Boyan-MILANOV
diff --git a/‎ropgenerator/Architecture.py
+34 b/‎ropgenerator/Architecture.py
+34
diff --git a/‎ropgenerator/CommonUtils.py
+16 b/‎ropgenerator/CommonUtils.py
+16
diff --git a/‎ropgenerator/Constraints.py
+1-1 b/‎ropgenerator/Constraints.py
+1-1
diff --git a/‎ropgenerator/Database.py
+70-1 b/‎ropgenerator/Database.py
+70-1
diff --git a/‎ropgenerator/Expressions.py
+28-1 b/‎ropgenerator/Expressions.py
+28-1
diff --git a/‎ropgenerator/Gadget.py
+12 b/‎ropgenerator/Gadget.py
+12
diff --git a/‎ropgenerator/Graph.py
+1 b/‎ropgenerator/Graph.py
+1
diff --git a/‎ropgenerator/Load.py
+2-2 b/‎ropgenerator/Load.py
+2-2
diff --git a/‎ropgenerator/Main.py
+1-1 b/‎ropgenerator/Main.py
+1-1
diff --git a/‎ropgenerator/Semantics.py
+56-4 b/‎ropgenerator/Semantics.py
+56-4
@@ -31,6 +31,8 @@ def __init__(self):
         self.bits = None
         self.octets = None
         self.minPageSize = None
+        self.endianness = None
+        self.regs = None
 
         # BARF Information 
         self.archMode = None
@@ -70,11 +72,29 @@ def n2r(name):
     global regNameToNum
     return regNameToNum[name]
 
+##############
+# Endianness # 
+##############
+class EndiannessType(Enum):
+    BIG = "BIG"
+    LITTLE = "LITTLE"
+    
 ###########################
 # Supported architectures #
 ###########################
 
 currentArch = None
+def setArch(arch):
+    global currentArch, ssaRegCount, regNumToName, regNameToNum
+    currentArch = arch
+    ssaRegCount = 0
+    regNumToName = dict()
+    regNameToNum = dict()
+    for reg in arch.regs:
+        regNumToName[ssaRegCount] = reg
+        regNameToNum[reg] = ssaRegCount
+        ssaRegCount += 1
+
 
 # X86 
 ArchX86 = Architecture()
@@ -88,6 +108,9 @@ def n2r(name):
 ArchX86.disassembler = X86Disassembler(architecture_mode=ARCH_X86_MODE_32)
 ArchX86.irTranslator = X86Translator(architecture_mode=ARCH_X86_MODE_32)
 ArchX86.minPageSize = 0x1000
+ArchX86.endianness = EndiannessType.LITTLE
+ArchX86.regs = ['eax','ebx','ecx','edx','esi','edi','esp','eip'\
+                , 'cf', 'pf', 'af', 'zf', 'sf']
 
 # X86-64
 ArchX64 = Architecture()
@@ -101,6 +124,11 @@ def n2r(name):
 ArchX64.disassembler = X86Disassembler(architecture_mode=ARCH_X86_MODE_64)
 ArchX64.irTranslator = X86Translator(architecture_mode=ARCH_X86_MODE_64)
 ArchX64.minPageSize = 0x1000
+ArchX64.endianness = EndiannessType.LITTLE
+ArchX64.regs = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi', 'rsp', 'rbp', 'rip'\
+                , 'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15', 'sf', 'zf'\
+                , 'af','cf','df','es', 'fs']
+
 
 available = [ArchX86.name, ArchX64.name]
 
@@ -129,6 +157,12 @@ def current():
 def minPageSize():
     return currentArch.minPageSize
 
+def isLittleEndian():
+    return currentArch.endianness == EndiannessType.LITTLE
+
+def isBigEndian():
+    return currentArch.endianness == EndiannessType.BIG
+    
 #####################
 # Types of binaries #
 ##################### 
 
