本文整理匯總了Python中angr.SimState類的典型用法代碼示例。如果您正苦於以下問題:Python angr.SimState的具體用法?Python angr.SimState怎麽用?Python angr.SimState使用的例子?那麽,這裏精選的代碼示例或許可以為您提供幫助。您也可以進一步了解該類所在模塊angr的用法示例。
在下文中一共展示了angr.SimState的15個代碼示例,這些例子默認根據受歡迎程度排序。這些示例取自測試代碼,除angr外還用到claripy、nose、pyvex等名稱,運行前需自行補全相應導入。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的Python代碼示例。
示例1: test_state_merge_static
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_state_merge_static():
    """Merge three static-mode states and compare the merged abstract value.

    Each state stores a different 32-bit constant (50, 60, 70) at the same
    value-set address. The value loaded from the merged state must be
    identical to a strided interval with stride 10 and bounds 50..70.
    """
    # Abstract memory, aligned merge.
    base = SimState(arch='AMD64', mode='static')
    addr = base.solver.ValueSet(32, 'global', 0, 8)
    base.memory.store(addr, base.solver.BVV(42, 32))

    # Drop the recorded abstract locations so the stores below are not merged
    # with the initial value 42.
    base.memory.regions['global']._alocs = { }

    second = base.copy()
    third = base.copy()

    # All three constants are built with the base state's solver, as in the
    # original sequence of stores.
    for target, constant in ((base, 50), (second, 60), (third, 70)):
        target.memory.store(addr, base.solver.BVV(constant, 32), endness='Iend_LE')

    merged, _, _ = base.merge(second, third)

    actual = claripy.backends.vsa.convert(merged.memory.load(addr, 4))
    expected = claripy.backends.vsa.convert(
        base.solver.SI(bits=32, stride=10, lower_bound=50, upper_bound=70)
    )
    nose.tools.assert_true(actual.identical(expected))
示例2: test_symbolic_write
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_symbolic_write():
    """Count the possible byte values after stores to symbolic addresses.

    With SYMBOLIC_WRITE_ADDRESSES enabled, a one-byte store to an address
    constrained to [0x10, 0x20) leaves every byte in that window with two
    possible values. Storing again through the same symbolic address keeps
    the count at two; a store through a second, independent symbolic address
    in a copied state raises it to three.
    """
    state = SimState(arch='AMD64', add_options={o.SYMBOLIC_WRITE_ADDRESSES})
    x = state.solver.BVS('x', 64)
    y = state.solver.BVS('y', 64)

    filler = state.solver.BVV(b'A'*0x10)
    byte_b = state.solver.BVV(b'B')
    byte_c = state.solver.BVV(b'C')
    byte_d = state.solver.BVV(b'D')

    def solution_count(st, address):
        # Ask for up to 10 solutions of the single byte stored at `address`.
        return len(st.solver.eval_upto(st.memory.load(address, 1), 10))

    window = range(0x10, 0x20)

    state.memory.store(0x10, filler)
    state.add_constraints(x >= 0x10, x < 0x20)
    state.memory.store(x, byte_b)
    for address in window:
        assert solution_count(state, address) == 2

    # Same symbolic address again: the new byte replaces the previous one.
    state.memory.store(x, byte_c)
    for address in window:
        assert solution_count(state, address) == 2

    # A second symbolic address, constrained only in the copy.
    forked = state.copy()
    forked.add_constraints(y >= 0x10, y < 0x20)
    forked.memory.store(y, byte_d)
    for address in window:
        assert solution_count(forked, address) == 3
示例3: test_light_memory
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_light_memory():
    """Read and write registers on a state whose register plugin is SimLightRegisters.

