def test_memset():
l.info("concrete src, concrete dst, concrete len")
s = SimState(arch="PPC32", mode="symbolic")
dst = s.solver.BVV(0, 128)
dst_addr = s.solver.BVV(0x1000, 32)
char = s.solver.BVV(0x00000041, 32)
char2 = s.solver.BVV(0x50505050, 32)
length = s.solver.BVS("some_length", 32)
s.memory.store(dst_addr, dst)
memset(s, arguments=[dst_addr, char, s.solver.BVV(3, 32)])
assert s.solver.eval(s.memory.load(dst_addr, 4)) == 0x41414100
l.debug("Symbolic length")
s = SimState(arch="PPC32", mode="symbolic")
s.memory.store(dst_addr, dst)
length = s.solver.BVS("some_length", 32)
s.add_constraints(length < 10)
memset(s, arguments=[dst_addr, char2, length])
l.debug("Trying 2")
s_two = s.copy()
s_two.add_constraints(length == 2)
assert s_two.solver.eval(s_two.memory.load(dst_addr, 4)) == 0x50500000
l.debug("Trying 0")
s_zero = s.copy()
s_zero.add_constraints(length == 0)
assert s_zero.solver.eval(s_zero.memory.load(dst_addr, 4)) == 0x00000000
l.debug("Trying 5")
s_five = s.copy()
s_five.add_constraints(length == 5)
assert s_five.solver.eval(s_five.memory.load(dst_addr, 6)) == 0x505050505000
def test_strcpy():
l.info("concrete src, concrete dst")
l.debug("... full copy")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414100, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVV(0x42420000, 32)
src_addr = s.solver.BVV(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
strcpy(s, arguments=[dst_addr, src_addr])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_equal(s.solver.eval(new_dst, cast_to=bytes),
b"BB\x00\x00")
l.info("symbolic src, concrete dst")
dst = s.solver.BVV(0x41414100, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVS("src", 32)
src_addr = s.solver.BVV(0x2000, 64)
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
ln = strlen(s, arguments=[src_addr])
strcpy(s, arguments=[dst_addr, src_addr])
cm = strcmp(s, arguments=[dst_addr, src_addr])
s.add_constraints(cm == 0)
s.add_constraints(ln == 15)
def test_symbolic_write():
s = SimState(arch='AMD64', add_options={o.SYMBOLIC_WRITE_ADDRESSES})
x = s.se.BVS('x', 64)
y = s.se.BVS('y', 64)
a = s.se.BVV('A' * 0x10)
b = s.se.BVV('B')
c = s.se.BVV('C')
d = s.se.BVV('D')
s.memory.store(0x10, a)
s.add_constraints(x >= 0x10, x < 0x20)
s.memory.store(x, b)
for i in range(0x10, 0x20):
assert len(s.se.any_n_int(s.memory.load(i, 1), 10)) == 2
s.memory.store(x, c)
for i in range(0x10, 0x20):
assert len(s.se.any_n_int(s.memory.load(i, 1), 10)) == 2
s2 = s.copy()
s2.add_constraints(y >= 0x10, y < 0x20)
s2.memory.store(y, d)
for i in range(0x10, 0x20):
assert len(s2.se.any_n_int(s2.memory.load(i, 1), 10)) == 3
def test_symbolic_write():
s = SimState(arch='AMD64', add_options={o.SYMBOLIC_WRITE_ADDRESSES})
x = s.solver.BVS('x', 64)
y = s.solver.BVS('y', 64)
a = s.solver.BVV(b'A'*0x10)
b = s.solver.BVV(b'B')
c = s.solver.BVV(b'C')
d = s.solver.BVV(b'D')
s.memory.store(0x10, a)
s.add_constraints(x >= 0x10, x < 0x20)
s.memory.store(x, b)
for i in range(0x10, 0x20):
assert len(s.solver.eval_upto(s.memory.load(i, 1), 10)) == 2
s.memory.store(x, c)
for i in range(0x10, 0x20):
assert len(s.solver.eval_upto(s.memory.load(i, 1), 10)) == 2
s2 = s.copy()
s2.add_constraints(y >= 0x10, y < 0x20)
s2.memory.store(y, d)
for i in range(0x10, 0x20):
assert len(s2.solver.eval_upto(s2.memory.load(i, 1), 10)) == 3
def concretize_ip(self, state: SimState) -> None:
assert self.instruction is not None
ip = self.instruction.ip
if state.scratch.target.symbolic:
state.ip = ip
state.add_constraints(state.scratch.target == ip, action=True)
# avoid evaluation of symbolic target
state.scratch.target = ip
def test_state_merge_3way():
a = SimState(arch='AMD64', mode='symbolic')
b = a.copy()
c = a.copy()
conds = [ a.solver.BoolS('cond_0'), a.solver.BoolS('cond_1') ]
a.add_constraints(conds[0])
b.add_constraints(a.solver.Not(conds[0]), conds[1])
c.add_constraints(a.solver.Not(conds[0]), a.solver.Not(conds[1]))
a.memory.store(0x400000, a.solver.BVV(8, 32))
b.memory.store(0x400000, b.solver.BVV(9, 32))
c.memory.store(0x400000, c.solver.BVV(10, 32))
m, _, _ = a.merge(b)
m, _, _ = m.merge(c)
assert m.satisfiable(extra_constraints=(m.memory.load(0x400000, 4) == 8,))
assert m.satisfiable(extra_constraints=(m.memory.load(0x400000, 4) == 9,))
assert m.satisfiable(extra_constraints=(m.memory.load(0x400000, 4) == 10,))
def test_state_merge_3way():
a = SimState(arch='AMD64', mode='symbolic')
b = a.copy()
c = a.copy()
conds = [ a.solver.BoolS('cond_0'), a.solver.BoolS('cond_1') ]
a.add_constraints(conds[0])
b.add_constraints(a.solver.Not(conds[0]), conds[1])
c.add_constraints(a.solver.Not(conds[0]), a.solver.Not(conds[1]))
a.memory.store(0x400000, a.solver.BVV(8, 32))
b.memory.store(0x400000, b.solver.BVV(9, 32))
c.memory.store(0x400000, c.solver.BVV(10, 32))
m, _, _ = a.merge(b)
m, _, _ = m.merge(c)
assert m.satisfiable(extra_constraints=(m.memory.load(0x400000, 4) == 8,))
assert m.satisfiable(extra_constraints=(m.memory.load(0x400000, 4) == 9,))
assert m.satisfiable(extra_constraints=(m.memory.load(0x400000, 4) == 10,))
def test_strstr_inconsistency():
l.info("symbolic haystack, symbolic needle")
s = SimState(arch="AMD64", mode="symbolic")
s.libc.buf_symbolic_bytes = 2
addr_haystack = s.solver.BVV(0x10, 64)
addr_needle = s.solver.BVV(0xb0, 64)
#len_needle = strlen(s, inline=True, arguments=[addr_needle])
ss_res = strstr(s, arguments=[addr_haystack, addr_needle])
#slh_res = strlen(s, inline=True, arguments=[addr_haystack])
#sln_res = strlen(s, inline=True, arguments=[addr_needle])
#print "LENH:", s.solver.eval_upto(slh_res, 100)
#print "LENN:", s.solver.eval_upto(sln_res, 100)
assert not s.solver.unique(ss_res)
assert sorted(s.solver.eval_upto(ss_res, 100)) == [0] + list(range(0x10, 0x10 + s.libc.buf_symbolic_bytes - 1))
s.add_constraints(ss_res != 0)
