def test_mockup_modify(self): s = mozz.Session(abs_path(__file__, "mockup_basic_test.bin")) d = {'got_sig': False, 'got_mockup': 0, 'goal_fn_execd': 0, 'won': 0} @s.on_signal_default() def sig_default(host, sig): d['got_sig'] = True @s.mockup(0x4006f4, 0x400786) def skip_file_stuff(host): self.assertEqual(host.inferior().reg_pc(), 0x4006f4) d['got_mockup'] += 1 @host.with_inferior() def seteax(host): host.inferior().reg_set("rax", ord('p')) @s.at_addr("try_to_get_here") def goal_fn(host): d['goal_fn_execd'] += 1 @s.at_addr(0x40069c) def victory(host): d['won'] += 1 mozz.run_session(s) self.assertFalse(d['got_sig']) self.assertEqual(d['got_mockup'], 1) self.assertEqual(d['goal_fn_execd'], 1) self.assertEqual(d['won'], 1)
def test_addr_basic(self): s = mozz.Session(abs_path(__file__, "addr_basic_test.bin")) d = { 'got_cb': 0, 'got_sig': False, 'got_sym_cb': 0, 'got_offset_cb': 0 } @s.on_signal_default() def sig_default(host, sig): d['got_sig'] = True @s.at_addr(0x4004f4) def at_main(host): d['got_cb'] += 1 @s.at_addr("main") def at_main(host): self.assertEqual(0x4004f4, host.inferior().reg_pc()) d['got_sym_cb'] += 1 @s.at_addr(("main", 1)) def at_main(host): self.assertEqual(0x4004f5, host.inferior().reg_pc()) d['got_offset_cb'] += 1 mozz.run_session(s) self.assertEqual(d['got_cb'], 1) self.assertFalse(d['got_sig']) self.assertEqual(d['got_sym_cb'], 1) self.assertEqual(d['got_offset_cb'], 1)
def test_mockup_modify(self): s = mozz.Session(abs_path(__file__, "skip_basic_test.bin")) d = { 'got_sig': False, 'goal_fn_execd': 0, 'won': 0 } @s.on_signal_default() def sig_default(host, sig): d['got_sig'] = True @s.at_addr("try_to_get_here") def goal_fn(host): d['goal_fn_execd'] += 1 @s.at_addr(0x40069c) def victory(host): d['won'] += 1 s.skip(0x4006f4, 0x400786) s.skip("try_to_get_here", 0x400697) mozz.run_session(s) self.assertFalse(d['got_sig']) self.assertEqual(d['goal_fn_execd'], 1) self.assertEqual(d['won'], 1)
def test_mockup_jump(self): s = mozz.Session(abs_path(__file__, "mockup_basic_test.bin")) d = { 'got_sig': False, 'got_mockup': 0, 'goal_fn_execd': 0 } @s.on_signal_default() def sig_default(host, sig): d['got_sig'] = True @s.mockup(0x4006f4, 0x400786) def skip_file_stuff(host): self.assertEqual(host.inferior().reg_pc(), 0x4006f4) d['got_mockup'] += 1 @s.at_addr("try_to_get_here") def goal_fn(host): d['goal_fn_execd'] += 1 mozz.run_session(s) self.assertFalse(d['got_sig']) self.assertEqual(d['got_mockup'], 1) self.assertEqual(d['goal_fn_execd'], 1)
def test_mockup_function5(self): arch = mozz.system.architecture() if arch != mozz.system.ARCH_X86_64: return #this test not yet supported on non x86_64 systems s = mozz.Session(abs_path(__file__, "function_test.bin")) s.set_calling_convention(native_convention()) result = { 'count': 0, 'params_correct': [0, 0, 0], 'default_case': 0, 'checkpoint3': 0 } @s.at_addr("default_case") def default_case(host): result['default_case'] = 1 @s.at_function("checkpoint3", TCInt32, TCInt32) def checkpoint3(host, fn_ctx, n, status, status2): result['checkpoint3'] = 