def test_symbolic(self):
sy = self.state.symbolicate_buffer('+++\0')
s = self._push_string(sy)
ret = strlen(self.state, s)
print solver.get_all_values(self.state.constraints, ret)
self.assertItemsEqual(range(4), solver.get_all_values(self.state.constraints, ret))
self.state.constrain(sy[0] == 0)
ret = strlen(self.state, s)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 0))
self._clear_constraints()
self.state.constrain(sy[0] != 0)
self.state.constrain(sy[1] == 0)
ret = strlen(self.state, s)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 1))
self._clear_constraints()
self.state.constrain(sy[0] != 0)
self.state.constrain(sy[1] != 0)
self.state.constrain(sy[2] == 0)
ret = strlen(self.state, s)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 2))
self._clear_constraints()
self.state.constrain(sy[0] != 0)
self.state.constrain(sy[1] != 0)
self.state.constrain(sy[2] != 0)
ret = strlen(self.state, s)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 3))
def test_symbolic_concrete(self):
s1 = 'hi\0'
s2 = self.state.symbolicate_buffer('+++\0')
strs = self._push2(s1, s2)
ret = strcmp(self.state, *strs)
self.assertTrue(solver.can_be_true(self.state.constraints, ret != 0))
self.assertTrue(solver.can_be_true(self.state.constraints, ret == 0))
self.state.constrain(s2[0] == ord('a'))
ret = strcmp(self.state, *strs)
self.assertTrue(self.state.must_be_true(ret > 0))
self._clear_constraints()
self.state.constrain(s2[0] == ord('z'))
ret = strcmp(self.state, *strs)
self.assertTrue(self.state.must_be_true(ret < 0))
self._clear_constraints()
self.state.constrain(s2[0] == ord('h'))
self.state.constrain(s2[1] == ord('i'))
ret = strcmp(self.state, *strs)
self.assertTrue(self.state.must_be_true(ret <= 0))
self.state.constrain(s2[2] == ord('\0'))
ret = strcmp(self.state, *strs)
self.assertTrue(self.state.must_be_true(ret == 0))
def test_symbolic(self):
sy = self.state.symbolicate_buffer('+++\0')
s = self._push_string(sy)
ret = strlen(self.state, s)
self.assertItemsEqual(
range(4), solver.get_all_values(self.state.constraints, ret))
self.state.constrain(sy[0] == 0)
ret = strlen(self.state, s)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 0))
self._clear_constraints()
self.state.constrain(sy[0] != 0)
self.state.constrain(sy[1] == 0)
ret = strlen(self.state, s)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 1))
self._clear_constraints()
self.state.constrain(sy[0] != 0)
self.state.constrain(sy[1] != 0)
self.state.constrain(sy[2] == 0)
ret = strlen(self.state, s)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 2))
self._clear_constraints()
self.state.constrain(sy[0] != 0)
self.state.constrain(sy[1] != 0)
self.state.constrain(sy[2] != 0)
ret = strlen(self.state, s)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 3))
def test_symbolic_actually_concrete(self):
s1 = 'ab\0'
s2 = self.state.symbolicate_buffer('d+\0')
strs = self._push2(s1, s2)
ret = strcmp(self.state, *strs)
self.assertFalse(solver.can_be_true(self.state.constraints, ret >= 0))
def test_symbolic_actually_concrete(self):
s1 = 'ab\0'
s2 = self.state.symbolicate_buffer('d+\0')
strs = self._push2(s1, s2)
ret = strcmp(self.state, *strs)
self.assertFalse(solver.can_be_true(self.state.constraints, ret >= 0))
def test_effective_null(self):
s1 = self.state.symbolicate_buffer('a+')
s2 = self.state.symbolicate_buffer('++')
strs = self._push2(s1, s2)
self.state.constrain(s1[1] == 0)
self.state.constrain(s2[0] == ord('z'))
ret = strcmp(self.state, *strs)
self.assertFalse(solver.can_be_true(self.state.constraints, ret >= 0))
def test_symbolic_mixed(self):
sy = self.state.symbolicate_buffer('a+b+\0')
s = self._push_string(sy)
self.state.constrain(sy[1] == 0)
ret = strlen(self.state, s)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 1))
self._clear_constraints()
self.state.constrain(sy[1] != 0)
self.state.constrain(sy[3] == 0)
ret = strlen(self.state, s)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 3))
