本文整理汇总了 Python 中 claripy.BVS 的典型用法代码示例。如果您想了解 claripy.BVS 的具体用法、怎么使用或使用的例子,这里精选的代码示例或许可以为您提供帮助。您也可以进一步了解 claripy 模块的其他用法示例。
在下文中一共展示了claripy.BVS属性的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: set_register
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
def set_register(self, register, chain, value_var):
    """Constrain a copy of the crash so the chain payload sits in memory and
    the instruction-pointer variable equals a fixed marker value.

    :param register: register name added to the reported ``registers`` mapping
    :param chain: chain object; rebound to the chain returned by
        ``self._ip_overwrite_with_chain``
    :param value_var: accepted but never read in this method
    :return: ``CHESSExploitControl`` built from the constrained crash copy
    """
    marker = 0xc0debabe
    ip_var = claripy.BVS('ip_value', self.crash.project.arch.bits, explicit_name=True)

    chain, chain_addr = self._ip_overwrite_with_chain(chain, assert_next_ip_controlled=True)
    l.debug("attempting to insert chain of length %d", len(chain.payload_str()))

    crash_copy = self.crash.copy()

    # add the constraints introduced by rop, leaving out every constraint
    # that mentions a variable whose name starts with "next_addr"
    rop_constraints = []
    for constraint in chain._blank_state.solver.constraints:
        if any(name.startswith("next_addr") for name in constraint.variables):
            continue
        rop_constraints.append(constraint)
    crash_copy.state.solver.add(*rop_constraints)

    chain.add_value(ip_var)
    chain_bv = chain.payload_bv()

    # len(chain_bv) is divided by 8 before the load, i.e. the load size is
    # taken to be in bytes while the payload length is in bits
    chain_mem = crash_copy.state.memory.load(chain_addr, len(chain_bv) // 8)
    crash_copy.state.add_constraints(chain_mem == chain_bv)
    crash_copy.state.add_constraints(ip_var == marker)

    # NOTE(review): the 'rip' key is hard-coded although ip_var takes its
    # width from the project architecture -- confirm non-64-bit targets
    # are not expected here.
    return CHESSExploitControl(crash_copy, True, False, registers={'rip': marker, register: marker})
示例2: main
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
def main(argv):
    """Fill-in-the-blank scaffold that defines a replacement for scanf.

    Every ``???`` and the bare ``...`` are blanks left for the reader, so the
    listing does not parse as Python until they are replaced.

    :param argv: argument list; ``argv[1]`` is used as the path of the binary
    """
    # argv[1] is read without a length check; a missing argument raises IndexError
    path_to_binary = argv[1]
    project = angr.Project(path_to_binary)
    # You can either use a blank state or an entry state; just make sure to start
    # at the beginning of the program.
    initial_state = ???

    class ReplacementScanf(angr.SimProcedure):
        # Hint: scanf("%u %20s")
        def run(self, format_string, ...???):
            # %u
            scanf0 = claripy.BVS('scanf0', ???)
            # %20s
            scanf1 = claripy.BVS('scanf1', ???)
            # chop(bits=8) walks the symbolic string in 8-bit pieces; each piece
            # is bounded below and above by the two blanks
            for char in scanf1.chop(bits=8):
                self.state.add_constraints(char >= ???, char <= ???)
            scanf0_address = ???
            # the store uses the project's memory endianness
            self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
            ...
            # whatever is assigned here is kept in the state's globals under 'solutions'
            self.state.globals['solutions'] = ???
示例3: addr_concrete_after
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
def addr_concrete_after(self, state):
    """
    Hook for address concretization

    Overrides the concretization result with the single target returned by
    ``self._get_target_concretization``. When the address expression mentions
    the taint buffer, the dereference is recorded on ``self`` and, for loads,
    a fresh symbolic variable is stored at the chosen address.

    :param state: Program state
    """
    inspect = state.inspect
    addr_expr = inspect.address_concretization_expr
    inspect.address_concretization_result = [self._get_target_concretization(addr_expr, state)]

    # the taint check is a substring match on the expression's string form
    if self._taint_buf not in str(addr_expr):
        return

    # a tainted buffer's location is used as address
    self._set_deref_bounds(addr_expr)
    self._deref_taint_address = True
    self._deref_addr_expr = addr_expr
    self._deref_instruction = state.ip.args[0]

    # NOTE(review): the listing lost its indentation; the load handling is
    # read as nested under the taint check because it uses self._deref.
    if inspect.address_concretization_action != 'load':
        return

    lower, upper = self._deref[0], self._deref[1]
    name = "".join(("cnt_pt_by(", self._taint_buf, ' [', str(lower), ', ', str(upper), ']', ")"))
    # NOTE(review): mem_read_length looks like a byte count in angr's inspect
    # API, while BVS takes a width in bits -- confirm the unit.
    bits = inspect.mem_read_length
    var = claripy.BVS(name, bits)
    state.memory.store(inspect.address_concretization_result[0], var)
示例4: memcpy
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
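def memcpy(_core, old_path, new_path):
    """Taint summary for memcpy: taint the destination when a source is tainted.

    The check is a substring match of ``_core._taint_buf`` against the string
    form of r1, of the memory loaded from r1, and of r2. On a match a fresh
    symbolic variable named after the taint buffer is stored at r0.
    Un-tainting is not implemented (see the FIXMEs).

    :param _core: object providing ``_taint_buf`` and ``_taint_buf_size``
    :param old_path: unused
    :param new_path: path whose state memory receives the tainted value
    :return: None
    """
    import logging

    # FIXME do taint untaint!
    cp_new_p = new_path.copy()
    try:
        # if the second parameter is tainted (or pointing to a tainted location)
        # or the third is tainted, we taint the first too
        # NOTE(review): r0/r1/r2 are presumably the three memcpy arguments on
        # the analysed architecture -- confirm against the caller.
        if _core._taint_buf in str(cp_new_p.state.regs.r1) or \
                _core._taint_buf in str(cp_new_p.state.memory.load(cp_new_p.state.regs.r1)) or \
                _core._taint_buf in str(cp_new_p.state.regs.r2):
            t = claripy.BVS(_core._taint_buf, _core._taint_buf_size).reversed
            new_path.state.memory.store(new_path.state.regs.r0, t)
    except Exception:
        # Still best-effort, but no longer a bare `except:`: KeyboardInterrupt
        # and SystemExit now propagate, and the failure is logged because a
        # silently skipped propagation means the destination stays untainted
        # (a missed finding rather than a visible error).
        logging.getLogger(__name__).debug("memcpy taint propagation failed", exc_info=True)
    # FIXME: do the untaint part!
    return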
示例5: register_variable
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
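def register_variable(self, v, key, eternal=True):
    """
    Register a value with the variable tracking system

    :param v:       The BVS to register
    :param key:     A tuple to register the variable under (tuple subclasses
                    such as namedtuples are accepted)
    :param eternal: Whether this is an eternal variable, default True. If False, an incrementing counter will be
                    appended to the key.
    :raises TypeError: if ``key`` is not a tuple
    """
    # isinstance instead of an exact type() comparison, so namedtuple keys work
    if not isinstance(key, tuple):
        raise TypeError("Variable tracking key must be a tuple")

    if eternal:
        self.eternal_tracked_variables[key] = v
        return

    # rebind to a fresh dict before writing, so any other holder of the
    # previous mapping object does not see this registration
    self.temporal_tracked_variables = dict(self.temporal_tracked_variables)
    tracked = self.temporal_tracked_variables

    # key + (None,) holds the running counter for this key
    counter_key = key + (None,)
    count = tracked.get(counter_key, 0) + 1
    tracked[counter_key] = count
    tracked[key + (count,)] = v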
示例6: syscall_hook
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
def syscall_hook(state):
    """Syscall hook that only acts on states carrying "chall_resp_info".

    * "receive": for every stdin offset below the current read position that
      has no entry yet, record the current stdout write position.
    * "random": store a symbolic "random" buffer at the address in ebx and
      register a solver replacement mapping it to a run of "A" bytes.

    :param state: program state the hook fired on
    """
    if not state.has_plugin("chall_resp_info"):
        return

    # here we detect how much stdout we have when a byte is first read in
    syscall_name = state.inspect.syscall_name

    if syscall_name == "receive":
        # track the amount of stdout we had when we first read the byte
        first_seen = state.get_plugin("chall_resp_info").stdin_min_stdout_reads
        stdout_pos = state.solver.eval(state.posix.fd[1].write_pos)
        stdin_pos = state.solver.eval(state.posix.fd[0].read_pos)
        for offset in range(stdin_pos):
            if offset in first_seen:
                continue
            first_seen[offset] = stdout_pos
        return

    if syscall_name != "random":
        return

    # here we make random preconstrained instead of concrete A's
    num_bytes = state.solver.eval(state.regs.ecx)
    buf = state.solver.eval(state.regs.ebx)
    if num_bytes == 0:
        return

    rand_bytes = state.solver.BVS("random", num_bytes * 8)
    concrete_val = state.solver.BVV("A" * num_bytes)
    # the replacement is registered on the solver's private _solver object
    state.solver._solver.add_replacement(rand_bytes, concrete_val, invalidate_cache=False)
    state.memory.store(buf, rand_bytes)
示例7: run
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
def run(self, this_ref, separator_ref):
    """Model java.lang.String.split for a receiver string and a separator.

    When both loaded values are concrete, the receiver is split in Python and
    each piece is stored into a new String array. Otherwise an array with a
    symbolic 32-bit size is returned, with ``self.generate_symbolic_array``
    registered as its default value generator.

    :param this_ref: reference to the string being split
    :param separator_ref: reference to the separator string
    :return: the new array
    """
    log.debug('Called SimProcedure java.lang.String.split with args: {}, {}'.format(this_ref, separator_ref))
    self.this_ref = this_ref
    this = self.state.memory.load(this_ref)
    separator = self.state.memory.load(separator_ref)

    if not (this.concrete and separator.concrete):
        # NOTE(review): 'array_size' is left unconstrained here -- confirm
        # that a bound is applied elsewhere.
        str_array = SimSootExpr_NewArray.new_array(self.state, 'java.lang.String', claripy.BVS('array_size', 32))
        str_array.add_default_value_generator(self.generate_symbolic_array)
        return str_array

    # FIXME: escaping should be fixed in claripy
    separator_value = self.state.solver.eval(separator).replace('\\n', '\n')
    pieces = self.state.solver.eval(this).split(separator_value)

    array_len = claripy.BVV(len(pieces), 32)
    str_array = SimSootExpr_NewArray.new_array(self.state, 'java.lang.String', array_len)
    for position, piece in enumerate(pieces):
        piece_ref = SimSootValue_StringRef.new_string(self.state, claripy.StringV(piece))
        slot_ref = SimSootValue_ArrayRef(str_array, position)
        self.state.memory.store(slot_ref, piece_ref)
    return str_array
示例8: _init_object_pe_security_cookie
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
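def _init_object_pe_security_cookie(self, pe_object, state, state_kwargs):
    """
    Write an initial value for the PE /GS security cookie into ``state``.

    :param pe_object:    object whose ``load_config`` mapping may hold a
                         'SecurityCookie' address
    :param state:        state whose memory receives the cookie value
    :param state_kwargs: keyword dict; 'security_cookie_init' is popped from
                         it (default ``SecurityCookieInit.STATIC``)
    :raises TypeError:   if the popped value is not a handled
                         ``SecurityCookieInit`` member
    """
    sc_init = state_kwargs.pop('security_cookie_init', SecurityCookieInit.STATIC)
    if sc_init is SecurityCookieInit.NONE or sc_init is None:
        return

    cookie = pe_object.load_config.get('SecurityCookie', None)
    if not cookie:
        # no cookie address in the load config (missing or 0): nothing to write
        return

    vs_cookie = VS_SECURITY_COOKIES.get(self.project.arch.name)
    if vs_cookie is None:
        _l.warning('Unsupported architecture: %s for /GS, leaving _security_cookie uninitialized', self.project.arch.name)
        return

    if sc_init is SecurityCookieInit.RANDOM:
        # `random` is not a CSPRNG; the value only seeds the analysed state,
        # so do not reuse this path where unpredictability matters.
        sc_value = random.randint(1, (2 ** vs_cookie.width - 1))
        if sc_value == vs_cookie.default:
            # never hand out the table's default value itself
            sc_value += 1
    elif sc_init is SecurityCookieInit.STATIC:
        # fixed, reproducible value: b'cook' read as a big-endian uint32
        sc_value = struct.unpack('>I', b'cook')[0]
    elif sc_init is SecurityCookieInit.SYMBOLIC:
        sc_value = claripy.BVS('_security_cookie', state.arch.bits)
    else:
        # message previously read "must SecurityCookieInit" (missing "be")
        raise TypeError("security_cookie_init must be SecurityCookieInit, not {0}".format(type(sc_init).__name__))

    # the cookie is written as an unsigned integer of the state's word size
    setattr(state.mem[cookie], "uint{0}_t".format(state.arch.bits), sc_value)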
示例9: _get_default_symbolic_value_by_type
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
def _get_default_symbolic_value_by_type(type_, state):
    """Return a default symbolic value for the Java type named ``type_``.

    :param type_: Java type name, e.g. 'int', 'java.lang.String', 'int[]'
    :param state: state used when a string, array or object has to be created
    :raises NotImplementedError: for two-dimensional array types (``[][]``)
    """
    name = 'default_value_{}'.format(type_)

    # byte, char, short, int and boolean all get a 32-bit symbol here
    if type_ in ('byte', 'char', 'short', 'int', 'boolean'):
        return BVS(name, 32)
    if type_ == "long":
        return BVS(name, 64)

    if type_ == 'float':
        return FPS(name, FSORT_FLOAT)
    if type_ == 'double':
        return FPS(name, FSORT_DOUBLE)

    if type_ == 'java.lang.String':
        # symbolic string created with 1000 as its size argument
        return SimSootValue_StringRef.new_string(state, StringS(name, 1000))

    # '[][]' has to be tested before '[]', which it also ends with
    if type_.endswith('[][]'):
        raise NotImplementedError
        # multiarray = SimSootExpr_NewMultiArray.new_array(self.state, element_type, size)
        # multiarray.add_default_value_generator(lambda s: SimSootExpr_NewMultiArray._generate_inner_array(s, element_type, sizes))
        # return multiarray
    if type_.endswith('[]'):
        # one-dimensional arrays get a concrete length of 2
        element_type = type_[:-2]
        return SimSootExpr_NewArray.new_array(state, element_type, BVV(2, 32))

    # any other name is treated as a class and returned as a symbolic,
    # uninitialised object reference
    return SimSootValue_ThisRef.new_object(state, type_, symbolic=True, init_object=False)
示例10: regression_test_memcmp_strlen_simprocedure_interaction
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
def regression_test_memcmp_strlen_simprocedure_interaction():
    """Explore the i386 'cpp_regression_test_ch25' binary with a 48-byte
    symbolic argv[1] and check the single solution that reaches 0x8048b9b."""
    # import logging
    # logging.getLogger('angr.manager').setLevel(logging.DEBUG)

    bin_path = os.path.join(test_location, 'i386', 'cpp_regression_test_ch25')
    # this binary requires the loading of libstdc++.so.6
    p = angr.Project(bin_path, auto_load_libs=True)

    # 48 independent symbolic bytes, concatenated into one argument
    symbolic_bytes = [cp.BVS('argv%d' % i, 8) for i in range(48)]
    argv1 = cp.Concat(*symbolic_bytes)

    initial = p.factory.full_init_state(
        args=[bin_path, argv1],
        add_options=angr.sim_options.unicorn,
    )
    sm = p.factory.simulation_manager(initial)
    x = sm.explore(find=0x8048b9b, num_find=3)

    # up to three finds are requested, exactly one is expected
    nose.tools.assert_equal(len(x.found), 1)
    expected = b"Here_you_have_to_understand_a_little_C++_stuffs"
    for found_state in x.found:
        # trailing/leading NUL padding of the symbolic argument is stripped
        solution = found_state.solver.eval_one(argv1, cast_to=bytes).strip(b"\x00")
        nose.tools.assert_equal(solution, expected)
示例11: test_symbolic_write
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
def test_symbolic_write():
    """Check how many values each byte of 0x10..0x1f can take after stores
    through symbolic addresses constrained to that range."""
    s = SimState(arch='AMD64', add_options={o.SYMBOLIC_WRITE_ADDRESSES})
    x = s.solver.BVS('x', 64)
    y = s.solver.BVS('y', 64)
    a = s.solver.BVV(b'A' * 0x10)
    b = s.solver.BVV(b'B')
    c = s.solver.BVV(b'C')
    d = s.solver.BVV(b'D')

    def choices(state, addr):
        # number of distinct byte values at addr, capped at 10 solutions
        return len(state.solver.eval_upto(state.memory.load(addr, 1), 10))

    window = range(0x10, 0x20)

    s.memory.store(0x10, a)
    s.add_constraints(x >= 0x10, x < 0x20)

    # after writing 'B' at x: each byte is either 'A' or 'B'
    s.memory.store(x, b)
    for addr in window:
        assert choices(s, addr) == 2

    # writing 'C' at the same x still leaves two values per byte
    s.memory.store(x, c)
    for addr in window:
        assert choices(s, addr) == 2

    # a second symbolic address on a copy adds a third possible value
    s2 = s.copy()
    s2.add_constraints(y >= 0x10, y < 0x20)
    s2.memory.store(y, d)
    for addr in window:
        assert choices(s2, addr) == 3
示例12: test_mips
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
def test_mips():
    """argv_test (mips): 0x400768 is reached only with the matching second
    argument, and a symbolic argument is solved to that string."""
    proj = angr.Project(os.path.join(test_location, 'mips', 'argv_test'))
    r_addr = 0x400768

    def explore_with(second_arg):
        # fresh entry state and environment for every run
        entry = proj.factory.entry_state(args=['aaa', second_arg], env={"HOME": "/home/angr"})
        return proj.factory.simulation_manager(entry).explore(find=r_addr)

    xpl = explore_with("Yan is a noob")
    nose.tools.assert_equal(len(xpl.found), 1)

    xpl = explore_with('Yan is not a noob')
    nose.tools.assert_equal(len(xpl.found), 0)

    # symbolic command line argument
    arg = claripy.BVS('arg_2', 50*8)
    xpl = explore_with(arg)

    # NOTE(review): found[0] raises IndexError when nothing is found, instead
    # of a test assertion failure.
    found = xpl.found[0]
    # the solved argument is looked for in the 400 bytes starting at sp
    stack_bytes = found.memory.load(found.registers.load('sp'), 400)
    conc = found.solver.eval(stack_bytes, cast_to=bytes)
    nose.tools.assert_equal(b"Yan is a noob" in conc, True)
示例13: test_mipsel
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
def test_mipsel():
    """argv_test (mipsel): concrete matching and non-matching arguments, then
    a 50-byte symbolic argument that must solve to the matching string."""
    proj = angr.Project(os.path.join(test_location, 'mipsel', 'argv_test'))
    r_addr = 0x400768

    def run_with(second_arg):
        start = proj.factory.entry_state(args=['aaa', second_arg], env={"HOME": "/home/angr"})
        return proj.factory.simulation_manager(start).explore(find=r_addr)

    # concrete arguments: (argv[2], expected number of found states)
    for text, expected_hits in (('Yan is a noob', 1), ('Yan is not a noob', 0)):
        xpl = run_with(text)
        nose.tools.assert_equal(len(xpl.found), expected_hits)

    # symbolic args
    xpl = run_with(claripy.BVS('arg_2', 50*8))
    found = xpl.found[0]
    sp_value = found.registers.load('sp')
    conc = found.solver.eval(found.memory.load(sp_value, 400), cast_to=bytes)
    contains_answer = b"Yan is a noob" in conc
    nose.tools.assert_equal(contains_answer, True)
示例14: test_i386
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
def test_i386():
    """argv_test (i386): 0x804845B must be reachable with 'Yan is a noob',
    unreachable with 'Yan is not a noob', and solvable from a symbolic arg."""
    binary = os.path.join(test_location, 'i386', 'argv_test')
    proj = angr.Project(binary)
    r_addr = 0x804845B

    def found_states(second_arg):
        # each call builds its own entry state with the same HOME value
        state = proj.factory.entry_state(args=['aaa', second_arg], env={"HOME": "/home/angr"})
        return proj.factory.simulation_manager(state).explore(find=r_addr).found

    nose.tools.assert_equal(len(found_states('Yan is a noob')), 1)
    nose.tools.assert_equal(len(found_states('Yan is not a noob')), 0)

    # symbolic args
    found = found_states(claripy.BVS('arg_2', 50*8))[0]
    # 400 bytes from the stack pointer are concretised and searched
    stack = found.memory.load(found.registers.load('sp'), 400)
    conc = found.solver.eval(stack, cast_to=bytes)
    nose.tools.assert_equal(b"Yan is a noob" in conc, True)
示例15: test_amd64
# 需要导入模块: import claripy [as 别名]
# 或者: from claripy import BVS [as 别名]
def test_amd64():
    """argv_test (x86_64): same three checks as the other architectures,
    against target address 0x400571."""
    proj = angr.Project(os.path.join(test_location, 'x86_64', 'argv_test'))
    r_addr = 0x400571

    def explore(argv):
        entry = proj.factory.entry_state(args=argv, env={"HOME": "/home/angr"})
        manager = proj.factory.simulation_manager(entry)
        return manager.explore(find=r_addr)

    matching = explore(['aaa', 'Yan is a noob'])
    nose.tools.assert_equal(len(matching.found), 1)

    mismatching = explore(['aaa', 'Yan is not a noob'])
    nose.tools.assert_equal(len(mismatching.found), 0)

    # symbolic args
    symbolic = explore(['aaa', claripy.BVS('arg_2', 50*8)])
    found = symbolic.found[0]
    stack_pointer = found.registers.load('sp')
    conc = found.solver.eval(found.memory.load(stack_pointer, 400), cast_to=bytes)
    nose.tools.assert_equal(b"Yan is a noob" in conc, True)