def test_mockup_modify(self):
s = mozz.Session(abs_path(__file__, "mockup_basic_test.bin"))
d = {'got_sig': False, 'got_mockup': 0, 'goal_fn_execd': 0, 'won': 0}
@s.on_signal_default()
def sig_default(host, sig):
d['got_sig'] = True
@s.mockup(0x4006f4, 0x400786)
def skip_file_stuff(host):
self.assertEqual(host.inferior().reg_pc(), 0x4006f4)
d['got_mockup'] += 1
@host.with_inferior()
def seteax(host):
host.inferior().reg_set("rax", ord('p'))
@s.at_addr("try_to_get_here")
def goal_fn(host):
d['goal_fn_execd'] += 1
@s.at_addr(0x40069c)
def victory(host):
d['won'] += 1
mozz.run_session(s)
self.assertFalse(d['got_sig'])
self.assertEqual(d['got_mockup'], 1)
self.assertEqual(d['goal_fn_execd'], 1)
self.assertEqual(d['won'], 1)
def test_addr_basic(self):
s = mozz.Session(abs_path(__file__, "addr_basic_test.bin"))
d = {
'got_cb': 0,
'got_sig': False,
'got_sym_cb': 0,
'got_offset_cb': 0
}
@s.on_signal_default()
def sig_default(host, sig):
d['got_sig'] = True
@s.at_addr(0x4004f4)
def at_main(host):
d['got_cb'] += 1
@s.at_addr("main")
def at_main(host):
self.assertEqual(0x4004f4, host.inferior().reg_pc())
d['got_sym_cb'] += 1
@s.at_addr(("main", 1))
def at_main(host):
self.assertEqual(0x4004f5, host.inferior().reg_pc())
d['got_offset_cb'] += 1
mozz.run_session(s)
self.assertEqual(d['got_cb'], 1)
self.assertFalse(d['got_sig'])
self.assertEqual(d['got_sym_cb'], 1)
self.assertEqual(d['got_offset_cb'], 1)
def test_mockup_function5(self):
arch = mozz.system.architecture()
if arch != mozz.system.ARCH_X86_64:
return #this test not yet supported on non x86_64 systems
s = mozz.Session(abs_path(__file__, "function_test.bin"))
s.set_calling_convention(native_convention())
result = {
'count': 0,
'params_correct': [0, 0, 0],
'default_case': 0,
'checkpoint3': 0
}
@s.at_addr("default_case")
def default_case(host):
result['default_case'] = 1
@s.at_function("checkpoint3", TCInt32, TCInt32)
def checkpoint3(host, fn_ctx, n, status, status2):
result['checkpoint3'] = 1
self.assertEqual(status.value(), 0x8000)
self.assertEqual(status2.value(), 345987)
@s.mockup_function("test_function", TCInt32, TCInt8, TCInt16, TCUInt32,
TCInt32, Pointer64, Pointer64, Pointer64)
def test_function(host, fn_ctx, n, a, b, c, d, e, \
buf1, buf2, output_var):
host.log("test_function(%d):" % n)
host.log(" a=%d" % a.value())
host.log(" b=%d" % b.value())
host.log(" c=%d" % c.value())
host.log(" d=%d" % d.value())
host.log(" e=%d" % e.value())
host.log(" buf1=%x:%r" % (buf1.value(), buf1.string(host)))
host.log(" buf2=%x:%r" % (buf2.value(), buf2.string(host)))
host.log(" output_var=%x" % output_var.value())
result['count'] += 1
if n < 3 and self.check_params(n, host, a, b, c, d, e, buf1, buf2):
result['params_correct'][n] = 1
if n == 2:
d.set(0x98989898)
e.set(0)
c.set(0)
a.set(0)
return None # dont do mockup, execute function
else:
return 0
mozz.run_session(s)
self.assertEqual(result['count'], 3)
for i in range(3):
print("check params #%d" % i)
self.assertEqual(result['params_correct'][i], 1)
self.assertEqual(result['checkpoint3'], 1)
self.assertEqual(result['default_case'], 1)
def test_run_exit(self):
s = mozz.Session(abs_path(__file__, "run_exit_test.bin"), 2)
state = [0]
@s.on_run()
def run(host):
mozz.debug("cb run")
self.assertEqual(s.iteration(), 0)
self.assertEqual(state[0], 0)
state[0] += 1
def offset():
