angr 9.2.116__py3-none-manylinux2014_aarch64.whl → 9.2.117__py3-none-manylinux2014_aarch64.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of angr might be problematic. Click here for more details.
- angr/__init__.py +1 -1
- angr/analyses/cfg/cfg_emulated.py +4 -4
- angr/analyses/cfg/indirect_jump_resolvers/jumptable.py +7 -7
- angr/analyses/cfg/indirect_jump_resolvers/mips_elf_fast.py +3 -2
- angr/analyses/identifier/functions/free.py +3 -1
- angr/analyses/identifier/identify.py +13 -15
- angr/analyses/identifier/runner.py +2 -2
- angr/analyses/vfg.py +4 -4
- angr/calling_conventions.py +4 -2
- angr/concretization_strategies/any_named.py +3 -1
- angr/concretization_strategies/controlled_data.py +4 -2
- angr/concretization_strategies/signed_add.py +3 -1
- angr/engines/concrete.py +3 -1
- angr/engines/pcode/behavior.py +2 -0
- angr/engines/pcode/emulate.py +4 -4
- angr/engines/pcode/engine.py +3 -7
- angr/engines/soot/engine.py +7 -6
- angr/engines/soot/expressions/constants.py +6 -5
- angr/engines/soot/expressions/newArray.py +3 -1
- angr/engines/soot/expressions/newMultiArray.py +3 -1
- angr/engines/soot/statements/goto.py +3 -1
- angr/engines/soot/statements/if_.py +3 -1
- angr/engines/soot/statements/switch.py +3 -1
- angr/engines/soot/statements/throw.py +4 -2
- angr/engines/soot/values/arrayref.py +5 -5
- angr/engines/unicorn.py +8 -7
- angr/engines/vex/heavy/concretizers.py +6 -6
- angr/engines/vex/heavy/dirty.py +20 -22
- angr/engines/vex/heavy/heavy.py +4 -8
- angr/exploration_techniques/director.py +1 -1
- angr/exploration_techniques/driller_core.py +3 -1
- angr/exploration_techniques/tracer.py +2 -1
- angr/procedures/cgc/allocate.py +8 -10
- angr/procedures/cgc/deallocate.py +10 -3
- angr/procedures/cgc/fdwait.py +15 -13
- angr/procedures/cgc/random.py +11 -5
- angr/procedures/cgc/receive.py +5 -3
- angr/procedures/cgc/transmit.py +5 -4
- angr/procedures/glibc/__libc_start_main.py +5 -4
- angr/procedures/java_jni/__init__.py +4 -4
- angr/procedures/java_jni/array_operations.py +3 -1
- angr/procedures/java_lang/string.py +1 -1
- angr/procedures/java_util/random.py +3 -1
- angr/procedures/libc/access.py +4 -2
- angr/procedures/libc/feof.py +4 -3
- angr/procedures/libc/fgetc.py +3 -1
- angr/procedures/libc/fgets.py +5 -5
- angr/procedures/libc/fopen.py +5 -4
- angr/procedures/libc/fread.py +4 -3
- angr/procedures/libc/fseek.py +4 -3
- angr/procedures/libc/getdelim.py +7 -4
- angr/procedures/libc/gets.py +4 -2
- angr/procedures/libc/memcmp.py +18 -15
- angr/procedures/libc/memset.py +9 -7
- angr/procedures/libc/puts.py +3 -1
- angr/procedures/libc/snprintf.py +4 -2
- angr/procedures/libc/sprintf.py +3 -1
- angr/procedures/libc/strchr.py +6 -3
- angr/procedures/libc/strcmp.py +5 -3
- angr/procedures/libc/strlen.py +3 -3
- angr/procedures/libc/strncmp.py +28 -28
- angr/procedures/libc/strncpy.py +5 -2
- angr/procedures/libc/strstr.py +10 -7
- angr/procedures/libc/strtol.py +32 -34
- angr/procedures/libc/tolower.py +3 -1
- angr/procedures/libc/toupper.py +3 -1
- angr/procedures/linux_kernel/fstat.py +13 -13
- angr/procedures/linux_kernel/fstat64.py +15 -15
- angr/procedures/linux_kernel/lseek.py +5 -3
- angr/procedures/linux_kernel/sigaction.py +4 -2
- angr/procedures/linux_kernel/sigprocmask.py +5 -3
- angr/procedures/linux_kernel/tgkill.py +3 -1
- angr/procedures/linux_kernel/time.py +7 -4
- angr/procedures/msvcr/fmode.py +3 -1
- angr/procedures/ntdll/exceptions.py +3 -1
- angr/procedures/posix/bzero.py +3 -1
- angr/procedures/posix/fdopen.py +6 -4
- angr/procedures/posix/fork.py +6 -4
- angr/procedures/posix/mmap.py +6 -3
- angr/procedures/posix/poll.py +6 -5
- angr/procedures/posix/readdir.py +10 -7
- angr/procedures/posix/select.py +4 -2
- angr/procedures/posix/send.py +4 -3
- angr/procedures/posix/sigaction.py +4 -2
- angr/procedures/posix/sim_time.py +3 -1
- angr/procedures/posix/strcasecmp.py +3 -1
- angr/procedures/posix/strtok_r.py +10 -7
- angr/procedures/stubs/Redirect.py +3 -1
