1. Advisor
  2. angr
  3. functions
  4. angr.sim_type.SimTypeInt
View all angr analysis

How to use the angr.sim_type.SimTypeInt function in angr

To help you get started, we’ve selected a few angr examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github fabros / angr-antievasion / testing / utilities / aux_simprocs.py View on Github external
def run(self, c):
        self.argument_types = {0: angr.sim_type.SimTypeInt(self.state.arch, True)}
        self.return_type = angr.sim_type.SimTypeInt(self.state.arch, True)

        ret_expr = self.state.solver.If(
            self.state.solver.And(c >= 65, c <= 90),  # A - Z
            c + 32, c)
        l.info('{} @ {}: {} => {}'.format(
            self.display_name, self.state.memory.load(self.state.regs.esp, 4, endness=self.arch.memory_endness),
            c, ret_expr))
        return ret_expr
github angr / angr / angr / procedures / libc / puts.py View on Github external
def run(self, string):
        self.argument_types = {0: self.ty_ptr(SimTypeString())}
        self.return_type = SimTypeInt(32, True)

        stdout = self.state.posix.get_fd(1)
        if stdout is None:
            return -1

        strlen = angr.SIM_PROCEDURES['libc']['strlen']
        length = self.inline_call(strlen, string).ret_expr
        out = stdout.write(string, length)
        stdout.write_data(self.state.solver.BVV(b'\n'))
        return out + 1
github angr / angr / angr / analyses / identifier / runner.py View on Github external
def get_base_call_state(self, function, test_data, initial_state=None, concrete_rand=False):
        curr_buf_loc = 0x2000
        mapped_input = []
        s = self.setup_state(function, test_data, initial_state, concrete_rand=concrete_rand)

        for i in test_data.input_args:
            if isinstance(i, (bytes, claripy.ast.BV)):
                s.memory.store(curr_buf_loc, i)
                mapped_input.append(curr_buf_loc)
                curr_buf_loc += max(len(i), 0x1000)
            else:
                if not isinstance(i, int):
                    raise Exception("Expected int/bytes got %s" % type(i))
                mapped_input.append(i)

        inttype = SimTypeInt(self.project.arch.bits, False)
        func_ty = SimTypeFunction([inttype] * len(mapped_input), inttype)
        cc = self.project.factory.cc(func_ty=func_ty)
        call = IdentifierCallable(self.project, function.startpoint.addr, concrete_only=True,
                        cc=cc, base_state=s, max_steps=test_data.max_steps)
        return call.get_base_state(*mapped_input)
github angr / angr / angr / procedures / glibc / _IO_getc.py View on Github external
def run(self, f_p):
        self.argument_types = {0: SimTypeFd()}
        self.return_type = SimTypeInt(32, True)

        fileno = angr.SIM_PROCEDURES['posix']['fileno']
        fd = self.inline_call(fileno, f_p).ret_expr

        # let's get the memory back for the file we're interested in and find
        # the newline
        fp = self.state.posix.get_file(fd)
        pos = fp.pos

        max_str_len = self.state.libc.max_str_len

        # if there exists a limit on the file size, let's respect that, the
        # limit cannot be symbolic
        limit = max_str_len if fp.size is None else self.state.se.max_int(
            fp.size - pos)
github angr / angr-doc / examples / flareon2015_10 / solve.py View on Github external
def main():
    p = angr.Project('challenge-7.sys', load_options={'auto_load_libs': False})

    # Set a zero-length hook, so our function got executed before calling the
    # function tea_decrypt(0x100f0), and then we can keep executing the original
    # code. Thanks to this awesome design by @rhelmot!
    p.hook(0xadc31, before_tea_decrypt, length=0)

    # Declare the prototype of the target function
    prototype = SimTypeFunction((SimTypeInt(False),), SimTypeInt(False))
    # Initialize the function instance
    proc_big_68 = p.factory.callable(BIG_PROC, cc=p.factory.cc(func_ty=prototype), toc=None, concrete_only=True)
    # Call the function and get the final state
    proc_big_68.perform_call(0)
    state = proc_big_68.result_state
    # Load the string from memory
    return hex(state.solver.eval(state.memory.load(ARRAY_ADDRESS, 40)))[2:-1].decode('hex').strip('\0')
github angr / angr / angr / procedures / msvcr / _initterm.py View on Github external
def run(self, fp_a, fp_z):
        self.argument_types = {0: self.ty_ptr(SimTypeInt()),
                               1: self.ty_ptr(SimTypeInt())
        }
        self.return_type = SimTypeInt()

        if self.state.solver.symbolic(fp_a) or self.state.solver.symbolic(fp_z):
            l.warn("Symbolic argument to _initterm{_e} is not supported... returning")
            return 0 # might as well try to keep going

        self.callbacks = self.get_callbacks(fp_a, fp_z)
        self.do_callbacks(fp_a, fp_z)
github angr / angr / angr / procedures / glibc / __isoc99_scanf.py View on Github external
def run(self, fmt):
        #pylint:disable=attribute-defined-outside-init

        self.argument_types = {0: self.ty_ptr(SimTypeString())}
        self.return_type = SimTypeInt(self.state.arch.bits, True)

        fmt_str = self._parse(0)

        # we're reading from stdin so the region is the file's content
        f = self.state.posix.get_file(0)
        region = f.content
        start = f.pos

        (end, items) = fmt_str.interpret(start, 1, self.arg, region=region)

        # do the read, correcting the internal file position and logging the action
        self.state.posix.read_from(0, end - start)

        return items
github angr / angr / angr / procedures / libc / memset.py View on Github external
def run(self, dst_addr, char, num):
        char = char[7:0]

        self.argument_types = {0: self.ty_ptr(SimTypeTop()),
                       1: SimTypeInt(32, True), # ?
                       2: SimTypeLength(self.state.arch)}
        self.return_type = self.ty_ptr(SimTypeTop())

        if self.state.solver.symbolic(num):
            l.debug("symbolic length")
            max_size = self.state.solver.min_int(num) + self.state.libc.max_buffer_size
            write_bytes = self.state.solver.Concat(*([ char ] * max_size))
            self.state.memory.store(dst_addr, write_bytes, size=num)
        else:
            max_size = self.state.solver.eval(num)
            l.debug("memset writing %d bytes", max_size)

            offset = 0
            while offset < max_size:
                chunksize = min(max_size - offset, 0x1000)
github angr / angr / angr / procedures / win32 / InterlockedExchange.py View on Github external
def run(self, target, value): #pylint:disable=arguments-differ
        self.argument_types = {0: self.ty_ptr(SimTypeInt()),
                               1: SimTypeInt()
        }
        self.return_type = SimTypeInt()

        if not self.state.solver.symbolic(target):
            old_value = self.state.memory.load(target, 4, endness=self.state.arch.memory_endness)
            self.state.memory.store(target, value)
        else:
            old_value = self.state.solver.Unconstrained("unconstrained_ret_%s" % self.display_name, self.state.arch.bits)

        return old_value

angr

A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries

GitHub
BSD-2-Clause
Latest version published 14 days ago

Package Health Score

88 / 100
Full package analysis

Popular angr functions

Similar packages