def state_blank(self, addr=None, initial_prefix=None, stack_size=1024 * 1024 * 8, **kwargs): """ Initialize a blank state. All parameters are optional. :param addr: The execution start address. :param initial_prefix: :param stack_size: The number of bytes to allocate for stack space :return: The initialized SimState. Any additional arguments will be passed to the SimState constructor """ if kwargs.get('mode', None) is None: kwargs['mode'] = self.project._default_analysis_mode if kwargs.get('permissions_backer', None) is None: # just a dict of address ranges to permission bits permission_map = {} for obj in self.project.loader.all_objects: for seg in obj.segments: perms = 0 # bit values based off of protection bit values from sys/mman.h if seg.is_readable: perms |= 1 # PROT_READ if seg.is_writable: perms |= 2 # PROT_WRITE if seg.is_executable: perms |= 4 # PROT_EXEC permission_map[(seg.min_addr, seg.max_addr)] = perms permissions_backer = (self.project.loader.main_bin.execstack, permission_map) kwargs['permissions_backer'] = permissions_backer if kwargs.get('memory_backer', None) is None: kwargs['memory_backer'] = self.project.loader.memory if kwargs.get('os_name', None) is None: kwargs['os_name'] = self.name state = SimState(self.project, **kwargs) stack_end = state.arch.initial_sp if o.ABSTRACT_MEMORY not in state.options: state.memory.mem._preapproved_stack = IRange( stack_end - stack_size, stack_end) if o.INITIALIZE_ZERO_REGISTERS in state.options: highest_reg_offset, reg_size = max(state.arch.registers.values()) for i in range(0, highest_reg_offset + reg_size, state.arch.bytes): state.registers.store(i, state.se.BVV(0, state.arch.bits)) if hasattr(state.regs, "sp"): state.regs.sp = stack_end if initial_prefix is not None: for reg in state.arch.default_symbolic_registers: state.registers.store( reg, claripy.BVS(initial_prefix + "_" + reg, state.arch.bits, explicit_name=True)) for reg, val, is_addr, mem_region in state.arch.default_register_values: region_base = None # so pycharm does not complain if is_addr: if isinstance(mem_region, tuple): # unpack it mem_region, region_base = mem_region elif mem_region == 'global': # Backward compatibility region_base = 0 else: raise AngrSimOSError( 'You must specify the base address for memory region "%s". ' % mem_region) if o.ABSTRACT_MEMORY in state.options and is_addr: address = claripy.ValueSet(state.arch.bits, mem_region, region_base, val) state.registers.store(reg, address) else: state.registers.store(reg, val) if addr is None: addr = self.project.entry state.regs.ip = addr # set up the "root history" node state.scratch.ins_addr = addr state.scratch.bbl_addr = addr state.scratch.stmt_idx = 0 state.history.jumpkind = 'Ijk_Boring' return state
def state_blank(self, addr=None, initial_prefix=None, brk=None, stack_end=None, stack_size=1024 * 1024 * 8, stdin=None, **kwargs): """ Initialize a blank state. All parameters are optional. :param addr: The execution start address. :param initial_prefix: :param stack_end: The end of the stack (i.e., the byte after the last valid stack address). :param stack_size: The number of bytes to allocate for stack space :param brk: The address of the process' break. :return: The initialized SimState. Any additional arguments will be passed to the SimState constructor """ # TODO: move ALL of this into the SimState constructor if kwargs.get('mode', None) is None: kwargs['mode'] = self.project._default_analysis_mode if kwargs.get('permissions_backer', None) is None: # just a dict of address ranges to permission bits permission_map = {} for obj in self.project.loader.all_objects: for seg in obj.segments: perms = 0 # bit values based off of protection bit values from sys/mman.h if seg.is_readable: perms |= 1 # PROT_READ if seg.is_writable: perms |= 2 # PROT_WRITE if seg.is_executable: perms |= 4 # PROT_EXEC permission_map[(seg.min_addr, seg.max_addr)] = perms permissions_backer = (self.project.loader.main_object.execstack, permission_map) kwargs['permissions_backer'] = permissions_backer if kwargs.get('memory_backer', None) is None: kwargs['memory_backer'] = self.project.loader.memory if kwargs.get('os_name', None) is None: kwargs['os_name'] = self.name state = SimState(self.project, **kwargs) if stdin is not None and not isinstance(stdin, SimFileBase): if type(stdin) is type: stdin = stdin(name='stdin', has_end=False) else: stdin = SimFileStream(name='stdin', content=stdin, has_end=True) last_addr = self.project.loader.main_object.max_addr actual_brk = (last_addr - last_addr % 0x1000 + 0x1000) if brk is None else brk state.register_plugin('posix', SimSystemPosix(stdin=stdin, brk=actual_brk)) actual_stack_end = state.arch.initial_sp if stack_end is None else stack_end if o.ABSTRACT_MEMORY not in state.options: state.memory.mem._preapproved_stack = IRange( actual_stack_end - stack_size, actual_stack_end) if o.INITIALIZE_ZERO_REGISTERS in state.options: highest_reg_offset, reg_size = max(state.arch.registers.values()) for i in range(0, highest_reg_offset + reg_size, state.arch.bytes): state.registers.store(i, state.solver.BVV(0, state.arch.bits)) if state.arch.sp_offset is not None: state.regs.sp = actual_stack_end if initial_prefix is not None: for reg in state.arch.default_symbolic_registers: state.registers.store( reg, state.solver.BVS(initial_prefix + "_" + reg, state.arch.bits, explicit_name=True, key=('reg', reg), eternal=True)) for reg, val, is_addr, mem_region in state.arch.default_register_values: region_base = None # so pycharm does not complain if is_addr: if isinstance(mem_region, tuple): # unpack it mem_region, region_base = mem_region elif mem_region == 'global': # Backward compatibility region_base = 0 else: raise AngrSimOSError( 'You must specify the base address for memory region "%s". ' % mem_region) # special case for stack pointer override if actual_stack_end is not None and state.arch.registers[reg][ 0] == state.arch.sp_offset: continue if o.ABSTRACT_MEMORY in state.options and is_addr: address = claripy.ValueSet(state.arch.bits, mem_region, region_base, val) state.registers.store(reg, address) else: state.registers.store(reg, val) if addr is None: addr = self.project.entry state.regs.ip = addr # set up the "root history" node state.scratch.ins_addr = addr state.scratch.bbl_addr = addr state.scratch.stmt_idx = 0 state.history.jumpkind = 'Ijk_Boring' return state
def test_vsa(): # Set backend b = claripy.backend_vsa SI = claripy.StridedInterval VS = claripy.ValueSet BVV = claripy.BVV # Disable the use of DiscreteStridedIntervalSet claripy.vsa.strided_interval.allow_dsis = False def is_equal(ast_0, ast_1): return ast_0.identical(ast_1) si1 = claripy.TSI(32, name="foo") nose.tools.assert_equal(si1.model.name, "foo") # Normalization si1 = SI(bits=32, stride=1, lower_bound=10, upper_bound=10) nose.tools.assert_equal(si1.model.stride, 0) # Integers si1 = claripy.SI(bits=32, stride=0, lower_bound=10, upper_bound=10) si2 = claripy.SI(bits=32, stride=0, lower_bound=10, upper_bound=10) si3 = claripy.SI(bits=32, stride=0, lower_bound=28, upper_bound=28) # Strided intervals si_a = claripy.SI(bits=32, stride=2, lower_bound=10, upper_bound=20) si_b = claripy.SI(bits=32, stride=2, lower_bound=-100, upper_bound=200) si_c = claripy.SI(bits=32, stride=3, lower_bound=-100, upper_bound=200) si_d = claripy.SI(bits=32, stride=2, lower_bound=50, upper_bound=60) si_e = claripy.SI(bits=16, stride=1, lower_bound=0x2000, upper_bound=0x3000) si_f = claripy.SI(bits=16, stride=1, lower_bound=0, upper_bound=255) si_g = claripy.SI(bits=16, stride=1, lower_bound=0, upper_bound=0xff) si_h = claripy.SI(bits=32, stride=0, lower_bound=0x80000000, upper_bound=0x80000000) nose.tools.assert_true(is_equal(si1, claripy.SI(bits=32, to_conv=10))) nose.tools.assert_true(is_equal(si2, claripy.SI(bits=32, to_conv=10))) nose.tools.assert_true(is_equal(si1, si2)) # __add__ si_add_1 = si1 + si2 nose.tools.assert_true( is_equal(si_add_1, claripy.SI(bits=32, stride=0, lower_bound=20, upper_bound=20))) si_add_2 = si1 + si_a nose.tools.assert_true( is_equal(si_add_2, claripy.SI(bits=32, stride=2, lower_bound=20, upper_bound=30))) si_add_3 = si_a + si_b nose.tools.assert_true( is_equal( si_add_3, claripy.SI(bits=32, stride=2, lower_bound=-90, upper_bound=220))) si_add_4 = si_b + si_c nose.tools.assert_true( is_equal( si_add_4, claripy.SI(bits=32, stride=1, lower_bound=-200, upper_bound=400))) # __add__ with overflow si_add_5 = si_h + 0xffffffff nose.tools.assert_true( is_equal( si_add_5, claripy.SI(bits=32, stride=0, lower_bound=0x7fffffff, upper_bound=0x7fffffff))) # __sub__ si_minus_1 = si1 - si2 nose.tools.assert_true( is_equal(si_minus_1, claripy.SI(bits=32, stride=0, lower_bound=0, upper_bound=0))) si_minus_2 = si_a - si_b nose.tools.assert_true( is_equal( si_minus_2, claripy.SI(bits=32, stride=2, lower_bound=-190, upper_bound=120))) si_minus_3 = si_b - si_c nose.tools.assert_true( is_equal( si_minus_3, claripy.SI(bits=32, stride=1, lower_bound=-300, upper_bound=300))) # __neg__ / __invert__ / bitwise not si_neg_1 = ~si1 nose.tools.assert_true(is_equal(si_neg_1, claripy.SI(bits=32, to_conv=-11))) si_neg_2 = ~si_b nose.tools.assert_true( is_equal( si_neg_2, claripy.SI(bits=32, stride=2, lower_bound=-201, upper_bound=99))) # __or__ si_or_1 = si1 | si3 nose.tools.assert_true(is_equal(si_or_1, claripy.SI(bits=32, to_conv=30))) si_or_2 = si1 | si2 nose.tools.assert_true(is_equal(si_or_2, claripy.SI(bits=32, to_conv=10))) si_or_3 = si1 | si_a # An integer | a strided interval nose.tools.assert_true( is_equal(si_or_3, claripy.SI(bits=32, stride=2, lower_bound=10, upper_bound=30))) si_or_3 = si_a | si1 # Exchange the operands nose.tools.assert_true( is_equal(si_or_3, claripy.SI(bits=32, stride=2, lower_bound=10, upper_bound=30))) si_or_4 = si_a | si_d # A strided interval | another strided interval nose.tools.assert_true( is_equal(si_or_4, claripy.SI(bits=32, stride=2, lower_bound=50, upper_bound=62))) si_or_4 = si_d | si_a # Exchange the operands nose.tools.assert_true( is_equal(si_or_4, claripy.SI(bits=32, stride=2, lower_bound=50, upper_bound=62))) si_or_5 = si_e | si_f # nose.tools.assert_true( is_equal( si_or_5, claripy.SI(bits=16, stride=1, lower_bound=0x2000, upper_bound=0x30ff))) si_or_6 = si_e | si_g # nose.tools.assert_true( is_equal( si_or_6, claripy.SI(bits=16, stride=1, lower_bound=0x2000, upper_bound=0x30ff))) # Shifting si_shl_1 = si1 << 3 nose.tools.assert_equal(si_shl_1.size(), 32) nose.tools.assert_true( is_equal(si_shl_1, claripy.SI(bits=32, stride=0, lower_bound=80, upper_bound=80))) # Multiplication si_mul_1 = si1 * 3 nose.tools.assert_equal(si_mul_1.size(), 32) nose.tools.assert_true( is_equal(si_mul_1, claripy.SI(bits=32, stride=0, lower_bound=30, upper_bound=30))) si_mul_2 = si_a * 3 nose.tools.assert_equal(si_mul_2.size(), 32) nose.tools.assert_true( is_equal(si_mul_2, claripy.SI(bits=32, stride=6, lower_bound=30, upper_bound=60))) si_mul_3 = si_a * si_b nose.tools.assert_equal(si_mul_3.size(), 32) nose.tools.assert_true( is_equal( si_mul_3, claripy.SI(bits=32, stride=2, lower_bound=-2000, upper_bound=4000))) # Division si_div_1 = si1 / 3 nose.tools.assert_equal(si_div_1.size(), 32) nose.tools.assert_true( is_equal(si_div_1, claripy.SI(bits=32, stride=0, lower_bound=3, upper_bound=3))) si_div_2 = si_a / 3 nose.tools.assert_equal(si_div_2.size(), 32) nose.tools.assert_true( is_equal(si_div_2, claripy.SI(bits=32, stride=1, lower_bound=3, upper_bound=6))) # Modulo si_mo_1 = si1 % 3 nose.tools.assert_equal(si_mo_1.size(), 32) nose.tools.assert_true( is_equal(si_mo_1, claripy.SI(bits=32, stride=0, lower_bound=1, upper_bound=1))) si_mo_2 = si_a % 3 nose.tools.assert_equal(si_mo_2.size(), 32) nose.tools.assert_true( is_equal(si_mo_2, claripy.SI(bits=32, stride=1, lower_bound=0, upper_bound=2))) # # Extracting the sign bit # # a negative integer si = claripy.SI(bits=64, stride=0, lower_bound=-1, upper_bound=-1) sb = si[63:63] nose.tools.assert_true(is_equal(sb, claripy.SI(bits=1, to_conv=1))) # non-positive integers si = claripy.SI(bits=64, stride=1, lower_bound=-1, upper_bound=0) sb = si[63:63] nose.tools.assert_true( is_equal(sb, claripy.SI(bits=1, stride=1, lower_bound=0, upper_bound=1))) # Extracting an integer si = claripy.SI(bits=64, stride=0, lower_bound=0x7fffffffffff0000, upper_bound=0x7fffffffffff0000) part1 = si[63:32] part2 = si[31:0] nose.tools.assert_true( is_equal( part1, claripy.SI(bits=32, stride=0, lower_bound=0x7fffffff, upper_bound=0x7fffffff))) nose.tools.assert_true( is_equal( part2, claripy.SI(bits=32, stride=0, lower_bound=0xffff0000, upper_bound=0xffff0000))) # Concatenating two integers si_concat = part1.concat(part2) nose.tools.assert_true(is_equal(si_concat, si)) # Extracting a claripy.SI si = claripy.SI(bits=64, stride=0x9, lower_bound=0x1, upper_bound=0xa) part1 = si[63:32] part2 = si[31:0] nose.tools.assert_true( is_equal( part1, claripy.SI(bits=32, stride=0, lower_bound=0x0, upper_bound=0x0))) nose.tools.assert_true( is_equal(part2, claripy.SI(bits=32, stride=9, lower_bound=1, upper_bound=10))) # Concatenating two claripy.SIs si_concat = part1.concat(part2) nose.tools.assert_true(is_equal(si_concat, si)) # Zero-Extend the low part si_zeroextended = part2.zero_extend(32) nose.tools.assert_true( is_equal(si_zeroextended, claripy.SI(bits=64, stride=9, lower_bound=1, upper_bound=10))) # Sign-extension si_signextended = part2.sign_extend(32) nose.tools.assert_true( is_equal(si_signextended, claripy.SI(bits=64, stride=9, lower_bound=1, upper_bound=10))) # Extract from the result above si_extracted = si_zeroextended[31:0] nose.tools.assert_true( is_equal(si_extracted, claripy.SI(bits=32, stride=9, lower_bound=1, upper_bound=10))) # Union si_union_1 = si1.union(si2) nose.tools.assert_true( is_equal(si_union_1, claripy.SI(bits=32, stride=0, lower_bound=10, upper_bound=10))) si_union_2 = si1.union(si3) nose.tools.assert_true( is_equal( si_union_2, claripy.SI(bits=32, stride=18, lower_bound=10, upper_bound=28))) si_union_3 = si1.union(si_a) nose.tools.assert_true( is_equal(si_union_3, claripy.SI(bits=32, stride=2, lower_bound=10, upper_bound=20))) si_union_4 = si_a.union(si_b) nose.tools.assert_true( is_equal( si_union_4, claripy.SI(bits=32, stride=2, lower_bound=-100, upper_bound=200))) si_union_5 = si_b.union(si_c) nose.tools.assert_true( is_equal( si_union_5, claripy.SI(bits=32, stride=1, lower_bound=-100, upper_bound=200))) # Intersection si_intersection_1 = si1.intersection(si1) nose.tools.assert_true(is_equal(si_intersection_1, si2)) si_intersection_2 = si1.intersection(si2) nose.tools.assert_true( is_equal(si_intersection_2, claripy.SI(bits=32, stride=0, lower_bound=10, upper_bound=10))) si_intersection_3 = si1.intersection(si_a) nose.tools.assert_true( is_equal(si_intersection_3, claripy.SI(bits=32, stride=0, lower_bound=10, upper_bound=10))) si_intersection_4 = si_a.intersection(si_b) nose.tools.assert_true( is_equal(si_intersection_4, claripy.SI(bits=32, stride=2, lower_bound=10, upper_bound=20))) si_intersection_5 = si_b.intersection(si_c) nose.tools.assert_true( is_equal( si_intersection_5, claripy.SI(bits=32, stride=6, lower_bound=-100, upper_bound=200))) # Sign-extension si = claripy.SI(bits=1, stride=0, lower_bound=1, upper_bound=1) si_signextended = si.sign_extend(31) nose.tools.assert_true( is_equal( si_signextended, claripy.SI(bits=32, stride=0, lower_bound=0xffffffff, upper_bound=0xffffffff))) # Comparison between claripy.SI and BVV si = claripy.SI(bits=32, stride=1, lower_bound=-0x7f, upper_bound=0x7f) si.uninitialized = True bvv = BVV(0x30, 32) comp = (si < bvv) nose.tools.assert_equal(comp.model, MaybeResult()) # Better extraction # si = <32>0x1000000[0xcffffff, 0xdffffff]R si = claripy.SI(bits=32, stride=0x1000000, lower_bound=0xcffffff, upper_bound=0xdffffff) si_byte0 = si[7:0] si_byte1 = si[15:8] si_byte2 = si[23:16] si_byte3 = si[31:24] nose.tools.assert_true( is_equal( si_byte0, claripy.SI(bits=8, stride=0, lower_bound=0xff, upper_bound=0xff))) nose.tools.assert_true( is_equal( si_byte1, claripy.SI(bits=8, stride=0, lower_bound=0xff, upper_bound=0xff))) nose.tools.assert_true( is_equal( si_byte2, claripy.SI(bits=8, stride=0, lower_bound=0xff, upper_bound=0xff))) nose.tools.assert_true( is_equal( si_byte3, claripy.SI(bits=8, stride=1, lower_bound=0xc, upper_bound=0xd))) # Optimization