How to use the angr.SimState function in angr
To help you get started, we’ve selected a few angr examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
angr / angr / tests / test_state.py View on Github 
a_a.add_constraints(merge_conditions[0])
nose.tools.assert_true(a_a.solver.unique(a_a.memory.load(2, 1)))
nose.tools.assert_equal(a_a.solver.eval(a_a.memory.load(2, 1)), 43)
a_b = m.copy()
a_b.add_constraints(merge_conditions[1])
nose.tools.assert_true(a_b.solver.unique(a_b.memory.load(2, 1)))
nose.tools.assert_equal(a_b.solver.eval(a_b.memory.load(2, 1)), 84)
a_c = m.copy()
a_c.add_constraints(merge_conditions[2])
nose.tools.assert_true(a_c.solver.unique(a_c.memory.load(2, 1)))
nose.tools.assert_equal(a_c.solver.eval(a_c.memory.load(2, 1)), 21)
# test different sets of plugins
a = SimState(arch='AMD64', mode='symbolic')
nose.tools.assert_true(a.has_plugin('memory'))
nose.tools.assert_true(a.has_plugin('registers'))
nose.tools.assert_false(a.has_plugin('libc'))
b = a.copy()
a.get_plugin('libc')
nose.tools.assert_true(a.has_plugin('libc'))
nose.tools.assert_false(b.has_plugin('libc'))
c = a.copy().merge(b.copy())[0]
d = b.copy().merge(a.copy())[0]
nose.tools.assert_true(c.has_plugin('libc'))
nose.tools.assert_true(d.has_plugin('libc'))
# test merging posix with different open files (illegal!)
a = SimState(arch='AMD64', mode='symbolic')
b = a.copy()nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes)), [ b"ABCDE", b"ABCDX", b"ABCXX", b"ABXXX", b"AXXXX", b"XXXXX" ])
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[x==3])), [ b"ABCXX" ])
s = SimState(arch="AMD64")
s.register_plugin('posix', SimSystemPosix(stdin=SimFile(name='stdin', content=b'ABCDEFGHIJKLMNOP', has_end=True)))
s.memory.store(0x200, b"XXXXXXXXXXXXXXXX")
x = s.solver.BVS('size', s.arch.bits)
s.add_constraints(s.solver.ULT(x, 10))
s.posix.get_fd(0).read(0x200, x)
nose.tools.assert_equal(sorted(s.solver.eval_upto(x, 100)), list(range(10)))
result = s.memory.load(0x200, 5)
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes)), [ b"ABCDE", b"ABCDX", b"ABCXX", b"ABXXX", b"AXXXX", b"XXXXX" ])
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[x==3])), [ b"ABCXX" ])
s = SimState(arch="AMD64")
s.register_plugin('posix', SimSystemPosix(stdin=SimFile(name='stdin', content=b'ABCDEFGHIJKLMNOP')))
s.memory.store(0x200, b"XXXXXXXXXXXXXXXX")
x = s.solver.BVS('size', s.arch.bits)
s.add_constraints(s.solver.ULT(x, 10))
read_proc = SIM_PROCEDURES['posix']['read']()
ret_x = read_proc.execute(s, arguments=(0, 0x200, x)).ret_expr
nose.tools.assert_equal(sorted(s.solver.eval_upto(x, 100)), list(range(10)))
result = s.memory.load(0x200, 5)
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes)), [ b"ABCDE", b"ABCDX", b"ABCXX", b"ABXXX", b"AXXXX", b"XXXXX" ])
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[x==3])), [ b"ABCXX" ])
nose.tools.assert_equal(sorted(s.solver.eval_upto(ret_x, 100)), list(range(10)))
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[ret_x==3])), [ b"ABCXX" ])# make sure it copies it all
s.add_constraints(strlen(s, arguments=[src_addr]) == 2)
strncpy(s, arguments=[dst_addr, src_addr, maxlen])
