JonathanSalwan / Triton

Triton is a dynamic binary analysis library. Build your own program analysis tools, automate your reverse engineering, perform software verification or just emulate code.
https://triton-library.github.io
Apache License 2.0

Why am I stuck at the idiv instruction #1260

Closed AnduinBrian closed 11 months ago

AnduinBrian commented 11 months ago

Hello, I'm writing a script to detect opaque predicates. I used this sample and script but didn't receive anything. When I tried to write it myself, I noticed I was stuck at the idiv instruction. Here is a detailed look. In IDA, I got this block: [image]

My script will process every instruction in this block and print out the instruction disassembly. But the result I got shows me that my script won't pass through the idiv; it just stays there: [image]

My script:

from idautils   import *
from idaapi     import *
from idc        import *
import idc
from triton     import *

def prove_bb(startEA, endEA):
    global ctx
    global names
    global nb_ed
    global nb_in
    global nb_to

    ctx = TritonContext()
    ctx.setArchitecture(ARCH.X86)
    ctx.setMode(MODE.ALIGNED_MEMORY, True)

    names = dict()

    # Symbolize registers
    for r in ctx.getParentRegisters():
        var = ctx.symbolizeRegister(r)
        names.update({var.getName() : str(r)})

    ip = startEA
    for _ in range(1000):
        # Get opcodes from IDA and execute them in Triton
        inst = Instruction()
        opcode = idc.get_bytes(ip, 16)
        inst.setOpcode(opcode)
        inst.setAddress(ip)
        # Return value (the EXCEPTION code) is not checked here
        ctx.processing(inst)

        print(hex(inst.getAddress()), inst.getDisassembly())

        # Get next instruction from the emulated eip
        ip = ctx.getSymbolicRegisterValue(ctx.registers.eip)

prove_bb(0x407BE2, 0x407C0C)

Why is this happening and how can I fix it? Thanks. Best regards,

JonathanSalwan commented 11 months ago

Hey,

Probably because the idiv instruction raised an exception. processing can return the following exception enums:

Maybe you got EXCEPTION.FAULT_DE. In this case, the program counter is not incremented and you loop on the same instruction.

Two solutions:

1) If you got an exception, just ignore it and increment the program counter yourself (e.g. ip = inst.getNextAddress()).

2) Define an initial context that will not raise a div by zero exception.

AnduinBrian commented 11 months ago

Maybe div by zero. I think so.