smallworld-re 1.0.0__py3-none-any.whl

smallworld/emulators/angr/machdefs/riscv.py

@@ -0,0 +1,261 @@
+import typing
+
+import angr
+import archinfo
+
+from ....platforms import Architecture, Byteorder
+from .machdef import AngrMachineDef
+
+# angr has no default calling convention for RISCV64
+# Let's fix that.
+
+
+class SimCCRISCV64(angr.calling_conventions.SimCC):
+    ARG_REGS = ["a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7"]
+    FP_ARG_REGS = ["fa0", "fa1", "fa2", "fa3", "fa4", "fa5", "fa6", "fa7"]
+    RETURN_VAL = angr.calling_conventions.SimRegArg("a0", 8)
+    RETURN_ADDR = angr.calling_conventions.SimRegArg("ra", 8)
+    # angr doesn't type this field correctly
+    ARCH = archinfo.ArchRISCV64  # type: ignore[assignment]
+
+
+angr.calling_conventions.register_default_cc("RISCV64", SimCCRISCV64)
+
+# angr ALSO has no default syscall calling convention for RISCV64
+# Let's fix that
+
+
+class SimCCRISCV64LinuxSyscall(angr.calling_conventions.SimCCSyscall):
+    # Since the RISCV peeps don't seem to have written their kernel ABI,
+    # I RE'd the syscall convention from glibc.
+    # It looks like they use the same arg and return regs,
+    # except that they repurpose a7 as the syscall number.
+    ARG_REGS = ["a0", "a1", "a2", "a3", "a4", "a5", "a6"]
+    FP_ARG_REGS: typing.List[str] = []
+    RETURN_VAL = angr.calling_conventions.SimRegArg("a0", 8)
+    RETURN_ADDR = angr.calling_conventions.SimRegArg("ip_at_syscall", 4)
+    # angr doesn't type this field correctly
+    ARCH = archinfo.ArchRISCV64  # type: ignore[assignment]
+
+    @classmethod
+    def _match(cls, arch, args, sp_data):
+        # Never match; only occurs durring syscalls
+        return False
+
+    @staticmethod
+    def syscall_num(state):
+        return state.regs.a7
+
+
+angr.calling_conventions.register_syscall_cc(
+    "RISCV64", "default", SimCCRISCV64LinuxSyscall
+)
+
+
+class RISCV64MachineDef(AngrMachineDef):
+    arch = Architecture.RISCV64
+    byteorder = Byteorder.LITTLE
+
+    angr_arch = archinfo.ArchRISCV64()
+
+    pc_reg = "pc"
+
+    _registers = {
+        # *** General-Purpose Registers ***
+        # x0 is wired to 0, and aliased as "zero"
+        "x0": "x0",
+        "zero": "zero",
+        # x1 acts as the link register
+        # NOTE: ra is the official name; lr might be an angr invention.