ss2 = strstr(s, arguments=[addr_haystack, addr_needle])
s.add_constraints(ss2 == 0)
assert not s.satisfiable()
def test_strstr_inconsistency():
l.info("symbolic haystack, symbolic needle")
s = SimState(arch="AMD64", mode="symbolic")
s.libc.buf_symbolic_bytes = 2
addr_haystack = s.solver.BVV(0x10, 64)
addr_needle = s.solver.BVV(0xb0, 64)
#len_needle = strlen(s, inline=True, arguments=[addr_needle])
ss_res = strstr(s, arguments=[addr_haystack, addr_needle])
#slh_res = strlen(s, inline=True, arguments=[addr_haystack])
#sln_res = strlen(s, inline=True, arguments=[addr_needle])
#print "LENH:", s.solver.eval_upto(slh_res, 100)
#print "LENN:", s.solver.eval_upto(sln_res, 100)
nose.tools.assert_false(s.solver.unique(ss_res))
nose.tools.assert_sequence_equal(sorted(s.solver.eval_upto(ss_res, 100)), [0] + list(range(0x10, 0x10 + s.libc.buf_symbolic_bytes - 1)))
s.add_constraints(ss_res != 0)
ss2 = strstr(s, arguments=[addr_haystack, addr_needle])
s.add_constraints(ss2 == 0)
nose.tools.assert_false(s.satisfiable())
def test_strstr_inconsistency(n=2):
l.info("symbolic haystack, symbolic needle")
s = SimState(arch="AMD64", mode="symbolic")
s.libc.buf_symbolic_bytes = n
addr_haystack = s.se.BVV(0x10, 64)
addr_needle = s.se.BVV(0xb0, 64)
#len_needle = strlen(s, inline=True, arguments=[addr_needle])
ss_res = strstr(s, arguments=[addr_haystack, addr_needle]).ret_expr
#slh_res = strlen(s, inline=True, arguments=[addr_haystack]).ret_expr
#sln_res = strlen(s, inline=True, arguments=[addr_needle]).ret_expr
#print "LENH:", s.se.any_n_int(slh_res, 100)
#print "LENN:", s.se.any_n_int(sln_res, 100)
nose.tools.assert_false(s.se.unique(ss_res))
nose.tools.assert_items_equal(s.se.any_n_int(
ss_res, 100), [0] + range(0x10, 0x10 + s.libc.buf_symbolic_bytes - 1))
s.add_constraints(ss_res != 0)
ss2 = strstr(s, arguments=[addr_haystack, addr_needle]).ret_expr
s.add_constraints(ss2 == 0)
nose.tools.assert_false(s.satisfiable())
def test_strcpy():
l.info("concrete src, concrete dst")
l.debug("... full copy")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414100, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVV(0x42420000, 32)
src_addr = s.solver.BVV(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
strcpy(s, arguments=[dst_addr, src_addr])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_equal(s.solver.eval(new_dst, cast_to=bytes), b"BB\x00\x00")
l.info("symbolic src, concrete dst")
dst = s.solver.BVV(0x41414100, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVS("src", 32)
src_addr = s.solver.BVV(0x2000, 64)
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
ln = strlen(s, arguments=[src_addr])
strcpy(s, arguments=[dst_addr, src_addr])
cm = strcmp(s, arguments=[dst_addr, src_addr])
s.add_constraints(cm == 0)
s.add_constraints(ln == 15)
def test_copy():
s = SimState(arch="AMD64")
s.memory.store(0x100, "ABCDEFGHIJKLMNOP")
s.memory.store(0x200, "XXXXXXXXXXXXXXXX")
x = s.se.BVS('size', s.arch.bits)
s.add_constraints(s.se.ULT(x, 10))
s.memory.copy_contents(0x200, 0x100, x)
nose.tools.assert_equals(sorted(s.se.any_n_int(x, 100)), range(10))
result = s.memory.load(0x200, 5)
nose.tools.assert_equals(sorted(s.se.any_n_str(
result, 100)), ["ABCDE", "ABCDX", "ABCXX", "ABXXX", "AXXXX", "XXXXX"])
nose.tools.assert_equals(
sorted(s.se.any_n_str(result, 100, extra_constraints=[x == 3])),
["ABCXX"])
s = SimState(arch="AMD64")
s.posix.write(0, "ABCDEFGHIJKLMNOP", len("ABCDEFGHIJKLMNOP"))
s.posix.set_pos(0, 0)
s.memory.store(0x200, "XXXXXXXXXXXXXXXX")
x = s.se.BVS('size', s.arch.bits)
s.add_constraints(s.se.ULT(x, 10))
s.posix.read(0, 0x200, x)
nose.tools.assert_equals(sorted(s.se.any_n_int(x, 100)), range(10))
result = s.memory.load(0x200, 5)
nose.tools.assert_equals(sorted(s.se.any_n_str(
result, 100)), ["ABCDE", "ABCDX", "ABCXX", "ABXXX", "AXXXX", "XXXXX"])
nose.tools.assert_equals(
sorted(s.se.any_n_str(result, 100, extra_constraints=[x == 3])),
["ABCXX"])
s = SimState(arch="AMD64")
s.posix.write(0, "ABCDEFGHIJKLMNOP", len("ABCDEFGHIJKLMNOP"))
s.posix.set_pos(0, 0)
s.memory.store(0x200, "XXXXXXXXXXXXXXXX")
x = s.se.BVS('size', s.arch.bits)
s.add_constraints(s.se.ULT(x, 10))
read_proc = SIM_PROCEDURES['posix']['read']()
ret_x = read_proc.execute(s, arguments=(0, 0x200, x)).ret_expr
nose.tools.assert_equals(sorted(s.se.any_n_int(x, 100)), range(10))
result = s.memory.load(0x200, 5)
nose.tools.assert_equals(sorted(s.se.any_n_str(
result, 100)), ["ABCDE", "ABCDX", "ABCXX", "ABXXX", "AXXXX", "XXXXX"])
nose.tools.assert_equals(
sorted(s.se.any_n_str(result, 100, extra_constraints=[x == 3])),
["ABCXX"])
nose.tools.assert_equals(sorted(s.se.any_n_int(ret_x, 100)), range(10))
nose.tools.assert_equals(
sorted(s.se.any_n_str(result, 100, extra_constraints=[ret_x == 3])),
["ABCXX"])
def test_copy():
s = SimState(arch="AMD64")
s.memory.store(0x100, b"ABCDEFGHIJKLMNOP")
s.memory.store(0x200, b"XXXXXXXXXXXXXXXX")
x = s.solver.BVS('size', s.arch.bits)
s.add_constraints(s.solver.ULT(x, 10))
s.memory.copy_contents(0x200, 0x100, x)
nose.tools.assert_equal(sorted(s.solver.eval_upto(x, 100)), list(range(10)))
result = s.memory.load(0x200, 5)
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes)), [ b"ABCDE", b"ABCDX", b"ABCXX", b"ABXXX", b"AXXXX", b"XXXXX" ])
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[x==3])), [ b"ABCXX" ])
s = SimState(arch="AMD64")
s.register_plugin('posix', SimSystemPosix(stdin=SimFile(name='stdin', content=b'ABCDEFGHIJKLMNOP', has_end=True)))
s.memory.store(0x200, b"XXXXXXXXXXXXXXXX")
x = s.solver.BVS('size', s.arch.bits)
s.add_constraints(s.solver.ULT(x, 10))
s.posix.get_fd(0).read(0x200, x)
nose.tools.assert_equal(sorted(s.solver.eval_upto(x, 100)), list(range(10)))
result = s.memory.load(0x200, 5)
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes)), [ b"ABCDE", b"ABCDX", b"ABCXX", b"ABXXX", b"AXXXX", b"XXXXX" ])