1 self.assertEqual(status.value(), 0x8000) self.assertEqual(status2.value(), 345987) @s.mockup_function("test_function", TCInt32, TCInt8, TCInt16, TCUInt32, TCInt32, Pointer64, Pointer64, Pointer64) def test_function(host, fn_ctx, n, a, b, c, d, e, \ buf1, buf2, output_var): host.log("test_function(%d):" % n) host.log(" a=%d" % a.value()) host.log(" b=%d" % b.value()) host.log(" c=%d" % c.value()) host.log(" d=%d" % d.value()) host.log(" e=%d" % e.value()) host.log(" buf1=%x:%r" % (buf1.value(), buf1.string(host))) host.log(" buf2=%x:%r" % (buf2.value(), buf2.string(host))) host.log(" output_var=%x" % output_var.value()) result['count'] += 1 if n < 3 and self.check_params(n, host, a, b, c, d, e, buf1, buf2): result['params_correct'][n] = 1 if n == 2: d.set(0x98989898) e.set(0) c.set(0) a.set(0) return None # dont do mockup, execute function else: return 0 mozz.run_session(s) self.assertEqual(result['count'], 3) for i in range(3): print("check params #%d" % i) self.assertEqual(result['params_correct'][i], 1) self.assertEqual(result['checkpoint3'], 1) self.assertEqual(result['default_case'], 1)
def test_session_iter(self): s = mozz.Session(abs_path(__file__, "session_iter_test.bin"), 10) state = [0] @s.on_inferior_pre() def inf_pre(host): state[0] += 1 mozz.debug("i=%d" % state[0]) self.assertEqual(s.iteration(), state[0]) mozz.run_session(s) self.assertEqual(s.iteration(), 10)
def test_run_exit(self): s = mozz.Session(abs_path(__file__, "run_exit_test.bin"), 2) state = [0] @s.on_run() def run(host): mozz.debug("cb run") self.assertEqual(s.iteration(), 0) self.assertEqual(state[0], 0) state[0] += 1 def offset(): return (s.iteration() - 1) * 4 @s.on_inferior_pre() def inf_pre(host): mozz.debug("cb inf pre") self.assertEqual(state[0], offset() + 1) state[0] += 1 @s.at_entry() def entry(host): pc = host.inferior().reg_pc() mozz.debug("entry point is 0x%x" % (pc)) self.assertEqual(pc, 0x400410) self.assertEqual(state[0], offset() + 2) state[0] += 1 @s.on_exit() def on_exit(host): mozz.debug("cb exit") self.assertEqual(state[0], offset() + 3) state[0] += 1 @s.on_inferior_post() def on_inf_post(host): mozz.debug("cb inf post") self.assertEqual(state[0], offset() + 4) state[0] += 1 @s.on_finish() def finish(host): mozz.debug("cb finish") self.assertEqual(s.iteration(), 2) self.assertEqual(state[0], offset() + 5) state[0] += 1 mozz.run_session(s) mozz.debug("session over") self.assertEqual(s.iteration(), 2) self.assertEqual(state[0], offset() + 6)
def test_run_exit(self): s = mozz.Session(abs_path(__file__, "run_exit_test.bin"), 2) state = [0] @s.on_run() def run(host): mozz.debug("cb run") self.assertEqual(s.iteration(), 0) self.assertEqual(state[0], 0) state[0] += 1 def offset(): return (s.iteration()-1)*4 @s.on_inferior_pre() def inf_pre(host): mozz.debug("cb inf pre") self.assertEqual(state[0], offset() + 1) state[0] += 1 @s.at_entry() def entry(host): pc = host.inferior().reg_pc() mozz.debug("entry point is 0x%x" % (pc)) self.assertEqual(pc, 0x400410) self.assertEqual(state[0], offset() + 2) state[0] += 