- angr/procedures/stubs/ReturnChar.py +3 -3
- angr/procedures/stubs/UserHook.py +3 -1
- angr/procedures/stubs/b64_decode.py +3 -1
- angr/procedures/stubs/crazy_scanf.py +6 -4
- angr/procedures/stubs/format_parser.py +13 -15
- angr/procedures/tracer/receive.py +3 -1
- angr/procedures/tracer/transmit.py +3 -1
- angr/procedures/win32/GetLastInputInfo.py +4 -2
- angr/procedures/win32/GetProcessAffinityMask.py +4 -2
- angr/procedures/win32/gethostbyname.py +3 -1
- angr/procedures/win32/heap.py +3 -1
- angr/procedures/win32/local_storage.py +4 -2
- angr/procedures/win32/sim_time.py +7 -4
- angr/procedures/win_user32/chars.py +4 -2
- angr/procedures/win_user32/messagebox.py +3 -1
- angr/sim_procedure.py +7 -7
- angr/sim_state.py +10 -7
- angr/sim_type.py +3 -3
- angr/simos/cgc.py +2 -2
- angr/simos/simos.py +5 -4
- angr/simos/windows.py +5 -5
- angr/state_plugins/heap/heap_brk.py +5 -3
- angr/state_plugins/heap/heap_ptmalloc.py +5 -4
- angr/state_plugins/history.py +7 -5
- angr/state_plugins/light_registers.py +2 -2
- angr/state_plugins/plugin.py +2 -2
- angr/state_plugins/posix.py +28 -26
- angr/state_plugins/preconstrainer.py +2 -1
- angr/state_plugins/solver.py +11 -27
- angr/state_plugins/trace_additions.py +9 -13
- angr/state_plugins/uc_manager.py +4 -2
- angr/state_plugins/unicorn_engine.py +1 -1
- angr/state_plugins/view.py +1 -1
- angr/storage/file.py +21 -26
- angr/storage/memory_mixins/actions_mixin.py +4 -2
- angr/storage/memory_mixins/address_concretization_mixin.py +3 -3
- angr/storage/memory_mixins/default_filler_mixin.py +6 -4
- angr/storage/memory_mixins/javavm_memory/javavm_memory_mixin.py +7 -5
- angr/storage/memory_mixins/paged_memory/paged_memory_mixin.py +1 -1
- angr/storage/memory_mixins/regioned_memory/abstract_merger_mixin.py +1 -1
- angr/storage/memory_mixins/regioned_memory/region_data.py +3 -1
- angr/storage/memory_mixins/regioned_memory/region_meta_mixin.py +1 -1
- angr/storage/memory_mixins/regioned_memory/regioned_memory_mixin.py +5 -4
- angr/storage/memory_mixins/simple_interface_mixin.py +2 -2
- angr/storage/memory_mixins/size_resolution_mixin.py +3 -1
- angr/storage/memory_mixins/slotted_memory.py +1 -1
- angr/storage/memory_mixins/smart_find_mixin.py +2 -2
- angr/storage/memory_mixins/symbolic_merger_mixin.py +5 -3
- angr/tablespecs.py +3 -3
- {angr-9.2.116.dist-info → angr-9.2.117.dist-info}/METADATA +6 -6
- {angr-9.2.116.dist-info → angr-9.2.117.dist-info}/RECORD +143 -143
- {angr-9.2.116.dist-info → angr-9.2.117.dist-info}/WHEEL +1 -1
- {angr-9.2.116.dist-info → angr-9.2.117.dist-info}/LICENSE +0 -0
- {angr-9.2.116.dist-info → angr-9.2.117.dist-info}/entry_points.txt +0 -0
- {angr-9.2.116.dist-info → angr-9.2.117.dist-info}/top_level.txt +0 -0
angr/procedures/libc/strstr.py
CHANGED
|
@@ -1,7 +1,10 @@
|
|
|
1
|
+
import logging
|
|
2
|
+
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
1
5
|
import angr
|
|
2
6
|
from angr.sim_options import MEMORY_CHUNK_INDIVIDUAL_READS
|
|
3
7
|
|
|
4
|
-
import logging
|
|
5
8
|
|
|
6
9
|
l = logging.getLogger(name=__name__)
|
|
7
10
|
|
|
@@ -27,7 +30,7 @@ class strstr(angr.SimProcedure):
|
|
|
27
30
|
return haystack_addr
|
|
28
31
|
elif haystack_maxlen == 0:
|
|
29
32
|
l.debug("... zero-length haystack.")
|
|
30
|
-
return
|
|
33
|
+
return claripy.BVV(0, self.state.arch.bits)
|
|
31
34
|
|
|
32
35
|
if self.state.solver.symbolic(needle_strlen.ret_expr):
|
|
33
36
|
cases = [[needle_strlen.ret_expr == 0, haystack_addr]]
|
|
@@ -49,9 +52,9 @@ class strstr(angr.SimProcedure):
|
|
|
49
52
|
b_len=needle_strlen,
|
|
50
53
|
)
|
|
51
54
|
|
|
52
|
-
c =
|
|
55
|
+
c = claripy.And(
|
|
53
56
|
*(
|
|
54
|
-
[
|
|
57
|
+
[claripy.UGE(haystack_strlen.ret_expr, needle_strlen.ret_expr), cmp_res.ret_expr == 0]
|
|
55
58
|
+ not_terminated_yet_constraints
|
|
56
59
|
+ exclusions
|
|
57
60
|
)
|
|
@@ -69,10 +72,10 @@ class strstr(angr.SimProcedure):
|
|
|
69
72
|
l.debug("... exhausted remaining symbolic checks.")
