Python claripy.Not() Examples
The following are 15
code examples of claripy.Not().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
claripy
, or try the search function
.
.
Example #1
| Source File: utils_sig.py From fiber with BSD 2-Clause "Simplified" License | 6 votes |
|
def excavate_if_tuple(t):
terms = [excavate_if(e) for e in t]
res = []
def _is_consistent(cl):
seen = set()
for e in cl:
for i in e:
if str(claripy.Not(i)) in seen:
return False
else:
seen.add(str(i))
return True
for e in itertools.product(*terms):
if _is_consistent(map(lambda x:x[0],e)):
#e: ((),(),..)
res += [tuple(map(lambda x:x[1],e))]
return res
#Excavate the 'if' conditions and ignore all 'state_merge' conditions.
Example #2
| Source File: utils_sig.py From fiber with BSD 2-Clause "Simplified" License | 6 votes |
|
def excavate_if(f):
if not isinstance(f,claripy.ast.Base):
return [([],f)]
fs = [([],f)]
prev = 0
while len(fs) > prev:
prev = len(fs)
new = []
for e in fs:
ee = e[1].ite_excavated
if ee.op == 'If':
if is_state_merge_condition(ee.args[0]):
new += [(e[0]+[ee.args[0]],ee.args[1]),(e[0]+[claripy.Not(ee.args[0])],ee.args[2])]
else:
#TODO: What can we do here? Maybe a deeper excavation..
new.append(e)
else:
new.append(e)
fs = new
return fs
#Decide whether a condition is about the state merge flag.
Example #3
| Source File: structurer.py From angr with BSD 2-Clause "Simplified" License | 6 votes |
|
def _refine_loop_while(loop_node):
if loop_node.sort == 'while' and loop_node.condition is None:
# it's an endless loop
first_node = loop_node.sequence_node.nodes[0]
if type(first_node) is CodeNode:
first_node = first_node.node
if type(first_node) is ConditionalBreakNode:
while_cond = ConditionProcessor.simplify_condition(claripy.Not(first_node.condition))
new_seq = loop_node.sequence_node.copy()
new_seq.nodes = new_seq.nodes[1:]
new_loop_node = LoopNode('while', while_cond, new_seq, addr=loop_node.addr)
return True, new_loop_node
return False, loop_node
Example #4
| Source File: heavy.py From angr with BSD 2-Clause "Simplified" License | 5 votes |
|
def _perform_vex_stmt_Exit(self, guard, target, jumpkind):
cont_state = None
exit_state = None
guard = guard != 0
if o.COPY_STATES not in self.state.options:
# very special logic to try to minimize copies
# first, check if this branch is impossible
if guard.is_false():
cont_state = self.state
elif o.LAZY_SOLVES not in self.state.options and not self.state.solver.satisfiable(extra_constraints=(guard,)):
cont_state = self.state
# then, check if it's impossible to continue from this branch
elif guard.is_true():
exit_state = self.state
elif o.LAZY_SOLVES not in self.state.options and not self.state.solver.satisfiable(extra_constraints=(claripy.Not(guard),)):
exit_state = self.state
else:
exit_state = self.state.copy()
cont_state = self.state
else:
exit_state = self.state.copy()
cont_state = self.state
if exit_state is not None:
self.successors.add_successor(exit_state, target, guard, jumpkind,
exit_stmt_idx=self.stmt_idx, exit_ins_addr=self.state.scratch.ins_addr)
if cont_state is None:
raise VEXEarlyExit
# Do our bookkeeping on the continuing self.state
cont_condition = ~guard
cont_state.add_constraints(cont_condition)
cont_state.scratch.guard = claripy.And(cont_state.scratch.guard, cont_condition)
Example #5
| Source File: structurer.py From angr with BSD 2-Clause "Simplified" License | 5 votes |
|
def _refine_loop_dowhile(loop_node):
if loop_node.sort == 'while' and loop_node.condition is None:
# it's an endless loop
last_node = loop_node.sequence_node.nodes[-1]
if type(last_node) is ConditionalBreakNode:
while_cond = ConditionProcessor.simplify_condition(claripy.Not(last_node.condition))
new_seq = loop_node.sequence_node.copy()
new_seq.nodes = new_seq.nodes[:-1]
new_loop_node = LoopNode('do-while', while_cond, new_seq)
return True, new_loop_node
return False, loop_node
Example #6
| Source File: structurer.py From angr with BSD 2-Clause "Simplified" License | 5 votes |
|
def _loop_create_break_node(self, last_stmt, loop_successor_addrs):
# This node has an exit to the outside of the loop
# add a break or a conditional break node
new_node = None
if type(last_stmt) is ailment.Stmt.Jump:
# shrink the block to remove the last statement
# self._remove_last_statement(node)
# add a break
new_node = BreakNode(last_stmt.ins_addr, last_stmt.target.value)
elif type(last_stmt) is ailment.Stmt.ConditionalJump:
# add a conditional break
if last_stmt.true_target.value in loop_successor_addrs and \
last_stmt.false_target.value not in loop_successor_addrs:
cond = last_stmt.condition
target = last_stmt.true_target.value
new_node = ConditionalBreakNode(
last_stmt.ins_addr,
self.cond_proc.claripy_ast_from_ail_condition(cond),
target
)
elif last_stmt.false_target.value in loop_successor_addrs and \
last_stmt.true_target.value not in loop_successor_addrs:
cond = ailment.Expr.UnaryOp(last_stmt.condition.idx, 'Not', (last_stmt.condition))
target = last_stmt.false_target.value
new_node = ConditionalBreakNode(
last_stmt.ins_addr,
self.cond_proc.claripy_ast_from_ail_condition(cond),
target
)
elif last_stmt.false_target.value in loop_successor_addrs and \
last_stmt.true_target.value in loop_successor_addrs:
# both targets are pointing outside the loop
# we should use just add a break node
new_node = BreakNode(last_stmt.ins_addr, last_stmt.false_target.value)
else:
l.warning("None of the branches is jumping to outside of the loop")
raise Exception()
return new_node
Example #7
| Source File: structurer.py From angr with BSD 2-Clause "Simplified" License | 5 votes |
|
def _make_ites(self, seq):
# search for a == ^a pairs
while True:
break_hard = False
for i in range(len(seq.nodes)):
node_0 = seq.nodes[i]
if not type(node_0) is CodeNode:
continue
rcond_0 = node_0.reaching_condition
if rcond_0 is None:
continue
if claripy.is_true(rcond_0) or claripy.is_false(rcond_0):
continue
for j in range(i + 1, len(seq.nodes)):
node_1 = seq.nodes[j]
if not type(node_1) is CodeNode:
continue
if node_0 is node_1:
continue
rcond_1 = node_1.reaching_condition
if rcond_1 is None:
continue
cond_ = claripy.simplify(claripy.Not(rcond_0) == rcond_1)
