def static_exits(self, blocks):
# Execute those blocks with a blank state, and then dump the arguments
blank_state = angr.SimState(project=self.project, mode="fastpath")
# set up the stack pointer
blank_state.regs.sp = 0x7fffffff
# Execute each block
state = blank_state
for b in blocks:
# state.regs.ip = next(iter(stmt for stmt in b.statements if isinstance(stmt, pyvex.IRStmt.IMark))).addr
irsb = angr.SimEngineVEX().process(state, b,
force_addr=next(iter(stmt for stmt in b.statements if isinstance(stmt, pyvex.IRStmt.IMark))).addr)
if irsb.successors:
state = irsb.successors[0]
else:
break
cc = angr.DEFAULT_CC[self.arch.name](self.arch)
args = [ cc.arg(state, _) for _ in xrange(5) ]
main, _, _, init, fini = self._extract_args(blank_state, *args)
all_exits = [
(init, 'Ijk_Call'),
(main, 'Ijk_Call'),
(fini, 'Ijk_Call'),
]
return all_exits
def static_exits(self, blocks):
# Execute those blocks with a blank state, and then dump the arguments
blank_state = angr.SimState(project=self.project, mode="fastpath")
# Execute each block
state = blank_state
for b in blocks:
irsb = angr.SimEngineVEX().process(
state,
b,
force_addr=next(
iter(stmt for stmt in b.statements
if isinstance(stmt, pyvex.IRStmt.IMark))).addr)
if irsb.successors:
state = irsb.successors[0]
else:
break
cc = angr.DEFAULT_CC[self.arch.name](self.arch)
callfunc = cc.arg(state, 2)
retaddr = state.memory.load(state.regs.sp, self.arch.bytes)
all_exits = [(callfunc, 'Ijk_Call'), (retaddr, 'Ijk_Ret')]
return all_exits
def __init__(self):
self.engine = angr.SimEngineVEX()
self.add_options = {
angr.options.INITIALIZE_ZERO_REGISTERS,
angr.options.CONCRETIZE,
}
def excption_0():
import claripy
ins_code = "mov eax,-1 ; test eax,eax"
address = 0x76fcbcfe
encoding = pwn.asm(ins_code)
count = len(encoding)
print((str(encoding)))
print(count)
add_options = {angr.options.NO_SYMBOLIC_SYSCALL_RESOLUTION,
angr.options.LAZY_SOLVES,
angr.options.INITIALIZE_ZERO_REGISTERS,
angr.options.SIMPLIFY_REGISTER_WRITES,
angr.options.SIMPLIFY_MEMORY_WRITES,
# angr.options.CONCRETIZE,
# angr.options.FAST_MEMORY
}
bc_arr = ""
bc_arr = encoding
irsb = pyvex.IRSB(bc_arr, 0x76fcbcfe, archinfo.ArchX86(), len(bc_arr))
state = SimState(arch='X86', add_options=add_options)
state.regs.eax = 0x5a4d
state.regs.esi = 0x753e0001
state.regs.esp = 0x12f8c0
state.regs.eip = 0x76fcbcfe
taint_len = 0x8000
# taint_len = 0xd4000
state.memory.store(0x753e0000, claripy.BVS(
"TAINT_MapView", taint_len * 8), endness="Iend_LE")
engine = angr.SimEngineVEX()
irsb.pp()
engine.process(state, irsb, inline=True)
# Athens 2019, Figure 2.
# addi r3, r3, 0x1
# put X in r3, execute, find X+1 in r3
import angr
import pyvex
import archinfo
import claripy
import pdb
arch = archinfo.ArchPPC32(archinfo.Endness.BE)
s = angr.SimState(arch=arch, mode="symbolic")
x = s.solver.BVS('X', 32, explicit_name=True)
code = bytes(bytearray.fromhex("38630001")) # addi
irsb = pyvex.IRSB(code, 0x100, arch, opt_level=0)
irsb.pp()
s.regs.r3 = x
result = angr.SimEngineVEX().process(s, irsb).flat_successors[0]
r3 = result.regs.r3
result.regs.__dir__()
print "*************************"
print r3