本文整理汇总了Python中simuvex.SimState.add_constraints方法的典型用法代码示例。如果您正苦于以下问题:Python SimState.add_constraints方法的具体用法?Python SimState.add_constraints怎么用?Python SimState.add_constraints使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类simuvex.SimState的用法示例。
在下文中一共展示了SimState.add_constraints方法的11个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: test_strcpy
# 需要导入模块: from simuvex import SimState [as 别名]
# 或者: from simuvex.SimState import add_constraints [as 别名]
def test_strcpy():
l.info("concrete src, concrete dst")
l.debug("... full copy")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.se.BitVecVal(0x41414100, 32)
dst_addr = s.se.BitVecVal(0x1000, 64)
src = s.se.BitVecVal(0x42420000, 32)
src_addr = s.se.BitVecVal(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
strcpy(s, inline=True, arguments=[dst_addr, src_addr])
new_dst = s.memory.load(dst_addr, 4, endness="Iend_BE")
nose.tools.assert_equal(s.se.any_str(new_dst), "BB\x00\x00")
l.info("symbolic src, concrete dst")
dst = s.se.BitVecVal(0x41414100, 32)
dst_addr = s.se.BitVecVal(0x1000, 64)
src = s.BV("src", 32)
src_addr = s.se.BitVecVal(0x2000, 64)
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
ln = strlen(s, inline=True, arguments=[src_addr]).ret_expr
strcpy(s, inline=True, arguments=[dst_addr, src_addr])
cm = strcmp(s, inline=True, arguments=[dst_addr, src_addr]).ret_expr
s.add_constraints(cm == 0)
s.add_constraints(ln == 15)示例2: test_unsat_core
# 需要导入模块: from simuvex import SimState [as 别名]
# 或者: from simuvex.SimState import add_constraints [as 别名]
def test_unsat_core():
s = SimState(arch='AMD64', mode='symbolic', add_options={ simuvex.options.CONSTRAINT_TRACKING_IN_SOLVER })
x = s.se.BVS('x', 32)
s.add_constraints(s.se.BVV(0, 32) == x)
s.add_constraints(s.se.BVV(1, 32) == x)
nose.tools.assert_false(s.satisfiable())
unsat_core = s.se.unsat_core()
nose.tools.assert_equal(len(unsat_core), 2)示例3: test_concretization_strategies
# 需要导入模块: from simuvex import SimState [as 别名]
# 或者: from simuvex.SimState import add_constraints [as 别名]
def test_concretization_strategies():
initial_memory = {0: 'A', 1: 'B', 2: 'C', 3: 'D'}
s = SimState(memory_backer=initial_memory)
# sanity check
nose.tools.assert_equal(s.se.any_n_str(s.memory.load(3, 1), 2), ['D'])
x = s.se.BVS('x', s.arch.bits)
s.add_constraints(x >= 1)
ss = s.copy()
nose.tools.assert_equal(ss.se.any_n_str(ss.memory.load(x, 1), 2), ['B'])
ss = s.copy()
ss.options.add(simuvex.o.CONSERVATIVE_READ_STRATEGY)
nose.tools.assert_true('symbolic' in next(iter(ss.memory.load(x, 1).variables)))示例4: test_strstr_inconsistency
# 需要导入模块: from simuvex import SimState [as 别名]
# 或者: from simuvex.SimState import add_constraints [as 别名]
def test_strstr_inconsistency(n=2):
l.info("symbolic haystack, symbolic needle")
s = SimState(arch="AMD64", mode="symbolic")
s.libc.buf_symbolic_bytes = n
addr_haystack = s.se.BitVecVal(0x10, 64)
addr_needle = s.se.BitVecVal(0xB0, 64)
# len_needle = strlen(s, inline=True, arguments=[addr_needle])
ss_res = strstr(s, inline=True, arguments=[addr_haystack, addr_needle]).ret_expr
# slh_res = strlen(s, inline=True, arguments=[addr_haystack]).ret_expr
# sln_res = strlen(s, inline=True, arguments=[addr_needle]).ret_expr
# print "LENH:", s.se.any_n_int(slh_res, 100)
# print "LENN:", s.se.any_n_int(sln_res, 100)
nose.tools.assert_false(s.se.unique(ss_res))
