当前位置: 首页>>代码示例>>Python>>正文

Python angr.SimState方法代码示例

本文整理汇总了Python中angr.SimState方法的典型用法代码示例。如果您正苦于以下问题:Python angr.SimState方法的具体用法?Python angr.SimState怎么用?Python angr.SimState使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在angr的用法示例。


在下文中一共展示了angr.SimState方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: test_state_merge_static

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_state_merge_static():
    # With abstract memory
    # Aligned memory merging
    a = SimState(arch='AMD64', mode='static')

    addr = a.solver.ValueSet(32, 'global', 0, 8)
    a.memory.store(addr, a.solver.BVV(42, 32))
    # Clear a_locs, so further writes will not try to merge with value 42
    a.memory.regions['global']._alocs = { }

    b = a.copy()
    c = a.copy()
    a.memory.store(addr, a.solver.BVV(50, 32), endness='Iend_LE')
    b.memory.store(addr, a.solver.BVV(60, 32), endness='Iend_LE')
    c.memory.store(addr, a.solver.BVV(70, 32), endness='Iend_LE')

    merged, _, _ = a.merge(b, c)
    actual = claripy.backends.vsa.convert(merged.memory.load(addr, 4))
    expected = claripy.backends.vsa.convert(a.solver.SI(bits=32, stride=10, lower_bound=50, upper_bound=70))
    nose.tools.assert_true(actual.identical(expected))
开发者ID:angr,项目名称:angr,代码行数:22,代码来源:test_state.py

示例2: test_symbolic_write

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_symbolic_write():
    s = SimState(arch='AMD64', add_options={o.SYMBOLIC_WRITE_ADDRESSES})
    x = s.solver.BVS('x', 64)
    y = s.solver.BVS('y', 64)
    a = s.solver.BVV(b'A'*0x10)
    b = s.solver.BVV(b'B')
    c = s.solver.BVV(b'C')
    d = s.solver.BVV(b'D')

    s.memory.store(0x10, a)
    s.add_constraints(x >= 0x10, x < 0x20)
    s.memory.store(x, b)

    for i in range(0x10, 0x20):
        assert len(s.solver.eval_upto(s.memory.load(i, 1), 10)) == 2

    s.memory.store(x, c)
    for i in range(0x10, 0x20):
        assert len(s.solver.eval_upto(s.memory.load(i, 1), 10)) == 2

    s2 = s.copy()
    s2.add_constraints(y >= 0x10, y < 0x20)
    s2.memory.store(y, d)
    for i in range(0x10, 0x20):
        assert len(s2.solver.eval_upto(s2.memory.load(i, 1), 10)) == 3
开发者ID:angr,项目名称:angr,代码行数:27,代码来源:test_memory.py

示例3: test_light_memory

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_light_memory():
    s = SimState(arch='AMD64', plugins={'registers': SimLightRegisters()})
    assert type(s.registers) is SimLightRegisters

    assert s.regs.rax.symbolic
    s.regs.rax = 0x4142434445464748
    assert (s.regs.rax == 0x4142434445464748).is_true()

    assert s.regs.rbx.symbolic
    s.regs.rbx = 0x5555555544444444
    assert (s.regs.rbx == 0x5555555544444444).is_true()

    assert s.regs.rcx.symbolic

    s.regs.ah = 0
    assert (s.regs.rax == 0x4142434445460048).is_true()

    s.regs.cl = 0
    assert s.regs.rcx.symbolic
开发者ID:angr,项目名称:angr,代码行数:21,代码来源:test_memory.py

示例4: test_crosspage_read

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_crosspage_read():
    state = SimState(arch='ARM')
    state.regs.sp = 0x7fff0008
    state.stack_push(0x44556677)
    state.stack_push(0x1)
    state.stack_push(0x2)
    state.stack_push(0x3)
    state.stack_push(0x4)
    state.stack_push(0x99887766)
    state.stack_push(0x5)
    state.stack_push(0x105c8)
    state.stack_push(0x11223344)


    r1 = state.memory.load(state.regs.sp, 36)
    assert bytes.fromhex("77665544") in state.solver.eval(r1, cast_to=bytes)

    state.stack_push(0x10564)

    r2 = state.memory.load(state.regs.sp, 40)
    assert bytes.fromhex("77665544") in state.solver.eval(r2, cast_to=bytes)
    #assert s.solver.eval(r, 2) == ( 0xffeeddccbbaa998877665544, )
开发者ID:angr,项目名称:angr,代码行数:24,代码来源:test_memory.py

示例5: test_state_merge_3way

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_state_merge_3way():

    a = SimState(arch='AMD64', mode='symbolic')
    b = a.copy()
    c = a.copy()
    conds = [ a.solver.BoolS('cond_0'), a.solver.BoolS('cond_1') ]
    a.add_constraints(conds[0])
    b.add_constraints(a.solver.Not(conds[0]), conds[1])
    c.add_constraints(a.solver.Not(conds[0]), a.solver.Not(conds[1]))

    a.memory.store(0x400000, a.solver.BVV(8, 32))
    b.memory.store(0x400000, b.solver.BVV(9, 32))
    c.memory.store(0x400000, c.solver.BVV(10, 32))

    m, _, _ = a.merge(b)
    m, _, _ = m.merge(c)

    assert m.satisfiable(extra_constraints=(m.memory.load(0x400000, 4) == 8,))
    assert m.satisfiable(extra_constraints=(m.memory.load(0x400000, 4) == 9,))
    assert m.satisfiable(extra_constraints=(m.memory.load(0x400000, 4) == 10,))
开发者ID:angr,项目名称:angr,代码行数:22,代码来源:test_state.py

示例6: test_loadg_no_constraint_creation

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_loadg_no_constraint_creation():

    state = SimState(arch='armel', mode='symbolic')
    engine = HeavyVEXMixin(None)

    stmt = pyvex.IRStmt.LoadG('Iend_LE', 'ILGop_16Uto32',
                              0, # dst
                              pyvex.IRExpr.Const(pyvex.const.U32(0x2000)), # addr (src)
                              pyvex.IRExpr.Const(pyvex.const.U32(0x1337)), # alt
                              pyvex.IRExpr.RdTmp(1)  # guard
                              )
    tyenv = pyvex.IRTypeEnv(state.arch)
    tyenv.types = [ 'Ity_I32', 'Ity_I32' ]
    state.scratch.set_tyenv(tyenv)
    state.scratch.temps[1] = state.solver.BVS('tmp_1', 32)
    engine.state = state
    engine._handle_vex_stmt(stmt)

    # LOADG should not create new constraints - it is a simple conditional memory read. The conditions should only be
    # used inside the value AST to guard the memory read.
    assert not state.solver.constraints
    assert state.scratch.temps[0] is not None
    assert state.scratch.temps[0].variables.issuperset(state.scratch.temps[1].variables)
    assert state.scratch.temps[0].op == 'If'
开发者ID:angr,项目名称:angr,代码行数:26,代码来源:test_vex.py

示例7: test_lseek_unseekable

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_lseek_unseekable():
    state = SimState(arch="AMD64", mode="symbolic")

    # Illegal seek
    current_pos = lseek(state,[0,0,SEEK_SET]).ret_expr
    current_pos = state.solver.eval(current_pos)

    # Assert we have a negative return value
    nose.tools.assert_true(current_pos & (1 << 63) != 0)

    # Illegal seek
    current_pos = lseek(state,[1,0,SEEK_SET]).ret_expr
    current_pos = state.solver.eval(current_pos)

    # Assert we have a negative return value
    nose.tools.assert_true(current_pos & (1 << 63) != 0)

    # Illegal seek
    current_pos = lseek(state,[2,0,SEEK_SET]).ret_expr
    current_pos = state.solver.eval(current_pos)

    # Assert we have a negative return value
    nose.tools.assert_true(current_pos & (1 << 63) != 0)
开发者ID:angr,项目名称:angr,代码行数:25,代码来源:test_lseek.py

