830 /* Update the symbolic control flow */
1831 this->controlFlow_s(inst);
1832 }
1833
1834
1835 void AArch64Semantics::extr_s(triton::arch::Instruction& inst) {
1836 auto& dst = inst.operands[0];
1837 auto& src1 = inst.operands[1];
1838 auto& src2 = inst.operands[2];
1839 auto& src3 = inst.operands[3];
1840 auto lsb = static_cast<uint32>(src3.getImmediate().getValue());
1841
1842 /* Create symbolic operands */
1843 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
1844 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
1845
1846 /* Create the semantics */
1847 auto node = this->astCtxt->extract(lsb + dst.getBitSize() - 1, lsb, this->astCtxt->concat(op1, op2));
1848
1849 /* Create symbolic expression */
1850 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "EXTR operation");
1851
1852 /* Spread taint */
1853 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(src3));
1854
1855 /* Update the symbolic control flow */
1856 this->controlFlow_s(inst);
1857 }
1858
1859 void AArch64Semantics::fmov_s(triton::arch::Instruction& inst) {
1860 auto& dst = inst.operands[0];
1861 auto& src = inst.operands[1];
1862
1863 /* Create the semantics */
1864 auto node = this->symbolicEngine->getOperandAst(inst, src);
1865
1866 /* Create symbolic expression */
1867 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "FMOV operation");
1868
1869 /* Spread taint */
1870 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
1871
1872 /* Update the symbolic control flow */
1873 this->controlFlow_s(inst);
1874 }
1875
1876 void AArch64Semantics::ld3_s(triton::arch::Instruction& inst) {
1877 std::list<triton::ast::SharedAbstractNode> vec0;
1878 std::list<triton::ast::SharedAbstractNode> vec1;
1879 std::list<triton::ast::SharedAbstractNode> vec2;
1880
1881 triton::arch::OperandWrapper& vt0 = inst.operands[0]; /* vas register */
1882 triton::arch::OperandWrapper& vt1 = inst.operands[1]; /* vas register */
1883 triton::arch::OperandWrapper& vt2 = inst.operands[2]; /* vas register */
1884 triton::arch::OperandWrapper& src = inst.operands[3]; /* memory */
1885
1886 bool vt0_t = false; /* taint state of vt0 */
1887 bool vt1_t = false; /* taint state of vt1 */
1888 bool vt2_t = false; /* taint state of vt2 */
1889
1890 /*
1891 * Is the post-index immediate offset, encoded in Q:
1892 * 0 #24
1893 * 1 #48
1894 */
1895 triton::uint32 postIndex = 0;
1896
1897 auto mem = src.getConstMemory();
1898 auto vas_e = vt0.getConstRegister().getVASType();
1899
1900 switch (vas_e) {
1901 /* LD3 multiple structure */
1902 case triton::arch::arm::ID_VAS_16B: {
1903 for (triton::uint32 i = 0; i != 16; i++) {
1904 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 0, triton::size::byte);
1905 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 1, triton::size::byte);
1906 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 2, triton::size::byte);
1907
1908 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
1909 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
1910 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
1911
1912 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
1913 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
1914 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
1915 }
1916 postIndex = 48;
1917 break;
1918 }
1919
1920 /* LD3 multiple structure */
1921 case triton::arch::arm::ID_VAS_8B: {
1922 for (triton::uint32 i = 0; i != 8; i++) {
1923 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 0, triton::size::byte);
1924 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 1, triton::size::byte);
1925 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 2, triton::size::byte);
1926
1927 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
1928 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
1929 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
1930
1931 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
1932 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
1933 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
1934 }
1935 postIndex = 24;
1936 break;
1937 }
1938
1939 /* LD3 multiple structure */
1940 case triton::arch::arm::ID_VAS_8H: {
1941 for (triton::uint32 i = 0; i != 16; i += 2) {
1942 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 0, triton::size::word);
1943 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 2, triton::size::word);
1944 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 4, triton::size::word);
1945
1946 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
1947 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
1948 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
1949
1950 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
1951 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
1952 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
1953 }
1954 postIndex = 48;
1955 break;
1956 }
1957
1958 /* LD3 multiple structure */
1959 case triton::arch::arm::ID_VAS_4H: {
1960 for (triton::uint32 i = 0; i != 8; i += 2) {
1961 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 0, triton::size::word);
1962 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 2, triton::size::word);
1963 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 4, triton::size::word);
1964
1965 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
1966 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
1967 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
1968
1969 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
1970 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
1971 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
1972 }
1973 postIndex = 24;
1974 break;
1975 }
1976
1977 /* LD3 multiple structure */
1978 case triton::arch::arm::ID_VAS_4S: {
1979 for (triton::uint32 i = 0; i != 16; i += 4) {
1980 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 0, triton::size::dword);
1981 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 4, triton::size::dword);
1982 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 8, triton::size::dword);
1983
1984 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
1985 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
1986 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
1987
1988 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
1989 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
1990 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
1991 }
1992 postIndex = 48;
1993 break;
1994 }
1995
1996 /* LD3 multiple structure */
1997 case triton::arch::arm::ID_VAS_2S: {
1998 for (triton::uint32 i = 0; i != 8; i += 4) {
1999 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 0, triton::size::dword);
2000 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 4, triton::size::dword);
2001 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 8, triton::size::dword);
2002
2003 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2004 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2005 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2006
2007 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2008 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2009 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2010 }
2011 postIndex = 24;
2012 break;
2013 }
2014
2015 /* LD3 multiple structure */
2016 case triton::arch::arm::ID_VAS_2D: {
2017 for (triton::uint32 i = 0; i != 16; i += 8) {
2018 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 0, triton::size::qword);
2019 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 8, triton::size::qword);
2020 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 3) + 16, triton::size::qword);
2021
2022 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2023 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2024 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2025
2026 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2027 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2028 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2029 }
2030 postIndex = 48;
2031 break;
2032 }
2033
2034 default:
2035 throw triton::exceptions::Semantics("AArch64Semantics::ld3_s(): Invalid VAS encoding.");
2036 }
2037
2038 /* Create the semantics of the LD3 */
2039 auto node0 = this->astCtxt->concat(vec0);
2040 auto node1 = this->astCtxt->concat(vec1);
2041 auto node2 = this->astCtxt->concat(vec2);
2042
2043 /* Create symbolic expression */
2044 auto expr0 = this->symbolicEngine->createSymbolicExpression(inst, node0, vt0, "LD3 operation - LOAD access");
2045 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, vt1, "LD3 operation - LOAD access");
2046 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, vt2, "LD3 operation - LOAD access");
2047
2048 /* Spread taint */
2049 expr0->isTainted = vt0_t;
2050 expr1->isTainted = vt1_t;
2051 expr2->isTainted = vt2_t;
2052
2053 /*
2054 * Register offset (Rm != 11111)
2055 * LD3 { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T> }, [<Xn|SP>], <Xm>
2056 */
2057 if (inst.operands.size() == 5 && inst.operands[4].getType() == triton::arch::OP_REG) {
2058 auto base = mem.getBaseRegister();
2059 auto offset = inst.operands[4].getRegister();
2060
2061 /* Create symbolic operands of the post computation */
2062 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2063 auto offsetNode = this->symbolicEngine->getOperandAst(inst, offset);
2064
2065 /* Create the semantics of the base register */
2066 auto node3 = this->astCtxt->bvadd(baseNode, offsetNode);
2067
2068 /* Create symbolic expression */
2069 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LD3 operation - Post Index");
2070
2071 /* Spread taint */
2072 expr3->isTainted = this->taintEngine->isTainted(base) | this->taintEngine->isTainted(offset);
2073 }
2074
2075 /*
2076 * Register offset (Rm == 11111)
2077 * LD3 { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T> }, [<Xn|SP>], <imm>
2078 */
2079 else if (inst.operands.size() == 4 && inst.isWriteBack()) {
2080 /* Create symbolic operands of the post computation */
2081 auto base = mem.getBaseRegister();
2082 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2083
2084 /* Create the semantics of the base register */
2085 auto node3 = this->astCtxt->bvadd(baseNode, this->astCtxt->bv(postIndex, base.getBitSize()));
2086
2087 /* Create symbolic expression */
2088 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LD3 operation - Post Index");
2089
2090 /* Spread taint */
2091 expr3->isTainted = this->taintEngine->isTainted(base);
2092 }
2093
2094 /* Update the symbolic control flow */
2095 this->controlFlow_s(inst);
2096 }
2097
2098
2099 void AArch64Semantics::ld3r_s(triton::arch::Instruction& inst) {
2100 std::list<triton::ast::SharedAbstractNode> vec0;
2101 std::list<triton::ast::SharedAbstractNode> vec1;
2102 std::list<triton::ast::SharedAbstractNode> vec2;
2103
2104 triton::arch::OperandWrapper& vt0 = inst.operands[0]; /* vas register */
2105 triton::arch::OperandWrapper& vt1 = inst.operands[1]; /* vas register */
2106 triton::arch::OperandWrapper& vt2 = inst.operands[2]; /* vas register */
2107 triton::arch::OperandWrapper& src = inst.operands[3]; /* memory */
2108
2109 bool vt0_t = false; /* taint state of vt0 */
2110 bool vt1_t = false; /* taint state of vt1 */
2111 bool vt2_t = false; /* taint state of vt2 */
2112
2113 /*
2114 * Is the post-index immediate offset, encoded in size:
2115 * 00 #3
2116 * 01 #6
2117 * 10 #12
2118 * 11 #24
2119 */
2120 triton::uint32 postIndex = 0;
2121
2122 auto mem = src.getConstMemory();
2123 auto vas_e = vt0.getConstRegister().getVASType();
2124
2125 switch (vas_e) {
2126 case triton::arch::arm::ID_VAS_16B: {
2127 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::byte);
2128 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 1, triton::size::byte);
2129 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::byte);
2130
2131 for (triton::uint32 i = 0; i != 16; i++) {
2132 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2133 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2134 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2135
2136 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2137 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2138 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2139 }
2140
2141 postIndex = 3;
2142 break;
2143 }
2144
2145 case triton::arch::arm::ID_VAS_8B: {
2146 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::byte);
2147 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 1, triton::size::byte);
2148 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::byte);
2149
2150 for (triton::uint32 i = 0; i != 8; i++) {
2151 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2152 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2153 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2154
2155 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2156 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2157 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2158 }
2159
2160 postIndex = 3;
2161 break;
2162 }
2163
2164 case triton::arch::arm::ID_VAS_8H: {
2165 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::word);
2166 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::word);
2167 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::word);
2168
2169 for (triton::uint32 i = 0; i != 16; i += 2) {
2170 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2171 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2172 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2173
2174 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2175 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2176 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2177 }
2178
2179 postIndex = 6;
2180 break;
2181 }
2182
2183 case triton::arch::arm::ID_VAS_4H: {
2184 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::word);
2185 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::word);
2186 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::word);
2187
2188 for (triton::uint32 i = 0; i != 8; i += 2) {
2189 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2190 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2191 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2192
2193 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2194 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2195 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2196 }
2197
2198 postIndex = 6;
2199 break;
2200 }
2201
2202 case triton::arch::arm::ID_VAS_4S: {
2203 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::dword);
2204 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::dword);
2205 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::dword);
2206
2207 for (triton::uint32 i = 0; i != 16; i += 4) {
2208 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2209 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2210 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2211
2212 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2213 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2214 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2215 }
2216
2217 postIndex = 12;
2218 break;
2219 }
2220
2221 case triton::arch::arm::ID_VAS_2S: {
2222 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::dword);
2223 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::dword);
2224 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::dword);
2225
2226 for (triton::uint32 i = 0; i != 8; i += 4) {
2227 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2228 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2229 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2230
2231 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2232 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2233 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2234 }
2235
2236 postIndex = 12;
2237 break;
2238 }
2239
2240 case triton::arch::arm::ID_VAS_2D: {
2241 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::qword);
2242 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::qword);
2243 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 16, triton::size::qword);
2244
2245 for (triton::uint32 i = 0; i != 16; i += 8) {
2246 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2247 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2248 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2249
2250 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2251 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2252 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2253 }
2254
2255 postIndex = 24;
2256 break;
2257 }
2258
2259 case triton::arch::arm::ID_VAS_1D: {
2260 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::qword);
2261 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::qword);
2262 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 16, triton::size::qword);
2263
2264 for (triton::uint32 i = 0; i != 8; i += 8) {
2265 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2266 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2267 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2268
2269 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2270 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2271 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2272 }
2273
2274 postIndex = 24;
2275 break;
2276 }
2277
2278 default:
2279 throw triton::exceptions::Semantics("AArch64Semantics::ld3r_s(): Invalid VAS encoding.");
2280 }
2281
2282 /* Create the semantics of the LD3R */
2283 auto node0 = this->astCtxt->concat(vec0);
2284 auto node1 = this->astCtxt->concat(vec1);
2285 auto node2 = this->astCtxt->concat(vec2);
2286
2287 /* Create symbolic expression */
2288 auto expr0 = this->symbolicEngine->createSymbolicExpression(inst, node0, vt0, "LD3R operation - LOAD access");
2289 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, vt1, "LD3R operation - LOAD access");
2290 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, vt2, "LD3R operation - LOAD access");
2291
2292 /* Spread taint */
2293 expr0->isTainted = vt0_t;
2294 expr1->isTainted = vt1_t;
2295 expr2->isTainted = vt2_t;
2296
2297 /*
2298 * Register offset (Rm != 11111)
2299 * LD3R { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T> }, [<Xn|SP>], <Xm>
2300 */
2301 if (inst.operands.size() == 5 && inst.operands[4].getType() == triton::arch::OP_REG) {
2302 auto base = mem.getBaseRegister();
2303 auto offset = inst.operands[4].getRegister();
2304
2305 /* Create symbolic operands of the post computation */
2306 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2307 auto offsetNode = this->symbolicEngine->getOperandAst(inst, offset);
2308
2309 /* Create the semantics of the base register */
2310 auto node3 = this->astCtxt->bvadd(baseNode, offsetNode);
2311
2312 /* Create symbolic expression */
2313 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LD3R operation - Post Index");
2314
2315 /* Spread taint */
2316 expr3->isTainted = this->taintEngine->isTainted(base) | this->taintEngine->isTainted(offset);
2317 }
2318
2319 /*
2320 * Register offset (Rm == 11111)
2321 * LD3R { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T> }, [<Xn|SP>], <imm>
2322 */
2323 else if (inst.operands.size() == 4 && inst.isWriteBack()) {
2324 /* Create symbolic operands of the post computation */
2325 auto base = mem.getBaseRegister();
2326 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2327
2328 /* Create the semantics of the base register */
2329 auto node3 = this->astCtxt->bvadd(baseNode, this->astCtxt->bv(postIndex, base.getBitSize()));
2330
2331 /* Create symbolic expression */
2332 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LD3R operation - Post Index");
2333
2334 /* Spread taint */
2335 expr3->isTainted = this->taintEngine->isTainted(base);
2336 }
2337
2338 /* Update the symbolic control flow */
2339 this->controlFlow_s(inst);
2340 }
2341
2342
2343 void AArch64Semantics::ld4_s(triton::arch::Instruction& inst) {
2344 std::list<triton::ast::SharedAbstractNode> vec0;
2345 std::list<triton::ast::SharedAbstractNode> vec1;
2346 std::list<triton::ast::SharedAbstractNode> vec2;
2347 std::list<triton::ast::SharedAbstractNode> vec3;
2348
2349 triton::arch::OperandWrapper& vt0 = inst.operands[0]; /* vas register */
2350 triton::arch::OperandWrapper& vt1 = inst.operands[1]; /* vas register */
2351 triton::arch::OperandWrapper& vt2 = inst.operands[2]; /* vas register */
2352 triton::arch::OperandWrapper& vt3 = inst.operands[3]; /* vas register */
2353 triton::arch::OperandWrapper& src = inst.operands[4]; /* memory */
2354
2355 bool vt0_t = false; /* taint state of vt0 */
2356 bool vt1_t = false; /* taint state of vt1 */
2357 bool vt2_t = false; /* taint state of vt2 */
2358 bool vt3_t = false; /* taint state of vt3 */
2359
2360 /*
2361 * Is the post-index immediate offset, encoded in Q:
2362 * 0 #32
2363 * 1 #64
2364 */
2365 triton::uint32 postIndex = 0;
2366
2367 auto mem = src.getConstMemory();
2368 auto vas_e = vt0.getConstRegister().getVASType();
2369
2370 switch (vas_e) {
2371 /* LD4 multiple structure */
2372 case triton::arch::arm::ID_VAS_16B: {
2373 for (triton::uint32 i = 0; i != 16; i++) {
2374 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 0, triton::size::byte);
2375 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 1, triton::size::byte);
2376 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 2, triton::size::byte);
2377 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 3, triton::size::byte);
2378
2379 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2380 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2381 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2382 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2383
2384 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2385 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2386 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2387 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2388 }
2389 postIndex = 64;
2390 break;
2391 }
2392
2393 /* LD4 multiple structure */
2394 case triton::arch::arm::ID_VAS_8B: {
2395 for (triton::uint32 i = 0; i != 8; i++) {
2396 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 0, triton::size::byte);
2397 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 1, triton::size::byte);
2398 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 2, triton::size::byte);
2399 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 3, triton::size::byte);
2400
2401 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2402 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2403 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2404 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2405
