Esempi in Python per PointerWrapper

Esempio n. 1

 def main_state(argc, add_options=None):
     add_options = add_options or so.unicorn
     main_addr = p.loader.find_symbol("main").rebased_addr
     return p.factory.call_state(main_addr,
                                 argc,
                                 angr.PointerWrapper([]),
                                 add_options=add_options)

Esempio n. 2

File: sim_en.py Progetto: purseclab/qemusgx

        "sgx_is_within_enclave").relative_addr + proj.loader.min_addr
    proj.hook(addr, sgx_is_within_enclave())
    proj.hook_symbol("abort", abort())
    proj.hook_symbol("sgx_lfence", sgx_lfence())
    proj.hook_symbol("sgx_is_outside_enclave", sgx_is_outside_enclave())
    proj.hook_symbol("printf", printf())
    proj.hook_symbol("sgx_ocall", sgx_ocall())

#Get CFG
cfg = proj.analyses.CFGFast()
cfg.normalize()

#Get call syntax
val = claripy.BVS('val', 64)
val = val.reversed
ptr_val = angr.PointerWrapper(val)
size = claripy.BVS('size', 32)
char_val = claripy.BVS("char_val", 8)

struct_val = claripy.BVS('struct', 128)
struct_val_ptr = angr.PointerWrapper(struct_val)

array_size = 32 * 4
array = claripy.BVS('arr', array_size)

foo0 = claripy.BVS('foo0', 64)
foo1 = claripy.BVS('foo1', 64)

floatarg = claripy.FPS('float1', claripy.FSORT_DOUBLE)
array_ptr = angr.PointerWrapper(array)
val2 = claripy.BVS('val2', 32)

Esempio n. 3

File: solve.py Progetto: yanshu911/long-driller

def test():
    assert find_bug(
        setup_project(), 'grub_password_get',
        (angr.PointerWrapper('\0' * 64),
         64)) == '\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\r'

Esempio n. 4

File: solve.py Progetto: yanshu911/long-driller

def find_bug(project, function, args):
    # set up the most generic state that could enter this function
    func_addr = project.loader.find_symbol(function).rebased_addr
    start_state = project.factory.call_state(func_addr, *args)

    # create a new simulation manager to explore the state space of this function
    simgr = project.factory.simulation_manager(start_state)
    simgr.use_technique(SearchForNull())
    simgr.use_technique(CheckUniqueness())
    simgr.run()

    print 'we found a crashing input!'
    print 'crashing state:', simgr.found[0]
    print 'input:', repr(simgr.found[0].posix.dumps(0))
    return simgr.found[0].posix.dumps(0)


def test():
    assert find_bug(
        setup_project(), 'grub_password_get',
        (angr.PointerWrapper('\0' * 64),
         64)) == '\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\r'


if __name__ == '__main__':
    logging.getLogger('angr.manager').setLevel('DEBUG')
    p = setup_project()
    find_bug(p, 'grub_password_get', (angr.PointerWrapper('\0' * 64), 64))

Esempio n. 5

def test_stops():
    p = angr.Project(os.path.join(test_location, 'binaries', 'tests', 'i386',
                                  'uc_stop'),
                     auto_load_libs=False)

    # test STOP_NORMAL, STOP_STOPPOINT
    s_normal = p.factory.entry_state(args=["a"], add_options=so.unicorn)
    s_normal.unicorn.max_steps = 100
    pg_normal = p.factory.simulation_manager(s_normal).run()
    p_normal = pg_normal.one_deadended
    _compare_trace(
        p_normal.history.descriptions,
        [
            "<Unicorn (STOP_STOPPOINT after 4 steps) from 0x8048340: 1 sat>",
            "<SimProcedure __libc_start_main from 0x8119990: 1 sat>",
            "<Unicorn (STOP_STOPPOINT after 14 steps) from 0x8048650: 1 sat>",
            "<SimProcedure __libc_start_main from 0x8400044: 1 sat>",
            "<Unicorn (STOP_NORMAL after 100 steps) from 0x80485b5: 1 sat>",
            "<Unicorn (STOP_STOPPOINT after 12 steps) from 0x804846f: 1 sat>",
            "<SimProcedure __libc_start_main from 0x8400048: 1 sat>",
        ],
    )

    s_normal_angr = p.factory.entry_state(args=["a"])
    pg_normal_angr = p.factory.simulation_manager(s_normal_angr).run()
    p_normal_angr = pg_normal_angr.one_deadended
    assert (p_normal_angr.history.bbl_addrs.hardcopy ==
            p_normal.history.bbl_addrs.hardcopy)