return (s.iteration() - 1) * 4
@s.on_inferior_pre()
def inf_pre(host):
mozz.debug("cb inf pre")
self.assertEqual(state[0], offset() + 1)
state[0] += 1
@s.at_entry()
def entry(host):
pc = host.inferior().reg_pc()
mozz.debug("entry point is 0x%x" % (pc))
self.assertEqual(pc, 0x400410)
self.assertEqual(state[0], offset() + 2)
state[0] += 1
@s.on_exit()
def on_exit(host):
mozz.debug("cb exit")
self.assertEqual(state[0], offset() + 3)
state[0] += 1
@s.on_inferior_post()
def on_inf_post(host):
mozz.debug("cb inf post")
self.assertEqual(state[0], offset() + 4)
state[0] += 1
@s.on_finish()
def finish(host):
mozz.debug("cb finish")
self.assertEqual(s.iteration(), 2)
self.assertEqual(state[0], offset() + 5)
state[0] += 1
mozz.run_session(s)
mozz.debug("session over")
self.assertEqual(s.iteration(), 2)
self.assertEqual(state[0], offset() + 6)
def test_session_iter(self):
s = mozz.Session(abs_path(__file__, "session_iter_test.bin"), 10)
state = [0]
@s.on_inferior_pre()
def inf_pre(host):
state[0] += 1
mozz.debug("i=%d" % state[0])
self.assertEqual(s.iteration(), state[0])
mozz.run_session(s)
self.assertEqual(s.iteration(), 10)
def test_mockup_fake_file(self):
s = mozz.Session(abs_path(__file__, "mockup_fakefile_test.bin"))
d = {
'got_sig': False,
'got_fake_fp': 0,
'got_fake_read': 0,
'goal_fn_execd': 0,
'won': 0
}
@s.on_signal_default()
def sig_default(host, sig):
d['got_sig'] = True
@s.at_addr("try_to_get_here")
def goal_fn(host):
d['goal_fn_execd'] += 1
@s.at_addr(0x40069c)
def victory(host):
d['won'] += 1
fp = 0xc0ffee
@s.mockup(0x4006f4, 0x4006f9)
def fake_fp(host):
d['got_fake_fp'] += 1
@host.with_inferior()
def seteax(host):
host.inferior().reg_set("rax", fp)
@s.mockup(0x400730, 0x400735, locs=('rdi', ))
def fake_read(host, rdi):
host.log("rdi=0x%x" % rdi)
d['got_fake_read'] += 1
@host.with_inferior()
def blah(host):
inf = host.inferior()
inf.mem_write_buf(rdi, "purpledrank\x00")
inf.reg_set("rax", 0x10)
mozz.run_session(s)
self.assertFalse(d['got_sig'])
self.assertEqual(d['got_fake_fp'], 1)
self.assertEqual(d['got_fake_read'], 1)
self.assertEqual(d['goal_fn_execd'], 1)
self.assertEqual(d['won'], 1)
def test_default_sig(self):
s = mozz.Session(abs_path(__file__, "signal1_test.bin"))
d = {
'sig_count': 0
}
@s.on_signal_default()
def default_sig(host, sig):
d['sig_count'] += 1
self.assertEqual(sig, mozz.sig.SIGINT)
mozz.run_session(s)
self.assertEqual(d['sig_count'], 1)
def test_sigstop(self):
s = mozz.Session(abs_path(__file__, "sigstop1_test.bin"))
d = {'stop_count': 0}
@s.on_signal_default()
def default_sig(host, sig):
self.assertTrue(False) # shouldnt get here
@s.on_signal(mozz.sig.SIGSTOP)
def on_sigstop(host):
d['stop_count'] += 1
mozz.run_session(s)
self.assertEqual(d['stop_count'], 1)
def test_sig_handler(self):
s = mozz.Session(abs_path(__file__, "signal1_test.bin"))
d = {
'int_count': 0
}
@s.on_signal_default()
def default_sig(host, sig):
self.assertTrue(False) # shouldnt get here
@s.on_signal(mozz.sig.SIGINT)
def on_sigint(host):
d['int_count'] += 1
mozz.run_session(s)
self.assertEqual(d['int_count'], 1)
def test_mockup_function3(self):
arch = mozz.system.architecture()
if arch != mozz.system.ARCH_X86_64:
return #this test not yet supported on non x86_64 systems
s = mozz.Session(abs_path(__file__, "function_test.bin"))
s.set_calling_convention(native_convention())