nose.tools.assert_items_equal(s.se.any_n_int(ss_res, 100), [0] + range(0x10, 0x10 + s.libc.buf_symbolic_bytes - 1))
s.add_constraints(ss_res != 0)
ss2 = strstr(s, inline=True, arguments=[addr_haystack, addr_needle]).ret_expr
s.add_constraints(ss2 == 0)
nose.tools.assert_false(s.satisfiable())示例5: test_copy
# 需要导入模块: from simuvex import SimState [as 别名]
# 或者: from simuvex.SimState import add_constraints [as 别名]
def test_copy():
s = SimState()
s.memory.store(0x100, "ABCDEFGHIJKLMNOP")
s.memory.store(0x200, "XXXXXXXXXXXXXXXX")
x = s.se.BV('size', s.arch.bits)
s.add_constraints(s.se.ULT(x, 10))
s.memory.copy_contents(0x200, 0x100, x)
nose.tools.assert_equals(sorted(s.se.any_n_int(x, 100)), range(10))
result = s.memory.load(0x200, 5)
nose.tools.assert_equals(sorted(s.se.any_n_str(result, 100)), [ "ABCDE", "ABCDX", "ABCXX", "ABXXX", "AXXXX", "XXXXX" ])
nose.tools.assert_equals(sorted(s.se.any_n_str(result, 100, extra_constraints=[x==3])), [ "ABCXX" ])
s = SimState()
s.posix.write(0, "ABCDEFGHIJKLMNOP", len("ABCDEFGHIJKLMNOP"))
s.posix.seek(0, 0)
s.memory.store(0x200, "XXXXXXXXXXXXXXXX")
x = s.se.BV('size', s.arch.bits)
s.add_constraints(s.se.ULT(x, 10))
s.posix.read(0, x, dst_addr=0x200)
nose.tools.assert_equals(sorted(s.se.any_n_int(x, 100)), range(10))
result = s.memory.load(0x200, 5)
nose.tools.assert_equals(sorted(s.se.any_n_str(result, 100)), [ "ABCDE", "ABCDX", "ABCXX", "ABXXX", "AXXXX", "XXXXX" ])
nose.tools.assert_equals(sorted(s.se.any_n_str(result, 100, extra_constraints=[x==3])), [ "ABCXX" ])
s = SimState()
s.posix.write(0, "ABCDEFGHIJKLMNOP", len("ABCDEFGHIJKLMNOP"))
s.posix.seek(0, 0)
s.memory.store(0x200, "XXXXXXXXXXXXXXXX")
x = s.se.BV('size', s.arch.bits)
s.add_constraints(s.se.ULT(x, 10))
ret_x = SimProcedures['libc.so.6']['read'](s, inline=True, arguments=[0, 0x200, x]).ret_expr
nose.tools.assert_equals(sorted(s.se.any_n_int(x, 100)), range(10))
result = s.memory.load(0x200, 5)
nose.tools.assert_equals(sorted(s.se.any_n_str(result, 100)), [ "ABCDE", "ABCDX", "ABCXX", "ABXXX", "AXXXX", "XXXXX" ])
nose.tools.assert_equals(sorted(s.se.any_n_str(result, 100, extra_constraints=[x==3])), [ "ABCXX" ])
nose.tools.assert_equals(sorted(s.se.any_n_int(ret_x, 100)), range(10))
nose.tools.assert_equals(sorted(s.se.any_n_str(result, 100, extra_constraints=[ret_x==3])), [ "ABCXX" ])示例6: broken_symbolic_write
# 需要导入模块: from simuvex import SimState [as 别名]
# 或者: from simuvex.SimState import add_constraints [as 别名]
def broken_symbolic_write():
s = SimState(arch='AMD64', mode='symbolic')
addr = s.se.BVS('addr', 64)
s.add_constraints(s.se.Or(addr == 10, addr == 20, addr == 30))
nose.tools.assert_equals(len(s.se.any_n_int(addr, 10)), 3)
s.memory.store(10, s.se.BVV(1, 8))
s.memory.store(20, s.se.BVV(2, 8))
s.memory.store(30, s.se.BVV(3, 8))
nose.tools.assert_true(s.se.unique(s.memory.load(10, 1)))
nose.tools.assert_true(s.se.unique(s.memory.load(20, 1)))
nose.tools.assert_true(s.se.unique(s.memory.load(30, 1)))
#print "CONSTRAINTS BEFORE:", s.constraints._solver.constraints
#s.memory.store(addr, s.se.BVV(255, 8), strategy=['symbolic','any'], limit=100)
s.memory.store(addr, s.se.BVV(255, 8))
nose.tools.assert_true(s.satisfiable())
print "GO TIME"
nose.tools.assert_equals(len(s.se.any_n_int(addr, 10)), 3)
nose.tools.assert_items_equal(s.se.any_n_int(s.memory.load(10, 1), 3), [ 1, 255 ])
