Python z3.BitVecVal() Examples
The following are 30
code examples of z3.BitVecVal().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
z3
, or try the search function
.
.
Example #1
| Source File: esil.py From winapi-deobfuscation with GNU Lesser General Public License v3.0 | 6 votes |
|
def execute(self, expr):
expr = expr.encode('utf-8')
for op in expr.split(','):
val = to_int(op)
if val:
self.push(z3.BitVecVal(val, 32))
elif op in self.instr_table:
self.instr_table[op]()
elif op == '':
# Sometimes a value might be absent, set to 0 as a
# temporary workaround, probably a bug in ESIL
self.push(zero())
else:
# Otherwise it's either register or
# a flag
self.push(op)
# Commands
Example #2
| Source File: z3_ir.py From miasm with GNU General Public License v2.0 | 6 votes |
|
def check_interp(interp, constraints, bits=32, valbits=8):
"""Checks that a list of @constraints (addr, value) (as python ints)
match a z3 FuncInterp (@interp).
"""
constraints = dict((addr,
z3.BitVecVal(val, valbits))
for addr, val in constraints)
entry = interp.children()
assert len(entry) == 3
_, addr, value = entry
addr = addr.as_long()
assert addr in constraints
assert equiv(value, constraints[addr])
# equiv short test
# --------------------------------------------------------------------------
Example #3
| Source File: svm.py From ilf with Apache License 2.0 | 6 votes |
|
def update_storages(self, sstore_data):
for address, index, value in sstore_data:
address = int(address[2:], 16)
assert address in self.root_wstate.address_to_account
if index > 100:
if index in self.log_sha_to_sym_sha:
store_index = self.log_sha_to_sym_sha[index]
else:
log_shas = list(self.log_sha_to_sym_sha.keys())
diffs = [abs(l - index) for l in log_shas]
min_index = diffs.index(min(diffs))
diff = diffs[min_index]
if diff < 10:
relative_index = log_shas[min_index]
store_index = z3.simplify(self.log_sha_to_sym_sha[relative_index] + z3.BitVecVal(diff, 256))
self.log_sha_to_sym_sha[index] = store_index
else:
store_index = z3.BitVecVal(index, 256)
else:
store_index = z3.BitVecVal(index, 256)
store_value = self.log_sha_to_sym_sha.get(value, z3.BitVecVal(value, 256))
account = self.root_wstate.address_to_account[address]
account.storage.store(store_index, store_value)
Example #4
| Source File: svm.py From ilf with Apache License 2.0 | 6 votes |
|
def update_sha(self, sha_data):
for arg, log_value, length_bytes in sha_data:
if log_value in self.log_sha_to_sym_sha:
continue
data = z3.BitVecVal(arg, length_bytes * 8)
if data.size() == 512:
data_words = svm_utils.split_bv_by_words(data)
data_words = [d.as_long() for d in data_words]
data_words = [self.log_sha_to_sym_sha.get(d, z3.BitVecVal(d, 256)) for d in data_words]
data = z3.simplify(z3.Concat(data_words))
sha_constraints, hash_vector = svm_utils.symbolic_keccak(self, data)
self.log_sha_to_sym_sha[log_value] = hash_vector
self.root_wstate.constraints.extend(sha_constraints)
solver = z3.Solver()
solver.add(self.root_wstate.constraints)
assert solver.check() == z3.sat
Example #5
| Source File: execution.py From ilf with Apache License 2.0 | 6 votes |
|
def SHA3(self, gstate, index, length):
if svm_utils.is_bv_concrete(index) and svm_utils.is_bv_concrete(length):
index = svm_utils.get_concrete_int(index)
length = svm_utils.get_concrete_int(length)
if length == 0:
gstate.mstate.stack.append(z3.BitVecVal(SHA_EMPTY_ARGS_VALUE, 256))
return
data = z3.simplify(svm_utils.get_memory_data(gstate.mstate.memory, index, length))
sha_constraints, hash_vector = svm_utils.symbolic_keccak(self, data)
gstate.wstate.constraints.extend(sha_constraints)
gstate.mstate.stack.append(hash_vector)
return
hash_vector = self.svm.sym_bv_generator.get_sym_bitvec(constraints.ConstraintType.SHA3,
gstate.wstate.gen,
unique=True)
logging.debug('SHA index or len not resolved. Using the symbolic vector')
gstate.mstate.stack.append(hash_vector)
return
Example #6
| Source File: svm_utils.py From ilf with Apache License 2.0 | 5 votes |
|
def convert_to_bitvec(val):
if isinstance(val, z3.BoolRef):
return z3.If(val, z3.BitVecVal(1, 256), z3.BitVecVal(0, 256))
elif isinstance(val, bool):
return z3.BitVecVal(1, 256) if val else z3.BitVecVal(0, 256)
elif isinstance(val, int):
return z3.BitVecVal(val, 256)
else:
return z3.simplify(val)
Example #7
| Source File: find_name_for_bits.py From on-pwning with MIT License | 5 votes |
|
def hash3(name):
h = z3.BitVecVal(0, 32)
for i in range(len(name)):
for j in range(8):
h = z3.If(z3.LShR(name[i], j) & 1 == 1, (h + 1) & 0xff, h)
h &= 0x1f
return h
Example #8
| Source File: svm_utils.py From ilf with Apache License 2.0 | 5 votes |
|
def zpad_bv_right(bv, target_len):
bv_len = bv.size()
if bv_len == target_len:
return bv
elif bv_len < target_len:
return z3.Concat(z3.BitVecVal(0, target_len-bv_len), bv)
else:
raise ValueError('Target length is less then vector size!')
