def analyze(b, addr, name=None):
start_state = b.factory.blank_state(addr=addr)
start_state.stack_push(0x0)
cfg = b.analyses.CFGAccurate(fail_fast=True, starts=[addr], initial_state=start_state, context_sensitivity_level=5, keep_state=True, call_depth=100, normalize=True)
plot_cfg(cfg, "%s_cfg" % (name), asminst=True, vexinst=False, debug_info=False, remove_imports=False, remove_path_terminator=False)
start_state = b.factory.blank_state(addr=addr, add_options={simuvex.o.CONSERVATIVE_READ_STRATEGY} | simuvex.o.resilience_options)
start_state.stack_push(0x0)
pg = b.factory.path_group(start_state)
pg.use_technique(NormalizedSteps(cfg))
unique_states = set()
def check_loops(path):
last = path.addr_trace[-1]
c = 0
for p in path.addr_trace:
if p == last:
c += 1
return c > 1
def step_func(lpg):
lpg.stash(filter_func=check_loops, from_stash='active', to_stash='looping')
lpg.stash(filter_func=lambda path: path.addr == 0, from_stash='active', to_stash='found')
print lpg
return lpg
pg.step(step_func=step_func, until=lambda lpg: len(lpg.active) == 0, n=100)
for stash in pg.stashes:
c = 0
for p in pg.stashes[stash]:
plot_cfg(cfg, "%s_cfg_%s_%d" % (name, stash, c), path=p, asminst=True, vexinst=False, debug_info=False, remove_imports=True, remove_path_terminator=True)
c += 1
def analyze(b, addr, name=None):
start_state = b.factory.blank_state(addr=addr)
start_state.stack_push(0x0)
cfg = b.analyses.CFGFast(fail_fast=True,
function_starts=[addr],
base_state=start_state,
normalize=True)
plot_cfg(cfg,
"%s_cfg" % (name),
asminst=True,
vexinst=False,
debug_info=False,
remove_imports=False,
remove_path_terminator=False)
start_state = b.factory.blank_state(
addr=addr,
add_options={simuvex.o.CONSERVATIVE_READ_STRATEGY}
| simuvex.o.resilience_options)
start_state.stack_push(0x0)
simgr = b.factory.simgr(start_state)
simgr.use_technique(NormalizedSteps(cfg))
def check_loops(state):
last = state.history.bbl_addrs[-1]
c = 0
for p in state.history.bbl_addrs:
if p == last:
c += 1
return c > 1
def step_func(lsimgr):
lsimgr.stash(filter_func=check_loops,
from_stash='active',
to_stash='looping')
lsimgr.stash(filter_func=lambda state: state.addr == 0,
from_stash='active',
to_stash='found')
print lsimgr
return lsimgr
simgr.run(step_func=step_func,
until=lambda lsimgr: len(lsimgr.active) == 0,
n=100)
for stash in simgr.stashes:
c = 0
for state in simgr.stashes[stash]:
plot_cfg(cfg,
"%s_cfg_%s_%d" % (name, stash, c),
state=state,
asminst=True,
vexinst=False,
debug_info=False,
remove_imports=True,
remove_path_terminator=True)
c += 1
def analyze(b, addr, name=None):
start_state = b.factory.blank_state(addr=addr)
start_state.stack_push(0x0)
cfg = b.analyses.CFGAccurate(fail_fast=True,
starts=[addr],
initial_state=start_state,
context_sensitivity_level=5,
keep_state=True,
call_depth=100,
normalize=True)
#plot_cfg(cfg, "%s_cfg" % (name), asminst=True, vexinst=False, debug_info=False, remove_imports=False,
# remove_path_terminator=False)
start_state = b.factory.blank_state(
addr=addr,
add_options={simuvex.o.CONSERVATIVE_READ_STRATEGY}
| simuvex.o.resilience_options)
#start_state = b.factory.blank_state(addr=addr, add_options=angr.options.unicorn)
start_state.stack_push(0x0)
pg = b.factory.path_group(start_state)
pg.use_technique(NormalizedSteps(cfg))