nose.tools.assert_items_equal(s.se.any_n_int(s.memory.load(20, 1), 3), [ 2, 255 ])
nose.tools.assert_items_equal(s.se.any_n_int(s.memory.load(30, 1), 3), [ 3, 255 ])
nose.tools.assert_equals(len(s.se.any_n_int(addr, 10)), 3)
# see if it works when constraining the write address
sa = s.copy()
sa.add_constraints(addr == 20)
nose.tools.assert_true(sa.satisfiable())
nose.tools.assert_items_equal(sa.se.any_n_int(sa.memory.load(10, 1), 3), [ 1 ])
nose.tools.assert_items_equal(sa.se.any_n_int(sa.memory.load(20, 1), 3), [ 255 ])
nose.tools.assert_items_equal(sa.se.any_n_int(sa.memory.load(30, 1), 3), [ 3 ])
nose.tools.assert_items_equal(sa.se.any_n_int(addr, 10), [ 20 ])
# see if it works when constraining a value to the written one
sv = s.copy()
sv.add_constraints(sv.memory.load(30, 1) == 255)
nose.tools.assert_true(sv.satisfiable())
nose.tools.assert_items_equal(sv.se.any_n_int(sv.memory.load(10, 1), 3), [ 1 ])
nose.tools.assert_items_equal(sv.se.any_n_int(sv.memory.load(20, 1), 3), [ 2 ])
nose.tools.assert_items_equal(sv.se.any_n_int(sv.memory.load(30, 1), 3), [ 255 ])
nose.tools.assert_items_equal(sv.se.any_n_int(addr, 10), [ 30 ])
# see if it works when constraining a value to the unwritten one
sv = s.copy()
sv.add_constraints(sv.memory.load(30, 1) == 3)
nose.tools.assert_true(sv.satisfiable())
nose.tools.assert_items_equal(sv.se.any_n_int(sv.memory.load(10, 1), 3), [ 1, 255 ])
nose.tools.assert_items_equal(sv.se.any_n_int(sv.memory.load(20, 1), 3), [ 2, 255 ])
nose.tools.assert_items_equal(sv.se.any_n_int(sv.memory.load(30, 1), 3), [ 3 ])
nose.tools.assert_items_equal(sv.se.any_n_int(addr, 10), [ 10, 20 ])
s = SimState(arch='AMD64', mode='symbolic')
s.memory.store(0, s.se.BVV(0x4141414141414141, 64))
length = s.se.BVS("length", 32)
#s.memory.store(0, s.se.BVV(0x4242424242424242, 64), symbolic_length=length)
s.memory.store(0, s.se.BVV(0x4242424242424242, 64))
for i in range(8):
ss = s.copy()
ss.add_constraints(length == i)
nose.tools.assert_equal(ss.se.any_str(s.memory.load(0, 8)), "B"*i + "A"*(8-i))
print "GROOVY"示例7: broken_strtok_r
# 需要导入模块: from simuvex import SimState [as 别名]
# 或者: from simuvex.SimState import add_constraints [as 别名]
def broken_strtok_r():
l.debug("CONCRETE MODE")
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(100, s.se.BitVecVal(0x4141414241414241424300, 88), endness="Iend_BE")
s.memory.store(200, s.se.BitVecVal(0x4200, 16), endness="Iend_BE")
str_ptr = s.se.BitVecVal(100, s.arch.bits)
delim_ptr = s.se.BitVecVal(200, s.arch.bits)
state_ptr = s.se.BitVecVal(300, s.arch.bits)
st1 = strtok_r(s, inline=True, arguments=[str_ptr, delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st1.ret_expr, 10), [104])
nose.tools.assert_equal(s.se.any_n_int(s.memory.load(st1.ret_expr - 1, 1), 10), [0])
nose.tools.assert_equal(s.se.any_n_int(s.memory.load(200, 2), 10), [0x4200])
st2 = strtok_r(s, inline=True, arguments=[s.se.BitVecVal(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st2.ret_expr, 10), [107])
nose.tools.assert_equal(s.se.any_n_int(s.memory.load(st2.ret_expr - 1, 1), 10), [0])
st3 = strtok_r(s, inline=True, arguments=[s.se.BitVecVal(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st3.ret_expr, 10), [109])
nose.tools.assert_equal(s.se.any_n_int(s.memory.load(st3.ret_expr - 1, 1), 10), [0])
