def test_symbolic_concrete(self): s1 = "hi\0" s2 = self.state.symbolicate_buffer("+++\0") strs = self._push2(s1, s2) ret = strcmp(self.state, *strs) self.assertTrue(Z3Solver.instance().can_be_true( self.state.constraints, ret != 0)) self.assertTrue(Z3Solver.instance().can_be_true( self.state.constraints, ret == 0)) self.state.constrain(s2[0] == ord("a")) ret = strcmp(self.state, *strs) self.assertTrue(self.state.must_be_true(ret > 0)) self._clear_constraints() self.state.constrain(s2[0] == ord("z")) ret = strcmp(self.state, *strs) self.assertTrue(self.state.must_be_true(ret < 0)) self._clear_constraints() self.state.constrain(s2[0] == ord("h")) self.state.constrain(s2[1] == ord("i")) ret = strcmp(self.state, *strs) self.assertTrue(self.state.must_be_true(ret <= 0)) self.state.constrain(s2[2] == ord("\0")) ret = strcmp(self.state, *strs) self.assertTrue(self.state.must_be_true(ret == 0))
def test_symbolic_concrete(self): s1 = 'hi\0' s2 = self.state.symbolicate_buffer('+++\0') strs = self._push2(s1, s2) ret = strcmp(self.state, *strs) self.assertTrue(Z3Solver.instance().can_be_true( self.state.constraints, ret != 0)) self.assertTrue(Z3Solver.instance().can_be_true( self.state.constraints, ret == 0)) self.state.constrain(s2[0] == ord('a')) ret = strcmp(self.state, *strs) self.assertTrue(self.state.must_be_true(ret > 0)) self._clear_constraints() self.state.constrain(s2[0] == ord('z')) ret = strcmp(self.state, *strs) self.assertTrue(self.state.must_be_true(ret < 0)) self._clear_constraints() self.state.constrain(s2[0] == ord('h')) self.state.constrain(s2[1] == ord('i')) ret = strcmp(self.state, *strs) self.assertTrue(self.state.must_be_true(ret <= 0)) self.state.constrain(s2[2] == ord('\0')) ret = strcmp(self.state, *strs) self.assertTrue(self.state.must_be_true(ret == 0))
def test_symbolic(self): sy = self.state.symbolicate_buffer("+++\0") s = self._push_string(sy) ret = strlen(self.state, s) self.assertItemsEqual( range(4), Z3Solver.instance().get_all_values(self.state.constraints, ret)) self.state.constrain(sy[0] == 0) ret = strlen(self.state, s) self.assertTrue(self.state.must_be_true(ret == 0)) self._clear_constraints() self.state.constrain(sy[0] != 0) self.state.constrain(sy[1] == 0) ret = strlen(self.state, s) self.assertTrue(self.state.must_be_true(ret == 1)) self._clear_constraints() self.state.constrain(sy[0] != 0) self.state.constrain(sy[1] != 0) self.state.constrain(sy[2] == 0) ret = strlen(self.state, s) self.assertTrue(self.state.must_be_true(ret == 2)) self._clear_constraints() self.state.constrain(sy[0] != 0) self.state.constrain(sy[1] != 0) self.state.constrain(sy[2] != 0) ret = strlen(self.state, s) self.assertTrue(self.state.must_be_true(ret == 3))
def _solve(self, constraints, val): results = Z3Solver.instance().get_all_values(constraints, val, maxcnt=3) # We constrain all values to single values! self.assertEqual(len(results), 1) return results[0]
def test_addmod(self): """ (declare-fun BV () (_ BitVec 256)) (declare-fun BV_2 () (_ BitVec 256)) (declare-fun BV_1 () (_ BitVec 256)) (declare-fun a_1 () (_ BitVec 256))(assert (= a_1 (bvmul BV BV_1))) (declare-fun a_2 () (_ BitVec 512))(assert (= a_2 ((_ zero_extend 256) BV))) (declare-fun a_3 () (_ BitVec 512))(assert (= a_3 ((_ zero_extend 256) BV_1))) (declare-fun a_4 () (_ BitVec 512))(assert (= a_4 (bvmul a_2 a_3))) (declare-fun a_5 () (_ BitVec 512))(assert (= a_5 ((_ zero_extend 256) BV_2))) (declare-fun a_6 () (_ BitVec 512))(assert (= a_6 (bvsmod a_4 a_5))) (declare-fun a_7 () (_ BitVec 256))(assert (= a_7 ((_ extract 255 0) a_6))) (declare-fun a_8 () (_ BitVec 256))(assert (= a_8 (bvsmod a_1 