Python BitVec Examples

Example #1

    def evalvalue(_state):
        addr=_state.rdi
        _state.solver.push()
        for i,v in enumerate(c):
            val=_state.mem_r(addr+i,1)
            if(type(val)==int):
                print(val)
                if(val!=v):
                    return Death
            else:
                _state.solver.add(val==v)
        if (_state.solver.check()==z3.sat):
            m=_state.solver.model()
            print("success    ")

            for a in args:
                k = z3.BitVec(a, 64, state.ctx)
                de.append(m.eval(k).as_long())
            _state.solver.pop()
            return Death
        else:
            print("faild    ")
            _state.solver.pop()
            return Death

Example #2

File: fight.py Project: UUUUnotfound/TriggerBug

import TriggerBug
import TriggerBug.z3 as z3

top_state = TriggerBug.TopState(
    file_name=r'./fight.xml',
    need_record=True,
    # 在需要合并(compress)state时，必须要保证被compress 的state对象的need_record=True，否则会报错，因为need_record=False的state是不会记录子state生命周期中所产生的修改,继而无法合并
    oep=0,
    Ijk_unsupport_call=
    None,  # if set,Ir jump kind call what I not support will call this func
    Ijk_hook_call=None  # if set, all the Ir jump kind call will call this func
)
flag = []

for i in range(420):
    k = z3.BitVec("C%d" % i, 32, top_state.ctx)
    flag.append(k)
    top_state.add(z3.ULE(k, 4), True)
    top_state.mem_w(0x0BE33D4 + i * 4, k, 4)


def evalvalue(_state=TriggerBug.State):
    global flag
    # for i in range(7):
    #     _state.add(_state.mem_r(_state.rdx + i*4, 4)== _state.mem_r(_state.rcx + i*4, 4), True)
    print("check")
    if _state.solver.check() == z3.sat:
        m = _state.solver.model()
        data = 0
        for i in flag:
            flagv = None

Example #3

File: confused.py Project: UUUUnotfound/TriggerBug

import ctypes
import TriggerBug
import TriggerBug.z3 as z3

top_state = TriggerBug.TopState(
    file_name=r'./confused.xml',
    need_record=True,
    # 在需要合并(compress)state时，必须要保证被compress 的state对象的need_record=True，否则会报错，因为need_record=False的state是不会记录子state生命周期中所产生的修改,继而无法合并
    oep=0,
    Ijk_unsupport_call=
    None,  # if set,Ir jump kind call what I not support will call this func
    Ijk_hook_call=None  # if set, all the Ir jump kind call will call this func
)
flag = []
for i in range(24):
    k = z3.BitVec("flag%d" % i, 8, top_state.ctx)
    flag.append(k)
    #top_state.add(z3.And(z3.UGT(k, 5), z3.ULE(k, 128), top_state.ctx), True)
    top_state.mem_w(top_state.ebp - 0x60 + i, k, 1)

top_state.mem_w(top_state.rbp - 0x60 + 24, 0, 1)


def evalvalue(_state=TriggerBug.State):
    global flag
    for i in range(7):
        _state.add(
            _state.mem_r(_state.rdx + i * 4,
                         4) == _state.mem_r(_state.rcx + i * 4, 4), True)
    print("check")
    if _state.solver.check() == z3.sat: