How to use pyvex - 10 common examples
To help you get started, we’ve selected a few pyvex examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
angr / angr / angr / engines / vex / expressions / load.py View on Github 
def SimIRExpr_Load(engine, state, expr):
# size of the load
size_bits = get_type_size(expr.type)
size = size_bits // state.arch.byte_width
# get the address expression and track stuff
with state.history.subscribe_actions() as addr_actions:
addr = engine.handle_expression(state, expr.addr)
if o.UNINITIALIZED_ACCESS_AWARENESS in state.options:
if getattr(addr._model_vsa, 'uninitialized', False):
raise SimUninitializedAccessError('addr', addr)
if o.DO_LOADS not in state.options:
# only do the load if, uh, we have to
result = state.solver.Unconstrained("load_expr_%#x_%d" % (state.scratch.ins_addr, state.scratch.stmt_idx), size_bits)
else:
# load from memory and fix endianness
result = state.memory.load(addr, size, endness=expr.endness)def _ty_to_bytes(self, ty):
return pyvex.get_type_size(ty) // getattr(getattr(getattr(self, 'state', None), 'arch', None), 'byte_width', 8)def _expr(self, expr):
v = super()._expr(expr)
if v not in {None, BOTTOM, TOP} and v is not expr:
# Record the replacement
if type(expr) is pyvex.IRExpr.Get:
if expr.offset not in (self.arch.sp_offset, self.arch.ip_offset, ):
self.state.add_replacement(self._codeloc(),
VEXReg(expr.offset, expr.result_size(self.tyenv) // 8),
v)
return vl.info("CFG generated in %f seconds.", duration)
dfg = proj.analyses.DFG(cfg=cfg, fail_fast=True)
nose.tools.assert_true(len(dfg.dfgs) <= len(cfg.nodes()))
for addr, d in dfg.dfgs.items():
nose.tools.assert_true(cfg.get_any_node(addr) is not None)
# We check there is not node that we ignored
for n in d.nodes():
nose.tools.assert_not_equal(n.tag, 'Ist_IMark')
nose.tools.assert_not_equal(n.tag, 'Ist_AbiHint')
nose.tools.assert_not_equal(n.tag, 'Ist_Exit')
if n.tag == 'Ist_Put':
nose.tools.assert_not_equal(n.offset, proj.arch.ip_offset)
for (a, b) in d.edges():
if isinstance(a, pyvex.IRExpr.IRExpr):
# We check that there is no edge between two expressions/const
nose.tools.assert_false(isinstance(b, pyvex.IRExpr.IRExpr))
# If there is an edge coming from an expr/const it should be in
# the dependencies of the other node
# FIXME
# Impossible to check because of the Unop optimization in the
# DFG...
# nose.tools.assert_true(a in b.expressions)
elif hasattr(a, 'tmp'):
# If there is an edge between a tmp and another node
# be sure that this tmp is in the dependencies of this node
tmps = [ ]
for e in b.expressions:
if hasattr(e, 'tmp'):
tmps.append(e.tmp)exit_after = 0
def handle_exit_before(state):
counts.exit_before += 1
exit_target = state.inspect.exit_target
nose.tools.assert_equal(state.solver.eval(exit_target), 0x3f8)
# change exit target
state.inspect.exit_target = 0x41414141
nose.tools.assert_equal(state.inspect.exit_jumpkind, "Ijk_Boring")
nose.tools.assert_true(state.inspect.exit_guard.is_true())
def handle_exit_after(state): #pylint:disable=unused-argument
counts.exit_after += 1
s = SimState(arch="AMD64", mode="symbolic")
irsb = pyvex.IRSB(b"\x90\x90\x90\x90\xeb\x0a", mem_addr=1000, arch=archinfo.ArchAMD64())
# break on exit
s.inspect.b('exit', BP_BEFORE, action=handle_exit_before)
s.inspect.b('exit', BP_AFTER, action=handle_exit_after)
