Python claripy.BVS Examples

def main(argv):
  path_to_binary = argv[1]
  project = angr.Project(path_to_binary)

  # You can either use a blank state or an entry state; just make sure to start
  # at the beginning of the program.
  initial_state = ???

  class ReplacementScanf(angr.SimProcedure):
    # Hint: scanf("%u %20s")
    def run(self, format_string, ...???):
      # %u
      scanf0 = claripy.BVS('scanf0', ???)
      
      # %20s
      scanf1 = claripy.BVS('scanf1', ???)

      for char in scanf1.chop(bits=8):
        self.state.add_constraints(char >= ???, char <= ???)

      scanf0_address = ???
      self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
      ...

      self.state.globals['solutions'] = ??? 

def run(self, this_ref,  separator_ref):
        log.debug('Called SimProcedure java.lang.String.split with args: {}, {}'.format(this_ref, separator_ref))
        self.this_ref = this_ref
        this = self.state.memory.load(this_ref)
        separator = self.state.memory.load(separator_ref)

        if this.concrete and separator.concrete:
            # FIXME: escaping should be fixed in claripy
            separator_value = self.state.solver.eval(separator).replace('\\n', '\n')
            values = self.state.solver.eval(this).split(separator_value)
            str_array = SimSootExpr_NewArray.new_array(self.state, 'java.lang.String', claripy.BVV(len(values), 32))

            for idx, value in enumerate(values):
                value_ref = SimSootValue_StringRef.new_string(self.state, claripy.StringV(value))
                elem_ref = SimSootValue_ArrayRef(str_array, idx)
                self.state.memory.store(elem_ref, value_ref)

        else:
            str_array = SimSootExpr_NewArray.new_array(self.state, 'java.lang.String', claripy.BVS('array_size', 32))
            str_array.add_default_value_generator(self.generate_symbolic_array)

        return str_array 

def addr_concrete_after(self, state):
        """
        Hook for address concretization
        :param state: Program state
        """

        addr_expr = state.inspect.address_concretization_expr
        state.inspect.address_concretization_result = [self._get_target_concretization(addr_expr, state)]

        # a tainted buffer's location is used as address
        if self._taint_buf in str(addr_expr):
            self._set_deref_bounds(addr_expr)
            self._deref_taint_address = True
            self._deref_addr_expr = addr_expr
            self._deref_instruction = state.ip.args[0]

            if state.inspect.address_concretization_action == 'load':
                name = "cnt_pt_by(" + self._taint_buf + ' [' + str(self._deref[0]) + ', ' + str(self._deref[1]) + ']' + ")"
                bits = state.inspect.mem_read_length
                var = claripy.BVS(name, bits)
                state.memory.store(state.inspect.address_concretization_result[0], var) 

def test_ppc32():
    proj = angr.Project(os.path.join(test_location, 'ppc', 'argv_test'))
    r_addr = 0x10000498

    s = proj.factory.entry_state(args = ['aaa', 'Yan is a noob'], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    nose.tools.assert_equal(len(xpl.found), 1)

    s = proj.factory.entry_state(args = ['aaa', 'Yan is not a noob'], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    nose.tools.assert_equal(len(xpl.found), 0)

    # symbolic args
    s = proj.factory.entry_state(args = ['aaa', claripy.BVS('arg_2', 50*8)], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    found = xpl.found[0]
    conc = found.solver.eval(found.memory.load(found.registers.load('sp'), 400), cast_to=bytes)

    nose.tools.assert_equal(b"Yan is a noob" in conc, True) 

def test_i386():
    p = angr.Project(os.path.join(test_location, 'i386', 'test_strcasecmp'), auto_load_libs=False)
    arg1 = claripy.BVS('arg1', 20*8)
    s = p.factory.entry_state(args=("test_strcasecmp", arg1))
    sm = p.factory.simulation_manager(s)
    sm.explore()

    sm.move('deadended', 'found', filter_func=lambda s: b"Welcome" in s.posix.dumps(1))

    nose.tools.assert_equal(len(sm.found), 1)

    f = sm.found[0]
    sol = f.solver.eval(arg1, cast_to=bytes)
    nose.tools.assert_in(b'\x00', sol)
    nose.tools.assert_equal(sol[:sol.index(b'\x00')].lower(), b'letmein')
    nose.tools.assert_in(b'wchar works', f.posix.dumps(1)) 

def test_amd64():
    proj = angr.Project(os.path.join(test_location, 'x86_64', 'argv_test'))
    r_addr = 0x400571
    s = proj.factory.entry_state(args = ['aaa', 'Yan is a noob'], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    nose.tools.assert_equal(len(xpl.found), 1)

    s = proj.factory.entry_state(args = ['aaa', 'Yan is not a noob'], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    nose.tools.assert_equal(len(xpl.found), 0)

    # symbolic args
    s = proj.factory.entry_state(args = ['aaa', claripy.BVS('arg_2', 50*8)], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    found = xpl.found[0]
    conc = found.solver.eval(found.memory.load(found.registers.load('sp'), 400), cast_to=bytes)

    nose.tools.assert_equal(b"Yan is a noob" in conc, True) 

def do_ast_vault(v_factory):
	v = v_factory()
	x = claripy.BVS("x", 32)
	y = claripy.BVS("y", 32)
	z = x + y

	v.store(x)
	assert len(v.keys()) == 1
	zid = v.store(z)
	assert len(v.keys()) == 3
	zz = v.load(zid)
	assert z is zz

	zs = v.dumps(z)
	zzz = v.loads(zs)
	assert zzz is z 

def main(argv):
  path_to_binary = argv[1]
  project = angr.Project(path_to_binary)

  # You can either use a blank state or an entry state; just make sure to start
  # at the beginning of the program.
  initial_state = ???

  class ReplacementScanf(angr.SimProcedure):
    # Hint: scanf("%u %20s")
    def run(self, format_string, ...???):
      # %u
      scanf0 = claripy.BVS('scanf0', ???)
      
      # %20s
      scanf1 = claripy.BVS('scanf1', ???)

      for char in scanf1.chop(bits=8):
        self.state.add_constraints(char >= ???, char <= ???)

      scanf0_address = ???
      self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
      ...

      self.state.globals['solutions'] = ??? 

def memcpy(_core, old_path, new_path):
    # FIXME do taint untaint!
    cp_new_p = new_path.copy()
    try:
        # if the second parameter is tainted (or pointing to a tainted location)
        # or the third is tainted, we taint the first too
        if _core._taint_buf in str(cp_new_p.state.regs.r1) or \
                        _core._taint_buf in str(cp_new_p.state.memory.load(cp_new_p.state.regs.r1)) or \
                        _core._taint_buf in str(cp_new_p.state.regs.r2):
            t = claripy.BVS(_core._taint_buf, _core._taint_buf_size).reversed
            new_path.state.memory.store(new_path.state.regs.r0, t)
    except:
        pass

    # FIXME: do the untaint part!

    return 

def main(argv):
  path_to_binary = argv[1]
  project = angr.Project(path_to_binary)

  # You can either use a blank state or an entry state; just make sure to start
  # at the beginning of the program.
  initial_state = ???

  class ReplacementScanf(angr.SimProcedure):
    # Hint: scanf("%u %20s")
    def run(self, format_string, ...???):
      # %u
      scanf0 = claripy.BVS('scanf0', ???)
      
      # %20s
      scanf1 = claripy.BVS('scanf1', ???)

      for char in scanf1.chop(bits=8):
        self.state.add_constraints(char >= ???, char <= ???)

      scanf0_address = ???
      self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
      ...

      self.state.globals['solutions'] = ??? 

def test_i386():
    proj = angr.Project(os.path.join(test_location, 'i386', 'argv_test'))
    r_addr = 0x804845B
    s = proj.factory.entry_state(args = ['aaa', 'Yan is a noob'], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    nose.tools.assert_equal(len(xpl.found), 1)

    s = proj.factory.entry_state(args = ['aaa', 'Yan is not a noob'], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    nose.tools.assert_equal(len(xpl.found), 0)

    # symbolic args
    s = proj.factory.entry_state(args = ['aaa', claripy.BVS('arg_2', 50*8)], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    found = xpl.found[0]
    conc = found.solver.eval(found.memory.load(found.registers.load('sp'), 400), cast_to=bytes)

    nose.tools.assert_equal(b"Yan is a noob" in conc, True) 

def test_mipsel():
    proj = angr.Project(os.path.join(test_location, 'mipsel', 'argv_test'))
    r_addr = 0x400768
    s = proj.factory.entry_state(args = ['aaa', 'Yan is a noob'], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    nose.tools.assert_equal(len(xpl.found), 1)

    s = proj.factory.entry_state(args = ['aaa', 'Yan is not a noob'], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    nose.tools.assert_equal(len(xpl.found), 0)

    # symbolic args
    s = proj.factory.entry_state(args = ['aaa', claripy.BVS('arg_2', 50*8)], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    found = xpl.found[0]
    conc = found.solver.eval(found.memory.load(found.registers.load('sp'), 400), cast_to=bytes)

    nose.tools.assert_equal(b"Yan is a noob" in conc, True) 

def test_mips():
    proj = angr.Project(os.path.join(test_location, 'mips', 'argv_test'))
    r_addr = 0x400768

    s = proj.factory.entry_state(args = ['aaa', "Yan is a noob"], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    nose.tools.assert_equal(len(xpl.found), 1)

    s = proj.factory.entry_state(args = ['aaa', 'Yan is not a noob'], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    nose.tools.assert_equal(len(xpl.found), 0)

    # symbolic command line argument
    arg = claripy.BVS('arg_2', 50*8)
    s = proj.factory.entry_state(args = ['aaa', arg], env ={"HOME": "/home/angr"})
    xpl = proj.factory.simulation_manager(s).explore(find=r_addr)

    found = xpl.found[0]
    conc = found.solver.eval(found.memory.load(found.registers.load('sp'), 400), cast_to=bytes)

    nose.tools.assert_equal(b"Yan is a noob" in conc, True) 

def register_variable(self, v, key, eternal=True):
        """
        Register a value with the variable tracking system

        :param v:       The BVS to register
        :param key:     A tuple to register the variable under
        :parma eternal: Whether this is an eternal variable, default True. If False, an incrementing counter will be
                        appended to the key.
        """
        if type(key) is not tuple:
            raise TypeError("Variable tracking key must be a tuple")
        if eternal:
            self.eternal_tracked_variables[key] = v
        else:
            self.temporal_tracked_variables = dict(self.temporal_tracked_variables)
            ctrkey = key + (None,)
            ctrval = self.temporal_tracked_variables.get(ctrkey, 0) + 1
            self.temporal_tracked_variables[ctrkey] = ctrval
            tempkey = key + (ctrval,)
            self.temporal_tracked_variables[tempkey] = v 

def _symbolize_hashes(ast, hashes):
    if not isinstance(ast, claripy.ast.base.Base):
        return ast

    # Replace SHA3 with a BVS
    if ast.op == "SHA3":
        hash_input, = ast.args
        hash_input = _symbolize_hashes(hash_input, hashes)
        try:
            return hashes[hash_input]
        except KeyError:
            hash_symbol = claripy.BVS("SHA3", 256)
            hashes[hash_input] = hash_symbol
            logger.debug("Registering new hash: %s(%s)", hash_symbol, hash_input)
            return hash_symbol

    # Recursively apply to children
    args = [_symbolize_hashes(child, hashes) for child in ast.args]
    return ast.swap_args(args) 

def test_symbolic_write():
    s = SimState(arch='AMD64', add_options={o.SYMBOLIC_WRITE_ADDRESSES})
    x = s.solver.BVS('x', 64)
    y = s.solver.BVS('y', 64)
    a = s.solver.BVV(b'A'*0x10)
    b = s.solver.BVV(b'B')
    c = s.solver.BVV(b'C')
    d = s.solver.BVV(b'D')

    s.memory.store(0x10, a)
    s.add_constraints(x >= 0x10, x < 0x20)
    s.memory.store(x, b)

    for i in range(0x10, 0x20):
        assert len(s.solver.eval_upto(s.memory.load(i, 1), 10)) == 2

    s.memory.store(x, c)
    for i in range(0x10, 0x20):
        assert len(s.solver.eval_upto(s.memory.load(i, 1), 10)) == 2

    s2 = s.copy()
    s2.add_constraints(y >= 0x10, y < 0x20)
    s2.memory.store(y, d)
    for i in range(0x10, 0x20):
        assert len(s2.solver.eval_upto(s2.memory.load(i, 1), 10)) == 3 

def syscall_hook(state):
    if not state.has_plugin("chall_resp_info"):
        return

