Python claripy.Solver() Examples
The following are 25
code examples of claripy.Solver().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
claripy
, or try the search function
.
.
Example #1
| Source File: test_callable.py From angr with BSD 2-Clause "Simplified" License | 6 votes |
|
def run_manyfloatsum_symbolic(arch):
global type_cache
if type_cache is None:
type_cache = parse_defns(open(os.path.join(location, 'tests_src', 'manyfloatsum.c')).read())
p = angr.Project(os.path.join(location, 'tests', arch, 'manyfloatsum'))
function = 'sum_doubles'
cc = p.factory.cc(func_ty=type_cache[function])
args = [claripy.FPS('arg_%d' % i, claripy.FSORT_DOUBLE) for i in range(len(type_cache[function].args))]
addr = p.loader.main_object.get_symbol(function).rebased_addr
my_callable = p.factory.callable(addr, cc=cc)
result = my_callable(*args)
nose.tools.assert_true(result.symbolic)
s = claripy.Solver(timeout=15*60*1000)
for arg in args:
s.add(arg > claripy.FPV(1.0, claripy.FSORT_DOUBLE))
s.add(result == claripy.FPV(27.7, claripy.FSORT_DOUBLE))
args_conc = s.batch_eval(args, 1)[0]
nose.tools.assert_equal(s.eval(result, 1)[0], 27.7)
# not almost equal!! totally equal!!! z3 is magic, if kinda slow!!!!!
for arg_conc in args_conc:
nose.tools.assert_greater(arg_conc, 1.0)
nose.tools.assert_equal(sum(args_conc), 27.7)
Example #2
| Source File: claripy_sha3.py From pakala with GNU General Public License v3.0 | 6 votes |
|
def combine(self, others):
other_claripy_solvers = [i.solver for i in others]
combined = Solver(
claripy_solver=self.solver.combine(other_claripy_solvers),
hashes=self.hashes,
)
for other in others:
for k, v in self.hashes.items():
# Make sure the hash symbols are distinct
if any(v is v2 for v2 in other.hashes.values()):
# Call regenerate_hash_symbols() on one of them first?
raise ValueError("Cannot combine with equivalent hashes.")
# TODO: If some hash input are equal, we should merge the hash
# symols here, it would be more efficient.
combined.hashes.update(other.hashes)
return combined
Example #3
| Source File: test_solver.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def raw_minmax(reuse_z3_solver):
claripy._backend_z3.reuse_z3_solver = reuse_z3_solver
s = claripy.Solver()
x = claripy.BVS("x", 32)
nose.tools.assert_equal(s.max(x), 2**32-1)
nose.tools.assert_equal(s.min(x), 0)
nose.tools.assert_true(s.satisfiable())
Example #4
| Source File: binary_data.py From fidget with BSD 2-Clause "Simplified" License | 5 votes |
|
def _get_patched_instruction(self, value=None, solver=None):
if not (value is None) ^ (solver is None):
raise ValueError('Must provide a value xor a solver!')
if value is not None:
solver = claripy.Solver()
solver.add(value == self.patch_value_expression)
try:
insn_int = solver.eval(self.patch_bytes_expression, 1)[0]
except claripy.UnsatError:
raise ValueNotFoundError('Unsat on solve!')
return self._insn_to_string(insn_int)
Example #5
| Source File: binary_data.py From fidget with BSD 2-Clause "Simplified" License | 5 votes |
|
def get_patch_data(self, value=None, solver=None):
'''
Produce the actual patch data for a modified instruction, in the form of a list of tuples
[(physaddr, patch_bytes), ...], where physaddr is the offset into the actual object file
and patch_bytes is a string to be written into the binary at that address.
There are two ways to call this function, one with :param value:, which should be the
integer you'd like to patch into the instruction, or :param solver:, which is a
claripy.Solver instance that can be queried for the value of self.patch_bytes_expression.
You must provide exactly one of these arguments.