self._clear_constraints()
self.state.constrain(sy[1] != 0)
self.state.constrain(sy[3] != 0)
ret = strlen(self.state, s)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 4))
def test_effective_null(self):
s1 = self.state.symbolicate_buffer('a+')
s2 = self.state.symbolicate_buffer('++')
strs = self._push2(s1, s2)
self.state.constrain(s1[1] == 0)
self.state.constrain(s2[0] == ord('z'))
ret = strcmp(self.state, *strs)
self.assertFalse(solver.can_be_true(self.state.constraints, ret >= 0))
def test_symbolic_mixed(self):
sy = self.state.symbolicate_buffer('a+b+\0')
s = self._push_string(sy)
self.state.constrain(sy[1] == 0)
ret = strlen(self.state, s)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 1))
self._clear_constraints()
self.state.constrain(sy[1] != 0)
self.state.constrain(sy[3] == 0)
ret = strlen(self.state, s)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 3))
self._clear_constraints()
self.state.constrain(sy[1] != 0)
self.state.constrain(sy[3] != 0)
ret = strlen(self.state, s)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 4))
def test_symbolic_concrete(self):
s1 = 'hi\0'
s2 = self.state.symbolicate_buffer('+++\0')
strs = self._push2(s1, s2)
ret = strcmp(self.state, *strs)
self.assertTrue(solver.can_be_true(self.state.constraints, ret != 0))
self.assertTrue(solver.can_be_true(self.state.constraints, ret == 0))
self.state.constrain(s2[0] == ord('a'))
ret = strcmp(self.state, *strs)
self.assertFalse(solver.can_be_true(self.state.constraints, ret <= 0))
self._clear_constraints()
self.state.constrain(s2[0] == ord('z'))
ret = strcmp(self.state, *strs)
self.assertFalse(solver.can_be_true(self.state.constraints, ret >= 0))
self._clear_constraints()
self.state.constrain(s2[0] == ord('h'))
self.state.constrain(s2[1] == ord('i'))
ret = strcmp(self.state, *strs)
self.assertFalse(solver.can_be_true(self.state.constraints, ret > 0))
self.state.constrain(s2[2] == ord('\0'))
ret = strcmp(self.state, *strs)
self.assertFalse(solver.can_be_true(self.state.constraints, ret != 0))
def will_decode_instruction_callback(self, state, pc):
TRUE = bytearray((0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1))
FALSE = bytearray((0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0))
#print pc, state.platform.current_vm.instruction
#Once this address is reached the challenge is won
if pc == 0x4141414141414141414141414141414141414141:
func_id = to_constant(state.platform.current_transaction.data[:4])
if func_id == ABI.make_function_id("print(string)"):
func_name, args = ABI.parse("print(string)", state.platform.current_transaction.data)
raise Return()
elif func_id == ABI.make_function_id("terminate(string)"):
func_name, args = ABI.parse("terminate(string)", state.platform.current_transaction.data)
self.manticore.shutdown()
raise Return(TRUE)
elif func_id == ABI.make_function_id("assume(bool)"):
func_name, args = ABI.parse("assume(bool)", state.platform.current_transaction.data)
state.add(args[0])
raise Return(TRUE)
elif func_id == ABI.make_function_id("is_symbolic(bytes)"):
func_name, args = ABI.parse("is_symbolic(bytes)", state.platform.current_transaction.data)
try:
arg = to_constant(args[0])
except:
raise Return(TRUE)
raise Return(FALSE)
elif func_id == ABI.make_function_id("is_symbolic(uint256)"):
func_name, args = ABI.parse("is_symbolic(uint256)", state.platform.current_transaction.data)
try:
arg = to_constant(args[0])
except Exception,e:
raise Return(TRUE)
raise Return(FALSE)
elif func_id == ABI.make_function_id("shutdown(string)"):
func_name, args = ABI.parse("shutdown(string)", state.platform.current_transaction.data)
print "Shutdown", to_constant(args[0])
self.manticore.shutdown()
elif func_id == ABI.make_function_id("can_be_true(bool)"):
func_name, args = ABI.parse("can_be_true(bool)", state.platform.current_transaction.data)
result = solver.can_be_true(state.constraints, args[0] != 0)
if result:
raise Return(TRUE)
raise Return(FALSE)
raise Stop()