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[x==3])), [ b"ABCXX" ])
s = SimState(arch="AMD64")
s.register_plugin('posix', SimSystemPosix(stdin=SimFile(name='stdin', content=b'ABCDEFGHIJKLMNOP')))
s.memory.store(0x200, b"XXXXXXXXXXXXXXXX")
x = s.solver.BVS('size', s.arch.bits)
s.add_constraints(s.solver.ULT(x, 10))
read_proc = SIM_PROCEDURES['posix']['read']()
ret_x = read_proc.execute(s, arguments=(0, 0x200, x)).ret_expr
nose.tools.assert_equal(sorted(s.solver.eval_upto(x, 100)), list(range(10)))
result = s.memory.load(0x200, 5)
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes)), [ b"ABCDE", b"ABCDX", b"ABCXX", b"ABXXX", b"AXXXX", b"XXXXX" ])
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[x==3])), [ b"ABCXX" ])
nose.tools.assert_equal(sorted(s.solver.eval_upto(ret_x, 100)), list(range(10)))
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[ret_x==3])), [ b"ABCXX" ])
def test_copy():
s = SimState(arch="AMD64")
s.memory.store(0x100, b"ABCDEFGHIJKLMNOP")
s.memory.store(0x200, b"XXXXXXXXXXXXXXXX")
x = s.solver.BVS('size', s.arch.bits)
s.add_constraints(s.solver.ULT(x, 10))
s.memory.copy_contents(0x200, 0x100, x)
nose.tools.assert_equal(sorted(s.solver.eval_upto(x, 100)), list(range(10)))
result = s.memory.load(0x200, 5)
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes)), [ b"ABCDE", b"ABCDX", b"ABCXX", b"ABXXX", b"AXXXX", b"XXXXX" ])
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[x==3])), [ b"ABCXX" ])
s = SimState(arch="AMD64")
s.register_plugin('posix', SimSystemPosix(stdin=SimFile(name='stdin', content=b'ABCDEFGHIJKLMNOP', has_end=True)))
s.memory.store(0x200, b"XXXXXXXXXXXXXXXX")
x = s.solver.BVS('size', s.arch.bits)
s.add_constraints(s.solver.ULT(x, 10))
s.posix.get_fd(0).read(0x200, x)
nose.tools.assert_equal(sorted(s.solver.eval_upto(x, 100)), list(range(10)))
result = s.memory.load(0x200, 5)
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes)), [ b"ABCDE", b"ABCDX", b"ABCXX", b"ABXXX", b"AXXXX", b"XXXXX" ])
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[x==3])), [ b"ABCXX" ])
s = SimState(arch="AMD64")
s.register_plugin('posix', SimSystemPosix(stdin=SimFile(name='stdin', content=b'ABCDEFGHIJKLMNOP')))
s.memory.store(0x200, b"XXXXXXXXXXXXXXXX")
x = s.solver.BVS('size', s.arch.bits)
s.add_constraints(s.solver.ULT(x, 10))
read_proc = SIM_PROCEDURES['posix']['read']()
ret_x = read_proc.execute(s, arguments=(0, 0x200, x)).ret_expr
nose.tools.assert_equal(sorted(s.solver.eval_upto(x, 100)), list(range(10)))
result = s.memory.load(0x200, 5)
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes)), [ b"ABCDE", b"ABCDX", b"ABCXX", b"ABXXX", b"AXXXX", b"XXXXX" ])
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[x==3])), [ b"ABCXX" ])
nose.tools.assert_equal(sorted(s.solver.eval_upto(ret_x, 100)), list(range(10)))
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[ret_x==3])), [ b"ABCXX" ])
def test_strncpy():
l.info("concrete src, concrete dst, concrete len")
l.debug("... full copy")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414100, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVV(0x42420000, 32)
src_addr = s.solver.BVV(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
strncpy(s, arguments=[dst_addr, src_addr, s.solver.BVV(3, 64)])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_equal(s.solver.eval(new_dst, cast_to=bytes),
b"BB\x00\x00")
l.debug("... partial copy")
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
strncpy(s, arguments=[dst_addr, src_addr, s.solver.BVV(2, 64)])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_equal(s.solver.eval_upto(new_dst, 2, cast_to=bytes),
[b"BBA\x00"])
l.info("symbolic src, concrete dst, concrete len")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414100, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVS("src", 32)
src_addr = s.solver.BVV(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
# make sure it copies it all
s.add_constraints(strlen(s, arguments=[src_addr]) == 2)
# sanity check
s_false = s.copy()
s_false.add_constraints(strlen(s_false, arguments=[src_addr]) == 3)
nose.tools.assert_false(s_false.satisfiable())
strncpy(s, arguments=[dst_addr, src_addr, 3])
nose.tools.assert_true(s.satisfiable())
c = strcmp(s, arguments=[dst_addr, src_addr])
nose.tools.assert_sequence_equal(s.solver.eval_upto(c, 10), [0])
l.info("symbolic src, concrete dst, symbolic len")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414100, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVS("src", 32)
src_addr = s.solver.BVV(0x2000, 64)
maxlen = s.solver.BVS("len", 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
# make sure it copies it all
s.add_constraints(strlen(s, arguments=[src_addr]) == 2)
strncpy(s, arguments=[dst_addr, src_addr, maxlen])
c = strcmp(s, arguments=[dst_addr, src_addr])
s_match = s.copy()
s_match.add_constraints(c == 0)
nose.tools.assert_equal(s_match.solver.min_int(maxlen), 3)
s_nomatch = s.copy()
s_nomatch.add_constraints(c != 0)
nose.tools.assert_equal(s_nomatch.solver.max_int(maxlen), 2)
l.info("concrete src, concrete dst, symbolic len")
l.debug("... full copy")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414100, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVV(0x42420000, 32)
src_addr = s.solver.BVV(0x2000, 64)
maxlen = s.solver.BVS("len", 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
strncpy(s, arguments=[dst_addr, src_addr, maxlen])
r = s.memory.load(dst_addr, 4, endness='Iend_BE')
#print repr(r.solver.eval_upto(r, 10, cast_to=bytes))
nose.tools.assert_sequence_equal(
sorted(s.solver.eval_upto(r, 10, cast_to=bytes)),
[b"AAA\x00", b'BAA\x00', b'BB\x00\x00', b'BBA\x00'])
def test_inline_strncmp():
