本文整理汇总了Python中angr.SimState.copy方法的典型用法代码示例。如果您正苦于以下问题:Python SimState.copy方法的具体用法?Python SimState.copy怎么用?Python SimState.copy使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类angr.SimState的用法示例。
在下文中一共展示了SimState.copy方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: test_memset
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def test_memset():
l.info("concrete src, concrete dst, concrete len")
s = SimState(arch="PPC32", mode="symbolic")
dst = s.solver.BVV(0, 128)
dst_addr = s.solver.BVV(0x1000, 32)
char = s.solver.BVV(0x00000041, 32)
char2 = s.solver.BVV(0x50505050, 32)
length = s.solver.BVS("some_length", 32)
s.memory.store(dst_addr, dst)
memset(s, arguments=[dst_addr, char, s.solver.BVV(3, 32)])
nose.tools.assert_equal(s.solver.eval(s.memory.load(dst_addr, 4)), 0x41414100)
l.debug("Symbolic length")
s = SimState(arch="PPC32", mode="symbolic")
s.memory.store(dst_addr, dst)
length = s.solver.BVS("some_length", 32)
memset(s, arguments=[dst_addr, char2, length])
l.debug("Trying 2")
s_two = s.copy()
s_two.add_constraints(length == 2)
nose.tools.assert_equal(s_two.solver.eval(s_two.memory.load(dst_addr, 4)), 0x50500000)
l.debug("Trying 0")
s_zero = s.copy()
s_zero.add_constraints(length == 0)
nose.tools.assert_equal(s_zero.solver.eval(s_zero.memory.load(dst_addr, 4)), 0x00000000)
l.debug("Trying 5")
s_five = s.copy()
s_five.add_constraints(length == 5)
nose.tools.assert_equal(s_five.solver.eval(s_five.memory.load(dst_addr, 6)), 0x505050505000)示例2: test_inline_strlen
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def test_inline_strlen():
s = SimState(arch="AMD64", mode="symbolic")
l.info("fully concrete string")
a_str = s.solver.BVV(0x41414100, 32)
a_addr = s.solver.BVV(0x10, 64)
s.memory.store(a_addr, a_str, endness="Iend_BE")
a_len = strlen(s, arguments=[a_addr])
nose.tools.assert_true(s.solver.unique(a_len))
nose.tools.assert_equal(s.solver.eval(a_len), 3)
l.info("concrete-terminated string")
b_str = s.solver.Concat(s.solver.BVS("mystring", 24), s.solver.BVV(0, 8))
b_addr = s.solver.BVV(0x20, 64)
s.memory.store(b_addr, b_str, endness="Iend_BE")
b_len = strlen(s, arguments=[b_addr])
nose.tools.assert_equal(s.solver.max_int(b_len), 3)
nose.tools.assert_sequence_equal(sorted(s.solver.eval_upto(b_len, 10)), (0,1,2,3))
l.info("fully unconstrained")
u_addr = s.solver.BVV(0x50, 64)
u_len_sp = strlen(s, arguments=[u_addr])
u_len = u_len_sp
nose.tools.assert_equal(len(s.solver.eval_upto(u_len, 100)), s.libc.buf_symbolic_bytes)
nose.tools.assert_equal(s.solver.max_int(u_len), s.libc.buf_symbolic_bytes-1)
#print u_len_sp.solver.maximum_null
#s.add_constraints(u_len < 16)
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(0x50 + u_len, 1), 300), [0])
#
# This tests if a strlen can influence a symbolic str.
#
l.info("Trying to influence length.")