|
|
70
73
|
break
|
|
71
74
|
|
|
72
|
-
cases.append([
|
|
75
|
+
cases.append([claripy.And(*exclusions), claripy.BVV(0, self.state.arch.bits)])
|
|
73
76
|
l.debug("... created %d cases", len(cases))
|
|
74
|
-
r =
|
|
75
|
-
c = [
|
|
77
|
+
r = claripy.ite_cases(cases, 0)
|
|
78
|
+
c = [claripy.Or(*[c for c, _ in cases])]
|
|
76
79
|
else:
|
|
77
80
|
needle_length = self.state.solver.eval(needle_strlen.ret_expr)
|
|
78
81
|
needle_str = self.state.memory.load(needle_addr, needle_length)
|
angr/procedures/libc/strtol.py
CHANGED
|
@@ -49,9 +49,9 @@ class strtol(angr.SimProcedure):
|
|
|
49
49
|
possible_num_bytes.append(num_bytes)
|
|
50
50
|
|
|
51
51
|
# only one of the cases needed to match
|
|
52
|
-
result =
|
|
53
|
-
expression =
|
|
54
|
-
num_bytes =
|
|
52
|
+
result = claripy.ite_cases(cases[:-1], cases[-1][1])
|
|
53
|
+
expression = claripy.Or(*conditions)
|
|
54
|
+
num_bytes = claripy.ite_cases(zip(conditions, possible_num_bytes), 0)
|
|
55
55
|
return expression, result, num_bytes
|
|
56
56
|
|
|
57
57
|
@staticmethod
|
|
@@ -66,12 +66,12 @@ class strtol(angr.SimProcedure):
|
|
|
66
66
|
# the prefix must match
|
|
67
67
|
if len(prefix) > 0:
|
|
68
68
|
loaded_prefix = region.load(addr, length)
|
|
69
|
-
condition =
|
|
69
|
+
condition = claripy.And(loaded_prefix == claripy.BVV(prefix), condition)
|
|
70
70
|
total_num_bytes = num_bytes + length
|
|
71
71
|
|
|
72
72
|
# negatives
|
|
73
73
|
if prefix.startswith(b"-"):
|
|
74
|
-
value =
|
|
74
|
+
value = claripy.BVV(0, state.arch.bits) - value
|
|
75
75
|
return condition, value, total_num_bytes
|
|
76
76
|
|
|
77
77
|
@staticmethod
|
|
@@ -92,8 +92,8 @@ class strtol(angr.SimProcedure):
|
|
|
92
92
|
|
|
93
93
|
# to detect overflows we keep it in a larger bv and extract it at the end
|
|
94
94
|
num_bits = min(state.arch.bits * 2, 128)
|
|
95
|
-
current_val =
|
|
96
|
-
num_bytes =
|
|
95
|
+
current_val = claripy.BVV(0, num_bits)
|
|
96
|
+
num_bytes = claripy.BVS("num_bytes", state.arch.bits)
|
|
97
97
|
# constarints_num_bytes: a series of constraints of the form:
|
|
98
98
|
# AND(<constraint on the string guaranteeing that the number of digits is n>, num_bytes == n)
|
|
99
99
|
# these will be combined via OR and added to the state together num_bytes and the string
|
|
@@ -115,8 +115,8 @@ class strtol(angr.SimProcedure):
|
|
|
115
115
|
# identify the constraints necessary to set num_bytes to the current value
|
|
116
116
|
# the current char (i.e. the terminator if this is satisfied) should not be a char,
|
|
117
117
|
# so `condition` should be false, plus all the previous conditions should be satisfied
|
|
118
|
-
case_constraints = conditions + [
|
|
119
|
-
constraints_num_bytes.append(
|
|
118
|
+
case_constraints = conditions + [claripy.Not(condition), num_bytes == i]
|
|
119
|
+
constraints_num_bytes.append(claripy.And(*case_constraints))
|
|
120
120
|
|
|
121
121
|
# break the loop early if no value past this is viable
|
|
122
122
|
if condition.is_false():
|
|
@@ -136,13 +136,13 @@ class strtol(angr.SimProcedure):
|
|
|
136
136
|
# a digit in order for this case to generate correct models
|
|
137
137
|
char = region.load(s + length, 1)
|
|
138
138
|
condition, _ = strtol._char_to_val(char, base)
|
|
139
|
-
case_constraints.append(
|
|
140
|
-
constraints_num_bytes.append(
|
|
139
|
+
case_constraints.append(claripy.Not(condition))
|
|
140
|
+
constraints_num_bytes.append(claripy.And(*case_constraints))
|
|
141
141
|
|
|
142
142
|
# only one of the constraints need to hold
|
|
143
143
|
# since the constraints look like (num_bytes == 2 and the first 2 chars are valid, and the 3rd isn't)
|
|
144
144
|
|
|
145
|
-
final_constraint =
|
|
145
|
+
final_constraint = claripy.Or(*constraints_num_bytes)
|
|
146
146
|
if (
|
|
147
147
|
final_constraint.op == "__eq__"
|
|
148
148
|