l.info("symbolic left, symbolic right, symbolic len")
s = SimState(arch="AMD64", mode="symbolic")
left = s.solver.BVS("left", 32)
left_addr = s.solver.BVV(0x1000, 64)
right = s.solver.BVS("right", 32)
right_addr = s.solver.BVV(0x2000, 64)
maxlen = s.solver.BVS("len", 64)
s.memory.store(left_addr, left)
s.memory.store(right_addr, right)
s.add_constraints(strlen(s, arguments=[left_addr]) == 3)
s.add_constraints(strlen(s, arguments=[right_addr]) == 0)
s.add_constraints(maxlen != 0)
c = strncmp(s, arguments=[left_addr, right_addr, maxlen])
s_match = s.copy()
s_match.add_constraints(c == 0)
nose.tools.assert_false(s_match.satisfiable())
#nose.tools.assert_equal(s_match.solver.min_int(maxlen), 3)
s_nomatch = s.copy()
s_nomatch.add_constraints(c != 0)
nose.tools.assert_true(s_nomatch.satisfiable())
#nose.tools.assert_equal(s_nomatch.solver.max_int(maxlen), 2)
l.info("zero-length")
s = SimState(arch="AMD64", mode="symbolic")
left = s.solver.BVS("left", 32)
left_addr = s.solver.BVV(0x1000, 64)
right = s.solver.BVS("right", 32)
right_addr = s.solver.BVV(0x2000, 64)
maxlen = s.solver.BVS("len", 64)
left_len = strlen(s, arguments=[left_addr])
right_len = strlen(s, arguments=[right_addr])
c = strncmp(s, arguments=[left_addr, right_addr, maxlen])
s.add_constraints(right_len == 0)
s.add_constraints(left_len == 0)
#s.add_constraints(c == 0)
s.add_constraints(maxlen == 0)
nose.tools.assert_true(s.satisfiable())
def test_memcpy():
l.info("concrete src, concrete dst, concrete len")
l.debug("... full copy")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414141, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVV(0x42424242, 32)
src_addr = s.solver.BVV(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
memcpy(s, arguments=[dst_addr, src_addr, s.solver.BVV(4, 64)])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_equal(s.solver.eval_upto(new_dst, 2, cast_to=bytes),
[b"BBBB"])
l.info("giant copy")
s = SimState(arch="AMD64",
mode="symbolic",
remove_options=angr.options.simplification)
s.memory._maximum_symbolic_size = 0x2000000
size = s.solver.BVV(0x1000000, 64)
data = s.solver.BVS('giant', 8 * 0x1000000)
dst_addr = s.solver.BVV(0x2000000, 64)
src_addr = s.solver.BVV(0x4000000, 64)
s.memory.store(src_addr, data)
memcpy(s, arguments=[dst_addr, src_addr, size])
nose.tools.assert_is(s.memory.load(dst_addr, size),
s.memory.load(src_addr, size))
l.debug("... partial copy")
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
memcpy(s, arguments=[dst_addr, src_addr, s.solver.BVV(2, 64)])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_equal(s.solver.eval_upto(new_dst, 2, cast_to=bytes),
[b"BBAA"])
l.info("symbolic src, concrete dst, concrete len")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414141, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVS("src", 32)
src_addr = s.solver.BVV(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
# make sure it copies it all
memcpy(s, arguments=[dst_addr, src_addr, s.solver.BVV(4, 64)])
nose.tools.assert_true(s.satisfiable())
s.add_constraints(src != s.memory.load(dst_addr, 4))
nose.tools.assert_false(s.satisfiable())
l.info("symbolic src, concrete dst, symbolic len")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414141, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVS("src", 32)
src_addr = s.solver.BVV(0x2000, 64)
cpylen = s.solver.BVS("len", 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
s.add_constraints(cpylen < 10)
memcpy(s, arguments=[dst_addr, src_addr, cpylen])
result = s.memory.load(dst_addr, 4, endness='Iend_BE')
# make sure it copies it all
s1 = s.copy()
s1.add_constraints(cpylen == 1)
nose.tools.assert_true(s1.solver.unique(s1.memory.load(dst_addr + 1, 3)))
nose.tools.assert_equal(
len(s1.solver.eval_upto(s1.memory.load(dst_addr, 1), 300)), 256)
s2 = s.copy()
s2.add_constraints(cpylen == 2)
nose.tools.assert_equal(len(s2.solver.eval_upto(result[31:24], 300)), 256)
nose.tools.assert_equal(len(s2.solver.eval_upto(result[23:16], 300)), 256)
nose.tools.assert_equal(
s2.solver.eval_upto(result[15:0], 300, cast_to=bytes), [b'AA'])
l.info("concrete src, concrete dst, symbolic len")
dst = s2.solver.BVV(0x41414141, 32)
dst_addr = s2.solver.BVV(0x1000, 64)
src = s2.solver.BVV(0x42424242, 32)
src_addr = s2.solver.BVV(0x2000, 64)
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
cpylen = s.solver.BVS("len", 64)
s.add_constraints(s.solver.ULE(cpylen, 4))
memcpy(s, arguments=[dst_addr, src_addr, cpylen])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_sequence_equal(
sorted(s.solver.eval_upto(new_dst, 300, cast_to=bytes)),
[b'AAAA', b'BAAA', b'BBAA', b'BBBA', b'BBBB'])
def test_memory():
initial_memory = { 0: b'A', 1: b'A', 2: b'A', 3: b'A', 10: b'B' }
s = SimState(arch="AMD64", dict_memory_backer=initial_memory, add_options={o.REVERSE_MEMORY_NAME_MAP, o.REVERSE_MEMORY_HASH_MAP})
_concrete_memory_tests(s)
# concrete address and partially symbolic result
expr = s.memory.load(2, 4)
expr = s.memory.load(2, 4)
expr = s.memory.load(2, 4)
expr = s.memory.load(2, 4)
nose.tools.assert_true(s.solver.symbolic(expr))
nose.tools.assert_false(s.solver.unique(expr))
nose.tools.assert_greater_equal(s.solver.eval(expr), 0x41410000)
nose.tools.assert_less_equal(s.solver.eval(expr), 0x41420000)
nose.tools.assert_equal(s.solver.min_int(expr), 0x41410000)
nose.tools.assert_equal(s.solver.max_int(expr), 0x4141ffff)
# concrete address and concrete result
expr = s.memory.load(0, 4) # Returns: a z3 BVS representing 0x41414141
nose.tools.assert_false(s.solver.symbolic(expr))
nose.tools.assert_equal(s.solver.eval(expr), 0x41414141)
c = s.solver.BVS('condition', 8)
expr = s.memory.load(10, 1, condition=c==1, fallback=s.solver.BVV(b'X'))
nose.tools.assert_equal(s.solver.eval_upto(expr, 10, cast_to=bytes, extra_constraints=[c==1]), [ b'B' ])