on bitwise-and si_1 = claripy.SI(bits=32, stride=1, lower_bound=0x0, upper_bound=0xffffffff) si_2 = claripy.SI(bits=32, stride=0, lower_bound=0x80000000, upper_bound=0x80000000) si = si_1 & si_2 nose.tools.assert_true( is_equal( si, claripy.SI(bits=32, stride=0x80000000, lower_bound=0, upper_bound=0x80000000))) si_1 = claripy.SI(bits=32, stride=1, lower_bound=0x0, upper_bound=0x7fffffff) si_2 = claripy.SI(bits=32, stride=0, lower_bound=0x80000000, upper_bound=0x80000000) si = si_1 & si_2 nose.tools.assert_true( is_equal(si, claripy.SI(bits=32, stride=0, lower_bound=0, upper_bound=0))) # # ValueSet # vs_1 = claripy.ValueSet(bits=32) nose.tools.assert_true(vs_1.model.is_empty, True) # Test merging two addresses vs_1.model.merge_si('global', si1) vs_1.model.merge_si('global', si3) nose.tools.assert_true( vs_1.model.get_si('global').identical( SI(bits=32, stride=18, lower_bound=10, upper_bound=28).model)) # Length of this ValueSet nose.tools.assert_equal(len(vs_1.model), 32) vs_1 = claripy.ValueSet(name='boo', bits=32) vs_2 = claripy.ValueSet(name='boo', bits=32) nose.tools.assert_true(vs_1.identical(vs_1)) nose.tools.assert_true(vs_1.identical(vs_2)) vs_1.model.merge_si('global', si1) nose.tools.assert_false(vs_1.identical(vs_2)) vs_2.model.merge_si('global', si1) nose.tools.assert_true(vs_1.identical(vs_2)) vs_1.model.merge_si('global', si3) nose.tools.assert_false(vs_1.identical(vs_2)) # # IfProxy # # max and min on IfProxy si = claripy.SI(bits=32, stride=1, lower_bound=0, upper_bound=0xffffffff) if_0 = claripy.If(si == 0, si, si - 1) max_val = b.max(if_0) min_val = b.min(if_0) nose.tools.assert_true(max_val, 0xffffffff) nose.tools.assert_true(min_val, -0x80000000) # if_1 = And(VS_2, IfProxy(si == 0, 0, 1)) vs_2 = VS(region='global', bits=32, val=0xFA7B00B) si = claripy.SI(bits=32, stride=1, lower_bound=0, upper_bound=1) if_1 = (vs_2 & claripy.If( si == 0, claripy.SI(bits=32, stride=0, lower_bound=0, upper_bound=0), claripy.SI( bits=32, stride=0, lower_bound=0xffffffff, upper_bound=0xffffffff))) nose.tools.assert_true( claripy.is_true( if_1.model.trueexpr == VS(region='global', bits=32, val=0).model)) nose.tools.assert_true(claripy.is_true(if_1.model.falseexpr == vs_2.model)) # if_2 = And(VS_3, IfProxy(si != 0, 0, 1) vs_3 = claripy.ValueSet(region='global', bits=32, val=0xDEADCA7) si = claripy.SI(bits=32, stride=1, lower_bound=0, upper_bound=1) if_2 = (vs_3 & claripy.If( si != 0, claripy.SI(bits=32, stride=0, lower_bound=0, upper_bound=0), claripy.SI( bits=32, stride=0, lower_bound=0xffffffff, upper_bound=0xffffffff))) nose.tools.assert_true( claripy.is_true( if_2.model.trueexpr == VS(region='global', bits=32, val=0).model)) nose.tools.assert_true(claripy.is_true(if_2.model.falseexpr == vs_3.model)) # Something crazy is gonna happen... if_3 = if_1 + if_2 nose.tools.assert_true(claripy.is_true(if_3.model.trueexpr == vs_3.model)) nose.tools.assert_true(claripy.is_true(if_3.model.falseexpr == vs_2.model))
def VS(name=None, bits=None, region=None, val=None): region = 'foobar' if region is None else region return claripy.ValueSet(bits, region=region, region_base_addr=0, value=val, name=name)
def state_blank(self, addr=None, initial_prefix=None, brk=None, stack_end=None, stack_size=1024 * 1024 * 8, stdin=None, thread_idx=None, permissions_backer=None, **kwargs): """ Initialize a blank state. All parameters are optional. :param addr: The execution start address. :param initial_prefix: :param stack_end: The end of the stack (i.e., the byte after the last valid stack address). :param stack_size: The number of bytes to allocate for stack space :param brk: The address of the process' break. :return: The initialized SimState. Any additional arguments will be passed to the SimState constructor """ # TODO: move ALL of this into the SimState constructor if kwargs.get('mode', None) is None: kwargs['mode'] = self.project._default_analysis_mode if permissions_backer is not None: kwargs['permissions_map'] = permissions_backer[1] kwargs['default_permissions'] = 7 if permissions_backer[0] else 3 if kwargs.get('cle_memory_backer', None) is None: kwargs['cle_memory_backer'] = self.project.loader if kwargs.get('os_name', None) is None: kwargs['os_name'] = self.name actual_stack_end = stack_end if stack_end is None: stack_end = self.arch.initial_sp if kwargs.get('permissions_map', None) is None: # just a dict of address ranges to permission bits permission_map = {} for obj in self.project.loader.all_objects: for seg in obj.segments: perms = 0 # bit values based off of protection bit values from sys/mman.h if seg.is_readable: perms |= 1 # PROT_READ if seg.is_writable: perms |= 2 # PROT_WRITE if seg.is_executable: perms |= 4 # PROT_EXEC permission_map[(seg.min_addr, seg.max_addr)] = perms kwargs['permissions_map'] = permission_map if self.project.loader.main_object.execstack: stack_perms = 1 | 2 | 4 # RWX else: stack_perms = 1 | 2 # RW state = SimState(self.project, stack_end=stack_end, stack_size=stack_size, stack_perms=stack_perms, **kwargs) if stdin is not None and not isinstance(stdin, SimFileBase): if type(stdin) is type: stdin = stdin(name='stdin', has_end=False) else: if isinstance(stdin, claripy.Bits): num_bytes = len(stdin) // self.project.arch.byte_width else: num_bytes = len(stdin) _l.warning( "stdin is constrained to %d bytes (has_end=True). If you are only providing the first " "%d bytes instead of the entire stdin, please use " "stdin=SimFileStream(name='stdin', content=your_first_n_bytes, has_end=False).", num_bytes, num_bytes) stdin = SimFileStream(name='stdin', content=stdin, has_end=True) last_addr = self.project.loader.main_object.max_addr actual_brk = (last_addr - last_addr % 0x1000 + 0x1000) if brk is None else brk state.register_plugin('posix', SimSystemPosix(stdin=stdin, brk=actual_brk)) if state.arch.sp_offset is not None: state.regs.sp = stack_end if initial_prefix is not None: for reg in state.arch.default_symbolic_registers: state.registers.store( reg, state.solver.BVS(initial_prefix + "_" + reg, state.arch.bits, explicit_name=True, key=('reg', reg), eternal=True)) for reg, val, is_addr, mem_region in state.arch.default_register_values: region_base = None # so pycharm does not complain if is_addr: if isinstance(mem_region, tuple): # unpack it mem_region, region_base = mem_region elif mem_region == 'global': # Backward compatibility region_base = 0 else: raise AngrSimOSError( 'You must specify the base address for memory region "%s". ' % mem_region) # special case for stack_end overriding sp default if actual_stack_end is not None and state.arch.registers[reg][ 0] == state.arch.sp_offset: continue if o.ABSTRACT_MEMORY in state.options and is_addr: address = claripy.ValueSet(state.arch.bits, mem_region, region_base, val) state.registers.store(reg, address) else: state.registers.store(reg, val) if addr is None: state.regs.ip = self.project.entry thread_name = self.project.loader.main_object.threads[ thread_idx] if thread_idx is not None else None for reg, val in self.project.loader.main_object.thread_registers( thread_name).items(): if reg in ('fs', 'gs', 'cs', 'ds', 'es', 'ss') and state.arch.name == 'X86': state.registers.store(reg, val >> 16) # oh boy big hack elif reg in state.arch.registers or reg in ('flags', 'eflags', 'rflags'): state.registers.store(reg, val) elif reg == 'fctrl': state.regs.fpround = (val & 0xC00) >> 10 elif reg == 'fstat': state.regs.fc3210 = (val & 0x4700) elif reg == 'ftag': empty_bools = [((val >> (x * 2)) & 3) == 3 for x in range(8)] tag_chars = [ claripy.BVV(0 if x else 1, 8) for x in empty_bools ] for i, tag in enumerate(tag_chars): setattr(state.regs, 'fpu_t%d' % i, tag) elif reg in ('fiseg', 'fioff', 'foseg', 'fooff', 'fop'): pass elif reg == 'mxcsr': state.regs.sseround = (val & 0x600) >> 9 else: _l.error("What is this register %s I have to translate?", reg) if addr is not None: state.regs.ip = addr # set up the "root history" node state.scratch.ins_addr = addr state.scratch.bbl_addr = addr state.scratch.stmt_idx = 0 state.history.jumpkind = 'Ijk_Boring' return state
def state_blank(self, addr=None, initial_prefix=None, **kwargs): """ Initialize a blank state. All parameters are optional. :param addr: The execution start address. :param initial_prefix: :return: The initialized SimState. :rtype: simuvex.SimState """ if kwargs.get('mode', None) is None: kwargs['mode'] = self.proj._default_analysis_mode if kwargs.get('permissions_backer', None) is None: # just a dict of address ranges to permission bits permission_map = {} for obj in self.proj.loader.all_objects: for seg in obj.segments: perms = 0 # bit values based off of protection bit values from sys/mman.h if seg.is_readable: perms |= 1 # PROT_READ if seg.is_writable: perms |= 2 # PROT_WRITE if seg.is_executable: perms |= 4 # PROT_EXEC permission_map[(obj.rebase_addr + seg.min_addr, obj.rebase_addr + seg.max_addr)] = perms permissions_backer = (self.proj.loader.main_bin.execstack, permission_map) kwargs['permissions_backer'] = permissions_backer if kwargs.get('memory_backer', None) is None: kwargs['memory_backer'] = self.proj.loader.memory if kwargs.get('arch', None) is None: kwargs['arch'] = self.proj.arch state = SimState(**kwargs) if o.INITIALIZE_ZERO_REGISTERS in state.options: for r in self.arch.registers: setattr(state.regs, r, 0) state.regs.sp = self.arch.initial_sp if initial_prefix is not None: for reg in state.arch.default_symbolic_registers: state.registers.store( reg, claripy.BVS(initial_prefix + "_" + reg, state.arch.bits, explicit_name=True)) for reg, val, is_addr, mem_region in state.arch.default_register_values: if o.ABSTRACT_MEMORY in state.options and is_addr: address = claripy.ValueSet(region=mem_region, bits=state.arch.bits, val=val) state.registers.store(reg, address) else: state.registers.store(reg, val) if addr is None: addr = self.proj.entry state.regs.ip = addr state.scratch.ins_addr = addr state.scratch.bbl_addr = addr state.scratch.stmt_idx = 0 state.scratch.jumpkind = 'Ijk_Boring' state.procedure_data.hook_addr = self.continue_addr return state
