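from __future__ import print_function

import os
import subprocess as sp

import angr

from claripy import BVS, BVV

# Minimal test program: `verify` spills its two pointer arguments to the
# stack and reads `user` back before comparing bytes.  The script below
# single-steps that reload under angr to check how a pointer written with
# state.memory.store() comes back in rax.
#
# NOTE: in C `==` binds tighter than `^`, so the condition is
# `(p[0] == u[1]) ^ u[2]`; left as written because only the pointer
# reload is exercised here.
src = """
#include <stdio.h>
#include <stdlib.h>

int verify(char* user, char* pass) {
    char* u = user;
    char* p = pass;
    if (p[0] == u[1] ^ u[2]) {
        return 1;
    } else {
        puts("nope");
        exit(1);
    }
}

int main(int argc, char* argv[]) {
    char* username = argv[1];
    char* password = argv[2];
    int b = verify(username, password);
    return b;
}
"""

# Build the binary once; the instruction indices below assume this exact
# gcc/x86_64 code layout.
if not os.path.exists("./test"):
    print("compiling binary. Test this on x86_64.")
    with open("./test.c", "w") as f:
        f.write(src)
    # I compiled with gcc version 6.3.1 20161221 (Red Hat 6.3.1-1) (GCC)
    # on fedora 25 x86_64
    sp.check_call(['make', 'test'])

proj = angr.Project('./test',
                    load_options={"auto_load_libs": False})
verify_addr = proj.loader.main_bin.get_symbol('verify').addr
block = proj.factory.block(verify_addr)
print("got the function")
block.pp()
# Disassembly of `verify` as compiled above:
#   0x400546: push rbp
#   0x400547: mov rbp, rsp
#   0x40054a: sub rsp, 0x20
#   0x40054e: mov qword ptr [rbp - 0x18], rdi
#   0x400552: mov qword ptr [rbp - 0x20], rsi
#   0x400556: mov rax, qword ptr [rbp - 0x18]
#   ...

# Begin at the sixth instruction, the `mov rax, [rbp - 0x18]` that reloads
# the `user` pointer; the prologue it skips is redone by hand below.
start_addr = block.capstone.insns[5].insn.address
alloca = 0x20   # frame size from `sub rsp, 0x20`
offset = 0x18   # stack slot holding `user`, from `[rbp - 0x18]`

# angr's memory.store()/load() default to big-endian byte order, while the
# x86_64 `mov` reads the slot little-endian.  Storing the pointer in the
# guest's byte order is what makes the reload match the value stored;
# without it rax comes back byte-reversed (0x7856341200000000).
endness = proj.arch.memory_endness

bvs = BVS("bvs", 12 * 8)            # symbolic buffer standing in for `user`
bvs_addr = BVV(0x12345678, 64)      # concrete address the buffer lives at
# create a initial state
initial_state = proj.factory.blank_state(addr=start_addr)

print("setting up state")
# manually do function prologue
initial_state.regs.rbp = initial_state.regs.rsp
initial_state.regs.rsp -= alloca
initial_state.memory.store(bvs_addr, bvs)
# Write the pointer into the `user` slot in guest byte order.
ptr_slot = initial_state.regs.rbp - offset
initial_state.memory.store(ptr_slot, bvs_addr, endness=endness)

print("rsp =", initial_state.regs.rsp)
print("rbp =", initial_state.regs.rbp)
print("bvs @ ", bvs_addr)
print("ptr @ ", ptr_slot)
block = proj.factory.block(initial_state.ip.args[0])
print("executing the following instruction:")
print(str(block.capstone.insns[0]))
path = proj.factory.path(initial_state)
p = path.step(num_inst=1)[0]
print("expecting rax == [rbp - 0x{:x}]".format(offset))
print("rax =", p.state.regs.rax)
# Read the slot back with the same endness so the printed value is
# comparable to rax.
print("[rbp - 0x{:x}] =".format(offset),
      p.state.memory.load(p.state.regs.rbp - offset, endness=endness))
# With the store done in guest byte order, rax holds the pointer as stored
# and no `.reversed` is needed to compare it.
assert p.state.regs.rax.args[0] == bvs_addr.args[0]

# Output observed BEFORE the endness fix (store without endness=):
#   setting up state
#   rsp = <BV64 0x7fffffffffeffe0>
#   rbp = <BV64 0x7ffffffffff0000>
#   bvs @ <BV64 0x12345678>
#   ptr @ <BV64 0x7fffffffffeffe8>
#   executing the following instruction:
#   0x400556: mov rax, qword ptr [rbp - 0x18]
#   expecting rax == [rbp - 0x18]
#   rax = <BV64 0x7856341200000000>
#   [rbp - 0x18] = <BV64 0x12345678>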