angr 9.2.115__py3-none-macosx_11_0_arm64.whl → 9.2.117__py3-none-macosx_11_0_arm64.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of angr might be problematic. Click here for more details.
- angr/__init__.py +1 -1
- angr/__main__.py +1 -1
- angr/analyses/cfg/cfg_emulated.py +4 -4
- angr/analyses/cfg/indirect_jump_resolvers/jumptable.py +7 -7
- angr/analyses/cfg/indirect_jump_resolvers/mips_elf_fast.py +3 -2
- angr/analyses/decompiler/optimization_passes/stack_canary_simplifier.py +5 -1
- angr/analyses/decompiler/structured_codegen/c.py +10 -13
- angr/analyses/decompiler/structuring/dream.py +3 -4
- angr/analyses/decompiler/structuring/phoenix.py +4 -5
- angr/analyses/decompiler/structuring/structurer_base.py +2 -3
- angr/analyses/decompiler/structuring/structurer_nodes.py +3 -3
- angr/analyses/identifier/functions/free.py +3 -1
- angr/analyses/identifier/identify.py +13 -15
- angr/analyses/identifier/runner.py +2 -2
- angr/analyses/reaching_definitions/dep_graph.py +62 -5
- angr/analyses/reaching_definitions/function_handler_library/__init__.py +11 -0
- angr/analyses/reaching_definitions/function_handler_library/stdio.py +15 -13
- angr/analyses/reaching_definitions/function_handler_library/stdlib.py +17 -11
- angr/analyses/reaching_definitions/function_handler_library/string.py +1 -1
- angr/analyses/reaching_definitions/function_handler_library/unistd.py +2 -2
- angr/analyses/reaching_definitions/rd_state.py +26 -29
- angr/analyses/variable_recovery/engine_vex.py +0 -9
- angr/analyses/vfg.py +4 -4
- angr/calling_conventions.py +4 -2
- angr/concretization_strategies/any_named.py +3 -1
- angr/concretization_strategies/controlled_data.py +4 -2
- angr/concretization_strategies/signed_add.py +3 -1
- angr/engines/concrete.py +3 -1
- angr/engines/pcode/behavior.py +2 -0
- angr/engines/pcode/cc.py +2 -0
- angr/engines/pcode/emulate.py +4 -4
- angr/engines/pcode/engine.py +3 -7
- angr/engines/soot/engine.py +7 -6
- angr/engines/soot/expressions/constants.py +6 -5
- angr/engines/soot/expressions/newArray.py +3 -1
- angr/engines/soot/expressions/newMultiArray.py +3 -1
- angr/engines/soot/statements/goto.py +3 -1
- angr/engines/soot/statements/if_.py +3 -1
- angr/engines/soot/statements/switch.py +3 -1
- angr/engines/soot/statements/throw.py +4 -2
- angr/engines/soot/values/arrayref.py +5 -5
- angr/engines/unicorn.py +8 -7
- angr/engines/vex/heavy/concretizers.py +6 -6
- angr/engines/vex/heavy/dirty.py +20 -22
- angr/engines/vex/heavy/heavy.py +4 -8
- angr/exploration_techniques/director.py +1 -1
- angr/exploration_techniques/driller_core.py +3 -1
- angr/exploration_techniques/tracer.py +2 -1
- angr/knowledge_plugins/key_definitions/live_definitions.py +12 -13
- angr/lib/angr_native.dylib +0 -0
- angr/procedures/cgc/allocate.py +8 -10
- angr/procedures/cgc/deallocate.py +10 -3
- angr/procedures/cgc/fdwait.py +15 -13
- angr/procedures/cgc/random.py +11 -5
- angr/procedures/cgc/receive.py +5 -3
- angr/procedures/cgc/transmit.py +5 -4
- angr/procedures/glibc/__libc_start_main.py +5 -4
- angr/procedures/java_jni/__init__.py +4 -4
- angr/procedures/java_jni/array_operations.py +3 -1
- angr/procedures/java_lang/string.py +1 -1
- angr/procedures/java_util/random.py +3 -1
- angr/procedures/libc/access.py +4 -2
- angr/procedures/libc/feof.py +4 -3
- angr/procedures/libc/fgetc.py +3 -1
- angr/procedures/libc/fgets.py +5 -5
- angr/procedures/libc/fopen.py +5 -4
- angr/procedures/libc/fread.py +4 -3
- angr/procedures/libc/fseek.py +4 -3
- angr/procedures/libc/getdelim.py +7 -4
- angr/procedures/libc/gets.py +4 -2
- angr/procedures/libc/memcmp.py +18 -15
- angr/procedures/libc/memset.py +9 -7
- angr/procedures/libc/puts.py +3 -1
- angr/procedures/libc/snprintf.py +4 -2
- angr/procedures/libc/sprintf.py +3 -1
- angr/procedures/libc/strchr.py +6 -3
- angr/procedures/libc/strcmp.py +5 -3
- angr/procedures/libc/strlen.py +3 -3
- angr/procedures/libc/strncmp.py +28 -28
- angr/procedures/libc/strncpy.py +5 -2
- angr/procedures/libc/strstr.py +10 -7
- angr/procedures/libc/strtol.py +32 -34
- angr/procedures/libc/tolower.py +3 -1
- angr/procedures/libc/toupper.py +3 -1
- angr/procedures/linux_kernel/fstat.py +13 -13
- angr/procedures/linux_kernel/fstat64.py +15 -15
- angr/procedures/linux_kernel/lseek.py +5 -3
- angr/procedures/linux_kernel/sigaction.py +4 -2
- angr/procedures/linux_kernel/sigprocmask.py +5 -3
- angr/procedures/linux_kernel/tgkill.py +3 -1
- angr/procedures/linux_kernel/time.py +7 -4
- angr/procedures/msvcr/fmode.py +3 -1
- angr/procedures/ntdll/exceptions.py +3 -1
- angr/procedures/posix/bzero.py +3 -1
- angr/procedures/posix/fdopen.py +6 -4
- angr/procedures/posix/fork.py +6 -4