result = {'count': 0, 'params_correct': [0, 0, 0], 'default_case': 0}
@s.at_addr("default_case")
def default_case(host):
result['default_case'] = 1
@s.mockup_function("test_function", TCInt32, TCInt8, TCInt16, TCUInt32,
TCInt32, Pointer64, Pointer64, Pointer64)
def test_function(host, fn_ctx, n, a, b, c, d, e, \
buf1, buf2, output_var):
host.log("test_function(%d):" % n)
host.log(" a=%d" % a.value())
host.log(" b=%d" % b.value())
host.log(" c=%d" % c.value())
host.log(" d=%d" % d.value())
host.log(" e=%d" % e.value())
host.log(" buf1=%x:%r" % (buf1.value(), buf1.string(host)))
host.log(" buf2=%x:%r" % (buf2.value(), buf2.string(host)))
host.log(" output_var=%x" % output_var.value())
result['count'] += 1
if n < 3 and self.check_params(n, host, a, b, c, d, e, buf1, buf2):
result['params_correct'][n] = 1
if n == 1:
output_var.deref(host, TCUInt32).set(0xc001f00d)
return 84739
else:
return 0
mozz.run_session(s)
self.assertEqual(result['count'], 2)
for i in range(2):
print("check params #%d" % i)
self.assertEqual(result['params_correct'][i], 1)
self.assertEqual(result['default_case'], 0)
def test_start(self):
s = mozz.Session(abs_path(__file__, "signal1_test.bin"))
d = {
'start': 0,
'sigs': 0
}
@s.on_start()
def on_start(host):
d['start'] += 1
@s.on_signal(mozz.sig.SIGINT)
def on_sigint(host):
d['sigs'] += 1
self.assertEqual(d['start'], 1)
mozz.run_session(s)
self.assertEqual(d['start'], 2)
self.assertEqual(d['sigs'], 1)
def test_mockup_modify(self):
s = mozz.Session(abs_path(__file__, "skip_basic_test.bin"))
d = {'got_sig': False, 'goal_fn_execd': 0, 'won': 0}
@s.on_signal_default()
def sig_default(host, sig):
d['got_sig'] = True
@s.at_addr("try_to_get_here")
def goal_fn(host):
d['goal_fn_execd'] += 1
@s.at_addr(0x40069c)
def victory(host):
d['won'] += 1
s.skip(0x4006f4, 0x400786)
s.skip("try_to_get_here", 0x400697)
mozz.run_session(s)
self.assertFalse(d['got_sig'])
self.assertEqual(d['goal_fn_execd'], 1)
self.assertEqual(d['won'], 1)
def test_basic_step(self):
s = mozz.Session(abs_path(__file__, "step_basic_test.bin"))
state = [0]
d = {
'got_step': 0,
'got_at_write': 0,
'got_after_write': 0,
'steps_after_write': 0,
'got_start': 0,
'got_sig': 0,
'got_on_exit': 0,
'got_main_ret': 0
}
@s.on_start()
def on_start(host):
#host.log("start")
d['got_start'] += 1
@s.on_signal_default()
def on_sig(host):
d['got_sig'] += 1
@s.on_step()
def each_step(host):
if host.inferior().is_in_step_into_mode():
lend = "\r"
else:
lend = "\n"
sys.stdout.write("step %d%s" % (d['got_step'], lend))
d['got_step'] += 1
@s.at_addr("main")
def main(host):
self.assertEqual(state[0], 0)
self.assertEqual(d['got_step'], 0)
state[0] += 1
host.inferior().enter_step_over_mode()
host.log("oiajsdofij")
self.assertTrue(host.inferior().is_in_step_mode())
self.assertTrue(host.inferior().is_in_step_over_mode())
@s.at_addr(0x400622)
def at_write(host):
d['got_at_write'] += 1
self.assertEqual(d['got_step'], 22)
self.assertEqual(state[0], 1)
state[0] += 1
host.inferior().enter_step_into_mode()
self.assertTrue(host.inferior().is_in_step_mode())
self.assertTrue(host.inferior().is_in_step_into_mode())
@s.at_addr(0x400627)
def after_write(host):
d['got_after_write'] += 1
self.assertGreater(d['got_step'], 22+1+1)
d['steps_after_write'] = d['got_step']
self.assertEqual(state[0], 2)
state[0] += 1