    # test STOP_STOPPOINT on an address that is not a basic block start
    s_stoppoints = p.factory.call_state(
        p.loader.find_symbol("main").rebased_addr,
        1,
        angr.PointerWrapper([]),
        add_options=so.unicorn)

    # this address is right before/after the bb for the stop_normal() function ends
    # we should not stop there, since that code is never hit
    stop_fake = [0x0804847C, 0x08048454]

    # this is an address inside main that is not the beginning of a basic block. we should stop here
    stop_in_bb = 0x08048638
    stop_bb = 0x08048633  # basic block of the above address
    pg_stoppoints = p.factory.simulation_manager(s_stoppoints).run(
        n=1, extra_stop_points=stop_fake + [stop_in_bb])
    assert len(pg_stoppoints.active) == 1
    p_stoppoints = pg_stoppoints.one_active
    assert p_stoppoints.addr == stop_bb
    _compare_trace(
        p_stoppoints.history.descriptions,
        ["<Unicorn (STOP_STOPPOINT after 111 steps) from 0x80485b5: 1 sat>"],
    )

    # test STOP_SYMBOLIC_READ_SYMBOLIC_TRACKING_DISABLED
    s_symbolic_read_tracking_disabled = p.factory.entry_state(
        args=["a", "a"],
        add_options=so.unicorn,
        remove_options={so.UNICORN_SYM_REGS_SUPPORT},
    )
    pg_symbolic_read_tracking_disabled = p.factory.simulation_manager(
        s_symbolic_read_tracking_disabled).run()
    p_symbolic_read_tracking_disabled = pg_symbolic_read_tracking_disabled.one_deadended
    _compare_trace(
        p_symbolic_read_tracking_disabled.history.descriptions,
        [
            "<Unicorn (STOP_STOPPOINT after 4 steps) from 0x8048340: 1 sat>",
            "<SimProcedure __libc_start_main from 0x8119990: 1 sat>",
            "<Unicorn (STOP_STOPPOINT after 14 steps) from 0x8048650: 1 sat>",
            "<SimProcedure __libc_start_main from 0x8400044: 1 sat>",
            "<Unicorn (STOP_SYMBOLIC_READ_SYMBOLIC_TRACKING_DISABLED after 7 steps) from 0x80485b5: 1 sat>",
            "<IRSB from 0x804848a: 1 sat 3 unsat>",
            "<Unicorn (STOP_STOPPOINT after 3 steps) from 0x80484bb: 1 sat>",
            "<SimProcedure __libc_start_main from 0x8400048: 1 sat>",
        ],
    )

    s_symbolic_read_tracking_disabled_angr = p.factory.entry_state(
        args=["a", "a"])
    pg_symbolic_read_tracking_disabled_angr = p.factory.simulation_manager(
        s_symbolic_read_tracking_disabled_angr).run()
    p_symbolic_read_tracking_disabled_angr = (
        pg_symbolic_read_tracking_disabled_angr.one_deadended)
    assert (p_symbolic_read_tracking_disabled_angr.history.bbl_addrs.hardcopy
            == p_symbolic_read_tracking_disabled.history.bbl_addrs.hardcopy)

    # test STOP_SEGFAULT
    s_segfault = p.factory.entry_state(
        args=["a", "a", "a", "a", "a", "a", "a"],
        add_options=so.unicorn | {so.STRICT_PAGE_ACCESS, so.ENABLE_NX},
    )
    pg_segfault = p.factory.simulation_manager(s_segfault).run()
    p_segfault = pg_segfault.errored[0].state
    # TODO: fix the permissions segfault to commit if it's a MEM_FETCH
    # this will extend the last simunicorn one more block
    _compare_trace(
        p_segfault.history.descriptions,
        [
            "<Unicorn (STOP_STOPPOINT after 4 steps) from 0x8048340: 1 sat>",
            "<SimProcedure __libc_start_main from 0x8119990: 1 sat>",
            "<Unicorn (STOP_STOPPOINT after 14 steps) from 0x8048650: 1 sat>",
            "<SimProcedure __libc_start_main from 0x8400044: 1 sat>",
            "<Unicorn (STOP_SEGFAULT after 7 steps) from 0x80485b5: 1 sat>",
            "<IRSB from 0x8048508: 1 sat>",
        ],
    )

