Python angr.SimState() Examples

def test_string_concrete():
    s = SimState(arch="AMD64")
    addr = 0xba5e0

    def check_read(val):
        nose.tools.assert_equal(s.solver.eval(s.memory.load(addr, len(val)), cast_to=bytes), val)
        nose.tools.assert_equal(s.solver.eval(s.memory.load(addr + len(val), 1), cast_to=int), 0)

        nose.tools.assert_equal(s.mem[addr].string.concrete, val)

    s.memory.store(addr, b"a string!\0")
    check_read(b"a string!")

    # not supported yet
    # s.mem[addr].string = "shorter"
    # check_read(b"shorter")

    # s.mem[addr].string = "a longer string"
    # check_read(b"a longer string") 

def test_lseek_unseekable():
    state = SimState(arch="AMD64", mode="symbolic")

    # Illegal seek
    current_pos = lseek(state,[0,0,SEEK_SET]).ret_expr
    current_pos = state.solver.eval(current_pos)

    # Assert we have a negative return value
    nose.tools.assert_true(current_pos & (1 << 63) != 0)

    # Illegal seek
    current_pos = lseek(state,[1,0,SEEK_SET]).ret_expr
    current_pos = state.solver.eval(current_pos)

    # Assert we have a negative return value
    nose.tools.assert_true(current_pos & (1 << 63) != 0)

    # Illegal seek
    current_pos = lseek(state,[2,0,SEEK_SET]).ret_expr
    current_pos = state.solver.eval(current_pos)

    # Assert we have a negative return value
    nose.tools.assert_true(current_pos & (1 << 63) != 0) 

def test_strstr_inconsistency():
    l.info("symbolic haystack, symbolic needle")
    s = SimState(arch="AMD64", mode="symbolic")
    s.libc.buf_symbolic_bytes = 2
    addr_haystack = s.solver.BVV(0x10, 64)
    addr_needle = s.solver.BVV(0xb0, 64)
    #len_needle = strlen(s, inline=True, arguments=[addr_needle])

    ss_res = strstr(s, arguments=[addr_haystack, addr_needle])

    #slh_res = strlen(s, inline=True, arguments=[addr_haystack])
    #sln_res = strlen(s, inline=True, arguments=[addr_needle])
    #print "LENH:", s.solver.eval_upto(slh_res, 100)
    #print "LENN:", s.solver.eval_upto(sln_res, 100)

    nose.tools.assert_false(s.solver.unique(ss_res))
    nose.tools.assert_sequence_equal(sorted(s.solver.eval_upto(ss_res, 100)), [0] + list(range(0x10, 0x10 + s.libc.buf_symbolic_bytes - 1)))

    s.add_constraints(ss_res != 0)
    ss2 = strstr(s, arguments=[addr_haystack, addr_needle])
    s.add_constraints(ss2 == 0)
    nose.tools.assert_false(s.satisfiable())

#@nose.tools.timed(10) 

def test_clock_gettime():
    proc = angr.SIM_PROCEDURES['posix']['clock_gettime']()

    s = angr.SimState(arch='amd64')
    s.regs.rdi = 0
    s.regs.rsi = 0x8000

    s.options.add(angr.options.USE_SYSTEM_TIMES)
    proc.execute(s)
    assert not s.mem[0x8000].qword.resolved.symbolic
    assert not s.mem[0x8008].qword.resolved.symbolic

    s.options.discard(angr.options.USE_SYSTEM_TIMES)
    proc.execute(s)
    assert s.mem[0x8000].qword.resolved.symbolic
    assert s.mem[0x8008].qword.resolved.symbolic 

def test_state_merge_3way():

    a = SimState(arch='AMD64', mode='symbolic')
    b = a.copy()
    c = a.copy()
    conds = [ a.solver.BoolS('cond_0'), a.solver.BoolS('cond_1') ]
    a.add_constraints(conds[0])
    b.add_constraints(a.solver.Not(conds[0]), conds[1])
    c.add_constraints(a.solver.Not(conds[0]), a.solver.Not(conds[1]))