def test_vsa(): # Set backend b = claripy.backends.vsa SI = claripy.SI VS = claripy.ValueSet BVV = claripy.BVV # Disable the use of DiscreteStridedIntervalSet claripy.vsa.strided_interval.allow_dsis = False def is_equal(ast_0, ast_1): return claripy.backends.vsa.identical(ast_0, ast_1) si1 = claripy.TSI(32, name="foo", explicit_name=True) nose.tools.assert_equal(vsa_model(si1).name, "foo") # Normalization si1 = SI(bits=32, stride=1, lower_bound=10, upper_bound=10) nose.tools.assert_equal(vsa_model(si1).stride, 0) # Integers si1 = claripy.SI(bits=32, stride=0, lower_bound=10, upper_bound=10) si2 = claripy.SI(bits=32, stride=0, lower_bound=10, upper_bound=10) si3 = claripy.SI(bits=32, stride=0, lower_bound=28, upper_bound=28) # Strided intervals si_a = claripy.SI(bits=32, stride=2, lower_bound=10, upper_bound=20) si_b = claripy.SI(bits=32, stride=2, lower_bound=-100, upper_bound=200) si_c = claripy.SI(bits=32, stride=3, lower_bound=-100, upper_bound=200) si_d = claripy.SI(bits=32, stride=2, lower_bound=50, upper_bound=60) si_e = claripy.SI(bits=16, stride=1, lower_bound=0x2000, upper_bound=0x3000) si_f = claripy.SI(bits=16, stride=1, lower_bound=0, upper_bound=255) si_g = claripy.SI(bits=16, stride=1, lower_bound=0, upper_bound=0xff) si_h = claripy.SI(bits=32, stride=0, lower_bound=0x80000000, upper_bound=0x80000000) nose.tools.assert_true(is_equal(si1, claripy.SI(bits=32, to_conv=10))) nose.tools.assert_true(is_equal(si2, claripy.SI(bits=32, to_conv=10))) nose.tools.assert_true(is_equal(si1, si2)) # __add__ si_add_1 = si1 + si2 nose.tools.assert_true( is_equal(si_add_1, claripy.SI(bits=32, stride=0, lower_bound=20, upper_bound=20))) si_add_2 = si1 + si_a nose.tools.assert_true( is_equal(si_add_2, claripy.SI(bits=32, stride=2, lower_bound=20, upper_bound=30))) si_add_3 = si_a + si_b nose.tools.assert_true( is_equal( si_add_3, claripy.SI(bits=32, stride=2, lower_bound=-90, upper_bound=220))) si_add_4 = si_b + si_c nose.tools.assert_true( is_equal( si_add_4, claripy.SI(bits=32, stride=1, lower_bound=-200, upper_bound=400))) # __add__ with overflow si_add_5 = si_h + 0xffffffff nose.tools.assert_true( is_equal( si_add_5, claripy.SI(bits=32, stride=0, lower_bound=0x7fffffff, upper_bound=0x7fffffff))) # __sub__ si_minus_1 = si1 - si2 nose.tools.assert_true( is_equal(si_minus_1, claripy.SI(bits=32, stride=0, lower_bound=0, upper_bound=0))) si_minus_2 = si_a - si_b nose.tools.assert_true( is_equal( si_minus_2, claripy.SI(bits=32, stride=2, lower_bound=-190, upper_bound=120))) si_minus_3 = si_b - si_c nose.tools.assert_true( is_equal( si_minus_3, claripy.SI(bits=32, stride=1, lower_bound=-300, upper_bound=300))) # __neg__ / __invert__ / bitwise not si_neg_1 = ~si1 nose.tools.assert_true(is_equal(si_neg_1, claripy.SI(bits=32, to_conv=-11))) si_neg_2 = ~si_b nose.tools.assert_true( is_equal( si_neg_2, claripy.SI(bits=32, stride=2, lower_bound=-201, upper_bound=99))) # __or__ si_or_1 = si1 | si3 nose.tools.assert_true(is_equal(si_or_1, claripy.SI(bits=32, to_conv=30))) si_or_2 = si1 | si2 nose.tools.assert_true(is_equal(si_or_2, claripy.SI(bits=32, to_conv=10))) si_or_3 = si1 | si_a # An integer | a strided interval nose.tools.assert_true( is_equal(si_or_3, claripy.SI(bits=32, stride=2, lower_bound=10, upper_bound=30))) si_or_3 = si_a | si1 # Exchange the operands nose.tools.assert_true( is_equal(si_or_3, claripy.SI(bits=32, stride=2, lower_bound=10, upper_bound=30))) si_or_4 = si_a | si_d # A strided interval | another strided interval nose.tools.assert_true( is_equal(si_or_4, claripy.SI(bits=32, stride=2, lower_bound=50, upper_bound=62))) si_or_4 = si_d | si_a # Exchange the operands nose.tools.assert_true( is_equal(si_or_4, claripy.SI(bits=32, stride=2, lower_bound=50, upper_bound=62))) si_or_5 = si_e | si_f # nose.tools.assert_true( is_equal( si_or_5, claripy.SI(bits=16, stride=1, lower_bound=0x2000, upper_bound=0x30ff))) si_or_6 = si_e | si_g # nose.tools.assert_true( is_equal( si_or_6, claripy.SI(bits=16, stride=1, lower_bound=0x2000, upper_bound=0x30ff))) # Shifting si_shl_1 = si1 << 3 nose.tools.assert_equal(si_shl_1.size(), 32) nose.tools.assert_true( is_equal(si_shl_1, claripy.SI(bits=32, stride=0, lower_bound=80, upper_bound=80))) # Multiplication si_mul_1 = si1 * 3 nose.tools.assert_equal(si_mul_1.size(), 32) nose.tools.assert_true( is_equal(si_mul_1, claripy.SI(bits=32, stride=0, lower_bound=30, upper_bound=30))) si_mul_2 = si_a * 3 nose.tools.assert_equal(si_mul_2.size(), 32) nose.tools.assert_true( is_equal(si_mul_2, claripy.SI(bits=32, stride=6, lower_bound=30, upper_bound=60))) si_mul_3 = si_a * si_b nose.tools.assert_equal(si_mul_3.size(), 32) nose.tools.assert_true( is_equal( si_mul_3, claripy.SI(bits=32, stride=2, lower_bound=-2000, upper_bound=4000))) # Division si_div_1 = si1 / 3 nose.tools.assert_equal(si_div_1.size(), 32) nose.tools.assert_true( is_equal(si_div_1, claripy.SI(bits=32, stride=0, lower_bound=3, upper_bound=3))) si_div_2 = si_a / 3 nose.tools.assert_equal(si_div_2.size(), 32) nose.tools.assert_true( is_equal(si_div_2, claripy.SI(bits=32, stride=1, lower_bound=3, upper_bound=6))) # Modulo si_mo_1 = si1 % 3 nose.tools.assert_equal(si_mo_1.size(), 32) nose.tools.assert_true( is_equal(si_mo_1, claripy.SI(bits=32, stride=0, lower_bound=1, upper_bound=1))) si_mo_2 = si_a % 3 nose.tools.assert_equal(si_mo_2.size(), 32) nose.tools.assert_true( is_equal(si_mo_2, claripy.SI(bits=32, stride=1, lower_bound=0, upper_bound=2))) # # Extracting the sign bit # # a negative integer si = claripy.SI(bits=64, stride=0, lower_bound=-1, upper_bound=-1) sb = si[63:63] nose.tools.assert_true(is_equal(sb, claripy.SI(bits=1, to_conv=1))) # non-positive integers si = claripy.SI(bits=64, stride=1, lower_bound=-1, upper_bound=0) sb = si[63:63] nose.tools.assert_true( is_equal(sb, claripy.SI(bits=1, stride=1, lower_bound=0, upper_bound=1))) # Extracting