    # here we detect how much stdout we have when a byte is first read in
    syscall_name = state.inspect.syscall_name
    if syscall_name == "receive":
        # track the amount of stdout we had when we first read the byte
        stdin_min_stdout_reads = state.get_plugin("chall_resp_info").stdin_min_stdout_reads
        stdout_pos = state.solver.eval(state.posix.fd[1].write_pos)
        stdin_pos = state.solver.eval(state.posix.fd[0].read_pos)
        for i in range(0, stdin_pos):
            if i not in stdin_min_stdout_reads:
                stdin_min_stdout_reads[i] = stdout_pos

    # here we make random preconstrained instead of concrete A's
    if syscall_name == "random":
        num_bytes = state.solver.eval(state.regs.ecx)
        buf = state.solver.eval(state.regs.ebx)
        if num_bytes != 0:
            rand_bytes = state.solver.BVS("random", num_bytes*8)
            concrete_val = state.solver.BVV("A"*num_bytes)
            state.solver._solver.add_replacement(rand_bytes, concrete_val, invalidate_cache=False)
            state.memory.store(buf, rand_bytes) 

def regression_test_memcmp_strlen_simprocedure_interaction():
    # import logging
    # logging.getLogger('angr.manager').setLevel(logging.DEBUG)

    bin_path = os.path.join(test_location, 'i386', 'cpp_regression_test_ch25')
    p = angr.Project(bin_path, auto_load_libs=True)  # this binary requires the loading of libstdc++.so.6
    argv1 = cp.Concat(*[cp.BVS('argv%d' % i, 8) for i in range(48)])

    state = p.factory.full_init_state(args=[bin_path, argv1],
                                      add_options=angr.sim_options.unicorn
                                      )

    sm = p.factory.simulation_manager(state)
    x = sm.explore(find=0x8048b9b, num_find=3)

    nose.tools.assert_equal(len(x.found), 1)
    for state in x.found:
        solution = state.solver.eval_one(argv1, cast_to=bytes).strip(b"\x00")
        nose.tools.assert_equal(solution, b"Here_you_have_to_understand_a_little_C++_stuffs") 

def clean_copy(self):
        """Create a new env, which is a copy of the current one but with
        new symbolic variables (with the same name)"""
        new_env = Env(self.code)

        for name, _, _ in ENV_VARS:
            value = getattr(self, name)
            if value.symbolic:
                setattr(new_env, name, claripy.BVS(name, 256))
            else:
                setattr(new_env, name, value)

        new_env.calldata = self.calldata.copy()
        for addr, value in self.calldata._mem.items():
            new_env.calldata._mem[addr] = claripy.BVS(
                "calldata[%i]" % addr, value.size()
            )

        # Block hashes are always the same (but the current number can change)
        new_env.block_hashes = self.block_hashes.copy()
        return new_env 

def test_write_and_selfdestruct(self):
        state = State(self.env)

        state_write = state.copy()
        state_write.storage_written = {utils.bvv(0): self.env.calldata.read(4, 32)}

        state_selfdestruct = state.copy()
        state_selfdestruct.selfdestruct_to = self.env.calldata.read(4, 32)
        storage_0 = claripy.BVS("storage[0]", 256)
        state_selfdestruct.storage_read = {utils.bvv(0): storage_0}
        state_selfdestruct.solver.add(storage_0 == 0xDEADBEEF0101)

        storage = {0: 0xBAD1DEA}
        self.assertTrue(
            self.check_states([state_write, state_selfdestruct], mock_storage=storage)
        )
        self.assertFalse(self.check_states([state_selfdestruct], mock_storage=storage))
        self.assertFalse(self.check_states([state_write])) 