+        "x1": "x1",
+        "ra": "ra",
+        # x2 acts as the stack pointer
+        "x2": "x2",
+        "sp": "sp",
+        # x3 acts as the global pointer
+        "x3": "x3",
+        "gp": "gp",
+        # x4 acts as the thread pointer
+        "x4": "x4",
+        "tp": "tp",
+        # x5 is a temporary register
+        "x5": "x5",
+        "t0": "t0",
+        # x6 is a temporary register
+        "x6": "x6",
+        "t1": "t1",
+        # x7 is a temporary register
+        "x7": "x7",
+        "t2": "t2",
+        # x8 is a callee-saved register
+        "x8": "x8",
+        "s0": "s0",
+        # x9 is a callee-saved register
+        "x9": "x9",
+        "s1": "s1",
+        # x10 is argument 0
+        "x10": "x10",
+        "a0": "a0",
+        # x11 is argument 1
+        "x11": "x11",
+        "a1": "a1",
+        # x12 is argument 2
+        "x12": "x12",
+        "a2": "a2",
+        # x13 is argument 3
+        "x13": "x13",
+        "a3": "a3",
+        # x14 is argument 4
+        "x14": "x14",
+        "a4": "a4",
+        # x15 is argument 5
+        "x15": "x15",
+        "a5": "a5",
+        # x16 is argument 6
+        "x16": "x16",
+        "a6": "a6",
+        # x17 is argument 7
+        "x17": "x17",
+        "a7": "a7",
+        # x18 is a callee-saved register
+        "x18": "x18",
+        "s2": "s2",
+        # x19 is a callee-saved register
+        "x19": "x19",
+        "s3": "s3",
+        # x20 is a callee-saved register
+        "x20": "x20",
+        "s4": "s4",
+        # x21 is a callee-saved register
+        "x21": "x21",
+        "s5": "s5",
+        # x22 is a callee-saved register
+        "x22": "x22",
+        "s6": "s6",
+        # x23 is a callee-saved register
+        "x23": "x23",
+        "s7": "s7",
+        # x24 is a callee-saved register
+        "x24": "x24",
+        "s8": "s8",
+        # x25 is a callee-saved register
+        "x25": "x25",
+        "s9": "s9",
+        # x26 is a callee-saved register
+        "x26": "x26",
+        "s10": "s10",
+        # x27 is a callee-saved register
+        "x27": "x27",
+        "s11": "s11",
+        # x28 is a temporary register
+        "x28": "x28",
+        "t3": "t3",
+        # x29 is a temporary register
+        "x29": "x29",
+        "t4": "t4",
+        # x30 is a temporary register
+        "x30": "x30",
+        "t5": "t5",
+        # x31 is a temporary register
+        "x31": "x31",
+        "t6": "t6",
+        # *** Program Counter ***
+        "pc": "pc",
+        # *** Floating-Point Registers ***
+        # f0 is a temporary register
+        "f0": "f0",
+        "ft0": "ft0",
+        # f1 is a temporary register
+        "f1": "f1",
+        "ft1": "ft1",
+        # f2 is a temporary register
+        "f2": "f2",
+        "ft2": "ft2",
+        # f3 is a temporary register
+        "f3": "f3",
+        "ft3": "ft3",
+        # f4 is a temporary register
+        "f4": "f4",
+        "ft4": "ft4",
+        # f5 is a temporary register
+        "f5": "f5",
+        "ft5": "ft5",
+        # f6 is a temporary register
+        "f6": "f6",
+        "ft6": "ft6",
+        # f7 is a temporary register
+        "f7": "f7",
+        "ft7": "ft7",
+        # f8 is a callee saved register
+        "f8": "f8",
+        "fs0": "fs0",
+        # f9 is a callee saved register
+        "f9": "f9",
+        "fs1": "fs1",
+        # f10 is argument 0
+        "f10": "f10",
+        "a0": "a0",
+        # f11 is argument 1
+        "f11": "f11",
+        "a1": "a1",
+        # f12 is argument 2
+        "f12": "f12",
+        "a2": "a2",
+        # f13 is argument 3
+        "f13": "f13",
+        "a3": "a3",
+        # f14 is argument 4
+        "f14": "f14",
+        "a4": "a4",
+        # f15 is argument 5
+        "f15": "f15",
+        "a5": "a5",
+        # f16 is argument 6
+        "f16": "f16",
+        "a6": "a6",
+        # f7 is argument 7
+        "f17": "f17",
+        "a7": "a7",
+        # f18 is a callee-saved register
+        "f18": "f18",
+        "fs2": "fs2",
+        # f19 is a callee-saved register
+        "f19": "f19",
+        "fs3": "fs3",
+        # f20 is a callee-saved register
+        "f20": "f20",
+        "fs4": "fs4",
+        # f21 is a callee-saved register
+        "f21": "f21",
+        "fs5": "fs5",
+        # f22 is a callee-saved register
+        "f22": "f22",
+        "fs6": "fs6",
+        # f23 is a callee-saved register
+        "f23": "f23",
+        "fs7": "fs7",
+        # f24 is a callee-saved register
+        "f24": "f24",
+        "fs8": "fs8",
+        # f25 is a callee-saved register
+        "f25": "f25",
+        "fs9": "fs9",
+        # f26 is a callee-saved register
+        "f26": "f26",
+        "fs10": "fs10",
+        # f27 is a callee-saved register
+        "f27": "f27",
+        "fs11": "fs11",
+        # f28 is a temporary register
+        "f28": "f28",
+        "ft8": "ft8",
+        # f29 is a temporary register
+        "f29": "f29",
+        "ft9": "ft9",
+        # f30 is a temporary register
+        "f30": "f30",
+        "ft10": "ft10",
+        # f31 is a temporary register
+        "f31": "f31",
+        "ft11": "ft11",
+    }

smallworld/emulators/angr/machdefs/xtensa.py

@@ -0,0 +1,255 @@
+import enum
+import typing
+
+import angr
+import pypcode
+
+from ....exceptions import EmulationError
+from ....platforms import Architecture, Byteorder
+from .machdef import PcodeMachineDef
+
+
+def handle_nop(irsb, i):
+    # This op has no impact on user-facing machine state.