1 @s.on_exit() def on_exit(host): mozz.debug("cb exit") self.assertEqual(state[0], offset() + 3) state[0] += 1 @s.on_inferior_post() def on_inf_post(host): mozz.debug("cb inf post") self.assertEqual(state[0], offset() + 4) state[0] += 1 @s.on_finish() def finish(host): mozz.debug("cb finish") self.assertEqual(s.iteration(), 2) self.assertEqual(state[0], offset() + 5) state[0] += 1 mozz.run_session(s) mozz.debug("session over") self.assertEqual(s.iteration(), 2) self.assertEqual(state[0], offset() + 6)
def test_mockup_function4(self): arch = mozz.system.architecture() if arch != mozz.system.ARCH_X86_64: return #this test not yet supported on non x86_64 systems s = mozz.Session(abs_path(__file__, "function_test.bin")) s.set_calling_convention(native_convention()) result = { 'count': 0, 'params_correct': [0,0,0], 'default_case': 0 } @s.at_addr("default_case") def default_case(host): result['default_case'] = 1 @s.mockup_function( "test_function", TCInt32, TCInt8, TCInt16, TCUInt32, TCInt32, Pointer64, Pointer64, Pointer64 ) def test_function(host, fn_ctx, n, a, b, c, d, e, \ buf1, buf2, output_var): host.log("test_function(%d):" % n) host.log(" a=%d" % a.value()) host.log(" b=%d" % b.value()) host.log(" c=%d" % c.value()) host.log(" d=%d" % d.value()) host.log(" e=%d" % e.value()) host.log(" buf1=%x:%r" % (buf1.value(), buf1.string(host))) host.log(" buf2=%x:%r" % (buf2.value(), buf2.string(host))) host.log(" output_var=%x" % output_var.value()) result['count'] += 1 if n < 3 and self.check_params(n,host,a,b,c,d,e,buf1,buf2): result['params_correct'][n] = 1 if n == 2: output_var.deref(host, TCInt32).set(0xc0bb13) return 4567 else: return 0 mozz.run_session(s) self.assertEqual(result['count'], 3) for i in range(3): print("check params #%d" % i) self.assertEqual(result['params_correct'][i], 1) self.assertEqual(result['default_case'], 0)
def test_default_sig(self): s = mozz.Session(abs_path(__file__, "signal1_test.bin")) d = { 'sig_count': 0 } @s.on_signal_default() def default_sig(host, sig): d['sig_count'] += 1 self.assertEqual(sig, mozz.sig.SIGINT) mozz.run_session(s) self.assertEqual(d['sig_count'], 1)
def test_mockup_fake_file(self): s = mozz.Session(abs_path(__file__, "mockup_fakefile_test.bin")) d = { 'got_sig': False, 'got_fake_fp': 0, 'got_fake_read': 0, 'goal_fn_execd': 0, 'won': 0 } @s.on_signal_default() def sig_default(host, sig): d['got_sig'] = True @s.at_addr("try_to_get_here") def goal_fn(host): d['goal_fn_execd'] += 1 @s.at_addr(0x40069c) def victory(host): d['won'] += 1 fp = 0xc0ffee @s.mockup(0x4006f4, 0x4006f9) def fake_fp(host): d['got_fake_fp'] += 1 @host.with_inferior() def seteax(host): host.inferior().reg_set("rax", fp) @s.mockup(0x400730, 0x400735, locs=('rdi', )) def fake_read(host, rdi): host.log("rdi=0x%x" % rdi) d['got_fake_read'] += 1 @host.with_inferior() def blah(host): inf = host.inferior() inf.mem_write_buf(rdi, "purpledrank\x00") inf.reg_set("rax", 0x10) mozz.run_session(s) self.assertFalse(d['got_sig']) self.assertEqual(d['got_fake_fp'], 1) self.assertEqual(d['got_fake_read'], 1) self.assertEqual(d['goal_fn_execd'], 1) self.assertEqual(d['won'], 1)
