本文整理汇总了Python中angr.SimProcedure方法的典型用法代码示例。如果您正苦于以下问题:Python angr.SimProcedure方法的具体用法?Python angr.SimProcedure怎么用?Python angr.SimProcedure使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类angr的用法示例。
在下文中一共展示了angr.SimProcedure方法的13个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: main
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimProcedure [as 别名]
def main(argv):
path_to_binary = argv[1]
project = angr.Project(path_to_binary)
# You can either use a blank state or an entry state; just make sure to start
# at the beginning of the program.
initial_state = ???
class ReplacementScanf(angr.SimProcedure):
# Hint: scanf("%u %20s")
def run(self, format_string, ...???):
# %u
scanf0 = claripy.BVS('scanf0', ???)
# %20s
scanf1 = claripy.BVS('scanf1', ???)
for char in scanf1.chop(bits=8):
self.state.add_constraints(char >= ???, char <= ???)
scanf0_address = ???
self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
...
self.state.globals['solutions'] = ??? 示例2: test_ret_float
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimProcedure [as 别名]
def test_ret_float():
p = angr.load_shellcode(b'X', arch='i386')
class F1(angr.SimProcedure):
def run(self):
return 12.5
p.hook(0x1000, F1(cc=p.factory.cc(func_ty=angr.sim_type.parse_file('float (x)();')[0]['x'])))
p.hook(0x2000, F1(cc=p.factory.cc(func_ty=angr.sim_type.parse_file('double (x)();')[0]['x'])))
s = p.factory.call_state(addr=0x1000, ret_addr=0)
succ = s.step()
nose.tools.assert_equal(len(succ.successors), 1)
s2 = succ.flat_successors[0]
nose.tools.assert_false(s2.regs.st0.symbolic)
nose.tools.assert_equal(s2.solver.eval(s2.regs.st0.get_bytes(4, 4).raw_to_fp()), 12.5)
s = p.factory.call_state(addr=0x2000, ret_addr=0)
succ = s.step()
nose.tools.assert_equal(len(succ.successors), 1)
s2 = succ.flat_successors[0]
nose.tools.assert_false(s2.regs.st0.symbolic)
nose.tools.assert_equal(s2.solver.eval(s2.regs.st0.raw_to_fp()), 12.5) 示例3: __init__
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimProcedure [as 别名]
def __init__(
self,
project: Project,
trace: List[Instruction],
hooked_symbol: Dict[str, SimProcedure],
gdb: "CoredumpGDB",
omitted_section: List[List[int]],
static_link: bool,
name: str = "(unamed)",
) -> None:
super().__init__(project, trace, hooked_symbol, gdb, omitted_section)
self.trace_idx = [] # type: List[int]
self.hook_target = {} # type: Dict[int, int]
self.hook_entry = [] # type: List[Tuple[int, Instruction, str]]
self.static_link = static_link
self.name = name
self.analyze_trace() 示例4: main
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimProcedure [as 别名]
def main():
proj = angr.Project('./baby-re', auto_load_libs=False)
# let's provide the exact variables received through the scanf so we don't have to worry about parsing stdin into a bunch of ints.
flag_chars = [claripy.BVS('flag_%d' % i, 32) for i in range(13)]
class my_scanf(angr.SimProcedure):
def run(self, fmt, ptr): # pylint: disable=arguments-differ,unused-argument
self.state.mem[ptr].dword = flag_chars[self.state.globals['scanf_count']]
self.state.globals['scanf_count'] += 1
proj.hook_symbol('__isoc99_scanf', my_scanf(), replace=True)
sm = proj.factory.simulation_manager()
sm.one_active.options.add(angr.options.LAZY_SOLVES)
sm.one_active.globals['scanf_count'] = 0
# search for just before the printf("%c%c...")
# If we get to 0x402941, "Wrong" is going to be printed out, so definitely avoid that.
sm.explore(find=0x4028E9, avoid=0x402941)
# evaluate each of the flag chars against the constraints on the found state to construct the flag
flag = ''.join(chr(sm.one_found.solver.eval(c)) for c in flag_chars)
return flag 示例5: run
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimProcedure [as 别名]
def run(self, dirp): # pylint: disable=arguments-differ
# TODO: make sure argument is actually a dir struct
if self.state.arch.name != 'AMD64':
l.error('readdir SimProcedure is only implemented for AMD64')
return 0
self._build_amd64()
self.instrument()
malloc = angr.SIM_PROCEDURES['libc']['malloc']
pointer = self.inline_call(malloc, 19 + 256).ret_expr
self._store_amd64(pointer)
return self.state.solver.If(self.condition, pointer, self.state.solver.BVV(0, self.state.arch.bits)) 示例6: instrument
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimProcedure [as 别名]
def instrument(self):
"""
Override this function to instrument the SimProcedure.
