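def test_mips():
    """Symbolic argc on the MIPS argc_symbol binary.

    Starts a path with a symbolic argument count (``sargc=True``) and three
    symbolic 40-byte argv strings, then explores to the three target
    addresses.  Exactly three paths must be found, one per argc value
    0/1/2.  For argc 1 and 2 the corresponding greeting must appear in the
    400 bytes at the stack pointer; the argc 0 path gets no stack check.

    Found paths are matched by their concretised argc rather than by their
    position in ``xpl.found``, so the checks do not depend on the order in
    which the Explorer discovered them.
    """
    proj = angr.Project(test_location + "/mips/argc_symbol")
    find_addrs = [0x400720, 0x40076c, 0x4007bc]
    # One distinct StringSpec per argument: the objects may be mutated by
    # the loader, so do not share a single instance three times.
    start = proj.factory.path(
        args=[angr.StringSpec(sym_length=40) for _ in range(3)],
        env={"HOME": "/home/angr"},
        sargc=True,
    )

    xpl = proj.surveyors.Explorer(find=find_addrs, num_find=100, start=start)
    xpl.run()
    nose.tools.assert_equals(len(xpl.found), 3)

    # Key each found state by its concrete argc; three found paths with the
    # same argc would collapse here and fail the key check below.
    by_argc = {}
    for path in xpl.found:
        state = path.state
        by_argc[state.se.any_int(state.posix.argc)] = state
    nose.tools.assert_equals(sorted(by_argc), [0, 1, 2])

    # Greeting the binary leaves on the stack for each argc (None: no check).
    expected = {0: None, 1: "Good man", 2: "Very Good man"}
    for argc, greeting in expected.items():
        if greeting is None:
            continue
        state = by_argc[argc]
        stack = state.se.any_str(
            state.memory.load(state.registers.load('sp'), 400))
        # assert_in gives the stack contents in the failure message, which
        # assert_equals(x in y, True) does not.
        nose.tools.assert_in(greeting, stack)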
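def test_amd64():
    """Symbolic argc on the x86_64 argc_symbol binary.

    Loads the binary without shared libraries (``auto_load_libs=False``),
    starts a path with a symbolic argument count (``sargc=True``) and three
    symbolic 40-byte argv strings, then explores to the three target
    addresses.  Exactly three paths must be found, one per argc value
    0/1/2.  For argc 1 and 2 the corresponding greeting must appear in the
    800 bytes at the stack pointer; the argc 0 path gets no stack check.

    Found paths are matched by their concretised argc rather than by their
    position in ``xpl.found``, so the checks do not depend on the order in
    which the Explorer discovered them.
    """
    proj = angr.Project(test_location + "/x86_64/argc_symbol",
                        load_options={'auto_load_libs': False})
    find_addrs = [0x40051B, 0x400540, 0x400569]
    # One distinct StringSpec per argument: the objects may be mutated by
    # the loader, so do not share a single instance three times.
    start = proj.factory.path(
        args=[angr.StringSpec(sym_length=40) for _ in range(3)],
        env={"HOME": "/home/angr"},
        sargc=True,
    )

    xpl = proj.surveyors.Explorer(find=find_addrs, num_find=100, start=start)
    xpl.run()
    nose.tools.assert_equals(len(xpl.found), 3)

    # Key each found state by its concrete argc; three found paths with the
    # same argc would collapse here and fail the key check below.
    by_argc = {}
    for path in xpl.found:
        state = path.state
        by_argc[state.se.any_int(state.posix.argc)] = state
    nose.tools.assert_equals(sorted(by_argc), [0, 1, 2])

    # Greeting the binary leaves on the stack for each argc (None: no check).
    expected = {0: None, 1: "Good man", 2: "Very Good man"}
    for argc, greeting in expected.items():
        if greeting is None:
            continue
        state = by_argc[argc]
        stack = state.se.any_str(
            state.memory.load(state.registers.load('sp'), 800))
        # assert_in gives the stack contents in the failure message, which
        # assert_equals(x in y, True) does not.
        nose.tools.assert_in(greeting, stack)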
# from playing with the binary, we can easily see that it requires strings of # length 8, so we'll hook the strlen calls and make sure we pass an 8-byte # string def hook_length(state): state.regs.rax = 8 p.hook(0x40168e, func=hook_length, length=5) p.hook(0x4016BE, func=hook_length, length=5) # here, we create the initial state to start execution. argv[1] is our 8-byte # string, and we add an angr option to gracefully handle unsupported syscalls initial_state = p.factory.entry_state( args=[ angr.StringSpec(string="crypto400"), angr.StringSpec(sym_length=8, nonnull=True) ], add_options={"BYPASS_UNSUPPORTED_SYSCALL"}) # PathGroups are a basic building block of the symbolic execution engine. They # track a group of paths as the binary is executed, and allows for easier # management, pruning, and so forth of those paths pg = p.factory.path_group(initial_state, immutable=False) # here, we get to stage 2 using the PathGroup's find() functionality. This # executes until at least one path reaches the specified address, and can # discard paths that hit certain other addresses. print '[*] executing' pg.explore(find=0x4016A3).unstash(from_stash='found', to_stash='active') pg.explore(find=0x4016B7, avoid=[0x4017D6, 0x401699,