    Untouched registers read back as symbolic. A full-width write makes the
    register concrete, and a sub-register write (ah) is reflected in the
    containing register when that register is already concrete. Writing cl
    while rcx is otherwise unset leaves rcx symbolic.
    """
    state = SimState(arch='AMD64', plugins={'registers': SimLightRegisters()})
    assert type(state.registers) is SimLightRegisters

    rax_value = 0x4142434445464748
    rbx_value = 0x5555555544444444

    # rax: symbolic before the write, concrete afterwards.
    assert state.regs.rax.symbolic
    state.regs.rax = rax_value
    assert (state.regs.rax == rax_value).is_true()

    # rbx: same pattern with a different constant.
    assert state.regs.rbx.symbolic
    state.regs.rbx = rbx_value
    assert (state.regs.rbx == rbx_value).is_true()

    assert state.regs.rcx.symbolic

    # Zeroing ah clears bits 8..15 of the concrete rax value.
    state.regs.ah = 0
    assert (state.regs.rax == 0x4142434445460048).is_true()

    # A partial write into rcx does not make the whole register concrete.
    state.regs.cl = 0
    assert state.regs.rcx.symbolic
示例4: test_crosspage_read
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_crosspage_read():
    """Push words onto an ARM stack and read them back with one large load.

    sp starts at 0x7fff0008 and nine values are pushed, then 36 bytes are
    loaded from sp; a tenth push is followed by a 40-byte load. Both reads
    must contain the byte sequence 77 66 55 44, which is how the first pushed
    value 0x44556677 appears in the read-back bytes.
    NOTE(review): the test name suggests the loads span a page boundary
    (the pushes take sp below 0x7fff0000) - confirm against the memory model.
    """
    state = SimState(arch='ARM')
    state.regs.sp = 0x7fff0008

    pushed_words = (
        0x44556677,
        0x1,
        0x2,
        0x3,
        0x4,
        0x99887766,
        0x5,
        0x105c8,
        0x11223344,
    )
    for word in pushed_words:
        state.stack_push(word)

    marker = bytes.fromhex("77665544")

    first_read = state.memory.load(state.regs.sp, 36)
    assert marker in state.solver.eval(first_read, cast_to=bytes)

    state.stack_push(0x10564)

    second_read = state.memory.load(state.regs.sp, 40)
    assert marker in state.solver.eval(second_read, cast_to=bytes)
    # Stricter whole-value check, left disabled in the original:
    #assert s.solver.eval(r, 2) == ( 0xffeeddccbbaa998877665544, )
示例5: test_state_merge_3way
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_state_merge_3way():
    """Merge three symbolic states pairwise and check each value stays reachable.

    The three states carry mutually exclusive path constraints built from two
    boolean symbols and store 8, 9 and 10 at 0x400000. After merging a with b
    and the result with c, the merged state must still be satisfiable with
    the loaded value equal to each of the three constants.
    """
    a = SimState(arch='AMD64', mode='symbolic')
    b = a.copy()
    c = a.copy()

    cond_0 = a.solver.BoolS('cond_0')
    cond_1 = a.solver.BoolS('cond_1')

    # a: cond_0;  b: !cond_0 && cond_1;  c: !cond_0 && !cond_1
    a.add_constraints(cond_0)
    b.add_constraints(a.solver.Not(cond_0), cond_1)
    c.add_constraints(a.solver.Not(cond_0), a.solver.Not(cond_1))

    target = 0x400000
    a.memory.store(target, a.solver.BVV(8, 32))
    b.memory.store(target, b.solver.BVV(9, 32))
    c.memory.store(target, c.solver.BVV(10, 32))

    merged, _, _ = a.merge(b)
    merged, _, _ = merged.merge(c)

    for value in (8, 9, 10):
        assert merged.satisfiable(extra_constraints=(merged.memory.load(target, 4) == value,))
示例6: test_loadg_no_constraint_creation
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_loadg_no_constraint_creation():
    """Handle a VEX LoadG statement and check that no path constraint is added.

