├── LICENSE
├── README.md
├── demo.png
├── type1ecallfinder
    ├── Makefile
    ├── README.md
    ├── enclave.signed.so
    ├── enclave.signed.so_asm
    ├── libenclave.signed.so
    ├── libenclave.signed.so_asm
    ├── libpal-Linux-SGX.so
    ├── libpal-Linux-SGX.so_asm
    ├── main.py
    ├── results
    │   ├── Graphene-SGX
    │   ├── RUST-SGX-SDK
    │   └── SGX_SDK
    └── test.sh
├── type1ocallfinder
    ├── Makefile
    ├── README.md
    ├── enclave.signed.so
    ├── enclave.signed.so_asm
    ├── libenclave.signed.so
    ├── libenclave.signed.so_asm
    ├── libpal-Linux-SGX.so
    ├── libpal-Linux-SGX.so_asm
    ├── main.py
    ├── results
    │   ├── Graphene-SGX
    │   │   ├── Graphene-SGX
    │   │   ├── Graphene-SGX_01
    │   │   ├── Graphene-SGX_02
    │   │   ├── Graphene-SGX_03
    │   │   ├── Graphene-SGX_04
    │   │   ├── Graphene-SGX_05
    │   │   ├── Graphene-SGX_06
    │   │   ├── Graphene-SGX_07
    │   │   ├── Graphene-SGX_08
    │   │   ├── Graphene-SGX_09
    │   │   ├── Graphene-SGX_10
    │   │   ├── Graphene-SGX_11
    │   │   ├── Graphene-SGX_12
    │   │   ├── Graphene-SGX_13
    │   │   ├── Graphene-SGX_14
    │   │   ├── Graphene-SGX_15
    │   │   ├── Graphene-SGX_16
    │   │   ├── Graphene-SGX_17
    │   │   ├── Graphene-SGX_18
    │   │   ├── Graphene-SGX_19
    │   │   ├── Graphene-SGX_20
    │   │   ├── Graphene-SGX_21
    │   │   ├── Graphene-SGX_22
    │   │   ├── Graphene-SGX_23
    │   │   ├── Graphene-SGX_24
    │   │   ├── Graphene-SGX_25
    │   │   ├── Graphene-SGX_26
    │   │   ├── Graphene-SGX_27
    │   │   ├── Graphene-SGX_28
    │   │   ├── Graphene-SGX_29
    │   │   ├── Graphene-SGX_30
    │   │   ├── Graphene-SGX_31
    │   │   ├── Graphene-SGX_32
    │   │   ├── Graphene-SGX_33
    │   │   ├── Graphene-SGX_34
    │   │   ├── Graphene-SGX_35
    │   │   ├── Graphene-SGX_36
    │   │   └── Graphene-SGX_37
    │   ├── RUST-SGX-SDK
    │   └── SGX_SDK
    └── test.sh
└── type2finder
    ├── Makefile
    ├── README.md
    ├── enclave.signed.so
    ├── enclave.signed.so_asm
    ├── libenclave.signed.so
    ├── libenclave.signed.so_asm
    ├── libpal-Linux-SGX.so
    ├── libpal-Linux-SGX.so_asm
    ├── main.py
    ├── results
        ├── Graphene-SGX
        ├── RUST-SGX-SDK
        └── SGX_SDK
    └── test.sh


/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | # SgxPectre Attacks
 3 | Practical Spectre attacks against Intel's SGX enclaves, including Intel signed privileged enclaves, e.g., quoting enclaves.
 4 | 
 5 | ## Overview 
 6 | SgxPectre Attacks resulted from a research project conducted by security researchers at The Ohio State University.  The study systematically explores the insecurity of Intel SGX due to branch target injection attacks and micro-architectural side-channel attacks. The research is one of a series of [research projects](http://web.cse.ohio-state.edu/~zhang.834/projects/sgx-side-channels.html) on SGX side channels  in which OSU researchers have been involved.
 7 | 
 8 | Software Guard eXtensions (SGX) is a hardware extension available in recent Intel processors.  SGX provides software applications shielded execution environments, called *enclaves*, to run private code and operate sensitive data, where both the code and data are isolated from the rest of the software systems. Even privileged software such as the operating systems and hypervisors are not allowed to directly inspect or manipulate the memory inside the enclaves.  There are already commercial cloud platforms that utilize SGX to offer customers trustworthy computing environments.
 9 | 
10 | However, it has already been demonstrated that by observing execution traces of an enclave program left in the CPU caches, branch target buffers, DRAM's row buffer contention, page-table entries, and page-fault exception handlers, a side-channel adversary with system privileges may *infer* sensitive data from the enclaves. These traditional side-channel attacks are only feasible if the enclave program already has secret-dependent memory access patterns.
11 | 
12 | SgxPectre Attacks are a new type of side-channel attacks against SGX enclaves.
13 | But the consequences of SgxPectre Attacks are far more concerning. We show that SgxPectre Attacks can completely compromise the confidentiality of SGX enclaves. In particular, because vulnerable code patterns exist in most SGX runtime libraries (e.g., Intel SGX SDK, Rust-SGX, Graphene-SGX) and are difficult to  be eliminated, the adversary could perform SgxPectre Attacks against *any* enclave programs. We demonstrate end-to-end attacks to show that the adversary could learn the content of the enclave memory, as well as its register values in such attacks. Most importantly, we have applied SgxPectre Attacks to steal seal keys and attestation keys from Intel signed quoting enclaves. The seal key can be used to decrypt sealed storage outside the enclaves, and the attestation key can be used to forge attestation signatures.
14 | 
15 | ## Research papers
16 | * [SgxPectre Attacks: Stealing Intel Secrets from SGX Enclaves via Speculative Execution](https://arxiv.org/pdf/1802.09085.pdf), *Guoxing Chen, Sanchuan Chen, Yuan Xiao, Yinqian Zhang, Zhiqiang Lin, Ten H. Lai*, Jun. 2018.
17 | 
18 | ## What is the exploited vulnerability
19 | Similar to their non-SGX counterparts, SgxPectre attacks exploit the race condition between the injected, speculatively executed memory references and the latency of the branch resolution. Two hardware features enable SgxPectre attacks:
20 | * The branch prediction units used in the enclave mode for predicting branch targets are not thoroughly cleansed upon enclave entrance. Therefore, code outside the targeted enclave (either running in the unprotected memory region or in another enclave) can manipulate the targets the branch prediction inside the targeted enclave.
21 | * Implicit caching caused by speculatively executed instructions are not properly rolled back after these instructions are discarded, which means the speculatively executed instructions, though never committed to memory, may lead to cache state changes that are observable by the adversary.
22 | 
23 | ## What is the condition of practical exploitation
24 | In order to exploit the hardware vulnerability, two types of code patterns are required in the enclave code:
25 | * The first type of code patterns consists of a branch instruction that can be influenced by the adversary and several registers that are under the adversary's control when the branch instruction is executed. 
26 | * The second type of code patterns consists of two memory references sequentially close to each other that collectively reveal some enclave memory content through cache side channels. 
27 | 
28 | ##  Who is vulnerable
29 | Because there are vulnerable code patterns inside the SDK runtime libraries, any code developed with Intel's official SGX SDK will be impacted by the attacks. *It doesn't matter how the enclave program is implemented.*
30 | 
31 | We also studied a few other runtime libraries in the paper; such vulnerable code patterns are very common.
32 | 
33 | ## What are the solutions
34 | Our empirical evaluation on a patched Skylake processor (i5-6200U) suggests that Indirect Branch Restricted Speculation (IBRS) can effectively address SgxPectre attacks. IBRS restricts the speculation of indirect branches. By default, on machines that support IBRS, branch prediction inside the SGX enclave cannot be controlled by software running outside. 
35 | 
36 | However, since existing SGX processors need to apply microcode updates to support IBRS and the microcode patch can be reverted by a system administrator, enclave owners have to verify CPUSVN during their remote attestation. Moreover, due to the possible exposure of seal keys, enclave owners should not trust any legacy secrets sealed using an out-dated CPUSVN. And we also suggest developers of runtime libraries to scrutinize their code to remove exploitable gadgets in prevention of other potential ways of poisoning the BTB in the future. We have developed a software tool to automatically scan enclave programs and search for vulnerable code patterns. The detail of the tool can be found in our paper.  
37 | 
38 | ## Demo
39 | In this demo, we show that SgxPectre attacks can read the the GPRSGX region of the State Save Area (SSA) after an AEX of the targeted enclave. Because the register values inside the enclave are stored in the SSA region, every register can be read by the SgxPectre attacks.
40 |  
41 | [![SgxPectre](./demo.png)](https://youtu.be/dOJgPNovFZo)
42 | 
43 | ## Open-source code
44 | The source code of the project has two components: 
45 | * The SgxPectre attack code: userspace programs and kernel patches that work together to extract secrets from enclaves. 
46 | * The vulnerability scanning tool: an extension of [Angr](https://github.com/angr/angr) that automatically identify vulnerable code patterns in enclave programs via symbolic execution. 
47 | 
48 | We plan to open source the SgxPectre attack code later. But the symbolic execution tool is released here first to help the SGX developers to identify vulnerable code patterns in their own applications. 
49 | 
50 | ## People
51 | The research has been conducted by the following researchers at The Ohio State University:
52 | * Faculty members: *Yinqian Zhang, Zhiqiang Lin, Ten H. Lai*
53 | * Graduate students: *Guoxing Chen, Sanchuan Chen, Yuan Xiao*
54 | 
55 | ## Reponsible disclosure
56 | We have disclosed our study to Intel before releasing the research paper. 
57 | 


--------------------------------------------------------------------------------
/demo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OSUSecLab/SgxPectre/815068911f35abcc1ddbbcd45ea67b54d5749e36/demo.png


--------------------------------------------------------------------------------
/type1ecallfinder/Makefile:
--------------------------------------------------------------------------------
1 | .PHONY: all
2 | 
3 | 
4 | all:
5 | 	
6 | 
7 | clean:
8 | 	rm -f *_asm
9 | 


--------------------------------------------------------------------------------
/type1ecallfinder/README.md:
--------------------------------------------------------------------------------
 1 | # type1ecallfinder
 2 | 
 3 | 1.Prerequisites:
 4 | 
 5 | Make sure you have angr binary analysis framework installed.
 6 | 
 7 | * [angr](http://angr.io/) - angr, a binary analysis framework
 8 | 
 9 | You may follow [angr documentaion](https://docs.angr.io/INSTALL.html) for installation.
10 | 
11 | Or a more simple way to install is to install [angr-dev](https://github.com/angr/angr-dev) which has a install script.
12 | 
13 | After installation of angr, our tool can be used instantly.
14 | 
15 | 
16 | 2.Run command:
17 | 
18 | ```
19 | bash test.sh
20 | ```
21 | You may also uncomment or change the content of test.sh to run different tests. 
22 | 
23 | All tests in the paper can be run by uncomment lines of test.sh.
24 | 
25 | And all the authors' tested results are in result folder.
26 | 
27 | 3.File Description:
28 | 
29 | * [libenclave.signed.so] - A typical SGX enclave .so file.
30 | * [libpal-Linux-SGX.so] - A typical Graphene SGX enclave .so file.
31 | * [enclave.signed.so] - A typical Rust SGX enclave .so file.
32 | 
33 | 
34 | 


--------------------------------------------------------------------------------
/type1ecallfinder/enclave.signed.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OSUSecLab/SgxPectre/815068911f35abcc1ddbbcd45ea67b54d5749e36/type1ecallfinder/enclave.signed.so


--------------------------------------------------------------------------------
/type1ecallfinder/libenclave.signed.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OSUSecLab/SgxPectre/815068911f35abcc1ddbbcd45ea67b54d5749e36/type1ecallfinder/libenclave.signed.so


--------------------------------------------------------------------------------
/type1ecallfinder/libpal-Linux-SGX.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OSUSecLab/SgxPectre/815068911f35abcc1ddbbcd45ea67b54d5749e36/type1ecallfinder/libpal-Linux-SGX.so


--------------------------------------------------------------------------------
/type1ecallfinder/results/Graphene-SGX:
--------------------------------------------------------------------------------
  1 | *********************************
  2 | *********************************
  3 | *********************************
  4 | *************RESULTS:************
  5 | *********************************
  6 | *********************************
  7 | *********************************
  8 | *********************************
  9 | *************gadgets:************
 10 | *********************************
 11 | *********************************
 12 | gadget 0:
 13 | *********************************
 14 | address:
 15 | 0x153f5L
 16 | gtype:
 17 | 3
 18 | regs affected:
 19 | rdx
 20 | rdi
 21 | rsi
 22 | r8
 23 | regs:
 24 | <BV64 0xfffffffc>
 25 | <BV64 0x0>
 26 | <BV64 rsp_14_64>
 27 | <BV64 init_rdx_3_64>
 28 | <BV64 Reverse(0x0#32 .. Reverse(init_rdi_4_64)[31:0])>
 29 | <BV64 init_rsi_5_64>
 30 | <BV64 init_rbx_1_64 + (0xffffffffffffffff * mem_7f000008_20_64)>
 31 | <BV64 0x0>
 32 | <BV64 0x0>
 33 | <BV64 0x0>
 34 | <BV64 0x0>
 35 | <BV64 0x0>
 36 | <BV64 0x0>
 37 | <BV64 0x0>
 38 | *********************************
 39 | gadget 1:
 40 | *********************************
 41 | address:
 42 | 0x101e4L
 43 | gtype:
 44 | 3
 45 | regs affected:
 46 | r8
 47 | r9
 48 | r10
 49 | r11
 50 | r12
 51 | r13
 52 | r14
 53 | r15
 54 | regs:
 55 | <BV64 0x0>
 56 | <BV64 0x100>
 57 | <BV64 mem_22a5d8_60_64>
 58 | <BV64 0x319a800>
 59 | <BV64 0xfffffffffffffff8 + mem_ffffffffe0000000_26_64>
 60 | <BV64 0xfffffffffffffff8 + mem_ffffffffe0000000_26_64>
 61 | <BV64 init_r8_6_64>
 62 | <BV64 init_r9_7_64>
 63 | <BV64 init_r10_8_64>
 64 | <BV64 init_r11_9_64>
 65 | <BV64 init_rsi_5_64>
 66 | <BV64 init_r13_11_64>
 67 | <BV64 init_r14_12_64>
 68 | <BV64 init_r15_13_64>
 69 | *********************************
 70 | gadget 2:
 71 | *********************************
 72 | address:
 73 | 0x101e4L
 74 | gtype:
 75 | 3
 76 | regs affected:
 77 | r8
 78 | r9
 79 | r10
 80 | r11
 81 | r12
 82 | r13
 83 | r14
 84 | r15
 85 | regs:
 86 | <BV64 0x0>
 87 | <BV64 0x100>
 88 | <BV64 mem_22a5d8_60_64>
 89 | <BV64 0x319a800>
 90 | <BV64 0xfffffffffffffff8 + mem_ffffffffe0000000_26_64>
 91 | <BV64 0xfffffffffffffff8 + mem_ffffffffe0000000_26_64>
 92 | <BV64 init_r8_6_64>
 93 | <BV64 init_r9_7_64>
 94 | <BV64 init_r10_8_64>
 95 | <BV64 init_r11_9_64>
 96 | <BV64 init_rsi_5_64>
 97 | <BV64 init_r13_11_64>
 98 | <BV64 init_r14_12_64>
 99 | <BV64 init_r15_13_64>
100 | *********************************
101 | gadget 3:
102 | *********************************
103 | address:
104 | 0x12ef3L
105 | gtype:
106 | 3
107 | regs affected:
108 | rdi
109 | r8
110 | r12
111 | r13
112 | r14
113 | regs:
114 | <BV64 0x0>
115 | <BV64 rsp_14_64>
116 | <BV64 rsp_14_64>
117 | <BV64 0x422ef08>
118 | <BV64 init_rdx_3_64>
119 | <BV64 0x0>
120 | <BV64 init_rbx_1_64 + (0xffffffffffffffff * mem_7f000008_20_64)>
121 | <BV64 0x0>
122 | <BV64 0x0>
123 | <BV64 0x0>
124 | <BV64 init_rdi_4_64[63:32] .. 0x0#32>
125 | <BV64 init_rdx_3_64>
126 | <BV64 init_rsi_5_64>
127 | <BV64 0x0>
128 | *********************************
129 | gadget 4:
130 | *********************************
131 | address:
132 | 0x12ef3L
133 | gtype:
134 | 3
135 | regs affected:
136 | rax
137 | rdi
138 | rsi
139 | r8
140 | r12
141 | r13
142 | r14
143 | regs:
144 | <BV64 Reverse(0#7 .. __invert__((if (init_rdx_3_64 <= mem_422ef00_80_64) then 0 else 1)) .. 0xef220400000000#56)>
145 | <BV64 rsp_14_64>
146 | <BV64 rsp_14_64>
147 | <BV64 0x422ef08>
148 | <BV64 init_rdx_3_64>
149 | <BV64 init_rdx_3_64>
150 | <BV64 init_rbx_1_64 + (0xffffffffffffffff * mem_7f000008_20_64)>
151 | <BV64 0x0>
152 | <BV64 0x0>
153 | <BV64 0x0>
154 | <BV64 init_rdi_4_64[63:32] .. 0x0#32>
155 | <BV64 init_rdx_3_64>
156 | <BV64 init_rsi_5_64>
157 | <BV64 0x0>
158 | *********************************
159 | gadget 5:
160 | *********************************
161 | address:
162 | 0x12ef3L
163 | gtype:
164 | 3
165 | regs affected:
166 | rdi
167 | r8
168 | r12
169 | r13
170 | r14
171 | regs:
172 | <BV64 0x0>
173 | <BV64 rsp_14_64>
174 | <BV64 rsp_14_64>
175 | <BV64 0x422ef08>
176 | <BV64 init_rdx_3_64>
177 | <BV64 0x0>
178 | <BV64 __add__(0x7f000000, init_rbx_1_64, (0xffffffffffffffff * mem_7f000008_20_64))>
179 | <BV64 0x0>
180 | <BV64 0x0>
181 | <BV64 0x0>
182 | <BV64 init_rdi_4_64[63:32] .. 0x0#32>
183 | <BV64 init_rdx_3_64>
184 | <BV64 init_rsi_5_64>
185 | <BV64 0x0>
186 | *********************************
187 | gadget 6:
188 | *********************************
189 | address:
190 | 0x12ef3L
191 | gtype:
192 | 3
193 | regs affected:
194 | rax
195 | rax
196 | rdi
197 | rsi
198 | r8
199 | r12
200 | r13
201 | r14
202 | regs:
203 | <BV64 Reverse(0#7 .. __invert__((if (init_rdx_3_64 <= __add__(0x7f000000, init_rbx_1_64, (0xffffffffffffffff * mem_7f000008_20_64))) then 0 else 1)) .. 0xef220400000000#56)>
204 | <BV64 rsp_14_64>
205 | <BV64 rsp_14_64>
206 | <BV64 0x422ef08>
207 | <BV64 init_rdx_3_64>
208 | <BV64 init_rdx_3_64>
209 | <BV64 __add__(0x7f000000, init_rbx_1_64, (0xffffffffffffffff * mem_7f000008_20_64))>
210 | <BV64 0x0>
211 | <BV64 0x0>
212 | <BV64 0x0>
213 | <BV64 init_rdi_4_64[63:32] .. 0x0#32>
214 | <BV64 init_rdx_3_64>
215 | <BV64 init_rsi_5_64>
216 | <BV64 0x0>
217 | *********************************
218 | gadget 7:
219 | *********************************
220 | address:
221 | 0x153edL
222 | gtype:
223 | 3
224 | regs affected:
225 | rdi
226 | rsi
227 | r8
228 | regs:
229 | <BV64 0xfffffffa>
230 | <BV64 0x0>
231 | <BV64 rsp_14_64>
232 | <BV64 0x422ef08>
233 | <BV64 init_rdx_3_64>
234 | <BV64 init_rdx_3_64>
235 | <BV64 init_rbx_1_64 + (0xffffffffffffffff * mem_7f000008_20_64)>
236 | <BV64 0x0>
237 | <BV64 0x0>
238 | <BV64 0x0>
239 | <BV64 0x0>
240 | <BV64 0x0>
241 | <BV64 0x0>
242 | <BV64 0x0>
243 | *********************************
244 | gadget 8:
245 | *********************************
246 | address:
247 | 0x12ef3L
248 | gtype:
249 | 3
250 | regs affected:
251 | r8
252 | r12
253 | r13
254 | r14
255 | regs:
256 | <BV64 0x0>
257 | <BV64 rsp_14_64>
258 | <BV64 rsp_14_64>
259 | <BV64 0x422ef08>
260 | <BV64 rsp_14_64>
261 | <BV64 0x0>
262 | <BV64 init_rbx_1_64 + (0xffffffffffffffff * mem_7f000008_20_64)>
263 | <BV64 0x0>
264 | <BV64 0x0>
265 | <BV64 0x0>
266 | <BV64 init_rdi_4_64[63:32] .. 0x0#32>
267 | <BV64 init_rdx_3_64>
268 | <BV64 init_rsi_5_64>
269 | <BV64 0x0>
270 | *********************************
271 | gadget 9:
272 | *********************************
273 | address:
274 | 0x12ef3L
275 | gtype:
276 | 3
277 | regs affected:
278 | r8
279 | r12
280 | r13
281 | r14
282 | regs:
283 | <BV64 0x0>
284 | <BV64 rsp_14_64>
285 | <BV64 rsp_14_64>
286 | <BV64 0x422ef08>
287 | <BV64 rsp_14_64>
288 | <BV64 0x0>
289 | <BV64 init_rbx_1_64 + (0xffffffffffffffff * mem_7f000008_20_64)>
290 | <BV64 0x0>
291 | <BV64 0x0>
292 | <BV64 0x0>
293 | <BV64 init_rdi_4_64[63:32] .. 0x0#32>
294 | <BV64 init_rdx_3_64>
295 | <BV64 init_rsi_5_64>
296 | <BV64 0x0>
297 | *********************************
298 | gadget 10:
299 | *********************************
300 | address:
301 | 0x12ef3L
302 | gtype:
303 | 3
304 | regs affected:
305 | r8
306 | r12
307 | r13
308 | r14
309 | regs:
310 | <BV64 Reverse(0#7 .. __invert__((if (rsp_14_64 <= mem_422ef00_82_64) then 0 else 1)) .. 0xef220400000000#56)>
311 | <BV64 rsp_14_64>
312 | <BV64 rsp_14_64>
313 | <BV64 0x422ef08>
314 | <BV64 rsp_14_64>
315 | <BV64 rsp_14_64>
316 | <BV64 init_rbx_1_64 + (0xffffffffffffffff * mem_7f000008_20_64)>
317 | <BV64 0x0>
318 | <BV64 0x0>
319 | <BV64 0x0>
320 | <BV64 init_rdi_4_64[63:32] .. 0x0#32>
321 | <BV64 init_rdx_3_64>
322 | <BV64 init_rsi_5_64>
323 | <BV64 0x0>
324 | *********************************
325 | gadget 11:
326 | *********************************
327 | address:
328 | 0x153edL
329 | gtype:
330 | 3
331 | regs affected:
332 | rdi
333 | rsi
334 | r8
335 | regs:
336 | <BV64 0xfffffffa>
337 | <BV64 0x0>
338 | <BV64 rsp_14_64>
339 | <BV64 0x422ef08>
340 | <BV64 init_rdx_3_64>
341 | <BV64 init_rdx_3_64>
342 | <BV64 __add__(0x7f000000, init_rbx_1_64, (0xffffffffffffffff * mem_7f000008_20_64))>
343 | <BV64 0x0>
344 | <BV64 0x0>
345 | <BV64 0x0>
346 | <BV64 0x0>
347 | <BV64 0x0>
348 | <BV64 0x0>
349 | <BV64 0x0>
350 | *********************************
351 | gadget 12:
352 | *********************************
353 | address:
354 | 0x12ef3L
355 | gtype:
356 | 3
357 | regs affected:
358 | r8
359 | r12
360 | r13
361 | r14
362 | regs:
363 | <BV64 0x0>
364 | <BV64 rsp_14_64>
365 | <BV64 rsp_14_64>
366 | <BV64 0x422ef08>
367 | <BV64 rsp_14_64>
368 | <BV64 0x0>
369 | <BV64 __add__(0x7f000000, init_rbx_1_64, (0xffffffffffffffff * mem_7f000008_20_64))>
370 | <BV64 0x0>
371 | <BV64 0x0>
372 | <BV64 0x0>
373 | <BV64 init_rdi_4_64[63:32] .. 0x0#32>
374 | <BV64 init_rdx_3_64>
375 | <BV64 init_rsi_5_64>
376 | <BV64 0x0>
377 | *********************************
378 | gadget 13:
379 | *********************************
380 | address:
381 | 0x12ef3L
382 | gtype:
383 | 3
384 | regs affected:
385 | r8
386 | r12
387 | r13
388 | r14
389 | regs:
390 | <BV64 Reverse(0#7 .. __invert__((if (rsp_14_64 <= mem_422ef00_80_64) then 0 else 1)) .. 0xef220400000000#56)>
391 | <BV64 rsp_14_64>
392 | <BV64 rsp_14_64>
393 | <BV64 0x422ef08>
394 | <BV64 rsp_14_64>
395 | <BV64 rsp_14_64>
396 | <BV64 init_rbx_1_64 + (0xffffffffffffffff * mem_7f000008_20_64)>
397 | <BV64 0x0>
398 | <BV64 0x0>
399 | <BV64 0x0>
400 | <BV64 init_rdi_4_64[63:32] .. 0x0#32>
401 | <BV64 init_rdx_3_64>
402 | <BV64 init_rsi_5_64>
403 | <BV64 0x0>
404 | *********************************
405 | gadget 14:
406 | *********************************
407 | address:
408 | 0x12ef3L
409 | gtype:
410 | 3
411 | regs affected:
412 | r8
413 | r12
414 | r13
415 | r14
416 | regs:
417 | <BV64 0x0>
418 | <BV64 rsp_14_64>
419 | <BV64 rsp_14_64>
420 | <BV64 0x422ef08>
421 | <BV64 rsp_14_64>
422 | <BV64 0x0>
423 | <BV64 __add__(0x7f000000, init_rbx_1_64, (0xffffffffffffffff * mem_7f000008_20_64))>
424 | <BV64 0x0>
425 | <BV64 0x0>
426 | <BV64 0x0>
427 | <BV64 init_rdi_4_64[63:32] .. 0x0#32>
428 | <BV64 init_rdx_3_64>
429 | <BV64 init_rsi_5_64>
430 | <BV64 0x0>
431 | *********************************
432 | gadget 15:
433 | *********************************
434 | address:
435 | 0x12ef3L
436 | gtype:
437 | 3
438 | regs affected:
439 | rax
440 | r8
441 | r12
442 | r13
443 | r14
444 | regs:
445 | <BV64 Reverse(0#7 .. __invert__((if (rsp_14_64 <= __add__(0x7f000000, init_rbx_1_64, (0xffffffffffffffff * mem_7f000008_20_64))) then 0 else 1)) .. 0xef220400000000#56)>
446 | <BV64 rsp_14_64>
447 | <BV64 rsp_14_64>
448 | <BV64 0x422ef08>
449 | <BV64 rsp_14_64>
450 | <BV64 rsp_14_64>
451 | <BV64 __add__(0x7f000000, init_rbx_1_64, (0xffffffffffffffff * mem_7f000008_20_64))>
452 | <BV64 0x0>
453 | <BV64 0x0>
454 | <BV64 0x0>
455 | <BV64 init_rdi_4_64[63:32] .. 0x0#32>
456 | <BV64 init_rdx_3_64>
457 | <BV64 init_rsi_5_64>
458 | <BV64 0x0>
459 | *********************************
460 | gadget 16:
461 | *********************************
462 | address:
463 | 0x12ef3L
464 | gtype:
465 | 3
466 | regs affected:
467 | rax
468 | r8
469 | r12
470 | r13
471 | r14
472 | regs:
473 | <BV64 Reverse(0#7 .. __invert__((if (rsp_14_64 <= __add__(0x7f000000, init_rbx_1_64, (0xffffffffffffffff * mem_7f000008_20_64))) then 0 else 1)) .. 0xef220400000000#56)>
474 | <BV64 rsp_14_64>
475 | <BV64 rsp_14_64>
476 | <BV64 0x422ef08>
477 | <BV64 rsp_14_64>
478 | <BV64 rsp_14_64>
479 | <BV64 __add__(0x7f000000, init_rbx_1_64, (0xffffffffffffffff * mem_7f000008_20_64))>
480 | <BV64 0x0>
481 | <BV64 0x0>
482 | <BV64 0x0>
483 | <BV64 init_rdi_4_64[63:32] .. 0x0#32>
484 | <BV64 init_rdx_3_64>
485 | <BV64 init_rsi_5_64>
486 | <BV64 0x0>
487 | *********************************
488 | gadget 17:
489 | *********************************
490 | address:
491 | 0x10d07L
492 | gtype:
493 | 3
494 | regs affected:
495 | rbx
496 | rdi
497 | r8
498 | r9
499 | r10
500 | r11
501 | r12
502 | r13
503 | r14
504 | r15
505 | regs:
506 | <BV64 if (mem_fff0000000000000_172_64 == 0x0) then 0x0 else mem_fff0000000000000_172_64>
507 | <BV64 init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:0] .. 0#4 + mem_22a5a0_144_64>
508 | <BV64 0x0>
509 | <BV64 0x1>
510 | <BV64 init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:0] .. 0#4 + mem_22a5a0_144_64>
511 | <BV64 0xfffffffffffffff8 + mem_ffffffffe0000000_26_64>
512 | <BV64 init_r8_6_64>
513 | <BV64 init_r9_7_64>
514 | <BV64 init_r10_8_64>
515 | <BV64 init_r11_9_64>
516 | <BV64 init_rsi_5_64>
517 | <BV64 init_r13_11_64>
518 | <BV64 init_r14_12_64>
519 | <BV64 init_r15_13_64>
520 | *********************************
521 | gadget 18:
522 | *********************************
523 | address:
524 | 0x10d07L
525 | gtype:
526 | 3
527 | regs affected:
528 | rbx
529 | rdi
530 | r8
531 | r9
532 | r10
533 | r11
534 | r12
535 | r13
536 | r14
537 | r15
538 | regs:
539 | <BV64 if (mem_fffffff800000000_174_64 == 0x0) then 0x0 else mem_fffffff800000000_174_64>
540 | <BV64 init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:0] .. 0#4 + mem_22a5a0_148_64>
541 | <BV64 0x0>
542 | <BV64 0x1>
543 | <BV64 init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:0] .. 0#4 + mem_22a5a0_148_64>
544 | <BV64 0xfffffffffffffff8 + mem_ffffffffe0000000_26_64>
545 | <BV64 init_r8_6_64>
546 | <BV64 init_r9_7_64>
547 | <BV64 init_r10_8_64>
548 | <BV64 init_r11_9_64>
549 | <BV64 init_rsi_5_64>
550 | <BV64 init_r13_11_64>
551 | <BV64 init_r14_12_64>
552 | <BV64 init_r15_13_64>
553 | *********************************
554 | gadget 19:
555 | *********************************
556 | address:
557 | 0x10d07L
558 | gtype:
559 | 3
560 | regs affected:
561 | rbx
562 | rdi
563 | r8
564 | r9
565 | r10
566 | r11
567 | r12
568 | r13
569 | r14
570 | r15
571 | regs:
572 | <BV64 if (mem_fffffffe00108000_176_64 == 0x0) then 0x0 else mem_fffffffe00108000_176_64>
573 | <BV64 init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:0] .. 0#4 + mem_22a5a0_150_64>
574 | <BV64 0x0>
575 | <BV64 0x1>
576 | <BV64 init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:31] .. init_rsi_5_64[31:0] .. 0#4 + mem_22a5a0_150_64>
577 | <BV64 0xfffffffffffffff8 + mem_ffffffffe0000000_26_64>
578 | <BV64 init_r8_6_64>
579 | <BV64 init_r9_7_64>
580 | <BV64 init_r10_8_64>
581 | <BV64 init_r11_9_64>
582 | <BV64 init_rsi_5_64>
583 | <BV64 init_r13_11_64>
584 | <BV64 init_r14_12_64>
585 | <BV64 init_r15_13_64>
586 | 
587 | 