2406 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2407 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2408 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2409 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2410 }
2411 postIndex = 32;
2412 break;
2413 }
2414
2415 /* LD4 multiple structure */
2416 case triton::arch::arm::ID_VAS_8H: {
2417 for (triton::uint32 i = 0; i != 16; i += 2) {
2418 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 0, triton::size::word);
2419 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 2, triton::size::word);
2420 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 4, triton::size::word);
2421 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 6, triton::size::word);
2422
2423 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2424 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2425 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2426 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2427
2428 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2429 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2430 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2431 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2432 }
2433 postIndex = 64;
2434 break;
2435 }
2436
2437 /* LD4 multiple structure */
2438 case triton::arch::arm::ID_VAS_4H: {
2439 for (triton::uint32 i = 0; i != 8; i += 2) {
2440 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 0, triton::size::word);
2441 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 2, triton::size::word);
2442 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 4, triton::size::word);
2443 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 6, triton::size::word);
2444
2445 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2446 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2447 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2448 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2449
2450 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2451 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2452 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2453 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2454 }
2455 postIndex = 32;
2456 break;
2457 }
2458
2459 /* LD4 multiple structure */
2460 case triton::arch::arm::ID_VAS_4S: {
2461 for (triton::uint32 i = 0; i != 16; i += 4) {
2462 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 0, triton::size::dword);
2463 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 4, triton::size::dword);
2464 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 8, triton::size::dword);
2465 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 12, triton::size::dword);
2466
2467 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2468 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2469 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2470 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2471
2472 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2473 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2474 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2475 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2476 }
2477 postIndex = 64;
2478 break;
2479 }
2480
2481 /* LD4 multiple structure */
2482 case triton::arch::arm::ID_VAS_2S: {
2483 for (triton::uint32 i = 0; i != 8; i += 4) {
2484 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 0, triton::size::dword);
2485 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 4, triton::size::dword);
2486 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 8, triton::size::dword);
2487 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 12, triton::size::dword);
2488
2489 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2490 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2491 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2492 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2493
2494 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2495 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2496 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2497 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2498 }
2499 postIndex = 32;
2500 break;
2501 }
2502
2503 /* LD4 multiple structure */
2504 case triton::arch::arm::ID_VAS_2D: {
2505 for (triton::uint32 i = 0; i != 16; i += 8) {
2506 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 0, triton::size::qword);
2507 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 8, triton::size::qword);
2508 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 16, triton::size::qword);
2509 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + (i * 4) + 24, triton::size::qword);
2510
2511 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2512 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2513 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2514 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2515
2516 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2517 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2518 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2519 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2520 }
2521 postIndex = 64;
2522 break;
2523 }
2524
2525 default:
2526 throw triton::exceptions::Semantics("AArch64Semantics::ld4_s(): Invalid VAS encoding.");
2527 }
2528
2529 /* Create the semantics of the LD3 */
2530 auto node0 = this->astCtxt->concat(vec0);
2531 auto node1 = this->astCtxt->concat(vec1);
2532 auto node2 = this->astCtxt->concat(vec2);
2533 auto node3 = this->astCtxt->concat(vec3);
2534
2535 /* Create symbolic expression */
2536 auto expr0 = this->symbolicEngine->createSymbolicExpression(inst, node0, vt0, "LD4 operation - LOAD access");
2537 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, vt1, "LD4 operation - LOAD access");
2538 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, vt2, "LD4 operation - LOAD access");
2539 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, vt3, "LD4 operation - LOAD access");
2540
2541 /* Spread taint */
2542 expr0->isTainted = vt0_t;
2543 expr1->isTainted = vt1_t;
2544 expr2->isTainted = vt2_t;
2545 expr3->isTainted = vt3_t;
2546
2547 /*
2548 * Register offset (Rm != 11111)
2549 * LD4 { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T>, <Vt4>.<T> }, [<Xn|SP>], <Xm>
2550 */
2551 if (inst.operands.size() == 6 && inst.operands[5].getType() == triton::arch::OP_REG) {
2552 auto base = mem.getBaseRegister();
2553 auto offset = inst.operands[5].getRegister();
2554
2555 /* Create symbolic operands of the post computation */
2556 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2557 auto offsetNode = this->symbolicEngine->getOperandAst(inst, offset);
2558
2559 /* Create the semantics of the base register */
2560 auto node4 = this->astCtxt->bvadd(baseNode, offsetNode);
2561
2562 /* Create symbolic expression */
2563 auto expr4 = this->symbolicEngine->createSymbolicExpression(inst, node4, base, "LD4 operation - Post Index");
2564
2565 /* Spread taint */
2566 expr4->isTainted = this->taintEngine->isTainted(base) | this->taintEngine->isTainted(offset);
2567 }
2568
2569 /*
2570 * Register offset (Rm == 11111)
2571 * LD4 { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T>, <Vt4>.<T> }, [<Xn|SP>], <imm>
2572 */
2573 else if (inst.operands.size() == 5 && inst.isWriteBack()) {
2574 /* Create symbolic operands of the post computation */
2575 auto base = mem.getBaseRegister();
2576 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2577
2578 /* Create the semantics of the base register */
2579 auto node4 = this->astCtxt->bvadd(baseNode, this->astCtxt->bv(postIndex, base.getBitSize()));
2580
2581 /* Create symbolic expression */
2582 auto expr4 = this->symbolicEngine->createSymbolicExpression(inst, node4, base, "LD4 operation - Post Index");
2583
2584 /* Spread taint */
2585 expr4->isTainted = this->taintEngine->isTainted(base);
2586 }
2587
2588 /* Update the symbolic control flow */
2589 this->controlFlow_s(inst);
2590 }
2591
2592
2593 void AArch64Semantics::ld4r_s(triton::arch::Instruction& inst) {
2594 std::list<triton::ast::SharedAbstractNode> vec0;
2595 std::list<triton::ast::SharedAbstractNode> vec1;
2596 std::list<triton::ast::SharedAbstractNode> vec2;
2597 std::list<triton::ast::SharedAbstractNode> vec3;
2598
2599 triton::arch::OperandWrapper& vt0 = inst.operands[0]; /* vas register */
2600 triton::arch::OperandWrapper& vt1 = inst.operands[1]; /* vas register */
2601 triton::arch::OperandWrapper& vt2 = inst.operands[2]; /* vas register */
2602 triton::arch::OperandWrapper& vt3 = inst.operands[3]; /* vas register */
2603 triton::arch::OperandWrapper& src = inst.operands[4]; /* memory */
2604
2605 bool vt0_t = false; /* taint state of vt0 */
2606 bool vt1_t = false; /* taint state of vt1 */
2607 bool vt2_t = false; /* taint state of vt2 */
2608 bool vt3_t = false; /* taint state of vt3 */
2609
2610 /*
2611 * Is the post-index immediate offset, encoded in size:
2612 * 00 #4
2613 * 01 #8
2614 * 10 #16
2615 * 11 #32
2616 */
2617 triton::uint32 postIndex = 0;
2618
2619 auto mem = src.getConstMemory();
2620 auto vas_e = vt0.getConstRegister().getVASType();
2621
2622 switch (vas_e) {
2623 case triton::arch::arm::ID_VAS_16B: {
2624 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::byte);
2625 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 1, triton::size::byte);
2626 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::byte);
2627 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 3, triton::size::byte);
2628
2629 for (triton::uint32 i = 0; i != 16; i++) {
2630 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2631 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2632 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2633 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2634
2635 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2636 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2637 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2638 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2639 }
2640
2641 postIndex = 4;
2642 break;
2643 }
2644
2645 case triton::arch::arm::ID_VAS_8B: {
2646 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::byte);
2647 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 1, triton::size::byte);
2648 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::byte);
2649 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 3, triton::size::byte);
2650
2651 for (triton::uint32 i = 0; i != 8; i++) {
2652 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2653 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2654 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2655 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2656
2657 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2658 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2659 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2660 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2661 }
2662
2663 postIndex = 4;
2664 break;
2665 }
2666
2667 case triton::arch::arm::ID_VAS_8H: {
2668 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::word);
2669 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::word);
2670 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::word);
2671 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 6, triton::size::word);
2672
2673 for (triton::uint32 i = 0; i != 16; i += 2) {
2674 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2675 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2676 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2677 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2678
2679 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2680 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2681 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2682 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2683 }
2684
2685 postIndex = 8;
2686 break;
2687 }
2688
2689 case triton::arch::arm::ID_VAS_4H: {
2690 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::word);
2691 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 2, triton::size::word);
2692 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::word);
2693 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 6, triton::size::word);
2694
2695 for (triton::uint32 i = 0; i != 8; i += 2) {
2696 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2697 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2698 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2699 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2700
2701 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2702 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2703 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2704 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2705 }
2706
2707 postIndex = 8;
2708 break;
2709 }
2710
2711 case triton::arch::arm::ID_VAS_4S: {
2712 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::dword);
2713 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::dword);
2714 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::dword);
2715 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 12, triton::size::dword);
2716
2717 for (triton::uint32 i = 0; i != 16; i += 4) {
2718 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2719 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2720 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2721 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2722
2723 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2724 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2725 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2726 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2727 }
2728
2729 postIndex = 16;
2730 break;
2731 }
2732
2733 case triton::arch::arm::ID_VAS_2S: {
2734 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::dword);
2735 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 4, triton::size::dword);
2736 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::dword);
2737 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 12, triton::size::dword);
2738
2739 for (triton::uint32 i = 0; i != 8; i += 4) {
2740 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2741 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2742 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2743 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2744
2745 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2746 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2747 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2748 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2749 }
2750
2751 postIndex = 16;
2752 break;
2753 }
2754
2755 case triton::arch::arm::ID_VAS_2D: {
2756 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::qword);
2757 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::qword);
2758 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 16, triton::size::qword);
2759 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 24, triton::size::qword);
2760
2761 for (triton::uint32 i = 0; i != 16; i += 8) {
2762 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2763 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2764 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2765 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2766
2767 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2768 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2769 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2770 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2771 }
2772
2773 postIndex = 32;
2774 break;
2775 }
2776
2777 case triton::arch::arm::ID_VAS_1D: {
2778 auto vt0_m = triton::arch::MemoryAccess(mem.getAddress() + 0, triton::size::qword);
2779 auto vt1_m = triton::arch::MemoryAccess(mem.getAddress() + 8, triton::size::qword);
2780 auto vt2_m = triton::arch::MemoryAccess(mem.getAddress() + 16, triton::size::qword);
2781 auto vt3_m = triton::arch::MemoryAccess(mem.getAddress() + 24, triton::size::qword);
2782
2783 for (triton::uint32 i = 0; i != 8; i += 8) {
2784 vec0.push_front(this->symbolicEngine->getMemoryAst(inst, vt0_m));
2785 vec1.push_front(this->symbolicEngine->getMemoryAst(inst, vt1_m));
2786 vec2.push_front(this->symbolicEngine->getMemoryAst(inst, vt2_m));
2787 vec3.push_front(this->symbolicEngine->getMemoryAst(inst, vt3_m));
2788
2789 vt0_t |= this->taintEngine->isMemoryTainted(vt0_m);
2790 vt1_t |= this->taintEngine->isMemoryTainted(vt1_m);
2791 vt2_t |= this->taintEngine->isMemoryTainted(vt2_m);
2792 vt3_t |= this->taintEngine->isMemoryTainted(vt3_m);
2793 }
2794
2795 postIndex = 32;
2796 break;
2797 }
2798
2799 default:
2800 throw triton::exceptions::Semantics("AArch64Semantics::ld4r_s(): Invalid VAS encoding.");
2801 }
2802
2803 /* Create the semantics of the LD3R */
2804 auto node0 = this->astCtxt->concat(vec0);
2805 auto node1 = this->astCtxt->concat(vec1);
2806 auto node2 = this->astCtxt->concat(vec2);
2807 auto node3 = this->astCtxt->concat(vec3);
2808
2809 /* Create symbolic expression */
2810 auto expr0 = this->symbolicEngine->createSymbolicExpression(inst, node0, vt0, "LD4R operation - LOAD access");
2811 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, vt1, "LD4R operation - LOAD access");
2812 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, vt2, "LD4R operation - LOAD access");
2813 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, vt3, "LD4R operation - LOAD access");
2814
2815 /* Spread taint */
2816 expr0->isTainted = vt0_t;
2817 expr1->isTainted = vt1_t;
2818 expr2->isTainted = vt2_t;
2819 expr3->isTainted = vt3_t;
2820
2821 /*
2822 * Register offset (Rm != 11111)
2823 * LD4R { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T>, <Vt4>.<T> }, [<Xn|SP>], <Xm>
2824 */
2825 if (inst.operands.size() == 6 && inst.operands[5].getType() == triton::arch::OP_REG) {
2826 auto base = mem.getBaseRegister();
2827 auto offset = inst.operands[5].getRegister();
2828
2829 /* Create symbolic operands of the post computation */
2830 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2831 auto offsetNode = this->symbolicEngine->getOperandAst(inst, offset);
2832
2833 /* Create the semantics of the base register */
2834 auto node4 = this->astCtxt->bvadd(baseNode, offsetNode);
2835
2836 /* Create symbolic expression */
2837 auto expr4 = this->symbolicEngine->createSymbolicExpression(inst, node4, base, "LD4R operation - Post Index");
2838
2839 /* Spread taint */
2840 expr4->isTainted = this->taintEngine->isTainted(base) | this->taintEngine->isTainted(offset);
2841 }
2842
2843 /*
2844 * Register offset (Rm == 11111)
2845 * LD4R { <Vt>.<T>, <Vt2>.<T>, <Vt3>.<T>, <Vt4>.<T> }, [<Xn|SP>], <imm>
2846 */
2847 else if (inst.operands.size() == 5 && inst.isWriteBack()) {
2848 /* Create symbolic operands of the post computation */
2849 auto base = mem.getBaseRegister();
2850 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
2851
2852 /* Create the semantics of the base register */
2853 auto node4 = this->astCtxt->bvadd(baseNode, this->astCtxt->bv(postIndex, base.getBitSize()));
2854
2855 /* Create symbolic expression */
2856 auto expr4 = this->symbolicEngine->createSymbolicExpression(inst, node4, base, "LD4R operation - Post Index");
2857
2858 /* Spread taint */
2859 expr4->isTainted = this->taintEngine->isTainted(base);
2860 }
2861
2862 /* Update the symbolic control flow */
2863 this->controlFlow_s(inst);
2864 }
2865
2866
2867 void AArch64Semantics::ldar_s(triton::arch::Instruction& inst) {
2868 triton::arch::OperandWrapper& dst = inst.operands[0];
2869 triton::arch::OperandWrapper& src = inst.operands[1];
2870
2871 /* Create the semantics of the LOAD */
2872 auto node = this->symbolicEngine->getOperandAst(inst, src);
2873
2874 /* Create symbolic expression */
2875 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDAR operation - LOAD access");
2876
2877 /* Spread taint */
2878 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
2879
2880 /* Update the symbolic control flow */
2881 this->controlFlow_s(inst);
2882 }
2883
2884
2885 void AArch64Semantics::ldarb_s(triton::arch::Instruction& inst) {
2886 triton::arch::OperandWrapper& dst = inst.operands[0];
2887 triton::arch::OperandWrapper& src = inst.operands[1];
2888
2889 /* Create the semantics of the LOAD */
2890 auto node = this->symbolicEngine->getOperandAst(inst, src);
2891
2892 /* Create symbolic expression */
2893 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDARB operation - LOAD access");
2894
2895 /* Spread taint */
2896 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
2897
2898 /* Update the symbolic control flow */
2899 this->controlFlow_s(inst);
2900 }
2901
2902
2903 void AArch64Semantics::ldarh_s(triton::arch::Instruction& inst) {
2904 triton::arch::OperandWrapper& dst = inst.operands[0];
2905 triton::arch::OperandWrapper& src = inst.operands[1];
2906
2907 /* Create the semantics of the LOAD */
2908 auto node = this->symbolicEngine->getOperandAst(inst, src);
2909
2910 /* Create symbolic expression */
2911 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDARH operation - LOAD access");
2912
2913 /* Spread taint */
2914 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
2915
2916 /* Update the symbolic control flow */
2917 this->controlFlow_s(inst);
2918 }
2919
2920
2921 void AArch64Semantics::ldaxr_s(triton::arch::Instruction& inst) {
2922 triton::arch::OperandWrapper& dst = inst.operands[0];
2923 triton::arch::OperandWrapper& src = inst.operands[1];
2924
2925 /* Create the semantics of the LOAD */
2926 auto node = this->symbolicEngine->getOperandAst(inst, src);
2927
2928 /* Create symbolic expression */
2929 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDAXR operation - LOAD access");
2930
2931 /* Spread taint */
2932 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
2933
2934 /* Update exclusive memory access tag */
2935 this->architecture->setMemoryExclusiveTag(src.getConstMemory(), true);
2936
2937 /* Update the symbolic control flow */
2938 this->controlFlow_s(inst);
2939 }
2940
2941
2942 void AArch64Semantics::ldaxrb_s(triton::arch::Instruction& inst) {
2943 triton::arch::OperandWrapper& dst = inst.operands[0];
2944 triton::arch::OperandWrapper& src = inst.operands[1];
2945
2946 /* Create the semantics of the LOAD */
2947 auto node = this->symbolicEngine->getOperandAst(inst, src);
2948
2949 /* Create symbolic expression */
2950 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDAXRB operation - LOAD access");