示例8: test_gettimeofday

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_gettimeofday():
    proc = angr.SIM_PROCEDURES['posix']['gettimeofday']()

    s = angr.SimState(arch='amd64')
    s.regs.rdi = 0x8000
    s.regs.rsi = 0

    s.options.add(angr.options.USE_SYSTEM_TIMES)
    proc.execute(s)
    assert not s.mem[0x8000].qword.resolved.symbolic
    assert not s.mem[0x8008].qword.resolved.symbolic

    s.options.discard(angr.options.USE_SYSTEM_TIMES)
    proc.execute(s)
    assert s.mem[0x8000].qword.resolved.symbolic
    assert s.mem[0x8008].qword.resolved.symbolic
开发者ID:angr,项目名称:angr,代码行数:18,代码来源:test_sim_time.py

示例9: test_clock_gettime

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_clock_gettime():
    proc = angr.SIM_PROCEDURES['posix']['clock_gettime']()

    s = angr.SimState(arch='amd64')
    s.regs.rdi = 0
    s.regs.rsi = 0x8000

    s.options.add(angr.options.USE_SYSTEM_TIMES)
    proc.execute(s)
    assert not s.mem[0x8000].qword.resolved.symbolic
    assert not s.mem[0x8008].qword.resolved.symbolic

    s.options.discard(angr.options.USE_SYSTEM_TIMES)
    proc.execute(s)
    assert s.mem[0x8000].qword.resolved.symbolic
    assert s.mem[0x8008].qword.resolved.symbolic
开发者ID:angr,项目名称:angr,代码行数:18,代码来源:test_sim_time.py

示例10: test_pwrite

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_pwrite():
    pwrite = SIM_PROCEDURES['posix']['pwrite64']()

    state = SimState(arch="AMD64", mode='symbolic')
    simfile = SimFile('concrete_file', content='hello world!\n')
    state.fs.insert('test', simfile)
    fd = state.posix.open(b"test", 1)

    buf_addr = 0xd0000000
    state.memory.store(buf_addr, b'test!')
    pwrite.execute(state, arguments=[fd, buf_addr, 5, 6])

    simfd = state.posix.get_fd(fd)
    simfd.seek(0)
    res = 0xc0000000
    simfd.read(res, 13)
    data = state.solver.eval(state.mem[res].string.resolved, cast_to=bytes)

    nose.tools.assert_true(data == b'hello test!!\n')

    state.posix.close(fd)
开发者ID:angr,项目名称:angr,代码行数:23,代码来源:test_pwrite_pread.py

示例11: test_alignment

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_alignment():
    for arch in all_arches:
        if arch.name in DEFAULT_CC:
            # There is nothing to test for soot about stack alignment
            if isinstance(arch, ArchSoot):
                continue
            l.info("Testing stack alignment for %s", arch.name)
            st = SimState(arch=arch)
            cc = DEFAULT_CC[arch.name](arch=arch)

            st.regs.sp = -1

            # setup callsite with one argument (0x1337), "returning" to 0
            cc.setup_callsite(st, 0, [0x1337])

            # ensure stack alignment is correct
            nose.tools.assert_true(st.solver.is_true(((st.regs.sp + cc.STACKARG_SP_DIFF) % cc.STACK_ALIGNMENT == 0)),
                                   'non-zero stack alignment after setup_callsite for %s'%cc)
开发者ID:angr,项目名称:angr,代码行数:20,代码来源:test_stack_alignment.py

示例12: test_simple_concrete

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_simple_concrete():
    s = SimState(arch="AMD64")
    addr = 0xba5e0

    def check_read(val):
        nose.tools.assert_equal(s.solver.eval(s.memory.load(addr, 8, endness=Endness.LE), cast_to=int), val)

        nose.tools.assert_equal(s.mem[addr].char.concrete, chr(val & 0xFF).encode())
        nose.tools.assert_equal(s.mem[addr].byte.concrete, val & 0xFF)

        nose.tools.assert_equal(s.mem[addr].int16_t.concrete, ctypes.c_int16(val & 0xFFFF).value)
        nose.tools.assert_equal(s.mem[addr].uint16_t.concrete, val & 0xFFFF)

        nose.tools.assert_equal(s.mem[addr].qword.concrete, val)

    s.memory.store(addr, claripy.BVV(0x11223344aabbcc7d, 64), endness=Endness.LE)
    check_read(0x11223344aabbcc7d)

    # test storing
    s.mem[addr].uint16_t = 0xef6d
    check_read(0x11223344aabbef6d)
开发者ID:angr,项目名称:angr,代码行数:23,代码来源:test_memview.py

示例13: test_string_concrete

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_string_concrete():
    s = SimState(arch="AMD64")
    addr = 0xba5e0

    def check_read(val):
        nose.tools.assert_equal(s.solver.eval(s.memory.load(addr, len(val)), cast_to=bytes), val)
        nose.tools.assert_equal(s.solver.eval(s.memory.load(addr + len(val), 1), cast_to=int), 0)

        nose.tools.assert_equal(s.mem[addr].string.concrete, val)

    s.memory.store(addr, b"a string!\0")
    check_read(b"a string!")