def _get_default_symbolic_value_by_type(type_, state):
        if type_ in ['byte', 'char', 'short', 'int', 'boolean']:
            return BVS('default_value_{}'.format(type_), 32)
        if type_ == "long":
            return BVS('default_value_{}'.format(type_), 64)
        if type_ == 'float':
            return FPS('default_value_{}'.format(type_), FSORT_FLOAT)
        if type_ == 'double':
            return FPS('default_value_{}'.format(type_), FSORT_DOUBLE)
        if type_ == 'java.lang.String':
            return SimSootValue_StringRef.new_string(state, StringS('default_value_{}'.format(type_), 1000))
        if type_.endswith('[][]'):
            raise NotImplementedError
            # multiarray = SimSootExpr_NewMultiArray.new_array(self.state, element_type, size)
            # multiarray.add_default_value_generator(lambda s: SimSootExpr_NewMultiArray._generate_inner_array(s, element_type, sizes))
            # return  multiarray
        if type_.endswith('[]'):
            array = SimSootExpr_NewArray.new_array(state, type_[:-2], BVV(2, 32))
            return array
        return SimSootValue_ThisRef.new_object(state, type_, symbolic=True, init_object=False) 

def test_sha3_value2(self):
        """Same as above, but we need to pass the computed SHA3."""
        state = State(self.env)

        state_write = state.copy()
        state_write.storage_written = {
            utils.bvv(0): Sha3(self.env.calldata.read(4, 32))
        }

        state_selfdestruct = state.copy()
        state_selfdestruct.selfdestruct_to = self.env.calldata.read(36, 32)
        storage_input = claripy.BVS("storage[0]", 256)
        state_selfdestruct.storage_read = {utils.bvv(0): storage_input}
        state_selfdestruct.solver.add(storage_input == self.env.calldata.read(4, 32))
        state_selfdestruct.solver.add(storage_input != 0)

        storage = {0: 0}
        self.assertTrue(
            self.check_states([state_write, state_selfdestruct], mock_storage=storage)
        )
        self.assertFalse(self.check_states([state_selfdestruct], mock_storage=storage))
        self.assertFalse(self.check_states([state_write], mock_storage=storage)) 

def _init_object_pe_security_cookie(self, pe_object, state, state_kwargs):
        sc_init = state_kwargs.pop('security_cookie_init', SecurityCookieInit.STATIC)
        if sc_init is SecurityCookieInit.NONE or sc_init is None:
            return
        cookie = pe_object.load_config.get('SecurityCookie', None)
        if not cookie:
            return
        vs_cookie = VS_SECURITY_COOKIES.get(self.project.arch.name)
        if vs_cookie is None:
            _l.warning('Unsupported architecture: %s for /GS, leaving _security_cookie uninitialized', self.project.arch.name)
            return
        if sc_init is SecurityCookieInit.RANDOM:
            sc_value = random.randint(1, (2 ** vs_cookie.width - 1))
            if sc_value == vs_cookie.default:
                sc_value += 1
        elif sc_init is SecurityCookieInit.STATIC:
            sc_value = struct.unpack('>I', b'cook')[0]
        elif sc_init is SecurityCookieInit.SYMBOLIC:
            sc_value = claripy.BVS('_security_cookie', state.arch.bits)
        else:
            raise TypeError("security_cookie_init must SecurityCookieInit, not {0}".format(type(sc_init).__name__))
        setattr(state.mem[cookie], "uint{0}_t".format(state.arch.bits), sc_value) 

def set_register(self, register, chain, value_var):

        ip_var = claripy.BVS('ip_value', self.crash.project.arch.bits, explicit_name=True)

        chain, chain_addr = self._ip_overwrite_with_chain(chain, assert_next_ip_controlled=True)

        l.debug("attempting to insert chain of length %d", len(chain.payload_str()))

        ccp = self.crash.copy()