BV_2))) (declare-fun a_9 () Bool)(assert (= a_9 (= a_7 a_8))) (assert (not a_9)) (check-sat) """ from manticore.platforms import evm from manticore.core.smtlib import ConstraintSet, Z3Solver, Operators constraints = ConstraintSet() address = 0x41414141414141414141 data = b"" caller = 0x42424242424242424242 value = 0 bytecode = "" vm = evm.EVM(constraints, address, data, caller, value, bytecode) self.assertEqual(vm.ADDMOD(12323, 2343, 20), 6) self.assertEqual(vm.ADDMOD(12323, 2343, 0), 0) A, B, C = ( 0x780000002090309A004201626B1400041D318000000200008A0080089C042DA7, 0xF000000740403F7007C012807BED003BE2CE800000060000FFFFBFF7E4087033, 0x338000080FFFFF64AAAACFFCF7DBFA408000000000000270120000001E7C2ACF, ) self.assertEqual( vm.ADDMOD(A, B, C), 23067954172474524581131069693479689311231082562138745684554374357070230297856, ) a, b, c = ( constraints.new_bitvec(256), constraints.new_bitvec(256), constraints.new_bitvec(256), ) constraints.add(a == A) constraints.add(b == B) constraints.add(c == C) result = vm.ADDMOD(a, b, c) # 0x32ffffd700d073ae080133f517d922bd000000000007f1611e003fffc9239d00 self.assertEqual( Z3Solver.instance().get_all_values(constraints, result), [ 0x32FFFFD700D073AE080133F517D922BD000000000007F1611E003FFFC9239D00 ], )
def test_mulmod(self): """ (declare-fun BV () (_ BitVec 256)) (declare-fun BV_2 () (_ BitVec 256)) (declare-fun BV_1 () (_ BitVec 256)) (declare-fun a_1 () (_ BitVec 256))(assert (= a_1 (bvmul BV BV_1))) (declare-fun a_2 () (_ BitVec 512))(assert (= a_2 ((_ zero_extend 256) BV))) (declare-fun a_3 () (_ BitVec 512))(assert (= a_3 ((_ zero_extend 256) BV_1))) (declare-fun a_4 () (_ BitVec 512))(assert (= a_4 (bvmul a_2 a_3))) (declare-fun a_5 () (_ BitVec 512))(assert (= a_5 ((_ zero_extend 256) BV_2))) (declare-fun a_6 () (_ BitVec 512))(assert (= a_6 (bvsmod a_4 a_5))) (declare-fun a_7 () (_ BitVec 256))(assert (= a_7 ((_ extract 255 0) a_6))) (declare-fun a_8 () (_ BitVec 256))(assert (= a_8 (bvsmod a_1 BV_2))) (declare-fun a_9 () Bool)(assert (= a_9 (= a_7 a_8))) (assert (not a_9)) (check-sat) """ from manticore.platforms import evm from manticore.core.smtlib import ConstraintSet, Z3Solver, Operators constraints = ConstraintSet() address = 0x41414141414141414141 data = b"" caller = 0x42424242424242424242 value = 0 bytecode = "" vm = evm.EVM(constraints, address, data, caller, value, bytecode, gas=23000) self.assertEqual(vm.MULMOD(12323, 2343, 20), 9) self.assertEqual(vm.MULMOD(12323, 2343, 0), 0) A, B, C = ( 110427941548649020598956093796432407239217743554726184882600387580788736, 1048576, 4194319, ) self.assertEqual(vm.MULMOD(A, B, C), 2423129) a, b, c = ( constraints.new_bitvec(256), constraints.new_bitvec(256), constraints.new_bitvec(256), ) constraints.add(a == A) constraints.add(b == B) constraints.add(c == C) result = vm.MULMOD(a, b, c) # 0x8000000000000000000000000000000000000000000000000000000082000011 self.assertEqual( Z3Solver.instance().get_all_values(constraints, result), [2423129])
import tempfile import os import gc import pickle import fcntl import resource from itertools import * import sys from manticore.native.memory import * from manticore.utils.helpers import issymbolic from manticore.core.smtlib import Z3Solver, Operators from manticore.core.smtlib.expression import * from manticore.core.smtlib.visitors import * solver = Z3Solver.instance() class LazyMemoryTest(unittest.TestCase): _multiprocess_can_split_ = True def test_basic(self): cs = ConstraintSet() mem = LazySMemory32(cs) mem.mmap(0, 4096, 'rwx', name='map') m = mem.maps.pop() self.assertIsInstance(m, AnonMap) self.assertEqual(m.name, 'map') def test_read(self):