- angr/procedures/posix/mmap.py +6 -3
- angr/procedures/posix/poll.py +6 -5
- angr/procedures/posix/readdir.py +10 -7
- angr/procedures/posix/select.py +4 -2
- angr/procedures/posix/send.py +4 -3
- angr/procedures/posix/sigaction.py +4 -2
- angr/procedures/posix/sim_time.py +3 -1
- angr/procedures/posix/strcasecmp.py +3 -1
- angr/procedures/posix/strtok_r.py +10 -7
- angr/procedures/stubs/Redirect.py +3 -1
- angr/procedures/stubs/ReturnChar.py +3 -3
- angr/procedures/stubs/UserHook.py +3 -1
- angr/procedures/stubs/b64_decode.py +3 -1
- angr/procedures/stubs/crazy_scanf.py +6 -4
- angr/procedures/stubs/format_parser.py +13 -15
- angr/procedures/tracer/receive.py +3 -1
- angr/procedures/tracer/transmit.py +3 -1
- angr/procedures/win32/GetLastInputInfo.py +4 -2
- angr/procedures/win32/GetProcessAffinityMask.py +4 -2
- angr/procedures/win32/gethostbyname.py +3 -1
- angr/procedures/win32/heap.py +3 -1
- angr/procedures/win32/local_storage.py +4 -2
- angr/procedures/win32/sim_time.py +7 -4
- angr/procedures/win_user32/chars.py +4 -2
- angr/procedures/win_user32/messagebox.py +3 -1
- angr/sim_procedure.py +7 -7
- angr/sim_state.py +10 -7
- angr/sim_type.py +3 -3
- angr/simos/cgc.py +2 -2
- angr/simos/simos.py +5 -4
- angr/simos/windows.py +5 -5
- angr/state_plugins/heap/heap_brk.py +5 -3
- angr/state_plugins/heap/heap_ptmalloc.py +5 -4
- angr/state_plugins/history.py +7 -5
- angr/state_plugins/light_registers.py +2 -2
- angr/state_plugins/plugin.py +2 -2
- angr/state_plugins/posix.py +28 -26
- angr/state_plugins/preconstrainer.py +2 -1
- angr/state_plugins/solver.py +11 -27
- angr/state_plugins/trace_additions.py +9 -13
- angr/state_plugins/uc_manager.py +4 -2
- angr/state_plugins/unicorn_engine.py +1 -1
- angr/state_plugins/view.py +1 -1
- angr/storage/file.py +21 -26
- angr/storage/memory_mixins/actions_mixin.py +4 -2
- angr/storage/memory_mixins/address_concretization_mixin.py +3 -3
- angr/storage/memory_mixins/default_filler_mixin.py +6 -4
- angr/storage/memory_mixins/javavm_memory/javavm_memory_mixin.py +7 -5
- angr/storage/memory_mixins/paged_memory/paged_memory_mixin.py +1 -1
- angr/storage/memory_mixins/paged_memory/pages/cooperation.py +2 -1
- angr/storage/memory_mixins/regioned_memory/abstract_merger_mixin.py +1 -1
- angr/storage/memory_mixins/regioned_memory/region_data.py +3 -1
- angr/storage/memory_mixins/regioned_memory/region_meta_mixin.py +1 -1
- angr/storage/memory_mixins/regioned_memory/regioned_memory_mixin.py +5 -4
- angr/storage/memory_mixins/simple_interface_mixin.py +2 -2
- angr/storage/memory_mixins/size_resolution_mixin.py +3 -1
- angr/storage/memory_mixins/slotted_memory.py +1 -1
- angr/storage/memory_mixins/smart_find_mixin.py +2 -2
- angr/storage/memory_mixins/symbolic_merger_mixin.py +5 -3
- angr/tablespecs.py +3 -3
- {angr-9.2.115.dist-info → angr-9.2.117.dist-info}/METADATA +7 -7
- {angr-9.2.115.dist-info → angr-9.2.117.dist-info}/RECORD +162 -162
- {angr-9.2.115.dist-info → angr-9.2.117.dist-info}/WHEEL +1 -1
- {angr-9.2.115.dist-info → angr-9.2.117.dist-info}/LICENSE +0 -0
- {angr-9.2.115.dist-info → angr-9.2.117.dist-info}/entry_points.txt +0 -0
- {angr-9.2.115.dist-info → angr-9.2.117.dist-info}/top_level.txt +0 -0
angr/procedures/libc/strncmp.py
CHANGED
|
@@ -1,7 +1,9 @@
|
|
|
1
|
-
import angr
|
|
2
|
-
|
|
3
1
|
import logging
|
|
4
2
|
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
5
|
+
import angr
|
|
6
|
+
|
|
5
7
|
l = logging.getLogger(name=__name__)
|
|
6
8
|
|
|
7
9
|
|
|
@@ -50,9 +52,9 @@ class strncmp(angr.SimProcedure):
|
|
|
50
52
|
maxlen = max(a_strlen.max_null_index, b_strlen.max_null_index)
|
|
51
53
|
|
|
52
54
|
match_constraints.append(
|
|
53
|
-
|
|
55
|
+
claripy.Or(
|
|
54
56
|
a_len == b_len,
|
|
55
|
-
|
|
57
|
+
claripy.And(claripy.UGE(a_len, limit), claripy.UGE(b_len, limit)),
|
|
56
58
|
)
|
|
57
59
|
)
|
|
58
60
|
|
|
@@ -62,7 +64,7 @@ class strncmp(angr.SimProcedure):
|
|
|
62
64
|
if self.state.solver.single_valued(limit) and self.state.solver.eval(limit) == 0:
|
|
63
65
|
# limit is 0
|
|
64
66
|
l.debug("returning equal for 0-limit")
|
|
65
|
-
return
|
|
67
|
+
return claripy.BVV(0, 32)
|
|
66
68
|
elif (
|
|
67
69
|
self.state.solver.single_valued(a_len)
|
|
68
70
|
and self.state.solver.single_valued(b_len)
|
|
@@ -70,14 +72,14 @@ class strncmp(angr.SimProcedure):
|
|
|
70
72
|
):
|
|
71
73
|
# two empty strings
|
|
72
74
|
l.debug("returning equal for two empty strings")
|
|
73
|
-
return
|
|
75
|
+
return claripy.BVV(0, 32)
|
|
74
76
|
else:
|
|
75
77
|
# all other cases fall into this branch
|
|
76
78
|
l.debug("returning non-equal for comparison of an empty string and a non-empty string")
|
|
77
79
|
if a_strlen.max_null_index == 0:
|
|
78
|
-
return
|
|
80
|
+
return claripy.BVV(-1, 32)
|
|
79
81
|
else:
|
|
80
|
-
return
|
|
82
|
+
return claripy.BVV(1, 32)
|
|
81
83
|
|
|
82
84
|
# the bytes
|
|
83
85
|
max_byte_len = maxlen * char_size
|
|
@@ -111,9 +113,9 @@ class strncmp(angr.SimProcedure):
|
|
|
111
113
|
if a_conc != b_conc:
|
|
112
114
|
l.debug("... found mis-matching concrete bytes 0x%x and 0x%x", a_conc, b_conc)
|
|
113
115
|
if a_conc < b_conc:
|
|
114
|
-
return
|
|
116
|
+
return claripy.BVV(-1, 32)
|
|
115
117
|
else:
|
|
116
|
-
return
|
|
118
|
+
return claripy.BVV(1, 32)
|
|
117
119
|
else:
|
|
118
120
|
if self.state.mode == "static":
|
|
119
121
|
return_values.append(a_byte - b_byte)
|
|
@@ -122,17 +124,17 @@ class strncmp(angr.SimProcedure):
|
|
|
122
124
|
|
|
123
125
|
if self.state.mode != "static":
|
|
124
126
|
if ignore_case:
|
|
125
|
-
byte_constraint =
|
|
126
|
-
|
|
127
|
+
byte_constraint = claripy.Or(
|
|
128
|
+
claripy.Or(
|
|
127
129
|
a_byte == b_byte,
|
|
128
|
-
|
|
130
|
+
claripy.And(
|
|
129
131
|
ord("A") <= a_byte,
|
|
130
132
|
a_byte <= ord("Z"),
|
|
131
133
|
ord("a") <= b_byte,
|
|
132
134
|
b_byte <= ord("z"),
|
|
133
135
|
b_byte - ord(" ") == a_byte,
|
|
134
136
|
),
|
|
135
|
-
|
|
137
|
+
claripy.And(
|
|
136
138
|
ord("A") <= b_byte,
|
|
137
139
|
b_byte <= ord("Z"),
|
|
138
140
|
ord("a") <= a_byte,
|
|
@@ -140,21 +142,19 @@ class strncmp(angr.SimProcedure):
|
|
|
140
142
|
a_byte - ord(" ") == b_byte,
|
|
141
143
|
),
|
|
142
144
|
),
|
|
143
|
-
|
|
144
|
-
|
|
145
|
+
claripy.ULT(a_len, i),
|
|
146
|
+
claripy.ULE(limit, i),
|
|
145
147
|
)
|
|
146
148
|
else:
|
|
147
|
-
byte_constraint =
|
|
148
|
-
a_byte == b_byte, self.state.solver.ULT(a_len, i), self.state.solver.ULE(limit, i)
|
|
149
|
-
)
|
|
149
|
+
byte_constraint = claripy.Or(a_byte == b_byte, claripy.ULT(a_len, i), claripy.ULE(limit, i))
|
|
150
150
|
match_constraints.append(byte_constraint)
|
|
151
151
|
|
|
152
152
|
if concrete_run:
|
|
153
153
|
l.debug("concrete run made it to the end!")
|
|
154
|
-
return
|
|
154
|
+
return claripy.BVV(0, 32)
|
|
155
155
|
|
|
156
156
|
if self.state.mode == "static":
|
|
157
|
-
ret_expr =
|
|
157
|
+
ret_expr = claripy.ESI(8)
|
|
158
158
|
for expr in return_values:
|
|
159
159
|
ret_expr = ret_expr.union(expr)
|
|
160
160
|
|
|
@@ -164,17 +164,17 @@ class strncmp(angr.SimProcedure):
|
|
|
164
164
|
# make the constraints
|
|
165
165
|
|
|
166
166
|
l.debug("returning symbolic")
|
|
167
|
-
match_constraint =
|
|
168
|
-
nomatch_constraint =
|
|
167
|
+
match_constraint = claripy.And(*match_constraints)
|
|
168
|
+
nomatch_constraint = claripy.Not(match_constraint)
|
|
169
169
|
|
|
170
170
|
# l.debug("match constraints: %s", match_constraint)
|
|
171
171
|
# l.debug("nomatch constraints: %s", nomatch_constraint)
|
|
172
172
|
|
|
173
|
-
match_case =
|
|
174
|
-
nomatch_case =
|
|
175
|
-
l0_case =
|
|
176
|
-
empty_case =
|
|
173
|
+
match_case = claripy.And(limit != 0, match_constraint, ret_expr == 0)
|
|
174
|
+
nomatch_case = claripy.And(limit != 0, nomatch_constraint, ret_expr == 1)
|
|
175
|
+
l0_case = claripy.And(limit == 0, ret_expr == 0)
|
|
176
|
+
empty_case = claripy.And(a_strlen.ret_expr == 0, b_strlen.ret_expr == 0, ret_expr == 0)
|
|
177
177
|
|
|
178
|
-
self.state.add_constraints(
|
|
178
|
+
self.state.add_constraints(claripy.Or(match_case, nomatch_case, l0_case, empty_case))
|
|
179
179
|
|
|
180
180
|
return ret_expr
|
angr/procedures/libc/strncpy.py
CHANGED
|
@@ -1,6 +1,9 @@
|
|
|
1
|
-
import angr
|
|
2
1
|
import logging
|
|
3
2
|
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
5
|
+
import angr
|
|
6
|
+
|
|
4
7
|
l = logging.getLogger(name=__name__)
|
|
5
8
|
|
|
6
9
|
|
|
@@ -12,7 +15,7 @@ class strncpy(angr.SimProcedure):
|
|
|
12
15
|
memcpy = angr.SIM_PROCEDURES["libc"]["memcpy"]
|
|
13
16
|
|
|
14
17
|
src_len = src_len if src_len is not None else self.inline_call(strlen, src_addr).ret_expr
|
|
15
|
-
cpy_size =
|
|
18
|
+
cpy_size = claripy.If(claripy.ULE(limit, src_len + 1), limit, src_len + 1)
|
|
16
19
|
|
|
17
20
|
self.inline_call(memcpy, dst_addr, src_addr, cpy_size)
|
|
18
21
|
return dst_addr
|
angr/procedures/libc/strstr.py
CHANGED
|
@@ -1,7 +1,10 @@
|
|
|
1
|
+
import logging
|
|
2
|
+
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
1
5
|
import angr
|
|
2
6
|
from angr.sim_options import MEMORY_CHUNK_INDIVIDUAL_READS
|
|
3
7
|
|
|
4
|
-
import logging
|
|
5
8
|
|
|
6
9
|
l = logging.getLogger(name=__name__)
|
|
7
10
|
|
|
@@ -27,7 +30,7 @@ class strstr(angr.SimProcedure):
|
|
|
27
30
|
return haystack_addr
|
|
28
31
|
elif haystack_maxlen == 0:
|
|
29
32
|
l.debug("... zero-length haystack.")
