Example #1
0
    def static_exits(self, blocks):
        # Execute those blocks with a blank state, and then dump the arguments
        blank_state = angr.SimState(project=self.project, mode="fastpath")
        # set up the stack pointer
        blank_state.regs.sp = 0x7fffffff

        # Execute each block
        state = blank_state
        for b in blocks:
            # state.regs.ip = next(iter(stmt for stmt in b.statements if isinstance(stmt, pyvex.IRStmt.IMark))).addr
            irsb = angr.SimEngineVEX().process(state, b,
                    force_addr=next(iter(stmt for stmt in b.statements if isinstance(stmt, pyvex.IRStmt.IMark))).addr)
            if irsb.successors:
                state = irsb.successors[0]
            else:
                break

        cc = angr.DEFAULT_CC[self.arch.name](self.arch)
        args = [ cc.arg(state, _) for _ in xrange(5) ]
        main, _, _, init, fini = self._extract_args(blank_state, *args)

        all_exits = [
            (init, 'Ijk_Call'),
            (main, 'Ijk_Call'),
            (fini, 'Ijk_Call'),
        ]

        return all_exits
Example #2
0
    def static_exits(self, blocks):
        # Execute those blocks with a blank state, and then dump the arguments
        blank_state = angr.SimState(project=self.project, mode="fastpath")

        # Execute each block
        state = blank_state
        for b in blocks:
            irsb = angr.SimEngineVEX().process(
                state,
                b,
                force_addr=next(
                    iter(stmt for stmt in b.statements
                         if isinstance(stmt, pyvex.IRStmt.IMark))).addr)
            if irsb.successors:
                state = irsb.successors[0]
            else:
                break

        cc = angr.DEFAULT_CC[self.arch.name](self.arch)
        callfunc = cc.arg(state, 2)
        retaddr = state.memory.load(state.regs.sp, self.arch.bytes)

        all_exits = [(callfunc, 'Ijk_Call'), (retaddr, 'Ijk_Ret')]

        return all_exits
Example #3
0
    def __init__(self):
        self.engine = angr.SimEngineVEX()

        self.add_options = {
            angr.options.INITIALIZE_ZERO_REGISTERS,
            angr.options.CONCRETIZE,
        }
Example #4
0
def excption_0():
    import claripy

    ins_code = "mov eax,-1 ; test eax,eax"
    address = 0x76fcbcfe

    encoding = pwn.asm(ins_code)
    count = len(encoding)
    print((str(encoding)))
    print(count)

    add_options = {angr.options.NO_SYMBOLIC_SYSCALL_RESOLUTION,
                   angr.options.LAZY_SOLVES,
                   angr.options.INITIALIZE_ZERO_REGISTERS,
                   angr.options.SIMPLIFY_REGISTER_WRITES,
                   angr.options.SIMPLIFY_MEMORY_WRITES,
                   # angr.options.CONCRETIZE,
                   # angr.options.FAST_MEMORY
                   }

    bc_arr = ""
    bc_arr = encoding

    irsb = pyvex.IRSB(bc_arr, 0x76fcbcfe, archinfo.ArchX86(), len(bc_arr))

    state = SimState(arch='X86', add_options=add_options)
    state.regs.eax = 0x5a4d
    state.regs.esi = 0x753e0001
    state.regs.esp = 0x12f8c0
    state.regs.eip = 0x76fcbcfe

    taint_len = 0x8000
    # taint_len = 0xd4000

    state.memory.store(0x753e0000, claripy.BVS(
        "TAINT_MapView", taint_len * 8), endness="Iend_LE")

    engine = angr.SimEngineVEX()

    irsb.pp()
    engine.process(state, irsb, inline=True)
Example #5
0
# Athens 2019, Figure 2.
# addi r3, r3, 0x1
# put X in r3, execute, find X+1 in r3

import angr
import pyvex
import archinfo
import claripy

import pdb

arch = archinfo.ArchPPC32(archinfo.Endness.BE)
s = angr.SimState(arch=arch, mode="symbolic")

x = s.solver.BVS('X', 32, explicit_name=True)

code = bytes(bytearray.fromhex("38630001"))  # addi

irsb = pyvex.IRSB(code, 0x100, arch, opt_level=0)
irsb.pp()

s.regs.r3 = x

result = angr.SimEngineVEX().process(s, irsb).flat_successors[0]

r3 = result.regs.r3
result.regs.__dir__()
print "*************************"
print r3