def can_control_read(self, reg):
flag_bits = CGC_FLAG_PAGE >> 12
# shouldn't unset any already good bits
orig_bits = self.orig_regs[reg] >> 12
orig_matching_bits = (~(flag_bits ^ orig_bits)) & 0xfffff
curr_best_matches = []
for i in self.byte_analysis:
ast_vals = [x["AST"] for x in self.byte_analysis[i].reg_vals.values()]
for a in ast_vals:
bits = a >> 12
matching_bits = ~(flag_bits ^ bits) & 0xfffff
if matching_bits & orig_matching_bits != orig_matching_bits:
continue
else:
is_better_than_curr = True
for b in list(curr_best_matches):
matching_bits_b = ~(flag_bits ^ b) & 0xfffff
if matching_bits & matching_bits_b == matching_bits:
is_better_than_curr = False
elif matching_bits & matching_bits_b == matching_bits_b:
curr_best_matches.remove(b)
if is_better_than_curr:
curr_best_matches.append(bits)
# verify it can be pointed at flag page
if len(curr_best_matches) > 0:
all_bits = reduce(operator.__or__, [~(x ^ flag_bits) & 0xfffff for x in curr_best_matches])
else:
all_bits = 0
if bin(all_bits).count("1") < 20:
return False
match_dict = defaultdict(set)
# now get all bytes that match each best
for i in self.byte_analysis:
for b in self.byte_analysis[i].reg_vals:
a = self.byte_analysis[i].reg_vals[b][reg]
bits = a >> 12
if bits in curr_best_matches:
match_dict[bits].add((i, b))
return True
评论列表
文章目录