Example #9
| Source File: svm_utils.py From ilf with Apache License 2.0 | 5 votes |
|
def zpad_bv_left(bv, target_len):
bv_len = bv.size()
if bv_len == target_len:
return bv
elif bv_len < target_len:
return z3.Concat(bv, z3.BitVecVal(0, target_len-bv_len))
else:
raise ValueError('Target length is less then vector size!')
# Checks if wstate_a subsumes wstate_b
Example #10
| Source File: svm_utils.py From ilf with Apache License 2.0 | 5 votes |
|
def symbolic_keccak(svm, data):
sha_constraints = []
sha_func, sha_func_inv = constraints.get_sha_functions(data.size())
hash_vector = sha_func(data)
sha_constraints.append(sha_func_inv(sha_func(data)) == data)
hash_vector_features = extract_index_features(hash_vector)
data_concrete = svm_utils.is_bv_concrete(data)
if data_concrete:
concrete_data = svm_utils.get_concrete_int(data)
data_bytes = ethereum.utils.zpad(ethereum.utils.int_to_bytes(concrete_data), data.size()//8)
hash_value = int.from_bytes(ethereum.utils.sha3_256(data_bytes), 'big')
SIZE_PER_SHA_LEN = 2**100
limit_left = 1024 + SIZE_PER_SHA_LEN * data.size()
limit_right = limit_left + SIZE_PER_SHA_LEN
if not data_concrete:
sha_constraints.append(z3.ULT(limit_left, hash_vector))
sha_constraints.append(z3.ULT(hash_vector, limit_right))
# last 4 bits are 0 => hashes are 16 words between each other
sha_constraints.append(z3.Extract(3, 0, hash_vector) == 0)
elif data_concrete:
storage_range = limit_right - limit_left
scaled_hash_value = limit_left + int((hash_value/svm_utils.TT256M1)*storage_range)
scaled_hash_value = scaled_hash_value // 16 * 16
sha_constraints.append(hash_vector == z3.BitVecVal(scaled_hash_value, VECTOR_LEN))
# elif storage_node == svm.storage_root and data_concrete:
# hash_value = hash_value // 16 * 16
# sha_constraints.append(hash_vector == z3.BitVecVal(hash_value, VECTOR_LEN))
return sha_constraints, hash_vector
Example #11
| Source File: chicken_scheme.py From acsploit with BSD 3-Clause "New" or "Revised" License | 5 votes |
|
def chicken_hash(bytes, m, r):
return z3.URem(chicken_hash_xor(bytes, m, r), z3.BitVecVal(m, 64))
Example #12
| Source File: chicken_scheme.py From acsploit with BSD 3-Clause "New" or "Revised" License | 5 votes |
|
def chicken_hash_xor(bytes, m, r):
key = z3.BitVecVal(r, 64)
for byte in bytes:
key ^= ((key << 6) + (z3.LShR(key, 2)) + z3.ZeroExt(56, byte))
return key
Example #13
| Source File: crc32.py From acsploit with BSD 3-Clause "New" or "Revised" License | 5 votes |
|
def z3crc32(bytes, hash_table_size): # computes the crc32 checksum in z3 format
checksum = 0x00000000ffffffff
for byte in bytes:
checksum ^= z3.ZeroExt(56, byte) & 0xff
for _ in range(8): # test each bit in the byte we just xor'd in
checksum = z3.If(checksum & 1 == z3.BitVecVal(1, 64),
z3.LShR(checksum, 1) ^ 0xedb88320, # the binary representation of the CRC-32 polynomial
z3.LShR(checksum, 1))
return (checksum ^ 0xffffffff) % hash_table_size
Example #14
| Source File: z3_common.py From acsploit with BSD 3-Clause "New" or "Revised" License | 5 votes |
|
def _str_to_BitVecVals8(string): # transforms the target string into z3 BitVecVals
return [z3.BitVecVal(ord(x), 8) for x in string]
Example #15
| Source File: custom_hash.py From acsploit with BSD 3-Clause "New" or "Revised" License | 5 votes |
|
def convert_to_z3(self, variables):
if self.operation == Node.CONSTANT:
return z3.BitVecVal(self.left, self.target_width)
elif self.operation == Node.VARIABLE:
if self.left in variables:
return variables[self.left]
else:
var = z3.BitVec(self.left, self.variable_width)
