smallworld-re 1.0.0__py3-none-any.whl

smallworld/emulators/angr/default.py

@@ -0,0 +1,15 @@
+import angr
+
+from .exploration import DefaultExplorationTechnique
+from .memory import DefaultMemoryPlugin
+from .scratch import ExpandedScratchPlugin
+
+
+def configure_default_plugins(emu):
+    preset = angr.SimState._presets["default"]
+    preset.add_default_plugin("sym_memory", DefaultMemoryPlugin)
+    preset.add_default_plugin("scratch", ExpandedScratchPlugin)
+
+
+def configure_default_strategy(emu):
+    emu.mgr.use_technique(DefaultExplorationTechnique())

smallworld/emulators/angr/exceptions.py

@@ -0,0 +1,7 @@
+from ... import exceptions
+
+
+class PathTerminationSignal(exceptions.unstable.AnalysisSignal):
+    """Exception allowing an analysis to terminate an execution path."""
+
+    pass

smallworld/emulators/angr/exploration/__init__.py

@@ -0,0 +1,9 @@
+from .bounds import BoundedExplorationMixin
+from .default import DefaultExplorationTechnique
+from .terminate import TerminationExplorationMixin
+
+__all__ = [
+    "BoundedExplorationMixin",
+    "DefaultExplorationTechnique",
+    "TerminationExplorationMixin",
+]

smallworld/emulators/angr/exploration/bounds.py

@@ -0,0 +1,27 @@
+import logging
+
+log = logging.getLogger(__name__)
+
+
+class BoundedExplorationMixin:
+    """
+    Mixin forcing execution to obey our code bounds.
+    """
+
+    def step_state(self, simgr, state, **kwargs):
+        if not state._ip.symbolic:
+            ip = state._ip.concrete_value
+            (r, found) = state.scratch.memory_map.find_closest_range(ip)
+            if not found:
+                return dict()
+            (_, stop) = r
+            size = stop - ip
+            if not state.scratch.bounds.is_empty():
+                (r, found) = state.scratch.bounds.find_closest_range(ip)
+                if not found:
+                    return dict()
+                (_, stop) = r
+                size = min(size, stop - ip)
+
+            kwargs["size"] = size
+        return super().step_state(simgr, state, **kwargs)

smallworld/emulators/angr/exploration/default.py

@@ -0,0 +1,17 @@
+import angr
+
+from .bounds import BoundedExplorationMixin
+from .terminate import TerminationExplorationMixin
+
+
+class DefaultExplorationTechnique(
+    TerminationExplorationMixin,
+    BoundedExplorationMixin,
+    angr.exploration_techniques.suggestions.Suggestions,
+):
+    """Default exploration technique.
+
+    Registers a few default-useful plugins for the SimulationManager.
+    """
+
+    pass

smallworld/emulators/angr/exploration/terminate.py

@@ -0,0 +1,22 @@
+from ..exceptions import PathTerminationSignal
+
+
+class TerminationExplorationMixin:
+    """
+    Mixin allowing analyses to terminate a single path.
+
+    This allows analyses to raise an exception
+    that aborts successor computation cleanly,
+    rather than producing an 'error' state.
+
+    NOTE: To be effective, this needs to be at the top
+    of the mixin hierarchy
+    """
+
+    def step_state(self, simgr, state, **kwargs):
+        try:
+            out = super().step_state(simgr, state, **kwargs)
+        except PathTerminationSignal:
+            out = dict()
+
+        return out