@@ -0,0 +1,16 @@
+# -*- coding:utf-8 -*-  
+# CommonUtils module: useful functions 
+import ropgenerator.Database as Database
+import ropgenerator.exploit.Scanner as Scanner
+
+
+def set_offset(offset):
+    if( not Database.set_gadgets_offset(offset)):
+        return False
+    elif( not Scanner.set_offset(offset)):
+        return False
+    return True
+    
+def reset_offset():
+    Database.reset_gadgets_offset()
+    Scanner.reset_offset()
@@ -62,7 +62,7 @@ def verify(self, gadget):
         if( gadget.retType == RetType.UNKNOWN ):
             if( self.ret ):
                 for p in gadget.getSemantics(Arch.ipNum()):
-                    if( isinstance(p.expr, MEMExpr)):
+                    if( (not gadget.spInc is None) and isinstance(p.expr, MEMExpr)):
                         (isInc, inc) = p.expr.addr.isRegIncrement(Arch.spNum())    
                         # Normal ret if the final value of the IP is value that was in memory before the last modification of SP ( i.e final_IP = MEM[final_sp - size_of_a_register )        
                         if( isInc and inc == (gadget.spInc - (Arch.octets())) ):
 
@@ -41,6 +41,9 @@ class QueryType(Enum):
     SYSCALL = "syscall"
     INT80 = "int 0x80"
 
+def isMemWriteQuery(qtype):
+    return (qtype in [QueryType.CSTtoMEM, QueryType.REGtoMEM, QueryType.MEMtoMEM])
+    
 #######################
 # List of all gadgets #
 #######################
@@ -101,6 +104,7 @@ def add(self, cst, gadget_num, preCond = CTrue() ):
         self.preConditions[cst].insert(index, preCond)
 
     def find(self, cst, constraint, assertion, enablePreConds=False, n=1 , maxSpInc=None):
+        global gadgets
         res = []
         if( not cst in self.values ):
             return []
@@ -426,7 +430,7 @@ def possibleMemWrites(self, reg, cst, constraint, assertion, n=1):
 
     def possibleAddressWrites(self, reg, cst, constraint, assertion, n=1):
         """
-        : : nb of gadgets for each case !! 
+        n : nb of gadgets for each case !! 
         """
         global gadgets
         res = dict()
@@ -443,6 +447,25 @@ def possibleAddressWrites(self, reg, cst, constraint, assertion, n=1):
                     if( addr_cst not in reg[addr_reg]):
                         res[addr_reg][addr_cst] = []
                     res[addr_reg][addr_cst] += found
+                    
+    def allPossibleWrites(self, constraint, assertion):
+        """
+        n : nb of gadgets for each case
+        """
+        global gadgets 
+        res = []
+        for addr_reg in self.types[QueryType.REGtoMEM].registers.keys():
+            for addr_cst in self.types[QueryType.REGtoMEM].registers[addr_reg]:
+                # Get the lookUp for list of deps for MEM(addr_reg, addr_cst)
+                lookUp = self.types[QueryType.REGtoMEM].registers[addr_reg][addr_cst]
+                # Iterate through reg and cst 
+                for reg in lookUp.registers.keys():
+                    for cst in lookUp.registers[reg].values.keys():
+                        gadget_list = lookUp.registers[reg].find(cst, constraint, assertion, n=1)
+                        if( gadget_list ):
+                            res.append(((addr_reg, addr_cst),(reg,cst),gadget_list[0]))
+        return res 
+                    
 
 
 ########################
@@ -476,6 +499,13 @@ def DBPossibleAddressWrites(reg, cst, constraint, assertion, n=1):
     Return the list of [addr_reg, addr_cst] such than mem(addr_reg, addr_cst) <- reg+cst
     """
     return db.possibleAddressWrites(reg, cst, constraint, assertion, n)
+    
+def DBAllPossibleWrites(constraint, assertion):
+    """
+    Return a list of [(addr_reg, addr_cst), (reg, cst), gadget] 
+    s.t gadget does: mem(addr_reg, addr_cst) <- reg+cst ! 
+    """
+    return db.allPossibleWrites(constraint, assertion)
 
 #############################
 # Build the list of gadgets #
@@ -556,3 +586,42 @@ def initDB():
     global db, gadgets
     gadgets = []
     db = Database()
+    
+    
+###################
+# Utils functions #
+###################
+_offset = 0 
+def set_gadgets_offset( offset):
+    """
+    adds offset to all gadget addresses 
+    returns True if success
+    returns False if fail 
+    """
+    global gadgets, _offset
+        
+    i = 0
+    _offset = offset
+    for gadget in gadgets:
+        if( not gadget.addOffset(offset)):
+            reset_gadgets_offset(i)
+            return False
+        i += 1
+    _offset = offset
+    return True
+            
+def reset_gadgets_offset(gadget_num=-1):
+    """
+    decrements gadget addresses by offset until gadget_num (NOT included)
+    if gadget_num = -1, do it for all gadgets 
+    """
+    global _offset, gadgets
+    if( gadget_num <= 0 ):
+        gadget_num = len(gadgets)
+    i = 0
+    for gadget in gadgets:
+        if( i >= gadget_num ):
+            return 
+        gadget.addOffset(-1*_offset)
+        i += 1
+    _offset = 0
@@ -417,6 +417,9 @@ class Op(Enum):
     OR = "Or"
     XOR = "Xor"
     BSH = "Bsh"
+    
+    def __str__(self):
+        return self.value
 
 
 class OpExpr(Expr):
@@ -438,7 +441,7 @@ def __init__(self, op, args):
         self.simplifiedValue = None
 
     def __str__(self):
-        return "%s%d(%s)" % ( self.op, self.size, ','.join(str(a) for a in self.args))
+        return "%s%d(%s)" % ( str(self.op), self.size, ','.join(str(a) for a in self.args))
 
     def replaceReg( self, reg, expr ):
         newArgs = []
@@ -622,6 +625,24 @@ def simplify(self):
             elif( left == right ):
                 res = ConstExpr(0, left.size)
 
+        elif( op == Op.AND ):
+            if( isinstance(left, ConstExpr) and isinstance(right, ConstExpr)):
+                res = ConstExpr(left.value & right.value, left.size)
+            elif( isinstance(left, ConstExpr)):
+                if( left.value == 0 ):
+                    res = left
+                elif( left.value == (0x1<<left.size)-1 ):
+                    res = right
+            elif( isinstance(right, ConstExpr)):
+                if( right.value == 0 ):
+                    res = right
+                elif( right.value == (0x1<<right.size)-1 ):
+                    res = left
+        elif( op == Op.BSH ):
+            if( isinstance(left, OpExpr) and left.op == Op.BSH and isinstance(left.args[1], ConstExpr)):
+                if( isinstance(right, ConstExpr)):
+                    res = OpExpr(Op.BSH, [left.args[0], ConstExpr(left.args[1].value+right.value, right.size)])
+        
         self.simplifiedValue = res
         return res
 
@@ -1007,6 +1028,12 @@ def simplify(self):
         elif( isinstance( simpExpr, MEMExpr ) and (self.low % 8 == 0)  and self.size != simpExpr.size ):
             # If we extract from the same address (from bit 0 )
             res = MEMExpr(OpExpr(Op.ADD, [simpExpr.addr, ConstExpr(self.low/8,simpExpr.addr.size)]).simplify(), self.size)
+        elif( isinstance( simpExpr, ConstExpr )):
+            res_value = simpExpr.value << (simpExpr.size-self.high)
+            res_value = res_value % (0x1<< simpExpr.size)
+            res_value = res_value >> (self.low+simpExpr.size-self.high)
+            res = ConstExpr(res_value, self.high-self.low+1)
+        
         self.simplifiedValue = res 
         return res
 
 
@@ -182,3 +182,15 @@ def getSemantics(self, value):
             # Or return the same
             else:
                 return [SPair(SSAExpr(num, 0), CTrue())]
+                
+    def addOffset(self, offset):
+        new_addresses = []
+        for addr in self.addrList:
+            new = addr+offset 
+            # Check if offset isn't too big 
+            if( new >= (0x1 << Arch.bits())\
+                or new < 0 ):
+                return False
+            new_addresses.append(new)
+        self.addrList = new_addresses
+        return True
@@ -126,6 +126,7 @@ def getSemantics( self ):
         semantics.flattenITE()
         semantics.simplifyValues()
         semantics.simplifyConditions()
+        semantics.customSemanticAdjust()
         return semantics
 
 #####################################
 
@@ -171,9 +171,9 @@ def load(args):
         print("\tFound: " + arch.name)
         return 
     elif( arch ):
-        Arch.currentArch = arch
+        Arch.setArch(arch)
     else:
-        Arch.currentArch = user_arch
+        Arch.setArch(user_arch)
 
