def test_branching(): argv1 = claripy.BVS("argv1", 8 * 16) state = proj.factory.entry_state(args=[proj.filename, argv1]) e = ExploreInteractive(proj, state) e.do_run("") state = e.state # Try stepping and check that the state has not been changed e.do_step("") assert state == e.state, "State is not equal anymore" # Check that branch info is as expected. Bit hacky because the generated name of the variable might change during testing e.g. to argv1_51_128 instead of argv1_0_128 assert e.state.context_view._pstr_branch_info( ) == "IP: 0x40119a <main+0x51 in sym_exec.elf (0x119a)>\tCond: <Bool %s[127:120] == 80>\n\tVars: frozenset({'%s'})\n" % ( argv1.args[0], argv1.args[0]), "Branch info not as expected" s1, s2 = e.simgr.active # Pick wrong branch e.do_run("1") # One state should be deadended assert len(e.simgr.deadended) == 1, "Incorrect number of deadended states" # The other state of the last branch should now be the active one assert e.state == s1 for _ in range(0, 8): e.do_run("0") assert b'PASSWORD' in e.simgr.deadended[1].solver.eval(argv1, cast_to=bytes)
class ExplorePlugin(SimStatePlugin): def __init__( self, explorer: Optional[ExploreInteractive] = None, ): super(ExplorePlugin, self).__init__() self._explorer = explorer def set_state(self, state: SimState) -> None: super(ExplorePlugin, self).set_state(state) @SimStatePlugin.memo def copy(self, memo: Any) -> "ExplorePlugin": return ExplorePlugin(self._explorer) def __call__(self): self._explorer = ExploreInteractive(self.state.project, self.state) self._explorer.cmdloop() return self._explorer.simgr
def test_proper_termination(): state = proj.factory.entry_state() e = ExploreInteractive(proj, state) for _ in range(0, 20): e.do_step("") # Final step e.do_step("") # One state should be deadended assert len(e.simgr.deadended) == 1 # Stepping without active states should not throw an exception e.do_step("")
'base_addr': 0x555555554000 # To match gdb } }) argv = claripy.BVS('argv1', 8 * 0x17) s = p.factory.entry_state(args=[p.filename, argv]) #s.register_plugin("context_view", cv()) class NotVeryRand(angr.SimProcedure): def run(self, return_values=None): rand_idx = self.state.globals.get('rand_idx', 0) % len(return_values) out = return_values[rand_idx] self.state.globals['rand_idx'] = rand_idx + 1 return out p.hook_symbol('time', NotVeryRand(return_values=[0])) p.hook_symbol('rand', NotVeryRand(return_values=[0])) s.watches.add_watch(lambda state: state.solver.eval(argv, cast_to=bytes), "argv[1]") simgr = p.factory.simgr(s, save_unsat=True) s.context_view.pprint() e = ExploreInteractive(p, s) e.cmdloop() print("Done! e.simgr has the simgr from your session")
import claripy import angrcli.plugins.ContextView.context_view from angrcli.interaction.explore import ExploreInteractive from angrcli.plugins.ContextView.colors import Color Color.disable_colors = True location = os.path.join(os.path.dirname(os.path.realpath(__file__)), "simproc_demo.elf") proj = angr.Project(location, load_options={'auto_load_libs': False}) cfg = proj.analyses.CFGFast() state = proj.factory.entry_state() e = ExploreInteractive(proj, state) def test_sims(): e.do_step("") lines = e.state.context_view._pstr_current_codeblock().split('\n') nose.tools.assert_equal( lines[0], '__libc_start_main+0x0 in extern-address space (0x0)', "Incorrect location for __libc_start_main") nose.tools.assert_equal(lines[1], '<SimProcedure __libc_start_main>', "Incorrect code for __libc_start_main") for _ in range(0, 14): e.do_step("")
def test_interactive(): state = proj.factory.entry_state() e = ExploreInteractive(proj, state)
def __call__(self): self._explorer = ExploreInteractive(self.state.project, self.state) self._explorer.cmdloop() return self._explorer.simgr
f1 = open("mars_state1", "rb") f2 = open("mars_state2", "rb") s1 = pickle.loads(f1.read()) s2 = pickle.loads(f2.read()) f1.close() f2.close() sm = p.factory.simgr([s1, s2]) print("starting exploring") # Strategy: Explore from this point. Most constrained is good! # active[0].history.jump_guard: 0x317 == mul(__reverse(...)) # active[1].history.jump_guard: 0x317 != mul(__reverse(...)) while len(sm.deadended) == 0: print(sm) # Drop every state from 'active', except the first one (which is the most constrained one) sm.drop(stash='active', filter_func=lambda s: s != sm.active[0]) print(sm.one_active.posix.dumps(0)) # Continue to next branch sm.run(until=lambda lpg: len(lpg.deadended) > 1 or len(lpg.active) > 1) IPython.embed() print("Done!") s.context_view.pprint() # noqa: F821 e = ExploreInteractive(p, s) # noqa: F821 e.cmdloop() import IPython IPython.embed()