        # add the constraints introduced by rop
        cons = [a for a in chain._blank_state.solver.constraints if not any(v.startswith("next_addr") for v in a.variables)]
        ccp.state.solver.add(*cons)

        chain.add_value(ip_var)
        chain_bv = chain.payload_bv()

        ch_sym_mem = ccp.state.memory.load(chain_addr, len(chain_bv)//8)
        ccp.state.add_constraints(ch_sym_mem == chain_bv)

        ccp.state.add_constraints(ip_var == 0xc0debabe)

        return CHESSExploitControl(ccp, True, False, registers={'rip': 0xc0debabe, register: 0xc0debabe}) 

def test_hex_dump():
    s = SimState(arch='AMD64')
    addr = s.heap.allocate(0x20)
    s.memory.store(
        addr,
        claripy.Concat(
            claripy.BVV('ABCDEFGH'),
            claripy.BVS('symbolic_part', 24 * s.arch.bits)
        )
    )
    dump = s.memory.hex_dump(addr, 0x20)
    nose.tools.assert_equal(
        dump,
        'c0000000: 41424344 45464748 ???????? ???????? ABCDEFGH????????\n'
        'c0000010: ???????? ???????? ???????? ???????? ????????????????\n'
    )

    dump = s.memory.hex_dump(
        addr,
        0x20,
        extra_constraints=(s.memory.load(addr+0x10, 4) == 0xdeadbeef,),
        solve=True,
        endianness='Iend_LE'
    )
    nose.tools.assert_equal(
        dump,
        'c0000000: 44434241 48474645 ???????? ???????? ABCDEFGH????????\n'
        'c0000010: efbeadde ???????? ???????? ???????? ....????????????\n'
    ) 

def test_fullpage_write():
    if os.environ.get("APPVEYOR", "false").lower() == "true":
        # Skip as AppVeyor boxes do not have enough memory to run this test
        raise nose.SkipTest()

    s = SimState(arch='AMD64')
    a = s.solver.BVV(b'A'*0x2000)
    s.memory.store(0, a)
    #assert len(s.memory.mem._pages) == 2
    #assert len(s.memory.mem._pages[0].keys()) == 0
    #assert len(s.memory.mem._pages[1].keys()) == 0
    assert s.memory.load(0, 0x2000) is a
    assert a.variables != s.memory.load(0x2000, 1).variables

    s = SimState(arch='AMD64')
    a = s.solver.BVV(b'A'*2)
    s.memory.store(0x1000, a)
    s.memory.store(0x2000, a)
    assert a.variables == s.memory.load(0x2000, 1).variables
    assert a.variables == s.memory.load(0x2001, 1).variables
    assert a.variables != s.memory.load(0x2002, 1).variables

    s = SimState(arch='AMD64')
    x = s.solver.BVV(b'X')
    a = s.solver.BVV(b'A'*0x1000)
    s.memory.store(1, x)
    s2 = s.copy()
    s2.memory.store(0, a)
    assert len(s.memory.changed_bytes(s2.memory)) == 0x1000

    s = SimState(arch='AMD64')
    s.memory._maximum_symbolic_size = 0x2000000
    a = s.solver.BVS('A', 0x1000000*8)
    s.memory.store(0, a)
    b = s.memory.load(0, 0x1000000)
    assert b is a 

def test_copy():
    s = SimState(arch="AMD64")
    s.memory.store(0x100, b"ABCDEFGHIJKLMNOP")
    s.memory.store(0x200, b"XXXXXXXXXXXXXXXX")
    x = s.solver.BVS('size', s.arch.bits)
    s.add_constraints(s.solver.ULT(x, 10))
    s.memory.copy_contents(0x200, 0x100, x)

    nose.tools.assert_equal(sorted(s.solver.eval_upto(x, 100)), list(range(10)))
    result = s.memory.load(0x200, 5)
    nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes)), [ b"ABCDE", b"ABCDX", b"ABCXX", b"ABXXX", b"AXXXX", b"XXXXX" ])
    nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[x==3])), [ b"ABCXX" ])

    s = SimState(arch="AMD64")
    s.register_plugin('posix', SimSystemPosix(stdin=SimFile(name='stdin', content=b'ABCDEFGHIJKLMNOP', has_end=True)))
    s.memory.store(0x200, b"XXXXXXXXXXXXXXXX")
    x = s.solver.BVS('size', s.arch.bits)
    s.add_constraints(s.solver.ULT(x, 10))