The two useful variables you can override are self.struct, a named tuple of all the struct
fields, and self.condition, the condition for whether the function succeeds.
"""
pass 示例7: hook_user_procedures
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimProcedure [as 别名]
def hook_user_procedures(dct: Dict[str, Any], hook_IO: bool = True) -> None:
procedures = [
memory_operation,
group_operation,
miscs,
socket_operation,
string_operation,
time_operation,
syscall,
]
if hook_IO:
procedures.append(file_operation)
for module in procedures:
for op in dir(module):
obj = getattr(module, op)
if isinstance(obj, type) and SimProcedure in obj.__mro__:
if not getattr(obj, "INCOMPLETE", False):
dct[op] = obj
if getattr(obj, "IS_SYSCALL", False):
ins = obj(display_name=op)
ins.cc = None
ins.is_syscall = True
ins.NO_RET = False
ins.ADDS_EXITS = False
SIM_LIBRARIES["linux"].procedures[op] = ins 示例8: hook_function
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimProcedure [as 别名]
def hook_function(project, ea, cls):
"""Hook the function `ea` with the SimProcedure `cls`."""
project.hook(ea, cls(project=project)) 示例9: main
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimProcedure [as 别名]
def main(argv):
path_to_binary = argv[1]
project = angr.Project(path_to_binary)
# You can either use a blank state or an entry state; just make sure to start
# at the beginning of the program.
# (!)
initial_state = ???
# Again, scanf needs to be replaced.
class ReplacementScanf(angr.SimProcedure):
# Hint: scanf("%u %20s")
def run(self, format_string, ...???):
# %u
scanf0 = claripy.BVS('scanf0', ???)
# %20s
scanf1 = claripy.BVS('scanf1', ???)
# The bitvector.chop(bits=n) function splits the bitvector into a Python
# list containing the bitvector in segments of n bits each. In this case,
# we are splitting them into segments of 8 bits (one byte.)
for char in scanf1.chop(bits=8):
# Ensure that each character in the string is printable. An interesting
# experiment, once you have a working solution, would be to run the code
# without constraining the characters to the capital letters.
# Even though the solution will technically work without this, it's more
# difficult to enter in a solution that contains character you can't
# copy, paste, or type into your terminal or the web form that checks
# your solution.
# If you are using the web form to submit answers, your solution must be
# entirely alphanumeric except for spaces.
# (!)
self.state.add_constraints(char >= ???, char <= ???)
# Warning: Endianness only applies to integers. If you store a string in
# memory and treat it as a little-endian integer, it will be backwards.
scanf0_address = ???
self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
...
self.state.globals['solution0'] = ???
... 示例10: main
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimProcedure [as 别名]
def main(argv):
path_to_binary = argv[1]
project = angr.Project(path_to_binary)
# You can either use a blank state or an entry state; just make sure to start
# at the beginning of the program.
# (!)
initial_state = ???
# Again, scanf needs to be replaced.
class ReplacementScanf(angr.SimProcedure):
# Hint: scanf("%u %20s")
def run(self, format_string, ...???):
# %u
scanf0 = claripy.BVS('scanf0', ???)
# %20s
scanf1 = claripy.BVS('scanf1', ???)
# The bitvector.chop(bits=n) function splits the bitvector into a Python
# list containing the bitvector in segments of n bits each. In this case,
# we are splitting them into segments of 8 bits (one byte.)
for char in scanf1.chop(bits=8):
# Ensure that each character in the string is printable. An interesting
# experiment, once you have a working solution, would be to run the code
# without constraining the characters to the capital letters.
# Even though the solution will technically work without this, it's more
# difficult to enter in a solution that contains character you can't
# copy, paste, or type into your terminal or the web form that checks
# your solution.
# If you are using the web form to submit answers, your solution must be
# entirely alphanumeric except for spaces.
# (!)
self.state.add_constraints(char >= ???, char <= ???)
# Warning: Endianness only applies to integers. If you store a string in
# memory and treat it as a little-endian integer, it will be backwards.
scanf0_address = ???
self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
...