def test_sigstop(self): s = mozz.Session(abs_path(__file__, "sigstop1_test.bin")) d = {'stop_count': 0} @s.on_signal_default() def default_sig(host, sig): self.assertTrue(False) # shouldnt get here @s.on_signal(mozz.sig.SIGSTOP) def on_sigstop(host): d['stop_count'] += 1 mozz.run_session(s) self.assertEqual(d['stop_count'], 1)
def test_mockup_fake_file(self): s = mozz.Session(abs_path(__file__, "mockup_fakefile_test.bin")) d = { 'got_sig': False, 'got_fake_fp': 0, 'got_fake_read': 0, 'goal_fn_execd': 0, 'won': 0 } @s.on_signal_default() def sig_default(host, sig): d['got_sig'] = True @s.at_addr("try_to_get_here") def goal_fn(host): d['goal_fn_execd'] += 1 @s.at_addr(0x40069c) def victory(host): d['won'] += 1 fp = 0xc0ffee @s.mockup(0x4006f4, 0x4006f9) def fake_fp(host): d['got_fake_fp'] += 1 @host.with_inferior() def seteax(host): host.inferior().reg_set("rax", fp) @s.mockup(0x400730, 0x400735, locs=('rdi',) ) def fake_read(host, rdi): host.log("rdi=0x%x" % rdi) d['got_fake_read'] += 1 @host.with_inferior() def blah(host): inf = host.inferior() inf.mem_write_buf(rdi, "purpledrank\x00") inf.reg_set("rax", 0x10) mozz.run_session(s) self.assertFalse(d['got_sig']) self.assertEqual(d['got_fake_fp'], 1) self.assertEqual(d['got_fake_read'], 1) self.assertEqual(d['goal_fn_execd'], 1) self.assertEqual(d['won'], 1)
def test_sigstop(self): s = mozz.Session(abs_path(__file__, "sigstop1_test.bin")) d = { 'stop_count': 0 } @s.on_signal_default() def default_sig(host, sig): self.assertTrue(False) # shouldnt get here @s.on_signal(mozz.sig.SIGSTOP) def on_sigstop(host): d['stop_count'] += 1 mozz.run_session(s) self.assertEqual(d['stop_count'], 1)
def test_sig_handler(self): s = mozz.Session(abs_path(__file__, "signal1_test.bin")) d = { 'int_count': 0 } @s.on_signal_default() def default_sig(host, sig): self.assertTrue(False) # shouldnt get here @s.on_signal(mozz.sig.SIGINT) def on_sigint(host): d['int_count'] += 1 mozz.run_session(s) self.assertEqual(d['int_count'], 1)
def test_mockup_function3(self): arch = mozz.system.architecture() if arch != mozz.system.ARCH_X86_64: return #this test not yet supported on non x86_64 systems s = mozz.Session(abs_path(__file__, "function_test.bin")) s.set_calling_convention(native_convention()) result = {'count': 0, 'params_correct': [0, 0, 0], 'default_case': 0} @s.at_addr("default_case") def default_case(host): result['default_case'] = 1 @s.mockup_function("test_function", TCInt32, TCInt8, TCInt16, TCUInt32, TCInt32, Pointer64, Pointer64, Pointer64) def test_function(host, fn_ctx, n, a, b, c, d, e, \ buf1, buf2, output_var): host.log("test_function(%d):" % n) host.log(" a=%d" % a.value()) host.log(" b=%d" % b.value()) host.log(" c=%d" % c.value()) host.log(" d=%d" % d.value()) host.log(" e=%d" % e.value()) host.log(" buf1=%x:%r" % (buf1.value(), buf1.string(host))) host.log(" buf2=%x:%r" % (buf2.value(), buf2.string(host))) host.log(" output_var=%x" % output_var.value()) result['count'] += 1 if n < 3 and self.check_params(n, host, a, b, c, d, e, buf1, buf2): result['params_correct'][n] = 1 if n == 1: output_var.deref(host, TCUInt32).set(0xc001f00d) return 84739 else: return 0 mozz.run_session(s) self.assertEqual(result['count'], 2) for i in range(2): print("check params #%d" % i) self.assertEqual(result['params_correct'][i], 1) self.assertEqual(result['default_case'], 0)