|
|
30
|
-
return
|
|
33
|
+
return claripy.BVV(0, self.state.arch.bits)
|
|
31
34
|
|
|
32
35
|
if self.state.solver.symbolic(needle_strlen.ret_expr):
|
|
33
36
|
cases = [[needle_strlen.ret_expr == 0, haystack_addr]]
|
|
@@ -49,9 +52,9 @@ class strstr(angr.SimProcedure):
|
|
|
49
52
|
b_len=needle_strlen,
|
|
50
53
|
)
|
|
51
54
|
|
|
52
|
-
c =
|
|
55
|
+
c = claripy.And(
|
|
53
56
|
*(
|
|
54
|
-
[
|
|
57
|
+
[claripy.UGE(haystack_strlen.ret_expr, needle_strlen.ret_expr), cmp_res.ret_expr == 0]
|
|
55
58
|
+ not_terminated_yet_constraints
|
|
56
59
|
+ exclusions
|
|
57
60
|
)
|
|
@@ -69,10 +72,10 @@ class strstr(angr.SimProcedure):
|
|
|
69
72
|
l.debug("... exhausted remaining symbolic checks.")
|
|
70
73
|
break
|
|
71
74
|
|
|
72
|
-
cases.append([
|
|
75
|
+
cases.append([claripy.And(*exclusions), claripy.BVV(0, self.state.arch.bits)])
|
|
73
76
|
l.debug("... created %d cases", len(cases))
|
|
74
|
-
r =
|
|
75
|
-
c = [
|
|
77
|
+
r = claripy.ite_cases(cases, 0)
|
|
78
|
+
c = [claripy.Or(*[c for c, _ in cases])]
|
|
76
79
|
else:
|
|
77
80
|
needle_length = self.state.solver.eval(needle_strlen.ret_expr)
|
|
78
81
|
needle_str = self.state.memory.load(needle_addr, needle_length)
|
angr/procedures/libc/strtol.py
CHANGED
|
@@ -49,9 +49,9 @@ class strtol(angr.SimProcedure):
|
|
|
49
49
|
possible_num_bytes.append(num_bytes)
|
|
50
50
|
|
|
51
51
|
# only one of the cases needed to match
|
|
52
|
-
result =
|
|
53
|
-
expression =
|
|
54
|
-
num_bytes =
|
|
52
|
+
result = claripy.ite_cases(cases[:-1], cases[-1][1])
|
|
53
|
+
expression = claripy.Or(*conditions)
|
|
54
|
+
num_bytes = claripy.ite_cases(zip(conditions, possible_num_bytes), 0)
|
|
55
55
|
return expression, result, num_bytes
|
|
56
56
|
|
|
57
57
|
@staticmethod
|
|
@@ -66,12 +66,12 @@ class strtol(angr.SimProcedure):
|
|
|
66
66
|
# the prefix must match
|
|
67
67
|
if len(prefix) > 0:
|
|
68
68
|
loaded_prefix = region.load(addr, length)
|
|
69
|
-
condition =
|
|
69
|
+
condition = claripy.And(loaded_prefix == claripy.BVV(prefix), condition)
|
|
70
70
|
total_num_bytes = num_bytes + length
|
|
71
71
|
|
|
72
72
|
# negatives
|
|
73
73
|
if prefix.startswith(b"-"):
|
|
74
|
-
value =
|
|
74
|
+
value = claripy.BVV(0, state.arch.bits) - value
|
|
75
75
|
return condition, value, total_num_bytes
|
|
76
76
|
|
|
77
77
|
@staticmethod
|
|
@@ -92,8 +92,8 @@ class strtol(angr.SimProcedure):
|
|
|
92
92
|
|
|
93
93
|
# to detect overflows we keep it in a larger bv and extract it at the end
|
|
94
94
|
num_bits = min(state.arch.bits * 2, 128)
|
|
95
|
-
current_val =
|
|
96
|
-
num_bytes =
|
|
95
|
+
current_val = claripy.BVV(0, num_bits)
|
|
96
|
+
num_bytes = claripy.BVS("num_bytes", state.arch.bits)
|
|
97
97
|
# constarints_num_bytes: a series of constraints of the form:
|
|
98
98
|
# AND(<constraint on the string guaranteeing that the number of digits is n>, num_bytes == n)
|
|
99
99
|
# these will be combined via OR and added to the state together num_bytes and the string
|
|
@@ -115,8 +115,8 @@ class strtol(angr.SimProcedure):
|
|
|
115
115
|
# identify the constraints necessary to set num_bytes to the current value
|
|
116
116
|
# the current char (i.e. the terminator if this is satisfied) should not be a char,
|
|
117
117
|
# so `condition` should be false, plus all the previous conditions should be satisfied
|
|
118
|
-
case_constraints = conditions + [
|
|
119
|
-
constraints_num_bytes.append(
|
|
118
|
+
case_constraints = conditions + [claripy.Not(condition), num_bytes == i]
|
|
119
|
+
constraints_num_bytes.append(claripy.And(*case_constraints))
|
|
120
120
|
|
|
121
121
|
# break the loop early if no value past this is viable
|
|
122
122
|
if condition.is_false():
|
|
@@ -136,13 +136,13 @@ class strtol(angr.SimProcedure):
|
|
|
136
136
|
# a digit in order for this case to generate correct models
|
|
137
137
|
char = region.load(s + length, 1)