and final_constraint.args[0] is num_bytes
|
|
@@ -154,15 +154,15 @@ class strtol(angr.SimProcedure):
|
|
|
154
154
|
else:
|
|
155
155
|
# symbolic case
|
|
156
156
|
state.add_constraints(final_constraint)
|
|
157
|
-
result =
|
|
157
|
+
result = claripy.ite_cases(cases, 0)
|
|
158
158
|
|
|
159
159
|
# overflow check
|
|
160
160
|
max_bits = state.arch.bits - 1 if signed else state.arch.bits
|
|
161
161
|
max_val = 2**max_bits - 1
|
|
162
|
-
result =
|
|
162
|
+
result = claripy.If(
|
|
163
163
|
result < max_val,
|
|
164
|
-
|
|
165
|
-
|
|
164
|
+
claripy.Extract(state.arch.bits - 1, 0, result),
|
|
165
|
+
claripy.BVV(max_val, state.arch.bits),
|
|
166
166
|
)
|
|
167
167
|
|
|
168
168
|
return expression, result, num_bytes
|
|
@@ -215,22 +215,20 @@ class strtol(angr.SimProcedure):
|
|
|
215
215
|
if base == 0:
|
|
216
216
|
# in this case the base is 16 if it starts with 0x, 8 if it starts with 0, 10 otherwise
|
|
217
217
|
# here's the possibilities
|
|
218
|
-
base_16_pred =
|
|
219
|
-
self.state.memory.load(nptr, 2) ==
|
|
220
|
-
self.state.memory.load(nptr, 3) ==
|
|
221
|
-
self.state.memory.load(nptr, 3) ==
|
|
218
|
+
base_16_pred = claripy.Or(
|
|
219
|
+
self.state.memory.load(nptr, 2) == claripy.BVV(b"0x"),
|
|
220
|
+
self.state.memory.load(nptr, 3) == claripy.BVV(b"+0x"),
|
|
221
|
+
self.state.memory.load(nptr, 3) == claripy.BVV(b"-0x"),
|
|
222
222
|
)
|
|
223
|
-
base_8_pred =
|
|
224
|
-
|
|
225
|
-
self.state.memory.load(nptr, 1) ==
|
|
226
|
-
self.state.memory.load(nptr, 2) ==
|
|
227
|
-
self.state.memory.load(nptr, 2) ==
|
|
223
|
+
base_8_pred = claripy.And(
|
|
224
|
+
claripy.Or(
|
|
225
|
+
self.state.memory.load(nptr, 1) == claripy.BVV(b"0"),
|
|
226
|
+
self.state.memory.load(nptr, 2) == claripy.BVV(b"+0"),
|
|
227
|
+
self.state.memory.load(nptr, 2) == claripy.BVV(b"-0"),
|
|
228
228
|
),
|
|
229
|
-
|
|
230
|
-
)
|
|
231
|
-
base_10_pred = self.state.solver.And(
|
|
232
|
-
self.state.solver.Not(base_16_pred), self.state.solver.Not(base_8_pred)
|
|
229
|
+
claripy.Not(base_16_pred),
|
|
233
230
|
)
|
|
231
|
+
base_10_pred = claripy.And(claripy.Not(base_16_pred), claripy.Not(base_8_pred))
|
|
234
232
|
expressions = []
|
|
235
233
|
values = []
|
|
236
234
|
num_bytes_arr = []
|
|
@@ -239,15 +237,15 @@ class strtol(angr.SimProcedure):
|
|
|
239
237
|
pred_base = zip([base_16_pred, base_10_pred, base_8_pred], [16, 10, 8])
|
|
240
238
|
for pred, sub_base in pred_base:
|
|
241
239
|
expression, value, num_bytes = self.strtol_inner(nptr, self.state, self.state.memory, sub_base, True)
|
|
242
|
-
expressions.append(
|
|
240
|
+
expressions.append(claripy.And(expression, pred))
|
|
243
241
|
values.append(value)
|
|
244
242
|
num_bytes_arr.append(num_bytes)
|
|
245
243
|
|
|
246
244
|
# we would return the Or(expressions) as the indicator whether or not it succeeded, but it's not needed
|
|
247
245
|
# for strtol
|
|
248
|
-
# expression =
|
|
249
|
-
value =
|
|
250
|
-
num_bytes =
|
|
246
|
+
# expression = claripy.Or(expressions)
|
|
247
|
+
value = claripy.ite_cases(zip(expressions, values), 0)
|
|
248
|
+
num_bytes = claripy.ite_cases(zip(expressions, num_bytes_arr), 0)
|
|
251
249
|
|
|
252
250
|
self.state.memory.store(
|
|
253
251
|
endptr, nptr + num_bytes, condition=(endptr != 0), endness=self.state.arch.memory_endness
|
|
@@ -260,4 +258,4 @@ class strtol(angr.SimProcedure):
|
|
|
260
258
|
self.state.memory.store(
|
|
261
259
|
endptr, nptr + num_bytes, condition=(endptr != 0), endness=self.state.arch.memory_endness
|
|
262
260
|
)
|
|
263
|
-
return
|
|
261
|
+
return claripy.If(expression, value, 0)
|
angr/procedures/libc/tolower.py
CHANGED
|
@@ -1,7 +1,9 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
4
6
|
class tolower(angr.SimProcedure):
|
|
5
7
|
# pylint: disable=arguments-differ
|
|
6
8
|
def run(self, c):
|
|
7
|
-
return
|
|
9
|
+
