From d57fbab54695341af906b705b6e65deaedb9f738 Mon Sep 17 00:00:00 2001
From: Kevin Phoenix
Date: Fri, 20 Sep 2024 19:53:57 -0700
Subject: [PATCH 1/2] Make claripy true and false functions
---
 angr_platforms/bf/engine_bf.py | 6 +++---
 angr_platforms/ct64/ct64_engine.py | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/angr_platforms/bf/engine_bf.py b/angr_platforms/bf/engine_bf.py
index 3e54284..4b5db7a 100644
--- a/angr_platforms/bf/engine_bf.py
+++ b/angr_platforms/bf/engine_bf.py
@@ -96,7 +96,7 @@ def process_successors(self, successors, **kwargs):
 # ...except if it IS symbolic. That means we ran off the memory.
 # Drop the mic and go home. We're done here.
 the_end = state.copy()
- successors.add_successor(the_end, state.ip, claripy.true, "Ijk_Exit", add_guard=False, exit_stmt_idx=-1,
+ successors.add_successor(the_end, state.ip, claripy.true(), "Ijk_Exit", add_guard=False, exit_stmt_idx=-1,
 exit_ins_addr=state.ip, source=my_block)
 break
 # Step 1: Decode. If it's a....
@@ -121,7 +121,7 @@ def process_successors(self, successors, **kwargs):
 newstate = state.copy()
 newstate.regs.inout = 1 # Set this to 0 to cause a write syscall
 newstate.ip = state.ip + 1
- successors.add_successor(newstate, newstate.ip, claripy.true, "Ijk_Syscall",
+ successors.add_successor(newstate, newstate.ip, claripy.true(), "Ijk_Syscall",
 add_guard=False, exit_stmt_idx=-1, exit_ins_addr=state.ip, source=my_block)
 # Syscalls, even fake ones like this, end a basic block.
 break
@@ -130,7 +130,7 @@ def process_successors(self, successors, **kwargs):
 new_state = state.copy()
 new_state.regs.inout = 0 # This must be 0 when we do a syscall to get a read!
 new_state.ip = state.ip + 1
- successors.add_successor(new_state, new_state.ip, claripy.true, "Ijk_Syscall",
+ successors.add_successor(new_state, new_state.ip, claripy.true(), "Ijk_Syscall",
 add_guard=False, exit_stmt_idx=-1, exit_ins_addr=state.ip, source=my_block)
 # Syscalls, even fake ones like this, end the basic block
 break
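Review bot: The added `claripy.true()` call only works against a claripy release in which `true`/`false` are callables; on releases that still expose them as constant Bool ASTs the call would fail with a `TypeError` the first time this exit is taken, so the package's claripy version floor should move in the same change (the dependency metadata is not part of this patch, so I cannot see whether it already has). The same point applies to the 121 and 130 hunks of this file and to the ct64_engine.py hunk, which make the identical substitution. process_successors begins above the hunk and continues below it.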
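Review bot: The context line `newstate.regs.inout = 1 # Set this to 0 to cause a write syscall` documents the opposite of what it assigns, and the 130 hunk's `new_state.regs.inout = 0 # This must be 0 when we do a syscall to get a read!` states that 0 selects a read, so a reader who follows the comment would flip the syscall direction. Assuming 1 is indeed the write selector, the comment should read `newstate.regs.inout = 1  # 1 selects the write syscall; 0 selects a read (see the ',' branch)`. The commit does not touch this line, but it is the line being reviewed either way; the enclosing process_successors body lies outside the hunk.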
diff --git a/angr_platforms/ct64/ct64_engine.py b/angr_platforms/ct64/ct64_engine.py
index c22405b..2cd5480 100644
--- a/angr_platforms/ct64/ct64_engine.py
+++ b/angr_platforms/ct64/ct64_engine.py
@@ -81,7 +81,7 @@ def execute(self, state, successors):
 state.regs._ip += self.LEN
 state.memory.store(dest, value)
- successors.add_successor(state, state.regs._ip, claripy.true, 'Ijk_Boring')
+ successors.add_successor(state, state.regs._ip, claripy.true(), 'Ijk_Boring')
 def value(self, state):
 raise NotImplementedError
From c668c9809e49609e730bad476457af4c9d77b4f1 Mon Sep 17 00:00:00 2001
From: Kevin Phoenix
Date: Fri, 20 Sep 2024 20:27:30 -0700
Subject: [PATCH 2/2] Improve lint
---
 angr_platforms/bf/engine_bf.py | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/angr_platforms/bf/engine_bf.py b/angr_platforms/bf/engine_bf.py
index 4b5db7a..a7a7cf7 100644
--- a/angr_platforms/bf/engine_bf.py
+++ b/angr_platforms/bf/engine_bf.py
@@ -41,8 +41,8 @@ def resolve_jump(self, state, addr):
 state.scratch.jump_table = self._build_jump_table(state)
 try:
 return state.scratch.jump_table[addr]
- except KeyError:
- raise ValueError("There is no entry in the jump table at address %d" % addr)
+ except KeyError as err:
+ raise ValueError("There is no entry in the jump table at address %d" % addr) from err
 #def lift(self, addr=None, clemory=None, insn_bytes=None, size=None, arch=None, **kwargs):
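Review bot: The new `raise ValueError("There is no entry in the jump table at address %d" % addr) from err` keeps the `%d` conversion, so if `addr` ever reaches this handler as something other than an int-like value (a symbolic bitvector, for instance) the formatting itself raises a `TypeError` and the intended ValueError is never produced. I cannot see from the hunk how `addr` is derived, so this is hedged; if it can only be concrete here, the lint-consistent form is `raise ValueError(f"There is no entry in the jump table at address {addr}") from err`, which also degrades gracefully for non-integer inputs. The `from err` chaining added by the commit is the right fix for the lost cause. resolve_jump begins above the hunk.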
@@ -96,25 +96,33 @@ def process_successors(self, successors, **kwargs):
 # ...except if it IS symbolic. That means we ran off the memory.
 # Drop the mic and go home. We're done here.
 the_end = state.copy()
- successors.add_successor(the_end, state.ip, claripy.true(), "Ijk_Exit", add_guard=False, exit_stmt_idx=-1,
- exit_ins_addr=state.ip, source=my_block)
+ successors.add_successor(
+ the_end,
+ state.ip,
+ claripy.true(),
+ "Ijk_Exit",
+ add_guard=False,
+ exit_stmt_idx=-1,
+ exit_ins_addr=state.ip,
+ source=my_block
+ )
 break
 # Step 1: Decode. If it's a....
 if inst == '>':
 # Increment ptr
- state.regs.ptr = (state.regs.ptr + 1)
+ state.regs.ptr = state.regs.ptr + 1
 elif inst == "<":
- state.regs.ptr = (state.regs.ptr - 1)
+ state.regs.ptr = state.regs.ptr - 1
 elif inst == "-":
 # Decrement the byte at ptr in memory
 # NOTE: We're doing the "wrap-around" variation of BF
 oldval = state.memory.load(state.regs.ptr, 1)
- newval = (oldval - 1)
+ newval = oldval - 1
 state.memory.store(state.regs.ptr, newval, 1)
 elif inst == "+":
 # Increment the byte at ptr in memory
 oldval = state.memory.load(state.regs.ptr, 1)
- newval = (oldval + 1)
+ newval = oldval + 1
 state.memory.store(state.regs.ptr, newval, 1)
 elif inst == ".":
 # Syscall: write byte at mem to stdout
@@ -184,4 +192,3 @@ class UberEngineWithBF(angr.engines.UberEngine, BFMixin):
 This is a class that "mixes" together the standard symbolic execution stack and the brainfuck interpreter. Giving it to angr will do everything we want. """
- pass
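Review bot: The reflowed `successors.add_successor(` call ends its argument list with `source=my_block` and no trailing comma before the closing `)`, which does not match the one-argument-per-line layout a formatter such as black produces and means the next argument added here shows up as a two-line diff; write `source=my_block,`. While these lines are being touched, the `elif inst == "<":` branch is the only pointer-arithmetic branch without a comment; a `# Decrement ptr` line mirroring the `# Increment ptr` above it would keep the four branches parallel. The `ptr` and byte updates themselves are otherwise unchanged in meaning by the parenthesis removal. process_successors begins before the hunk and continues after it.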