|
|
138
138
|
condition, _ = strtol._char_to_val(char, base)
|
|
139
|
-
case_constraints.append(
|
|
140
|
-
constraints_num_bytes.append(
|
|
139
|
+
case_constraints.append(claripy.Not(condition))
|
|
140
|
+
constraints_num_bytes.append(claripy.And(*case_constraints))
|
|
141
141
|
|
|
142
142
|
# only one of the constraints need to hold
|
|
143
143
|
# since the constraints look like (num_bytes == 2 and the first 2 chars are valid, and the 3rd isn't)
|
|
144
144
|
|
|
145
|
-
final_constraint =
|
|
145
|
+
final_constraint = claripy.Or(*constraints_num_bytes)
|
|
146
146
|
if (
|
|
147
147
|
final_constraint.op == "__eq__"
|
|
148
148
|
and final_constraint.args[0] is num_bytes
|
|
@@ -154,15 +154,15 @@ class strtol(angr.SimProcedure):
|
|
|
154
154
|
else:
|
|
155
155
|
# symbolic case
|
|
156
156
|
state.add_constraints(final_constraint)
|
|
157
|
-
result =
|
|
157
|
+
result = claripy.ite_cases(cases, 0)
|
|
158
158
|
|
|
159
159
|
# overflow check
|
|
160
160
|
max_bits = state.arch.bits - 1 if signed else state.arch.bits
|
|
161
161
|
max_val = 2**max_bits - 1
|
|
162
|
-
result =
|
|
162
|
+
result = claripy.If(
|
|
163
163
|
result < max_val,
|
|
164
|
-
|
|
165
|
-
|
|
164
|
+
claripy.Extract(state.arch.bits - 1, 0, result),
|
|
165
|
+
claripy.BVV(max_val, state.arch.bits),
|
|
166
166
|
)
|
|
167
167
|
|
|
168
168
|
return expression, result, num_bytes
|
|
@@ -215,22 +215,20 @@ class strtol(angr.SimProcedure):
|
|
|
215
215
|
if base == 0:
|
|
216
216
|
# in this case the base is 16 if it starts with 0x, 8 if it starts with 0, 10 otherwise
|
|
217
217
|
# here's the possibilities
|
|
218
|
-
base_16_pred =
|
|
219
|
-
self.state.memory.load(nptr, 2) ==
|
|
220
|
-
self.state.memory.load(nptr, 3) ==
|
|
221
|
-
self.state.memory.load(nptr, 3) ==
|
|
218
|
+
base_16_pred = claripy.Or(
|
|
219
|
+
self.state.memory.load(nptr, 2) == claripy.BVV(b"0x"),
|
|
220
|
+
self.state.memory.load(nptr, 3) == claripy.BVV(b"+0x"),
|
|
221
|
+
self.state.memory.load(nptr, 3) == claripy.BVV(b"-0x"),
|
|
222
222
|
)
|
|
223
|
-
base_8_pred =
|
|
224
|
-
|
|
225
|
-
self.state.memory.load(nptr, 1) ==
|
|
226
|
-
self.state.memory.load(nptr, 2) ==
|
|
227
|
-
self.state.memory.load(nptr, 2) ==
|
|
223
|
+
base_8_pred = claripy.And(
|
|
224
|
+
claripy.Or(
|
|
225
|
+
self.state.memory.load(nptr, 1) == claripy.BVV(b"0"),
|
|
226
|
+
self.state.memory.load(nptr, 2) == claripy.BVV(b"+0"),
|
|
227
|
+
self.state.memory.load(nptr, 2) == claripy.BVV(b"-0"),
|
|
228
228
|
),
|
|
229
|
-
|
|
230
|
-
)
|
|
231
|
-
base_10_pred = self.state.solver.And(
|
|
232
|
-
self.state.solver.Not(base_16_pred), self.state.solver.Not(base_8_pred)
|
|
229
|
+
claripy.Not(base_16_pred),
|
|
233
230
|
)
|
|
231
|
+
base_10_pred = claripy.And(claripy.Not(base_16_pred), claripy.Not(base_8_pred))
|
|
234
232
|
expressions = []
|
|
235
233
|
values = []
|
|
236
234
|
num_bytes_arr = []
|
|
@@ -239,15 +237,15 @@ class strtol(angr.SimProcedure):
|
|
|
239
237
|
pred_base = zip([base_16_pred, base_10_pred, base_8_pred], [16, 10, 8])
|
|
240
238
|
for pred, sub_base in pred_base:
|
|
241
239
|
expression, value, num_bytes = self.strtol_inner(nptr, self.state, self.state.memory, sub_base, True)
|
|
242
|
-
expressions.append(
|
|
240
|
+
expressions.append(claripy.And(expression, pred))
|
|
243
241
|
values.append(value)
|
|
244
242
|
num_bytes_arr.append(num_bytes)
|
|
245
243
|
|
|
246
244
|
# we would return the Or(expressions) as the indicator whether or not it succeeded, but it's not needed
|
|
247
245
|
# for strtol
|
|
248
|
-
# expression =
|
|
249
|
-
value =
|
|
250
|
-
num_bytes =
|
|
246
|
+
# expression = claripy.Or(expressions)
|
|
247
|
+
value = claripy.ite_cases(zip(expressions, values), 0)
|
|
248
|
+
num_bytes = claripy.ite_cases(zip(expressions, num_bytes_arr), 0)
|
|
251
249
|
|
|
252
250
|
self.state.memory.store(
|
|