--------------------------------------------------------------------------------
/type1ecallfinder/results/SGX_SDK:
--------------------------------------------------------------------------------
  1 | *********************************
  2 | *********************************
  3 | *********************************
  4 | *************RESULTS:************
  5 | *********************************
  6 | *********************************
  7 | *********************************
  8 | *********************************
  9 | *************gadgets:************
 10 | *********************************
 11 | *********************************
 12 | gadget 0:
 13 | *********************************
 14 | address:
 15 | 0x404997L
 16 | gtype:
 17 | 3
 18 | regs affected:
 19 | rbx
 20 | rdi
 21 | rsi
 22 | r8
 23 | r9
 24 | r10
 25 | r11
 26 | r12
 27 | r13
 28 | r14
 29 | r15
 30 | regs:
 31 | <BV64 0x7f000000>
 32 | <BV64 init_rbx_1_64>
 33 | <BV64 0x0>
 34 | <BV64 0x1006>
 35 | <BV64 init_rbx_1_64>
 36 | <BV64 init_rsi_5_64>
 37 | <BV64 init_r8_6_64>
 38 | <BV64 init_r9_7_64>
 39 | <BV64 init_r10_8_64>
 40 | <BV64 init_r11_9_64>
 41 | <BV64 init_rbx_1_64>
 42 | <BV64 init_rsi_5_64>
 43 | <BV64 init_r14_12_64>
 44 | <BV64 init_r15_13_64>
 45 | *********************************
 46 | gadget 1:
 47 | *********************************
 48 | address:
 49 | 0x404997L
 50 | gtype:
 51 | 3
 52 | regs affected:
 53 | rbx
 54 | rdi
 55 | rsi
 56 | r8
 57 | r9
 58 | r10
 59 | r11
 60 | r12
 61 | r13
 62 | r14
 63 | r15
 64 | regs:
 65 | <BV64 0x7f000000>
 66 | <BV64 init_rbx_1_64>
 67 | <BV64 0x0>
 68 | <BV64 0x1006>
 69 | <BV64 init_rbx_1_64>
 70 | <BV64 init_rsi_5_64>
 71 | <BV64 init_r8_6_64>
 72 | <BV64 init_r9_7_64>
 73 | <BV64 init_r10_8_64>
 74 | <BV64 init_r11_9_64>
 75 | <BV64 init_rbx_1_64>
 76 | <BV64 init_rsi_5_64>
 77 | <BV64 init_r14_12_64>
 78 | <BV64 init_r15_13_64>
 79 | *********************************
 80 | gadget 2:
 81 | *********************************
 82 | address:
 83 | 0x403211L
 84 | gtype:
 85 | 3
 86 | regs affected:
 87 | rdi
 88 | rsi
 89 | r8
 90 | r9
 91 | r10
 92 | r11
 93 | r12
 94 | r13
 95 | r14
 96 | r15
 97 | regs:
 98 | <BV64 0x7f000000>
 99 | <BV64 0x0>
100 | <BV64 mem_7f000008_18_64>
101 | <BV64 0x1006>
102 | <BV64 init_rbx_1_64>
103 | <BV64 init_rsi_5_64>
104 | <BV64 init_r8_6_64>
105 | <BV64 init_r9_7_64>
106 | <BV64 init_r10_8_64>
107 | <BV64 init_r11_9_64>
108 | <BV64 init_rbx_1_64>
109 | <BV64 init_rsi_5_64>
110 | <BV64 init_r14_12_64>
111 | <BV64 init_r15_13_64>
112 | *********************************
113 | gadget 3:
114 | *********************************
115 | address:
116 | 0x403211L
117 | gtype:
118 | 3
119 | regs affected:
120 | rdi
121 | rsi
122 | r8
123 | r9
124 | r10
125 | r11
126 | r12
127 | r13
128 | r14
129 | r15
130 | regs:
131 | <BV64 0x7f000000>
132 | <BV64 0x0>
133 | <BV64 mem_7f000008_18_64>
134 | <BV64 0x1006>
135 | <BV64 init_rbx_1_64>
136 | <BV64 init_rsi_5_64>
137 | <BV64 init_r8_6_64>
138 | <BV64 init_r9_7_64>
139 | <BV64 init_r10_8_64>
140 | <BV64 init_r11_9_64>
141 | <BV64 init_rbx_1_64>
142 | <BV64 init_rsi_5_64>
143 | <BV64 init_r14_12_64>
144 | <BV64 init_r15_13_64>
145 | *********************************
146 | gadget 4:
147 | *********************************
148 | address:
149 | 0x403211L
150 | gtype:
151 | 3
152 | regs affected:
153 | rdi
154 | rsi
155 | r8
156 | r9
157 | r10
158 | r11
159 | r12
160 | r13
161 | r14
162 | r15
163 | regs:
164 | <BV64 0x624020>
165 | <BV64 0x0>
166 | <BV64 mem_7f000008_18_64>
167 | <BV64 0x0>
168 | <BV64 init_rbx_1_64>
169 | <BV64 init_rsi_5_64>
170 | <BV64 init_r8_6_64>
171 | <BV64 init_r9_7_64>
172 | <BV64 init_r10_8_64>
173 | <BV64 init_r11_9_64>
174 | <BV64 init_rbx_1_64>
175 | <BV64 init_rsi_5_64>
176 | <BV64 init_r14_12_64>
177 | <BV64 init_r15_13_64>
178 | *********************************
179 | gadget 5:
180 | *********************************
181 | address:
182 | 0x403211L
183 | gtype:
184 | 3
185 | regs affected:
186 | rdi
187 | rsi
188 | r8
189 | r9
190 | r10
191 | r11
192 | r12
193 | r13
194 | r14
195 | r15
196 | regs:
197 | <BV64 0x624020>
198 | <BV64 0x0>
199 | <BV64 mem_7f000008_18_64>
200 | <BV64 0x0>
201 | <BV64 init_rbx_1_64>
202 | <BV64 init_rsi_5_64>
203 | <BV64 init_r8_6_64>
204 | <BV64 init_r9_7_64>
205 | <BV64 init_r10_8_64>
206 | <BV64 init_r11_9_64>
207 | <BV64 init_rbx_1_64>
208 | <BV64 init_rsi_5_64>
209 | <BV64 init_r14_12_64>
210 | <BV64 init_r15_13_64>
211 | *********************************
212 | gadget 6:
213 | *********************************
214 | address:
215 | 0x404997L
216 | gtype:
217 | 3
218 | regs affected:
219 | rsi
220 | r8
221 | r9
222 | r10
223 | r11
224 | r12
225 | r13
226 | r14
227 | r15
228 | regs:
229 | <BV64 0x7f000000>
230 | <BV64 0x0>
231 | <BV64 mem_7f000008_18_64>
232 | <BV64 0x1>
233 | <BV64 0x0>
234 | <BV64 init_rsi_5_64>
235 | <BV64 init_r8_6_64>
236 | <BV64 init_r9_7_64>
237 | <BV64 init_r10_8_64>
238 | <BV64 init_r11_9_64>
239 | <BV64 init_rbx_1_64>
240 | <BV64 init_rsi_5_64>
241 | <BV64 init_r14_12_64>
242 | <BV64 init_r15_13_64>
243 | *********************************
244 | gadget 7:
245 | *********************************
246 | address:
247 | 0x404997L
248 | gtype:
249 | 3
250 | regs affected:
251 | rsi
252 | r8
253 | r9
254 | r10
255 | r11
256 | r12
257 | r13
258 | r14
259 | r15
260 | regs:
261 | <BV64 0x7f000000>
262 | <BV64 0x0>
263 | <BV64 mem_7f000008_18_64>
264 | <BV64 0x1>
265 | <BV64 0x0>
266 | <BV64 init_rsi_5_64>
267 | <BV64 init_r8_6_64>
268 | <BV64 init_r9_7_64>
269 | <BV64 init_r10_8_64>
270 | <BV64 init_r11_9_64>
271 | <BV64 init_rbx_1_64>
272 | <BV64 init_rsi_5_64>
273 | <BV64 init_r14_12_64>
274 | <BV64 init_r15_13_64>
275 | *********************************
276 | gadget 8:
277 | *********************************
278 | address:
279 | 0x404997L
280 | gtype:
281 | 3
282 | regs affected:
283 | rsi
284 | r8
285 | r9
286 | r10
287 | r11
288 | r12
289 | r13
290 | r14
291 | r15
292 | regs:
293 | <BV64 0x7f000000>
294 | <BV64 0x0>
295 | <BV64 mem_7f000008_18_64>
296 | <BV64 0x1>
297 | <BV64 0x0>
298 | <BV64 init_rsi_5_64>
299 | <BV64 init_r8_6_64>
300 | <BV64 init_r9_7_64>
301 | <BV64 init_r10_8_64>
302 | <BV64 init_r11_9_64>
303 | <BV64 init_rbx_1_64>
304 | <BV64 init_rsi_5_64>
305 | <BV64 init_r14_12_64>
306 | <BV64 init_r15_13_64>
307 | *********************************
308 | gadget 9:
309 | *********************************
310 | address:
311 | 0x404997L
312 | gtype:
313 | 3
314 | regs affected:
315 | rsi
316 | r8
317 | r9
318 | r10
319 | r11
320 | r12
321 | r13
322 | r14
323 | r15
324 | regs:
325 | <BV64 0x7f000000>
326 | <BV64 0x0>
327 | <BV64 mem_7f000008_18_64>
328 | <BV64 0x1>
329 | <BV64 0x0>
330 | <BV64 init_rsi_5_64>
331 | <BV64 init_r8_6_64>
332 | <BV64 init_r9_7_64>
333 | <BV64 init_r10_8_64>
334 | <BV64 init_r11_9_64>
335 | <BV64 init_rbx_1_64>
336 | <BV64 init_rsi_5_64>
337 | <BV64 init_r14_12_64>
338 | <BV64 init_r15_13_64>
339 | *********************************
340 | gadget 10:
341 | *********************************
342 | address:
343 | 0x404997L
344 | gtype:
345 | 3
346 | regs affected:
347 | rsi
348 | r8
349 | r9
350 | r10
351 | r11
352 | r13
353 | r14
354 | r15
355 | regs:
356 | <BV64 0x7f000000>
357 | <BV64 0x0>
358 | <BV64 mem_7f000008_18_64>
359 | <BV64 0x1>
360 | <BV64 0x0>
361 | <BV64 init_rsi_5_64>
362 | <BV64 init_r8_6_64>
363 | <BV64 init_r9_7_64>
364 | <BV64 init_r10_8_64>
365 | <BV64 init_r11_9_64>
366 | <BV64 0x623e80>
367 | <BV64 init_rsi_5_64>
368 | <BV64 init_r14_12_64>
369 | <BV64 init_r15_13_64>
370 | *********************************
371 | gadget 11:
372 | *********************************
373 | address:
374 | 0x404997L
375 | gtype:
376 | 3
377 | regs affected:
378 | rsi
379 | r8
380 | r9
381 | r10
382 | r11
383 | r13
384 | r14
385 | r15
386 | regs:
387 | <BV64 0x7f000000>
388 | <BV64 0x0>
389 | <BV64 mem_7f000008_18_64>
390 | <BV64 0x1>
391 | <BV64 0x0>
392 | <BV64 init_rsi_5_64>
393 | <BV64 init_r8_6_64>
394 | <BV64 init_r9_7_64>
395 | <BV64 init_r10_8_64>
396 | <BV64 init_r11_9_64>
397 | <BV64 0x623e80>
398 | <BV64 init_rsi_5_64>
399 | <BV64 init_r14_12_64>
400 | <BV64 init_r15_13_64>
401 | *********************************
402 | gadget 12:
403 | *********************************
404 | address:
405 | 0x404997L
406 | gtype:
407 | 3
408 | regs affected:
409 | rsi
410 | r8
411 | r9
412 | r10
413 | r11
414 | r13
415 | r14
416 | r15
417 | regs:
418 | <BV64 0x7f000000>
419 | <BV64 0x0>
420 | <BV64 mem_7f000008_18_64>
421 | <BV64 0x1>
422 | <BV64 0x0>
423 | <BV64 init_rsi_5_64>
424 | <BV64 init_r8_6_64>
425 | <BV64 init_r9_7_64>
426 | <BV64 init_r10_8_64>
427 | <BV64 init_r11_9_64>
428 | <BV64 0x623e80>
429 | <BV64 init_rsi_5_64>
430 | <BV64 init_r14_12_64>
431 | <BV64 init_r15_13_64>
432 | *********************************
433 | gadget 13:
434 | *********************************
435 | address:
436 | 0x404997L
437 | gtype:
438 | 3
439 | regs affected:
440 | rsi
441 | r8
442 | r9
443 | r10
444 | r11
445 | r13
446 | r14
447 | r15
448 | regs:
449 | <BV64 0x7f000000>
450 | <BV64 0x0>
451 | <BV64 mem_7f000008_18_64>
452 | <BV64 0x1>
453 | <BV64 0x0>
454 | <BV64 init_rsi_5_64>
455 | <BV64 init_r8_6_64>
456 | <BV64 init_r9_7_64>
457 | <BV64 init_r10_8_64>
458 | <BV64 init_r11_9_64>
459 | <BV64 0x623e80>
460 | <BV64 init_rsi_5_64>
461 | <BV64 init_r14_12_64>
462 | <BV64 init_r15_13_64>
463 | *********************************
464 | gadget 14:
465 | *********************************
466 | address:
467 | 0x402c83L
468 | gtype:
469 | 3
470 | regs affected:
471 | rsi
472 | r8
473 | r9
474 | r10
475 | r11
476 | r12
477 | r13
478 | r14
479 | r15
480 | regs:
481 | <BV64 0x1001>
482 | <BV64 0x0>
483 | <BV64 mem_7f000008_18_64>
484 | <BV64 0x1001>
485 | <BV64 0x0>
486 | <BV64 init_rsi_5_64>
487 | <BV64 init_r8_6_64>
488 | <BV64 init_r9_7_64>
489 | <BV64 init_r10_8_64>
490 | <BV64 init_r11_9_64>
491 | <BV64 init_rbx_1_64>
492 | <BV64 init_rsi_5_64>
493 | <BV64 init_r14_12_64>
494 | <BV64 init_r15_13_64>
495 | *********************************
496 | gadget 15:
497 | *********************************
498 | address:
499 | 0x402c83L
500 | gtype:
501 | 3
502 | regs affected:
503 | rsi
504 | r8
505 | r9
506 | r10
507 | r11
508 | r12
509 | r13
510 | r14
511 | r15
512 | regs:
513 | <BV64 0x1001>
514 | <BV64 0x0>
515 | <BV64 mem_7f000008_18_64>
516 | <BV64 0x1001>
517 | <BV64 0x0>
518 | <BV64 init_rsi_5_64>
519 | <BV64 init_r8_6_64>
520 | <BV64 init_r9_7_64>
521 | <BV64 init_r10_8_64>
522 | <BV64 init_r11_9_64>
523 | <BV64 init_rbx_1_64>
524 | <BV64 init_rsi_5_64>
525 | <BV64 init_r14_12_64>
526 | <BV64 init_r15_13_64>
527 | *********************************
528 | gadget 16:
529 | *********************************
530 | address:
531 | 0x402c41L
532 | gtype:
533 | 3
534 | regs affected:
535 | rsi
536 | r8
537 | r9
538 | r10
539 | r11
540 | r12
541 | r13
542 | r14
543 | r15
544 | regs:
545 | <BV64 0x1007>
546 | <BV64 0x0>
547 | <BV64 mem_7f000008_18_64>
548 | <BV64 0x1007>
549 | <BV64 0x0>
550 | <BV64 init_rsi_5_64>
551 | <BV64 init_r8_6_64>
552 | <BV64 init_r9_7_64>
553 | <BV64 init_r10_8_64>
554 | <BV64 init_r11_9_64>
555 | <BV64 init_rbx_1_64>
556 | <BV64 init_rsi_5_64>
557 | <BV64 init_r14_12_64>
558 | <BV64 init_r15_13_64>
559 | *********************************
560 | gadget 17:
561 | *********************************
562 | address:
563 | 0x402c41L
564 | gtype:
565 | 3
566 | regs affected:
567 | rsi
568 | r8
569 | r9
570 | r10
571 | r11
572 | r12
573 | r13
574 | r14
575 | r15
576 | regs:
577 | <BV64 0x1007>
578 | <BV64 0x0>
579 | <BV64 mem_7f000008_18_64>
580 | <BV64 0x1007>
581 | <BV64 0x0>
582 | <BV64 init_rsi_5_64>
583 | <BV64 init_r8_6_64>
584 | <BV64 init_r9_7_64>
585 | <BV64 init_r10_8_64>
586 | <BV64 init_r11_9_64>
587 | <BV64 init_rbx_1_64>
588 | <BV64 init_rsi_5_64>
589 | <BV64 init_r14_12_64>
590 | <BV64 init_r15_13_64>
591 | *********************************
592 | gadget 18:
593 | *********************************
594 | address:
595 | 0x4032c5L
596 | gtype:
597 | 3
598 | regs affected:
599 | rbx
600 | rsi
601 | r8
602 | r9
603 | r10
604 | r11
605 | r12
606 | r13
607 | r14
608 | r15
609 | regs:
610 | <BV64 0x1001>
611 | <BV64 init_rbx_1_64>
612 | <BV64 mem_7f000008_18_64>
613 | <BV64 0x1001>
614 | <BV64 0x0>
615 | <BV64 init_rsi_5_64>
616 | <BV64 init_r8_6_64>
617 | <BV64 init_r9_7_64>
618 | <BV64 init_r10_8_64>
619 | <BV64 init_r11_9_64>
620 | <BV64 init_r12_10_64>
621 | <BV64 init_r13_11_64>
622 | <BV64 init_r14_12_64>
623 | <BV64 init_r15_13_64>
624 | *********************************
625 | gadget 19:
626 | *********************************
627 | address:
628 | 0x4032c5L
629 | gtype:
630 | 3
631 | regs affected:
632 | rbx
633 | rsi
634 | r8
635 | r9
636 | r10
637 | r11
638 | r12
639 | r13
640 | r14
641 | r15
642 | regs:
643 | <BV64 0x1001>
644 | <BV64 init_rbx_1_64>
645 | <BV64 mem_7f000008_18_64>
646 | <BV64 0x1001>
647 | <BV64 0x0>
648 | <BV64 init_rsi_5_64>
649 | <BV64 init_r8_6_64>
650 | <BV64 init_r9_7_64>
651 | <BV64 init_r10_8_64>
652 | <BV64 init_r11_9_64>
653 | <BV64 init_r12_10_64>
654 | <BV64 init_r13_11_64>
655 | <BV64 init_r14_12_64>
656 | <BV64 init_r15_13_64>
657 | *********************************
658 | gadget 20:
659 | *********************************
660 | address:
661 | 0x402d38L
662 | gtype:
663 | 1
664 | regs affected:
665 | rdi
666 | r8
667 | r9
668 | r10
669 | r11
670 | r12
671 | r13
672 | r14
673 | r15
674 | regs:
675 | <BV64 0x4011af>
676 | <BV64 0x0>
677 | <BV64 mem_7f000008_18_64>
678 | <BV64 0x1>
679 | <BV64 init_rsi_5_64>
680 | <BV64 0x0>
681 | <BV64 init_r8_6_64>
682 | <BV64 init_r9_7_64>
683 | <BV64 init_r10_8_64>
684 | <BV64 init_r11_9_64>
685 | <BV64 init_rbx_1_64>
686 | <BV64 init_rsi_5_64>
687 | <BV64 init_r14_12_64>
688 | <BV64 init_r15_13_64>
689 | 
690 | 


--------------------------------------------------------------------------------
/type1ecallfinder/test.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # For example SGX SDK enclave file test:
 4 | python main.py "./libenclave.signed.so" 0x4049a2
 5 | 
 6 | # For example Rust SGX SDK enclave file test:
 7 | #python main.py "./enclave.signed.so" 0x4065e2
 8 | 
 9 | # For example Graphene-SGX enclave file test:
10 | #python main.py "./libpal-Linux-SGX.so" 0x1507a
11 | 
12 | 
13 | 


--------------------------------------------------------------------------------
/type1ocallfinder/Makefile:
--------------------------------------------------------------------------------
1 | .PHONY: all
2 | 
3 | 
4 | all:
5 | 	
6 | 
7 | clean:
8 | 	rm -f *_asm
9 | 


--------------------------------------------------------------------------------
/type1ocallfinder/README.md:
--------------------------------------------------------------------------------
 1 | # type1ocallfinder
 2 | 
 3 | 1.Prerequisites:
 4 | 
 5 | Make sure you have angr binary analysis framework installed.
 6 | 
 7 | * [angr](http://angr.io/) - angr, a binary analysis framework
 8 | 
 9 | You may follow [angr documentaion](https://docs.angr.io/INSTALL.html) for installation.
10 | 
11 | Or a more simple way to install is to install [angr-dev](https://github.com/angr/angr-dev) which has a install script.
12 | 
13 | After installation of angr, our tool can be used instantly.
14 | 
15 | 
16 | 2.Run command:
17 | 
18 | ```
19 | bash test.sh
20 | ```
21 | You may also uncomment or change the content of test.sh to run different tests. 
22 | 
23 | All tests in the paper can be run by uncomment lines of test.sh.
24 | 
25 | And all the authors' tested results are in result folder.
26 | 
27 | 3.File Description:
28 | 
29 | * [libenclave.signed.so] - A typical SGX enclave .so file.
30 | * [libpal-Linux-SGX.so] - A typical Graphene SGX enclave .so file.
31 | * [enclave.signed.so] - A typical Rust SGX enclave .so file.
32 | 
33 | 
34 | 


--------------------------------------------------------------------------------
/type1ocallfinder/enclave.signed.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OSUSecLab/SgxPectre/815068911f35abcc1ddbbcd45ea67b54d5749e36/type1ocallfinder/enclave.signed.so


--------------------------------------------------------------------------------
/type1ocallfinder/libenclave.signed.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OSUSecLab/SgxPectre/815068911f35abcc1ddbbcd45ea67b54d5749e36/type1ocallfinder/libenclave.signed.so


--------------------------------------------------------------------------------
/type1ocallfinder/libpal-Linux-SGX.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OSUSecLab/SgxPectre/815068911f35abcc1ddbbcd45ea67b54d5749e36/type1ocallfinder/libpal-Linux-SGX.so


--------------------------------------------------------------------------------
/type1ocallfinder/results/Graphene-SGX/Graphene-SGX:
--------------------------------------------------------------------------------
  1 | *********************************
  2 | *********************************
  3 | *********************************
  4 | *************RESULTS:************
  5 | *********************************
  6 | *********************************
  7 | *********************************
  8 | *********************************
  9 | *************gadgets:************
 10 | *********************************
 11 | *********************************
 12 | gadget 0:
 13 | *********************************
 14 | address:
 15 | 0x101e4L
 16 | gtype:
 17 | 3
 18 | regs affected:
 19 | r8
 20 | r9
 21 | r10
 22 | r11
 23 | r12
 24 | r13
 25 | r14
 26 | r15
 27 | regs:
 28 | <BV64 0x0>
 29 | <BV64 0x100>
 30 | <BV64 mem_22a5d8_44_64>
 31 | <BV64 rbp_15_64>
 32 | <BV64 0xffffffffffffff68 + rsp_14_64>
 33 | <BV64 0xffffffffffffff68 + rsp_14_64>
 34 | <BV64 ocall_r8_36_64>
 35 | <BV64 ocall_r9_37_64>
 36 | <BV64 ocall_r10_38_64>
 37 | <BV64 ocall_r11_39_64>
 38 | <BV64 ocall_rsi_35_64>
 39 | <BV64 ocall_r13_41_64>
 40 | <BV64 ocall_r14_42_64>
 41 | <BV64 ocall_r15_43_64>
 42 | *********************************
 43 | gadget 1:
 44 | *********************************
 45 | address:
 46 | 0x101e4L
 47 | gtype:
 48 | 3
 49 | regs affected:
 50 | r8
 51 | r9
 52 | r10
 53 | r11
 54 | r12
 55 | r13
 56 | r14
 57 | r15
 58 | regs:
 59 | <BV64 0x0>
 60 | <BV64 0x100>
 61 | <BV64 mem_22a5d8_44_64>
 62 | <BV64 rbp_15_64>
 63 | <BV64 0xffffffffffffff68 + rsp_14_64>
 64 | <BV64 0xffffffffffffff68 + rsp_14_64>
 65 | <BV64 ocall_r8_36_64>
 66 | <BV64 ocall_r9_37_64>
 67 | <BV64 ocall_r10_38_64>
 68 | <BV64 ocall_r11_39_64>
 69 | <BV64 ocall_rsi_35_64>
 70 | <BV64 ocall_r13_41_64>
 71 | <BV64 ocall_r14_42_64>
 72 | <BV64 ocall_r15_43_64>
 73 | *********************************
 74 | gadget 2:
 75 | *********************************
 76 | address:
 77 | 0x7120L
 78 | gtype:
 79 | 3
 80 | regs affected:
 81 | rdi
 82 | r8
 83 | r9
 84 | r10
 85 | r11
 86 | r12
 87 | r13
 88 | r14
 89 | r15
 90 | regs:
 91 | <BV64 mem_ffff000000200008_54_64>
 92 | <BV64 (0xfffffffffffffee7 + rsp_14_64)[63:4] .. 0#4>
 93 | <BV64 mem_22a5d8_44_64>
 94 | <BV64 rbp_15_64>
 95 | <BV64 ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:0] .. 0#4 + mem_22a5a0_48_64>
 96 | <BV64 0xffffffffffffff68 + rsp_14_64>
 97 | <BV64 ocall_r8_36_64>
 98 | <BV64 ocall_r9_37_64>
 99 | <BV64 ocall_r10_38_64>
100 | <BV64 ocall_r11_39_64>
101 | <BV64 ocall_rsi_35_64>
102 | <BV64 ocall_r13_41_64>
103 | <BV64 ocall_r14_42_64>
104 | <BV64 ocall_r15_43_64>
105 | *********************************
106 | gadget 3:
107 | *********************************
108 | address:
109 | 0x7120L
110 | gtype:
111 | 3
112 | regs affected:
113 | rdi
114 | r8
115 | r9
116 | r10
117 | r11
118 | r12
119 | r13
120 | r14
121 | r15
122 | regs:
123 | <BV64 mem_ff00000000000008_58_64>
124 | <BV64 (0xfffffffffffffee7 + rsp_14_64)[63:4] .. 0#4>
125 | <BV64 mem_22a5d8_44_64>
126 | <BV64 rbp_15_64>
127 | <BV64 ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:0] .. 0#4 + mem_22a5a0_50_64>
128 | <BV64 0xffffffffffffff68 + rsp_14_64>
129 | <BV64 ocall_r8_36_64>
130 | <BV64 ocall_r9_37_64>
131 | <BV64 ocall_r10_38_64>
132 | <BV64 ocall_r11_39_64>
133 | <BV64 ocall_rsi_35_64>
134 | <BV64 ocall_r13_41_64>
135 | <BV64 ocall_r14_42_64>
136 | <BV64 ocall_r15_43_64>
137 | *********************************
138 | gadget 4:
139 | *********************************
140 | address:
141 | 0x7120L
142 | gtype:
143 | 3
144 | regs affected:
145 | rdi
146 | r8
147 | r9
148 | r10
149 | r11
150 | r12
151 | r13
152 | r14
153 | r15
154 | regs:
155 | <BV64 mem_ff80000000000008_60_64>
156 | <BV64 (0xfffffffffffffee7 + rsp_14_64)[63:4] .. 0#4>
157 | <BV64 mem_22a5d8_44_64>
158 | <BV64 rbp_15_64>
159 | <BV64 ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:0] .. 0#4 + mem_22a5a0_52_64>
160 | <BV64 0xffffffffffffff68 + rsp_14_64>
161 | <BV64 ocall_r8_36_64>
162 | <BV64 ocall_r9_37_64>
163 | <BV64 ocall_r10_38_64>
164 | <BV64 ocall_r11_39_64>
165 | <BV64 ocall_rsi_35_64>
166 | <BV64 ocall_r13_41_64>
167 | <BV64 ocall_r14_42_64>
168 | <BV64 ocall_r15_43_64>
169 | *********************************
170 | gadget 5:
171 | *********************************
172 | address:
173 | 0x7120L
174 | gtype:
175 | 3
176 | regs affected:
177 | rdi
178 | r8
179 | r9
180 | r10
181 | r11
182 | r12
183 | r13
184 | r14
185 | r15
186 | regs:
187 | <BV64 mem_f000000000000028_62_64>
188 | <BV64 (0xfffffffffffffee7 + rsp_14_64)[63:4] .. 0#4>
189 | <BV64 mem_22a5d8_44_64>
190 | <BV64 rbp_15_64>
191 | <BV64 ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:0] .. 0#4 + mem_22a5a0_56_64>
192 | <BV64 0xffffffffffffff68 + rsp_14_64>
193 | <BV64 ocall_r8_36_64>
194 | <BV64 ocall_r9_37_64>
195 | <BV64 ocall_r10_38_64>
196 | <BV64 ocall_r11_39_64>
197 | <BV64 ocall_rsi_35_64>
198 | <BV64 ocall_r13_41_64>
199 | <BV64 ocall_r14_42_64>
200 | <BV64 ocall_r15_43_64>
201 | *********************************
202 | gadget 6:
203 | *********************************
204 | address:
205 | 0x103a5L
206 | gtype:
207 | 3
208 | regs affected:
209 | rdi
210 | r8
211 | r9
212 | r10
213 | r11
214 | r12
215 | r13
216 | r14
217 | r15
218 | regs:
219 | <BV64 mem_ff80000000000008_60_64>
220 | <BV64 0x100>
221 | <BV64 mem_22a5d8_44_64>
222 | <BV64 rbp_15_64>
223 | <BV64 ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:0] .. 0#4 + mem_22a5a0_52_64>
224 | <BV64 0xffffffffffffff68 + rsp_14_64>
225 | <BV64 ocall_r8_36_64>
226 | <BV64 ocall_r9_37_64>
227 | <BV64 ocall_r10_38_64>
228 | <BV64 ocall_r11_39_64>
229 | <BV64 ocall_r12_40_64>
230 | <BV64 ocall_r13_41_64>
231 | <BV64 ocall_r14_42_64>
232 | <BV64 ocall_r15_43_64>
233 | *********************************
234 | gadget 7:
235 | *********************************
236 | address:
237 | 0x103a5L
238 | gtype:
239 | 3
240 | regs affected:
241 | rdi
242 | r8
243 | r9
244 | r10
245 | r11
246 | r12
247 | r13
248 | r14
249 | r15
250 | regs:
251 | <BV64 mem_f000000000000028_62_64>
252 | <BV64 0x100>
253 | <BV64 mem_22a5d8_44_64>
254 | <BV64 rbp_15_64>
255 | <BV64 ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:0] .. 0#4 + mem_22a5a0_56_64>
256 | <BV64 0xffffffffffffff68 + rsp_14_64>
257 | <BV64 ocall_r8_36_64>
258 | <BV64 ocall_r9_37_64>
259 | <BV64 ocall_r10_38_64>
260 | <BV64 ocall_r11_39_64>
261 | <BV64 ocall_r12_40_64>
262 | <BV64 ocall_r13_41_64>
263 | <BV64 ocall_r14_42_64>
264 | <BV64 ocall_r15_43_64>
265 | *********************************
266 | gadget 8:
267 | *********************************
268 | address:
269 | 0x10220L
270 | gtype:
271 | 2
272 | regs affected:
273 | r9
274 | r10
275 | r11
276 | r12
277 | r13
278 | r14
279 | r15
280 | regs:
281 | <BV64 mem_ffff000000200008_54_64>
282 | <BV64 (0xfffffffffffffee7 + rsp_14_64)[63:4] .. 0#4>
283 | <BV64 (0xfffffffffffffee7 + rsp_14_64)[63:4] .. 0#4>
284 | <BV64 0x0>
285 | <BV64 0xfffffffffffffea8 + rsp_14_64>
286 | <BV64 0x0>
287 | <BV64 0x0>
288 | <BV64 ocall_r9_37_64>
289 | <BV64 ocall_r10_38_64>
290 | <BV64 ocall_r11_39_64>
291 | <BV64 ocall_rsi_35_64>
292 | <BV64 ocall_r13_41_64>
293 | <BV64 ocall_r14_42_64>
294 | <BV64 ocall_r15_43_64>
295 | *********************************
296 | *********************************
297 | 8.702834 seconds.
298 | *********************************
299 | *********************************
300 | 
301 | 


