Use claripy ops from claripy instead of solver (#73)
* Use claripy ops from claripy instead of solver

* Improve lint
twizmwazin authored Aug 20, 2024
1 parent fc321ff commit d64c7c2
Showing 4 changed files with 31 additions and 24 deletions.
23 changes: 14 additions & 9 deletions angr_platforms/ct64/ct64_angr.py
@@ -1,20 +1,25 @@
import logging
import struct

import angr
import archinfo
import claripy
import cle
import archinfo
import logging
import struct

from .ct64_engine import UberEngineWithCT64K

l = logging.getLogger('angr.ct64k')

def load_rom(rom):
return angr.Project(rom, main_opts={'backend': CT64KBlob, 'arch': ArchCT64K(), 'base_addr': 0x1000, 'entry_point': 0x1000}, engine=UberEngineWithCT64K)
return angr.Project(
rom,
main_opts={'backend': CT64KBlob, 'arch': ArchCT64K(), 'base_addr': 0x1000, 'entry_point': 0x1000},
engine=UberEngineWithCT64K
)

class ArchCT64K(archinfo.Arch):
def __init__(self, endness=archinfo.Endness.BE):
super(ArchCT64K, self).__init__(endness)
super().__init__(endness)

name = 'CT64K'
bits = 16
@@ -63,7 +68,7 @@ def __init__(self, project):
0x200: (hard_200_rd, hard_200_wr),
0x201: (hard_201_rd, hard_201_wr),
}
super(SimCT64K, self).__init__(project, 'ct64k')
super().__init__(project, 'ct64k')

def configure_project(self):
pass
@@ -73,7 +78,7 @@ def state_blank(self, addr=None, **kwargs):
addr = 0x1000

permissions_backer = (True, {(0, 0xffff): 7})
state = super(SimCT64K, self).state_blank(addr=addr, permissions_backer=permissions_backer, **kwargs)
state = super().state_blank(addr=addr, permissions_backer=permissions_backer, **kwargs)

state.register_plugin('registers', state.memory)
state.memory.id = 'reg'
@@ -93,7 +98,7 @@ def state_entry(self, *args, **kwargs):
return state

def _hard_checker(self, state, addr):
crange = state.solver.And(addr >= 0x200, addr < 0x300)
crange = claripy.And(addr >= 0x200, addr < 0x300)
if not state.solver.satisfiable(extra_constraints=(crange,)):
return None

@@ -126,7 +131,7 @@ def hard_checker_wr(self, state):

# output
def hard_200_rd(state):
return state.solver.BVV(0, 16)
return claripy.BVV(0, 16)

def hard_200_wr(state, v):
state.posix.fd[1].write_data(v)
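Review bot: In `_hard_checker` the address-window test is built with Python's `>=` and `<` on `addr`, so whether the comparison is unsigned depends on claripy's operator defaults, while ct64_engine.py in this same commit spells out `claripy.UGT` and `claripy.ULT`. This check appears to decide which accesses are routed to the 0x200-range hardware handlers, so I would make the unsigned intent explicit: `crange = claripy.And(claripy.UGE(addr, 0x200), claripy.ULT(addr, 0x300))`. That assumes `addr` is always a bitvector at this point, which the hunk does not show. The rest of `_hard_checker` lies outside the visible lines.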
10 changes: 5 additions & 5 deletions angr_platforms/ct64/ct64_engine.py
@@ -81,7 +81,7 @@ def execute(self, state, successors):

state.regs._ip += self.LEN
state.memory.store(dest, value)
successors.add_successor(state, state.regs._ip, state.solver.true, 'Ijk_Boring')
successors.add_successor(state, state.regs._ip, claripy.true, 'Ijk_Boring')

def value(self, state):
raise NotImplementedError
@@ -171,7 +171,7 @@ class SR(Instruction2):
NAME = 'SR'

def value(self, state):
return state.solver.LShR(state.memory.load(self.rm, size=1), state.memory.load(self.mem, size=1))
return claripy.LShR(state.memory.load(self.rm, size=1), state.memory.load(self.mem, size=1))

class SL(Instruction2):
NAME = 'SL'
@@ -206,7 +206,7 @@ def execute(self, state, successors):

jumpkind = 'Ijk_Exit' if self.NAME == 'HF' and state.solver.is_true(self.imm == successors.addr) else 'Ijk_Boring'
successors.add_successor(yes_state, self.imm, guard, jumpkind)
successors.add_successor(no_state, state.solver.BVV(successors.addr + self.LEN, 16), state.solver.Not(guard), jumpkind)
successors.add_successor(no_state, claripy.BVV(successors.addr + self.LEN, 16), claripy.Not(guard), jumpkind)

def condition(self, state):
raise NotImplementedError
@@ -215,13 +215,13 @@ class JG(InstructionJump):
NAME = 'JG'

def condition(self, state):
return state.solver.UGT(state.memory.load(self.rm, size=1), state.memory.load(self.mem, size=1))
return claripy.UGT(state.memory.load(self.rm, size=1), state.memory.load(self.mem, size=1))

class JL(InstructionJump):
NAME = 'JL'

def condition(self, state):
return state.solver.ULT(state.memory.load(self.rm, size=1), state.memory.load(self.mem, size=1))
return claripy.ULT(state.memory.load(self.rm, size=1), state.memory.load(self.mem, size=1))

class JQ(InstructionJump):
NAME = 'JQ'
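Review bot: None of the hunks in ct64_engine.py adds `import claripy`, although every new line now references `claripy.` directly; the section's 5 additions are all call-site replacements. If the module does not already import claripy above the first hunk, executing any of these instructions raises `NameError`, so confirm the import exists or add `import claripy` next to the other imports, as this commit does in ct64_angr.py and tests/test_riscv.py. The same applies to tests/test_bpf_idea.py, whose 8 additions are likewise only `claripy.BVV` call sites. The enclosing `execute`, `value` and `condition` methods start or end outside the hunks.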
16 changes: 8 additions & 8 deletions tests/test_bpf_idea.py
@@ -25,10 +25,10 @@ def test_idea_correct_flag():
state.memory.store(proj.arch.DATA_BASE, 0x1337, endness='Iend_LE')
# input variables
for i in range(0, len(flag), 4):
state.memory.store(proj.arch.DATA_BASE + 0x10 + i, state.solver.BVV(ord(flag[i]), 8))
state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 1, state.solver.BVV(ord(flag[i+1]), 8))
state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 2, state.solver.BVV(ord(flag[i+2]), 8))
state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 3, state.solver.BVV(ord(flag[i+3]), 8))
state.memory.store(proj.arch.DATA_BASE + 0x10 + i, claripy.BVV(ord(flag[i]), 8))
state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 1, claripy.BVV(ord(flag[i+1]), 8))
state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 2, claripy.BVV(ord(flag[i+2]), 8))
state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 3, claripy.BVV(ord(flag[i+3]), 8))

# Execute until it returns
simgr.explore(find=(MAX_INSTR_ID * 8,))
@@ -54,10 +54,10 @@ def test_idea_incorrect_flag():
state.memory.store(proj.arch.DATA_BASE, 0x1337, endness='Iend_LE')
# input variables
for i in range(0, len(flag), 4):
state.memory.store(proj.arch.DATA_BASE + 0x10 + i, state.solver.BVV(ord(flag[i]), 8))
state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 1, state.solver.BVV(ord(flag[i+1]), 8))
state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 2, state.solver.BVV(ord(flag[i+2]), 8))
state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 3, state.solver.BVV(ord(flag[i+3]), 8))
state.memory.store(proj.arch.DATA_BASE + 0x10 + i, claripy.BVV(ord(flag[i]), 8))
state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 1, claripy.BVV(ord(flag[i+1]), 8))
state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 2, claripy.BVV(ord(flag[i+2]), 8))
state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 3, claripy.BVV(ord(flag[i+3]), 8))

# Execute until it returns
simgr.explore(find=(MAX_INSTR_ID * 8,))
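Review bot: The four hand-unrolled stores per iteration in `test_idea_correct_flag` (and the identical block in `test_idea_incorrect_flag`) index `flag[i+1]` through `flag[i+3]`, so they raise `IndexError` for any flag whose length is not a multiple of four. Since these lines are being touched anyway, a per-byte loop expresses the same stores without that assumption: `for i, ch in enumerate(flag):` followed by `state.memory.store(proj.arch.DATA_BASE + 0x10 + i, claripy.BVV(ord(ch), 8))`. Both test bodies begin and end outside the hunks.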
6 changes: 4 additions & 2 deletions tests/test_riscv.py
@@ -1,6 +1,8 @@
import os

import angr
import claripy

from angr_platforms.risc_v import *


@@ -15,8 +17,8 @@ def test_schoolbook_multiplication():

startState = proj.factory.call_state(targetAddress)

A = startState.solver.BVS("A",32)
B = startState.solver.BVS("B",32)
A = claripy.BVS("A",32)
B = claripy.BVS("B",32)
startState.memory.store(startState.regs.a0, A)
startState.memory.store(startState.regs.a1, B)

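Review bot: `startState.solver.BVS` is not a plain alias for `claripy.BVS`: as far as I know, angr's wrapper also fires the `symbolic_variable` inspect point and records the new variable in the state history, and the replacement on the `A`/`B` lines skips both. Nothing visible in `test_schoolbook_multiplication` relies on that, but the rest of the test is outside the hunk, so a one-line comment such as `# plain claripy symbols: no state-side tracking needed here` would record that the difference was considered. The `BVV`, `And` and comparison replacements elsewhere in the commit do not appear to carry any such state bookkeeping.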