nose.tools.assert_equal(s.solver.eval_upto(expr, 10, cast_to=bytes, extra_constraints=[c!=1]), [ b'X' ])
x = s.solver.BVS('ref_test', 16, explicit_name=True)
s.memory.store(0x1000, x)
s.memory.store(0x2000, x)
nose.tools.assert_equal(set(s.memory.addrs_for_name('ref_test')), {0x1000,0x1001,0x2000,0x2001})
nose.tools.assert_equal(set(s.memory.addrs_for_hash(x.cache_key)), {0x1000, 0x1001, 0x2000, 0x2001})
s2 = s.copy()
y = s2.solver.BVS('ref_test2', 16, explicit_name=True)
s2.memory.store(0x2000, y)
assert s2.memory.load(0x2000, 2) is y
assert s.memory.load(0x2000, 2) is x
nose.tools.assert_equal(set(s.memory.addrs_for_name('ref_test')), {0x1000,0x1001,0x2000,0x2001})
nose.tools.assert_equal(set(s.memory.addrs_for_hash(x.cache_key)), {0x1000,0x1001,0x2000,0x2001})
nose.tools.assert_equal(set(s2.memory.addrs_for_name('ref_test')), {0x1000, 0x1001})
nose.tools.assert_equal(set(s2.memory.addrs_for_hash(x.cache_key)), {0x1000, 0x1001})
nose.tools.assert_equal(set(s2.memory.addrs_for_name('ref_test2')), {0x2000, 0x2001})
nose.tools.assert_equal(set(s2.memory.addrs_for_hash(y.cache_key)), {0x2000, 0x2001})
s.memory.store(0x3000, s.solver.BVS('replace_old', 32, explicit_name=True))
s.memory.store(0x3001, s.solver.BVV(b'AB'))
nose.tools.assert_equal(set(s.memory.addrs_for_name('replace_old')), {0x3000, 0x3003})
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(0x3001, 2), 10, cast_to=bytes), [b"AB"])
#n = s.solver.BVS('replace_new', 32, explicit_name=True)
#c = s.solver.BVS('replace_cool', 32, explicit_name=True)
#mo = s.memory.memory_objects_for_name('replace_old')
#nose.tools.assert_equal(len(mo), 1)
#s.memory.replace_memory_object(next(iter(mo)), n)
#nose.tools.assert_equal(set(s.memory.addrs_for_name('replace_old')), set())
#nose.tools.assert_equal(set(s.memory.addrs_for_name('replace_new')), {0x3000, 0x3003})
#nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(0x3001, 2), 10, cast_to=bytes), [b"AB"])
#s.memory.store(0x4000, s.solver.If(n == 0, n+10, n+20))
#nose.tools.assert_equal(set(s.memory.addrs_for_name('replace_new')), {0x3000, 0x3003, 0x4000, 0x4001, 0x4002, 0x4003})
#s.memory.replace_all(n, c)
#nose.tools.assert_equal(set(s.memory.addrs_for_name('replace_old')), set())
#nose.tools.assert_equal(set(s.memory.addrs_for_name('replace_new')), set())
#nose.tools.assert_equal(set(s.memory.addrs_for_name('replace_cool')), {0x3000, 0x3003, 0x4000, 0x4001, 0x4002, 0x4003})
#nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(0x3001, 2), 10, cast_to=bytes), [b"AB"])
#z = s.solver.BVV(0, 32)
#s.memory.replace_all(c, z)
#nose.tools.assert_equal(set(s.memory.addrs_for_name('replace_old')), set())
#nose.tools.assert_equal(set(s.memory.addrs_for_name('replace_new')), set())
#nose.tools.assert_equal(set(s.memory.addrs_for_name('replace_cool')), set())
#nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(0x3001, 2), 10, cast_to=bytes), [b"AB"])
#nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(0x3000, 4), 10), [0x00414200])
#nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(0x4000, 4), 10), [0x0000000a])
# symbolic length
x = s.solver.BVV(0x11223344, 32)
y = s.solver.BVV(0xAABBCCDD, 32)
n = s.solver.BVS('size', 32)
s.add_constraints(n <= 4)
s.memory.store(0x5000, x)
s.memory.store(0x5000, y, size=n)
nose.tools.assert_equal(set(s.solver.eval_upto(s.memory.load(0x5000, 4), 10)), { 0x11223344, 0xAA223344, 0xAABB3344, 0xAABBCC44, 0xAABBCCDD })
s1 = s.copy()
s1.add_constraints(n == 1)
nose.tools.assert_equal(set(s1.solver.eval_upto(s1.memory.load(0x5000, 4), 10)), { 0xAA223344 })
s4 = s.copy()
s4.add_constraints(n == 4)
nose.tools.assert_equal(set(s4.solver.eval_upto(s4.memory.load(0x5000, 4), 10)), { 0xAABBCCDD })
# condition without fallback
x = s.solver.BVV(0x11223344, 32)
y = s.solver.BVV(0xAABBCCDD, 32)
c = s.solver.BVS('condition', 32)
s.memory.store(0x6000, x)
s.memory.store(0x6000, y, condition=c==1)
nose.tools.assert_equal(set(s.solver.eval_upto(s.memory.load(0x6000, 4), 10)), { 0x11223344, 0xAABBCCDD })
s0 = s.copy()
s0.add_constraints(c == 0)
nose.tools.assert_equal(set(s0.solver.eval_upto(s0.memory.load(0x6000, 4), 10)), { 0x11223344 })
s1 = s.copy()
s1.add_constraints(c == 1)
nose.tools.assert_equal(set(s1.solver.eval_upto(s1.memory.load(0x6000, 4), 10)), { 0xAABBCCDD })
# condition with symbolic size
x = s.solver.BVV(0x11223344, 32)
y = s.solver.BVV(0xAABBCCDD, 32)
c = s.solver.BVS('condition', 32)
n = s.solver.BVS('size', 32)
s.add_constraints(n <= 4)
s.memory.store(0x8000, x)
s.memory.store(0x8000, y, condition=c==1, size=n)
s0 = s.copy()
s0.add_constraints(c == 0)
nose.tools.assert_equal(set(s0.solver.eval_upto(s0.memory.load(0x8000, 4), 10)), { 0x11223344 })
s1 = s.copy()
s1.add_constraints(c == 1)
nose.tools.assert_equal(set(s1.solver.eval_upto(s1.memory.load(0x8000, 4), 10)), { 0x11223344, 0xAA223344, 0xAABB3344, 0xAABBCC44, 0xAABBCCDD })
def test_inspect_concretization():
# some values for the test
x = claripy.BVS('x', 64)
y = claripy.BVS('y', 64)
#
# This tests concretization-time address redirection.
#
def change_symbolic_target(state):
if state.inspect.address_concretization_action == 'store':
state.inspect.address_concretization_expr = claripy.BVV(
0x1000, state.arch.bits)
s = SimState(arch='AMD64')
s.inspect.b('address_concretization',
BP_BEFORE,
action=change_symbolic_target)
s.memory.store(x, 'A')
assert list(s.solver.eval_upto(x, 10)) == [0x1000]
assert list(s.solver.eval_upto(s.memory.load(0x1000, 1), 10)) == [0x41]
#
# This tests disabling constraint adding through siminspect -- the write still happens
#
def dont_add_constraints(state):
state.inspect.address_concretization_add_constraints = False
s = SimState(arch='AMD64')
s.inspect.b('address_concretization',
BP_BEFORE,
action=dont_add_constraints)
s.memory.store(x, 'A')