    A guarded load is a conditional memory read: the guard belongs inside the
    resulting value expression and must not end up in the state's constraint
    set. The test checks that temp 0 is written, that it depends on the guard
    temp's variables, and that its top-level operation is 'If'.
    """
    state = SimState(arch='armel', mode='symbolic')
    engine = HeavyVEXMixin(None)

    load_addr = pyvex.IRExpr.Const(pyvex.const.U32(0x2000))  # addr (src)
    alt_value = pyvex.IRExpr.Const(pyvex.const.U32(0x1337))  # alt
    guard = pyvex.IRExpr.RdTmp(1)  # guard
    dst_tmp = 0  # dst
    stmt = pyvex.IRStmt.LoadG('Iend_LE', 'ILGop_16Uto32', dst_tmp, load_addr, alt_value, guard)

    # Two 32-bit temps: index 0 receives the result, index 1 holds the guard.
    tyenv = pyvex.IRTypeEnv(state.arch)
    tyenv.types = [ 'Ity_I32', 'Ity_I32' ]
    state.scratch.set_tyenv(tyenv)
    state.scratch.temps[1] = state.solver.BVS('tmp_1', 32)

    engine.state = state
    engine._handle_vex_stmt(stmt)

    # LOADG should not create new constraints - it is a simple conditional
    # memory read. The guard should only appear inside the value AST.
    assert not state.solver.constraints

    result = state.scratch.temps[0]
    assert result is not None
    assert state.scratch.temps[0].variables.issuperset(state.scratch.temps[1].variables)
    assert state.scratch.temps[0].op == 'If'
示例7: test_lseek_unseekable
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_lseek_unseekable():
    """Check that lseek on file descriptors 0, 1 and 2 returns a negative value.

    Each seek is treated as illegal; the concretised 64-bit return value must
    have its top bit (bit 63) set, i.e. be negative as a signed integer.
    """
    state = SimState(arch="AMD64", mode="symbolic")
    sign_bit = 1 << 63

    for fd in (0, 1, 2):
        # Illegal seek
        ret = lseek(state,[fd,0,SEEK_SET]).ret_expr
        ret = state.solver.eval(ret)

        # Assert we have a negative return value
        nose.tools.assert_true(ret & sign_bit != 0)
示例8: test_gettimeofday
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_gettimeofday():
    """Run the gettimeofday SimProcedure with and without USE_SYSTEM_TIMES.

    rdi points at 0x8000 and rsi is 0. With the option set, both qwords
    written at 0x8000 and 0x8008 are concrete; with the option removed they
    are symbolic. Analyses that need reproducible results should be aware
    which mode is active.
    """
    proc = angr.SIM_PROCEDURES['posix']['gettimeofday']()
    state = angr.SimState(arch='amd64')
    state.regs.rdi = 0x8000
    state.regs.rsi = 0

    result_fields = (0x8000, 0x8008)

    state.options.add(angr.options.USE_SYSTEM_TIMES)
    proc.execute(state)
    for field in result_fields:
        assert not state.mem[field].qword.resolved.symbolic

    state.options.discard(angr.options.USE_SYSTEM_TIMES)
    proc.execute(state)
    for field in result_fields:
        assert state.mem[field].qword.resolved.symbolic
示例9: test_clock_gettime
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_clock_gettime():
    """Run the clock_gettime SimProcedure with and without USE_SYSTEM_TIMES.

    rdi is 0 and rsi points at 0x8000. With the option set, both qwords
    written at 0x8000 and 0x8008 are concrete; with the option removed they
    are symbolic.
    """
    proc = angr.SIM_PROCEDURES['posix']['clock_gettime']()
    state = angr.SimState(arch='amd64')
    state.regs.rdi = 0
    state.regs.rsi = 0x8000

    result_fields = (0x8000, 0x8008)

    state.options.add(angr.options.USE_SYSTEM_TIMES)
    proc.execute(state)
    for field in result_fields:
        assert not state.mem[field].qword.resolved.symbolic

    state.options.discard(angr.options.USE_SYSTEM_TIMES)
    proc.execute(state)
    for field in result_fields:
        assert state.mem[field].qword.resolved.symbolic
示例10: test_pwrite
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_pwrite():
    """Write into the middle of a simulated file with pwrite64 and read it back.