self.state.globals['solutions'] = ??? 示例11: main
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimProcedure [as 别名]
def main(argv):
path_to_binary = argv[1]
project = angr.Project(path_to_binary)
initial_state = project.factory.entry_state()
# Define a class that inherits angr.SimProcedure in order to take advantage
# of Angr's SimProcedures.
class ReplacementCheckEquals(angr.SimProcedure):
# A SimProcedure replaces a function in the binary with a simulated one
# written in Python. Other than it being written in Python, the function
# acts largely the same as any function written in C. Any parameter after
# 'self' will be treated as a parameter to the function you are replacing.
# The parameters will be bitvectors. Additionally, the Python can return in
# the ususal Pythonic way. Angr will treat this in the same way it would
# treat a native function in the binary returning. An example:
#
# int add_if_positive(int a, int b) {
# if (a >= 0 && b >= 0) return a + b;
# else return 0;
# }
#
# could be simulated with...
#
# class ReplacementAddIfPositive(angr.SimProcedure):
# def run(self, a, b):
# if a >= 0 and b >=0:
# return a + b
# else:
# return 0
#
# Finish the parameters to the check_equals_ function. Reminder:
# int check_equals_AABBCCDDEEFFGGHH(char* to_check, int length) { ...
# (!)
def run(self, to_check, ...???):
# We can almost copy and paste the solution from the previous challenge.
# Hint: Don't look up the address! It's passed as a parameter.
# (!)
user_input_buffer_address = ???
user_input_buffer_length = ???
# Note the use of self.state to find the state of the system in a
# SimProcedure.
user_input_string = self.state.memory.load(
user_input_buffer_address,
user_input_buffer_length
)
check_against_string = ???
# Finally, instead of setting eax, we can use a Pythonic return statement
# to return the output of this function.
# Hint: Look at the previous solution.
return claripy.If(???, ???, ???)
# Hook the check_equals symbol. Angr automatically looks up the address
# associated with the symbol. Alternatively, you can use 'hook' instead
# of 'hook_symbol' and specify the address of the function. To find the
# correct symbol, disassemble the binary.
# (!) 示例12: main
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimProcedure [as 别名]
def main(argv):
path_to_binary = argv[1]
project = angr.Project(path_to_binary)
initial_state = project.factory.entry_state()
class ReplacementScanf(angr.SimProcedure):
# Finish the parameters to the scanf function. Hint: 'scanf("%u %u", ...)'.
# (!)
def run(self, format_string, param0, param1):
scanf0 = claripy.BVS('scanf0', 32)
scanf1 = claripy.BVS('scanf1', 32)
# The scanf function writes user input to the buffers to which the
# parameters point.
# Hint: scanf0_address is passed as a parameter, isn't it?
scanf0_address = param0
self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
scanf1_address = param1
self.state.memory.store(scanf1_address, scanf1, endness=project.arch.memory_endness)
# Now, we want to 'set aside' references to our symbolic values in the
# globals plugin included by default with a state. You will need to
# store multiple bitvectors. You can either use a list, tuple, or multiple
# keys to reference the different bitvectors.
# (!)
self.state.globals['solutions'] = (scanf0, scanf1)
scanf_symbol = '__isoc99_scanf'
project.hook_symbol(scanf_symbol, ReplacementScanf())
simulation = project.factory.simgr(initial_state)
def is_successful(state):
stdout_output = state.posix.dumps(sys.stdout.fileno())
return 'Good Job.' in stdout_output
def should_abort(state):
stdout_output = state.posix.dumps(sys.stdout.fileno())
return 'Try again.' in stdout_output
simulation.explore(find=is_successful, avoid=should_abort)
if simulation.found:
solution_state = simulation.found[0]
# Grab whatever you set aside in the globals dict.
stored_solutions = solution_state.globals['solutions']
solution = ' '.join(map(str, map(solution_state.se.eval, stored_solutions)))
print solution
else:
raise Exception('Could not find the solution') 示例13: main
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimProcedure [as 别名]
def main(argv):
path_to_binary = argv[1]
project = angr.Project(path_to_binary)
initial_state = project.factory.entry_state()
class ReplacementScanf(angr.SimProcedure):
# Finish the parameters to the scanf function. Hint: 'scanf("%u %u", ...)'.
# (!)
def run(self, format_string, scanf0_address, ...):
scanf0 = claripy.BVS('scanf0', ???)
...
# The scanf function writes user input to the buffers to which the
# parameters point.
self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
...
# Now, we want to 'set aside' references to our symbolic values in the
# globals plugin included by default with a state. You will need to
# store multiple bitvectors. You can either use a list, tuple, or multiple
# keys to reference the different bitvectors.
# (!)
self.state.globals['solution0'] = ???
self.state.globals['solution1'] = ???
scanf_symbol = ???
project.hook_symbol(scanf_symbol, ReplacementScanf())
simulation = project.factory.simgr(initial_state)
def is_successful(state):
stdout_output = state.posix.dumps(sys.stdout.fileno())
return ???
def should_abort(state):
stdout_output = state.posix.dumps(sys.stdout.fileno())
return ???
simulation.explore(find=is_successful, avoid=should_abort)
if simulation.found:
solution_state = simulation.found[0]
# Grab whatever you set aside in the globals dict.
stored_solutions0 = solution_state.globals['solution0']
...
solution = ???
print solution
else:
raise Exception('Could not find the solution')