How to use the claripy.Solver function in claripy
To help you get started, we’ve selected a few claripy examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
angr / angr / tests / test_callable.py View on Github 
def run_manyfloatsum_symbolic(arch):
global type_cache
if type_cache is None:
type_cache = parse_defns(open(os.path.join(location, 'tests_src', 'manyfloatsum.c')).read())
p = angr.Project(os.path.join(location, 'tests', arch, 'manyfloatsum'))
function = 'sum_doubles'
cc = p.factory.cc(func_ty=type_cache[function])
args = [claripy.FPS('arg_%d' % i, claripy.FSORT_DOUBLE) for i in range(len(type_cache[function].args))]
addr = p.loader.main_object.get_symbol(function).rebased_addr
my_callable = p.factory.callable(addr, cc=cc)
result = my_callable(*args)
nose.tools.assert_true(result.symbolic)
s = claripy.Solver()
for arg in args:
s.add(arg > claripy.FPV(1.0, claripy.FSORT_DOUBLE))
s.add(result == claripy.FPV(27.7, claripy.FSORT_DOUBLE))
args_conc = s.batch_eval(args, 1)[0]
nose.tools.assert_equal(s.eval(result, 1)[0], 27.7)
# not almost equal!! totally equal!!! z3 is magic, if kinda slow!!!!!
for arg_conc in args_conc:
nose.tools.assert_greater(arg_conc, 1.0)
nose.tools.assert_equal(sum(args_conc), 27.7)split_state.add_constraints(symbolic_syscall_num == n)
self.flat_successors.append(split_state)
else:
# We cannot resolve the syscall number
# However, we still put it to the flat_successors list, and angr.SimOS.handle_syscall will pick it
# up, and create a "unknown syscall" stub for it.
self.flat_successors.append(state)
except UnsupportedSyscallError:
self.unsat_successors.append(state)
else:
# a successor with a symbolic IP
try:
if o.KEEP_IP_SYMBOLIC in state.options:
s = claripy.Solver()
addrs = s.eval(target, 257, extra_constraints=tuple(state.ip_constraints))
if len(addrs) > 256:
# It is not a library
l.debug("It is not a Library")
addrs = state.se.any_n_int(target, 257)
if len(addrs) == 1:
state.add_constraints(target == addrs[0])
l.debug("addrs :%s", addrs)
else:
addrs = state.se.any_n_int(target, 257)
if len(addrs) > 256:
l.warning(
"Exit state has over 257 possible solutions. Likely unconstrained; skipping. %s",
target.shallow_repr()
)def _get_patched_instruction(self, value=None, solver=None):
if not (value is None) ^ (solver is None):
raise ValueError('Must provide a value xor a solver!')
if value is not None:
solver = claripy.Solver()
solver.add(value == self.patch_value_expression)
try:
insn_int = solver.eval(self.patch_bytes_expression, 1)[0]
except claripy.UnsatError:
raise ValueNotFoundError('Unsat on solve!')
return self._insn_to_string(insn_int)template_solver_string=claripy.SolverCompositeChild(backend=our_backend, track=track)
)
elif o.ABSTRACT_SOLVER in self.state.options:
self._stored_solver = claripy.SolverVSA()
elif o.SYMBOLIC in self.state.options and o.REPLACEMENT_SOLVER in self.state.options:
self._stored_solver = claripy.SolverReplacement(auto_replace=False)
elif o.SYMBOLIC in self.state.options and o.CACHELESS_SOLVER in self.state.options:
self._stored_solver = claripy.SolverCacheless(track=track)
elif o.SYMBOLIC in self.state.options and o.COMPOSITE_SOLVER in self.state.options:
self._stored_solver = claripy.SolverComposite(track=track)
elif o.SYMBOLIC in self.state.options and any(opt in self.state.options for opt in o.approximation):
self._stored_solver = claripy.SolverHybrid(track=track, approximate_first=approximate_first)
elif o.HYBRID_SOLVER in self.state.options:
self._stored_solver = claripy.SolverHybrid(track=track, approximate_first=approximate_first)
elif o.SYMBOLIC in self.state.options:
self._stored_solver = claripy.Solver(track=track)
else:
self._stored_solver = claripy.SolverConcrete()
return self._stored_solverself.lock = None
self.queue = q
self.kernel_path = kernel_path