# step it
succ = SimEngineVEX().process(s, irsb).flat_successors
# check
nose.tools.assert_equal( succ[0].solver.eval(succ[0].ip), 0x41414141)
nose.tools.assert_equal(counts.exit_before, 1)
nose.tools.assert_equal(counts.exit_after, 1)s.inspect.b('reg_write', when=BP_AFTER, action=act_reg_write)
nose.tools.assert_equal(counts.reg_write, 0)
s.registers.store(16, s.solver.BVV(10, 32))
nose.tools.assert_equal(counts.reg_write, 1)
nose.tools.assert_equal(counts.mem_write, 1)
nose.tools.assert_equal(counts.mem_read, 4)
nose.tools.assert_equal(counts.reg_read, 1)
s.inspect.b('tmp_read', when=BP_AFTER, action=act_tmp_read, tmp_read_num=0)
s.inspect.b('tmp_write', when=BP_AFTER, action=act_tmp_write, tmp_write_num=0)
s.inspect.b('expr', when=BP_AFTER, action=act_expr, expr_result=1016)
s.inspect.b('statement', when=BP_AFTER, action=act_statement)
s.inspect.b('instruction', when=BP_AFTER, action=act_instruction, instruction=1001)
s.inspect.b('instruction', when=BP_AFTER, action=act_instruction, instruction=1000)
irsb = pyvex.IRSB(b"\x90\x90\x90\x90\xeb\x0a", mem_addr=1000, arch=archinfo.ArchAMD64(), opt_level=0)
irsb.pp()
SimEngineVEX().process(s, irsb)
nose.tools.assert_equal(counts.reg_write, 7)
nose.tools.assert_equal(counts.reg_read, 2)
nose.tools.assert_equal(counts.tmp_write, 1)
nose.tools.assert_equal(counts.tmp_read, 1)
nose.tools.assert_equal(counts.expr, 3) # one for the Put, one for the WrTmp, and one to get the next address to jump to
nose.tools.assert_equal(counts.statement, 11)
nose.tools.assert_equal(counts.instruction, 2)
nose.tools.assert_equal(counts.constraints, 0)
nose.tools.assert_equal(counts.mem_write, 1)
nose.tools.assert_equal(counts.mem_read, 4)
s = SimState(arch="AMD64", mode="symbolic")
s.inspect.b('symbolic_variable', when=BP_AFTER, action=act_variables)
s.memory.load(0, 10)def test_loadg_no_constraint_creation():
state = SimState(arch='armel', mode='symbolic')
engine = SimEngineVEX()
from angr.engines.vex.statements.loadg import SimIRStmt_LoadG
stmt = pyvex.IRStmt.LoadG('Iend_LE', 'ILGop_16Uto32',
0, # dst
pyvex.IRExpr.Const(pyvex.const.U32(0x2000)), # addr (src)
pyvex.IRExpr.Const(pyvex.const.U32(0x1337)), # alt
pyvex.IRExpr.RdTmp(1) # guard
)
tyenv = pyvex.IRTypeEnv(state.arch)
tyenv.types = [ 'Ity_I32', 'Ity_I32' ]
state.scratch.set_tyenv(tyenv)
state.scratch.temps[1] = state.solver.BVS('tmp_1', 32)
SimIRStmt_LoadG(engine, state, stmt)
# LOADG should not create new constraints - it is a simple conditional memory read. The conditions should only be
# used inside the value AST to guard the memory read.
assert not state.solver.constraints
assert state.scratch.temps[0] is not None
assert state.scratch.temps[0].variables.issuperset(state.scratch.temps[1].variables)
assert state.scratch.temps[0].op == 'If'def test_loadg_no_constraint_creation():
state = SimState(arch='armel', mode='symbolic')
engine = SimEngineVEX()
from angr.engines.vex.statements.loadg import SimIRStmt_LoadG
stmt = pyvex.IRStmt.LoadG('Iend_LE', 'ILGop_16Uto32',
0, # dst
pyvex.IRExpr.Const(pyvex.const.U32(0x2000)), # addr (src)
pyvex.IRExpr.Const(pyvex.const.U32(0x1337)), # alt
pyvex.IRExpr.RdTmp(1) # guard
)
tyenv = pyvex.IRTypeEnv(state.arch)
tyenv.types = [ 'Ity_I32', 'Ity_I32' ]
state.scratch.set_tyenv(tyenv)
state.scratch.temps[1] = state.solver.BVS('tmp_1', 32)
SimIRStmt_LoadG(engine, state, stmt)