+    irsb._ops.pop(i)
+    return i
+
+
+def handle_sigtrap(irsb, i):
+    # This op should terminate this block with SIGTRAP
+    next_addr = irsb._ops[i - 1].inputs[0].offset + 3
+    irsb._ops = irsb._ops[0:i]
+    irsb.next = next_addr
+    irsb._size = next_addr - irsb.addr
+    irsb._instruction_addresses = list(
+        filter(lambda x: x < next_addr, irsb._instruction_addresses)
+    )
+    irsb.jumpkind = "Ijk_SigTRAP"
+    return i
+
+
+def handle_sigill(irsb, i):
+    # This op should terminate this block with SIGILL
+    next_addr = irsb._ops[i - 1].inputs[0].offset + 3
+    irsb._ops = irsb._ops[0:i]
+    irsb.next = next_addr
+    irsb._size = next_addr - irsb.addr
+    irsb._instruction_addresses = list(
+        filter(lambda x: x < next_addr, irsb._instruction_addresses)
+    )
+    irsb.jumpkind = "Ijk_SigILL"
+    return i
+
+
+def handle_syscall(irsb, i):
+    # This op should terminate this block with a syscall
+    next_addr = irsb._ops[i - 1].inputs[0].offset + 3
+    irsb._ops = irsb._ops[0:i]
+    irsb.next = next_addr
+    irsb._size = next_addr - irsb.addr
+    irsb._instruction_addresses = list(
+        filter(lambda x: x < next_addr, irsb._instruction_addresses)
+    )
+    irsb.jumpkind = "Ijk_Sys_syscall"
+
+    return i
+
+
+def handle_nope(irsb, i):
+    # This op cannot be handled by angr
+    userop = XtensaUserOp(irsb._ops[i].inputs[0].offset)
+    raise EmulationError(f"Unhandled user op {userop!r}")
+
+
+def handle_unimpl(irsb, i):
+    # I don't know what this op does yet
+    userop = XtensaUserOp(irsb._ops[i].inputs[0].offset)
+    raise EmulationError(f"Unimplemented user op {userop!r}")
+
+
+class UpdatedEnumMeta(enum.EnumMeta):
+    def __contains__(cls, obj):
+        if isinstance(obj, int):
+            return obj in cls._value2member_map_
+        return enum.EnumMeta.__contains__(enum.EnumMeta, obj)
+
+
+class XtensaUserOp(enum.IntEnum, metaclass=UpdatedEnumMeta):
+    def __new__(
+        cls, val: int, name: str = "", handler: typing.Any = None, desc: str = ""
+    ):
+        obj = int.__new__(cls, val)
+        obj._value_ = val
+        obj.short_name = name
+        obj.handler = handler
+        obj.description = desc
+        return obj
+
+    def __init__(
+        self, val: int, name: str = "", handler: typing.Any = None, desc: str = ""
+    ):
+        self._value_: int = val
+        self.short_name: str = name
+        self.handler: typing.Any = handler
+        self.description: str = desc
+
+    def __repr__(self):
+        return f"{hex(self.value)}: {self.short_name} - {self.description}"
+
+    BREAKPOINT = 0x00, "breakpoint", handle_sigtrap, "Breakpoint Instruction"