if claripy.is_true(cond_):
# node_0 and node_1 should be structured using an if-then-else
self._make_ite(seq, node_0, node_1)
break_hard = True
break
if break_hard:
break
else:
break
Example #8
| Source File: condition_processor.py From angr with BSD 2-Clause "Simplified" License | 5 votes |
|
def _fold_double_negations(cond):
# !(!A) ==> A
# !((!A) && (!B)) ==> A || B
# !((!A) && B) ==> A || !B
# !(A || B) ==> (!A && !B)
if cond.op != "Not":
return None
if cond.args[0].op == "Not":
return cond.args[0]
if cond.args[0].op == "And" and len(cond.args[0].args) == 2:
and_0, and_1 = cond.args[0].args
if and_0.op == "Not" and and_1.op == "Not":
expr = claripy.Or(and_0.args[0], and_1.args[0])
return expr
if and_0.op == "Not": # and_1.op != "Not"
expr = claripy.Or(
and_0.args[0],
ConditionProcessor.simplify_condition(
claripy.Not(and_1)
)
)
return expr
if cond.args[0].op == "Or" and len(cond.args[0].args) == 2:
or_0, or_1 = cond.args[0].args
expr = claripy.And(
ConditionProcessor.simplify_condition(claripy.Not(or_0)),
ConditionProcessor.simplify_condition(claripy.Not(or_1)),
)
return expr
return None
# delayed import
Example #9
| Source File: test_simplify.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_bool_simplification():
def assert_correct(a, b):
nose.tools.assert_true(claripy.backends.z3.identical(claripy.simplify(a), b))
a, b, c = (claripy.BoolS(name) for name in ('a', 'b', 'c'))
assert_correct(claripy.And(a, claripy.Not(a)), claripy.false)
assert_correct(claripy.Or(a, claripy.Not(a)), claripy.true)
complex_true_expression = claripy.Or(
claripy.And(a,b),
claripy.Or(claripy.And(a, claripy.Not(b)), claripy.And(claripy.Not(a), c)),
claripy.Or(claripy.And(a, claripy.Not(b)), claripy.And(claripy.Not(a), claripy.Not(c))))
assert_correct(complex_true_expression, claripy.true)
Example #10
| Source File: test_solver.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def raw_replacement_solver(reuse_z3_solver):
claripy._backend_z3.reuse_z3_solver = reuse_z3_solver
sr = claripy.SolverReplacement()
x = claripy.BVS('x', 32)
nose.tools.assert_equal(len(sr.eval(x, 10)), 10)
sr.add_replacement(x, claripy.BVV(0x101, 32))
nose.tools.assert_equal(sr.eval(x, 10), (0x101,))
y = claripy.BVS('y', 32)
sr.add([y+1 == 200])
assert (y+1).cache_key in sr._replacements
assert sr._replacement(y+1) is claripy.BVV(200, 32)
srb = sr.branch()
assert len(srb.constraints) == len(sr.constraints) #pylint:disable=no-member
assert (y+1).cache_key in sr._replacements
assert sr._replacement(y+1) is claripy.BVV(200, 32)
sr = claripy.SolverReplacement()
b = claripy.BoolS('b')
assert sr._replacement(b) is b
sr.add(claripy.Not(b))
assert sr._replacement(b) is claripy.false
sr = claripy.SolverReplacement(claripy.SolverVSA(), complex_auto_replace=True)
x = claripy.BVS('x', 64)
sr.add([x + 8 <= 0xffffffffffffffff])
sr.add([x + 8 >= 0])
assert sr._replacement(x) is not x
Example #11
| Source File: condition_processor.py From angr with BSD 2-Clause "Simplified" License | 4 votes |
|
def _extract_predicate(self, src_block, dst_block, edge_type):
if edge_type == 'exception':
