

Python angr.SimState类代码示例

本文整理汇总了Python中angr.SimState的典型用法代码示例。如果您正苦于以下问题:Python SimState类的具体用法?Python SimState怎么用?Python SimState使用的例子?那么恭喜您, 这里精选的类代码示例或许可以为您提供帮助。


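在下文中一共展示了SimState类的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。注意:这些示例摘自不同开发者的angr分支,均省略了import语句(如nose、SimState、SimHeapPTMalloc以及日志对象l);示例3和示例12通过`state.se`访问求解器,其他用到求解器的示例使用`state.solver`,运行前请对照各示例注明的来源文件。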

示例1: test_memset

def test_memset():
    """Check the ``memset`` callable under test with concrete and symbolic lengths.

    A 128-bit zero value is stored at 0x1000 on a PPC32 state.  With a
    concrete length of 3 the first four bytes must read back as 0x41414100.
    With a symbolic length, copies of the state are constrained to 2, 0 and
    5, and the bytes past the chosen length must still read as zero.
    ``memset`` and the logger ``l`` come from the test module, not shown here.
    """
    l.info("concrete src, concrete dst, concrete len")
    state = SimState(arch="PPC32", mode="symbolic")
    zeroed = state.solver.BVV(0, 128)
    buf_addr = state.solver.BVV(0x1000, 32)
    fill_a = state.solver.BVV(0x00000041, 32)
    fill_p = state.solver.BVV(0x50505050, 32)
    # Created on the first state but not passed to memset there; rebound below.
    sym_len = state.solver.BVS("some_length", 32)

    state.memory.store(buf_addr, zeroed)
    memset(state, arguments=[buf_addr, fill_a, state.solver.BVV(3, 32)])
    first_word = state.solver.eval(state.memory.load(buf_addr, 4))
    nose.tools.assert_equal(first_word, 0x41414100)

    l.debug("Symbolic length")
    state = SimState(arch="PPC32", mode="symbolic")
    state.memory.store(buf_addr, zeroed)
    sym_len = state.solver.BVS("some_length", 32)
    memset(state, arguments=[buf_addr, fill_p, sym_len])

    # (log message, concrete length, bytes to read back, expected value)
    cases = (
        ("Trying 2", 2, 4, 0x50500000),
        ("Trying 0", 0, 4, 0x00000000),
        ("Trying 5", 5, 6, 0x505050505000),
    )
    for message, concrete_len, read_size, expected in cases:
        l.debug(message)
        # Each case works on its own copy, so the constraints never accumulate.
        branch = state.copy()
        branch.add_constraints(sym_len == concrete_len)
        observed = branch.solver.eval(branch.memory.load(buf_addr, read_size))
        nose.tools.assert_equal(observed, expected)
开发者ID:iamahuman,项目名称:angr,代码行数:33,代码来源:test_string.py

示例2: test_symbolic_write

def test_symbolic_write():
    """Exercise stores through symbolic addresses with SYMBOLIC_WRITE_ADDRESSES set.

    Sixteen ``A`` bytes are placed at 0x10..0x1f.  A one-byte store through a
    symbolic address constrained to that range must leave every byte in the
    range with exactly two possible values, and a second store through the
    same address must not raise that count.  A store through a second,
    independent symbolic address on a copy of the state raises it to three.
    """
    state = SimState(arch='AMD64', add_options={o.SYMBOLIC_WRITE_ADDRESSES})
    sym_x = state.solver.BVS('x', 64)
    sym_y = state.solver.BVS('y', 64)
    fill = state.solver.BVV(b'A'*0x10)
    byte_b = state.solver.BVV(b'B')
    byte_c = state.solver.BVV(b'C')
    byte_d = state.solver.BVV(b'D')

    def check_candidates(target, expected):
        # Ask the solver for up to 10 values of each byte in the window.
        for addr in range(0x10, 0x20):
            assert len(target.solver.eval_upto(target.memory.load(addr, 1), 10)) == expected

    state.memory.store(0x10, fill)
    state.add_constraints(sym_x >= 0x10, sym_x < 0x20)
    state.memory.store(sym_x, byte_b)
    check_candidates(state, 2)

    # Overwriting through the same symbolic address replaces 'B' with 'C'.
    state.memory.store(sym_x, byte_c)
    check_candidates(state, 2)

    forked = state.copy()
    forked.add_constraints(sym_y >= 0x10, sym_y < 0x20)
    forked.memory.store(sym_y, byte_d)
    check_candidates(forked, 3)
开发者ID:angriestalien,项目名称:angr,代码行数:25,代码来源:test_memory.py

示例3: test_fullpage_write

def test_fullpage_write():
    """Check large stores, overlapping stores and diffing on symbolic memory.

    Four independent AMD64 states are used:

    1. a 0x2000-byte value stored at 0 must load back as the same object;
    2. a two-byte value stored at 0x1000 and again at 0x2000 must be what
       is read at 0x2000 and 0x2001, but not at 0x2002;
    3. after a 0x1000-byte store at 0 on a copy, ``changed_bytes`` between
       the original and the copy must report 0x1000 entries;
    4. a 0x1000000-byte symbolic value must load back as the same object
       once ``_maximum_symbolic_size`` has been raised.

    This example uses the ``se`` attribute and ``str`` literals for BVV.
    """
    # Case 1: one store covering 0x2000 bytes.
    state = SimState(arch='AMD64')
    big = state.se.BVV('A'*0x2000)
    state.memory.store(0, big)
    # The original author left assertions on the internal page table
    # (memory.mem._pages) commented out at this point.
    loaded = state.memory.load(0, 0x2000)
    assert loaded is big
    assert big.variables != state.memory.load(0x2000, 1).variables

    # Case 2: the same two-byte value stored at two addresses.
    state = SimState(arch='AMD64')
    pair = state.se.BVV('A'*2)
    for target in (0x1000, 0x2000):
        state.memory.store(target, pair)
    assert pair.variables == state.memory.load(0x2000, 1).variables
    assert pair.variables == state.memory.load(0x2001, 1).variables
    assert pair.variables != state.memory.load(0x2002, 1).variables

    # Case 3: diff between a state and a copy that received a 0x1000-byte store.
    state = SimState(arch='AMD64')
    single = state.se.BVV('X')
    page = state.se.BVV('A'*0x1000)
    state.memory.store(1, single)
    branch = state.copy()
    branch.memory.store(0, page)
    difference = state.memory.changed_bytes(branch.memory)
    assert len(difference) == 0x1000

    # Case 4: a symbolic value of 0x1000000 bytes.
    state = SimState(arch='AMD64')
    # Private attribute; presumably the cap on symbolic sizes - confirm in the memory plugin.
    state.memory._maximum_symbolic_size = 0x2000000
    huge = state.se.BVS('A', 0x1000000*8)
    state.memory.store(0, huge)
    reloaded = state.memory.load(0, 0x1000000)
    assert reloaded is huge
开发者ID:chen93,项目名称:angr,代码行数:32,代码来源:test_memory.py

示例4: run_calloc_multiplies

def run_calloc_multiplies(arch):
    """Check that ``calloc(4, 25)`` allocates like ``malloc(100)``.

    Both states share an initial ``malloc(30)``; the heaps are then compared
    with ``same_heap_states`` (a helper of the test module, not shown here).
    Only the small product 4 * 25 is exercised; a product that overflows is
    not covered by this test.
    """
    heap_plugin = SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)
    via_malloc = SimState(arch=arch, plugins={'heap': heap_plugin})
    via_malloc.heap.malloc(30)
    via_calloc = via_malloc.copy()
    via_malloc.heap.malloc(100)
    via_calloc.heap.calloc(4, 25)
    heaps_match = same_heap_states(via_malloc, via_calloc)
    nose.tools.assert_true(heaps_match)
开发者ID:iamahuman,项目名称:angr,代码行数:7,代码来源:test_ptmalloc.py

示例5: run_unusable_amount_returns_null

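def run_unusable_amount_returns_null(arch):
    """Check that ``malloc`` returns 0 when the space left in the heap is unusable.

    The first request takes ``0x1000 - 4 * _chunk_size_t_size`` bytes of the
    0x1000-byte heap.  A copy of the state is taken, then ``malloc(1)`` must
    return 0 and leave the heap equal to the copy according to
    ``same_heap_states`` (a helper of the test module, not shown here).
    """
    s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
    s.heap.malloc(0x1000 - 4 * s.heap._chunk_size_t_size)
    # Snapshot taken before the failing request, used as the reference heap.
    sc = s.copy()
    p = s.heap.malloc(1)
    # assert_equal is the non-deprecated spelling of assert_equals.
    nose.tools.assert_equal(p, 0)
    # A failed allocation must not have modified the heap.
    nose.tools.assert_true(same_heap_states(s, sc))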
开发者ID:iamahuman,项目名称:angr,代码行数:7,代码来源:test_ptmalloc.py

示例6: run_realloc_no_space_returns_null

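def run_realloc_no_space_returns_null(arch):
    """Check that ``realloc`` returns 0 when the new size cannot fit in the heap.

    A 20-byte chunk is allocated in a 0x1000-byte heap and the state is
    copied.  Growing the chunk to 0x2000 bytes must return 0 and leave the
    heap equal to the copy according to ``same_heap_states`` (a helper of
    the test module, not shown here).
    """
    s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
    p1 = s.heap.malloc(20)
    # Snapshot taken before the failing request, used as the reference heap.
    sc = s.copy()
    p2 = s.heap.realloc(p1, 0x2000)
    # assert_equal is the non-deprecated spelling of assert_equals.
    nose.tools.assert_equal(p2, 0)
    # A failed realloc must leave the heap, including the original chunk, untouched.
    nose.tools.assert_true(same_heap_states(s, sc))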
开发者ID:iamahuman,项目名称:angr,代码行数:7,代码来源:test_ptmalloc.py

示例7: run_malloc_maximizes_sym_arg

def run_malloc_maximizes_sym_arg(arch):
    """Check that ``malloc`` with a symbolic size allocates for the largest value.

    A 32-bit symbolic size is bounded between 0 and ``max_sym_var_val(state)``
    and passed to ``malloc``.  The resulting heap must match, according to
    ``same_heap_states``, a copy on which ``malloc`` was called with that
    upper bound as a concrete size.  Both helpers belong to the test module
    and are not shown here.
    """
    heap_plugin = SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)
    symbolic = SimState(arch=arch, plugins={'heap': heap_plugin})
    concrete = symbolic.copy()
    size = symbolic.solver.BVS("x", 32)
    # Unsigned bounds: 0 <= size <= max_sym_var_val(symbolic).
    symbolic.solver.add(size.UGE(0))
    symbolic.solver.add(size.ULE(max_sym_var_val(symbolic)))
    symbolic.heap.malloc(size)
    concrete.heap.malloc(max_sym_var_val(concrete))
    heaps_match = same_heap_states(symbolic, concrete)
    nose.tools.assert_true(heaps_match)
开发者ID:iamahuman,项目名称:angr,代码行数:9,代码来源:test_ptmalloc.py

示例8: run_free_null_preserves_state

def run_free_null_preserves_state(arch):
    """Check that ``free(0)`` leaves the heap unchanged.

    Three chunks are allocated and the middle one is freed.  ``free(0)`` is
    then called on a copy of the state, and the copy must still match the
    original according to ``same_heap_states`` (a helper of the test module,
    not shown here).
    """
    heap_plugin = SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)
    reference = SimState(arch=arch, plugins={'heap': heap_plugin})
    reference.heap.malloc(30)
    middle = reference.heap.malloc(40)
    reference.heap.malloc(50)
    reference.heap.free(middle)
    after_null_free = reference.copy()
    after_null_free.heap.free(0)
    heaps_match = same_heap_states(reference, after_null_free)
    nose.tools.assert_true(heaps_match)
开发者ID:iamahuman,项目名称:angr,代码行数:9,代码来源:test_ptmalloc.py

示例9: run_realloc_near_same_size

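def run_realloc_near_same_size(arch):
    """Check that ``realloc`` from 61 to 62 bytes keeps the chunk in place.

    The 61-byte chunk sits between a 20-byte and an 80-byte chunk.  After
    the state is copied, ``realloc(p1, 62)`` must return the same pointer
    and leave the heap equal to the copy according to ``same_heap_states``
    (a helper of the test module, not shown here).
    """
    s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
    s.heap.malloc(20)
    p1 = s.heap.malloc(61)
    s.heap.malloc(80)
    # Snapshot taken before the realloc, used as the reference heap.
    sc = s.copy()
    p2 = s.heap.realloc(p1, 62)
    # assert_equal is the non-deprecated spelling of assert_equals.
    nose.tools.assert_equal(p1, p2)
    nose.tools.assert_true(same_heap_states(s, sc))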
开发者ID:iamahuman,项目名称:angr,代码行数:9,代码来源:test_ptmalloc.py

示例10: run_calloc_clears

def run_calloc_clears(arch):
    """Check that ``calloc`` zeroes the memory it returns while ``malloc`` does not.

    100 bytes of 0xff are written at ``heap_base + 2 * _chunk_size_t_size``
    before anything is allocated.  ``calloc(6, 5)`` on the original state
    must return 30 bytes that are all zero, while ``malloc(30)`` on a copy
    must return 30 bytes that still hold the 0xff pattern.
    """
    heap_base = 0xd0000000
    zeroing = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=heap_base, heap_size=0x1000)})
    # -1 as an 800-bit value is 100 bytes of 0xff.
    stale = zeroing.solver.BVV(-1, 100 * 8)
    zeroing.memory.store(heap_base + 2 * zeroing.heap._chunk_size_t_size, stale)
    plain = zeroing.copy()
    cleared_ptr = zeroing.heap.calloc(6, 5)
    dirty_ptr = plain.heap.malloc(30)
    cleared = zeroing.memory.load(cleared_ptr, 30)
    dirty = plain.memory.load(dirty_ptr, 30)
    nose.tools.assert_true(zeroing.solver.is_true(cleared == 0))
    nose.tools.assert_true(plain.solver.is_true(dirty == -1))
开发者ID:iamahuman,项目名称:angr,代码行数:10,代码来源:test_ptmalloc.py

示例11: test_inline_strlen

def test_inline_strlen():
    """Check the ``strlen`` callable under test on concrete and symbolic strings.

    Four situations are covered on AMD64 states:

    * a fully concrete string, whose length must be the unique value 3;
    * three symbolic bytes followed by a concrete NUL, whose length can be
      any of 0, 1, 2 or 3;
    * an address where nothing was stored, where the number of possible
      lengths equals ``libc.buf_symbolic_bytes`` and the byte at
      ``0x50 + length`` can only be 0;
    * a 16-byte symbolic string, where constraining the returned length
      must force the position of the first NUL in the string itself.

    ``strlen`` and the logger ``l`` come from the test module, not shown here.
    """
    state = SimState(arch="AMD64", mode="symbolic")

    l.info("fully concrete string")
    concrete_str = state.solver.BVV(0x41414100, 32)
    concrete_addr = state.solver.BVV(0x10, 64)
    state.memory.store(concrete_addr, concrete_str, endness="Iend_BE")
    concrete_len = strlen(state, arguments=[concrete_addr])
    nose.tools.assert_true(state.solver.unique(concrete_len))
    nose.tools.assert_equal(state.solver.eval(concrete_len), 3)

    l.info("concrete-terminated string")
    terminated_str = state.solver.Concat(state.solver.BVS("mystring", 24), state.solver.BVV(0, 8))
    terminated_addr = state.solver.BVV(0x20, 64)
    state.memory.store(terminated_addr, terminated_str, endness="Iend_BE")
    terminated_len = strlen(state, arguments=[terminated_addr])
    nose.tools.assert_equal(state.solver.max_int(terminated_len), 3)
    possible_lengths = sorted(state.solver.eval_upto(terminated_len, 10))
    nose.tools.assert_sequence_equal(possible_lengths, (0,1,2,3))

    l.info("fully unconstrained")
    free_addr = state.solver.BVV(0x50, 64)
    free_len = strlen(state, arguments=[free_addr])
    nose.tools.assert_equal(len(state.solver.eval_upto(free_len, 100)), state.libc.buf_symbolic_bytes)
    nose.tools.assert_equal(state.solver.max_int(free_len), state.libc.buf_symbolic_bytes-1)

    # Whatever length is chosen, the byte right after the string must be NUL.
    terminator = state.memory.load(0x50 + free_len, 1)
    nose.tools.assert_equal(state.solver.eval_upto(terminator, 300), [0])

    # From here on: constraining the length returned by strlen must
    # constrain the contents of the symbolic string.
    l.info("Trying to influence length.")
    state = SimState(arch="AMD64", mode="symbolic")
    sym_str = state.solver.BVS("some_string", 8*16)
    sym_addr = state.solver.BVV(0x10, 64)
    state.memory.store(sym_addr, sym_str, endness='Iend_BE')
    sym_len = strlen(state, arguments=[sym_addr])
    nose.tools.assert_equal(len(state.solver.eval_upto(sym_len, 100)), state.libc.buf_symbolic_bytes)
    nose.tools.assert_equal(state.solver.max_int(sym_len), state.libc.buf_symbolic_bytes-1)

    length_one = state.copy()
    length_one.add_constraints(sym_len == 1)
    solved = length_one.solver.eval(sym_str, cast_to=bytes)
    nose.tools.assert_equal(solved.index(b'\x00'), 1)
    # The two-byte prefix is expected to have exactly 255 solutions.
    prefix = length_one.memory.load(sym_addr, 2, endness='Iend_BE')
    nose.tools.assert_equal(len(length_one.solver.eval_upto(prefix, 300, cast_to=bytes)), 255)

    for wanted in range(16):
        branch = state.copy()
        branch.add_constraints(sym_len == wanted)
        prefix = branch.memory.load(sym_addr, wanted + 1, endness='Iend_BE')
        nose.tools.assert_equal(branch.solver.eval(prefix, cast_to=bytes).index(b'\x00'), wanted)
        # Every byte before the terminator must still have more than one solution.
        for offset in range(wanted):
            nose.tools.assert_false(branch.solver.unique(branch.memory.load(sym_addr+offset, 1)))
开发者ID:iamahuman,项目名称:angr,代码行数:55,代码来源:test_string.py

示例12: test_store_simplification

def test_store_simplification():
    """Check that a value pushed and popped through a symbolic stack simplifies.

    esp, ebp and eax are made symbolic on an X86 state, then one block of
    six bytes is lifted at 0x4000 and executed on a copy of the state.  In
    the first successor, ebp must be provably equal to the initial esp
    minus 4.  This example uses the ``se`` attribute and a ``str`` literal
    for the machine code.
    """
    state = SimState(arch='X86')
    for reg_name, label in (('esp', 'stack_pointer'), ('ebp', 'base_pointer'), ('eax', 'base_eax')):
        setattr(state.regs, reg_name, state.se.BVS(label, 32))

    # 50 54 5d c2 10 00 decodes as: push eax; push esp; pop ebp; ret 0x10.
    block = pyvex.IRSB('PT]\xc2\x10\x00', 0x4000, state.arch)
    successors = SimEngineVEX().process(state.copy(), block)
    first_exit = successors.all_successors[0]

    expected = first_exit.regs.ebp == state.regs.esp - 4
    nose.tools.assert_true(claripy.backends.z3.is_true(expected))
开发者ID:chen93,项目名称:angr,代码行数:11,代码来源:test_vex.py

示例13: run_calloc_maximizes_sym_arg

def run_calloc_maximizes_sym_arg(arch):
    """Check that ``calloc`` with symbolic arguments allocates for their maxima.

    Two 32-bit symbolic values are bounded to 0..20 and 0..6 and passed to
    ``calloc``.  The resulting heap must match, according to
    ``same_heap_states`` (a helper of the test module, not shown here), a
    copy on which ``calloc(20, 6)`` was called.
    """
    heap_plugin = SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)
    symbolic = SimState(arch=arch, plugins={'heap': heap_plugin})
    concrete = symbolic.copy()

    # First argument: 0 <= count <= 20 (unsigned).
    count = symbolic.solver.BVS("x", 32)
    symbolic.solver.add(count.UGE(0))
    symbolic.solver.add(count.ULE(20))

    # Second argument: 0 <= width <= 6 (unsigned).
    width = symbolic.solver.BVS("y", 32)
    symbolic.solver.add(width.UGE(0))
    symbolic.solver.add(width.ULE(6))

    symbolic.heap.calloc(count, width)
    concrete.heap.calloc(20, 6)
    heaps_match = same_heap_states(symbolic, concrete)
    nose.tools.assert_true(heaps_match)
开发者ID:iamahuman,项目名称:angr,代码行数:12,代码来源:test_ptmalloc.py

示例14: test_mmap_base_copy

def test_mmap_base_copy():
    """Check that ``libc.mmap_base`` survives ``SimState.copy()``."""
    original = SimState(arch="AMD64", mode="symbolic")

    expected_base = 0x12345678
    original.libc.mmap_base = expected_base

    # The assignment itself must be visible before the copy is tested.
    nose.tools.assert_equal(original.libc.mmap_base, expected_base)

    duplicate = original.copy()
    copied_base = duplicate.libc.mmap_base
    nose.tools.assert_equal(copied_base, expected_base)
开发者ID:axt,项目名称:angr,代码行数:13,代码来源:test_mmap.py

示例15: test_aarch64_32bit_ccalls

def test_aarch64_32bit_ccalls():
    """Regression test for GitHub issue #1238: Z flag of a 32-bit add on AArch64.

    ``arm64g_calculate_flag_z`` is called for ``ARM64G_CC_OP_ADD32`` with a
    symbolic operand, first with 32-bit operands and then with the operands
    widened to 64 bits.  In both cases the flag must be able to take the
    value 0 and the value 1.
    """
    state = SimState(arch="AArch64")
    operand = state.solver.BVS("x", 32)

    def assert_both_outcomes(flag):
        # Neither outcome may be ruled out for a fully symbolic operand.
        for outcome in (0, 1):
            nose.tools.assert_true(state.satisfiable(extra_constraints=(flag == outcome,)))

    # Plain 32-bit operands.
    z_flag, _ = s_ccall.arm64g_calculate_flag_z(
        state, s_ccall.ARM64G_CC_OP_ADD32, operand, state.solver.BVV(1, 32), 0
    )
    assert_both_outcomes(z_flag)

    # The form the original comment attributes to VEX: zero-extended to 64 bits.
    z_flag, _ = s_ccall.arm64g_calculate_flag_z(
        state, s_ccall.ARM64G_CC_OP_ADD32, operand.zero_extend(32), state.solver.BVV(1, 64), 0
    )
    assert_both_outcomes(z_flag)
开发者ID:AmesianX,项目名称:angr,代码行数:14,代码来源:test_vex.py


注:本文中的angr.SimState类示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。