c = strcmp(s, arguments=[dst_addr, src_addr])
s_match = s.copy()
s_match.add_constraints(c == 0)
nose.tools.assert_equal(s_match.solver.min_int(maxlen), 3)
s_nomatch = s.copy()
s_nomatch.add_constraints(c != 0)
nose.tools.assert_equal(s_nomatch.solver.max_int(maxlen), 2)
l.info("concrete src, concrete dst, symbolic len")
l.debug("... full copy")
s = SimState(arch="AMD64", mode="symbolic")
dst = s.solver.BVV(0x41414100, 32)
dst_addr = s.solver.BVV(0x1000, 64)
src = s.solver.BVV(0x42420000, 32)
src_addr = s.solver.BVV(0x2000, 64)
maxlen = s.solver.BVS("len", 64)
s.memory.store(dst_addr, dst)
s.memory.store(src_addr, src)
strncpy(s, arguments=[dst_addr, src_addr, maxlen])
r = s.memory.load(dst_addr, 4, endness='Iend_BE')
#print repr(r.solver.eval_upto(r, 10, cast_to=bytes))
nose.tools.assert_sequence_equal(sorted(s.solver.eval_upto(r, 10, cast_to=bytes)), [ b"AAA\x00", b'BAA\x00', b'BB\x00\x00', b'BBA\x00' ] )def test_clock_gettime():
proc = angr.SIM_PROCEDURES['posix']['clock_gettime']()
s = angr.SimState(arch='amd64')
s.regs.rdi = 0
s.regs.rsi = 0x8000
s.options.add(angr.options.USE_SYSTEM_TIMES)
proc.execute(s)
assert not s.mem[0x8000].qword.resolved.symbolic
assert not s.mem[0x8008].qword.resolved.symbolic
s.options.discard(angr.options.USE_SYSTEM_TIMES)
proc.execute(s)
assert s.mem[0x8000].qword.resolved.symbolic
assert s.mem[0x8008].qword.resolved.symbolicdef test_state_merge():
a = SimState(arch='AMD64', mode='symbolic')
a.memory.store(1, a.solver.BVV(42, 8))
b = a.copy()
c = b.copy()
a.memory.store(2, a.memory.load(1, 1)+1)
b.memory.store(2, b.memory.load(1, 1)*2)
c.memory.store(2, c.memory.load(1, 1)/2)
# make sure the byte at 1 is right
nose.tools.assert_equal(a.solver.eval(a.memory.load(1, 1)), 42)
nose.tools.assert_equal(b.solver.eval(b.memory.load(1, 1)), 42)
nose.tools.assert_equal(c.solver.eval(c.memory.load(1, 1)), 42)
# make sure the byte at 2 is right
nose.tools.assert_equal(a.solver.eval(a.memory.load(2, 1)), 43)
nose.tools.assert_equal(b.solver.eval(b.memory.load(2, 1)), 84)def test_crosspage_read():
state = SimState(arch='ARM')
state.regs.sp = 0x7fff0008
state.stack_push(0x44556677)
state.stack_push(0x1)
state.stack_push(0x2)
state.stack_push(0x3)
state.stack_push(0x4)
state.stack_push(0x99887766)
state.stack_push(0x5)
state.stack_push(0x105c8)
state.stack_push(0x11223344)
state.stack_push(0x10564)
r = state.memory.load(state.regs.sp, 40)
assert bytes.fromhex("77665544") in state.solver.eval(r, cast_to=bytes)
#assert s.solver.eval(r, 2) == ( 0xffeeddccbbaa998877665544, )def test_ccall():
s = SimState(arch="AMD64")
l.debug("Testing amd64_actions_ADD")
l.debug("(8-bit) 1 + 1...")
arg_l = s.solver.BVV(1, 8)
arg_r = s.solver.BVV(1, 8)
cf, pf, af, zf, sf, of = s_ccall.pc_actions_ADD(s, 8, arg_l, arg_r, 0, platform='AMD64')
nose.tools.assert_true(s.solver.is_true(cf == 0))
nose.tools.assert_true(s.solver.is_true(pf == 0))
nose.tools.assert_true(s.solver.is_true(af == 0))
nose.tools.assert_true(s.solver.is_true(zf == 0))
nose.tools.assert_true(s.solver.is_true(sf == 0))
nose.tools.assert_true(s.solver.is_true(of == 0))
l.debug("(32-bit) (-1) + (-2)...")