smallworld/emulators/angr/factory.py

@@ -0,0 +1,55 @@
+import logging
+
+from angr.factory import AngrObjectFactory
+
+from ...exceptions import AnalysisError
+
+log = logging.getLogger(__name__)
+
+
+class PatchedObjectFactory(AngrObjectFactory):
+    """Extension of AngrObjectFactory to allow function overrides
+
+    There are a couple of core functions (blocks)
+    which need to get overloaded, but which are not exposed
+    to any kind of plugin interface.
+    """
+
+    def block(self, *args, **kwargs):
+        if "backup_state" in kwargs:
+            # Bound block lifting based on our code bounds
+            # Angr's Vex lifter will happily run off the edge of memory,
+            # interpreting undefined memory as zeroes.
+            state = kwargs["backup_state"]
+            if state._ip.symbolic:
+                raise AnalysisError("Cannot build a block for a symbolic IP")
+            ip = state._ip.concrete_value
+
+            # Check if the ip is mapped
+            (r, found) = state.scratch.memory_map.find_closest_range(ip)
+            if not found:
+                # Nope.  No code here.
+                log.warn(f"No block mapped at {state._ip}")
+                max_size = 0
+            else:
+                # Yep.  We have an upper bound on our block
+                (start, stop) = r
+                max_size = stop - ip
+                if not state.scratch.bounds.is_empty():
+                    # We also have bounds.  Test if we're in those
+                    (r, found) = state.scratch.bounds.find_closest_range(ip)
+                    if not found:
+                        # Nope.  Out of bounds.
+                        log.warn(f"{state._ip} is out of bounds")
+                        max_size = 0
+                    else:
+                        # Yep.  Allow anything in bounds and in memory
+                        (start, stop) = r
+                        max_size = min(max_size, stop - ip)
+
+            if max_size == 0:
+                log.warn(f"Empty block at {state._ip}")
+            max_size = min(max_size, 4096)
+            kwargs["size"] = max_size
+
+        return super().block(*args, **kwargs)

smallworld/emulators/angr/machdefs/__init__.py

@@ -0,0 +1,35 @@
+from .aarch64 import AArch64MachineDef
+from .amd64 import AMD64MachineDef
+from .arm import (
+    ARMv5TMachineDef,
+    ARMv6MMachineDef,
+    ARMv6MThumbMachineDef,
+    ARMv7MMachineDef,
+)
+from .i386 import i386MachineDef
+from .machdef import AngrMachineDef
+from .mips import MIPSBEMachineDef, MIPSELMachineDef
+from .mips64 import MIPS64BEMachineDef, MIPS64ELMachineDef
+from .ppc import PowerPC32MachineDef, PowerPC64MachineDef
+from .riscv import RISCV64MachineDef
+from .xtensa import XTensaBEMachineDef, XTensaELMachineDef
+
+__all__ = [
+    "AArch64MachineDef",
+    "AMD64MachineDef",
+    "AngrMachineDef",
+    "ARMv5TMachineDef",
+    "ARMv6MMachineDef",
+    "ARMv6MThumbMachineDef",
+    "ARMv7MMachineDef",
+    "i386MachineDef",
+    "MIPSBEMachineDef",
+    "MIPSELMachineDef",
+    "MIPS64BEMachineDef",
+    "MIPS64ELMachineDef",
+    "PowerPC32MachineDef",
+    "PowerPC64MachineDef",
+    "RISCV64MachineDef",
+    "XTensaBEMachineDef",
+    "XTensaELMachineDef",
+]