--------------------------------------------------------------------------------
/type1ocallfinder/results/Graphene-SGX/Graphene-SGX_01:
--------------------------------------------------------------------------------
  1 | *********************************
  2 | *********************************
  3 | *********************************
  4 | *************RESULTS:************
  5 | *********************************
  6 | *********************************
  7 | *********************************
  8 | *********************************
  9 | *************gadgets:************
 10 | *********************************
 11 | *********************************
 12 | gadget 0:
 13 | *********************************
 14 | address:
 15 | 0x101e4L
 16 | gtype:
 17 | 3
 18 | regs affected:
 19 | r8
 20 | r9
 21 | r10
 22 | r11
 23 | r12
 24 | r13
 25 | r14
 26 | r15
 27 | regs:
 28 | <BV64 0x0>
 29 | <BV64 0x100>
 30 | <BV64 mem_22a5d8_40_64>
 31 | <BV64 0xfffffffffffffff8 + rsp_14_64>
 32 | <BV64 0xffffffffffffff58 + rsp_14_64>
 33 | <BV64 0xffffffffffffff58 + rsp_14_64>
 34 | <BV64 ocall_r8_32_64>
 35 | <BV64 ocall_r9_33_64>
 36 | <BV64 ocall_r10_34_64>
 37 | <BV64 ocall_r11_35_64>
 38 | <BV64 ocall_rsi_31_64>
 39 | <BV64 ocall_r13_37_64>
 40 | <BV64 ocall_r14_38_64>
 41 | <BV64 ocall_r15_39_64>
 42 | *********************************
 43 | gadget 1:
 44 | *********************************
 45 | address:
 46 | 0x101e4L
 47 | gtype:
 48 | 3
 49 | regs affected:
 50 | r8
 51 | r9
 52 | r10
 53 | r11
 54 | r12
 55 | r13
 56 | r14
 57 | r15
 58 | regs:
 59 | <BV64 0x0>
 60 | <BV64 0x100>
 61 | <BV64 mem_22a5d8_40_64>
 62 | <BV64 0xfffffffffffffff8 + rsp_14_64>
 63 | <BV64 0xffffffffffffff58 + rsp_14_64>
 64 | <BV64 0xffffffffffffff58 + rsp_14_64>
 65 | <BV64 ocall_r8_32_64>
 66 | <BV64 ocall_r9_33_64>
 67 | <BV64 ocall_r10_34_64>
 68 | <BV64 ocall_r11_35_64>
 69 | <BV64 ocall_rsi_31_64>
 70 | <BV64 ocall_r13_37_64>
 71 | <BV64 ocall_r14_38_64>
 72 | <BV64 ocall_r15_39_64>
 73 | *********************************
 74 | gadget 2:
 75 | *********************************
 76 | address:
 77 | 0x101e4L
 78 | gtype:
 79 | 3
 80 | regs affected:
 81 | r8
 82 | r9
 83 | r10
 84 | r11
 85 | r12
 86 | r13
 87 | r14
 88 | r15
 89 | regs:
 90 | <BV64 0xffffffffffffff98 + rsp_14_64>
 91 | <BV64 0x100>
 92 | <BV64 init_r8_6_64>
 93 | <BV64 0xffffffffffffff58 + rsp_14_64>
 94 | <BV64 0xffffffffffffff58 + rsp_14_64>
 95 | <BV64 0xdeaddeadbeefbeef>
 96 | <BV64 ocall_r8_32_64>
 97 | <BV64 ocall_r9_33_64>
 98 | <BV64 ocall_r10_34_64>
 99 | <BV64 ocall_r11_35_64>
100 | <BV64 ocall_rsi_31_64>
101 | <BV64 ocall_r13_37_64>
102 | <BV64 ocall_r14_38_64>
103 | <BV64 ocall_r15_39_64>
104 | *********************************
105 | gadget 3:
106 | *********************************
107 | address:
108 | 0x103a5L
109 | gtype:
110 | 3
111 | regs affected:
112 | r8
113 | r9
114 | r10
115 | r11
116 | r12
117 | r13
118 | r14
119 | r15
120 | regs:
121 | <BV64 mem_22a4c0_44_64>
122 | <BV64 0x100>
123 | <BV64 init_r8_6_64>
124 | <BV64 0xffffffffffffff58 + rsp_14_64>
125 | <BV64 0xffffffffffffff58 + rsp_14_64>
126 | <BV64 0xdeaddeadbeefbeef>
127 | <BV64 ocall_r8_32_64>
128 | <BV64 ocall_r9_33_64>
129 | <BV64 ocall_r10_34_64>
130 | <BV64 ocall_r11_35_64>
131 | <BV64 ocall_r12_36_64>
132 | <BV64 ocall_r13_37_64>
133 | <BV64 ocall_r14_38_64>
134 | <BV64 ocall_r15_39_64>
135 | *********************************
136 | gadget 4:
137 | *********************************
138 | address:
139 | 0x7120L
140 | gtype:
141 | 3
142 | regs affected:
143 | rdi
144 | r8
145 | r9
146 | r10
147 | r11
148 | r12
149 | r13
150 | r14
151 | r15
152 | regs:
153 | <BV64 0x1507a>
154 | <BV64 0xffffffffffffff98 + rsp_14_64>
155 | <BV64 init_r8_6_64>
156 | <BV64 0xffffffffffffff58 + rsp_14_64>
157 | <BV64 ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:0] .. 0#4 + mem_22a5a0_46_64>
158 | <BV64 0xdeaddeadbeefbeef>
159 | <BV64 ocall_r8_32_64>
160 | <BV64 ocall_r9_33_64>
161 | <BV64 ocall_r10_34_64>
162 | <BV64 ocall_r11_35_64>
163 | <BV64 ocall_rsi_31_64>
164 | <BV64 ocall_r13_37_64>
165 | <BV64 ocall_r14_38_64>
166 | <BV64 ocall_r15_39_64>
167 | *********************************
168 | gadget 5:
169 | *********************************
170 | address:
171 | 0x7120L
172 | gtype:
173 | 3
174 | regs affected:
175 | rdi
176 | r8
177 | r9
178 | r10
179 | r11
180 | r12
181 | r13
182 | r14
183 | r15
184 | regs:
185 | <BV64 mem_ffffff397ebfa980_50_64>
186 | <BV64 0xffffffffffffff98 + rsp_14_64>
187 | <BV64 init_r8_6_64>
188 | <BV64 0xffffffffffffff58 + rsp_14_64>
189 | <BV64 ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:0] .. 0#4 + mem_22a5a0_48_64>
190 | <BV64 0xdeaddeadbeefbeef>
191 | <BV64 ocall_r8_32_64>
192 | <BV64 ocall_r9_33_64>
193 | <BV64 ocall_r10_34_64>
194 | <BV64 ocall_r11_35_64>
195 | <BV64 ocall_rsi_31_64>
196 | <BV64 ocall_r13_37_64>
197 | <BV64 ocall_r14_38_64>
198 | <BV64 ocall_r15_39_64>
199 | *********************************
200 | gadget 6:
201 | *********************************
202 | address:
203 | 0x101e4L
204 | gtype:
205 | 3
206 | regs affected:
207 | r8
208 | r9
209 | r10
210 | r11
211 | r12
212 | r13
213 | r14
214 | r15
215 | regs:
216 | <BV64 0xffffffffffffff70 + rsp_14_64>
217 | <BV64 0x100>
218 | <BV64 init_rbx_1_64>
219 | <BV64 0xffffffffffffff58 + rsp_14_64>
220 | <BV64 0xffffffffffffff58 + rsp_14_64>
221 | <BV64 0xdeaddeadbeefbeef>
222 | <BV64 ocall_r8_32_64>
223 | <BV64 ocall_r9_33_64>
224 | <BV64 ocall_r10_34_64>
225 | <BV64 ocall_r11_35_64>
226 | <BV64 ocall_rsi_31_64>
227 | <BV64 ocall_r13_37_64>
228 | <BV64 ocall_r14_38_64>
229 | <BV64 ocall_r15_39_64>
230 | *********************************
231 | gadget 7:
232 | *********************************
233 | address:
234 | 0x103a5L
235 | gtype:
236 | 3
237 | regs affected:
238 | rdi
239 | r8
240 | r9
241 | r10
242 | r11
243 | r12
244 | r13
245 | r14
246 | r15
247 | regs:
248 | <BV64 mem_ffffff397ebfa980_50_64>
249 | <BV64 0x100>
250 | <BV64 init_r8_6_64>
251 | <BV64 0xffffffffffffff58 + rsp_14_64>
252 | <BV64 ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:0] .. 0#4 + mem_22a5a0_48_64>
253 | <BV64 0xdeaddeadbeefbeef>
254 | <BV64 ocall_r8_32_64>
255 | <BV64 ocall_r9_33_64>
256 | <BV64 ocall_r10_34_64>
257 | <BV64 ocall_r11_35_64>
258 | <BV64 ocall_r12_36_64>
259 | <BV64 ocall_r13_37_64>
260 | <BV64 ocall_r14_38_64>
261 | <BV64 ocall_r15_39_64>
262 | *********************************
263 | gadget 8:
264 | *********************************
265 | address:
266 | 0x101e4L
267 | gtype:
268 | 3
269 | regs affected:
270 | r8
271 | r9
272 | r10
273 | r11
274 | r12
275 | r13
276 | r14
277 | r15
278 | regs:
279 | <BV64 0xffffffffffffff68 + rsp_14_64>
280 | <BV64 0x100>
281 | <BV64 init_rdx_3_64>
282 | <BV64 0xffffffffffffff58 + rsp_14_64>
283 | <BV64 0xffffffffffffff58 + rsp_14_64>
284 | <BV64 0xdeaddeadbeefbeef>
285 | <BV64 ocall_r8_32_64>
286 | <BV64 ocall_r9_33_64>
287 | <BV64 ocall_r10_34_64>
288 | <BV64 ocall_r11_35_64>
289 | <BV64 ocall_rsi_31_64>
290 | <BV64 ocall_r13_37_64>
291 | <BV64 ocall_r14_38_64>
292 | <BV64 ocall_r15_39_64>
293 | *********************************
294 | gadget 9:
295 | *********************************
296 | address:
297 | 0x7120L
298 | gtype:
299 | 3
300 | regs affected:
301 | rdi
302 | r8
303 | r9
304 | r10
305 | r11
306 | r12
307 | r13
308 | r14
309 | r15
310 | regs:
311 | <BV64 0x1507a>
312 | <BV64 (0xfffffffffffffed7 + rsp_14_64)[63:4] .. 0#4>
313 | <BV64 mem_22a5d8_40_64>
314 | <BV64 0xfffffffffffffff8 + rsp_14_64>
315 | <BV64 ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:0] .. 0#4 + mem_22a5a0_52_64>
316 | <BV64 0xffffffffffffff58 + rsp_14_64>
317 | <BV64 ocall_r8_32_64>
318 | <BV64 ocall_r9_33_64>
319 | <BV64 ocall_r10_34_64>
320 | <BV64 ocall_r11_35_64>
321 | <BV64 ocall_rsi_31_64>
322 | <BV64 ocall_r13_37_64>
323 | <BV64 ocall_r14_38_64>
324 | <BV64 ocall_r15_39_64>
325 | *********************************
326 | gadget 10:
327 | *********************************
328 | address:
329 | 0x7120L
330 | gtype:
331 | 3
332 | regs affected:
333 | rdi
334 | r8
335 | r9
336 | r10
337 | r11
338 | r12
339 | r13
340 | r14
341 | r15
342 | regs:
343 | <BV64 0x1507a>
344 | <BV64 (0xfffffffffffffed7 + rsp_14_64)[63:4] .. 0#4>
345 | <BV64 mem_22a5d8_40_64>
346 | <BV64 0xfffffffffffffff8 + rsp_14_64>
347 | <BV64 ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:0] .. 0#4 + mem_22a5a0_54_64>
348 | <BV64 0xffffffffffffff58 + rsp_14_64>
349 | <BV64 ocall_r8_32_64>
350 | <BV64 ocall_r9_33_64>
351 | <BV64 ocall_r10_34_64>
352 | <BV64 ocall_r11_35_64>
353 | <BV64 ocall_rsi_31_64>
354 | <BV64 ocall_r13_37_64>
355 | <BV64 ocall_r14_38_64>
356 | <BV64 ocall_r15_39_64>
357 | *********************************
358 | gadget 11:
359 | *********************************
360 | address:
361 | 0x7120L
362 | gtype:
363 | 3
364 | regs affected:
365 | rdi
366 | r8
367 | r9
368 | r10
369 | r11
370 | r12
371 | r13
372 | r14
373 | r15
374 | regs:
375 | <BV64 0x10102464c45>
376 | <BV64 (0xfffffffffffffed7 + rsp_14_64)[63:4] .. 0#4>
377 | <BV64 mem_22a5d8_40_64>
378 | <BV64 0xfffffffffffffff8 + rsp_14_64>
379 | <BV64 ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:0] .. 0#4 + mem_22a5a0_56_64>
380 | <BV64 0xffffffffffffff58 + rsp_14_64>
381 | <BV64 ocall_r8_32_64>
382 | <BV64 ocall_r9_33_64>
383 | <BV64 ocall_r10_34_64>
384 | <BV64 ocall_r11_35_64>
385 | <BV64 ocall_rsi_31_64>
386 | <BV64 ocall_r13_37_64>
387 | <BV64 ocall_r14_38_64>
388 | <BV64 ocall_r15_39_64>
389 | *********************************
390 | gadget 12:
391 | *********************************
392 | address:
393 | 0x7120L
394 | gtype:
395 | 3
396 | regs affected:
397 | rdi
398 | r8
399 | r9
400 | r10
401 | r11
402 | r12
403 | r13
404 | r14
405 | r15
406 | regs:
407 | <BV64 init_r13_11_64[7:0] .. init_r12_10_64[63:8]>
408 | <BV64 (0xfffffffffffffed7 + rsp_14_64)[63:4] .. 0#4>
409 | <BV64 mem_22a5d8_40_64>
410 | <BV64 0xfffffffffffffff8 + rsp_14_64>
411 | <BV64 ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:31] .. ocall_rsi_31_64[31:0] .. 0#4 + mem_22a5a0_59_64>
412 | <BV64 0xffffffffffffff58 + rsp_14_64>
413 | <BV64 ocall_r8_32_64>
414 | <BV64 ocall_r9_33_64>
415 | <BV64 ocall_r10_34_64>
416 | <BV64 ocall_r11_35_64>
417 | <BV64 ocall_rsi_31_64>
418 | <BV64 ocall_r13_37_64>
419 | <BV64 ocall_r14_38_64>
420 | <BV64 ocall_r15_39_64>
421 | *********************************
422 | gadget 13:
423 | *********************************
424 | address:
425 | 0x101e4L
426 | gtype:
427 | 3
428 | regs affected:
429 | r8
430 | r9
431 | r10
432 | r11
433 | r12
434 | r13
435 | r14
436 | r15
437 | regs:
438 | <BV64 0xffffffffffffff60 + rsp_14_64>
439 | <BV64 0x100>
440 | <BV64 init_rcx_2_64>
441 | <BV64 0xffffffffffffff58 + rsp_14_64>
442 | <BV64 0xffffffffffffff58 + rsp_14_64>
443 | <BV64 0xdeaddeadbeefbeef>
444 | <BV64 ocall_r8_32_64>
445 | <BV64 ocall_r9_33_64>
446 | <BV64 ocall_r10_34_64>
447 | <BV64 ocall_r11_35_64>
448 | <BV64 ocall_rsi_31_64>
449 | <BV64 ocall_r13_37_64>
450 | <BV64 ocall_r14_38_64>
451 | <BV64 ocall_r15_39_64>
452 | *********************************
453 | gadget 14:
454 | *********************************
455 | address:
456 | 0x10220L
457 | gtype:
458 | 2
459 | regs affected:
460 | r9
461 | r10
462 | r11
463 | r12
464 | r13
465 | r14
466 | r15
467 | regs:
468 | <BV64 0x1507a>
469 | <BV64 0xffffffffffffff98 + rsp_14_64>
470 | <BV64 0xffffffffffffff98 + rsp_14_64>
471 | <BV64 0x0>
472 | <BV64 0xffffffffffffff08 + rsp_14_64>
473 | <BV64 0x0>
474 | <BV64 0x0>
475 | <BV64 ocall_r9_33_64>
476 | <BV64 ocall_r10_34_64>
477 | <BV64 ocall_r11_35_64>
478 | <BV64 ocall_rsi_31_64>
479 | <BV64 ocall_r13_37_64>
480 | <BV64 ocall_r14_38_64>
481 | <BV64 ocall_r15_39_64>
482 | *********************************
483 | *********************************
484 | 12.086116 seconds.
485 | *********************************
486 | *********************************
487 | 
488 | 


--------------------------------------------------------------------------------
/type1ocallfinder/results/Graphene-SGX/Graphene-SGX_13:
--------------------------------------------------------------------------------
  1 | *********************************
  2 | *********************************
  3 | *********************************
  4 | *************RESULTS:************
  5 | *********************************
  6 | *********************************
  7 | *********************************
  8 | *********************************
  9 | *************gadgets:************
 10 | *********************************
 11 | *********************************
 12 | gadget 0:
 13 | *********************************
 14 | address:
 15 | 0x101e4L
 16 | gtype:
 17 | 3
 18 | regs affected:
 19 | r8
 20 | r9
 21 | r10
 22 | r11
 23 | r12
 24 | r13
 25 | r14
 26 | r15
 27 | regs:
 28 | <BV64 0x0>
 29 | <BV64 0x100>
 30 | <BV64 mem_22a5d8_42_64>
 31 | <BV64 0xfffffffffffffff8 + rsp_14_64>
 32 | <BV64 0xffffffffffffff48 + rsp_14_64>
 33 | <BV64 0xffffffffffffff48 + rsp_14_64>
 34 | <BV64 ocall_r8_34_64>
 35 | <BV64 ocall_r9_35_64>
 36 | <BV64 ocall_r10_36_64>
 37 | <BV64 ocall_r11_37_64>
 38 | <BV64 ocall_rsi_33_64>
 39 | <BV64 ocall_r13_39_64>
 40 | <BV64 ocall_r14_40_64>
 41 | <BV64 ocall_r15_41_64>
 42 | *********************************
 43 | gadget 1:
 44 | *********************************
 45 | address:
 46 | 0x101e4L
 47 | gtype:
 48 | 3
 49 | regs affected:
 50 | r8
 51 | r9
 52 | r10
 53 | r11
 54 | r12
 55 | r13
 56 | r14
 57 | r15
 58 | regs:
 59 | <BV64 0x0>
 60 | <BV64 0x100>
 61 | <BV64 mem_22a5d8_42_64>
 62 | <BV64 0xfffffffffffffff8 + rsp_14_64>
 63 | <BV64 0xffffffffffffff48 + rsp_14_64>
 64 | <BV64 0xffffffffffffff48 + rsp_14_64>
 65 | <BV64 ocall_r8_34_64>
 66 | <BV64 ocall_r9_35_64>
 67 | <BV64 ocall_r10_36_64>
 68 | <BV64 ocall_r11_37_64>
 69 | <BV64 ocall_rsi_33_64>
 70 | <BV64 ocall_r13_39_64>
 71 | <BV64 ocall_r14_40_64>
 72 | <BV64 ocall_r15_41_64>
 73 | *********************************
 74 | gadget 2:
 75 | *********************************
 76 | address:
 77 | 0x101e4L
 78 | gtype:
 79 | 3
 80 | regs affected:
 81 | r8
 82 | r9
 83 | r10
 84 | r11
 85 | r12
 86 | r13
 87 | r14
 88 | r15
 89 | regs:
 90 | <BV64 0xffffffffffffff98 + rsp_14_64>
 91 | <BV64 0x100>
 92 | <BV64 init_r10_8_64>
 93 | <BV64 0xffffffffffffff58 + rsp_14_64>
 94 | <BV64 0xffffffffffffff48 + rsp_14_64>
 95 | <BV64 0xdeaddeadbeefbeef>
 96 | <BV64 ocall_r8_34_64>
 97 | <BV64 ocall_r9_35_64>
 98 | <BV64 ocall_r10_36_64>
 99 | <BV64 ocall_r11_37_64>
100 | <BV64 ocall_rsi_33_64>
101 | <BV64 ocall_r13_39_64>
102 | <BV64 ocall_r14_40_64>
103 | <BV64 ocall_r15_41_64>
104 | *********************************
105 | gadget 3:
106 | *********************************
107 | address:
108 | 0x101e4L
109 | gtype:
110 | 3
111 | regs affected:
112 | r8
113 | r9
114 | r10
115 | r11
116 | r12
117 | r13
118 | r14
119 | r15
120 | regs:
121 | <BV64 0xffffffffffffff90 + rsp_14_64>
122 | <BV64 0x100>
123 | <BV64 init_r9_7_64>
124 | <BV64 0xffffffffffffff58 + rsp_14_64>
125 | <BV64 0xffffffffffffff48 + rsp_14_64>
126 | <BV64 0xdeaddeadbeefbeef>
127 | <BV64 ocall_r8_34_64>
128 | <BV64 ocall_r9_35_64>
129 | <BV64 ocall_r10_36_64>
130 | <BV64 ocall_r11_37_64>
131 | <BV64 ocall_rsi_33_64>
132 | <BV64 ocall_r13_39_64>
133 | <BV64 ocall_r14_40_64>
134 | <BV64 ocall_r15_41_64>
135 | *********************************
136 | gadget 4:
137 | *********************************
138 | address:
139 | 0x101e4L
140 | gtype:
141 | 3
142 | regs affected:
143 | r8
144 | r9
145 | r10
146 | r11
147 | r12
148 | r13
149 | r14
150 | r15
151 | regs:
152 | <BV64 0xffffffffffffff88 + rsp_14_64>
153 | <BV64 0x100>
154 | <BV64 init_r8_6_64>
155 | <BV64 0xffffffffffffff58 + rsp_14_64>
156 | <BV64 0xffffffffffffff48 + rsp_14_64>
157 | <BV64 0xdeaddeadbeefbeef>
158 | <BV64 ocall_r8_34_64>
159 | <BV64 ocall_r9_35_64>
160 | <BV64 ocall_r10_36_64>
161 | <BV64 ocall_r11_37_64>
162 | <BV64 ocall_rsi_33_64>
163 | <BV64 ocall_r13_39_64>
164 | <BV64 ocall_r14_40_64>
165 | <BV64 ocall_r15_41_64>
166 | *********************************
167 | gadget 5:
168 | *********************************
169 | address:
170 | 0x103a5L
171 | gtype:
172 | 3
173 | regs affected:
174 | r8
175 | r9
176 | r10
177 | r11
178 | r12
179 | r13
180 | r14
181 | r15
182 | regs:
183 | <BV64 mem_22a4c0_46_64>
184 | <BV64 0x100>
185 | <BV64 init_r10_8_64>
186 | <BV64 0xffffffffffffff58 + rsp_14_64>
187 | <BV64 0xffffffffffffff48 + rsp_14_64>
188 | <BV64 0xdeaddeadbeefbeef>
189 | <BV64 ocall_r8_34_64>
190 | <BV64 ocall_r9_35_64>
191 | <BV64 ocall_r10_36_64>
192 | <BV64 ocall_r11_37_64>
193 | <BV64 ocall_r12_38_64>
194 | <BV64 ocall_r13_39_64>
195 | <BV64 ocall_r14_40_64>
196 | <BV64 ocall_r15_41_64>
197 | *********************************
198 | gadget 6:
199 | *********************************
200 | address:
201 | 0x103a5L
202 | gtype:
203 | 3
204 | regs affected:
205 | r8
206 | r9
207 | r10
208 | r11
209 | r12
210 | r13
211 | r14
212 | r15
213 | regs:
214 | <BV64 mem_22a4c0_48_64>
215 | <BV64 0x100>
216 | <BV64 init_r9_7_64>
217 | <BV64 0xffffffffffffff58 + rsp_14_64>
218 | <BV64 0xffffffffffffff48 + rsp_14_64>
219 | <BV64 0xdeaddeadbeefbeef>
220 | <BV64 ocall_r8_34_64>
221 | <BV64 ocall_r9_35_64>
222 | <BV64 ocall_r10_36_64>
223 | <BV64 ocall_r11_37_64>
224 | <BV64 ocall_r12_38_64>
225 | <BV64 ocall_r13_39_64>
226 | <BV64 ocall_r14_40_64>
227 | <BV64 ocall_r15_41_64>
228 | *********************************
229 | gadget 7:
230 | *********************************
231 | address:
232 | 0x7120L
233 | gtype:
234 | 3
235 | regs affected:
236 | rdi
237 | r8
238 | r9
239 | r10
240 | r11
241 | r12
242 | r13
243 | r14
244 | r15
245 | regs:
246 | <BV64 mem_fffffffffffff008_54_64>
247 | <BV64 0xffffffffffffff98 + rsp_14_64>
248 | <BV64 init_r10_8_64>
249 | <BV64 0xffffffffffffff58 + rsp_14_64>
250 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_50_64>
251 | <BV64 0xdeaddeadbeefbeef>
252 | <BV64 ocall_r8_34_64>
253 | <BV64 ocall_r9_35_64>
254 | <BV64 ocall_r10_36_64>
255 | <BV64 ocall_r11_37_64>
256 | <BV64 ocall_rsi_33_64>
257 | <BV64 ocall_r13_39_64>
258 | <BV64 ocall_r14_40_64>
259 | <BV64 ocall_r15_41_64>
260 | *********************************
261 | gadget 8:
262 | *********************************
263 | address:
264 | 0x103a5L
265 | gtype:
266 | 3
267 | regs affected:
268 | r8
269 | r9
270 | r10
271 | r11
272 | r12
273 | r13
274 | r14
275 | r15
276 | regs:
277 | <BV64 mem_22a4c0_56_64>
278 | <BV64 0x100>
279 | <BV64 init_r8_6_64>
280 | <BV64 0xffffffffffffff58 + rsp_14_64>
281 | <BV64 0xffffffffffffff48 + rsp_14_64>
282 | <BV64 0xdeaddeadbeefbeef>
283 | <BV64 ocall_r8_34_64>
284 | <BV64 ocall_r9_35_64>
285 | <BV64 ocall_r10_36_64>
286 | <BV64 ocall_r11_37_64>
287 | <BV64 ocall_r12_38_64>
288 | <BV64 ocall_r13_39_64>
289 | <BV64 ocall_r14_40_64>
290 | <BV64 ocall_r15_41_64>
291 | *********************************
292 | gadget 9:
293 | *********************************
294 | address:
295 | 0x7120L
296 | gtype:
297 | 3
298 | regs affected:
299 | rdi
300 | r8
301 | r9
302 | r10
303 | r11
304 | r12
305 | r13
306 | r14
307 | r15
308 | regs:
309 | <BV64 mem_ffffc00000000008_58_64>
310 | <BV64 0xffffffffffffff98 + rsp_14_64>
311 | <BV64 init_r10_8_64>
312 | <BV64 0xffffffffffffff58 + rsp_14_64>
313 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_52_64>
314 | <BV64 0xdeaddeadbeefbeef>
315 | <BV64 ocall_r8_34_64>
316 | <BV64 ocall_r9_35_64>
317 | <BV64 ocall_r10_36_64>
318 | <BV64 ocall_r11_37_64>
319 | <BV64 ocall_rsi_33_64>
320 | <BV64 ocall_r13_39_64>
321 | <BV64 ocall_r14_40_64>
322 | <BV64 ocall_r15_41_64>
323 | *********************************
324 | gadget 10:
325 | *********************************
326 | address:
327 | 0x7120L
328 | gtype:
329 | 3
330 | regs affected:
331 | rdi
332 | r8
333 | r9
334 | r10
335 | r11
336 | r12
337 | r13
338 | r14
339 | r15
340 | regs:
341 | <BV64 0#8 .. init_r15_13_64[63:8]>
342 | <BV64 0xffffffffffffff90 + rsp_14_64>
343 | <BV64 init_r9_7_64>
344 | <BV64 0xffffffffffffff58 + rsp_14_64>
345 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_59_64>
346 | <BV64 0xdeaddeadbeefbeef>
347 | <BV64 ocall_r8_34_64>
348 | <BV64 ocall_r9_35_64>
349 | <BV64 ocall_r10_36_64>
350 | <BV64 ocall_r11_37_64>
351 | <BV64 ocall_rsi_33_64>
352 | <BV64 ocall_r13_39_64>
353 | <BV64 ocall_r14_40_64>
354 | <BV64 ocall_r15_41_64>
355 | *********************************
356 | gadget 11:
357 | *********************************
358 | address:
359 | 0x7120L
360 | gtype:
361 | 3
362 | regs affected:
363 | rdi
364 | r8
365 | r9
366 | r10
367 | r11
368 | r12
369 | r13
370 | r14
371 | r15
372 | regs:
373 | <BV64 0x4000000000000150>
374 | <BV64 0xffffffffffffff90 + rsp_14_64>
375 | <BV64 init_r9_7_64>
376 | <BV64 0xffffffffffffff58 + rsp_14_64>
377 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_61_64>
378 | <BV64 0xdeaddeadbeefbeef>
379 | <BV64 ocall_r8_34_64>
380 | <BV64 ocall_r9_35_64>
381 | <BV64 ocall_r10_36_64>
382 | <BV64 ocall_r11_37_64>
383 | <BV64 ocall_rsi_33_64>
384 | <BV64 ocall_r13_39_64>
385 | <BV64 ocall_r14_40_64>
386 | <BV64 ocall_r15_41_64>
387 | *********************************
388 | gadget 12:
389 | *********************************
390 | address:
391 | 0x103a5L
392 | gtype:
393 | 3
394 | regs affected:
395 | rdi
396 | r8
397 | r9
398 | r10
399 | r11
400 | r12
401 | r13
402 | r14
403 | r15
404 | regs:
405 | <BV64 mem_ffffc00000000008_58_64>
406 | <BV64 0x100>
407 | <BV64 init_r10_8_64>
408 | <BV64 0xffffffffffffff58 + rsp_14_64>
409 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_52_64>
410 | <BV64 0xdeaddeadbeefbeef>
411 | <BV64 ocall_r8_34_64>
412 | <BV64 ocall_r9_35_64>
413 | <BV64 ocall_r10_36_64>
414 | <BV64 ocall_r11_37_64>
415 | <BV64 ocall_r12_38_64>
416 | <BV64 ocall_r13_39_64>
417 | <BV64 ocall_r14_40_64>
418 | <BV64 ocall_r15_41_64>
419 | *********************************
420 | gadget 13:
421 | *********************************
422 | address:
423 | 0x7120L
424 | gtype:
425 | 3
426 | regs affected:
427 | rdi
428 | r8
429 | r9
430 | r10
431 | r11
432 | r12
433 | r13
434 | r14
435 | r15
436 | regs:
437 | <BV64 mem_fffffffffffffe08_72_64>
438 | <BV64 0xffffffffffffff88 + rsp_14_64>
439 | <BV64 init_r8_6_64>
440 | <BV64 0xffffffffffffff58 + rsp_14_64>
441 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_64_64>
442 | <BV64 0xdeaddeadbeefbeef>
443 | <BV64 ocall_r8_34_64>
444 | <BV64 ocall_r9_35_64>
445 | <BV64 ocall_r10_36_64>
446 | <BV64 ocall_r11_37_64>
447 | <BV64 ocall_rsi_33_64>
448 | <BV64 ocall_r13_39_64>
449 | <BV64 ocall_r14_40_64>
450 | <BV64 ocall_r15_41_64>
451 | *********************************
452 | gadget 14:
453 | *********************************
454 | address:
455 | 0x7120L
456 | gtype:
457 | 3
458 | regs affected:
459 | rdi
460 | r8
461 | r9
462 | r10
463 | r11
464 | r12
465 | r13
466 | r14
467 | r15
468 | regs:
469 | <BV64 mem_ffffffe000000008_75_64>
470 | <BV64 (0xfffffffffffffec7 + rsp_14_64)[63:4] .. 0#4>
471 | <BV64 mem_22a5d8_42_64>
472 | <BV64 0xfffffffffffffff8 + rsp_14_64>
473 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_66_64>
474 | <BV64 0xffffffffffffff48 + rsp_14_64>
475 | <BV64 ocall_r8_34_64>
476 | <BV64 ocall_r9_35_64>
477 | <BV64 ocall_r10_36_64>
478 | <BV64 ocall_r11_37_64>
479 | <BV64 ocall_rsi_33_64>
480 | <BV64 ocall_r13_39_64>
481 | <BV64 ocall_r14_40_64>
482 | <BV64 ocall_r15_41_64>
483 | *********************************
484 | gadget 15:
485 | *********************************
486 | address:
487 | 0x7120L
488 | gtype:
489 | 3
490 | regs affected:
491 | rdi
492 | r8
493 | r9
494 | r10
495 | r11
496 | r12
497 | r13
498 | r14
499 | r15
500 | regs:
501 | <BV64 mem_8830118_79_64>
502 | <BV64 (0xfffffffffffffec7 + rsp_14_64)[63:4] .. 0#4>
503 | <BV64 mem_22a5d8_42_64>
504 | <BV64 0xfffffffffffffff8 + rsp_14_64>
505 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_68_64>
506 | <BV64 0xffffffffffffff48 + rsp_14_64>
507 | <BV64 ocall_r8_34_64>
508 | <BV64 ocall_r9_35_64>
509 | <BV64 ocall_r10_36_64>
510 | <BV64 ocall_r11_37_64>
511 | <BV64 ocall_rsi_33_64>
512 | <BV64 ocall_r13_39_64>
513 | <BV64 ocall_r14_40_64>
514 | <BV64 ocall_r15_41_64>
515 | *********************************
516 | gadget 16:
517 | *********************************
518 | address:
519 | 0x7120L
520 | gtype:
521 | 3
522 | regs affected:
523 | rdi
524 | r8
525 | r9
526 | r10
527 | r11
528 | r12
529 | r13
530 | r14
531 | r15
532 | regs:
533 | <BV64 mem_ffffffffffc00068_81_64>
534 | <BV64 0xffffffffffffff88 + rsp_14_64>
535 | <BV64 init_r8_6_64>
536 | <BV64 0xffffffffffffff58 + rsp_14_64>
537 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_70_64>
538 | <BV64 0xdeaddeadbeefbeef>
539 | <BV64 ocall_r8_34_64>
540 | <BV64 ocall_r9_35_64>
541 | <BV64 ocall_r10_36_64>
542 | <BV64 ocall_r11_37_64>
543 | <BV64 ocall_rsi_33_64>
544 | <BV64 ocall_r13_39_64>
545 | <BV64 ocall_r14_40_64>
546 | <BV64 ocall_r15_41_64>
547 | *********************************
548 | gadget 17:
549 | *********************************
550 | address:
551 | 0x7120L
552 | gtype:
553 | 3
554 | regs affected:
555 | rdi
556 | r8
557 | r9
558 | r10
559 | r11
560 | r12
561 | r13
562 | r14
563 | r15
564 | regs:
565 | <BV64 mem_ff80000000000008_83_64>
566 | <BV64 (0xfffffffffffffec7 + rsp_14_64)[63:4] .. 0#4>
567 | <BV64 mem_22a5d8_42_64>
568 | <BV64 0xfffffffffffffff8 + rsp_14_64>
569 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_73_64>
570 | <BV64 0xffffffffffffff48 + rsp_14_64>
571 | <BV64 ocall_r8_34_64>
572 | <BV64 ocall_r9_35_64>
573 | <BV64 ocall_r10_36_64>
574 | <BV64 ocall_r11_37_64>
575 | <BV64 ocall_rsi_33_64>
576 | <BV64 ocall_r13_39_64>
577 | <BV64 ocall_r14_40_64>
578 | <BV64 ocall_r15_41_64>
579 | *********************************
580 | gadget 18:
581 | *********************************
582 | address:
583 | 0x7120L
584 | gtype:
585 | 3
586 | regs affected:
587 | rdi
588 | r8
589 | r9
590 | r10
591 | r11
592 | r12
593 | r13
594 | r14
595 | r15
596 | regs:
597 | <BV64 mem_ffffff0000000014_85_64>
598 | <BV64 (0xfffffffffffffec7 + rsp_14_64)[63:4] .. 0#4>
599 | <BV64 mem_22a5d8_42_64>
600 | <BV64 0xfffffffffffffff8 + rsp_14_64>
601 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_77_64>
602 | <BV64 0xffffffffffffff48 + rsp_14_64>
603 | <BV64 ocall_r8_34_64>
604 | <BV64 ocall_r9_35_64>
605 | <BV64 ocall_r10_36_64>
606 | <BV64 ocall_r11_37_64>
607 | <BV64 ocall_rsi_33_64>
608 | <BV64 ocall_r13_39_64>
609 | <BV64 ocall_r14_40_64>
610 | <BV64 ocall_r15_41_64>
611 | *********************************
612 | gadget 19:
613 | *********************************
614 | address:
615 | 0x10220L
616 | gtype:
617 | 2
618 | regs affected:
619 | r9
620 | r10
621 | r11
622 | r12
623 | r13
624 | r14
625 | r15
626 | regs:
627 | <BV64 mem_fffffffffffff008_54_64>
628 | <BV64 0xffffffffffffff98 + rsp_14_64>
629 | <BV64 0xffffffffffffff98 + rsp_14_64>
630 | <BV64 0x0>
631 | <BV64 0xfffffffffffffef8 + rsp_14_64>
632 | <BV64 0x0>
633 | <BV64 0x0>
634 | <BV64 ocall_r9_35_64>
635 | <BV64 ocall_r10_36_64>
636 | <BV64 ocall_r11_37_64>
637 | <BV64 ocall_rsi_33_64>
638 | <BV64 ocall_r13_39_64>
639 | <BV64 ocall_r14_40_64>
640 | <BV64 ocall_r15_41_64>
641 | *********************************
642 | *********************************
643 | 16.039048 seconds.
644 | *********************************
645 | *********************************
646 | 
647 | 