def test_start(self): s = mozz.Session(abs_path(__file__, "signal1_test.bin")) d = { 'start': 0, 'sigs': 0 } @s.on_start() def on_start(host): d['start'] += 1 @s.on_signal(mozz.sig.SIGINT) def on_sigint(host): d['sigs'] += 1 self.assertEqual(d['start'], 1) mozz.run_session(s) self.assertEqual(d['start'], 2) self.assertEqual(d['sigs'], 1)
def test_mockup_modify(self): s = mozz.Session(abs_path(__file__, "skip_basic_test.bin")) d = {'got_sig': False, 'goal_fn_execd': 0, 'won': 0} @s.on_signal_default() def sig_default(host, sig): d['got_sig'] = True @s.at_addr("try_to_get_here") def goal_fn(host): d['goal_fn_execd'] += 1 @s.at_addr(0x40069c) def victory(host): d['won'] += 1 s.skip(0x4006f4, 0x400786) s.skip("try_to_get_here", 0x400697) mozz.run_session(s) self.assertFalse(d['got_sig']) self.assertEqual(d['goal_fn_execd'], 1) self.assertEqual(d['won'], 1)
@s.mockup(0x40071c, 0x400721, regset=("rdi",)) def fake_read(host, rdi): @host.with_inferior() def do_read(host): itr = s.iteration() inf = host.inferior() l = mozz.rand.intrange(1, 16) v = mozz.rand.byte_buf(l) host.log("v=%r" % v) inf.mem_write_buf(rdi, v) inf.reg_set("rax", len(v)) s.skip(0x400820, 0x400825) @s.mockup(0x400850, 0x400853) def magic_div_by_0(host): @host.with_inferior() def seteax(host): host.inferior().reg_set("eax", 1234) @s.on_signal_default() def default_sig(host, sig): host.log("got signal: %r" % sig) @s.on_signal(mozz.sig.SIGFPE) def on_fpe(host): host.log("got fpe. set stop flag") host.session.set_flag_stop() mozz.run_session(s)
def test_run_exit(self): s = mozz.Session(abs_path(__file__, "cb_remove_test.bin"), 3) d = { 'on_pre': 0, 'on_post': 0, 'at_entry': 0, 'on_run': 0, 'on_finish': 0, 'on_sigint': 0, 'on_sig_default': 0, 'on_start': 0, 'on_start2': 0, 'on_exit': 0, 'main': 0, 'main2': 0 } @s.on_run() def run(): d['on_run'] += 1 s.del_cb_run(run) @s.on_inferior_pre() def on_pre(host): d['on_pre'] += 1 s.del_cb_inferior_pre(on_pre) @s.on_inferior_post() def on_post(host): d['on_post'] += 1 s.del_cb_inferior_post(on_post) @s.at_entry() def entry(host): d['at_entry'] += 1 s.del_cb_entry(entry) @s.on_signal(mozz.sig.SIGINT) def sigint(host): d['on_sigint'] += 1 s.del_cb_signal(mozz.sig.SIGINT, sigint) @s.on_signal_default() def sig_default(host, sig): d['on_sig_default'] += 1 s.del_cb_signal_default(sig_default) start1_first = [0] @s.on_start() def start(host): start1_first[0] += 1 d['on_start'] += 1 s.del_cb_start(start) @s.on_start() def start2(host): d['on_start2'] += 1 self.assertEqual(start1_first[0], 1) if d['on_start2'] >= 3: s.del_cb_start(start2) @s.on_exit() def on_exit(host): d['on_exit'] += 1 s.del_cb_exit(on_exit) @s.on_finish() def