
symbolizeRegister result is different with setConcreteRegisterValue result ? #1304

Open badguy123 opened 5 months ago

badguy123 commented 5 months ago

Hi, I wrote some code and obfuscated it. When I use ctx.symbolizeRegister to set a register value, the result is right, but when I use ctx.setConcreteRegisterValue to set a register with a symbol, ctx.liftToLLVM returns wrong IR. Am I missing something?

My source code:

int fun(int a, int b){
    // Nudge b by one in the direction chosen by a's sign (+1 when a is
    // positive, -1 otherwise), then return the sum of a and the adjusted b.
    const int adjusted_b = (a > 0) ? b + 1 : b - 1;
    return a + adjusted_b;
}

My Triton code:

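int main(int argc, const char **argv) {
    // Binary to emulate: the first CLI argument when given, otherwise the
    // original hard-coded sample so the existing invocation keeps working.
    const char *path = (argc > 1) ? argv[1] : "/Users/c/Desktop/AOT/main_bcf";
    //read file
    std::vector<uint8> buffer = read_file(path);

    /* Init the triton context */
    triton::Context ctx;
    const uint64 base  = 0;       // load address of the raw image
    const uint64 begin = 0x3d1c;  // first instruction to emulate
    const uint64 end   = 0x3f00;  // address at which emulation stops
    // Upper bound on emulated instructions: the image is read from disk, so a
    // loop in it (or a stray jump into a loop) must not hang the analysis.
    const uint64 max_instructions = 1000000;
    std::ostream& outs = std::cout;
    // llvm::LLVMContext  c;
    // ast::TritonToLLVM lifter(c);

    ctx.setArchitecture(ARCH_AARCH64);

    // ctx.setConcreteRegisterValue(ctx.registers.aarch64_w0, uint512(1));
    // ctx.setConcreteRegisterValue(ctx.registers.aarch64_w1, uint512(2));

    // NOTE(review): symbolizing w0/w1 does not select a path; the loop below
    // still follows whichever branch the registers' concrete values take, so
    // only one arm of fun()'s if/else is expected in the resulting AST.
    ctx.symbolizeRegister(ctx.registers.aarch64_w0, "a");
    ctx.symbolizeRegister(ctx.registers.aarch64_w1, "b");

    ctx.setConcreteMemoryAreaValue(base, buffer);

    uint512 pc = begin;
    uint64 executed = 0;
    do {
        auto insn = ctx.disassembly(uint64(pc), 1);
        if (insn.empty()) {
            // Defensive: back() on an empty vector is undefined behaviour.
            outs << "no instruction decoded at 0x" << std::hex << uint64(pc) << std::dec << "\n";
            return 1;
        }
        outs << insn.back() << "\n";

        if (pc == end) break;

        // processing() reports an unsupported or faulting instruction through
        // its return value; ignoring it would silently desynchronise the
        // emulated state from the real program.
        if (ctx.processing(insn.back()) != triton::arch::NO_FAULT) {
            outs << "fault while processing instruction at 0x" << std::hex << uint64(pc) << std::dec << "\n";
            return 1;
        }
        pc = ctx.getConcreteRegisterValue(ctx.registers.aarch64_pc);

        if (++executed >= max_instructions) {
            outs << "instruction budget exhausted, stopping emulation\n";
            return 1;
        }
    } while (pc);

    auto x = ctx.getRegisterAst(ctx.registers.aarch64_w0);
    // outs << x->evaluate() << "\n";
    auto synt = ctx.synthesize(x);

    // return ((_ extract 31 0) ((_ zero_extend 32) (bvadd (bvadd (bvadd a (_ bv0 32)) (bvadd b (_ bv4294967295 32))) (_ bv0 32))))
    // outs << synt.getOutput() << "\n";
    ctx.liftToLLVM(outs, synt.getOutput());
    return 0;
}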

When the registers are set to concrete values w0 = 1, w1 = 2, x->evaluate() returns 4; when the registers are symbolized instead, ctx.liftToLLVM returns the following wrong IR:

; ModuleID = 'tritonModule'
source_filename = "tritonModule"

; Lifted AST of w0 after emulation: %SymVar_0 is the symbolic "a" and
; %SymVar_1 the symbolic "b". Only the `--b` arm of fun() is present (the
; `add ..., -1` below); the `++b` arm does not appear, presumably because the
; emulation followed a single concrete path -- confirm against the caller.
define i32 @__triton(i32 %SymVar_0, i32 %SymVar_1) {
entry:
  %0 = add i32 %SymVar_1, -1   ; b - 1 (the else branch of fun)
  %1 = add i32 %SymVar_0, 0    ; a + 0 (additive no-op from the source AST)
  %2 = add i32 %1, %0          ; a + (b - 1)
  %3 = add i32 %2, 0           ; another additive no-op
  %4 = zext i32 %3 to i64      ; (_ zero_extend 32)
  %5 = trunc i64 %4 to i32     ; (_ extract 31 0)
  ret i32 %5
}

The Mach-O arm64 file is attached as main_bcf.zip.