smallworld/emulators/angr/machdefs/aarch64.py

@@ -0,0 +1,292 @@
+import archinfo
+
+from ....platforms import Architecture, Byteorder
+from .machdef import AngrMachineDef
+
+
+class AArch64MachineDef(AngrMachineDef):
+    arch = Architecture.AARCH64
+    byteorder = Byteorder.LITTLE
+
+    angr_arch = archinfo.arch_aarch64.ArchAArch64()
+    pc_reg = "pc"
+
+    _registers = {
+        # *** General Purpose Registers ***
+        "x0": "x0",
+        "w0": "w0",
+        "x1": "x1",
+        "w1": "w1",
+        "x2": "x2",
+        "w2": "w2",
+        "x3": "x3",
+        "w3": "w3",
+        "x4": "x4",
+        "w4": "w4",
+        "x5": "x5",
+        "w5": "w5",
+        "x6": "x6",
+        "w6": "w6",
+        "x7": "x7",
+        "w7": "w7",
+        "x8": "x8",
+        "w8": "w8",
+        "x9": "x9",
+        "w9": "w9",
+        "x10": "x10",
+        "w10": "w10",
+        "x11": "x11",
+        "w11": "w11",
+        "x12": "x12",
+        "w12": "w12",
+        "x13": "x13",
+        "w13": "w13",
+        "x14": "x14",
+        "w14": "w14",
+        "x15": "x15",
+        "w15": "w15",
+        "x16": "x16",
+        "w16": "w16",
+        "x17": "x17",
+        "w17": "w17",
+        "x18": "x18",
+        "w18": "w18",
+        "x19": "x19",
+        "w19": "w19",
+        "x20": "x20",
+        "w20": "w20",
+        "x21": "x21",
+        "w21": "w21",
+        "x22": "x22",
+        "w22": "w22",
+        "x23": "x23",
+        "w23": "w23",
+        "x24": "x24",
+        "w24": "w24",
+        "x25": "x25",
+        "w25": "w25",
+        "x26": "x26",
+        "w26": "w26",
+        "x27": "x27",
+        "w27": "w27",
+        "x28": "x28",
+        "w28": "w28",
+        "x29": "x29",
+        "w29": "w29",
+        "x30": "x30",
+        "w30": "w30",
+        "pc": "pc",
+        "sp": "sp",
+        "fp": "fp",
+        "lr": "lr",
+        "xzr": "xzr",
+        "wzr": "wzr",
+        # *** System Control Registers ***
+        # NOTE: "_elX" indicates that only exception level X or greater can access this register.
+        # NOTE: This list is far from complete; it only covers what Unicorn supports
+        # NOTE: angr's aarch64 model is aggressively userspace-only.  None of these are supported
+        # Condition Code Register
+        "fpcr": "",
+        # Floating Point Status Register
+        "fpsr": "",
+        # Banked stack pointers for exception handlers
+        "sp_el0": "",
+        "sp_el1": "",
+        "sp_el2": "",
+        "sp_el3": "",
+        # Banked link registers for exception handlers
+        # NOTE: Unicorn thinks there's an elr_el0; according to docs, it doesn't exist
+        "elr_el1": "",
+        "elr_el2": "",
+        "elr_el3": "",
+        # Banked exception syndrome registers for exception handlers
+        # NOTE: Unicorn thinks there's a far_el0; according to docs, it doesn't exist
+        "far_el1": "",
+        "far_el2": "",
+        "far_el3": "",
+        # Banked vector base address registers for exception handlers
+        # NOTE: vbar_el0 and vbar_el1 are aliases for each other.
+        # Since vbar_el0 doesn't exist in angr, vbar_el1 has to be the "real" copy.
+        "vbar_el1": "",
+        "vbar_el0": "",
+        "vbar_el2": "",
+        "vbar_el3": "",
+        # Coprocessor access control register
+        "cpacr_el1": "",
+        # Memory Attribute Indirection Register
+        "mair_el1": "",
+        # Physical Address Register
+        "par_el1": "",
+        # Translation Table Zero Base Register
+        "ttbr0_el1": "",
+        # Translation Table One Base Register
+        "ttbr1_el1": "",
+        # Thread ID Register
+        # NOTE: According to docs, there should be an el2 and el3 copy, too.
+        "tpidr_el0": "",