--------------------------------------------------------------------------------
/type1ocallfinder/results/Graphene-SGX/Graphene-SGX_14:
--------------------------------------------------------------------------------
  1 | *********************************
  2 | *********************************
  3 | *********************************
  4 | *************RESULTS:************
  5 | *********************************
  6 | *********************************
  7 | *********************************
  8 | *********************************
  9 | *************gadgets:************
 10 | *********************************
 11 | *********************************
 12 | gadget 0:
 13 | *********************************
 14 | address:
 15 | 0x101e4L
 16 | gtype:
 17 | 3
 18 | regs affected:
 19 | r8
 20 | r9
 21 | r10
 22 | r11
 23 | r12
 24 | r13
 25 | r14
 26 | r15
 27 | regs:
 28 | <BV64 0x0>
 29 | <BV64 0x100>
 30 | <BV64 mem_22a5d8_42_64>
 31 | <BV64 0xfffffffffffffff8 + rsp_14_64>
 32 | <BV64 0xffffffffffffff48 + rsp_14_64>
 33 | <BV64 0xffffffffffffff48 + rsp_14_64>
 34 | <BV64 ocall_r8_34_64>
 35 | <BV64 ocall_r9_35_64>
 36 | <BV64 ocall_r10_36_64>
 37 | <BV64 ocall_r11_37_64>
 38 | <BV64 ocall_rsi_33_64>
 39 | <BV64 ocall_r13_39_64>
 40 | <BV64 ocall_r14_40_64>
 41 | <BV64 ocall_r15_41_64>
 42 | *********************************
 43 | gadget 1:
 44 | *********************************
 45 | address:
 46 | 0x101e4L
 47 | gtype:
 48 | 3
 49 | regs affected:
 50 | r8
 51 | r9
 52 | r10
 53 | r11
 54 | r12
 55 | r13
 56 | r14
 57 | r15
 58 | regs:
 59 | <BV64 0x0>
 60 | <BV64 0x100>
 61 | <BV64 mem_22a5d8_42_64>
 62 | <BV64 0xfffffffffffffff8 + rsp_14_64>
 63 | <BV64 0xffffffffffffff48 + rsp_14_64>
 64 | <BV64 0xffffffffffffff48 + rsp_14_64>
 65 | <BV64 ocall_r8_34_64>
 66 | <BV64 ocall_r9_35_64>
 67 | <BV64 ocall_r10_36_64>
 68 | <BV64 ocall_r11_37_64>
 69 | <BV64 ocall_rsi_33_64>
 70 | <BV64 ocall_r13_39_64>
 71 | <BV64 ocall_r14_40_64>
 72 | <BV64 ocall_r15_41_64>
 73 | *********************************
 74 | gadget 2:
 75 | *********************************
 76 | address:
 77 | 0x101e4L
 78 | gtype:
 79 | 3
 80 | regs affected:
 81 | r8
 82 | r9
 83 | r10
 84 | r11
 85 | r12
 86 | r13
 87 | r14
 88 | r15
 89 | regs:
 90 | <BV64 0xffffffffffffff98 + rsp_14_64>
 91 | <BV64 0x100>
 92 | <BV64 init_r10_8_64>
 93 | <BV64 0xffffffffffffff58 + rsp_14_64>
 94 | <BV64 0xffffffffffffff48 + rsp_14_64>
 95 | <BV64 0xdeaddeadbeefbeef>
 96 | <BV64 ocall_r8_34_64>
 97 | <BV64 ocall_r9_35_64>
 98 | <BV64 ocall_r10_36_64>
 99 | <BV64 ocall_r11_37_64>
100 | <BV64 ocall_rsi_33_64>
101 | <BV64 ocall_r13_39_64>
102 | <BV64 ocall_r14_40_64>
103 | <BV64 ocall_r15_41_64>
104 | *********************************
105 | gadget 3:
106 | *********************************
107 | address:
108 | 0x101e4L
109 | gtype:
110 | 3
111 | regs affected:
112 | r8
113 | r9
114 | r10
115 | r11
116 | r12
117 | r13
118 | r14
119 | r15
120 | regs:
121 | <BV64 0xffffffffffffff90 + rsp_14_64>
122 | <BV64 0x100>
123 | <BV64 init_r9_7_64>
124 | <BV64 0xffffffffffffff58 + rsp_14_64>
125 | <BV64 0xffffffffffffff48 + rsp_14_64>
126 | <BV64 0xdeaddeadbeefbeef>
127 | <BV64 ocall_r8_34_64>
128 | <BV64 ocall_r9_35_64>
129 | <BV64 ocall_r10_36_64>
130 | <BV64 ocall_r11_37_64>
131 | <BV64 ocall_rsi_33_64>
132 | <BV64 ocall_r13_39_64>
133 | <BV64 ocall_r14_40_64>
134 | <BV64 ocall_r15_41_64>
135 | *********************************
136 | gadget 4:
137 | *********************************
138 | address:
139 | 0x101e4L
140 | gtype:
141 | 3
142 | regs affected:
143 | r8
144 | r9
145 | r10
146 | r11
147 | r12
148 | r13
149 | r14
150 | r15
151 | regs:
152 | <BV64 0xffffffffffffff88 + rsp_14_64>
153 | <BV64 0x100>
154 | <BV64 init_r8_6_64>
155 | <BV64 0xffffffffffffff58 + rsp_14_64>
156 | <BV64 0xffffffffffffff48 + rsp_14_64>
157 | <BV64 0xdeaddeadbeefbeef>
158 | <BV64 ocall_r8_34_64>
159 | <BV64 ocall_r9_35_64>
160 | <BV64 ocall_r10_36_64>
161 | <BV64 ocall_r11_37_64>
162 | <BV64 ocall_rsi_33_64>
163 | <BV64 ocall_r13_39_64>
164 | <BV64 ocall_r14_40_64>
165 | <BV64 ocall_r15_41_64>
166 | *********************************
167 | gadget 5:
168 | *********************************
169 | address:
170 | 0x103a5L
171 | gtype:
172 | 3
173 | regs affected:
174 | r8
175 | r9
176 | r10
177 | r11
178 | r12
179 | r13
180 | r14
181 | r15
182 | regs:
183 | <BV64 mem_22a4c0_46_64>
184 | <BV64 0x100>
185 | <BV64 init_r10_8_64>
186 | <BV64 0xffffffffffffff58 + rsp_14_64>
187 | <BV64 0xffffffffffffff48 + rsp_14_64>
188 | <BV64 0xdeaddeadbeefbeef>
189 | <BV64 ocall_r8_34_64>
190 | <BV64 ocall_r9_35_64>
191 | <BV64 ocall_r10_36_64>
192 | <BV64 ocall_r11_37_64>
193 | <BV64 ocall_r12_38_64>
194 | <BV64 ocall_r13_39_64>
195 | <BV64 ocall_r14_40_64>
196 | <BV64 ocall_r15_41_64>
197 | *********************************
198 | gadget 6:
199 | *********************************
200 | address:
201 | 0x103a5L
202 | gtype:
203 | 3
204 | regs affected:
205 | r8
206 | r9
207 | r10
208 | r11
209 | r12
210 | r13
211 | r14
212 | r15
213 | regs:
214 | <BV64 mem_22a4c0_48_64>
215 | <BV64 0x100>
216 | <BV64 init_r9_7_64>
217 | <BV64 0xffffffffffffff58 + rsp_14_64>
218 | <BV64 0xffffffffffffff48 + rsp_14_64>
219 | <BV64 0xdeaddeadbeefbeef>
220 | <BV64 ocall_r8_34_64>
221 | <BV64 ocall_r9_35_64>
222 | <BV64 ocall_r10_36_64>
223 | <BV64 ocall_r11_37_64>
224 | <BV64 ocall_r12_38_64>
225 | <BV64 ocall_r13_39_64>
226 | <BV64 ocall_r14_40_64>
227 | <BV64 ocall_r15_41_64>
228 | *********************************
229 | gadget 7:
230 | *********************************
231 | address:
232 | 0x7120L
233 | gtype:
234 | 3
235 | regs affected:
236 | rdi
237 | r8
238 | r9
239 | r10
240 | r11
241 | r12
242 | r13
243 | r14
244 | r15
245 | regs:
246 | <BV64 mem_fffffffffffff008_54_64>
247 | <BV64 0xffffffffffffff98 + rsp_14_64>
248 | <BV64 init_r10_8_64>
249 | <BV64 0xffffffffffffff58 + rsp_14_64>
250 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_50_64>
251 | <BV64 0xdeaddeadbeefbeef>
252 | <BV64 ocall_r8_34_64>
253 | <BV64 ocall_r9_35_64>
254 | <BV64 ocall_r10_36_64>
255 | <BV64 ocall_r11_37_64>
256 | <BV64 ocall_rsi_33_64>
257 | <BV64 ocall_r13_39_64>
258 | <BV64 ocall_r14_40_64>
259 | <BV64 ocall_r15_41_64>
260 | *********************************
261 | gadget 8:
262 | *********************************
263 | address:
264 | 0x103a5L
265 | gtype:
266 | 3
267 | regs affected:
268 | r8
269 | r9
270 | r10
271 | r11
272 | r12
273 | r13
274 | r14
275 | r15
276 | regs:
277 | <BV64 mem_22a4c0_56_64>
278 | <BV64 0x100>
279 | <BV64 init_r8_6_64>
280 | <BV64 0xffffffffffffff58 + rsp_14_64>
281 | <BV64 0xffffffffffffff48 + rsp_14_64>
282 | <BV64 0xdeaddeadbeefbeef>
283 | <BV64 ocall_r8_34_64>
284 | <BV64 ocall_r9_35_64>
285 | <BV64 ocall_r10_36_64>
286 | <BV64 ocall_r11_37_64>
287 | <BV64 ocall_r12_38_64>
288 | <BV64 ocall_r13_39_64>
289 | <BV64 ocall_r14_40_64>
290 | <BV64 ocall_r15_41_64>
291 | *********************************
292 | gadget 9:
293 | *********************************
294 | address:
295 | 0x7120L
296 | gtype:
297 | 3
298 | regs affected:
299 | rdi
300 | r8
301 | r9
302 | r10
303 | r11
304 | r12
305 | r13
306 | r14
307 | r15
308 | regs:
309 | <BV64 mem_ffffffffffffff04_58_64>
310 | <BV64 0xffffffffffffff98 + rsp_14_64>
311 | <BV64 init_r10_8_64>
312 | <BV64 0xffffffffffffff58 + rsp_14_64>
313 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_52_64>
314 | <BV64 0xdeaddeadbeefbeef>
315 | <BV64 ocall_r8_34_64>
316 | <BV64 ocall_r9_35_64>
317 | <BV64 ocall_r10_36_64>
318 | <BV64 ocall_r11_37_64>
319 | <BV64 ocall_rsi_33_64>
320 | <BV64 ocall_r13_39_64>
321 | <BV64 ocall_r14_40_64>
322 | <BV64 ocall_r15_41_64>
323 | *********************************
324 | gadget 10:
325 | *********************************
326 | address:
327 | 0x7120L
328 | gtype:
329 | 3
330 | regs affected:
331 | rdi
332 | r8
333 | r9
334 | r10
335 | r11
336 | r12
337 | r13
338 | r14
339 | r15
340 | regs:
341 | <BV64 rbp_15_64[63:16] .. init_rsi_5_64[15:0]>
342 | <BV64 0xffffffffffffff90 + rsp_14_64>
343 | <BV64 init_r9_7_64>
344 | <BV64 0xffffffffffffff58 + rsp_14_64>
345 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_59_64>
346 | <BV64 0xdeaddeadbeefbeef>
347 | <BV64 ocall_r8_34_64>
348 | <BV64 ocall_r9_35_64>
349 | <BV64 ocall_r10_36_64>
350 | <BV64 ocall_r11_37_64>
351 | <BV64 ocall_rsi_33_64>
352 | <BV64 ocall_r13_39_64>
353 | <BV64 ocall_r14_40_64>
354 | <BV64 ocall_r15_41_64>
355 | *********************************
356 | gadget 11:
357 | *********************************
358 | address:
359 | 0x7120L
360 | gtype:
361 | 3
362 | regs affected:
363 | rdi
364 | r8
365 | r9
366 | r10
367 | r11
368 | r12
369 | r13
370 | r14
371 | r15
372 | regs:
373 | <BV64 0x4000000000000150>
374 | <BV64 0xffffffffffffff90 + rsp_14_64>
375 | <BV64 init_r9_7_64>
376 | <BV64 0xffffffffffffff58 + rsp_14_64>
377 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_61_64>
378 | <BV64 0xdeaddeadbeefbeef>
379 | <BV64 ocall_r8_34_64>
380 | <BV64 ocall_r9_35_64>
381 | <BV64 ocall_r10_36_64>
382 | <BV64 ocall_r11_37_64>
383 | <BV64 ocall_rsi_33_64>
384 | <BV64 ocall_r13_39_64>
385 | <BV64 ocall_r14_40_64>
386 | <BV64 ocall_r15_41_64>
387 | *********************************
388 | gadget 12:
389 | *********************************
390 | address:
391 | 0x103a5L
392 | gtype:
393 | 3
394 | regs affected:
395 | rdi
396 | r8
397 | r9
398 | r10
399 | r11
400 | r12
401 | r13
402 | r14
403 | r15
404 | regs:
405 | <BV64 mem_ffffffffffffff04_58_64>
406 | <BV64 0x100>
407 | <BV64 init_r10_8_64>
408 | <BV64 0xffffffffffffff58 + rsp_14_64>
409 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_52_64>
410 | <BV64 0xdeaddeadbeefbeef>
411 | <BV64 ocall_r8_34_64>
412 | <BV64 ocall_r9_35_64>
413 | <BV64 ocall_r10_36_64>
414 | <BV64 ocall_r11_37_64>
415 | <BV64 ocall_r12_38_64>
416 | <BV64 ocall_r13_39_64>
417 | <BV64 ocall_r14_40_64>
418 | <BV64 ocall_r15_41_64>
419 | *********************************
420 | gadget 13:
421 | *********************************
422 | address:
423 | 0x7120L
424 | gtype:
425 | 3
426 | regs affected:
427 | rdi
428 | r8
429 | r9
430 | r10
431 | r11
432 | r12
433 | r13
434 | r14
435 | r15
436 | regs:
437 | <BV64 mem_ffffffffffffe200_71_64>
438 | <BV64 0xffffffffffffff88 + rsp_14_64>
439 | <BV64 init_r8_6_64>
440 | <BV64 0xffffffffffffff58 + rsp_14_64>
441 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_63_64>
442 | <BV64 0xdeaddeadbeefbeef>
443 | <BV64 ocall_r8_34_64>
444 | <BV64 ocall_r9_35_64>
445 | <BV64 ocall_r10_36_64>
446 | <BV64 ocall_r11_37_64>
447 | <BV64 ocall_rsi_33_64>
448 | <BV64 ocall_r13_39_64>
449 | <BV64 ocall_r14_40_64>
450 | <BV64 ocall_r15_41_64>
451 | *********************************
452 | gadget 14:
453 | *********************************
454 | address:
455 | 0x7120L
456 | gtype:
457 | 3
458 | regs affected:
459 | rdi
460 | r8
461 | r9
462 | r10
463 | r11
464 | r12
465 | r13
466 | r14
467 | r15
468 | regs:
469 | <BV64 mem_fffffffffffffc00_75_64>
470 | <BV64 (0xfffffffffffffec7 + rsp_14_64)[63:4] .. 0#4>
471 | <BV64 mem_22a5d8_42_64>
472 | <BV64 0xfffffffffffffff8 + rsp_14_64>
473 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_65_64>
474 | <BV64 0xffffffffffffff48 + rsp_14_64>
475 | <BV64 ocall_r8_34_64>
476 | <BV64 ocall_r9_35_64>
477 | <BV64 ocall_r10_36_64>
478 | <BV64 ocall_r11_37_64>
479 | <BV64 ocall_rsi_33_64>
480 | <BV64 ocall_r13_39_64>
481 | <BV64 ocall_r14_40_64>
482 | <BV64 ocall_r15_41_64>
483 | *********************************
484 | gadget 15:
485 | *********************************
486 | address:
487 | 0x7120L
488 | gtype:
489 | 3
490 | regs affected:
491 | rdi
492 | r8
493 | r9
494 | r10
495 | r11
496 | r12
497 | r13
498 | r14
499 | r15
500 | regs:
501 | <BV64 mem_fffffffffffe0008_78_64>
502 | <BV64 (0xfffffffffffffec7 + rsp_14_64)[63:4] .. 0#4>
503 | <BV64 mem_22a5d8_42_64>
504 | <BV64 0xfffffffffffffff8 + rsp_14_64>
505 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_67_64>
506 | <BV64 0xffffffffffffff48 + rsp_14_64>
507 | <BV64 ocall_r8_34_64>
508 | <BV64 ocall_r9_35_64>
509 | <BV64 ocall_r10_36_64>
510 | <BV64 ocall_r11_37_64>
511 | <BV64 ocall_rsi_33_64>
512 | <BV64 ocall_r13_39_64>
513 | <BV64 ocall_r14_40_64>
514 | <BV64 ocall_r15_41_64>
515 | *********************************
516 | gadget 16:
517 | *********************************
518 | address:
519 | 0x7120L
520 | gtype:
521 | 3
522 | regs affected:
523 | rdi
524 | r8
525 | r9
526 | r10
527 | r11
528 | r12
529 | r13
530 | r14
531 | r15
532 | regs:
533 | <BV64 0x10102464c457f>
534 | <BV64 0xffffffffffffff88 + rsp_14_64>
535 | <BV64 init_r8_6_64>
536 | <BV64 0xffffffffffffff58 + rsp_14_64>
537 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_69_64>
538 | <BV64 0xdeaddeadbeefbeef>
539 | <BV64 ocall_r8_34_64>
540 | <BV64 ocall_r9_35_64>
541 | <BV64 ocall_r10_36_64>
542 | <BV64 ocall_r11_37_64>
543 | <BV64 ocall_rsi_33_64>
544 | <BV64 ocall_r13_39_64>
545 | <BV64 ocall_r14_40_64>
546 | <BV64 ocall_r15_41_64>
547 | *********************************
548 | gadget 17:
549 | *********************************
550 | address:
551 | 0x7120L
552 | gtype:
553 | 3
554 | regs affected:
555 | rdi
556 | r8
557 | r9
558 | r10
559 | r11
560 | r12
561 | r13
562 | r14
563 | r15
564 | regs:
565 | <BV64 mem_ffc0000000000008_81_64>
566 | <BV64 (0xfffffffffffffec7 + rsp_14_64)[63:4] .. 0#4>
567 | <BV64 mem_22a5d8_42_64>
568 | <BV64 0xfffffffffffffff8 + rsp_14_64>
569 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_73_64>
570 | <BV64 0xffffffffffffff48 + rsp_14_64>
571 | <BV64 ocall_r8_34_64>
572 | <BV64 ocall_r9_35_64>
573 | <BV64 ocall_r10_36_64>
574 | <BV64 ocall_r11_37_64>
575 | <BV64 ocall_rsi_33_64>
576 | <BV64 ocall_r13_39_64>
577 | <BV64 ocall_r14_40_64>
578 | <BV64 ocall_r15_41_64>
579 | *********************************
580 | gadget 18:
581 | *********************************
582 | address:
583 | 0x7120L
584 | gtype:
585 | 3
586 | regs affected:
587 | rdi
588 | r8
589 | r9
590 | r10
591 | r11
592 | r12
593 | r13
594 | r14
595 | r15
596 | regs:
597 | <BV64 mem_fffffffffff7fe00_82_64>
598 | <BV64 (0xfffffffffffffec7 + rsp_14_64)[63:4] .. 0#4>
599 | <BV64 mem_22a5d8_42_64>
600 | <BV64 0xfffffffffffffff8 + rsp_14_64>
601 | <BV64 ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:31] .. ocall_rsi_33_64[31:0] .. 0#4 + mem_22a5a0_76_64>
602 | <BV64 0xffffffffffffff48 + rsp_14_64>
603 | <BV64 ocall_r8_34_64>
604 | <BV64 ocall_r9_35_64>
605 | <BV64 ocall_r10_36_64>
606 | <BV64 ocall_r11_37_64>
607 | <BV64 ocall_rsi_33_64>
608 | <BV64 ocall_r13_39_64>
609 | <BV64 ocall_r14_40_64>
610 | <BV64 ocall_r15_41_64>
611 | *********************************
612 | gadget 19:
613 | *********************************
614 | address:
615 | 0x10220L
616 | gtype:
617 | 2
618 | regs affected:
619 | r9
620 | r10
621 | r11
622 | r12
623 | r13
624 | r14
625 | r15
626 | regs:
627 | <BV64 mem_fffffffffffff008_54_64>
628 | <BV64 0xffffffffffffff98 + rsp_14_64>
629 | <BV64 0xffffffffffffff98 + rsp_14_64>
630 | <BV64 0x0>
631 | <BV64 0xfffffffffffffef8 + rsp_14_64>
632 | <BV64 0x0>
633 | <BV64 0x0>
634 | <BV64 ocall_r9_35_64>
635 | <BV64 ocall_r10_36_64>
636 | <BV64 ocall_r11_37_64>
637 | <BV64 ocall_rsi_33_64>
638 | <BV64 ocall_r13_39_64>
639 | <BV64 ocall_r14_40_64>
640 | <BV64 ocall_r15_41_64>
641 | *********************************
642 | *********************************
643 | 16.214543 seconds.
644 | *********************************
645 | *********************************
646 | 
647 | 