return claripy.If(claripy.And(c >= 65, c <= 90), c + 32, c) # A - Z
|
angr/procedures/libc/toupper.py
CHANGED
|
@@ -1,7 +1,9 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
4
6
|
class toupper(angr.SimProcedure):
|
|
5
7
|
# pylint: disable=arguments-differ
|
|
6
8
|
def run(self, c):
|
|
7
|
-
return
|
|
9
|
+
return claripy.If(claripy.And(c >= 97, c <= 122), c - 32, c) # a - z
|
|
@@ -31,7 +31,7 @@ class fstat(angr.SimProcedure):
|
|
|
31
31
|
store(0x18, stat.st_mode)
|
|
32
32
|
store(0x1C, stat.st_uid)
|
|
33
33
|
store(0x20, stat.st_gid)
|
|
34
|
-
store(0x24,
|
|
34
|
+
store(0x24, claripy.BVV(0, 32))
|
|
35
35
|
store(0x28, stat.st_rdev)
|
|
36
36
|
store(0x30, stat.st_size)
|
|
37
37
|
store(0x38, stat.st_blksize)
|
|
@@ -42,9 +42,9 @@ class fstat(angr.SimProcedure):
|
|
|
42
42
|
store(0x60, stat.st_mtimensec)
|
|
43
43
|
store(0x68, stat.st_ctime)
|
|
44
44
|
store(0x70, stat.st_ctimensec)
|
|
45
|
-
store(0x78,
|
|
46
|
-
store(0x80,
|
|
47
|
-
store(0x88,
|
|
45
|
+
store(0x78, claripy.BVV(0, 64))
|
|
46
|
+
store(0x80, claripy.BVV(0, 64))
|
|
47
|
+
store(0x88, claripy.BVV(0, 64))
|
|
48
48
|
|
|
49
49
|
# return struct.pack('<QQQLLLxxxxQqqqQqQqQxxxxxxxxxxxxxxxxxxxxxxxx',
|
|
50
50
|
# stat.st_dev,
|
|
@@ -84,23 +84,23 @@ class fstat(angr.SimProcedure):
|
|
|
84
84
|
store(0x60, stat.st_mtimensec)
|
|
85
85
|
store(0x68, stat.st_ctime)
|
|
86
86
|
store(0x70, stat.st_ctimensec)
|
|
87
|
-
store(0x78,
|
|
88
|
-
store(0x80,
|
|
89
|
-
store(0x88,
|
|
87
|
+
store(0x78, claripy.BVV(0, 64))
|
|
88
|
+
store(0x80, claripy.BVV(0, 64))
|
|
89
|
+
store(0x88, claripy.BVV(0, 64))
|
|
90
90
|
|
|
91
91
|
def _store_mips64(self, stat_buf, stat):
|
|
92
92
|
def store(offset, val):
|
|
93
93
|
return self.state.memory.store(stat_buf + offset, val, endness=self.state.arch.memory_endness)
|
|
94
94
|
|
|
95
95
|
store(0x00, stat.st_dev)
|
|
96
|
-
store(0x04,
|
|
96
|
+
store(0x04, claripy.BVV(0, 32 * 3))
|
|
97
97
|
store(0x10, stat.st_ino)
|
|
98
98
|
store(0x18, stat.st_mode)
|
|
99
99
|
store(0x1C, stat.st_nlink)
|
|
100
100
|
store(0x20, stat.st_uid)
|
|
101
101
|
store(0x24, stat.st_gid)
|
|
102
102
|
store(0x28, stat.st_rdev)
|
|
103
|
-
store(0x2C,
|
|
103
|
+
store(0x2C, claripy.BVV(0, 32 * 3))
|
|
104
104
|
store(0x38, stat.st_size)
|
|
105
105
|
store(0x40, stat.st_atime)
|
|
106
106
|
store(0x44, stat.st_atimensec)
|
|
@@ -109,7 +109,7 @@ class fstat(angr.SimProcedure):
|
|
|
109
109
|
store(0x50, stat.st_ctime)
|
|
110
110
|
store(0x54, stat.st_ctimensec)
|
|
111
111
|
store(0x58, stat.st_blksize)
|
|
112
|
-
store(0x5C,
|
|
112
|
+
store(0x5C, claripy.BVV(0, 32))
|
|
113
113
|
store(0x60, stat.st_blocks)
|
|
114
114
|
|
|
115
115
|
def _store_aarch64(self, stat_buf, stat):
|
|
@@ -123,10 +123,10 @@ class fstat(angr.SimProcedure):
|
|
|
123
123
|
store(0x18, stat.st_uid)
|
|
124
124
|
store(0x1C, stat.st_gid)
|
|
125
125
|
store(0x20, stat.st_rdev)
|
|
126
|
-
store(0x28,
|
|
126
|
+
store(0x28, claripy.BVV(0, 64))
|
|
127
127
|
store(0x30, stat.st_size)
|
|
128
128
|
store(0x38, stat.st_blksize)
|
|
129
|
-
store(0x3C,
|
|
129
|
+
store(0x3C, claripy.BVV(0, 32))
|
|
130
130
|
store(0x40, stat.st_blocks)
|
|
131
131
|
store(0x48, stat.st_atime)
|
|
132
132
|
store(0x50, stat.st_atimensec)
|
|
@@ -134,4 +134,4 @@ class fstat(angr.SimProcedure):
|
|
|
134
134
|
store(0x60, stat.st_mtimensec)
|
|
135
135
|
store(0x68, stat.st_ctime)
|
|
136
136
|
store(0x70, stat.st_ctimensec)
|
|
137
|
-
store(0x78,
|
|
137
|
+
store(0x78, claripy.BVV(0, 64))
|
|
@@ -62,7 +62,7 @@ class fstat64(angr.SimProcedure):
|
|
|
62
62
|
store(0x2C, stat.st_size)
|
|
63
63
|
store(0x34, stat.st_blksize)
|
|
64
64
|
store(0x38, stat.st_blocks)
|
|
65
|
-
store(0x3C,
|
|
65
|
+
store(0x3C, claripy.BVV(0, 32)) # padding
|
|
66
66
|
store(0x40, stat.st_atime)
|
|
67
67
|
store(0x44, stat.st_atimensec)
|