    a.memory.store(0x400000, a.solver.BVV(8, 32))
    b.memory.store(0x400000, b.solver.BVV(9, 32))
    c.memory.store(0x400000, c.solver.BVV(10, 32))

    m, _, _ = a.merge(b)
    m, _, _ = m.merge(c)

    assert m.satisfiable(extra_constraints=(m.memory.load(0x400000, 4) == 8,))
    assert m.satisfiable(extra_constraints=(m.memory.load(0x400000, 4) == 9,))
    assert m.satisfiable(extra_constraints=(m.memory.load(0x400000, 4) == 10,)) 

def test_state_merge_static():
    # With abstract memory
    # Aligned memory merging
    a = SimState(arch='AMD64', mode='static')

    addr = a.solver.ValueSet(32, 'global', 0, 8)
    a.memory.store(addr, a.solver.BVV(42, 32))
    # Clear a_locs, so further writes will not try to merge with value 42
    a.memory.regions['global']._alocs = { }

    b = a.copy()
    c = a.copy()
    a.memory.store(addr, a.solver.BVV(50, 32), endness='Iend_LE')
    b.memory.store(addr, a.solver.BVV(60, 32), endness='Iend_LE')
    c.memory.store(addr, a.solver.BVV(70, 32), endness='Iend_LE')

    merged, _, _ = a.merge(b, c)
    actual = claripy.backends.vsa.convert(merged.memory.load(addr, 4))
    expected = claripy.backends.vsa.convert(a.solver.SI(bits=32, stride=10, lower_bound=50, upper_bound=70))
    nose.tools.assert_true(actual.identical(expected)) 

def test_gettimeofday():
    proc = angr.SIM_PROCEDURES['posix']['gettimeofday']()

    s = angr.SimState(arch='amd64')
    s.regs.rdi = 0x8000
    s.regs.rsi = 0

    s.options.add(angr.options.USE_SYSTEM_TIMES)
    proc.execute(s)
    assert not s.mem[0x8000].qword.resolved.symbolic
    assert not s.mem[0x8008].qword.resolved.symbolic

    s.options.discard(angr.options.USE_SYSTEM_TIMES)
    proc.execute(s)
    assert s.mem[0x8000].qword.resolved.symbolic
    assert s.mem[0x8008].qword.resolved.symbolic 

def test_array_concrete():
    s = SimState(arch="AMD64")
    addr = 0xba5e0

    s.memory.store(addr, claripy.BVV(0x1, 32), endness=Endness.LE)
    s.memory.store(addr + 4, claripy.BVV(0x2, 32), endness=Endness.LE)
    s.memory.store(addr + 8, claripy.BVV(0x3, 32), endness=Endness.LE)
    s.memory.store(addr + 12, claripy.BVV(0x4, 32), endness=Endness.LE)
    s.memory.store(addr + 16, claripy.BVV(0x5, 32), endness=Endness.LE)

    nose.tools.assert_equal(s.mem[addr].dword.array(5).concrete, [0x1, 0x2, 0x3, 0x4, 0x5])
    nose.tools.assert_equal(s.mem[addr].dword.array(5)[2].concrete, 0x3)
    nose.tools.assert_equal(s.mem[addr].qword.array(2).concrete, [0x0000000200000001, 0x0000000400000003])
    nose.tools.assert_equal(s.mem[addr].dword.array(2).array(2).concrete, [[0x1, 0x2], [0x3, 0x4]])

    s.mem[addr].dword.array(5)[3] = 10
    nose.tools.assert_equal(s.solver.eval(s.memory.load(addr + 12, 4, endness=Endness.LE), cast_to=int), 10)

    s.mem[addr].dword.array(5).store([20,2,3,4,5])
    nose.tools.assert_equal(s.mem[addr].dword.array(4).concrete, [20,2,3,4])

    s.mem[addr].dword.array(2).array(2).store([[1,2], [4,3]])
    nose.tools.assert_equal(s.mem[addr].dword.array(4).concrete, [1,2,4,3]) 