2951
2952 /* Spread taint */
2953 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
2954
2955 /* Update exclusive memory access tag */
2956 this->architecture->setMemoryExclusiveTag(src.getConstMemory(), true);
2957
2958 /* Update the symbolic control flow */
2959 this->controlFlow_s(inst);
2960 }
2961
2962
2963 void AArch64Semantics::ldaxrh_s(triton::arch::Instruction& inst) {
2964 triton::arch::OperandWrapper& dst = inst.operands[0];
2965 triton::arch::OperandWrapper& src = inst.operands[1];
2966
2967 /* Create the semantics of the LOAD */
2968 auto node = this->symbolicEngine->getOperandAst(inst, src);
2969
2970 /* Create symbolic expression */
2971 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDAXRH operation - LOAD access");
2972
2973 /* Spread taint */
2974 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
2975
2976 /* Update exclusive memory access tag */
2977 this->architecture->setMemoryExclusiveTag(src.getConstMemory(), true);
2978
2979 /* Update the symbolic control flow */
2980 this->controlFlow_s(inst);
2981 }
2982
2983
2984 void AArch64Semantics::ldnp_s(triton::arch::Instruction& inst) {
2985 triton::arch::OperandWrapper& dst1 = inst.operands[0];
2986 triton::arch::OperandWrapper& dst2 = inst.operands[1];
2987 triton::arch::OperandWrapper& src = inst.operands[2];
2988
2989 /* Special behavior: Define that the size of the memory access is dst1.size + dst2.size */
2990 src.getMemory().setBits((dst1.getBitSize() + dst2.getBitSize()) - 1, 0);
2991
2992 /* Create symbolic operands */
2993 auto op = this->symbolicEngine->getOperandAst(inst, src);
2994
2995 /* Create the semantics */
2996 auto node1 = this->astCtxt->extract((dst1.getBitSize() - 1), 0, op);
2997 auto node2 = this->astCtxt->extract((dst1.getBitSize() + dst2.getBitSize()) - 1, dst1.getBitSize(), op);
2998
2999 /* Create symbolic expression */
3000 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "LDNP operation - LOAD access");
3001 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "LDNP operation - LOAD access");
3002
3003 /* Spread taint */
3004 expr1->isTainted = this->taintEngine->taintAssignment(dst1, src);
3005 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
3006
3007 /* Update the symbolic control flow */
3008 this->controlFlow_s(inst);
3009 }
3010
3011
3012 void AArch64Semantics::ldp_s(triton::arch::Instruction& inst) {
3013 triton::arch::OperandWrapper& dst1 = inst.operands[0];
3014 triton::arch::OperandWrapper& dst2 = inst.operands[1];
3015 triton::arch::OperandWrapper& src = inst.operands[2];
3016
3017 /* Special behavior: Define that the size of the memory access is dst1.size + dst2.size */
3018 src.getMemory().setBits((dst1.getBitSize() + dst2.getBitSize()) - 1, 0);
3019
3020 /* Create symbolic operands */
3021 auto op = this->symbolicEngine->getOperandAst(inst, src);
3022
3023 /* Create the semantics */
3024 auto node1 = this->astCtxt->extract((dst1.getBitSize() - 1), 0, op);
3025 auto node2 = this->astCtxt->extract((dst1.getBitSize() + dst2.getBitSize()) - 1, dst1.getBitSize(), op);
3026
3027 /* Create symbolic expression */
3028 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "LDP operation - LOAD access");
3029 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "LDP operation - LOAD access");
3030
3031 /* Spread taint */
3032 expr1->isTainted = this->taintEngine->taintAssignment(dst1, src);
3033 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
3034
3035 /* Optional behavior. Post computation of the base register */
3036 /* LDP <Xt1>, <Xt2>, [<Xn|SP>], #<imm> */
3037 if (inst.operands.size() == 4) {
3038 triton::arch::Immediate& imm = inst.operands[3].getImmediate();
3039 triton::arch::Register& base = src.getMemory().getBaseRegister();
3040
3041 /* Create symbolic operands of the post computation */
3042 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3043 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3044
3045 /* Create the semantics of the base register */
3046 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3047
3048 /* Create symbolic expression */
3049 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDP operation - Base register computation");
3050
3051 /* Spread taint */
3052 expr2->isTainted = this->taintEngine->isTainted(base);
3053 }
3054
3055 /* LDP <Xt1>, <Xt2>, [<Xn|SP>, #<imm>]! */
3056 else if (inst.operands.size() == 3 && inst.isWriteBack() == true) {
3057 triton::arch::Register& base = src.getMemory().getBaseRegister();
3058
3059 /* Create the semantics of the base register */
3060 auto node3 = src.getMemory().getLeaAst();
3061
3062 /* Create symbolic expression */
3063 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDP operation - Base register computation");
3064
3065 /* Spread taint */
3066 expr3->isTainted = this->taintEngine->isTainted(base);
3067 }
3068
3069 /* Update the symbolic control flow */
3070 this->controlFlow_s(inst);
3071 }
3072
3073
3074 void AArch64Semantics::ldpsw_s(triton::arch::Instruction& inst) {
3075 triton::arch::OperandWrapper& dst1 = inst.operands[0];
3076 triton::arch::OperandWrapper& dst2 = inst.operands[1];
3077 triton::arch::OperandWrapper& src = inst.operands[2];
3078
3079 /* Create symbolic operands */
3080 auto op = this->symbolicEngine->getOperandAst(inst, src);
3081
3082 /* Create the semantics */
3083 auto node1 = this->astCtxt->sx(32, this->astCtxt->extract(31, 0, op));
3084 auto node2 = this->astCtxt->sx(32, this->astCtxt->extract(63, 32, op));
3085
3086 /* Create symbolic expression */
3087 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "LDPSW operation - LOAD access");
3088 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "LDPSW operation - LOAD access");
3089
3090 /* Spread taint */
3091 expr1->isTainted = this->taintEngine->taintAssignment(dst1, src);
3092 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
3093
3094 /* Optional behavior. Post computation of the base register */
3095 /* LDPSW <Xt1>, <Xt2>, [<Xn|SP>], #<imm> */
3096 if (inst.operands.size() == 4) {
3097 triton::arch::Immediate& imm = inst.operands[3].getImmediate();
3098 triton::arch::Register& base = src.getMemory().getBaseRegister();
3099
3100 /* Create symbolic operands of the post computation */
3101 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3102 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3103
3104 /* Create the semantics of the base register */
3105 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3106
3107 /* Create symbolic expression */
3108 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDPSW operation - Base register computation");
3109
3110 /* Spread taint */
3111 expr2->isTainted = this->taintEngine->isTainted(base);
3112 }
3113
3114 /* LDPSW <Xt1>, <Xt2>, [<Xn|SP>, #<imm>]! */
3115 else if (inst.operands.size() == 3 && inst.isWriteBack() == true) {
3116 triton::arch::Register& base = src.getMemory().getBaseRegister();
3117
3118 /* Create the semantics of the base register */
3119 auto node3 = src.getMemory().getLeaAst();
3120
3121 /* Create symbolic expression */
3122 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDPSW operation - Base register computation");
3123
3124 /* Spread taint */
3125 expr3->isTainted = this->taintEngine->isTainted(base);
3126 }
3127
3128 /* Update the symbolic control flow */
3129 this->controlFlow_s(inst);
3130 }
3131
3132
3133 void AArch64Semantics::ldr_s(triton::arch::Instruction& inst) {
3134 triton::arch::OperandWrapper& dst = inst.operands[0];
3135 triton::arch::OperandWrapper& src = inst.operands[1];
3136
3137 /* LDR (literal) */
3138 if (inst.operands.size() == 2 && src.getType() == triton::arch::OP_IMM) {
3139 src = triton::arch::MemoryAccess(src.getConstImmediate().getValue(), dst.getSize());
3140 }
3141
3142 /* Create the semantics of the LOAD */
3143 auto node1 = this->symbolicEngine->getOperandAst(inst, src);
3144
3145 /* Create symbolic expression */
3146 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "LDR operation - LOAD access");
3147
3148 /* Spread taint */
3149 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
3150
3151 /* Optional behavior. Post computation of the base register */
3152 /* LDR <Xt>, [<Xn|SP>], #<simm> */
3153 if (inst.operands.size() == 3) {
3154 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
3155 triton::arch::Register& base = src.getMemory().getBaseRegister();
3156
3157 /* Create symbolic operands of the post computation */
3158 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3159 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3160
3161 /* Create the semantics of the base register */
3162 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3163
3164 /* Create symbolic expression */
3165 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDR operation - Base register computation");
3166
3167 /* Spread taint */
3168 expr2->isTainted = this->taintEngine->isTainted(base);
3169 }
3170 /* LDR <Xt>, [<Xn|SP>, #<simm>]! */
3171 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
3172 triton::arch::Register& base = src.getMemory().getBaseRegister();
3173
3174 /* Create the semantics of the base register */
3175 auto node3 = src.getMemory().getLeaAst();
3176
3177 /* Create symbolic expression */
3178 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDR operation - Base register computation");
3179
3180 /* Spread taint */
3181 expr3->isTainted = this->taintEngine->isTainted(base);
3182 }
3183
3184 /* Update the symbolic control flow */
3185 this->controlFlow_s(inst);
3186 }
3187
3188
3189 void AArch64Semantics::ldrb_s(triton::arch::Instruction& inst) {
3190 triton::arch::OperandWrapper& dst = inst.operands[0];
3191 triton::arch::OperandWrapper& src = inst.operands[1];
3192
3193 /* Create the semantics of the LOAD */
3194 auto node1 = this->symbolicEngine->getOperandAst(inst, src);
3195
3196 /* Create symbolic expression */
3197 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "LDRB operation - LOAD access");
3198
3199 /* Spread taint */
3200 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
3201
3202 /* Optional behavior. Post computation of the base register */
3203 /* LDRB <Xt>, [<Xn|SP>], #<simm> */
3204 if (inst.operands.size() == 3) {
3205 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
3206 triton::arch::Register& base = src.getMemory().getBaseRegister();
3207
3208 /* Create symbolic operands of the post computation */
3209 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3210 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3211
3212 /* Create the semantics of the base register */
3213 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3214
3215 /* Create symbolic expression */
3216 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDRB operation - Base register computation");
3217
3218 /* Spread taint */
3219 expr2->isTainted = this->taintEngine->isTainted(base);
3220 }
3221
3222 /* LDRB <Xt>, [<Xn|SP>, #<simm>]! */
3223 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
3224 triton::arch::Register& base = src.getMemory().getBaseRegister();
3225
3226 /* Create the semantics of the base register */
3227 auto node3 = src.getMemory().getLeaAst();
3228
3229 /* Create symbolic expression */
3230 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDRB operation - Base register computation");
3231
3232 /* Spread taint */
3233 expr3->isTainted = this->taintEngine->isTainted(base);
3234 }
3235
3236 /* Update the symbolic control flow */
3237 this->controlFlow_s(inst);
3238 }
3239
3240
3241 void AArch64Semantics::ldrh_s(triton::arch::Instruction& inst) {
3242 triton::arch::OperandWrapper& dst = inst.operands[0];
3243 triton::arch::OperandWrapper& src = inst.operands[1];
3244
3245 /* Create the semantics of the LOAD */
3246 auto node1 = this->symbolicEngine->getOperandAst(inst, src);
3247
3248 /* Create symbolic expression */
3249 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "LDRH operation - LOAD access");
3250
3251 /* Spread taint */
3252 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
3253
3254 /* Optional behavior. Post computation of the base register */
3255 /* LDRH <Xt>, [<Xn|SP>], #<simm> */
3256 if (inst.operands.size() == 3) {
3257 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
3258 triton::arch::Register& base = src.getMemory().getBaseRegister();
3259
3260 /* Create symbolic operands of the post computation */
3261 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3262 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3263
3264 /* Create the semantics of the base register */
3265 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3266
3267 /* Create symbolic expression */
3268 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDRH operation - Base register computation");
3269
3270 /* Spread taint */
3271 expr2->isTainted = this->taintEngine->isTainted(base);
3272 }
3273
3274 /* LDRH <Xt>, [<Xn|SP>, #<simm>]! */
3275 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
3276 triton::arch::Register& base = src.getMemory().getBaseRegister();
3277
3278 /* Create the semantics of the base register */
3279 auto node3 = src.getMemory().getLeaAst();
3280
3281 /* Create symbolic expression */
3282 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDRH operation - Base register computation");
3283
3284 /* Spread taint */
3285 expr3->isTainted = this->taintEngine->isTainted(base);
3286 }
3287
3288 /* Update the symbolic control flow */
3289 this->controlFlow_s(inst);
3290 }
3291
3292
3293 void AArch64Semantics::ldrsb_s(triton::arch::Instruction& inst) {
3294 triton::arch::OperandWrapper& dst = inst.operands[0];
3295 triton::arch::OperandWrapper& src = inst.operands[1];
3296
3297 /* Create symbolic operands */
3298 auto op = this->symbolicEngine->getOperandAst(inst, src);
3299
3300 /* Create the semantics of the LOAD */
3301 auto node1 = this->astCtxt->sx(dst.getBitSize() - 8, op);
3302
3303 /* Create symbolic expression */
3304 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "LDRSB operation - LOAD access");
3305
3306 /* Spread taint */
3307 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
3308
3309 /* Optional behavior. Post computation of the base register */
3310 /* LDRSB <Xt>, [<Xn|SP>], #<simm> */
3311 if (inst.operands.size() == 3) {
3312 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
3313 triton::arch::Register& base = src.getMemory().getBaseRegister();
3314
3315 /* Create symbolic operands of the post computation */
3316 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3317 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3318
3319 /* Create the semantics of the base register */
3320 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3321
3322 /* Create symbolic expression */
3323 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDRSB operation - Base register computation");
3324
3325 /* Spread taint */
3326 expr2->isTainted = this->taintEngine->isTainted(base);
3327 }
3328
3329 /* LDRSB <Xt>, [<Xn|SP>, #<simm>]! */
3330 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
3331 triton::arch::Register& base = src.getMemory().getBaseRegister();
3332
3333 /* Create the semantics of the base register */
3334 auto node3 = src.getMemory().getLeaAst();
3335
3336 /* Create symbolic expression */
3337 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDRSB operation - Base register computation");
3338
3339 /* Spread taint */
3340 expr3->isTainted = this->taintEngine->isTainted(base);
3341 }
3342
3343 /* Update the symbolic control flow */
3344 this->controlFlow_s(inst);
3345 }
3346
3347
3348 void AArch64Semantics::ldrsh_s(triton::arch::Instruction& inst) {
3349 triton::arch::OperandWrapper& dst = inst.operands[0];
3350 triton::arch::OperandWrapper& src = inst.operands[1];
3351
3352 /* Create symbolic operands */
3353 auto op = this->symbolicEngine->getOperandAst(inst, src);
3354
3355 /* Create the semantics of the LOAD */
3356 auto node1 = this->astCtxt->sx(dst.getBitSize() - 16, op);
3357
3358 /* Create symbolic expression */
3359 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "LDRSH operation - LOAD access");
3360
3361 /* Spread taint */
3362 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
3363
3364 /* Optional behavior. Post computation of the base register */
3365 /* LDRSH <Xt>, [<Xn|SP>], #<simm> */
3366 if (inst.operands.size() == 3) {
3367 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
3368 triton::arch::Register& base = src.getMemory().getBaseRegister();
3369
3370 /* Create symbolic operands of the post computation */
3371 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3372 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3373
3374 /* Create the semantics of the base register */
3375 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3376
3377 /* Create symbolic expression */
3378 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDRSH operation - Base register computation");
3379
3380 /* Spread taint */
3381 expr2->isTainted = this->taintEngine->isTainted(base);
3382 }
3383
3384 /* LDRSH <Xt>, [<Xn|SP>, #<simm>]! */
3385 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
3386 triton::arch::Register& base = src.getMemory().getBaseRegister();
3387
3388 /* Create the semantics of the base register */
3389 auto node3 = src.getMemory().getLeaAst();
3390
3391 /* Create symbolic expression */
3392 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDRSH operation - Base register computation");
3393
3394 /* Spread taint */
3395 expr3->isTainted = this->taintEngine->isTainted(base);
3396 }
3397
3398 /* Update the symbolic control flow */
3399 this->controlFlow_s(inst);
3400 }
3401
3402
3403 void AArch64Semantics::ldrsw_s(triton::arch::Instruction& inst) {
3404 triton::arch::OperandWrapper& dst = inst.operands[0];
3405 triton::arch::OperandWrapper& src = inst.operands[1];
3406
3407 /* LDRSW (literal) */
3408 if (inst.operands.size() == 2 && src.getType() == triton::arch::OP_IMM) {
3409 src = triton::arch::MemoryAccess(src.getConstImmediate().getValue(), dst.getSize());
3410 }
3411
3412 /* Create symbolic operands */
3413 auto op = this->symbolicEngine->getOperandAst(inst, src);
3414
3415 /* Create the semantics of the LOAD */
3416 auto node1 = this->astCtxt->sx(dst.getBitSize() - 32, op);
3417
3418 /* Create symbolic expression */
3419 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "LDRSW operation - LOAD access");
3420
3421 /* Spread taint */
3422 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
3423
3424 /* Optional behavior. Post computation of the base register */
3425 /* LDRSW <Xt>, [<Xn|SP>], #<simm> */
3426 if (inst.operands.size() == 3) {
3427 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
3428 triton::arch::Register& base = src.getMemory().getBaseRegister();
3429
3430 /* Create symbolic operands of the post computation */
3431 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
3432 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
3433
3434 /* Create the semantics of the base register */
3435 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
3436
3437 /* Create symbolic expression */
3438 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "LDRSW operation - Base register computation");
3439
3440 /* Spread taint */
3441 expr2->isTainted = this->taintEngine->isTainted(base);
3442 }
3443
3444 /* LDRSW <Xt>, [<Xn|SP>, #<simm>]! */
3445 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
3446 triton::arch::Register& base = src.getMemory().getBaseRegister();
3447
3448 /* Create the semantics of the base register */
3449 auto node3 = src.getMemory().getLeaAst();
3450
3451 /* Create symbolic expression */
3452 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "LDRSW operation - Base register computation");
3453
3454 /* Spread taint */
3455 expr3->isTainted = this->taintEngine->isTainted(base);
3456 }
3457
3458 /* Update the symbolic control flow */
3459 this->controlFlow_s(inst);
3460 }
3461
3462
3463 void AArch64Semantics::ldtr_s(triton::arch::Instruction& inst) {
3464 triton::arch::OperandWrapper& dst = inst.operands[0];
3465 triton::arch::OperandWrapper& src = inst.operands[1];
3466
3467 /* Create the semantics of the LOAD */
3468 auto node = this->symbolicEngine->getOperandAst(inst, src);
3469
3470 /* Create symbolic expression */
3471 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDTR operation");
3472
3473 /* Spread taint */
3474 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3475
3476 /* Update the symbolic control flow */
3477 this->controlFlow_s(inst);
3478 }
3479
3480
3481 void AArch64Semantics::ldtrb_s(triton::arch::Instruction& inst) {
3482 triton::arch::OperandWrapper& dst = inst.operands[0];
3483 triton::arch::OperandWrapper& src = inst.operands[1];
3484
3485 /* Create symbolic operands */
3486 auto op = this->symbolicEngine->getOperandAst(inst, src);
3487
3488 /* Create the semantics */
3489 auto node = this->astCtxt->zx(dst.getBitSize() - 8, op);
3490
3491 /* Create symbolic expression */
3492 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDTRB operation");
3493
3494 /* Spread taint */
3495 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3496
3497 /* Update the symbolic control flow */
3498 this->controlFlow_s(inst);
3499 }
3500
3501
3502 void AArch64Semantics::ldtrh_s(triton::arch::Instruction& inst) {
3503 triton::arch::OperandWrapper& dst = inst.operands[0];
3504 triton::arch::OperandWrapper& src = inst.operands[1];
3505
3506 /* Create symbolic operands */
3507 auto op = this->symbolicEngine->getOperandAst(inst, src);
3508
3509 /* Create the semantics */
3510 auto node = this->astCtxt->zx(dst.getBitSize() - 16, op);
3511
3512 /* Create symbolic expression */
3513 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDTRH operation");
3514
3515 /* Spread taint */
3516 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3517
3518 /* Update the symbolic control flow */
3519 this->controlFlow_s(inst);
3520 }
3521
3522
3523 void AArch64Semantics::ldtrsb_s(triton::arch::Instruction& inst) {
3524 triton::arch::OperandWrapper& dst = inst.operands[0];
3525 triton::arch::OperandWrapper& src = inst.operands[1];
3526
3527 /* Create symbolic operands */
3528 auto op = this->symbolicEngine->getOperandAst(inst, src);
3529
3530 /* Create the semantics */
3531 auto node = this->astCtxt->sx(dst.getBitSize() - 8, op);
3532
3533 /* Create symbolic expression */
3534 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDTRSB operation");
3535
3536 /* Spread taint */
3537 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3538
3539 /* Update the symbolic control flow */
3540 this->controlFlow_s(inst);
3541 }
3542
3543