    The file starts as 'hello world!\\n'. Five bytes ('test!') are written at
    offset 6, after which the first 13 bytes of the file must read
    'hello test!!\\n'.
    """
    pwrite = SIM_PROCEDURES['posix']['pwrite64']()

    state = SimState(arch="AMD64", mode='symbolic')
    backing_file = SimFile('concrete_file', content='hello world!\n')
    state.fs.insert('test', backing_file)
    fd = state.posix.open(b"test", 1)

    # Source buffer for the write.
    src_addr = 0xd0000000
    state.memory.store(src_addr, b'test!')
    pwrite.execute(state, arguments=[fd, src_addr, 5, 6])

    # Rewind the descriptor and copy the file content into scratch memory.
    descriptor = state.posix.get_fd(fd)
    descriptor.seek(0)
    dst_addr = 0xc0000000
    descriptor.read(dst_addr, 13)

    content = state.solver.eval(state.mem[dst_addr].string.resolved, cast_to=bytes)
    nose.tools.assert_true(content == b'hello test!!\n')

    state.posix.close(fd)
示例11: test_alignment
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_alignment():
    """Check stack alignment after setup_callsite for each default calling convention.

    For every architecture in all_arches that has an entry in DEFAULT_CC
    (Soot excluded), sp is set to -1, a call site with one argument is set
    up, and (sp + STACKARG_SP_DIFF) must be a multiple of STACK_ALIGNMENT.
    """
    for arch in all_arches:
        if arch.name not in DEFAULT_CC:
            continue

        # There is nothing to test for soot about stack alignment
        if isinstance(arch, ArchSoot):
            continue

        l.info("Testing stack alignment for %s", arch.name)
        state = SimState(arch=arch)
        cc = DEFAULT_CC[arch.name](arch=arch)

        # Start from a deliberately misaligned stack pointer.
        state.regs.sp = -1

        # setup callsite with one argument (0x1337), "returning" to 0
        cc.setup_callsite(state, 0, [0x1337])

        # ensure stack alignment is correct
        is_aligned = ((state.regs.sp + cc.STACKARG_SP_DIFF) % cc.STACK_ALIGNMENT == 0)
        nose.tools.assert_true(
            state.solver.is_true(is_aligned),
            'non-zero stack alignment after setup_callsite for %s'%cc,
        )
示例12: test_simple_concrete
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_simple_concrete():
    """Read one concrete 64-bit value through several typed memory views.

    A little-endian qword is stored at a fixed address and read back as raw
    memory and as char, byte, int16_t, uint16_t and qword views. A store
    through the uint16_t view must change only the low 16 bits.
    """
    state = SimState(arch="AMD64")
    addr = 0xba5e0

    def check_read(expected):
        # Raw 8-byte little-endian load, then each typed view of the same address.
        raw = state.solver.eval(state.memory.load(addr, 8, endness=Endness.LE), cast_to=int)
        nose.tools.assert_equal(raw, expected)

        low_byte = expected & 0xFF
        low_word = expected & 0xFFFF
        nose.tools.assert_equal(state.mem[addr].char.concrete, chr(low_byte).encode())
        nose.tools.assert_equal(state.mem[addr].byte.concrete, low_byte)
        nose.tools.assert_equal(state.mem[addr].int16_t.concrete, ctypes.c_int16(low_word).value)
        nose.tools.assert_equal(state.mem[addr].uint16_t.concrete, low_word)
        nose.tools.assert_equal(state.mem[addr].qword.concrete, expected)

    state.memory.store(addr, claripy.BVV(0x11223344aabbcc7d, 64), endness=Endness.LE)
    check_read(0x11223344aabbcc7d)

    # test storing
    state.mem[addr].uint16_t = 0xef6d
    check_read(0x11223344aabbef6d)
示例13: test_string_concrete
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_string_concrete():
    """Read a NUL-terminated byte string back through the string memory view.