|
68
68
|
store(0x48, stat.st_mtime)
|
|
@@ -81,7 +81,7 @@ class fstat64(angr.SimProcedure):
|
|
|
81
81
|
store(0x18, stat.st_nlink)
|
|
82
82
|
store(0x1C, stat.st_uid)
|
|
83
83
|
store(0x20, stat.st_gid)
|
|
84
|
-
store(0x24,
|
|
84
|
+
store(0x24, claripy.BVV(0, 32))
|
|
85
85
|
store(0x28, stat.st_rdev)
|
|
86
86
|
store(0x30, stat.st_size)
|
|
87
87
|
store(0x38, stat.st_blksize)
|
|
@@ -92,9 +92,9 @@ class fstat64(angr.SimProcedure):
|
|
|
92
92
|
store(0x60, stat.st_mtimensec)
|
|
93
93
|
store(0x68, stat.st_ctime)
|
|
94
94
|
store(0x70, stat.st_ctimensec)
|
|
95
|
-
store(0x78,
|
|
96
|
-
store(0x80,
|
|
97
|
-
store(0x88,
|
|
95
|
+
store(0x78, claripy.BVV(0, 64))
|
|
96
|
+
store(0x80, claripy.BVV(0, 64))
|
|
97
|
+
store(0x88, claripy.BVV(0, 64))
|
|
98
98
|
|
|
99
99
|
def _store_ppc32(self, stat_buf, stat):
|
|
100
100
|
def store(offset, val):
|
|
@@ -107,10 +107,10 @@ class fstat64(angr.SimProcedure):
|
|
|
107
107
|
store(0x18, stat.st_uid)
|
|
108
108
|
store(0x1C, stat.st_gid)
|
|
109
109
|
store(0x20, stat.st_rdev)
|
|
110
|
-
store(0x28,
|
|
110
|
+
store(0x28, claripy.BVV(0, 64))
|
|
111
111
|
store(0x30, stat.st_size)
|
|
112
112
|
store(0x38, stat.st_blksize)
|
|
113
|
-
store(0x3C,
|
|
113
|
+
store(0x3C, claripy.BVV(0, 32))
|
|
114
114
|
store(0x40, stat.st_blocks)
|
|
115
115
|
store(0x48, stat.st_atime)
|
|
116
116
|
store(0x4C, stat.st_atimensec)
|
|
@@ -118,20 +118,20 @@ class fstat64(angr.SimProcedure):
|
|
|
118
118
|
store(0x54, stat.st_mtimensec)
|
|
119
119
|
store(0x58, stat.st_ctime)
|
|
120
120
|
store(0x5C, stat.st_ctimensec)
|
|
121
|
-
store(0x60,
|
|
122
|
-
store(0x64,
|
|
121
|
+
store(0x60, claripy.BVV(0, 32))
|
|
122
|
+
store(0x64, claripy.BVV(0, 32))
|
|
123
123
|
|
|
124
124
|
def _store_mips32(self, stat_buf, stat):
|
|
125
125
|
def store(offset, val):
|
|
126
126
|
return self.state.memory.store(stat_buf + offset, val, endness=self.state.arch.memory_endness)
|
|
127
127
|
|
|
128
128
|
store(0x00, stat.st_dev)
|
|
129
|
-
store(0x04,
|
|
129
|
+
store(0x04, claripy.BVV(0, 32 * 3))
|
|
130
130
|
store(0x10, stat.st_ino)
|
|
131
131
|
store(0x18, stat.st_uid)
|
|
132
132
|
store(0x1C, stat.st_gid)
|
|
133
133
|
store(0x20, stat.st_rdev)
|
|
134
|
-
store(0x24,
|
|
134
|
+
store(0x24, claripy.BVV(0, 32 * 3))
|
|
135
135
|
store(0x30, stat.st_size)
|
|
136
136
|
store(0x38, stat.st_atime)
|
|
137
137
|
store(0x3C, stat.st_atimensec)
|
|
@@ -140,7 +140,7 @@ class fstat64(angr.SimProcedure):
|
|
|
140
140
|
store(0x48, stat.st_ctime)
|
|
141
141
|
store(0x4C, stat.st_ctimensec)
|
|
142
142
|
store(0x50, stat.st_blksize)
|
|
143
|
-
store(0x54,
|
|
143
|
+
store(0x54, claripy.BVV(0, 32))
|
|
144
144
|
store(0x58, stat.st_blocks)
|
|
145
145
|
|
|
146
146
|
def _store_arm_eabi(self, stat_buf, stat):
|
|
@@ -148,18 +148,18 @@ class fstat64(angr.SimProcedure):
|
|
|
148
148
|
return self.state.memory.store(stat_buf + offset, val, endness=self.state.arch.memory_endness)
|
|
149
149
|
|
|
150
150
|
store(0x00, stat.st_dev)
|
|
151
|
-
store(0x02,
|
|
151
|
+
store(0x02, claripy.BVV(0, 8 * 10))
|
|
152
152
|
store(0x0C, stat.st_ino)
|
|
153
153
|
store(0x10, stat.st_mode)
|
|
154
154
|
store(0x14, stat.st_nlink)
|
|
155
155
|
store(0x18, stat.st_uid)
|
|
156
156
|
store(0x1C, stat.st_gid)
|
|
157
157
|
store(0x20, stat.st_rdev)
|
|
158
|
-
store(0x22,
|
|
158
|
+
store(0x22, claripy.BVV(0, 8 * 10))
|
|
159
159
|
store(0x2C, stat.st_size)
|
|
160
160
|
store(0x34, stat.st_blksize)
|
|
161
161
|
store(0x38, stat.st_blocks)
|
|
162
|
-
store(0x3C,
|
|
162
|
+
store(0x3C, claripy.BVV(0, 32))
|
|
163
163
|
store(0x40, stat.st_atime)
|
|
164
164
|
store(0x44, stat.st_atimensec)
|
|
165
165
|
store(0x48, stat.st_mtime)
|
|
@@ -1,7 +1,9 @@
|
|
|
1
|
-
import angr
|
|
2
|
-
|
|
3
1
|
import logging
|
|
4
2
|
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
