Python angr.Project() Examples

def main(argv):
  path_to_binary = argv[1]
  project = angr.Project(path_to_binary)

  # You can either use a blank state or an entry state; just make sure to start
  # at the beginning of the program.
  initial_state = ???

  class ReplacementScanf(angr.SimProcedure):
    # Hint: scanf("%u %20s")
    def run(self, format_string, ...???):
      # %u
      scanf0 = claripy.BVS('scanf0', ???)
      
      # %20s
      scanf1 = claripy.BVS('scanf1', ???)

      for char in scanf1.chop(bits=8):
        self.state.add_constraints(char >= ???, char <= ???)

      scanf0_address = ???
      self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
      ...

      self.state.globals['solutions'] = ??? 

def main(argv):
  path_to_binary = argv[1]
  project = angr.Project(path_to_binary)
  initial_state = project.factory.entry_state()
  simulation = project.factory.simgr(initial_state, veritesting=True)

  # Define a function that checks if you have found the state you are looking
  # for.
  def is_successful(state):
    # Dump whatever has been printed out by the binary so far into a string.
    stdout_output = state.posix.dumps(sys.stdout.fileno())

    # Return whether 'Good Job.' has been printed yet.
    # (!)
    return 'Good Job.' in stdout_output  # :boolean

  # Same as above, but this time check if the state should abort. If you return
  # False, Angr will continue to step the state. In this specific challenge, the
  # only time at which you will know you should abort is when the program prints
  # "Try again."
  def should_abort(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return 'Try again.' in stdout_output  # :boolean

  # Tell Angr to explore the binary and find any state that is_successful identfies
  # as a successful state by returning True.
  simulation.explore(find=is_successful, avoid=should_abort)

  if simulation.found:
    solution_state = simulation.found[0]
    print solution_state.posix.dumps(sys.stdin.fileno())
  else:
    raise Exception('Could not find the solution') 

def main(argv):
  path_to_binary = ???
  project = angr.Project(path_to_binary)
  initial_state = project.factory.entry_state()
  simulation = project.factory.simgr(initial_state)

  # Explore the binary, but this time, instead of only looking for a state that
  # reaches the print_good_address, also find a state that does not reach 
  # will_not_succeed_address. The binary is pretty large, to save you some time,
  # everything you will need to look at is near the beginning of the address 
  # space.
  # (!)
  print_good_address = ???
  will_not_succeed_address = ???
  simulation.explore(find=print_good_address, avoid=will_not_succeed_address)

  if simulation.found:
    solution_state = simulation.found[0]
    print solution_state.posix.dumps(sys.stdin.fileno())
  else:
    raise Exception('Could not find the solution') 

def main(argv):
  path_to_binary = argv[1]
  project = angr.Project(path_to_binary)
  initial_state = project.factory.entry_state()
  simulation = project.factory.simgr(initial_state)

  # Explore the binary, but this time, instead of only looking for a state that
  # reaches the print_good_address, also find a state that does not reach 
  # will_not_succeed_address. The binary is pretty large, to save you some time,
  # everything you will need to look at is near the beginning of the address 
  # space.
  # (!)
  print_good_address = 0x080485e5
  will_not_succeed_address = 0x080485a8
  simulation.explore(find=print_good_address, avoid=will_not_succeed_address)

  if simulation.found:
    solution_state = simulation.found[0]
    print solution_state.posix.dumps(sys.stdin.fileno())
  else:
    raise Exception('Could not find the solution') 

def load_kernel_image(path,arch,base,segments=None):
    load_options = {}
    load_options['auto_load_libs'] = False
    load_options['main_opts'] = {'backend': 'blob', 'custom_arch': arch, 'custom_base_addr': base, 'segments':segments}

    #Use loader.provide_symbol() or loader.provide_symbol_batch() to import symbol table.
    #-----------------------------------------------------------------------------------
    #def provide_symbol(self, owner, name, offset, size=0, sym_type=None):
    #    return self.provide_symbol_batch(owner, {name: (offset, size, sym_type)})
    #-----------------------------------------------------------------------------------
    #Usage: owner --> the Backend object, we can use loader.main_bin
    #       offset --> the offset relative to 0, not actual kernel load address
    #       sym_type --> https://github.com/angr/cle/blob/master/cle/backends/__init__.py#L148
    b = angr.Project(path, load_options=load_options, arch=arch)
    