+    DHI = 0x01, "dhi", handle_nop, "Data Cache Hit Invalidate"
+    DHU = 0x02, "dhu", handle_nop, "Data Cache Hit Unlock"
+    DHWB = 0x03, "dhwb", handle_nop, "Data Cache Hit Writeback"
+    DHWBI = 0x04, "dhwbi", handle_nop, "Data Cache Hit Writeback Invalidate"
+    DII = 0x05, "dii", handle_nop, "Data Cache Index Invalidate"
+    DIU = 0x06, "diu", handle_nop, "Data Cache Index Unlock"
+    DIWB = 0x07, "diwb", handle_nop, "Data Cache Index Writeback"
+    DIWBI = 0x08, "diwbi", handle_nop, "Data Cache Index Writeback Invalidate"
+    DPFL = 0x09, "dpfl", handle_nop, "Data Cache Prefetch And Lock"
+    DPFR = 0x0A, "dpfr", handle_nop, "Data Cache Prefetch For Read"
+    DPFRO = 0x0B, "dpfro", handle_nop, "Data Cache Prefetch For Read Once"
+    DPFW = 0x0C, "dpfw", handle_nop, "Data Cache Prefetch For Write"
+    DPFWO = 0x0D, "dpfwo", handle_nop, "Data Cache Prefetch For Write Once"
+    DSYNC = 0x0E, "dsync", handle_nop, "Load/Store Synchronize"
+    ESYNC = 0x0F, "esync", handle_nop, "Execute Synchronize"
+    EXCW = 0x10, "excw", handle_sigtrap, "Exception Wait"
+    EXTW = 0x11, "extw", handle_sigtrap, "External Wait"
+    IDTLB = 0x12, "idtlb", handle_nop, "Invalidate Data TLB Entry"
+    IHI = 0x13, "ihi", handle_nop, "Instruction Cache Hit Invalidate"
+    IHU = 0x14, "ihu", handle_nop, "Instruction Cache Hit Unlock"
+    III = 0x15, "iii", handle_nop, "Instruction Cache Index Invalidate"
+    IITLB = 0x16, "iitlb", handle_nop, "Invalidate Instruction TLB Entry"
+    IIU = 0x17, "iiu", handle_nop, "Instruction Cache Index Unlock"
+    ILL = 0x18, "ill", handle_sigill, "Illegal Instruction"
+    IPF = 0x19, "ipf", handle_nop, "Instruction Cache Prefetch"
+    IPFL = 0x1A, "ipfl", handle_nop, "Instruction Cache Prefetch And Lock"
+    ISYNC = 0x1B, "isync", handle_nop, "Instruction Fetch Synchronize"
+    ACQUIRE = 0x1C, "acquire", handle_unimpl, "???"
+    LDCT = 0x1D, "ldct", handle_nope, "Load Data Cache Tag"
+    LICT = 0x1E, "lict", handle_nope, "Load Instruction Cache Tag"
+    LICW = 0x1F, "licw", handle_nope, "Load Instruction Cache Word"
+    MEMW = 0x20, "memw", handle_sigtrap, "Memory Wait"
+    NSA = 0x21, "nsa", handle_unimpl, "Normalization Shift Amount"
+    NSAU = 0x22, "nsau", handle_unimpl, "Normalization Shift Amount Unsigned"
+    PDTLB = 0x23, "pdtlb", handle_nope, "Probe Data TLB"
+    PITLB = 0x24, "pitlb", handle_nope, "Probe Instruction TLB"
+    RDTLB0 = 0x25, "rdtlb0", handle_nope, "Read Data TLB Entry Virtual"
+    RDTLB1 = 0x26, "rdtlb1", handle_nope, "Read Data TLB Entry Translation"
+    RER = 0x27, "rer", handle_nope, "Read External Register"
+    RESTORE4 = 0x28, "restore4", handle_unimpl, "???"