5
|
+
import angr
|
|
6
|
+
|
|
5
7
|
l = logging.getLogger(name=__name__)
|
|
6
8
|
|
|
7
9
|
|
|
@@ -36,4 +38,4 @@ class lseek(angr.SimProcedure):
|
|
|
36
38
|
success = simfd.seek(seek, whence_str)
|
|
37
39
|
if self.state.solver.is_false(success):
|
|
38
40
|
return -1
|
|
39
|
-
return
|
|
41
|
+
return claripy.If(success, simfd.tell(), -1)
|
|
@@ -1,10 +1,12 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
4
6
|
class sigaction(angr.SimProcedure):
|
|
5
7
|
def run(self, signum, act, oldact): # pylint:disable=arguments-differ,unused-argument
|
|
6
8
|
# TODO: actually do something
|
|
7
|
-
return
|
|
9
|
+
return claripy.BVV(0, self.arch.sizeof["long"])
|
|
8
10
|
|
|
9
11
|
|
|
10
12
|
class rt_sigaction(angr.SimProcedure):
|
|
@@ -13,4 +15,4 @@ class rt_sigaction(angr.SimProcedure):
|
|
|
13
15
|
# ...hack
|
|
14
16
|
if self.state.solver.is_true(signum == 33):
|
|
15
17
|
return self.state.libc.ret_errno("EINVAL")
|
|
16
|
-
return
|
|
18
|
+
return claripy.BVV(0, self.arch.sizeof["long"])
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
@@ -9,12 +11,12 @@ class sigprocmask(angr.SimProcedure):
|
|
|
9
11
|
self.state.posix.sigprocmask(how, self.state.memory.load(set_, sigsetsize), sigsetsize, valid_ptr=set_ != 0)
|
|
10
12
|
|
|
11
13
|
# TODO: EFAULT
|
|
12
|
-
return
|
|
13
|
-
|
|
14
|
+
return claripy.If(
|
|
15
|
+
claripy.And(
|
|
14
16
|
how != self.state.posix.SIG_BLOCK,
|
|
15
17
|
how != self.state.posix.SIG_UNBLOCK,
|
|
16
18
|
how != self.state.posix.SIG_SETMASK,
|
|
17
19
|
),
|
|
18
|
-
|
|
20
|
+
claripy.BVV(self.state.posix.EINVAL, self.arch.sizeof["int"]),
|
|
19
21
|
0,
|
|
20
22
|
)
|
|
@@ -1,7 +1,9 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
4
6
|
class tgkill(angr.SimProcedure):
|
|
5
7
|
def run(self, tgid, tid, sig): # pylint:disable=arguments-differ,unused-argument
|
|
6
8
|
# TODO: actually do something
|
|
7
|
-
return
|
|
9
|
+
return claripy.BVV(0, self.arch.sizeof["int"])
|
|
@@ -1,5 +1,8 @@
|
|
|
1
|
+
import time as py_time
|
|
2
|
+
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
1
5
|
import angr
|
|
2
|
-
import time as _time
|
|
3
6
|
|
|
4
7
|
|
|
5
8
|
class time(angr.SimProcedure):
|
|
@@ -17,10 +20,10 @@ class time(angr.SimProcedure):
|
|
|
17
20
|
def run(self, pointer):
|
|
18
21
|
# TODO lord have mercy. how big is time_t?
|
|
19
22
|
if angr.options.USE_SYSTEM_TIMES in self.state.options:
|
|
20
|
-
ts = int(
|
|
21
|
-
result =
|
|
23
|
+
ts = int(py_time.time())
|
|
24
|
+
result = claripy.BVV(ts, self.state.arch.bits)
|
|
22
25
|
else:
|
|
23
|
-
result =
|
|
26
|
+
result = claripy.BVS("sys_time", self.state.arch.bits, key=("api", "time"))
|
|
24
27
|
if self.last_time is not None:
|
|
25
28
|
self.state.add_constraints(result.SGE(self.last_time))
|
|
26
29
|
else:
|
angr/procedures/msvcr/fmode.py
CHANGED
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
@@ -17,7 +19,7 @@ class _get_fmode(angr.SimProcedure):
|
|
|
17
19
|
|
|
18
20
|
class _set_fmode(angr.SimProcedure):
|
|
19
21
|
def run(self, val):
|
|
20
|
-
if not self.state.solver.is_true(
|
|
22
|
+
if not self.state.solver.is_true(claripy.Or(val == 0x4000, val == 0x8000)):
|
|
21
23
|
return 22
|
|
22
24
|
self.state.mem[self.project.simos.fmode_ptr].int = val
|
|
23
25
|
return 0
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
@@ -13,7 +15,7 @@ class KiUserExceptionDispatcher(angr.SimProcedure):
|
|
|
13
15
|
if self.state.arch.name != "X86":
|
|
14
16
|
raise angr.errors.SimUnsupportedError("KiUserDispatchException is only implemented for X86")
|
|
15
17
|
|
|
16
|
-
self.tib_ptr = self.state.regs._fs.concat(
|
|
18
|
+
self.tib_ptr = self.state.regs._fs.concat(claripy.BVV(0, 16))
|
|
17
19
|
self.top_record = self.state.mem[self.tib_ptr].uint32_t.resolved
|
|
18
20
|
self.cur_ptr = self.top_record
|
|
19
21
|
|