    #test_loader(b,base)
    return b; 

def __init__(self, binary, crash=None):
        """
        :param binary: path to the binary which crashed
        :param crash: string of input which crashed the binary
        """

        self.binary = binary
        self.crash = crash

        # verify it actually crashes the binary
        r = tracer.QEMURunner(self.binary, input=self.crash, record_core=True)
        if not r.crash_mode:
            raise CrashFuzzerException("input did not crash the binary")

        self._p = angr.Project(self.binary)

        self.orig_regs = r.reg_vals

        self.pool = None
        self.byte_analysis = dict()
        self._bases = dict()
        self.skip_bytes = set()
        self.skip_sets = set()
        self.regs_to_numbers = dict()
        self.used_bytes = set()
        self.byte_translation_funcs = list()
        self.byte_translation_calls = dict()
        self._bit_patterns = dict()

        self.make_bases()
        self.run() 

def test_jumptable_occupied_as_data():

    # GitHub issue #1671

    p = angr.Project(os.path.join(test_location, "i386", "windows", "printenv.exe"), auto_load_libs=False)
    cfg = p.analyses.CFGFast()

    # it has a jump table at 0x402e4d with 10 entries
    assert 0x402e4d in cfg.indirect_jumps
    assert cfg.indirect_jumps[0x402e4d].jumptable is True
    assert cfg.indirect_jumps[0x402e4d].jumptable_addr == 0x402e54
    assert cfg.indirect_jumps[0x402e4d].jumptable_size == 4 * 10
    assert cfg.indirect_jumps[0x402e4d].jumptable_entry_size == 4

    # 40 bytes starting at 0x402e4d should be marked as "data"
    for addr in range(0x402e54, 0x402e54 + 40, 4):
        assert cfg._seg_list.occupied_by_sort(addr) == "data"

    # node 0x402e4d should have 10 successors
    assert len(cfg.model.get_any_node(0x402e4d).successors) == 10 

def broken_cacher():
    p = angr.Project(os.path.join(location, 'x86_64', 'fauxware'), load_options={'auto_load_libs': False})

    tmp_dir = tempfile.mkdtemp(prefix='test_cacher_container')
    container = os.path.join(tmp_dir, '%s.cache' % os.path.basename(p.filename))

    pg = p.factory.simulation_manager()
    pg.use_technique(angr.exploration_techniques.Cacher(when=0x4006ee, container=container))
    pg.run()

    pg2 = p.factory.simulation_manager()
    pg2.use_technique(angr.exploration_techniques.Cacher(container=container))
    nose.tools.assert_equal(pg2.active[0].addr, 0x4006ed)

    pg2.run()

    nose.tools.assert_equal(len(pg2.deadended), len(pg.deadended))
    nose.tools.assert_true(pg2.deadended[0].addr in [s.addr for s in pg.deadended])
    nose.tools.assert_true(pg2.deadended[1].addr in [s.addr for s in pg.deadended])
    nose.tools.assert_true(pg2.deadended[2].addr in [s.addr for s in pg.deadended]) 

def test_abort_and_resume():

    angr.analyses.AnalysesHub.register_default('CFGEmulatedAborted', CFGEmulatedAborted)

    CFGEmulatedAborted.should_abort = False
    binary_path = os.path.join(test_location, "x86_64", "fauxware")
    b = angr.Project(binary_path, auto_load_libs=False)

    CFGEmulatedAborted.should_abort = True
    cfg = b.analyses.CFGEmulatedAborted()
    nose.tools.assert_greater(len(list(cfg.jobs)), 0)  # there should be left-over jobs

    CFGEmulatedAborted.should_abort = False
    cfg.resume()

    nose.tools.assert_equal(len(list(cfg.jobs)), 0)  # no left-over job 

def test_max_steps():

    binary_path = os.path.join(test_location, "x86_64", "fauxware")
    b = angr.Project(binary_path, load_options={'auto_load_libs': False})
    cfg = b.analyses.CFGEmulated(max_steps=5, fail_fast=True)

    dfs_edges = networkx.dfs_edges(cfg.graph)

    depth_map = {}
    for src, dst in dfs_edges:
        if src not in depth_map:
            depth_map[src] = 0
        if dst not in depth_map:
            depth_map[dst] = depth_map[src] + 1
        depth_map[dst] = max(depth_map[src] + 1, depth_map[dst])

    nose.tools.assert_less_equal(max(depth_map.values()), 5) 

def main(argv):
  path_to_binary = argv[1]
  project = angr.Project(path_to_binary)