3544 void AArch64Semantics::ldtrsh_s(triton::arch::Instruction& inst) {
3545 triton::arch::OperandWrapper& dst = inst.operands[0];
3546 triton::arch::OperandWrapper& src = inst.operands[1];
3547
3548 /* Create symbolic operands */
3549 auto op = this->symbolicEngine->getOperandAst(inst, src);
3550
3551 /* Create the semantics */
3552 auto node = this->astCtxt->sx(dst.getBitSize() - 16, op);
3553
3554 /* Create symbolic expression */
3555 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDTRSH operation");
3556
3557 /* Spread taint */
3558 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3559
3560 /* Update the symbolic control flow */
3561 this->controlFlow_s(inst);
3562 }
3563
3564
3565 void AArch64Semantics::ldtrsw_s(triton::arch::Instruction& inst) {
3566 triton::arch::OperandWrapper& dst = inst.operands[0];
3567 triton::arch::OperandWrapper& src = inst.operands[1];
3568
3569 /* Create symbolic operands */
3570 auto op = this->symbolicEngine->getOperandAst(inst, src);
3571
3572 /* Create the semantics */
3573 auto node = this->astCtxt->sx(dst.getBitSize() - 32, op);
3574
3575 /* Create symbolic expression */
3576 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDTRSW operation");
3577
3578 /* Spread taint */
3579 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3580
3581 /* Update the symbolic control flow */
3582 this->controlFlow_s(inst);
3583 }
3584
3585
3586 void AArch64Semantics::ldur_s(triton::arch::Instruction& inst) {
3587 triton::arch::OperandWrapper& dst = inst.operands[0];
3588 triton::arch::OperandWrapper& src = inst.operands[1];
3589
3590 /* Create the semantics of the LOAD */
3591 auto node = this->symbolicEngine->getOperandAst(inst, src);
3592
3593 /* Create symbolic expression */
3594 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDUR operation");
3595
3596 /* Spread taint */
3597 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3598
3599 /* Update the symbolic control flow */
3600 this->controlFlow_s(inst);
3601 }
3602
3603
3604 void AArch64Semantics::ldurb_s(triton::arch::Instruction& inst) {
3605 triton::arch::OperandWrapper& dst = inst.operands[0];
3606 triton::arch::OperandWrapper& src = inst.operands[1];
3607
3608 /* Create symbolic operands */
3609 auto op = this->symbolicEngine->getOperandAst(inst, src);
3610
3611 /* Create the semantics */
3612 auto node = this->astCtxt->zx(dst.getBitSize() - 8, op);
3613
3614 /* Create symbolic expression */
3615 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDURB operation");
3616
3617 /* Spread taint */
3618 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3619
3620 /* Update the symbolic control flow */
3621 this->controlFlow_s(inst);
3622 }
3623
3624
3625 void AArch64Semantics::ldurh_s(triton::arch::Instruction& inst) {
3626 triton::arch::OperandWrapper& dst = inst.operands[0];
3627 triton::arch::OperandWrapper& src = inst.operands[1];
3628
3629 /* Create symbolic operands */
3630 auto op = this->symbolicEngine->getOperandAst(inst, src);
3631
3632 /* Create the semantics */
3633 auto node = this->astCtxt->zx(dst.getBitSize() - 16, op);
3634
3635 /* Create symbolic expression */
3636 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDURH operation");
3637
3638 /* Spread taint */
3639 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3640
3641 /* Update the symbolic control flow */
3642 this->controlFlow_s(inst);
3643 }
3644
3645
3646 void AArch64Semantics::ldursb_s(triton::arch::Instruction& inst) {
3647 triton::arch::OperandWrapper& dst = inst.operands[0];
3648 triton::arch::OperandWrapper& src = inst.operands[1];
3649
3650 /* Create symbolic operands */
3651 auto op = this->symbolicEngine->getOperandAst(inst, src);
3652
3653 /* Create the semantics */
3654 auto node = this->astCtxt->sx(dst.getBitSize() - 8, op);
3655
3656 /* Create symbolic expression */
3657 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDURSB operation");
3658
3659 /* Spread taint */
3660 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3661
3662 /* Update the symbolic control flow */
3663 this->controlFlow_s(inst);
3664 }
3665
3666
3667 void AArch64Semantics::ldursh_s(triton::arch::Instruction& inst) {
3668 triton::arch::OperandWrapper& dst = inst.operands[0];
3669 triton::arch::OperandWrapper& src = inst.operands[1];
3670
3671 /* Create symbolic operands */
3672 auto op = this->symbolicEngine->getOperandAst(inst, src);
3673
3674 /* Create the semantics */
3675 auto node = this->astCtxt->sx(dst.getBitSize() - 16, op);
3676
3677 /* Create symbolic expression */
3678 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDURSH operation");
3679
3680 /* Spread taint */
3681 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3682
3683 /* Update the symbolic control flow */
3684 this->controlFlow_s(inst);
3685 }
3686
3687
3688 void AArch64Semantics::ldursw_s(triton::arch::Instruction& inst) {
3689 triton::arch::OperandWrapper& dst = inst.operands[0];
3690 triton::arch::OperandWrapper& src = inst.operands[1];
3691
3692 /* Create symbolic operands */
3693 auto op = this->symbolicEngine->getOperandAst(inst, src);
3694
3695 /* Create the semantics */
3696 auto node = this->astCtxt->sx(dst.getBitSize() - 32, op);
3697
3698 /* Create symbolic expression */
3699 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDURSW operation");
3700
3701 /* Spread taint */
3702 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3703
3704 /* Update the symbolic control flow */
3705 this->controlFlow_s(inst);
3706 }
3707
3708
3709 void AArch64Semantics::ldxp_s(triton::arch::Instruction& inst) {
3710 triton::arch::OperandWrapper& dst1 = inst.operands[0];
3711 triton::arch::OperandWrapper& dst2 = inst.operands[1];
3712 triton::arch::OperandWrapper& src = inst.operands[2];
3713
3714 /* Special behavior: Define that the size of the memory access is dst1.size + dst2.size */
3715 src.getMemory().setBits((dst1.getBitSize() + dst2.getBitSize()) - 1, 0);
3716
3717 /* Create symbolic operands */
3718 auto op = this->symbolicEngine->getOperandAst(inst, src);
3719
3720 /* Create the semantics */
3721 auto node1 = this->astCtxt->extract((dst1.getBitSize() - 1), 0, op);
3722 auto node2 = this->astCtxt->extract((dst1.getBitSize() + dst2.getBitSize()) - 1, dst1.getBitSize(), op);
3723
3724 /* Create symbolic expression */
3725 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "LDXP operation - LOAD access");
3726 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "LDXP operation - LOAD access");
3727
3728 /* Spread taint */
3729 expr1->isTainted = this->taintEngine->taintAssignment(dst1, src);
3730 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
3731
3732 /* Update exclusive memory access tag */
3733 this->architecture->setMemoryExclusiveTag(src.getConstMemory(), true);
3734
3735 /* Update the symbolic control flow */
3736 this->controlFlow_s(inst);
3737 }
3738
3739
3740 void AArch64Semantics::ldxr_s(triton::arch::Instruction& inst) {
3741 triton::arch::OperandWrapper& dst = inst.operands[0];
3742 triton::arch::OperandWrapper& src = inst.operands[1];
3743
3744 /* Create the semantics of the LOAD */
3745 auto node = this->symbolicEngine->getOperandAst(inst, src);
3746
3747 /* Create symbolic expression */
3748 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDXR operation");
3749
3750 /* Spread taint */
3751 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3752
3753 /* Update exclusive memory access tag */
3754 this->architecture->setMemoryExclusiveTag(src.getConstMemory(), true);
3755
3756 /* Update the symbolic control flow */
3757 this->controlFlow_s(inst);
3758 }
3759
3760
3761 void AArch64Semantics::ldxrb_s(triton::arch::Instruction& inst) {
3762 triton::arch::OperandWrapper& dst = inst.operands[0];
3763 triton::arch::OperandWrapper& src = inst.operands[1];
3764
3765 /* Create symbolic operands */
3766 auto op = this->symbolicEngine->getOperandAst(inst, src);
3767
3768 /* Create the semantics */
3769 auto node = this->astCtxt->zx(dst.getBitSize() - 8, op);
3770
3771 /* Create symbolic expression */
3772 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDXRB operation");
3773
3774 /* Spread taint */
3775 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3776
3777 /* Update exclusive memory access tag */
3778 this->architecture->setMemoryExclusiveTag(src.getConstMemory(), true);
3779
3780 /* Update the symbolic control flow */
3781 this->controlFlow_s(inst);
3782 }
3783
3784
3785 void AArch64Semantics::ldxrh_s(triton::arch::Instruction& inst) {
3786 triton::arch::OperandWrapper& dst = inst.operands[0];
3787 triton::arch::OperandWrapper& src = inst.operands[1];
3788
3789 /* Create symbolic operands */
3790 auto op = this->symbolicEngine->getOperandAst(inst, src);
3791
3792 /* Create the semantics */
3793 auto node = this->astCtxt->zx(dst.getBitSize() - 16, op);
3794
3795 /* Create symbolic expression */
3796 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LDXRH operation");
3797
3798 /* Spread taint */
3799 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3800
3801 /* Update exclusive memory access tag */
3802 this->architecture->setMemoryExclusiveTag(src.getConstMemory(), true);
3803
3804 /* Update the symbolic control flow */
3805 this->controlFlow_s(inst);
3806 }
3807
3808
3809 void AArch64Semantics::lsl_s(triton::arch::Instruction& inst) {
3810 auto& dst = inst.operands[0];
3811 auto& src1 = inst.operands[1];
3812 auto& src2 = inst.operands[2];
3813 auto size = src2.getBitSize();
3814
3815 /* Create symbolic operands */
3816 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
3817 auto op2 = this->astCtxt->bvand(
3818 this->symbolicEngine->getOperandAst(inst, src2),
3819 this->astCtxt->bv(size - 1, size)
3820 );
3821
3822 /* Create the semantics */
3823 auto node = this->astCtxt->bvshl(op1, op2);
3824
3825 /* Create symbolic expression */
3826 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LSL operation");
3827
3828 /* Spread taint */
3829 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
3830
3831 /* Update the symbolic control flow */
3832 this->controlFlow_s(inst);
3833 }
3834
3835
3836 void AArch64Semantics::lsr_s(triton::arch::Instruction& inst) {
3837 auto& dst = inst.operands[0];
3838 auto& src1 = inst.operands[1];
3839 auto& src2 = inst.operands[2];
3840 auto size = src2.getBitSize();
3841
3842 /* Create symbolic operands */
3843 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
3844 auto op2 = this->astCtxt->bvand(
3845 this->symbolicEngine->getOperandAst(inst, src2),
3846 this->astCtxt->bv(size - 1, size)
3847 );
3848
3849 /* Create the semantics */
3850 auto node = this->astCtxt->bvlshr(op1, op2);
3851
3852 /* Create symbolic expression */
3853 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "LSR operation");
3854
3855 /* Spread taint */
3856 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
3857
3858 /* Update the symbolic control flow */
3859 this->controlFlow_s(inst);
3860 }
3861
3862
3863 void AArch64Semantics::madd_s(triton::arch::Instruction& inst) {
3864 auto& dst = inst.operands[0];
3865 auto& src1 = inst.operands[1];
3866 auto& src2 = inst.operands[2];
3867 auto& src3 = inst.operands[3];
3868
3869 /* Create symbolic operands */
3870 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
3871 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
3872 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
3873
3874 /* Create the semantics */
3875 auto node = this->astCtxt->bvadd(op3, this->astCtxt->bvmul(op1, op2));
3876
3877 /* Create symbolic expression */
3878 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MADD operation");
3879
3880 /* Spread taint */
3881 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(src3));
3882
3883 /* Update the symbolic control flow */
3884 this->controlFlow_s(inst);
3885 }
3886
3887
3888 void AArch64Semantics::mneg_s(triton::arch::Instruction& inst) {
3889 auto& dst = inst.operands[0];
3890 auto& src1 = inst.operands[1];
3891 auto& src2 = inst.operands[2];
3892
3893 /* Create symbolic operands */
3894 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
3895 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
3896
3897 /* Create the semantics */
3898 auto node = this->astCtxt->bvneg(this->astCtxt->bvmul(op1, op2));
3899
3900 /* Create symbolic expression */
3901 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MNEG operation");
3902
3903 /* Spread taint */
3904 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
3905
3906 /* Update the symbolic control flow */
3907 this->controlFlow_s(inst);
3908 }
3909
3910
3911 void AArch64Semantics::mov_s(triton::arch::Instruction& inst) {
3912 auto& dst = inst.operands[0];
3913 auto& src = inst.operands[1];
3914
3915 /* Create the semantics */
3916 auto node = this->symbolicEngine->getOperandAst(inst, src);
3917
3918 /* Create symbolic expression */
3919 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MOV operation");
3920
3921 /* Spread taint */
3922 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
3923
3924 /* Update the symbolic control flow */
3925 this->controlFlow_s(inst);
3926 }
3927
3928
3929 void AArch64Semantics::movi_s(triton::arch::Instruction& inst) {
3930 std::list<triton::ast::SharedAbstractNode> vec;
3931
3932 triton::arch::OperandWrapper& dst = inst.operands[0]; /* vas register */
3933 triton::arch::OperandWrapper& src = inst.operands[1]; /* imm */
3934
3935 /* Create symbolic operands */
3936 auto imm = this->symbolicEngine->getOperandAst(inst, src);
3937 auto vas_e = dst.getConstRegister().getVASType();
3938
3939 switch (vas_e) {
3940 case triton::arch::arm::ID_VAS_16B: {
3941 for (triton::uint32 i = 0; i != 16; i++) {
3942 vec.push_front(this->astCtxt->extract(7, 0, imm));
3943 }
3944 break;
3945 }
3946
3947 case triton::arch::arm::ID_VAS_8B: {
3948 for (triton::uint32 i = 0; i != 8; i++) {
3949 vec.push_front(this->astCtxt->extract(7, 0, imm));
3950 }
3951 break;
3952 }
3953
3954 case triton::arch::arm::ID_VAS_8H: {
3955 for (triton::uint32 i = 0; i != 16; i += 2) {
3956 vec.push_front(this->astCtxt->extract(15, 0, imm));
3957 }
3958 break;
3959 }
3960
3961 case triton::arch::arm::ID_VAS_4H: {
3962 for (triton::uint32 i = 0; i != 8; i += 2) {
3963 vec.push_front(this->astCtxt->extract(15, 0, imm));
3964 }
3965 break;
3966 }
3967
3968 case triton::arch::arm::ID_VAS_4S: {
3969 for (triton::uint32 i = 0; i != 16; i += 4) {
3970 vec.push_front(this->astCtxt->extract(31, 0, imm));
3971 }
3972 break;
3973 }
3974
3975 case triton::arch::arm::ID_VAS_2S: {
3976 for (triton::uint32 i = 0; i != 8; i += 4) {
3977 vec.push_front(this->astCtxt->extract(31, 0, imm));
3978 }
3979 break;
3980 }
3981
3982 case triton::arch::arm::ID_VAS_2D: {
3983 for (triton::uint32 i = 0; i != 16; i += 8) {
3984 vec.push_front(this->astCtxt->extract(63, 0, imm));
3985 }
3986 break;
3987 }
3988
3989 case triton::arch::arm::ID_VAS_1D: {
3990 for (triton::uint32 i = 0; i != 8; i += 8) {
3991 vec.push_front(this->astCtxt->extract(63, 0, imm));
3992 }
3993 break;
3994 }
3995
3996 default:
3997 throw triton::exceptions::Semantics("AArch64Semantics::movi_s(): Invalid VAS encoding.");
3998 }
3999
4000 /* Create the semantics */
4001 auto node = this->astCtxt->concat(vec);
4002
4003 /* Create symbolic expression */
4004 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MOVI operation");
4005
4006 /* Spread taint */
4007 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4008
4009 /* Update the symbolic control flow */
4010 this->controlFlow_s(inst);
4011 }
4012
4013
4014 void AArch64Semantics::movk_s(triton::arch::Instruction& inst) {
4015 auto& dst = inst.operands[0];
4016 auto& src = inst.operands[1];
4017 auto pos = src.getImmediate().getShiftImmediate(); // 0 by default.
4018
4019 /* Create symbolic operands */
4020 auto op1 = this->symbolicEngine->getOperandAst(inst, dst);
4021 auto op2 = this->symbolicEngine->getOperandAst(inst, src);
4022
4023 /* Create the semantics */
4024 std::vector<triton::ast::SharedAbstractNode> bits;
4025 bits.reserve(10);
4026
4027 switch (pos) {
4028 case 0:
4029 // [------------------------------------------------xxxxxxxxxxxxxxxx]
4030 bits.push_back(this->astCtxt->extract(dst.getHigh(), 16, op1));
4031 bits.push_back(this->astCtxt->extract(15, 0, op2));
4032 break;
4033
4034 case 16:
4035 // [--------------------------------xxxxxxxxxxxxxxxx----------------]
4036 if (dst.getBitSize() == 64) {
4037 /*
4038 * The case where the instruction is: MOVK <Xd>, #<imm>{, LSL #<shift>}.
4039 * Otherwise if the instruction is: MOVK <Wd>, #<imm>{, LSL #<shift>}, just
4040 * skip this extract.
4041 */
4042 bits.push_back(this->astCtxt->extract(dst.getHigh(), 32, op1));
4043 }
4044 bits.push_back(this->astCtxt->extract(31, 16, op2));
4045 bits.push_back(this->astCtxt->extract(15, 0, op1));
4046 break;
4047
4048 case 32:
4049 // [----------------xxxxxxxxxxxxxxxx--------------------------------]
4050 bits.push_back(this->astCtxt->extract(dst.getHigh(), 48, op1));
4051 bits.push_back(this->astCtxt->extract(47, 32, op2));
4052 bits.push_back(this->astCtxt->extract(31, 0, op1));
4053 break;
4054
4055 case 48:
4056 // [xxxxxxxxxxxxxxxx------------------------------------------------]
4057 bits.push_back(this->astCtxt->extract(63, 48, op2));
4058 bits.push_back(this->astCtxt->extract(47, 0, op1));
4059 break;
4060
4061 default:
4062 throw triton::exceptions::Semantics("AArch64Semantics::movk_s(): Invalid pos (hw field) encoding.");
4063 }
4064
4065 auto node = this->astCtxt->concat(bits);
4066
4067 /* Create symbolic expression */
4068 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MOVK operation");
4069
4070 /* Spread taint */
4071 expr->isTainted = this->taintEngine->taintUnion(dst, src);
4072
4073 /* Update the symbolic control flow */
4074 this->controlFlow_s(inst);
4075 }
4076
4077
4078 void AArch64Semantics::movn_s(triton::arch::Instruction& inst) {
4079 auto& dst = inst.operands[0];
4080 auto& src = inst.operands[1];
4081
4082 /* Create symbolic operands */
4083 auto op = this->symbolicEngine->getOperandAst(inst, src);
4084
4085 /* Create the semantics */
4086 auto node = this->astCtxt->bvnot(op);
4087
4088 /* Create symbolic expression */
4089 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MOVN operation");
4090
4091 /* Spread taint */
4092 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4093
4094 /* Update the symbolic control flow */
4095 this->controlFlow_s(inst);
4096 }
4097
4098
4099 void AArch64Semantics::movz_s(triton::arch::Instruction& inst) {
4100 auto& dst = inst.operands[0];
4101 auto& src = inst.operands[1];
4102
4103 /* Create the semantics */
4104 auto node = this->symbolicEngine->getOperandAst(inst, src);
4105
4106 /* Create symbolic expression */
4107 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MOVZ operation");
4108
4109 /* Spread taint */
4110 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4111
4112 /* Update the symbolic control flow */
4113 this->controlFlow_s(inst);
4114 }
4115
4116
4117 void AArch64Semantics::mrs_s(triton::arch::Instruction& inst) {
4118 auto& dst = inst.operands[0];
4119 auto& src = inst.operands[1];
4120
4121 /* Create the semantics */
4122 auto node = this->symbolicEngine->getOperandAst(inst, src);
4123
4124 /* Create symbolic expression */
4125 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MRS operation");
4126
4127 /* Spread taint */
4128 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4129
4130 /* Update the symbolic control flow */
4131 this->controlFlow_s(inst);
4132 }
4133
4134
4135 void AArch64Semantics::msr_s(triton::arch::Instruction& inst) {
4136 auto& dst = inst.operands[0];
4137 auto& src = inst.operands[1];
4138
4139 /* Create the semantics */
4140 auto node = this->symbolicEngine->getOperandAst(inst, src);
4141
4142 /* Create symbolic expression */
4143 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MSR operation");
4144
4145 /* Spread taint */
4146 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4147
4148 /* Update the symbolic control flow */
4149 this->controlFlow_s(inst);
4150 }
4151
4152
4153 void AArch64Semantics::msub_s(triton::arch::Instruction& inst) {
4154 auto& dst = inst.operands[0];
4155 auto& src1 = inst.operands[1];
4156 auto& src2 = inst.operands[2];
4157 auto& src3 = inst.operands[3];
4158
4159 /* Create symbolic operands */
4160 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4161 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4162 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
4163
4164 /* Create the semantics */
4165 auto node = this->astCtxt->bvsub(op3, this->astCtxt->bvmul(op1, op2));
4166
4167 /* Create symbolic expression */
4168 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MSUB operation");
4169
4170 /* Spread taint */
4171 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(src3));
4172
4173 /* Update the symbolic control flow */
4174 this->controlFlow_s(inst);
4175 }
4176
4177
4178 void AArch64Semantics::mul_s(triton::arch::Instruction& inst) {
4179 auto& dst = inst.operands[0];
4180 auto& src1 = inst.operands[1];
4181 auto& src2 = inst.operands[2];
4182
4183 /* Create symbolic operands */
4184 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4185 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4186
4187 /* Create the semantics */
4188 auto node = this->astCtxt->bvmul(op1, op2);
4189
4190 /* Create symbolic expression */
4191 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MUL operation");
4192
4193 /* Spread taint */
4194 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4195
4196 /* Update the symbolic control flow */
4197 this->controlFlow_s(inst);
4198 }
4199
4200
4201 void AArch64Semantics::mvn_s(triton::arch::Instruction& inst) {
4202 auto& dst = inst.operands[0];
4203 auto& src = inst.operands[1];
4204
4205 /* Create symbolic operands */
4206 auto op = this->symbolicEngine->getOperandAst(inst, src);
4207
4208 /* Create the semantics */
4209 auto node = this->astCtxt->bvnot(op);
4210
4211 /* Create symbolic expression */
4212 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MVN operation");
4213
4214 /* Spread taint */
4215 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4216
4217 /* Update the symbolic control flow */
4218 this->controlFlow_s(inst);
4219 }
4220
4221
4222 void AArch64Semantics::neg_s(triton::arch::Instruction& inst) {
4223 auto& dst = inst.operands[0];
4224 auto& src = inst.operands[1];
4225
4226 /* Create symbolic operands */
4227 auto op = this->symbolicEngine->getOperandAst(inst, src);
4228
4229 /* Create the semantics */
4230 auto node = this->astCtxt->bvneg(op);
4231
4232 /* Create symbolic expression */