+    RESTORE8 = 0x29, "restore8", handle_unimpl, "???"
+    RESTORE12 = 0x2A, "restore12", handle_unimpl, "???"
+    RFDD = 0x2B, "rfdd", handle_nope, "Return from Debug and Dispatch"
+    RFDE = 0x2C, "rfde", handle_nope, "Return from Double Exception"
+    RFDO = 0x2D, "rfdo", handle_nope, "Return from Debug Operation"
+    RFE = 0x2E, "rfe", handle_nope, "Return from Exception"
+    RFI = 0x2F, "rfi", handle_nope, "Return from Interrupt"
+    RFME = 0x30, "rfme", handle_nope, "Return from Memory Error"
+    RFUE = 0x31, "rfue", handle_nope, "Return from User Exception"
+    RFWO = 0x32, "rfwo", handle_nope, "Return from Window Overflow"
+    RFWU = 0x33, "rfwu", handle_nope, "Return from Window Underflow"
+    RITLB0 = 0x34, "ritlb0", handle_nope, "Read Instruction TLB Entry Virtual"
+    RITLB1 = 0x35, "ritlb1", handle_nope, "Read Instruction TLB Entry Translation"
+    RSIL = 0x36, "rsil", handle_nope, "Read and Set Interrupt Level"
+    RSR = 0x37, "rsr", handle_unimpl, "Read Special Register"
+    RSYNC = 0x38, "rsync", handle_nop, "Register Read Synchronize"
+    RUR = 0x39, "rur", handle_unimpl, "Read User Register"
+    S32C1I = 0x3A, "s32c1i", handle_unimpl, "Store 32-bit compare conditional"
+    RELEASE = 0x3B, "release", handle_unimpl, "???"
+    RESTOREREGWINDOW = 0x3C, "restoreregwindow", handle_unimpl, "???"
+    ROTATEREGWINDOW = 0x3D, "rotateregwindow", handle_unimpl, "???"
+    SDCT = 0x3E, "sdct", handle_nope, "Store Data Cache Tag"
+    SICT = 0x3F, "sict", handle_nope, "Store Instruction Cache Tag"
+    SICW = 0x40, "sicw", handle_nope, "Store Instruction Cache Word"
+    SIMCALL = 0x41, "simcall", handle_nop, "Simulator Call"
+    SYSCALL = 0x42, "syscall", handle_syscall, "System Call"
+    SWAP4 = 0x43, "swap4", handle_unimpl, "???"
+    SWAP8 = 0x44, "swap8", handle_unimpl, "???"
+    SWAP12 = 0x45, "swap12", handle_unimpl, "???"
+    WAITI = 0x46, "waiti", handle_sigtrap, "Wait for Interrupt"
+    WDTLB = 0x47, "wdtlb", handle_nop, "Write Data TLB Entry"
+    WER = 0x48, "wer", handle_nop, "Write External Register"
+    WITLB = 0x49, "witlb", handle_nop, "Write Instruction TLB Entry"
+    WSR = 0x4A, "wsr", handle_unimpl, "Write Special Register"
+    WUR = 0x4B, "wur", handle_unimpl, "Write User Register"
+    XSR = 0x4C, "xsr", handle_unimpl, "Exchange Special Register"
+
+
+# Angr doesn't have a syscall calling convention for xtensa.
+# Remedy that situation.
+class SimCCXtensaLinuxSyscall(angr.calling_conventions.SimCCSyscall):
+    ARG_REGS = ["a6", "a3", "a4", "a5", "a8", "a9"]
+    FP_ARG_REGS: typing.List[str] = []
+    RETURN_VAL = angr.calling_conventions.SimRegArg("a2", 4)
+    RETURN_ADDR = angr.calling_conventions.SimRegArg("ip_at_syscall", 4)
+    ARCH = None
+
+    @classmethod
+    def _match(cls, arch, args, sp_data):
+        # Never match; only occurs durring syscalls
+        return False
+
+    @staticmethod
+    def syscall_num(state):
+        return state.regs.a2
+
+
+angr.calling_conventions.register_syscall_cc(
+    "Xtensa:LE:32:default", "default", SimCCXtensaLinuxSyscall
+)
+
+
+class XTensaMachineDef(PcodeMachineDef):
+    arch = Architecture.XTENSA
+    _registers = {f"a{i}": f"a{i}" for i in range(0, 16)} | {"pc": "pc", "sar": "sar"}
+    pc_reg = "pc"
+
+    def successors(self, state: angr.SimState, **kwargs) -> typing.Any:
+        # xtensa includes a _LOT_ of custom pcode operations.