def __init__(self, project, addr, state=None, taint_region=None):
        self.project = project
        self.addr = addr
        self.block_addr = addr
        self.taint_region = taint_region
        self.state = state

        self.tempstore = None
        self.tags = []
        self.write_targets = []

        if self.state is None:
            self.state = SimState(arch=project.arch,
                    mode='symbolic',
                    special_memory_filler=lambda name, bits, _state: BiHead(claripy.BVV(0, bits), claripy.BVV(0, bits)),
                    add_options={sim_options.ABSTRACT_MEMORY, sim_options.SPECIAL_MEMORY_FILL}
                )
            self.state.scratch.ins_addr = 0
            if project.arch.name.startswith('ARM'):
                it = self.state.regs.itstate
                it.taints['it'] = True
                self.state.regs.itstate = it 

def test_crosspage_read():
    state = SimState(arch='ARM')
    state.regs.sp = 0x7fff0008
    state.stack_push(0x44556677)
    state.stack_push(0x1)
    state.stack_push(0x2)
    state.stack_push(0x3)
    state.stack_push(0x4)
    state.stack_push(0x99887766)
    state.stack_push(0x5)
    state.stack_push(0x105c8)
    state.stack_push(0x11223344)


    r1 = state.memory.load(state.regs.sp, 36)
    assert bytes.fromhex("77665544") in state.solver.eval(r1, cast_to=bytes)

    state.stack_push(0x10564)

    r2 = state.memory.load(state.regs.sp, 40)
    assert bytes.fromhex("77665544") in state.solver.eval(r2, cast_to=bytes)
    #assert s.solver.eval(r, 2) == ( 0xffeeddccbbaa998877665544, ) 

def test_light_memory():
    s = SimState(arch='AMD64', plugins={'registers': SimLightRegisters()})
    assert type(s.registers) is SimLightRegisters

    assert s.regs.rax.symbolic
    s.regs.rax = 0x4142434445464748
    assert (s.regs.rax == 0x4142434445464748).is_true()

    assert s.regs.rbx.symbolic
    s.regs.rbx = 0x5555555544444444
    assert (s.regs.rbx == 0x5555555544444444).is_true()

    assert s.regs.rcx.symbolic

    s.regs.ah = 0
    assert (s.regs.rax == 0x4142434445460048).is_true()

    s.regs.cl = 0
    assert s.regs.rcx.symbolic 

def test_loadg_no_constraint_creation():

    state = SimState(arch='armel', mode='symbolic')
    engine = HeavyVEXMixin(None)

    stmt = pyvex.IRStmt.LoadG('Iend_LE', 'ILGop_16Uto32',
                              0, # dst
                              pyvex.IRExpr.Const(pyvex.const.U32(0x2000)), # addr (src)
                              pyvex.IRExpr.Const(pyvex.const.U32(0x1337)), # alt
                              pyvex.IRExpr.RdTmp(1)  # guard
                              )
    tyenv = pyvex.IRTypeEnv(state.arch)
    tyenv.types = [ 'Ity_I32', 'Ity_I32' ]
    state.scratch.set_tyenv(tyenv)
    state.scratch.temps[1] = state.solver.BVS('tmp_1', 32)
    engine.state = state
    engine._handle_vex_stmt(stmt)

    # LOADG should not create new constraints - it is a simple conditional memory read. The conditions should only be
    # used inside the value AST to guard the memory read.
    assert not state.solver.constraints
    assert state.scratch.temps[0] is not None
    assert state.scratch.temps[0].variables.issuperset(state.scratch.temps[1].variables)
    assert state.scratch.temps[0].op == 'If' 

def test_simple_concrete():
    s = SimState(arch="AMD64")
    addr = 0xba5e0

    def check_read(val):
        nose.tools.assert_equal(s.solver.eval(s.memory.load(addr, 8, endness=Endness.LE), cast_to=int), val)

        nose.tools.assert_equal(s.mem[addr].char.concrete, chr(val & 0xFF).encode())
        nose.tools.assert_equal(s.mem[addr].byte.concrete, val & 0xFF)

        nose.tools.assert_equal(s.mem[addr].int16_t.concrete, ctypes.c_int16(val & 0xFFFF).value)
        nose.tools.assert_equal(s.mem[addr].uint16_t.concrete, val & 0xFFFF)

        nose.tools.assert_equal(s.mem[addr].qword.concrete, val)

    s.memory.store(addr, claripy.BVV(0x11223344aabbcc7d, 64), endness=Endness.LE)
    check_read(0x11223344aabbcc7d)

