def analyze(b, addr, name=None):
start_state = b.factory.blank_state(addr=addr)
start_state.stack_push(0x0)
with hook0(b):
cfg = b.analyses.CFGEmulated(fail_fast=True, starts=[addr], initial_state=start_state, context_sensitivity_level=5, keep_state=True, call_depth=100, normalize=True)
plot_cfg(cfg, "%s_cfg" % (name), asminst=True, vexinst=False, debug_info=False, remove_imports=False, remove_path_terminator=False)
start_state = b.factory.blank_state(addr=addr, add_options={angr.sim_options.CONSERVATIVE_READ_STRATEGY} | angr.sim_options.resilience_options)
start_state.stack_push(0x0)
simgr = b.factory.simgr(start_state)
simgr.use_technique(NormalizedSteps(cfg))
def check_loops(state):
last = state.history.bbl_addrs[-1]
c = 0
for p in state.history.bbl_addrs:
if p == last:
c += 1
return c > 1
def step_func(lsimgr):
lsimgr.stash(filter_func=check_loops, from_stash='active', to_stash='looping')
lsimgr.stash(filter_func=lambda state: state.addr == 0, from_stash='active', to_stash='found')
print(lsimgr)
return lsimgr
simgr.run(step_func=step_func, until=lambda lsimgr: len(lsimgr.active) == 0, n=100)
for stash in simgr.stashes:
c = 0
for state in simgr.stashes[stash]:
plot_cfg(cfg, "%s_cfg_%s_%d" % (name, stash, c), state=state, asminst=True, vexinst=False, debug_info=False, remove_imports=True, remove_path_terminator=True)
c += 1
def analyze(b, addr, name=None):
start_state = b.factory.blank_state(addr=addr)
start_state.stack_push(0x0)
with hook0(b):
cfg = b.analyses.CFGEmulated(fail_fast=True, starts=[addr], initial_state=start_state, context_sensitivity_level=2, keep_state=True, call_depth=100, normalize=True)
plot_cfg(cfg, "%s_cfg" % (name), asminst=True, vexinst=False, debug_info=False, remove_imports=True, remove_path_terminator=True)
cdg = b.analyses.CDG(cfg=cfg, start=addr)
plot_cdg(cfg, cdg, "%s_cdg" % name, pd_edges=True, cg_edges=True)
def analyze(b, addr, name=None):
start_state = b.factory.blank_state(addr=addr)
start_state.stack_push(0x0)
with hook0(b):
cfg = b.analyses.CFGEmulated(fail_fast=True,
starts=[addr],
initial_state=start_state,
context_sensitivity_level=2,
keep_state=True,
call_depth=100,
normalize=True)
for addr, func in proj.kb.functions.items():
if func.name in ['main', 'verify']:
plot_cfg(cfg,
"%s_%s_cfg" % (name, func.name),
asminst=True,
vexinst=False,
func_addr={addr: True},
debug_info=False,
remove_imports=True,
remove_path_terminator=True)
plot_cfg(cfg,
"%s_cfg_full" % (name),
asminst=True,
vexinst=True,
debug_info=True,
remove_imports=False,
remove_path_terminator=False)
plot_cfg(cfg,
"%s_cfg_classic" % (name),
asminst=True,
vexinst=False,
debug_info=False,
remove_imports=True,
remove_path_terminator=True)
plot_cfg(cfg,
"%s_cfg_classic" % (name),
asminst=True,
vexinst=False,
debug_info=False,
remove_imports=True,
remove_path_terminator=True,
format="raw")
for style in ['thick', 'dark', 'light', 'black', 'kyle']:
set_plot_style(style)
plot_cfg(cfg,
"%s_cfg_%s" % (name, style),
asminst=True,
vexinst=False,
debug_info=False,
remove_imports=True,
remove_path_terminator=True)
def analyze(b, addr, name=None):
start_state = b.factory.blank_state(addr=addr)
start_state.stack_push(0x0)
with hook0(b):
cfg = b.analyses.CFGEmulated(fail_fast=True, starts=[addr], initial_state=start_state, context_sensitivity_level=2, keep_state=True, call_depth=100, normalize=True)
for func in b.kb.functions.values():
if func.is_simprocedure:
continue
ri = b.analyses.RegionIdentifier(func)
plot_func_graph(b, func.transition_graph, "%s" % (func.name), asminst=True, vexinst=False, structure=ri.region, color_depth=True)
def emulated_cg(project, func_addr):
with hook0(project):
return project.analyses.CFGEmulated(
fail_fast=False,
starts=[func_addr],
context_sensitivity_level=1,
enable_function_hints=False,
keep_state=True,
enable_advanced_backward_slicing=False,
enable_symbolic_back_traversal=False,
normalize=True)
def emulated_normal(project, func_addr):
# 初始化状态机
start_state = AngrProj.project_start_state(project, func_addr)
with hook0(project):
return project.analyses.CFGEmulated(fail_fast=True,
starts=[func_addr],
initial_state=start_state,
context_sensitivity_level=2,
keep_state=True,
call_depth=100,
normalize=True)
def _cfg_emulated(self, start_addr=[0x0], initial_state=None):
# 仿真模式生成 CFG
with hook0(self.proj):
cfg_emu = self.proj.analyses.CFGEmulated(
fail_fast=False,
context_sensitivity_level=1,
starts=start_addr,
initial_state=initial_state,
enable_function_hints=False,
keep_state=True,
enable_advanced_backward_slicing=False,
