How to use the angr.errors.SimValueError function in angr
To help you get started, we’ve selected a few angr examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
angr / angr / angr / analyses / veritesting.py View on Github 
# Currently we always skip the call, unless the target function satisfies one of the following conditions:
# 1) It's a SimProcedure that are in the whitelist
# 2) It's a function that has no loops, and no calls/syscalls,
# 3) It's a function that has no loops, and only has calls to another function that will not be filtered out by
# this filter
# Generate a CFG
ip = call_target_state.ip
if self.depth >= 5:
l.debug('Rejecting target %s - too deep, depth is %d', ip, self.depth)
return REJECT
try:
addr = call_target_state.solver.eval_one(ip)
except (SimValueError, SimSolverModeError):
self._skipped_targets.add(-1)
l.debug('Rejecting target %s - cannot be concretized', ip)
return REJECT
# Is it in our blacklist?
if addr in self.blacklist:
self._skipped_targets.add(addr)
l.debug('Rejecting target 0x%x - blacklisted', addr)
return REJECT
# If the target is a SimProcedure, is it on our whitelist?
if self.project.is_hooked(addr) and type(self.project._sim_procedures[addr][0]) in CallTracingFilter.whitelist:
# accept!
l.debug('Accepting target 0x%x, jumpkind %s', addr, jumpkind)
return ACCEPTreturn 4
if prot & 0x20:
return 5
if prot & 0x40:
return 7
if prot & 0x80:
return 7
if prot & 0x01:
return 0
if prot & 0x02:
return 1
if prot & 0x04:
return 3
if prot & 0x08:
return 3
raise angr.errors.SimValueError("Unknown windows memory protection constant: %#x" % prot)def run(self, code, addr): # pylint: disable=arguments-differ
if self.state.solver.symbolic(code):
raise angr.errors.SimValueError("Code value passed to arch_prctl must be concrete.")
code = self.state.solver.eval(code)
#ARCH_SET_GS
if code == 0x1001:
self.state.regs.gs = addr
#ARCH_SET_FS
elif code == 0x1002:
self.state.regs.fs = addr
#ARCH_GET_FS
elif code == 0x1003:
fs = self.state.regs.fs
self.state.memory.store(addr,fs)
#ARCH_GET_GS
elif code == 0x1004:
gs = self.state.regs.gsdef reg_concrete(self, *args, **kwargs):
"""
Returns the contents of a register but, if that register is symbolic,
raises a SimValueError.
"""
e = self.registers.load(*args, **kwargs)
if self.solver.symbolic(e):
raise SimValueError("target of reg_concrete is symbolic!")
return self.solver.eval(e)def debug_state(self, state):
b = self.b
try:
print '-----start dump_state-----'
self.dump_reg(state)
irsb = b.factory.block(state.addr).vex
cap = b.factory.block(state.addr).capstone
irsb.pp()
cap.pp()
print '-----end dump_state-----'
except angr.errors.SimEngineError:
print 'angr.errors.SimEngineError'
pass
except angr.errors.SimValueError:
print 'angr.errors.SimValueError:'
import IPython; IPython.embed()def run(self, addr, length, prot): #pylint:disable=arguments-differ,unused-argument
try:
addr = self.state.solver.eval_one(addr)
except angr.errors.SimValueError:
raise angr.errors.SimValueError("mprotect can't handle symbolic addr")
try:
length = self.state.solver.eval_one(length)
except angr.errors.SimValueError:
raise angr.errors.SimValueError("mprotect can't handle symbolic length")
try:
prot = self.state.solver.eval_one(prot)
except angr.errors.SimValueError:
raise angr.errors.SimValueError("mprotect can't handle symbolic prot")
l.debug('mprotect(%#x, %#x, %#x) = ...', addr, length, prot)
if addr & 0xfff != 0:
l.debug('... = -1 (not aligned)')
return -1
page_end = ((addr + length - 1) & ~0xfff) + 0x1000
try:
for page in range(addr, page_end, 0x1000):
self.state.memory.permissions(page)def run(self, lpAddress, dwSize, flNewProtect, lpfOldProtect):
l.debug("VirtualProtect(%s, %s, %s, %s)", lpAddress, dwSize, flNewProtect, lpfOldProtect)
addrs = self.state.solver.eval_upto(lpAddress, 2)
if len(addrs) != 1:
raise angr.errors.SimValueError("VirtualProtect can't handle symbolic lpAddress")
addr = addrs[0]
size = self.state.solver.max_int(dwSize)
if dwSize.symbolic and size > self.state.libc.max_variable_size:
l.warning('symbolic VirtuaProtect dwSize %s has maximum %#x, greater than state.libc.max_variable_size %#x',
dwSize, size, self.state.libc.max_variable_size)
size = self.state.libc.max_variable_size
prots = self.state.solver.eval_upto(flNewProtect, 2)
if len(prots) != 1:
raise angr.errors.SimValueError("VirtualProtect can't handle symbolic flNewProtect")
prot = prots[0]
try:
if not self.state.solver.is_false(self.state.memory.permissions(lpfOldProtect) & 2 == 0):
l.debug("...failed, bad lpfOldProtect (write-perm)")def deconvert_prot(prot):
"""
Convert from a angr bitmask to a windows memory protection constant
"""
if prot in (2, 6):
raise angr.errors.SimValueError("Invalid memory protection for windows process")
return [0x01, 0x02, None, 0x04, 0x10, 0x20, None, 0x40][prot]angr
A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries
Package Health Score
88 / 100Popular angr functions
- angr.analyses.AnalysesHub.register_default
- angr.analyses.identifier.func.TestData
- angr.errors
- angr.errors.AngrError
- angr.errors.SimMemoryError
- angr.errors.SimMergeError
- angr.errors.SimValueError
- angr.exploration_techniques
- angr.options
- angr.Project
- angr.sim_options
- angr.SIM_PROCEDURES
- angr.sim_state.SimState
- angr.sim_state.SimState.register_default
- angr.sim_type.SimTypeInt
- angr.SimProcedure
- angr.SimState
- angr.state_plugins.plugin.SimStatePlugin
- angr.state_plugins.sim_action.SimActionData
- angr.storage.memory_object.SimMemoryObject