253
251
|
endptr, nptr + num_bytes, condition=(endptr != 0), endness=self.state.arch.memory_endness
|
|
@@ -260,4 +258,4 @@ class strtol(angr.SimProcedure):
|
|
|
260
258
|
self.state.memory.store(
|
|
261
259
|
endptr, nptr + num_bytes, condition=(endptr != 0), endness=self.state.arch.memory_endness
|
|
262
260
|
)
|
|
263
|
-
return
|
|
261
|
+
return claripy.If(expression, value, 0)
|
angr/procedures/libc/tolower.py
CHANGED
|
@@ -1,7 +1,9 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
4
6
|
class tolower(angr.SimProcedure):
|
|
5
7
|
# pylint: disable=arguments-differ
|
|
6
8
|
def run(self, c):
|
|
7
|
-
return
|
|
9
|
+
return claripy.If(claripy.And(c >= 65, c <= 90), c + 32, c) # A - Z
|
angr/procedures/libc/toupper.py
CHANGED
|
@@ -1,7 +1,9 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
4
6
|
class toupper(angr.SimProcedure):
|
|
5
7
|
# pylint: disable=arguments-differ
|
|
6
8
|
def run(self, c):
|
|
7
|
-
return
|
|
9
|
+
return claripy.If(claripy.And(c >= 97, c <= 122), c - 32, c) # a - z
|
|
@@ -31,7 +31,7 @@ class fstat(angr.SimProcedure):
|
|
|
31
31
|
store(0x18, stat.st_mode)
|
|
32
32
|
store(0x1C, stat.st_uid)
|
|
33
33
|
store(0x20, stat.st_gid)
|
|
34
|
-
store(0x24,
|
|
34
|
+
store(0x24, claripy.BVV(0, 32))
|
|
35
35
|
store(0x28, stat.st_rdev)
|
|
36
36
|
store(0x30, stat.st_size)
|
|
37
37
|
store(0x38, stat.st_blksize)
|
|
@@ -42,9 +42,9 @@ class fstat(angr.SimProcedure):
|
|
|
42
42
|
store(0x60, stat.st_mtimensec)
|
|
43
43
|
store(0x68, stat.st_ctime)
|
|
44
44
|
store(0x70, stat.st_ctimensec)
|
|
45
|
-
store(0x78,
|
|
46
|
-
store(0x80,
|
|
47
|
-
store(0x88,
|
|
45
|
+
store(0x78, claripy.BVV(0, 64))
|
|
46
|
+
store(0x80, claripy.BVV(0, 64))
|
|
47
|
+
store(0x88, claripy.BVV(0, 64))
|
|
48
48
|
|
|
49
49
|
# return struct.pack('<QQQLLLxxxxQqqqQqQqQxxxxxxxxxxxxxxxxxxxxxxxx',
|
|
50
50
|
# stat.st_dev,
|
|
@@ -84,23 +84,23 @@ class fstat(angr.SimProcedure):
|
|
|
84
84
|
store(0x60, stat.st_mtimensec)
|
|
85
85
|
store(0x68, stat.st_ctime)
|
|
86
86
|
store(0x70, stat.st_ctimensec)
|
|
87
|
-
store(0x78,
|
|
88
|
-
store(0x80,
|
|
89
|
-
store(0x88,
|
|
87
|
+
store(0x78, claripy.BVV(0, 64))
|
|
88
|
+
store(0x80, claripy.BVV(0, 64))
|
|
89
|
+
store(0x88, claripy.BVV(0, 64))
|
|
90
90
|
|
|
91
91
|
def _store_mips64(self, stat_buf, stat):
|
|
92
92
|
def store(offset, val):
|
|
93
93
|
return self.state.memory.store(stat_buf + offset, val, endness=self.state.arch.memory_endness)
|
|
94
94
|
|
|
95
95
|
store(0x00, stat.st_dev)
|
|
96
|
-
store(0x04,
|
|
96
|
+
store(0x04, claripy.BVV(0, 32 * 3))
|
|
97
97
|
store(0x10, stat.st_ino)
|
|
98
98
|
store(0x18, stat.st_mode)
|
|
99
99
|
store(0x1C, stat.st_nlink)
|
|
100
100
|
store(0x20, stat.st_uid)
|
|
101
101
|
store(0x24, stat.st_gid)
|
|
102
102
|
store(0x28, stat.st_rdev)
|
|
103
|
-
store(0x2C,
|
|
103
|
+
store(0x2C, claripy.BVV(0, 32 * 3))
|
|
104
104
|
store(0x38, stat.st_size)
|
|
105
105
|
store(0x40, stat.st_atime)
|
|
106
106
|
store(0x44, stat.st_atimensec)
|
|
@@ -109,7 +109,7 @@ class fstat(angr.SimProcedure):
|
|
|
109
109
|
store(0x50, stat.st_ctime)
|
|
110
110
|
store(0x54, stat.st_ctimensec)
|
|
111
111
|
store(0x58, stat.st_blksize)
|
|
112
|
-
store(0x5C,
|
|
112
|
+
store(0x5C, claripy.BVV(0, 32))
|
|
113
113
|
store(0x60, stat.st_blocks)
|
|
114
114
|
|
|
115
115
|
def _store_aarch64(self, stat_buf, stat):
|
|
@@ -123,10 +123,10 @@ class fstat(angr.SimProcedure):
|
|
|
123
123
|
store(0x18, stat.st_uid)
|
|
124
124
|
store(0x1C, stat.st_gid)
|
|
125
125
|
store(0x20, stat.st_rdev)
|
|
126
|
-
store(0x28,
|
|
126
|
+
store(0x28, claripy.BVV(0, 64))
|
|
127
127
|
store(0x30, stat.st_size)
|
|
128
128
|
store(0x38, stat.st_blksize)
|
|
129
|
-
store(0x3C,
|
|
129
|
+
store(0x3C, claripy.BVV(0, 32))
|
|
130
130
|
store(0x40, stat.st_blocks)
|
|
131
131
|
store(0x48, stat.st_atime)
|
|
132
132
|
