angr issue #777
0804848b |
00400860 |
080484cb |
004008f8 |
080484ab |
004008ac |
ana==0.3 | |
angr==7.7.12.16 | |
archinfo==7.7.12.16 | |
bintrees==2.0.7 | |
bitstring==3.1.5 | |
cachetools==2.0.1 | |
capstone==3.0.5rc2 | |
cffi==1.11.2 | |
claripy==7.7.12.16 | |
cle==7.7.12.16 | |
cooldict==1.2 | |
decorator==4.1.2 | |
dpkt-fix==1.7 | |
future==0.16.0 | |
futures==3.2.0 | |
idalink==0.11 | |
mulpyplexer==0.8 | |
namedlist==1.7 | |
networkx==2.0 | |
pefile==2017.11.5 | |
plumbum==1.6.4 | |
progressbar==2.3 | |
pycparser==2.18 | |
pyelftools==0.24 | |
pygit==0.1 | |
Pympler==0.5 | |
pyvex==7.7.12.16 | |
rpyc==3.4.4 | |
sortedcontainers==1.5.7 | |
unicorn==1.0.1 | |
z3-solver==4.5.1.0.post2 |
#include <stdio.h> | |
#include <stdlib.h> | |
/* Path the analysis is meant to steer clear of: report it and stop with status 1. */
void avoid() {
    puts("Avoid");
    exit(1);
}
/* Target path reached: report it and stop with status 0. */
void found() {
    puts("Found");
    exit(0);
}
/* The value read back did not match the value written: report it and stop with status 1. */
void failure() {
    puts("Failure");
    exit(1);
}
int main(int argc, char * argv[]) {
    /* Exactly one command-line argument is expected; its first byte selects the offset. */
    if (argc != 2) avoid();
    /* Map 'a' -> 0 and 'b' -> 1 (97 == 'a'). The n < 0 test only has effect where
       char is signed (assumed for the gcc i386/MIPS builds in the Makefile); with an
       unsigned char a byte below 'a' wraps to a large value and is rejected by n > 1. */
    char n = argv[1][0] - 97;
    if (n < 0 || n > 1) avoid();
    int m[2] = {0x0, 0x0};
    /* Intentional: store a 4-byte int at *byte* offset n into m. For n == 1 the store
       is misaligned and straddles m[0]/m[1] - undefined behaviour in C, kept on purpose
       so run.py can drive the write address with a symbolic argv[1] byte. */
    *((int *)(((char *) m) + n)) = 0x01020304;
    //printf("%d\n", *((int *)(m + n)));
    /* Read back through the same (possibly misaligned) pointer and compare. */
    if (*((int *)(((char *) m) + n)) == 0x01020304) found();
    else failure();
    return 0;
}
# Build the same test program for the two targets under test: 32-bit x86 and MIPS.
all:
	gcc -o main-i386 main.c -m32
	mips-linux-gnu-gcc -o main-mips main.c

# Remove both binaries; the leading '-' lets make continue if they do not exist.
clean:
	-rm main-i386 main-mips

# Extract the addresses of avoid/found/failure from the disassembly into the
# text files that run.py reads. Each pipeline keeps only the first grep hit,
# so it assumes the function's own label line comes before any reference to
# it in the objdump output (TODO confirm); rerun after every rebuild.
gen:
	objdump -d main-i386 | grep '<avoid>' | cut -f1 -d' ' | head -n 1 > avoid-i386.txt
	objdump -d main-mips | grep '<avoid>' | cut -f1 -d' ' | head -n 1 > avoid-mips.txt
	objdump -d main-i386 | grep '<found>' | cut -f1 -d' ' | head -n 1 > found-i386.txt
	objdump -d main-mips | grep '<found>' | cut -f1 -d' ' | head -n 1 > found-mips.txt
	objdump -d main-i386 | grep '<failure>' | cut -f1 -d' ' | head -n 1 > failure-i386.txt
	objdump -d main-mips | grep '<failure>' | cut -f1 -d' ' | head -n 1 > failure-mips.txt

# Run each binary with both valid inputs, then the angr script once per target.
# The MIPS binary is invoked directly; the echo suggests it runs under qemu-mips
# (presumably via binfmt_misc - confirm on the host).
run:
	@echo "Running i386"
	./main-i386 a
	./main-i386 b
	@echo
	@echo "Running mips (qemu-mips)"
	./main-mips a
	./main-mips b
	@echo
	@echo "angr i386"
	python run.py i386
	@echo
	@echo "angr mips"
	python run.py mips
Running i386 | |
./main-i386 a | |
Found | |
./main-i386 b | |
Found | |
Running mips (qemu-mips) | |
./main-mips a | |
Found | |
./main-mips b | |
Found | |
angr i386 | |
python run.py i386 | |
binary: main-i386 | |
avoid: [134513803, 4196600] | |
found: 134513835 | |
<SimulationManager with 1 found, 2 avoid> | |
Correct: argv[1]=[98L, 97] | |
angr mips | |
python run.py mips | |
binary: main-mips | |
avoid: [4196448, 4196600] | |
found: 4196524 | |
<SimulationManager with 1 found, 2 avoid> | |
Correct: argv[1]=[98L, 97] |
Running i386 | |
./main-i386 a | |
Found | |
./main-i386 b | |
Found | |
Running mips (qemu-mips) | |
./main-mips a | |
Found | |
./main-mips b | |
Found | |
angr i386 | |
python run.py i386 | |
binary: main-i386 | |
avoid: [134513803, 4196600] | |
found: 134513835 | |
<SimulationManager with 1 found, 2 avoid> | |
Correct: argv[1]=[98L, 97] | |
angr mips | |
python run.py mips | |
binary: main-mips | |
avoid: [4196448, 4196600] | |
found: 4196524 | |
Error: <SimulationManager with 3 avoid> |
import angr | |
import claripy # It is optimal to use claripy.BVV/BVS over state.solver.BVV/BVS | |
import sys | |
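def main():
    """Symbolically execute the test binary for one target and solve for argv[1].

    Usage: ``run.py <i386|mips>``. Reads the found/avoid/failure addresses that
    ``make gen`` wrote for that target, explores the binary with a one-byte
    symbolic argv[1], and returns a human-readable result string.

    Returns:
        ``"Correct: argv[1]=<values>"`` with up to 10 solutions for the symbolic
        byte when a found state is reached, otherwise ``"Error: <sm>"``.

    Exits with status 1 after printing a usage line when the target argument is
    missing or not one of the two supported names.
    """
    if len(sys.argv) != 2 or sys.argv[1] not in ('i386', 'mips'):
        print(sys.argv[0] + " <i386|mips>")
        sys.exit(1)
    target = sys.argv[1]
    # All three address files are selected by target. The previous version read
    # failure-mips.txt in the i386 branch too, so the i386 run avoided the MIPS
    # failure address instead of its own (visible as 4196600 in the recorded
    # i386 output) and the i386 'failure' path was never pruned.
    found = _read_addr('found-%s.txt' % target)
    avoid = [_read_addr('avoid-%s.txt' % target),
             _read_addr('failure-%s.txt' % target)]
    binary = "main-%s" % target
    print("binary: " + str(binary))
    print("avoid: " + str(avoid))
    print("found: " + str(found))
    project = angr.Project(binary, load_options={'auto_load_libs': False})
    argv = [project.filename]  # argv[0]
    sym_arg_size = 1  # max number of bytes we'll try to solve for
    sym_arg = claripy.BVS('sym_arg', 8 * sym_arg_size)
    argv.append(sym_arg)  # argv[1]
    # main.c stores through a pointer offset by argv[1][0], so the write address
    # itself depends on the symbolic byte; the option lets the exploration keep
    # that address symbolic.
    state = project.factory.entry_state(
        args=argv, add_options={angr.options.SYMBOLIC_WRITE_ADDRESSES})
    sm = project.factory.simulation_manager(state)
    sm = sm.explore(find=found, avoid=avoid)
    if len(sm.found) > 0:
        found_state = sm.found[0]
        result = found_state.solver.eval_upto(argv[1], 10)
        print(sm)
        return "Correct: argv[1]=" + str(result)
    return "Error: " + str(sm)


def _read_addr(path):
    """Return the hexadecimal address on the first line of *path* as an int.

    The file is closed on return; the original left every handle open.
    """
    with open(path, 'r') as f:
        return int(f.read().rstrip('\n'), 16)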
if __name__ == "__main__":
    # Script entry point: emit whatever result string main() produced.
    print(main())