ext_var = z3.ZeroExt(self.target_width - self.variable_width, var)
variables[self.left] = ext_var
return ext_var
else: # operation
left = self.left.convert_to_z3(variables)
right = self.right.convert_to_z3(variables)
if self.operation == Node.ADDITION:
return left + right
elif self.operation == Node.SUBTRACTION:
return left - right
elif self.operation == Node.MULTIPLICATION:
return left * right
elif self.operation == Node.DIVISION:
return left / right
elif self.operation == Node.LEFT_SHIFT:
return left << right
elif self.operation == Node.RIGHT_SHIFT:
return left >> right
elif self.operation == Node.AND:
return left & right
elif self.operation == Node.OR:
return left | right
elif self.operation == Node.XOR:
return left ^ right
raise LookupError('Unknown operation: %s' % str(self.operation))
Example #16
| Source File: find_name_with_negative_index.py From on-pwning with MIT License | 5 votes |
|
def hash1(name):
h = z3.BitVecVal(4919, 32)
for i in range(len(name)):
h = h * name[i] + 1
return h
Example #17
| Source File: find_name_for_bits.py From on-pwning with MIT License | 5 votes |
|
def hash1(name):
h = z3.BitVecVal(4919, 32)
for i in range(len(name)):
h = h * name[i] + 1
return h
Example #18
| Source File: find_name_for_bits.py From on-pwning with MIT License | 5 votes |
|
def hash2(name):
h = z3.BitVecVal(0, 16)
assert len(name) % 2 == 0 # for simplicity
for i in range(0, len(name), 2):
a = z3.BitVecVal(0, 16)
a |= z3.Extract(15, 0, name[i])
a |= z3.Extract(15, 0, name[i + 1]) << 8
h ^= a
a = z3.LShR(h, 10)
b = z3.ZeroExt(8, z3.Extract(7, 0, h ^ z3.LShR(h, 5)))
h = (a ^ b) & 0x1f
return h
Example #19
| Source File: esil.py From winapi-deobfuscation with GNU Lesser General Public License v3.0 | 5 votes |
|
def zero():
return z3.BitVecVal(0, BITS)
Example #20
| Source File: svm_utils.py From ilf with Apache License 2.0 | 5 votes |
|
def get_zero_array(index_size=VECTOR_LEN, value_size=VECTOR_LEN):
return z3.K(z3.BitVecSort(index_size), z3.BitVecVal(0, value_size))
Example #21
| Source File: execution.py From ilf with Apache License 2.0 | 5 votes |
|
def RETURNDATASIZE(self, gstate):
ret_data_size = gstate.return_data.size() // 8 if gstate.return_data is not None else 0
gstate.mstate.stack.append(z3.BitVecVal(ret_data_size, 256))
Example #22
| Source File: execution.py From ilf with Apache License 2.0 | 5 votes |
|
def MSTORE(self, gstate, index, value):
if isinstance(value, z3.BoolRef):
value = z3.If(value, z3.BitVecVal(1, 256), z3.BitVecVal(0, 256))
value_bytes = svm_utils.split_bv_into_bytes(value)
for i in range(32):
if svm_utils.is_bv_concrete(index):
gstate.mstate.memory_dict[svm_utils.get_concrete_int(index)+i] = value_bytes[i]
gstate.mstate.memory = z3.Store(gstate.mstate.memory, index+i, value_bytes[i])
Example #23
| Source File: execution.py From ilf with Apache License 2.0 | 5 votes |
|
def CODECOPY(self, gstate, dest_offset, offset, length):
active_address = gstate.environment.active_address
active_account = gstate.wstate.address_to_account[active_address]
offset = svm_utils.get_concrete_int(offset)
if svm_utils.is_bv_concrete(length):
length = svm_utils.get_concrete_int(length)
else:
length = 0
assert isinstance(gstate.environment.runtime_bytecode_bytes, list)
bytecode_bytes = gstate.environment.runtime_bytecode_bytes
for i in range(length):
if offset + i < len(bytecode_bytes):
data_byte = bytecode_bytes[offset+i]
else:
data_byte = z3.BitVecVal(0, 8)
gstate.mstate.memory = z3.Store(gstate.mstate.memory, dest_offset+i, data_byte)