+
+        # Fetch or compute the IR block for our state
+        if "irsb" in kwargs and kwargs["irsb"] is not None:
+            # Someone's already specified an IR block.
+            irsb = kwargs["irsb"]
+        else:
+            # Disable optimization; it doesn't work
+            kwargs["opt_level"] = 0
+
+            # Compute the block from the state.
+            # Pray to the Powers that kwargs are compatible.
+            irsb = state.block(**kwargs).vex
+
+        i = 0
+        while i < len(irsb._ops):
+            op = irsb._ops[i]
+            if op.opcode == pypcode.OpCode.CALLOTHER:
+                # This is a user-defined Pcode op.
+                # Alter irsb to mimic its behavior, if we can.
+                opnum = op.inputs[0].offset
+
+                if opnum not in XtensaUserOp:
+                    # Not a userop.
+                    raise EmulationError(f"Undefined user op {hex(opnum)}")
+                # get the enum struct
+                userop = XtensaUserOp(opnum)
+
+                # Invoke the handler
+                i = userop.handler(irsb, i)
+            else:
+                i += 1
+
+        # Force the engine to use our IR block
+        kwargs["irsb"] = irsb
+
+        # Turn the crank on the engine
+        return super().successors(state, **kwargs)
+
+
+class XTensaELMachineDef(XTensaMachineDef):
+    byteorder = Byteorder.LITTLE
+    pcode_language = "Xtensa:LE:32:default"
+
+
+class XTensaBEMachineDef(XTensaMachineDef):
+    byteorder = Byteorder.BIG
+    pcode_language = "Xtensa:BE:32:default"

smallworld/emulators/angr/memory/__init__.py

@@ -0,0 +1,7 @@
+from .default import DefaultMemoryPlugin
+from .memtrack import TrackerMemoryMixin
+
+__all__ = [
+    "DefaultMemoryPlugin",
+    "TrackerMemoryMixin",
+]

smallworld/emulators/angr/memory/default.py

@@ -0,0 +1,10 @@
+import angr
+
+from .fixups import FixupMemoryMixin
+from .memtrack import TrackerMemoryMixin
+
+
+class DefaultMemoryPlugin(  # type: ignore[misc]
+    TrackerMemoryMixin, FixupMemoryMixin, angr.storage.DefaultMemory
+):
+    pass

smallworld/emulators/angr/memory/fixups.py

@@ -0,0 +1,43 @@
+from angr.storage.memory_mixins.memory_mixin import MemoryMixin
+
+
+class FixupMemoryMixin(MemoryMixin):
+    """Mixin providing some basic bug-fixed/feature improvements
+
+    angr doesn't always behave as I'd expect.
+    This mixin helps things a little.
+    """
+
+    def _concretize_addr(self, supercall, addr, strategies=None, condition=None):
+        # Handle potential errors durring concretization
+        # This works the same for reads and writes, so why duplicate code?
+
+        if not self.state.solver.satisfiable():
+            # This state isn't satisfiable; concretization is impossible, but irrelevant.
+            #
+            # Under some conditions of which I'm uncertain,
+            # the concretizer will try to run even if the state is already unsat.
+            # Since the concretizer relies on the solver,
+            # it fails with a big ole' fatal exception.
+            #
+            # The successor computation will eventually kill these states anyway,
+            # so just return a dummy value to keep things running.
