def test_branching():
argv1 = claripy.BVS("argv1", 8 * 16)
state = proj.factory.entry_state(args=[proj.filename, argv1])
e = ExploreInteractive(proj, state)
e.do_run("")
state = e.state
# Try stepping and check that the state has not been changed
e.do_step("")
assert state == e.state, "State is not equal anymore"
# Check that branch info is as expected. Bit hacky because the generated name of the variable might change during testing e.g. to argv1_51_128 instead of argv1_0_128
assert e.state.context_view._pstr_branch_info(
) == "IP: 0x40119a <main+0x51 in sym_exec.elf (0x119a)>\tCond: <Bool %s[127:120] == 80>\n\tVars: frozenset({'%s'})\n" % (
argv1.args[0], argv1.args[0]), "Branch info not as expected"
s1, s2 = e.simgr.active
# Pick wrong branch
e.do_run("1")
# One state should be deadended
assert len(e.simgr.deadended) == 1, "Incorrect number of deadended states"
# The other state of the last branch should now be the active one
assert e.state == s1
for _ in range(0, 8):
e.do_run("0")
assert b'PASSWORD' in e.simgr.deadended[1].solver.eval(argv1,
cast_to=bytes)
def test_proper_termination():
state = proj.factory.entry_state()
e = ExploreInteractive(proj, state)
for _ in range(0, 20):
e.do_step("")
# Final step
e.do_step("")
# One state should be deadended
assert len(e.simgr.deadended) == 1
# Stepping without active states should not throw an exception
e.do_step("")
'base_addr': 0x555555554000 # To match gdb
}
})
argv = claripy.BVS('argv1', 8 * 0x17)
s = p.factory.entry_state(args=[p.filename, argv])
#s.register_plugin("context_view", cv())
class NotVeryRand(angr.SimProcedure):
def run(self, return_values=None):
rand_idx = self.state.globals.get('rand_idx', 0) % len(return_values)
out = return_values[rand_idx]
self.state.globals['rand_idx'] = rand_idx + 1
return out
p.hook_symbol('time', NotVeryRand(return_values=[0]))
p.hook_symbol('rand', NotVeryRand(return_values=[0]))
s.watches.add_watch(lambda state: state.solver.eval(argv, cast_to=bytes),
"argv[1]")
simgr = p.factory.simgr(s, save_unsat=True)
s.context_view.pprint()
e = ExploreInteractive(p, s)
e.cmdloop()
print("Done! e.simgr has the simgr from your session")
import claripy
import angrcli.plugins.ContextView.context_view
from angrcli.interaction.explore import ExploreInteractive
from angrcli.plugins.ContextView.colors import Color
Color.disable_colors = True
location = os.path.join(os.path.dirname(os.path.realpath(__file__)),
"simproc_demo.elf")
proj = angr.Project(location, load_options={'auto_load_libs': False})
cfg = proj.analyses.CFGFast()
state = proj.factory.entry_state()
e = ExploreInteractive(proj, state)
def test_sims():
e.do_step("")
lines = e.state.context_view._pstr_current_codeblock().split('\n')
nose.tools.assert_equal(
lines[0], '__libc_start_main+0x0 in extern-address space (0x0)',
"Incorrect location for __libc_start_main")
nose.tools.assert_equal(lines[1], '<SimProcedure __libc_start_main>',
"Incorrect code for __libc_start_main")
for _ in range(0, 14):
e.do_step("")
def test_interactive():
state = proj.factory.entry_state()
e = ExploreInteractive(proj, state)
def __call__(self):
self._explorer = ExploreInteractive(self.state.project, self.state)
self._explorer.cmdloop()
return self._explorer.simgr
f1 = open("mars_state1", "rb")
f2 = open("mars_state2", "rb")
s1 = pickle.loads(f1.read())
s2 = pickle.loads(f2.read())
f1.close()
f2.close()
sm = p.factory.simgr([s1, s2])
print("starting exploring")
# Strategy: Explore from this point. Most constrained is good!
# active[0].history.jump_guard: 0x317 == mul(__reverse(...))
# active[1].history.jump_guard: 0x317 != mul(__reverse(...))
while len(sm.deadended) == 0:
print(sm)
# Drop every state from 'active', except the first one (which is the most constrained one)
sm.drop(stash='active', filter_func=lambda s: s != sm.active[0])
print(sm.one_active.posix.dumps(0))
# Continue to next branch
sm.run(until=lambda lpg: len(lpg.deadended) > 1 or len(lpg.active) > 1)
IPython.embed()
print("Done!")
s.context_view.pprint() # noqa: F821
e = ExploreInteractive(p, s) # noqa: F821
e.cmdloop()
import IPython
IPython.embed()