From d64c7c293cc7100e3e125f304fb62f12be841630 Mon Sep 17 00:00:00 2001
From: Kevin Phoenix
Date: Tue, 20 Aug 2024 16:11:50 -0700
Subject: [PATCH] Use claripy ops from claripy instead of solver (#73)

* Use claripy ops from claripy instead of solver

* Improve lint
---
 angr_platforms/ct64/ct64_angr.py   | 23 ++++++++++++++---------
 angr_platforms/ct64/ct64_engine.py | 10 +++++-----
 tests/test_bpf_idea.py             | 16 ++++++++--------
 tests/test_riscv.py                |  6 ++++--
 4 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/angr_platforms/ct64/ct64_angr.py b/angr_platforms/ct64/ct64_angr.py
index 65f4e50..6d8ef78 100644
--- a/angr_platforms/ct64/ct64_angr.py
+++ b/angr_platforms/ct64/ct64_angr.py
@@ -1,20 +1,25 @@
+import logging
+import struct
+
 import angr
+import archinfo
 import claripy
 import cle
-import archinfo
-import logging
-import struct
 
 from .ct64_engine import UberEngineWithCT64K
 
 l = logging.getLogger('angr.ct64k')
 
 def load_rom(rom):
-    return angr.Project(rom, main_opts={'backend': CT64KBlob, 'arch': ArchCT64K(), 'base_addr': 0x1000, 'entry_point': 0x1000}, engine=UberEngineWithCT64K)
+    return angr.Project(
+        rom,
+        main_opts={'backend': CT64KBlob, 'arch': ArchCT64K(), 'base_addr': 0x1000, 'entry_point': 0x1000},
+        engine=UberEngineWithCT64K
+    )
 
 class ArchCT64K(archinfo.Arch):
     def __init__(self, endness=archinfo.Endness.BE):
-        super(ArchCT64K, self).__init__(endness)
+        super().__init__(endness)
 
     name = 'CT64K'
     bits = 16
@@ -63,7 +68,7 @@ def __init__(self, project):
             0x200: (hard_200_rd, hard_200_wr),
             0x201: (hard_201_rd, hard_201_wr),
         }
-        super(SimCT64K, self).__init__(project, 'ct64k')
+        super().__init__(project, 'ct64k')
 
     def configure_project(self):
         pass
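Review bot: `load_rom` is reformatted in this hunk but still has no docstring, and the new multi-line `angr.Project(` call ends `engine=UberEngineWithCT64K` without a trailing comma, which is the one formatting detail the lint pass left behind and which `black`/`ruff format` will rewrite on the next run. I would add `"""Load a CT64K ROM image as an angr Project (CT64KBlob backend, base and entry at 0x1000)."""` and the trailing comma. The module logger `l = logging.getLogger('angr.ct64k')` stays in the hunk as context; PEP 8 (E741) discourages the single-letter name `l`, so `log` or `_l` would read better if the file is being tidied anyway.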
@@ -73,7 +78,7 @@ def state_blank(self, addr=None, **kwargs):
             addr = 0x1000
 
         permissions_backer = (True, {(0, 0xffff): 7})
-        state = super(SimCT64K, self).state_blank(addr=addr, permissions_backer=permissions_backer, **kwargs)
+        state = super().state_blank(addr=addr, permissions_backer=permissions_backer, **kwargs)
 
         state.register_plugin('registers', state.memory)
         state.memory.id = 'reg'
@@ -93,7 +98,7 @@ def state_entry(self, *args, **kwargs):
         return state
 
     def _hard_checker(self, state, addr):
-        crange = state.solver.And(addr >= 0x200, addr < 0x300)
+        crange = claripy.And(addr >= 0x200, addr < 0x300)
 
         if not state.solver.satisfiable(extra_constraints=(crange,)):
             return None
@@ -126,7 +131,7 @@ def hard_checker_wr(self, state):
 
 # output
 def hard_200_rd(state):
-    return state.solver.BVV(0, 16)
+    return claripy.BVV(0, 16)
 
 def hard_200_wr(state, v):
     state.posix.fd[1].write_data(v)
diff --git a/angr_platforms/ct64/ct64_engine.py b/angr_platforms/ct64/ct64_engine.py
index f385873..c22405b 100644
--- a/angr_platforms/ct64/ct64_engine.py
+++ b/angr_platforms/ct64/ct64_engine.py
@@ -81,7 +81,7 @@ def execute(self, state, successors):
 
         state.regs._ip += self.LEN
         state.memory.store(dest, value)
-        successors.add_successor(state, state.regs._ip, state.solver.true, 'Ijk_Boring')
+        successors.add_successor(state, state.regs._ip, claripy.true, 'Ijk_Boring')
 
     def value(self, state):
         raise NotImplementedError
@@ -171,7 +171,7 @@ class SR(Instruction2):
     NAME = 'SR'
 
     def value(self, state):
-        return state.solver.LShR(state.memory.load(self.rm, size=1), state.memory.load(self.mem, size=1))
+        return claripy.LShR(state.memory.load(self.rm, size=1), state.memory.load(self.mem, size=1))
 
 class SL(Instruction2):
     NAME = 'SL'
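Review bot: `_hard_checker` is undocumented, and the rewritten `crange` line only works when `addr` is a claripy bit-vector (a plain `int` would turn `addr >= 0x200` into a Python bool before `claripy.And` sees it); the old `state.solver.And` had the same requirement, so this is a documentation gap rather than a regression. A docstring would pin the contract down, e.g. `"""Hardware-port check: return None when *addr* (presumably a 16-bit BV) cannot lie in 0x200..0x2FF; the range test is passed as an extra constraint and never added to the state."""`. The non-None path of the method continues past the end of the hunk, so the docstring's second half has to be completed from there.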
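Review bot: `hard_200_rd` now returns a constant `claripy.BVV(0, 16)` while `hard_200_wr` pushes `v` to fd 1, so port 0x200 is write-only from the guest's side and reads back as zero, but the only explanation is the bare `# output` comment above. A docstring on each would make the pair self-describing: `"""Read side of the output port: always 0, the port is write-only."""` and `"""Write *v* (presumably a 16-bit value) to stdout via fd 1."""`.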
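Review bot: The rewritten `SR.value` returns `claripy.LShR(...)`, a logical zero-fill shift, whereas claripy's `>>` operator is the arithmetic (sign-extending) shift; nothing at the call site records that this distinction is deliberate, and the same choice is invisible in the `SL` class that starts at the end of the hunk. I would add `# logical (zero-fill) shift; claripy's >> would sign-extend` above the return. Both operands are loaded with `size=1`; whether that is one 16-bit word or one byte depends on the memory's byte width, which is not visible here, and is worth stating in the same comment.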
@@ -206,7 +206,7 @@ def execute(self, state, successors):
 
         jumpkind = 'Ijk_Exit' if self.NAME == 'HF' and state.solver.is_true(self.imm == successors.addr) else 'Ijk_Boring'
         successors.add_successor(yes_state, self.imm, guard, jumpkind)
-        successors.add_successor(no_state, state.solver.BVV(successors.addr + self.LEN, 16), state.solver.Not(guard), jumpkind)
+        successors.add_successor(no_state, claripy.BVV(successors.addr + self.LEN, 16), claripy.Not(guard), jumpkind)
 
     def condition(self, state):
         raise NotImplementedError
@@ -215,13 +215,13 @@ class JG(InstructionJump):
     NAME = 'JG'
 
     def condition(self, state):
-        return state.solver.UGT(state.memory.load(self.rm, size=1), state.memory.load(self.mem, size=1))
+        return claripy.UGT(state.memory.load(self.rm, size=1), state.memory.load(self.mem, size=1))
 
 class JL(InstructionJump):
     NAME = 'JL'
 
     def condition(self, state):
-        return state.solver.ULT(state.memory.load(self.rm, size=1), state.memory.load(self.mem, size=1))
+        return claripy.ULT(state.memory.load(self.rm, size=1), state.memory.load(self.mem, size=1))
 
 class JQ(InstructionJump):
     NAME = 'JQ'
diff --git a/tests/test_bpf_idea.py b/tests/test_bpf_idea.py
index f76f3c9..ed24097 100644
--- a/tests/test_bpf_idea.py
+++ b/tests/test_bpf_idea.py
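Review bot: The not-taken successor on the rewritten `add_successor(no_state, ...)` line inherits `jumpkind`, which is `'Ijk_Exit'` whenever an `HF` targets its own address; the fall-through state, guarded by `claripy.Not(guard)`, continues at `successors.addr + self.LEN` and should presumably stay `'Ijk_Boring'`, otherwise a symbolic condition dead-ends the continuing path along with the halting one. If that reading is right, the line becomes `successors.add_successor(no_state, claripy.BVV(successors.addr + self.LEN, 16), claripy.Not(guard), 'Ijk_Boring')`. The fall-through address is also derived from `successors.addr` rather than the instruction's own address, which only holds if each instruction is lifted as its own block; a one-line comment stating that assumption would help. `execute`'s body begins outside the hunk.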
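Review bot: `JG` and `JL` now spell out an unsigned comparison (`claripy.UGT`/`claripy.ULT`) with nothing at the definition saying that is the intended semantics; if the CT64K ISA defines these branches as signed, the forms would be `claripy.SGT`/`claripy.SLT` instead. I would put `# unsigned compare -- confirm against the CT64K spec` above each `condition`, or a one-line class docstring on `JG` and `JL`. The hunk ends at `NAME = 'JQ'`, so `JQ.condition` is outside it.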
@@ -25,10 +25,10 @@ def test_idea_correct_flag():
     state.memory.store(proj.arch.DATA_BASE, 0x1337, endness='Iend_LE')
     # input variables
     for i in range(0, len(flag), 4):
-        state.memory.store(proj.arch.DATA_BASE + 0x10 + i, state.solver.BVV(ord(flag[i]), 8))
-        state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 1, state.solver.BVV(ord(flag[i+1]), 8))
-        state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 2, state.solver.BVV(ord(flag[i+2]), 8))
-        state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 3, state.solver.BVV(ord(flag[i+3]), 8))
+        state.memory.store(proj.arch.DATA_BASE + 0x10 + i, claripy.BVV(ord(flag[i]), 8))
+        state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 1, claripy.BVV(ord(flag[i+1]), 8))
+        state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 2, claripy.BVV(ord(flag[i+2]), 8))
+        state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 3, claripy.BVV(ord(flag[i+3]), 8))
 
     # Execute until it returns
     simgr.explore(find=(MAX_INSTR_ID * 8,))
@@ -54,10 +54,10 @@ def test_idea_incorrect_flag():
     state.memory.store(proj.arch.DATA_BASE, 0x1337, endness='Iend_LE')
     # input variables
     for i in range(0, len(flag), 4):
-        state.memory.store(proj.arch.DATA_BASE + 0x10 + i, state.solver.BVV(ord(flag[i]), 8))
-        state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 1, state.solver.BVV(ord(flag[i+1]), 8))
-        state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 2, state.solver.BVV(ord(flag[i+2]), 8))
-        state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 3, state.solver.BVV(ord(flag[i+3]), 8))
+        state.memory.store(proj.arch.DATA_BASE + 0x10 + i, claripy.BVV(ord(flag[i]), 8))
+        state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 1, claripy.BVV(ord(flag[i+1]), 8))
+        state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 2, claripy.BVV(ord(flag[i+2]), 8))
+        state.memory.store(proj.arch.DATA_BASE + 0x10 + i + 3, claripy.BVV(ord(flag[i+3]), 8))
 
     # Execute until it returns
     simgr.explore(find=(MAX_INSTR_ID * 8,))
diff --git a/tests/test_riscv.py b/tests/test_riscv.py
index 0f24a2e..778c276 100644
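Review bot: The four rewritten `memory.store` lines in `test_idea_correct_flag` (and the identical four in `test_idea_incorrect_flag`, the next hunk) unroll one byte per line and index `flag[i+1]`..`flag[i+3]`, which raises `IndexError` for any `flag` whose length is not a multiple of 4; nothing in the hunk shows that length being guaranteed. Each store is a single byte at a consecutive address, so the loop reduces to `for i, ch in enumerate(flag):` followed by `state.memory.store(proj.arch.DATA_BASE + 0x10 + i, claripy.BVV(ord(ch), 8))`, which drops the length assumption along with the four near-duplicate lines. Both test functions begin outside their hunks.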
--- a/tests/test_riscv.py
+++ b/tests/test_riscv.py
@@ -1,6 +1,8 @@
 import os
 import angr
 
+import claripy
+
 from angr_platforms.risc_v import *
 
 
@@ -15,8 +17,8 @@ def test_schoolbook_multiplication():
 
     startState = proj.factory.call_state(targetAddress)
 
-    A = startState.solver.BVS("A",32)
-    B = startState.solver.BVS("B",32)
+    A = claripy.BVS("A",32)
+    B = claripy.BVS("B",32)
 
     startState.memory.store(startState.regs.a0, A)
     startState.memory.store(startState.regs.a1, B)
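Review bot: `claripy.BVS` is not a strict drop-in for `startState.solver.BVS` on the two replaced lines: the SimSolver wrapper also fires the `symbolic_variable` inspect breakpoint and registers the variable with the state, which the bare claripy constructor does not, so the variables no longer show up through the solver plugin's tracking. The test appears to use `A` and `B` directly, so this is probably harmless here, but a comment would stop the pattern being copied into engine code: `# plain claripy.BVS: not registered with the state's solver plugin`. Separately, the two `memory.store` calls below write 32-bit symbolic values without an explicit `endness`; angr's memory default is big-endian, so on RISC-V the guest would read byte-swapped `A`/`B` unless the rest of the test, which lies outside the hunk, accounts for it.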