How to use claripy - 10 common examples
To help you get started, we’ve selected a few claripy examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
angr / angr / angr / procedures / stubs / format_parser.py View on Github 
if simfd is not None and isinstance(simfd.read_storage, SimPackets):
argnum = startpos
for component in self.components:
if type(component) is bytes:
sdata, _ = simfd.read_data(len(component), short_reads=False)
self.state.solver.add(sdata == component)
elif isinstance(component, claripy.Bits):
sdata, _ = simfd.read_data(len(component) // 8, short_reads=False)
self.state.solver.add(sdata == component)
elif component.spec_type == b's':
if component.length_spec is None:
sdata, slen = simfd.read_data(self.state.libc.buf_symbolic_bytes)
else:
sdata, slen = simfd.read_data(component.length_spec)
for byte in sdata.chop(8):
self.state.solver.add(claripy.And(*[byte != char for char in self.SCANF_DELIMITERS]))
self.state.memory.store(args(argnum), sdata, size=slen)
self.state.memory.store(args(argnum) + slen, claripy.BVV(0, 8))
argnum += 1
elif component.spec_type == b'c':
sdata, _ = simfd.read_data(1, short_reads=False)
self.state.memory.store(args(argnum), sdata)
argnum += 1
else:
bits = component.size * 8
if component.spec_type == b'x':
base = 16
elif component.spec_type == b'o':
base = 8
else:
base = 10if self.is_signed:
quotient = (args[0].SDiv(claripy.SignExt(self._from_size - self._to_size, args[1])))
remainder = (args[0].SMod(claripy.SignExt(self._from_size - self._to_size, args[1])))
quotient_size = self._to_size
remainder_size = self._to_size
return claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient)
)
else:
quotient = (args[0] // claripy.ZeroExt(self._from_size - self._to_size, args[1]))
remainder = (args[0] % claripy.ZeroExt(self._from_size - self._to_size, args[1]))
quotient_size = self._to_size
remainder_size = self._to_size
return claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient)
)def _op_divmod(self, args):
if self.is_signed:
quotient = (args[0].SDiv(claripy.SignExt(self._from_size - self._to_size, args[1])))
remainder = (args[0].SMod(claripy.SignExt(self._from_size - self._to_size, args[1])))
quotient_size = self._to_size
remainder_size = self._to_size
return claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient)
)
else:
quotient = (args[0] // claripy.ZeroExt(self._from_size - self._to_size, args[1]))
remainder = (args[0] % claripy.ZeroExt(self._from_size - self._to_size, args[1]))
quotient_size = self._to_size
remainder_size = self._to_size
return claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient)
)quotient = (args[0].SDiv(claripy.SignExt(self._from_size - self._to_size, args[1])))
remainder = (args[0].SMod(claripy.SignExt(self._from_size - self._to_size, args[1])))
quotient_size = self._to_size
remainder_size = self._to_size
return claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient)
)
else:
quotient = (args[0] // claripy.ZeroExt(self._from_size - self._to_size, args[1]))
remainder = (args[0] % claripy.ZeroExt(self._from_size - self._to_size, args[1]))
quotient_size = self._to_size
remainder_size = self._to_size
return claripy.Concat(
claripy.Extract(remainder_size - 1, 0, remainder),
claripy.Extract(quotient_size - 1, 0, quotient)
)def test_simple_concrete():
s = SimState(arch="AMD64")
addr = 0xba5e0
def check_read(val):
nose.tools.assert_equal(s.solver.eval(s.memory.load(addr, 8, endness=Endness.LE), cast_to=int), val)
nose.tools.assert_equal(s.mem[addr].char.concrete, chr(val & 0xFF).encode())
nose.tools.assert_equal(s.mem[addr].byte.concrete, val & 0xFF)
nose.tools.assert_equal(s.mem[addr].int16_t.concrete, ctypes.c_int16(val & 0xFFFF).value)
nose.tools.assert_equal(s.mem[addr].uint16_t.concrete, val & 0xFFFF)