--------------------------------------------------------------------------------
/type1ocallfinder/results/Graphene-SGX/Graphene-SGX_19:
--------------------------------------------------------------------------------
  1 | *********************************
  2 | *********************************
  3 | *********************************
  4 | *************RESULTS:************
  5 | *********************************
  6 | *********************************
  7 | *********************************
  8 | *********************************
  9 | *************gadgets:************
 10 | *********************************
 11 | *********************************
 12 | gadget 0:
 13 | *********************************
 14 | address:
 15 | 0x101e4L
 16 | gtype:
 17 | 3
 18 | regs affected:
 19 | r8
 20 | r9
 21 | r10
 22 | r11
 23 | r12
 24 | r13
 25 | r14
 26 | r15
 27 | regs:
 28 | <BV64 0x0>
 29 | <BV64 0x100>
 30 | <BV64 mem_22a5d8_44_64>
 31 | <BV64 rbp_15_64>
 32 | <BV64 0xffffffffffffff68 + rsp_14_64>
 33 | <BV64 0xffffffffffffff68 + rsp_14_64>
 34 | <BV64 ocall_r8_36_64>
 35 | <BV64 ocall_r9_37_64>
 36 | <BV64 ocall_r10_38_64>
 37 | <BV64 ocall_r11_39_64>
 38 | <BV64 ocall_rsi_35_64>
 39 | <BV64 ocall_r13_41_64>
 40 | <BV64 ocall_r14_42_64>
 41 | <BV64 ocall_r15_43_64>
 42 | *********************************
 43 | gadget 1:
 44 | *********************************
 45 | address:
 46 | 0x101e4L
 47 | gtype:
 48 | 3
 49 | regs affected:
 50 | r8
 51 | r9
 52 | r10
 53 | r11
 54 | r12
 55 | r13
 56 | r14
 57 | r15
 58 | regs:
 59 | <BV64 0x0>
 60 | <BV64 0x100>
 61 | <BV64 mem_22a5d8_44_64>
 62 | <BV64 rbp_15_64>
 63 | <BV64 0xffffffffffffff68 + rsp_14_64>
 64 | <BV64 0xffffffffffffff68 + rsp_14_64>
 65 | <BV64 ocall_r8_36_64>
 66 | <BV64 ocall_r9_37_64>
 67 | <BV64 ocall_r10_38_64>
 68 | <BV64 ocall_r11_39_64>
 69 | <BV64 ocall_rsi_35_64>
 70 | <BV64 ocall_r13_41_64>
 71 | <BV64 ocall_r14_42_64>
 72 | <BV64 ocall_r15_43_64>
 73 | *********************************
 74 | gadget 2:
 75 | *********************************
 76 | address:
 77 | 0x7120L
 78 | gtype:
 79 | 3
 80 | regs affected:
 81 | rax
 82 | rdi
 83 | r8
 84 | r9
 85 | r10
 86 | r11
 87 | r12
 88 | r13
 89 | r14
 90 | r15
 91 | regs:
 92 | <BV64 ocall_r15_43_64>
 93 | <BV64 (0xfffffffffffffee7 + rsp_14_64)[63:4] .. 0#4>
 94 | <BV64 mem_22a5d8_44_64>
 95 | <BV64 rbp_15_64>
 96 | <BV64 ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:0] .. 0#4 + mem_22a5a0_48_64>
 97 | <BV64 0xffffffffffffff68 + rsp_14_64>
 98 | <BV64 ocall_r8_36_64>
 99 | <BV64 ocall_r9_37_64>
100 | <BV64 ocall_r10_38_64>
101 | <BV64 ocall_r11_39_64>
102 | <BV64 ocall_rsi_35_64>
103 | <BV64 ocall_r13_41_64>
104 | <BV64 ocall_r14_42_64>
105 | <BV64 ocall_r15_43_64>
106 | *********************************
107 | gadget 3:
108 | *********************************
109 | address:
110 | 0x7120L
111 | gtype:
112 | 3
113 | regs affected:
114 | rdi
115 | r8
116 | r9
117 | r10
118 | r11
119 | r12
120 | r13
121 | r14
122 | r15
123 | regs:
124 | <BV64 mem_ffffffff00000008_57_64>
125 | <BV64 (0xfffffffffffffee7 + rsp_14_64)[63:4] .. 0#4>
126 | <BV64 mem_22a5d8_44_64>
127 | <BV64 rbp_15_64>
128 | <BV64 ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:0] .. 0#4 + mem_22a5a0_50_64>
129 | <BV64 0xffffffffffffff68 + rsp_14_64>
130 | <BV64 ocall_r8_36_64>
131 | <BV64 ocall_r9_37_64>
132 | <BV64 ocall_r10_38_64>
133 | <BV64 ocall_r11_39_64>
134 | <BV64 ocall_rsi_35_64>
135 | <BV64 ocall_r13_41_64>
136 | <BV64 ocall_r14_42_64>
137 | <BV64 ocall_r15_43_64>
138 | *********************************
139 | gadget 4:
140 | *********************************
141 | address:
142 | 0x7120L
143 | gtype:
144 | 3
145 | regs affected:
146 | rdi
147 | r8
148 | r9
149 | r10
150 | r11
151 | r12
152 | r13
153 | r14
154 | r15
155 | regs:
156 | <BV64 mem_fffffffffffffc08_59_64>
157 | <BV64 (0xfffffffffffffee7 + rsp_14_64)[63:4] .. 0#4>
158 | <BV64 mem_22a5d8_44_64>
159 | <BV64 rbp_15_64>
160 | <BV64 ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:0] .. 0#4 + mem_22a5a0_52_64>
161 | <BV64 0xffffffffffffff68 + rsp_14_64>
162 | <BV64 ocall_r8_36_64>
163 | <BV64 ocall_r9_37_64>
164 | <BV64 ocall_r10_38_64>
165 | <BV64 ocall_r11_39_64>
166 | <BV64 ocall_rsi_35_64>
167 | <BV64 ocall_r13_41_64>
168 | <BV64 ocall_r14_42_64>
169 | <BV64 ocall_r15_43_64>
170 | *********************************
171 | gadget 5:
172 | *********************************
173 | address:
174 | 0x7120L
175 | gtype:
176 | 3
177 | regs affected:
178 | rdi
179 | r8
180 | r9
181 | r10
182 | r11
183 | r12
184 | r13
185 | r14
186 | r15
187 | regs:
188 | <BV64 reg_98_16_64[7:6] .. 0#1 .. reg_98_16_64[4:4] .. 0#1 .. reg_98_16_64[2:2] .. 0#1 .. reg_98_16_64[0:0] .. init_r15_13_64[63:8]>
189 | <BV64 (0xfffffffffffffee7 + rsp_14_64)[63:4] .. 0#4>
190 | <BV64 mem_22a5d8_44_64>
191 | <BV64 rbp_15_64>
192 | <BV64 ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:0] .. 0#4 + mem_22a5a0_55_64>
193 | <BV64 0xffffffffffffff68 + rsp_14_64>
194 | <BV64 ocall_r8_36_64>
195 | <BV64 ocall_r9_37_64>
196 | <BV64 ocall_r10_38_64>
197 | <BV64 ocall_r11_39_64>
198 | <BV64 ocall_rsi_35_64>
199 | <BV64 ocall_r13_41_64>
200 | <BV64 ocall_r14_42_64>
201 | <BV64 ocall_r15_43_64>
202 | *********************************
203 | gadget 6:
204 | *********************************
205 | address:
206 | 0x103a5L
207 | gtype:
208 | 3
209 | regs affected:
210 | rdi
211 | r8
212 | r9
213 | r10
214 | r11
215 | r12
216 | r13
217 | r14
218 | r15
219 | regs:
220 | <BV64 mem_fffffffffffffc08_59_64>
221 | <BV64 0x100>
222 | <BV64 mem_22a5d8_44_64>
223 | <BV64 rbp_15_64>
224 | <BV64 ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:0] .. 0#4 + mem_22a5a0_52_64>
225 | <BV64 0xffffffffffffff68 + rsp_14_64>
226 | <BV64 ocall_r8_36_64>
227 | <BV64 ocall_r9_37_64>
228 | <BV64 ocall_r10_38_64>
229 | <BV64 ocall_r11_39_64>
230 | <BV64 ocall_r12_40_64>
231 | <BV64 ocall_r13_41_64>
232 | <BV64 ocall_r14_42_64>
233 | <BV64 ocall_r15_43_64>
234 | *********************************
235 | gadget 7:
236 | *********************************
237 | address:
238 | 0x103a5L
239 | gtype:
240 | 3
241 | regs affected:
242 | rdi
243 | r8
244 | r9
245 | r10
246 | r11
247 | r12
248 | r13
249 | r14
250 | r15
251 | regs:
252 | <BV64 reg_98_16_64[7:6] .. 0#1 .. reg_98_16_64[4:4] .. 0#1 .. reg_98_16_64[2:2] .. 0#1 .. reg_98_16_64[0:0] .. init_r15_13_64[63:8]>
253 | <BV64 0x100>
254 | <BV64 mem_22a5d8_44_64>
255 | <BV64 rbp_15_64>
256 | <BV64 ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:31] .. ocall_rsi_35_64[31:0] .. 0#4 + mem_22a5a0_55_64>
257 | <BV64 0xffffffffffffff68 + rsp_14_64>
258 | <BV64 ocall_r8_36_64>
259 | <BV64 ocall_r9_37_64>
260 | <BV64 ocall_r10_38_64>
261 | <BV64 ocall_r11_39_64>
262 | <BV64 ocall_r12_40_64>
263 | <BV64 ocall_r13_41_64>
264 | <BV64 ocall_r14_42_64>
265 | <BV64 ocall_r15_43_64>
266 | *********************************
267 | gadget 8:
268 | *********************************
269 | address:
270 | 0x10220L
271 | gtype:
272 | 2
273 | regs affected:
274 | rax
275 | r9
276 | r10
277 | r11
278 | r12
279 | r13
280 | r14
281 | r15
282 | regs:
283 | <BV64 ocall_r15_43_64>
284 | <BV64 (0xfffffffffffffee7 + rsp_14_64)[63:4] .. 0#4>
285 | <BV64 (0xfffffffffffffee7 + rsp_14_64)[63:4] .. 0#4>
286 | <BV64 0x0>
287 | <BV64 0xfffffffffffffea8 + rsp_14_64>
288 | <BV64 0x0>
289 | <BV64 0x0>
290 | <BV64 ocall_r9_37_64>
291 | <BV64 ocall_r10_38_64>
292 | <BV64 ocall_r11_39_64>
293 | <BV64 ocall_rsi_35_64>
294 | <BV64 ocall_r13_41_64>
295 | <BV64 ocall_r14_42_64>
296 | <BV64 ocall_r15_43_64>
297 | *********************************
298 | *********************************
299 | 7.995234 seconds.
300 | *********************************
301 | *********************************
302 | 
303 | 


--------------------------------------------------------------------------------
/type1ocallfinder/results/RUST-SGX-SDK:
--------------------------------------------------------------------------------
  1 | *********************************
  2 | *********************************
  3 | *********************************
  4 | *************RESULTS:************
  5 | *********************************
  6 | *********************************
  7 | *********************************
  8 | *********************************
  9 | *************gadgets:************
 10 | *********************************
 11 | *********************************
 12 | gadget 0:
 13 | *********************************
 14 | address:
 15 | 0x4065a7L
 16 | gtype:
 17 | 3
 18 | regs affected:
 19 | rdx
 20 | rdi
 21 | r8
 22 | r9
 23 | r10
 24 | r11
 25 | r12
 26 | r14
 27 | r15
 28 | regs:
 29 | <BV64 0x0>
 30 | <BV64 0xfffffffe>
 31 | <BV64 0x6520c8>
 32 | <BV64 ocall_rbx_88_64>
 33 | <BV64 Reverse(0xfeffffff#32 .. Reverse(ocall_rdi_91_64)[31:0])>
 34 | <BV64 0x0>
 35 | <BV64 ocall_r8_93_64>
 36 | <BV64 ocall_r9_94_64>
 37 | <BV64 ocall_r10_95_64>
 38 | <BV64 ocall_r11_96_64>
 39 | <BV64 ocall_rbx_88_64>
 40 | <BV64 0x0>
 41 | <BV64 ocall_r14_99_64>
 42 | <BV64 ocall_r15_100_64>
 43 | *********************************
 44 | gadget 1:
 45 | *********************************
 46 | address:
 47 | 0x4065a7L
 48 | gtype:
 49 | 3
 50 | regs affected:
 51 | rdx
 52 | rdi
 53 | r8
 54 | r9
 55 | r10
 56 | r11
 57 | r12
 58 | r14
 59 | r15
 60 | regs:
 61 | <BV64 0x0>
 62 | <BV64 0xfffffffe>
 63 | <BV64 0x6520c8>
 64 | <BV64 ocall_rbx_102_64>
 65 | <BV64 Reverse(0xfeffffff#32 .. Reverse(ocall_rdi_105_64)[31:0])>
 66 | <BV64 0x0>
 67 | <BV64 ocall_r8_107_64>
 68 | <BV64 ocall_r9_108_64>
 69 | <BV64 ocall_r10_109_64>
 70 | <BV64 ocall_r11_110_64>
 71 | <BV64 ocall_rbx_102_64>
 72 | <BV64 0x0>
 73 | <BV64 ocall_r14_113_64>
 74 | <BV64 ocall_r15_114_64>
 75 | *********************************
 76 | gadget 2:
 77 | *********************************
 78 | address:
 79 | 0x4065a7L
 80 | gtype:
 81 | 3
 82 | regs affected:
 83 | rdx
 84 | rdi
 85 | r8
 86 | r9
 87 | r10
 88 | r11
 89 | r12
 90 | r14
 91 | r15
 92 | regs:
 93 | <BV64 0x0>
 94 | <BV64 0xfffffffe>
 95 | <BV64 0x6520c8>
 96 | <BV64 ocall_rbx_116_64>
 97 | <BV64 Reverse(0xfeffffff#32 .. Reverse(ocall_rdi_119_64)[31:0])>
 98 | <BV64 0x0>
 99 | <BV64 ocall_r8_121_64>
100 | <BV64 ocall_r9_122_64>
101 | <BV64 ocall_r10_123_64>
102 | <BV64 ocall_r11_124_64>
103 | <BV64 ocall_rbx_116_64>
104 | <BV64 0x0>
105 | <BV64 ocall_r14_127_64>
106 | <BV64 ocall_r15_128_64>
107 | *********************************
108 | gadget 3:
109 | *********************************
110 | address:
111 | 0x4065a7L
112 | gtype:
113 | 3
114 | regs affected:
115 | rdx
116 | rdi
117 | r8
118 | r9
119 | r10
120 | r11
121 | r12
122 | r14
123 | r15
124 | regs:
125 | <BV64 0x0>
126 | <BV64 0xfffffffe>
127 | <BV64 0x6520c8>
128 | <BV64 ocall_rbx_130_64>
129 | <BV64 Reverse(0xfeffffff#32 .. Reverse(ocall_rdi_133_64)[31:0])>
130 | <BV64 0x0>
131 | <BV64 ocall_r8_135_64>
132 | <BV64 ocall_r9_136_64>
133 | <BV64 ocall_r10_137_64>
134 | <BV64 ocall_r11_138_64>
135 | <BV64 ocall_rbx_130_64>
136 | <BV64 0x0>
137 | <BV64 ocall_r14_141_64>
138 | <BV64 ocall_r15_142_64>
139 | *********************************
140 | gadget 4:
141 | *********************************
142 | address:
143 | 0x4065a7L
144 | gtype:
145 | 3
146 | regs affected:
147 | rdx
148 | rdi
149 | r8
150 | r9
151 | r10
152 | r11
153 | r12
154 | r14
155 | r15
156 | regs:
157 | <BV64 0x0>
158 | <BV64 0xfffffffe>
159 | <BV64 0x6520c8>
160 | <BV64 ocall_rbx_144_64>
161 | <BV64 Reverse(0xfeffffff#32 .. Reverse(ocall_rdi_147_64)[31:0])>
162 | <BV64 0x0>
163 | <BV64 ocall_r8_149_64>
164 | <BV64 ocall_r9_150_64>
165 | <BV64 ocall_r10_151_64>
166 | <BV64 ocall_r11_152_64>
167 | <BV64 ocall_rbx_144_64>
168 | <BV64 0x0>
169 | <BV64 ocall_r14_155_64>
170 | <BV64 ocall_r15_156_64>
171 | *********************************
172 | gadget 5:
173 | *********************************
174 | address:
175 | 0x4065a7L
176 | gtype:
177 | 3
178 | regs affected:
179 | rdx
180 | rdi
181 | r8
182 | r9
183 | r10
184 | r11
185 | r12
186 | r14
187 | r15
188 | regs:
189 | <BV64 0x0>
190 | <BV64 0xfffffffe>
191 | <BV64 0x6520c8>
192 | <BV64 ocall_rbx_158_64>
193 | <BV64 Reverse(0xfeffffff#32 .. Reverse(ocall_rdi_161_64)[31:0])>
194 | <BV64 0x0>
195 | <BV64 ocall_r8_163_64>
196 | <BV64 ocall_r9_164_64>
197 | <BV64 ocall_r10_165_64>
198 | <BV64 ocall_r11_166_64>
199 | <BV64 ocall_rbx_158_64>
200 | <BV64 0x0>
201 | <BV64 ocall_r14_169_64>
202 | <BV64 ocall_r15_170_64>
203 | *********************************
204 | gadget 6:
205 | *********************************
206 | address:
207 | 0x4065d7L
208 | gtype:
209 | 3
210 | regs affected:
211 | r8
212 | r9
213 | r10
214 | r11
215 | r12
216 | r14
217 | r15
218 | regs:
219 | <BV64 0x7f000000>
220 | <BV64 0x0>
221 | <BV64 0x6520c8>
222 | <BV64 0x1006>
223 | <BV64 0x0>
224 | <BV64 0x0>
225 | <BV64 ocall_r8_93_64>
226 | <BV64 ocall_r9_94_64>
227 | <BV64 ocall_r10_95_64>
228 | <BV64 ocall_r11_96_64>
229 | <BV64 ocall_rbx_88_64>
230 | <BV64 0x0>
231 | <BV64 ocall_r14_99_64>
232 | <BV64 ocall_r15_100_64>
233 | *********************************
234 | gadget 7:
235 | *********************************
236 | address:
237 | 0x4065d7L
238 | gtype:
239 | 3
240 | regs affected:
241 | r8
242 | r9
243 | r10
244 | r11
245 | r12
246 | r14
247 | r15
248 | regs:
249 | <BV64 0x7f000000>
250 | <BV64 0x0>
251 | <BV64 0x6520c8>
252 | <BV64 0x1006>
253 | <BV64 0x0>
254 | <BV64 0x0>
255 | <BV64 ocall_r8_107_64>
256 | <BV64 ocall_r9_108_64>
257 | <BV64 ocall_r10_109_64>
258 | <BV64 ocall_r11_110_64>
259 | <BV64 ocall_rbx_102_64>
260 | <BV64 0x0>
261 | <BV64 ocall_r14_113_64>
262 | <BV64 ocall_r15_114_64>
263 | *********************************
264 | gadget 8:
265 | *********************************
266 | address:
267 | 0x4065d7L
268 | gtype:
269 | 3
270 | regs affected:
271 | r8
272 | r9
273 | r10
274 | r11
275 | r12
276 | r14
277 | r15
278 | regs:
279 | <BV64 0x7f000000>
280 | <BV64 0x0>
281 | <BV64 0x6520c8>
282 | <BV64 0x1006>
283 | <BV64 0x0>
284 | <BV64 0x0>
285 | <BV64 ocall_r8_121_64>
286 | <BV64 ocall_r9_122_64>
287 | <BV64 ocall_r10_123_64>
288 | <BV64 ocall_r11_124_64>
289 | <BV64 ocall_rbx_116_64>
290 | <BV64 0x0>
291 | <BV64 ocall_r14_127_64>
292 | <BV64 ocall_r15_128_64>
293 | *********************************
294 | gadget 9:
295 | *********************************
296 | address:
297 | 0x4065d7L
298 | gtype:
299 | 3
300 | regs affected:
301 | r8
302 | r9
303 | r10
304 | r11
305 | r12
306 | r14
307 | r15
308 | regs:
309 | <BV64 0x7f000000>
310 | <BV64 0x0>
311 | <BV64 0x6520c8>
312 | <BV64 0x1006>
313 | <BV64 0x0>
314 | <BV64 0x0>
315 | <BV64 ocall_r8_135_64>
316 | <BV64 ocall_r9_136_64>
317 | <BV64 ocall_r10_137_64>
318 | <BV64 ocall_r11_138_64>
319 | <BV64 ocall_rbx_130_64>
320 | <BV64 0x0>
321 | <BV64 ocall_r14_141_64>
322 | <BV64 ocall_r15_142_64>
323 | *********************************
324 | gadget 10:
325 | *********************************
326 | address:
327 | 0x4065d7L
328 | gtype:
329 | 3
330 | regs affected:
331 | r8
332 | r9
333 | r10
334 | r11
335 | r12
336 | r14
337 | r15
338 | regs:
339 | <BV64 0x7f000000>
340 | <BV64 0x0>
341 | <BV64 0x6520c8>
342 | <BV64 0x1006>
343 | <BV64 0x0>
344 | <BV64 0x0>
345 | <BV64 ocall_r8_149_64>
346 | <BV64 ocall_r9_150_64>
347 | <BV64 ocall_r10_151_64>
348 | <BV64 ocall_r11_152_64>
349 | <BV64 ocall_rbx_144_64>
350 | <BV64 0x0>
351 | <BV64 ocall_r14_155_64>
352 | <BV64 ocall_r15_156_64>
353 | *********************************
354 | gadget 11:
355 | *********************************
356 | address:
357 | 0x4065d7L
358 | gtype:
359 | 3
360 | regs affected:
361 | r8
362 | r9
363 | r10
364 | r11
365 | r12
366 | r14
367 | r15
368 | regs:
369 | <BV64 0x7f000000>
370 | <BV64 0x0>
371 | <BV64 0x6520c8>
372 | <BV64 0x1006>
373 | <BV64 0x0>
374 | <BV64 0x0>
375 | <BV64 ocall_r8_163_64>
376 | <BV64 ocall_r9_164_64>
377 | <BV64 ocall_r10_165_64>
378 | <BV64 ocall_r11_166_64>
379 | <BV64 ocall_rbx_158_64>
380 | <BV64 0x0>
381 | <BV64 ocall_r14_169_64>
382 | <BV64 ocall_r15_170_64>
383 | *********************************
384 | gadget 12:
385 | *********************************
386 | address:
387 | 0x405b17L
388 | gtype:
389 | 3
390 | regs affected:
391 | r8
392 | r9
393 | r10
394 | r11
395 | r12
396 | r14
397 | r15
398 | regs:
399 | <BV64 0x0>
400 | <BV64 0xfffffffffffffec8 + (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6>
401 | <BV64 (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6>
402 | <BV64 mem_7f000010_34_64>
403 | <BV64 (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6>
404 | <BV64 0x0>
405 | <BV64 ocall_r8_135_64>
406 | <BV64 ocall_r9_136_64>
407 | <BV64 ocall_r10_137_64>
408 | <BV64 ocall_r11_138_64>
409 | <BV64 ocall_rbx_130_64>
410 | <BV64 0x0>
411 | <BV64 ocall_r14_141_64>
412 | <BV64 ocall_r15_142_64>
413 | *********************************
414 | gadget 13:
415 | *********************************
416 | address:
417 | 0x405b17L
418 | gtype:
419 | 3
420 | regs affected:
421 | r8
422 | r9
423 | r10
424 | r11
425 | r12
426 | r14
427 | r15
428 | regs:
429 | <BV64 0x0>
430 | <BV64 0xfffffffffffffec8 + (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6>
431 | <BV64 (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6>
432 | <BV64 mem_7f000010_39_64>
433 | <BV64 (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6>
434 | <BV64 0x0>
435 | <BV64 ocall_r8_163_64>
436 | <BV64 ocall_r9_164_64>
437 | <BV64 ocall_r10_165_64>
438 | <BV64 ocall_r11_166_64>
439 | <BV64 ocall_rbx_158_64>
440 | <BV64 0x0>
441 | <BV64 ocall_r14_169_64>
442 | <BV64 ocall_r15_170_64>
443 | *********************************
444 | gadget 14:
445 | *********************************
446 | address:
447 | 0x406827L
448 | gtype:
449 | 3
450 | regs affected:
451 | r8
452 | r9
453 | r10
454 | r11
455 | regs:
456 | <BV64 0x0>
457 | <BV64 init_rbx_1_64>
458 | <BV64 0#2 .. __add__(0xffffffffffffffc0, rsp_14_64, (0xffffffffffffffff * (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6))[63:2]>
459 | <BV64 mem_7f000010_34_64>
460 | <BV64 0x0#32 .. init_rdi_4_64[31:0]>
461 | <BV64 init_rsi_5_64>
462 | <BV64 ocall_r8_135_64>
463 | <BV64 ocall_r9_136_64>
464 | <BV64 ocall_r10_137_64>
465 | <BV64 ocall_r11_138_64>
466 | <BV64 init_r12_10_64>
467 | <BV64 init_r13_11_64>
468 | <BV64 init_r14_12_64>
469 | <BV64 init_r15_13_64>
470 | *********************************
471 | gadget 15:
472 | *********************************
473 | address:
474 | 0x4067c2L
475 | gtype:
476 | 3
477 | regs affected:
478 | r8
479 | r9
480 | r10
481 | r11
482 | regs:
483 | <BV64 0x0>
484 | <BV64 init_rbx_1_64>
485 | <BV64 0#2 .. __add__(0xffffffffffffffc0, rsp_14_64, (0xffffffffffffffff * (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6))[63:2]>
486 | <BV64 mem_7f000010_34_64>
487 | <BV64 0x0#32 .. init_rdi_4_64[31:0]>
488 | <BV64 init_rsi_5_64>
489 | <BV64 ocall_r8_135_64>
490 | <BV64 ocall_r9_136_64>
491 | <BV64 ocall_r10_137_64>
492 | <BV64 ocall_r11_138_64>
493 | <BV64 init_r12_10_64>
494 | <BV64 init_r13_11_64>
495 | <BV64 init_r14_12_64>
496 | <BV64 init_r15_13_64>
497 | *********************************
498 | gadget 16:
499 | *********************************
500 | address:
501 | 0x406827L
502 | gtype:
503 | 3
504 | regs affected:
505 | r8
506 | r9
507 | r10
508 | r11
509 | regs:
510 | <BV64 0x0>
511 | <BV64 init_rbx_1_64>
512 | <BV64 0#2 .. __add__(0xffffffffffffffc0, rsp_14_64, (0xffffffffffffffff * (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6))[63:2]>
513 | <BV64 mem_7f000010_39_64>
514 | <BV64 0x0#32 .. init_rdi_4_64[31:0]>
515 | <BV64 init_rsi_5_64>
516 | <BV64 ocall_r8_163_64>
517 | <BV64 ocall_r9_164_64>
518 | <BV64 ocall_r10_165_64>
519 | <BV64 ocall_r11_166_64>
520 | <BV64 init_r12_10_64>
521 | <BV64 init_r13_11_64>
522 | <BV64 init_r14_12_64>
523 | <BV64 init_r15_13_64>
524 | *********************************
525 | gadget 17:
526 | *********************************
527 | address:
528 | 0x4067c2L
529 | gtype:
530 | 3
531 | regs affected:
532 | r8
533 | r9
534 | r10
535 | r11
536 | regs:
537 | <BV64 0x0>
538 | <BV64 init_rbx_1_64>
539 | <BV64 0#2 .. __add__(0xffffffffffffffc0, rsp_14_64, (0xffffffffffffffff * (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6))[63:2]>
540 | <BV64 mem_7f000010_39_64>
541 | <BV64 0x0#32 .. init_rdi_4_64[31:0]>
542 | <BV64 init_rsi_5_64>
543 | <BV64 ocall_r8_163_64>
544 | <BV64 ocall_r9_164_64>
545 | <BV64 ocall_r10_165_64>
546 | <BV64 ocall_r11_166_64>
547 | <BV64 init_r12_10_64>
548 | <BV64 init_r13_11_64>
549 | <BV64 init_r14_12_64>
550 | <BV64 init_r15_13_64>
551 | 
552 | 