host.inferior().enter_step_over_mode()
self.assertTrue(host.inferior().is_in_step_mode())
self.assertTrue(host.inferior().is_in_step_over_mode())
@s.at_addr(0x400658)
def main_ret(host):
d['got_main_ret'] += 1
self.assertEqual(state[0], 3)
self.assertEqual(d['got_step'], d['steps_after_write']+10)
state[0] += 1
host.inferior().exit_step_mode()
self.assertFalse(host.inferior().is_in_step_mode())
@s.on_exit()
def on_exit(host):
host.log("inferior exited")
self.assertEqual(state[0], 4)
self.assertEqual(d['got_step'], d['steps_after_write']+10)
d['got_on_exit'] += 1
state[0] += 1
host.log("asdfoaisjdfoij")
mozz.run_session(s)
self.assertEqual(d['got_at_write'], 1)
self.assertEqual(d['got_after_write'], 1)
self.assertEqual(state[0], 5)
self.assertEqual(d['got_step'], d['steps_after_write']+10)
self.assertEqual(d['got_start'], d['steps_after_write']+10+3)
self.assertEqual(d['got_sig'], 0)
self.assertEqual(d['got_on_exit'], 1)
self.assertEqual(d['got_main_ret'], 1)
def test_run_exit(self):
s = mozz.Session(abs_path(__file__, "cb_remove_test.bin"), 3)
d = {
'on_pre': 0,
'on_post': 0,
'at_entry': 0,
'on_run': 0,
'on_finish': 0,
'on_sigint': 0,
'on_sig_default': 0,
'on_start': 0,
'on_start2': 0,
'on_exit': 0,
'main': 0,
'main2': 0
}
@s.on_run()
def run():
d['on_run'] += 1
s.del_cb_run(run)
@s.on_inferior_pre()
def on_pre(host):
d['on_pre'] += 1
s.del_cb_inferior_pre(on_pre)
@s.on_inferior_post()
def on_post(host):
d['on_post'] += 1
s.del_cb_inferior_post(on_post)
@s.at_entry()
def entry(host):
d['at_entry'] += 1
s.del_cb_entry(entry)
@s.on_signal(mozz.sig.SIGINT)
def sigint(host):
d['on_sigint'] += 1
s.del_cb_signal(mozz.sig.SIGINT, sigint)
@s.on_signal_default()
def sig_default(host, sig):
d['on_sig_default'] += 1
s.del_cb_signal_default(sig_default)
start1_first = [0]
@s.on_start()
def start(host):
start1_first[0] += 1
d['on_start'] += 1
s.del_cb_start(start)
@s.on_start()
def start2(host):
d['on_start2'] += 1
self.assertEqual(start1_first[0], 1)
if d['on_start2'] >= 3:
s.del_cb_start(start2)
@s.on_exit()
def on_exit(host):
d['on_exit'] += 1
s.del_cb_exit(on_exit)
@s.on_finish()
def finish():
d['on_finish'] += 1
s.del_cb_finish(finish)
main1_first = [0]
@s.at_addr("main")
def main(host):
d['main'] += 1
main1_first[0] += 1
s.del_addr_cb_fn("main", main)
@s.at_addr("main")
def main2(host):
d['main2'] += 1
self.assertEqual(main1_first[0], 1)
mozz.run_session(s)
self.assertEqual(s.iteration(), 3)
self.assertEqual(d['on_pre'], 1)
self.assertEqual(d['on_post'], 1)
self.assertEqual(d['at_entry'], 1)
self.assertEqual(d['on_run'], 0)
self.assertEqual(d['on_finish'], 0)
self.assertEqual(d['on_sigint'], 1)
self.assertEqual(d['on_sig_default'], 1)
self.assertEqual(d['on_start'], 1)
self.assertEqual(d['on_start2'], 3)
self.assertEqual(d['on_exit'], 1)
self.assertEqual(d['main'], 1)
self.assertEqual(d['main2'], 3)
#!/usr/bin/env python
import mozz
import mozz.sig
import mozz.rand
s = mozz.Session("./example-bin", 100)
s.set_target_kwargs(
stdout=mozz.redirect_stdout_to('example-bin.out')
)
@s.on_inferior_pre()
def on_inferior_pre(host):
host.log("start inferior")
s.set_target_args(
'guy',
'chuy',
'stuff',
'blah',
'A'*(mozz.rand.intrange(1, 200))
)
@s.on_exit()
def on_exit(host):
host.log("inferior exited")
@s.on_signal(mozz.sig.SIGSEGV)
def on_seg(host):
host.log("may have found vuln!")