finish(): d['on_finish'] += 1 s.del_cb_finish(finish) main1_first = [0] @s.at_addr("main") def main(host): d['main'] += 1 main1_first[0] += 1 s.del_addr_cb_fn("main", main) @s.at_addr("main") def main2(host): d['main2'] += 1 self.assertEqual(main1_first[0], 1) mozz.run_session(s) self.assertEqual(s.iteration(), 3) self.assertEqual(d['on_pre'], 1) self.assertEqual(d['on_post'], 1) self.assertEqual(d['at_entry'], 1) self.assertEqual(d['on_run'], 0) self.assertEqual(d['on_finish'], 0) self.assertEqual(d['on_sigint'], 1) self.assertEqual(d['on_sig_default'], 1) self.assertEqual(d['on_start'], 1) self.assertEqual(d['on_start2'], 3) self.assertEqual(d['on_exit'], 1) self.assertEqual(d['main'], 1) self.assertEqual(d['main2'], 3)
def test_basic_step(self): s = mozz.Session(abs_path(__file__, "step_basic_test.bin")) state = [0] d = { 'got_step': 0, 'got_at_write': 0, 'got_after_write': 0, 'steps_after_write': 0, 'got_start': 0, 'got_sig': 0, 'got_on_exit': 0, 'got_main_ret': 0 } @s.on_start() def on_start(host): #host.log("start") d['got_start'] += 1 @s.on_signal_default() def on_sig(host): d['got_sig'] += 1 @s.on_step() def each_step(host): if host.inferior().is_in_step_into_mode(): lend = "\r" else: lend = "\n" sys.stdout.write("step %d%s" % (d['got_step'], lend)) d['got_step'] += 1 @s.at_addr("main") def main(host): self.assertEqual(state[0], 0) self.assertEqual(d['got_step'], 0) state[0] += 1 host.inferior().enter_step_over_mode() host.log("oiajsdofij") self.assertTrue(host.inferior().is_in_step_mode()) self.assertTrue(host.inferior().is_in_step_over_mode()) @s.at_addr(0x400622) def at_write(host): d['got_at_write'] += 1 self.assertEqual(d['got_step'], 22) self.assertEqual(state[0], 1) state[0] += 1 host.inferior().enter_step_into_mode() self.assertTrue(host.inferior().is_in_step_mode()) self.assertTrue(host.inferior().is_in_step_into_mode()) @s.at_addr(0x400627) def after_write(host): d['got_after_write'] += 1 self.assertGreater(d['got_step'], 22+1+1) d['steps_after_write'] = d['got_step'] self.assertEqual(state[0], 2) state[0] += 1 host.inferior().enter_step_over_mode() self.assertTrue(host.inferior().is_in_step_mode()) self.assertTrue(host.inferior().is_in_step_over_mode()) @s.at_addr(0x400658) def main_ret(host): d['got_main_ret'] += 1 self.assertEqual(state[0], 3) self.assertEqual(d['got_step'], d['steps_after_write']+10) state[0] += 1 host.inferior().exit_step_mode() self.assertFalse(host.inferior().is_in_step_mode()) @s.on_exit() def on_exit(host): host.log("inferior exited") self.assertEqual(state[0], 4) self.assertEqual(d['got_step'], d['steps_after_write']+10) d['got_on_exit'] += 1 state[0] += 1 host.log("asdfoaisjdfoij") mozz.run_session(s) self.assertEqual(d['got_at_write'], 1) self.assertEqual(d['got_after_write'], 1) self.assertEqual(state[0], 5) self.assertEqual(d['got_step'], d['steps_after_write']+10) self.assertEqual(d['got_start'], d['steps_after_write']+10+3) self.assertEqual(d['got_sig'], 0) self.assertEqual(d['got_on_exit'], 1) self.assertEqual(d['got_main_ret'], 1)