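def main():
    """Command-line entry point: build a ``Manticore`` from the parsed
    arguments, apply every option the user supplied, and run it.

    ``args.programs[0]`` is the target binary; any further positional
    programs are handed to it as its argument vector. Options whose parsed
    value is falsy (``None``, ``''`` or ``0``) are not applied, so the
    Manticore object's own defaults stay in force for them.
    """
    args = parse_arguments()

    m = Manticore(args.programs[0], args.programs[1:])

    m.policy = args.policy
    m.args = args

    if args.data:
        m.concrete_data = args.data

    if args.workspace:
        m.workspace = args.workspace

    if args.profile:
        m.should_profile = args.profile

    # The integer limits use 0 as "not given" so Manticore's defaults apply.
    if args.dumpafter != 0:
        m.dumpafter = args.dumpafter

    if args.maxstorage != 0:
        m.maxstorage = args.maxstorage

    if args.maxstates != 0:
        m.maxstates = args.maxstates

    if args.coverage:
        m.coverage_file = args.coverage

    if args.names is not None:
        m.apply_model_hooks(args.names)

    if args.env:
        # presumably argparse collects each --env as a one-element list
        # (hence entry[0]); verify against parse_arguments().
        for entry in args.env:
            # Split on the first '=' only, so a value that itself contains
            # '=' (e.g. base64 data) is kept whole instead of failing the
            # unpack. An entry with no '=' at all still raises ValueError.
            name, val = entry[0].split('=', 1)
            m.env_add(name, val)

    if args.files:
        for path in args.files:
            m.add_symbolic_file(path)

    if args.assertions:
        m.load_assertions(args.assertions)

    m.verbosity = args.v

    m.run(args.procs, args.timeout)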
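# Load address the ``call`` offsets are relative to. Override with ``base=``
# on mcore_calloc() if the target is mapped elsewhere.
_DEFAULT_BASE = 0x555555554000


def _run_calloc_pass(filename, call, seed, base, label, constrain, verbosity=None):
    """Explore ``filename`` once and report the first ``calloc`` arguments
    that satisfy ``constrain``.

    Args:
        filename: binary handed to ``Manticore``.
        call: offset of the hooked ``calloc`` call site, relative to ``base``.
        seed: concrete input data to start from; a falsy value leaves the
            Manticore default in place.
        base: load address added to ``call`` to form the hook address.
        label: size-class name printed in the report line.
        constrain: callable ``constrain(state, cpu)`` that adds this pass's
            size-class constraints to ``state``.
        verbosity: Manticore verbosity for this pass, or ``None`` to leave
            the default.

    Side effects: prints one report line, appends ``call`` to the
    module-level ``fastbins`` list (defined elsewhere in this file) and
    stops the exploration through ``m.terminate()`` as soon as the hook
    fires.
    """
    m = Manticore(filename)
    if seed:
        m.concrete_data = seed

    @m.hook(base + call)
    def calloc_hook(state):
        cpu = state.cpu
        constrain(state, cpu)

        # Ask the solver for one concrete (nmemb, size) pair that fits the
        # constraints just added.
        rdi = state.solve_one(cpu.read_register("RDI"))
        rsi = state.solve_one(cpu.read_register("RSI"))

        print("%s with calloc(%d, %d)" % (label, rdi, rsi))
        fastbins.append(call)
        m.terminate()

    if verbosity is not None:
        m.verbosity = verbosity
    m.workers = 8
    m.run()


def mcore_calloc(filename, call, seed=None, base=_DEFAULT_BASE):
    """Run one symbolic pass per allocator size class (fast, small, large
    and the mmap-sized range) against the ``calloc`` call at ``base + call``.

    Args:
        filename: binary to explore.
        call: offset of the ``calloc`` call site relative to ``base``.
        seed: optional concrete input to seed every pass with.
        base: load address; defaults to ``_DEFAULT_BASE``.

    Each pass prints the first satisfying ``calloc(nmemb, size)`` pair and
    records ``call`` in the module-level ``fastbins`` list. All four passes
    run and the function returns normally, so the caller can inspect
    ``fastbins`` afterwards.

    NOTE(review): ``cpu.RDI * cpu.RSI`` is a fixed-width bit-vector
    multiply, so a product that wraps around can also satisfy the bounds
    below -- confirm whether an explicit no-overflow constraint is wanted.
    """
    def fastbin(state, cpu):
        state.add(cpu.RDI * cpu.RSI <= 0x80)

    def smallbin(state, cpu):
        state.add(cpu.RSI >= 0x80)
        state.add(cpu.RSI <= 0x400)

    def largebin(state, cpu):
        state.add(cpu.RSI >= 0x400)
        state.add(cpu.RSI <= 0x4000)

    def mmapbin(state, cpu):
        state.add(cpu.RDI * cpu.RSI >= 0x400)
        state.add(cpu.RDI * cpu.RSI <= 0x4000)

    # (label, constraint builder, verbosity); only the small-bin pass runs
    # with verbose Manticore logging.
    passes = (
        ("Fastbin", fastbin, None),
        ("Smallbins", smallbin, 2),
        ("Largebins", largebin, None),
        ("MMAPbins", mmapbin, None),
    )
    for label, constrain, verbosity in passes:
        _run_calloc_pass(filename, call, seed, base, label, constrain, verbosity)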
from manticore import Manticore

def fixme():
    """Placeholder for a value the reader must supply; always raises."""
    message = "Fill in the blanks!"
    raise Exception(message)

# Build the Manticore control object around the target binary.
m = Manticore('multiple-styles')

# Stand-in stdin contents; only the length needs to match the real flag.
m.concrete_data = "infiltrate miami!"

# m.context is the dict shared between hooks; the recovered flag builds up
# here one byte at a time.
m.context['solution'] = ''


# Hook the compare instruction that drives the main loop. Its address is the
# first blank to fill in.
@m.hook(fixme())
def solve(state):
    """Recover one flag byte from AL and make the comparison succeed."""
    # AL carries the flag byte with some transform applied; undo it here
    # (second blank).
    flag_byte = state.cpu.AL - fixme()

    so_far = m.context['solution']
    m.context['solution'] = so_far + chr(flag_byte)

    # Third blank: force the comparison to pass (more than one way works).
    fixme()


# Tune as needed.
m.verbosity = 0
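# Load address the ``call`` offsets are relative to. Pass ``base=`` to
# mcore_calloc() if the target is mapped somewhere else.
_DEFAULT_BASE = 0x555555554000


def _explore_size_class(filename, call, seed, base, spec):
    """Run one Manticore exploration of ``filename`` and report the first
    ``calloc`` argument pair that falls into the size class in ``spec``.

    Args:
        filename: binary handed to ``Manticore``.
        call: offset of the hooked ``calloc`` call site, relative to ``base``.
        seed: concrete input data to start from; falsy leaves the default.
        base: load address added to ``call`` to form the hook address.
        spec: tuple ``(label, lower, upper, on_product, verbosity)`` --
            ``label`` is printed in the report line; ``lower``/``upper``
            bound the constrained expression (``lower`` may be ``None``);
            ``on_product`` selects ``RDI * RSI`` (True) or ``RSI`` alone;
            ``verbosity`` sets Manticore's verbosity when not ``None``.

    Side effects: prints one report line, appends ``call`` to the
    module-level ``fastbins`` list (defined elsewhere in this file) and
    stops the run through ``m.terminate()`` once the hook fires.
    """
    label, lower, upper, on_product, verbosity = spec

    m = Manticore(filename)
    if seed:
        m.concrete_data = seed

    @m.hook(base + call)
    def calloc_hook(state):
        cpu = state.cpu
        # NOTE(review): the product is a fixed-width bit-vector multiply, so
        # a wrapped (overflowed) product can also satisfy these bounds --
        # confirm whether an explicit no-overflow constraint is wanted.
        expr = cpu.RDI * cpu.RSI if on_product else cpu.RSI
        if lower is not None:
            state.add(expr >= lower)
        state.add(expr <= upper)

        # One concrete (nmemb, size) pair that satisfies the constraints.
        rdi = state.solve_one(cpu.read_register("RDI"))
        rsi = state.solve_one(cpu.read_register("RSI"))

        print("%s with calloc(%d, %d)" % (label, rdi, rsi))
        fastbins.append(call)
        m.terminate()

    if verbosity is not None:
        m.verbosity = verbosity
    m.workers = 8
    m.run()


def mcore_calloc(filename, call, seed=None, base=_DEFAULT_BASE):
    """Probe the ``calloc`` call at ``base + call`` once per allocator size
    class (fast, small, large and the mmap-sized range).

    Args:
        filename: binary to explore.
        call: offset of the ``calloc`` call site relative to ``base``.
        seed: optional concrete input used to seed every pass.
        base: load address; defaults to ``_DEFAULT_BASE``.

    Each pass prints the first satisfying ``calloc(nmemb, size)`` pair and
    records ``call`` in the module-level ``fastbins`` list. All four passes
    run and the function returns normally so the caller can read
    ``fastbins`` afterwards.
    """
    # (label, lower, upper, on_product, verbosity). Only the small-bin pass
    # runs with verbose Manticore logging.
    size_classes = (
        ("Fastbin", None, 0x80, True, None),
        ("Smallbins", 0x80, 0x400, False, 2),
        ("Largebins", 0x400, 0x4000, False, None),
        ("MMAPbins", 0x400, 0x4000, True, None),
    )
    for spec in size_classes:
        _explore_size_class(filename, call, seed, base, spec)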
from manticore import Manticore

def fixme():
    """Marker for a blank the reader has to fill in; calling it always raises."""
    raise Exception("%s" % "Fill in the blanks!")

# Manticore control object for the target binary.
m = Manticore('multiple-styles')

# Fake stdin; anything the same length as the real flag will do.
m.concrete_data = "infiltrate miami!"

# Hooks share state through m.context; the flag is assembled under this key.
m.context['solution'] = ''


# Hook the compare instruction that controls the main loop -- finding its
# address is the first blank.
@m.hook(fixme())
def solve(state):
    """Pull one flag byte out of AL, append it, and force the compare to pass."""
    # AL is related to the flag byte at this point; the second blank undoes
    # whatever transform was applied.
    flag_byte = state.cpu.AL - fixme()

    pieces = [m.context['solution'], chr(flag_byte)]
    m.context['solution'] = ''.join(pieces)

    # Third blank: make the comparison succeed (several approaches work).
    fixme()


# Adjust as needed.
m.verbosity = 0