nose.tools.assert_equal(s.mem[addr].qword.concrete, val)
s.memory.store(addr, claripy.BVV(0x11223344aabbcc7d, 64), endness=Endness.LE)
check_read(0x11223344aabbcc7d)
# test storing
s.mem[addr].uint16_t = 0xef6d
check_read(0x11223344aabbef6d)def solv_concrete_engine_linux_x86(p, entry_state):
new_concrete_state = execute_concretly(p, entry_state, BINARY_DECISION_ADDRESS, [], [])
arg0 = claripy.BVS('arg0', 8*32)
symbolic_buffer_address = new_concrete_state.regs.ebp-0xa0
new_concrete_state.memory.store(symbolic_buffer_address, arg0)
# symbolic exploration
simgr = p.factory.simgr(new_concrete_state)
exploration = simgr.explore(find=DROP_STAGE2_V1, avoid=[DROP_STAGE2_V2, VENV_DETECTED, FAKE_CC])
if not exploration.stashes['found'] and exploration.errored and type(exploration.errored[0].error) is angr.errors.SimIRSBNoDecodeError:
raise nose.SkipTest()
new_symbolic_state = exploration.stashes['found'][0]
binary_configuration = new_symbolic_state.solver.eval(arg0, cast_to=int)
execute_concretly(p, new_symbolic_state, BINARY_EXECUTION_END, [(symbolic_buffer_address, arg0)], [])
correct_solution = 0xa000000f9ffffff000000000000000000000000000000000000000000000000
nose.tools.assert_true(binary_configuration == correct_solution)def test_ppc32():
arger_ppc32 = angr.Project(os.path.join(test_location, 'ppc', 'argc_symbol'))
r_addr = [0x1000043C, 0x10000474, 0x100004B0]
sargc = claripy.BVS('argc', 32)
s = arger_ppc32.factory.entry_state(args = [claripy.BVS('arg_0', 40*8), claripy.BVS('arg_1', 40*8), claripy.BVS('arg_2', 40*8)], env ={"HOME": "/home/angr"}, argc=sargc)
pg = arger_ppc32.factory.simulation_manager(s).explore(find=r_addr, num_find=100)
_verify_results(pg, sargc)def solv_concrete_engine_linux_arm(p, entry_state):
new_concrete_state = execute_concretly(p, entry_state, BINARY_DECISION_ADDRESS, [])
arg0 = claripy.BVS('arg0', 5 * 32)
symbolic_buffer_address = new_concrete_state.regs.r3
new_concrete_state.memory.store(symbolic_buffer_address, arg0)
simgr = p.factory.simgr(new_concrete_state)
print("Symbolically executing BINARY to find dropping of second stage [ address: " + hex(DROP_STAGE2_V1) + " ]")
exploration = simgr.explore(find=DROP_STAGE2_V2, avoid=[DROP_STAGE2_V1, VENV_DETECTED, FAKE_CC])
if not exploration.stashes['found'] and exploration.errored and type(exploration.errored[0].error) is angr.errors.SimIRSBNoDecodeError:
raise nose.SkipTest()
new_symbolic_state = exploration.stashes['found'][0]
binary_configuration = new_symbolic_state.solver.eval(arg0, cast_to=int)
print("Executing BINARY concretely with solution found until the end " + hex(BINARY_EXECUTION_END))
execute_concretly(p, new_symbolic_state, BINARY_EXECUTION_END, [(symbolic_buffer_address, arg0)])def test_self_modifying_code():
p = angr.Project(os.path.join(test_location, 'cgc', 'stuff'))
pg = p.factory.simulation_manager(p.factory.entry_state(add_options={o.STRICT_PAGE_ACCESS}))
pg.step(until=lambda lpg: len(lpg.active) != 1)
retval = pg.one_deadended.regs.ebx
nose.tools.assert_true(claripy.is_true(retval == 65))
pgu = p.factory.simulation_manager(p.factory.entry_state(add_options={o.STRICT_PAGE_ACCESS} | o.unicorn))
pgu.step(until=lambda lpg: len(lpg.active) != 1)
retval = pgu.one_deadended.regs.ebx
nose.tools.assert_true(claripy.is_true(retval == 65))
nose.tools.assert_true(pg.one_deadended.history.bbl_addrs.hardcopy == pgu.one_deadended.history.bbl_addrs.hardcopy)def test_type_annotation():
my_ty = angr.sim_type.SimTypeTop()
ptr = claripy.BVS('ptr', 32).annotate(angr.type_backend.TypeAnnotation(angr.sim_type.SimTypePointer(my_ty, label=[])))
ptroffset = ptr + 4
bt = angr.type_backend.TypeBackend()
tv = bt.convert(ptroffset)
nose.tools.assert_is(tv.ty.pts_to, my_ty)
nose.tools.assert_true(claripy.is_true(tv.ty.offset == 4))claripy
An abstraction layer for constraint solvers
