[DEPRECATED] A symbolic execution engine for the VEX IR
License: BSD 2-Clause "Simplified" License
Got this error doing a large CFG. Here is the simplified code:
load_options = { 'auto_load_libs': False, 'main_opts': { 'custom_entry_point': ENTRYPOINT } }
p = angr.Project(path , load_options=load_options)
cfg = p.analyses.CFG( starts=(ENTRYPOINT,), keep_state=False, context_sensitivity_level=1, enable_advanced_backward_slicing=False, enable_symbolic_back_traversal=True )Exception:
---------------------------------------------------------------------------
TypeError Traceback (most recent call last)
/home/w/proj/hoff/go3.py in <module>()
132
133 if __name__ == '__main__':
--> 134 main()
135
/home/w/proj/hoff/go3.py in main()
94
95
---> 96 cfg = p.analyses.CFG( starts=(ENTRYPOINT,), keep_state=False, context_sensitivity_level=1, enable_advanced_backward_slicing=False, enable_symbolic_back_traversal=True )
97 #cfg = p.analyses.CFG( starts=(addr,) )
98 # cfg = p.analyses.CFG(
/home/w/proj/hoff/angr-dev/angr/lib/python2.7/site-packages/angr/analysis.pyc in make_analysis(*args, **kwargs)
85 oself.kb = kb
86
---> 87 oself.__init__(*args, **kwargs)
88 return oself
89
/home/w/proj/hoff/angr-dev/angr/lib/python2.7/site-packages/angr/analyses/cfg_accurate.pyc in __init__(self, context_sensitivity_level, start, avoid_runs, enable_function_hints, call_depth, call_tracing_filter, initial_state, starts, keep_state, enable_
advanced_backward_slicing, enable_symbolic_back_traversal, additional_edges, no_construct)
133
134 if not no_construct:
--> 135 self._analyze()
136
137 #
/home/w/proj/hoff/angr-dev/angr/lib/python2.7/site-packages/angr/analyses/forward_analysis.pyc in _analyze(self)
119 entry = self._entries.pop()
120
--> 121 self._handle_entry(entry)
122
123 # Short-cut for aborting the analysis
/home/w/proj/hoff/angr-dev/angr/lib/python2.7/site-packages/angr/analyses/forward_analysis.pyc in _handle_entry(self, entry)
142
143 try:
--> 144 self._pre_entry_handling(entry, _locals)
145 except AngrForwardAnalysisSkipEntry:
146 return
/home/w/proj/hoff/angr-dev/angr/lib/python2.7/site-packages/angr/analyses/cfg_accurate.pyc in _pre_entry_handling(self, entry, _locals)
936
937 # Get a SimRun out of current SimExit
--> 938 simrun, error_occurred, _ = self._get_simrun(addr, path, current_function_addr=func_addr)
939 if simrun is None or should_skip:
940 # We cannot retrieve the SimRun, or we should skip the analysis of this node
/home/w/proj/hoff/angr-dev/angr/lib/python2.7/site-packages/angr/analyses/cfg_accurate.pyc in _get_simrun(self, addr, current_entry, current_function_addr)
2266 jumpkind = state.scratch.jumpkind
2267 jumpkind = 'Ijk_Boring' if jumpkind is None else jumpkind
-> 2268 sim_run = self.project.factory.sim_run(current_entry.state, jumpkind=jumpkind)
2269
2270 except (simuvex.SimFastPathError, simuvex.SimSolverModeError) as ex:
/home/w/proj/hoff/angr-dev/angr/lib/python2.7/site-packages/angr/factory.pyc in sim_run(self, state, addr, jumpkind, **block_opts)
129 else:
130 l.debug("Creating SimIRSB at %#x", addr)
--> 131 r = self.sim_block(state, addr=addr, **block_opts)
132
133 return r
/home/w/proj/hoff/angr-dev/angr/lib/python2.7/site-packages/angr/factory.pyc in sim_block(self, state, stmt_whitelist, last_stmt, addr, opt_level, **block_opts)
75 addr=addr,
76 whitelist=stmt_whitelist,
---> 77 last_stmt=last_stmt)
78
79 def sim_run(self, state, addr=None, jumpkind=None, **block_opts):
/home/w/proj/hoff/angr-dev/simuvex/simuvex/vex/irsb.pyc in __init__(self, state, irsb, irsb_id, whitelist, last_stmt, **kwargs)
65 self.state.release_plugin('solver_engine')
66
---> 67 self._handle_irsb()
68
69 # It's for debugging
/home/w/proj/hoff/angr-dev/simuvex/simuvex/vex/irsb.pyc in _handle_irsb(self)
95 # handle the statements
96 try:
---> 97 self._handle_statements()
98 except (SimSolverError, SimMemoryAddressError):
99 l.warning("%s hit an error while analyzing statement %d", self, self.state.scratch.stmt_idx, exc_info=True)
/home/w/proj/hoff/angr-dev/simuvex/simuvex/vex/irsb.pyc in _handle_statements(self)
221 # process it!
222 self.state._inspect('statement', BP_BEFORE, statement=stmt_idx)
--> 223 s_stmt = translate_stmt(self.irsb, stmt_idx, self.last_imark, self.state)
224 if s_stmt is not None:
225 self.state.log.extend_actions(s_stmt.actions)
/home/w/proj/hoff/angr-dev/simuvex/simuvex/vex/statements/__init__.pyc in translate_stmt(irsb, stmt_idx, imark, state)
29 stmt_class = globals()[stmt_name]
30 s = stmt_class(irsb, stmt_idx, imark, state)
---> 31 s.process()
32 return s
33 else:
/home/w/proj/hoff/angr-dev/simuvex/simuvex/vex/statements/base.pyc in process(self)
24
25 # this is where we would choose between different analysis modes
---> 26 self._execute()
27
28 del self.stmt
/home/w/proj/hoff/angr-dev/simuvex/simuvex/vex/statements/cas.pyc in _execute(self)
19 # read the old values
20 old_cnt = self.state.memory.load(addr.expr, len(expd_lo.expr)*2/8, endness=self.stmt.endness)
---> 21 old_hi, old_lo = old_cnt.chop(bits=len(expd_lo))
22 self.state.scratch.store_tmp(self.stmt.oldLo, old_lo)
23 self.state.scratch.store_tmp(self.stmt.oldHi, old_hi)
TypeError: object of type 'SimIRExpr_RdTmp' has no len()def dbg_print(self, indent=0): """ Print out debugging information. """ lst = [] more_data = False for i, addr in enumerate(self.mem.iterkeys()):
error when calling iterkeys.
keys work.
Hi,
I am trying to execute a small program that calls atoi on argv[1]:
/* smaller_prog.c */
#include <stdio.h>
int main(int argc, char **argv)
{
int count = atoi(argv[1]);
printf("GOT: %d\n", count);
return 0;
}I compiled it for 32 bits:
$ gcc-5 -m32 smaller_prog.c -o smaller_prog
I am running it using the following example Angr script:
#!/usr/bin/env python
import angr
import claripy
import code
# Project
b = angr.Project('./smaller_prog')
# Make arguments symbolic
arg1 = "1073741813"
#arg1 = "107374181"
st = b.factory.entry_state(args=['./smaller_prog', arg1])
# Create a path group
pg = b.factory.path_group(st)
pg.explore(find=lambda p: "GOT" in p.state.posix.dumps(1))
print pg
code.interact(local=locals())The script sets argv[1] to a large decimal number and tries to find a path where a string containing "GOT" is printed. When I run the script, I get the following:
$ python example.py
<PathGroup with 1 errored>
but if I remove one of the digits in arg1 (e.g. if uncomment line 11 in the script), then Angr finds a path:
$ python example.py
<PathGroup with 1 found>
>>> pg.found[0].state.posix.dumps(1)
'GOT: 107374181\n'
As far as I can tell, the path in the failing run is errored because the constraints generated by atoi are unsatisfiable for the longer input. I have tested with and without the printf and in every situation where the output of atoi is used, the path is either errored or unsatisfied. I've attached the output generated by pg.errored[0].retry() to this issue.
I am assuming that this is an implementation issue in simuvex, my apologies if it's an Angr problem (or if I'm doing something wrong).
Hey,
So I'm trying to add a simuvex call for fclose. The basics are simple, but I'm also suggesting changing the posix.py module to include a "fd_closed" list that will be used to track when fds get closed. The obvious problem with the way files appear to be handled now is that they're simply removed, so "closing" a file isn't really what one would want from a simulation.
I've done most of the work for an initial handling of it in this way, however the fd_closed list that I create in posix init doesn't appear to get passed on through execution. I've tried adding the following:
self.fd_closed = [] if fd_closed is None else fd_closed
and adding fd_close=None in the init, but that doesn't propagate it. Help?
Making a brief detour into windows land i found errors when running the binary that related to an instruction not supported:
In [7]: pg.errored[0].error
Out[7]: angr.errors.AngrExitError('IR decoding error at 0x401d24. You can hook this instruction with a python replacement using project.hook(0x401d24, your_function, length=length_of_instruction).')Turns out the command was bnd retn. Bytes as \xf2\xc3
I'm trying to add a simuvex plugin the following way:
#! /usr/bin/env python
import angr
import simuvex
from simuvex import SimStatePlugin
class SimStateTest(SimStatePlugin):
def __init__(self):
SimStatePlugin.__init__(self)
def copy(self):
regs = self.state.regs
print regs.ip
print regs.eax
return SimStateTest()
def merge(self, others, flag, flag_values):
return False, [ ]
def widen(self, others, flag, flag_values):
return False
def clear(self):
pass
if __name__ == "__main__":
proj = angr.Project("./a", load_options={'auto_load_libs':False}) #, 'main_opts': {'custom_base_addr': 0x0}})
main = proj.loader.main_bin.get_symbol("main")
start_state = proj.factory.blank_state(addr=main.addr, plugins={'test':SimStateTest()})
start_state.stack_push(0x0)
cfg = proj.analyses.CFG(fail_fast=True, starts=[main.addr], initial_state=start_state, context_sensitivity_level=3, keep_state=True, call_depth=5)It works fine. If I remove the # in front of print regs.eax in the copy function, I get the following error:
Traceback (most recent call last):
File "test.py", line 39, in <module>
cfg = proj.analyses.CFG(fail_fast=True, starts=[main.addr], initial_state=start_state, context_sensitivity_level=3, keep_state=True, call_depth=5)
File "/usr/local/lib/python2.7/dist-packages/angr/analysis.py", line 87, in make_analysis
oself.__init__(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/angr/analyses/cfg_accurate.py", line 135, in __init__
self._analyze()
File "/usr/local/lib/python2.7/dist-packages/angr/analyses/forward_analysis.py", line 121, in _analyze
self._handle_entry(entry)
File "/usr/local/lib/python2.7/dist-packages/angr/analyses/forward_analysis.py", line 144, in _handle_entry
self._pre_entry_handling(entry, _locals)
File "/usr/local/lib/python2.7/dist-packages/angr/analyses/cfg_accurate.py", line 933, in _pre_entry_handling
simrun, error_occurred, _ = self._get_simrun(addr, path, current_function_addr=func_addr)
File "/usr/local/lib/python2.7/dist-packages/angr/analyses/cfg_accurate.py", line 2252, in _get_simrun
sim_run = self.project.factory.sim_run(current_entry.state, jumpkind=jumpkind)
File "/usr/local/lib/python2.7/dist-packages/angr/factory.py", line 131, in sim_run
r = self.sim_block(state, addr=addr, **block_opts)
File "/usr/local/lib/python2.7/dist-packages/angr/factory.py", line 77, in sim_block
last_stmt=last_stmt)
File "/usr/local/lib/python2.7/dist-packages/simuvex-4.6.3.15-py2.7.egg/simuvex/vex/irsb.py", line 33, in __init__
SimRun.__init__(self, state, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/simuvex-4.6.3.15-py2.7.egg/simuvex/s_run.py", line 18, in __init__
self.state = self.initial_state.copy()
File "/usr/local/lib/python2.7/dist-packages/simuvex-4.6.3.15-py2.7.egg/simuvex/s_state.py", line 329, in copy
c_plugins = self._copy_plugins()
File "/usr/local/lib/python2.7/dist-packages/simuvex-4.6.3.15-py2.7.egg/simuvex/s_state.py", line 318, in _copy_plugins
return { n: p.copy() for n,p in self.plugins.iteritems() }
File "/usr/local/lib/python2.7/dist-packages/simuvex-4.6.3.15-py2.7.egg/simuvex/s_state.py", line 318, in <dictcomp>
return { n: p.copy() for n,p in self.plugins.iteritems() }
RuntimeError: dictionary changed size during iteration
CFGAccurate raises a KeyError due to this change
Test:
#!/usr/bin/python2
import angr
#https://github.com/legitbs/quals-2016/tree/master/step
p = angr.Project('step')
main = 0x400fa6
cfg = p.analyses.CFGAccurate(start=main)
Execution:
Traceback (most recent call last):
File "./test.py", line 6, in <module>
p = angr.Project('step')
File "/usr/lib/python2.7/site-packages/angr/project.py", line 162, in __init__
self._simos.configure_project()
File "/usr/lib/python2.7/site-packages/angr/simos.py", line 193, in configure_project
super(SimLinux, self).configure_project()
File "/usr/lib/python2.7/site-packages/angr/simos.py", line 50, in configure_project
self.proj.loader.perform_irelative_relocs(irelative_resolver)
File "/usr/lib/python2.7/site-packages/cle-4.6.4.28-py2.7.egg/cle/loader.py", line 799, in perform_irelative_relocs
val = resolver_func(resolver)
File "/usr/lib/python2.7/site-packages/angr/simos.py", line 39, in irelative_resolver
val = resolver()
File "/usr/lib/python2.7/site-packages/angr/surveyors/caller.py", line 52, in __call__
return self.result_state.se.simplify(self._cc.get_return_val(self.result_state, stack_base=self.result_state.regs.sp - self._cc.STACKARG_SP_DIFF))
File "/usr/lib/python2.7/site-packages/simuvex-4.6.5.27-py2.7.egg/simuvex/s_cc.py", line 498, in get_return_val
if self.is_fp_arg(loc) or self.is_fp_value(val) or isinstance(ty, s_type.SimTypeFloat):
File "/usr/lib/python2.7/site-packages/simuvex-4.6.5.27-py2.7.egg/simuvex/s_cc.py", line 299, in is_fp_arg
if arg in self.fp_args or arg == self.FP_RETURN_VAL:
File "/usr/lib/python2.7/site-packages/simuvex-4.6.5.27-py2.7.egg/simuvex/s_cc.py", line 286, in fp_args
yield SimRegArg(reg, self.arch.registers[reg][1])
KeyError: 'xmm0'Folks,
Messing around w/ a CTF chal and noticed that the "enter" routine for this binary wasn't correctly handled in this case. This is a 32-bit Windows PE file that I've manually set up state and started in the middle.
Here's an example:
sub_403B04 proc near
arg_0= dword ptr 8
arg_4= dword ptr 0Ch
arg_8= dword ptr 10h
enter 0, 0
push [ebp+arg_8]
call sub_4011CF
push [ebp+arg_0]
push [ebp+arg_4]
call sub_401000
call sub_40126F
leave
retn 0Ch
sub_403B04 endpThat "enter 0,0" was throwing off angr. The following hook appears to correctly update the behavior:
def enter(s):
s.stack_push(s.regs.ebp)
s.regs.ebp = s.regs.espMaybe this is something for pyvex? Dunno. Regardless, it seems like it should be a fairly easy update.
As angr grows to emulate more environments, we need to genericize the ability for a program to interact with its environment.
Two options:
posix to supervisor and allow the plugin to implement its own logic for the things like file read/write, the program break, etcposix to environment and move all the logic into syscallls, making the plugin a pure storage mechanism. This would involve making library functions that currently call directly into posix for syscall functionality instead of performing a syscall directly, something that I would kind of like to happen anyway.other options would be appreciated :)
When trying to emulate an RCL instruction (x64) simuVEX throws an exception as the corresponding semantics aren't implemented.
The problem is at simuvex/s_type.py#L748.
see also angr/pyvex#54
Running simuvex and a debugger in parallell, I want to build constraints for a specific variable but I have access to state [before and after each instruction] based on a specific value for that variable.
Is there a way to make simuvex request / give simuvex values to variables[or better yet, part of variables] that are not dependent on the symbolic variable in order to speed up execution?
The SimProcedure as of now just directly interprets and executes the ret_instruction of the current ArchInfo to emulate a return from a procedure call. While this quirk may be acceptable for most situations, it may cause errors on architectures where the interpretation of instruction data depends on the current state of the processor -- one example being the AArch32 architecture where ARM and Thumb mode can coexist in a single task / context, so that the ret_instruction bx lr (\x1e\xff\x2f\xe1) would be incorrectly interpreted as vrhadd.u16 d14, d14, d31 if the state was in the Thumb mode.