unique_states = set()
def check_loops(path):
last = path.addr_trace[-1]
c = 0
for p in path.addr_trace:
if p == last:
c += 1
return c > 1
def step_func(lpg):
#lpg.stash(filter_func=check_loops, from_stash='active', to_stash='looping')
lpg.stash(filter_func=lambda path: path.addr == 0,
from_stash='active',
to_stash='found')
print lpg
return lpg
pg.step(step_func=step_func, until=lambda lpg: len(lpg.active) == 0, n=100)
for stash in pg.stashes:
c = 0
i = 0
for p in pg.stashes[stash]:
#print p
filename = 'trace_' + str(i)
with open(
'/home/hongfa/workspace/bzip2_binary/train/3/' + filename,
'w') as f:
for addr in p.addr_trace:
f.write(format(addr, '#04x') + '\n')
i += 1
plot_cfg(cfg,
"%s_cfg_%s_%d" % (name, stash, c),
path=p,
asminst=True,
vexinst=False,
debug_info=False,
remove_imports=True,
remove_path_terminator=True)
def analyze(b, addr, function, name=None):
start_state = b.factory.blank_state(addr=addr,
add_options=angr.options.unicorn)
start_state.stack_push(0x0)
cfg = b.analyses.CFGAccurate(fail_fast=True,
starts=[addr],
initial_state=start_state,
context_sensitivity_level=1,
keep_state=True,
call_depth=50,
normalize=True)
nodes = cfg.get_all_nodes(addr)
#cfg = b.analyses.vfg.VFG(fail_fast=True, starts=[addr], initial_state=start_state, context_sensitivity_level=1)
#cfg = b.analyses.CFG(fail_fast=True, resolve_indirect_jumps=False,collect_data_reference=False, force_complete_scan=False)
#cfg= b.analyses.CFGFast(keep_state=True)
#plot_cfg(cfg, "%s_cfg" % (name), asminst=True, vexinst=False, debug_info=False, remove_imports=False,
# remove_path_terminator=False)
#start_state = b.factory.blank_state(addr=addr,add_options={
# simuvex.o.CONSERVATIVE_READ_STRATEGY} | simuvex.o.resilience_options)
start_state.options.add(angr.options.FAST_MEMORY)
start_state.options.add(angr.options.FAST_REGISTERS)
start_state.stack_push(0x0)
pg = b.factory.simgr(start_state)
#pg.use_technique(angr.exploration_techniques.veritesting.Veritesting())
#pg.use_technique(angr.exploration_techniques.DFS())
pg.use_technique(NormalizedSteps(cfg))
#pg.use_technique(angr.exploration_techniques.explorer.Explorer(cfg=cfg))
unique_states = set()
def check_loops(path):
last = path.bbl_addrs[-1]
c = 0
for p in path.bbl_addrs:
if p == last:
c += 1
return c > 1
def step_func(lpg):
#lpg.stash(filter_func=check_loops, from_stash='active', to_stash='looping')
lpg.stash(filter_func=lambda path: path.addr == 0,
from_stash='active',
to_stash='found')
#print lpg
return lpg
pg.step(step_func=step_func, until=lambda lpg: len(lpg.active) == 0, n=100)
subfolder = '/home/hongfa/workspace/bzip2_ML/train/' + str(function) + '/'
os.mkdir(subfolder)
i = 0
for stash in pg.stashes:
#subfolder = '/home/hongfa/Dropbox/openssl/openssl_path/' + str(function) + '/'
#os.mkdir(subfolder)
for p in pg.stashes[stash]:
#print p
filename = 'trace_' + str(i)
#subfolder='/home/hongfa/Dropbox/openssl/openssl_path/'+str(function)+'/'
#os.mkdir(subfolder)
with open(subfolder + filename, 'w') as f:
for addr in p.history.bbl_addrs:
f.write(format(addr, '#04x') + '\n')
i += 1
#entry_fun=cfg.kb.functions[hex(addr)]
#nodes = entry_fun.block_addrs
for n in nodes:
#print n
filename = 'trace_' + str(i)
with open(subfolder + filename, 'w') as f:
f.write(format(n.addr, '#04x') + '\n')
i += 1