angr issue #777

avoid-i386.txt

0804848b

avoid-mips.txt

00400860

failure-i386.txt

080484cb

failure-mips.txt

004008f8

found-i386.txt

080484ab

found-mips.txt

004008ac

freeze.txt

ana==0.3
angr==7.7.12.16
archinfo==7.7.12.16
bintrees==2.0.7
bitstring==3.1.5
cachetools==2.0.1
capstone==3.0.5rc2
cffi==1.11.2
claripy==7.7.12.16
cle==7.7.12.16
cooldict==1.2
decorator==4.1.2
dpkt-fix==1.7
future==0.16.0
futures==3.2.0
idalink==0.11
mulpyplexer==0.8
namedlist==1.7
networkx==2.0
pefile==2017.11.5
plumbum==1.6.4
progressbar==2.3
pycparser==2.18
pyelftools==0.24
pygit==0.1
Pympler==0.5
pyvex==7.7.12.16
rpyc==3.4.4
sortedcontainers==1.5.7
unicorn==1.0.1
z3-solver==4.5.1.0.post2

main-i386

main-mips

main.c

#include <stdio.h>
#include <stdlib.h>

void avoid() { printf("Avoid\n"); exit(1); }
void found() { printf("Found\n"); exit(0); }
void failure() { printf("Failure\n"); exit(1); }

int main(int argc, char * argv[]) {

    if (argc != 2) avoid();
    char n = argv[1][0] - 97;
    if (n < 0 || n > 1) avoid();

    int m[2] = {0x0, 0x0};
    *((int *)(((char *) m) + n)) = 0x01020304;

    //printf("%d\n", *((int *)(m + n)));

    if (*((int *)(((char *) m) + n)) == 0x01020304) found();
    else failure();

    return 0;
}

Makefile

all:
	gcc -o main-i386 main.c -m32
	mips-linux-gnu-gcc -o main-mips main.c

clean:
	-rm main-i386 main-mips

gen:
	objdump -d main-i386 | grep '<avoid>' | cut -f1 -d' ' | head -n 1 > avoid-i386.txt
	objdump -d main-mips | grep '<avoid>' | cut -f1 -d' ' | head -n 1 > avoid-mips.txt
	objdump -d main-i386 | grep '<found>' | cut -f1 -d' ' | head -n 1 > found-i386.txt
	objdump -d main-mips | grep '<found>' | cut -f1 -d' ' | head -n 1 > found-mips.txt
	objdump -d main-i386 | grep '<failure>' | cut -f1 -d' ' | head -n 1 > failure-i386.txt
	objdump -d main-mips | grep '<failure>' | cut -f1 -d' ' | head -n 1 > failure-mips.txt

run:
	@echo "Running i386"
	./main-i386 a
	./main-i386 b
	@echo
	@echo "Running mips (qemu-mips)"
	./main-mips a
	./main-mips b
	@echo
	@echo "angr i386"
	python run.py i386
	@echo
	@echo "angr mips"
	python run.py mips

output-with-patch.txt

Running i386
./main-i386 a
Found
./main-i386 b
Found

Running mips (qemu-mips)
./main-mips a
Found
./main-mips b
Found

angr i386
python run.py i386
binary: main-i386
avoid: [134513803, 4196600]
found: 134513835
<SimulationManager with 1 found, 2 avoid>
Correct: argv[1]=[98L, 97]

angr mips
python run.py mips
binary: main-mips
avoid: [4196448, 4196600]
found: 4196524
<SimulationManager with 1 found, 2 avoid>
Correct: argv[1]=[98L, 97]

output.txt

Running i386
./main-i386 a
Found
./main-i386 b
Found

Running mips (qemu-mips)
./main-mips a
Found
./main-mips b
Found

angr i386
python run.py i386
binary: main-i386
avoid: [134513803, 4196600]
found: 134513835
<SimulationManager with 1 found, 2 avoid>
Correct: argv[1]=[98L, 97]

angr mips
python run.py mips
binary: main-mips
avoid: [4196448, 4196600]
found: 4196524
Error: <SimulationManager with 3 avoid>

run.py

import angr
import claripy  # It is optimal to use claripy.BVV/BVS over state.solver.BVV/BVS
import sys

def main():

    if len(sys.argv) == 2 and sys.argv[1] in ('i386', 'mips'):
        if sys.argv[1] == 'mips':
            found = int(open('found-mips.txt', 'r').read().rstrip('\n'), 16)
            avoid = [int(open('avoid-mips.txt', 'r').read().rstrip('\n'), 16), int(open('failure-mips.txt', 'r').read().rstrip('\n'), 16)]
            binary = "main-mips"
        else:
            found = int(open('found-i386.txt', 'r').read().rstrip('\n'), 16)
            avoid = [int(open('avoid-i386.txt', 'r').read().rstrip('\n'), 16), int(open('failure-mips.txt', 'r').read().rstrip('\n'), 16)]
            binary = "main-i386"
    else:
        print sys.argv[0] + " <i386|mips>"
        sys.exit(1)

    print "binary: " + str(binary)
    print "avoid: " + str(avoid)
    print "found: " + str(found)

    project = angr.Project(binary, load_options={'auto_load_libs':False}, )

    argv = [project.filename]   # argv[0]
    sym_arg_size = 1   # max number of bytes we'll try to solve for
    sym_arg = claripy.BVS('sym_arg', 8*sym_arg_size)
    argv.append(sym_arg)    # argv[1]

    state = project.factory.entry_state(args=argv, add_options={angr.options.SYMBOLIC_WRITE_ADDRESSES})
    sm = project.factory.simulation_manager(state)

    sm = sm.explore(find=found, avoid=avoid)
    if len(sm.found) > 0:

        #assert len(sm.found) == 1
        #assert len(sm.active) == 0

        found = sm.found[0]
        result = found.solver.eval_upto(argv[1], 10)
        print sm
        return "Correct: argv[1]=" + str(result)
    
    return "Error: " + str(sm)

if __name__ == "__main__":
    print main()