Following all instructions from "Development install" section
git clone https://github.com/angr/angr-dev
cd angr-dev
mkvirtualenv angr
./setup.sh
I got
Running setup.py develop for simuvex
Running command /home/timcess/.virtualenvs/angr/bin/python2 -c "import setuptools, tokenize;__file__='/home/timcess/utils/angr-dev/simuvex/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" develop --no-deps
running develop
Building sim_unicorn
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/home/timcess/utils/angr-dev/simuvex/setup.py", line 76, in <module>
'simuvex': ['lib/*']
File "/usr/lib/python2.7/distutils/core.py", line 151, in setup
dist.run_commands()
File "/usr/lib/python2.7/distutils/dist.py", line 953, in run_commands
self.run_command(cmd)
File "/usr/lib/python2.7/distutils/dist.py", line 972, in run_command
cmd_obj.run()
File "/home/timcess/utils/angr-dev/simuvex/setup.py", line 47, in run
self.execute(_build_sim_unicorn, (), msg='Building sim_unicorn')
File "/usr/lib/python2.7/distutils/cmd.py", line 349, in execute
util.execute(func, args, msg, dry_run=self.dry_run)
File "/usr/lib/python2.7/distutils/util.py", line 309, in execute
func(*args)
File "/home/timcess/utils/angr-dev/simuvex/setup.py", line 19, in _build_sim_unicorn
import pyvex
File "/home/timcess/utils/angr-dev/pyvex/pyvex/__init__.py", line 29, in <module>
pvc = _find_c_lib()
File "/home/timcess/utils/angr-dev/pyvex/pyvex/__init__.py", line 21, in _find_c_lib
ffi.cdef(_ffi_str)
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/cffi/api.py", line 105, in cdef
self._cdef(csource, override=override, packed=packed)
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/cffi/api.py", line 119, in _cdef
self._parser.parse(csource, override=override, **options)
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/cffi/cparser.py", line 299, in parse
self._internal_parse(csource)
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/cffi/cparser.py", line 304, in _internal_parse
ast, macros, csource = self._parse(csource)
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/cffi/cparser.py", line 260, in _parse
ast = _get_parser().parse(csource)
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/cffi/cparser.py", line 40, in _get_parser
_parser_cache = pycparser.CParser()
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/pycparser/c_parser.py", line 87, in __init__
outputdir=taboutputdir)
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/pycparser/c_lexer.py", line 66, in build
self.lexer = lex.lex(object=self, **kwargs)
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/pycparser/ply/lex.py", line 911, in lex
lexobj.readtab(lextab, ldict)
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/pycparser/ply/lex.py", line 233, in readtab
titem.append((re.compile(pat, lextab._lexreflags | re.VERBOSE), _names_to_funcs(func_name, fdict)))
File "/home/timcess/.virtualenvs/angr/lib/python2.7/re.py", line 194, in compile
return _compile(pattern, flags)
File "/home/timcess/.virtualenvs/angr/lib/python2.7/re.py", line 249, in _compile
p = sre_compile.compile(pattern, flags)
File "/home/timcess/.virtualenvs/angr/lib/python2.7/sre_compile.py", line 583, in compile
"sorry, but this version only supports 100 named groups"
AssertionError: sorry, but this version only supports 100 named groups
Cleaning up...
Removing source in /tmp/pip-build-L9GIGl/distribute
Command "/home/timcess/.virtualenvs/angr/bin/python2 -c "import setuptools, tokenize;__file__='/home/timcess/utils/angr-dev/simuvex/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" develop --no-deps" failed with error code 1 in /home/timcess/utils/angr-dev/simuvex/
Exception information:
Traceback (most recent call last):
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/pip/basecommand.py", line 215, in main
status = self.run(options, args)
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/pip/commands/install.py", line 317, in run
prefix=options.prefix_path,
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/pip/req/req_set.py", line 742, in install
**kwargs
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/pip/req/req_install.py", line 825, in install
install_options, global_options, prefix=prefix)
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/pip/req/req_install.py", line 981, in install_editable
show_stdout=False)
File "/home/timcess/.virtualenvs/angr/local/lib/python2.7/site-packages/pip/utils/__init__.py", line 718, in call_subprocess
% (command_desc, proc.returncode, cwd))
InstallationError: Command "/home/timcess/.virtualenvs/angr/bin/python2 -c "import setuptools, tokenize;__file__='/home/timcess/utils/angr-dev/simuvex/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" develop --no-deps" failed with error code 1 in /home/timcess/utils/angr-dev/simuvex/
This error occured on two different machines. It's probably new one because a couple of days ago I builded angr-dev with no problem at all.
Hello!
I have a question about memoy.store() method and memcpy SimProcedure.
From simuvex documentation:
store(addr, data, size=None, condition=None, add_constraints=None, endness=None, action=None, inspect=True, priv=None)
Stores content into memory.Parameters:
sizeโ A claripy expression representing the size of the data to store.
and simuvex/procedures/libc___so___6/memcpy.py contains:
if conditional_size > 0:
src_mem = self.state.memory.load(src_addr, conditional_size, endness='Iend_BE')
if ABSTRACT_MEMORY in self.state.options:
self.state.memory.store(dst_addr, src_mem, size=conditional_size, endness='Iend_BE')
else:
l.debug("ABSTRACT_MEMORY disabled") # my logs
l.debug(self.state.se.eval(limit, 10)) #
self.state.memory.store(dst_addr, src_mem, size=limit, endness='Iend_BE')
For example, I tried to explore a code:
const int NAME_SIZE = 256;
char name[NAME_SIZE] = {0, };
read(0, name, NAME_SIZE);
std::string str = "Hii, ";
str.append(name);
and I got as result:
- log
...
DEBUG | 2016-11-17 15:36:15,138 | simuvex.procedures.libc.memcpy | Memcpy running with conditional_size 0x5
DEBUG | 2016-11-17 15:36:15,138 | simuvex.procedures.libc.memcpy | ABSTRACT_MEMORY disabled
DEBUG | 2016-11-17 15:36:15,138 | simuvex.procedures.libc.memcpy | (5L,)
...
DEBUG | 2016-11-17 15:37:49,325 | simuvex.procedures.libc.memcpy | Memcpy running with conditional_size 0x100
DEBUG | 2016-11-17 15:37:49,326 | simuvex.procedures.libc.memcpy | ABSTRACT_MEMORY disabled
DEBUG | 2016-11-17 15:38:06,919 | simuvex.procedures.libc.memcpy | (256L, 251L, 2L, 253L, 40L, 41L, 4L, 240L, 6L, 104L)
- memory.load
<BV8 104>, <BV8 105>, <BV8 105>, <BV8 44>, <BV8 32>, file_/dev/stdin_657_20_687_2048[7:0], <BV8 0>, <BV8 mem_c0000108_698_2048[63:56]> ...
I thought result be like that (I think, it'll be true if enabled ABSTRACT_MEMORY):
<BV8 104>, <BV8 105>, <BV8 105>, <BV8 44>, <BV8 32>, file_/dev/stdin_657_20_687_2048[7:0], file_/dev/stdin_657_20_687_2048[15:8], file_/dev/stdin_657_20_687_2048[23:16] ...
Thank you in advance!
UPD.
from acsac-course:
Hi,
while creating the CFG on ARM I encountered this error: arch_prctl has no attribute 'regs' within the file https://github.com/angr/simuvex/blob/fd80907da3affaaa51e5b6fd4b509efdaed96e84/simuvex/procedures/syscalls/arch_prctl.py.
I think a possible fix would be something like .self.state.regs.gs = addr rather than self.regs.regs.gs = addr. I tried with this patch applied and it worked but I'd wait your fix...
Thanks
I'm getting the following error for a binary:
Unsupported CCall x86g_calculate_RCR
Looks like RCR/RCL are not implemented. It's also not clear to me what parts would need to be changed to properly implement these assembly instructions. Seems like it shouldn't be hard, but not clear how to do it.
As previously mentioned in angr/cle#22 (comment), a Unicorn Engine plugin is in progress. Thought it would make sense to open up a GitHub issue in the proper repo so other people are aware.
@isra17 recently posted a neat benchmark showing angr vs. Unicorn. https://github.com/isra17/emu_test
Hi everyone,
While running patchrex, I am getting valueerror. I using command line as follows
python patch_master.py single /home/ronak/patchrex/myproj/cgc/patcherex-master/test_binaries/CADET_00003 stackretencryption /tmp/CADET_00003_stackretencryption
I am getting below error.
raise ValueError("Trying to store to location without specifying type")
ValueError: Trying to store to location without specifying type
Can anyone please help with it.
Thanks
Hi all,
I think your are already busy :), but is there any change that you would implement the following operations:
ERROR | 2017-02-25 06:33:06,901 | simuvex.vex.irop | Unsupported operation: Iop_SetV128lo64
ERROR | 2017-02-25 06:33:06,901 | simuvex.vex.irop | Unsupported operation: Iop_Sqrt64F0x2
I found also these operations to be unsupported for now:
ERROR | 2017-02-25 06:41:45,318 | simuvex.vex.irop | Unsupported operation: Iop_InterleaveHI8x16
ERROR | 2017-02-25 06:41:45,321 | simuvex.vex.irop | Unsupported operation: Iop_InterleaveHI16x8
ERROR | 2017-02-25 06:41:45,323 | simuvex.vex.irop | Unsupported operation: Iop_InterleaveHI32x4
Thanks
Currently IR optimization level (iropt_level) is a global setting. We should expose it as a per-block setting and we can pass the optimization level to pyvex.lift() as we wish.
Not sure if this is an issue or if I haven't set it up correctly. I've been trying to use Angr to complete the HITCON NPC challenge. When simulating through, I noticed that paths hitting the "repe cmpsb" at 0x400c9a were spinning MANY times (sometimes upwards of 600 before I stopped it). The actual assembly instruction should have only repeated 7 times.
There is a "rep stosq" in the path before it, and that rep instruction does loop the number of times that it should. This leads me to think that somehow the implementation of repe cmpsb in simuvex isn't accurate.
Hello again!
A while ago I asked about setting the flags register and got this answer: #31
Now I am wondering, can I create a constraint on the flags register? Or more specifically replace a symbolic flags register with a constant flags register using the replacement solver?
Thanks for a great tool and good support =)
My sample is: /usr/lib/firefox/firefox on a Ubuntu 14.04-3 32bit system.
I load it like this:
p = angr.Project(PATH_TO_SAMPLE, load_options={'auto_load_libs': False})
I create the control flow graph like this:
cfg = p.analyses.CFG(keep_state=False, fail_fast=True, context_sensitivity_level=0)
As output I get this:
WARNING | 2016-01-26 10:25:14,760 | simuvex.vex.irop | IROp error (for operation Iop_DivModU64to32)
Traceback (most recent call last):
File "/home/vagrant/.environments/angr/local/lib/python2.7/site-packages/simuvex/vex/irop.py", line 822, in translate
return operations[op].calculate( *s_args)
File "/home/vagrant/.environments/angr/local/lib/python2.7/site-packages/simuvex/vex/irop.py", line 345, in calculate
raise SimOperationError("divide by zero!")
SimOperationError: divide by zero!
What does it mean? Am I right to assume that it a problem of the binary (e.g. because I am not starting firefox using the appropriate script pointed to by /usr/bin/firefox?
Is it a serious problem for the CFG, i.e. does it mean the CFG is incorrect?
Similar to #88
with CC env
โ ~ env CC=/usr/local/bin/gcc-6 pip install angr -I --no-cache-dir --no-binary all
... snipped ...
Collecting simuvex>=6.7.1.31 (from angr)
Downloading simuvex-6.7.1.31.tar.gz (188kB)
100% |โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ| 194kB 4.6MB/s
Complete output from command python setup.py egg_info:
make -f Makefile-gcc
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/ir_defs.o priv/ir_defs.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/ir_match.o priv/ir_match.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/ir_opt.o priv/ir_opt.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/ir_inject.o priv/ir_inject.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/main_main.o priv/main_main.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/main_globals.o priv/main_globals.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/main_util.o priv/main_util.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/s390_disasm.o priv/s390_disasm.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/tilegx_disasm.o priv/tilegx_disasm.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_x86_defs.o priv/host_x86_defs.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_amd64_defs.o priv/host_amd64_defs.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_arm_defs.o priv/host_arm_defs.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_arm64_defs.o priv/host_arm64_defs.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_ppc_defs.o priv/host_ppc_defs.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_s390_defs.o priv/host_s390_defs.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_mips_defs.o priv/host_mips_defs.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_tilegx_defs.o priv/host_tilegx_defs.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_x86_isel.o priv/host_x86_isel.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_amd64_isel.o priv/host_amd64_isel.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_arm_isel.o priv/host_arm_isel.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_arm64_isel.o priv/host_arm64_isel.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_ppc_isel.o priv/host_ppc_isel.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_s390_isel.o priv/host_s390_isel.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_mips_isel.o priv/host_mips_isel.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_tilegx_isel.o priv/host_tilegx_isel.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_generic_maddf.o priv/host_generic_maddf.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_generic_regs.o priv/host_generic_regs.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_generic_simd64.o priv/host_generic_simd64.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_generic_simd128.o priv/host_generic_simd128.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_generic_simd256.o priv/host_generic_simd256.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/host_generic_reg_alloc2.o priv/host_generic_reg_alloc2.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_generic_x87.o priv/guest_generic_x87.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_generic_bb_to_IR.o priv/guest_generic_bb_to_IR.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_x86_helpers.o priv/guest_x86_helpers.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_amd64_helpers.o priv/guest_amd64_helpers.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_arm_helpers.o priv/guest_arm_helpers.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_arm64_helpers.o priv/guest_arm64_helpers.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_ppc_helpers.o priv/guest_ppc_helpers.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_s390_helpers.o priv/guest_s390_helpers.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_mips_helpers.o priv/guest_mips_helpers.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_tilegx_helpers.o priv/guest_tilegx_helpers.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_x86_toIR.o priv/guest_x86_toIR.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_amd64_toIR.o priv/guest_amd64_toIR.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_arm_toIR.o priv/guest_arm_toIR.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_arm64_toIR.o priv/guest_arm64_toIR.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_ppc_toIR.o priv/guest_ppc_toIR.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_s390_toIR.o priv/guest_s390_toIR.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_mips_toIR.o priv/guest_mips_toIR.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/guest_tilegx_toIR.o priv/guest_tilegx_toIR.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/e4c_lite.o priv/e4c_lite.c
rm -f libvex.a
ar crus libvex.a priv/ir_defs.o priv/ir_match.o priv/ir_opt.o priv/ir_inject.o priv/main_main.o priv/main_globals.o priv/main_util.o priv/s390_disasm.o priv/tilegx_disasm.o priv/host_x86_defs.o priv/host_amd64_defs.o priv/host_arm_defs.o priv/host_arm64_defs.o priv/host_ppc_defs.o priv/host_s390_defs.o priv/host_mips_defs.o priv/host_tilegx_defs.o priv/host_x86_isel.o priv/host_amd64_isel.o priv/host_arm_isel.o priv/host_arm64_isel.o priv/host_ppc_isel.o priv/host_s390_isel.o priv/host_mips_isel.o priv/host_tilegx_isel.o priv/host_generic_maddf.o priv/host_generic_regs.o priv/host_generic_simd64.o priv/host_generic_simd128.o priv/host_generic_simd256.o priv/host_generic_reg_alloc2.o priv/guest_generic_x87.o priv/guest_generic_bb_to_IR.o priv/guest_x86_helpers.o priv/guest_amd64_helpers.o priv/guest_arm_helpers.o priv/guest_arm64_helpers.o priv/guest_ppc_helpers.o priv/guest_s390_helpers.o priv/guest_mips_helpers.o priv/guest_tilegx_helpers.o priv/guest_x86_toIR.o priv/guest_amd64_toIR.o priv/guest_arm_toIR.o priv/guest_arm64_toIR.o priv/guest_ppc_toIR.o priv/guest_s390_toIR.o priv/guest_mips_toIR.o priv/guest_tilegx_toIR.o priv/e4c_lite.o
gcc -c -O2 -shared -fPIC --std=c99 -I ../vex-master/pub pyvex.c
gcc -c -O2 -shared -fPIC --std=c99 -I ../vex-master/pub logging.c
clang: warning: argument unused during compilation: '-shared'clang:
warning: argument unused during compilation: '-shared'
pyvex.c:142:14: warning: incompatible pointer types passing 'void (*)(void)' to parameter of type 'void (*)(void) __attribute__((noreturn))' [-Wincompatible-pointer-types]
LibVEX_Init(&failure_exit,
^~~~~~~~~~~~~
../vex-master/pub/libvex.h:565:11: note: passing argument to parameter 'failure_exit' here
void (*failure_exit) ( void ),
^
pyvex.c:435:2: warning: add explicit braces to avoid dangling else [-Wdangling-else]
catch (VEXError)
^
../vex-master/pub/e4c_lite.h:27:22: note: expanded from macro 'catch'
# define catch(type) E4C_CATCH(type)
^
../vex-master/pub/e4c_lite.h:63:25: note: expanded from macro 'E4C_CATCH'
#define E4C_CATCH(type) else if(e4c.frame[e4c.frames].stage == e4c_catching && E4C_IS_INSTANCE_OF(type) && e4c_hook(1))
^
pyvex.c:465:2: warning: add explicit braces to avoid dangling else [-Wdangling-else]
catch (VEXError)
^
../vex-master/pub/e4c_lite.h:27:22: note: expanded from macro 'catch'
# define catch(type) E4C_CATCH(type)
^
../vex-master/pub/e4c_lite.h:63:25: note: expanded from macro 'E4C_CATCH'
#define E4C_CATCH(type) else if(e4c.frame[e4c.frames].stage == e4c_catching && E4C_IS_INSTANCE_OF(type) && e4c_hook(1))
^
3 warnings generated.