if os.path.isfile('angr_project.cache'):
with open('angr_project.cache', 'rb') as f:
print('[+] load kernel vmlinux binary from pickle dump')
self.b = pickle.load(f)
else:
self.b = angr.Project(kernel_path)
with open('angr_project.cache', 'wb') as f:
pickle.dump(self.b, f)
self.r = None
self.statebroker = statebroker.StateBroker()
self.claripy = claripy
self.sol = claripy.Solver()
self.md = Cs(CS_ARCH_X86, CS_MODE_64)
self.md.detail = True
self.debug_bloom_verbose = False
self.vm = None
self.reproduce_mode = False # reproduce exploit and generate payload
self.custom_rop_gadget_number = 10 # length of the rop payload we want to usedef reachable(self):
if self._satisfiable is not None:
pass
elif self.state is not None:
self._satisfiable = self.state.solver.satisfiable()
else:
solver = claripy.Solver()
solver.add(self._all_constraints)
self._satisfiable = solver.satisfiable()
return self._satisfiableself._fix_syscall_ip(state)
self.flat_successors.append(state)
except AngrUnsupportedSyscallError:
self.unsat_successors.append(state)
else:
# a successor with a symbolic IP
_max_targets = state.options.symbolic_ip_max_targets
_max_jumptable_targets = state.options.jumptable_symbolic_ip_max_targets
try:
if o.NO_IP_CONCRETIZATION in state.options:
# Don't try to concretize the IP
cond_and_targets = [ (claripy.true, target) ]
max_targets = 0
elif o.KEEP_IP_SYMBOLIC in state.options:
s = claripy.Solver()
addrs = s.eval(target, _max_targets + 1, extra_constraints=tuple(state.ip_constraints))
if len(addrs) > _max_targets:
# It is not a library
l.debug("It is not a Library")
addrs = state.solver.eval_upto(target, _max_targets + 1)
l.debug("addrs :%s", addrs)
cond_and_targets = [ (target == addr, addr) for addr in addrs ]
max_targets = _max_targets
else:
cond_and_targets = self._eval_target_jumptable(state, target, _max_jumptable_targets + 1)
if cond_and_targets is None:
# Fallback to the traditional and slow method
cond_and_targets = self._eval_target_brutal(state, target, _max_targets + 1)
max_targets = _max_targets
else:
max_targets = _max_jumptable_targetsdef patch_function_stack(self, func, technique):
solver = claripy.Solver()
analysis_result = StructureAnalysis(self.project, self.cfg, [func], False)
stack = analysis_result.stack_frames[func.addr]
if stack is None:
return
stack = analysis_result.structures[stack]
if stack.alloc_op is None:
l.info('\tFunction does not appear to have a stack frame (No alloc)')
return False
if func.has_return and stack.least_alloc.value != self.project.arch.bytes if self.project.arch.call_pushes_ret else 0:
l.info('\tFunction does not ever deallocate stack frame (Least alloc is %d for %s)', -stack.least_alloc.value, self.project.arch.name)
return False
if func.has_return and len(stack.dealloc_ops) == 0:
l.warning('\tFunction does not ever deallocate stack frame (No zero alloc)')def compare_states(self, sl, sr):
"""
Compares two states for similarity.
"""
joint_solver = claripy.Solver()
# make sure the canonicalized constraints are the same
n_map, n_counter, n_canon_constraint = claripy.And(*sr.solver.constraints).canonicalize() #pylint:disable=no-member
u_map, u_counter, u_canon_constraint = claripy.And(*sl.solver.constraints).canonicalize() #pylint:disable=no-member
n_canoner_constraint = sr.solver.simplify(n_canon_constraint)
u_canoner_constraint = sl.solver.simplify(u_canon_constraint)
joint_solver.add((n_canoner_constraint, u_canoner_constraint))
if n_canoner_constraint is not u_canoner_constraint:
self._report_incongruency("Different constraints!")
return False
# get the differences in registers and memory
mem_diff = sr.memory.changed_bytes(sl.memory)
reg_diff = sr.registers.changed_bytes(sl.registers)
# this is only for unicornclaripy
An abstraction layer for constraint solvers