--------------------------------------------------------------------------------
/type1ocallfinder/results/SGX_SDK:
--------------------------------------------------------------------------------
  1 | *********************************
  2 | *********************************
  3 | *********************************
  4 | *************RESULTS:************
  5 | *********************************
  6 | *********************************
  7 | *********************************
  8 | *********************************
  9 | *************gadgets:************
 10 | *********************************
 11 | *********************************
 12 | gadget 0:
 13 | *********************************
 14 | address:
 15 | 0x404967L
 16 | gtype:
 17 | 3
 18 | regs affected:
 19 | rdx
 20 | rdi
 21 | r8
 22 | r9
 23 | r10
 24 | r11
 25 | r12
 26 | r14
 27 | r15
 28 | regs:
 29 | <BV64 0x0>
 30 | <BV64 0xfffffffe>
 31 | <BV64 0x624ec8>
 32 | <BV64 ocall_rbx_92_64>
 33 | <BV64 Reverse(0xfeffffff#32 .. Reverse(ocall_rdi_95_64)[31:0])>
 34 | <BV64 0x0>
 35 | <BV64 ocall_r8_97_64>
 36 | <BV64 ocall_r9_98_64>
 37 | <BV64 ocall_r10_99_64>
 38 | <BV64 ocall_r11_100_64>
 39 | <BV64 ocall_rbx_92_64>
 40 | <BV64 0x0>
 41 | <BV64 ocall_r14_103_64>
 42 | <BV64 ocall_r15_104_64>
 43 | *********************************
 44 | gadget 1:
 45 | *********************************
 46 | address:
 47 | 0x404967L
 48 | gtype:
 49 | 3
 50 | regs affected:
 51 | rdx
 52 | rdi
 53 | r8
 54 | r9
 55 | r10
 56 | r11
 57 | r12
 58 | r14
 59 | r15
 60 | regs:
 61 | <BV64 0x0>
 62 | <BV64 0xfffffffe>
 63 | <BV64 0x624ec8>
 64 | <BV64 ocall_rbx_106_64>
 65 | <BV64 Reverse(0xfeffffff#32 .. Reverse(ocall_rdi_109_64)[31:0])>
 66 | <BV64 0x0>
 67 | <BV64 ocall_r8_111_64>
 68 | <BV64 ocall_r9_112_64>
 69 | <BV64 ocall_r10_113_64>
 70 | <BV64 ocall_r11_114_64>
 71 | <BV64 ocall_rbx_106_64>
 72 | <BV64 0x0>
 73 | <BV64 ocall_r14_117_64>
 74 | <BV64 ocall_r15_118_64>
 75 | *********************************
 76 | gadget 2:
 77 | *********************************
 78 | address:
 79 | 0x404967L
 80 | gtype:
 81 | 3
 82 | regs affected:
 83 | rdx
 84 | rdi
 85 | r8
 86 | r9
 87 | r10
 88 | r11
 89 | r12
 90 | r14
 91 | r15
 92 | regs:
 93 | <BV64 0x0>
 94 | <BV64 0xfffffffe>
 95 | <BV64 0x624ec8>
 96 | <BV64 ocall_rbx_120_64>
 97 | <BV64 Reverse(0xfeffffff#32 .. Reverse(ocall_rdi_123_64)[31:0])>
 98 | <BV64 0x0>
 99 | <BV64 ocall_r8_125_64>
100 | <BV64 ocall_r9_126_64>
101 | <BV64 ocall_r10_127_64>
102 | <BV64 ocall_r11_128_64>
103 | <BV64 ocall_rbx_120_64>
104 | <BV64 0x0>
105 | <BV64 ocall_r14_131_64>
106 | <BV64 ocall_r15_132_64>
107 | *********************************
108 | gadget 3:
109 | *********************************
110 | address:
111 | 0x404967L
112 | gtype:
113 | 3
114 | regs affected:
115 | rdx
116 | rdi
117 | r8
118 | r9
119 | r10
120 | r11
121 | r12
122 | r14
123 | r15
124 | regs:
125 | <BV64 0x0>
126 | <BV64 0xfffffffe>
127 | <BV64 0x624ec8>
128 | <BV64 ocall_rbx_134_64>
129 | <BV64 Reverse(0xfeffffff#32 .. Reverse(ocall_rdi_137_64)[31:0])>
130 | <BV64 0x0>
131 | <BV64 ocall_r8_139_64>
132 | <BV64 ocall_r9_140_64>
133 | <BV64 ocall_r10_141_64>
134 | <BV64 ocall_r11_142_64>
135 | <BV64 ocall_rbx_134_64>
136 | <BV64 0x0>
137 | <BV64 ocall_r14_145_64>
138 | <BV64 ocall_r15_146_64>
139 | *********************************
140 | gadget 4:
141 | *********************************
142 | address:
143 | 0x404967L
144 | gtype:
145 | 3
146 | regs affected:
147 | rdx
148 | rdi
149 | r8
150 | r9
151 | r10
152 | r11
153 | r12
154 | r14
155 | r15
156 | regs:
157 | <BV64 0x0>
158 | <BV64 0xfffffffe>
159 | <BV64 0x624ec8>
160 | <BV64 ocall_rbx_148_64>
161 | <BV64 Reverse(0xfeffffff#32 .. Reverse(ocall_rdi_151_64)[31:0])>
162 | <BV64 0x0>
163 | <BV64 ocall_r8_153_64>
164 | <BV64 ocall_r9_154_64>
165 | <BV64 ocall_r10_155_64>
166 | <BV64 ocall_r11_156_64>
167 | <BV64 ocall_rbx_148_64>
168 | <BV64 0x0>
169 | <BV64 ocall_r14_159_64>
170 | <BV64 ocall_r15_160_64>
171 | *********************************
172 | gadget 5:
173 | *********************************
174 | address:
175 | 0x404967L
176 | gtype:
177 | 3
178 | regs affected:
179 | rdx
180 | rdi
181 | r8
182 | r9
183 | r10
184 | r11
185 | r12
186 | r14
187 | r15
188 | regs:
189 | <BV64 0x0>
190 | <BV64 0xfffffffe>
191 | <BV64 0x624ec8>
192 | <BV64 ocall_rbx_162_64>
193 | <BV64 Reverse(0xfeffffff#32 .. Reverse(ocall_rdi_165_64)[31:0])>
194 | <BV64 0x0>
195 | <BV64 ocall_r8_167_64>
196 | <BV64 ocall_r9_168_64>
197 | <BV64 ocall_r10_169_64>
198 | <BV64 ocall_r11_170_64>
199 | <BV64 ocall_rbx_162_64>
200 | <BV64 0x0>
201 | <BV64 ocall_r14_173_64>
202 | <BV64 ocall_r15_174_64>
203 | *********************************
204 | gadget 6:
205 | *********************************
206 | address:
207 | 0x404997L
208 | gtype:
209 | 3
210 | regs affected:
211 | r8
212 | r9
213 | r10
214 | r11
215 | r12
216 | r14
217 | r15
218 | regs:
219 | <BV64 0x7f000000>
220 | <BV64 0x0>
221 | <BV64 0x624ec8>
222 | <BV64 0x1006>
223 | <BV64 0x0>
224 | <BV64 0x0>
225 | <BV64 ocall_r8_97_64>
226 | <BV64 ocall_r9_98_64>
227 | <BV64 ocall_r10_99_64>
228 | <BV64 ocall_r11_100_64>
229 | <BV64 ocall_rbx_92_64>
230 | <BV64 0x0>
231 | <BV64 ocall_r14_103_64>
232 | <BV64 ocall_r15_104_64>
233 | *********************************
234 | gadget 7:
235 | *********************************
236 | address:
237 | 0x404997L
238 | gtype:
239 | 3
240 | regs affected:
241 | r8
242 | r9
243 | r10
244 | r11
245 | r12
246 | r14
247 | r15
248 | regs:
249 | <BV64 0x7f000000>
250 | <BV64 0x0>
251 | <BV64 0x624ec8>
252 | <BV64 0x1006>
253 | <BV64 0x0>
254 | <BV64 0x0>
255 | <BV64 ocall_r8_111_64>
256 | <BV64 ocall_r9_112_64>
257 | <BV64 ocall_r10_113_64>
258 | <BV64 ocall_r11_114_64>
259 | <BV64 ocall_rbx_106_64>
260 | <BV64 0x0>
261 | <BV64 ocall_r14_117_64>
262 | <BV64 ocall_r15_118_64>
263 | *********************************
264 | gadget 8:
265 | *********************************
266 | address:
267 | 0x404997L
268 | gtype:
269 | 3
270 | regs affected:
271 | r8
272 | r9
273 | r10
274 | r11
275 | r12
276 | r14
277 | r15
278 | regs:
279 | <BV64 0x7f000000>
280 | <BV64 0x0>
281 | <BV64 0x624ec8>
282 | <BV64 0x1006>
283 | <BV64 0x0>
284 | <BV64 0x0>
285 | <BV64 ocall_r8_125_64>
286 | <BV64 ocall_r9_126_64>
287 | <BV64 ocall_r10_127_64>
288 | <BV64 ocall_r11_128_64>
289 | <BV64 ocall_rbx_120_64>
290 | <BV64 0x0>
291 | <BV64 ocall_r14_131_64>
292 | <BV64 ocall_r15_132_64>
293 | *********************************
294 | gadget 9:
295 | *********************************
296 | address:
297 | 0x404997L
298 | gtype:
299 | 3
300 | regs affected:
301 | r8
302 | r9
303 | r10
304 | r11
305 | r12
306 | r14
307 | r15
308 | regs:
309 | <BV64 0x7f000000>
310 | <BV64 0x0>
311 | <BV64 0x624ec8>
312 | <BV64 0x1006>
313 | <BV64 0x0>
314 | <BV64 0x0>
315 | <BV64 ocall_r8_139_64>
316 | <BV64 ocall_r9_140_64>
317 | <BV64 ocall_r10_141_64>
318 | <BV64 ocall_r11_142_64>
319 | <BV64 ocall_rbx_134_64>
320 | <BV64 0x0>
321 | <BV64 ocall_r14_145_64>
322 | <BV64 ocall_r15_146_64>
323 | *********************************
324 | gadget 10:
325 | *********************************
326 | address:
327 | 0x404997L
328 | gtype:
329 | 3
330 | regs affected:
331 | r8
332 | r9
333 | r10
334 | r11
335 | r12
336 | r14
337 | r15
338 | regs:
339 | <BV64 0x7f000000>
340 | <BV64 0x0>
341 | <BV64 0x624ec8>
342 | <BV64 0x1006>
343 | <BV64 0x0>
344 | <BV64 0x0>
345 | <BV64 ocall_r8_153_64>
346 | <BV64 ocall_r9_154_64>
347 | <BV64 ocall_r10_155_64>
348 | <BV64 ocall_r11_156_64>
349 | <BV64 ocall_rbx_148_64>
350 | <BV64 0x0>
351 | <BV64 ocall_r14_159_64>
352 | <BV64 ocall_r15_160_64>
353 | *********************************
354 | gadget 11:
355 | *********************************
356 | address:
357 | 0x404997L
358 | gtype:
359 | 3
360 | regs affected:
361 | r8
362 | r9
363 | r10
364 | r11
365 | r12
366 | r14
367 | r15
368 | regs:
369 | <BV64 0x7f000000>
370 | <BV64 0x0>
371 | <BV64 0x624ec8>
372 | <BV64 0x1006>
373 | <BV64 0x0>
374 | <BV64 0x0>
375 | <BV64 ocall_r8_167_64>
376 | <BV64 ocall_r9_168_64>
377 | <BV64 ocall_r10_169_64>
378 | <BV64 ocall_r11_170_64>
379 | <BV64 ocall_rbx_162_64>
380 | <BV64 0x0>
381 | <BV64 ocall_r14_173_64>
382 | <BV64 ocall_r15_174_64>
383 | *********************************
384 | gadget 12:
385 | *********************************
386 | address:
387 | 0x403d97L
388 | gtype:
389 | 3
390 | regs affected:
391 | r8
392 | r9
393 | r10
394 | r11
395 | r12
396 | r14
397 | r15
398 | regs:
399 | <BV64 0x0>
400 | <BV64 0xfffffffffffffec8 + (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6>
401 | <BV64 (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6>
402 | <BV64 mem_7f000010_28_64>
403 | <BV64 (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6>
404 | <BV64 0x0>
405 | <BV64 ocall_r8_111_64>
406 | <BV64 ocall_r9_112_64>
407 | <BV64 ocall_r10_113_64>
408 | <BV64 ocall_r11_114_64>
409 | <BV64 ocall_rbx_106_64>
410 | <BV64 0x0>
411 | <BV64 ocall_r14_117_64>
412 | <BV64 ocall_r15_118_64>
413 | *********************************
414 | gadget 13:
415 | *********************************
416 | address:
417 | 0x404be7L
418 | gtype:
419 | 3
420 | regs affected:
421 | r8
422 | r9
423 | r10
424 | r11
425 | regs:
426 | <BV64 0x0>
427 | <BV64 init_rbx_1_64>
428 | <BV64 0#2 .. __add__(0xffffffffffffffc0, rsp_14_64, (0xffffffffffffffff * (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6))[63:2]>
429 | <BV64 mem_7f000010_28_64>
430 | <BV64 0x0#32 .. init_rdi_4_64[31:0]>
431 | <BV64 init_rsi_5_64>
432 | <BV64 ocall_r8_111_64>
433 | <BV64 ocall_r9_112_64>
434 | <BV64 ocall_r10_113_64>
435 | <BV64 ocall_r11_114_64>
436 | <BV64 init_r12_10_64>
437 | <BV64 init_r13_11_64>
438 | <BV64 init_r14_12_64>
439 | <BV64 init_r15_13_64>
440 | *********************************
441 | gadget 14:
442 | *********************************
443 | address:
444 | 0x404b82L
445 | gtype:
446 | 3
447 | regs affected:
448 | r8
449 | r9
450 | r10
451 | r11
452 | regs:
453 | <BV64 0x0>
454 | <BV64 init_rbx_1_64>
455 | <BV64 0#2 .. __add__(0xffffffffffffffc0, rsp_14_64, (0xffffffffffffffff * (0xfffffffffffffec8 + rsp_14_64)[63:6] .. 0#6))[63:2]>
456 | <BV64 mem_7f000010_28_64>
457 | <BV64 0x0#32 .. init_rdi_4_64[31:0]>
458 | <BV64 init_rsi_5_64>
459 | <BV64 ocall_r8_111_64>
460 | <BV64 ocall_r9_112_64>
461 | <BV64 ocall_r10_113_64>
462 | <BV64 ocall_r11_114_64>
463 | <BV64 init_r12_10_64>
464 | <BV64 init_r13_11_64>
465 | <BV64 init_r14_12_64>
466 | <BV64 init_r15_13_64>
467 | 
468 | 


--------------------------------------------------------------------------------
/type1ocallfinder/test.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | #
  4 | # SGX SDK
  5 | #
  6 | #python main.py "./libenclave.signed.so" 0x404b74
  7 | #python main.py "./libenclave.signed.so" 0x4033d9
  8 | #python main.py "./libenclave.signed.so" 0x401402
  9 | 
 10 | # sgx_ocall:
 11 | #python main.py "./libenclave.signed.so" 0x403380
 12 | 
 13 | #
 14 | # Rust-SGX
 15 | #
 16 | #python main.py "./enclave.signed.so" 0x4052d0
 17 | #python main.py "./enclave.signed.so" 0x4067b4
 18 | 
 19 | # sgx_ocall:
 20 | #python main.py "./enclave.signed.so" 0x4052d0
 21 | 
 22 | 
 23 | 
 24 | #
 25 | # Graphene-SGX
 26 | #
 27 | 
 28 | # sgx_ocall
 29 | python main.py "./libpal-Linux-SGX.so" 0x151ed
 30 | 
 31 | # ocall No.1
 32 | # ocall_exit
 33 | #python main.py "./libpal-Linux-SGX.so" 0x10d20
 34 | 
 35 | # ocall No.2
 36 | # ocall_print_string
 37 | #python main.py "./libpal-Linux-SGX.so" 0x10d40
 38 | 
 39 | # ocall No.3
 40 | # ocall_alloc_untrusted
 41 | #python main.py "./libpal-Linux-SGX.so" 0x10df0
 42 | 
 43 | # ocall No.4
 44 | # ocall_map_untrusted
 45 | #python main.py "./libpal-Linux-SGX.so" 0x10e70
 46 | 
 47 | # ocall No.5
 48 | # ocall_unmap_untrusted
 49 | #python main.py "./libpal-Linux-SGX.so" 0x10f10
 50 | 
 51 | # ocall No.6
 52 | # ocall_cpuid
 53 | #python main.py "./libpal-Linux-SGX.so" 0x10f80
 54 | 
 55 | # ocall No.7
 56 | # ocall_open
 57 | 
 58 | ###python main.py "./libpal-Linux-SGX.so" 0x11010
 59 | 
 60 | 
 61 | # ocall No.8
 62 | # ocall_close
 63 | #python main.py "./libpal-Linux-SGX.so" 0x110d0
 64 | 
 65 | 
 66 | 
 67 | # ocall No.9
 68 | # ocall_read
 69 | ###python main.py "./libpal-Linux-SGX.so" 0x11120
 70 | 
 71 | # ocall No.10
 72 | # ocall_write
 73 | ###python main.py "./libpal-Linux-SGX.so" 0x11220
 74 | 
 75 | # ocall No.11
 76 | # ocall_fstat
 77 | #python main.py "./libpal-Linux-SGX.so" 0x11340
 78 | 
 79 | # ocall No.12
 80 | # ocall_fionread
 81 | #python main.py "./libpal-Linux-SGX.so" 0x113b0
 82 | 
 83 | # ocall No.13
 84 | # ocall_fsetnonblock
 85 | #python main.py "./libpal-Linux-SGX.so" 0x11400
 86 | 
 87 | # ocall No.14
 88 | # ocall_fchmod
 89 | #python main.py "./libpal-Linux-SGX.so" 0x11450
 90 | 
 91 | # ocall No.15
 92 | # ocall_fsync
 93 | #python main.py "./libpal-Linux-SGX.so" 0x114a0
 94 | 
 95 | # ocall No.16
 96 | # ocall_ftruncate
 97 | #python main.py "./libpal-Linux-SGX.so" 0x114f0
 98 | 
 99 | # ocall No.17
100 | # ocall_mkdir
101 | ###python main.py "./libpal-Linux-SGX.so" 0x11540
102 | 
103 | # ocall No.18
104 | # ocall_getdents
105 | #python main.py "./libpal-Linux-SGX.so" 0x115f0
106 | 
107 | # ocall No.19
108 | # ocall_wake_thread
109 | #python main.py "./libpal-Linux-SGX.so" 0x116c0
110 | 
111 | # ocall No.20
112 | # ocall_create_process
113 | ###python main.py "./libpal-Linux-SGX.so" 0x116e0
114 | 
115 | # ocall No.21
116 | # ocall_futex
117 | ###python main.py "./libpal-Linux-SGX.so" 0x118c0
118 | 
119 | # ocall No.22
120 | # ocall_socketpair
121 | #python main.py "./libpal-Linux-SGX.so" 0x11960
122 | 
123 | # ocall No.23
124 | # ocall_sock_listen
125 | ###python main.py "./libpal-Linux-SGX.so" 0x119f0
126 | 
127 | # ocall No.24
128 | # ocall_sock_accept
129 | #python main.py "./libpal-Linux-SGX.so" 0x11b60
130 | 
131 | # ocall No.25
132 | # ocall_sock_connect
133 | ###python main.py "./libpal-Linux-SGX.so" 0x11ce0
134 | 
135 | # ocall No.26
136 | # ocall_sock_recv
137 | ###python main.py "./libpal-Linux-SGX.so" 0x11ef0
138 | 
139 | # ocall No.27
140 | # ocall_sock_send
141 | #python main.py "./libpal-Linux-SGX.so" 0x120e0
142 | 
143 | # ocall No.28
144 | # ocall_sock_recv_fd
145 | ###python main.py "./libpal-Linux-SGX.so" 0x12200
146 | 
147 | # ocall No.29
148 | # ocall_sock_send_fd
149 | ###python main.py "./libpal-Linux-SGX.so" 0x123e0
150 | 
151 | # ocall No.30
152 | # ocall_sock_setopt
153 | ###python main.py "./libpal-Linux-SGX.so" 0x12500
154 | 
155 | # ocall No.31
156 | # ocall_sock_shutdown
157 | #python main.py "./libpal-Linux-SGX.so" 0x125b0
158 | 
159 | # ocall No.32
160 | # ocall_gettime
161 | #python main.py "./libpal-Linux-SGX.so" 0x12600
162 | 
163 | # ocall No.33
164 | # ocall_sleep
165 | #python main.py "./libpal-Linux-SGX.so" 0x12670
166 | 
167 | # ocall No.34
168 | # ocall_poll
169 | ###python main.py "./libpal-Linux-SGX.so" 0x12720
170 | 
171 | # ocall No.35
172 | # ocall_rename
173 | ###python main.py "./libpal-Linux-SGX.so" 0x12850
174 | 
175 | # ocall No.36
176 | # ocall_delete
177 | ###python main.py "./libpal-Linux-SGX.so" 0x12950
178 | 
179 | # ocall No.37
180 | # ocall_load_debug
181 | #python main.py "./libpal-Linux-SGX.so" 0x129f0
182 | 
183 | 
184 | 
185 | 
186 | 
187 | 
188 | 
189 | 
190 | 
191 | 
192 | 
193 | 
194 | 
195 | 
196 | 
197 | 
198 | 
199 | 
200 | 
201 | 
202 | 
203 | 
204 | 
205 | 
206 | 
207 | 
208 | 
209 | 
210 | 
211 | 
212 | 
213 | 
214 | 
215 | 
216 | 
217 | 
218 | 


--------------------------------------------------------------------------------
/type2finder/Makefile:
--------------------------------------------------------------------------------
1 | .PHONY: all
2 | 
3 | 
4 | all:
5 | 	
6 | 
7 | clean:
8 | 	rm -f *_asm
9 | 


--------------------------------------------------------------------------------
/type2finder/README.md:
--------------------------------------------------------------------------------
 1 | # type2finder
 2 | 
 3 | 1.Prerequisites:
 4 | 
 5 | Make sure you have angr binary analysis framework installed.
 6 | 
 7 | * [angr](http://angr.io/) - angr, a binary analysis framework
 8 | 
 9 | You may follow [angr documentaion](https://docs.angr.io/INSTALL.html) for installation.
10 | 
11 | Or a more simple way to install is to install [angr-dev](https://github.com/angr/angr-dev) which has a install script.
12 | 
13 | After installation of angr, our tool can be used instantly.
14 | 
15 | 
16 | 2.Run command:
17 | 
18 | ```
19 | bash test.sh
20 | ```
21 | You may also uncomment or change the content of test.sh to run different tests. 
22 | 
23 | All tests in the paper can be run by uncomment lines of test.sh.
24 | 
25 | And all the authors' tested results are in result folder.
26 | 
27 | 3.File Description:
28 | 
29 | * [libenclave.signed.so] - A typical SGX enclave .so file.
30 | * [libpal-Linux-SGX.so] - A typical Graphene SGX enclave .so file.
31 | * [enclave.signed.so] - A typical Rust SGX enclave .so file.
32 | 
33 | 
34 | 


--------------------------------------------------------------------------------
/type2finder/enclave.signed.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OSUSecLab/SgxPectre/815068911f35abcc1ddbbcd45ea67b54d5749e36/type2finder/enclave.signed.so


--------------------------------------------------------------------------------
/type2finder/libenclave.signed.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OSUSecLab/SgxPectre/815068911f35abcc1ddbbcd45ea67b54d5749e36/type2finder/libenclave.signed.so


--------------------------------------------------------------------------------
/type2finder/libpal-Linux-SGX.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OSUSecLab/SgxPectre/815068911f35abcc1ddbbcd45ea67b54d5749e36/type2finder/libpal-Linux-SGX.so