    # test storing
    s.mem[addr].uint16_t = 0xef6d
    check_read(0x11223344aabbef6d) 

def test_symbolic_write():
    s = SimState(arch='AMD64', add_options={o.SYMBOLIC_WRITE_ADDRESSES})
    x = s.solver.BVS('x', 64)
    y = s.solver.BVS('y', 64)
    a = s.solver.BVV(b'A'*0x10)
    b = s.solver.BVV(b'B')
    c = s.solver.BVV(b'C')
    d = s.solver.BVV(b'D')

    s.memory.store(0x10, a)
    s.add_constraints(x >= 0x10, x < 0x20)
    s.memory.store(x, b)

    for i in range(0x10, 0x20):
        assert len(s.solver.eval_upto(s.memory.load(i, 1), 10)) == 2

    s.memory.store(x, c)
    for i in range(0x10, 0x20):
        assert len(s.solver.eval_upto(s.memory.load(i, 1), 10)) == 2

    s2 = s.copy()
    s2.add_constraints(y >= 0x10, y < 0x20)
    s2.memory.store(y, d)
    for i in range(0x10, 0x20):
        assert len(s2.solver.eval_upto(s2.memory.load(i, 1), 10)) == 3 

def test_alignment():
    for arch in all_arches:
        if arch.name in DEFAULT_CC:
            # There is nothing to test for soot about stack alignment
            if isinstance(arch, ArchSoot):
                continue
            l.info("Testing stack alignment for %s", arch.name)
            st = SimState(arch=arch)
            cc = DEFAULT_CC[arch.name](arch=arch)

            st.regs.sp = -1

            # setup callsite with one argument (0x1337), "returning" to 0
            cc.setup_callsite(st, 0, [0x1337])

            # ensure stack alignment is correct
            nose.tools.assert_true(st.solver.is_true(((st.regs.sp + cc.STACKARG_SP_DIFF) % cc.STACK_ALIGNMENT == 0)),
                                   'non-zero stack alignment after setup_callsite for %s'%cc) 

def repair_ip(self, state: SimState) -> int:
        try:
            addr = state.solver.eval(state._ip)
            # NOTE: repair IFuncResolver
            if (
                self.project.loader.find_object_containing(addr)
                == self.project.loader.extern_object
            ):
                func = self.project._sim_procedures.get(addr, None)
                if func:
                    funcname = func.kwargs["funcname"]
                    libf = self.project.loader.find_symbol(funcname)
                    if libf:
                        addr = libf.rebased_addr
        except Exception:
            logging.exception("Error while repairing ip for {}".format(self.name))
            # NOTE: currently just try to repair ip for syscall
            addr = self.debug_state[-2].addr
        return addr 

def repair_func_resolver(self, state: SimState, step: SimSuccessors) -> SimState:
        artifacts = getattr(step, "artifacts", None)
        if (
            artifacts
            and "procedure" in artifacts.keys()
            and artifacts["name"] == "IFuncResolver"
        ):
            func = self.filter.find_function(self.debug_state[-2].addr)
            if func:
                addr = self.project.loader.find_symbol(func.name).rebased_addr
                step = self.project.factory.successors(
                    state, num_inst=1, force_addr=addr
                )
            else:
                raise HaseError("Cannot resolve function")
        return step 

def test_pwrite():
    pwrite = SIM_PROCEDURES['posix']['pwrite64']()

