Python SimEngineVEX Beispiele

Beispiel #1

Datei: test_inspect.py Projekt: zyc1314/angr

def test_inspect_exit():
    class counts:  #pylint:disable=no-init
        exit_before = 0
        exit_after = 0

    def handle_exit_before(state):
        counts.exit_before += 1
        exit_target = state.inspect.exit_target
        nose.tools.assert_equal(state.solver.eval(exit_target), 0x3f8)
        # change exit target
        state.inspect.exit_target = 0x41414141
        nose.tools.assert_equal(state.inspect.exit_jumpkind, "Ijk_Boring")
        nose.tools.assert_true(state.inspect.exit_guard.is_true())

    def handle_exit_after(state):  #pylint:disable=unused-argument
        counts.exit_after += 1

    s = SimState(arch="AMD64", mode="symbolic")
    irsb = pyvex.IRSB(b"\x90\x90\x90\x90\xeb\x0a",
                      mem_addr=1000,
                      arch=archinfo.ArchAMD64())

    # break on exit
    s.inspect.b('exit', BP_BEFORE, action=handle_exit_before)
    s.inspect.b('exit', BP_AFTER, action=handle_exit_after)

    # step it
    succ = SimEngineVEX().process(s, irsb).flat_successors

    # check
    nose.tools.assert_equal(succ[0].solver.eval(succ[0].ip), 0x41414141)
    nose.tools.assert_equal(counts.exit_before, 1)
    nose.tools.assert_equal(counts.exit_after, 1)

Beispiel #2

Datei: test_inspect.py Projekt: zyc1314/angr

def test_inspect():
    class counts:  #pylint:disable=no-init
        mem_read = 0
        mem_write = 0
        reg_read = 0
        reg_write = 0
        tmp_read = 0
        tmp_write = 0
        expr = 0
        statement = 0
        instruction = 0
        constraints = 0
        variables = 0

    def act_mem_read(state):  #pylint:disable=unused-argument
        counts.mem_read += 1

    def act_mem_write(state):  #pylint:disable=unused-argument
        counts.mem_write += 1

    def act_reg_read(state):  #pylint:disable=unused-argument
        counts.reg_read += 1

    def act_reg_write(state):  #pylint:disable=unused-argument
        counts.reg_write += 1

    def act_tmp_read(state):  #pylint:disable=unused-argument
        counts.tmp_read += 1

    def act_tmp_write(state):  #pylint:disable=unused-argument
        counts.tmp_write += 1

    def act_expr(state):  #pylint:disable=unused-argument
        counts.expr += 1

    def act_statement(state):  #pylint:disable=unused-argument
        counts.statement += 1

    def act_instruction(state):  #pylint:disable=unused-argument
        counts.instruction += 1

    def act_variables(state):  #pylint:disable=unused-argument
        #print "CREATING:", state.inspect.symbolic_name
        counts.variables += 1


#   def act_constraints(state): #pylint:disable=unused-argument
#       counts.constraints += 1

    s = SimState(arch="AMD64", mode="symbolic")

    s.inspect.b('mem_write', when=BP_AFTER, action=act_mem_write)
    nose.tools.assert_equal(counts.mem_write, 0)
    s.memory.store(100, s.solver.BVV(10, 32))
    nose.tools.assert_equal(counts.mem_write, 1)

    s.inspect.b('mem_read', when=BP_AFTER, action=act_mem_read)
    s.inspect.b('mem_read',
                when=BP_AFTER,
                action=act_mem_read,
                mem_read_address=100)
    s.inspect.b('mem_read',
                when=BP_AFTER,
                action=act_mem_read,
                mem_read_address=123)
    s.inspect.b('mem_read',
                when=BP_BEFORE,
                action=act_mem_read,
                mem_read_length=3)
    nose.tools.assert_equal(counts.mem_read, 0)
    s.memory.load(123, 4)
    s.memory.load(223, 3)
    nose.tools.assert_equal(counts.mem_read, 4)

    s.inspect.b('reg_read', when=BP_AFTER, action=act_reg_read)
    nose.tools.assert_equal(counts.reg_read, 0)
    s.registers.load(16)
    nose.tools.assert_equal(counts.reg_read, 1)

    s.inspect.b('reg_write', when=BP_AFTER, action=act_reg_write)
    nose.tools.assert_equal(counts.reg_write, 0)
    s.registers.store(16, s.solver.BVV(10, 32))
    nose.tools.assert_equal(counts.reg_write, 1)
    nose.tools.assert_equal(counts.mem_write, 1)
    nose.tools.assert_equal(counts.mem_read, 4)
    nose.tools.assert_equal(counts.reg_read, 1)

    s.inspect.b('tmp_read', when=BP_AFTER, action=act_tmp_read, tmp_read_num=0)
    s.inspect.b('tmp_write',
                when=BP_AFTER,
                action=act_tmp_write,
                tmp_write_num=0)
    s.inspect.b('expr', when=BP_AFTER, action=act_expr, expr_result=1016)
    s.inspect.b('statement', when=BP_AFTER, action=act_statement)
    s.inspect.b('instruction',
                when=BP_AFTER,
                action=act_instruction,
                instruction=1001)
    s.inspect.b('instruction',
                when=BP_AFTER,
                action=act_instruction,
                instruction=1000)
    irsb = pyvex.IRSB(b"\x90\x90\x90\x90\xeb\x0a",
                      mem_addr=1000,
                      arch=archinfo.ArchAMD64(),
                      opt_level=0)
    irsb.pp()
    SimEngineVEX().process(s, irsb)
    nose.tools.assert_equal(counts.reg_write, 7)
    nose.tools.assert_equal(counts.reg_read, 2)
    nose.tools.assert_equal(counts.tmp_write, 1)
    nose.tools.assert_equal(counts.tmp_read, 1)
    nose.tools.assert_equal(
        counts.expr, 3
    )  # one for the Put, one for the WrTmp, and one to get the next address to jump to
    nose.tools.assert_equal(counts.statement, 11)
    nose.tools.assert_equal(counts.instruction, 2)
    nose.tools.assert_equal(counts.constraints, 0)
    nose.tools.assert_equal(counts.mem_write, 1)
    nose.tools.assert_equal(counts.mem_read, 4)

    s = SimState(arch="AMD64", mode="symbolic")
    s.inspect.b('symbolic_variable', when=BP_AFTER, action=act_variables)
    s.memory.load(0, 10)
    nose.tools.assert_equal(counts.variables, 1)