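def pre_test(self, func, runner):
    """Check that *func* behaves like memmove, including on overlapping buffers.

    First the generic copy test is run through ``runner.test``; a candidate
    that fails it is rejected outright.  Then two overlap checks that a naive
    forward byte copy gets wrong are executed and their combined outcome is
    recorded in ``self.memmove_safe``:

    * destination above source, ``memmove(0x2003, 0x2000, 5)`` on
      ``"ABC\\x00\\x00\\x00\\x00\\x00"`` must leave ``"ABCABC\\x00\\x00"``;
    * destination below source, ``memmove(0x2000, 0x2003, 5)`` on
      ``"\\x00\\x00\\x00\\x00\\x00CBA"`` must leave ``"\\x00\\x00CBACBA"``.

    :param func:   candidate function; only ``func.startpoint.addr`` is used.
    :param runner: identifier runner providing ``test``,
                   ``get_base_call_state`` and ``project``.
    :return: ``True`` when the basic copy test passed (the overlap checks only
             set ``self.memmove_safe``), ``False`` otherwise.
    """
    result_buf = "A" * 6
    # Six bytes with an embedded NUL: a byte copy must not stop at '\0'.
    in_buf = "a\x00bbbc"
    test_input = [result_buf, in_buf, 6]
    test_output = [in_buf, in_buf, None]
    test = TestData(test_input, test_output, None, 20)
    if not runner.test(func, test):
        return False

    buf_addr = 0x2000

    def overlap_copy_matches(initial, dst, src, length, expected):
        # Run the candidate concretely on a fresh base state whose scratch
        # buffer holds `initial`, then compare the 8 bytes it leaves behind.
        s = runner.get_base_call_state(func, test)
        s.memory.store(buf_addr, initial)
        inttype = SimTypeInt(runner.project.arch.bits, False)
        func_ty = SimTypeFunction([inttype] * 3, inttype)
        cc = runner.project.factory.cc(func_ty=func_ty)
        call = Callable(runner.project, func.startpoint.addr, concrete_only=True,
                        cc=cc, base_state=s, max_steps=20)
        call(dst, src, length)
        result_state = call.result_state
        actual = result_state.se.any_str(result_state.memory.load(buf_addr, 8))
        return actual == expected

    # Both directions are evaluated unconditionally (no short-circuit) so the
    # second concrete run always happens, exactly as before.
    forward_ok = overlap_copy_matches("ABC\x00\x00\x00\x00\x00",
                                      0x2003, 0x2000, 5, "ABCABC\x00\x00")
    backward_ok = overlap_copy_matches("\x00\x00\x00\x00\x00CBA",
                                       0x2000, 0x2003, 5, "\x00\x00CBACBA")
    # Previously written as `True and self.memmove_safe`, which is just the
    # conjunction of the two checks.
    self.memmove_safe = forward_ok and backward_ok
    return True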
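def get_base_call_state(self, function, test_data, initial_state=None, concrete_rand=False):
    """Build the state at the entry of *function* with *test_data* arguments in place.

    String and bitvector arguments are written into scratch memory starting at
    0x2000, one per slot of at least 0x1000 bytes, and passed by address;
    int/long arguments are passed by value.  Note that, unlike ``test`` and
    ``get_out_state``, no NUL terminator is appended to string arguments here.
    The returned state is the callee's entry state as produced by
    ``IdentifierCallable.get_base_state``, with a calling convention for
    ``len(input_args)`` word-sized arguments.

    :param function:      function object; ``function.startpoint.addr`` is called.
    :param test_data:     ``TestData`` providing ``input_args`` and ``max_steps``.
    :param initial_state: optional state forwarded to ``setup_state``.
    :param concrete_rand: forwarded to ``setup_state``.
    :raises TypeError: if an argument is neither str/BV nor int/long.
    """
    curr_buf_loc = 0x2000
    mapped_input = []
    s = self.setup_state(function, test_data, initial_state, concrete_rand=concrete_rand)
    for arg in test_data.input_args:
        if isinstance(arg, (str, claripy.ast.BV)):
            s.memory.store(curr_buf_loc, arg)
            mapped_input.append(curr_buf_loc)
            # NOTE(review): for a BV, len() looks like its bit width rather
            # than its byte size, so the slot is over-reserved — harmless.
            curr_buf_loc += max(len(arg), 0x1000)
        elif isinstance(arg, (int, long)):
            mapped_input.append(arg)
        else:
            # The old form passed (message, type) as two exception args, so
            # the offending type never showed up in the message.
            raise TypeError("Expected int/long got %s" % type(arg))
    inttype = SimTypeInt(self.project.arch.bits, False)
    func_ty = SimTypeFunction([inttype] * len(mapped_input), inttype)
    cc = self.project.factory.cc(func_ty=func_ty)
    call = IdentifierCallable(self.project, function.startpoint.addr, concrete_only=True,
                              cc=cc, base_state=s, max_steps=test_data.max_steps)
    return call.get_base_state(*mapped_input)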
def run_fauxware(arch):
    """Drive ``authenticate`` from the fauxware binary for *arch* through ``Callable``.

    The accepted password must produce a concrete return value of 1; a wrong
    password leaves the callable with more than one result state, which is
    reported as ``AngrCallableMultistateError``.  ppc64 needs its TOC pointer.
    """
    addr = addresses_fauxware[arch]
    binary = location + '/' + arch + '/fauxware'
    p = angr.Project(binary)
    charstar = SimTypePointer(p.arch, SimTypeChar())
    ret_ty = SimTypeInt(p.arch.bits, False)
    prototype = SimTypeFunction((charstar, charstar), ret_ty)
    toc = 0x10018E80 if arch == 'ppc64' else None
    authenticate = Callable(p, addr, prototype, toc=toc)
    good = authenticate("asdf", "SOSNEAKY")
    nose.tools.assert_equal(good.model.value, 1)
    nose.tools.assert_raises(AngrCallableMultistateError, authenticate, "asdf", "NOSNEAKY")
def run_manysum(arch):
    """Call manysum's eleven-argument function for *arch* and check its result.

    All eleven integer arguments go through the Callable's prototype; the
    return value must be concrete and equal to 1 + 2 + ... + 11.
    """
    addr = addresses_manysum[arch]
    proj = angr.Project(location + '/' + arch + '/manysum')
    word = SimTypeInt(proj.arch.bits, False)
    sumlots = Callable(proj, addr, prototype=SimTypeFunction([word] * 11, word))
    args = range(1, 12)
    result = sumlots(*args)
    nose.tools.assert_false(result.symbolic)
    nose.tools.assert_equal(result._model_concrete.value, sum(xrange(12)))
def run_fauxware(arch):
    """Drive fauxware's ``authenticate`` for *arch* via ``p.factory.callable``.

    Same contract as the Callable-based variant: the accepted password returns
    a concrete 1, a wrong one raises ``AngrCallableMultistateError``.  The
    callable is built ``concrete_only`` with an explicit calling convention
    derived from the prototype; ppc64 supplies its TOC pointer.
    """
    addr = addresses_fauxware[arch]
    p = angr.Project(location + '/' + arch + '/fauxware')
    charstar = SimTypePointer(SimTypeChar())
    prototype = SimTypeFunction((charstar, charstar), SimTypeInt(False))
    cc = p.factory.cc(func_ty=prototype)
    toc = 0x10018E80 if arch == 'ppc64' else None
    authenticate = p.factory.callable(addr, toc=toc, concrete_only=True, cc=cc)
    good = authenticate("asdf", "SOSNEAKY")
    nose.tools.assert_equal(good._model_concrete.value, 1)
    nose.tools.assert_raises(AngrCallableMultistateError, authenticate, "asdf", "NOSNEAKY")
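def get_out_state(self, function, test_data, initial_state=None, concrete_rand=False, custom_offs=None):
    """Run *function* concretely on *test_data* and return the state after it returns.

    Argument layout: each str argument is written NUL-terminated into its own
    scratch slot starting at 0x2000 (0x1000 bytes, or more if the string is
    longer) and passed as a pointer to that slot plus the matching entry of
    *custom_offs* when one is given; int/long arguments are passed by value.
    When *custom_offs* is shorter than ``input_args`` only the first
    ``len(custom_offs)`` arguments are mapped (zip semantics, as before).

    :param function:      function object; ``function.startpoint.addr`` is called.
    :param test_data:     ``TestData`` providing ``input_args`` and ``max_steps``.
    :param initial_state: optional state forwarded to ``setup_state``.
    :param concrete_rand: forwarded to ``setup_state``.
    :param custom_offs:   optional per-argument pointer offsets.
    :return: the result state, or ``None`` if the call raised an
             ``AngrCallableError`` (logged at INFO).
    :raises TypeError: on an argument that is neither str nor int/long.
    """
    import itertools

    s = self.setup_state(function, test_data, initial_state, concrete_rand=concrete_rand)
    curr_buf_loc = 0x2000
    mapped_input = []
    # One loop for both modes: "no custom offsets" means every offset is zero.
    offs = itertools.repeat(0) if custom_offs is None else custom_offs
    for arg, off in zip(test_data.input_args, offs):
        if isinstance(arg, str):
            s.memory.store(curr_buf_loc, arg + "\x00")
            mapped_input.append(curr_buf_loc + off)
            curr_buf_loc += max(len(arg), 0x1000)
        elif isinstance(arg, (int, long)):
            mapped_input.append(arg)
        else:
            # Formatted explicitly; the old (message, type) form never
            # rendered the type.
            raise TypeError("Expected int/long got %s" % type(arg))
    inttype = SimTypeInt(self.project.arch.bits, False)
    func_ty = SimTypeFunction([inttype] * len(mapped_input), inttype)
    cc = self.project.factory.cc(func_ty=func_ty)
    try:
        call = IdentifierCallable(self.project, function.startpoint.addr, concrete_only=True,
                                  cc=cc, base_state=s, max_steps=test_data.max_steps)
        call(*mapped_input)
        result_state = call.result_state
    except AngrCallableMultistateError as e:
        l.info("multistate error: %s", e)
        return None
    except AngrCallableError as e:
        l.info("other callable error: %s", e)
        return None
    return result_state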
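def run(self, proj=None, funcaddr=None, gotaddr=None, funcname=None):
    """Resolve a GNU ifunc by running its resolver and patch the GOT slot.

    The resolver at *funcaddr* is invoked with no arguments via ``Callable``
    (prototype ``() -> void *``).  The pointer it returns is stored at
    *gotaddr* using the current state's memory endianness, and execution then
    continues at that pointer through a plain 'Ijk_Boring' successor.

    :param proj:     angr project the resolver runs in.
    :param funcaddr: address of the ifunc resolver function.
    :param gotaddr:  address of the GOT entry to fill in.
    :param funcname: symbol name, used only in the failure log.
    :raises AngrCallableError: re-raised after a CRITICAL log when the
        resolver cannot be run to a single concrete result; the GOT entry is
        left untouched in that case.
    """
    ptr_ty = SimTypePointer(self.state.arch, SimTypeTop())
    resolve = Callable(proj, funcaddr, SimTypeFunction((), ptr_ty))
    try:
        value = resolve()
    except AngrCallableError:
        l.critical("Ifunc \"%s\" failed to resolve!", funcname)
        raise
    self.state.memory.store(gotaddr, value, endness=self.state.arch.memory_endness)
    self.add_successor(self.state, value, self.state.se.true, 'Ijk_Boring')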
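def main():
    """Run ``proc_big_68`` of challenge-7.sys under angr and return the decoded string.

    The driver is loaded without its library dependencies, a zero-length hook
    lets ``before_tea_decrypt`` run just before the call into tea_decrypt
    (at 0xadc31) without skipping the original instruction, and the target
    procedure is then called concretely with argument 0.  The 40-byte result
    buffer at ``ARRAY_ADDRESS`` is read back from the final state as a string
    with trailing/leading NULs stripped.

    :return: the decoded string as a ``str``.
    """
    p = angr.Project('challenge-7.sys', load_options={'auto_load_libs': False})
    # Zero-length hook: before_tea_decrypt executes when 0xadc31 is reached
    # and the original code at that address still runs afterwards
    # (design courtesy of @rhelmot).
    p.hook(0xadc31, func=before_tea_decrypt, length=0)
    # Prototype of the target: one int in, one int out.
    prototype = SimTypeFunction((SimTypeInt(False),), SimTypeInt(False))
    proc_big_68 = p.factory.callable(BIG_PROC, cc=p.factory.cc(func_ty=prototype),
                                     toc=None, concrete_only=True)
    proc_big_68.perform_call(0)
    state = proc_big_68.result_state
    # Read the buffer bytes directly instead of hex(any_int(...))[2:-1].decode('hex'):
    # that route relied on the Python 2 'L' suffix being present and raised
    # on an odd-length hex string whenever the first byte was below 0x10.
    out = state.se.any_str(state.memory.load(ARRAY_ADDRESS, 40))
    return out.strip('\0')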
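def test(self, function, test_data, concrete_rand=False, custom_offs=None):
    """Run *function* concretely on *test_data* and check its observable effects.

    Inputs are laid out as in ``get_out_state``: str arguments are copied
    NUL-terminated into scratch memory starting at 0x2000, one slot of at
    least 0x1000 bytes each, and passed by address (plus the matching
    *custom_offs* entry when given); int/long arguments are passed by value.
    ``True`` is returned only if all of the following hold, each failure being
    logged at INFO level:

    * every str entry of ``expected_output_args`` equals, concretely, the
      memory at the corresponding argument's pointer (``None`` entries are
      not checked);
    * the return value is concrete and, when ``expected_return_val`` is set,
      equal to it (a negative expectation is masked to the architecture's
      word size first);
    * the stdout position (posix fd 1) and content are concrete and the
      content equals ``expected_stdout``.

    :return: ``True`` on a full match; ``False`` on any mismatch, symbolic
             value or ``AngrCallableError``.
    :raises TypeError: on an argument that is neither str nor int/long.
    :raises Exception: on an empty-string expected output.
    """
    import itertools

    s = self.setup_state(function, test_data, concrete_rand=concrete_rand)
    curr_buf_loc = 0x2000
    mapped_input = []
    # One loop for both modes: "no custom offsets" means every offset is zero.
    offs = itertools.repeat(0) if custom_offs is None else custom_offs
    for arg, off in zip(test_data.input_args, offs):
        if isinstance(arg, str):
            s.memory.store(curr_buf_loc, arg + "\x00")
            mapped_input.append(curr_buf_loc + off)
            curr_buf_loc += max(len(arg), 0x1000)
        elif isinstance(arg, (int, long)):
            mapped_input.append(arg)
        else:
            # Formatted explicitly; the old (message, type) form never
            # rendered the type.
            raise TypeError("Expected int/long got %s" % type(arg))

    inttype = SimTypeInt(self.project.arch.bits, False)
    func_ty = SimTypeFunction([inttype] * len(mapped_input), inttype)
    cc = self.project.factory.cc(func_ty=func_ty)
    try:
        call = IdentifierCallable(self.project, function.startpoint.addr, concrete_only=True,
                                  cc=cc, base_state=s, max_steps=test_data.max_steps)
        result = call(*mapped_input)
        result_state = call.result_state
    except AngrCallableMultistateError as e:
        l.info("multistate error: %s", e)
        return False
    except AngrCallableError as e:
        l.info("other callable error: %s", e)
        return False

    # Output buffers: compare concretely, bail on anything symbolic.
    outputs = []
    for i, expected in enumerate(test_data.expected_output_args):
        if not isinstance(expected, str):
            outputs.append(None)
            continue
        if len(expected) == 0:  # pylint: disable=len-as-condition
            raise Exception("len 0 out")
        actual = result_state.memory.load(mapped_input[i], len(expected))
        if result_state.se.symbolic(actual):
            l.info("symbolic memory output")
            return False
        outputs.append(result_state.se.any_str(actual))
    if outputs != test_data.expected_output_args:
        l.info("mismatch output")
        return False

    # Return value.
    if result_state.se.symbolic(result):
        l.info("result value symbolic")
        return False
    expected_ret = test_data.expected_return_val
    if expected_ret is not None:
        if expected_ret < 0:
            # Two's-complement wrap to the register width so e.g. -1 compares
            # equal to the all-ones word the callee actually returns.  Kept
            # local rather than written back into test_data.
            expected_ret &= (2 ** self.project.arch.bits - 1)
        got = result_state.se.any_int(result)
        if got != expected_ret:
            l.info("return val mismatch got %#x, expected %#x", got, expected_ret)
            return False

    # stdout: position and content must both be concrete.
    stdout_file = result_state.posix.files[1]
    if result_state.se.symbolic(stdout_file.pos):
        l.info("symbolic stdout pos")
        return False
    if result_state.se.any_int(stdout_file.pos) == 0:
        stdout = ""
    else:
        stdout_bv = stdout_file.content.load(0, stdout_file.pos)
        if stdout_bv.symbolic:
            l.info("symbolic stdout")
            return False
        stdout = result_state.se.any_str(stdout_bv)
    if stdout != test_data.expected_stdout:
        l.info("mismatch stdout")
        return False
    return True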