# LOADG should not create new constraints - it is a simple conditional memory read. The conditions should only be
# used inside the value AST to guard the memory read.
assert not state.solver.constraints
assert state.scratch.temps[0] is not None
assert state.scratch.temps[0].variables.issuperset(state.scratch.temps[1].variables)
assert state.scratch.temps[0].op == 'If'def test_thumb_object():
"""
Test for an object file I ripped out of an ARM firmware HAL.
Uses some nasty relocs
:return:
"""
path = os.path.join(test_location, "armel", "i2c_api.o")
l = cle.Loader(path, rebase_granularity=0x1000)
for r in l.main_object.relocs:
if r.__class__ == cle.backends.elf.relocation.arm.R_ARM_THM_JUMP24:
if r.symbol.name == 'HAL_I2C_ER_IRQHandler':
irsb = pyvex.lift(struct.pack('for stmt in self.irsb.statements():
if type(stmt) == pyvex.IRStmt.IMark:
self.last_imark = stmt
elif type(stmt) == pyvex.IRStmt.Exit:
l.debug("%s adding conditional exit", self)
e = SimExit(expr=self.state.BVV(stmt.offsIP, self.state.arch.bits), guard=guard, state=self.state, source=self.state.BVV(self.last_imark.addr, self.state.arch.bits), jumpkind=self.irsb.jumpkind, simplify=False)
self.conditional_exits.append(e)
self.add_exits(e)
if self.irsb.jumpkind == 'Ijk_Call' and o.DO_RET_EMULATION in self.state.options:
self.postcall_exit = SimExit(expr=self.state.BVV(self.last_imark.addr+self.last_imark.len, self.state.arch.bits), guard=guard, state=self.state, source=self.state.BVV(self.last_imark.addr, self.state.arch.bits), jumpkind='Ijk_Ret', simplify=False)
self.add_exits(self.postcall_exit)
elif type(stmt) == pyvex.IRStmt.WrTmp:
temps[stmt.tmp] = self._fastpath_irexpr(stmt.data, temps, regs)
elif type(stmt) == pyvex.IRStmt.Put:
regs[stmt.offset] = self._fastpath_irexpr(stmt.data, temps, regs)
else:
continue
next_expr = self._fastpath_irexpr(self.irsb.next, temps, regs)
if next_expr is not None:
self.has_default_exit = True
self.default_exit = SimExit(expr=next_expr, guard=guard, state=self.state, jumpkind=self.irsb.jumpkind, simplify=False, source=self.state.BVV(self.last_imark.addr, self.state.arch.bits))
self.add_exits(self.default_exit)
if self.irsb.jumpkind == 'Ijk_Call' and o.DO_RET_EMULATION in self.state.options:
self.postcall_exit = SimExit(expr=self.state.BVV(self.last_imark.addr+self.last_imark.len, self.state.arch.bits), guard=guard, state=self.state, source=self.state.BVV(self.last_imark.addr, self.state.arch.bits), jumpkind='Ijk_Ret', simplify=False)
self.add_exits(self.postcall_exit)
Popular pyvex functions
- pyvex.const.get_type_size
- pyvex.const.U32
- pyvex.ffi
- pyvex.ffi.buffer
- pyvex.get_type_size
- pyvex.IRConst
- pyvex.IRExpr
- pyvex.IRExpr.Const
- pyvex.IRExpr.Get
- pyvex.IRExpr.RdTmp
- pyvex.IRSB
- pyvex.IRStmt
- pyvex.IRStmt.Exit
- pyvex.IRStmt.IMark
- pyvex.IRStmt.Put
- pyvex.IRStmt.WrTmp
- pyvex.lift
- pyvex.set_iropt_level
- pyvex.stmt
- pyvex.stmt.WrTmp