4233 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "MEG operation");
4234
4235 /* Spread taint */
4236 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4237
4238 /* Update the symbolic control flow */
4239 this->controlFlow_s(inst);
4240 }
4241
4242
4243 void AArch64Semantics::nop_s(triton::arch::Instruction& inst) {
4244 /* Update the symbolic control flow */
4245 this->controlFlow_s(inst);
4246 }
4247
4248
4249 void AArch64Semantics::orn_s(triton::arch::Instruction& inst) {
4250 auto& dst = inst.operands[0];
4251 auto& src1 = inst.operands[1];
4252 auto& src2 = inst.operands[2];
4253
4254 /* Create symbolic operands */
4255 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4256 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4257
4258 /* Create the semantics */
4259 auto node = this->astCtxt->bvor(op1, this->astCtxt->bvnot(op2));
4260
4261 /* Create symbolic expression */
4262 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ORN operation");
4263
4264 /* Spread taint */
4265 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4266
4267 /* Update the symbolic control flow */
4268 this->controlFlow_s(inst);
4269 }
4270
4271
4272 void AArch64Semantics::orr_s(triton::arch::Instruction& inst) {
4273 auto& dst = inst.operands[0];
4274 auto& src1 = inst.operands[1];
4275 auto& src2 = inst.operands[2];
4276
4277 /* Create symbolic operands */
4278 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4279 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4280
4281 /* Create the semantics */
4282 auto node = this->astCtxt->bvor(op1, op2);
4283
4284 /* Special case for vector registers */
4285 if (dst.getConstRegister().getVASSize() == triton::size::qword) {
4286 node = this->astCtxt->extract(63, 0, node);
4287 }
4288
4289 /* Create symbolic expression */
4290 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ORR operation");
4291
4292 /* Spread taint */
4293 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4294
4295 /* Update the symbolic control flow */
4296 this->controlFlow_s(inst);
4297 }
4298
4299
4300 void AArch64Semantics::rbit_s(triton::arch::Instruction& inst) {
4301 auto& dst = inst.operands[0];
4302 auto& src = inst.operands[1];
4303
4304 /* Create symbolic operands */
4305 auto op = this->symbolicEngine->getOperandAst(inst, src);
4306
4307 /* Create the semantics */
4308 std::vector<triton::ast::SharedAbstractNode> bits;
4309 bits.reserve(src.getBitSize());
4310
4311 for (triton::uint32 index = 0; index < src.getBitSize(); index++) {
4312 bits.push_back(this->astCtxt->extract(index, index, op));
4313 }
4314
4315 auto node = this->astCtxt->concat(bits);
4316
4317 /* Create symbolic expression */
4318 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "RBIT operation");
4319
4320 /* Spread taint */
4321 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4322
4323 /* Update the symbolic control flow */
4324 this->controlFlow_s(inst);
4325 }
4326
4327
4328 void AArch64Semantics::ret_s(triton::arch::Instruction& inst) {
4329 auto dst = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
4330 auto src = ((inst.operands.size() == 1) ? inst.operands[0] : triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_X30)));
4331
4332 /* Create the semantics */
4333 auto node = this->symbolicEngine->getOperandAst(inst, src);
4334
4335 /* Create symbolic expression */
4336 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "RET operation - Program Counter");
4337
4338 /* Spread taint */
4339 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4340 }
4341
4342
4343 void AArch64Semantics::rev_s(triton::arch::Instruction& inst) {
4344 auto& dst = inst.operands[0];
4345 auto& src = inst.operands[1];
4346
4347 /* Create symbolic operands */
4348 auto op = this->symbolicEngine->getOperandAst(inst, src);
4349
4350 /* Create the semantics */
4351 std::list<triton::ast::SharedAbstractNode> bits;
4352
4353 switch(src.getSize()) {
4354 case triton::size::qword:
4355 bits.push_front(this->astCtxt->extract(63, 56, op));
4356 bits.push_front(this->astCtxt->extract(55, 48, op));
4357 bits.push_front(this->astCtxt->extract(47, 40, op));
4358 bits.push_front(this->astCtxt->extract(39, 32, op));
4359 case triton::size::dword:
4360 bits.push_front(this->astCtxt->extract(31, 24, op));
4361 bits.push_front(this->astCtxt->extract(23, 16, op));
4362 bits.push_front(this->astCtxt->extract(15, 8, op));
4363 bits.push_front(this->astCtxt->extract(7, 0, op));
4364 break;
4365
4366 default:
4367 throw triton::exceptions::Semantics("AArch64Semantics::rev_s(): Invalid operand size.");
4368 }
4369
4370 auto node = this->astCtxt->concat(bits);
4371
4372 /* Create symbolic expression */
4373 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "REV operation");
4374
4375 /* Spread taint */
4376 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4377
4378 /* Update the symbolic control flow */
4379 this->controlFlow_s(inst);
4380 }
4381
4382
4383 void AArch64Semantics::rev16_s(triton::arch::Instruction& inst) {
4384 auto& dst = inst.operands[0];
4385 auto& src = inst.operands[1];
4386
4387 /* Create symbolic operands */
4388 auto op = this->symbolicEngine->getOperandAst(inst, src);
4389
4390 /* Create the semantics */
4391 std::vector<triton::ast::SharedAbstractNode> bits;
4392 bits.reserve(8);
4393
4394 switch(src.getSize()) {
4395 case triton::size::qword:
4396 bits.push_back(this->astCtxt->extract(55, 48, op));
4397 bits.push_back(this->astCtxt->extract(63, 56, op));
4398 bits.push_back(this->astCtxt->extract(39, 32, op));
4399 bits.push_back(this->astCtxt->extract(47, 40, op));
4400 case triton::size::dword:
4401 bits.push_back(this->astCtxt->extract(23, 16, op));
4402 bits.push_back(this->astCtxt->extract(31, 24, op));
4403 bits.push_back(this->astCtxt->extract(7, 0, op));
4404 bits.push_back(this->astCtxt->extract(15, 8, op));
4405 break;
4406
4407 default:
4408 throw triton::exceptions::Semantics("AArch64Semantics::rev16_s(): Invalid operand size.");
4409 }
4410
4411 auto node = this->astCtxt->concat(bits);
4412
4413 /* Create symbolic expression */
4414 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "REV16 operation");
4415
4416 /* Spread taint */
4417 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4418
4419 /* Update the symbolic control flow */
4420 this->controlFlow_s(inst);
4421 }
4422
4423
4424 void AArch64Semantics::rev32_s(triton::arch::Instruction& inst) {
4425 auto& dst = inst.operands[0];
4426 auto& src = inst.operands[1];
4427
4428 /* Create symbolic operands */
4429 auto op = this->symbolicEngine->getOperandAst(inst, src);
4430
4431 /* Create the semantics */
4432 std::vector<triton::ast::SharedAbstractNode> bits;
4433 bits.reserve(8);
4434
4435 bits.push_back(this->astCtxt->extract(39, 32, op));
4436 bits.push_back(this->astCtxt->extract(47, 40, op));
4437 bits.push_back(this->astCtxt->extract(55, 48, op));
4438 bits.push_back(this->astCtxt->extract(63, 56, op));
4439 bits.push_back(this->astCtxt->extract(7, 0, op));
4440 bits.push_back(this->astCtxt->extract(15, 8, op));
4441 bits.push_back(this->astCtxt->extract(23, 16, op));
4442 bits.push_back(this->astCtxt->extract(31, 24, op));
4443
4444 auto node = this->astCtxt->concat(bits);
4445
4446 /* Create symbolic expression */
4447 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "REV32 operation");
4448
4449 /* Spread taint */
4450 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4451
4452 /* Update the symbolic control flow */
4453 this->controlFlow_s(inst);
4454 }
4455
4456
4457 void AArch64Semantics::ror_s(triton::arch::Instruction& inst) {
4458 auto& dst = inst.operands[0];
4459 auto& src1 = inst.operands[1];
4460 auto& src2 = inst.operands[2];
4461
4462 /* Create symbolic operands */
4463 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4464 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4465
4466 /* Create the semantics */
4467 auto node = this->astCtxt->bvror(op1, op2);
4468
4469 /* Create symbolic expression */
4470 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "ROR operation");
4471
4472 /* Spread taint */
4473 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4474
4475 /* Update the symbolic control flow */
4476 this->controlFlow_s(inst);
4477 }
4478
4479
4480 void AArch64Semantics::sbc_s(triton::arch::Instruction& inst) {
4481 auto& dst = inst.operands[0];
4482 auto& src1 = inst.operands[1];
4483 auto& src2 = inst.operands[2];
4484 auto cf = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_C));
4485
4486 /* Create symbolic operands */
4487 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4488 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4489 auto op3 = this->symbolicEngine->getOperandAst(inst, cf);
4490
4491 /* Create the semantics */
4492 auto node = this->astCtxt->bvadd(this->astCtxt->bvadd(op1, this->astCtxt->bvnot(op2)), this->astCtxt->zx(dst.getBitSize()-1, op3));
4493
4494 /* Create symbolic expression */
4495 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SBC(S) operation");
4496
4497 /* Spread taint */
4498 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(cf));
4499
4500 /* Update symbolic flags */
4501 if (inst.isUpdateFlag() == true) {
4502 this->cfSub_s(inst, expr, src1, op1, op2);
4503 this->nf_s(inst, expr, src1);
4504 this->vfSub_s(inst, expr, src1, op1, op2);
4505 this->zf_s(inst, expr, src1);
4506 }
4507
4508 /* Update the symbolic control flow */
4509 this->controlFlow_s(inst);
4510 }
4511
4512
4513 void AArch64Semantics::sbfx_s(triton::arch::Instruction& inst) {
4514 auto& dst = inst.operands[0];
4515 auto& src1 = inst.operands[1];
4516 auto& src2 = inst.operands[2];
4517 auto& src3 = inst.operands[3];
4518 auto lsb = static_cast<uint32>(src2.getImmediate().getValue());
4519 auto width = static_cast<uint32>(src3.getImmediate().getValue());
4520
4521 if (lsb + width > dst.getBitSize())
4522 throw triton::exceptions::Semantics("AArch64Semantics::sbfx_s(): Invalid lsb and width.");
4523
4524 /* Create symbolic operands */
4525 auto op = this->symbolicEngine->getOperandAst(inst, src1);
4526
4527 /* Create the semantics */
4528 auto node = this->astCtxt->sx(dst.getBitSize() - width, this->astCtxt->extract(lsb+width-1, lsb, op));
4529
4530 /* Create symbolic expression */
4531 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SBFX operation");
4532
4533 /* Spread taint */
4534 expr->isTainted = this->taintEngine->taintAssignment(dst, src1);
4535
4536 /* Update the symbolic control flow */
4537 this->controlFlow_s(inst);
4538 }
4539
4540
4541 void AArch64Semantics::sdiv_s(triton::arch::Instruction& inst) {
4542 auto& dst = inst.operands[0];
4543 auto& src1 = inst.operands[1];
4544 auto& src2 = inst.operands[2];
4545
4546 /* Create symbolic operands */
4547 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4548 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4549
4550 /* Create the semantics */
4551 auto node = this->astCtxt->ite(
4552 this->astCtxt->equal(op2, this->astCtxt->bv(0, op2->getBitvectorSize())),
4553 this->astCtxt->bv(0, dst.getBitSize()),
4554 this->astCtxt->bvsdiv(op1, op2)
4555 );
4556
4557 /* Create symbolic expression */
4558 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SDIV operation");
4559
4560 /* Spread taint */
4561 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4562
4563 /* Update the symbolic control flow */
4564 this->controlFlow_s(inst);
4565 }
4566
4567
4568 void AArch64Semantics::smaddl_s(triton::arch::Instruction& inst) {
4569 auto& dst = inst.operands[0];
4570 auto& src1 = inst.operands[1];
4571 auto& src2 = inst.operands[2];
4572 auto& src3 = inst.operands[3];
4573
4574 /* Create symbolic operands */
4575 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4576 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4577 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
4578
4579 /* Create the semantics */
4580 auto node = this->astCtxt->bvadd(
4581 op3,
4582 this->astCtxt->bvmul(
4583 this->astCtxt->sx(triton::bitsize::dword, op1),
4584 this->astCtxt->sx(triton::bitsize::dword, op2)
4585 )
4586 );
4587
4588 /* Create symbolic expression */
4589 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SMADDL operation");
4590
4591 /* Spread taint */
4592 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(src3));
4593
4594 /* Update the symbolic control flow */
4595 this->controlFlow_s(inst);
4596 }
4597
4598
4599 void AArch64Semantics::smsubl_s(triton::arch::Instruction& inst) {
4600 auto& dst = inst.operands[0];
4601 auto& src1 = inst.operands[1];
4602 auto& src2 = inst.operands[2];
4603 auto& src3 = inst.operands[3];
4604
4605 /* Create symbolic operands */
4606 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4607 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4608 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
4609
4610 /* Create the semantics */
4611 auto node = this->astCtxt->bvsub(
4612 op3,
4613 this->astCtxt->bvmul(
4614 this->astCtxt->sx(triton::bitsize::dword, op1),
4615 this->astCtxt->sx(triton::bitsize::dword, op2)
4616 )
4617 );
4618
4619 /* Create symbolic expression */
4620 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SMSUBL operation");
4621
4622 /* Spread taint */
4623 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(src3));
4624
4625 /* Update the symbolic control flow */
4626 this->controlFlow_s(inst);
4627 }
4628
4629
4630 void AArch64Semantics::smulh_s(triton::arch::Instruction& inst) {
4631 auto& dst = inst.operands[0];
4632 auto& src1 = inst.operands[1];
4633 auto& src2 = inst.operands[2];
4634
4635 /* Create symbolic operands */
4636 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4637 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4638
4639 /* Create the semantics */
4640 auto node = this->astCtxt->extract(
4641 triton::bitsize::dqword-1,
4642 triton::bitsize::qword,
4643 this->astCtxt->bvmul(
4644 this->astCtxt->sx(triton::bitsize::qword, op1),
4645 this->astCtxt->sx(triton::bitsize::qword, op2)
4646 )
4647 );
4648
4649 /* Create symbolic expression */
4650 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SMULH operation");
4651
4652 /* Spread taint */
4653 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4654
4655 /* Update the symbolic control flow */
4656 this->controlFlow_s(inst);
4657 }
4658
4659
4660 void AArch64Semantics::smull_s(triton::arch::Instruction& inst) {
4661 auto& dst = inst.operands[0];
4662 auto& src1 = inst.operands[1];
4663 auto& src2 = inst.operands[2];
4664
4665 /* Create symbolic operands */
4666 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4667 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4668
4669 /* Create the semantics */
4670 auto node = this->astCtxt->bvmul(
4671 this->astCtxt->sx(triton::bitsize::dword, op1),
4672 this->astCtxt->sx(triton::bitsize::dword, op2)
4673 );
4674
4675 /* Create symbolic expression */
4676 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SMULL operation");
4677
4678 /* Spread taint */
4679 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4680
4681 /* Update the symbolic control flow */
4682 this->controlFlow_s(inst);
4683 }
4684
4685
4686 void AArch64Semantics::stlr_s(triton::arch::Instruction& inst) {
4687 triton::arch::OperandWrapper& src = inst.operands[0];
4688 triton::arch::OperandWrapper& dst = inst.operands[1];
4689
4690 /* Create the semantics of the STORE */
4691 auto node = this->symbolicEngine->getOperandAst(inst, src);
4692
4693 /* Create symbolic expression */
4694 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STLR operation - STORE access");
4695
4696 /* Spread taint */
4697 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4698
4699 /* Update the symbolic control flow */
4700 this->controlFlow_s(inst);
4701 }
4702
4703
4704 void AArch64Semantics::stlrb_s(triton::arch::Instruction& inst) {
4705 triton::arch::OperandWrapper& src = inst.operands[0];
4706 triton::arch::OperandWrapper& dst = inst.operands[1];
4707
4708 /* Create symbolic operands */
4709 auto op = this->symbolicEngine->getOperandAst(inst, src);
4710
4711 /* Create the semantics */
4712 auto node = this->astCtxt->extract(7, 0, op);
4713
4714 /* Create symbolic expression */
4715 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STLRB operation - STORE access");
4716
4717 /* Spread taint */
4718 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4719
4720 /* Update the symbolic control flow */
4721 this->controlFlow_s(inst);
4722 }
4723
4724
4725 void AArch64Semantics::stlrh_s(triton::arch::Instruction& inst) {
4726 triton::arch::OperandWrapper& src = inst.operands[0];
4727 triton::arch::OperandWrapper& dst = inst.operands[1];
4728
4729 /* Create symbolic operands */
4730 auto op = this->symbolicEngine->getOperandAst(inst, src);
4731
4732 /* Create the semantics */
4733 auto node = this->astCtxt->extract(15, 0, op);
4734
4735 /* Create symbolic expression */
4736 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STLRH operation - STORE access");
4737
4738 /* Spread taint */
4739 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
4740
4741 /* Update the symbolic control flow */
4742 this->controlFlow_s(inst);
4743 }
4744
4745
4746 void AArch64Semantics::stlxr_s(triton::arch::Instruction& inst) {
4747 triton::arch::OperandWrapper& dst1 = inst.operands[0]; /* status */
4748 triton::arch::OperandWrapper& src = inst.operands[1];
4749 triton::arch::OperandWrapper& dst2 = inst.operands[2];
4750
4751 /* Is memory exclusive */
4752 bool exclusive = this->architecture->isMemoryExclusive(dst2.getConstMemory());
4753
4754 /* Create the semantics */
4755 auto node1 = this->astCtxt->bv(exclusive ? 0 : 1, dst1.getBitSize());
4756 auto node2 = this->symbolicEngine->getOperandAst(inst, src);
4757
4758 /* Create symbolic expression */
4759 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "STLXR operation - write status");
4760
4761 /* Spread taint */
4762 expr1->isTainted = this->taintEngine->setTaint(dst1, false);
4763
4764 /* Exclusive operation */
4765 if (exclusive) {
4766 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "STLXR operation - STORE access");
4767 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
4768 }
4769
4770 /* Update exclusive memory access tag */
4771 this->architecture->setMemoryExclusiveTag(dst2.getConstMemory(), false);
4772
4773 /* Update the symbolic control flow */
4774 this->controlFlow_s(inst);
4775 }
4776
4777
4778 void AArch64Semantics::stlxrb_s(triton::arch::Instruction& inst) {
4779 triton::arch::OperandWrapper& dst1 = inst.operands[0]; /* status */
4780 triton::arch::OperandWrapper& src = inst.operands[1];
4781 triton::arch::OperandWrapper& dst2 = inst.operands[2];
4782
4783 /* Is memory exclusive */
4784 bool exclusive = this->architecture->isMemoryExclusive(dst2.getConstMemory());
4785
4786 /* Create symbolic operands */
4787 auto op = this->symbolicEngine->getOperandAst(inst, src);
4788
4789 /* Create the semantics */
4790 auto node1 = this->astCtxt->bv(exclusive ? 0 : 1, dst1.getBitSize());
4791 auto node2 = this->astCtxt->extract(7, 0, op);
4792
4793 /* Create symbolic expression */
4794 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "STLXRB operation - write status");
4795
4796 /* Spread taint */
4797 expr1->isTainted = this->taintEngine->setTaint(dst1, false);
4798
4799 /* Exclusive operation */
4800 if (exclusive) {
4801 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "STLXRB operation - STORE access");
4802 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
4803 }
4804
4805 /* Update exclusive memory access tag */
4806 this->architecture->setMemoryExclusiveTag(dst2.getConstMemory(), false);
4807
4808 /* Update the symbolic control flow */
4809 this->controlFlow_s(inst);
4810 }
4811
4812
4813 void AArch64Semantics::stlxrh_s(triton::arch::Instruction& inst) {
4814 triton::arch::OperandWrapper& dst1 = inst.operands[0]; /* status */
4815 triton::arch::OperandWrapper& src = inst.operands[1];
4816 triton::arch::OperandWrapper& dst2 = inst.operands[2];
4817
4818 /* Is memory exclusive */
4819 bool exclusive = this->architecture->isMemoryExclusive(dst2.getConstMemory());
4820
4821 /* Create symbolic operands */
4822 auto op = this->symbolicEngine->getOperandAst(inst, src);
4823
4824 /* Create the semantics */
4825 auto node1 = this->astCtxt->bv(exclusive ? 0 : 1, dst1.getBitSize());
4826 auto node2 = this->astCtxt->extract(15, 0, op);
4827
4828 /* Create symbolic expression */
4829 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "STLXRH operation - write status");
4830
4831 /* Spread taint */
4832 expr1->isTainted = this->taintEngine->setTaint(dst1, false);
4833
4834 /* Exclusive operation */
4835 if (exclusive) {
4836 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "STLXRH operation - STORE access");
4837 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
4838 }
4839
4840 /* Update exclusive memory access tag */
4841 this->architecture->setMemoryExclusiveTag(dst2.getConstMemory(), false);
4842
4843 /* Update the symbolic control flow */
4844 this->controlFlow_s(inst);
4845 }
4846
4847
4848 void AArch64Semantics::stnp_s(triton::arch::Instruction& inst) {
4849 triton::arch::OperandWrapper& src1 = inst.operands[0];
4850 triton::arch::OperandWrapper& src2 = inst.operands[1];
4851 triton::arch::OperandWrapper& dst = inst.operands[2];
4852
4853 /* Create symbolic operands */
4854 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4855 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4856
4857 /* Create the semantics */
4858 auto node = this->astCtxt->concat(op2, op1);
4859
4860 /* Special behavior: Define that the size of the memory access is src1.size + src2.size */
4861 dst.getMemory().setBits(node->getBitvectorSize()-1, 0);
4862
4863 /* Create symbolic expression */
4864 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STNP operation - STORE access");
4865
4866 /* Spread taint */
4867 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4868
4869 /* Update the symbolic control flow */
4870 this->controlFlow_s(inst);
4871 }
4872
4873
4874 void AArch64Semantics::stp_s(triton::arch::Instruction& inst) {
4875 triton::arch::OperandWrapper& src1 = inst.operands[0];
4876 triton::arch::OperandWrapper& src2 = inst.operands[1];
4877 triton::arch::OperandWrapper& dst = inst.operands[2];
4878
4879 /* Create symbolic operands */
4880 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
4881 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
4882
4883 /* Create the semantics */
4884 auto node = this->astCtxt->concat(op2, op1);
4885
4886 /* Special behavior: Define that the size of the memory access is src1.size + src2.size */