s = SimState(arch="AMD64", mode="symbolic")
str_c = s.solver.BVS("some_string", 8*16)
c_addr = s.solver.BVV(0x10, 64)
s.memory.store(c_addr, str_c, endness='Iend_BE')
c_len = strlen(s, arguments=[c_addr])
nose.tools.assert_equal(len(s.solver.eval_upto(c_len, 100)), s.libc.buf_symbolic_bytes)
nose.tools.assert_equal(s.solver.max_int(c_len), s.libc.buf_symbolic_bytes-1)
one_s = s.copy()
one_s.add_constraints(c_len == 1)
nose.tools.assert_equal(one_s.solver.eval(str_c, cast_to=bytes).index(b'\x00'), 1)
str_test = one_s.memory.load(c_addr, 2, endness='Iend_BE')
nose.tools.assert_equal(len(one_s.solver.eval_upto(str_test, 300, cast_to=bytes)), 255)
for i in range(16):
test_s = s.copy()
test_s.add_constraints(c_len == i)
str_test = test_s.memory.load(c_addr, i + 1, endness='Iend_BE')
nose.tools.assert_equal(test_s.solver.eval(str_test, cast_to=bytes).index(b'\x00'), i)
for j in range(i):
nose.tools.assert_false(test_s.solver.unique(test_s.memory.load(c_addr+j, 1)))示例3: run_calloc_multiplies
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def run_calloc_multiplies(arch):
s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
s.heap.malloc(30)
sc = s.copy()
s.heap.malloc(100)
sc.heap.calloc(4, 25)
nose.tools.assert_true(same_heap_states(s, sc))示例4: run_unusable_amount_returns_null
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def run_unusable_amount_returns_null(arch):
s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
s.heap.malloc(0x1000 - 4 * s.heap._chunk_size_t_size)
sc = s.copy()
p = s.heap.malloc(1)
nose.tools.assert_equals(p, 0)
nose.tools.assert_true(same_heap_states(s, sc))示例5: test_fullpage_write
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def test_fullpage_write():
s = SimState(arch='AMD64')
a = s.se.BVV('A'*0x2000)
s.memory.store(0, a)
#assert len(s.memory.mem._pages) == 2
#assert len(s.memory.mem._pages[0].keys()) == 0
#assert len(s.memory.mem._pages[1].keys()) == 0
assert s.memory.load(0, 0x2000) is a
assert a.variables != s.memory.load(0x2000, 1).variables
s = SimState(arch='AMD64')
a = s.se.BVV('A'*2)
s.memory.store(0x1000, a)
s.memory.store(0x2000, a)
assert a.variables == s.memory.load(0x2000, 1).variables
assert a.variables == s.memory.load(0x2001, 1).variables
assert a.variables != s.memory.load(0x2002, 1).variables
s = SimState(arch='AMD64')
x = s.se.BVV('X')
a = s.se.BVV('A'*0x1000)
s.memory.store(1, x)
s2 = s.copy()
s2.memory.store(0, a)
assert len(s.memory.changed_bytes(s2.memory)) == 0x1000
s = SimState(arch='AMD64')
s.memory._maximum_symbolic_size = 0x2000000
a = s.se.BVS('A', 0x1000000*8)
s.memory.store(0, a)
b = s.memory.load(0, 0x1000000)
assert b is a示例6: run_realloc_no_space_returns_null
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def run_realloc_no_space_returns_null(arch):
s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
p1 = s.heap.malloc(20)
sc = s.copy()
p2 = s.heap.realloc(p1, 0x2000)
nose.tools.assert_equals(p2, 0)
nose.tools.assert_true(same_heap_states(s, sc))示例7: test_symbolic_write
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def test_symbolic_write():
s = SimState(arch='AMD64', add_options={o.SYMBOLIC_WRITE_ADDRESSES})
x = s.solver.BVS('x', 64)
y = s.solver.BVS('y', 64)
a = s.solver.BVV(b'A'*0x10)
b = s.solver.BVV(b'B')
c = s.solver.BVV(b'C')
d = s.solver.BVV(b'D')