# TODO: THIS IS ABSOLUTELY A HACK. AT THIS MOMENT YOU SHOULD NOT ATTEMPT TO MAKE SENSE OF EXCEPTION EDGES.
self.EXC_COUNTER += 1
return self.claripy_ast_from_ail_condition(
ailment.Expr.BinaryOp(None, 'CmpEQ', (ailment.Expr.Register(0x400000 + self.EXC_COUNTER, None, self.EXC_COUNTER, 64),
ailment.Expr.Const(None, None, self.EXC_COUNTER, 64)), False)
)
if type(src_block) is ConditionalBreakNode:
# at this point ConditionalBreakNode stores a claripy AST
bool_var = src_block.condition
if src_block.target == dst_block.addr:
return bool_var
else:
return claripy.Not(bool_var)
if type(src_block) is GraphRegion:
return claripy.true
last_stmt = self.get_last_statement(src_block)
if last_stmt is None:
return claripy.true
if type(last_stmt) is ailment.Stmt.Jump:
if isinstance(last_stmt.target, ailment.Expr.Const):
return claripy.true
# indirect jump
target_ast = self.claripy_ast_from_ail_condition(last_stmt.target)
return target_ast == dst_block.addr
if type(last_stmt) is ailment.Stmt.ConditionalJump:
bool_var = self.claripy_ast_from_ail_condition(last_stmt.condition)
if isinstance(last_stmt.true_target, ailment.Expr.Const) and last_stmt.true_target.value == dst_block.addr:
return bool_var
else:
return claripy.Not(bool_var)
return claripy.true
#
# Expression conversion
#
Example #12
| Source File: condition_processor.py From angr with BSD 2-Clause "Simplified" License | 4 votes |
|
def convert_claripy_bool_ast_core(self, cond, memo):
if isinstance(cond, ailment.Expr.Expression):
return cond
if cond.op == "BoolS" and claripy.is_true(cond):
return cond
if cond in self._condition_mapping:
return self._condition_mapping[cond]
def _binary_op_reduce(op, args, signed=False):
r = None
for arg in args:
if r is None:
r = self.convert_claripy_bool_ast(arg, memo=memo)
else:
r = ailment.Expr.BinaryOp(None, op, (r, self.convert_claripy_bool_ast(arg, memo=memo)), signed)
return r
_mapping = {
'Not': lambda cond_: _binary_op_reduce('Not', cond_.args),
'And': lambda cond_: _binary_op_reduce('LogicalAnd', cond_.args),
'Or': lambda cond_: _binary_op_reduce('LogicalOr', cond_.args),
'__le__': lambda cond_: _binary_op_reduce('CmpLE', cond_.args, signed=True),
'SLE': lambda cond_: _binary_op_reduce('CmpLE', cond_.args, signed=True),
'__lt__': lambda cond_: _binary_op_reduce('CmpLT', cond_.args, signed=True),
'SLT': lambda cond_: _binary_op_reduce('CmpLT', cond_.args, signed=True),
'UGT': lambda cond_: _binary_op_reduce('CmpGT', cond_.args),
'UGE': lambda cond_: _binary_op_reduce('CmpGE', cond_.args),
'__gt__': lambda cond_: _binary_op_reduce('CmpGT', cond_.args, signed=True),
'__ge__': lambda cond_: _binary_op_reduce('CmpGE', cond_.args, signed=True),
'SGT': lambda cond_: _binary_op_reduce('CmpGT', cond_.args, signed=True),
'SGE': lambda cond_: _binary_op_reduce('CmpGE', cond_.args, signed=True),
'ULT': lambda cond_: _binary_op_reduce('CmpLT', cond_.args),
'ULE': lambda cond_: _binary_op_reduce('CmpLE', cond_.args),
'__eq__': lambda cond_: _binary_op_reduce('CmpEQ', cond_.args),
'__ne__': lambda cond_: _binary_op_reduce('CmpNE', cond_.args),
'__add__': lambda cond_: _binary_op_reduce('Add', cond_.args, signed=False),
'__sub__': lambda cond_: _binary_op_reduce('Sub', cond_.args),
'__mul__': lambda cond_: _binary_op_reduce('Mul', cond_.args),
'__xor__': lambda cond_: _binary_op_reduce('Xor', cond_.args),
'__or__': lambda cond_: _binary_op_reduce('Or', cond_.args, signed=False),
'__and__': lambda cond_: _binary_op_reduce('And', cond_.args),
'__lshift__': lambda cond_: _binary_op_reduce('Shl', cond_.args),
'__rshift__': lambda cond_: _binary_op_reduce('Sar', cond_.args),
'LShR': lambda cond_: _binary_op_reduce('Shr', cond_.args),
'BVV': lambda cond_: ailment.Expr.Const(None, None, cond_.args[0], cond_.size()),
'BoolV': lambda cond_: ailment.Expr.Const(None, None, True, 1) if cond_.args[0] is True
else ailment.Expr.Const(None, None, False, 1),
}
if cond.op in _mapping:
return _mapping[cond.op](cond)
raise NotImplementedError(("Condition variable %s has an unsupported operator %s. "
"Consider implementing.") % (cond, cond.op))
Example #13
| Source File: condition_processor.py From angr with BSD 2-Clause "Simplified" License | 4 votes |
|
def _revert_short_circuit_conditions(cond):
# revert short-circuit conditions
# !A||(A&&!B) ==> !(A&&B)
if cond.op != "Or":
return cond
if len(cond.args) == 1:
# redundant operator. get rid of it
return cond.args[0]
or_arg0, or_arg1 = cond.args[:2]
if or_arg1.op == 'And':
pass
elif or_arg0.op == 'And':
or_arg0, or_arg1 = or_arg1, or_arg0
else:
return cond
not_a = or_arg0
solver = claripy.SolverCacheless()
if not_a.variables == or_arg1.args[0].variables:
solver.add(not_a == or_arg1.args[0])
not_b = or_arg1.args[1]
elif not_a.variables == or_arg1.args[1].variables:
solver.add(not_a == or_arg1.args[1])
not_b = or_arg1.args[0]
else:
return cond
if not solver.satisfiable():