gcc -O2 -shared -fPIC --std=c99 -I ../vex-master/pub -o libpyvex.dylib pyvex.o logging.o ../vex-master/libvex.a -Wl,-install_name,libpyvex.dylib
ar rcs libpyvex.a pyvex.o logging.o
No handlers could be found for logger "cffier"
Exception("Couldn't process pyvex headers - set CPP env var",)
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/private/var/folders/f1/1w6x0njj6tnfs68s1mdys9br393wb7/T/pip-build-_ws0vL/simuvex/setup.py", line 117, in <module>
'simuvex': ['lib/*']
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/core.py", line 111, in setup
_setup_distribution = dist = klass(attrs)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/dist.py", line 268, in __init__
self.fetch_build_eggs(attrs['setup_requires'])
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/dist.py", line 313, in fetch_build_eggs
replace_conflicting=True,
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources/__init__.py", line 843, in resolve
dist = best[req.key] = env.best_match(req, ws, installer)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources/__init__.py", line 1088, in best_match
return self.obtain(req, installer)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources/__init__.py", line 1100, in obtain
return installer(requirement)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/dist.py", line 380, in fetch_build_egg
return cmd.easy_install(req)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/command/easy_install.py", line 638, in easy_install
return self.install_item(spec, dist.location, tmpdir, deps)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/command/easy_install.py", line 668, in install_item
dists = self.install_eggs(spec, download, tmpdir)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/command/easy_install.py", line 851, in install_eggs
return self.build_and_install(setup_script, setup_base)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/command/easy_install.py", line 1079, in build_and_install
self.run_setup(setup_script, setup_base, args)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/command/easy_install.py", line 1065, in run_setup
run_setup(setup_script, args)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/sandbox.py", line 240, in run_setup
raise
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/sandbox.py", line 193, in setup_context
yield
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/sandbox.py", line 164, in save_modules
saved_exc.resume()
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/sandbox.py", line 139, in resume
compat.reraise(type, exc, self._tb)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/sandbox.py", line 152, in save_modules
yield saved
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/sandbox.py", line 193, in setup_context
yield
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/sandbox.py", line 237, in run_setup
DirectorySandbox(setup_dir).run(runner)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/sandbox.py", line 267, in run
return func()
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/sandbox.py", line 236, in runner
_execfile(setup_script, ns)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/sandbox.py", line 46, in _execfile
exec(code, globals, locals)
File "/var/folders/f1/1w6x0njj6tnfs68s1mdys9br393wb7/T/easy_install-IFlia4/pyvex-6.7.1.31/setup.py", line 143, in <module>
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/core.py", line 151, in setup
dist.run_commands()
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/dist.py", line 953, in run_commands
self.run_command(cmd)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/dist.py", line 972, in run_command
cmd_obj.run()
File "/var/folders/f1/1w6x0njj6tnfs68s1mdys9br393wb7/T/easy_install-IFlia4/pyvex-6.7.1.31/setup.py", line 118, in run
}
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/cmd.py", line 326, in run_command
self.distribution.run_command(command)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/dist.py", line 972, in run_command
cmd_obj.run()
File "/var/folders/f1/1w6x0njj6tnfs68s1mdys9br393wb7/T/easy_install-IFlia4/pyvex-6.7.1.31/setup.py", line 100, in run
packages=packages,
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/cmd.py", line 349, in execute
util.execute(func, args, msg, dry_run=self.dry_run)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/util.py", line 309, in execute
func(*args)
File "/var/folders/f1/1w6x0njj6tnfs68s1mdys9br393wb7/T/easy_install-IFlia4/pyvex-6.7.1.31/setup.py", line 90, in _build_ffi
sys.argv.append('manylinux1_' + platform.machine())
File "/var/folders/f1/1w6x0njj6tnfs68s1mdys9br393wb7/T/easy_install-IFlia4/pyvex-6.7.1.31/make_ffi.py", line 83, in doit
Exception: Couldn't process pyvex headers - set CPP env var
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /private/var/folders/f1/1w6x0njj6tnfs68s1mdys9br393wb7/T/pip-build-_ws0vL/simuvex/
โ ~
without CC env
โ ~ pip install angr -I --no-cache-dir --no-binary all
... snipped ...
Collecting simuvex>=6.7.1.31 (from angr)
Downloading simuvex-6.7.1.31.tar.gz (188kB)
100% |โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ| 194kB 10.5MB/s
Complete output from command python setup.py egg_info:
make -f Makefile-gcc
cc -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/ir_defs.o priv/ir_defs.c
clang: error: unknown argument: '-malign-double'
make[1]: *** [priv/ir_defs.o] Error 1
make: *** [all] Error 2
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/private/var/folders/f1/1w6x0njj6tnfs68s1mdys9br393wb7/T/pip-build-L37HM5/simuvex/setup.py", line 117, in <module>
'simuvex': ['lib/*']
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/core.py", line 111, in setup
_setup_distribution = dist = klass(attrs)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/dist.py", line 268, in __init__
self.fetch_build_eggs(attrs['setup_requires'])
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/dist.py", line 313, in fetch_build_eggs
replace_conflicting=True,
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources/__init__.py", line 843, in resolve
dist = best[req.key] = env.best_match(req, ws, installer)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources/__init__.py", line 1088, in best_match
return self.obtain(req, installer)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources/__init__.py", line 1100, in obtain
return installer(requirement)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/dist.py", line 380, in fetch_build_egg
return cmd.easy_install(req)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/command/easy_install.py", line 638, in easy_install
return self.install_item(spec, dist.location, tmpdir, deps)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/command/easy_install.py", line 668, in install_item
dists = self.install_eggs(spec, download, tmpdir)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/command/easy_install.py", line 851, in install_eggs
return self.build_and_install(setup_script, setup_base)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/command/easy_install.py", line 1079, in build_and_install
self.run_setup(setup_script, setup_base, args)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/setuptools/command/easy_install.py", line 1067, in run_setup
raise DistutilsError("Setup script exited with %s" % (v.args[0],))
distutils.errors.DistutilsError: Setup script exited with error: Unable to build libVEX.
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /private/var/folders/f1/1w6x0njj6tnfs68s1mdys9br393wb7/T/pip-build-L37HM5/simuvex/
โ ~
Line 46:
self.state.memory.store(where.ret_expr, write_content, size=write_length, strategy=["symbolic_nonzero", "any"], limit=str_strlen.max_null_index+1)
strategy and limit no longer exist. This needs fix.
$ pip install simuvex
Collecting simuvex
Using cached simuvex-5.6.10.5.tar.gz
Collecting bintrees (from simuvex)
Using cached bintrees-2.0.4.tar.gz
Collecting unicorn (from simuvex)
Could not find a version that satisfies the requirement unicorn (from simuvex) (from versions: )
No matching distribution found for unicorn (from simuvex)
I think the package is called pyunicorn on my system.
$ pip search pyunicorn
pyunicorn (0.5.1) - Unified complex network and recurrence analysis toolbox$ cat /etc/fedora-release
Fedora release 23 (Twenty Three)
I am not really sure how to fix this bug. I could of course edit requirements.txt and setup.py, but then it would break at the computers of the people where it is named unicorn.
Playing with this test binary, i discovered that the fgets call appears to not be saving the newline entered from stdin.
I finds the correct values and appears to populate memory correctly, but it forgets to add the newline character to the posix input file, so replaying the input doesn't correctly generate the path. My guess is similar problems may exist with other generic input sim functions, but not 100% sure.
Re-creating should be as simple as path group exploring the binary to successful print, then state.posix.dumps(0).
Hello everyone,
I am currently trying to extract system calls (name, arguments, return value) from PE binaries but the only thing I am able to extract is the name and thereturn value. I get an empty list from Angr for each system call.
Before trying to extract things from PE, I did the same for ELF binaries and everything seems to work well. For ELF what i do is something like this : arguments = path.next_run.artifacts['procedure'].cc.ARG_REGS
For PE, ARG_REGS is always empty. So I'm not sure if I missed something from calling conventions and if this is not implemented yet (from s_cc.py , the empty list seems to be hardcoded in SimCCxxWindowsxx classes). I tried to check on the stack too for the arguments but I did not found something really relevant.
Basically : Am I doing something wrong here or is there a way to retrieve the arguments and their type with Angr that I'm not aware of ?
Thanks and have a good day !
Hi,
I have installed the latest simuvex from the master and I have the following error:
line 209, in _handle_irsb
retval_size = state.scratch.tyenv.sizeof(stmt.tmp)
AttributeError: 'IRTypeEnv' object has no attribute 'sizeof'
Any idea on how to fix it?
Thanks
When I use the CONCRETIZE option, the following error happens:
Traceback (most recent call last):
File "./angr-test.py", line 142, in <module>
dot = analyze_paths(p, p.addr, dot)
File "./angr-test.py", line 40, in analyze_paths
parent_p.step()
File "/home/user/tools/code/angr-dev/angr/angr/path.py", line 432, in step
self._make_sim_run()
File "/home/user/tools/code/angr-dev/angr/angr/path.py", line 457, in _make_sim_run
self._run = self._project.factory.sim_run(self.state, **self._run_args)
File "/home/user/tools/code/angr-dev/angr/angr/factory.py", line 123, in sim_run
r = self.sim_block(state, addr=addr, **block_opts)
File "/home/user/tools/code/angr-dev/angr/angr/factory.py", line 69, in sim_block
last_stmt=last_stmt)
File "/home/user/tools/code/angr-dev/simuvex/simuvex/vex/irsb.py", line 62, in __init__
self._handle_irsb()
File "/home/user/tools/code/angr-dev/simuvex/simuvex/vex/irsb.py", line 92, in _handle_irsb
self._handle_statements()
File "/home/user/tools/code/angr-dev/simuvex/simuvex/vex/irsb.py", line 208, in _handle_statements
s_stmt = translate_stmt(self.irsb, stmt_idx, self.last_imark, self.state)
File "/home/user/tools/code/angr-dev/simuvex/simuvex/vex/statements/__init__.py", line 31, in translate_stmt
s.process()
File "/home/user/tools/code/angr-dev/simuvex/simuvex/vex/statements/base.py", line 26, in process
self._execute()
File "/home/user/tools/code/angr-dev/simuvex/simuvex/vex/statements/wrtmp.py", line 6, in _execute
data = self._translate_expr(self.stmt.data)
File "/home/user/tools/code/angr-dev/simuvex/simuvex/vex/statements/base.py", line 36, in _translate_expr
e = translate_expr(expr, self.imark, self.stmt_idx, self.state)
File "/home/user/tools/code/angr-dev/simuvex/simuvex/vex/expressions/__init__.py", line 14, in translate_expr
e.process()
File "/home/user/tools/code/angr-dev/simuvex/simuvex/vex/expressions/base.py", line 38, in process
self._execute()
File "/home/user/tools/code/angr-dev/simuvex/simuvex/vex/expressions/get.py", line 24, in _execute
self._post_process()
File "/home/user/tools/code/angr-dev/simuvex/simuvex/vex/expressions/base.py", line 59, in _post_process
if self.expr.size() != self.size_bits():
AttributeError: 'long' object has no attribute 'size'
In https://github.com/angr/simuvex/blob/master/simuvex/vex/expressions/base.py#L94 make_concrete(self), the expr member is replaced by a long variable. So all subsequent calls to expr.to_bv() or expr.size() won't work.
Maybe we should create an BVV object :
self.expr = self.state.se.BVV(concrete_value, self.size_bits())
But I am not sure if we should add contraints (#L92 & #L93) based on BVV object or the original long value.
Hi all,
my idea is to create a new plugin in order to perform an analysis on the VEX IR. Suppose I have already generated the path I need and now I "just" need to analyse the VEX IR code. Is create a new plugin the best approach or should I create a new analysis for that?
Thanks
If I have a x86-64 instruction and access to the actual cpu state[think debugger], can I use simuvex/angr to identify if the instruction changes the instruction pointer [i.e jump, ret, call etc], and what the next instruction will be?
Currently it seems like my main issue is to set all the necessary flags, for example the zero flag.
I'm trying to run a binary which uses fgets to read a file in. At this point, I'm running concretely with a concrete file system as I have not yet hit the unrelated function I am going to hook and make symbolic. The file I am reading with fgets has several blank lines in it and it would appear that this messes up the simuvex implementation of fgets. Importantly, this file does not start with a new line, and the first few blank lines don't seem to mess up anything. After several blank lines, the file pointer position (fp.pos) gets pushed way ahead of where it should be, because of a very large read distance argument and this causes my program to break.
I think the problem might be with these lines in simuvex/procedures/libc___so___6/fgets.py:
# XXX: this is a HACK to determine if r is 0 because there is a newline at the first index or
# if r is 0 because there cannot be any newline
errored = False
if not self.state.se.satisfiable(extra_constraints=(r > 0,)):
errored = True
if self.state.se.solution(mem.load(0, 1), self.state.se.BVV('\n')):
errored = FalseI think there's at least two problems:
I may be completely wrong, but changing those lines to the following seems to work for me in my concrete case. I've had to add the extra conditional check as it seems even with the r > 0 changed to r > pos, there are still times where the satisfiable check fails when I don't believe it should. There could be more going on here, my understanding of this code is fairly limited.
# XXX: this is a HACK to determine if r is 0 because there is a newline at the first index or
# if r is 0 because there cannot be any newline
errored = False
# Not sure if this is the best way to do this... I'm really just trying to find if r==pos
# but I have to take into account the fact that these could be symoblic...
# The way it is things could go south if either value is symbolic
# This way works with concrete values
if self.state.se.any_int(r) == self.state.se.any_int(pos):
if not self.state.se.satisfiable(extra_constraints=(r > pos,)):
errored = True
if self.state.se.solution(mem.load(pos, 1), self.state.se.BVV('\n')):
errored = Falseputs will look as far ahead as it can for the null byte
I'm concerned that the default settings cause it to error like that, I'd consider that a bug
nitro:catalyst dave$ ipython
Python 2.7.13 (default, Dec 18 2016, 07:03:39)
Type "copyright", "credits" or "license" for more information.