  # You can either use a blank state or an entry state; just make sure to start
  # at the beginning of the program.
  initial_state = ???

  class ReplacementScanf(angr.SimProcedure):
    # Hint: scanf("%u %20s")
    def run(self, format_string, ...???):
      # %u
      scanf0 = claripy.BVS('scanf0', ???)
      
      # %20s
      scanf1 = claripy.BVS('scanf1', ???)

      for char in scanf1.chop(bits=8):
        self.state.add_constraints(char >= ???, char <= ???)

      scanf0_address = ???
      self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
      ...

      self.state.globals['solutions'] = ??? 

def break_chall_resp_atoi():
    crash_input = b'-435982256\n-439864843\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \
                  b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \
                  b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \
                  b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \
                  b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n'

    bin_path = bin_location + "/tests/i386/chall_resp_atoi"
    cfg_fast = angr.Project(bin_path).analyses.CFGFast()
    atoi_addr = cfg_fast.functions["atoi"].addr
    itoa_addr = cfg_fast.functions["itoa"].addr
    f1 = FormatInfoIntToStr(addr=itoa_addr, func_name="itoa", int_arg_num=1, str_dst_num=0, base=10, base_arg=None)
    f2 = FormatInfoStrToInt(addr=atoi_addr, func_name="atoi", str_arg_num=0, base=10, base_arg=None,
                            allows_negative=True)
    crash = rex.Crash(bin_path, crash=crash_input, format_infos=[f1, f2], rop_cache_path=os.path.join(cache_location, "chall_resp_atoi"))
    exploit_f = crash.exploit()
    for e in exploit_f.register_setters:
        nose.tools.assert_true(_do_pov_test(e))
    for e in exploit_f.leakers:
        nose.tools.assert_true(_do_pov_test(e)) 

def run_tracker(track_mem, use_bp):
    p = angr.Project(os.path.join(test_location, 'x86_64', 'fauxware'), auto_load_libs=False)
    p.analyses.CFGFast()
    main = p.kb.functions['main']
    sp = p.arch.sp_offset
    regs = {sp}
    if use_bp:
        bp = p.arch.bp_offset
        regs.add(bp)
    sptracker = p.analyses.StackPointerTracker(main, regs, track_memory=track_mem)
    sp_result = sptracker.offset_after(0x4007d4, sp)
    if use_bp:
        bp_result = sptracker.offset_after(0x4007d4, bp)
        return sp_result, bp_result
    else:
        return sp_result 

def test_find_prototype():
    proj = angr.Project(os.path.join(test_location, 'x86_64', 'all'), auto_load_libs=False)

    cfg = proj.analyses.CFG()

    func = cfg.kb.functions.function(name='strcmp', plt=False)
    func.calling_convention = angr.calling_conventions.DEFAULT_CC[proj.arch.name](proj.arch)

    # Calling SimCC.arg_locs() should fail when the function prototype is not provided.
    nose.tools.assert_raises(ValueError, func.calling_convention.arg_locs)

    func.find_declaration()

    arg_locs = func.calling_convention.arg_locs()  # now it won't fail

    nose.tools.assert_equal(len(arg_locs), 2)
    nose.tools.assert_equal(arg_locs[0].reg_name, 'rdi')
    nose.tools.assert_equal(arg_locs[1].reg_name, 'rsi') 

def test_additional_edges():
    # Test the `additional_edges` parameter for CFG generation

    binary_path = os.path.join(test_location, 'x86_64', 'switch')
    proj = angr.Project(binary_path,
                        use_sim_procedures=True,
                        default_analysis_mode='symbolic',
                        load_options={'auto_load_libs': False})
    additional_edges = {
        0x400573 : [ 0x400580, 0x40058f, 0x40059e ]
    }
    cfg = proj.analyses.CFGEmulated(context_sensitivity_level=0, additional_edges=additional_edges, fail_fast=True,
                                    resolve_indirect_jumps=False,  # For this test case, we need to disable the
                                                                   # jump table resolving, otherwise CFGEmulated
                                                                   # can automatically find the node 0x4005ad.
                                    )

