from manticore.seth import ManticoreEVM ################ Script ####################### m = ManticoreEVM() #And now make the contract account to analyze # cat | solc --bin source_code = ''' pragma solidity ^0.4.13; contract NoDistpatcher { event Log(string); function() payable { if (msg.data[0] == 'A') { Log("Got an A"); } else{ Log("Got something else"); } } } ''' user_account = m.create_account(balance=1000) print "[+] Creating a user account", user_account contract_account = m.solidity_create_contract(source_code, owner=user_account) print "[+] Creating a contract account", contract_account print "[+] Source code:" print source_code print "[+] Now the symbolic values"
from manticore.seth import ManticoreEVM m = ManticoreEVM() m.verbosity(3) #And now make the contract account to analyze source_code = file('coverage.sol').read() user_account = m.create_account(balance=1000) bytecode = m.compile(source_code) #Initialize contract contract_account = m.create_contract(owner=user_account, balance=0, init=bytecode) m.transaction( caller=user_account, address=contract_account, value=None, data=m.SByte(164), ) #Up to here we get only ~30% coverage. #We need 2 transactions to fully explore the contract m.transaction( caller=user_account, address=contract_account, value=None, data=m.SByte(164), )
from manticore.seth import ManticoreEVM ################ Script ####################### seth = ManticoreEVM() seth.verbosity(0) #The contract account to analyze contract_source_code = ''' pragma solidity ^0.4.15; contract Reentrance { mapping (address => uint) userBalance; function getBalance(address u) constant returns(uint){ return userBalance[u]; } function addToBalance() payable{ userBalance[msg.sender] += msg.value; } function withdrawBalance(){ // send userBalance[msg.sender] ethers to msg.sender // if mgs.sender is a contract, it will call its fallback function if( ! (msg.sender.call.value(userBalance[msg.sender])() ) ){ revert(); } userBalance[msg.sender] = 0; } } '''
from manticore.seth import ManticoreEVM seth = ManticoreEVM() #And now make the contract account to analyze source_code = ''' pragma solidity ^0.4.15; contract Overflow { uint private sellerBalance=0; function add(uint value) returns (bool){ sellerBalance += value; // complicated math with possible overflow // possible auditor assert assert(sellerBalance >= value); } } ''' #Initialize user and contracts user_account = seth.create_account(balance=1000) contract_account = seth.solidity_create_contract(source_code, owner=user_account, balance=0) #First add won't overflow uint256 representation contract_account.add(seth.SValue) #Potential overflow contract_account.add(seth.SValue) print "[+] There are %d reverted states now"% len(seth.final_state_ids) for state_id in seth.final_state_ids: seth.report(state_id)
from manticore.seth import ManticoreEVM, ABI ################ Script ####################### seth = ManticoreEVM() seth.verbosity(0) #The contract account to analyze contract_source_code = ''' pragma solidity ^0.4.15; contract Reentrance { mapping (address => uint) userBalance; function getBalance(address u) constant returns(uint){ return userBalance[u]; } function addToBalance() payable{ userBalance[msg.sender] += msg.value; } function withdrawBalance(){ // send userBalance[msg.sender] ethers to msg.sender // if mgs.sender is a contract, it will call its fallback function if( ! (msg.sender.call.value(userBalance[msg.sender])() ) ){ revert(); } userBalance[msg.sender] = 0; } } //Function signatures: //c0e317fb: addToBalance()
from manticore.seth import ManticoreEVM, IntegerOverflow m = ManticoreEVM() m.register_detector(IntegerOverflow()) #And now make the contract account to analyze source_code = ''' pragma solidity ^0.4.15; contract Overflow { uint private sellerBalance=0; function add(uint value) returns (uint){ sellerBalance += value; // complicated math with possible overflow // possible auditor assert assert(sellerBalance >= value); return sellerBalance; } } ''' #Initialize user and contracts user_account = m.create_account(balance=1000) contract_account = m.solidity_create_contract(source_code, owner=user_account, balance=0) #First add won't overflow uint256 representation contract_account.add(m.make_symbolic_value()) #Potential overflow contract_account.add(m.make_symbolic_value())
from manticore.seth import ManticoreEVM ################ Script ####################### seth = ManticoreEVM() seth.verbosity(0) #And now make the contract account to analyze # cat | solc --bin source_code = ''' pragma solidity ^0.4.13; contract NoDistpatcher { event Log(string); function() payable { if (msg.data[0] == 'A') { Log("Got an A"); } else{ Log("Got something else"); } } } ''' print "[+] Creating a user account" user_account = seth.create_account(balance=1000) print "[+] Creating a contract account" contract_account = seth.solidity_create_contract(source_code, owner=user_account) print "[+] Now the symbolic values"
from manticore.seth import ManticoreEVM ################ Script ####################### m = ManticoreEVM() m.verbosity(2) #And now make the contract account to analyze # cat | solc --bin source_code = ''' pragma solidity ^0.4.13; contract Test { event Log(string); mapping(address => uint) private balances; function Test(){ balances[0x1111111111111111111111111111111111111111] = 10; balances[0x2222222222222222222222222222222222222222] = 20; balances[0x3333333333333333333333333333333333333333] = 30; balances[0x4444444444444444444444444444444444444444] = 40; balances[0x5555555555555555555555555555555555555555] = 50; } function target(address key) returns (bool){ if (balances[key] > 20) Log("Balance greater than 20"); else Log("Balance less or equal than 20"); } } '''
from manticore.seth import ManticoreEVM, ABI ################ Script ####################### m = ManticoreEVM() m.verbosity(0) #The contract account to analyze contract_source_code = ''' pragma solidity ^0.4.15; contract Reentrance { mapping (address => uint) userBalance; function getBalance(address u) constant returns(uint){ return userBalance[u]; } function addToBalance() payable{ userBalance[msg.sender] += msg.value; } function withdrawBalance(){ // send userBalance[msg.sender] ethers to msg.sender // if mgs.sender is a contract, it will call its fallback function if( ! (msg.sender.call.value(userBalance[msg.sender])() ) ){ revert(); } userBalance[msg.sender] = 0; } } //Function signatures: //c0e317fb: addToBalance()
from manticore.seth import ManticoreEVM ################ Script ####################### m = ManticoreEVM() m.verbosity(0) #And now make the contract account to analyze # cat | solc --bin source_code = ''' pragma solidity ^0.4.13; contract Test { event Log(string); function target() payable public { if (msg.value > 10) Log("Value greater than 10"); else Log("Value less or equal than 10"); } } ''' #Initialize accounts user_account = m.create_account(balance=1000) contract_account = m.solidity_create_contract(source_code, owner=user_account) contract_account.target(value=m.SValue)
from manticore.seth import ManticoreEVM ################ Script ####################### m = ManticoreEVM() m.verbosity(0) #The contract account to analyze contract_source_code = ''' pragma solidity ^0.4.15; contract Reentrance { mapping (address => uint) userBalance; function getBalance(address u) constant returns(uint){ return userBalance[u]; } function addToBalance() payable{ userBalance[msg.sender] += msg.value; } function withdrawBalance(){ // send userBalance[msg.sender] ethers to msg.sender // if mgs.sender is a contract, it will call its fallback function if( ! (msg.sender.call.value(userBalance[msg.sender])() ) ){ revert(); } userBalance[msg.sender] = 0; } } '''