IPython 5.1.0 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
In [1]: import angr
In [2]: proj = angr.Project('catalyst', load_options={"auto_load_libs": False})
In [3]: path_group = proj.factory.path_group()
In [4]: path_group.explore()
Out[4]: <PathGroup with 1 errored>
In [5]: list(path_group.errored[0].trace)
Out[5]:
['<IRSB from 0x400780: 1 sat>',
'<SimProcedure __libc_start_main from 0x1000040: 1 sat>',
'<IRSB from 0x400fc0: 1 sat>',
'<IRSB from 0x400690: 1 sat 1 unsat>',
'<IRSB from 0x4006a2: 1 sat>',
'<IRSB from 0x400ff1: 1 sat 1 unsat>',
'<IRSB from 0x400ff6: 1 sat>',
'<IRSB from 0x400850: 1 sat 1 unsat>',
'<IRSB from 0x40085b: 1 sat>',
'<IRSB from 0x4007f0: 1 sat 1 unsat>',
'<IRSB from 0x400828: 1 sat>',
'<IRSB from 0x40100d: 1 sat 1 unsat>',
'<IRSB from 0x401016: 1 sat>',
'<SimProcedure __libc_start_main from 0x1000050: 1 sat>',
'<IRSB from 0x400d93: 1 sat>',
'<IRSB from 0x400720: 1 sat>',
'<SimProcedure malloc from 0x1000000: 1 sat>',
'<IRSB from 0x400da5: 1 sat>',
'<IRSB from 0x400720: 1 sat>',
'<SimProcedure malloc from 0x1000000: 1 sat>',
'<IRSB from 0x400db3: 1 sat>',
'<IRSB from 0x400710: 1 sat>',
'<SimProcedure ReturnUnconstrained from 0x10000d0: 1 sat>',
'<IRSB from 0x400dc1: 1 sat>',
'<IRSB from 0x400700: 1 sat>',
'<SimProcedure ReturnUnconstrained from 0x10000c0: 1 sat>',
'<IRSB from 0x400dc8: 1 sat>',
'<IRSB from 0x4006d0: 1 sat>']
In [6]: path_group.errored[0]
Out[6]: <Errored Path with 28 runs (at 0x1000010, SimMemoryLimitError)>
In [7]: proj._sim_procedures
Out[7]:
{16777216: <Hook for malloc>,
16777232: <Hook for puts>,
16777248: <Hook for __isoc99_scanf>,
16777264: <Hook for exit>,
16777280: <Hook for __libc_start_main>,
16777296: <Hook for __libc_start_main (continuation)>,
16777312: <Hook for printf>,
16777328: <Hook for putchar>,
16777344: <Hook for fflush>,
16777360: <Hook for strlen>,
16777376: <Hook for sleep>,
16777392: <Hook for ReturnUnconstrained (resolves rand) (1 arg)>,
16777408: <Hook for ReturnUnconstrained (resolves srand) (1 arg)>,
16777424: <Hook for ReturnUnconstrained (resolves time) (1 arg)>,
16777440: <Hook for CallReturn>,
16777456: <Hook for LinuxLoader (1 arg)>,
16777472: <Hook for _dl_rtld_lock_recursive>,
16777488: <Hook for _dl_rtld_unlock_recursive>,
16777504: <Hook for _vsyscall>,
16777520: <Hook for LinuxLoader (1 arg) (continuation)>}int sub_400d93() {
var_10 = malloc(0x3e8);
var_18 = malloc(0x3e8);
rax = time(0x0);
rax = srand(LODWORD(rax));
rax = puts(0x401088);
rax = puts(0x401160);
rax = puts(0x401258);
rax = puts(0x401348);
rax = puts(0x4013e0);
rax = puts(0x4014a8);
rax = puts(0x401570);
rax = puts(0x401348);
rax = puts(0x401638);
rax = puts(0x401708);
rax = puts(0x4017e0);
rax = puts(0x401890);
LODWORD(rax) = 0x0;
rax = printf("Loading");
rax = *stdout;
rax = fflush(rax);
var_4 = 0x0;
rax = putchar(0xa);
LODWORD(rax) = 0x0;
rax = printf("Username: ");
LODWORD(rax) = 0x0;
rax = __isoc99_scanf(0x4018c3, var_10);
LODWORD(rax) = 0x0;
rax = printf(0x4018c6);
LODWORD(rax) = 0x0;
rax = __isoc99_scanf(0x4018c3, var_18);
LODWORD(rax) = 0x0;
rax = printf("Logging in");
rax = *stdout;
rax = fflush(rax);
var_8 = 0x0;
rax = putchar(0xa);
rax = sub_400c9a(var_10);
rax = sub_400cdd(var_10);
rax = sub_4008f7(var_10);
rax = sub_400977(var_10, var_18);
rax = sub_400876(var_10, var_18);
LODWORD(rax) = 0x0;
return 0x0;
}โ (fcn) main 335
โ main ();
โ ; var int local_18h @ rbp-0x18
โ ; var int local_10h @ rbp-0x10
โ ; var int local_4h @ rbp-0x4
โ ; DATA XREF from 0x0040079d (entry0)
โ 0x00400d93 55 push rbp
โ 0x00400d94 4889e5 rbp = rsp
โ 0x00400d97 4883ec20 rsp -= 0x20
โ 0x00400d9b bfe8030000 edi = 0x3e8 ; size_t size
โ 0x00400da0 e87bf9ffff sym.imp.malloc () ; void *malloc(size_t size)
โ 0x00400da5 488945f0 qword [rbp - local_10h] = rax
โ 0x00400da9 bfe8030000 edi = 0x3e8 ; size_t size
โ 0x00400dae e86df9ffff sym.imp.malloc () ; void *malloc(size_t size)
โ 0x00400db3 488945e8 qword [rbp - local_18h] = rax
โ 0x00400db7 bf00000000 edi = 0 ; time_t *timer
โ 0x00400dbc e84ff9ffff sym.imp.time () ; time_t time(time_t *timer)
โ 0x00400dc1 89c7 edi = eax ; int seed
โ 0x00400dc3 e838f9ffff sym.imp.srand () ; void srand(int seed)
โ 0x00400dc8 bf88104000 edi = 0x401088 ; const char * s
โ 0x00400dcd e8fef8ffff sym.imp.puts () ; int puts(const char *s)
โ 0x00400dd2 bf60114000 edi = str._e_33m_____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_33m_____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
โ 0x00400dd7 e8f4f8ffff sym.imp.puts () ; int puts(const char *s)
โ 0x00400ddc bf58124000 edi = str._e_32m__________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_32m__________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
โ 0x00400de1 e8eaf8ffff sym.imp.puts () ; int puts(const char *s)
โ 0x00400de6 bf48134000 edi = str._e_36m_____________________________________________________________________________________________________________________________________ ; str._e_36m_____________________________________________________________________________________________________________________________________ ; const char * s
โ 0x00400deb e8e0f8ffff sym.imp.puts () ; int puts(const char *s)
โ 0x00400df0 bfe0134000 edi = 0x4013e0 ; const char * s
โ 0x00400df5 e8d6f8ffff sym.imp.puts () ; int puts(const char *s)
โ 0x00400dfa bfa8144000 edi = str._e_35m_______________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_35m_______________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
โ 0x00400dff e8ccf8ffff sym.imp.puts () ; int puts(const char *s)
โ 0x00400e04 bf70154000 edi = str._e_34m______________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_34m______________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
โ 0x00400e09 e8c2f8ffff sym.imp.puts () ; int puts(const char *s)
โ 0x00400e0e bf48134000 edi = str._e_36m_____________________________________________________________________________________________________________________________________ ; str._e_36m_____________________________________________________________________________________________________________________________________ ; const char * s
โ 0x00400e13 e8b8f8ffff sym.imp.puts () ; int puts(const char *s)
โ 0x00400e18 bf38164000 edi = str._e_32m___________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_32m___________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
โ 0x00400e1d e8aef8ffff sym.imp.puts () ; int puts(const char *s)
โ 0x00400e22 bf08174000 edi = str._e_33m_________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_33m_________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
โ 0x00400e27 e8a4f8ffff sym.imp.puts () ; int puts(const char *s)
โ 0x00400e2c bfe0174000 edi = str._e_31m____________________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_31m____________________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
โ 0x00400e31 e89af8ffff sym.imp.puts () ; int puts(const char *s)
โ 0x00400e36 bf90184000 edi = str._e_0mWelcome_to_Catalyst_systems ; str._e_0mWelcome_to_Catalyst_systems ; const char * s
โ 0x00400e3b e890f8ffff sym.imp.puts () ; int puts(const char *s)
โ 0x00400e40 bfb0184000 edi = str.Loading ; "Loading" @ 0x4018b0 ; const char * format
โ 0x00400e45 b800000000 eax = 0
โ 0x00400e4a e8a1f8ffff sym.imp.printf () ; int printf(const char *format)
โ 0x00400e4f 488b05721220. rax = qword [obj.stdout] ; [0x6020c8:8]=0x4e4728203a434347 ; LEA obj.stdout ; "GCC: (GNU) 6.1.1 20160721 (Red Hat 6.1.1-4)" @ 0x6020c8
โ 0x00400e56 4889c7 rdi = rax ; FILE *stream
โ 0x00400e59 e8d2f8ffff sym.imp.fflush () ; int fflush(FILE *stream)
โ 0x00400e5e c745fc000000. dword [rbp - local_4h] = 0
โ โโ< 0x00400e65 eb44 goto loc.00400eab
โ loc.00400eab 123
โ loc.00400eab ();
โ ; var int local_18h @ rbp-0x18
โ ; var int local_10h @ rbp-0x10
โ ; var int local_8h @ rbp-0x8
โ ; JMP XREF from 0x00400e65 (main)
โ 0x00400eab bf0a000000 edi = 0xa ; size_t size
โ 0x00400eb0 e80bf8ffff sym.imp.putchar () ; sym.imp.malloc-0x60; void *malloc(size_t size)
โ 0x00400eb5 bfb8184000 edi = str.Username: ; "Username: " @ 0x4018b8 ; const char * format
โ 0x00400eba b800000000 eax = 0
โ 0x00400ebf e82cf8ffff sym.imp.printf () ; int printf(const char *format)
โ 0x00400ec4 488b45f0 rax = qword [rbp - local_10h]
โ 0x00400ec8 4889c6 rsi = rax
โ 0x00400ecb bfc3184000 edi = 0x4018c3 ; const char * format
โ 0x00400ed0 b800000000 eax = 0
โ 0x00400ed5 e866f8ffff sym.imp.__isoc99_scanf () ; int scanf(const char *format)
โ 0x00400eda bfc6184000 edi = str.Password: ; "Password: " @ 0x4018c6 ; const char * format
โ 0x00400edf b800000000 eax = 0
โ 0x00400ee4 e807f8ffff sym.imp.printf () ; int printf(const char *format)
โ 0x00400ee9 488b45e8 rax = qword [rbp - local_18h]
โ 0x00400eed 4889c6 rsi = rax
โ 0x00400ef0 bfc3184000 edi = 0x4018c3 ; const char * format
โ 0x00400ef5 b800000000 eax = 0
โ 0x00400efa e841f8ffff sym.imp.__isoc99_scanf () ; int scanf(const char *format)
โ 0x00400eff bfd1184000 edi = str.Logging_in ; "Logging in" @ 0x4018d1 ; const char * format
โ 0x00400f04 b800000000 eax = 0
โ 0x00400f09 e8e2f7ffff sym.imp.printf () ; int printf(const char *format)
โ 0x00400f0e 488b05b31120. rax = qword [obj.stdout] ; [0x6020c8:8]=0x4e4728203a434347 ; LEA obj.stdout ; "GCC: (GNU) 6.1.1 20160721 (Red Hat 6.1.1-4)" @ 0x6020c8
โ 0x00400f15 4889c7 rdi = rax ; FILE *stream
โ 0x00400f18 e813f8ffff sym.imp.fflush () ; int fflush(FILE *stream)
โ 0x00400f1d c745f8000000. dword [rbp - local_8h] = 0
โ โโ< 0x00400f24 eb3e goto loc.00400f64Folks,
I'm wondering if i stumbled on to another sscanf issue. I'm playing around with the crackme challenges (https://github.com/radare/radare2book/blob/master/crackmes/ioli/IOLI-crackme.tar.gz). Specifically, crackme0x04. When loading it up and exploring using:
pg.explore(find=0x80484E8)
pg.found[0].state.posix.dumps(0)It appears to find a segfault in the program (likely not intended on their part). However, it will find paths through to the successful login that, when played into the program, don't actually get to that part of the program.
Maybe I'm not understanding or grasping the bigger picture here, but should posix.open always return a new fd even if a file of the same name exists?
As it is now, if there is no preferred_fd number passed to posix.open, then fd is assigned an unused number and returned.
Would it make more sense to check if the file already exists on line 156?
else:
tmp = self.filename_to_fd(name)
if tmp:
fd = tmp
else:
for fd_ in xrange(0, 8192):
...
Truth be told, I haven't tested this on anything other than my use-cases, but from what I've seen, the existing logic seems to be polluting the self.files dictionary with copies of my file, all with different fds.
I see that there is a check if the name occurs in self.fs, which makes it seem like it is not intended to have superfluous fds pointing to the same file, but I'm still becoming familiar with the backend, so I could be misunderstanding.
Any insight would be appreciated!
Thank you!
Hi,
First i want to thank for your amazing work !
I am using simuvex with angr (through Tracer/Driller). I had an issue in a specific testcase.
In this test case, I had the warning "Accessing non-existing file with fd %d. Creating a new file" from posix plugin.
And after that the process crashed because it's trying to access "cache_key" key on a string expression (solver issue).
Thanks to a debugger i found that is was trying to solve "wr" self.open("tmp_%d" % fd, "wr", preferred_fd=fd) . The solver is called here.
I "solved" temporarily my issue by using simuvex.storage.file.Flags.O_CREAT flag (integer -> no need of solving) instead of "wr".
I don't if it's the best thing to do and that is why i am asking for your help.
x mod 1 is always 0. Perhaps you meant addr % 4 == 2 as a quick check in case the caller forgot to specify the thumb argument (which would catch a mistake half the time). If that is the case, I think a warning would be in order. Code is here.
thumb = int(thumb)
if isinstance(arch, ArchARM):
if addr % 1 == 1:
thumb = 1
if thumb:
addr &= ~1
I could be completely wrong. I have zero arm experience, which is why I did not submit a PR.
Hi,
while working with pngpixel I have encountered this warning:
WARNING | 2017-03-07 06:06:32,781 | simuvex.engines.vex.engine | t28 = LDle:I8(t24)
WARNING | 2017-03-07 06:06:32,782 | simuvex.engines.vex.engine | -----0x1018b20 hit an error while analyzing statement 34
Is it a bug in simuvex or am I doing something wrong?
Happy to give more information if necessary.
Thanks
I'm not sure this should belong here as "an issue" or you'd rather receive these through other channels (si there a mailing list?) so let me know if that's the case.
The snprintf SimProcedure is currently missing (and vsnprintf kinda unimplemented as well, with a simple return size-1). I've been playing around with some binaries that use snprintf... and tried to implement it based off sprintf.
However, I do not know exactly what's the "correct" way to constrain the size of the output string. sprintf does this:
fmt_str = self._parse(1)
out_str = fmt_str.replace(2, self.arg)
self.state.memory.store(dst_ptr, out_str)So I can easily increase the indices passed to self._parse and fmt_str.replace. However, I am in doubt on what would be the proper way to constrain the buffer size...
compile libVEX with clang got this error!
$ python setup.py install
make -f Makefile-gcc
cc -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/ir_defs.o priv/ir_defs.c
clang: error: unknown argument: '-malign-double'
make[1]: *** [priv/ir_defs.o] Error 1
make: *** [all] Error 2
Traceback (most recent call last):
File "setup.py", line 117, in <module>
'simuvex': ['lib/*']
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/core.py", line 111, in setup
_setup_distribution = dist = klass(attrs)
File "/Library/Python/2.7/site-packages/setuptools/dist.py", line 317, in __init__
self.fetch_build_eggs(attrs['setup_requires'])
File "/Library/Python/2.7/site-packages/setuptools/dist.py", line 372, in fetch_build_eggs
replace_conflicting=True,
File "/Library/Python/2.7/site-packages/pkg_resources/__init__.py", line 851, in resolve
dist = best[req.key] = env.best_match(req, ws, installer)
File "/Library/Python/2.7/site-packages/pkg_resources/__init__.py", line 1123, in best_match
return self.obtain(req, installer)
File "/Library/Python/2.7/site-packages/pkg_resources/__init__.py", line 1135, in obtain
return installer(requirement)
File "/Library/Python/2.7/site-packages/setuptools/dist.py", line 440, in fetch_build_egg
return cmd.easy_install(req)
File "/Library/Python/2.7/site-packages/setuptools/command/easy_install.py", line 674, in easy_install
return self.install_item(spec, dist.location, tmpdir, deps)
File "/Library/Python/2.7/site-packages/setuptools/command/easy_install.py", line 700, in install_item
dists = self.install_eggs(spec, download, tmpdir)
File "/Library/Python/2.7/site-packages/setuptools/command/easy_install.py", line 881, in install_eggs
return self.build_and_install(setup_script, setup_base)
File "/Library/Python/2.7/site-packages/setuptools/command/easy_install.py", line 1120, in build_and_install
self.run_setup(setup_script, setup_base, args)
File "/Library/Python/2.7/site-packages/setuptools/command/easy_install.py", line 1108, in run_setup
raise DistutilsError("Setup script exited with %s" % (v.args[0],))
distutils.errors.DistutilsError: Setup script exited with error: Unable to build libVEX.
then use gcc6.
$ CC=/usr/local/bin/gcc-6 python setup.py install
make -f Makefile-gcc
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/ir_defs.o priv/ir_defs.c
/usr/local/bin/gcc-6 -c -Wall -Wmissing-prototypes -Wstrict-prototypes -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wcast-align -Wmissing-declarations -Wwrite-strings -Wformat -Wformat-security -std=gnu99 -fpic -w -g -O2 -fstrict-aliasing -malign-double -Ipub -Ipriv -o priv/ir_match.o priv/ir_match.c
......
gcc -c -O2 -shared -fPIC --std=c99 -I ../vex-master/pub pyvex.c
gcc -c -O2 -shared -fPIC --std=c99 -I ../vex-master/pub logging.c
clang: clangwarning: : argument unused during compilation: '-shared'warning
: argument unused during compilation: '-shared'
pyvex.c:142:14: warning: incompatible pointer types passing 'void (*)(void)' to
parameter of type 'void (*)(void) __attribute__((noreturn))'
[-Wincompatible-pointer-types]
LibVEX_Init(&failure_exit,
^~~~~~~~~~~~~
../vex-master/pub/libvex.h:565:11: note: passing argument to parameter
'failure_exit' here
void (*failure_exit) ( void ),
^
pyvex.c:435:2: warning: add explicit braces to avoid dangling else
[-Wdangling-else]
catch (VEXError)
^
../vex-master/pub/e4c_lite.h:27:22: note: expanded from macro 'catch'
# define catch(type) E4C_CATCH(type)
^
../vex-master/pub/e4c_lite.h:63:25: note: expanded from macro 'E4C_CATCH'
#define E4C_CATCH(type) else if(e4c.frame[e4c.frames].stage == e4c_catch...
^
pyvex.c:465:2: warning: add explicit braces to avoid dangling else
[-Wdangling-else]
catch (VEXError)
^
../vex-master/pub/e4c_lite.h:27:22: note: expanded from macro 'catch'
# define catch(type) E4C_CATCH(type)
^
../vex-master/pub/e4c_lite.h:63:25: note: expanded from macro 'E4C_CATCH'
#define E4C_CATCH(type) else if(e4c.frame[e4c.frames].stage == e4c_catch...