an integer si = claripy.SI(bits=64, stride=0, lower_bound=0x7fffffffffff0000, upper_bound=0x7fffffffffff0000) part1 = si[63:32] part2 = si[31:0] nose.tools.assert_true( is_equal( part1, claripy.SI(bits=32, stride=0, lower_bound=0x7fffffff, upper_bound=0x7fffffff))) nose.tools.assert_true( is_equal( part2, claripy.SI(bits=32, stride=0, lower_bound=0xffff0000, upper_bound=0xffff0000))) # Concatenating two integers si_concat = part1.concat(part2) nose.tools.assert_true(is_equal(si_concat, si)) # Extracting a claripy.SI si = claripy.SI(bits=64, stride=0x9, lower_bound=0x1, upper_bound=0xa) part1 = si[63:32] part2 = si[31:0] nose.tools.assert_true( is_equal( part1, claripy.SI(bits=32, stride=0, lower_bound=0x0, upper_bound=0x0))) nose.tools.assert_true( is_equal(part2, claripy.SI(bits=32, stride=9, lower_bound=1, upper_bound=10))) # Concatenating two claripy.SIs si_concat = part1.concat(part2) nose.tools.assert_true(is_equal(si_concat, si)) # Concatenating two SIs that are of different sizes si_1 = SI(bits=64, stride=1, lower_bound=0, upper_bound=0xffffffffffffffff) si_2 = SI(bits=32, stride=1, lower_bound=0, upper_bound=0xffffffff) si_concat = si_1.concat(si_2) nose.tools.assert_true( is_equal( si_concat, SI(bits=96, stride=1, lower_bound=0, upper_bound=0xffffffffffffffffffffffff))) # Zero-Extend the low part si_zeroextended = part2.zero_extend(32) nose.tools.assert_true( is_equal(si_zeroextended, claripy.SI(bits=64, stride=9, lower_bound=1, upper_bound=10))) # Sign-extension si_signextended = part2.sign_extend(32) nose.tools.assert_true( is_equal(si_signextended, claripy.SI(bits=64, stride=9, lower_bound=1, upper_bound=10))) # Extract from the result above si_extracted = si_zeroextended[31:0] nose.tools.assert_true( is_equal(si_extracted, claripy.SI(bits=32, stride=9, lower_bound=1, upper_bound=10))) # Union si_union_1 = si1.union(si2) nose.tools.assert_true( is_equal(si_union_1, claripy.SI(bits=32, stride=0, lower_bound=10, upper_bound=10))) si_union_2 = si1.union(si3) nose.tools.assert_true( is_equal( si_union_2, claripy.SI(bits=32, stride=18, lower_bound=10, upper_bound=28))) si_union_3 = si1.union(si_a) nose.tools.assert_true( is_equal(si_union_3, claripy.SI(bits=32, stride=2, lower_bound=10, upper_bound=20))) si_union_4 = si_a.union(si_b) nose.tools.assert_true( is_equal( si_union_4, claripy.SI(bits=32, stride=2, lower_bound=-100, upper_bound=200))) si_union_5 = si_b.union(si_c) nose.tools.assert_true( is_equal( si_union_5, claripy.SI(bits=32, stride=1, lower_bound=-100, upper_bound=200))) # Intersection si_intersection_1 = si1.intersection(si1) nose.tools.assert_true(is_equal(si_intersection_1, si2)) si_intersection_2 = si1.intersection(si2) nose.tools.assert_true( is_equal(si_intersection_2, claripy.SI(bits=32, stride=0, lower_bound=10, upper_bound=10))) si_intersection_3 = si1.intersection(si_a) nose.tools.assert_true( is_equal(si_intersection_3, claripy.SI(bits=32, stride=0, lower_bound=10, upper_bound=10))) si_intersection_4 = si_a.intersection(si_b) nose.tools.assert_true( is_equal(si_intersection_4, claripy.SI(bits=32, stride=2, lower_bound=10, upper_bound=20))) si_intersection_5 = si_b.intersection(si_c) nose.tools.assert_true( is_equal( si_intersection_5, claripy.SI(bits=32, stride=6, lower_bound=-100, upper_bound=200))) # More intersections t0 = claripy.SI(bits=32, stride=1, lower_bound=0, upper_bound=0x27) t1 = claripy.SI(bits=32, stride=0x7fffffff, lower_bound=0x80000002, upper_bound=1) si_is_6 = t0.intersection(t1) nose.tools.assert_true( is_equal(si_is_6, claripy.SI(bits=32, stride=0, lower_bound=1, upper_bound=1))) t2 = claripy.SI(bits=32, stride=5, lower_bound=20, upper_bound=30) t3 = claripy.SI(bits=32, stride=1, lower_bound=27, upper_bound=0xffffffff) si_is_7 = t2.intersection(t3) nose.tools.assert_true( is_equal(si_is_7, claripy.SI(bits=32, stride=0, lower_bound=30, upper_bound=30))) t4 = claripy.SI(bits=32, stride=5, lower_bound=-400, upper_bound=400) t5 = claripy.SI(bits=32, stride=1, lower_bound=395, upper_bound=-395) si_is_8 = t4.intersection(t5) nose.tools.assert_true( is_equal( si_is_8, claripy.SI(bits=32, stride=5, lower_bound=-400, upper_bound=400))) # Sign-extension si = claripy.SI(bits=1, stride=0, lower_bound=1, upper_bound=1) si_signextended = si.sign_extend(31) nose.tools.assert_true( is_equal( si_signextended, claripy.SI(bits=32, stride=0, lower_bound=0xffffffff, upper_bound=0xffffffff))) # Comparison between claripy.SI and BVV si = claripy.SI(bits=32, stride=1, lower_bound=-0x7f, upper_bound=0x7f) si._model_vsa.uninitialized = True bvv = BVV(0x30, 32) comp = (si < bvv) nose.tools.assert_true(vsa_model(comp).identical(MaybeResult())) # Better extraction # si = <32>0x1000000[0xcffffff, 0xdffffff]R si = claripy.SI(bits=32, stride=0x1000000, lower_bound=0xcffffff, upper_bound=0xdffffff) si_byte0 = si[7:0] si_byte1 = si[15:8] si_byte2 = si[23:16] si_byte3 = si[31:24] nose.tools.assert_true( is_equal( si_byte0, claripy.SI(bits=8, stride=0, lower_bound=0xff, upper_bound=0xff))) nose.tools.assert_true( is_equal( si_byte1, claripy.SI(bits=8, stride=0, lower_bound=0xff, upper_bound=0xff))) nose.tools.assert_true( is_equal( si_byte2, claripy.SI(bits=8, stride=0, lower_bound=0xff, upper_bound=0xff))) nose.tools.assert_true( is_equal( si_byte3, claripy.SI(bits=8, stride=1, lower_bound=0xc, upper_bound=0xd))) # Optimization