+        "tpidr_el1": "",
+        # Userspace-visible Thread ID register
+        "tpidrro_el0": "",
+        # *** Floating Point Registers ***
+        # Scalar Floating Point Registers
+        "q0": "q0",
+        "d0": "d0",
+        "s0": "s0",
+        "h0": "h0",
+        "b0": "b0",
+        "q1": "q1",
+        "d1": "d1",
+        "s1": "s1",
+        "h1": "h1",
+        "b1": "b1",
+        "q2": "q2",
+        "d2": "d2",
+        "s2": "s2",
+        "h2": "h2",
+        "b2": "b2",
+        "q3": "q3",
+        "d3": "d3",
+        "s3": "s3",
+        "h3": "h3",
+        "b3": "b3",
+        "q4": "q4",
+        "d4": "d4",
+        "s4": "s4",
+        "h4": "h4",
+        "b4": "b4",
+        "q5": "q5",
+        "d5": "d5",
+        "s5": "s5",
+        "h5": "h5",
+        "b5": "b5",
+        "q6": "q6",
+        "d6": "d6",
+        "s6": "s6",
+        "h6": "h6",
+        "b6": "b6",
+        "q7": "q7",
+        "d7": "d7",
+        "s7": "s7",
+        "h7": "h7",
+        "b7": "b7",
+        "q8": "q8",
+        "d8": "d8",
+        "s8": "s8",
+        "h8": "h8",
+        "b8": "b8",
+        "q9": "q9",
+        "d9": "d9",
+        "s9": "s9",
+        "h9": "h9",
+        "b9": "b9",
+        "q10": "q10",
+        "d10": "d10",
+        "s10": "s10",
+        "h10": "h10",
+        "b10": "b10",
+        "q11": "q11",
+        "d11": "d11",
+        "s11": "s11",
+        "h11": "h11",
+        "b11": "b11",
+        "q12": "q12",
+        "d12": "d12",
+        "s12": "s12",
+        "h12": "h12",
+        "b12": "b12",
+        "q13": "q13",
+        "d13": "d13",
+        "s13": "s13",
+        "h13": "h13",
+        "b13": "b13",
+        "q14": "q14",
+        "d14": "d14",
+        "s14": "s14",
+        "h14": "h14",
+        "b14": "b14",
+        "q15": "q15",
+        "d15": "d15",
+        "s15": "s15",
+        "h15": "h15",
+        "b15": "b15",
+        "q16": "q16",
+        "d16": "d16",
+        "s16": "s16",
+        "h16": "h16",
+        "b16": "b16",
+        "q17": "q17",
+        "d17": "d17",
+        "s17": "s17",
+        "h17": "h17",
+        "b17": "b17",
+        "q18": "q18",
+        "d18": "d18",
+        "s18": "s18",
+        "h18": "h18",
+        "b18": "b18",
+        "q19": "q19",
+        "d19": "d19",
+        "s19": "s19",
+        "h19": "h19",
+        "b19": "b19",
+        "q20": "q20",
+        "d20": "d20",
+        "s20": "s20",
+        "h20": "h20",
+        "b20": "b20",
+        "q21": "q21",
+        "d21": "d21",
+        "s21": "s21",
+        "h21": "h21",
+        "b21": "b21",
+        "q22": "q22",
+        "d22": "d22",
+        "s22": "s22",
+        "h22": "h22",
+        "b22": "b22",
+        "q23": "q23",
+        "d23": "d23",
+        "s23": "s23",
+        "h23": "h23",
+        "b23": "b23",
+        "q24": "q24",
+        "d24": "d24",
+        "s24": "s24",
+        "h24": "h24",
+        "b24": "b24",
+        "q25": "q25",
+        "d25": "d25",
+        "s25": "s25",
+        "h25": "h25",
+        "b25": "b25",
+        "q26": "q26",
+        "d26": "d26",
+        "s26": "s26",
+        "h26": "h26",
+        "b26": "b26",
+        "q27": "q27",
+        "d27": "d27",
+        "s27": "s27",
+        "h27": "h27",
+        "b27": "b27",
+        "q28": "q28",
+        "d28": "d28",
+        "s28": "s28",
+        "h28": "h28",
+        "b28": "b28",
+        "q29": "q29",
+        "d29": "d29",
+        "s29": "s29",
+        "h29": "h29",
+        "b29": "b29",
+        "q30": "q30",
+        "d30": "d30",
+        "s30": "s30",
+        "h30": "h30",
+        "b30": "b30",
+        "q31": "q31",
+        "d31": "d31",
+        "s31": "s31",
+        "h31": "h31",
+        "b31": "b31",
+    }

