JonathanSalwan / Triton

Triton is a dynamic binary analysis library. Build your own program analysis tools, automate your reverse engineering, perform software verification or just emulate code.
https://triton-library.github.io
Apache License 2.0

Symbolic execution jump instruction path #1326

Closed yujack008 closed 1 month ago

yujack008 commented 1 month ago

My Code:

    #include <iostream>
    #include <vector>
    #include <triton/context.hpp>

    using namespace triton;

    int main() {
        Context ctx;
        ctx.setArchitecture(arch::ARCH_X86);

        const std::vector<triton::uint8> code = {
            0x90,                         // nop
    //      0xb8,0x01,0x00,0x00,0x00,     // mov eax,1
            0x83,0xf8,0x01,               // cmp eax,1
            0x75,0x2,                     // jne 0x400008
            0x90,0x90,0x90,0x90,0x90,     // nop x5 (fall-through path)
            0xc3,                         // ret
        };

        uint64 pc = 0x400000;
        ctx.setConcreteMemoryAreaValue(pc, code);
        //ctx.symbolizeRegister(ctx.registers.x86_eax);
        //ctx.convertRegisterToSymbolicVariable(ctx.registers.x86_eax);

        // ret pops a 0 from the untouched stack, so eip becomes 0 and the loop ends.
        while(pc){
            Instruction inst;

            // Fetch up to 16 bytes; the disassembler only consumes what the instruction needs.
            std::vector<triton::uint8> opcode = ctx.getConcreteMemoryAreaValue(pc,16);

            inst.setAddress(pc);
            inst.setOpcode((void*)opcode.data(),opcode.size());
            ctx.processing(inst);

            std::cout << inst << std::endl;

            pc = static_cast<uint64>(ctx.getConcreteRegisterValue(ctx.registers.x86_eip));
        }
        return 0;
    }

output:

0x400000: nop
0x400001: cmp eax, 1
0x400004: jne 0x400008
0x400008: nop
0x400009: nop
0x40000a: nop
0x40000b: ret

I want to know how I can detect the other jne instruction path, 0x400005, by symbolic execution. Can Triton's symbolic execution not emulate all paths?

yujack008 commented 1 month ago

Copying the TritonContext can solve it, but it is difficult to copy a TritonContext.