--------------------------------------------------------------------------------
/type2finder/main.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | 
  3 | import os
  4 | import sys
  5 | import angr
  6 | from angr import SimProcedure
  7 | from capstone.x86_const import *
  8 | 
  9 | class G1(object):
 10 | 	def __init__(self, start = None, end = None, rega = None, regb = None, regc = None):
 11 | 		self.start = start
 12 | 		self.end = end
 13 | 		self.rega = rega
 14 | 		self.regb = regb
 15 | 		self.regc = regc
 16 | 
 17 | class G2(object):
 18 | 	def __init__(self, start = None, end = None, rega = None, regb = None):
 19 | 		self.start = start
 20 | 		self.end = end
 21 | 		self.rega = rega
 22 | 		self.regb = regb
 23 | 
 24 | 
 25 | 
 26 | class Info(object):
 27 | 	def __init__(self):
 28 | 		self.picflag = None
 29 | 		self.b = None
 30 | 		self.asmfile = None
 31 | 		self.code = None
 32 | 		self.insns = []
 33 | 		self.insnsmap = {}
 34 | 		self.insnaddrs = []
 35 | 		self.codeoffset = None
 36 | 		self.interestedregs = [X86_REG_RAX, X86_REG_RBX, \
 37 | 					X86_REG_RCX, X86_REG_RDX, \
 38 | 					X86_REG_RDI, X86_REG_RSI, \
 39 | 					X86_REG_R8, \
 40 | 					X86_REG_R9, \
 41 | 					X86_REG_R10, \
 42 | 					X86_REG_R11, \
 43 | 					X86_REG_R12, \
 44 | 					X86_REG_R13, \
 45 | 					X86_REG_R14, \
 46 | 					X86_REG_R15,
 47 | 					X86_REG_EAX, X86_REG_EBX, \
 48 | 					X86_REG_ECX, X86_REG_EDX, \
 49 | 					X86_REG_EDI, X86_REG_ESI, \
 50 | 					X86_REG_R8D, \
 51 | 					X86_REG_R9D, \
 52 | 					X86_REG_R10D, \
 53 | 					X86_REG_R11D, \
 54 | 					X86_REG_R12D, \
 55 | 					X86_REG_R13D, \
 56 | 					X86_REG_R14D, \
 57 | 					X86_REG_R15D]
 58 | 		self.uncontrollableregs = [X86_REG_RAX, X86_REG_RCX, \
 59 | 					X86_REG_EAX, X86_REG_ECX]
 60 | 		self.startinsns = []
 61 | 		self.firstregs = []
 62 | 		self.secondregs = []
 63 | 		self.thirdregs = []
 64 | 		self.fourthregs = []
 65 | 		self.gflags = []
 66 | 		self.insnss = []
 67 | 		self.leakinsnind = []
 68 | 		self.g1 = []
 69 | 		self.g2 = []
 70 | 
 71 | 
 72 | 		self.xsavelist = []
 73 | 		self.xsaveclist = []
 74 | 		self.xsaveslist = []
 75 | 		self.xsave64list = []
 76 | 		self.xsavec64list = []
 77 | 		self.xsaves64list = []
 78 | 		self.fxsavelist = []
 79 | 		self.fxsave64list = []
 80 | 		self.xrstorlist = []
 81 | 		self.xrstorslist = []
 82 | 		self.xrstor64list = []
 83 | 		self.xrstors64list = []
 84 | 		self.fxrstorlist = []
 85 | 		self.fxrstor64list = []
 86 | 
 87 | 		self.repstoslist = []
 88 | 
 89 | 		self.rdrandlist = []
 90 | 
 91 | 		self.enclulist = []
 92 | 		self.enclaveentry = None
 93 | 
 94 | 		self.state = None
 95 | 		self.emptystate = None
 96 | 		self.states = []
 97 | 		self.targets1 = []
 98 | 		self.targets2 = []
 99 | 		self.succs = []
100 | 
101 | 		self.encluflag = 0
102 | 		
103 | 		
104 | global info
105 | info = Info()
106 | 
107 | 
108 | 
109 | def parseinsaddr(line, separator):
110 | 	temp = line[:line.find(separator)]
111 | 	try:
112 | 		temp1 = int(temp, 16)
113 | 	except:
114 | 		return -1
115 | 
116 | 
117 | 	if info.picflag == 1:
118 | 		temp2 = temp1 + 0x400000
119 | 	else:
120 | 		temp2 = temp1
121 | 	return temp2
122 | 
123 | def disassemble():
124 | 	global asmfile
125 | 	info.asmfile = sys.argv[1] + "_asm"
126 | 	comm = "objdump -S " + sys.argv[1] + " > " + info.asmfile
127 | 	#os.system(comm)
128 | 
129 | def findfirstins():
130 | 	funcflag = 0
131 | 	f1 = open(info.asmfile,'r')
132 | 	lines1 = f1.readlines()
133 | 	for line1 in lines1:
134 | 		if funcflag == 1 and ":" in line1:
135 | 			addr = parseinsaddr(line1, ":")
136 | 			#print line1
137 | 			#print hex(addr)
138 | 			info.codeoffset = addr
139 | 			break
140 | 		if ">:" in line1:
141 | 			funcflag = 1
142 | 	f1.close()
143 | 
144 | 
145 | def findinsaddr():
146 | 	f1 = open(info.asmfile,'r')
147 | 	lines1 = f1.readlines()
148 | 	for line1 in lines1:
149 | 		if ":" in line1:
150 | 			addr = parseinsaddr(line1, ":")
151 | 			if addr == -1:
152 | 				continue
153 | 			info.insnaddrs.append(addr)
154 | 
155 | 	f1.close()
156 | 
157 | 
158 | 	#for ad in info.insnaddrs:
159 | 	#	print hex(ad)
160 | 
161 | 
162 | 
163 | def findnextinsaddr(addr):
164 | 	# beginning
165 | 	if addr == -1:
166 | 		if info.insnaddrs:
167 | 			return info.insnaddrs[0]
168 | 		else:
169 | 			return -2
170 | 
171 | 
172 | 	# no more instruction
173 | 	if addr >= info.insnaddrs[-1]:
174 | 		return -1
175 | 
176 | 	try:
177 | 		oldindex = info.insnaddrs.index(addr)
178 | 		newindex = oldindex + 1
179 | 		ad = info.insnaddrs[newindex]
180 | 		#print "oldindex: %d" % oldindex
181 | 		#print "newindex: %d" % newindex
182 | 		#print "new ins addr: %x" % ad
183 | 
184 | 		return ad
185 | 
186 | 	except:
187 | 		return -3
188 | 
189 | 
190 | def capstoneparse():
191 | 	start = -1
192 | 	while True:
193 | 		addr = findnextinsaddr(start)
194 | 		if addr < 0:
195 | 			break
196 | 		#print hex(addr)
197 | 		with open(sys.argv[1], 'rb') as f:
198 | 			if info.picflag == 1:
199 | 				seekstart = addr - 0x400000
200 | 			else:
201 | 				seekstart = addr
202 | 
203 | 			f.seek(seekstart, 1)
204 | 			info.code = f.read()
205 | 			insns = info.b.arch.capstone.disasm(info.code, addr)
206 | 			insnlist = list(insns)
207 | 			info.insns.extend(insnlist)
208 | 			for ins in insnlist:
209 | 				info.insnsmap[ins.address] = ins
210 | 
211 | 		f.close()
212 | 
213 | 		if insnlist:
214 | 			start = insnlist[-1].address
215 | 		else:
216 | 			start = addr
217 | 
218 | 
219 | 	#for csinsn in info.insns:
220 | 	#	print hex(csinsn.address)
221 | 	#	print csinsn.mnemonic
222 | 	#	print csinsn.op_str
223 | 	#	print csinsn.size
224 | 
225 | 
226 | 
227 | 
228 | 
229 | 
230 | 
231 | def preprocessing():
232 | 	disassemble()
233 | 	findinsaddr()
234 | 	capstoneparse()
235 | 
236 | 
237 | #
238 | # param1: binary to load. Shared library .so file or executable.
239 | #
240 | def load_binary():
241 | 	if sys.argv[1].endswith(".so"):
242 | 		info.picflag = 1
243 | 	try:
244 | 		info.b = angr.Project(sys.argv[1],load_options={'auto_load_libs': False})
245 | 	except:
246 | 		info.picflag = 0
247 | 		info.b = angr.Project(sys.argv[1], 
248 | 			main_opts = {'backend': 'blob', 'custom_arch': 'amd64'},
249 | 			load_options={'auto_load_libs': False})
250 | 
251 | 
252 | 
253 | 
254 | 
255 | 
256 | 
257 | 
258 | def findgadget():
259 | 	# step 1: find mov MEM, reg instruction
260 | 	for csinsn in info.insns:
261 | 		if csinsn.id != X86_INS_LEA:
262 | 			if len(csinsn.operands) >= 2:
263 | 
264 | 				if csinsn.mnemonic.startswith("mov") \
265 | 					 and csinsn.operands[0].type == X86_OP_REG \
266 | 					 and csinsn.operands[0].value.reg in info.interestedregs \
267 | 					 and csinsn.operands[1].type == X86_OP_MEM:
268 | 
269 | 					if ((csinsn.operands[1].value.mem.base != 0 \
270 | 						 and csinsn.operands[1].value.mem.base in info.interestedregs \
271 | 						 and not csinsn.operands[1].value.mem.base in info.uncontrollableregs \
272 | 						 and csinsn.operands[1].value.mem.index == 0) \
273 | 						 or (csinsn.operands[1].value.mem.base == 0 \
274 | 						 and csinsn.operands[1].value.mem.index != 0 \
275 | 						 and csinsn.operands[1].value.mem.index in info.interestedregs
276 | 						 and not csinsn.operands[1].value.mem.index in info.uncontrollableregs)):
277 | 
278 | 							#print hex(csinsn.address)
279 | 							#print csinsn.operands[1].type # would like the one of MEM, 3
280 | 							#print csinsn.operands[0].type # would like the one of REG, 1
281 | 
282 | 							info.startinsns.append(csinsn)
283 | 
284 | 							if csinsn.operands[1].value.mem.base != 0:
285 | 								info.firstregs.append(csinsn.operands[1].value.mem.base)
286 | 								#print csinsn.reg_name(csinsn.operands[1].value.mem.base)
287 | 							if csinsn.operands[1].value.mem.index != 0:
288 | 								info.firstregs.append(csinsn.operands[1].value.mem.index)
289 | 								#print csinsn.reg_name(csinsn.operands[1].value.mem.index)
290 | 
291 | 							info.secondregs.append(csinsn.operands[0].value.reg)
292 | 							info.thirdregs.append(0)
293 | 							info.fourthregs.append(0)
294 | 							info.gflags.append(-1)
295 | 							info.leakinsnind.append(-1)
296 | 
297 | 	#for si in info.startinsns:
298 | 	#	print hex(si.address)
299 | 
300 | 
301 | 
302 | 	# step 2: do symbolic execution from each such potential beginning instruction
303 | 	for startinsn in info.startinsns:
304 | 		# get index, reg1, reg2
305 | 		ind = info.startinsns.index(startinsn)
306 | 		print "checking %dth of %d potential gadget (%.2f%% complete):" % (ind, len(info.startinsns), float(ind)/float(len(info.startinsns)) *100)
307 | 		print "at address: %s" % hex(startinsn.address)
308 | 		reg1 = info.firstregs[ind]
309 | 		reg2 = info.secondregs[ind]
310 | 		reg3 = None
311 | 		leareg = 0
312 | 		learegstr = None
313 | 		#print reg1
314 | 		#print reg2
315 | 
316 | 		#init rax, rbx, rcx... r15
317 | 		info.state = info.b.factory.entry_state(addr=startinsn.address, add_options={angr.options.CONSTRAINT_TRACKING_IN_SOLVER})
318 | 		
319 | 
320 | 		#print hex(info.state.addr)
321 | 
322 | 		# rax and rcx is not controllable since EENTER changes its value
323 | 		initregs = []
324 | 		for reg in ["rbx","rdx","rdi","rsi","r8","r9","r10","r11","r12","r13","r14","r15"]:
325 | 			vreg = info.state.se.BVS("init_" + reg, 64)
326 | 			initregs.append(vreg)
327 | 			info.state.registers.store(reg, vreg)
328 | 
329 | 
330 | 		#for ir in initregs:
331 | 		#	print ir
332 | 
333 | 		# init reg1 and reg2
334 | 		vreg1 = info.state.se.BVS("init_vreg1_" + startinsn.reg_name(reg1), 64)
335 | 		vreg2 = info.state.se.BVS("init_vreg2_" + startinsn.reg_name(reg2), 64)
336 | 
337 | 		#print list(vreg1.variables)[0]
338 | 		#print list(vreg2.variables)[0]
339 | 
340 | 
341 | 
342 | 		#print vreg1
343 | 		#print vreg2
344 | 
345 | 		insnmap = {"eax":"rax","ebx":"rbx","ecx":"rcx","edx":"rdx","edi":"rdi","esi":"rsi",
346 | 				"r8d":"r8","r9d":"r9","r10d":"r10","r11d":"r11","r12d":"r12","r13d":"r13",
347 | 				"r14d":"r14","r15d":"r15"}
348 | 		#print insnmap["eax"]
349 | 		#print "eax" in insnmap
350 | 		#print "rax" in insnmap
351 | 
352 | 		if str(startinsn.reg_name(reg1)) in insnmap:
353 | 			info.state.registers.store(insnmap[str(startinsn.reg_name(reg1))], vreg1)
354 | 			#print info.state.registers.load(insnmap[str(startinsn.reg_name(reg1))])
355 | 		else:
356 | 			info.state.registers.store(str(startinsn.reg_name(reg1)), vreg1)
357 | 			#print info.state.registers.load(str(startinsn.reg_name(reg1)))
358 | 
359 | 		if str(startinsn.reg_name(reg2)) in insnmap:
360 | 			info.state.registers.store(insnmap[str(startinsn.reg_name(reg2))], vreg2)
361 | 			#print info.state.registers.load(insnmap[str(startinsn.reg_name(reg2))])
362 | 		else:
363 | 			info.state.registers.store(str(startinsn.reg_name(reg2)), vreg2)
364 | 			#print info.state.registers.load(str(startinsn.reg_name(reg2)))
365 | 
366 | 
367 | 		# start SE
368 | 		info.states = []
369 | 		info.states.append(info.state)
370 | 
371 | 		instno = 0
372 | 		leaflag = 0
373 | 		findflag = 0
374 | 		leainitflag = 0
375 | 		#print "***"
376 | 		while True:
377 | 			# if nothing left in worklist, break
378 | 			if not info.states:
379 | 				break
380 | 			#print len(info.states)
381 | 
382 | 			# pop one state for symbolic execution
383 | 			info.state = info.states.pop(0)
384 | 
385 | 
386 | 			#
387 | 			# check the new state
388 | 			#
389 | 
390 | 			# if this path is unsatisfiable, continue
391 | 			if info.state.se.satisfiable() == False:
392 | 				continue
393 | 
394 | 			# if return to top function, stop doing this work, continue
395 | 
396 | 			if info.state.regs.rip.symbolic:
397 | 				continue
398 | 			if info.state.addr == 0:
399 | 				print "return to top function"
400 | 				print "continue"
401 | 				print hex(info.state.addr)
402 | 				continue
403 | 
404 | 
405 | 			if instno == 1:
406 | 				if str(startinsn.reg_name(reg1)) in insnmap:
407 | 					info.state.registers.store(insnmap[str(startinsn.reg_name(reg1))], vreg1)
408 | 					#print info.state.registers.load(insnmap[str(startinsn.reg_name(reg1))])
409 | 				else:
410 | 					info.state.registers.store(str(startinsn.reg_name(reg1)), vreg1)
411 | 					#print info.state.registers.load(str(startinsn.reg_name(reg1)))
412 | 
413 | 				if str(startinsn.reg_name(reg2)) in insnmap:
414 | 					info.state.registers.store(insnmap[str(startinsn.reg_name(reg2))], vreg2)
415 | 					#print info.state.registers.load(insnmap[str(startinsn.reg_name(reg2))])
416 | 				else:
417 | 					info.state.registers.store(str(startinsn.reg_name(reg2)), vreg2)
418 | 					#print info.state.registers.load(str(startinsn.reg_name(reg2)))
419 | 
420 | 			if leaflag == 1 and leainitflag == 0:
421 | 				leainitflag = 1
422 | 				vleareg = info.state.se.BVS("init_leareg", 64)
423 | 				if learegstr in insnmap:
424 | 					info.state.registers.store(insnmap[learegstr], vleareg)
425 | 				else:
426 | 					info.state.registers.store(learegstr, vleareg)
427 | 				#print "set lea reg"
428 | 				#print learegstr
429 | 				#print info.state.registers.load(learegstr)
430 | 				
431 | 
432 | 
433 | 			#print hex(info.state.addr)
434 | 
435 | 
436 | 			
437 | 			hazardousins = [X86_INS_JAE,X86_INS_JA,X86_INS_JBE,X86_INS_JB,X86_INS_JCXZ,X86_INS_JECXZ,X86_INS_JE,X86_INS_JGE,X86_INS_JG,
438 | 						X86_INS_JLE,X86_INS_JL,X86_INS_JMP,X86_INS_JNE,X86_INS_JNO,X86_INS_JNP,X86_INS_JNS,X86_INS_JO,
439 | 						X86_INS_JP,X86_INS_JRCXZ,X86_INS_JS, X86_INS_LJMP, X86_INS_CALL, X86_INS_LCALL, X86_INS_RET, 
440 | 						X86_INS_IRET, X86_INS_IRETD, X86_INS_IRETQ, X86_INS_RETF, X86_INS_RETFQ]
441 | 
442 | 			#print info.insnsmap[info.state.addr]
443 | 			#print info.insns.index(info.insnsmap[info.state.addr])
444 | 			currentinsn = info.insnsmap[info.state.addr]
445 | 
446 | 
447 | 
448 | 			if instno != 0:
449 | 				if len(currentinsn.operands) == 2:
450 | 					op = currentinsn.operands[1]
451 | 					if op.type == X86_OP_MEM:
452 | 						if op.value.mem.base != 0 and op.value.mem.index != 0:
453 | 							#print str(startinsn.reg_name(op.value.mem.base))
454 | 							#print info.state.registers.load(str(startinsn.reg_name(op.value.mem.base)))
455 | 							#print str(startinsn.reg_name(op.value.mem.index))
456 | 							#print info.state.registers.load(str(startinsn.reg_name(op.value.mem.index)))
457 | 							#print info.state.registers.load(str(startinsn.reg_name(op.value.mem.base))).variables
458 | 							#print info.state.registers.load(str(startinsn.reg_name(op.value.mem.index))).variables
459 | 							if list(vreg2.variables)[0] in info.state.registers.load(str(startinsn.reg_name(op.value.mem.base))).variables or \
460 | 								list(vreg2.variables)[0] in info.state.registers.load(str(startinsn.reg_name(op.value.mem.index))).variables:
461 | 									# normal case
462 | 									if currentinsn.id != X86_INS_LEA:
463 | 										if list(vreg2.variables)[0] in info.state.registers.load(str(startinsn.reg_name(op.value.mem.base))).variables:
464 | 											# check index
465 | 											for ir in initregs:
466 | 												if list(ir.variables)[0] in info.state.registers.load(str(startinsn.reg_name(op.value.mem.index))).variables:
467 | 													#found
468 | 													findflag = 1
469 | 													info.g1.append(G1(startinsn.address, currentinsn.address, reg1, reg2, op.value.mem.index))
470 | 													continue
471 | 
472 | 
473 | 
474 | 										if list(vreg2.variables)[0] in info.state.registers.load(str(startinsn.reg_name(op.value.mem.index))).variables:
475 | 											# check base
476 | 											for ir in initregs:
477 | 												if list(ir.variables)[0] in info.state.registers.load(str(startinsn.reg_name(op.value.mem.base))).variables:
478 | 													#found
479 | 													findflag = 1
480 | 													info.g1.append(G1(startinsn.address, currentinsn.address, reg1, reg2, op.value.mem.base))
481 | 													continue
482 | 
483 | 									# lea case
484 | 									else:
485 | 										if list(vreg2.variables)[0] in info.state.registers.load(str(startinsn.reg_name(op.value.mem.base))).variables:
486 | 											# check index
487 | 											for ir in initregs:
488 | 												if list(ir.variables)[0] in info.state.registers.load(str(startinsn.reg_name(op.value.mem.index))).variables:
489 | 													# look forward and find indirect memory access
490 | 													leaflag = 1
491 | 													leareg = currentinsn.operands[0].value.reg
492 | 													learegstr = str(startinsn.reg_name(leareg))
493 | 													reg3 = op.value.mem.index
494 | 													#print "leareg"
495 | 													#print leareg
496 | 													continue
497 | 
498 | 
499 | 
500 | 										if list(vreg2.variables)[0] in info.state.registers.load(str(startinsn.reg_name(op.value.mem.index))).variables:
501 | 											# check base
502 | 											for ir in initregs:
503 | 												if list(ir.variables)[0] in info.state.registers.load(str(startinsn.reg_name(op.value.mem.base))).variables:
504 | 													leaflag = 1
505 | 													leareg = currentinsn.operands[0].value.reg
506 | 													learegstr = str(startinsn.reg_name(leareg))
507 | 													reg3 = op.value.mem.base
508 | 													#print "leareg"
509 | 													#print leareg
510 | 													continue
511 | 
512 | 
513 | 				for op in currentinsn.operands:
514 | 					if op.type == X86_OP_MEM:
515 | 						if op.value.mem.base != 0 and op.value.mem.index == 0:
516 | 							#lea case
517 | 							if leaflag == 1:
518 | 								if currentinsn.id != X86_INS_LEA:
519 | 									#print info.state.registers.load(str(startinsn.reg_name(op.value.mem.base))).variables
520 | 									if list(vleareg.variables)[0] in info.state.registers.load(str(startinsn.reg_name(op.value.mem.base))).variables:
521 | 										findflag = 1
522 | 										info.g1.append(G1(startinsn.address, currentinsn.address, reg1, reg2, reg3))
523 | 										continue
524 | 							# [regA, regB] case
525 | 							if currentinsn.id != X86_INS_LEA:
526 | 								if list(vreg2.variables)[0] in info.state.registers.load(str(startinsn.reg_name(op.value.mem.base))).variables:
527 | 									#print "[regA, regB]"
528 | 									#print hex(currentinsn.address)
529 | 									findflag = 2
530 | 									info.g2.append(G2(startinsn.address, currentinsn.address, reg1, reg2))
531 | 									continue
532 | 
533 | 							
534 | 
535 | 			# current instruction should not be jump/call/ret, memfence or any other hazardous instruction, stop doing this work, continue
536 | 			if currentinsn.id in hazardousins:
537 | 				#print "hazardous"
538 | 				#print currentinsn.id
539 | 				continue
540 | 
541 | 
542 | 
543 | 			#
544 | 			# get successor(s)
545 | 			#
546 | 			try:
547 | 				info.succs = info.b.factory.successors(info.state, num_inst=1).successors
548 | 			except:
549 | 				continue
550 | 
551 | 			#info.succs = info.b.factory.successors(info.state, num_inst=1).successors
552 | 
553 | 			#print "len of succs:"
554 | 			#print len(succs)
555 | 
556 | 			#
557 | 			# check the successor(s)
558 | 			#
559 | 
560 | 			# number of successors should be exactly one
561 | 			if len(info.succs) != 1:
562 | 				continue
563 | 
564 | 			# successor should be exactly next instruction
565 | 			#print hex(info.succs[0].addr)
566 | 			if info.insns.index(currentinsn) + 1 < len(info.insns):
567 | 				#print hex(info.insns[info.insns.index(csinsn) + 1].address)
568 | 				if info.insns[info.insns.index(currentinsn) + 1].address != info.succs[0].addr:
569 | 					continue
570 | 
571 | 
572 | 			# successor should be within 10 instructions of start instruction
573 | 			if info.insns.index(currentinsn) + 1 > info.insns.index(startinsn) + 9:
574 | 				continue
575 | 
576 | 			# now the control flow of successor seems right, we check the successor
577 | 
578 | 			instno = instno + 1
579 | 			info.states.extend(info.succs)
580 | 
581 | 	print "*********************************"
582 | 	print "*********************************"
583 | 	print "*********************************"
584 | 	print "*************RESULTS:************"
585 | 	print "*********************************"
586 | 	print "*********************************"
587 | 	print "*********************************"
588 | 	print "*********************************"
589 | 	print "[regA, regB, regC] gadgets:"
590 | 	print "*********************************"
591 | 	for ga in info.g1:
592 | 		print "Gadget %d:" % info.g1.index(ga)
593 | 		print "start address: %x" % ga.start
594 | 		print "end address: %x" % ga.end
595 | 		print "regA: %s" % str(startinsn.reg_name(ga.rega))
596 | 		print "regB: %s" % str(startinsn.reg_name(ga.regb))
597 | 		print "regC: %s" % str(startinsn.reg_name(ga.regc))
598 | 	print "*********************************"
599 | 	print "*********************************"
600 | 	print "*********************************"
601 | 	print "[regA, regB] gadgets:"
602 | 	print "*********************************"
603 | 	for ga in info.g2:
604 | 		print "Gadget %d:" % info.g2.index(ga)
605 | 		print "start address: %x" % ga.start
606 | 		print "end address: %x" % ga.end
607 | 		print "regA: %s" % str(startinsn.reg_name(ga.rega))
608 | 		print "regB: %s" % str(startinsn.reg_name(ga.regb))
609 | 
610 | 
611 | 
612 | 
613 | #
614 | # param1: binary to load. Shared library .so file or executable.
615 | # param2: function api address in binary.
616 | #
617 | def main():
618 | 	# parameter handling
619 | 	print "parameters:"
620 | 	for arg in sys.argv[1:]:
621 | 		print arg
622 | 	if len(sys.argv) != 2:
623 | 		print "ERROR: accept exactly 1 parameters."
624 | 		print "param1: binary to load. Shared library .so file or executable."
625 | 		exit()
626 | 
627 | 	#load binary
628 | 	load_binary()
629 | 
630 | 	#preprocessing
631 | 	preprocessing()
632 | 
633 | 	#find gadget
634 | 	findgadget()
635 | 
636 | 
637 | 
638 | 
639 | 
640 | 
641 | #
642 | #main function
643 | #
644 | if __name__ == "__main__":
645 | 	main()
646 | 


--------------------------------------------------------------------------------
/type2finder/results/Graphene-SGX:
--------------------------------------------------------------------------------
  1 | *********************************
  2 | *********************************
  3 | *********************************
  4 | *************RESULTS:************
  5 | *********************************
  6 | *********************************
  7 | *********************************
  8 | *********************************
  9 | [regA, regB, regC] gadgets:
 10 | *********************************
 11 | Gadget 0:
 12 | start address: 7df7
 13 | end address: 7dfe
 14 | regA: r8
 15 | regB: rax
 16 | regC: rdx
 17 | Gadget 1:
 18 | start address: 7ed7
 19 | end address: 7ede
 20 | regA: r8
 21 | regB: rax
 22 | regC: rdx
 23 | Gadget 2:
 24 | start address: 7f60
 25 | end address: 7f67
 26 | regA: r8
 27 | regB: rax
 28 | regC: r15
 29 | Gadget 3:
 30 | start address: 1d148
 31 | end address: 1d153
 32 | regA: r12
 33 | regB: rcx
 34 | regC: rdx
 35 | Gadget 4:
 36 | start address: 1d303
 37 | end address: 1d310
 38 | regA: rdi
 39 | regB: rax
 40 | regC: rdx
 41 | Gadget 5:
 42 | start address: 1d352
 43 | end address: 1d36e
 44 | regA: r12
 45 | regB: rax
 46 | regC: r14
 47 | Gadget 6:
 48 | start address: 1d64a
 49 | end address: 1d655
 50 | regA: r13
 51 | regB: rdx
 52 | regC: rax
 53 | Gadget 7:
 54 | start address: 1d64a
 55 | end address: 1d658
 56 | regA: r13
 57 | regB: rdx
 58 | regC: rax
 59 | Gadget 8:
 60 | start address: 1d68a
 61 | end address: 1d6a0
 62 | regA: r13
 63 | regB: rsi
 64 | regC: rbx
 65 | Gadget 9:
 66 | start address: 1d87c
 67 | end address: 1d880
 68 | regA: rdi
 69 | regB: rax
 70 | regC: rdx
 71 | Gadget 10:
 72 | start address: 1d990
 73 | end address: 1d99b
 74 | regA: r15
 75 | regB: rdx
 76 | regC: r13
 77 | Gadget 11:
 78 | start address: 1db21
 79 | end address: 1db25
 80 | regA: rdi
 81 | regB: rcx
 82 | regC: rdx
 83 | Gadget 12:
 84 | start address: 1e0c0
 85 | end address: 1e0d3
 86 | regA: r13
 87 | regB: rax
 88 | regC: r11
 89 | Gadget 13:
 90 | start address: 1ebf7
 91 | end address: 1ec00
 92 | regA: rsi
 93 | regB: r11
 94 | regC: r10
 95 | Gadget 14:
 96 | start address: 1ee99
 97 | end address: 1eea4
 98 | regA: r14
 99 | regB: rax
100 | regC: r8
101 | Gadget 15:
102 | start address: 21248
103 | end address: 21259
104 | regA: rbx
105 | regB: edi
106 | regC: rsi
107 | Gadget 16:
108 | start address: 21328
109 | end address: 2133a
110 | regA: rbx
111 | regB: r8d
112 | regC: rsi
113 | Gadget 17:
114 | start address: 21378
115 | end address: 21391
116 | regA: rbx
117 | regB: edx
118 | regC: rsi
119 | Gadget 18:
120 | start address: 21408
121 | end address: 21419
122 | regA: rbx
123 | regB: edi
124 | regC: rsi
125 | *********************************
126 | *********************************
127 | *********************************
128 | [regA, regB] gadgets:
129 | *********************************
130 | Gadget 0:
131 | start address: 2ad1
132 | end address: 2ad4
133 | regA: rdi
134 | regB: r12
135 | Gadget 1:
136 | start address: 77ae
137 | end address: 77b5
138 | regA: rbx
139 | regB: rax
140 | Gadget 2:
141 | start address: 7d77
142 | end address: 7d7b
143 | regA: r8
144 | regB: rsi
145 | Gadget 3:
146 | start address: 7d7f
147 | end address: 7d83
148 | regA: r8
149 | regB: rsi
150 | Gadget 4:
151 | start address: 7e05
152 | end address: 7e18
153 | regA: r8
154 | regB: rdx
155 | Gadget 5:
156 | start address: 8248
157 | end address: 8256
158 | regA: rbx
159 | regB: rax
160 | Gadget 6:
161 | start address: 836d
162 | end address: 8371
163 | regA: rdi
164 | regB: rax
165 | Gadget 7:
166 | start address: 83b0
167 | end address: 83b7
168 | regA: rbx
169 | regB: rax
170 | Gadget 8:
171 | start address: 867a
172 | end address: 8681
173 | regA: rbx
174 | regB: rax
175 | Gadget 9:
176 | start address: 911b
177 | end address: 9123
178 | regA: r13
179 | regB: rax
180 | Gadget 10:
181 | start address: 9127
182 | end address: 912b
183 | regA: r13
184 | regB: rdx
185 | Gadget 11:
186 | start address: a9ba
187 | end address: a9bd
188 | regA: rdi
189 | regB: r12
190 | Gadget 12:
191 | start address: bc9a
192 | end address: bc9d
193 | regA: rdi
194 | regB: r15
195 | Gadget 13:
196 | start address: dc33
197 | end address: dc37
198 | regA: rbx
199 | regB: rdi
200 | Gadget 14:
201 | start address: dc33
202 | end address: dc3a
203 | regA: rbx
204 | regB: rdi
205 | Gadget 15:
206 | start address: de46
207 | end address: de49
208 | regA: rdi
209 | regB: rcx
210 | Gadget 16:
211 | start address: de8f
212 | end address: de9b
213 | regA: r12
214 | regB: rsi
215 | Gadget 17:
216 | start address: dfb0
217 | end address: dfb3
218 | regA: rdi
219 | regB: rax
220 | Gadget 18:
221 | start address: e092
222 | end address: e09d
223 | regA: rdi
224 | regB: rdx
225 | Gadget 19:
226 | start address: e0ce
227 | end address: e0d4
228 | regA: rbx
229 | regB: rdx
230 | Gadget 20:
231 | start address: e161
232 | end address: e165
233 | regA: rdi
234 | regB: rax
235 | Gadget 21:
236 | start address: e196
237 | end address: e19a
238 | regA: rbx
239 | regB: rdx
240 | Gadget 22:
241 | start address: e1ef
242 | end address: e1f3
243 | regA: rdi
244 | regB: rax
245 | Gadget 23:
246 | start address: e20e
247 | end address: e212
248 | regA: rbx
249 | regB: rdx
250 | Gadget 24:
251 | start address: e281
252 | end address: e28a
253 | regA: rdi
254 | regB: rax
255 | Gadget 25:
256 | start address: e975
257 | end address: e980
258 | regA: r13
259 | regB: rax
260 | Gadget 26:
261 | start address: efb2
262 | end address: efb5
263 | regA: rsi
264 | regB: rbx
265 | Gadget 27:
266 | start address: f31d
267 | end address: f344
268 | regA: rbx
269 | regB: rsi
270 | Gadget 28:
271 | start address: fbeb
272 | end address: fbf6
273 | regA: rdi
274 | regB: r15
275 | Gadget 29:
276 | start address: fbeb
277 | end address: fbfb
278 | regA: rdi
279 | regB: r15
280 | Gadget 30:
281 | start address: fc72
282 | end address: fc81
283 | regA: r15
284 | regB: ecx
285 | Gadget 31:
286 | start address: fc72
287 | end address: fc84
288 | regA: r15
289 | regB: ecx
290 | Gadget 32:
291 | start address: fd67
292 | end address: fd81
293 | regA: r15
294 | regB: edx
295 | Gadget 33:
296 | start address: fd67
297 | end address: fd85
298 | regA: r15
299 | regB: edx
300 | Gadget 34:
301 | start address: 10078
302 | end address: 10091
303 | regA: rdi
304 | regB: rax
305 | Gadget 35:
306 | start address: 10078
307 | end address: 1009f
308 | regA: rdi
309 | regB: rax
310 | Gadget 36:
311 | start address: 10078
312 | end address: 100a3
313 | regA: rdi
314 | regB: rax
315 | Gadget 37:
316 | start address: 101a0
317 | end address: 101a3
318 | regA: rdx
319 | regB: rdx
320 | Gadget 38:
321 | start address: 10450
322 | end address: 10467
323 | regA: rdi
324 | regB: rax
325 | Gadget 39:
326 | start address: 105e8
327 | end address: 105ef
328 | regA: rsi
329 | regB: rbx
330 | Gadget 40:
331 | start address: 12d23
332 | end address: 12d27
333 | regA: rbx
334 | regB: rax
335 | Gadget 41:
336 | start address: 14406
337 | end address: 14411
338 | regA: rdx
339 | regB: rcx
340 | Gadget 42:
341 | start address: 146b2
342 | end address: 146b9
343 | regA: r15
344 | regB: rsi
345 | Gadget 43:
346 | start address: 146bc
347 | end address: 146bf
348 | regA: r15
349 | regB: rcx
350 | Gadget 44:
351 | start address: 14873
352 | end address: 1487c
353 | regA: r14
354 | regB: rcx
355 | Gadget 45:
356 | start address: 14a75
357 | end address: 14a7c
358 | regA: rbx
359 | regB: rax
360 | Gadget 46:
361 | start address: 14a7f
362 | end address: 14a82
363 | regA: rbx
364 | regB: rdx
365 | Gadget 47:
366 | start address: 14b11
367 | end address: 14b17
368 | regA: rbx
369 | regB: rdx
370 | Gadget 48:
371 | start address: 14d74
372 | end address: 14d7c
373 | regA: r13
374 | regB: rax
375 | Gadget 49:
376 | start address: 14d80
377 | end address: 14d84
378 | regA: r13
379 | regB: rdx
380 | Gadget 50:
381 | start address: 1511f
382 | end address: 1512e
383 | regA: rbx
384 | regB: rsi
385 | Gadget 51:
386 | start address: 1511f
387 | end address: 15135
388 | regA: rbx
389 | regB: rsi
390 | Gadget 52:
391 | start address: 1511f
392 | end address: 1513c
393 | regA: rbx
394 | regB: rsi
395 | Gadget 53:
396 | start address: 1511f
397 | end address: 15144
398 | regA: rbx
399 | regB: rsi
400 | Gadget 54:
401 | start address: 16840
402 | end address: 1684c
403 | regA: rdi
404 | regB: rdx
405 | Gadget 55:
406 | start address: 16953
407 | end address: 1695f
408 | regA: rdi
409 | regB: rdx
410 | Gadget 56:
411 | start address: 17569
412 | end address: 1756d
413 | regA: rdx
414 | regB: rcx
415 | Gadget 57:
416 | start address: 175a5
417 | end address: 175a9
418 | regA: rdx
419 | regB: rcx
420 | Gadget 58:
421 | start address: 179cc
422 | end address: 179d0
423 | regA: rbx
424 | regB: rax
425 | Gadget 59:
426 | start address: 179d4
427 | end address: 179d8
428 | regA: rbx
429 | regB: rdx
430 | Gadget 60:
431 | start address: 179ea
432 | end address: 179f2
433 | regA: rbx
434 | regB: rax
435 | Gadget 61:
436 | start address: 179f6
437 | end address: 179fd
438 | regA: rbx
439 | regB: rdx
440 | Gadget 62:
441 | start address: 17bc8
442 | end address: 17bcc
443 | regA: rdx
444 | regB: rcx
445 | Gadget 63:
446 | start address: 17bfc
447 | end address: 17c00
448 | regA: rdx
449 | regB: rcx
450 | Gadget 64:
451 | start address: 198ae
452 | end address: 198b1
453 | regA: rbx
454 | regB: rax
455 | Gadget 65:
456 | start address: 19903
457 | end address: 19908
458 | regA: r12
459 | regB: rax
460 | Gadget 66:
461 | start address: 19ab8
462 | end address: 19ac8
463 | regA: r9
464 | regB: rax
465 | Gadget 67:
466 | start address: 1b07a
467 | end address: 1b07d
468 | regA: rbx
469 | regB: rax
470 | Gadget 68:
471 | start address: 1d2bb
472 | end address: 1d2c9
473 | regA: rbx
474 | regB: rdx
475 | Gadget 69:
476 | start address: 1d2bb
477 | end address: 1d2cc
478 | regA: rbx
479 | regB: rdx
480 | Gadget 70:
481 | start address: 1d46a
482 | end address: 1d46e
483 | regA: rdi
484 | regB: rax
485 | Gadget 71:
486 | start address: 1d994
487 | end address: 1d9b0
488 | regA: r14
489 | regB: rsi
490 | Gadget 72:
491 | start address: 1ec78
492 | end address: 1ec7d
493 | regA: rsi
494 | regB: rax
495 | Gadget 73:
496 | start address: 1ed1c
497 | end address: 1ed2b
498 | regA: r13
499 | regB: rdx
500 | Gadget 74:
501 | start address: 1ed38
502 | end address: 1ed47
503 | regA: r13
504 | regB: rdx
505 | Gadget 75:
506 | start address: 1ef60
507 | end address: 1ef64
508 | regA: rdi
509 | regB: rax
510 | Gadget 76:
511 | start address: 1f045
512 | end address: 1f04a
513 | regA: r12
514 | regB: rax
515 | Gadget 77:
516 | start address: 1f069
517 | end address: 1f073
518 | regA: r12
519 | regB: rax
520 | Gadget 78:
521 | start address: 20762
522 | end address: 20768
523 | regA: rbx
524 | regB: rdx
525 | Gadget 79:
526 | start address: 2168c
527 | end address: 216a5
528 | regA: rdi
529 | regB: rax
530 | Gadget 80:
531 | start address: 2168c
532 | end address: 216a8
533 | regA: rdi
534 | regB: rax
535 | Gadget 81:
536 | start address: 21b0c
537 | end address: 21b20
538 | regA: rdi
539 | regB: rax
540 | Gadget 82:
541 | start address: 21b0c
542 | end address: 21b22
543 | regA: rdi
544 | regB: rax
545 | Gadget 83:
546 | start address: 21b0c
547 | end address: 21b25
548 | regA: rdi
549 | regB: rax
550 | Gadget 84:
551 | start address: 21b0c
552 | end address: 21b29
553 | regA: rdi
554 | regB: rax
555 | Gadget 85:
556 | start address: 22003
557 | end address: 2200e
558 | regA: rdi
559 | regB: rdi
560 | 
561 | 