^
3 warnings generated.
gcc -O2 -shared -fPIC --std=c99 -I ../vex-master/pub -o libpyvex.dylib pyvex.o logging.o ../vex-master/libvex.a -Wl,-install_name,libpyvex.dylib
ar rcs libpyvex.a pyvex.o logging.o
No handlers could be found for logger "cffier"
Exception("Couldn't process pyvex headers - set CPP env var",)
Traceback (most recent call last):
File "setup.py", line 117, in <module>
'simuvex': ['lib/*']
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/core.py", line 111, in setup
_setup_distribution = dist = klass(attrs)
File "/Library/Python/2.7/site-packages/setuptools/dist.py", line 317, in __init__
self.fetch_build_eggs(attrs['setup_requires'])
File "/Library/Python/2.7/site-packages/setuptools/dist.py", line 372, in fetch_build_eggs
replace_conflicting=True,
File "/Library/Python/2.7/site-packages/pkg_resources/__init__.py", line 851, in resolve
dist = best[req.key] = env.best_match(req, ws, installer)
File "/Library/Python/2.7/site-packages/pkg_resources/__init__.py", line 1123, in best_match
return self.obtain(req, installer)
File "/Library/Python/2.7/site-packages/pkg_resources/__init__.py", line 1135, in obtain
return installer(requirement)
File "/Library/Python/2.7/site-packages/setuptools/dist.py", line 440, in fetch_build_egg
return cmd.easy_install(req)
File "/Library/Python/2.7/site-packages/setuptools/command/easy_install.py", line 674, in easy_install
return self.install_item(spec, dist.location, tmpdir, deps)
File "/Library/Python/2.7/site-packages/setuptools/command/easy_install.py", line 700, in install_item
dists = self.install_eggs(spec, download, tmpdir)
File "/Library/Python/2.7/site-packages/setuptools/command/easy_install.py", line 881, in install_eggs
return self.build_and_install(setup_script, setup_base)
File "/Library/Python/2.7/site-packages/setuptools/command/easy_install.py", line 1120, in build_and_install
self.run_setup(setup_script, setup_base, args)
File "/Library/Python/2.7/site-packages/setuptools/command/easy_install.py", line 1106, in run_setup
run_setup(setup_script, args)
File "/Library/Python/2.7/site-packages/setuptools/sandbox.py", line 258, in run_setup
raise
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/Library/Python/2.7/site-packages/setuptools/sandbox.py", line 198, in setup_context
yield
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/Library/Python/2.7/site-packages/setuptools/sandbox.py", line 169, in save_modules
saved_exc.resume()
File "/Library/Python/2.7/site-packages/setuptools/sandbox.py", line 144, in resume
six.reraise(type, exc, self._tb)
File "/Library/Python/2.7/site-packages/setuptools/sandbox.py", line 157, in save_modules
yield saved
File "/Library/Python/2.7/site-packages/setuptools/sandbox.py", line 198, in setup_context
yield
File "/Library/Python/2.7/site-packages/setuptools/sandbox.py", line 255, in run_setup
DirectorySandbox(setup_dir).run(runner)
File "/Library/Python/2.7/site-packages/setuptools/sandbox.py", line 285, in run
return func()
File "/Library/Python/2.7/site-packages/setuptools/sandbox.py", line 253, in runner
_execfile(setup_script, ns)
File "/Library/Python/2.7/site-packages/setuptools/sandbox.py", line 47, in _execfile
exec(code, globals, locals)
File "/var/folders/rd/mts0362j0n92rq0z1cnmdb580000gn/T/easy_install-GXsdJs/pyvex-6.7.1.31/setup.py", line 143, in <module>
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/core.py", line 151, in setup
dist.run_commands()
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/dist.py", line 953, in run_commands
self.run_command(cmd)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/dist.py", line 972, in run_command
cmd_obj.run()
File "/var/folders/rd/mts0362j0n92rq0z1cnmdb580000gn/T/easy_install-GXsdJs/pyvex-6.7.1.31/setup.py", line 118, in run
}
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/cmd.py", line 326, in run_command
self.distribution.run_command(command)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/dist.py", line 972, in run_command
cmd_obj.run()
File "/var/folders/rd/mts0362j0n92rq0z1cnmdb580000gn/T/easy_install-GXsdJs/pyvex-6.7.1.31/setup.py", line 100, in run
packages=packages,
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/cmd.py", line 349, in execute
util.execute(func, args, msg, dry_run=self.dry_run)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/util.py", line 309, in execute
func(*args)
File "/var/folders/rd/mts0362j0n92rq0z1cnmdb580000gn/T/easy_install-GXsdJs/pyvex-6.7.1.31/setup.py", line 90, in _build_ffi
sys.argv.append('manylinux1_' + platform.machine())
File "/var/folders/rd/mts0362j0n92rq0z1cnmdb580000gn/T/easy_install-GXsdJs/pyvex-6.7.1.31/make_ffi.py", line 83, in doit
Exception: Couldn't process pyvex headers - set CPP env var
plz let me know,how to resolve it?
Building wheels for collected packages: simuvex
Running setup.py bdist_wheel for simuvex ... error
Complete output from command /Users/wxy/.virtualenvs/angr/bin/python -u -c "import setuptools, tokenize;__file__='/private/var/folders/g4/d0skzchs7m71kfqntq95x7jh0000gn/T/pip-build-9Uvh1g/simuvex/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" bdist_wheel -d /var/folders/g4/d0skzchs7m71kfqntq95x7jh0000gn/T/tmpmfqpZHpip-wheel- --python-tag cp27:
running bdist_wheel
running build
Building sim_unicorn
gcc -fPIC -c -O3 -o log.o log.c
log.c:110:87: warning: 'syscall' is deprecated: first deprecated in macOS 10.12 - syscall(2) is unsupported; please switch to a supported interface. For SYS_kdebug_trace use kdebug_signpost(). [-Wdeprecated-declarations]
dprintf(log_fd, "[%s][%s][%d] %s():%d ", timestr, logLevels[ll].descr, (pid_t)syscall(__NR_gettid), fn, ln);
^
/usr/include/unistd.h:733:6: note: 'syscall' has been explicitly marked deprecated here
int syscall(int, ...);
^
1 warning generated.
g++ -I /Users/wxy/.virtualenvs/angr/lib/python2.7/site-packages/unicorn/include -I /Users/wxy/.virtualenvs/angr/lib/python2.7/site-packages/pyvex/include -L /Users/wxy/.virtualenvs/angr/lib/python2.7/site-packages/unicorn/lib -L /Users/wxy/.virtualenvs/angr/lib/python2.7/site-packages/pyvex/lib `pkg-config --cflags glib-2.0` -O3 -fPIC -std=c++11 -shared -o sim_unicorn.dylib log.o sim_unicorn.cpp `pkg-config --libs glib-2.0` -lunicorn -lpyvex
sim_unicorn.cpp:207:3: error: use of undeclared identifier 'uc_context_free'
uc_context_free(saved_regs);
^
sim_unicorn.cpp:470:59: warning: format specifies type 'unsigned long' but the argument has type 'uint64_t' (aka 'unsigned long long') [-Wformat]
printf("[%#lx, %#lx] overlaps with [%#lx, %#lx].\n", address, address + size, after->first, after->first + after->second.size);
~~~~ ^~~~~~~
%#llx
sim_unicorn.cpp:470:68: warning: format specifies type 'unsigned long' but the argument has type 'unsigned long long' [-Wformat]
printf("[%#lx, %#lx] overlaps with [%#lx, %#lx].\n", address, address + size, after->first, after->first + after->second.size);
~~~~ ^~~~~~~~~~~~~~
%#llx
sim_unicorn.cpp:470:84: warning: format specifies type 'unsigned long' but the argument has type 'unsigned long long' [-Wformat]
printf("[%#lx, %#lx] overlaps with [%#lx, %#lx].\n", address, address + size, after->first, after->first + after->second.size);
~~~~ ^~~~~~~~~~~~
%#llx
sim_unicorn.cpp:470:98: warning: format specifies type 'unsigned long' but the argument has type 'unsigned long long' [-Wformat]
printf("[%#lx, %#lx] overlaps with [%#lx, %#lx].\n", address, address + size, after->first, after->first + after->second.size);
~~~~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
%#llx
sim_unicorn.cpp:482:59: warning: format specifies type 'unsigned long' but the argument has type 'uint64_t' (aka 'unsigned long long') [-Wformat]
printf("[%#lx, %#lx] overlaps with [%#lx, %#lx].\n", address, address + size, before->first, before->first + before->second.size);
~~~~ ^~~~~~~
%#llx
sim_unicorn.cpp:482:68: warning: format specifies type 'unsigned long' but the argument has type 'unsigned long long' [-Wformat]
printf("[%#lx, %#lx] overlaps with [%#lx, %#lx].\n", address, address + size, before->first, before->first + before->second.size);
~~~~ ^~~~~~~~~~~~~~
%#llx
sim_unicorn.cpp:482:84: warning: format specifies type 'unsigned long' but the argument has type 'unsigned long long' [-Wformat]
printf("[%#lx, %#lx] overlaps with [%#lx, %#lx].\n", address, address + size, before->first, before->first + before->second.size);
~~~~ ^~~~~~~~~~~~~
%#llx
sim_unicorn.cpp:482:99: warning: format specifies type 'unsigned long' but the argument has type 'unsigned long long' [-Wformat]
printf("[%#lx, %#lx] overlaps with [%#lx, %#lx].\n", address, address + size, before->first, before->first + before->second.size);
~~~~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
%#llx
8 warnings and 1 error generated.
make: *** [sim_unicorn.dylib] Error 1
error: Unable to build sim_unicorn
----------------------------------------
Failed building wheel for simuvex
Running setup.py clean for simuvex
Failed to build simuvex
Hi all,
can someone help me to understand how to create a new plugin if someone wants to create a new kind of analysis based on the VEX representation?
Thanks
I was looking through the list of functions listed at https://github.com/angr/simuvex/tree/master/simuvex/procedures/libc___so___6 and it seems the gets() function is missing. Could it be implemented and added?
There are lots of missing module, class, and function docstrings in the angr module. Here is the list. We desperately need help with this from the community, if someone wants to contribute!
Here is the list:
************* Module simuvex.vex.irsb
- vex/irsb.py:88 - SimIRSB._handle_irsb
- vex/irsb.py:177 - SimIRSB._handle_statements
- vex/irsb.py:247 - SimIRSB._prepare_temps
- vex/irsb.py:260 - SimIRSB.reanalyze
************* Module simuvex.vex.ccall
- vex/ccall.py:1 -
- vex/ccall.py:16 - calc_paritybit
- vex/ccall.py:27 - calc_zerobit
- vex/ccall.py:30 - boolean_extend
- vex/ccall.py:33 - flag_concretize
- vex/ccall.py:241 - pc_preamble
- vex/ccall.py:246 - pc_make_rdata
- vex/ccall.py:249 - pc_make_rdata_if_necessary
- vex/ccall.py:257 - pc_actions_ADD
- vex/ccall.py:270 - pc_actions_SUB
- vex/ccall.py:283 - pc_actions_LOGIC
- vex/ccall.py:295 - pc_actions_DEC
- vex/ccall.py:308 - pc_actions_ADC
- vex/ccall.py:327 - pc_actions_SBB
- vex/ccall.py:344 - pc_actions_INC
- vex/ccall.py:357 - pc_actions_SHL
- vex/ccall.py:366 - pc_actions_SHR
- vex/ccall.py:375 - pc_actions_ROL
- vex/ccall.py:384 - pc_actions_ROR
- vex/ccall.py:393 - pc_actions_UMUL
- vex/ccall.py:405 - pc_actions_UMULQ
- vex/ccall.py:409 - pc_actions_SMUL
- vex/ccall.py:421 - pc_actions_SMULQ
- vex/ccall.py:427 - pc_calculate_rdata_all_WRK
- vex/ccall.py:514 - pc_calculate_rdata_all
- vex/ccall.py:523 - pc_calculate_condition
- vex/ccall.py:652 - _cond_flag
- vex/ccall.py:657 - pc_actions_DEC_CondZ
- vex/ccall.py:662 - pc_actions_INC_CondNZ
- vex/ccall.py:667 - pc_actions_SHR_CondZ
- vex/ccall.py:677 - pc_actions_SUB_CondZ
- vex/ccall.py:680 - pc_actions_SUB_CondNZ
- vex/ccall.py:683 - pc_actions_SUB_CondB
- vex/ccall.py:686 - pc_actions_SUB_CondBE
- vex/ccall.py:689 - pc_actions_SUB_CondNBE
- vex/ccall.py:692 - pc_actions_SUB_CondL
- vex/ccall.py:695 - pc_actions_SUB_CondLE
- vex/ccall.py:698 - pc_actions_SUB_CondNLE
- vex/ccall.py:701 - pc_actions_SUB_CondS
- vex/ccall.py:706 - pc_actions_LOGIC_CondZ
- vex/ccall.py:709 - pc_actions_LOGIC_CondLE
- vex/ccall.py:712 - pc_actions_LOGIC_CondNZ
- vex/ccall.py:715 - pc_actions_LOGIC_CondS
- vex/ccall.py:751 - pc_calculate_rdata_c
- vex/ccall.py:770 - amd64g_calculate_condition
- vex/ccall.py:776 - amd64g_calculate_rflags_all
- vex/ccall.py:779 - amd64g_calculate_rflags_c
- vex/ccall.py:785 - x86g_calculate_condition
- vex/ccall.py:791 - x86g_calculate_eflags_all
- vex/ccall.py:794 - x86g_calculate_eflags_c
- vex/ccall.py:797 - x86g_check_fldcw
- vex/ccall.py:800 - x86g_create_fpucw
- vex/ccall.py:809 - get_segdescr_base
- vex/ccall.py:815 - get_segdescr_limit
- vex/ccall.py:825 - x86g_use_seg_selector
- vex/ccall.py:827 - x86g_use_seg_selector.bad
- vex/ccall.py:926 - amd64g_create_mxcsr
- vex/ccall.py:929 - amd64g_check_ldmxcsr
- vex/ccall.py:985 - armg_calculate_flag_n
- vex/ccall.py:1014 - arm_zerobit
- vex/ccall.py:1017 - armg_calculate_flag_z
- vex/ccall.py:1047 - armg_calculate_flag_c
- vex/ccall.py:1075 - armg_calculate_flag_v
- vex/ccall.py:1109 - armg_calculate_data_nzcv
- vex/ccall.py:1119 - armg_calculate_condition
- vex/ccall.py:1200 - arm64g_calculate_flag_n
- vex/ccall.py:1239 - arm64_zerobit
- vex/ccall.py:1242 - arm64g_calculate_flag_z
- vex/ccall.py:1268 - arm64g_calculate_flag_c
- vex/ccall.py:1292 - arm64g_calculate_flag_v
- vex/ccall.py:1338 - arm64g_calculate_data_nzcv
- vex/ccall.py:1348 - arm64g_calculate_condition
- vex/ccall.py:1394 - _get_flags
************* Module simuvex.vex.irop
- vex/irop.py:22 - op_attrs
- vex/irop.py:90 - make_operations
- vex/irop.py:148 - supports_vector
- vex/irop.py:333 - SimIROp._dbg_print_attrs
- vex/irop.py:339 - SimIROp.calculate
- vex/irop.py:355 - SimIROp.extend_size
- vex/irop.py:371 - SimIROp.is_signed
- vex/irop.py:379 - SimIROp._op_mapped
- vex/irop.py:407 - SimIROp._translate_rm
- vex/irop.py:414 - SimIROp._op_float_mapped
- vex/irop.py:424 - SimIROp._op_vector_mapped
- vex/irop.py:429 - SimIROp._op_float_op_just_low
- vex/irop.py:434 - SimIROp._op_concat
- vex/irop.py:437 - SimIROp._op_hi_half
- vex/irop.py:440 - SimIROp._op_lo_half
- vex/irop.py:443 - SimIROp._op_extract
- vex/irop.py:446 - SimIROp._op_sign_extend
- vex/irop.py:449 - SimIROp._op_zero_extend
- vex/irop.py:463 - SimIROp._op_generic_Mull
- vex/irop.py:485 - SimIROp.generic_minmax
- vex/irop.py:499 - SimIROp._op_generic_Min
- vex/irop.py:503 - SimIROp._op_generic_Max
- vex/irop.py:507 - SimIROp._op_generic_GetMSBs
- vex/irop.py:513 - SimIROp._op_generic_InterleaveLO
- vex/irop.py:520 - SimIROp.generic_compare
- vex/irop.py:538 - SimIROp._op_generic_CmpEQ
- vex/irop.py:542 - SimIROp._op_generic_CmpNE
- vex/irop.py:548 - SimIROp._op_generic_CmpNEZ
- vex/irop.py:554 - SimIROp._op_generic_CmpGT
- vex/irop.py:559 - SimIROp._op_generic_CmpGE
- vex/irop.py:564 - SimIROp._op_generic_CmpLT
- vex/irop.py:569 - SimIROp._op_generic_CmpLE
- vex/irop.py:573 - SimIROp._op_generic_CmpORD
- vex/irop.py:580 - SimIROp.generic_shift_thing
- vex/irop.py:597 - SimIROp._op_generic_ShlN
- vex/irop.py:601 - SimIROp._op_generic_ShrN
- vex/irop.py:605 - SimIROp._op_generic_SarN
- vex/irop.py:682 - SimIROp._op_divmod
- vex/irop.py:698 - SimIROp._op_int_to_fp
- vex/irop.py:705 - SimIROp._op_fp_to_fp
- vex/irop.py:712 - SimIROp._op_fp_to_int
- vex/irop.py:721 - SimIROp._op_fgeneric_Cmp
- vex/irop.py:729 - SimIROp._op_fgeneric_Reinterp
- vex/irop.py:738 - SimIROp._op_fgeneric_Round
- vex/irop.py:761 - SimIROp._op_Iop_Yl2xF64
- vex/irop.py:778 - SimIROp._op_Iop_Yl2xp1F64
- vex/irop.py:785 - SimIROp.pow
- vex/irop.py:791 - SimIROp._op_Iop_SinF64
- vex/irop.py:807 - SimIROp._op_Iop_CosF64