    state = SimState(arch="AMD64", mode='symbolic')
    simfile = SimFile('concrete_file', content='hello world!\n')
    state.fs.insert('test', simfile)
    fd = state.posix.open(b"test", 1)

    buf_addr = 0xd0000000
    state.memory.store(buf_addr, b'test!')
    pwrite.execute(state, arguments=[fd, buf_addr, 5, 6])

    simfd = state.posix.get_fd(fd)
    simfd.seek(0)
    res = 0xc0000000
    simfd.read(res, 13)
    data = state.solver.eval(state.mem[res].string.resolved, cast_to=bytes)

    nose.tools.assert_true(data == b'hello test!!\n')

    state.posix.close(fd) 

def concretize_ip(self, state: SimState) -> None:
        assert self.instruction is not None

        ip = self.instruction.ip
        if state.scratch.target.symbolic:
            state.ip = ip
            state.add_constraints(state.scratch.target == ip, action=True)
            # avoid evaluation of symbolic target
            state.scratch.target = ip 

def test_registration():
    s = angr.SimState(arch='AMD64')

    a1 = s.solver.BVS('a', 64, key=(1,), eternal=True)
    a2 = s.solver.BVS('a', 64, key=(1,), eternal=True)
    nose.tools.assert_is(a1, a2)

    b1 = s.solver.BVS('b', 64, key=(2,), eternal=False)
    s1 = s.copy()
    s2 = s.copy()

    b2 = s1.solver.BVS('b', 64, key=(2,), eternal=False)
    b3 = s2.solver.BVS('b', 64, key=(2,), eternal=False)
    nose.tools.assert_is_not(b1, b2)
    nose.tools.assert_is_not(b2, b3)
    nose.tools.assert_is_not(b1, b3)

    a3 = s1.solver.BVS('a', 64, key=(1,), eternal=True)
    a4 = s2.solver.BVS('a', 64, key=(1,), eternal=True)
    nose.tools.assert_is(a2, a3)
    nose.tools.assert_is(a3, a4)

    nose.tools.assert_equal(len(list(s.solver.get_variables(1))), 1)
    nose.tools.assert_equal(len(list(s1.solver.get_variables(1))), 1)
    nose.tools.assert_equal(len(list(s2.solver.get_variables(1))), 1)

    nose.tools.assert_equal(len(list(s.solver.get_variables(2))), 1)
    nose.tools.assert_equal(len(list(s1.solver.get_variables(2))), 2)
    nose.tools.assert_equal(len(list(s2.solver.get_variables(2))), 2)

    nose.tools.assert_equal(list(s.solver.describe_variables(a1)), [(1,)])
    nose.tools.assert_equal(list(s.solver.describe_variables(b1)), [(2, 1)])
    nose.tools.assert_equal(sorted(list(s.solver.describe_variables(a1 + b1))), [(1,), (2, 1)]) 

def test_structs():
    s = SimState(arch='AMD64')

    register_types(parse_types("""
struct test_structs {
  int a;
  long b;
};
"""))

    s.memory.store(0x8000, bytes(16))
    s.mem[0x8000].struct.test_structs = {'a': 10, 'b': 20}
    nose.tools.assert_equal(s.mem[0x8000].struct.test_structs.a.concrete, 10)
    nose.tools.assert_equal(s.solver.eval(s.memory.load(0x8000, 16), cast_to=bytes), bytes.fromhex('0a000000000000001400000000000000')) 

def test_procedure_actions():
    s = SimState(arch='AMD64')

    s.registers.store('rbx', 2)
    proc = SIM_PROCEDURES['testing']['retreg'](reg='rbx')
    succ = ProcedureEngine(None).process(s, procedure=proc)
    rbx = succ.artifacts['procedure'].ret_expr
    nose.tools.assert_is(type(rbx), angr.state_plugins.SimActionObject)
    nose.tools.assert_equal(s.solver.eval(rbx), 2)
    nose.tools.assert_equal(rbx.reg_deps, { s.arch.registers['rbx'][0] }) 

def test_inspect_exit():
    class counts: #pylint:disable=no-init
        exit_before = 0
        exit_after = 0