+            return [0xDEAD0000]
+
+        return supercall(addr, strategies=strategies, condition=condition)
+
+    def concretize_read_addr(self, addr, strategies=None, condition=None):
+        return self._concretize_addr(
+            super().concretize_read_addr,
+            addr,
+            strategies=strategies,
+            condition=condition,
+        )
+
+    def concretize_write_addr(self, addr, strategies=None, condition=None):
+        return self._concretize_addr(
+            super().concretize_write_addr,
+            addr,
+            strategies=strategies,
+            condition=condition,
+        )

smallworld/emulators/angr/memory/memtrack.py

@@ -0,0 +1,105 @@
+import logging
+
+from angr.storage.memory_mixins.memory_mixin import MemoryMixin
+
+from ..utils import reg_name_from_offset
+
+log = logging.getLogger(__name__)
+
+
+class TrackerMemoryMixin(MemoryMixin):
+    """Memory mixin for tracking used data.
+
+    Printing every AMD64 register is a pain,
+    and finding used memory in angr is a pain.
+    This tracks which parts of memory are in use,
+    mostly to avoid overprinting.
+
+    NOTE: This class needs to go in a pretty specific place in a memory mixin hierarchy.
+
+    It needs to go above anything that overrides _default_value(),
+    or else it will pick up defaulting addresses before they are defined,
+    possibly resulting in recursive calls if you try to use pp().
+
+    Conversely, it should go below anything that alters
+    what is actually getting passed to the default memory mixins,
+    such as changes to address concretization.
+    """
+
+    def __init__(self, **kwargs):
+        super().__init__(**kwargs)
+        self.dirty = dict()
+        self.dirty_addrs = set()
+
+    @MemoryMixin.memo
+    def copy(self, memo):
+        o = super().copy(memo)
+        o.dirty = dict()
+        o.dirty.update(self.dirty)
+        o.dirty_addrs = set()
+        o.dirty_addrs.update(self.dirty_addrs)
+        return o
+
+    def _track_memory(self, addr, size):
+        """Mark a memory range as 'in-use'"""
+        # TODO: Make this more efficient
+        # Detecting overlapping ranges is a pain.
+        # This implementation is easy, but its memory usage
+        # and runtime cost will explode violently
+        # if large amounts of memory are in use.
+        track = False
+        for i in range(0, size):
+            if not track and addr + i not in self.dirty_addrs:
+                track = True
+                self.dirty[addr] = size
+            self.dirty_addrs.add(addr + i)
+        if track:
+            log.debug(f"Tracking {addr:x}, {size}")
+
+    def _default_value(self, addr, size, **kwargs):
+        out = super()._default_value(addr, size, **kwargs)
+        self._track_memory(addr, size)
+        return out
+
+    def _store_one_addr(
+        self, concrete_addr, data, trivial, addr, condition, size, **kwargs
+    ):
+        out = super()._store_one_addr(
+            concrete_addr, data, trivial, addr, condition, size, **kwargs
+        )
+        self._track_memory(concrete_addr, size)
+        return out
+
+    def pp(self, log):
+        addrs = list(self.dirty.keys())
+        addrs.sort()
+        for addr in addrs:
+            code = False
+            size = self.dirty[addr]
+            if self.id == "reg":
+                name = reg_name_from_offset(self.state.arch, addr, size)
+            else:
+                name = f"0x{addr:x}"
+            if code:
+                log(f"\t{name}: <code [{hex(size)} bytes]>")
+            else:
+                val = self.load(addr, size, disable_actions=True)
+                log(f"\t{name}: {val}")
+
+    def create_hint(self):
+        if self.id == "reg":
+            return {
+                reg_name_from_offset(self.state.arch, addr, self.dirty[addr]): str(
+                    self.load(addr, self.dirty[addr], disable_actions=True)
+                )
+                for addr in list(self.dirty.keys())
+            }
+        else:
+            return {
+                addr: str(
+                    self.load(
+                        addr, self.dirty[addr], disable_actions=True, inspect=False
+                    )
+                )
+                for addr in list(self.dirty.keys())
+            }