'''
if not (value is None) ^ (solver is None):
raise ValueError('Must provide a value xor a solver!')
if self._already_patched:
return []
patch_bytes = self._get_patched_instruction(value=value, solver=solver)
if value is None:
value = solver.eval_to_ast(self.patch_value_expression, 1)[0]._model_concrete.signed
l.debug('Patching address %#x with value %#x', self.addr, value)
if patch_bytes == self._insbytes:
return []
physaddr = self._project.loader.main_object.addr_to_offset(self.addr)
if self._armthumb: physaddr -= 1
self._already_patched = True
if self.patch_bytes_size is None:
self.patch_bytes_size = len(patch_bytes)
real_bytes = patch_bytes[self.patch_bytes_offset:self.patch_bytes_offset+self.patch_bytes_size]
return [(physaddr + self.patch_bytes_offset, real_bytes)]
Example #6
| Source File: test_merging.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_simple_merging():
yield raw_simple_merging, claripy.Solver
yield raw_simple_merging, claripy.SolverHybrid
yield raw_simple_merging, claripy.SolverComposite
Example #7
| Source File: test_serial.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_identity():
l.info("Running test_identity")
a = claripy.BVV(1, 32)
b = claripy.BVS("x", 32)
c = a + b
d = a+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b+b
l.debug("Storing!")
c_info = pickle.dumps(c)
d_info = pickle.dumps(d)
cc = pickle.loads(c_info)
assert str(cc) == str(c)
cd = pickle.loads(d_info)
assert str(cd) == str(d)
assert c.args[0] is d.args[0]
l.debug("Time to test some solvers!")
s = claripy.Solver()
x = claripy.BVS("x", 32)
s.add(x == 3)
s.finalize()
ss = pickle.loads(pickle.dumps(s))
assert str(s.constraints) == str(ss.constraints)
assert str(s.variables) == str(ss.variables)
s = claripy.SolverComposite()
x = claripy.BVS("x", 32)
s.add(x == 3)
s.finalize()
ss = pickle.loads(pickle.dumps(s))
old_constraint_sets = [[hash(j) for j in k.constraints] for k in s._solver_list]
new_constraint_sets = [[hash(j) for j in k.constraints] for k in ss._solver_list]
assert old_constraint_sets == new_constraint_sets
assert str(s.variables) == str(ss.variables)
Example #8
| Source File: test_serial.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_pickle_frontend():
s = claripy.Solver()
x = claripy.BVS('x', 32)
s.add(x == 1)
assert s.eval(x, 10), (1,)
ss = pickle.dumps(s)
del s
import gc
gc.collect()
s = pickle.loads(ss)
assert s.eval(x, 10), (1,)
Example #9
| Source File: test_solver.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_exhaustion():
s = claripy.Solver()
x = claripy.BVS('x', 32)
s.add(x >= 19)
print(s.min(x, extra_constraints=[x >= 20]))
assert s.min(x) == 19
s = claripy.Solver()
x = claripy.BVS('x', 32)
s.add(x <= 19)
print(s.max(x, extra_constraints=[x <= 18]))
assert s.max(x) == 19
Example #10
| Source File: test_solver.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_zero_division_in_cache_mixin():
# Bug in the caching backend. See issue #49 on github.
num = claripy.BVS('num', 256)
denum = claripy.BVS('denum', 256)
e = claripy.BVS('e', 256)
s = claripy.Solver()
s.add(e == 8)
assert s.satisfiable()
s.add(claripy.If(denum == 0, 0, num / denum) == e)
assert s.satisfiable()
# As a bonus:
s.add(num == 16)
assert s.satisfiable()
s.add(denum == 3)
assert not s.satisfiable()
Example #11
| Source File: test_solver.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_unsat_core():
for s in (claripy.Solver, claripy.SolverComposite, claripy.SolverCacheless, claripy.SolverHybrid):
yield raw_unsat_core, s, True
yield raw_unsat_core, s, False
Example #12
| Source File: test_solver.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_simplification_annotations():
s = claripy.Solver()
x = claripy.BVS("x", 32)
s.add(x > 10)
s.add(x > 11)
s.add((x > 12).annotate(claripy.SimplificationAvoidanceAnnotation()))
assert len(s.constraints) == 3
s.simplify()
assert len(s.constraints) == 2
Example #13
| Source File: test_solver.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_unsatness():
x = claripy.BVS("x", 32)
s = claripy.Solver()
s.add(x == 10)
assert s.satisfiable()
s.add(claripy.false)
assert not s.satisfiable()
Example #14
| Source File: test_solver.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_model():
x = claripy.BVS("x", 32)
y = claripy.BVS("y", 32)
s = claripy.Solver()
s.add(x < 10)
assert sorted(s.eval(x, 20)) == list(range(10))
s.add(y == 1337)
assert sorted(s.eval(x, 20)) == list(range(10))
Example #15
