How to use the ailment.Expr.StackBaseOffset function in ailment
To help you get started, we’ve selected a few ailment examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
angr / angr / angr / analyses / propagator / engine_ail.py View on Github 
def _ail_handle_Store(self, stmt):
addr = self._expr(stmt.addr)
data = self._expr(stmt.data)
if isinstance(addr, Expr.StackBaseOffset):
# Storing data to a stack variable
self.state.store_variable(Expr.Load(None, addr, data.bits // 8, stmt.endness), data)def check_bp_save_fauxware(arch):
p = angr.Project(os.path.join(test_location, arch, 'fauxware'), auto_load_libs=False)
p.analyses.CFGFast()
main = p.kb.functions['main']
dra = p.analyses.Decompiler(main)
first_block_stmts = dra.codegen._sequence.nodes[0].nodes[0].statements
for stmt in first_block_stmts:
if isinstance(stmt, ailment.Stmt.Store):
nose.tools.assert_false(
(isinstance(stmt.data, ailment.Expr.Register)
and stmt.data.reg_offset == p.arch.bp_offset)
or (isinstance(stmt.data, ailment.Expr.StackBaseOffset)
and stmt.data.offset == 0))def _find_retaddr_save_stmt(self):
first_block = self._get_block(self._func.addr)
for idx, stmt in enumerate(first_block.statements):
if isinstance(stmt, ailment.Stmt.Store) \
and isinstance(stmt.addr, ailment.Expr.StackBaseOffset) \
and isinstance(stmt.data, ailment.Expr.Register) \
and stmt.data.reg_offset == self.project.arch.bp_offset \
and stmt.addr.offset < 0:
return first_block, idx
if isinstance(stmt, ailment.Stmt.Store) \
and isinstance(stmt.addr, ailment.Expr.StackBaseOffset) \
and isinstance(stmt.data, ailment.Expr.StackBaseOffset) \
and stmt.data.offset == 0 \
and stmt.addr.offset < 0:
return first_block, idxfrom .sbo import SimIRExpr_StackBaseOffset
EXPR_CLASSES = {
# ailment.Expr.Atom: SimIRExpr_Atom,
ailment.Expr.Const: SimIRExpr_Const,
# ailment.Expr.Tmp: SimIRExpr_Tmp,
# ailment.Expr.Register: SimIRExpr_Register,
# ailment.Expr.Op: SimIRExpr_Op,
# ailment.Expr.UnaryOp: SimIRExpr_UnaryOp,
# ailment.Expr.Convert: SimIRExpr_Convert,
# ailment.Expr.BinaryOp: SimIRExpr_BinaryOp,
# ailment.Expr.Load: SimIRExpr_Load,
# ailment.Expr.ITE: SimIRExpr_ITE,
# ailment.Expr.DirtyExpression: SimIRExpr_DirtyExpression,
# ailment.Expr.BasePointerOffset: SimIRExpr_BasePointerOffset,
ailment.Expr.StackBaseOffset: SimIRExpr_StackBaseOffset,
}def _ail_handle_Register(self, expr):
# Special handling for SP and BP
if self._stack_pointer_tracker is not None:
if expr.reg_offset == self.arch.sp_offset:
sb_offset = self._stack_pointer_tracker.offset_before(self.ins_addr, self.arch.sp_offset)
if sb_offset is not None:
new_expr = Expr.StackBaseOffset(None, self.arch.bits, sb_offset)
self.state.add_replacement(self._codeloc(), expr, new_expr)
return new_expr
elif expr.reg_offset == self.arch.bp_offset:
sb_offset = self._stack_pointer_tracker.offset_before(self.ins_addr, self.arch.bp_offset)
if sb_offset is not None:
new_expr = Expr.StackBaseOffset(None, self.arch.bits, sb_offset)
self.state.add_replacement(self._codeloc(), expr, new_expr)
return new_expr