store(0x50, stat.st_atimensec)
|
|
@@ -134,4 +134,4 @@ class fstat(angr.SimProcedure):
|
|
|
134
134
|
store(0x60, stat.st_mtimensec)
|
|
135
135
|
store(0x68, stat.st_ctime)
|
|
136
136
|
store(0x70, stat.st_ctimensec)
|
|
137
|
-
store(0x78,
|
|
137
|
+
store(0x78, claripy.BVV(0, 64))
|
|
@@ -62,7 +62,7 @@ class fstat64(angr.SimProcedure):
|
|
|
62
62
|
store(0x2C, stat.st_size)
|
|
63
63
|
store(0x34, stat.st_blksize)
|
|
64
64
|
store(0x38, stat.st_blocks)
|
|
65
|
-
store(0x3C,
|
|
65
|
+
store(0x3C, claripy.BVV(0, 32)) # padding
|
|
66
66
|
store(0x40, stat.st_atime)
|
|
67
67
|
store(0x44, stat.st_atimensec)
|
|
68
68
|
store(0x48, stat.st_mtime)
|
|
@@ -81,7 +81,7 @@ class fstat64(angr.SimProcedure):
|
|
|
81
81
|
store(0x18, stat.st_nlink)
|
|
82
82
|
store(0x1C, stat.st_uid)
|
|
83
83
|
store(0x20, stat.st_gid)
|
|
84
|
-
store(0x24,
|
|
84
|
+
store(0x24, claripy.BVV(0, 32))
|
|
85
85
|
store(0x28, stat.st_rdev)
|
|
86
86
|
store(0x30, stat.st_size)
|
|
87
87
|
store(0x38, stat.st_blksize)
|
|
@@ -92,9 +92,9 @@ class fstat64(angr.SimProcedure):
|
|
|
92
92
|
store(0x60, stat.st_mtimensec)
|
|
93
93
|
store(0x68, stat.st_ctime)
|
|
94
94
|
store(0x70, stat.st_ctimensec)
|
|
95
|
-
store(0x78,
|
|
96
|
-
store(0x80,
|
|
97
|
-
store(0x88,
|
|
95
|
+
store(0x78, claripy.BVV(0, 64))
|
|
96
|
+
store(0x80, claripy.BVV(0, 64))
|
|
97
|
+
store(0x88, claripy.BVV(0, 64))
|
|
98
98
|
|
|
99
99
|
def _store_ppc32(self, stat_buf, stat):
|
|
100
100
|
def store(offset, val):
|
|
@@ -107,10 +107,10 @@ class fstat64(angr.SimProcedure):
|
|
|
107
107
|
store(0x18, stat.st_uid)
|
|
108
108
|
store(0x1C, stat.st_gid)
|
|
109
109
|
store(0x20, stat.st_rdev)
|
|
110
|
-
store(0x28,
|
|
110
|
+
store(0x28, claripy.BVV(0, 64))
|
|
111
111
|
store(0x30, stat.st_size)
|
|
112
112
|
store(0x38, stat.st_blksize)
|
|
113
|
-
store(0x3C,
|
|
113
|
+
store(0x3C, claripy.BVV(0, 32))
|
|
114
114
|
store(0x40, stat.st_blocks)
|
|
115
115
|
store(0x48, stat.st_atime)
|
|
116
116
|
store(0x4C, stat.st_atimensec)
|
|
@@ -118,20 +118,20 @@ class fstat64(angr.SimProcedure):
|
|
|
118
118
|
store(0x54, stat.st_mtimensec)
|
|
119
119
|
store(0x58, stat.st_ctime)
|
|
120
120
|
store(0x5C, stat.st_ctimensec)
|
|
121
|
-
store(0x60,
|
|
122
|
-
store(0x64,
|
|
121
|
+
store(0x60, claripy.BVV(0, 32))
|
|
122
|
+
store(0x64, claripy.BVV(0, 32))
|
|
123
123
|
|
|
124
124
|
def _store_mips32(self, stat_buf, stat):
|
|
125
125
|
def store(offset, val):
|
|
126
126
|
return self.state.memory.store(stat_buf + offset, val, endness=self.state.arch.memory_endness)
|
|
127
127
|
|
|
128
128
|
store(0x00, stat.st_dev)
|
|
129
|
-
store(0x04,
|
|
129
|
+
store(0x04, claripy.BVV(0, 32 * 3))
|
|
130
130
|
store(0x10, stat.st_ino)
|
|
131
131
|
store(0x18, stat.st_uid)
|
|
132
132
|
store(0x1C, stat.st_gid)
|
|
133
133
|
store(0x20, stat.st_rdev)
|
|
134
|
-
store(0x24,
|
|
134
|
+
store(0x24, claripy.BVV(0, 32 * 3))
|
|
135
135
|
store(0x30, stat.st_size)
|
|
136
136
|
store(0x38, stat.st_atime)
|
|
137
137
|
store(0x3C, stat.st_atimensec)
|
|
@@ -140,7 +140,7 @@ class fstat64(angr.SimProcedure):
|
|
|
140
140
|
store(0x48, stat.st_ctime)
|
|
141
141
|
store(0x4C, stat.st_ctimensec)
|
|
142
142
|
store(0x50, stat.st_blksize)
|
|
143
|
-
store(0x54,
|
|
143
|
+
store(0x54, claripy.BVV(0, 32))
|
|
144
144
|
store(0x58, stat.st_blocks)
|
|
145
145
|
|
|
146
146
|
def _store_arm_eabi(self, stat_buf, stat):
|
|
@@ -148,18 +148,18 @@ class fstat64(angr.SimProcedure):
|
|
|
148
148
|
return self.state.memory.store(stat_buf + offset, val, endness=self.state.arch.memory_endness)
|
|
149
149
|
|
|
150
150
|
store(0x00, stat.st_dev)
|
|
151
|
-
store(0x02,
|
|
151
|
+
store(0x02, claripy.BVV(0, 8 * 10))
|
|
152
152
|
store(0x0C, stat.st_ino)
|
|
153
153
|
store(0x10, stat.st_mode)
|
|
154
154
|
store(0x14, stat.st_nlink)
|
|
155
155
|
store(0x18, stat.st_uid)
|
|
156
156
|