s.memory.store(0x10, a)
s.add_constraints(x >= 0x10, x < 0x20)
s.memory.store(x, b)
for i in range(0x10, 0x20):
assert len(s.solver.eval_upto(s.memory.load(i, 1), 10)) == 2
s.memory.store(x, c)
for i in range(0x10, 0x20):
assert len(s.solver.eval_upto(s.memory.load(i, 1), 10)) == 2
s2 = s.copy()
s2.add_constraints(y >= 0x10, y < 0x20)
s2.memory.store(y, d)
for i in range(0x10, 0x20):
assert len(s2.solver.eval_upto(s2.memory.load(i, 1), 10)) == 3示例8: run_realloc_near_same_size
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def run_realloc_near_same_size(arch):
s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
s.heap.malloc(20)
p1 = s.heap.malloc(61)
s.heap.malloc(80)
sc = s.copy()
p2 = s.heap.realloc(p1, 62)
nose.tools.assert_equals(p1, p2)
nose.tools.assert_true(same_heap_states(s, sc))示例9: run_free_null_preserves_state
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def run_free_null_preserves_state(arch):
s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
s.heap.malloc(30)
p = s.heap.malloc(40)
s.heap.malloc(50)
s.heap.free(p)
s2 = s.copy()
s2.heap.free(0)
nose.tools.assert_true(same_heap_states(s, s2))示例10: run_malloc_maximizes_sym_arg
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def run_malloc_maximizes_sym_arg(arch):
s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
sc = s.copy()
x = s.solver.BVS("x", 32)
s.solver.add(x.UGE(0))
s.solver.add(x.ULE(max_sym_var_val(s)))
s.heap.malloc(x)
sc.heap.malloc(max_sym_var_val(sc))
nose.tools.assert_true(same_heap_states(s, sc))示例11: test_inline_strncmp
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def test_inline_strncmp():
l.info("symbolic left, symbolic right, symbolic len")
s = SimState(arch="AMD64", mode="symbolic")
left = s.solver.BVS("left", 32)
left_addr = s.solver.BVV(0x1000, 64)
right = s.solver.BVS("right", 32)
right_addr = s.solver.BVV(0x2000, 64)
maxlen = s.solver.BVS("len", 64)
s.memory.store(left_addr, left)
s.memory.store(right_addr, right)
s.add_constraints(strlen(s, arguments=[left_addr]) == 3)
s.add_constraints(strlen(s, arguments=[right_addr]) == 0)
s.add_constraints(maxlen != 0)
c = strncmp(s, arguments=[left_addr, right_addr, maxlen])
s_match = s.copy()
s_match.add_constraints(c == 0)
nose.tools.assert_false(s_match.satisfiable())
#nose.tools.assert_equal(s_match.solver.min_int(maxlen), 3)
s_nomatch = s.copy()
s_nomatch.add_constraints(c != 0)
nose.tools.assert_true(s_nomatch.satisfiable())
#nose.tools.assert_equal(s_nomatch.solver.max_int(maxlen), 2)
l.info("zero-length")
s = SimState(arch="AMD64", mode="symbolic")
left = s.solver.BVS("left", 32)
left_addr = s.solver.BVV(0x1000, 64)
right = s.solver.BVS("right", 32)
right_addr = s.solver.BVV(0x2000, 64)
maxlen = s.solver.BVS("len", 64)
left_len = strlen(s, arguments=[left_addr])
right_len = strlen(s, arguments=[right_addr])
c = strncmp(s, arguments=[left_addr, right_addr, maxlen])
s.add_constraints(right_len == 0)
s.add_constraints(left_len == 0)
#s.add_constraints(c == 0)
s.add_constraints(maxlen == 0)
nose.tools.assert_true(s.satisfiable())示例12: test_strchr
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def test_strchr():
l.info("concrete haystack and needle")
s = SimState(arch="AMD64", mode="symbolic")
str_haystack = s.solver.BVV(0x41424300, 32)
str_needle = s.solver.BVV(0x42, 64)
addr_haystack = s.solver.BVV(0x10, 64)
