angr 9.2.115__py3-none-macosx_11_0_arm64.whl → 9.2.117__py3-none-macosx_11_0_arm64.whl
- angr/__init__.py +1 -1
- angr/__main__.py +1 -1
- angr/analyses/cfg/cfg_emulated.py +4 -4
- angr/analyses/cfg/indirect_jump_resolvers/jumptable.py +7 -7
- angr/analyses/cfg/indirect_jump_resolvers/mips_elf_fast.py +3 -2
- angr/analyses/decompiler/optimization_passes/stack_canary_simplifier.py +5 -1
- angr/analyses/decompiler/structured_codegen/c.py +10 -13
- angr/analyses/decompiler/structuring/dream.py +3 -4
- angr/analyses/decompiler/structuring/phoenix.py +4 -5
- angr/analyses/decompiler/structuring/structurer_base.py +2 -3
- angr/analyses/decompiler/structuring/structurer_nodes.py +3 -3
- angr/analyses/identifier/functions/free.py +3 -1
- angr/analyses/identifier/identify.py +13 -15
- angr/analyses/identifier/runner.py +2 -2
- angr/analyses/reaching_definitions/dep_graph.py +62 -5
- angr/analyses/reaching_definitions/function_handler_library/__init__.py +11 -0
- angr/analyses/reaching_definitions/function_handler_library/stdio.py +15 -13
- angr/analyses/reaching_definitions/function_handler_library/stdlib.py +17 -11
- angr/analyses/reaching_definitions/function_handler_library/string.py +1 -1
- angr/analyses/reaching_definitions/function_handler_library/unistd.py +2 -2
- angr/analyses/reaching_definitions/rd_state.py +26 -29
- angr/analyses/variable_recovery/engine_vex.py +0 -9
- angr/analyses/vfg.py +4 -4
- angr/calling_conventions.py +4 -2
- angr/concretization_strategies/any_named.py +3 -1
- angr/concretization_strategies/controlled_data.py +4 -2
- angr/concretization_strategies/signed_add.py +3 -1
- angr/engines/concrete.py +3 -1
- angr/engines/pcode/behavior.py +2 -0
- angr/engines/pcode/cc.py +2 -0
- angr/engines/pcode/emulate.py +4 -4
- angr/engines/pcode/engine.py +3 -7
- angr/engines/soot/engine.py +7 -6
- angr/engines/soot/expressions/constants.py +6 -5
- angr/engines/soot/expressions/newArray.py +3 -1
- angr/engines/soot/expressions/newMultiArray.py +3 -1
- angr/engines/soot/statements/goto.py +3 -1
- angr/engines/soot/statements/if_.py +3 -1
- angr/engines/soot/statements/switch.py +3 -1
- angr/engines/soot/statements/throw.py +4 -2
- angr/engines/soot/values/arrayref.py +5 -5
- angr/engines/unicorn.py +8 -7
- angr/engines/vex/heavy/concretizers.py +6 -6
- angr/engines/vex/heavy/dirty.py +20 -22
- angr/engines/vex/heavy/heavy.py +4 -8
- angr/exploration_techniques/director.py +1 -1
- angr/exploration_techniques/driller_core.py +3 -1
- angr/exploration_techniques/tracer.py +2 -1
- angr/knowledge_plugins/key_definitions/live_definitions.py +12 -13
- angr/lib/angr_native.dylib +0 -0
- angr/procedures/cgc/allocate.py +8 -10
- angr/procedures/cgc/deallocate.py +10 -3
- angr/procedures/cgc/fdwait.py +15 -13
- angr/procedures/cgc/random.py +11 -5
- angr/procedures/cgc/receive.py +5 -3
- angr/procedures/cgc/transmit.py +5 -4
- angr/procedures/glibc/__libc_start_main.py +5 -4
- angr/procedures/java_jni/__init__.py +4 -4
- angr/procedures/java_jni/array_operations.py +3 -1
- angr/procedures/java_lang/string.py +1 -1
- angr/procedures/java_util/random.py +3 -1
- angr/procedures/libc/access.py +4 -2
- angr/procedures/libc/feof.py +4 -3
- angr/procedures/libc/fgetc.py +3 -1
- angr/procedures/libc/fgets.py +5 -5
- angr/procedures/libc/fopen.py +5 -4
- angr/procedures/libc/fread.py +4 -3
- angr/procedures/libc/fseek.py +4 -3
- angr/procedures/libc/getdelim.py +7 -4
- angr/procedures/libc/gets.py +4 -2
- angr/procedures/libc/memcmp.py +18 -15
- angr/procedures/libc/memset.py +9 -7
- angr/procedures/libc/puts.py +3 -1
- angr/procedures/libc/snprintf.py +4 -2
- angr/procedures/libc/sprintf.py +3 -1
- angr/procedures/libc/strchr.py +6 -3
- angr/procedures/libc/strcmp.py +5 -3
- angr/procedures/libc/strlen.py +3 -3
- angr/procedures/libc/strncmp.py +28 -28
- angr/procedures/libc/strncpy.py +5 -2
- angr/procedures/libc/strstr.py +10 -7
- angr/procedures/libc/strtol.py +32 -34
- angr/procedures/libc/tolower.py +3 -1
- angr/procedures/libc/toupper.py +3 -1
- angr/procedures/linux_kernel/fstat.py +13 -13
- angr/procedures/linux_kernel/fstat64.py +15 -15
- angr/procedures/linux_kernel/lseek.py +5 -3
- angr/procedures/linux_kernel/sigaction.py +4 -2
- angr/procedures/linux_kernel/sigprocmask.py +5 -3
- angr/procedures/linux_kernel/tgkill.py +3 -1
- angr/procedures/linux_kernel/time.py +7 -4
- angr/procedures/msvcr/fmode.py +3 -1
- angr/procedures/ntdll/exceptions.py +3 -1
- angr/procedures/posix/bzero.py +3 -1
- angr/procedures/posix/fdopen.py +6 -4
- angr/procedures/posix/fork.py +6 -4
- angr/procedures/posix/mmap.py +6 -3
- angr/procedures/posix/poll.py +6 -5
- angr/procedures/posix/readdir.py +10 -7
- angr/procedures/posix/select.py +4 -2
- angr/procedures/posix/send.py +4 -3
- angr/procedures/posix/sigaction.py +4 -2
- angr/procedures/posix/sim_time.py +3 -1
- angr/procedures/posix/strcasecmp.py +3 -1
- angr/procedures/posix/strtok_r.py +10 -7
- angr/procedures/stubs/Redirect.py +3 -1
- angr/procedures/stubs/ReturnChar.py +3 -3
- angr/procedures/stubs/UserHook.py +3 -1
- angr/procedures/stubs/b64_decode.py +3 -1
- angr/procedures/stubs/crazy_scanf.py +6 -4
- angr/procedures/stubs/format_parser.py +13 -15
- angr/procedures/tracer/receive.py +3 -1
- angr/procedures/tracer/transmit.py +3 -1
- angr/procedures/win32/GetLastInputInfo.py +4 -2
- angr/procedures/win32/GetProcessAffinityMask.py +4 -2
- angr/procedures/win32/gethostbyname.py +3 -1
- angr/procedures/win32/heap.py +3 -1
- angr/procedures/win32/local_storage.py +4 -2
- angr/procedures/win32/sim_time.py +7 -4
- angr/procedures/win_user32/chars.py +4 -2
- angr/procedures/win_user32/messagebox.py +3 -1
- angr/sim_procedure.py +7 -7
- angr/sim_state.py +10 -7
- angr/sim_type.py +3 -3
- angr/simos/cgc.py +2 -2
- angr/simos/simos.py +5 -4
- angr/simos/windows.py +5 -5
- angr/state_plugins/heap/heap_brk.py +5 -3
- angr/state_plugins/heap/heap_ptmalloc.py +5 -4
- angr/state_plugins/history.py +7 -5
- angr/state_plugins/light_registers.py +2 -2
- angr/state_plugins/plugin.py +2 -2
- angr/state_plugins/posix.py +28 -26
- angr/state_plugins/preconstrainer.py +2 -1
- angr/state_plugins/solver.py +11 -27
- angr/state_plugins/trace_additions.py +9 -13
- angr/state_plugins/uc_manager.py +4 -2
- angr/state_plugins/unicorn_engine.py +1 -1
- angr/state_plugins/view.py +1 -1
- angr/storage/file.py +21 -26
- angr/storage/memory_mixins/actions_mixin.py +4 -2
- angr/storage/memory_mixins/address_concretization_mixin.py +3 -3
- angr/storage/memory_mixins/default_filler_mixin.py +6 -4
- angr/storage/memory_mixins/javavm_memory/javavm_memory_mixin.py +7 -5
- angr/storage/memory_mixins/paged_memory/paged_memory_mixin.py +1 -1
- angr/storage/memory_mixins/paged_memory/pages/cooperation.py +2 -1
- angr/storage/memory_mixins/regioned_memory/abstract_merger_mixin.py +1 -1
- angr/storage/memory_mixins/regioned_memory/region_data.py +3 -1
- angr/storage/memory_mixins/regioned_memory/region_meta_mixin.py +1 -1
- angr/storage/memory_mixins/regioned_memory/regioned_memory_mixin.py +5 -4
- angr/storage/memory_mixins/simple_interface_mixin.py +2 -2
- angr/storage/memory_mixins/size_resolution_mixin.py +3 -1
- angr/storage/memory_mixins/slotted_memory.py +1 -1
- angr/storage/memory_mixins/smart_find_mixin.py +2 -2
- angr/storage/memory_mixins/symbolic_merger_mixin.py +5 -3
- angr/tablespecs.py +3 -3
- {angr-9.2.115.dist-info → angr-9.2.117.dist-info}/METADATA +7 -7
- {angr-9.2.115.dist-info → angr-9.2.117.dist-info}/RECORD +162 -162
- {angr-9.2.115.dist-info → angr-9.2.117.dist-info}/WHEEL +1 -1
- {angr-9.2.115.dist-info → angr-9.2.117.dist-info}/LICENSE +0 -0
- {angr-9.2.115.dist-info → angr-9.2.117.dist-info}/entry_points.txt +0 -0
- {angr-9.2.115.dist-info → angr-9.2.117.dist-info}/top_level.txt +0 -0
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
@@ -13,7 +15,7 @@ class KiUserExceptionDispatcher(angr.SimProcedure):
|
|
|
13
15
|
if self.state.arch.name != "X86":
|
|
14
16
|
raise angr.errors.SimUnsupportedError("KiUserDispatchException is only implemented for X86")
|
|
15
17
|
|
|
16
|
-
self.tib_ptr = self.state.regs._fs.concat(
|
|
18
|
+
self.tib_ptr = self.state.regs._fs.concat(claripy.BVV(0, 16))
|
|
17
19
|
self.top_record = self.state.mem[self.tib_ptr].uint32_t.resolved
|
|
18
20
|
self.cur_ptr = self.top_record
|
|
19
21
|
|
angr/procedures/posix/bzero.py
CHANGED
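--- a/angr/procedures/posix/fdopen.py
+++ b/angr/procedures/posix/fdopen.py
@@ -1,6 +1,8 @@
+import claripy
+from cle.backends.externs.simdata.io_file import io_file_data_for_arch
+
 import angr
 
-from cle.backends.externs.simdata.io_file import io_file_data_for_arch
 
 # Reference for implementation: glibc-2.25/libio/iofdopen.c
 
@@ -65,7 +67,7 @@ class fdopen(angr.SimProcedure):
 file_struct_ptr = self.inline_call(malloc, io_file_data["size"]).ret_expr
 
 # Write the fd
-fd_bvv =
+fd_bvv = claripy.BVV(fd_concr, 4 * 8) # int
 self.state.memory.store(
 file_struct_ptr + io_file_data["fd"], fd_bvv, endness=self.state.arch.memory_endness
 )
@@ -73,5 +75,5 @@ class fdopen(angr.SimProcedure):
 if self.state.solver.is_true(fd_int == fd_concr):
 return file_struct_ptr
 else:
-null =
-return
+null = claripy.BVV(0, self.state.arch.bits)
+return claripy.If(fd_int == fd_concr, file_struct_ptr, null)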
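--- a/angr/procedures/posix/fork.py
+++ b/angr/procedures/posix/fork.py
@@ -1,10 +1,12 @@
+import claripy
+
 import angr
 
 
 class fork(angr.SimProcedure):
 def run(self):
-return
-
-
-
+return claripy.If(
+claripy.BoolS("fork_parent"),
+claripy.BVV(1338, self.arch.sizeof["int"]),
+claripy.BVV(0, self.arch.sizeof["int"]),
 )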
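--- a/angr/procedures/posix/mmap.py
+++ b/angr/procedures/posix/mmap.py
@@ -1,7 +1,10 @@
+import logging
+
+import claripy
+
 import angr
 from ...storage.file import SimFileDescriptor
 
-import logging
 
 l = logging.getLogger(name=__name__)
 
@@ -89,7 +92,7 @@ class mmap(angr.SimProcedure):
 # Sanity check. All mmap must have exactly one of MAP_SHARED or MAP_PRIVATE
 if (flags & MAP_SHARED and flags & MAP_PRIVATE) or flags & (MAP_SHARED | MAP_PRIVATE) == 0:
 l.debug("... = -1 (bad flags)")
-return
+return claripy.BVV(-1, self.state.arch.bits)
 
 # Do region mapping
 while True:
@@ -103,7 +106,7 @@ class mmap(angr.SimProcedure):
 
 if flags & MAP_FIXED:
 l.debug("... = -1 (MAP_FIXED failure)")
-return
+return claripy.BVV(-1, self.state.arch.bits)
 
 # Can't give you that address. Find a different one and loop back around to try again.
 addr = self.allocate_memory(size)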
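--- a/angr/procedures/posix/poll.py
+++ b/angr/procedures/posix/poll.py
@@ -1,6 +1,9 @@
-import angr
 import select
 
+import claripy
+
+import angr
+
 
 class poll(angr.SimProcedure):
 # pylint:disable=arguments-differ
@@ -43,12 +46,10 @@ class poll(angr.SimProcedure):
 raise angr.errors.SimProcedureArgumentError("Can't handle symbolic pollfd arguments") from e
 
 if events & select.POLLIN and fd >= 0:
-revents = pollfd["revents"][self.arch.sizeof["short"] - 1 : 1].concat(
-self.state.solver.BVS("fd_POLLIN", 1)
-)
+revents = pollfd["revents"][self.arch.sizeof["short"] - 1 : 1].concat(claripy.BVS("fd_POLLIN", 1))
 self.state.memory.store(
 fds + offset * size_of_pollfd + offset_revents, revents, endness=self.arch.memory_endness
 )
 
-retval =
+retval = claripy.BVV(0, 1).concat(claripy.BVS("poll_ret", self.state.arch.bits - 1))
 return retval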
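--- a/angr/procedures/posix/readdir.py
+++ b/angr/procedures/posix/readdir.py
@@ -1,7 +1,10 @@
-import
+import logging
 from collections import namedtuple
 
-import
+import claripy
+
+import angr
+
 
 l = logging.getLogger(name=__name__)
 
@@ -23,7 +26,7 @@ class readdir(angr.SimProcedure):
 malloc = angr.SIM_PROCEDURES["libc"]["malloc"]
 pointer = self.inline_call(malloc, 19 + 256).ret_expr
 self._store_amd64(pointer)
-return
+return claripy.If(self.condition, pointer, 0)
 
 def instrument(self):
 """
@@ -36,13 +39,13 @@ class readdir(angr.SimProcedure):
 
 def _build_amd64(self):
 self.struct = Dirent(
-
-
+claripy.BVV(0, 64), # d_ino
+claripy.BVV(0, 64), # d_off
 self.state.solver.BVS("d_reclen", 16, key=("api", "readdir", "d_reclen")), # d_reclen
 self.state.solver.BVS("d_type", 8, key=("api", "readdir", "d_type")), # d_type
 self.state.solver.BVS("d_name", 255 * 8, key=("api", "readdir", "d_name")),
 ) # d_name
-self.condition =
+self.condition = claripy.BoolS("readdir_cond") # TODO: variable key
 
 def _store_amd64(self, ptr):
 def stores(offset, val):
@@ -56,4 +59,4 @@ class readdir(angr.SimProcedure):
 storei(16, self.struct.d_reclen)
 storei(18, self.struct.d_type)
 stores(19, self.struct.d_name)
-stores(19 + 255,
+stores(19 + 255, claripy.BVV(0, 8))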
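--- a/angr/procedures/posix/select.py
+++ b/angr/procedures/posix/select.py
@@ -1,3 +1,5 @@
+import claripy
+
 import angr
 
 
@@ -34,7 +36,7 @@ class select(angr.SimProcedure):
 # set this bit to symbolic
 long_array[long_pos] = (
 long_array[long_pos][arch_bits - 1 : bit_offset + 1]
-.concat(
+.concat(claripy.BVS("fd_state", 1))
 .concat(long_array[long_pos][bit_offset - 1 :])
 )
 
@@ -42,5 +44,5 @@ class select(angr.SimProcedure):
 for offset in range(0, long_array_size):
 self.state.memory.store(readfds + offset * arch_bytes, long_array[offset], endness=self.arch.memory_endness)
 
-retval =
+retval = claripy.BVV(0, 1).concat(claripy.BVS("select_ret", 31))
 return retval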
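--- a/angr/procedures/posix/send.py
+++ b/angr/procedures/posix/send.py
@@ -1,5 +1,6 @@
-import
+import claripy
 
+import angr
 from ...sim_options import ALLOW_SEND_FAILURES
 
 
@@ -14,9 +15,9 @@ class send(angr.SimProcedure):
 send_succeeded = simfd.write(src, length) # if send succeeds
 
 if ALLOW_SEND_FAILURES in self.state.options:
-retval =
+retval = claripy.BVS("send_ret", self.arch.bits)
 send_failed = -1
-self.state.add_constraints(
+self.state.add_constraints(claripy.Or(retval == send_succeeded, retval == send_failed))
 return retval
 else:
 return send_succeeded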
@@ -1,3 +1,5 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
@@ -9,7 +11,7 @@ class strcasecmp(angr.SimProcedure):
|
|
|
9
11
|
|
|
10
12
|
a_strlen = self.inline_call(strlen, a_addr)
|
|
11
13
|
b_strlen = self.inline_call(strlen, b_addr)
|
|
12
|
-
maxlen =
|
|
14
|
+
maxlen = claripy.BVV(max(a_strlen.max_null_index, b_strlen.max_null_index), self.state.arch.bits)
|
|
13
15
|
|
|
14
16
|
strncmp = self.inline_call(
|
|
15
17
|
angr.SIM_PROCEDURES["libc"]["strncmp"],
|
|
@@ -1,6 +1,9 @@
|
|
|
1
|
+
import logging
|
|
2
|
+
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
1
5
|
import angr
|
|
2
6
|
|
|
3
|
-
import logging
|
|
4
7
|
|
|
5
8
|
l = logging.getLogger(name=__name__)
|
|
6
9
|
|
|
@@ -12,10 +15,10 @@ class strtok_r(angr.SimProcedure):
|
|
|
12
15
|
if self.state.libc.simple_strtok:
|
|
13
16
|
malloc = angr.SIM_PROCEDURES["libc"]["malloc"]
|
|
14
17
|
token_ptr = self.inline_call(malloc, self.state.libc.strtok_token_size).ret_expr
|
|
15
|
-
r =
|
|
18
|
+
r = claripy.If(
|
|
16
19
|
self.state.solver.Unconstrained("strtok_case", self.state.arch.bits) == 0,
|
|
17
20
|
token_ptr,
|
|
18
|
-
|
|
21
|
+
claripy.BVV(0, self.state.arch.bits),
|
|
19
22
|
)
|
|
20
23
|
self.state.libc.strtok_heap.append(token_ptr)
|
|
21
24
|
return r
|
|
@@ -29,7 +32,7 @@ class strtok_r(angr.SimProcedure):
|
|
|
29
32
|
saved_str_ptr = self.state.memory.load(
|
|
30
33
|
save_ptr, self.state.arch.bytes, endness=self.state.arch.memory_endness
|
|
31
34
|
)
|
|
32
|
-
start_ptr =
|
|
35
|
+
start_ptr = claripy.If(str_ptr == 0, saved_str_ptr, str_ptr)
|
|
33
36
|
|
|
34
37
|
l.debug("... getting the lengths")
|
|
35
38
|
str_strlen = self.inline_call(strlen, start_ptr) if str_strlen is None else str_strlen
|
|
@@ -40,8 +43,8 @@ class strtok_r(angr.SimProcedure):
|
|
|
40
43
|
where = self.inline_call(
|
|
41
44
|
strstr, start_ptr, delim_ptr, haystack_strlen=str_strlen, needle_strlen=delim_strlen
|
|
42
45
|
)
|
|
43
|
-
write_length =
|
|
44
|
-
write_content =
|
|
46
|
+
write_length = claripy.If(where.ret_expr != 0, delim_strlen.ret_expr, 0)
|
|
47
|
+
write_content = claripy.BVV(0, delim_strlen.max_null_index * 8)
|
|
45
48
|
|
|
46
49
|
# do a symbolic write (we increment the limit because of the possibility that the write target is 0,
|
|
47
50
|
# in which case the length will be 0, anyways)
|
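Review bot: `write_content = claripy.BVV(0, delim_strlen.max_null_index * 8)` is built unconditionally, so if `max_null_index` can be 0 (an empty delimiter string is legal input to `strtok_r`) this asks claripy for a zero-width bitvector, which it rejects — I cannot see from the hunk whether `strlen` ever reports 0 here, so treat this as something to confirm. The comment two lines below already reasons about the zero-length case for `write_length`, so either the same reasoning covers `write_content` and deserves a word there, or the store needs a guard such as `if delim_strlen.max_null_index:` around it. The enclosing `run` starts before this hunk.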
|
@@ -56,7 +59,7 @@ class strtok_r(angr.SimProcedure):
|
|
|
56
59
|
|
|
57
60
|
l.debug("... creating the return address")
|
|
58
61
|
new_start = write_length + where.ret_expr
|
|
59
|
-
new_state =
|
|
62
|
+
new_state = claripy.If(new_start != 0, new_start, start_ptr)
|
|
60
63
|
|
|
61
64
|
l.debug("... saving the state")
|
|
62
65
|
self.state.memory.store(save_ptr, new_state, endness=self.state.arch.memory_endness)
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
@@ -12,4 +14,4 @@ class Redirect(angr.SimProcedure):
|
|
|
12
14
|
|
|
13
15
|
self._custom_name = "Redirect to 0x%08x" % redirect_to
|
|
14
16
|
# There is definitely no refs
|
|
15
|
-
self.add_successor(self.state, redirect_to,
|
|
17
|
+
self.add_successor(self.state, redirect_to, claripy.true, "Ijk_Boring")
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
4
6
|
class ReturnChar(angr.SimProcedure):
|
|
5
7
|
def run(self):
|
|
6
8
|
s_var = self.state.solver.Unconstrained("char_ret", self.state.arch.bits, key=("api", "?", self.display_name))
|
|
7
|
-
self.state.add_constraints(
|
|
8
|
-
self.state.solver.And(self.state.solver.ULE(s_var, 126), self.state.solver.UGE(s_var, 9))
|
|
9
|
-
)
|
|
9
|
+
self.state.add_constraints(claripy.And(claripy.ULE(s_var, 126), claripy.UGE(s_var, 9)))
|
|
10
10
|
return s_var
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
@@ -9,7 +11,7 @@ class UserHook(angr.SimProcedure):
|
|
|
9
11
|
result = user_func(self.state)
|
|
10
12
|
if result is None:
|
|
11
13
|
jumpkind = "Ijk_NoHook" if length == 0 else "Ijk_Boring"
|
|
12
|
-
self.successors.add_successor(self.state, self.state.addr + length,
|
|
14
|
+
self.successors.add_successor(self.state, self.state.addr + length, claripy.true, jumpkind)
|
|
13
15
|
else:
|
|
14
16
|
for state in result:
|
|
15
17
|
self.successors.add_successor(state, state.addr, state.scratch.guard, state.history.jumpkind)
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
@@ -8,5 +10,5 @@ class b64_decode(angr.SimProcedure):
|
|
|
8
10
|
strncpy = angr.SIM_PROCEDURES["libc"]["strncpy"]
|
|
9
11
|
|
|
10
12
|
cpy = self.inline_call(strncpy, dst, src, length)
|
|
11
|
-
self.state.memory.store(dst + 16,
|
|
13
|
+
self.state.memory.store(dst + 16, claripy.BVV(0, 8))
|
|
12
14
|
return cpy.ret_expr
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
@@ -8,10 +10,10 @@ class crazy_scanf(angr.SimProcedure):
|
|
|
8
10
|
memcpy = angr.SIM_PROCEDURES["libc"]["memcpy"]
|
|
9
11
|
|
|
10
12
|
self.inline_call(memcpy, one, src, 5)
|
|
11
|
-
self.state.memory.store(one + 4,
|
|
13
|
+
self.state.memory.store(one + 4, claripy.BVV(0, 8))
|
|
12
14
|
self.inline_call(memcpy, two, src + 6, 8192)
|
|
13
|
-
self.state.memory.store(two + 8191,
|
|
15
|
+
self.state.memory.store(two + 8191, claripy.BVV(0, 8))
|
|
14
16
|
self.inline_call(memcpy, three, src + 6 + 8193, 12)
|
|
15
|
-
self.state.memory.store(three + 11,
|
|
17
|
+
self.state.memory.store(three + 11, claripy.BVV(0, 8))
|
|
16
18
|
|
|
17
|
-
return
|
|
19
|
+
return claripy.BVV(3)
|
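Review bot: `return claripy.BVV(3)` on the last line of the hunk passes no width; claripy's `BVV` requires a size when given an integer and raises a `TypeError` otherwise, so this stub fails on its return path every time it runs to completion. Give the value the width of a C `int`, as fork.py does elsewhere in this release: `return claripy.BVV(3, self.arch.sizeof["int"])`. The rendering truncates the removed line, so the original width is not visible here; confirm against the previous release if one was intended. The enclosing `run` starts before this hunk.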
|
@@ -4,6 +4,7 @@ import logging
|
|
|
4
4
|
import math
|
|
5
5
|
import claripy
|
|
6
6
|
|
|
7
|
+
from angr.errors import SimProcedureArgumentError, SimProcedureError, SimSolverError
|
|
7
8
|
from ... import sim_type
|
|
8
9
|
from ...sim_procedure import SimProcedure
|
|
9
10
|
from ...storage.file import SimPackets
|
|
@@ -70,7 +71,7 @@ class FormatString:
|
|
|
70
71
|
for component in self.components:
|
|
71
72
|
# if this is just concrete data
|
|
72
73
|
if isinstance(component, bytes):
|
|
73
|
-
string = self._add_to_string(string,
|
|
74
|
+
string = self._add_to_string(string, claripy.BVV(component))
|
|
74
75
|
elif isinstance(component, str):
|
|
75
76
|
raise Exception("this branch should be impossible?")
|
|
76
77
|
elif isinstance(component, claripy.ast.BV): # pylint:disable=isinstance-second-argument-not-valid-type
|
|
@@ -113,7 +114,7 @@ class FormatString:
|
|
|
113
114
|
if isinstance(fmt_spec.length_spec, int):
|
|
114
115
|
s_val = s_val.rjust(fmt_spec.length_spec, fmt_spec.pad_chr)
|
|
115
116
|
|
|
116
|
-
string = self._add_to_string(string,
|
|
117
|
+
string = self._add_to_string(string, claripy.BVV(s_val.encode()))
|
|
117
118
|
|
|
118
119
|
return string
|
|
119
120
|
|
|
@@ -182,9 +183,9 @@ class FormatString:
|
|
|
182
183
|
# constrain target variable range explicitly if it can't take on all possible values
|
|
183
184
|
if not_enough_bits:
|
|
184
185
|
self.state.add_constraints(
|
|
185
|
-
|
|
186
|
-
|
|
187
|
-
|
|
186
|
+
claripy.And(
|
|
187
|
+
claripy.SLE(target_variable, (base**digits) - 1),
|
|
188
|
+
claripy.SGE(target_variable, -(base ** (digits - 1) - 1)),
|
|
188
189
|
)
|
|
189
190
|
)
|
|
190
191
|
|
|
@@ -229,7 +230,7 @@ class FormatString:
|
|
|
229
230
|
region = self.parser.state.memory
|
|
230
231
|
|
|
231
232
|
bits = self.parser.state.arch.bits
|
|
232
|
-
failed =
|
|
233
|
+
failed = claripy.BVV(0, 32)
|
|
233
234
|
position = addr
|
|
234
235
|
for component in self.components:
|
|
235
236
|
if isinstance(component, bytes):
|
|
@@ -255,10 +256,10 @@ class FormatString:
|
|
|
255
256
|
# TODO: look for limits on other characters which scanf is sensitive to, '\x00', '\x20'
|
|
256
257
|
result, _, _ = region.find(
|
|
257
258
|
position,
|
|
258
|
-
|
|
259
|
+
claripy.BVV(b"\n"),
|
|
259
260
|
max_str_len,
|
|
260
261
|
max_symbolic_bytes=max_sym_bytes,
|
|
261
|
-
default=
|
|
262
|
+
default=claripy.BVV(position + max_str_len, 64),
|
|
262
263
|
)
|
|
263
264
|
|
|
264
265
|
# concretize the length
|
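Review bot: `default=claripy.BVV(position + max_str_len, 64)` fixes the fallback address at 64 bits, while `bits = self.parser.state.arch.bits` is assigned a few lines earlier in the previous hunk (`@@ -229,7 +230,7 @@`) and does not appear to be used anywhere in the shown lines; on a 32-bit target the default no longer matches the width of `position`. Use the computed width instead: `default=claripy.BVV(position + max_str_len, bits)`. The enclosing method starts before this hunk, so `bits` may be consumed further down; if it is, the literal 64 here is still the inconsistent one.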
|
@@ -268,14 +269,14 @@ class FormatString:
|
|
|
268
269
|
# TODO all of these should be delimiters we search for above
|
|
269
270
|
# add that the contents of the string cannot be any scanf %s string delimiters
|
|
270
271
|
for delimiter in set(FormatString.SCANF_DELIMITERS):
|
|
271
|
-
delim_bvv =
|
|
272
|
+
delim_bvv = claripy.BVV(delimiter)
|
|
272
273
|
for i in range(length):
|
|
273
274
|
self.parser.state.add_constraints(region.load(position + i, 1) != delim_bvv)
|
|
274
275
|
|
|
275
276
|
# write it out to the pointer
|
|
276
277
|
self.parser.state.memory.store(dest, src_str)
|
|
277
278
|
# store the terminating null byte
|
|
278
|
-
self.parser.state.memory.store(dest + length,
|
|
279
|
+
self.parser.state.memory.store(dest + length, claripy.BVV(0, 8))
|
|
279
280
|
|
|
280
281
|
position += length
|
|
281
282
|
|
|
@@ -287,7 +288,7 @@ class FormatString:
|
|
|
287
288
|
position, region, base=base, read_length=fmt_spec.length_spec
|
|
288
289
|
)
|
|
289
290
|
# increase failed count if we were unable to parse it
|
|
290
|
-
failed =
|
|
291
|
+
failed = claripy.If(status, failed, failed + 1)
|
|
291
292
|
position += num_bytes
|
|
292
293
|
elif fmt_spec.spec_type == b"c":
|
|
293
294
|
i = region.load(position, 1)
|
|
@@ -296,7 +297,7 @@ class FormatString:
|
|
|
296
297
|
else:
|
|
297
298
|
raise SimProcedureError("unsupported format spec '%s' in interpret" % fmt_spec.spec_type)
|
|
298
299
|
|
|
299
|
-
i =
|
|
300
|
+
i = claripy.Extract(fmt_spec.size * 8 - 1, 0, i)
|
|
300
301
|
self.parser.state.memory.store(
|
|
301
302
|
dest, i, size=fmt_spec.size, endness=self.parser.state.arch.memory_endness
|
|
302
303
|
)
|
|
@@ -670,6 +671,3 @@ class ScanfFormatParser(FormatParser):
|
|
|
670
671
|
FormatParser._MOD_SPEC = mod_spec
|
|
671
672
|
|
|
672
673
|
return FormatParser._MOD_SPEC
|
|
673
|
-
|
|
674
|
-
|
|
675
|
-
from angr.errors import SimProcedureArgumentError, SimProcedureError, SimSolverError
|
|
@@ -1,5 +1,7 @@
|
|
|
1
1
|
import logging
|
|
2
2
|
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
3
5
|
from ..cgc.receive import receive as orig_receive
|
|
4
6
|
|
|
5
7
|
|
|
@@ -16,6 +18,6 @@ class receive(orig_receive):
|
|
|
16
18
|
if len(self.state.solver.eval_upto(fd, 2)) < 2:
|
|
17
19
|
if self.state.solver.eval(fd) == 1:
|
|
18
20
|
l.debug("Fixed receive call's fd.")
|
|
19
|
-
fd =
|
|
21
|
+
fd = claripy.BVV(0, self.state.arch.bits)
|
|
20
22
|
|
|
21
23
|
return super().run(fd, buf, count, rx_bytes)
|
|
@@ -1,5 +1,7 @@
|
|
|
1
1
|
import logging
|
|
2
2
|
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
3
5
|
from ..cgc.transmit import transmit as orig_transmit
|
|
4
6
|
|
|
5
7
|
|
|
@@ -16,7 +18,7 @@ class transmit(orig_transmit):
|
|
|
16
18
|
if len(self.state.solver.eval_upto(fd, 2)) < 2:
|
|
17
19
|
if self.state.solver.eval(fd) == 0:
|
|
18
20
|
l.debug("Fixed transmit's call fd.")
|
|
19
|
-
fd =
|
|
21
|
+
fd = claripy.BVV(1, self.state.arch.bits)
|
|
20
22
|
|
|
21
23
|
if self.state.has_plugin("zen_plugin"):
|
|
22
24
|
self.state.get_plugin("zen_plugin").analyze_transmit(self.state, buf)
|
|
@@ -1,5 +1,7 @@
|
|
|
1
1
|
import logging
|
|
2
2
|
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
3
5
|
import angr
|
|
4
6
|
|
|
5
7
|
|
|
@@ -33,5 +35,5 @@ class GetLastInputInfo(angr.SimProcedure):
|
|
|
33
35
|
self.dwTime = self.state.solver.BVS("tagLASTINPUTINFO_dwTime", 32, key=("api", "tagLASTINPUTINFO_dwTime"))
|
|
34
36
|
|
|
35
37
|
def fill_concrete(self):
|
|
36
|
-
self.cbSize =
|
|
37
|
-
self.dwTime =
|
|
38
|
+
self.cbSize = claripy.BVV(3, 32)
|
|
39
|
+
self.dwTime = claripy.BVV(3, 32)
|
|
@@ -1,5 +1,7 @@
|
|
|
1
1
|
import logging
|
|
2
2
|
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
3
5
|
import angr
|
|
4
6
|
|
|
5
7
|
|
|
@@ -30,5 +32,5 @@ class GetProcessAffinityMask(angr.SimProcedure):
|
|
|
30
32
|
self.saffinity_mask = self.state.solver.BVS("lpSystemAffinityMask", 32, key=("api", "lpSystemAffinityMask"))
|
|
31
33
|
|
|
32
34
|
def fill_concrete(self):
|
|
33
|
-
self.paffinity_mask =
|
|
34
|
-
self.saffinity_mask =
|
|
35
|
+
self.paffinity_mask = claripy.BVV(3, 32)
|
|
36
|
+
self.saffinity_mask = claripy.BVV(3, 32)
|
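--- a/angr/procedures/win32/heap.py
+++ b/angr/procedures/win32/heap.py
@@ -1,3 +1,5 @@
+import claripy
+
 import angr
 
 
@@ -22,7 +24,7 @@ class HeapAlloc(angr.SimProcedure):
 data_size = self.state.solver.eval_one(self.state.heap.chunk_from_mem(addr).get_data_size())
 else:
 data_size = self.state.heap._conc_alloc_size(Size)
-data =
+data = claripy.BVV(0, data_size * 8)
 self.state.memory.store(addr, data, size=data_size, condition=Flags & 8 == 8)
 return addr
 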
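Review bot: `data = claripy.BVV(0, data_size * 8)` is created before the conditional store regardless of the flags, so a zero-byte request (legal for `HeapAlloc`) produces a zero-width bitvector, which claripy rejects — unless `_conc_alloc_size` or `get_data_size` already rounds sizes up, which I cannot see from this hunk. If they do not, build and store only when there is something to zero: `if data_size:` around the two lines, or document the minimum size the heap plugin guarantees in a comment on the `data_size` line. `HeapAlloc.run` starts before this hunk.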
@@ -1,3 +1,5 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
@@ -19,7 +21,7 @@ class TlsAlloc(angr.SimProcedure):
|
|
|
19
21
|
def run(self):
|
|
20
22
|
d = mutate_dict(self.state, self.KEY)
|
|
21
23
|
new_key = len(d) + 1
|
|
22
|
-
d[new_key] =
|
|
24
|
+
d[new_key] = claripy.BVV(0, self.state.arch.bits)
|
|
23
25
|
return new_key
|
|
24
26
|
|
|
25
27
|
|
|
@@ -59,7 +61,7 @@ class TlsFree(angr.SimProcedure):
|
|
|
59
61
|
SETTER = TlsSetValue
|
|
60
62
|
|
|
61
63
|
def run(self, index):
|
|
62
|
-
set_val = self.inline_call(self.SETTER, index,
|
|
64
|
+
set_val = self.inline_call(self.SETTER, index, claripy.BVV(0, self.state.arch.bits))
|
|
63
65
|
return set_val.ret_expr
|
|
64
66
|
|
|
65
67
|
|
|
@@ -1,7 +1,10 @@
|
|
|
1
|
-
import angr
|
|
2
1
|
import datetime
|
|
3
2
|
import time
|
|
4
3
|
|
|
4
|
+
import claripy
|
|
5
|
+
|
|
6
|
+
import angr
|
|
7
|
+
|
|
5
8
|
|
|
6
9
|
class GetSystemTimeAsFileTime(angr.SimProcedure):
|
|
7
10
|
timestamp = None
|
|
@@ -110,7 +113,7 @@ class QueryPerformanceCounter(angr.SimProcedure):
|
|
|
110
113
|
val = int(time.clock() * 1000000) + 12345678
|
|
111
114
|
self.state.mem[ptr].qword = val
|
|
112
115
|
else:
|
|
113
|
-
self.state.mem[ptr].qword =
|
|
116
|
+
self.state.mem[ptr].qword = claripy.BVS(
|
|
114
117
|
"QueryPerformanceCounter_result", 64, key=("api", "QueryPerformanceCounter")
|
|
115
118
|
)
|
|
116
119
|
return 1
|
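Review bot: `claripy.BVS("QueryPerformanceCounter_result", 64, key=("api", "QueryPerformanceCounter"))` hands `key=` to claripy, but `key` is a parameter of the state's solver plugin (`self.state.solver.BVS`, which the unchanged `GetLastInputInfo` and `GetProcessAffinityMask` lines in this release still use), not of `claripy.BVS`; depending on the claripy version it is either rejected as an unexpected keyword or silently dropped, and either way the variable is no longer registered under that key. The same applies to `GetTickCount_result` in the next hunk and `GetTickCount64_result` in the one after it. Keep these three on `self.state.solver.BVS(name, size, key=...)`, or drop the `key=` if registration is not wanted. Separately, the `USE_SYSTEM_TIMES` branch on the context line above still calls `time.clock()`, which was removed in Python 3.8; that predates this change but makes the branch unreachable without an exception on current interpreters. `QueryPerformanceCounter.run` starts before this hunk.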
|
@@ -121,7 +124,7 @@ class GetTickCount(angr.SimProcedure):
|
|
|
121
124
|
if angr.options.USE_SYSTEM_TIMES in self.state.options:
|
|
122
125
|
return int(time.clock() * 1000) + 12345
|
|
123
126
|
else:
|
|
124
|
-
val =
|
|
127
|
+
val = claripy.BVS("GetTickCount_result", 32, key=("api", "GetTickCount"))
|
|
125
128
|
return val
|
|
126
129
|
|
|
127
130
|
|
|
@@ -132,4 +135,4 @@ class GetTickCount64(angr.SimProcedure):
|
|
|
132
135
|
if angr.options.USE_SYSTEM_TIMES in self.state.options:
|
|
133
136
|
return int(time.clock() * 1000) + 12345
|
|
134
137
|
else:
|
|
135
|
-
return
|
|
138
|
+
return claripy.BVS("GetTickCount64_result", 64, key=("api", "GetTickCount64"))
|
|
@@ -1,12 +1,14 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
4
6
|
# these are NOT suitable for multibyte characters
|
|
5
7
|
class CharNextA(angr.SimProcedure):
|
|
6
8
|
def run(self, ptr):
|
|
7
|
-
return
|
|
9
|
+
return claripy.If(self.state.mem[ptr].uint8_t.resolved == 0, ptr, ptr + 1)
|
|
8
10
|
|
|
9
11
|
|
|
10
12
|
class CharPrevA(angr.SimProcedure):
|
|
11
13
|
def run(self, start, ptr):
|
|
12
|
-
return
|
|
14
|
+
return claripy.If(start == ptr, start, ptr - 1)
|