arg_l = s.solver.BVV(-1, 32)
arg_r = s.solver.BVV(-1, 32)def test_abstract_memory():
initial_memory = {0: b'A', 1: b'B', 2: b'C', 3: b'D'}
s = SimState(mode='static',
arch="AMD64",
memory_backer=initial_memory,
add_options={o.ABSTRACT_SOLVER, o.ABSTRACT_MEMORY})
se = s.se
def to_vs(region, offset):
return s.solver.VS(s.arch.bits, region, 0, offset)
# Load a single-byte constant from global region
expr = s.memory.load(to_vs('global', 2), 1)
nose.tools.assert_equal(s.solver.eval(expr), 0x43)
nose.tools.assert_equal(s.solver.max_int(expr), 0x43)
nose.tools.assert_equal(s.solver.min_int(expr), 0x43)
# Store a single-byte constant to global region
s.memory.store(to_vs('global', 1), s.solver.BVV(b'D'), 1)def test_copy():
s = SimState(arch="AMD64")
s.memory.store(0x100, b"ABCDEFGHIJKLMNOP")
s.memory.store(0x200, b"XXXXXXXXXXXXXXXX")
x = s.solver.BVS('size', s.arch.bits)
s.add_constraints(s.solver.ULT(x, 10))
s.memory.copy_contents(0x200, 0x100, x)
nose.tools.assert_equal(sorted(s.solver.eval_upto(x, 100)), list(range(10)))
result = s.memory.load(0x200, 5)
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes)), [ b"ABCDE", b"ABCDX", b"ABCXX", b"ABXXX", b"AXXXX", b"XXXXX" ])
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[x==3])), [ b"ABCXX" ])
s = SimState(arch="AMD64")
s.register_plugin('posix', SimSystemPosix(stdin=SimFile(name='stdin', content=b'ABCDEFGHIJKLMNOP', has_end=True)))
s.memory.store(0x200, b"XXXXXXXXXXXXXXXX")
x = s.solver.BVS('size', s.arch.bits)
s.add_constraints(s.solver.ULT(x, 10))
s.posix.get_fd(0).read(0x200, x)
nose.tools.assert_equal(sorted(s.solver.eval_upto(x, 100)), list(range(10)))
result = s.memory.load(0x200, 5)
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes)), [ b"ABCDE", b"ABCDX", b"ABCXX", b"ABXXX", b"AXXXX", b"XXXXX" ])
nose.tools.assert_equal(sorted(s.solver.eval_upto(result, 100, cast_to=bytes, extra_constraints=[x==3])), [ b"ABCXX" ])
s = SimState(arch="AMD64")
s.register_plugin('posix', SimSystemPosix(stdin=SimFile(name='stdin', content=b'ABCDEFGHIJKLMNOP')))
s.memory.store(0x200, b"XXXXXXXXXXXXXXXX")
x = s.solver.BVS('size', s.arch.bits)
s.add_constraints(s.solver.ULT(x, 10))def test_procedure_actions():
s = SimState(arch='AMD64')
s.registers.store('rbx', 2)
proc = SIM_PROCEDURES['testing']['retreg'](reg='rbx')
succ = SimEngineProcedure().process(s, proc)
rbx = succ.artifacts['procedure'].ret_expr
nose.tools.assert_is(type(rbx), angr.state_plugins.SimActionObject)
nose.tools.assert_equal(s.solver.eval(rbx), 2)
nose.tools.assert_equal(rbx.reg_deps, { s.arch.registers['rbx'][0] })angr
A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries
Package Health Score
88 / 100Popular angr functions
- angr.analyses.AnalysesHub.register_default
- angr.analyses.identifier.func.TestData
- angr.errors
- angr.errors.AngrError
- angr.errors.SimMemoryError
- angr.errors.SimMergeError
- angr.errors.SimValueError
- angr.exploration_techniques
- angr.options
- angr.Project
- angr.sim_options
- angr.SIM_PROCEDURES
- angr.sim_state.SimState
- angr.sim_state.SimState.register_default
- angr.sim_type.SimTypeInt
- angr.SimProcedure
- angr.SimState
- angr.state_plugins.plugin.SimStatePlugin
- angr.state_plugins.sim_action.SimActionData
- angr.storage.memory_object.SimMemoryObject