st4 = strtok_r(s, inline=True, arguments=[s.se.BitVecVal(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st4.ret_expr, 10), [0])
nose.tools.assert_equal(s.se.any_n_int(s.memory.load(300, s.arch.bytes, endness=s.arch.memory_endness), 10), [109])
st5 = strtok_r(s, inline=True, arguments=[s.se.BitVecVal(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st5.ret_expr, 10), [0])
nose.tools.assert_equal(s.se.any_n_int(s.memory.load(300, s.arch.bytes, endness=s.arch.memory_endness), 10), [109])
s.memory.store(1000, s.se.BitVecVal(0x4141414241414241424300, 88), endness="Iend_BE")
s.memory.store(2000, s.se.BitVecVal(0x4200, 16), endness="Iend_BE")
str_ptr = s.se.BitVecVal(1000, s.arch.bits)
delim_ptr = s.se.BitVecVal(2000, s.arch.bits)
state_ptr = s.se.BitVecVal(3000, s.arch.bits)
st1 = strtok_r(s, inline=True, arguments=[str_ptr, delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st1.ret_expr, 10), [1004])
nose.tools.assert_equal(s.se.any_n_int(s.memory.load(st1.ret_expr - 1, 1), 10), [0])
nose.tools.assert_equal(s.se.any_n_int(s.memory.load(2000, 2), 10), [0x4200])
st2 = strtok_r(s, inline=True, arguments=[s.se.BitVecVal(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st2.ret_expr, 10), [1007])
nose.tools.assert_equal(s.se.any_n_int(s.memory.load(st2.ret_expr - 1, 1), 10), [0])
st3 = strtok_r(s, inline=True, arguments=[s.se.BitVecVal(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st3.ret_expr, 10), [1009])
nose.tools.assert_equal(s.se.any_n_int(s.memory.load(st3.ret_expr - 1, 1), 10), [0])
st4 = strtok_r(s, inline=True, arguments=[s.se.BitVecVal(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st4.ret_expr, 10), [0])
nose.tools.assert_equal(
s.se.any_n_int(s.memory.load(3000, s.arch.bytes, endness=s.arch.memory_endness), 10), [1009]
)
st5 = strtok_r(s, inline=True, arguments=[s.se.BitVecVal(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st5.ret_expr, 10), [0])
nose.tools.assert_equal(
s.se.any_n_int(s.memory.load(3000, s.arch.bytes, endness=s.arch.memory_endness), 10), [1009]
)
print "LIGHT FULLY SYMBOLIC TEST"
s = SimState(arch="AMD64", mode="symbolic")
str_ptr = s.se.BitVecVal(100, s.arch.bits)
delim_ptr = s.se.BitVecVal(200, s.arch.bits)
state_ptr = s.se.BitVecVal(300, s.arch.bits)
s.add_constraints(s.memory.load(delim_ptr, 1) != 0)
st1 = strtok_r(s, inline=True, arguments=[str_ptr, delim_ptr, state_ptr])
s.add_constraints(st1.ret_expr != 0)
nose.tools.assert_equal(s.se.any_n_int(s.memory.load(st1.ret_expr - 1, 1), 10), [0])示例8: test_strncpy
# 需要导入模块: from simuvex import SimState [as 别名]
# 或者: from simuvex.SimState import add_constraints [as 别名]
def test_strncpy():
l.info("concrete src, concrete dst, concrete len")
l.debug("... full copy")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.se.BitVecVal(0x41414100, 32)
dst_addr = s.se.BitVecVal(0x1000, 64)
src = s.se.BitVecVal(0x42420000, 32)
src_addr = s.se.BitVecVal(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
strncpy(s, inline=True, arguments=[dst_addr, src_addr, s.se.BitVecVal(3, 64)])
new_dst = s.memory.load(dst_addr, 4, endness="Iend_BE")
nose.tools.assert_equal(s.se.any_str(new_dst), "BB\x00\x00")
l.debug("... partial copy")
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
strncpy(s, inline=True, arguments=[dst_addr, src_addr, s.se.BitVecVal(2, 64)])