# found it!
b = claripy.Not(not_b)
a = claripy.Not(not_a)
if len(cond.args) <= 2:
return claripy.Not(claripy.And(a, b))
else:
return claripy.Or(claripy.Not(claripy.And(a, b)), *cond.args[2:])
else:
return cond
Example #14
| Source File: specvex.py From pitchfork with BSD 3-Clause "New" or "Revised" License | 4 votes |
|
def _handleLoadGWithPossibleForwarding(self, state, successors, stmt):
# Like for WrTmpLoads, we also duplicate the processing for LoadG's ourselves, because we potentially need to fork during load processing
# this is again basically an inlined version of what goes on in angr for a LoadG, patched to handle possible forwarding
with state.history.subscribe_actions() as addr_deps:
addr = self.handle_expression(state, stmt.addr)
with state.history.subscribe_actions() as alt_deps:
alt = self.handle_expression(state, stmt.alt)
with state.history.subscribe_actions() as guard_deps:
guard = self.handle_expression(state, stmt.guard)
if guard is not None and state.solver.satisfiable(extra_constraints=[claripy.Not(guard)]):
raise ValueError("not implemented yet: conditional load with condition that could be false")
read_type, converted_type = stmt.cvt_types
read_size_bits = pyvex.const.get_type_size(read_type)
converted_size_bits = pyvex.const.get_type_size(converted_type)
read_size = read_size_bits // state.arch.byte_width
results = performLoadWithPossibleForwarding(state, addr, read_size, load_endness=stmt.end)
for (l_state, l_value) in results:
if read_size_bits == converted_size_bits:
converted_expr = l_value
elif "S" in stmt.cvt:
converted_expr = l_value.sign_extend(converted_size_bits - read_size_bits)
elif "U" in stmt.cvt:
converted_expr = l_value.zero_extend()
else:
raise SimStatementError("Unrecognized IRLoadGOp %s!" % stmt.cvt)
l_value = l_state.solver.If(guard != 0, converted_expr, alt)
l_state.scratch.store_tmp(stmt.dst, l_value, deps=addr_deps + alt_deps + guard_deps)
if angr.options.TRACK_MEMORY_ACTIONS in l_state.options:
data_ao = SimActionObject(converted_expr)
alt_ao = SimActionObject(alt, deps=alt_deps, state=l_state)
addr_ao = SimActionObject(addr, deps=addr_deps, state=l_state)
guard_ao = SimActionObject(guard, deps=guard_deps, state=l_state)
size_ao = SimActionObject(converted_size_bits)
r = SimActionData(l_state, l_state.memory.id, SimActionData.READ, addr=addr_ao, data=data_ao, condition=guard_ao, size=size_ao, fallback=alt_ao)
l_state.history.add_action(r)
# for comments on the below, see comments in our handling of WrTmp loads above
if l_state is not state:
(next_instr_addr, next_instr_stmt_idx) = nextInstruction(state.scratch.irsb, stmt)
self._handle_irsb(l_state, successors, l_state.scratch.irsb, state.scratch.stmt_idx+1, next_instr_stmt_idx-1 if next_instr_stmt_idx is not None else None, None)
l.debug("time {}: forking for misforwarding on a load of addr {}".format(state.spec.ins_executed, addr))
target = next_instr_addr if next_instr_addr is not None else self.handle_expression(l_state, l_state.scratch.irsb.next) # if next_instr_addr is None, then target the first instruction of the next irsb
jumpkind = 'Ijk_Boring' # seems like a reasonable choice? what is this used for?