| Source File: test_expression.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_arith_shift():
bc = claripy.backends.concrete
a = claripy.BVV(-4, 32)
assert bc.convert(a >> 1) == -2
solver = claripy.Solver()
a = claripy.BVS("a", 32)
solver.add(a == -4)
assert list(solver.eval(a >> 1, 2)) == [2**32-2]
Example #16
| Source File: test_expression.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_signed_symbolic():
solver = claripy.Solver()
a = claripy.BVS("a", 32)
b = claripy.BVS("b", 32)
c = claripy.BVS("c", 32)
d = claripy.BVS("d", 32)
solver.add(a == 5)
solver.add(b == -5)
solver.add(c == 3)
solver.add(d == -3)
# test unsigned
assert list(solver.eval(a / c, 2)) == [1]
assert list(solver.eval(a / d, 2)) == [0]
assert list(solver.eval(b / c, 2)) == [0x55555553]
assert list(solver.eval(b / d, 2)) == [0]
assert list(solver.eval(a % c, 2)) == [2]
assert list(solver.eval(a % d, 2)) == [5]
assert list(solver.eval(b % c, 2)) == [2]
assert list(solver.eval(b % d, 2)) == [2**32-5]
# test unsigned
assert list(solver.eval(a.SDiv(c), 2)) == [1]
assert list(solver.eval(a.SDiv(d), 2)) == [2**32-1]
assert list(solver.eval(b.SDiv(c), 2)) == [2**32-1]
assert list(solver.eval(b.SDiv(d), 2)) == [1]
assert list(solver.eval(a.SMod(c), 2)) == [2]
assert list(solver.eval(a.SMod(d), 2)) == [2]
assert list(solver.eval(b.SMod(c), 2)) == [2**32-2]
assert list(solver.eval(b.SMod(d), 2)) == [2**32-2]
Example #17
| Source File: test_expression.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_extract_concat_simplify():
a = claripy.BVS("a", 32)
assert a[31:0] is a
assert a[31:8].concat(a[7:0]) is a # pylint:disable=no-member
assert a[31:16].concat(a[15:8], a[7:0]) is a # pylint:disable=no-member
assert a[31:24].concat(a[23:16], a[15:8], a[7:0]) is a # pylint:disable=no-member
a = claripy.BVS("a", 32)
b = a + 100
b_concat = b[31:8].concat(b[7:0])
a100 = a + 100
assert claripy.is_false(b_concat == a100) is False
assert list(claripy.Solver().eval(b_concat == a100, 2)) == [ True ]
assert b_concat is a100
assert claripy.is_true(b_concat == a100)
Example #18
| Source File: test_expression.py From claripy with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_ite():
yield raw_ite, claripy.Solver
yield raw_ite, claripy.SolverHybrid
yield raw_ite, claripy.SolverComposite
Example #19
| Source File: claripy_sha3.py From pakala with GNU General Public License v3.0 | 5 votes |
|
def branch(self):
return Solver(claripy_solver=self.solver.branch(), hashes=self.hashes.copy())
Example #20
| Source File: claripy_sha3.py From pakala with GNU General Public License v3.0 | 5 votes |
|
def get_claripy_solver():
# TODO: What about SolverComposite? Tried, and seems slower.
return claripy.Solver()
Example #21
| Source File: history.py From angr with BSD 2-Clause "Simplified" License | 5 votes |
|
def reachable(self):
if self._satisfiable is not None:
pass
elif self.state is not None:
self._satisfiable = self.state.solver.satisfiable()
else:
solver = claripy.Solver()
solver.add(self._all_constraints)
self._satisfiable = solver.satisfiable()
return self._satisfiable
#
# Log handling
#
Example #22
| Source File: __init__.py From kepler-cfhp with MIT License | 5 votes |
|
def __init__(self, plock=None, q=None, kernel_path=None):
"""
:param kernel_path: the vmlinux path to the kernel
"""
if plock is not None:
self.lock = plock # this is the lock because all instances of osok share a qemu instance
else:
self.lock = None
self.queue = q
self.kernel_path = kernel_path
if os.path.isfile('angr_project.cache'):
with open('angr_project.cache', 'rb') as f:
print('[+] load kernel vmlinux binary from pickle dump')
self.b = pickle.load(f)
else:
self.b = angr.Project(kernel_path)
with open('angr_project.cache', 'wb') as f:
pickle.dump(self.b, f)
self.r = None
self.statebroker = statebroker.StateBroker()
self.claripy = claripy
self.sol = claripy.Solver()
self.md = Cs(CS_ARCH_X86, CS_MODE_64)
self.md.detail = True
self.debug_bloom_verbose = False
self.vm = None
self.reproduce_mode = False # reproduce exploit and generate payload
self.custom_rop_gadget_number = 10 # length of the rop payload we want to use
Example #23
| Source File: workers.py From DROP-IDA-plugin with GNU General Public License v3.0 | 4 votes |
|
def perform_opaqueness_checks(self, con_addr_asts, branch_addr, succ_addr, pos_unsat_addr, state, atoi_added_constraints):
# Phase 1: invariant check
solver = claripy.Solver()
solver.add(claripy.Not(con_addr_asts[branch_addr]))