s.memory.store(addr_haystack, str_haystack, endness="Iend_BE")
ss_res = strchr(s, arguments=[addr_haystack, str_needle])
nose.tools.assert_true(s.solver.unique(ss_res))
nose.tools.assert_equal(s.solver.eval(ss_res), 0x11)
l.info("concrete haystack, symbolic needle")
s = SimState(arch="AMD64", mode="symbolic")
str_haystack = s.solver.BVV(0x41424300, 32)
str_needle = s.solver.BVS("wtf", 64)
chr_needle = str_needle[7:0]
addr_haystack = s.solver.BVV(0x10, 64)
s.memory.store(addr_haystack, str_haystack, endness="Iend_BE")
ss_res = strchr(s, arguments=[addr_haystack, str_needle])
nose.tools.assert_false(s.solver.unique(ss_res))
nose.tools.assert_equal(len(s.solver.eval_upto(ss_res, 10)), 5)
s_match = s.copy()
s_nomatch = s.copy()
s_match.add_constraints(ss_res != 0)
s_nomatch.add_constraints(ss_res == 0)
nose.tools.assert_true(s_match.satisfiable())
nose.tools.assert_true(s_nomatch.satisfiable())
nose.tools.assert_equal(len(s_match.solver.eval_upto(chr_needle, 300)), 4)
nose.tools.assert_equal(len(s_nomatch.solver.eval_upto(chr_needle, 300)), 252)
nose.tools.assert_sequence_equal(sorted(s_match.solver.eval_upto(ss_res, 300)), [ 0x10, 0x11, 0x12, 0x13 ])
nose.tools.assert_sequence_equal(sorted(s_match.solver.eval_upto(chr_needle, 300)), [ 0x00, 0x41, 0x42, 0x43 ])
s_match.memory.store(ss_res, s_match.solver.BVV(0x44, 8))
nose.tools.assert_sequence_equal(sorted(s_match.solver.eval_upto(s_match.memory.load(0x10, 1), 300)), [ 0x41, 0x44 ])
nose.tools.assert_sequence_equal(sorted(s_match.solver.eval_upto(s_match.memory.load(0x11, 1), 300)), [ 0x42, 0x44 ])
nose.tools.assert_sequence_equal(sorted(s_match.solver.eval_upto(s_match.memory.load(0x12, 1), 300)), [ 0x43, 0x44 ])
nose.tools.assert_sequence_equal(sorted(s_match.solver.eval_upto(s_match.memory.load(0x13, 1), 300)), [ 0x00, 0x44 ])
return示例13: run_calloc_clears
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def run_calloc_clears(arch):
s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
s.memory.store(0xd0000000 + 2 * s.heap._chunk_size_t_size, s.solver.BVV(-1, 100 * 8))
sc = s.copy()
p1 = s.heap.calloc(6, 5)
p2 = sc.heap.malloc(30)
v1 = s.memory.load(p1, 30)
v2 = sc.memory.load(p2, 30)
nose.tools.assert_true(s.solver.is_true(v1 == 0))
nose.tools.assert_true(sc.solver.is_true(v2 == -1))示例14: test_store_simplification
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def test_store_simplification():
state = SimState(arch='X86')
state.regs.esp = state.se.BVS('stack_pointer', 32)
state.regs.ebp = state.se.BVS('base_pointer', 32)
state.regs.eax = state.se.BVS('base_eax', 32)
irsb = pyvex.IRSB('PT]\xc2\x10\x00', 0x4000, state.arch)
sim_successors = SimEngineVEX().process(state.copy(), irsb)
exit_state = sim_successors.all_successors[0]
nose.tools.assert_true(claripy.backends.z3.is_true(exit_state.regs.ebp == state.regs.esp - 4))示例15: run_calloc_maximizes_sym_arg
# 需要导入模块: from angr import SimState [as 别名]
# 或者: from angr.SimState import copy [as 别名]
def run_calloc_maximizes_sym_arg(arch):
s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
sc = s.copy()
x = s.solver.BVS("x", 32)
s.solver.add(x.UGE(0))
s.solver.add(x.ULE(20))
y = s.solver.BVS("y", 32)
s.solver.add(y.UGE(0))
s.solver.add(y.ULE(6))
s.heap.calloc(x, y)
sc.heap.calloc(20, 6)
nose.tools.assert_true(same_heap_states(s, sc))