def test_se_1(self):
binary = BinaryFile(get_full_path("/data/bin/check_serial_1"))
arch_info = X86ArchitectureInformation(binary.architecture_mode)
functions = [("check_serial", 0x0804841d, 0x08048452)]
reil_container = ReilContainerBuilder(binary).build(functions)
# Set up initial state
initial_state = State(arch_info, mode="initial")
# Set up stack
esp = 0xffffceec
initial_state.write_register("esp", esp)
# Set up parameters
user_password_addr = 0xdeadbeef
user_password_len = 0x6
initial_state.write_memory(esp + 0x4, 4,
user_password_addr) # password
initial_state.write_memory(esp + 0x0, 4,
0x41414141) # fake return address
# Each byte of the password should be an ascii char.
for i in xrange(0, user_password_len):
value = initial_state.query_memory(user_password_addr + i, 1)
initial_state.add_constraint(value.uge(0x21))
initial_state.add_constraint(value.ule(0x7e))
sym_exec = ReilSymbolicEmulator(arch_info)
paths = sym_exec.find_address(reil_container,
start=0x0804841d,
end=0x08048452,
find=0x08048451,
avoid=[0x0804843b],
initial_state=initial_state)
# There's only one way to reach 'find' address.
self.assertEqual(len(paths), 1)
final_state = State(arch_info, mode="final")
user_password_expected = bytearray("AAAAAA")
user_password = bytearray()
se_res = SymExecResult(arch_info, initial_state, paths[0], final_state)
for i in xrange(0, user_password_len):
value = se_res.query_memory(user_password_addr + i, 1)
user_password.append(value)
self.assertEqual(user_password, user_password_expected)
def test_se_6(self):
binary = BinaryFile(get_full_path("/data/bin/check_serial_6"))
arch_info = X86ArchitectureInformation(binary.architecture_mode)
functions = [("expand", 0x0804849b, 0x080484dd)]
reil_container = ReilContainerBuilder(binary).build(functions)
# Set up initial state
initial_state = State(arch_info, mode="initial")
# Set up stack
esp = 0xffffceec
initial_state.write_register("esp", esp)
# Set up parameters
out_array_addr = 0xdeadbeef
in_array_addr = 0xdeadbeef + 0x5
initial_state.write_memory(esp + 0x04, 4, out_array_addr) # out
initial_state.write_memory(esp + 0x08, 4, in_array_addr) # in
initial_state.write_memory(esp + 0x0c, 4, 0xAAAAAAAA)
initial_state.write_memory(esp + 0x10, 4, 0xBBBBBBBB)
# Set the in array
for i, b in enumerate(bytearray("\x02\x03\x05\x07")):
initial_state.write_memory(in_array_addr + i, 1, b)
#
# Set up final state
#
final_state = State(arch_info, mode="final")
# Set the B array
for i, b in enumerate(bytearray("\xFC\xFB\xF5\xF7")):
final_state.write_memory(out_array_addr + i, 1, b)
start_addr = 0x0804849b
end_addr = 0x080484dd
sym_exec = ReilSymbolicEmulator(arch_info)
paths = sym_exec.find_state(reil_container,
start=start_addr,
end=end_addr,
initial_state=initial_state,
final_state=final_state)