- vex/irop.py:828 - translate
************* Module simuvex.vex.expressions.load
- vex/expressions/load.py:1 -
- vex/expressions/load.py:8 - SimIRExpr_Load
************* Module simuvex.vex.expressions.ite
- vex/expressions/ite.py:1 -
- vex/expressions/ite.py:3 - SimIRExpr_ITE
************* Module simuvex.vex.expressions.vecret
- vex/expressions/vecret.py:1 -
- vex/expressions/vecret.py:6 - SimIRExpr_VECRET
************* Module simuvex.vex.expressions.op
- vex/expressions/op.py:1 -
- vex/expressions/op.py:6 - SimIRExpr_Op
- vex/expressions/op.py:21 - SimIRExpr_Unop
- vex/expressions/op.py:22 - SimIRExpr_Binop
- vex/expressions/op.py:23 - SimIRExpr_Triop
- vex/expressions/op.py:24 - SimIRExpr_Qop
************* Module simuvex.vex.expressions.bbptr
- vex/expressions/bbptr.py:1 -
- vex/expressions/bbptr.py:3 - SimIRExpr_BBPTR
************* Module simuvex.vex.expressions.rdtmp
- vex/expressions/rdtmp.py:1 -
- vex/expressions/rdtmp.py:5 - SimIRExpr_RdTmp
************* Module simuvex.vex.expressions.geti
- vex/expressions/geti.py:1 -
- vex/expressions/geti.py:7 - SimIRExpr_GetI
************* Module simuvex.vex.expressions.const
- vex/expressions/const.py:1 -
- vex/expressions/const.py:4 - SimIRExpr_Const
************* Module simuvex.vex.expressions.ccall
- vex/expressions/ccall.py:1 -
- vex/expressions/ccall.py:10 - SimIRExpr_CCall
************* Module simuvex.vex.expressions.get
- vex/expressions/get.py:1 -
- vex/expressions/get.py:7 - SimIRExpr_Get
************* Module simuvex.vex.expressions.unsupported
- vex/expressions/unsupported.py:1 -
- vex/expressions/unsupported.py:6 - SimIRExpr_Unsupported
************* Module simuvex.vex.expressions.base
- vex/expressions/base.py:9 - SimIRExpr
- vex/expressions/base.py:43 - SimIRExpr._execute
- vex/expressions/base.py:47 - SimIRExpr._post_process
- vex/expressions/base.py:62 - SimIRExpr.size_bits
- vex/expressions/base.py:67 - SimIRExpr.size_bytes
- vex/expressions/base.py:85 - SimIRExpr._record_expr
- vex/expressions/base.py:90 - SimIRExpr.make_concrete
************* Module simuvex.vex.expressions
- vex/expressions/__init__.py:1 -
- vex/expressions/__init__.py:1 - translate_expr
************* Module simuvex.vex.dirty
- vex/dirty.py:1 -
- vex/dirty.py:14 - ppcg_dirtyhelper_MFTB
- vex/dirty.py:18 - ppc32g_dirtyhelper_MFSPR_287
- vex/dirty.py:21 - amd64g_dirtyhelper_RDTSC
- vex/dirty.py:31 - amd64g_dirtyhelper_CPUID_baseline
- vex/dirty.py:33 - amd64g_dirtyhelper_CPUID_baseline.SET_ABCD
- vex/dirty.py:63 - CORRECT_amd64g_dirtyhelper_CPUID_avx_and_cx16
- vex/dirty.py:67 - CORRECT_amd64g_dirtyhelper_CPUID_avx_and_cx16.SET_ABCD
- vex/dirty.py:126 - amd64g_dirtyhelper_IN
- vex/dirty.py:129 - amd64g_dirtyhelper_OUT
- vex/dirty.py:132 - amd64g_dirtyhelper_SxDT
- vex/dirty.py:141 - x86g_dirtyhelper_CPUID_sse0
- vex/dirty.py:144 - x86g_dirtyhelper_CPUID_sse0.SET_ABCD
- vex/dirty.py:166 - CORRECT_x86g_dirtyhelper_CPUID_sse2
- vex/dirty.py:170 - CORRECT_x86g_dirtyhelper_CPUID_sse2.SET_ABCD
- vex/dirty.py:218 - x86g_dirtyhelper_IN
- vex/dirty.py:221 - x86g_dirtyhelper_OUT
- vex/dirty.py:224 - x86g_dirtyhelper_SxDT
- vex/dirty.py:237 - x86g_dirtyhelper_LGDT_LIDT
- vex/dirty.py:253 - x86g_dirtyhelper_FINIT
- vex/dirty.py:260 - x86g_dirtyhelper_write_cr0
************* Module simuvex.vex.statements.wrtmp
- vex/statements/wrtmp.py:1 -
- vex/statements/wrtmp.py:3 - SimIRStmt_WrTmp
************* Module simuvex.vex.statements.storeg
- vex/statements/storeg.py:1 -
- vex/statements/storeg.py:6 - SimIRStmt_StoreG
************* Module simuvex.vex.statements.mbe
- vex/statements/mbe.py:1 -
- vex/statements/mbe.py:3 - SimIRStmt_MBE
************* Module simuvex.vex.statements.llsc
- vex/statements/llsc.py:1 -
- vex/statements/llsc.py:13 - SimIRStmt_LLSC
************* Module simuvex.vex.statements.imark
- vex/statements/imark.py:1 -
- vex/statements/imark.py:3 - SimIRStmt_IMark
************* Module simuvex.vex.statements.put
- vex/statements/put.py:1 -
- vex/statements/put.py:7 - SimIRStmt_Put
************* Module simuvex.vex.statements.abihint
- vex/statements/abihint.py:1 -
- vex/statements/abihint.py:3 - SimIRStmt_AbiHint
************* Module simuvex.vex.statements.noop
- vex/statements/noop.py:1 -
- vex/statements/noop.py:3 - SimIRStmt_NoOp
************* Module simuvex.vex.statements.exit
- vex/statements/exit.py:1 -
- vex/statements/exit.py:7 - SimIRStmt_Exit
************* Module simuvex.vex.statements.cas
- vex/statements/cas.py:1 -
- vex/statements/cas.py:5 - SimIRStmt_CAS
************* Module simuvex.vex.statements.puti
- vex/statements/puti.py:1 -
- vex/statements/puti.py:8 - SimIRStmt_PutI
************* Module simuvex.vex.statements.base
- vex/statements/base.py:1 -
- vex/statements/base.py:31 - SimIRStmt._execute
************* Module simuvex.vex.statements.dirty
- vex/statements/dirty.py:1 -
- vex/statements/dirty.py:10 - SimIRStmt_Dirty
************* Module simuvex.vex.statements.loadg
- vex/statements/loadg.py:1 -
- vex/statements/loadg.py:7 - SimIRStmt_LoadG
************* Module simuvex.vex.statements.store
- vex/statements/store.py:1 -
- vex/statements/store.py:6 - SimIRStmt_Store
************* Module simuvex.vex.statements
- vex/statements/__init__.py:1 -
- vex/statements/__init__.py:23 - translate_stmt
************* Module simuvex.vex
- vex/__init__.py:1 -
- vex/__init__.py:17 - translate_irconst
************* Module simuvex.procedures.cgc.allocate
- procedures/cgc/allocate.py:1 -
- procedures/cgc/allocate.py:7 - allocate
************* Module simuvex.procedures.cgc.transmit
- procedures/cgc/transmit.py:1 -
- procedures/cgc/transmit.py:3 - transmit
************* Module simuvex.procedures.cgc.deallocate
- procedures/cgc/deallocate.py:1 -
- procedures/cgc/deallocate.py:6 - deallocate
************* Module simuvex.procedures.cgc.random
- procedures/cgc/random.py:1 -
- procedures/cgc/random.py:6 - random
************* Module simuvex.procedures.cgc.fdwait
- procedures/cgc/fdwait.py:1 -
- procedures/cgc/fdwait.py:6 - fdwait
************* Module simuvex.procedures.cgc._terminate
- procedures/cgc/_terminate.py:1 -
- procedures/cgc/_terminate.py:3 - _terminate
************* Module simuvex.procedures.cgc.receive
- procedures/cgc/receive.py:1 -
- procedures/cgc/receive.py:6 - receive
************* Module simuvex.procedures.ld-linux-x86-64___so___2.__tls_get_addr
- procedures/ld-linux-x86-64___so___2/__tls_get_addr.py:1 -
- procedures/ld-linux-x86-64___so___2/__tls_get_addr.py:3 - __tls_get_addr
************* Module simuvex.procedures.testing.manyargs
- procedures/testing/manyargs.py:1 -
- procedures/testing/manyargs.py:3 - manyargs
************* Module simuvex.procedures.testing.retreg
- procedures/testing/retreg.py:1 -
- procedures/testing/retreg.py:3 - retreg
************* Module simuvex.procedures.syscalls.brk
- procedures/syscalls/brk.py:1 -
************* Module simuvex.procedures.syscalls.stub
- procedures/syscalls/stub.py:1 -
- procedures/syscalls/stub.py:8 - stub
************* Module simuvex.procedures.syscalls.getpid
- procedures/syscalls/getpid.py:1 -
- procedures/syscalls/getpid.py:3 - getpid
************* Module simuvex.procedures.syscalls.close
- procedures/syscalls/close.py:1 -
- procedures/syscalls/close.py:7 - close
************* Module simuvex.procedures.syscalls.sigprocmask
- procedures/syscalls/sigprocmask.py:1 -
- procedures/syscalls/sigprocmask.py:3 - sigprocmask
************* Module simuvex.procedures.syscalls.tgkill
- procedures/syscalls/tgkill.py:1 -
- procedures/syscalls/tgkill.py:3 - tgkill
************* Module simuvex.procedures.syscalls.munmap
- procedures/syscalls/munmap.py:1 -
- procedures/syscalls/munmap.py:3 - munmap
************* Module simuvex.procedures.syscalls.open
- procedures/syscalls/open.py:1 -
- procedures/syscalls/open.py:7 - open
************* Module simuvex.procedures.syscalls.stat
- procedures/syscalls/stat.py:1 -
- procedures/syscalls/stat.py:3 - stat
- procedures/syscalls/stat.py:14 - stat._store_amd64
************* Module simuvex.procedures.syscalls.gettid
- procedures/syscalls/gettid.py:1 -
- procedures/syscalls/gettid.py:3 - gettid
************* Module simuvex.procedures.syscalls.exit
- procedures/syscalls/exit.py:1 -
- procedures/syscalls/exit.py:8 - exit
************* Module simuvex.procedures.syscalls.mmap
- procedures/syscalls/mmap.py:1 -
- procedures/syscalls/mmap.py:3 - mmap
************* Module simuvex.procedures.syscalls.read
- procedures/syscalls/read.py:1 -
- procedures/syscalls/read.py:7 - read
************* Module simuvex.procedures.syscalls.write
- procedures/syscalls/write.py:1 -
- procedures/syscalls/write.py:7 - write
************* Module simuvex.procedures.syscalls.fstat
- procedures/syscalls/fstat.py:1 -
- procedures/syscalls/fstat.py:3 - fstat
- procedures/syscalls/fstat.py:13 - fstat._store_amd64
************* Module simuvex.procedures.syscalls.sigaction
- procedures/syscalls/sigaction.py:1 -
- procedures/syscalls/sigaction.py:3 - sigaction
************* Module simuvex.procedures.libc___so___6.fclose
- procedures/libc___so___6/fclose.py:1 -
- procedures/libc___so___6/fclose.py:9 - fclose
************* Module simuvex.procedures.libc___so___6.strcmp
- procedures/libc___so___6/strcmp.py:1 -
- procedures/libc___so___6/strcmp.py:7 - strcmp
************* Module simuvex.procedures.libc___so___6.__libc_init
- procedures/libc___so___6/__libc_init.py:1 -
- procedures/libc___so___6/__libc_init.py:13 - __libc_init
- procedures/libc___so___6/__libc_init.py:32 - __libc_init.after_slingshot
************* Module simuvex.procedures.libc___so___6.pthread_mutex_lock
- procedures/libc___so___6/pthread_mutex_lock.py:1 -
- procedures/libc___so___6/pthread_mutex_lock.py:7 - pthread_mutex_lock
************* Module simuvex.procedures.libc___so___6.strchr
- procedures/libc___so___6/strchr.py:1 -
- procedures/libc___so___6/strchr.py:7 - strchr
************* Module simuvex.procedures.libc___so___6.strtok_r
- procedures/libc___so___6/strtok_r.py:1 -
- procedures/libc___so___6/strtok_r.py:7 - strtok_r
************* Module simuvex.procedures.libc___so___6.__isoc99_scanf
- procedures/libc___so___6/__isoc99_scanf.py:1 -
- procedures/libc___so___6/__isoc99_scanf.py:8 - __isoc99_scanf
************* Module simuvex.procedures.libc___so___6.fflush
- procedures/libc___so___6/fflush.py:1 -
- procedures/libc___so___6/fflush.py:7 - fflush
************* Module simuvex.procedures.libc___so___6.recv
- procedures/libc___so___6/recv.py:1 -
- procedures/libc___so___6/recv.py:7 - recv
************* Module simuvex.procedures.libc___so___6.printf
- procedures/libc___so___6/printf.py:1 -
- procedures/libc___so___6/printf.py:10 - printf
************* Module simuvex.procedures.libc___so___6.strncmp
- procedures/libc___so___6/strncmp.py:1 -
- procedures/libc___so___6/strncmp.py:7 - strncmp
************* Module simuvex.procedures.libc___so___6.realloc
- procedures/libc___so___6/realloc.py:1 -
- procedures/libc___so___6/realloc.py:11 - realloc
************* Module simuvex.procedures.libc___so___6.__uClibc_main
- procedures/libc___so___6/__uClibc_main.py:1 -
- procedures/libc___so___6/__uClibc_main.py:7 - __uClibc_main
************* Module simuvex.procedures.libc___so___6.system
- procedures/libc___so___6/system.py:1 -
- procedures/libc___so___6/system.py:7 - system
************* Module simuvex.procedures.libc___so___6.__ctype_b_loc
- procedures/libc___so___6/__ctype_b_loc.py:1 -
************* Module simuvex.procedures.libc___so___6.recvfrom
- procedures/libc___so___6/recvfrom.py:1 -
- procedures/libc___so___6/recvfrom.py:7 - recvfrom
************* Module simuvex.procedures.libc___so___6.listen
- procedures/libc___so___6/listen.py:1 -
- procedures/libc___so___6/listen.py:9 - listen
************* Module simuvex.procedures.libc___so___6.fileno
- procedures/libc___so___6/fileno.py:1 -
- procedures/libc___so___6/fileno.py:11 - fileno
************* Module simuvex.procedures.libc___so___6.memset
- procedures/libc___so___6/memset.py:1 -
- procedures/libc___so___6/memset.py:11 - memset
************* Module simuvex.procedures.libc___so___6.sprintf
- procedures/libc___so___6/sprintf.py:1 -
- procedures/libc___so___6/sprintf.py:10 - sprintf
************* Module simuvex.procedures.libc___so___6.scanf
- procedures/libc___so___6/scanf.py:1 -
- procedures/libc___so___6/scanf.py:5 - scanf
************* Module simuvex.procedures.libc___so___6.strcasecmp
- procedures/libc___so___6/strcasecmp.py:1 -
- procedures/libc___so___6/strcasecmp.py:7 - strcasecmp
************* Module simuvex.procedures.libc___so___6._IO_getc
- procedures/libc___so___6/_IO_getc.py:1 -
- procedures/libc___so___6/_IO_getc.py:9 - _IO_getc
************* Module simuvex.procedures.libc___so___6.__isoc99_sscanf
- procedures/libc___so___6/__isoc99_sscanf.py:1 -
- procedures/libc___so___6/__isoc99_sscanf.py:8 - __isoc99_sscanf
************* Module simuvex.procedures.libc___so___6.strncpy
- procedures/libc___so___6/strncpy.py:1 -
- procedures/libc___so___6/strncpy.py:7 - strncpy
************* Module simuvex.procedures.libc___so___6.bind
- procedures/libc___so___6/bind.py:1 -
- procedures/libc___so___6/bind.py:9 - bind
************* Module simuvex.procedures.libc___so___6.__libc_start_main
- procedures/libc___so___6/__libc_start_main.py:1 -
- procedures/libc___so___6/__libc_start_main.py:12 - __libc_start_main
- procedures/libc___so___6/__libc_start_main.py:52 - __libc_start_main.after_init
- procedures/libc___so___6/__libc_start_main.py:59 - __libc_start_main.after_main
************* Module simuvex.procedures.libc___so___6.rewind
- procedures/libc___so___6/rewind.py:1 -
- procedures/libc___so___6/rewind.py:9 - rewind
************* Module simuvex.procedures.libc___so___6.open
- procedures/libc___so___6/open.py:1 -
- procedures/libc___so___6/open.py:8 - open
************* Module simuvex.procedures.libc___so___6.vsnprintf
- procedures/libc___so___6/vsnprintf.py:1 -
- procedures/libc___so___6/vsnprintf.py:7 - vsnprintf
************* Module simuvex.procedures.libc___so___6.sleep
- procedures/libc___so___6/sleep.py:1 -
- procedures/libc___so___6/sleep.py:7 - sleep
************* Module simuvex.procedures.libc___so___6.atoi
- procedures/libc___so___6/atoi.py:1 -
- procedures/libc___so___6/atoi.py:8 - atoi
************* Module simuvex.procedures.libc___so___6.perror
- procedures/libc___so___6/perror.py:1 -
- procedures/libc___so___6/perror.py:7 - perror
************* Module simuvex.procedures.libc___so___6.strlen
- procedures/libc___so___6/strlen.py:1 -
- procedures/libc___so___6/strlen.py:8 - strlen
************* Module simuvex.procedures.libc___so___6.strtol
- procedures/libc___so___6/strtol.py:1 -
- procedures/libc___so___6/strtol.py:11 - strtol
************* Module simuvex.procedures.libc___so___6.accept
- procedures/libc___so___6/accept.py:1 -
- procedures/libc___so___6/accept.py:7 - accept
************* Module simuvex.procedures.libc___so___6.fseek
- procedures/libc___so___6/fseek.py:1 -
- procedures/libc___so___6/fseek.py:9 - fseek