smallworld/emulators/angr/machdefs/amd64.py

@@ -0,0 +1,192 @@
+import archinfo
+
+from ....platforms import Architecture, Byteorder
+from .machdef import AngrMachineDef
+
+
+class AMD64MachineDef(AngrMachineDef):
+    # NOTE: angr doesn't support AVX512
+    # Thus, this is our only amd64 machdef
+    arch = Architecture.X86_64
+    byteorder = Byteorder.LITTLE
+
+    angr_arch = archinfo.arch_amd64.ArchAMD64()
+
+    pc_reg = "rip"
+
+    _registers = {
+        # *** General Purpose Registers ***
+        "rax": "rax",
+        "eax": "eax",
+        "ax": "ax",
+        "al": "al",
+        "ah": "ah",
+        "rbx": "rbx",
+        "ebx": "ebx",
+        "bx": "bx",
+        "bl": "bl",
+        "bh": "bh",
+        "rcx": "rcx",
+        "ecx": "ecx",
+        "cx": "cx",
+        "cl": "cl",
+        "ch": "ch",
+        "rdx": "rdx",
+        "edx": "edx",
+        "dx": "dx",
+        "dl": "dl",
+        "dh": "dh",
+        "r8": "r8",
+        "r8d": "r8d",
+        "r8w": "r8w",
+        "r8b": "r8b",
+        "r9": "r9",
+        "r9d": "r9d",
+        "r9w": "r9w",
+        "r9b": "r9b",
+        "r10": "r10",
+        "r10d": "r10d",
+        "r10w": "r10w",
+        "r10b": "r10b",
+        "r11": "r11",
+        "r11d": "r11d",
+        "r11w": "r11w",
+        "r11b": "r11b",
+        "r12": "r12",
+        "r12d": "r12d",
+        "r12w": "r12w",
+        "r12b": "r12b",
+        "r13": "r13",
+        "r13d": "r13d",
+        "r13w": "r13w",
+        "r13b": "r13b",
+        "r14": "r14",
+        "r14d": "r14d",
+        "r14w": "r14w",
+        "r14b": "r14b",
+        "r15": "r15",
+        "r15d": "r15d",
+        "r15w": "r15w",
+        "r15b": "r15b",
+        "rsi": "rsi",
+        "esi": "esi",
+        "si": "si",
+        "sil": "sil",
+        "rdi": "rdi",
+        "edi": "edi",
+        "di": "di",
+        "dil": "dil",
+        "rbp": "rbp",
+        "ebp": "ebp",
+        "bp": "bp",
+        "bpl": "bpl",
+        "rsp": "rsp",
+        "esp": "esp",
+        "sp": "sp",
+        "spl": "spl",
+        # *** Instruction Pointer ***
+        "rip": "rip",
+        "eip": "eip",
+        "ip": "ip",
+        # *** Segment Registers ***
+        "cs": "",
+        "ds": "",
+        "es": "",
+        "fs": "fs",
+        "gs": "gs",
+        "ss": "",
+        # *** Flags Register ***
+        "rflags": "rflags",
+        "eflags": "eflags",
+        "flags": "flags",
+        # *** Control Registers ***
+        "cr0": "cr0",
+        "cr1": "",
+        "cr2": "cr2",
+        "cr3": "cr3",
+        "cr4": "cr4",
+        "cr8": "cr8",
+        # *** Debug Registers ***
+        "dr0": "",
+        "dr1": "",
+        "dr2": "",
+        "dr3": "",
+        "dr6": "",
+        "dr7": "",
+        "dr8": "",
+        "dr9": "",
+        "dr10": "",
+        "dr11": "",
+        "dr12": "",
+        "dr13": "",
+        "dr14": "",
+        "dr15": "",
+        # *** Descriptor Table Registers ***
+        "gdtr": "",
+        "idtr": "",
+        "ldtr": "",
+        # *** Task Register ***
+        "tr": "",
+        # *** x87 Registers ***
+        # TODO: angr seems to support x87, but I have no idea how its register file works
+        # I can't find most of the control registers,
+        # and there don't seem to be separate "fprN" registers; just one giant blob
+        "fpr0": "",
+        "fpr1": "",
+        "fpr2": "",
+        "fpr3": "",
+        "fpr4": "",
+        "fpr5": "",
+        "fpr6": "",
+        "fpr7": "",
+        "fctrl": "",
+        "fstat": "",
+        "ftag": "fptag",
+        "fip": "",
+        "fdp": "",
+        "fop": "",
+        # *** MMX Registers ***
+        "mm0": "mm0",
+        "mm1": "mm1",
+        "mm2": "mm2",
+        "mm3": "mm3",
+        "mm4": "mm4",
+        "mm5": "mm5",
+        "mm6": "mm6",
+        "mm7": "mm7",
+        # SSE/AVX registers
+        "ymm0": "ymm0",
+        "xmm0": "xmm0",
+        "ymm1": "ymm1",
+        "xmm1": "xmm1",
+        "ymm2": "ymm2",
+        "xmm2": "xmm2",
+        "ymm3": "ymm3",
+        "xmm3": "xmm3",
+        "ymm4": "ymm4",
+        "xmm4": "xmm4",
+        "ymm5": "ymm5",
+        "xmm5": "xmm5",
+        "ymm6": "ymm6",
+        "xmm6": "xmm6",
+        "ymm7": "ymm7",
+        "xmm7": "xmm7",
+        "ymm8": "ymm8",
+        "xmm8": "xmm8",
+        "ymm9": "ymm9",
+        "xmm9": "xmm9",
+        "ymm10": "ymm10",
+        "xmm10": "xmm10",
+        "ymm11": "ymm11",
+        "xmm11": "xmm11",
+        "ymm12": "ymm12",
+        "xmm12": "xmm12",
+        "ymm13": "ymm13",
+        "xmm13": "xmm13",
+        "ymm14": "ymm14",
+        "xmm14": "xmm14",
+        "ymm15": "ymm15",
+        "xmm15": "xmm15",
+        "ymm16": "ymm16",
+        "xmm16": "xmm16",
+    }