# There's only one way to reach 'find' address.
self.assertEqual(len(paths), 1)
se_res = SymExecResult(arch_info, initial_state, paths[0], final_state)
self.assertEqual(se_res.query_memory(esp + 0x4, 4), 0xdeadbeef)
self.assertEqual(se_res.query_memory(esp + 0x8, 4), 0xdeadbef4)
def test_se_6(self):
binary = BinaryFile(get_full_path("/data/bin/check_serial_6"))
arch_info = X86ArchitectureInformation(binary.architecture_mode)
functions = [
("expand", 0x0804849b, 0x080484dd)
]
reil_container = ReilContainerBuilder(binary).build(functions)
# Set up initial state
initial_state = State(arch_info, mode="initial")
# Set up stack
esp = 0xffffceec
initial_state.write_register("esp", esp)
# Set up parameters
out_array_addr = 0xdeadbeef
in_array_addr = 0xdeadbeef + 0x5
initial_state.write_memory(esp + 0x04, 4, out_array_addr) # out
initial_state.write_memory(esp + 0x08, 4, in_array_addr) # in
initial_state.write_memory(esp + 0x0c, 4, 0xAAAAAAAA)
initial_state.write_memory(esp + 0x10, 4, 0xBBBBBBBB)
# Set the in array
for i, b in enumerate(bytearray(b"\x02\x03\x05\x07")):
initial_state.write_memory(in_array_addr + i, 1, b)
#
# Set up final state
#
final_state = State(arch_info, mode="final")
# Set the B array
for i, b in enumerate(bytearray(b"\xFC\xFB\xF5\xF7")):
final_state.write_memory(out_array_addr + i, 1, b)
start_addr = 0x0804849b
end_addr = 0x080484dd
sym_exec = ReilSymbolicEmulator(arch_info)
paths = sym_exec.find_state(reil_container, start=start_addr, end=end_addr,
initial_state=initial_state, final_state=final_state)
# There's only one way to reach 'find' address.
self.assertEqual(len(paths), 1)
se_res = SymExecResult(arch_info, initial_state, paths[0], final_state)
self.assertEqual(se_res.query_memory(esp + 0x4, 4), 0xdeadbeef)
self.assertEqual(se_res.query_memory(esp + 0x8, 4), 0xdeadbef4)
def test_se_1(self):
binary = BinaryFile(get_full_path("/data/bin/check_serial_1"))
arch_info = X86ArchitectureInformation(binary.architecture_mode)
functions = [
("check_serial", 0x0804841d, 0x08048452)
]
reil_container = ReilContainerBuilder(binary).build(functions)
# Set up initial state
initial_state = State(arch_info, mode="initial")
# Set up stack
esp = 0xffffceec
initial_state.write_register("esp", esp)
# Set up parameters
user_password_addr = 0xdeadbeef
user_password_len = 0x6
initial_state.write_memory(esp + 0x4, 4, user_password_addr) # password
initial_state.write_memory(esp + 0x0, 4, 0x41414141) # fake return address
# Each byte of the password should be an ascii char.
for i in range(0, user_password_len):
value = initial_state.query_memory(user_password_addr + i, 1)
initial_state.add_constraint(value.uge(0x21))
initial_state.add_constraint(value.ule(0x7e))
sym_exec = ReilSymbolicEmulator(arch_info)
paths = sym_exec.find_address(
reil_container, start=0x0804841d, end=0x08048452,
find=0x08048451, avoid=[0x0804843b], initial_state=initial_state)
# There's only one way to reach 'find' address.
self.assertEqual(len(paths), 1)
final_state = State(arch_info, mode="final")
user_password_expected = bytearray(b"AAAAAA")
user_password = bytearray()
se_res = SymExecResult(arch_info, initial_state, paths[0], final_state)
for i in range(0, user_password_len):
value = se_res.query_memory(user_password_addr + i, 1)
user_password.append(value)
self.assertEqual(user_password, user_password_expected)
def solve():
#
# Load binary
#
binary = BinaryFile("bin/very_success")
arch_info = X86ArchitectureInformation(binary.architecture_mode)
# Create a REIL container for the function of interest
functions = [("sub_401084", 0x00401084, 0x004010de)]
reil_container = ReilContainerBuilder(binary).build(functions)
#
# Set up initial state
#
initial_state = State(arch_info, mode="initial")
# Set up stack
esp = 0xffffceec
initial_state.write_register("esp", esp)
# Set up parameters
user_password_addr = 0x00402159
user_password_len = 0x25
ref_key_addr = 0x004010e4
initial_state.write_memory(esp + 0xc, 4, user_password_len)
initial_state.write_memory(esp + 0x8, 4, user_password_addr)
initial_state.write_memory(esp + 0x4, 4, ref_key_addr)
initial_state.write_memory(esp + 0x0, 4, 0x41414141) # return address
# Set memory
for i in xrange(user_password_len):
initial_state.write_memory(ref_key_addr + i, 1,
ord(binary.text_section[ref_key_addr + i]))
#
# Run concolic execution
#
sym_exec = ReilSymbolicEmulator(arch_info)
paths = sym_exec.find_address(reil_container,
start=0x00401084,
end=0x004010de,
find=0x004010d5,
avoid=[0x004010d7],
initial_state=initial_state)