4887 dst.getMemory().setBits(node->getBitvectorSize()-1, 0);
4888
4889 /* Create symbolic expression */
4890 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STP operation - STORE access");
4891
4892 /* Spread taint */
4893 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
4894
4895 /* Optional behavior. Post computation of the base register */
4896 /* STP <Xt1>, <Xt2>, [<Xn|SP>], #<imm> */
4897 if (inst.operands.size() == 4) {
4898 triton::arch::Immediate& imm = inst.operands[3].getImmediate();
4899 triton::arch::Register& base = dst.getMemory().getBaseRegister();
4900
4901 /* Create symbolic operands of the post computation */
4902 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
4903 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
4904
4905 /* Create the semantics of the base register */
4906 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
4907
4908 /* Create symbolic expression */
4909 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "STP operation - Base register computation");
4910
4911 /* Spread taint */
4912 expr2->isTainted = this->taintEngine->isTainted(base);
4913 }
4914
4915 /* STP <Xt1>, <Xt2>, [<Xn|SP>, #<imm>]! */
4916 else if (inst.operands.size() == 3 && inst.isWriteBack() == true) {
4917 triton::arch::Register& base = dst.getMemory().getBaseRegister();
4918
4919 /* Create the semantics of the base register */
4920 auto node3 = dst.getMemory().getLeaAst();
4921
4922 /* Create symbolic expression */
4923 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "STP operation - Base register computation");
4924
4925 /* Spread taint */
4926 expr3->isTainted = this->taintEngine->isTainted(base);
4927 }
4928
4929 /* Update the symbolic control flow */
4930 this->controlFlow_s(inst);
4931 }
4932
4933
4934 void AArch64Semantics::str_s(triton::arch::Instruction& inst) {
4935 triton::arch::OperandWrapper& src = inst.operands[0];
4936 triton::arch::OperandWrapper& dst = inst.operands[1];
4937
4938 /* Create the semantics of the STORE */
4939 auto node1 = this->symbolicEngine->getOperandAst(inst, src);
4940
4941 /* Create symbolic expression */
4942 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "STR operation - STORE access");
4943
4944 /* Spread taint */
4945 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
4946
4947 /* Optional behavior. Post computation of the base register */
4948 /* STR <Xt>, [<Xn|SP>], #<simm> */
4949 if (inst.operands.size() == 3) {
4950 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
4951 triton::arch::Register& base = dst.getMemory().getBaseRegister();
4952
4953 /* Create symbolic operands of the post computation */
4954 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
4955 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
4956
4957 /* Create the semantics of the base register */
4958 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
4959
4960 /* Create symbolic expression */
4961 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "STR operation - Base register computation");
4962
4963 /* Spread taint */
4964 expr2->isTainted = this->taintEngine->isTainted(base);
4965 }
4966
4967 /* STR <Xt>, [<Xn|SP>, #<simm>]! */
4968 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
4969 triton::arch::Register& base = dst.getMemory().getBaseRegister();
4970
4971 /* Create the semantics of the base register */
4972 auto node3 = dst.getMemory().getLeaAst();
4973
4974 /* Create symbolic expression */
4975 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "STR operation - Base register computation");
4976
4977 /* Spread taint */
4978 expr3->isTainted = this->taintEngine->isTainted(base);
4979 }
4980
4981 /* Update the symbolic control flow */
4982 this->controlFlow_s(inst);
4983 }
4984
4985
4986 void AArch64Semantics::strb_s(triton::arch::Instruction& inst) {
4987 triton::arch::OperandWrapper& src = inst.operands[0];
4988 triton::arch::OperandWrapper& dst = inst.operands[1];
4989
4990 /* Create symbolic operands */
4991 auto op = this->symbolicEngine->getOperandAst(inst, src);
4992
4993 /* Create the semantics */
4994 auto node1 = this->astCtxt->extract(7, 0, op);
4995
4996 /* Create symbolic expression */
4997 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "STRB operation - STORE access");
4998
4999 /* Spread taint */
5000 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
5001
5002 /* Optional behavior. Post computation of the base register */
5003 /* STRB <Wt>, [<Xn|SP>], #<simm> */
5004 if (inst.operands.size() == 3) {
5005 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
5006 triton::arch::Register& base = dst.getMemory().getBaseRegister();
5007
5008 /* Create symbolic operands of the post computation */
5009 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
5010 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
5011
5012 /* Create the semantics of the base register */
5013 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
5014
5015 /* Create symbolic expression */
5016 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "STRB operation - Base register computation");
5017
5018 /* Spread taint */
5019 expr2->isTainted = this->taintEngine->isTainted(base);
5020 }
5021
5022 /* STRB <Wt>, [<Xn|SP>, #<simm>]! */
5023 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
5024 triton::arch::Register& base = dst.getMemory().getBaseRegister();
5025
5026 /* Create the semantics of the base register */
5027 auto node3 = dst.getMemory().getLeaAst();
5028
5029 /* Create symbolic expression */
5030 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "STRB operation - Base register computation");
5031
5032 /* Spread taint */
5033 expr3->isTainted = this->taintEngine->isTainted(base);
5034 }
5035
5036 /* Update the symbolic control flow */
5037 this->controlFlow_s(inst);
5038 }
5039
5040
5041 void AArch64Semantics::strh_s(triton::arch::Instruction& inst) {
5042 triton::arch::OperandWrapper& src = inst.operands[0];
5043 triton::arch::OperandWrapper& dst = inst.operands[1];
5044
5045 /* Create symbolic operands */
5046 auto op = this->symbolicEngine->getOperandAst(inst, src);
5047
5048 /* Create the semantics */
5049 auto node1 = this->astCtxt->extract(15, 0, op);
5050
5051 /* Create symbolic expression */
5052 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst, "STRH operation - STORE access");
5053
5054 /* Spread taint */
5055 expr1->isTainted = this->taintEngine->taintAssignment(dst, src);
5056
5057 /* Optional behavior. Post computation of the base register */
5058 /* STRH <Wt>, [<Xn|SP>], #<simm> */
5059 if (inst.operands.size() == 3) {
5060 triton::arch::Immediate& imm = inst.operands[2].getImmediate();
5061 triton::arch::Register& base = dst.getMemory().getBaseRegister();
5062
5063 /* Create symbolic operands of the post computation */
5064 auto baseNode = this->symbolicEngine->getOperandAst(inst, base);
5065 auto immNode = this->symbolicEngine->getOperandAst(inst, imm);
5066
5067 /* Create the semantics of the base register */
5068 auto node2 = this->astCtxt->bvadd(baseNode, this->astCtxt->sx(base.getBitSize() - imm.getBitSize(), immNode));
5069
5070 /* Create symbolic expression */
5071 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, base, "STRH operation - Base register computation");
5072
5073 /* Spread taint */
5074 expr2->isTainted = this->taintEngine->isTainted(base);
5075 }
5076
5077 /* STRH <Wt>, [<Xn|SP>, #<simm>]! */
5078 else if (inst.operands.size() == 2 && inst.isWriteBack() == true) {
5079 triton::arch::Register& base = dst.getMemory().getBaseRegister();
5080
5081 /* Create the semantics of the base register */
5082 auto node3 = dst.getMemory().getLeaAst();
5083
5084 /* Create symbolic expression */
5085 auto expr3 = this->symbolicEngine->createSymbolicExpression(inst, node3, base, "STRH operation - Base register computation");
5086
5087 /* Spread taint */
5088 expr3->isTainted = this->taintEngine->isTainted(base);
5089 }
5090
5091 /* Update the symbolic control flow */
5092 this->controlFlow_s(inst);
5093 }
5094
5095
5096 void AArch64Semantics::sttr_s(triton::arch::Instruction& inst) {
5097 triton::arch::OperandWrapper& src = inst.operands[0];
5098 triton::arch::OperandWrapper& dst = inst.operands[1];
5099
5100 /* Create the semantics of the STORE */
5101 auto node = this->symbolicEngine->getOperandAst(inst, src);
5102
5103 /* Create symbolic expression */
5104 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STTR operation");
5105
5106 /* Spread taint */
5107 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5108
5109 /* Update the symbolic control flow */
5110 this->controlFlow_s(inst);
5111 }
5112
5113
5114 void AArch64Semantics::sttrb_s(triton::arch::Instruction& inst) {
5115 triton::arch::OperandWrapper& src = inst.operands[0];
5116 triton::arch::OperandWrapper& dst = inst.operands[1];
5117
5118 /* Create symbolic operands */
5119 auto op = this->symbolicEngine->getOperandAst(inst, src);
5120
5121 /* Create the semantics */
5122 auto node = this->astCtxt->extract(7, 0, op);
5123
5124 /* Create symbolic expression */
5125 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STTRB operation");
5126
5127 /* Spread taint */
5128 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5129
5130 /* Update the symbolic control flow */
5131 this->controlFlow_s(inst);
5132 }
5133
5134
5135 void AArch64Semantics::sttrh_s(triton::arch::Instruction& inst) {
5136 triton::arch::OperandWrapper& src = inst.operands[0];
5137 triton::arch::OperandWrapper& dst = inst.operands[1];
5138
5139 /* Create symbolic operands */
5140 auto op = this->symbolicEngine->getOperandAst(inst, src);
5141
5142 /* Create the semantics */
5143 auto node = this->astCtxt->extract(15, 0, op);
5144
5145 /* Create symbolic expression */
5146 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STTRH operation");
5147
5148 /* Spread taint */
5149 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5150
5151 /* Update the symbolic control flow */
5152 this->controlFlow_s(inst);
5153 }
5154
5155
5156 void AArch64Semantics::stur_s(triton::arch::Instruction& inst) {
5157 triton::arch::OperandWrapper& src = inst.operands[0];
5158 triton::arch::OperandWrapper& dst = inst.operands[1];
5159
5160 /* Create the semantics of the STORE */
5161 auto node = this->symbolicEngine->getOperandAst(inst, src);
5162
5163 /* Create symbolic expression */
5164 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STUR operation");
5165
5166 /* Spread taint */
5167 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5168
5169 /* Update the symbolic control flow */
5170 this->controlFlow_s(inst);
5171 }
5172
5173
5174 void AArch64Semantics::sturb_s(triton::arch::Instruction& inst) {
5175 triton::arch::OperandWrapper& src = inst.operands[0];
5176 triton::arch::OperandWrapper& dst = inst.operands[1];
5177
5178 /* Create symbolic operands */
5179 auto op = this->symbolicEngine->getOperandAst(inst, src);
5180
5181 /* Create the semantics */
5182 auto node = this->astCtxt->extract(7, 0, op);
5183
5184 /* Create symbolic expression */
5185 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STURB operation");
5186
5187 /* Spread taint */
5188 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5189
5190 /* Update the symbolic control flow */
5191 this->controlFlow_s(inst);
5192 }
5193
5194
5195 void AArch64Semantics::sturh_s(triton::arch::Instruction& inst) {
5196 triton::arch::OperandWrapper& src = inst.operands[0];
5197 triton::arch::OperandWrapper& dst = inst.operands[1];
5198
5199 /* Create symbolic operands */
5200 auto op = this->symbolicEngine->getOperandAst(inst, src);
5201
5202 /* Create the semantics */
5203 auto node = this->astCtxt->extract(15, 0, op);
5204
5205 /* Create symbolic expression */
5206 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "STURH operation");
5207
5208 /* Spread taint */
5209 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5210
5211 /* Update the symbolic control flow */
5212 this->controlFlow_s(inst);
5213 }
5214
5215
5216 void AArch64Semantics::stxp_s(triton::arch::Instruction& inst) {
5217 triton::arch::OperandWrapper& dst1 = inst.operands[0]; /* status */
5218 triton::arch::OperandWrapper& src1 = inst.operands[1];
5219 triton::arch::OperandWrapper& src2 = inst.operands[2];
5220 triton::arch::OperandWrapper& dst2 = inst.operands[3];
5221
5222 /* Special behavior: Define that the size of the memory access is src1.size + src2.size */
5223 dst2.getMemory().setBits((src1.getBitSize() + src2.getBitSize()) - 1, 0);
5224
5225 /* Is memory exclusive */
5226 bool exclusive = this->architecture->isMemoryExclusive(dst2.getConstMemory());
5227
5228 /* Create symbolic operands */
5229 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5230 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5231
5232 /* Create the semantics */
5233 auto node1 = this->astCtxt->bv(exclusive ? 0 : 1, dst1.getBitSize());
5234 auto node2 = this->astCtxt->concat(op2, op1);
5235
5236 /* Create symbolic expression */
5237 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "STXP operation - write status");
5238
5239 /* Spread taint */
5240 expr1->isTainted = this->taintEngine->setTaint(dst1, false);
5241
5242 /* Exclusive operation */
5243 if (exclusive) {
5244 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "STXP operation - STORE access");
5245 expr2->isTainted = this->taintEngine->setTaint(dst2, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5246 }
5247
5248 /* Update exclusive memory access tag */
5249 this->architecture->setMemoryExclusiveTag(dst2.getConstMemory(), false);
5250
5251 /* Update the symbolic control flow */
5252 this->controlFlow_s(inst);
5253 }
5254
5255
5256 void AArch64Semantics::stxr_s(triton::arch::Instruction& inst) {
5257 triton::arch::OperandWrapper& dst1 = inst.operands[0]; /* status */
5258 triton::arch::OperandWrapper& src = inst.operands[1];
5259 triton::arch::OperandWrapper& dst2 = inst.operands[2];
5260
5261 /* Is memory exclusive */
5262 bool exclusive = this->architecture->isMemoryExclusive(dst2.getConstMemory());
5263
5264 /* Create the semantics */
5265 auto node1 = this->astCtxt->bv(exclusive ? 0 : 1, dst1.getBitSize());
5266 auto node2 = this->symbolicEngine->getOperandAst(inst, src);
5267
5268 /* Create symbolic expression */
5269 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "STXR operation - write status");
5270
5271 /* Spread taint */
5272 expr1->isTainted = this->taintEngine->setTaint(dst1, false);
5273
5274 /* Exclusive operation */
5275 if (exclusive) {
5276 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "STXR operation - STORE access");
5277 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
5278 }
5279
5280 /* Update exclusive memory access tag */
5281 this->architecture->setMemoryExclusiveTag(dst2.getConstMemory(), false);
5282
5283 /* Update the symbolic control flow */
5284 this->controlFlow_s(inst);
5285 }
5286
5287
5288 void AArch64Semantics::stxrb_s(triton::arch::Instruction& inst) {
5289 triton::arch::OperandWrapper& dst1 = inst.operands[0]; /* status */
5290 triton::arch::OperandWrapper& src = inst.operands[1];
5291 triton::arch::OperandWrapper& dst2 = inst.operands[2];
5292
5293 /* Is memory exclusive */
5294 bool exclusive = this->architecture->isMemoryExclusive(dst2.getConstMemory());
5295
5296 /* Create symbolic operands */
5297 auto op = this->symbolicEngine->getOperandAst(inst, src);
5298
5299 /* Create the semantics */
5300 auto node1 = this->astCtxt->bv(exclusive ? 0 : 1, dst1.getBitSize());
5301 auto node2 = this->astCtxt->extract(7, 0, op);
5302
5303 /* Create symbolic expression */
5304 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "STXRB operation - write status");
5305
5306 /* Spread taint */
5307 expr1->isTainted = this->taintEngine->setTaint(dst1, false);
5308
5309 /* Exclusive operation */
5310 if (exclusive) {
5311 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "STXRB operation - STORE access");
5312 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
5313 }
5314
5315 /* Update exclusive memory access tag */
5316 this->architecture->setMemoryExclusiveTag(dst2.getConstMemory(), false);
5317
5318 /* Update the symbolic control flow */
5319 this->controlFlow_s(inst);
5320 }
5321
5322
5323 void AArch64Semantics::stxrh_s(triton::arch::Instruction& inst) {
5324 triton::arch::OperandWrapper& dst1 = inst.operands[0]; /* status */
5325 triton::arch::OperandWrapper& src = inst.operands[1];
5326 triton::arch::OperandWrapper& dst2 = inst.operands[2];
5327
5328 /* Is memory exclusive */
5329 bool exclusive = this->architecture->isMemoryExclusive(dst2.getConstMemory());
5330
5331 /* Create symbolic operands */
5332 auto op = this->symbolicEngine->getOperandAst(inst, src);
5333
5334 /* Create the semantics */
5335 auto node1 = this->astCtxt->bv(exclusive ? 0 : 1, dst1.getBitSize());
5336 auto node2 = this->astCtxt->extract(15, 0, op);
5337
5338 /* Create symbolic expression */
5339 auto expr1 = this->symbolicEngine->createSymbolicExpression(inst, node1, dst1, "STXRH operation - write status");
5340
5341 /* Spread taint */
5342 expr1->isTainted = this->taintEngine->setTaint(dst1, false);
5343
5344 /* Exclusive operation */
5345 if (exclusive) {
5346 auto expr2 = this->symbolicEngine->createSymbolicExpression(inst, node2, dst2, "STXRH operation - STORE access");
5347 expr2->isTainted = this->taintEngine->taintAssignment(dst2, src);
5348 }
5349
5350 /* Update exclusive memory access tag */
5351 this->architecture->setMemoryExclusiveTag(dst2.getConstMemory(), false);
5352
5353 /* Update the symbolic control flow */
5354 this->controlFlow_s(inst);
5355 }
5356
5357
5358 void AArch64Semantics::sub_s(triton::arch::Instruction& inst) {
5359 auto& dst = inst.operands[0];
5360 auto& src1 = inst.operands[1];
5361 auto& src2 = inst.operands[2];
5362
5363 /* Create symbolic operands */
5364 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5365 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5366
5367 /* Create the semantics */
5368 auto node = this->astCtxt->bvsub(op1, op2);
5369
5370 /* Create symbolic expression */
5371 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SUB(S) operation");
5372
5373 /* Spread taint */
5374 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5375
5376 /* Update symbolic flags */
5377 if (inst.isUpdateFlag() == true) {
5378 this->cfSub_s(inst, expr, dst, op1, op2);
5379 this->nf_s(inst, expr, dst);
5380 this->vfSub_s(inst, expr, dst, op1, op2);
5381 this->zf_s(inst, expr, dst);
5382 }
5383
5384 /* Update the symbolic control flow */
5385 this->controlFlow_s(inst);
5386 }
5387
5388
5389 void AArch64Semantics::svc_s(triton::arch::Instruction& inst) {
5390 auto& src = inst.operands[0];
5391
5392 /* Link the immediate to the instruction */
5393 this->symbolicEngine->getOperandAst(inst, src);
5394
5395 /* Update the symbolic control flow */
5396 this->controlFlow_s(inst);
5397 }
5398
5399
5400 void AArch64Semantics::sxtb_s(triton::arch::Instruction& inst) {
5401 auto& dst = inst.operands[0];
5402 auto& src = inst.operands[1];
5403
5404 /* Create symbolic operands */
5405 auto op = this->symbolicEngine->getOperandAst(inst, src);
5406
5407 /* Create the semantics */
5408 auto node = this->astCtxt->sx(dst.getBitSize() - 8, this->astCtxt->extract(7, 0, op));
5409
5410 /* Create symbolic expression */
5411 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SXTB operation");
5412
5413 /* Spread taint */
5414 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5415
5416 /* Update the symbolic control flow */
5417 this->controlFlow_s(inst);
5418 }
5419
5420
5421 void AArch64Semantics::sxth_s(triton::arch::Instruction& inst) {
5422 auto& dst = inst.operands[0];
5423 auto& src = inst.operands[1];
5424
5425 /* Create symbolic operands */
5426 auto op = this->symbolicEngine->getOperandAst(inst, src);
5427
5428 /* Create the semantics */
5429 auto node = this->astCtxt->sx(dst.getBitSize() - 16, this->astCtxt->extract(15, 0, op));
5430
5431 /* Create symbolic expression */
5432 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SXTH operation");
5433
5434 /* Spread taint */
5435 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5436
5437 /* Update the symbolic control flow */
5438 this->controlFlow_s(inst);
5439 }
5440
5441
5442 void AArch64Semantics::sxtw_s(triton::arch::Instruction& inst) {
5443 auto& dst = inst.operands[0];
5444 auto& src = inst.operands[1];
5445
5446 /* Create symbolic operands */
5447 auto op = this->symbolicEngine->getOperandAst(inst, src);
5448
5449 /* Create the semantics */
5450 auto node = this->astCtxt->sx(dst.getBitSize() - 32, this->astCtxt->extract(31, 0, op));
5451
5452 /* Create symbolic expression */
5453 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "SXTW operation");
5454
5455 /* Spread taint */
5456 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5457
5458 /* Update the symbolic control flow */
5459 this->controlFlow_s(inst);
5460 }
5461
5462
5463 void AArch64Semantics::tbnz_s(triton::arch::Instruction& inst) {
5464 auto dst = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
5465 auto& src1 = inst.operands[0];
5466 auto& src2 = inst.operands[1];
5467 auto& src3 = inst.operands[2];
5468
5469 /* Create symbolic operands */
5470 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5471 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5472 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
5473
5474 /* Create the semantics */
5475 auto node = this->astCtxt->ite(
5476 this->astCtxt->equal(
5477 this->astCtxt->extract(0, 0, this->astCtxt->bvlshr(op1, op2)),
5478 this->astCtxt->bvtrue()
5479 ),
5480 this->astCtxt->zx(dst.getBitSize() - op3->getBitvectorSize(), op3),
5481 this->astCtxt->bv(inst.getNextAddress(), dst.getBitSize())
5482 );
5483
5484 /* Create symbolic expression */
5485 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "TBNZ operation - Program Counter");
5486
5487 /* Spread taint */
5488 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5489
5490 /* Set condition flag */
5491 if (this->astCtxt->extract(0, 0, this->astCtxt->bvlshr(op1, op2))->evaluate() != 0)
5492 inst.setConditionTaken(true);
5493
5494 /* Create the path constraint */
5495 this->symbolicEngine->pushPathConstraint(inst, expr);
5496 }
5497
5498
5499 void AArch64Semantics::tbz_s(triton::arch::Instruction& inst) {
5500 auto dst = triton::arch::OperandWrapper(this->architecture->getRegister(ID_REG_AARCH64_PC));
5501 auto& src1 = inst.operands[0];
5502 auto& src2 = inst.operands[1];
5503 auto& src3 = inst.operands[2];
5504
5505 /* Create symbolic operands */
5506 auto op1 = this->astCtxt->zx(dst.getBitSize() - src1.getBitSize(), this->symbolicEngine->getOperandAst(inst, src1));