guard = claripy.BVV(1, 1) # boolean True
successors.add_successor(l_state, target, guard, jumpkind, add_guard=False, exit_stmt_idx=None, exit_ins_addr=None)
Example #15
| Source File: workers.py From DROP-IDA-plugin with GNU General Public License v3.0 | 4 votes |
|
def perform_opaqueness_checks(self, con_addr_asts, branch_addr, succ_addr, pos_unsat_addr, state, atoi_added_constraints):
# Phase 1: invariant check
solver = claripy.Solver()
solver.add(claripy.Not(con_addr_asts[branch_addr]))
# If the negation is unsatisfiable, the predicate is a tautology!
if not solver.satisfiable():
cons_str = self._pretty_constraint_str(con_addr_asts[branch_addr])
self.log_signal.emit(
"{:x}: Invariant OP found! succ {:x} unreachable.\n Constraint: {}\n".format(
branch_addr, pos_unsat_addr, cons_str)
)
self.result_signal.emit(self.ida_func.startEA, [(branch_addr, 0, cons_str)], [(branch_addr, succ_addr, pos_unsat_addr)], [], False)
return True
# Phase 2: contextual check
# predicate p_n is not a tautology, but it might still be
# contextually opaque, i.e.: (p_1 && p_2 && ...) -> p_n
solver = claripy.Solver() # fresh solver
# This is a bit ugly
# sorted list of conditions, filtered on addr <= branch_addr
prev_conds = list(zip(*sorted(filter(
lambda (x,_): x <= branch_addr,
con_addr_asts.items()),
key=operator.itemgetter(0)))[1])
# If no previous conditions AND no extra added constraints
if len(prev_conds) < 1 and self.ida_func.startEA not in self.plugin.extra_constraints:
self.log_signal.emit("{:x}: No previous conditions, can't be contextual.\n".format(branch_addr))
return False
# Check if AND(prev_conds[:-1]) -> prev_conds[-1]
cond_conj = claripy.And(*(prev_conds[:-1] + [claripy.Not(prev_conds[-1])]))
self.log_signal.emit("prev_conds[:-1] = {}".format(prev_conds[:-1]))
self.log_signal.emit("claripy.Not(prev_conds[-1]) = {}".format(claripy.Not(prev_conds[-1])))
# Make sure to add any extra user-added constraints to the solver
self.add_extra_constraints(solver, state)
# If we have extra atoi-constraints, add to conjunction
for con in atoi_added_constraints:
self.log_signal.emit("Adding extra atoi constraint: {}".format(con))
cond_conj = claripy.And(cond_conj, con)
solver.add(cond_conj)
# Is it satisfiable?
self.log_signal.emit("Solver constraints: {}".format(solver.constraints))
if not solver.satisfiable():
#set_block_color(pos_unsat_addr, 0xFFFF00)
self.log_signal.emit("cond_conj = {}".format(cond_conj))
cons_str = self._pretty_constraint_str(cond_conj)
self.log_signal.emit("{:x}: Contextual OP found! succ {:x} unreachable.\n Constraint: {}\n".format(
branch_addr, pos_unsat_addr, cons_str)
)
self.result_signal.emit(self.ida_func.startEA, [(branch_addr, 1, cons_str)], [], [(branch_addr, succ_addr, pos_unsat_addr)], False)
return True
else:
self.log_signal.emit("{:x}: Not a contextual OP, context: {}.\n".format(branch_addr, prev_conds))
return False