    s.posix.get_fd(0).read(0x200, x)
    nose.tools.assert_equal(sorted(s.solver.eval_upto(x, 100)), list(range(10)))
    result = s.memory.load(0x200, 5)
    nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes)), [ b"ABCDE", b"ABCDX", b"ABCXX", b"ABXXX", b"AXXXX", b"XXXXX" ])
    nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[x==3])), [ b"ABCXX" ])

    s = SimState(arch="AMD64")
    s.register_plugin('posix', SimSystemPosix(stdin=SimFile(name='stdin', content=b'ABCDEFGHIJKLMNOP')))
    s.memory.store(0x200, b"XXXXXXXXXXXXXXXX")
    x = s.solver.BVS('size', s.arch.bits)
    s.add_constraints(s.solver.ULT(x, 10))

    read_proc = SIM_PROCEDURES['posix']['read']()
    ret_x = read_proc.execute(s, arguments=(0, 0x200, x)).ret_expr
    nose.tools.assert_equal(sorted(s.solver.eval_upto(x, 100)), list(range(10)))
    result = s.memory.load(0x200, 5)
    nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes)), [ b"ABCDE", b"ABCDX", b"ABCXX", b"ABXXX", b"AXXXX", b"XXXXX" ])
    nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[x==3])), [ b"ABCXX" ])

    nose.tools.assert_equal(sorted(s.solver.eval_upto(ret_x, 100)), list(range(10)))
    nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[ret_x==3])), [ b"ABCXX" ]) 

def make_pickles():
    p = angr.Project(os.path.join(tests_location, 'i386', 'fauxware'))

    fs = {
        '/dev/stdin': SimFile('/dev/stdin'),
        '/dev/stdout': SimFile('/dev/stdout'),
        '/dev/stderr': SimFile('/dev/stderr'),
        #'/dev/urandom': SimFile('/dev/urandom', 0),
    }

    MEM_SIZE = 1024
    mem_bvv = {}
    for f in fs:
        mem = BVS(f, MEM_SIZE * 8)
        mem_bvv[f] = mem
        # debug_wait()

    f = open("pickletest_good", "wb")
    #fname = f.name
    pickle.dump(mem_bvv, f, -1)
    f.close()

    # If you do not have a state you cannot write
    entry_state = p.factory.entry_state(fs=fs) #pylint:disable=unused-variable
    for f in fs:
        mem = mem_bvv[f]
        fs[f].write(0, mem, MEM_SIZE)

    f = open("pickletest_bad", "wb")
    #fname = f.name
    pickle.dump(mem_bvv, f, -1)
    f.close()
    #print "Test case generated run '%s <something>' to execute the test" % sys.argv[0] 

def test_non_exhaustive_storage(self):
        self.analyzer.actual_storage = {1: 0xBAD1DEA}
        self.analyzer.actual_storage_exhaustive = False

        self.state.storage_read[utils.bvv(0)] = claripy.BVS("storage[0]", 256)
        self.state.selfdestruct_to = self.state.storage_read[utils.bvv(0)]

        # Suicide to storage[0] that contains our address (state.env.caller)
        with patch.object(self.analyzer, "_read_storage_key") as mock_read_storage_key:
            mock_read_storage_key.return_value = utils.bvv_to_number(
                self.state.env.caller
            )
            self.assertTrue(self.check_state(self.state))
            mock_read_storage_key.assert_called_with(0) 

def test_non_exhaustive_storage2(self):
        """Same as the previous test, but we suicide to 0 so it doesn't work."""
        self.analyzer.actual_storage = {1: 0xBAD1DEA}
        self.analyzer.actual_storage_exhaustive = False

        self.state.storage_read[utils.bvv(0)] = claripy.BVS("storage[0]", 256)
        self.state.selfdestruct_to = self.state.storage_read[utils.bvv(0)]

        # Same as above, but we suicide to 0 instead of caller.
        with patch.object(self.analyzer, "_read_storage_key") as mock_read_storage_key:
            mock_read_storage_key.return_value = 0
            self.assertFalse(self.check_state(self.state))
            mock_read_storage_key.assert_called_with(0)