    nose.tools.assert_not_equal(cfg.get_any_node(0x400580), None)
    nose.tools.assert_not_equal(cfg.get_any_node(0x40058f), None)
    nose.tools.assert_not_equal(cfg.get_any_node(0x40059e), None)
    nose.tools.assert_equal(cfg.get_any_node(0x4005ad), None) 

def main(argv):
  path_to_binary = argv[1]
  project = angr.Project(path_to_binary)

  # You can either use a blank state or an entry state; just make sure to start
  # at the beginning of the program.
  initial_state = ???

  class ReplacementScanf(angr.SimProcedure):
    # Hint: scanf("%u %20s")
    def run(self, format_string, ...???):
      # %u
      scanf0 = claripy.BVS('scanf0', ???)
      
      # %20s
      scanf1 = claripy.BVS('scanf1', ???)

      for char in scanf1.chop(bits=8):
        self.state.add_constraints(char >= ???, char <= ???)

      scanf0_address = ???
      self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
      ...

      self.state.globals['solutions'] = ??? 

def test_cfg_6():
    function_addresses = [0xfa630, 0xfa683, 0xfa6d4, 0xfa707, 0xfa754, 0xfa779, 0xfa7a9, 0xfa7d6, 0xfa844, 0xfa857,
                          0xfa8d9, 0xfa92f, 0xfa959, 0xfa9fb, 0xfabd6, 0xfac61, 0xfacc2, 0xfad29, 0xfaf94, 0xfbd07,
                          0xfc100, 0xfc101, 0xfc14f, 0xfc18e, 0xfc25e, 0xfc261, 0xfc3c6, 0xfc42f, 0xfc4a3, 0xfc4cf,
                          0xfc4db, 0xfc5ba, 0xfc5ef, 0xfc5fe, 0xfc611, 0xfc682, 0xfc6b7, 0xfc7fc, 0xfc8a8, 0xfc8e7,
                          0xfcb42, 0xfcb50, 0xfcb72, 0xfcc3b, 0xfcc7a, 0xfcc8b, 0xfccdc, 0xfd1a3, 0xff06e]

    # We need to add DO_CCALLS to resolve long jmp and support real mode
    o.modes['fastpath'] |= {o.DO_CCALLS}
    binary_path = test_location + "/i386/bios.bin.elf"
    proj = angr.Project(binary_path,
                        use_sim_procedures=True,
                        page_size=1)
    cfg = proj.analyses.CFGEmulated(context_sensitivity_level=1, fail_fast=True)  # pylint:disable=unused-variable
    nose.tools.assert_greater_equal(set(f for f in proj.kb.functions), set(function_addresses))
    o.modes['fastpath'] ^= {o.DO_CCALLS} 

def main(argv):
  path_to_binary = ???
  project = angr.Project(path_to_binary)
  initial_state = project.factory.entry_state()
  simulation = project.factory.simgr(initial_state)

  # Explore the binary, but this time, instead of only looking for a state that
  # reaches the print_good_address, also find a state that does not reach 
  # will_not_succeed_address. The binary is pretty large, to save you some time,
  # everything you will need to look at is near the beginning of the address 
  # space.
  # (!)
  print_good_address = ???
  will_not_succeed_address = ???
  simulation.explore(find=print_good_address, avoid=will_not_succeed_address)

  if simulation.found:
    solution_state = simulation.found[0]
    print solution_state.posix.dumps(sys.stdin.fileno())
  else:
    raise Exception('Could not find the solution') 

def main(argv):
  path_to_binary = ???
  project = angr.Project(path_to_binary)
  initial_state = project.factory.entry_state()
  simulation = project.factory.simgr(initial_state)

