def main():
parser = argparse.ArgumentParser(description='Follow a concrete trace')
parser.add_argument('-f', '--explore_from', help='Value of PC from which to explore symbolically', type=str)
parser.add_argument('-t', '--explore_to', type=str, default=sys.maxsize,
help="Value of PC until which to explore symbolically. (Probably don't want this set)")
parser.add_argument('--verbose', '-v', action='count', default=0, help='Increase verbosity')
parser.add_argument('cmd', type=str, nargs='+',
help='Program and arguments. Use "--" to separate script arguments from target arguments')
args = parser.parse_args(sys.argv[1:])
range = None
if args.explore_from:
range = (args.explore_from, args.explore_to)
# Create a concrete Manticore and record it
m1 = Manticore.linux(args.cmd[0], args.cmd[1:])
t = ExtendedTracer()
r = TraceReceiver(t)
m1.verbosity(args.verbose)
m1.register_plugin(t)
m1.register_plugin(r)
m1.run(procs=1)
time.sleep(3)
# Create a symbolic Manticore and follow last trace
symbolic_args = ['+'*len(arg) for arg in args.cmd[1:]]
m2 = Manticore.linux(args.cmd[0], symbolic_args)
f = Follower(r.trace)
if range:
f.add_symbolic_range(*range)
m2.verbosity(args.verbose)
m2.register_plugin(f)
m2.run()
def symbolic_run_get_cons(trace):
'''
Execute a symbolic run that follows a concrete run; return constraints generated
and the stdin data produced
'''
m2 = Manticore.linux(prog, workspace_url='mem:')
f = Follower(trace)
m2.verbosity(VERBOSITY)
m2.register_plugin(f)
def on_term_testcase(mcore, state, stateid, err):
with m2.locked_context() as ctx:
readdata = []
for name, fd, data in state.platform.syscall_trace:
if name in ('_receive', '_read') and fd == 0:
readdata.append(data)
ctx['readdata'] = readdata
ctx['constraints'] = list(state.constraints.constraints)
m2.subscribe('will_terminate_state', on_term_testcase)
m2.run()
constraints = m2.context['constraints']
datas = m2.context['readdata']
return constraints, datas
def concrete_run_get_trace(inp):
m1 = Manticore.linux(prog, concrete_start=inp, workspace_url='mem:')
t = ExtendedTracer()
r = TraceReceiver(t)
m1.verbosity(VERBOSITY)
m1.register_plugin(t)
m1.register_plugin(r)
m1.run(procs=1)
return r.trace
def test_symbolic_argv_envp(self):
self.m = Manticore.linux('tests/binaries/arguments_linux_amd64', argv=['+'],
envp={'TEST': '+'})
state = self.m.initial_state
ptr = state.cpu.read_int(state.cpu.RSP + (8*2)) # get argv[1]
mem = state.cpu.read_bytes(ptr, 2)
self.assertTrue(issymbolic(mem[0]))
self.assertEqual(mem[1], '\0')
ptr = state.cpu.read_int(state.cpu.RSP + (8*4)) # get envp[0]
mem = state.cpu.read_bytes(ptr, 7)
self.assertEqual(''.join(mem[:5]), 'TEST=')
self.assertEqual(mem[6], '\0')
self.assertTrue(issymbolic(mem[5]))
def test_symbolic_argv_envp(self):
dirname = os.path.dirname(__file__)
self.m = Manticore.linux(os.path.join(dirname, 'binaries',
'arguments_linux_amd64'),
argv=['+'],
envp={'TEST': '+'})
state = self.m.initial_state
ptr = state.cpu.read_int(state.cpu.RSP + (8 * 2)) # get argv[1]
mem = state.cpu.read_bytes(ptr, 2)
self.assertTrue(issymbolic(mem[0]))
self.assertEqual(mem[1], b'\0')
ptr = state.cpu.read_int(state.cpu.RSP + (8 * 4)) # get envp[0]
mem = state.cpu.read_bytes(ptr, 7)
self.assertEqual(b''.join(mem[:5]), b'TEST=')
self.assertEqual(mem[6], b'\0')
self.assertTrue(issymbolic(mem[5]))