# There's only one way to reach 'find' address.
assert len(paths) == 1
#
# Query input buffer and print content
#
final_state = State(arch_info, mode="final")
se_res = SymExecResult(arch_info, initial_state, paths[0], final_state)
user_password = bytearray()
for i in xrange(user_password_len):
user_password.append(se_res.query_memory(user_password_addr + i, 1))
print("User password: {}".format(user_password))
assert user_password == bytearray("*****@*****.**")
def solve():
#
# Load Binary
#
binary = BinaryFile("bin/toyproject.exe")
arch_info = X86ArchitectureInformation(binary.architecture_mode)
# Identify functions of interest
functions = [("sub_4010ec", 0x004010ec, 0x004010ec + 0x3a)]
# Create a REIL container
reil_container_builder = ReilContainerBuilder(binary)
reil_container = reil_container_builder.build(functions)
#
# Set up initial state
#
initial_state = State(arch_info, mode="initial")
# Set up stack
esp = 0x00001500
initial_state.write_register("esp", esp)
# Set up parameters
out_array_addr = esp - 0x25
in_array_addr = 0x4093a8
initial_state.write_memory(esp + 0x0, 4, 0x41414141) # fake return address
# TODO: Find a way to mark 'x' and 'y' as symbolic variables.
# initial_state.write_memory(esp + 0x4, 4, x) # Mark as Symbolic
# initial_state.write_memory(esp + 0x8, 4, y) # Mark as Symbolic
# Set the A array
in_array_expected = bytearray(__get_in_array())
for i in range(len(in_array_expected)):
initial_state.write_memory(in_array_addr + i, 1, in_array_expected[i])
#
# Set up final state
#
final_state = State(arch_info, mode="final")
# Set the B array
out_array_expected = bytearray(__get_out_array(), encoding='ascii')
for i in range(32):
# Avoid trivial solution
initial_state.write_memory(out_array_addr + i, 1, 0)
# Assert final (desired) state
final_state.write_memory(out_array_addr + i, 1, out_array_expected[i])
#
# Run concolic execution
#
sym_exec = ReilSymbolicEmulator(arch_info)
paths = sym_exec.find_state(reil_container,
start=0x004010ec,
end=0x0040111d,
initial_state=initial_state,
final_state=final_state)
# There's only one way to reach the final state.
# assert len(paths) == 1
print("[+] Number of paths: {}".format(len(paths)))
# for index, path in enumerate(paths):
# __save_path(path, index)
#
# Query input buffer and print content
#
print("A (in) : {:s}".format(" ".join(
["{:02x}".format(b) for b in in_array_expected])))
print("B (out) : {:s}".format(" ".join(
["{:02x}".format(b) for b in out_array_expected])))
if len(paths) > 0:
se_res = SymExecResult(arch_info, initial_state, paths[0], final_state)
print("x: {0:#010x} ({0:d})".format(se_res.query_memory(esp + 0x4, 4)))
print("y: {0:#010x} ({0:d})".format(se_res.query_memory(esp + 0x8, 4)))
else:
print("[-] State Not Found!")