new_dst = s.memory.load(dst_addr, 4, endness="Iend_BE")
nose.tools.assert_equal(s.se.any_n_str(new_dst, 2), ["BBA\x00"])
l.info("symbolic src, concrete dst, concrete len")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.se.BitVecVal(0x41414100, 32)
dst_addr = s.se.BitVecVal(0x1000, 64)
src = s.BV("src", 32)
src_addr = s.se.BitVecVal(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
# make sure it copies it all
s.add_constraints(strlen(s, inline=True, arguments=[src_addr]).ret_expr == 2)
# sanity check
s_false = s.copy()
s_false.add_constraints(strlen(s_false, inline=True, arguments=[src_addr]).ret_expr == 3)
nose.tools.assert_false(s_false.satisfiable())
strncpy(s, inline=True, arguments=[dst_addr, src_addr, 3])
nose.tools.assert_true(s.satisfiable())
c = strcmp(s, inline=True, arguments=[dst_addr, src_addr]).ret_expr
nose.tools.assert_items_equal(s.se.any_n_int(c, 10), [0])
l.info("symbolic src, concrete dst, symbolic len")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.se.BitVecVal(0x41414100, 32)
dst_addr = s.se.BitVecVal(0x1000, 64)
src = s.BV("src", 32)
src_addr = s.se.BitVecVal(0x2000, 64)
maxlen = s.BV("len", 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
# make sure it copies it all
s.add_constraints(strlen(s, inline=True, arguments=[src_addr]).ret_expr == 2)
strncpy(s, inline=True, arguments=[dst_addr, src_addr, maxlen])
c = strcmp(s, inline=True, arguments=[dst_addr, src_addr]).ret_expr
s_match = s.copy()
s_match.add_constraints(c == 0)
nose.tools.assert_equals(s_match.se.min_int(maxlen), 3)
s_nomatch = s.copy()
s_nomatch.add_constraints(c != 0)
nose.tools.assert_equals(s_nomatch.se.max_int(maxlen), 2)
l.info("concrete src, concrete dst, symbolic len")
l.debug("... full copy")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.se.BitVecVal(0x41414100, 32)
dst_addr = s.se.BitVecVal(0x1000, 64)
src = s.se.BitVecVal(0x42420000, 32)
src_addr = s.se.BitVecVal(0x2000, 64)
maxlen = s.BV("len", 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
strncpy(s, inline=True, arguments=[dst_addr, src_addr, maxlen])
r = s.memory.load(dst_addr, 4, endness="Iend_BE")
# print repr(r.se.any_n_str(10))
nose.tools.assert_items_equal(s.se.any_n_str(r, 10), ["AAA\x00", "BAA\x00", "BBA\x00", "BB\x00\x00"])示例9: test_memcpy
# 需要导入模块: from simuvex import SimState [as 别名]
# 或者: from simuvex.SimState import add_constraints [as 别名]
def test_memcpy():
l.info("concrete src, concrete dst, concrete len")
l.debug("... full copy")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.se.BitVecVal(0x41414141, 32)
dst_addr = s.se.BitVecVal(0x1000, 64)
src = s.se.BitVecVal(0x42424242, 32)
src_addr = s.se.BitVecVal(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
memcpy(s, inline=True, arguments=[dst_addr, src_addr, s.se.BitVecVal(4, 64)])
new_dst = s.memory.load(dst_addr, 4, endness="Iend_BE")
nose.tools.assert_equal(s.se.any_n_str(new_dst, 2), ["BBBB"])
l.debug("... partial copy")
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
memcpy(s, inline=True, arguments=[dst_addr, src_addr, s.se.BitVecVal(2, 64)])
new_dst = s.memory.load(dst_addr, 4, endness="Iend_BE")
nose.tools.assert_equal(s.se.any_n_str(new_dst, 2), ["BBAA"])
l.info("symbolic src, concrete dst, concrete len")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.se.BitVecVal(0x41414141, 32)