    def handle_exit_before(state):
        counts.exit_before += 1
        exit_target = state.inspect.exit_target
        nose.tools.assert_equal(state.solver.eval(exit_target), 0x3f8)
        # change exit target
        state.inspect.exit_target = 0x41414141
        nose.tools.assert_equal(state.inspect.exit_jumpkind, "Ijk_Boring")
        nose.tools.assert_true(state.inspect.exit_guard.is_true())

    def handle_exit_after(state): #pylint:disable=unused-argument
        counts.exit_after += 1

    s = SimState(arch="AMD64", mode="symbolic")
    irsb = pyvex.IRSB(b"\x90\x90\x90\x90\xeb\x0a", mem_addr=1000, arch=archinfo.ArchAMD64())

    # break on exit
    s.inspect.b('exit', BP_BEFORE, action=handle_exit_before)
    s.inspect.b('exit', BP_AFTER, action=handle_exit_after)

    # step it
    succ = HeavyVEXMixin(None).process(s, irsb=irsb).flat_successors

    # check
    nose.tools.assert_equal( succ[0].solver.eval(succ[0].ip), 0x41414141)
    nose.tools.assert_equal(counts.exit_before, 1)
    nose.tools.assert_equal(counts.exit_after, 1) 

def setup_module():
    global never_nolibs
    never_nolibs = angr.Project( os.path.join(test_location, 'x86_64', 'never') )

# def test_slicing():
# addresses = [ 0x40050C, 0x40050D, 0x400514, 0x40051B, 0x400521, 0x400534 ]
#    addresses = [ 0x40043C, 0x400440, 0x400447 ]
#    state = angr.SimState(memory_backer=never_nolibs.mem)
#    s = simuvex.SimSlice(state, addresses, never_nolibs.sim_run, mode='symbolic')
#
# TODO: test stuff
#    return s 

def run_calloc_clears(arch):
    s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
    s.memory.store(0xd0000000 + 2 * s.heap._chunk_size_t_size, s.solver.BVV(-1, 100 * 8))
    sc = s.copy()
    p1 = s.heap.calloc(6, 5)
    p2 = sc.heap.malloc(30)
    v1 = s.memory.load(p1, 30)
    v2 = sc.memory.load(p2, 30)
    nose.tools.assert_true(s.solver.is_true(v1 == 0))
    nose.tools.assert_true(sc.solver.is_true(v2 == -1)) 

def run_calloc_multiplies(arch):
    s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
    s.heap.malloc(30)
    sc = s.copy()
    s.heap.malloc(100)
    sc.heap.calloc(4, 25)
    nose.tools.assert_true(same_heap_states(s, sc)) 

def run_skips_chunks_too_small(arch):
    s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
    s.heap.malloc(30)
    p = s.heap.malloc(50)
    s.heap.malloc(40)
    s.heap.free(p)
    p2 = s.heap.calloc(20, 5)
    nose.tools.assert_less(p, p2) 

def run_unusable_amount_returns_null(arch):
    s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
    s.heap.malloc(0x1000 - 4 * s.heap._chunk_size_t_size)
    sc = s.copy()
    p = s.heap.malloc(1)
    nose.tools.assert_equals(p, 0)
    nose.tools.assert_true(same_heap_states(s, sc)) 

def run_needs_space_for_metadata(arch):
    s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
    sc = s.copy()
    p1 = s.heap.malloc(0x1000)
    nose.tools.assert_equals(p1, 0)
    nose.tools.assert_true(same_heap_states(s, sc)) 

def run_realloc_near_same_size(arch):
    s = SimState(arch=arch, plugins={'heap': SimHeapPTMalloc(heap_base=0xd0000000, heap_size=0x1000)})
    s.heap.malloc(20)
    p1 = s.heap.malloc(61)
    s.heap.malloc(80)
    sc = s.copy()
    p2 = s.heap.realloc(p1, 62)
    nose.tools.assert_equals(p1, p2)
    nose.tools.assert_true(same_heap_states(s, sc))