def solve():
#
# Load Binary
#
binary = BinaryFile("bin/toyproject.exe")
arch_info = X86ArchitectureInformation(binary.architecture_mode)
# Identify functions of interest
functions = [
("sub_4010ec", 0x004010ec, 0x004010ec + 0x3a)
]
# Create a REIL container
reil_container_builder = ReilContainerBuilder(binary)
reil_container = reil_container_builder.build(functions)
#
# Set up initial state
#
initial_state = State(arch_info, mode="initial")
# Set up stack
esp = 0x00001500
initial_state.write_register("esp", esp)
# Set up parameters
out_array_addr = esp - 0x25
in_array_addr = 0x4093a8
initial_state.write_memory(esp + 0x0, 4, 0x41414141) # fake return address
# TODO: Find a way to mark 'x' and 'y' as symbolic variables.
# initial_state.write_memory(esp + 0x4, 4, x) # Mark as Symbolic
# initial_state.write_memory(esp + 0x8, 4, y) # Mark as Symbolic
# Set the A array
in_array_expected = bytearray(__get_in_array())
for i in range(len(in_array_expected)):
initial_state.write_memory(in_array_addr + i, 1, in_array_expected[i])
#
# Set up final state
#
final_state = State(arch_info, mode="final")
# Set the B array
out_array_expected = bytearray(__get_out_array(), encoding='ascii')
for i in range(32):
# Avoid trivial solution
initial_state.write_memory(out_array_addr + i, 1, 0)
# Assert final (desired) state
final_state.write_memory(out_array_addr + i, 1, out_array_expected[i])
#
# Run concolic execution
#
sym_exec = ReilSymbolicEmulator(arch_info)
paths = sym_exec.find_state(reil_container, start=0x004010ec, end=0x0040111d,
initial_state=initial_state, final_state=final_state)
# There's only one way to reach the final state.
# assert len(paths) == 1
print("[+] Number of paths: {}".format(len(paths)))
# for index, path in enumerate(paths):
# __save_path(path, index)
#
# Query input buffer and print content
#
print("A (in) : {:s}".format(" ".join(["{:02x}".format(b) for b in in_array_expected])))
print("B (out) : {:s}".format(" ".join(["{:02x}".format(b) for b in out_array_expected])))
if len(paths) > 0:
se_res = SymExecResult(arch_info, initial_state, paths[0], final_state)
print("x: {0:#010x} ({0:d})".format(se_res.query_memory(esp + 0x4, 4)))
print("y: {0:#010x} ({0:d})".format(se_res.query_memory(esp + 0x8, 4)))
else:
print("[-] State Not Found!")
def solve():
#
# Load binary
#
binary = BinaryFile("bin/very_success")
arch_info = X86ArchitectureInformation(binary.architecture_mode)
# Create a REIL container for the function of interest
functions = [
("sub_401084", 0x00401084, 0x004010de)
]
reil_container = ReilContainerBuilder(binary).build(functions)
#
# Set up initial state
#
initial_state = State(arch_info, mode="initial")
# Set up stack
esp = 0xffffceec
initial_state.write_register("esp", esp)
# Set up parameters
user_password_addr = 0x00402159
user_password_len = 0x25
ref_key_addr = 0x004010e4
initial_state.write_memory(esp + 0xc, 4, user_password_len)
initial_state.write_memory(esp + 0x8, 4, user_password_addr)
initial_state.write_memory(esp + 0x4, 4, ref_key_addr)
initial_state.write_memory(esp + 0x0, 4, 0x41414141) # return address
# Set memory
for i in range(user_password_len):
initial_state.write_memory(ref_key_addr + i, 1,
binary.text_section[ref_key_addr + i])
#
# Run concolic execution
#
sym_exec = ReilSymbolicEmulator(arch_info)
paths = sym_exec.find_address(
reil_container, start=0x00401084, end=0x004010de,
find=0x004010d5, avoid=[0x004010d7], initial_state=initial_state)
# There's only one way to reach 'find' address.
assert len(paths) == 1
#
# Query input buffer and print content
#
final_state = State(arch_info, mode="final")
se_res = SymExecResult(arch_info, initial_state, paths[0], final_state)
user_password = bytearray()
for i in range(user_password_len):
user_password.append(se_res.query_memory(user_password_addr + i, 1))
print("User password: {}".format(user_password))
assert user_password == bytearray("*****@*****.**")