dst_addr = s.se.BitVecVal(0x1000, 64)
src = s.BV("src", 32)
src_addr = s.se.BitVecVal(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
# make sure it copies it all
memcpy(s, inline=True, arguments=[dst_addr, src_addr, s.se.BitVecVal(4, 64)])
nose.tools.assert_true(s.satisfiable())
s.add_constraints(src != s.memory.load(dst_addr, 4))
nose.tools.assert_false(s.satisfiable())
l.info("symbolic src, concrete dst, symbolic len")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.se.BitVecVal(0x41414141, 32)
dst_addr = s.se.BitVecVal(0x1000, 64)
src = s.BV("src", 32)
src_addr = s.se.BitVecVal(0x2000, 64)
cpylen = s.BV("len", 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
memcpy(s, inline=True, arguments=[dst_addr, src_addr, cpylen])
result = s.memory.load(dst_addr, 4, endness="Iend_BE")
# make sure it copies it all
s1 = s.copy()
s1.add_constraints(cpylen == 1)
nose.tools.assert_true(s1.se.unique(s1.memory.load(dst_addr + 1, 3)))
nose.tools.assert_equals(len(s1.se.any_n_int(s1.memory.load(dst_addr, 1), 300)), 256)
s2 = s.copy()
s2.add_constraints(cpylen == 2)
nose.tools.assert_equals(len(s2.se.any_n_int(result[31:24], 300)), 256)
nose.tools.assert_equals(len(s2.se.any_n_int(result[23:16], 300)), 256)
nose.tools.assert_equals(s2.se.any_n_str(result[15:0], 300), ["AA"])
l.info("concrete src, concrete dst, symbolic len")
dst = s2.se.BitVecVal(0x41414141, 32)
dst_addr = s2.se.BitVecVal(0x1000, 64)
src = s2.se.BitVecVal(0x42424242, 32)
src_addr = s2.se.BitVecVal(0x2000, 64)
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
cpylen = s.BV("len", 64)
s.add_constraints(s.se.ULE(cpylen, 4))
memcpy(s, inline=True, arguments=[dst_addr, src_addr, cpylen])
new_dst = s.memory.load(dst_addr, 4, endness="Iend_BE")
nose.tools.assert_items_equal(s.se.any_n_str(new_dst, 300), ["AAAA", "BAAA", "BBAA", "BBBA", "BBBB"])示例10: test_inline_strncmp
# 需要导入模块: from simuvex import SimState [as 别名]
# 或者: from simuvex.SimState import add_constraints [as 别名]
def test_inline_strncmp():
l.info("symbolic left, symbolic right, symbolic len")
s = SimState(arch="AMD64", mode="symbolic")
left = s.BV("left", 32)
left_addr = s.se.BitVecVal(0x1000, 64)
right = s.BV("right", 32)
right_addr = s.se.BitVecVal(0x2000, 64)
maxlen = s.BV("len", 64)
s.memory.store(left_addr, left)
s.memory.store(right_addr, right)
s.add_constraints(strlen(s, inline=True, arguments=[left_addr]).ret_expr == 3)
s.add_constraints(strlen(s, inline=True, arguments=[right_addr]).ret_expr == 0)
s.add_constraints(maxlen != 0)
c = strncmp(s, inline=True, arguments=[left_addr, right_addr, maxlen]).ret_expr
s_match = s.copy()
s_match.add_constraints(c == 0)
nose.tools.assert_false(s_match.satisfiable())
# nose.tools.assert_equals(s_match.se.min_int(maxlen), 3)
s_nomatch = s.copy()
s_nomatch.add_constraints(c != 0)
nose.tools.assert_true(s_nomatch.satisfiable())
# nose.tools.assert_equals(s_nomatch.se.max_int(maxlen), 2)
l.info("zero-length")
s = SimState(arch="AMD64", mode="symbolic")
left = s.BV("left", 32)
left_addr = s.se.BitVecVal(0x1000, 64)
right = s.BV("right", 32)
right_addr = s.se.BitVecVal(0x2000, 64)
maxlen = s.BV("len", 64)
left_len = strlen(s, inline=True, arguments=[left_addr]).ret_expr
right_len = strlen(s, inline=True, arguments=[right_addr]).ret_expr
c = strncmp(s, inline=True, arguments=[left_addr, right_addr, maxlen]).ret_expr
