JonathanSalwan / Triton

Triton is a dynamic binary analysis library. Build your own program analysis tools, automate your reverse engineering, perform software verification or just emulate code.
https://triton-library.github.io
Apache License 2.0

Taint resulting from a dereference #1292

Closed namreeb closed 8 months ago

namreeb commented 8 months ago

In this snippet, if r8 is tainted, I would expect ecx to also be tainted, but it does not seem to be. Is this intentional?

0x1416e4abe: movzx ecx, byte ptr [r8 - 5]
0x1416e4ac3: cmp cl, 0xe8
0x1416e4ac6: je 0x1416e4b70

JonathanSalwan commented 8 months ago

It depends on the taint propagation strategy. By default, the taint is spread if the memory cell that is read is tainted. If you want to spread the taint if the memory index is tainted, you have to enable this mode:

ctx.setMode(MODE.TAINT_THROUGH_POINTERS, True)
namreeb commented 8 months ago

Sorry, I missed that. Thank you for your time! I can confirm this is working for me.