************* Module simuvex.procedures.libc___so___6.malloc
- procedures/libc___so___6/malloc.py:1 -
- procedures/libc___so___6/malloc.py:11 - malloc
************* Module simuvex.procedures.libc___so___6.fgets
- procedures/libc___so___6/fgets.py:1 -
- procedures/libc___so___6/fgets.py:10 - fgets
************* Module simuvex.procedures.libc___so___6.calloc
- procedures/libc___so___6/calloc.py:1 -
- procedures/libc___so___6/calloc.py:8 - calloc
************* Module simuvex.procedures.libc___so___6.memmove
- procedures/libc___so___6/memmove.py:1 -
- procedures/libc___so___6/memmove.py:7 - memmove
************* Module simuvex.procedures.libc___so___6.usleep
- procedures/libc___so___6/usleep.py:1 -
- procedures/libc___so___6/usleep.py:8 - usleep
************* Module simuvex.procedures.libc___so___6.fopen
- procedures/libc___so___6/fopen.py:1 -
- procedures/libc___so___6/fopen.py:9 - mode_to_flag
- procedures/libc___so___6/fopen.py:26 - fopen
************* Module simuvex.procedures.libc___so___6.abort
- procedures/libc___so___6/abort.py:1 -
- procedures/libc___so___6/abort.py:7 - abort
************* Module simuvex.procedures.libc___so___6.memcmp
- procedures/libc___so___6/memcmp.py:1 -
- procedures/libc___so___6/memcmp.py:7 - memcmp
************* Module simuvex.procedures.libc___so___6.fgetc
- procedures/libc___so___6/fgetc.py:1 -
- procedures/libc___so___6/fgetc.py:11 - fgetc
************* Module simuvex.procedures.libc___so___6.fwrite
- procedures/libc___so___6/fwrite.py:1 -
- procedures/libc___so___6/fwrite.py:9 - fwrite
************* Module simuvex.procedures.libc___so___6.fread
- procedures/libc___so___6/fread.py:1 -
- procedures/libc___so___6/fread.py:9 - fread
************* Module simuvex.procedures.libc___so___6.socket_
- procedures/libc___so___6/socket_.py:1 -
- procedures/libc___so___6/socket_.py:7 - socket
************* Module simuvex.procedures.libc___so___6.inet_ntoa
- procedures/libc___so___6/inet_ntoa.py:1 -
- procedures/libc___so___6/inet_ntoa.py:8 - inet_ntoa
************* Module simuvex.procedures.libc___so___6.exit
- procedures/libc___so___6/exit.py:1 -
- procedures/libc___so___6/exit.py:7 - exit
************* Module simuvex.procedures.libc___so___6.pthread_create
- procedures/libc___so___6/pthread_create.py:1 -
- procedures/libc___so___6/pthread_create.py:7 - pthread_create
************* Module simuvex.procedures.libc___so___6.strstr
- procedures/libc___so___6/strstr.py:1 -
- procedures/libc___so___6/strstr.py:7 - strstr
************* Module simuvex.procedures.libc___so___6.strcpy
- procedures/libc___so___6/strcpy.py:1 -
- procedures/libc___so___6/strcpy.py:4 - strcpy
************* Module simuvex.procedures.libc___so___6.memcpy
- procedures/libc___so___6/memcpy.py:1 -
- procedures/libc___so___6/memcpy.py:7 - memcpy
************* Module simuvex.procedures.libc___so___6.getpass
- procedures/libc___so___6/getpass.py:1 -
- procedures/libc___so___6/getpass.py:7 - getpass
************* Module simuvex.procedures.libc___so___6.getchar
- procedures/libc___so___6/getchar.py:1 -
- procedures/libc___so___6/getchar.py:9 - getchar
************* Module simuvex.procedures.libc___so___6.bcopy
- procedures/libc___so___6/bcopy.py:1 -
- procedures/libc___so___6/bcopy.py:10 - bcopy
************* Module simuvex.procedures.libc___so___6.send
- procedures/libc___so___6/send.py:1 -
- procedures/libc___so___6/send.py:7 - send
************* Module simuvex.procedures.libc___so___6.ftell
- procedures/libc___so___6/ftell.py:1 -
- procedures/libc___so___6/ftell.py:9 - ftell
************* Module simuvex.procedures.libc___so___6.htons
- procedures/libc___so___6/htons.py:1 -
- procedures/libc___so___6/htons.py:6 - htons
************* Module simuvex.procedures.libc___so___6.pthread_mutex_unlock
- procedures/libc___so___6/pthread_mutex_unlock.py:1 -
- procedures/libc___so___6/pthread_mutex_unlock.py:7 - pthread_mutex_unlock
************* Module simuvex.procedures.libc___so___6.read
- procedures/libc___so___6/read.py:1 -
- procedures/libc___so___6/read.py:8 - read
************* Module simuvex.procedures.libc___so___6.write
- procedures/libc___so___6/write.py:1 -
- procedures/libc___so___6/write.py:7 - write
************* Module simuvex.procedures.libc___so___6.puts
- procedures/libc___so___6/puts.py:1 -
- procedures/libc___so___6/puts.py:8 - puts
************* Module simuvex.procedures.libc___so___6.__assert_fail
- procedures/libc___so___6/__assert_fail.py:1 -
- procedures/libc___so___6/__assert_fail.py:7 - __assert_fail
************* Module simuvex.procedures.libc___so___6.free
- procedures/libc___so___6/free.py:1 -
- procedures/libc___so___6/free.py:7 - free
************* Module simuvex.procedures.libc___so___6.pthread_cond_signal
- procedures/libc___so___6/pthread_cond_signal.py:1 -
- procedures/libc___so___6/pthread_cond_signal.py:7 - pthread_cond_signal
************* Module simuvex.procedures.libc___so___6
- procedures/libc___so___6/__init__.py:1 -
************* Module simuvex.procedures.libc___so___6.setvbuf
- procedures/libc___so___6/setvbuf.py:1 -
- procedures/libc___so___6/setvbuf.py:3 - setvbuf
************* Module simuvex.procedures.libc___so___6.putchar
- procedures/libc___so___6/putchar.py:1 -
- procedures/libc___so___6/putchar.py:7 - putchar
************* Module simuvex.procedures.libc___so___6.__stack_chk_fail
- procedures/libc___so___6/__stack_chk_fail.py:1 -
- procedures/libc___so___6/__stack_chk_fail.py:8 - __stack_chk_fail
************* Module simuvex.procedures.stubs.Nop
- procedures/stubs/Nop.py:1 -
- procedures/stubs/Nop.py:8 - Nop
************* Module simuvex.procedures.stubs.ReturnChar
- procedures/stubs/ReturnChar.py:1 -
- procedures/stubs/ReturnChar.py:7 - ReturnChar
************* Module simuvex.procedures.stubs.UserHook
- procedures/stubs/UserHook.py:1 -
- procedures/stubs/UserHook.py:3 - UserHook
************* Module simuvex.procedures.stubs.crazy_scanf
- procedures/stubs/crazy_scanf.py:1 -
- procedures/stubs/crazy_scanf.py:3 - crazy_scanf
************* Module simuvex.procedures.stubs.PathTerminator
- procedures/stubs/PathTerminator.py:1 -
- procedures/stubs/PathTerminator.py:7 - PathTerminator
************* Module simuvex.procedures.stubs.b64_decode
- procedures/stubs/b64_decode.py:1 -
- procedures/stubs/b64_decode.py:3 - b64_decode
************* Module simuvex.procedures.stubs.ReturnUnconstrained
- procedures/stubs/ReturnUnconstrained.py:1 -
- procedures/stubs/ReturnUnconstrained.py:7 - ReturnUnconstrained
************* Module simuvex.procedures.stubs.NoReturnUnconstrained
- procedures/stubs/NoReturnUnconstrained.py:1 -
- procedures/stubs/NoReturnUnconstrained.py:9 - NoReturnUnconstrained
************* Module simuvex.procedures.stubs.Redirect
- procedures/stubs/Redirect.py:1 -
- procedures/stubs/Redirect.py:7 - Redirect
************* Module simuvex.procedures.stubs.caller
- procedures/stubs/caller.py:1 -
- procedures/stubs/caller.py:19 - Caller.after_call
************* Module simuvex.procedures
- procedures/__init__.py:1 -
************* Module simuvex.procedures.ld-uClibc___so___0.__uClibc_main
- procedures/ld-uClibc___so___0/__uClibc_main.py:1 -
- procedures/ld-uClibc___so___0/__uClibc_main.py:7 - __uClibc_main
************* Module simuvex.s_run
- s_run.py:1 -
- s_run.py:14 - SimRun
- s_run.py:44 - SimRun.cleanup
- s_run.py:186 - SimRun._concrete_syscall_numbers
- s_run.py:214 - SimRun.id_str
************* Module simuvex.s_format
- s_format.py:1 -
- s_format.py:25 - FormatString._add_to_string
- s_format.py:33 - FormatString._get_str_at
- s_format.py:202 - FormatSpecifier.spec_type
************* Module simuvex.s_cc
- s_cc.py:1 -
- s_cc.py:10 - PointerWrapper
- s_cc.py:15 - AllocHelper
- s_cc.py:21 - AllocHelper.dump
- s_cc.py:33 - SimFunctionArgument
- s_cc.py:40 - SimFunctionArgument.check_value
- s_cc.py:46 - SimFunctionArgument.set_value
- s_cc.py:49 - SimFunctionArgument.get_value
- s_cc.py:53 - SimRegArg
- s_cc.py:89 - SimStackArg
- s_cc.py:112 - SimComboArg
- s_cc.py:163 - ArgSession.next_arg
- s_cc.py:189 - ArgSession.upsize_arg
- s_cc.py:331 - SimCC.return_val
- s_cc.py:340 - SimCC.fp_return_val
- s_cc.py:345 - SimCC.is_fp_value
- s_cc.py:530 - SimCC._standardize_value
- s_cc.py:656 - SimCC._match
- s_cc.py:696 - SimCCCdecl
- s_cc.py:705 - SimCCX86LinuxSyscall
- s_cc.py:717 - SimCCX86LinuxSyscall.syscall_num
- s_cc.py:720 - SimCCX86WindowsSyscall
- s_cc.py:733 - SimCCX86WindowsSyscall.syscall_num
- s_cc.py:736 - SimCCSystemVAMD64
- s_cc.py:773 - SimCCAMD64LinuxSyscall
- s_cc.py:784 - SimCCAMD64LinuxSyscall.syscall_num
- s_cc.py:787 - SimCCAMD64WindowsSyscall
- s_cc.py:800 - SimCCAMD64WindowsSyscall.syscall_num
- s_cc.py:803 - SimCCARM
- s_cc.py:810 - SimCCARMLinuxSyscall
- s_cc.py:824 - SimCCARMLinuxSyscall.syscall_num
- s_cc.py:827 - SimCCAArch64
- s_cc.py:834 - SimCCAArch64LinuxSyscall
- s_cc.py:847 - SimCCAArch64LinuxSyscall.syscall_num
- s_cc.py:850 - SimCCO32
- s_cc.py:858 - SimCCO32LinuxSyscall
- s_cc.py:871 - SimCCO32LinuxSyscall.syscall_num
- s_cc.py:874 - SimCCO64
- s_cc.py:882 - SimCCO64LinuxSyscall
- s_cc.py:894 - SimCCO64LinuxSyscall.syscall_num
- s_cc.py:897 - SimCCPowerPC
- s_cc.py:905 - SimCCPowerPCLinuxSyscall
- s_cc.py:918 - SimCCPowerPCLinuxSyscall.syscall_num
- s_cc.py:921 - SimCCPowerPC64
- s_cc.py:929 - SimCCPowerPC64LinuxSyscall
- s_cc.py:942 - SimCCPowerPC64LinuxSyscall.syscall_num
************* Module simuvex.s_procedure
- s_procedure.py:1 -
- s_procedure.py:18 - SimProcedure
- s_procedure.py:93 - SimProcedure._run
- s_procedure.py:123 - SimProcedure.run
- s_procedure.py:126 - SimProcedure.reanalyze
- s_procedure.py:134 - SimProcedure.initialize_run
- s_procedure.py:137 - SimProcedure.handle_run
- s_procedure.py:140 - SimProcedure.handle_procedure
- s_procedure.py:143 - SimProcedure.set_convention
- s_procedure.py:156 - SimProcedure.set_args
- s_procedure.py:182 - SimProcedure.inline_call
- s_procedure.py:188 - SimProcedure.set_return_expr
- s_procedure.py:211 - SimProcedure.ret
- s_procedure.py:246 - SimProcedure.call
- s_procedure.py:275 - SimProcedure.jump
- s_procedure.py:278 - SimProcedure.exit
- s_procedure.py:287 - SimProcedure.ty_ptr
- s_procedure.py:320 - SimProcedureContinuation
************* Module simuvex.plugins.plugin
- plugins/plugin.py:1 -
- plugins/plugin.py:5 - SimStatePlugin
- plugins/plugin.py:12 - SimStatePlugin.set_state
- plugins/plugin.py:21 - SimStatePlugin.copy
- plugins/plugin.py:46 - SimStatePlugin.register_default
************* Module simuvex.plugins.posix
- plugins/posix.py:1 -
- plugins/posix.py:18 - SimStateSystem
- plugins/posix.py:102 - SimStateSystem.set_brk
- plugins/posix.py:108 - SimStateSystem.add_socket
- plugins/posix.py:112 - SimStateSystem.back_with_pcap
- plugins/posix.py:197 - SimStateSystem.read_from
- plugins/posix.py:200 - SimStateSystem.write
- plugins/posix.py:205 - SimStateSystem.close
- plugins/posix.py:220 - SimStateSystem.fstat
- plugins/posix.py:239 - SimStateSystem.seek
- plugins/posix.py:287 - SimStateSystem.pos
- plugins/posix.py:291 - SimStateSystem.filename_to_fd
************* Module simuvex.plugins.abstract_memory
- plugins/abstract_memory.py:1 -
- plugins/abstract_memory.py:19 - MemoryRegion
- plugins/abstract_memory.py:39 - MemoryRegion.id
- plugins/abstract_memory.py:43 - MemoryRegion.memory
- plugins/abstract_memory.py:47 - MemoryRegion.state
- plugins/abstract_memory.py:51 - MemoryRegion.alocs
- plugins/abstract_memory.py:55 - MemoryRegion.is_stack
- plugins/abstract_memory.py:59 - MemoryRegion.related_function_addr
- plugins/abstract_memory.py:83 - MemoryRegion.addrs_for_name
- plugins/abstract_memory.py:86 - MemoryRegion.set_state
- plugins/abstract_memory.py:90 - MemoryRegion.copy
- plugins/abstract_memory.py:99 - MemoryRegion.store
- plugins/abstract_memory.py:121 - MemoryRegion.load
- plugins/abstract_memory.py:125 - MemoryRegion.merge
- plugins/abstract_memory.py:145 - MemoryRegion.widen
- plugins/abstract_memory.py:208 - SimAbstractMemory.regions
- plugins/abstract_memory.py:211 - SimAbstractMemory.stack_id
- plugins/abstract_memory.py:214 - SimAbstractMemory.set_stack_size
- plugins/abstract_memory.py:217 - SimAbstractMemory.set_stack_address_mapping
- plugins/abstract_memory.py:220 - SimAbstractMemory.unset_stack_address_mapping
- plugins/abstract_memory.py:315 - SimAbstractMemory._normalize_address_type
- plugins/abstract_memory.py:363 - SimAbstractMemory._do_store
- plugins/abstract_memory.py:413 - SimAbstractMemory._do_load
************* Module simuvex.plugins.libc
- plugins/libc.py:1 -
************* Module simuvex.plugins.cgc
- plugins/cgc.py:1 -
- plugins/cgc.py:34 - SimStateCGC.peek_input
- plugins/cgc.py:38 - SimStateCGC.discard_input
- plugins/cgc.py:45 - SimStateCGC.peek_output
- plugins/cgc.py:49 - SimStateCGC.discard_output
- plugins/cgc.py:56 - SimStateCGC.addr_invalid
************* Module simuvex.plugins.inspect
- plugins/inspect.py:1 -
************* Module simuvex.plugins.solver
- plugins/solver.py:1 -
- plugins/solver.py:21 - timed_function
- plugins/solver.py:24 - timed_function.timing_guy
- plugins/solver.py:56 - enable_timing
- plugins/solver.py:62 - disable_timing
- plugins/solver.py:78 - error_converter
- plugins/solver.py:80 - error_converter.wrapped_f
- plugins/solver.py:95 - _concrete_bool
- plugins/solver.py:105 - _concrete_value
- plugins/solver.py:116 - concrete_path_bool
- plugins/solver.py:118 - concrete_path_bool.concrete_shortcut_bool
- plugins/solver.py:126 - concrete_path_not_bool
- plugins/solver.py:128 - concrete_path_not_bool.concrete_shortcut_not_bool
- plugins/solver.py:136 - concrete_path_scalar
- plugins/solver.py:138 - concrete_path_scalar.concrete_shortcut_scalar
- plugins/solver.py:146 - concrete_path_tuple
- plugins/solver.py:148 - concrete_path_tuple.concrete_shortcut_tuple
- plugins/solver.py:156 - concrete_path_list
- plugins/solver.py:158 - concrete_path_list.concrete_shortcut_list
- plugins/solver.py:181 - SimSolver._solver
- plugins/solver.py:204 - SimSolver.Unconstrained
- plugins/solver.py:286 - SimSolver.downsize
- plugins/solver.py:290 - SimSolver.constraints
- plugins/solver.py:293 - SimSolver._adjust_constraint
- plugins/solver.py:302 - SimSolver._adjust_constraint_list
- plugins/solver.py:347 - SimSolver.max
- plugins/solver.py:359 - SimSolver.min
- plugins/solver.py:370 - SimSolver.solution
- plugins/solver.py:383 - SimSolver.is_true
- plugins/solver.py:396 - SimSolver.is_false
- plugins/solver.py:408 - SimSolver.solve
- plugins/solver.py:414 - SimSolver.satisfiable
- plugins/solver.py:426 - SimSolver.add
- plugins/solver.py:435 - SimSolver.any_int
- plugins/solver.py:440 - SimSolver.any_str
- plugins/solver.py:445 - SimSolver.any_n_str_iter
- plugins/solver.py:453 - SimSolver.any_n_str
- plugins/solver.py:459 - SimSolver.any_n_int
- plugins/solver.py:465 - SimSolver.exactly_n
- plugins/solver.py:471 - SimSolver.exactly_n_int
- plugins/solver.py:477 - SimSolver.exactly_int
- plugins/solver.py:494 - SimSolver.unique