assert len(s.solver.eval_upto(x, 10)) == 10
#
# This tests raising an exception if symbolic concretization fails (i.e., if the address
# is too unconstrained). The write aborts.
#
class UnconstrainedAbort(Exception):
def __init__(self, message, state):
Exception.__init__(self, message)
self.state = state
def abort_unconstrained(state):
print(state.inspect.address_concretization_strategy,
state.inspect.address_concretization_result)
if (isinstance(
state.inspect.address_concretization_strategy,
concretization_strategies.SimConcretizationStrategyRange)
and state.inspect.address_concretization_result is None):
raise UnconstrainedAbort("uh oh", state)
s = SimState(arch='AMD64')
s.memory.write_strategies.insert(
0, concretization_strategies.SimConcretizationStrategyRange(128))
s.memory._write_address_range = 1
s.memory._write_address_range_approx = 1
s.add_constraints(y == 10)
s.inspect.b('address_concretization', BP_AFTER, action=abort_unconstrained)
s.memory.store(y, 'A')
assert list(s.solver.eval_upto(s.memory.load(y, 1), 10)) == [0x41]
try:
s.memory.store(x, 'A')
print("THIS SHOULD NOT BE REACHED")
assert False
except UnconstrainedAbort as e:
assert e.state.memory is s.memory
def test_inspect_concretization():
# some values for the test
x = claripy.BVS('x', 64)
y = claripy.BVS('y', 64)
#
# This tests concretization-time address redirection.
#
def change_symbolic_target(state):
if state.inspect.address_concretization_action == 'store':
state.inspect.address_concretization_expr = claripy.BVV(0x1000, state.arch.bits)
s = SimState(arch='AMD64')
s.inspect.b('address_concretization', BP_BEFORE, action=change_symbolic_target)
s.memory.store(x, 'A')
assert list(s.se.eval_upto(x, 10)) == [ 0x1000 ]
assert list(s.se.eval_upto(s.memory.load(0x1000, 1), 10)) == [ 0x41 ]
#
# This tests disabling constraint adding through siminspect -- the write still happens
#
def dont_add_constraints(state):
state.inspect.address_concretization_add_constraints = False
s = SimState(arch='AMD64')
s.inspect.b('address_concretization', BP_BEFORE, action=dont_add_constraints)
s.memory.store(x, 'A')
assert len(s.se.eval_upto(x, 10)) == 10
#
# This tests raising an exception if symbolic concretization fails (i.e., if the address
# is too unconstrained). The write aborts.
#
class UnconstrainedAbort(Exception):
def __init__(self, message, state):
Exception.__init__(self, message)
self.state = state
def abort_unconstrained(state):
print state.inspect.address_concretization_strategy, state.inspect.address_concretization_result
if (
isinstance(
state.inspect.address_concretization_strategy,
concretization_strategies.SimConcretizationStrategyRange
) and state.inspect.address_concretization_result is None
):
raise UnconstrainedAbort("uh oh", state)
s = SimState(arch='AMD64')
s.memory.write_strategies.insert(
0, concretization_strategies.SimConcretizationStrategyRange(128)
)
s.memory._write_address_range = 1
s.memory._write_address_range_approx = 1
s.add_constraints(y == 10)
s.inspect.b('address_concretization', BP_AFTER, action=abort_unconstrained)
s.memory.store(y, 'A')
assert list(s.se.eval_upto(s.memory.load(y, 1), 10)) == [ 0x41 ]
try:
s.memory.store(x, 'A')
print "THIS SHOULD NOT BE REACHED"
assert False
except UnconstrainedAbort as e:
assert e.state.memory is s.memory
def test_inline_strncmp():
l.info("symbolic left, symbolic right, symbolic len")
s = SimState(arch="AMD64", mode="symbolic")
left = s.solver.BVS("left", 32)
left_addr = s.solver.BVV(0x1000, 64)
right = s.solver.BVS("right", 32)
right_addr = s.solver.BVV(0x2000, 64)
maxlen = s.solver.BVS("len", 64)
s.memory.store(left_addr, left)
s.memory.store(right_addr, right)
s.add_constraints(strlen(s, arguments=[left_addr]) == 3)
s.add_constraints(strlen(s, arguments=[right_addr]) == 0)
s.add_constraints(maxlen != 0)
c = strncmp(s, arguments=[left_addr, right_addr, maxlen])
s_match = s.copy()
s_match.add_constraints(c == 0)
nose.tools.assert_false(s_match.satisfiable())
#nose.tools.assert_equal(s_match.solver.min_int(maxlen), 3)
s_nomatch = s.copy()
s_nomatch.add_constraints(c != 0)
nose.tools.assert_true(s_nomatch.satisfiable())
#nose.tools.assert_equal(s_nomatch.solver.max_int(maxlen), 2)
l.info("zero-length")
s = SimState(arch="AMD64", mode="symbolic")
left = s.solver.BVS("left", 32)
left_addr = s.solver.BVV(0x1000, 64)
right = s.solver.BVS("right", 32)
right_addr = s.solver.BVV(0x2000, 64)
maxlen = s.solver.BVS("len", 64)
left_len = strlen(s, arguments=[left_addr])
right_len = strlen(s, arguments=[right_addr])
c = strncmp(s, arguments=[left_addr, right_addr, maxlen])
s.add_constraints(right_len == 0)
s.add_constraints(left_len == 0)
#s.add_constraints(c == 0)
s.add_constraints(maxlen == 0)
nose.tools.assert_true(s.satisfiable())
def test_memcpy():
l.info("concrete src, concrete dst, concrete len")
l.debug("... full copy")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414141, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVV(0x42424242, 32)
src_addr = s.solver.BVV(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
memcpy(s, arguments=[dst_addr, src_addr, s.solver.BVV(4, 64)])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_equal(s.solver.eval_upto(new_dst, 2, cast_to=bytes), [ b"BBBB" ])
l.info("giant copy")
s = SimState(arch="AMD64", mode="symbolic", remove_options=angr.options.simplification)
s.memory._maximum_symbolic_size = 0x2000000
size = s.solver.BVV(0x1000000, 64)
dst_addr = s.solver.BVV(0x2000000, 64)
src_addr = s.solver.BVV(0x4000000, 64)
memcpy(s, arguments=[dst_addr, src_addr, size])
nose.tools.assert_is(s.memory.load(dst_addr, size), s.memory.load(src_addr, size))
l.debug("... partial copy")
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
memcpy(s, arguments=[dst_addr, src_addr, s.solver.BVV(2, 64)])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_equal(s.solver.eval_upto(new_dst, 2, cast_to=bytes), [ b"BBAA" ])
l.info("symbolic src, concrete dst, concrete len")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414141, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVS("src", 32)
src_addr = s.solver.BVV(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
# make sure it copies it all
memcpy(s, arguments=[dst_addr, src_addr, s.solver.BVV(4, 64)])
nose.tools.assert_true(s.satisfiable())
s.add_constraints(src != s.memory.load(dst_addr, 4))
nose.tools.assert_false(s.satisfiable())
l.info("symbolic src, concrete dst, symbolic len")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414141, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVS("src", 32)
src_addr = s.solver.BVV(0x2000, 64)
cpylen = s.solver.BVS("len", 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
memcpy(s, arguments=[dst_addr, src_addr, cpylen])