enable_symbolic_back_traversal=False,
normalize=True)
return cfg_emu
def analyze(b, addr, name=None):
start_state = b.factory.blank_state(addr=addr)
start_state.stack_push(0x0)
with hook0(b):
cfg = b.analyses.CFGEmulated(fail_fast=True, starts=[addr], initial_state=start_state, context_sensitivity_level=2, keep_state=True, call_depth=100, normalize=True)
for addr,func in proj.kb.functions.items():
if func.name in ['main','verify']:
plot_cfg(cfg, "%s_%s_cfg" % (name, func.name), asminst=True, vexinst=False, func_addr={addr:True}, debug_info=False, remove_imports=True, remove_path_terminator=True)
plot_cfg(cfg, "%s_cfg_full" % (name), asminst=True, vexinst=True, debug_info=True, remove_imports=False, remove_path_terminator=False)
plot_cfg(cfg, "%s_cfg_classic" % (name), asminst=True, vexinst=False, debug_info=False, remove_imports=True, remove_path_terminator=True)
plot_cfg(cfg, "%s_cfg_classic" % (name), asminst=True, vexinst=False, debug_info=False, remove_imports=True, remove_path_terminator=True, format="raw")
for style in ['thick', 'dark', 'light', 'black', 'kyle']:
set_plot_style(style)
plot_cfg(cfg, "%s_cfg_%s" % (name, style), asminst=True, vexinst=False, debug_info=False, remove_imports=True, remove_path_terminator=True)
def analyze(b, addr, name=None):
start_state = b.factory.blank_state(addr=addr)
start_state.stack_push(0x0)
with hook0(b):
cfg = b.analyses.CFGEmulated(fail_fast=True,
starts=[addr],
initial_state=start_state,
context_sensitivity_level=2,
keep_state=True,
call_depth=100,
normalize=True)
plot_cfg(cfg,
"%s_cfg" % (name),
asminst=True,
vexinst=False,
debug_info=False,
remove_imports=True,
remove_path_terminator=True,
color_depth=True)
def test_angr_plot_graph(request):
file_id, file_name, func_addr = ReqParams.many(request, ['file_id', 'file_name', 'func_addr.hex'])
if len(file_id) == 0:
if len(file_name) == 0:
return sys_app_err_p('INVALID_REQ_PARAM', 'file_id 或 file_name 必填其一')
file_path = os.path.join(MyPath.samples(), file_name)
project = angr.Project(file_path, load_options={'auto_load_libs': False})
start_state = project.factory.blank_state(addr=func_addr)
start_state.stack_push(0x0)
with hook0(project):
cfg = project.analyses.CFGEmulated(fail_fast=True, starts=[func_addr], initial_state=start_state,
context_sensitivity_level=2, keep_state=True, call_depth=100, normalize=True)
graph_file = os.path.join(MyPath.temporary(), StrUtils.uuid_str())
plot_cfg(cfg, graph_file, asminst=True, vexinst=False, func_addr={func_addr: True},
debug_info=False, remove_imports=True, remove_path_terminator=True)
else:
func_parse = FunctionParse(file_id, func_addr)
content = func_parse.cfg_graph()
return sys_app_ok()
def analyze(b, addr, name=None):
start_state = b.factory.blank_state(addr=addr)
start_state.stack_push(0x0)
with hook0(b):
cfg = b.analyses.CFGEmulated(fail_fast=True,
starts=[addr],
initial_state=start_state,
context_sensitivity_level=2,
keep_state=True,
call_depth=100,
normalize=True)
for func in b.kb.functions.values():
if func.is_simprocedure:
continue
ri = b.analyses.RegionIdentifier(func)
plot_func_graph(b,
func.transition_graph,
"%s" % (func.name),
asminst=True,
vexinst=False,
structure=ri.region,
color_depth=True)
def analyze(b, addr, name=None):
start_state = b.factory.blank_state(addr=addr)
start_state.stack_push(0x0)
with hook0(b):
cfg = b.analyses.CFGEmulated(fail_fast=True,
starts=[addr],
initial_state=start_state,
context_sensitivity_level=5,
keep_state=True,
call_depth=100,
normalize=True)
plot_cfg(cfg,
"%s_cfg" % (name),
asminst=True,
vexinst=False,
debug_info=False,
remove_imports=False,
remove_path_terminator=False)
start_state = b.factory.blank_state(
addr=addr,
add_options={angr.sim_options.CONSERVATIVE_READ_STRATEGY}
| angr.sim_options.resilience_options)
start_state.stack_push(0x0)
simgr = b.factory.simgr(start_state)
simgr.use_technique(NormalizedSteps(cfg))
def check_loops(state):
last = state.history.bbl_addrs[-1]
c = 0
for p in state.history.bbl_addrs:
if p == last:
c += 1
return c > 1
def step_func(lsimgr):
lsimgr.stash(filter_func=check_loops,
from_stash='active',
to_stash='looping')
lsimgr.stash(filter_func=lambda state: state.addr == 0,
from_stash='active',
to_stash='found')
print(lsimgr)
return lsimgr
simgr.run(step_func=step_func,
until=lambda lsimgr: len(lsimgr.active) == 0,
n=100)
for stash in simgr.stashes:
c = 0
for state in simgr.stashes[stash]:
plot_cfg(cfg,
"%s_cfg_%s_%d" % (name, stash, c),
state=state,
asminst=True,
vexinst=False,
debug_info=False,
remove_imports=True,
remove_path_terminator=True)
c += 1