    The stored bytes include a trailing NUL. The check confirms the raw bytes,
    the terminator that follows them, and that the string view returns the
    content without the terminator.
    """
    state = SimState(arch="AMD64")
    addr = 0xba5e0

    def check_read(expected):
        size = len(expected)
        body = state.solver.eval(state.memory.load(addr, size), cast_to=bytes)
        nose.tools.assert_equal(body, expected)

        # The byte right after the string must be the terminator.
        terminator = state.solver.eval(state.memory.load(addr + size, 1), cast_to=int)
        nose.tools.assert_equal(terminator, 0)

        nose.tools.assert_equal(state.mem[addr].string.concrete, expected)

    state.memory.store(addr, b"a string!\0")
    check_read(b"a string!")

    # not supported yet
    # s.mem[addr].string = "shorter"
    # check_read(b"shorter")
    # s.mem[addr].string = "a longer string"
    # check_read(b"a longer string")
示例14: test_array_concrete
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_array_concrete():
    """Read and write concrete arrays through the typed memory view.

    Five little-endian dwords (1..5) are stored contiguously, then read back
    as a dword array, as a single element, as a qword array and as a nested
    2x2 dword array. Element assignment and whole-array stores, flat and
    nested, are verified afterwards.
    """
    state = SimState(arch="AMD64")
    addr = 0xba5e0

    for index, value in enumerate((0x1, 0x2, 0x3, 0x4, 0x5)):
        state.memory.store(addr + 4 * index, claripy.BVV(value, 32), endness=Endness.LE)

    view = state.mem[addr]
    nose.tools.assert_equal(view.dword.array(5).concrete, [0x1, 0x2, 0x3, 0x4, 0x5])
    nose.tools.assert_equal(view.dword.array(5)[2].concrete, 0x3)
    # Two adjacent little-endian dwords combine into one qword.
    nose.tools.assert_equal(view.qword.array(2).concrete, [0x0000000200000001, 0x0000000400000003])
    nose.tools.assert_equal(view.dword.array(2).array(2).concrete, [[0x1, 0x2], [0x3, 0x4]])

    # Assigning one element writes the dword at offset 12.
    state.mem[addr].dword.array(5)[3] = 10
    fourth = state.solver.eval(state.memory.load(addr + 12, 4, endness=Endness.LE), cast_to=int)
    nose.tools.assert_equal(fourth, 10)

    # Whole-array store.
    state.mem[addr].dword.array(5).store([20,2,3,4,5])
    nose.tools.assert_equal(state.mem[addr].dword.array(4).concrete, [20,2,3,4])

    # Nested-array store; rows are laid out one after another.
    state.mem[addr].dword.array(2).array(2).store([[1,2], [4,3]])
    nose.tools.assert_equal(state.mem[addr].dword.array(4).concrete, [1,2,4,3])
示例15: test_strstr_inconsistency
# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SimState [as 別名]
def test_strstr_inconsistency():
    """Check that two strstr calls on the same symbolic buffers cannot disagree.

    With a symbolic haystack and needle, the first result is not unique: it
    is either 0 or an address starting at 0x10, bounded by
    libc.buf_symbolic_bytes. After constraining the first result to be
    non-zero and a second, identical call to return 0, the state must be
    unsatisfiable.
    """
    l.info("symbolic haystack, symbolic needle")
    state = SimState(arch="AMD64", mode="symbolic")
    state.libc.buf_symbolic_bytes = 2
    haystack = state.solver.BVV(0x10, 64)
    needle = state.solver.BVV(0xb0, 64)

    # The original carried disabled strlen-based debug output here
    # (haystack and needle lengths); it is not part of the test.
    first = strstr(state, arguments=[haystack, needle])

    nose.tools.assert_false(state.solver.unique(first))
    solutions = sorted(state.solver.eval_upto(first, 100))
    expected = [0] + list(range(0x10, 0x10 + state.libc.buf_symbolic_bytes - 1))
    nose.tools.assert_sequence_equal(solutions, expected)

    # "Found" on the first call and "not found" on the second is contradictory.
    state.add_constraints(first != 0)
    second = strstr(state, arguments=[haystack, needle])
    state.add_constraints(second == 0)

    nose.tools.assert_false(state.satisfiable())
#@nose.tools.timed(10)