  # Explore the binary, but this time, instead of only looking for a state that
  # reaches the print_good_address, also find a state that does not reach 
  # will_not_succeed_address. The binary is pretty large, to save you some time,
  # everything you will need to look at is near the beginning of the address 
  # space.
  # (!)
  print_good_address = ???
  will_not_succeed_address = ???
  simulation.explore(find=print_good_address, avoid=will_not_succeed_address)

  if simulation.found:
    solution_state = simulation.found[0]
    print solution_state.posix.dumps(sys.stdin.fileno())
  else:
    raise Exception('Could not find the solution') 

def angr_cfg(sample):
    proj = angr.Project(samples_dir + sample, load_options={'auto_load_libs':False})
    main = proj.loader.main_object.get_symbol("main")
    addr = main.rebased_addr
    start_state = proj.factory.blank_state(addr=addr)
    start_state.stack_push(0x0)
    cfg = proj.analyses.CFGFast(fail_fast=True, function_starts=[addr], base_state=start_state, normalize=False)

    vis = AngrVisFactory().default_cfg_pipeline(cfg, asminst=True, vexinst=False)
    vis.set_output(DotOutput(sample + '_angr_asm', format="png"))
    vis.process(cfg.graph)

    vis = AngrVisFactory().default_cfg_pipeline(cfg, asminst=False, vexinst=True)
    vis.set_output(DotOutput(sample + '_angr_vex', format="png"))
    vis.process(cfg.graph) 

def test_arm_libsoap():

    # This is the ADDLS type of jump table (IndirectJumpType.JumpTable_AddressComputed) where no actual table is used
    # libsoap.so seems to be compiled from gSOAP, which is an open-source product

    p = angr.Project(os.path.join(test_location, "armel", "libsoap.so"), auto_load_libs=False)
    cfg = p.analyses.CFGFast(data_references=True)

