예제 #1
def test_stub_procedure_args():
    """Check that a library stub takes its argument layout from the registered prototype.

    A three-argument prototype is registered on ``lib`` under a throwaway
    name, a stub for that name is fetched for x86, given the stdcall
    convention, and passed through ``lib._apply_metadata``.  Two properties
    are then asserted: the convention exposes exactly three stack arguments,
    and returning from the stub moves the stack pointer by 0x10.
    """
    func_name = "____a_random_stdcall_function__"
    arg_types = [
        SimTypeInt(signed=True),
        SimTypeInt(signed=True),
        SimTypeInt(signed=False),
    ]
    ret_type = SimTypePointer(SimTypeChar(), offset=0)
    proto = SimTypeFunction(
        arg_types,
        ret_type,
        arg_names=["_random_arg_0", "_random_arg_1", "_random_arg_2"],
    )
    lib.set_prototype(func_name, proto)

    # A fresh ArchX86 instance is built for each call, as in the original test.
    stub = lib.get_stub(func_name, archinfo.ArchX86())
    stub.cc = SimCCStdcall(archinfo.ArchX86())
    lib._apply_metadata(stub, archinfo.ArchX86())

    # The prototype has three parameters, so the convention must report three
    # arguments, and every one of them must live on the stack.
    assert len(stub.cc.args) == 3
    for arg in stub.cc.args:
        assert isinstance(arg, SimStackArg)

    binary_path = os.path.join(binaries_base, "i386", "all")
    proj = angr.Project(binary_path, auto_load_libs=False)
    state = proj.factory.blank_state()

    # Drive the stub by hand: attach a state and a successors container,
    # then ask it to return.
    sp_before = state.regs.sp
    stub.state = state
    stub.successors = SimSuccessors(0, state)
    stub.ret(0)

    after_ret = stub.successors.all_successors[0]
    sp_delta = state.solver.eval_one(after_ret.regs.sp - sp_before)
    # NOTE(review): 0x10 is consistent with a 4-byte return address plus three
    # 4-byte arguments being released on return (callee cleanup) -- sizes are
    # assumed from 32-bit x86; confirm against SimCCStdcall.
    assert sp_delta == 0x10
예제 #2
def run_fauxware(arch):
    """Invoke fauxware's authentication routine through an angr callable.

    The routine at ``addresses_fauxware[arch]`` is wrapped as a function
    taking two ``char *`` arguments and returning an unsigned int, using a
    calling convention derived from that prototype.  The test pins two
    outcomes: the pair ("asdf", "SOSNEAKY") returns the concrete value 1,
    and the pair ("asdf", "NOSNEAKY") raises AngrCallableMultistateError.
    """
    entry = addresses_fauxware[arch]
    project = angr.Project('/'.join((location, arch, 'fauxware')))

    char_ptr = SimTypePointer(SimTypeChar())
    signature = SimTypeFunction((char_ptr, char_ptr), SimTypeInt(False))
    calling_conv = project.factory.cc(func_ty=signature)

    # Only the ppc64 build is given an explicit toc value; every other
    # architecture passes None.
    if arch == 'ppc64':
        toc_value = 0x10018E80
    else:
        toc_value = None

    # concrete_only=True: presumably the callable refuses to return when the
    # call does not resolve to a single concrete result -- the second
    # assertion below relies on that raising behaviour.
    authenticate = project.factory.callable(
        entry, toc=toc_value, concrete_only=True, cc=calling_conv)

    accepted = authenticate("asdf", "SOSNEAKY")
    nose.tools.assert_equal(accepted._model_concrete.value, 1)
    nose.tools.assert_raises(
        AngrCallableMultistateError, authenticate, "asdf", "NOSNEAKY")
예제 #3
def run_manysum(arch):
    """Call the 11-argument ``manysum`` routine and check it adds its inputs.

    The function at ``addresses_manysum[arch]`` is wrapped as a callable
    with a prototype of eleven ints returning an int.  It is called with
    1..11 and the result must be concrete and equal to their sum.
    """
    target = addresses_manysum[arch]
    binary = os.path.join(location, 'tests', arch, 'manysum')
    project = angr.Project(binary)

    int_ty = SimTypeInt()
    # Eleven parameters: presumably more than fit in argument registers on
    # the tested architectures, so stack-passed arguments get exercised too.
    signature = SimTypeFunction([int_ty] * 11, int_ty)
    sumlots = project.factory.callable(target, prototype=signature)

    operands = tuple(range(1, 12))
    total = sumlots(*operands)

    # The result has to be a concrete value, not a symbolic expression.
    nose.tools.assert_false(total.symbolic)
    # range(12) starts at 0, which adds nothing: the expected value is 1+...+11.
    expected = sum(range(12))
    nose.tools.assert_equal(total._model_concrete.value, expected)
예제 #4
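def run_manysum(arch):
    """Call the 11-argument ``manysum`` routine and check it adds its inputs.

    The function at ``addresses_manysum[arch]`` is wrapped as a callable
    using a calling convention built from a prototype of eleven ints
    returning an int.  It is called with 1..11; the result must be concrete
    and equal to their sum.
    """
    addr = addresses_manysum[arch]
    p = angr.Project(location + '/' + arch + '/manysum')
    inttype = SimTypeInt()
    prototype = SimTypeFunction([inttype] * 11, inttype)
    cc = p.factory.cc(func_ty=prototype)
    sumlots = p.factory.callable(addr, cc=cc)
    result = sumlots(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
    # The result has to be a concrete value, not a symbolic expression.
    nose.tools.assert_false(result.symbolic)
    # range() instead of xrange(): xrange does not exist on Python 3, while
    # sum(range(12)) gives the same value (1+...+11) on both Python 2 and 3.
    nose.tools.assert_equal(result._model_concrete.value, sum(range(12)))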
예제 #5
 def run_fauxware(self, arch):
     """Invoke fauxware's authentication routine through an angr callable.

     The routine at ``addresses_fauxware[arch]`` is wrapped as a function
     taking two ``char *`` arguments and returning an unsigned int.  The
     test pins two outcomes: ("asdf", "SOSNEAKY") returns the concrete
     value 1, and ("asdf", "NOSNEAKY") raises AngrCallableMultistateError.
     """
     entry = addresses_fauxware[arch]
     binary = os.path.join(location, 'tests', arch, 'fauxware')
     project = angr.Project(binary)

     char_ptr = SimTypePointer(SimTypeChar())
     signature = SimTypeFunction((char_ptr, char_ptr), SimTypeInt(False))

     # Only the ppc64 build is given an explicit toc value; every other
     # architecture passes None.
     if arch == 'ppc64':
         toc_value = 0x10018E80
     else:
         toc_value = None

     # concrete_only=True: presumably the callable refuses to return when
     # the call does not resolve to a single concrete result -- the
     # assertRaises check below relies on that raising behaviour.
     authenticate = project.factory.callable(
         entry, toc=toc_value, concrete_only=True, prototype=signature)

     accepted = authenticate("asdf", "SOSNEAKY")
     assert accepted._model_concrete.value == 1

     with self.assertRaises(AngrCallableMultistateError):
         authenticate("asdf", "NOSNEAKY")
예제 #6
파일: solve.py 프로젝트: zu3st/angr-doc
def main():
    """Run one routine of ``challenge-7.sys`` concretely and return the bytes it leaves in memory.

    Loads the driver without its library dependencies, installs a
    zero-length hook so ``before_tea_decrypt`` runs ahead of the call to
    tea_decrypt, calls the routine at ``BIG_PROC`` with the argument 0, and
    reads 40 bytes at ``ARRAY_ADDRESS`` from the state the call ended in.

    Returns:
        The 40 bytes read, with leading and trailing NUL bytes stripped.
    """
    project = angr.Project('challenge-7.sys', load_options={'auto_load_libs': False})

    # length=0 means the hook replaces no instructions: before_tea_decrypt
    # runs at 0xadc31, ahead of the call to tea_decrypt (0x100f0), and the
    # original code then carries on.  Zero-length hooks: credit @rhelmot.
    project.hook(0xadc31, before_tea_decrypt, length=0)

    # Target signature: one unsigned int in, one unsigned int out.
    signature = SimTypeFunction((SimTypeInt(False),), SimTypeInt(False))
    calling_conv = project.factory.cc(func_ty=signature)

    # Wrap the routine so it can be invoked like a native function.
    proc_big_68 = project.factory.callable(
        BIG_PROC, cc=calling_conv, toc=None, concrete_only=True)

    # perform_call is used instead of calling the object directly because
    # the state after the call is needed, not the return value.
    proc_big_68.perform_call(0)
    final_state = proc_big_68.result_state

    # Pull the 40-byte buffer out of memory as bytes and drop NUL padding.
    raw = final_state.solver.eval(
        final_state.memory.load(ARRAY_ADDRESS, 40), cast_to=bytes)
    return raw.strip(b'\0')