new_expr = self.state.get_variable(expr)
if new_expr is not None:
l.debug("Add a replacement: %s with %s", expr, new_expr)
self.state.add_replacement(self._codeloc(), expr, new_expr)
expr = new_expr
return exprdef _find_canary_init_stmt(self):
first_block = self._get_block(self._func.addr)
for idx, stmt in enumerate(first_block.statements):
if isinstance(stmt, ailment.Stmt.Store) \
and isinstance(stmt.addr, ailment.Expr.StackBaseOffset) \
and isinstance(stmt.data, ailment.Expr.Load) \
and self._is_add(stmt.data.addr):
# Check addr: must be fs+0x28
op0, op1 = stmt.data.addr.operands
if isinstance(op1, ailment.Expr.Register):
op0, op1 = op1, op0
if isinstance(op0, ailment.Expr.Register) and isinstance(op1, ailment.Expr.Const):
if op0.reg_offset == self.project.arch.get_register_offset('fs') and op1.value == 0x28:
return first_block, idx
return Nonenot negated and condition.op == "CmpEQ" or
negated and condition.op == "CmpNE"
):
pass
else:
continue
expr = condition.operands[0]
if not isinstance(expr, ailment.Expr.UnaryOp):
continue
if expr.op != "Xor":
continue
op0, op1 = expr.operands
if not isinstance(op0, ailment.Expr.Load):
continue
if not isinstance(op0.addr, ailment.Expr.StackBaseOffset):
continue
if op0.addr.offset != s2u(canary_value_stack_offset, self.project.arch.bits):
continue
if not isinstance(op1, ailment.Expr.Load):
continue
if not isinstance(op1.addr, ailment.Expr.BinaryOp):
continue
if not op1.addr.op == "Add":
continue
if not isinstance(op1.addr.operands[0], ailment.Expr.Const):
continue
if op1.addr.operands[0].value != 0x28:
continue
if not isinstance(op1.addr.operands[1], ailment.Expr.Register):
continue
if op1.addr.operands[1].reg_offset != self.project.arch.get_register_offset('fs'):ConditionalBreakNode: self._handle_ConditionalBreak,
MultiNode: self._handle_MultiNode,
Block: self._handle_AILBlock,
# AIL statements
Stmt.Store: self._handle_Stmt_Store,
Stmt.Assignment: self._handle_Stmt_Assignment,
Stmt.Call: self._handle_Stmt_Call,
# AIL expressions
Expr.Register: self._handle_Expr_Register,
Expr.Load: self._handle_Expr_Load,
Expr.Tmp: self._handle_Expr_Tmp,
Expr.Const: self._handle_Expr_Const,
Expr.UnaryOp: self._handle_Expr_UnaryOp,
Expr.BinaryOp: self._handle_Expr_BinaryOp,
Expr.Convert: self._handle_Expr_Convert,
Expr.StackBaseOffset: self._handle_Expr_StackBaseOffset,
Expr.DirtyExpression: self._handle_Expr_Dirty,
# SimVariables
SimStackVariable: self._handle_Variable_SimStackVariable,
SimRegisterVariable: self._handle_Variable_SimRegisterVariable,
}
self._analyze()
Popular ailment functions
- ailment.Block
- ailment.Expr
- ailment.Expr.BasePointerOffset
- ailment.Expr.BinaryOp
- ailment.Expr.Const
- ailment.Expr.Convert
- ailment.Expr.DirtyExpression
- ailment.Expr.Expression
- ailment.Expr.Load
- ailment.Expr.Register
- ailment.Expr.StackBaseOffset
- ailment.Expr.Tmp
- ailment.Expr.UnaryOp
- ailment.IRSBConverter.convert
- ailment.Stmt
- ailment.Stmt.Assignment
- ailment.Stmt.Call
- ailment.Stmt.ConditionalJump
- ailment.Stmt.Jump
- ailment.Stmt.Store