--------------------------------------------------------------------------------
/type2finder/results/RUST-SGX-SDK:
--------------------------------------------------------------------------------
  1 | *********************************
  2 | *********************************
  3 | *********************************
  4 | *************RESULTS:************
  5 | *********************************
  6 | *********************************
  7 | *********************************
  8 | *********************************
  9 | [regA, regB, regC] gadgets:
 10 | *********************************
 11 | Gadget 0:
 12 | start address: 406d1a
 13 | end address: 406d25
 14 | regA: rsi
 15 | regB: r9d
 16 | regC: rdi
 17 | Gadget 1:
 18 | start address: 406f29
 19 | end address: 406f34
 20 | regA: r8
 21 | regB: r9d
 22 | regC: rdi
 23 | Gadget 2:
 24 | start address: 40755b
 25 | end address: 407566
 26 | regA: rsi
 27 | regB: r9d
 28 | regC: r12
 29 | Gadget 3:
 30 | start address: 408ffb
 31 | end address: 409006
 32 | regA: rdx
 33 | regB: r12d
 34 | regC: rsi
 35 | Gadget 4:
 36 | start address: 4097a1
 37 | end address: 4097ac
 38 | regA: r8
 39 | regB: edi
 40 | regC: rbx
 41 | Gadget 5:
 42 | start address: 409877
 43 | end address: 409881
 44 | regA: rsi
 45 | regB: edi
 46 | regC: rbx
 47 | Gadget 6:
 48 | start address: 434600
 49 | end address: 434607
 50 | regA: rdx
 51 | regB: ecx
 52 | regC: r12
 53 | Gadget 7:
 54 | start address: 4348b8
 55 | end address: 4348bf
 56 | regA: rdx
 57 | regB: ecx
 58 | regC: r12
 59 | Gadget 8:
 60 | start address: 43555a
 61 | end address: 435562
 62 | regA: rdi
 63 | regB: rax
 64 | regC: r10
 65 | *********************************
 66 | *********************************
 67 | *********************************
 68 | [regA, regB] gadgets:
 69 | *********************************
 70 | Gadget 0:
 71 | start address: 4029b1
 72 | end address: 4029bd
 73 | regA: r14
 74 | regB: rdi
 75 | Gadget 1:
 76 | start address: 4029c7
 77 | end address: 4029db
 78 | regA: r14
 79 | regB: rdi
 80 | Gadget 2:
 81 | start address: 4029fe
 82 | end address: 402a0a
 83 | regA: r14
 84 | regB: rdi
 85 | Gadget 3:
 86 | start address: 402a2f
 87 | end address: 402a3b
 88 | regA: r14
 89 | regB: rdi
 90 | Gadget 4:
 91 | start address: 4030c7
 92 | end address: 4030cb
 93 | regA: r15
 94 | regB: rax
 95 | Gadget 5:
 96 | start address: 403254
 97 | end address: 403259
 98 | regA: r12
 99 | regB: rax
100 | Gadget 6:
101 | start address: 403387
102 | end address: 40338b
103 | regA: r15
104 | regB: rax
105 | Gadget 7:
106 | start address: 403500
107 | end address: 403504
108 | regA: r15
109 | regB: rax
110 | Gadget 8:
111 | start address: 406773
112 | end address: 406777
113 | regA: rbx
114 | regB: rdx
115 | Gadget 9:
116 | start address: 406773
117 | end address: 40677e
118 | regA: rbx
119 | regB: rdx
120 | Gadget 10:
121 | start address: 406918
122 | end address: 40691f
123 | regA: rdi
124 | regB: r8
125 | Gadget 11:
126 | start address: 407867
127 | end address: 40786b
128 | regA: r8
129 | regB: rax
130 | Gadget 12:
131 | start address: 407acc
132 | end address: 407ad0
133 | regA: r10
134 | regB: rax
135 | Gadget 13:
136 | start address: 417fe7
137 | end address: 417fea
138 | regA: r14
139 | regB: rbx
140 | Gadget 14:
141 | start address: 41800f
142 | end address: 418019
143 | regA: r14
144 | regB: rax
145 | Gadget 15:
146 | start address: 41866e
147 | end address: 418672
148 | regA: r15
149 | regB: rbx
150 | Gadget 16:
151 | start address: 41866e
152 | end address: 418675
153 | regA: r15
154 | regB: rbx
155 | Gadget 17:
156 | start address: 418675
157 | end address: 418679
158 | regA: rbx
159 | regB: rax
160 | Gadget 18:
161 | start address: 41867b
162 | end address: 41867f
163 | regA: rbx
164 | regB: rax
165 | Gadget 19:
166 | start address: 418710
167 | end address: 41871a
168 | regA: rdi
169 | regB: rax
170 | Gadget 20:
171 | start address: 41873e
172 | end address: 418742
173 | regA: r15
174 | regB: rbx
175 | Gadget 21:
176 | start address: 41873e
177 | end address: 418745
178 | regA: r15
179 | regB: rbx
180 | Gadget 22:
181 | start address: 418745
182 | end address: 418749
183 | regA: rbx
184 | regB: rax
185 | Gadget 23:
186 | start address: 41874b
187 | end address: 41874f
188 | regA: rbx
189 | regB: rax
190 | Gadget 24:
191 | start address: 4187c4
192 | end address: 4187c8
193 | regA: rbx
194 | regB: r15
195 | Gadget 25:
196 | start address: 4187c4
197 | end address: 4187cb
198 | regA: rbx
199 | regB: r15
200 | Gadget 26:
201 | start address: 4187cb
202 | end address: 4187cf
203 | regA: r15
204 | regB: rax
205 | Gadget 27:
206 | start address: 4187d1
207 | end address: 4187d5
208 | regA: r15
209 | regB: rax
210 | Gadget 28:
211 | start address: 4188e3
212 | end address: 4188e6
213 | regA: rdi
214 | regB: rcx
215 | Gadget 29:
216 | start address: 4188e3
217 | end address: 4188e9
218 | regA: rdi
219 | regB: rcx
220 | Gadget 30:
221 | start address: 41899d
222 | end address: 4189a1
223 | regA: rbx
224 | regB: rax
225 | Gadget 31:
226 | start address: 4189a3
227 | end address: 4189a7
228 | regA: rbx
229 | regB: rax
230 | Gadget 32:
231 | start address: 418d97
232 | end address: 418d9a
233 | regA: r14
234 | regB: rbx
235 | Gadget 33:
236 | start address: 418dbf
237 | end address: 418dc9
238 | regA: r14
239 | regB: rax
240 | Gadget 34:
241 | start address: 419190
242 | end address: 41919a
243 | regA: rdi
244 | regB: rax
245 | Gadget 35:
246 | start address: 4191fa
247 | end address: 4191fe
248 | regA: rbx
249 | regB: rax
250 | Gadget 36:
251 | start address: 419200
252 | end address: 419204
253 | regA: rbx
254 | regB: rax
255 | Gadget 37:
256 | start address: 41929d
257 | end address: 4192a0
258 | regA: rbx
259 | regB: rax
260 | Gadget 38:
261 | start address: 4192b8
262 | end address: 4192bb
263 | regA: rbx
264 | regB: rax
265 | Gadget 39:
266 | start address: 419384
267 | end address: 419388
268 | regA: rbx
269 | regB: r15
270 | Gadget 40:
271 | start address: 419384
272 | end address: 41938b
273 | regA: rbx
274 | regB: r15
275 | Gadget 41:
276 | start address: 41938b
277 | end address: 41938f
278 | regA: r15
279 | regB: rax
280 | Gadget 42:
281 | start address: 419391
282 | end address: 419395
283 | regA: r15
284 | regB: rax
285 | Gadget 43:
286 | start address: 4193ff
287 | end address: 419403
288 | regA: r15
289 | regB: rbx
290 | Gadget 44:
291 | start address: 4193ff
292 | end address: 419406
293 | regA: r15
294 | regB: rbx
295 | Gadget 45:
296 | start address: 419406
297 | end address: 41940a
298 | regA: rbx
299 | regB: rax
300 | Gadget 46:
301 | start address: 41940c
302 | end address: 419410
303 | regA: rbx
304 | regB: rax
305 | Gadget 47:
306 | start address: 4194d0
307 | end address: 4194da
308 | regA: rdi
309 | regB: rax
310 | Gadget 48:
311 | start address: 4194fe
312 | end address: 419502
313 | regA: r15
314 | regB: rbx
315 | Gadget 49:
316 | start address: 4194fe
317 | end address: 419505
318 | regA: r15
319 | regB: rbx
320 | Gadget 50:
321 | start address: 419505
322 | end address: 419509
323 | regA: rbx
324 | regB: rax
325 | Gadget 51:
326 | start address: 41950b
327 | end address: 41950f
328 | regA: rbx
329 | regB: rax
330 | Gadget 52:
331 | start address: 41957f
332 | end address: 419583
333 | regA: r15
334 | regB: rbx
335 | Gadget 53:
336 | start address: 41957f
337 | end address: 419586
338 | regA: r15
339 | regB: rbx
340 | Gadget 54:
341 | start address: 419586
342 | end address: 41958a
343 | regA: rbx
344 | regB: rax
345 | Gadget 55:
346 | start address: 41958c
347 | end address: 419590
348 | regA: rbx
349 | regB: rax
350 | Gadget 56:
351 | start address: 4195fe
352 | end address: 419602
353 | regA: r15
354 | regB: rbx
355 | Gadget 57:
356 | start address: 4195fe
357 | end address: 419605
358 | regA: r15
359 | regB: rbx
360 | Gadget 58:
361 | start address: 419605
362 | end address: 419609
363 | regA: rbx
364 | regB: rax
365 | Gadget 59:
366 | start address: 41960b
367 | end address: 41960f
368 | regA: rbx
369 | regB: rax
370 | Gadget 60:
371 | start address: 4196a1
372 | end address: 4196a5
373 | regA: r14
374 | regB: rax
375 | Gadget 61:
376 | start address: 4196a7
377 | end address: 4196ab
378 | regA: r14
379 | regB: rax
380 | Gadget 62:
381 | start address: 419d6f
382 | end address: 419d73
383 | regA: rbx
384 | regB: rax
385 | Gadget 63:
386 | start address: 419d75
387 | end address: 419d79
388 | regA: rbx
389 | regB: rax
390 | Gadget 64:
391 | start address: 41a9e3
392 | end address: 41a9e6
393 | regA: rdi
394 | regB: rcx
395 | Gadget 65:
396 | start address: 41a9e3
397 | end address: 41a9e9
398 | regA: rdi
399 | regB: rcx
400 | Gadget 66:
401 | start address: 41aa23
402 | end address: 41aa26
403 | regA: rdi
404 | regB: rcx
405 | Gadget 67:
406 | start address: 41aa23
407 | end address: 41aa29
408 | regA: rdi
409 | regB: rcx
410 | Gadget 68:
411 | start address: 41b962
412 | end address: 41b966
413 | regA: r13
414 | regB: rax
415 | Gadget 69:
416 | start address: 41b968
417 | end address: 41b96c
418 | regA: r13
419 | regB: rax
420 | Gadget 70:
421 | start address: 41bda8
422 | end address: 41bdac
423 | regA: rdi
424 | regB: rax
425 | Gadget 71:
426 | start address: 41be56
427 | end address: 41be5a
428 | regA: rdi
429 | regB: rax
430 | Gadget 72:
431 | start address: 41be56
432 | end address: 41be5d
433 | regA: rdi
434 | regB: rax
435 | Gadget 73:
436 | start address: 41c152
437 | end address: 41c156
438 | regA: rbx
439 | regB: rax
440 | Gadget 74:
441 | start address: 41c158
442 | end address: 41c15c
443 | regA: rbx
444 | regB: rax
445 | Gadget 75:
446 | start address: 41c4b7
447 | end address: 41c4ba
448 | regA: rsi
449 | regB: r13
450 | Gadget 76:
451 | start address: 41c5c1
452 | end address: 41c5c4
453 | regA: rsi
454 | regB: rbx
455 | Gadget 77:
456 | start address: 41c6c7
457 | end address: 41c6cb
458 | regA: rbx
459 | regB: rax
460 | Gadget 78:
461 | start address: 41c6cd
462 | end address: 41c6d1
463 | regA: rbx
464 | regB: rax
465 | Gadget 79:
466 | start address: 41c7c7
467 | end address: 41c7ca
468 | regA: rsi
469 | regB: r14
470 | Gadget 80:
471 | start address: 41c9e9
472 | end address: 41c9ed
473 | regA: rbx
474 | regB: rax
475 | Gadget 81:
476 | start address: 41c9ef
477 | end address: 41c9f3
478 | regA: rbx
479 | regB: rax
480 | Gadget 82:
481 | start address: 41ca24
482 | end address: 41ca28
483 | regA: rbx
484 | regB: rax
485 | Gadget 83:
486 | start address: 41ca2a
487 | end address: 41ca2e
488 | regA: rbx
489 | regB: rax
490 | Gadget 84:
491 | start address: 41cf85
492 | end address: 41cf89
493 | regA: rbx
494 | regB: r12
495 | Gadget 85:
496 | start address: 41cf85
497 | end address: 41cf8d
498 | regA: rbx
499 | regB: r12
500 | Gadget 86:
501 | start address: 41cf8d
502 | end address: 41cf92
503 | regA: r12
504 | regB: rax
505 | Gadget 87:
506 | start address: 41cf94
507 | end address: 41cf99
508 | regA: r12
509 | regB: rax
510 | Gadget 88:
511 | start address: 41d046
512 | end address: 41d04a
513 | regA: rbx
514 | regB: r12
515 | Gadget 89:
516 | start address: 41d046
517 | end address: 41d04e
518 | regA: rbx
519 | regB: r12
520 | Gadget 90:
521 | start address: 41d04e
522 | end address: 41d053
523 | regA: r12
524 | regB: rax
525 | Gadget 91:
526 | start address: 41d055
527 | end address: 41d05a
528 | regA: r12
529 | regB: rax
530 | Gadget 92:
531 | start address: 41d22e
532 | end address: 41d231
533 | regA: rdi
534 | regB: rsi
535 | Gadget 93:
536 | start address: 41d22e
537 | end address: 41d234
538 | regA: rdi
539 | regB: rsi
540 | Gadget 94:
541 | start address: 41d4bc
542 | end address: 41d4c0
543 | regA: rbx
544 | regB: rax
545 | Gadget 95:
546 | start address: 41d4c2
547 | end address: 41d4c6
548 | regA: rbx
549 | regB: rax
550 | Gadget 96:
551 | start address: 41dac4
552 | end address: 41dac8
553 | regA: rbx
554 | regB: rax
555 | Gadget 97:
556 | start address: 41daca
557 | end address: 41dace
558 | regA: rbx
559 | regB: rax
560 | Gadget 98:
561 | start address: 41db88
562 | end address: 41db8c
563 | regA: rbx
564 | regB: rax
565 | Gadget 99:
566 | start address: 41db8e
567 | end address: 41db92
568 | regA: rbx
569 | regB: rax
570 | Gadget 100:
571 | start address: 4200a8
572 | end address: 4200ac
573 | regA: rbx
574 | regB: rax
575 | Gadget 101:
576 | start address: 4200ae
577 | end address: 4200b2
578 | regA: rbx
579 | regB: rax
580 | Gadget 102:
581 | start address: 420156
582 | end address: 42015a
583 | regA: r15
584 | regB: rax
585 | Gadget 103:
586 | start address: 42015c
587 | end address: 420160
588 | regA: r15
589 | regB: rax
590 | Gadget 104:
591 | start address: 4233a3
592 | end address: 4233a7
593 | regA: rbx
594 | regB: rax
595 | Gadget 105:
596 | start address: 4233a9
597 | end address: 4233ad
598 | regA: rbx
599 | regB: rax
600 | Gadget 106:
601 | start address: 423544
602 | end address: 423547
603 | regA: rdi
604 | regB: rax
605 | Gadget 107:
606 | start address: 423554
607 | end address: 423557
608 | regA: rdi
609 | regB: rax
610 | Gadget 108:
611 | start address: 423bb1
612 | end address: 423bb4
613 | regA: rdi
614 | regB: rax
615 | Gadget 109:
616 | start address: 423bb1
617 | end address: 423bb7
618 | regA: rdi
619 | regB: rax
620 | Gadget 110:
621 | start address: 424e39
622 | end address: 424e45
623 | regA: r14
624 | regB: rax
625 | Gadget 111:
626 | start address: 424e58
627 | end address: 424e62
628 | regA: r14
629 | regB: rax
630 | Gadget 112:
631 | start address: 424fa2
632 | end address: 424fad
633 | regA: r14
634 | regB: rax
635 | Gadget 113:
636 | start address: 42507d
637 | end address: 425089
638 | regA: r14
639 | regB: rax
640 | Gadget 114:
641 | start address: 4251a3
642 | end address: 4251ad
643 | regA: r14
644 | regB: rax
645 | Gadget 115:
646 | start address: 4251c0
647 | end address: 4251cc
648 | regA: r14
649 | regB: rax
650 | Gadget 116:
651 | start address: 4251f2
652 | end address: 4251fc
653 | regA: r14
654 | regB: rax
655 | Gadget 117:
656 | start address: 42525b
657 | end address: 425267
658 | regA: r14
659 | regB: rax
660 | Gadget 118:
661 | start address: 425272
662 | end address: 42527e
663 | regA: r14
664 | regB: rax
665 | Gadget 119:
666 | start address: 4252a3
667 | end address: 4252ae
668 | regA: r14
669 | regB: rax
670 | Gadget 120:
671 | start address: 4255c1
672 | end address: 4255c6
673 | regA: r12
674 | regB: rax
675 | Gadget 121:
676 | start address: 4256f4
677 | end address: 4256ff
678 | regA: r12
679 | regB: rax
680 | Gadget 122:
681 | start address: 425710
682 | end address: 42571d
683 | regA: r12
684 | regB: rax
685 | Gadget 123:
686 | start address: 425743
687 | end address: 42574e
688 | regA: r12
689 | regB: rax
690 | Gadget 124:
691 | start address: 4257e1
692 | end address: 4257eb
693 | regA: r14
694 | regB: rax
695 | Gadget 125:
696 | start address: 425817
697 | end address: 425821
698 | regA: r15
699 | regB: rax
700 | Gadget 126:
701 | start address: 4258df
702 | end address: 4258e8
703 | regA: r15
704 | regB: rax
705 | Gadget 127:
706 | start address: 425c18
707 | end address: 425c1f
708 | regA: r15
709 | regB: rax
710 | Gadget 128:
711 | start address: 425c7c
712 | end address: 425c80
713 | regA: r15
714 | regB: rax
715 | Gadget 129:
716 | start address: 425de7
717 | end address: 425dee
718 | regA: r15
719 | regB: rax
720 | Gadget 130:
721 | start address: 425df9
722 | end address: 425e02
723 | regA: r15
724 | regB: rax
725 | Gadget 131:
726 | start address: 425e7b
727 | end address: 425e84
728 | regA: r15
729 | regB: rax
730 | Gadget 132:
731 | start address: 42606c
732 | end address: 426070
733 | regA: r15
734 | regB: rax
735 | Gadget 133:
736 | start address: 426109
737 | end address: 42610d
738 | regA: r15
739 | regB: rax
740 | Gadget 134:
741 | start address: 42613b
742 | end address: 42613e
743 | regA: rdi
744 | regB: rax
745 | Gadget 135:
746 | start address: 4261d7
747 | end address: 4261db
748 | regA: rdi
749 | regB: rcx
750 | Gadget 136:
751 | start address: 426328
752 | end address: 42632c
753 | regA: rsi
754 | regB: rax
755 | Gadget 137:
756 | start address: 426387
757 | end address: 42638a
758 | regA: r15
759 | regB: rax
760 | Gadget 138:
761 | start address: 426387
762 | end address: 42638e
763 | regA: r15
764 | regB: rax
765 | Gadget 139:
766 | start address: 4265bb
767 | end address: 4265be
768 | regA: rbx
769 | regB: rax
770 | Gadget 140:
771 | start address: 426708
772 | end address: 42670b
773 | regA: rbx
774 | regB: rax
775 | Gadget 141:
776 | start address: 426708
777 | end address: 426723
778 | regA: rbx
779 | regB: rax
780 | Gadget 142:
781 | start address: 426708
782 | end address: 426727
783 | regA: rbx
784 | regB: rax
785 | Gadget 143:
786 | start address: 4267bb
787 | end address: 4267be
788 | regA: rbx
789 | regB: rax
790 | Gadget 144:
791 | start address: 4268fd
792 | end address: 426900
793 | regA: rbx
794 | regB: rax
795 | Gadget 145:
796 | start address: 426931
797 | end address: 426934
798 | regA: rbx
799 | regB: rax
800 | Gadget 146:
801 | start address: 426931
802 | end address: 426938
803 | regA: rbx
804 | regB: rax
805 | Gadget 147:
806 | start address: 42694f
807 | end address: 426952
808 | regA: rbx
809 | regB: rax
810 | Gadget 148:
811 | start address: 42694f
812 | end address: 426956
813 | regA: rbx
814 | regB: rax
815 | Gadget 149:
816 | start address: 4269a4
817 | end address: 4269a7
818 | regA: rbx
819 | regB: rax
820 | Gadget 150:
821 | start address: 426b29
822 | end address: 426b2c
823 | regA: rbx
824 | regB: rax
825 | Gadget 151:
826 | start address: 426b7a
827 | end address: 426b7d
828 | regA: rbx
829 | regB: rax
830 | Gadget 152:
831 | start address: 426b7a
832 | end address: 426b81
833 | regA: rbx
834 | regB: rax
835 | Gadget 153:
836 | start address: 427035
837 | end address: 427045
838 | regA: rbx
839 | regB: rax
840 | Gadget 154:
841 | start address: 4270d4
842 | end address: 4270d7
843 | regA: rdi
844 | regB: rax
845 | Gadget 155:
846 | start address: 4270e9
847 | end address: 4270ed
848 | regA: rsi
849 | regB: rax
850 | Gadget 156:
851 | start address: 427104
852 | end address: 427108
853 | regA: rsi
854 | regB: rax
855 | Gadget 157:
856 | start address: 42711f
857 | end address: 427123
858 | regA: rsi
859 | regB: rax
860 | Gadget 158:
861 | start address: 42713a
862 | end address: 42713e
863 | regA: rsi
864 | regB: rax
865 | Gadget 159:
866 | start address: 427aee
867 | end address: 427af1
868 | regA: rdi
869 | regB: r14
870 | Gadget 160:
871 | start address: 427b02
872 | end address: 427b12
873 | regA: rbx
874 | regB: rax
875 | Gadget 161:
876 | start address: 427bd3
877 | end address: 427be3
878 | regA: rbx
879 | regB: rax
880 | Gadget 162:
881 | start address: 4282b5
882 | end address: 4282c5
883 | regA: rbx
884 | regB: rax
885 | Gadget 163:
886 | start address: 42e579
887 | end address: 42e587
888 | regA: rsi
889 | regB: rax
890 | Gadget 164:
891 | start address: 42e5bd
892 | end address: 42e5c0
893 | regA: rsi
894 | regB: rdi
895 | Gadget 165:
896 | start address: 42e5cc
897 | end address: 42e5cf
898 | regA: rsi
899 | regB: rdi
900 | Gadget 166:
901 | start address: 42e5d7
902 | end address: 42e5e0
903 | regA: rsi
904 | regB: rdi
905 | Gadget 167:
906 | start address: 42e616
907 | end address: 42e619
908 | regA: rsi
909 | regB: rdi
910 | Gadget 168:
911 | start address: 42e623
912 | end address: 42e630
913 | regA: rsi
914 | regB: rdi
915 | Gadget 169:
916 | start address: 42e64e
917 | end address: 42e651
918 | regA: rsi
919 | regB: rdi
920 | Gadget 170:
921 | start address: 42e65b
922 | end address: 42e65e
923 | regA: rsi
924 | regB: rdi
925 | Gadget 171:
926 | start address: 42e6a2
927 | end address: 42e6a6
928 | regA: rdx
929 | regB: rax
930 | Gadget 172:
931 | start address: 4314e7
932 | end address: 4314f8
933 | regA: rsi
934 | regB: rax
935 | Gadget 173:
936 | start address: 4315cf
937 | end address: 4315ec
938 | regA: rsi
939 | regB: rax
940 | Gadget 174:
941 | start address: 43414f
942 | end address: 434156
943 | regA: rsi
944 | regB: r12
945 | Gadget 175:
946 | start address: 43414f
947 | end address: 43415a
948 | regA: rsi
949 | regB: r12
950 | Gadget 176:
951 | start address: 434fdc
952 | end address: 434fed
953 | regA: r11
954 | regB: eax
955 | Gadget 177:
956 | start address: 43589f
957 | end address: 4358a2
958 | regA: rsi
959 | regB: r9
960 | Gadget 178:
961 | start address: 4358d7
962 | end address: 4358de
963 | regA: rsi
964 | regB: r8
965 | Gadget 179:
966 | start address: 435935
967 | end address: 435938
968 | regA: rsi
969 | regB: rsi
970 | 
971 | 


--------------------------------------------------------------------------------
/type2finder/results/SGX_SDK:
--------------------------------------------------------------------------------
  1 | *********************************
  2 | *********************************
  3 | *********************************
  4 | *************RESULTS:************
  5 | *********************************
  6 | *********************************
  7 | *********************************
  8 | *********************************
  9 | [regA, regB, regC] gadgets:
 10 | *********************************
 11 | Gadget 0:
 12 | start address: 404f0a
 13 | end address: 404f15
 14 | regA: rsi
 15 | regB: r9d
 16 | regC: rdi
 17 | Gadget 1:
 18 | start address: 405119
 19 | end address: 405124
 20 | regA: r8
 21 | regB: r9d
 22 | regC: rdi
 23 | Gadget 2:
 24 | start address: 406d6b
 25 | end address: 406d76
 26 | regA: rdx
 27 | regB: r12d
 28 | regC: rsi
 29 | Gadget 3:
 30 | start address: 4072d9
 31 | end address: 4072e4
 32 | regA: r8
 33 | regB: edi
 34 | regC: rbx
 35 | Gadget 4:
 36 | start address: 4073af
 37 | end address: 4073b9
 38 | regA: rsi
 39 | regB: edi
 40 | regC: rbx
 41 | Gadget 5:
 42 | start address: 407c41
 43 | end address: 407c4c
 44 | regA: rsi
 45 | regB: r10d
 46 | regC: rbx
 47 | Gadget 6:
 48 | start address: 418330
 49 | end address: 418337
 50 | regA: rdx
 51 | regB: ecx
 52 | regC: r12
 53 | Gadget 7:
 54 | start address: 4185e8
 55 | end address: 4185ef
 56 | regA: rdx
 57 | regB: ecx
 58 | regC: r12
 59 | Gadget 8:
 60 | start address: 41947a
 61 | end address: 419482
 62 | regA: rdi
 63 | regB: rax
 64 | regC: r10
 65 | *********************************
 66 | *********************************
 67 | *********************************
 68 | [regA, regB] gadgets:
 69 | *********************************
 70 | Gadget 0:
 71 | start address: 400f71
 72 | end address: 400f7d
 73 | regA: r14
 74 | regB: rdi
 75 | Gadget 1:
 76 | start address: 400f87
 77 | end address: 400f9b
 78 | regA: r14
 79 | regB: rdi
 80 | Gadget 2:
 81 | start address: 400fbe
 82 | end address: 400fca
 83 | regA: r14
 84 | regB: rdi
 85 | Gadget 3:
 86 | start address: 400fef
 87 | end address: 400ffb
 88 | regA: r14
 89 | regB: rdi
 90 | Gadget 4:
 91 | start address: 404b33
 92 | end address: 404b37
 93 | regA: rbx
 94 | regB: rdx
 95 | Gadget 5:
 96 | start address: 404b33
 97 | end address: 404b3e
 98 | regA: rbx
 99 | regB: rdx
100 | Gadget 6:
101 | start address: 404cd8
102 | end address: 404cdf
103 | regA: rdi
104 | regB: r8
105 | Gadget 7:
106 | start address: 4055d7
107 | end address: 4055db
108 | regA: r8
109 | regB: rax
110 | Gadget 8:
111 | start address: 40583c
112 | end address: 405840
113 | regA: r10
114 | regB: rax
115 | Gadget 9:
116 | start address: 407942
117 | end address: 407960
118 | regA: r14
119 | regB: r8
120 | Gadget 10:
121 | start address: 40b1e7
122 | end address: 40b1f8
123 | regA: rsi
124 | regB: rax
125 | Gadget 11:
126 | start address: 40b2cf
127 | end address: 40b2ec
128 | regA: rsi
129 | regB: rax
130 | Gadget 12:
131 | start address: 417e7f
132 | end address: 417e86
133 | regA: rsi
134 | regB: r12
135 | Gadget 13:
136 | start address: 417e7f
137 | end address: 417e8a
138 | regA: rsi
139 | regB: r12
140 | Gadget 14:
141 | start address: 418efc
142 | end address: 418f0d
143 | regA: r11
144 | regB: eax
145 | Gadget 15:
146 | start address: 41984f
147 | end address: 419852
148 | regA: rsi
149 | regB: r9
150 | Gadget 16:
151 | start address: 419887
152 | end address: 41988e
153 | regA: rsi
154 | regB: r8
155 | Gadget 17:
156 | start address: 4198e5
157 | end address: 4198e8
158 | regA: rsi
159 | regB: rsi
160 | 
161 | 


--------------------------------------------------------------------------------
/type2finder/test.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # For example SGX SDK enclave file test:
 4 | python main.py "./libenclave.signed.so"
 5 | 
 6 | # For example Rust SGX SDK enclave file test:
 7 | #python main.py "./enclave.signed.so"
 8 | 
 9 | # For example Graphene-SGX enclave file test:
10 | #python main.py "./libpal-Linux-SGX.so"
11 | 


--------------------------------------------------------------------------------