result = s.memory.load(dst_addr, 4, endness='Iend_BE')
# make sure it copies it all
s1 = s.copy()
s1.add_constraints(cpylen == 1)
nose.tools.assert_true(s1.solver.unique(s1.memory.load(dst_addr+1, 3)))
nose.tools.assert_equal(len(s1.solver.eval_upto(s1.memory.load(dst_addr, 1), 300)), 256)
s2 = s.copy()
s2.add_constraints(cpylen == 2)
nose.tools.assert_equal(len(s2.solver.eval_upto(result[31:24], 300)), 256)
nose.tools.assert_equal(len(s2.solver.eval_upto(result[23:16], 300)), 256)
nose.tools.assert_equal(s2.solver.eval_upto(result[15:0], 300, cast_to=bytes), [ b'AA' ])
l.info("concrete src, concrete dst, symbolic len")
dst = s2.solver.BVV(0x41414141, 32)
dst_addr = s2.solver.BVV(0x1000, 64)
src = s2.solver.BVV(0x42424242, 32)
src_addr = s2.solver.BVV(0x2000, 64)
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
cpylen = s.solver.BVS("len", 64)
s.add_constraints(s.solver.ULE(cpylen, 4))
memcpy(s, arguments=[dst_addr, src_addr, cpylen])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_sequence_equal(sorted(s.solver.eval_upto(new_dst, 300, cast_to=bytes)), [ b'AAAA', b'BAAA', b'BBAA', b'BBBA', b'BBBB' ])
def test_strncpy():
l.info("concrete src, concrete dst, concrete len")
l.debug("... full copy")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414100, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVV(0x42420000, 32)
src_addr = s.solver.BVV(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
strncpy(s, arguments=[dst_addr, src_addr, s.solver.BVV(3, 64)])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_equal(s.solver.eval(new_dst, cast_to=bytes), b"BB\x00\x00")
l.debug("... partial copy")
s = SimState(arch="AMD64", mode="symbolic")
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
strncpy(s, arguments=[dst_addr, src_addr, s.solver.BVV(2, 64)])
new_dst = s.memory.load(dst_addr, 4, endness='Iend_BE')
nose.tools.assert_equal(s.solver.eval_upto(new_dst, 2, cast_to=bytes), [ b"BBA\x00" ])
l.info("symbolic src, concrete dst, concrete len")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414100, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVS("src", 32)
src_addr = s.solver.BVV(0x2000, 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
# make sure it copies it all
s.add_constraints(strlen(s, arguments=[src_addr]) == 2)
# sanity check
s_false = s.copy()
s_false.add_constraints(strlen(s_false, arguments=[src_addr]) == 3)
nose.tools.assert_false(s_false.satisfiable())
strncpy(s, arguments=[dst_addr, src_addr, 3])
nose.tools.assert_true(s.satisfiable())
c = strcmp(s, arguments=[dst_addr, src_addr])
nose.tools.assert_sequence_equal(s.solver.eval_upto(c, 10), [0])
l.info("symbolic src, concrete dst, symbolic len")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414100, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVS("src", 32)
src_addr = s.solver.BVV(0x2000, 64)
maxlen = s.solver.BVS("len", 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
# make sure it copies it all
s.add_constraints(strlen(s, arguments=[src_addr]) == 2)
strncpy(s, arguments=[dst_addr, src_addr, maxlen])
c = strcmp(s, arguments=[dst_addr, src_addr])
s_match = s.copy()
s_match.add_constraints(c == 0)
nose.tools.assert_equal(s_match.solver.min_int(maxlen), 3)
s_nomatch = s.copy()
s_nomatch.add_constraints(c != 0)
nose.tools.assert_equal(s_nomatch.solver.max_int(maxlen), 2)
l.info("concrete src, concrete dst, symbolic len")
l.debug("... full copy")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414100, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVV(0x42420000, 32)
src_addr = s.solver.BVV(0x2000, 64)
maxlen = s.solver.BVS("len", 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
strncpy(s, arguments=[dst_addr, src_addr, maxlen])
r = s.memory.load(dst_addr, 4, endness='Iend_BE')
#print repr(r.solver.eval_upto(r, 10, cast_to=bytes))
nose.tools.assert_sequence_equal(sorted(s.solver.eval_upto(r, 10, cast_to=bytes)), [ b"AAA\x00", b'BAA\x00', b'BB\x00\x00', b'BBA\x00' ] )
def broken_strtok_r():
l.debug("CONCRETE MODE")
s = SimState(arch='AMD64', mode='symbolic')
s.memory.store(100, s.solver.BVV(0x4141414241414241424300, 88), endness='Iend_BE')
s.memory.store(200, s.solver.BVV(0x4200, 16), endness='Iend_BE')
str_ptr = s.solver.BVV(100, s.arch.bits)
delim_ptr = s.solver.BVV(200, s.arch.bits)
state_ptr = s.solver.BVV(300, s.arch.bits)
st1 = strtok_r(s, arguments=[str_ptr, delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st1, 10), [104])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(st1-1, 1), 10), [0])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(200, 2), 10), [0x4200])
st2 = strtok_r(s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st2, 10), [107])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(st2-1, 1), 10), [0])
st3 = strtok_r(s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st3, 10), [109])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(st3-1, 1), 10), [0])
st4 = strtok_r(s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st4, 10), [0])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(300, s.arch.bytes, endness=s.arch.memory_endness), 10), [109])
st5 = strtok_r(s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st5, 10), [0])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(300, s.arch.bytes, endness=s.arch.memory_endness), 10), [109])
s.memory.store(1000, s.solver.BVV(0x4141414241414241424300, 88), endness='Iend_BE')
s.memory.store(2000, s.solver.BVV(0x4200, 16), endness='Iend_BE')
str_ptr = s.solver.BVV(1000, s.arch.bits)
delim_ptr = s.solver.BVV(2000, s.arch.bits)
state_ptr = s.solver.BVV(3000, s.arch.bits)
st1 = strtok_r(s, arguments=[str_ptr, delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st1, 10), [1004])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(st1-1, 1), 10), [0])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(2000, 2), 10), [0x4200])
st2 = strtok_r(s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st2, 10), [1007])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(st2-1, 1), 10), [0])
st3 = strtok_r(s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st3, 10), [1009])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(st3-1, 1), 10), [0])
st4 = strtok_r(s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st4, 10), [0])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(3000, s.arch.bytes, endness=s.arch.memory_endness), 10), [1009])
st5 = strtok_r(s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st5, 10), [0])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(3000, s.arch.bytes, endness=s.arch.memory_endness), 10), [1009])
s = SimState(arch='AMD64', mode='symbolic')
str_ptr = s.solver.BVV(100, s.arch.bits)
delim_ptr = s.solver.BVV(200, s.arch.bits)