on bitwise-and si_1 = claripy.SI(bits=32, stride=1, lower_bound=0x0, upper_bound=0xffffffff) si_2 = claripy.SI(bits=32, stride=0, lower_bound=0x80000000, upper_bound=0x80000000) si = si_1 & si_2 nose.tools.assert_true( is_equal( si, claripy.SI(bits=32, stride=0x80000000, lower_bound=0, upper_bound=0x80000000))) si_1 = claripy.SI(bits=32, stride=1, lower_bound=0x0, upper_bound=0x7fffffff) si_2 = claripy.SI(bits=32, stride=0, lower_bound=0x80000000, upper_bound=0x80000000) si = si_1 & si_2 nose.tools.assert_true( is_equal(si, claripy.SI(bits=32, stride=0, lower_bound=0, upper_bound=0))) # Concatenation: concat with zeros only increases the stride si_1 = claripy.SI(bits=8, stride=0xff, lower_bound=0x0, upper_bound=0xff) si_2 = claripy.SI(bits=8, stride=0, lower_bound=0, upper_bound=0) si = si_1.concat(si_2) nose.tools.assert_true( is_equal( si, claripy.SI(bits=16, stride=0xff00, lower_bound=0, upper_bound=0xff00))) # Extract from a reversed value si_1 = claripy.SI(bits=64, stride=0xff, lower_bound=0x0, upper_bound=0xff) si_2 = si_1.reversed[63:56] nose.tools.assert_true( is_equal( si_2, claripy.SI(bits=8, stride=0xff, lower_bound=0x0, upper_bound=0xff))) # # ValueSet # vs_1 = claripy.ValueSet(bits=32) nose.tools.assert_true(vsa_model(vs_1).is_empty, True) # Test merging two addresses vsa_model(vs_1).merge_si('global', vsa_model(si1)) vsa_model(vs_1).merge_si('global', vsa_model(si3)) nose.tools.assert_true( vsa_model(vs_1).get_si('global').identical( vsa_model(SI(bits=32, stride=18, lower_bound=10, upper_bound=28)))) # Length of this ValueSet nose.tools.assert_equal(len(vsa_model(vs_1)), 32) vs_1 = claripy.ValueSet(name='boo', bits=32) vs_2 = claripy.ValueSet(name='foo', bits=32) nose.tools.assert_true(claripy.backends.vsa.identical(vs_1, vs_1)) nose.tools.assert_true(claripy.backends.vsa.identical(vs_2, vs_2)) vsa_model(vs_1).merge_si('global', vsa_model(si1)) nose.tools.assert_false(claripy.backends.vsa.identical(vs_1, vs_2)) vsa_model(vs_2).merge_si('global', vsa_model(si1)) nose.tools.assert_true(claripy.backends.vsa.identical(vs_1, vs_2)) nose.tools.assert_true(claripy.backends.vsa.is_true((vs_1 & vs_2) == vs_1)) vsa_model(vs_1).merge_si('global', vsa_model(si3)) nose.tools.assert_false(claripy.backends.vsa.identical(vs_1, vs_2)) # Subtraction # Subtraction of two pointers yields a concrete value vs_1 = claripy.ValueSet(name='foo', region='global', bits=32, val=0x400010) vs_2 = claripy.ValueSet(name='bar', region='global', bits=32, val=0x400000) si = vs_1 - vs_2 nose.tools.assert_is(type(vsa_model(si)), StridedInterval) nose.tools.assert_true( claripy.backends.vsa.identical( si, claripy.SI(bits=32, stride=0, lower_bound=0x10, upper_bound=0x10))) # # IfProxy # si = claripy.SI(bits=32, stride=1, lower_bound=10, upper_bound=0xffffffff) if_0 = claripy.If(si == 0, si, si - 1) nose.tools.assert_true(claripy.backends.vsa.identical(if_0, if_0)) nose.tools.assert_false(claripy.backends.vsa.identical(if_0, si)) # max and min on IfProxy si = claripy.SI(bits=32, stride=1, lower_bound=0, upper_bound=0xffffffff) if_0 = claripy.If(si == 0, si, si - 1) max_val = b.max(if_0) min_val = b.min(if_0) nose.tools.assert_equal(max_val, 0xffffffff) nose.tools.assert_equal(min_val, 0x00000000) # identical nose.tools.assert_true(claripy.backends.vsa.identical(if_0, if_0)) nose.tools.assert_true(claripy.backends.vsa.identical(if_0, si)) if_0_copy = claripy.If(si == 0, si, si - 1) nose.tools.assert_true(claripy.backends.vsa.identical(if_0, if_0_copy)) if_1 = claripy.If(si == 1, si, si - 1) nose.tools.assert_true(claripy.backends.vsa.identical(if_0, if_1)) si = SI(bits=32, stride=0, lower_bound=1, upper_bound=1) if_0 = claripy.If(si == 0, si, si - 1) if_0_copy = claripy.If(si == 0, si, si - 1) nose.tools.assert_true(claripy.backends.vsa.identical(if_0, if_0_copy)) if_1 = claripy.If(si == 1, si, si - 1) nose.tools.assert_false(claripy.backends.vsa.identical(if_0, if_1)) if_1 = claripy.If(si == 0, si + 1, si - 1) nose.tools.assert_true(claripy.backends.vsa.identical(if_0, if_1)) if_1 = claripy.If(si == 0, si, si) nose.tools.assert_false(claripy.backends.vsa.identical(if_0, if_1)) # if_1 = And(VS_2, IfProxy(si == 0, 0, 1)) vs_2 = VS(region='global', bits=32, val=0xFA7B00B) si = claripy.SI(bits=32, stride=1, lower_bound=0, upper_bound=1) if_1 = (vs_2 & claripy.If( si == 0, claripy.SI(bits=32, stride=0, lower_bound=0, upper_bound=0), claripy.SI( bits=32, stride=0, lower_bound=0xffffffff, upper_bound=0xffffffff))) nose.tools.assert_true( claripy.backends.vsa.is_true( vsa_model(if_1.ite_excavated.args[1]) == vsa_model( VS(region='global', bits=32, val=0)))) nose.tools.assert_true( claripy.backends.vsa.is_true( vsa_model(if_1.ite_excavated.args[2]) == vsa_model(vs_2))) # if_2 = And(VS_3, IfProxy(si != 0, 0, 1) vs_3 = claripy.ValueSet(region='global', bits=32, val=0xDEADCA7) si = claripy.SI(bits=32, stride=1, lower_bound=0, upper_bound=1) if_2 = (vs_3 & claripy.If( si != 0, claripy.SI(bits=32, stride=0, lower_bound=0, upper_bound=0), claripy.SI( bits=32, stride=0, lower_bound=0xffffffff, upper_bound=0xffffffff))) nose.tools.assert_true( claripy.backends.vsa.is_true( vsa_model(if_2.ite_excavated.args[1]) == vsa_model( VS(region='global', bits=32, val=0)))) nose.tools.assert_true( claripy.backends.vsa.is_true( vsa_model(if_2.ite_excavated.args[2]) == vsa_model(vs_3)))