    all_jumptabes = {
        J(0x411c8c, None, [0x411c9c, 0x411ca0, 0x411ca4, 0x411ca8, 0x411cac, 0x411cb0, 0x411cb4, 0x411cb8, 0x411cbc, 0x411cc0, 0x411cc4, 0x411cc8, 0x411ccc, 0x411cd0, 0x411cd4, 0x411cd8, 0x411cdc, 0x411ce0, 0x411ce4, 0x411ce8, 0x411cec, 0x411cf0, 0x411cf4, 0x411cf8, 0x411cfc, 0x411d00, 0x411d04, 0x411d08, 0x411d0c, 0x411d10, 0x411d14, 0x411d18, 0x411d1c, 0x411d20, 0x411d24, 0x411d28, 0x411d2c, 0x411d30, 0x411d34, 0x411d38, 0x411d3c, 0x411d40, 0x411d44, 0x411d48, 0x411d4c, 0x411d50, 0x411d54, 0x411d58, 0x411d5c, 0x411d60, 0x411d64, 0x411d68, 0x411d6c, 0x411d70]),
        J(0x411f54, None, [0x411f64, 0x411f68, 0x411f6c, 0x411f70, 0x411f74, 0x411f78, 0x411f7c, 0x411f80, 0x411f84, 0x411f88, 0x411f8c, 0x411f90, 0x411f94, 0x411f98, 0x411f9c, 0x411fa0, 0x411fa4, 0x411fa8, 0x411fac, 0x411fb0, 0x411fb4, 0x411fb8, 0x411fbc, 0x411fc0, 0x411fc4, 0x411fc8, 0x411fcc, 0x411fd0, 0x411fd4, 0x411fd8, 0x411fdc, 0x411fe0, 0x411fe4, 0x411fe8, 0x411fec, 0x411ff0, 0x411ff4, 0x411ff8, 0x411ffc, 0x412000, 0x412004, 0x412008, 0x41200c, 0x412010, 0x412014, 0x412018, 0x41201c, 0x412020, 0x412024, 0x412028, 0x41202c, 0x412030, 0x412034, 0x412038]),
        J(0x41b0b4, None, [0x41b0c4, 0x41b0c8, 0x41b0cc, 0x41b0d0, 0x41b0d4]),
        # 0x41d0e8 and 0x41d0fc are the same jump table - they appear twice because the CFG is not normalized (the two
        # blocks 0x41d0e8 and 0x41d0fc overlap and end at the same instruction)
        J(0x41d0e8, None, [0x41d10c, 0x41d110, 0x41d114, 0x41d118, 0x41d11c, 0x41d120, 0x41d124, 0x41d128, 0x41d12c, 0x41d130, 0x41d134, 0x41d138, 0x41d13c, 0x41d140, 0x41d144, 0x41d148, 0x41d14c, 0x41d150, 0x41d154, 0x41d158, 0x41d15c, 0x41d160, 0x41d164, 0x41d168, 0x41d16c, 0x41d170, 0x41d174, 0x41d178, 0x41d17c]),
        J(0x41d0fc, None, [0x41d10c, 0x41d110, 0x41d114, 0x41d118, 0x41d11c, 0x41d120, 0x41d124, 0x41d128, 0x41d12c, 0x41d130, 0x41d134, 0x41d138, 0x41d13c, 0x41d140, 0x41d144, 0x41d148, 0x41d14c, 0x41d150, 0x41d154, 0x41d158, 0x41d15c, 0x41d160, 0x41d164, 0x41d168, 0x41d16c, 0x41d170, 0x41d174, 0x41d178, 0x41d17c]),
        J(0x41d9d0, None, [0x41d9e0, 0x41d9e4, 0x41d9e8, 0x41d9ec, 0x41d9f0, 0x41d9f4, 0x41d9f8, 0x41d9fc, 0x41da00, 0x41da04, 0x41da08, 0x41da0c, 0x41da10, 0x41da14, 0x41da18, 0x41da1c, 0x41da20, 0x41da24, 0x41da28, 0x41da2c, 0x41da30, 0x41da34, 0x41da38, 0x41da3c, 0x41da40, 0x41da44, 0x41da48, 0x41da4c, 0x41da50, 0x41da54, 0x41da58, 0x41da5c, 0x41da60, 0x41da64, 0x41da68, 0x41da6c, 0x41da70, 0x41da74, 0x41da78, 0x41da7c, 0x41da80, 0x41da84, 0x41da88, 0x41da8c, 0x41da90, 0x41da94, 0x41da98, 0x41da9c, 0x41daa0, 0x41daa4, 0x41daa8, 0x41daac, 0x41dab0, 0x41dab4]),
        J(0x41e070, None, [0x41e080, 0x41e084, 0x41e088, 0x41e08c, 0x41e090, 0x41e094, 0x41e098, 0x41e09c, 0x41e0a0, 0x41e0a4, 0x41e0a8, 0x41e0ac, 0x41e0b0, 0x41e0b4, 0x41e0b8, 0x41e0bc, 0x41e0c0, 0x41e0c4, 0x41e0c8, 0x41e0cc, 0x41e0d0, 0x41e0d4, 0x41e0d8, 0x41e0dc, 0x41e0e0, 0x41e0e4, 0x41e0e8, 0x41e0ec, 0x41e0f0, 0x41e0f4, 0x41e0f8, 0x41e0fc, 0x41e100, 0x41e104, 0x41e108, 0x41e10c, 0x41e110, 0x41e114, 0x41e118, 0x41e11c, 0x41e120, 0x41e124, 0x41e128, 0x41e12c, 0x41e130, 0x41e134, 0x41e138, 0x41e13c, 0x41e140, 0x41e144, 0x41e148, 0x41e14c, 0x41e150, 0x41e154, 0x41e158, 0x41e15c, 0x41e160, 0x41e164, 0x41e168, 0x41e16c, 0x41e170, 0x41e174, 0x41e178, 0x41e17c, 0x41e180, 0x41e184, 0x41e188, 0x41e18c, 0x41e190]),
    }

    compare(cfg.jump_tables, all_jumptabes)

    assert 0x41d0e8 in cfg.model.jump_tables
    # normalizing the CFG should remove 0x41d0e8
    cfg.normalize()
    assert 0x41d0e8 not in cfg.model.jump_tables


#
# The jump table should be occupied and marked as data
# 

def disabled_loop_unrolling():
    binary_path = os.path.join(test_location, 'x86_64', 'cfg_loop_unrolling')

    p = angr.Project(binary_path)
    cfg = p.analyses.CFGEmulated(fail_fast=True)

    cfg.normalize()
    cfg.unroll_loops(5)

    nose.tools.assert_equal(len(cfg.get_all_nodes(0x400636)), 7) 