angr/procedures/posix/bzero.py
CHANGED
angr/procedures/posix/fdopen.py
CHANGED
|
@@ -1,6 +1,8 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
from cle.backends.externs.simdata.io_file import io_file_data_for_arch
|
|
3
|
+
|
|
1
4
|
import angr
|
|
2
5
|
|
|
3
|
-
from cle.backends.externs.simdata.io_file import io_file_data_for_arch
|
|
4
6
|
|
|
5
7
|
# Reference for implementation: glibc-2.25/libio/iofdopen.c
|
|
6
8
|
|
|
@@ -65,7 +67,7 @@ class fdopen(angr.SimProcedure):
|
|
|
65
67
|
file_struct_ptr = self.inline_call(malloc, io_file_data["size"]).ret_expr
|
|
66
68
|
|
|
67
69
|
# Write the fd
|
|
68
|
-
fd_bvv =
|
|
70
|
+
fd_bvv = claripy.BVV(fd_concr, 4 * 8) # int
|
|
69
71
|
self.state.memory.store(
|
|
70
72
|
file_struct_ptr + io_file_data["fd"], fd_bvv, endness=self.state.arch.memory_endness
|
|
71
73
|
)
|
|
@@ -73,5 +75,5 @@ class fdopen(angr.SimProcedure):
|
|
|
73
75
|
if self.state.solver.is_true(fd_int == fd_concr):
|
|
74
76
|
return file_struct_ptr
|
|
75
77
|
else:
|
|
76
|
-
null =
|
|
77
|
-
return
|
|
78
|
+
null = claripy.BVV(0, self.state.arch.bits)
|
|
79
|
+
return claripy.If(fd_int == fd_concr, file_struct_ptr, null)
|
angr/procedures/posix/fork.py
CHANGED
|
@@ -1,10 +1,12 @@
|
|
|
1
|
+
import claripy
|
|
2
|
+
|
|
1
3
|
import angr
|
|
2
4
|
|
|
3
5
|
|
|
4
6
|
class fork(angr.SimProcedure):
|
|
5
7
|
def run(self):
|
|
6
|
-
return
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
8
|
+
return claripy.If(
|
|
9
|
+
claripy.BoolS("fork_parent"),
|
|
10
|
+
claripy.BVV(1338, self.arch.sizeof["int"]),
|
|
11
|
+
claripy.BVV(0, self.arch.sizeof["int"]),
|
|
10
12
|
)
|
angr/procedures/posix/mmap.py
CHANGED
|
@@ -1,7 +1,10 @@
|
|
|
1
|
+
import logging
|
|
2
|
+
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
1
5
|
import angr
|
|
2
6
|
from ...storage.file import SimFileDescriptor
|
|
3
7
|
|
|
4
|
-
import logging
|
|
5
8
|
|
|
6
9
|
l = logging.getLogger(name=__name__)
|
|
7
10
|
|
|
@@ -89,7 +92,7 @@ class mmap(angr.SimProcedure):
|
|
|
89
92
|
# Sanity check. All mmap must have exactly one of MAP_SHARED or MAP_PRIVATE
|
|
90
93
|
if (flags & MAP_SHARED and flags & MAP_PRIVATE) or flags & (MAP_SHARED | MAP_PRIVATE) == 0:
|
|
91
94
|
l.debug("... = -1 (bad flags)")
|
|
92
|
-
return
|
|
95
|
+
return claripy.BVV(-1, self.state.arch.bits)
|
|
93
96
|
|
|
94
97
|
# Do region mapping
|
|
95
98
|
while True:
|
|
@@ -103,7 +106,7 @@ class mmap(angr.SimProcedure):
|
|
|
103
106
|
|
|
104
107
|
if flags & MAP_FIXED:
|
|
105
108
|
l.debug("... = -1 (MAP_FIXED failure)")
|
|
106
|
-
return
|
|
109
|
+
return claripy.BVV(-1, self.state.arch.bits)
|
|
107
110
|
|
|
108
111
|
# Can't give you that address. Find a different one and loop back around to try again.
|
|
109
112
|
addr = self.allocate_memory(size)
|
angr/procedures/posix/poll.py
CHANGED
|
@@ -1,6 +1,9 @@
|
|
|
1
|
-
import angr
|
|
2
1
|
import select
|
|
3
2
|
|
|
3
|
+
import claripy
|
|
4
|
+
|
|
5
|
+
import angr
|
|
6
|
+
|
|
4
7
|
|
|
5
8
|
class poll(angr.SimProcedure):
|
|
6
9
|
# pylint:disable=arguments-differ
|
|
@@ -43,12 +46,10 @@ class poll(angr.SimProcedure):
|
|
|
43
46
|
raise angr.errors.SimProcedureArgumentError("Can't handle symbolic pollfd arguments") from e
|
|
44
47
|
|
|
45
48
|
if events & select.POLLIN and fd >= 0:
|
|
46
|
-
revents = pollfd["revents"][self.arch.sizeof["short"] - 1 : 1].concat(
|
|
47
|
-
self.state.solver.BVS("fd_POLLIN", 1)
|
|
48
|
-
)
|
|
49
|
+
revents = pollfd["revents"][self.arch.sizeof["short"] - 1 : 1].concat(claripy.BVS("fd_POLLIN", 1))
|
|
49
50
|
self.state.memory.store(
|
|
50
51
|
fds + offset * size_of_pollfd + offset_revents, revents, endness=self.arch.memory_endness
|
|
51
52
|
)
|
|
52
53
|
|
|
53
|
-
retval =
|
|
54
|
+
retval = claripy.BVV(0, 1).concat(claripy.BVS("poll_ret", self.state.arch.bits - 1))
|
|
54
55
|
return retval
|