Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
exit_after = 0
def handle_exit_before(state):
counts.exit_before += 1
exit_target = state.inspect.exit_target
nose.tools.assert_equal(state.solver.eval(exit_target), 0x3f8)
# change exit target
state.inspect.exit_target = 0x41414141
nose.tools.assert_equal(state.inspect.exit_jumpkind, "Ijk_Boring")
nose.tools.assert_true(state.inspect.exit_guard.is_true())
def handle_exit_after(state): #pylint:disable=unused-argument
counts.exit_after += 1
s = SimState(arch="AMD64", mode="symbolic")
irsb = pyvex.IRSB(b"\x90\x90\x90\x90\xeb\x0a", mem_addr=1000, arch=archinfo.ArchAMD64())
# break on exit
s.inspect.b('exit', BP_BEFORE, action=handle_exit_before)
s.inspect.b('exit', BP_AFTER, action=handle_exit_after)
# step it
succ = SimEngineVEX().process(s, irsb).flat_successors
# check
nose.tools.assert_equal( succ[0].solver.eval(succ[0].ip), 0x41414141)
nose.tools.assert_equal(counts.exit_before, 1)
nose.tools.assert_equal(counts.exit_after, 1)
s.inspect.b('reg_write', when=BP_AFTER, action=act_reg_write)
nose.tools.assert_equal(counts.reg_write, 0)
s.registers.store(16, s.solver.BVV(10, 32))
nose.tools.assert_equal(counts.reg_write, 1)
nose.tools.assert_equal(counts.mem_write, 1)
nose.tools.assert_equal(counts.mem_read, 4)
nose.tools.assert_equal(counts.reg_read, 1)
s.inspect.b('tmp_read', when=BP_AFTER, action=act_tmp_read, tmp_read_num=0)
s.inspect.b('tmp_write', when=BP_AFTER, action=act_tmp_write, tmp_write_num=0)
s.inspect.b('expr', when=BP_AFTER, action=act_expr, expr_result=1016)
s.inspect.b('statement', when=BP_AFTER, action=act_statement)
s.inspect.b('instruction', when=BP_AFTER, action=act_instruction, instruction=1001)
s.inspect.b('instruction', when=BP_AFTER, action=act_instruction, instruction=1000)
irsb = pyvex.IRSB(b"\x90\x90\x90\x90\xeb\x0a", mem_addr=1000, arch=archinfo.ArchAMD64(), opt_level=0)
irsb.pp()
SimEngineVEX().process(s, irsb)
nose.tools.assert_equal(counts.reg_write, 7)
nose.tools.assert_equal(counts.reg_read, 2)
nose.tools.assert_equal(counts.tmp_write, 1)
nose.tools.assert_equal(counts.tmp_read, 1)
nose.tools.assert_equal(counts.expr, 3) # one for the Put, one for the WrTmp, and one to get the next address to jump to
nose.tools.assert_equal(counts.statement, 11)
nose.tools.assert_equal(counts.instruction, 2)
nose.tools.assert_equal(counts.constraints, 0)
nose.tools.assert_equal(counts.mem_write, 1)
nose.tools.assert_equal(counts.mem_read, 4)
s = SimState(arch="AMD64", mode="symbolic")
s.inspect.b('symbolic_variable', when=BP_AFTER, action=act_variables)
s.memory.load(0, 10)
def disasmble(self,bb):
insn = []
buff = self._header.read_bytes(self._header.read_addr(bb.addr-self._header.base_addr))
addr = bb.addr
arch = self._header.arch
irsb = pyvex.IRSB(buff,addr,arch,num_bytes=400,bytes_offset=0,traceflags=0)
bytestring = buff[:irsb.size]
cs = arch.capstone
for cs_insn in cs.disasm(bytestring,addr):
insn.append(cs_insn)
#print hex(cs_insn.address).replace("L",''), cs_insn.mnemonic, cs_insn.op_str
return irsb, insn
def run(self):
if self.cleanup:
self.state.options.discard(o.AST_DEPS)
self.state.options.discard(o.AUTO_REFS)
ret_irsb = pyvex.IRSB(self.state.arch.ret_instruction, self.addr, self.state.arch)
ret_simirsb = SimIRSB(self.state, ret_irsb, inline=True, addr=self.addr)
if not ret_simirsb.flat_successors + ret_simirsb.unsat_successors:
ret_state = ret_simirsb.default_exit
else:
ret_state = (ret_simirsb.flat_successors + ret_simirsb.unsat_successors)[0]
if self.cleanup:
self.state.options.add(o.AST_DEPS)
self.state.options.add(o.AUTO_REFS)
self.add_successor(ret_state, ret_state.scratch.target, ret_state.scratch.guard, 'Ijk_Sys')
def disasmble(self,bb):
insn = []
buff = self._header.read_bytes(self._header.read_addr(bb.addr-self._header.base_addr))
addr = bb.addr
arch = self._header.arch
irsb = pyvex.IRSB(buff,addr,arch,num_bytes=400,bytes_offset=0,traceflags=0)
bytestring = buff[:irsb.size]
cs = arch.capstone
for cs_insn in cs.disasm(bytestring,addr):
insn.append(cs_insn)
#print hex(cs_insn.address).replace("L",''), cs_insn.mnemonic, cs_insn.op_str
return irsb, insn
def get_ret_irsb(self, inst_addr):
l.debug("Creating ret IRSB at 0x%x", inst_addr)
irsb = pyvex.IRSB(bytes=self.ret_instruction, mem_addr=inst_addr,
arch=self.vex_arch, endness=self.vex_endness)
l.debug("... created IRSB %s", irsb)
return irsb
register(LifterBF, 'BF')
if __name__ == '__main__':
sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
import logging
logging.getLogger('pyvex').setLevel(logging.DEBUG)
logging.basicConfig()
irsb_ = pyvex.IRSB(None, 0, arch=archinfo.arch_from_id('bf'))
test1 = b'<>+-[].,'
test2 = b'<>+-[].,'
lifter = LifterBF(irsb_, test1, len(test1) , len(test1), 0, None)
lifter.lift()
lifter.irsb.pp()
irsb_ = pyvex.IRSB(None, 0, arch=ArchBF())
lifter = LifterBF(irsb_, test2, len(test2),len(test2),0, None)
lifter.lift()
lifter.irsb.pp()
def get_ret_irsb(self, inst_addr):
l.debug("Creating ret IRSB at 0x%x", inst_addr)
irsb = pyvex.IRSB(bytes=self.ret_instruction, mem_addr=inst_addr,
arch=self.vex_arch, endness=self.vex_endness)
l.debug("... created IRSB %s", irsb)
return irsb
def get_irsbs(self, code, address):
irsbs = []
code_address = address
while code_address <= address + len(code) - self.arch.instruction_alignment:
try:
irsb = pyvex.IRSB(code[code_address-address:], code_address, self.arch, opt_level=0)
irsbs.append(irsb)
except: # If decoding fails, we can't use this gadget
traceback.print_exc()
return [] # So just return an empty list
if (self.arch.name not in extra_archinfo.ENDS_EARLY_ARCHS
or irsb.jumpkind != 'Ijk_Boring'
or not self.irsb_ends_with_constant_pc(irsb)):
break
# Find the last address that was translated (For some architectures, pyvex stops before the end of a block)
last_addr = None
for stmt in irsb.statements:
if stmt.tag == 'Ist_IMark':
last_addr = stmt.addr