5507 auto op2 = this->astCtxt->zx(dst.getBitSize() - src2.getBitSize(), this->symbolicEngine->getOperandAst(inst, src2));
5508 auto op3 = this->astCtxt->zx(dst.getBitSize() - src3.getBitSize(), this->symbolicEngine->getOperandAst(inst, src3));
5509
5510 /* Create the semantics */
5511 auto node = this->astCtxt->ite(
5512 this->astCtxt->equal(
5513 this->astCtxt->extract(0, 0, this->astCtxt->bvlshr(op1, op2)),
5514 this->astCtxt->bvfalse()
5515 ),
5516 this->astCtxt->zx(dst.getBitSize() - op3->getBitvectorSize(), op3),
5517 this->astCtxt->bv(inst.getNextAddress(), dst.getBitSize())
5518 );
5519
5520 /* Create symbolic expression */
5521 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "TBZ operation - Program Counter");
5522
5523 /* Spread taint */
5524 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5525
5526 /* Set condition flag */
5527 if (this->astCtxt->extract(0, 0, this->astCtxt->bvlshr(op1, op2))->evaluate() == 0)
5528 inst.setConditionTaken(true);
5529
5530 /* Create the path constraint */
5531 this->symbolicEngine->pushPathConstraint(inst, expr);
5532 }
5533
5534
5535 void AArch64Semantics::tst_s(triton::arch::Instruction& inst) {
5536 auto& src1 = inst.operands[0];
5537 auto& src2 = inst.operands[1];
5538
5539 /* Create symbolic operands */
5540 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5541 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5542
5543 /* Create the semantics */
5544 auto node = this->astCtxt->bvand(op1, op2);
5545
5546 /* Create symbolic expression */
5547 auto expr = this->symbolicEngine->createSymbolicVolatileExpression(inst, node, "TST operation");
5548
5549 /* Spread taint */
5550 expr->isTainted = this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2);
5551
5552 /* Update symbolic flags */
5553 if (inst.isUpdateFlag() == true) {
5554 this->clearFlag_s(inst, this->architecture->getRegister(ID_REG_AARCH64_C), "Clears carry flag");
5555 this->nf_s(inst, expr, src1);
5556 this->clearFlag_s(inst, this->architecture->getRegister(ID_REG_AARCH64_V), "Clears overflow flag");
5557 this->zf_s(inst, expr, src1);
5558 }
5559
5560 /* Update the symbolic control flow */
5561 this->controlFlow_s(inst);
5562 }
5563
5564
5565 void AArch64Semantics::ubfiz_s(triton::arch::Instruction& inst) {
5566 auto& dst = inst.operands[0];
5567 auto& src1 = inst.operands[1];
5568 auto& src2 = inst.operands[2];
5569 auto& src3 = inst.operands[3];
5570 auto lsb = static_cast<uint32>(src2.getImmediate().getValue());
5571 auto width = static_cast<uint32>(src3.getImmediate().getValue());
5572
5573 if (lsb + width > dst.getBitSize())
5574 throw triton::exceptions::Semantics("AArch64Semantics::ubfiz_s(): Invalid lsb and width.");
5575
5576 /* Create symbolic operands */
5577 auto op = this->symbolicEngine->getOperandAst(inst, src1);
5578
5579 /* Create the semantics */
5580 std::vector<triton::ast::SharedAbstractNode> bits;
5581 bits.reserve(3);
5582
5583 if (lsb + width < dst.getBitSize()) {
5584 bits.push_back(this->astCtxt->bv(0, dst.getBitSize() - (lsb + width)));
5585 }
5586
5587 bits.push_back(this->astCtxt->extract(width - 1, 0, op));
5588
5589 if (lsb) {
5590 bits.push_back(this->astCtxt->bv(0, lsb));
5591 }
5592
5593 auto node = this->astCtxt->concat(bits);
5594
5595 /* Create symbolic expression */
5596 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UBFIZ operation");
5597
5598 /* Spread taint */
5599 expr->isTainted = this->taintEngine->taintAssignment(dst, src1);
5600
5601 /* Update the symbolic control flow */
5602 this->controlFlow_s(inst);
5603 }
5604
5605
5606 void AArch64Semantics::ubfx_s(triton::arch::Instruction& inst) {
5607 auto& dst = inst.operands[0];
5608 auto& src1 = inst.operands[1];
5609 auto& src2 = inst.operands[2];
5610 auto& src3 = inst.operands[3];
5611 auto lsb = static_cast<uint32>(src2.getImmediate().getValue());
5612 auto width = static_cast<uint32>(src3.getImmediate().getValue());
5613
5614 if (lsb + width > dst.getBitSize())
5615 throw triton::exceptions::Semantics("AArch64Semantics::ubfx_s(): Invalid lsb and width.");
5616
5617 /* Create symbolic operands */
5618 auto op = this->symbolicEngine->getOperandAst(inst, src1);
5619
5620 /* Create the semantics */
5621 auto node = this->astCtxt->zx(dst.getBitSize() - width, this->astCtxt->extract(lsb+width-1, lsb, op));
5622
5623 /* Create symbolic expression */
5624 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UBFX operation");
5625
5626 /* Spread taint */
5627 expr->isTainted = this->taintEngine->taintAssignment(dst, src1);
5628
5629 /* Update the symbolic control flow */
5630 this->controlFlow_s(inst);
5631 }
5632
5633
5634 void AArch64Semantics::udiv_s(triton::arch::Instruction& inst) {
5635 auto& dst = inst.operands[0];
5636 auto& src1 = inst.operands[1];
5637 auto& src2 = inst.operands[2];
5638
5639 /* Create symbolic operands */
5640 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5641 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5642
5643 /* Create the semantics */
5644 auto node = this->astCtxt->ite(
5645 this->astCtxt->equal(op2, this->astCtxt->bv(0, op2->getBitvectorSize())),
5646 this->astCtxt->bv(0, dst.getBitSize()),
5647 this->astCtxt->bvudiv(op1, op2)
5648 );
5649
5650 /* Create symbolic expression */
5651 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UDIV operation");
5652
5653 /* Spread taint */
5654 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5655
5656 /* Update the symbolic control flow */
5657 this->controlFlow_s(inst);
5658 }
5659
5660
5661 void AArch64Semantics::umaddl_s(triton::arch::Instruction& inst) {
5662 auto& dst = inst.operands[0];
5663 auto& src1 = inst.operands[1];
5664 auto& src2 = inst.operands[2];
5665 auto& src3 = inst.operands[3];
5666
5667 /* Create symbolic operands */
5668 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5669 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5670 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
5671
5672 /* Create the semantics */
5673 auto node = this->astCtxt->bvadd(
5674 op3,
5675 this->astCtxt->bvmul(
5676 this->astCtxt->zx(triton::bitsize::dword, op1),
5677 this->astCtxt->zx(triton::bitsize::dword, op2)
5678 )
5679 );
5680
5681 /* Create symbolic expression */
5682 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UMADDL operation");
5683
5684 /* Spread taint */
5685 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(src3));
5686
5687 /* Update the symbolic control flow */
5688 this->controlFlow_s(inst);
5689 }
5690
5691 void AArch64Semantics::umov_s(triton::arch::Instruction& inst) {
5692 auto& dst = inst.operands[0]; // GPR register
5693 auto& src = inst.operands[1]; // vector register
5694
5695 /* Create the semantics */
5696 auto vas_size = src.getConstRegister().getVASSize() * triton::bitsize::byte;
5697
5698 auto node =
5699 this->astCtxt->zx(
5700 dst.getBitSize() - vas_size,
5701 this->symbolicEngine->getOperandAst(src)
5702 );
5703
5704 /* Create symbolic expression */
5705 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst);
5706
5707 /* Spread taint */
5708 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5709
5710 this->controlFlow_s(inst);
5711 }
5712
5713 void AArch64Semantics::umnegl_s(triton::arch::Instruction& inst) {
5714 auto& dst = inst.operands[0];
5715 auto& src1 = inst.operands[1];
5716 auto& src2 = inst.operands[2];
5717
5718 /* Create symbolic operands */
5719 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5720 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5721
5722 /* Create the semantics */
5723 auto node = this->astCtxt->bvneg(
5724 this->astCtxt->bvmul(
5725 this->astCtxt->zx(triton::bitsize::dword, op1),
5726 this->astCtxt->zx(triton::bitsize::dword, op2)
5727 )
5728 );
5729
5730 /* Create symbolic expression */
5731 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UMNEGL operation");
5732
5733 /* Spread taint */
5734 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5735
5736 /* Update the symbolic control flow */
5737 this->controlFlow_s(inst);
5738 }
5739
5740
5741 void AArch64Semantics::umsubl_s(triton::arch::Instruction& inst) {
5742 auto& dst = inst.operands[0];
5743 auto& src1 = inst.operands[1];
5744 auto& src2 = inst.operands[2];
5745 auto& src3 = inst.operands[3];
5746
5747 /* Create symbolic operands */
5748 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5749 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5750 auto op3 = this->symbolicEngine->getOperandAst(inst, src3);
5751
5752 /* Create the semantics */
5753 auto node = this->astCtxt->bvsub(
5754 op3,
5755 this->astCtxt->bvmul(
5756 this->astCtxt->zx(triton::bitsize::dword, op1),
5757 this->astCtxt->zx(triton::bitsize::dword, op2)
5758 )
5759 );
5760
5761 /* Create symbolic expression */
5762 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UMSUBL operation");
5763
5764 /* Spread taint */
5765 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2) | this->taintEngine->isTainted(src3));
5766
5767 /* Update the symbolic control flow */
5768 this->controlFlow_s(inst);
5769 }
5770
5771
5772 void AArch64Semantics::umulh_s(triton::arch::Instruction& inst) {
5773 auto& dst = inst.operands[0];
5774 auto& src1 = inst.operands[1];
5775 auto& src2 = inst.operands[2];
5776
5777 /* Create symbolic operands */
5778 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5779 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5780
5781 /* Create the semantics */
5782 auto node = this->astCtxt->extract(
5783 triton::bitsize::dqword-1,
5784 triton::bitsize::qword,
5785 this->astCtxt->bvmul(
5786 this->astCtxt->zx(triton::bitsize::qword, op1),
5787 this->astCtxt->zx(triton::bitsize::qword, op2)
5788 )
5789 );
5790
5791 /* Create symbolic expression */
5792 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UMULH operation");
5793
5794 /* Spread taint */
5795 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5796
5797 /* Update the symbolic control flow */
5798 this->controlFlow_s(inst);
5799 }
5800
5801
5802 void AArch64Semantics::umull_s(triton::arch::Instruction& inst) {
5803 auto& dst = inst.operands[0];
5804 auto& src1 = inst.operands[1];
5805 auto& src2 = inst.operands[2];
5806
5807 /* Create symbolic operands */
5808 auto op1 = this->symbolicEngine->getOperandAst(inst, src1);
5809 auto op2 = this->symbolicEngine->getOperandAst(inst, src2);
5810
5811 /* Create the semantics */
5812 auto node = this->astCtxt->bvmul(
5813 this->astCtxt->zx(triton::bitsize::dword, op1),
5814 this->astCtxt->zx(triton::bitsize::dword, op2)
5815 );
5816
5817 /* Create symbolic expression */
5818 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UMULL operation");
5819
5820 /* Spread taint */
5821 expr->isTainted = this->taintEngine->setTaint(dst, this->taintEngine->isTainted(src1) | this->taintEngine->isTainted(src2));
5822
5823 /* Update the symbolic control flow */
5824 this->controlFlow_s(inst);
5825 }
5826
5827
5828 void AArch64Semantics::uxtb_s(triton::arch::Instruction& inst) {
5829 auto& dst = inst.operands[0];
5830 auto& src = inst.operands[1];
5831
5832 /* Create symbolic operands */
5833 auto op = this->symbolicEngine->getOperandAst(inst, src);
5834
5835 /* Create the semantics */
5836 auto node = this->astCtxt->zx(dst.getBitSize() - 8, this->astCtxt->extract(7, 0, op));
5837
5838 /* Create symbolic expression */
5839 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UXTB operation");
5840
5841 /* Spread taint */
5842 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5843
5844 /* Update the symbolic control flow */
5845 this->controlFlow_s(inst);
5846 }
5847
5848
5849 void AArch64Semantics::uxth_s(triton::arch::Instruction& inst) {
5850 auto& dst = inst.operands[0];
5851 auto& src = inst.operands[1];
5852
5853 /* Create symbolic operands */
5854 auto op = this->symbolicEngine->getOperandAst(inst, src);
5855
5856 /* Create the semantics */
5857 auto node = this->astCtxt->zx(dst.getBitSize() - 16, this->astCtxt->extract(15, 0, op));
5858
5859 /* Create symbolic expression */
5860 auto expr = this->symbolicEngine->createSymbolicExpression(inst, node, dst, "UXTH operation");
5861
5862 /* Spread taint */
5863 expr->isTainted = this->taintEngine->taintAssignment(dst, src);
5864
5865 /* Update the symbolic control flow */
5866 this->controlFlow_s(inst);
5867 }
5868
5869 }; /* aarch64 namespace */
5870 }; /* arm namespace */
5871 }; /* arch namespace */
5872}; /* triton namespace */
triton::arch::Architecture
The abstract architecture class.
Definition architecture.hpp:45
triton::arch::Architecture::getRegister
TRITON_EXPORT const triton::arch::Register & getRegister(triton::arch::register_e id) const
Returns register from id.
Definition architecture.cpp:212
triton::arch::Architecture::isMemoryExclusive
TRITON_EXPORT bool isMemoryExclusive(const triton::arch::MemoryAccess &mem) const
Returns true if the memory access is tagged as exclusive. Only valid for Arm32 and AArch64.
Definition architecture.cpp:143
triton::arch::Architecture::setMemoryExclusiveTag
TRITON_EXPORT void setMemoryExclusiveTag(const triton::arch::MemoryAccess &mem, bool tag)
Sets exclusive memory access tag. Only valid for Arm32 and AArch64.
Definition architecture.cpp:150
triton::arch::Architecture::getParentRegister
TRITON_EXPORT const triton::arch::Register & getParentRegister(triton::arch::register_e id) const
Returns parent register from id.
Definition architecture.cpp:233
triton::arch::BitsVector::setBits
TRITON_EXPORT void setBits(triton::uint32 high, triton::uint32 low)
Sets the bits (high, low) position.
Definition bitsVector.cpp:72
triton::arch::Immediate
This class is used to represent an immediate.
Definition immediate.hpp:37
triton::arch::Immediate::getBitSize
TRITON_EXPORT triton::uint32 getBitSize(void) const
Returns the size (in bits) of the immediate vector.
Definition immediate.cpp:85
triton::arch::Immediate::getValue
TRITON_EXPORT triton::uint64 getValue(void) const
Returns the value of the operand.
Definition immediate.cpp:34
triton::arch::Instruction
This class is used to represent an instruction.
Definition instruction.hpp:48
triton::arch::Instruction::isWriteBack
TRITON_EXPORT bool isWriteBack(void) const
Returns true if the instruction performs a write back. Mainly used for AArch64 instructions like LDR.
Definition instruction.cpp:489
triton::arch::Instruction::setConditionTaken
TRITON_EXPORT void setConditionTaken(bool flag)
Sets flag to define if the condition is taken or not.
Definition instruction.cpp:514
triton::arch::Instruction::getType
TRITON_EXPORT triton::uint32 getType(void) const
Returns the type of the instruction.
Definition instruction.cpp:152
triton::arch::Instruction::operands
std::vector< triton::arch::OperandWrapper > operands
A list of operands.
Definition instruction.hpp:122
triton::arch::Instruction::isUpdateFlag
TRITON_EXPORT bool isUpdateFlag(void) const
Returns true if the instruction updates flags. Mainly used for AArch64 instructions like ADDS.
Definition instruction.cpp:494
triton::arch::Instruction::getCodeCondition
TRITON_EXPORT triton::arch::arm::condition_e getCodeCondition(void) const
Returns the code codition of the instruction (mainly for AArch64).
Definition instruction.cpp:167
triton::arch::Instruction::getNextAddress
TRITON_EXPORT triton::uint64 getNextAddress(void) const
Returns the next address of the instruction.
Definition instruction.cpp:119
triton::arch::MemoryAccess
This class is used to represent a memory access.
Definition memoryAccess.hpp:40
triton::arch::MemoryAccess::getLeaAst
TRITON_EXPORT triton::ast::SharedAbstractNode getLeaAst(void) const
Returns the AST of the memory access (LEA).
Definition memoryAccess.cpp:56
triton::arch::MemoryAccess::getBaseRegister
TRITON_EXPORT triton::arch::Register & getBaseRegister(void)
LEA - Returns the base register operand.
Definition memoryAccess.cpp:86
triton::arch::OperandWrapper
This class is used as operand wrapper.
Definition operandWrapper.hpp:38
triton::arch::OperandWrapper::getLow
TRITON_EXPORT triton::uint32 getLow(void) const
Returns the lower bit position of the abstract operand.
Definition operandWrapper.cpp:128
triton::arch::OperandWrapper::getType
TRITON_EXPORT triton::arch::operand_e getType(void) const
Returns the abstract type of the operand.
Definition operandWrapper.cpp:42
triton::arch::OperandWrapper::getSize
TRITON_EXPORT triton::uint32 getSize(void) const
Returns the abstract size (in bytes) of the operand.
Definition operandWrapper.cpp:92
triton::arch::OperandWrapper::getConstMemory
TRITON_EXPORT const triton::arch::MemoryAccess & getConstMemory(void) const
Returns the memory operand as const.
Definition operandWrapper.cpp:67
triton::arch::OperandWrapper::getMemory
TRITON_EXPORT triton::arch::MemoryAccess & getMemory(void)
Returns the memory operand.
Definition operandWrapper.cpp:52
triton::arch::OperandWrapper::getConstRegister
TRITON_EXPORT const triton::arch::Register & getConstRegister(void) const
Returns the register operand.
Definition operandWrapper.cpp:72
triton::arch::OperandWrapper::getHigh
TRITON_EXPORT triton::uint32 getHigh(void) const
Returns the highest bit position of the abstract operand.
Definition operandWrapper.cpp:116
triton::arch::OperandWrapper::getConstImmediate
TRITON_EXPORT const triton::arch::Immediate & getConstImmediate(void) const
Returns the immediate operand.
Definition operandWrapper.cpp:62
triton::arch::OperandWrapper::getBitSize
TRITON_EXPORT triton::uint32 getBitSize(void) const
Returns the abstract size (in bits) of the operand.
Definition operandWrapper.cpp:104
triton::arch::OperandWrapper::getImmediate
TRITON_EXPORT triton::arch::Immediate & getImmediate(void)
Returns the immediate operand.
Definition operandWrapper.cpp:47
triton::arch::Register
This class is used when an instruction has a register operand.
Definition register.hpp:44
triton::arch::Register::getBitSize
TRITON_EXPORT triton::uint32 getBitSize(void) const
Returns the size (in bits) of the register.
Definition register.cpp:63
triton::arch::arm::ArmOperandProperties::getShiftImmediate
TRITON_EXPORT triton::uint32 getShiftImmediate(void) const
Returns the value of the shift immediate.
Definition armOperandProperties.cpp:60
triton::arch::arm::ArmOperandProperties::getVASType
TRITON_EXPORT triton::arch::arm::vas_e getVASType(void) const
Returns the vector arrangement specifier.
Definition armOperandProperties.cpp:75
triton::arch::arm::ArmOperandProperties::getVASSize
TRITON_EXPORT triton::uint32 getVASSize(void) const
Returns the vector arrangement specifier size (64 or 128 bits).
Definition armOperandProperties.cpp:106
triton::arch::arm::aarch64::AArch64Semantics::buildSemantics
TRITON_EXPORT triton::arch::exception_e buildSemantics(triton::arch::Instruction &inst)
Builds the semantics of the instruction. Returns triton::arch::NO_FAULT if succeed.
Definition aarch64Semantics.cpp:231
triton::arch::arm::aarch64::AArch64Semantics::AArch64Semantics
TRITON_EXPORT AArch64Semantics(triton::arch::Architecture *architecture, triton::engines::symbolic::SymbolicEngine *symbolicEngine, triton::engines::taint::TaintEngine *taintEngine, const triton::ast::SharedAstContext &astCtxt)
Constructor.
Definition aarch64Semantics.cpp:210
triton::engines::symbolic::PathManager::pushPathConstraint
TRITON_EXPORT void pushPathConstraint(const triton::arch::Instruction &inst, const triton::engines::symbolic::SharedSymbolicExpression &expr)
Pushs constraints of a branch instruction to the path predicate.
Definition pathManager.cpp:155
triton::engines::symbolic::SymbolicEngine::createSymbolicRegisterExpression
TRITON_EXPORT const SharedSymbolicExpression & createSymbolicRegisterExpression(triton::arch::Instruction &inst, const triton::ast::SharedAbstractNode &node, const triton::arch::Register &reg, const std::string &comment="")
Returns the new symbolic register expression expression and links this expression to the instruction.
Definition symbolicEngine.cpp:1116
triton::engines::symbolic::SymbolicEngine::createSymbolicVolatileExpression
TRITON_EXPORT const SharedSymbolicExpression & createSymbolicVolatileExpression(triton::arch::Instruction &inst, const triton::ast::SharedAbstractNode &node, const std::string &comment="")
Returns the new symbolic volatile expression expression and links this expression to the instruction.
Definition symbolicEngine.cpp:1129
triton::engines::symbolic::SymbolicEngine::getMemoryAst
TRITON_EXPORT triton::ast::SharedAbstractNode getMemoryAst(const triton::arch::MemoryAccess &mem)
Returns the AST corresponding to the memory.
Definition symbolicEngine.cpp:859
triton::engines::symbolic::SymbolicEngine::createSymbolicExpression
TRITON_EXPORT const SharedSymbolicExpression & createSymbolicExpression(triton::arch::Instruction &inst, const triton::ast::SharedAbstractNode &node, const triton::arch::OperandWrapper &dst, const std::string &comment="")
Returns the new symbolic expression and links this expression to the instruction.
Definition symbolicEngine.cpp:968
triton::engines::symbolic::SymbolicEngine::getOperandAst
TRITON_EXPORT triton::ast::SharedAbstractNode getOperandAst(const triton::arch::OperandWrapper &op)
Returns the AST corresponding to the operand.
Definition symbolicEngine.cpp:677
triton::engines::taint::TaintEngine::setTaint
TRITON_EXPORT bool setTaint(const triton::arch::OperandWrapper &op, bool flag)
Sets the flag (taint or untaint) to an abstract operand (Register or Memory).
Definition taintEngine.cpp:133
triton::engines::taint::TaintEngine::isTainted
TRITON_EXPORT bool isTainted(const triton::arch::OperandWrapper &op) const
Abstract taint verification. Returns true if the operand is tainted.
Definition taintEngine.cpp:107
triton::engines::taint::TaintEngine::isMemoryTainted
TRITON_EXPORT bool isMemoryTainted(triton::uint64 addr, triton::uint32 size=1) const
Returns true if the addr is tainted.
Definition taintEngine.cpp:87
triton::engines::taint::TaintEngine::taintUnion
TRITON_EXPORT bool taintUnion(const triton::arch::OperandWrapper &op1, const triton::arch::OperandWrapper &op2)
Abstract union tainting.
Definition taintEngine.cpp:207
triton::engines::taint::TaintEngine::setTaintRegister
TRITON_EXPORT bool setTaintRegister(const triton::arch::Register &reg, bool flag)
Sets the flag (taint or untaint) to a register.
Definition taintEngine.cpp:157
triton::engines::taint::TaintEngine::taintAssignment
TRITON_EXPORT bool taintAssignment(const triton::arch::OperandWrapper &op1, const triton::arch::OperandWrapper &op2)
Abstract assignment tainting.
Definition taintEngine.cpp:234
triton::exceptions::Semantics
The exception class used by all semantics.