s.add_constraints(right_len == 0)
s.add_constraints(left_len == 0)
# s.add_constraints(c == 0)
s.add_constraints(maxlen == 0)
nose.tools.assert_true(s.satisfiable())示例11: test_memcpy
# 需要导入模块: from simuvex import SimState [as 别名]
# 或者: from simuvex.SimState import add_constraints [as 别名]
def test_memcpy():
l.info("concrete src, concrete dst, concrete len")
l.debug("... full copy")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.se.BVV(0x41414141, 32)
dst_addr = s.se.BVV(0x1000, 64)
src = s.se.BVV(0x42424242, 32)
src_addr = s.se.BVV(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
memcpy(s, inline=True, arguments=[dst_addr, src_addr, s.se.BVV(4, 64)])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_equal(s.se.any_n_str(new_dst, 2), [ "BBBB" ])
l.info("giant copy")
s = SimState(arch="AMD64", mode="symbolic", remove_options=simuvex.o.simplification)
s.memory._maximum_symbolic_size = 0x2000000
size = s.se.BVV(0x1000000, 64)
dst_addr = s.se.BVV(0x2000000, 64)
src_addr = s.se.BVV(0x4000000, 64)
memcpy(s, inline=True, arguments=[dst_addr, src_addr, size])
nose.tools.assert_is(s.memory.load(dst_addr, size), s.memory.load(src_addr, size))
l.debug("... partial copy")
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
memcpy(s, inline=True, arguments=[dst_addr, src_addr, s.se.BVV(2, 64)])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_equal(s.se.any_n_str(new_dst, 2), [ "BBAA" ])
l.info("symbolic src, concrete dst, concrete len")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.se.BVV(0x41414141, 32)
dst_addr = s.se.BVV(0x1000, 64)
src = s.se.BVS("src", 32)
src_addr = s.se.BVV(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
# make sure it copies it all
memcpy(s, inline=True, arguments=[dst_addr, src_addr, s.se.BVV(4, 64)])
nose.tools.assert_true(s.satisfiable())
s.add_constraints(src != s.memory.load(dst_addr, 4))
nose.tools.assert_false(s.satisfiable())
l.info("symbolic src, concrete dst, symbolic len")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.se.BVV(0x41414141, 32)
dst_addr = s.se.BVV(0x1000, 64)
src = s.se.BVS("src", 32)
src_addr = s.se.BVV(0x2000, 64)
cpylen = s.se.BVS("len", 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
memcpy(s, inline=True, arguments=[dst_addr, src_addr, cpylen])
result = s.memory.load(dst_addr, 4, endness='Iend_BE')
# make sure it copies it all
s1 = s.copy()
s1.add_constraints(cpylen == 1)
nose.tools.assert_true(s1.se.unique(s1.memory.load(dst_addr+1, 3)))
nose.tools.assert_equals(len(s1.se.any_n_int(s1.memory.load(dst_addr, 1), 300)), 256)
s2 = s.copy()
s2.add_constraints(cpylen == 2)
nose.tools.assert_equals(len(s2.se.any_n_int(result[31:24], 300)), 256)
nose.tools.assert_equals(len(s2.se.any_n_int(result[23:16], 300)), 256)
nose.tools.assert_equals(s2.se.any_n_str(result[15:0], 300), [ 'AA' ])
l.info("concrete src, concrete dst, symbolic len")
dst = s2.se.BVV(0x41414141, 32)
dst_addr = s2.se.BVV(0x1000, 64)
src = s2.se.BVV(0x42424242, 32)
src_addr = s2.se.BVV(0x2000, 64)
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
cpylen = s.se.BVS("len", 64)
s.add_constraints(s.se.ULE(cpylen, 4))
memcpy(s, inline=True, arguments=[dst_addr, src_addr, cpylen])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_items_equal(s.se.any_n_str(new_dst, 300), [ 'AAAA', 'BAAA', 'BBAA', 'BBBA', 'BBBB' ])