# If the negation is unsatisfiable, the predicate is a tautology!
if not solver.satisfiable():
cons_str = self._pretty_constraint_str(con_addr_asts[branch_addr])
self.log_signal.emit(
"{:x}: Invariant OP found! succ {:x} unreachable.\n Constraint: {}\n".format(
branch_addr, pos_unsat_addr, cons_str)
)
self.result_signal.emit(self.ida_func.startEA, [(branch_addr, 0, cons_str)], [(branch_addr, succ_addr, pos_unsat_addr)], [], False)
return True
# Phase 2: contextual check
# predicate p_n is not a tautology, but it might still be
# contextually opaque, i.e.: (p_1 && p_2 && ...) -> p_n
solver = claripy.Solver() # fresh solver
# This is a bit ugly
# sorted list of conditions, filtered on addr <= branch_addr
prev_conds = list(zip(*sorted(filter(
lambda (x,_): x <= branch_addr,
con_addr_asts.items()),
key=operator.itemgetter(0)))[1])
# If no previous conditions AND no extra added constraints
if len(prev_conds) < 1 and self.ida_func.startEA not in self.plugin.extra_constraints:
self.log_signal.emit("{:x}: No previous conditions, can't be contextual.\n".format(branch_addr))
return False
# Check if AND(prev_conds[:-1]) -> prev_conds[-1]
cond_conj = claripy.And(*(prev_conds[:-1] + [claripy.Not(prev_conds[-1])]))
self.log_signal.emit("prev_conds[:-1] = {}".format(prev_conds[:-1]))
self.log_signal.emit("claripy.Not(prev_conds[-1]) = {}".format(claripy.Not(prev_conds[-1])))
# Make sure to add any extra user-added constraints to the solver
self.add_extra_constraints(solver, state)
# If we have extra atoi-constraints, add to conjunction
for con in atoi_added_constraints:
self.log_signal.emit("Adding extra atoi constraint: {}".format(con))
cond_conj = claripy.And(cond_conj, con)
solver.add(cond_conj)
# Is it satisfiable?
self.log_signal.emit("Solver constraints: {}".format(solver.constraints))
if not solver.satisfiable():
#set_block_color(pos_unsat_addr, 0xFFFF00)
self.log_signal.emit("cond_conj = {}".format(cond_conj))
cons_str = self._pretty_constraint_str(cond_conj)
self.log_signal.emit("{:x}: Contextual OP found! succ {:x} unreachable.\n Constraint: {}\n".format(
branch_addr, pos_unsat_addr, cons_str)
)
self.result_signal.emit(self.ida_func.startEA, [(branch_addr, 1, cons_str)], [], [(branch_addr, succ_addr, pos_unsat_addr)], False)
return True
else:
self.log_signal.emit("{:x}: Not a contextual OP, context: {}.\n".format(branch_addr, prev_conds))
return False
Example #24
| Source File: workers.py From DROP-IDA-plugin with GNU General Public License v3.0 | 4 votes |
|
def add_extra_constraints(self, solver, state):
# Add any manually added extra constraints
if self.ida_func.startEA in self.plugin.extra_constraints:
con_tuples = self.plugin.extra_constraints[self.ida_func.startEA]
for (opr1, op, opr2) in con_tuples:
# (0, addr) -> a memory address
# (1, offs) -> an EBP offset TODO: arch-independent?
# (2, name) -> a register name
# (3, val) -> a constant
# (4, s) -> a string
# (5, (arr, idx)) -> an array with constant index.
# Skip the atoi-string-array constraints
if opr1[0] == 5:
continue
# TODO: check endiansness and don't Reverse? (memory.endness)
# Don't allow a string for the first operand or inequalities with a string as operand
if opr1[0] == 4 or (opr2[0] == 4 and op != '=='):
continue # TODO: show error about these impossible combinations
if opr2[0] == 4:
# Operand 2 is a string, op is '=='
# Allow a constant or memory address as first operand
# (treat both as start addr of string)
# TODO: currently it's a substring check, check for nullbyte to match exactly?
if opr1[0] == 0 or opr1[0] == 3:
for (i,c) in enumerate(opr2[1]):
c_bvv = claripy.BVV(c, 8)
solver.add(c_bvv == state.memory.load(opr1[1] + i, 1))
else:
continue # TODO: error about unsupported operand type
self.log_signal.emit("Added extra string constraint")
#self.log_signal.emit("Solver constraints: {}".format(solver.constraints))
else:
ast1, ast2 = None, None
if opr1[0] == 0:
ast1 = state.memory.load(opr1[1]).reversed
elif opr1[0] == 1:
ast1 = state.memory.load(state.regs.ebp + opr1[1]).reversed
elif opr1[0] == 2:
# TODO: fix archs where register names contain special characters
ast1 = getattr(state.regs, opr1[1].lower())
elif opr1[0] == 3:
ast1 = claripy.BVV(opr1[1], self.plugin.bitness)
if opr2[0] == 0:
ast2 = state.memory.load(opr2[1]).reversed
elif opr2[0] == 1:
ast2 = state.memory.load(state.regs.ebp + opr2[1]).reversed
elif opr2[0] == 2:
ast2 = getattr(state.regs, opr2[1].lower())
elif opr2[0] == 3:
ast2 = claripy.BVV(opr2[1], self.plugin.bitness)
solver.add(claripy_op_mapping[op](ast1, ast2))
self.log_signal.emit("Added extra constraint: {}".format(claripy_op_mapping[op](ast1, ast2)))
#self.log_signal.emit("Solver constraints: {}".format(solver.constraints))
Example #25
| Source File: solver.py From angr with BSD 2-Clause "Simplified" License | 4 votes |
|
def _solver(self):
"""
Creates or gets a Claripy solver, based on the state options.
"""
if self._stored_solver is not None:
return self._stored_solver
track = o.CONSTRAINT_TRACKING_IN_SOLVER in self.state.options
approximate_first = o.APPROXIMATE_FIRST in self.state.options
if o.STRINGS_ANALYSIS in self.state.options:
if 'smtlib_cvc4' in backend_manager.backends._backends_by_name:
our_backend = backend_manager.backends.smtlib_cvc4
elif 'smtlib_z3' in backend_manager.backends._backends_by_name:
our_backend = backend_manager.backends.smtlib_z3
elif 'smtlib_abc' in backend_manager.backends._backends_by_name:
our_backend = backend_manager.backends.smtlib_abc
else:
raise ValueError("Could not find suitable string solver!")
if o.COMPOSITE_SOLVER in self.state.options:
self._stored_solver = claripy.SolverComposite(
template_solver_string=claripy.SolverCompositeChild(backend=our_backend, track=track)
)
elif o.ABSTRACT_SOLVER in self.state.options:
self._stored_solver = claripy.SolverVSA()
elif o.SYMBOLIC in self.state.options and o.REPLACEMENT_SOLVER in self.state.options:
self._stored_solver = claripy.SolverReplacement(auto_replace=False)
elif o.SYMBOLIC in self.state.options and o.CACHELESS_SOLVER in self.state.options:
self._stored_solver = claripy.SolverCacheless(track=track)
elif o.SYMBOLIC in self.state.options and o.COMPOSITE_SOLVER in self.state.options:
self._stored_solver = claripy.SolverComposite(track=track)
elif o.SYMBOLIC in self.state.options and any(opt in self.state.options for opt in o.approximation):
self._stored_solver = claripy.SolverHybrid(track=track, approximate_first=approximate_first)
elif o.HYBRID_SOLVER in self.state.options:
self._stored_solver = claripy.SolverHybrid(track=track, approximate_first=approximate_first)
elif o.SYMBOLIC in self.state.options:
self._stored_solver = claripy.Solver(track=track)
else:
self._stored_solver = claripy.SolverConcrete()
return self._stored_solver
#
# Get unconstrained stuff
#