    # not supported yet
    # s.mem[addr].string = "shorter"
    # check_read(b"shorter")

    # s.mem[addr].string = "a longer string"
    # check_read(b"a longer string")
开发者ID:angr,项目名称:angr,代码行数:21,代码来源:test_memview.py

示例14: test_array_concrete

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_array_concrete():
    s = SimState(arch="AMD64")
    addr = 0xba5e0

    s.memory.store(addr, claripy.BVV(0x1, 32), endness=Endness.LE)
    s.memory.store(addr + 4, claripy.BVV(0x2, 32), endness=Endness.LE)
    s.memory.store(addr + 8, claripy.BVV(0x3, 32), endness=Endness.LE)
    s.memory.store(addr + 12, claripy.BVV(0x4, 32), endness=Endness.LE)
    s.memory.store(addr + 16, claripy.BVV(0x5, 32), endness=Endness.LE)

    nose.tools.assert_equal(s.mem[addr].dword.array(5).concrete, [0x1, 0x2, 0x3, 0x4, 0x5])
    nose.tools.assert_equal(s.mem[addr].dword.array(5)[2].concrete, 0x3)
    nose.tools.assert_equal(s.mem[addr].qword.array(2).concrete, [0x0000000200000001, 0x0000000400000003])
    nose.tools.assert_equal(s.mem[addr].dword.array(2).array(2).concrete, [[0x1, 0x2], [0x3, 0x4]])

    s.mem[addr].dword.array(5)[3] = 10
    nose.tools.assert_equal(s.solver.eval(s.memory.load(addr + 12, 4, endness=Endness.LE), cast_to=int), 10)

    s.mem[addr].dword.array(5).store([20,2,3,4,5])
    nose.tools.assert_equal(s.mem[addr].dword.array(4).concrete, [20,2,3,4])

    s.mem[addr].dword.array(2).array(2).store([[1,2], [4,3]])
    nose.tools.assert_equal(s.mem[addr].dword.array(4).concrete, [1,2,4,3])
开发者ID:angr,项目名称:angr,代码行数:25,代码来源:test_memview.py

示例15: test_strstr_inconsistency

# 需要导入模块: import angr [as 别名]
# 或者: from angr import SimState [as 别名]
def test_strstr_inconsistency():
    l.info("symbolic haystack, symbolic needle")
    s = SimState(arch="AMD64", mode="symbolic")
    s.libc.buf_symbolic_bytes = 2
    addr_haystack = s.solver.BVV(0x10, 64)
    addr_needle = s.solver.BVV(0xb0, 64)
    #len_needle = strlen(s, inline=True, arguments=[addr_needle])

    ss_res = strstr(s, arguments=[addr_haystack, addr_needle])

    #slh_res = strlen(s, inline=True, arguments=[addr_haystack])
    #sln_res = strlen(s, inline=True, arguments=[addr_needle])
    #print "LENH:", s.solver.eval_upto(slh_res, 100)
    #print "LENN:", s.solver.eval_upto(sln_res, 100)

    nose.tools.assert_false(s.solver.unique(ss_res))
    nose.tools.assert_sequence_equal(sorted(s.solver.eval_upto(ss_res, 100)), [0] + list(range(0x10, 0x10 + s.libc.buf_symbolic_bytes - 1)))

    s.add_constraints(ss_res != 0)
    ss2 = strstr(s, arguments=[addr_haystack, addr_needle])
    s.add_constraints(ss2 == 0)
    nose.tools.assert_false(s.satisfiable())

#@nose.tools.timed(10)
开发者ID:angr,项目名称:angr,代码行数:26,代码来源:test_string.py


注:本文中的angr.SimState方法示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。