def sim_block(self,
state,
stmt_whitelist=None,
last_stmt=None,
addr=None,
opt_level=None,
**block_opts):
"""
Returns a SimIRSB object with execution based on state.
:param state: The state to tick forward with this block.
The following parameters are optional:
:param stmt_whitelist: A list of stmt indexes to which to confine execution.
:param last_stmt: A statement index at which to stop execution.
:param addr: The address at which to start the block.
:param thumb: Whether the block should be lifted in ARM's THUMB mode.
:param backup_state: A state to read bytes from instead of using project memory.
:param opt_level: The VEX optimization level to use.
:param insn_bytes: A string of bytes to use for the block instead of the project.
:param max_size: The maximum size of the block, in bytes.
:param num_inst: The maximum number of instructions.
:param traceflags: traceflags to be passed to VEX. Default: 0
"""
if 'thumb' in block_opts:
raise AngrValueError(
'You are not allowed to pass in a thumb=x property to sim_block'
)
if addr is None:
addr = state.se.any_int(state.regs.ip)
thumb = False
if addr % state.arch.instruction_alignment != 0:
if state.thumb:
thumb = True
else:
raise AngrExitError(
"Address %#x does not align to alignment %d "
"for architecture %s." %
(addr, state.arch.instruction_alignment, state.arch.name))
if opt_level is None:
opt_level = 1 if o.OPTIMIZE_IR in state.options else 0
backup_state = state if self._project._support_selfmodifying_code else None
bb = self.block(addr,
arch=state.arch,
opt_level=opt_level,
thumb=thumb,
backup_state=backup_state,
**block_opts)
return SimIRSB(state,
bb.vex,
addr=addr,
whitelist=stmt_whitelist,
last_stmt=last_stmt)
def test_store_simplification():
state = SimState(arch='X86')
state.regs.esp = state.se.BVS('stack_pointer', 32)
state.regs.ebp = state.se.BVS('base_pointer', 32)
state.regs.eax = state.se.BVS('base_eax', 32)
irsb = pyvex.IRSB('PT]\xc2\x10\x00', 0x4000, state.arch)
sirsb = SimIRSB(state, irsb)
exit_state = sirsb.default_exit
nose.tools.assert_true(
claripy.backends.z3.is_true(exit_state.regs.ebp == state.regs.esp - 4))
def run(self):
if self.cleanup:
self.state.options.discard(o.AST_DEPS)
self.state.options.discard(o.AUTO_REFS)
ret_irsb = self.state.arch.disassemble_vex(self.state.arch.ret_instruction, mem_addr=self.addr)
ret_simirsb = SimIRSB(self.state, ret_irsb, inline=True, addr=self.addr)
if not ret_simirsb.flat_successors + ret_simirsb.unsat_successors:
ret_state = ret_simirsb.default_exit
else:
ret_state = (ret_simirsb.flat_successors + ret_simirsb.unsat_successors)[0]
if self.cleanup:
self.state.options.add(o.AST_DEPS)
self.state.options.add(o.AUTO_REFS)
self.add_successor(ret_state, ret_state.scratch.target, ret_state.scratch.guard, 'Ijk_Sys')
def sim_block(self,
state,
stmt_whitelist=None,
last_stmt=None,
addr=None,
opt_level=None,
**block_opts):
"""
Returns a SimIRSB object with execution based on state.
:param state: The state to tick forward with this block.
The following parameters are optional:
:param stmt_whitelist: A list of stmt indexes to which to confine execution.
:param last_stmt: A statement index at which to stop execution.
:param addr: The address at which to start the block.
:param thumb: Whether the block should be lifted in ARM's THUMB mode.
:param backup_state: A state to read bytes from instead of using project memory.
:param opt_level: The VEX optimization level to use.
:param insn_bytes: A string of bytes to use for the block instead of the project.
:param max_size: The maximum size of the block, in bytes.
:param num_inst: The maximum number of instructions.
:param traceflags: traceflags to be passed to VEX. Default: 0
"""
if 'thumb' in block_opts:
raise AngrValueError(
'You are not allowed to pass in a thumb=x property to sim_block'
)
if addr is None:
addr = state.se.any_int(state.regs.ip)
if o.STRICT_PAGE_ACCESS in state.options:
try:
perms = state.memory.permissions(addr)
except KeyError:
raise SimSegfaultError(addr, 'exec-miss')
else:
if not perms.symbolic:
perms = perms.args[0]
if not perms & 4:
raise SimSegfaultError(addr, 'non-executable')
thumb = False
if addr % state.arch.instruction_alignment != 0:
if state.thumb:
thumb = True
else:
raise AngrExitError(
"Address %#x does not align to alignment %d "
"for architecture %s." %
(addr, state.arch.instruction_alignment, state.arch.name))
if self._project._support_selfmodifying_code:
if o.OPTIMIZE_IR in state.options:
state.options.remove(o.OPTIMIZE_IR)
l.warning(
"Disabling VEX optmizations (OPTIMIZE_IR) because support for self-modifying code is enabled."
)
if opt_level > 0:
l.warning(
"Self-modifying code is not always correctly optimized by PyVEX. To guarantee correctness, VEX optimizations have been disabled."
)
opt_level = 0
if opt_level is None:
opt_level = 1 if o.OPTIMIZE_IR in state.options else 0
force_bbl_addr = block_opts.pop('force_bbl_addr', None)
while True:
bb = self.block(addr,
arch=state.arch,
opt_level=opt_level,
thumb=thumb,
backup_state=state,
**block_opts)
try:
return SimIRSB(state,
bb.vex,
addr=addr,
whitelist=stmt_whitelist,
last_stmt=last_stmt,
force_bbl_addr=force_bbl_addr)
except SimReliftException as e:
state = e.state
force_bbl_addr = state.scratch.bbl_addr
if 'insn_bytes' in block_opts:
raise AngrValueError(
"You cannot pass self-modifying code as insn_bytes!!!")
new_ip = state.scratch.ins_addr
if 'max_size' in block_opts:
block_opts['max_size'] -= new_ip - addr
if 'num_inst' in block_opts:
block_opts['num_inst'] -= state.scratch.num_insns
addr = new_ip