def test_memmove():
    proj = angr.Project(os.path.join(test_location, 'x86_64', 'memmove'), load_options={'auto_load_libs': True}, exclude_sim_procedures_list=['memmove'])
    explorer = proj.factory.simulation_manager().explore(find=[0x4005D7])
    s = explorer.found[0]
    result = s.solver.eval(s.memory.load(s.registers.load(16), 13), cast_to=bytes)
    nose.tools.assert_equal(result, b'very useful.\x00') 

def test_not_returning():
    # Make sure we are properly labeling functions that do not return in function manager

    binary_path = os.path.join(test_location, 'x86_64', 'not_returning')
    proj = angr.Project(binary_path,
                        use_sim_procedures=True,
                        load_options={'auto_load_libs': False}
                        )
    cfg = proj.analyses.CFGEmulated(context_sensitivity_level=0, fail_fast=True)  # pylint:disable=unused-variable

    # function_a returns
    nose.tools.assert_not_equal(proj.kb.functions.function(name='function_a'), None)
    nose.tools.assert_true(proj.kb.functions.function(name='function_a').returning)

    # function_b does not return
    nose.tools.assert_not_equal(proj.kb.functions.function(name='function_b'), None)
    nose.tools.assert_false(proj.kb.functions.function(name='function_b').returning)

    # function_c does not return
    nose.tools.assert_not_equal(proj.kb.functions.function(name='function_c'), None)
    nose.tools.assert_false(proj.kb.functions.function(name='function_c').returning)

    # main does not return
    nose.tools.assert_not_equal(proj.kb.functions.function(name='main'), None)
    nose.tools.assert_false(proj.kb.functions.function(name='main').returning)

    # function_d should not be reachable
    nose.tools.assert_equal(proj.kb.functions.function(name='function_d'), None) 

def __init__(self, project: 'Project'):
        super().__init__()
        self._project = project
        self._new_block: Optional[Block] = None  # output 

def __init__(self, filename, arch, taint_info_file, function_info_file, thumb=False):
        """
        Initialization function.

        :param filename: bootloader filename
        :param arch: architecture (ARM32 or AARCH64)
        :param taint_info_file: file containing the taint sources and sinks
        """

        bt = bootloadertaint.BootloaderTaint(filename, arch, taint_info_file)

        self._filename = filename
        self._arch = arch
        self._p = angr.Project(filename, load_options={'main_opts': {'custom_arch': arch}})
        self._cfg = None
        self._core = None
        self._taint_buf = "taint_buf"
        self._bogus_return = 0x41414141
        self._taint_info_file = taint_info_file
        self._function_info_file = function_info_file
        self._info_functions = {}
        self._timeout = bt._timeout
        self._thumb = thumb
        self._blocks = set()
        self._functions_touched = set()
        self._base_addr = 0
        self._paths = 0
        self._errored_out = False 

def test_basic():
    project = angr.Project(_bin('tests', 'cgc', 'sc2_0b32aa01_01'))
    state = project.factory.entry_state()
    spiller = angr.exploration_techniques.Spiller(pickle_callback=pickle_callback, unpickle_callback=unpickle_callback)
    spiller._pickle([state])

    del state
    gc.collect()
    state = spiller._unpickle(1)[0]

    assert state.globals['pickled']
    assert state.globals['unpickled'] 

def __init__(self, project=None, **kwargs):
        if kwargs:
            raise TypeError("Unused initializer args: " + ", ".join(kwargs.keys()))
        self.project = project  # type: Optional[angr.Project]
        self.state = None 

def test_memset():
    proj = angr.Project(os.path.join(test_location, 'x86_64', 'memset'), load_options={'auto_load_libs': True}, exclude_sim_procedures_list=['memset'])
    explorer = proj.factory.simulation_manager().explore(find=[0x400608])
    s = explorer.found[0]
    result = s.solver.eval(s.memory.load(s.registers.load(16), 50), cast_to=bytes)
    nose.tools.assert_equal(result, b'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\x00') 

def test_function_prototype():

    proj = angr.Project(os.path.join(test_location, 'x86_64', 'all'))

    func = angr.knowledge_plugins.Function(proj.kb.functions, 0x100000, name='strcmp')
    func.prototype = angr.SIM_LIBRARIES['libc.so.6'].prototypes[func.name]
    func.calling_convention = angr.calling_conventions.DEFAULT_CC[proj.arch.name](
        proj.arch,
        func_ty=func.prototype,
    )