
Commit e762205

committed
Add lunarrelaysat.py as test
1 parent 1db4808 commit e762205


1 file changed

+94
-0
lines changed


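--- /dev/null
+++ b/tests/lunarrelaysat.py
@@ -0,0 +1,94 @@
+import cozy
+import angr
+import claripy
+
+proj_prepatched = cozy.project.Project('test_programs/LunarRelaySat/rr.so')
+proj_goodpatch = cozy.project.Project('test_programs/LunarRelaySat/rr-good-incorrect-stack.so')
+
+MAX_NUM_PACKETS = 11
+
+packets = [claripy.BVS('packet_body', 300 * 8) for m in range(MAX_NUM_PACKETS)]
+recvfrom_ret = [claripy.BVS('recvfrom_ret', 32) for n in range(MAX_NUM_PACKETS)]
+
+GHIDRA_OFFSET = 0x3f0000
+
+ALLOCATE_ADDR = 0x2335C + GHIDRA_OFFSET
+class CFE_SB_AllocateMessageBuffer(angr.SimProcedure):
+    def run(self, size):
+        return self.state.heap._malloc(size)
+
+RECV_FROM_ADDR = 0x232c4 + GHIDRA_OFFSET
+class OS_SocketRecvFrom(angr.SimProcedure):
+    def run(self, socket_id, buffer, max_size, src_addr, addr_len):
+        i = self.state.globals['packet_i']
+        self.state.memory.store(buffer, packets[i])
+        ret = recvfrom_ret[i]
+        self.state.solver.add(ret <= 300)
+        self.state.globals['packet_i'] += 1
+        return ret
+
+SEND_EVENT_ADDR = 0x2323c + GHIDRA_OFFSET
+class CFE_EVS_SendEvent(angr.SimProcedure):
+    def run(self):
+        return 0
+
+PERF_LOG_ADD_ADDR = 0x23244 + GHIDRA_OFFSET
+class CFE_ES_PerfLogAdd(angr.SimProcedure):
+    def run(self):
+        pass
+
+GET_AP_ID_ADDR = 0x232bc + GHIDRA_OFFSET
+class CFE_MSG_GetApId(angr.SimProcedure):
+    def run(self):
+        return 0
+
+TRANSMIT_BUFFER_ADDR = 0x2322c + GHIDRA_OFFSET
+class CFE_SB_TransmitBuffer(angr.SimProcedure):
+    def run(self, buffer, is_origination):
+        buffer_contents = self.state.memory.load(buffer, 300)
+        cozy.side_effect.perform(self.state, 'transmit-buffer', buffer_contents)
+        return 0
+
+TO_HEX_ADDR = 0x23304 + GHIDRA_OFFSET
+class RR_tohex(angr.SimProcedure):
+    def run(self):
+        pass
+
+def run(proj: cozy.project.Project):
+    proj.add_prototype('RR_ReadTlmInput', 'void RR_ReadTlmInput()')
+    proj.add_prototype(ALLOCATE_ADDR, 'void *CFE_SB_AllocateMessageBuffer(int size)')
+    proj.add_prototype(RECV_FROM_ADDR, 'unsigned int OS_SocketRecvFrom(int sockfd, void *buf, unsigned int len, void *src_addr, void *addr_len)')
+
+    proj.hook_symbol(ALLOCATE_ADDR, CFE_SB_AllocateMessageBuffer, replace=True)
+    proj.hook_symbol(RECV_FROM_ADDR, OS_SocketRecvFrom, replace=True)
+    proj.hook_symbol(SEND_EVENT_ADDR, CFE_EVS_SendEvent, replace=True)
+    proj.hook_symbol(PERF_LOG_ADD_ADDR, CFE_ES_PerfLogAdd, replace=True)
+    proj.hook_symbol(GET_AP_ID_ADDR, CFE_MSG_GetApId, replace=True)
+    proj.hook_symbol(TRANSMIT_BUFFER_ADDR, CFE_SB_TransmitBuffer, replace=True)
+    proj.hook_symbol(TO_HEX_ADDR, RR_tohex, replace=True)
+
+    sess = proj.session('RR_ReadTlmInput')
+
+    def mutate_init_i(state):
+        state.regs.r9 = claripy.BVV(0x9, 32)
+    # If you don't want to use a loop_bound, then we can instead directly change the loop counter to a larger number
+    # so that it iterates less times.
+    #sess.add_directives(cozy.directive.Breakpoint.from_fun_offset(proj, 'RR_ReadTlmInput', 0x2c, mutate_init_i))
+
+    sess.state.globals['packet_i'] = 0
+
+    return sess.run([], loop_bound=3)
+
+results_prepatched = run(proj_prepatched)
+results_goodpatch = run(proj_goodpatch)
+
+comparison_results = cozy.analysis.Comparison(results_prepatched, results_goodpatch)
+
+cozy.execution_graph.dump_comparison(proj_prepatched, proj_goodpatch,
+                                     results_prepatched, results_goodpatch,
+                                     comparison_results,
+                                     include_actions=True,
+                                     include_side_effects=True,
+                                     output_file="cmp_lunar_relay_sat.json",
+                                     args={"recvfrom_ret": recvfrom_ret, "packets": packets},
+                                     num_examples=2)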
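Review bot: The OS_SocketRecvFrom stub (hunk lines 22-28) ignores its max_size argument: it always stores the full 300-byte packets[i] at buffer and only constrains ret <= 300, whereas the real call never writes more than len bytes, so if the program passes a buffer smaller than 300 bytes the stub itself overruns it and the comparison may attribute that memory divergence to the patch. Tightening the stub to `self.state.solver.add(ret <= 300, ret <= max_size)` and storing only what the caller asked for (e.g. bounding the store by max_size when it is concrete) keeps the model consistent with the declared prototype. The 'packet_i' counter is also read without a bound check, so any run that reaches more than MAX_NUM_PACKETS calls raises an IndexError inside the stub rather than a clear test failure; a guard such as `if i >= MAX_NUM_PACKETS: raise RuntimeError("more recvfrom calls than modelled packets")` would make that explicit. Finally, the prototype declares OS_SocketRecvFrom as returning unsigned int while the symbolic return is only constrained to be at most 300, so error paths of the real function are not represented by this model; a one-line comment above the stub stating that assumption would help readers of the comparison output.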