    s_segfault_angr = p.factory.entry_state(
        args=["a", "a", "a", "a", "a", "a", "a"],
        add_options={so.STRICT_PAGE_ACCESS, so.ENABLE_NX},
    )
    pg_segfault_angr = p.factory.simulation_manager(s_segfault_angr).run()
    p_segfault_angr = pg_segfault_angr.errored[0].state
    assert (p_segfault_angr.history.bbl_addrs.hardcopy ==
            p_segfault.history.bbl_addrs.hardcopy)
    assert pg_segfault_angr.errored[0].error.addr == pg_segfault.errored[
        0].error.addr

    # test STOP_SYMBOLIC_BLOCK_EXIT
    s_symbolic_exit = p.factory.entry_state(args=["a"] * 10,
                                            add_options=so.unicorn)
    pg_symbolic_exit = p.factory.simulation_manager(s_symbolic_exit).run()
    p_symbolic_exit = pg_symbolic_exit.one_deadended
    _compare_trace(
        p_symbolic_exit.history.descriptions,
        [
            "<Unicorn (STOP_STOPPOINT after 4 steps) from 0x8048340: 1 sat>",
            "<SimProcedure __libc_start_main from 0x8119990: 1 sat>",
            "<Unicorn (STOP_STOPPOINT after 14 steps) from 0x8048650: 1 sat>",
            "<SimProcedure __libc_start_main from 0x8400044: 1 sat>",
            "<Unicorn (STOP_SYMBOLIC_BLOCK_EXIT_CONDITION after 7 steps) from 0x80485b5: 1 sat>",
            "<IRSB from 0x804855d: 2 sat 1 unsat>",
            "<Unicorn (STOP_STOPPOINT after 4 steps) from 0x8048587: 1 sat>",
            "<SimProcedure __libc_start_main from 0x8400048: 1 sat>",
        ],
    )

    s_symbolic_exit_angr = p.factory.entry_state(args=["a"] * 10)
    pg_symbolic_exit_angr = p.factory.simulation_manager(
        s_symbolic_exit_angr).run()
    p_symbolic_exit_angr = pg_symbolic_exit_angr.one_deadended
    assert (p_symbolic_exit_angr.history.bbl_addrs.hardcopy ==
            p_symbolic_exit.history.bbl_addrs.hardcopy)

Esempio n. 6

File: grub.py Progetto: ohmygodlin/snippet

    start_state = project.factory.call_state(func_addr, *args)

    # create a new simulation manager to explore the state space of this function
    simgr = project.factory.simulation_manager(start_state)
    simgr.use_technique(SearchForNull())
    simgr.use_technique(CheckUniqueness())
    simgr.run()
    #tech = angr.exploration_techniques.Explorer(find = lambda s:s.addr == 0)
    #simgr.explore(find=lambda s:s.addr == 0) # explore NOT work with other technique would call step one more time, which call checkUniquess return true

    print 'we found a crashing input!'
    print 'crashing state:', simgr.found[0]
    print 'input:', repr(simgr.found[0].posix.dumps(0))
    return simgr.found[0].posix.dumps(0)


def test():
    assert find_bug(
        setup_project(), 'grub_password_get',
        (angr.PointerWrapper('\0' * 64),
         64)) == '\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\r'


if __name__ == '__main__':
    logging.getLogger('angr.manager').setLevel('DEBUG')
    p = setup_project()
    #If you want to have memory allocated and actually pass in a pointer to an object, you should wrap it in an PointerWrapper
    #.text:080008A1 arg_0           = dword ptr  8 just a pointer to argument
    #.text:080008A1 arg_4           = dword ptr  0Ch
    find_bug(p, 'grub_password_get', angr.PointerWrapper('\0'), 1)