- plugins/solver.py:511 - SimSolver.symbolic
- plugins/solver.py:516 - SimSolver.single_valued
- plugins/solver.py:527 - SimSolver.simplify
- plugins/solver.py:544 - SimSolver._claripy_simplify
- plugins/solver.py:547 - SimSolver.variables
************* Module simuvex.plugins.procedure_data
- plugins/procedure_data.py:1 -
- plugins/procedure_data.py:4 - SimProcedureData
- plugins/procedure_data.py:24 - SimProcedureData.clear
************* Module simuvex.plugins.fast_memory
- plugins/fast_memory.py:1 -
- plugins/fast_memory.py:11 - SimFastMemory
************* Module simuvex.plugins.gdb
- plugins/gdb.py:1 -
- plugins/gdb.py:120 - GDB._read_data
- plugins/gdb.py:126 - GDB._write
- plugins/gdb.py:131 - GDB._to_bvv
************* Module simuvex.plugins.symbolic_memory
- plugins/symbolic_memory.py:1 -
- plugins/symbolic_memory.py:15 - SimSymbolicMemory
- plugins/symbolic_memory.py:156 - SimSymbolicMemory._merge
- plugins/symbolic_memory.py:271 - SimSymbolicMemory._resolve_size_range
- plugins/symbolic_memory.py:301 - SimSymbolicMemory._concretization_strategy_norepeats
- plugins/symbolic_memory.py:312 - SimSymbolicMemory._concretization_strategy_symbolic
- plugins/symbolic_memory.py:321 - SimSymbolicMemory._concretization_strategy_symbolic_unoptimized
- plugins/symbolic_memory.py:327 - SimSymbolicMemory._concretization_strategy_symbolic_approx
- plugins/symbolic_memory.py:336 - SimSymbolicMemory._concretization_strategy_symbolic_nonzero
- plugins/symbolic_memory.py:345 - SimSymbolicMemory._concretization_strategy_symbolic_nonzero_approx
- plugins/symbolic_memory.py:354 - SimSymbolicMemory._concretization_strategy_max_approx
- plugins/symbolic_memory.py:361 - SimSymbolicMemory._concretization_strategy_max
- plugins/symbolic_memory.py:364 - SimSymbolicMemory._concretization_strategy_any_approx
- plugins/symbolic_memory.py:371 - SimSymbolicMemory._concretization_strategy_any
- plugins/symbolic_memory.py:374 - SimSymbolicMemory._concretization_strategy_norepeats_simple
- plugins/symbolic_memory.py:381 - SimSymbolicMemory._concretization_strategy_norepeats_range
- plugins/symbolic_memory.py:387 - SimSymbolicMemory._concretization_strategy_norepeats_min
- plugins/symbolic_memory.py:394 - SimSymbolicMemory._validate_strategy
- plugins/symbolic_memory.py:418 - SimSymbolicMemory._concretize_addr
- plugins/symbolic_memory.py:524 - SimSymbolicMemory._read_from
- plugins/symbolic_memory.py:836 - SimSymbolicMemory._store_with_merge
- plugins/symbolic_memory.py:873 - SimSymbolicMemory._store_with_merge.is_reversed
- plugins/symbolic_memory.py:878 - SimSymbolicMemory._store_with_merge.can_be_reversed
- plugins/symbolic_memory.py:943 - SimSymbolicMemory.unconstrain_byte
- plugins/symbolic_memory.py:948 - SimSymbolicMemory.unconstrain_differences
- plugins/symbolic_memory.py:955 - SimSymbolicMemory._is_uninitialized
- plugins/symbolic_memory.py:958 - SimSymbolicMemory._merge_values
************* Module simuvex.plugins.log
- plugins/log.py:1 -
- plugins/log.py:10 - SimStateLog
- plugins/log.py:21 - SimStateLog.actions
- plugins/log.py:26 - SimStateLog.add_event
- plugins/log.py:34 - SimStateLog._add_event
- plugins/log.py:37 - SimStateLog.add_action
- plugins/log.py:40 - SimStateLog.extend_actions
- plugins/log.py:43 - SimStateLog.events_of_type
- plugins/log.py:46 - SimStateLog.actions_of_type
- plugins/log.py:64 - SimStateLog.clear
************* Module simuvex.plugins.view
- plugins/view.py:1 -
- plugins/view.py:7 - SimRegNameView
- plugins/view.py:45 - SimMemView
- plugins/view.py:60 - SimMemView._deeper
- plugins/view.py:131 - SimMemView.resolvable
- plugins/view.py:135 - SimMemView.resolved
- plugins/view.py:141 - SimMemView.concrete
- plugins/view.py:147 - SimMemView.deref
- plugins/view.py:158 - SimMemView.store
************* Module simuvex.plugins.scratch
- plugins/scratch.py:1 -
- plugins/scratch.py:9 - SimStateScratch
- plugins/scratch.py:105 - SimStateScratch.clear
- plugins/scratch.py:110 - SimStateScratch.update_ignored_variables
************* Module simuvex.plugins.uc_manager
- plugins/uc_manager.py:1 -
- plugins/uc_manager.py:8 - SimUCManager
- plugins/uc_manager.py:60 - SimUCManager.get_alloc_depth
************* Module simuvex.plugins
- plugins/__init__.py:1 -
************* Module simuvex.s_errors
- s_errors.py:1 -
- s_errors.py:3 - SimError
- s_errors.py:10 - SimStateError
- s_errors.py:13 - SimMergeError
- s_errors.py:16 - SimMemoryError
- s_errors.py:19 - SimRegionMapError
- s_errors.py:22 - SimMemoryLimitError
- s_errors.py:25 - SimMemoryAddressError
- s_errors.py:28 - SimFastMemoryError
- s_errors.py:31 - SimEventError
- s_errors.py:34 - SimFileError
- s_errors.py:37 - SimPosixError
- s_errors.py:44 - SimSolverError
- s_errors.py:47 - SimSolverModeError
- s_errors.py:50 - SimValueError
- s_errors.py:53 - SimUnsatError
- s_errors.py:60 - SimOperationError
- s_errors.py:63 - UnsupportedIROpError
- s_errors.py:70 - SimExpressionError
- s_errors.py:73 - UnsupportedIRExprError
- s_errors.py:76 - SimCCallError
- s_errors.py:79 - UnsupportedCCallError
- s_errors.py:82 - SimUninitializedAccessError
- s_errors.py:94 - SimStatementError
- s_errors.py:97 - UnsupportedIRStmtError
- s_errors.py:100 - UnsupportedDirtyError
- s_errors.py:107 - SimRunError
- s_errors.py:110 - SimIRSBError
- s_errors.py:113 - SimProcedureError
- s_errors.py:116 - SimProcedureArgumentError
- s_errors.py:119 - SimFastPathError
- s_errors.py:122 - UnsupportedSyscallError
- s_errors.py:129 - SimSlicerError
- s_errors.py:136 - SimActionError
- s_errors.py:143 - SimCCError
- s_errors.py:150 - SimUCManagerError
- s_errors.py:153 - SimUCManagerAllocationError
************* Module simuvex.storage.memory_object
- storage/memory_object.py:1 -
- storage/memory_object.py:18 - SimMemoryObject.size
- storage/memory_object.py:25 - SimMemoryObject.base
- storage/memory_object.py:29 - SimMemoryObject.length
- storage/memory_object.py:33 - SimMemoryObject.object
- storage/memory_object.py:36 - SimMemoryObject.bytes_at
************* Module simuvex.storage.memory
- storage/memory.py:1 -
- storage/memory.py:93 - RegionMap.is_empty
- storage/memory.py:97 - RegionMap.stack_base
- storage/memory.py:107 - RegionMap.copy
- storage/memory.py:261 - MemoryStoreRequest._adjust_condition
- storage/memory.py:320 - SimMemory._resolve_location_name
- storage/memory.py:442 - SimMemory._store
- storage/memory.py:499 - SimMemory._store_cases
- storage/memory.py:651 - SimMemory._constrain_underconstrained_index
- storage/memory.py:668 - SimMemory._load
- storage/memory.py:698 - SimMemory._find
- storage/memory.py:723 - SimMemory._copy_contents
************* Module simuvex.storage.paged_memory
- storage/paged_memory.py:1 -
- storage/paged_memory.py:47 - Page.sinkhole
- storage/paged_memory.py:53 - Page.sorted_storage_keys
- storage/paged_memory.py:58 - Page.keys
- storage/paged_memory.py:88 - Page._get_object
- storage/paged_memory.py:121 - Page.copy
- storage/paged_memory.py:164 - SimPagedMemory.branch
- storage/paged_memory.py:206 - SimPagedMemory.load_bytes
- storage/paged_memory.py:246 - SimPagedMemory._create_page
- storage/paged_memory.py:249 - SimPagedMemory._initialize_page
- storage/paged_memory.py:314 - SimPagedMemory._get_page
- storage/paged_memory.py:344 - SimPagedMemory.keys
- storage/paged_memory.py:545 - SimPagedMemory._mark_updated_mapping
- storage/paged_memory.py:565 - SimPagedMemory._update_range_mappings
- storage/paged_memory.py:573 - SimPagedMemory._update_mappings
- storage/paged_memory.py:702 - SimPagedMemory.map_region
************* Module simuvex.storage
- storage/__init__.py:1 -
************* Module simuvex.storage.file
- storage/file.py:1 -
- storage/file.py:13 - Flags
- storage/file.py:35 - _deps_unpack
- storage/file.py:61 - SimFile.read_pos
- storage/file.py:69 - SimFile.write_pos
- storage/file.py:93 - SimFile.close
- storage/file.py:117 - SimFile.read_from
- storage/file.py:131 - SimFile.write
- storage/file.py:140 - SimFile.seek
- storage/file.py:151 - SimFile.all_bytes
************* Module simuvex.s_pcap
- s_pcap.py:1 -
- s_pcap.py:7 - PCAP
- s_pcap.py:20 - PCAP.initialize
- s_pcap.py:35 - PCAP.recv
- s_pcap.py:63 - PCAP.copy
************* Module simuvex.s_event
- s_event.py:1 -
- s_event.py:4 - SimEvent
- s_event.py:18 - SimEvent._copy_event
************* Module simuvex.s_variable
- s_variable.py:1 -
- s_variable.py:4 - SimVariable
- s_variable.py:8 - SimTemporaryVariable
- s_variable.py:29 - SimRegisterVariable
- s_variable.py:51 - SimMemoryVariable
- s_variable.py:128 - SimVariableSet.add_register_variable
- s_variable.py:132 - SimVariableSet.add_memory_variable
- s_variable.py:149 - SimVariableSet.discard_register_variable
- s_variable.py:153 - SimVariableSet.discard_memory_variable
- s_variable.py:165 - SimVariableSet.add_memory_variables
- s_variable.py:170 - SimVariableSet.copy
- s_variable.py:195 - SimVariableSet.contains_register_variable
- s_variable.py:201 - SimVariableSet.contains_memory_variable
************* Module simuvex.s_state
- s_state.py:1 -
- s_state.py:15 - arch_overrideable
- s_state.py:17 - arch_overrideable.wrapped_f
- s_state.py:113 - SimState._get_weakref
- s_state.py:116 - SimState._get_strongref
- s_state.py:123 - SimState.BV
- s_state.py:128 - SimState.BVV
- s_state.py:151 - SimState.memory
- s_state.py:155 - SimState.registers
- s_state.py:159 - SimState.se
- s_state.py:163 - SimState.inspect
- s_state.py:167 - SimState.log
- s_state.py:171 - SimState.scratch
- s_state.py:175 - SimState.posix
- s_state.py:179 - SimState.libc
- s_state.py:183 - SimState.cgc
- s_state.py:187 - SimState.regs
- s_state.py:191 - SimState.mem
- s_state.py:195 - SimState.gdb
- s_state.py:199 - SimState.procedure_data
- s_state.py:203 - SimState.uc_manager
- s_state.py:206 - SimState._inspect
- s_state.py:210 - SimState._inspect_getattr
- s_state.py:221 - SimState.has_plugin
- s_state.py:224 - SimState.get_plugin
- s_state.py:231 - SimState.register_plugin
- s_state.py:237 - SimState.release_plugin
- s_state.py:245 - SimState.simplify
- s_state.py:247 - SimState.add_constraints
- s_state.py:312 - SimState.satisfiable
- s_state.py:323 - SimState.downsize
- s_state.py:332 - SimState._copy_plugins
- s_state.py:485 - SimState.make_concrete_int
- s_state.py:498 - SimState.prepare_callsite
- s_state.py:582 - SimState.set_mode
- s_state.py:587 - SimState.thumb
- s_state.py:606 - SimState.with_condition
- s_state.py:608 - SimState.with_condition.ctx
- s_state.py:619 - SimState._adjust_condition
- s_state.py:627 - SimState._adjust_condition_list
************* Module simuvex.s_slicer
- s_slicer.py:1 -
- s_slicer.py:6 - SimLightState
- s_slicer.py:89 - SimSlicer._forward_handler_stmt_WrTmp
- s_slicer.py:117 - SimSlicer._forward_handler_expr_Get
- s_slicer.py:128 - SimSlicer._forward_handler_expr_RdTmp
- s_slicer.py:136 - SimSlicer._forward_handler_expr_Const
- s_slicer.py:140 - SimSlicer._forward_handler_expr_Binop
- s_slicer.py:152 - SimSlicer._forward_handler_expr_binop_Add64
- s_slicer.py:189 - SimSlicer._backward_handler_stmt
- s_slicer.py:198 - SimSlicer._backward_handler_stmt_WrTmp
- s_slicer.py:210 - SimSlicer._backward_handler_stmt_Put
- s_slicer.py:223 - SimSlicer._backward_handler_stmt_Store
- s_slicer.py:247 - SimSlicer._backward_handler_expr
- s_slicer.py:255 - SimSlicer._backward_handler_expr_RdTmp
- s_slicer.py:260 - SimSlicer._backward_handler_expr_Get
- s_slicer.py:265 - SimSlicer._backward_handler_expr_Load
- s_slicer.py:277 - SimSlicer._backward_handler_expr_Unop
- s_slicer.py:283 - SimSlicer._backward_handler_expr_CCall
- s_slicer.py:289 - SimSlicer._backward_handler_expr_Binop
************* Module simuvex.s_type
- s_type.py:1 -
- s_type.py:51 - SimType.view
- s_type.py:55 - SimType.name
- s_type.py:58 - SimType._refine_dir
- s_type.py:61 - SimType._refine
- s_type.py:67 - SimType.size
- s_type.py:72 - SimType.with_arch
- s_type.py:78 - SimType._with_arch
- s_type.py:126 - SimTypeReg.extract
- s_type.py:132 - SimTypeReg.store
- s_type.py:168 - SimTypeNum.extract
- s_type.py:177 - SimTypeNum.store
- s_type.py:236 - SimTypeLong
- s_type.py:326 - SimTypePointer.make
- s_type.py:361 - SimTypeFixedSizeArray.extract
- s_type.py:364 - SimTypeFixedSizeArray.store
- s_type.py:428 - SimTypeString.extract
- s_type.py:559 - SimStruct
- s_type.py:575 - SimStruct.offsets
- s_type.py:584 - SimStruct.extract
- s_type.py:688 - define_struct
- s_type.py:694 - parse_defns
- s_type.py:722 - parse_type
- s_type.py:737 - _decl_to_type
************* Module simuvex.s_action_object
- s_action_object.py:1 -
- s_action_object.py:11 - _raw_ast
- s_action_object.py:21 - _all_objects
- s_action_object.py:33 - ast_stripping_op
- s_action_object.py:38 - ast_preserving_op
- s_action_object.py:48 - ast_stripping_decorator
- s_action_object.py:50 - ast_stripping_decorator.ast_stripper
- s_action_object.py:76 - SimActionObject._preserving_unbound
- s_action_object.py:79 - SimActionObject._preserving_bound
- s_action_object.py:97 - SimActionObject.to_claripy
- s_action_object.py:100 - SimActionObject.copy
- s_action_object.py:107 - _operator
- s_action_object.py:108 - _operator.wrapper
- s_action_object.py:114 - make_methods
************* Module simuvex.s_action
- s_action.py:1 -
- s_action.py:36 - SimAction._desc
- s_action.py:46 - SimAction._make_object
- s_action.py:55 - SimAction._copy_object
- s_action.py:62 - SimAction.all_objects
- s_action.py:66 - SimAction.tmp_deps
- s_action.py:70 - SimAction.reg_deps
- s_action.py:73 - SimAction._copy_objects
- s_action.py:76 - SimAction.copy
************* Module simuvex.s_options
- s_options.py:1 -
On linux, when you open a file twice, you get two separate fds linked to the same underlying object. For normal files, the two fds have separate seek heads, but for devices, pipes, etc, they both have the same "seek head".
A bug related to not emulating this accurately was reported to me over email.
[15:14:51] [simuvex.plugins.unicorn] | ERROR: You are attempting to use unicorn engine support even though it or the simuvex compatibility layer isn't installed
This is because this unicorn SimEngine runs the cooldown decrement function in the _check_failed callback, regardless of the reason for failure. This should be moved to being called directly from the check function, ONLY when the state option is enabled, perhaps guarded by a few more checks.
Furthermore, we should use this as an opportunity to re-evaluate the need for a callback function at all. IMO it's a bit of a wart.
Playing around with an app that uses fgets, when the fgets SimProcedure notices that it runs out of room, it appears to prefer to force a newline character. While that's a valid character, it likely shouldn't force the newline at that point since the implicit EOF after that newline would be the end of fgets processing.
This seems to open the fgets simprocedure up to a very slight misinterpretation of valid fgets input.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.