Definition exceptions.hpp:377
triton::arch::arm::aarch64::ID_INS_CBNZ
@ ID_INS_CBNZ
cbnz
Definition aarch64Specifications.hpp:117
triton::arch::arm::aarch64::ID_INS_ADC
@ ID_INS_ADC
adc
Definition aarch64Specifications.hpp:93
triton::arch::arm::aarch64::ID_INS_ADRP
@ ID_INS_ADRP
adrp
Definition aarch64Specifications.hpp:100
triton::arch::arm::aarch64::ID_INS_REV64
@ ID_INS_REV64
rev64
Definition aarch64Specifications.hpp:303
triton::arch::arm::aarch64::ID_INS_LDR
@ ID_INS_LDR
ldr
Definition aarch64Specifications.hpp:253
triton::arch::arm::aarch64::ID_INS_MUL
@ ID_INS_MUL
mul
Definition aarch64Specifications.hpp:286
triton::arch::arm::aarch64::ID_INS_LDURSB
@ ID_INS_LDURSB
ldursb
Definition aarch64Specifications.hpp:267
triton::arch::arm::aarch64::ID_INS_LDAXRB
@ ID_INS_LDAXRB
ldaxrb
Definition aarch64Specifications.hpp:246
triton::arch::arm::aarch64::ID_INS_SUB
@ ID_INS_SUB
sub
Definition aarch64Specifications.hpp:431
triton::arch::arm::aarch64::ID_INS_SMSUBL
@ ID_INS_SMSUBL
smsubl
Definition aarch64Specifications.hpp:358
triton::arch::arm::aarch64::ID_INS_LSR
@ ID_INS_LSR
lsr
Definition aarch64Specifications.hpp:275
triton::arch::arm::aarch64::ID_INS_UMULL
@ ID_INS_UMULL
umull
Definition aarch64Specifications.hpp:475
triton::arch::arm::aarch64::ID_INS_LDRB
@ ID_INS_LDRB
ldrb
Definition aarch64Specifications.hpp:252
triton::arch::arm::aarch64::ID_INS_BFI
@ ID_INS_BFI
bfi
Definition aarch64Specifications.hpp:524
triton::arch::arm::aarch64::ID_INS_MNEG
@ ID_INS_MNEG
mneg
Definition aarch64Specifications.hpp:510
triton::arch::arm::aarch64::ID_INS_LD4
@ ID_INS_LD4
ld4
Definition aarch64Specifications.hpp:240
triton::arch::arm::aarch64::ID_INS_LDURSW
@ ID_INS_LDURSW
ldursw
Definition aarch64Specifications.hpp:269
triton::arch::arm::aarch64::ID_INS_MOVK
@ ID_INS_MOVK
movk
Definition aarch64Specifications.hpp:280
triton::arch::arm::aarch64::ID_INS_NOP
@ ID_INS_NOP
nop
Definition aarch64Specifications.hpp:513
triton::arch::arm::aarch64::ID_INS_LD3R
@ ID_INS_LD3R
ld3r
Definition aarch64Specifications.hpp:238
triton::arch::arm::aarch64::ID_INS_LDTR
@ ID_INS_LDTR
ldtr
Definition aarch64Specifications.hpp:263
triton::arch::arm::aarch64::ID_INS_UMOV
@ ID_INS_UMOV
umov
Definition aarch64Specifications.hpp:471
triton::arch::arm::aarch64::ID_INS_LSL
@ ID_INS_LSL
lsl
Definition aarch64Specifications.hpp:274
triton::arch::arm::aarch64::ID_INS_STLR
@ ID_INS_STLR
stlr
Definition aarch64Specifications.hpp:409
triton::arch::arm::aarch64::ID_INS_REV32
@ ID_INS_REV32
rev32
Definition aarch64Specifications.hpp:302
triton::arch::arm::aarch64::ID_INS_ASR
@ ID_INS_ASR
asr
Definition aarch64Specifications.hpp:106
triton::arch::arm::aarch64::ID_INS_LDRSW
@ ID_INS_LDRSW
ldrsw
Definition aarch64Specifications.hpp:257
triton::arch::arm::aarch64::ID_INS_CCMP
@ ID_INS_CCMP
ccmp
Definition aarch64Specifications.hpp:120
triton::arch::arm::aarch64::ID_INS_LDTRSB
@ ID_INS_LDTRSB
ldtrsb
Definition aarch64Specifications.hpp:260
triton::arch::arm::aarch64::ID_INS_SDIV
@ ID_INS_SDIV
sdiv
Definition aarch64Specifications.hpp:326
triton::arch::arm::aarch64::ID_INS_LDXR
@ ID_INS_LDXR
ldxr
Definition aarch64Specifications.hpp:273
triton::arch::arm::aarch64::ID_INS_STLRH
@ ID_INS_STLRH
stlrh
Definition aarch64Specifications.hpp:408
triton::arch::arm::aarch64::ID_INS_MOVI
@ ID_INS_MOVI
movi
Definition aarch64Specifications.hpp:279
triton::arch::arm::aarch64::ID_INS_CLZ
@ ID_INS_CLZ
clz
Definition aarch64Specifications.hpp:123
triton::arch::arm::aarch64::ID_INS_LDTRH
@ ID_INS_LDTRH
ldtrh
Definition aarch64Specifications.hpp:259
triton::arch::arm::aarch64::ID_INS_MADD
@ ID_INS_MADD
madd
Definition aarch64Specifications.hpp:276
triton::arch::arm::aarch64::ID_INS_UMNEGL
@ ID_INS_UMNEGL
umnegl
Definition aarch64Specifications.hpp:511
triton::arch::arm::aarch64::ID_INS_SXTB
@ ID_INS_SXTB
sxtb
Definition aarch64Specifications.hpp:534
triton::arch::arm::aarch64::ID_INS_TBZ
@ ID_INS_TBZ
tbz
Definition aarch64Specifications.hpp:439
triton::arch::arm::aarch64::ID_INS_LDPSW
@ ID_INS_LDPSW
ldpsw
Definition aarch64Specifications.hpp:251
triton::arch::arm::aarch64::ID_INS_MSUB
@ ID_INS_MSUB
msub
Definition aarch64Specifications.hpp:285
triton::arch::arm::aarch64::ID_INS_TBNZ
@ ID_INS_TBNZ
tbnz
Definition aarch64Specifications.hpp:437
triton::arch::arm::aarch64::ID_INS_LDAXR
@ ID_INS_LDAXR
ldaxr
Definition aarch64Specifications.hpp:248
triton::arch::arm::aarch64::ID_INS_NEG
@ ID_INS_NEG
neg
Definition aarch64Specifications.hpp:288
triton::arch::arm::aarch64::ID_INS_STURH
@ ID_INS_STURH
sturh
Definition aarch64Specifications.hpp:424
triton::arch::arm::aarch64::ID_INS_ROR
@ ID_INS_ROR
ror
Definition aarch64Specifications.hpp:305
triton::arch::arm::aarch64::ID_INS_LDRSH
@ ID_INS_LDRSH
ldrsh
Definition aarch64Specifications.hpp:256
triton::arch::arm::aarch64::ID_INS_CBZ
@ ID_INS_CBZ
cbz
Definition aarch64Specifications.hpp:118
triton::arch::arm::aarch64::ID_INS_BL
@ ID_INS_BL
bl
Definition aarch64Specifications.hpp:112
triton::arch::arm::aarch64::ID_INS_LDAXRH
@ ID_INS_LDAXRH
ldaxrh
Definition aarch64Specifications.hpp:247
triton::arch::arm::aarch64::ID_INS_CSET
@ ID_INS_CSET
cset
Definition aarch64Specifications.hpp:529
triton::arch::arm::aarch64::ID_INS_LDXP
@ ID_INS_LDXP
ldxp
Definition aarch64Specifications.hpp:270
triton::arch::arm::aarch64::ID_INS_STTRH
@ ID_INS_STTRH
sttrh
Definition aarch64Specifications.hpp:420
triton::arch::arm::aarch64::ID_INS_LDP
@ ID_INS_LDP
ldp
Definition aarch64Specifications.hpp:250
triton::arch::arm::aarch64::ID_INS_UXTB
@ ID_INS_UXTB
uxtb
Definition aarch64Specifications.hpp:538
triton::arch::arm::aarch64::ID_INS_ORR
@ ID_INS_ORR
orr
Definition aarch64Specifications.hpp:291
triton::arch::arm::aarch64::ID_INS_UDIV
@ ID_INS_UDIV
udiv
Definition aarch64Specifications.hpp:457
triton::arch::arm::aarch64::ID_INS_UMADDL
@ ID_INS_UMADDL
umaddl
Definition aarch64Specifications.hpp:460
triton::arch::arm::aarch64::ID_INS_MVN
@ ID_INS_MVN
mvn
Definition aarch64Specifications.hpp:527
triton::arch::arm::aarch64::ID_INS_SMULH
@ ID_INS_SMULH
smulh
Definition aarch64Specifications.hpp:359
triton::arch::arm::aarch64::ID_INS_MOVZ
@ ID_INS_MOVZ
movz
Definition aarch64Specifications.hpp:282
triton::arch::arm::aarch64::ID_INS_LDXRB
@ ID_INS_LDXRB
ldxrb
Definition aarch64Specifications.hpp:271
triton::arch::arm::aarch64::ID_INS_UMSUBL
@ ID_INS_UMSUBL
umsubl
Definition aarch64Specifications.hpp:472
triton::arch::arm::aarch64::ID_INS_STLXR
@ ID_INS_STLXR
stlxr
Definition aarch64Specifications.hpp:413
triton::arch::arm::aarch64::ID_INS_MRS
@ ID_INS_MRS
mrs
Definition aarch64Specifications.hpp:283
triton::arch::arm::aarch64::ID_INS_CSEL
@ ID_INS_CSEL
csel
Definition aarch64Specifications.hpp:142
triton::arch::arm::aarch64::ID_INS_MOVN
@ ID_INS_MOVN
movn
Definition aarch64Specifications.hpp:281
triton::arch::arm::aarch64::ID_INS_REV
@ ID_INS_REV
rev
Definition aarch64Specifications.hpp:304
triton::arch::arm::aarch64::ID_INS_REV16
@ ID_INS_REV16
rev16
Definition aarch64Specifications.hpp:301
triton::arch::arm::aarch64::ID_INS_STP
@ ID_INS_STP
stp
Definition aarch64Specifications.hpp:415
triton::arch::arm::aarch64::ID_INS_AND
@ ID_INS_AND
and
Definition aarch64Specifications.hpp:105
triton::arch::arm::aarch64::ID_INS_MSR
@ ID_INS_MSR
msr
Definition aarch64Specifications.hpp:284
triton::arch::arm::aarch64::ID_INS_ADD
@ ID_INS_ADD
add
Definition aarch64Specifications.hpp:97
triton::arch::arm::aarch64::ID_INS_LDXRH
@ ID_INS_LDXRH
ldxrh
Definition aarch64Specifications.hpp:272
triton::arch::arm::aarch64::ID_INS_CSINC
@ ID_INS_CSINC
csinc
Definition aarch64Specifications.hpp:143
triton::arch::arm::aarch64::ID_INS_CINC
@ ID_INS_CINC
cinc
Definition aarch64Specifications.hpp:530
triton::arch::arm::aarch64::ID_INS_STLXRB
@ ID_INS_STLXRB
stlxrb
Definition aarch64Specifications.hpp:411
triton::arch::arm::aarch64::ID_INS_CMN
@ ID_INS_CMN
cmn
Definition aarch64Specifications.hpp:526
triton::arch::arm::aarch64::ID_INS_ORN
@ ID_INS_ORN
orn
Definition aarch64Specifications.hpp:290
triton::arch::arm::aarch64::ID_INS_STURB
@ ID_INS_STURB
sturb
Definition aarch64Specifications.hpp:422
triton::arch::arm::aarch64::ID_INS_STRH
@ ID_INS_STRH
strh
Definition aarch64Specifications.hpp:418
triton::arch::arm::aarch64::ID_INS_STXP
@ ID_INS_STXP
stxp
Definition aarch64Specifications.hpp:425
triton::arch::arm::aarch64::ID_INS_BLR
@ ID_INS_BLR
blr
Definition aarch64Specifications.hpp:113
triton::arch::arm::aarch64::ID_INS_STR
@ ID_INS_STR
str
Definition aarch64Specifications.hpp:417
triton::arch::arm::aarch64::ID_INS_STLRB
@ ID_INS_STLRB
stlrb
Definition aarch64Specifications.hpp:407
triton::arch::arm::aarch64::ID_INS_LDARB
@ ID_INS_LDARB
ldarb
Definition aarch64Specifications.hpp:242
triton::arch::arm::aarch64::ID_INS_ADR
@ ID_INS_ADR
adr
Definition aarch64Specifications.hpp:99
triton::arch::arm::aarch64::ID_INS_LDURSH
@ ID_INS_LDURSH
ldursh
Definition aarch64Specifications.hpp:268
triton::arch::arm::aarch64::ID_INS_B
@ ID_INS_B
b
Definition aarch64Specifications.hpp:107
triton::arch::arm::aarch64::ID_INS_SBC
@ ID_INS_SBC
sbc
Definition aarch64Specifications.hpp:323
triton::arch::arm::aarch64::ID_INS_LDURH
@ ID_INS_LDURH
ldurh
Definition aarch64Specifications.hpp:266
triton::arch::arm::aarch64::ID_INS_LDUR
@ ID_INS_LDUR
ldur
Definition aarch64Specifications.hpp:265
triton::arch::arm::aarch64::ID_INS_UXTH
@ ID_INS_UXTH
uxth
Definition aarch64Specifications.hpp:539
triton::arch::arm::aarch64::ID_INS_STTR
@ ID_INS_STTR
sttr
Definition aarch64Specifications.hpp:421
triton::arch::arm::aarch64::ID_INS_STLXRH
@ ID_INS_STLXRH
stlxrh
Definition aarch64Specifications.hpp:412
triton::arch::arm::aarch64::ID_INS_BR
@ ID_INS_BR
br
Definition aarch64Specifications.hpp:114
triton::arch::arm::aarch64::ID_INS_RBIT
@ ID_INS_RBIT
rbit
Definition aarch64Specifications.hpp:299
triton::arch::arm::aarch64::ID_INS_SVC
@ ID_INS_SVC
svc
Definition aarch64Specifications.hpp:433
triton::arch::arm::aarch64::ID_INS_FMOV
@ ID_INS_FMOV
fmov
Definition aarch64Specifications.hpp:207
triton::arch::arm::aarch64::ID_INS_CNEG
@ ID_INS_CNEG
cneg
Definition aarch64Specifications.hpp:533
triton::arch::arm::aarch64::ID_INS_LD4R
@ ID_INS_LD4R
ld4r
Definition aarch64Specifications.hpp:241
triton::arch::arm::aarch64::ID_INS_EOR
@ ID_INS_EOR
eor
Definition aarch64Specifications.hpp:154
triton::arch::arm::aarch64::ID_INS_CSNEG
@ ID_INS_CSNEG
csneg
Definition aarch64Specifications.hpp:145
triton::arch::arm::aarch64::ID_INS_STXR
@ ID_INS_STXR
stxr
Definition aarch64Specifications.hpp:428
triton::arch::arm::aarch64::ID_INS_SMULL
@ ID_INS_SMULL
smull
Definition aarch64Specifications.hpp:361
triton::arch::arm::aarch64::ID_INS_EON
@ ID_INS_EON
eon
Definition aarch64Specifications.hpp:153
triton::arch::arm::aarch64::ID_INS_SXTW
@ ID_INS_SXTW
sxtw
Definition aarch64Specifications.hpp:536
triton::arch::arm::aarch64::ID_INS_TST
@ ID_INS_TST
tst
Definition aarch64Specifications.hpp:528
triton::arch::arm::aarch64::ID_INS_UBFX
@ ID_INS_UBFX
ubfx
Definition aarch64Specifications.hpp:523
triton::arch::arm::aarch64::ID_INS_STTRB
@ ID_INS_STTRB
sttrb
Definition aarch64Specifications.hpp:419
triton::arch::arm::aarch64::ID_INS_BIC
@ ID_INS_BIC
bic
Definition aarch64Specifications.hpp:109
triton::arch::arm::aarch64::ID_INS_LDRH
@ ID_INS_LDRH
ldrh
Definition aarch64Specifications.hpp:254
triton::arch::arm::aarch64::ID_INS_STNP
@ ID_INS_STNP
stnp
Definition aarch64Specifications.hpp:414
triton::arch::arm::aarch64::ID_INS_CMP
@ ID_INS_CMP
cmp
Definition aarch64Specifications.hpp:537
triton::arch::arm::aarch64::ID_INS_LDNP
@ ID_INS_LDNP
ldnp
Definition aarch64Specifications.hpp:249
triton::arch::arm::aarch64::ID_INS_BFXIL
@ ID_INS_BFXIL
bfxil
Definition aarch64Specifications.hpp:525
triton::arch::arm::aarch64::ID_INS_LDTRSW
@ ID_INS_LDTRSW
ldtrsw
Definition aarch64Specifications.hpp:262
triton::arch::arm::aarch64::ID_INS_MOV
@ ID_INS_MOV
mov
Definition aarch64Specifications.hpp:133
triton::arch::arm::aarch64::ID_INS_STUR
@ ID_INS_STUR
stur
Definition aarch64Specifications.hpp:423
triton::arch::arm::aarch64::ID_INS_SXTH
@ ID_INS_SXTH
sxth
Definition aarch64Specifications.hpp:535
triton::arch::arm::aarch64::ID_INS_LDAR
@ ID_INS_LDAR
ldar
Definition aarch64Specifications.hpp:244
triton::arch::arm::aarch64::ID_INS_SBFX
@ ID_INS_SBFX
sbfx
Definition aarch64Specifications.hpp:522
triton::arch::arm::aarch64::ID_INS_STXRH
@ ID_INS_STXRH
stxrh
Definition aarch64Specifications.hpp:427
triton::arch::arm::aarch64::ID_INS_STRB
@ ID_INS_STRB
strb
Definition aarch64Specifications.hpp:416
triton::arch::arm::aarch64::ID_INS_SMADDL
@ ID_INS_SMADDL
smaddl
Definition aarch64Specifications.hpp:345
triton::arch::arm::aarch64::ID_INS_LDURB
@ ID_INS_LDURB
ldurb
Definition aarch64Specifications.hpp:264
triton::arch::arm::aarch64::ID_INS_UMULH
@ ID_INS_UMULH
umulh
Definition aarch64Specifications.hpp:473
triton::arch::arm::aarch64::ID_INS_LDARH
@ ID_INS_LDARH
ldarh
Definition aarch64Specifications.hpp:243
triton::arch::arm::aarch64::ID_INS_LDRSB
@ ID_INS_LDRSB
ldrsb
Definition aarch64Specifications.hpp:255
triton::arch::arm::aarch64::ID_INS_LDTRB
@ ID_INS_LDTRB
ldtrb
Definition aarch64Specifications.hpp:258
triton::arch::arm::aarch64::ID_INS_LD3
@ ID_INS_LD3
ld3
Definition aarch64Specifications.hpp:239
triton::arch::arm::aarch64::ID_INS_STXRB
@ ID_INS_STXRB
stxrb
Definition aarch64Specifications.hpp:426
triton::arch::arm::aarch64::ID_INS_BRK
@ ID_INS_BRK
brk
Definition aarch64Specifications.hpp:115
triton::arch::arm::aarch64::ID_INS_EXTR
@ ID_INS_EXTR
extr
Definition aarch64Specifications.hpp:156
triton::arch::arm::aarch64::ID_INS_UBFIZ
@ ID_INS_UBFIZ
ubfiz
Definition aarch64Specifications.hpp:521
triton::arch::arm::aarch64::ID_INS_RET
@ ID_INS_RET
ret
Definition aarch64Specifications.hpp:300
triton::arch::arm::aarch64::ID_INS_LDTRSH
@ ID_INS_LDTRSH
ldtrsh
Definition aarch64Specifications.hpp:261
triton::arch::exception_e
exception_e
Definition archEnums.hpp:59
triton::arch::OP_IMM
@ OP_IMM
Definition archEnums.hpp:53
triton::arch::OP_REG
@ OP_REG
Definition archEnums.hpp:55
triton::arch::NO_FAULT
@ NO_FAULT
Definition archEnums.hpp:60
triton::arch::FAULT_UD
@ FAULT_UD
Definition archEnums.hpp:63
triton::arch::FAULT_BP
@ FAULT_BP
Definition archEnums.hpp:62
triton::arch::arm::vas_e
vas_e
Vector arrangement specifier.
Definition archEnums.hpp:191
triton::arch::arm::ID_VAS_4S
@ ID_VAS_4S
4 lanes, each containing a 32-bit element.
Definition archEnums.hpp:201
triton::arch::arm::ID_VAS_2D
@ ID_VAS_2D
2 lanes, each containing a 64-bit element.
Definition archEnums.hpp:204
triton::arch::arm::ID_VAS_1D
@ ID_VAS_1D
1 lane containing a 64-bit element.
Definition archEnums.hpp:205
triton::arch::arm::ID_VAS_16B
@ ID_VAS_16B
16 lanes, each containing an 8-bit element.
Definition archEnums.hpp:193
triton::arch::arm::ID_VAS_8B
@ ID_VAS_8B
8 lanes, each containing an 8-bit element.
Definition archEnums.hpp:194
triton::arch::arm::ID_VAS_8H
@ ID_VAS_8H
8 lanes, each containing a 16-bit element.
Definition archEnums.hpp:197
triton::arch::arm::ID_VAS_4H
@ ID_VAS_4H
4 lanes, each containing a 16-bit element.
Definition archEnums.hpp:198
triton::arch::arm::ID_VAS_2S
@ ID_VAS_2S
2 lanes, each containing a 32-bit element.
Definition archEnums.hpp:202
triton::arch::arm::ID_CONDITION_HS
@ ID_CONDITION_HS
Higher or same (unsigned >=). C set.
Definition archEnums.hpp:177
triton::arch::arm::ID_CONDITION_PL
@ ID_CONDITION_PL
Positive or zero. N clear.
Definition archEnums.hpp:184
triton::arch::arm::ID_CONDITION_VC
@ ID_CONDITION_VC
No overflow. V clear.
Definition archEnums.hpp:185
triton::arch::arm::ID_CONDITION_LE
@ ID_CONDITION_LE
Signed <=. Z set, N and V differ.
Definition archEnums.hpp:178
triton::arch::arm::ID_CONDITION_VS
@ ID_CONDITION_VS
Overflow. V set.
Definition archEnums.hpp:186
triton::arch::arm::ID_CONDITION_MI
@ ID_CONDITION_MI
Negative. N set.
Definition archEnums.hpp:182
triton::arch::arm::ID_CONDITION_GE
@ ID_CONDITION_GE
Signed >=. N and V the same.
Definition archEnums.hpp:174
triton::arch::arm::ID_CONDITION_GT
@ ID_CONDITION_GT
Signed >. Z clear, N and V the same.
Definition archEnums.hpp:175
triton::arch::arm::ID_CONDITION_HI
@ ID_CONDITION_HI
Higher (unsigned >). C set and Z clear.
Definition archEnums.hpp:176
triton::arch::arm::ID_CONDITION_NE
@ ID_CONDITION_NE
Not equal. Z clear.
Definition archEnums.hpp:183
triton::arch::arm::ID_CONDITION_AL
@ ID_CONDITION_AL
Always. Any flags. This suffix is normally omitted.
Definition archEnums.hpp:172
triton::arch::arm::ID_CONDITION_LO
@ ID_CONDITION_LO
Lower (unsigned <). C clear.
Definition archEnums.hpp:179
triton::arch::arm::ID_CONDITION_LT
@ ID_CONDITION_LT
Signed <. N and V differ.
Definition archEnums.hpp:181
triton::arch::arm::ID_CONDITION_LS
@ ID_CONDITION_LS
Lower or same (unsigned <=). C clear or Z set.
Definition archEnums.hpp:180
triton::arch::arm::ID_CONDITION_EQ
@ ID_CONDITION_EQ
Equal. Z set.
Definition archEnums.hpp:173
triton::ast::SharedAbstractNode
std::shared_ptr< triton::ast::AbstractNode > SharedAbstractNode
Shared Abstract Node.
Definition ast.hpp:59
triton::ast::SharedAstContext
std::shared_ptr< triton::ast::AstContext > SharedAstContext
Shared AST context.
Definition ast.hpp:65
triton::ast::ITE_NODE
@ ITE_NODE
Definition astEnums.hpp:73
triton::bitsize::byte
constexpr triton::uint32 byte
byte size in bit
Definition cpuSize.hpp:60
triton::bitsize::dword
constexpr triton::uint32 dword
dword size in bit
Definition cpuSize.hpp:64
triton::bitsize::qword
constexpr triton::uint32 qword
qword size in bit
Definition cpuSize.hpp:66
triton::bitsize::dqword
constexpr triton::uint32 dqword
dqword size in bit
Definition cpuSize.hpp:70
triton::size::dword
constexpr triton::uint32 dword
dword size in byte
Definition cpuSize.hpp:34
triton::size::word
constexpr triton::uint32 word
word size in byte
Definition cpuSize.hpp:32
triton::size::byte
constexpr triton::uint32 byte
byte size in byte
Definition cpuSize.hpp:30
triton::size::qword
constexpr triton::uint32 qword
qword size in byte
Definition cpuSize.hpp:36
triton::engines::symbolic::SharedSymbolicExpression
std::shared_ptr< triton::engines::symbolic::SymbolicExpression > SharedSymbolicExpression
Shared Symbolic Expression.
Definition ast.hpp:40
triton::engines::taint::UNTAINTED
const bool UNTAINTED
Defines an untainted item.
Definition taintEngine.hpp:49
triton::uint32
std::uint32_t uint32
unisgned 32-bits
Definition tritonTypes.hpp:39
triton
The Triton namespace.
Definition architecture.cpp:27
Generated by doxygen 1.10.0