def test_cmd_line_args():
project = create_project("cmd_line_args", load_native_libs=False)
entry = project.factory.entry_state()
simgr = project.factory.simgr(entry)
simgr.run()
assert len(simgr.deadended) == 2
state1, state2 = tuple(simgr.deadended)
# get symbol of args[0] from memory
args = state1.globals['cmd_line_args']
args0_arrref = SimSootValue_ArrayRef(args, 0)
args0_strref = state1.memory.load(args0_arrref)
args0_strval = state1.memory.load(args0_strref)
# eval args[0] on both states
str1 = state1.solver.eval(args0_strval)
str2 = state2.solver.eval(args0_strval)
assert 'secret_value' in [str1, str2]
def _get_initialized_method_args(self, state, soot_method):
arg_vals = []
args_target_method = []
if 'STATIC' not in soot_method.attrs:
this = SimSootValue_ThisRef.new_object(state,
soot_method.class_name,
init_object=False)
args_target_method.append(
get_new_object_arg(this, is_this_ref=True))
for param in soot_method.params:
if param in ['byte', 'char']:
val = random.randint(0, 255)
arg_vals.append(val)
arg = get_new_primitive_arg(claripy.BVV(val, 8), param)
elif param in ['short', 'int', 'boolean']:
val = random.randint(0, 2**32)
arg_vals.append(val)
arg = get_new_primitive_arg(claripy.BVV(val, 32), param)
elif param == 'long':
val = random.randint(0, 2**64 - 1)
arg_vals.append(val)
arg = get_new_primitive_arg(claripy.BVV(val, 64), param)
elif param == 'float':
val = random.randint(0, 2**64 - 1)
arg_vals.append(val)
arg = get_new_primitive_arg(
claripy.FPV(val, claripy.FSORT_FLOAT), param)
elif param == 'double':
val = random.randint(0, 2**64 - 1)
arg_vals.append(val)
arg = get_new_primitive_arg(
claripy.FPV(val, claripy.FSORT_DOUBLE), param)
elif param == 'java.lang.String':
s = "A" * 20
arg_vals.append(s)
sym_str = claripy.StringV(s, 20)
str_ref = SimSootValue_StringRef.new_string(state, sym_str)
arg = get_new_object_arg(str_ref)
elif param.endswith('[][]'):
raise NotImplementedError
elif param.endswith('[]') and 'byte' in param:
# TODO: symbolic size?
base_ref = SimSootExpr_NewArray.new_array(
state, param[:-2], claripy.BVV(20, 32))
arg_vals.append([0x41] * 20)
for idx in range(20):
elem_ref = SimSootValue_ArrayRef(base_ref, idx)
state.memory.store(elem_ref, claripy.BVV(0x41, 8))
arg = get_new_object_arg(base_ref)
elif param.endswith('[]'):
# TODO: symbolic size?
array_ref = SimSootExpr_NewArray.new_array(
state, param[:-2], claripy.BVV(2, 32))
arg = get_new_object_arg(array_ref)
else:
obj_ref = SimSootValue_ThisRef.new_object(state,
param,
init_object=False)
if param in self.p.classes:
clx = self.p.classes[param]
for info in clx.fields.items():
# initialize strings and byte[] with some random values
name = info[0]
t = info[1][1]
if 'String' in t:
s = "A" * 20
arg_vals.append(s)
sym_str = claripy.StringV(s, 20)
str_ref = SimSootValue_StringRef.new_string(
state, sym_str)
obj_ref.set_field(state, name, t, str_ref)
if 'byte[]' in t:
print("Setting byte[]")
import ipdb
ipdb.set_trace()
arg_vals.append([0x41] * 20)
base_ref = SimSootExpr_NewArray.new_array(
state, 'byte', claripy.BVV(20, 32))
for idx in range(20):
elem_ref = SimSootValue_ArrayRef(base_ref, idx)
state.memory.store(elem_ref,
claripy.BVV(0x41, 8))
obj_ref.set_field(state, name, t, base_ref)
arg = get_new_object_arg(obj_ref)
args_target_method.append(arg)
return args_target_method, arg_vals