gstate.mstate.memory_dict[svm_utils.get_concrete_int(dest_offset+i)] = data_byte
# if offset+length-1 >= len(bytecode_bytes):
# instr = gstate.environment.disassembly.instruction_list[gstate.mstate.pc]
# instr_address = instr['address']
# current_contract = active_account.contract
# line = solidity_utils.offset_to_line(current_contract.src_code, instr_address, current_contract.src_map)
# src_code = current_contract.src_code.split('\n')[line].strip()
# raise SVMRuntimeError('CODECOPY index out of bounds!')
Example #24
| Source File: execution.py From ilf with Apache License 2.0 | 5 votes |
|
def CODESIZE(self, gstate):
gstate.mstate.stack.append(z3.BitVecVal(len(gstate.environment.runtime_bytecode_bytes), 256))
Example #25
| Source File: execution.py From ilf with Apache License 2.0 | 5 votes |
|
def ADDRESS(self, gstate):
gstate.mstate.stack.append(z3.BitVecVal(gstate.environment.active_address, 256))
Example #26
| Source File: execution.py From ilf with Apache License 2.0 | 5 votes |
|
def CALLDATACOPY(self, gstate, dest_offset, offset, length):
length_concrete = svm_utils.is_bv_concrete(length)
if not length_concrete:
logging.warning('Symbolic calldata size')
length = z3.BitVecVal(64, 256)
if gstate.environment.calldata_type == CalldataType.UNDEFINED:
length = svm_utils.get_concrete_int(length)
if svm_utils.is_bv_concrete(offset):
offset = svm_utils.get_concrete_int(offset)
for i in range(length):
data_word = self.svm.sym_bv_generator.get_sym_bitvec(constraints.ConstraintType.CALLDATA,
gstate.wstate.gen,
index=offset+(i//32))
slot = i % 32
data_bytes = svm_utils.split_bv_into_bytes(data_word)
data = data_bytes[slot]
gstate.mstate.memory = z3.Store(gstate.mstate.memory, dest_offset+i, data)
else:
for i in range(length):
data = self.svm.sym_bv_generator.get_sym_bitvec(constraints.ConstraintType.CALLDATA,
gstate.wstate.gen,
unique=True,
bv_size=8)
gstate.mstate.memory = z3.Store(gstate.mstate.memory, dest_offset+i, data)
elif gstate.environment.calldata_type == CalldataType.DEFINED:
length = svm_utils.get_concrete_int(length)
offset_concrete = svm_utils.is_bv_concrete(offset)
calldata_bytes = svm_utils.split_bv_into_bytes(gstate.environment.calldata)
offset_concrete = svm_utils.is_bv_concrete(offset)
for i in range(length):
gstate.mstate.memory = z3.Store(gstate.mstate.memory, dest_offset+i, calldata_bytes[offset_concrete+i])
else:
raise SVMRuntimeError('Unknown calldata type')
Example #27
| Source File: execution.py From ilf with Apache License 2.0 | 5 votes |
|
def EXP(self, gstate, base, exponent):
base, exponent = map(svm_utils.convert_to_bitvec, (base, exponent))
if svm_utils.is_bv_concrete(base) and svm_utils.is_bv_concrete(exponent):
base = svm_utils.get_concrete_int(base)
exponent = svm_utils.get_concrete_int(exponent)
value = pow(base, exponent, 2**256)
gstate.mstate.stack.append(z3.BitVecVal(value, 256))
else:
active_account = gstate.wstate.address_to_account[gstate.environment.active_address]
gstate.mstate.stack.append(self.svm.sym_bv_generator.get_sym_bitvec(constraints.ConstraintType.EXP,
gstate.wstate.gen,
unique=True,
acc=active_account.id))
Example #28
| Source File: execution.py From ilf with Apache License 2.0 | 5 votes |
|
def PUSH(self, gstate):
instr = gstate.environment.disassembly.instruction_list[gstate.mstate.pc]
value = z3.BitVecVal(int(instr['argument'][2:], 16), 256)
gstate.mstate.stack.append(value)
Example #29
| Source File: z3_ir.py From miasm with GNU General Public License v2.0 | 5 votes |
|
def _sdivC(self, num, den):
"""Divide (signed) @num by @den (z3 values) as C would
See modint.__div__ for implementation choice
"""
result_sign = z3.If(num * den >= 0,
z3.BitVecVal(1, num.size()),
z3.BitVecVal(-1, num.size()),
)
return z3.UDiv(self._abs(num), self._abs(den)) * result_sign
Example #30
| Source File: z3_ir.py From miasm with GNU General Public License v2.0 | 5 votes |
|
def from_ExprLoc(self, expr):
if self.loc_db is None:
# No loc_db, fallback to default name
return z3.BitVec(str(expr), expr.size)
loc_key = expr.loc_key
offset = self.loc_db.get_location_offset(loc_key)
if offset is not None:
return z3.BitVecVal(offset, expr.size)
# fallback to default name
return z3.BitVec(str(loc_key), expr.size)