store(0x1C, stat.st_gid)
|
|
157
157
|
store(0x20, stat.st_rdev)
|
|
158
|
-
store(0x22,
|
|
158
|
+
store(0x22, claripy.BVV(0, 8 * 10))
|
|
159
159
|
store(0x2C, stat.st_size)
|
|
160
160
|
store(0x34, stat.st_blksize)
|
|
161
161
|
store(0x38, stat.st_blocks)
|
|
162
|
-
store(0x3C,
|
|
162
|
+
store(0x3C, claripy.BVV(0, 32))
|
|
163
163
|
store(0x40, stat.st_atime)
|
|
164
164
|
store(0x44, stat.st_atimensec)
|
|
165
165
|
store(0x48, stat.st_mtime)
|
|
@@ -1,7 +1,9 @@
|
|
|
1
|
-
import angr
|
|
2
|
-
|
|
3
1
|
import logging
|
|
4
2
|
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
5
|
+
import angr
|
|
6
|
+
|
|
5
7
|
l = logging.getLogger(name=__name__)
|
|
6
8
|
|
|
7
9
|
|
|
@@ -36,4 +38,4 @@ class lseek(angr.SimProcedure):
|
|
|
36
38
|
success = simfd.seek(seek, whence_str)
|
|
37
39
|
if self.state.solver.is_false(success):
|
|
38
40
|
return -1
|
|
39
|
-
return
|
|
41
|
+
return claripy.If(success, simfd.tell(), -1)
|
|
@@ -1,10 +1,12 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
4
6
|
class sigaction(angr.SimProcedure):
|
|
5
7
|
def run(self, signum, act, oldact): # pylint:disable=arguments-differ,unused-argument
|
|
6
8
|
# TODO: actually do something
|
|
7
|
-
return
|
|
9
|
+
return claripy.BVV(0, self.arch.sizeof["long"])
|
|
8
10
|
|
|
9
11
|
|
|
10
12
|
class rt_sigaction(angr.SimProcedure):
|
|
@@ -13,4 +15,4 @@ class rt_sigaction(angr.SimProcedure):
|
|
|
13
15
|
# ...hack
|
|
14
16
|
if self.state.solver.is_true(signum == 33):
|
|
15
17
|
return self.state.libc.ret_errno("EINVAL")
|
|
16
|
-
return
|
|
18
|
+
return claripy.BVV(0, self.arch.sizeof["long"])
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
@@ -9,12 +11,12 @@ class sigprocmask(angr.SimProcedure):
|
|
|
9
11
|
self.state.posix.sigprocmask(how, self.state.memory.load(set_, sigsetsize), sigsetsize, valid_ptr=set_ != 0)
|
|
10
12
|
|
|
11
13
|
# TODO: EFAULT
|
|
12
|
-
return
|
|
13
|
-
|
|
14
|
+
return claripy.If(
|
|
15
|
+
claripy.And(
|
|
14
16
|
how != self.state.posix.SIG_BLOCK,
|
|
15
17
|
how != self.state.posix.SIG_UNBLOCK,
|
|
16
18
|
how != self.state.posix.SIG_SETMASK,
|
|
17
19
|
),
|
|
18
|
-
|
|
20
|
+
claripy.BVV(self.state.posix.EINVAL, self.arch.sizeof["int"]),
|
|
19
21
|
0,
|
|
20
22
|
)
|
|
@@ -1,7 +1,9 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
4
6
|
class tgkill(angr.SimProcedure):
|
|
5
7
|
def run(self, tgid, tid, sig): # pylint:disable=arguments-differ,unused-argument
|
|
6
8
|
# TODO: actually do something
|
|
7
|
-
return
|
|
9
|
+
return claripy.BVV(0, self.arch.sizeof["int"])
|
|
@@ -1,5 +1,8 @@
|
|
|
1
|
+
import time as py_time
|
|
2
|
+
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
1
5
|
import angr
|
|
2
|
-
import time as _time
|
|
3
6
|
|
|
4
7
|
|
|
5
8
|
class time(angr.SimProcedure):
|
|
@@ -17,10 +20,10 @@ class time(angr.SimProcedure):
|
|
|
17
20
|
def run(self, pointer):
|
|
18
21
|
# TODO lord have mercy. how big is time_t?
|
|
19
22
|
if angr.options.USE_SYSTEM_TIMES in self.state.options:
|
|
20
|
-
ts = int(
|
|
21
|
-
result =
|
|
23
|
+
ts = int(py_time.time())
|
|
24
|
+
result = claripy.BVV(ts, self.state.arch.bits)
|
|
22
25
|
else:
|
|
23
|
-
result =
|
|
26
|
+
result = claripy.BVS("sys_time", self.state.arch.bits, key=("api", "time"))
|
|
24
27
|
if self.last_time is not None:
|
|
25
28
|
self.state.add_constraints(result.SGE(self.last_time))
|
|
26
29
|
else:
|
angr/procedures/msvcr/fmode.py
CHANGED
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
@@ -17,7 +19,7 @@ class _get_fmode(angr.SimProcedure):
|
|
|
17
19
|
|
|
18
20
|
class _set_fmode(angr.SimProcedure):
|
|
19
21
|
def run(self, val):
|
|
20
|
-
if not self.state.solver.is_true(
|
|
22
|
+
if not self.state.solver.is_true(claripy.Or(val == 0x4000, val == 0x8000)):
|
|
21
23
|
return 22
|
|
22
24
|
self.state.mem[self.project.simos.fmode_ptr].int = val
|
|
23
25
|
return 0
|