     # Init the binary scanner
     initScanner(filename)
 
@@ -20,7 +20,7 @@
 ▒▒╔══▒▒║▒▒╔═══▒▒╗▒▒╔══▒╗
 ▒▒▒▒▒▒╔╝▒▒║   ▒▒║▒▒▒▒▒▒║ G  E  N  E  R  A  T  O  R
 ▒▒╔══▒▒╗╚▒▒▒▒▒▒╔╝▒▒╔═══╝ 
-╚═╝  ╚═╝ ╚═════╝ ╚═╝     ════════════════════ v1.1          
+╚═╝  ╚═╝ ╚═════╝ ╚═╝     ════════════════════ v1.2          
   
 
 """
 
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*- 
 # Semantics module: structure to store gadget semantics
 from ropgenerator.Conditions import Cond, CT, CTrue, CFalse
-from ropgenerator.Expressions import SSAReg
+from ropgenerator.Expressions import SSAReg, Concat, Extract, SSAExpr, Op, OpExpr, ConstExpr
 from ropgenerator.Architecture import r2n
 
 class SPair:
@@ -169,9 +169,61 @@ def customSemanticAdjust(self):
         """
         Make some adjustments in semantics so that it is easier to process by the search engine 
         """
-        ## Adjust Cat(0, Extract( x, 0, E))
-        ## --> E if E <  2^(x-1) €z 
-        pass #  TODO 
+        def adjustSemantic(spair):
+            """
+            returns a list of SPair
+            """
+            expr = spair.expr
+            cond  = spair.cond
+            if( isinstance(expr, Concat) and len(expr.args) == 2):
+                upper = expr.args[0][0]
+                lower = expr.args[1][0]
+                if( isinstance(upper, ConstExpr) and upper.value == 0):
+                    if( isinstance(lower, OpExpr)):
+                        left = lower.args[0]
+                        right = lower.args[1]
+                        # IF there is a Const it will be on the right ;)
+                        if( not isinstance(right, ConstExpr)):
+                            tmp = left
+                            left = right
+                            right = left
+                        # Reg + cst 
+                        if( lower.op == Op.ADD and (isinstance(left, Extract) and isinstance(left.args[0], SSAExpr) and left.low == 0)\
+                            and isinstance(right, ConstExpr)):
+                                new_cond = Cond(CT.AND, 
+                                            Cond(CT.AND, cond, Cond(CT.LT, left.args[0], \
+                                                ConstExpr((0x1<<(left.high+1))-right.value, left.args[0].size))), 
+                                            Cond(CT.GE, left.args[0], ConstExpr(0, left.args[0].size)))
+                                new_cond.customSimplify()
+                                new_expr = OpExpr(Op.ADD,[left.args[0], ConstExpr(right.value,left.args[0].size)])
+                                return [SPair(new_expr, new_cond)]
+                        
+                        # Reg - cst... 
+                        elif( lower.op == Op.SUB and (isinstance(left, Extract) and isinstance(left.args[0], SSAExpr) and left.low == 0)\
+                            and isinstance(right, ConstExpr)):
+                                new_cond = Cond(CT.AND, 
+                                            Cond(CT.AND, cond, Cond(CT.LT, left.args[0], \
+                                                ConstExpr(0x1<<(left.high+1),left.args[0].size ))), 
+                                            Cond(CT.GE, left.args[0], ConstExpr(right.value, left.args[0].size)))
+                                new_cond.customSimplify()
+                                new_expr = OpExpr(Op.SUB,[left.args[0], ConstExpr(right.value,left.args[0].size)])
+                                return [SPair(new_expr, new_cond)]
+                        # Other cases ? :) 
+                        else:
+                            pass
+            return []
+                
+        ## Adjust semantics 
+        for reg in self.registers.keys():
+            newPairs = [] 
+            for p in self.registers[reg]:
+                newPairs += adjustSemantic(p)
+            self.registers[reg] += newPairs
+        for addr in self.memory.keys():
+            newPairs = [] 
+            for p in self.memory[addr]:
+                newPairs += adjustSemantic(p)
+            self.memory[addr] += newPairs
 
 
     def simplifyConditions(self):