def test_mips():
    """Explore the MIPS ``argc_symbol`` binary with a symbolic argc.

    Three symbolic 40-byte arguments are supplied and ``sargc=True`` keeps
    argc itself unconstrained, so the explorer should reach all three target
    addresses. For each found path the concrete argc is checked, and for the
    two paths that take an argument the 400 bytes at the stack pointer must
    contain the greeting the binary prints for that argument count.
    """
    project = angr.Project(test_location + "/mips/argc_symbol")
    targets = [0x400720, 0x40076c, 0x4007bc]

    sym_args = [angr.StringSpec(sym_length=40) for _ in range(3)]
    start = project.factory.path(args=sym_args, env={"HOME": "/home/angr"}, sargc=True)
    explorer = project.surveyors.Explorer(find=targets, num_find=100, start=start)
    explorer.run()

    nose.tools.assert_equals(len(explorer.found), 3)

    # (expected argc, substring that must appear on the stack; None = no check)
    expectations = [(0, None), (1, "Good man"), (2, "Very Good man")]
    for path, (want_argc, marker) in zip(explorer.found, expectations):
        state = path.state
        argc = state.se.any_int(state.posix.argc)
        if marker is not None:
            stack_bytes = state.memory.load(state.registers.load('sp'), 400)
            conc = state.se.any_str(stack_bytes)
            nose.tools.assert_equals(marker in conc, True)
        nose.tools.assert_equals(argc, want_argc)
def test_amd64():
    """Explore the x86-64 ``argc_symbol`` binary with a symbolic argc.

    Mirrors the MIPS case: three symbolic 40-byte arguments, ``sargc=True``
    so argc stays unconstrained, and three target addresses that must all be
    reached. Shared libraries are not loaded (``auto_load_libs=False``). For
    each found path the concrete argc is checked, and for the two paths that
    take an argument the 800 bytes at the stack pointer must contain the
    greeting the binary prints for that argument count.
    """
    project = angr.Project(test_location + "/x86_64/argc_symbol", load_options={'auto_load_libs': False})
    targets = [0x40051B, 0x400540, 0x400569]

    sym_args = [angr.StringSpec(sym_length=40) for _ in range(3)]
    start = project.factory.path(args=sym_args, env={"HOME": "/home/angr"}, sargc=True)
    explorer = project.surveyors.Explorer(find=targets, num_find=100, start=start)
    explorer.run()

    nose.tools.assert_equals(len(explorer.found), 3)

    # (expected argc, substring that must appear on the stack; None = no check)
    expectations = [(0, None), (1, "Good man"), (2, "Very Good man")]
    for path, (want_argc, marker) in zip(explorer.found, expectations):
        state = path.state
        argc = state.se.any_int(state.posix.argc)
        if marker is not None:
            stack_bytes = state.memory.load(state.registers.load('sp'), 800)
            conc = state.se.any_str(stack_bytes)
            nose.tools.assert_equals(marker in conc, True)
        nose.tools.assert_equals(argc, want_argc)
# Playing with the binary shows it expects 8-character input, so the strlen
# calls are hooked and their result is forced to 8 regardless of what the
# (symbolic) argument actually contains.
def hook_length(state):
    """Hook replacing a strlen call: write the constant 8 into rax."""
    state.regs.rax = 8


# Both strlen call sites are replaced by hook_length; length=5 skips the
# 5-byte call instruction so execution resumes right after it.
for call_site in (0x40168e, 0x4016BE):
    p.hook(call_site, func=hook_length, length=5)

# Initial state: argv[0] is the program name, argv[1] a symbolic 8-byte
# string with no NUL bytes. Unsupported syscalls are bypassed instead of
# stopping the analysis.
argv = [
    angr.StringSpec(string="crypto400"),
    angr.StringSpec(sym_length=8, nonnull=True),
]
initial_state = p.factory.entry_state(args=argv, add_options={"BYPASS_UNSUPPORTED_SYSCALL"})

# A PathGroup tracks the set of paths as the binary runs and lets us stash,
# prune and continue them; immutable=False means explore() mutates it in place.
pg = p.factory.path_group(initial_state, immutable=False)

# Stage 1: run until some path reaches 0x4016A3, then move the found path
# back into the active stash so the next explore() continues from it.
print('[*] executing')
pg.explore(find=0x4016A3).unstash(from_stash='found', to_stash='active')
pg.explore(find=0x4016B7, avoid=[0x4017D6, 0x401699,