state_ptr = s.solver.BVV(300, s.arch.bits)
s.add_constraints(s.memory.load(delim_ptr, 1) != 0)
st1 = strtok_r(s, arguments=[str_ptr, delim_ptr, state_ptr])
s.add_constraints(st1 != 0)
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(st1-1, 1), 10), [0])
def broken_strtok_r():
l.debug("CONCRETE MODE")
s = SimState(arch='AMD64', mode='symbolic')
s.memory.store(100,
s.solver.BVV(0x4141414241414241424300, 88),
endness='Iend_BE')
s.memory.store(200, s.solver.BVV(0x4200, 16), endness='Iend_BE')
str_ptr = s.solver.BVV(100, s.arch.bits)
delim_ptr = s.solver.BVV(200, s.arch.bits)
state_ptr = s.solver.BVV(300, s.arch.bits)
st1 = strtok_r(s, arguments=[str_ptr, delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st1, 10), [104])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(st1 - 1, 1), 10),
[0])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(200, 2), 10),
[0x4200])
st2 = strtok_r(
s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st2, 10), [107])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(st2 - 1, 1), 10),
[0])
st3 = strtok_r(
s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st3, 10), [109])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(st3 - 1, 1), 10),
[0])
st4 = strtok_r(
s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st4, 10), [0])
nose.tools.assert_equal(
s.solver.eval_upto(
s.memory.load(300, s.arch.bytes, endness=s.arch.memory_endness),
10), [109])
st5 = strtok_r(
s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st5, 10), [0])
nose.tools.assert_equal(
s.solver.eval_upto(
s.memory.load(300, s.arch.bytes, endness=s.arch.memory_endness),
10), [109])
s.memory.store(1000,
s.solver.BVV(0x4141414241414241424300, 88),
endness='Iend_BE')
s.memory.store(2000, s.solver.BVV(0x4200, 16), endness='Iend_BE')
str_ptr = s.solver.BVV(1000, s.arch.bits)
delim_ptr = s.solver.BVV(2000, s.arch.bits)
state_ptr = s.solver.BVV(3000, s.arch.bits)
st1 = strtok_r(s, arguments=[str_ptr, delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st1, 10), [1004])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(st1 - 1, 1), 10),
[0])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(2000, 2), 10),
[0x4200])
st2 = strtok_r(
s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st2, 10), [1007])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(st2 - 1, 1), 10),
[0])
st3 = strtok_r(
s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st3, 10), [1009])
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(st3 - 1, 1), 10),
[0])
st4 = strtok_r(
s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st4, 10), [0])
nose.tools.assert_equal(
s.solver.eval_upto(
s.memory.load(3000, s.arch.bytes, endness=s.arch.memory_endness),
10), [1009])
st5 = strtok_r(
s, arguments=[s.solver.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.solver.eval_upto(st5, 10), [0])
nose.tools.assert_equal(
s.solver.eval_upto(
s.memory.load(3000, s.arch.bytes, endness=s.arch.memory_endness),
10), [1009])
s = SimState(arch='AMD64', mode='symbolic')
str_ptr = s.solver.BVV(100, s.arch.bits)
delim_ptr = s.solver.BVV(200, s.arch.bits)
state_ptr = s.solver.BVV(300, s.arch.bits)
s.add_constraints(s.memory.load(delim_ptr, 1) != 0)
st1 = strtok_r(s, arguments=[str_ptr, delim_ptr, state_ptr])
s.add_constraints(st1 != 0)
nose.tools.assert_equal(s.solver.eval_upto(s.memory.load(st1 - 1, 1), 10),
[0])
def broken_strtok_r():
l.debug("CONCRETE MODE")
s = SimState(arch='AMD64', mode='symbolic')
s.memory.store(100,
s.se.BVV(0x4141414241414241424300, 88),
endness='Iend_BE')
s.memory.store(200, s.se.BVV(0x4200, 16), endness='Iend_BE')
str_ptr = s.se.BVV(100, s.arch.bits)
delim_ptr = s.se.BVV(200, s.arch.bits)
state_ptr = s.se.BVV(300, s.arch.bits)
st1 = strtok_r(s, arguments=[str_ptr, delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st1.ret_expr, 10), [104])
nose.tools.assert_equal(
s.se.any_n_int(s.memory.load(st1.ret_expr - 1, 1), 10), [0])
nose.tools.assert_equal(s.se.any_n_int(s.memory.load(200, 2), 10),
[0x4200])
st2 = strtok_r(s,
arguments=[s.se.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st2.ret_expr, 10), [107])
nose.tools.assert_equal(
s.se.any_n_int(s.memory.load(st2.ret_expr - 1, 1), 10), [0])
st3 = strtok_r(s,
arguments=[s.se.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st3.ret_expr, 10), [109])
nose.tools.assert_equal(
s.se.any_n_int(s.memory.load(st3.ret_expr - 1, 1), 10), [0])
st4 = strtok_r(s,
arguments=[s.se.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st4.ret_expr, 10), [0])
nose.tools.assert_equal(
s.se.any_n_int(
s.memory.load(300, s.arch.bytes, endness=s.arch.memory_endness),
10), [109])
st5 = strtok_r(s,
arguments=[s.se.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st5.ret_expr, 10), [0])
nose.tools.assert_equal(
s.se.any_n_int(
s.memory.load(300, s.arch.bytes, endness=s.arch.memory_endness),
10), [109])
s.memory.store(1000,
s.se.BVV(0x4141414241414241424300, 88),
endness='Iend_BE')
s.memory.store(2000, s.se.BVV(0x4200, 16), endness='Iend_BE')
str_ptr = s.se.BVV(1000, s.arch.bits)
delim_ptr = s.se.BVV(2000, s.arch.bits)
state_ptr = s.se.BVV(3000, s.arch.bits)
st1 = strtok_r(s, arguments=[str_ptr, delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st1.ret_expr, 10), [1004])
nose.tools.assert_equal(
s.se.any_n_int(s.memory.load(st1.ret_expr - 1, 1), 10), [0])
nose.tools.assert_equal(s.se.any_n_int(s.memory.load(2000, 2), 10),
[0x4200])
st2 = strtok_r(s,
arguments=[s.se.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st2.ret_expr, 10), [1007])
nose.tools.assert_equal(
s.se.any_n_int(s.memory.load(st2.ret_expr - 1, 1), 10), [0])
st3 = strtok_r(s,
arguments=[s.se.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st3.ret_expr, 10), [1009])
nose.tools.assert_equal(
s.se.any_n_int(s.memory.load(st3.ret_expr - 1, 1), 10), [0])
st4 = strtok_r(s,
arguments=[s.se.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st4.ret_expr, 10), [0])
nose.tools.assert_equal(
s.se.any_n_int(
s.memory.load(3000, s.arch.bytes, endness=s.arch.memory_endness),
10), [1009])
st5 = strtok_r(s,
arguments=[s.se.BVV(0, s.arch.bits), delim_ptr, state_ptr])
nose.tools.assert_equal(s.se.any_n_int(st5.ret_expr, 10), [0])
nose.tools.assert_equal(
s.se.any_n_int(
s.memory.load(3000, s.arch.bytes, endness=s.arch.memory_endness),
10), [1009])
print "LIGHT FULLY SYMBOLIC TEST"
s = SimState(arch='AMD64', mode='symbolic')
str_ptr = s.se.BVV(100, s.arch.bits)
delim_ptr = s.se.BVV(200, s.arch.bits)
state_ptr = s.se.BVV(300, s.arch.bits)
s.add_constraints(s.memory.load(delim_ptr, 1) != 0)
st1 = strtok_r(s, arguments=[str_ptr, delim_ptr, state_ptr])
s.add_constraints(st1.ret_expr != 0)
nose.tools.assert_equal(
s.se.any_n_int(s.memory.load(st1.ret_expr - 1, 1), 10), [0])
