# NOTE(review): the statements down to the exit branch read `state` and `m`,
# neither of which is defined in this excerpt. They are presumably the body of
# a Manticore hook whose `def` line precedes it; restore that header and indent
# these statements under it before running.
with m.locked_context() as context:
    # Bump the counter stored in the Manticore context (reported at the end).
    context['count'] += 1

# NOTE(review): the collapsed text does not show whether the branch chain sits
# inside or after the `with` block; it is laid out after it here -- confirm.
pc = state.cpu.PC
if pc == 0x406f10:  # puts
    # X0 holds the pointer to the string being passed to puts.
    text = state.cpu.read_string(state.cpu.X0)
    assert text == 'hello'
    print(f'puts argument: {text}')
elif pc == 0x40706c:  # puts result
    # X0 now carries the value puts returned; a negative value fails the check.
    result = state.cpu.X0
    assert result >= 0
    print(f'puts result: {result}')
elif pc == 0x415e50:  # exit
    status = state.cpu.X0
    syscall = state.cpu.X8
    assert syscall == 94  # sys_exit_group
    print(f'exit status: {status}')


def execute_instruction(self, insn, msg):
    """Print one trace line: *msg*, the instruction address, then its text.

    `self` is accepted only because the subscriber lambdas forward it; it is
    not used here.
    """
    line = f'{msg}: 0x{insn.address:x}: {insn.mnemonic} {insn.op_str}'
    print(line)


# Trace every instruction twice: tagged 'next' before it executes and 'done'
# after it has executed.
m.subscribe(
    'will_execute_instruction',
    lambda self, state, pc, insn: execute_instruction(self, insn, 'next'),
)
m.subscribe(
    'did_execute_instruction',
    lambda self, state, last_pc, pc, insn: execute_instruction(self, insn, 'done'),
)

m.run(procs=1)

executed = m.context['count']
print(f"Executed {executed} instructions")
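"""
Demonstrates the ability to do state merging on a simple program by merging
states with id 2, 4 that happen to be at the same program location 0x40060d.
This script uses the Merger plugin to apply opportunistic state merging.

Usage: pass the path of the target program as the first command-line argument.
"""
import sys

from manticore.native.plugins import Merger
from manticore.utils import config
from manticore.native import Manticore
from manticore import set_verbosity


if __name__ == "__main__":
    # Fail with a usage line instead of an IndexError traceback when the
    # target path is missing.
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} <path-to-binary>")

    core = config.get_group("core")
    # Fixed seed. NOTE(review): the state ids named in the module docstring
    # presumably depend on this seed together with the "random" policy --
    # confirm before changing either.
    core.seed = 2
    # Select the `single` multiprocessing mode of the core config group.
    core.mprocessing = core.mprocessing.single

    path = sys.argv[1]
    m = Manticore(path, policy="random")

    def will_load_state_callback(_mc, state_id):
        """Log the id of the state that is about to be loaded."""
        print("about to load state_id = " + str(state_id))

    def did_load_state_callback(_mc, state):
        """Log the id and program counter of the state that was just loaded."""
        print("loaded state_id = " + str(state.id) + " at cpu = " + hex(state.cpu.PC))

    m.subscribe("will_load_state", will_load_state_callback)
    m.subscribe("did_load_state", did_load_state_callback)
    # The Merger plugin performs the opportunistic state merging.
    m.register_plugin(Merger())
    m.run()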
s = state.cpu.read_string(state.cpu.X0) assert s == "hello" print(f"puts argument: {s}") elif state.cpu.PC == 0x40706C: # puts result result = state.cpu.X0 assert result >= 0 print(f"puts result: {result}") elif state.cpu.PC == 0x415E50: # exit status = state.cpu.X0 syscall = state.cpu.X8 assert syscall == 94 # sys_exit_group print(f"exit status: {status}") def execute_instruction(self, insn, msg): print(f"{msg}: 0x{insn.address:x}: {insn.mnemonic} {insn.op_str}") m.subscribe( "will_execute_instruction", lambda self, state, pc, insn: execute_instruction(self, insn, "next"), ) m.subscribe( "did_execute_instruction", lambda self, state, last_pc, pc, insn: execute_instruction(self, insn, "done"), ) m.run() print(f"Executed {m.context['count']} instructions")