
Symbion: Synchronized Concrete and Symbolic Execution for Complex Environments (#1048)

* Defined SimEngineConcrete, ConcreteTarget classes and added the new param concrete_target to the loader

Signed-off-by: degrigis <degrigis@ucsb.edu>

* Added Symbion exploration technique

Signed-off-by: degrigis <degrigis@ucsb.edu>

* Symbion exploration technique skeleton finished

Signed-off-by: degrigis <degrigis@ucsb.edu>

* first skeleton of to_engine method

Signed-off-by: degrigis <degrigis@ucsb.edu>

* fixed methods name

Signed-off-by: degrigis <degrigis@ucsb.edu>

* first implementation of the to_engine method

Signed-off-by: degrigis <degrigis@ucsb.edu>

* fixed a couple of typos

Signed-off-by: degrigis <degrigis@ucsb.edu>

* from_engine first draft

Signed-off-by: degrigis <degrigis@ucsb.edu>

* Added general arguments to the ConcreteTarget interface

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed a couple of things in symbion exploration technique

Signed-off-by: degrigis <degrigis@ucsb.edu>

* removed ipdb

Signed-off-by: degrigis <degrigis@ucsb.edu>

* to_engine without concretization

Signed-off-by: degrigis <degrigis@ucsb.edu>

* from_engine register sync

Signed-off-by: degrigis <degrigis@ucsb.edu>

* dropped reg whitelist for reg blacklist

Signed-off-by: degrigis <degrigis@ucsb.edu>

* removed unused var

Signed-off-by: degrigis <degrigis@ucsb.edu>

* Symbion exploration technique works

Signed-off-by: degrigis <degrigis@ucsb.edu>

* fixed flush pages method

Signed-off-by: degrigis <degrigis@ucsb.edu>

* added test_concrete_engine

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* move the concretization of symvar inside the to_engine method

Signed-off-by: degrigis <degrigis@ucsb.edu>

* fixing ConcreteCleMemory

Signed-off-by: degrigis <degrigis@ucsb.edu>

* added debug messages to track method invokes

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* added concrete target support to Clemory

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* modified test script concrete engine

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* added redirection of whitelist addresses

Signed-off-by: degrigis <degrigis@ucsb.edu>

* first implementation read fs for x64

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* solved issue with simulated memory allocation with a concrete target

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed bug in setting default engine after symbion exploration technique

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* got sync working

Signed-off-by: degrigis <degrigis@ucsb.edu>

* removed unused attribute

Signed-off-by: degrigis <degrigis@ucsb.edu>

* added segment register handling on windows x86 and x64

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* removed default temporary break in set_breakpoint

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* disabled simprocedures by default

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* minor fix to logging

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* added simprocures code again

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* added gdt support for managing segment registers on 32 bit and introduced whitelist of addresses not flushed

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* linux test OK windows test KO

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* concrete tests linux completed only fail x86 without simprocedures

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* memory wl now works with addr_start and addr_end

Signed-off-by: degrigis <degrigis@ucsb.edu>

* fixed log.debug message

Signed-off-by: degrigis <degrigis@ucsb.edu>

* added warning for not restoring the simprocedures

Signed-off-by: degrigis <degrigis@ucsb.edu>

* improved log

Signed-off-by: degrigis <degrigis@ucsb.edu>

* improved log 2

Signed-off-by: degrigis <degrigis@ucsb.edu>

* improved log 3

Signed-off-by: degrigis <degrigis@ucsb.edu>

* improved log 4

Signed-off-by: degrigis <degrigis@ucsb.edu>

* updated linux tests

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* refactored tests and divided x64 from x86

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* mov fucking log of register

Signed-off-by: degrigis <degrigis@ucsb.edu>

* added log to the hook engine and remove debug level

Signed-off-by: degrigis <degrigis@ucsb.edu>

* meh...str..

Signed-off-by: degrigis <degrigis@ucsb.edu>

* commented a log

Signed-off-by: degrigis <degrigis@ucsb.edu>

* added log for unicorn

Signed-off-by: degrigis <degrigis@ucsb.edu>

* not restoring simproc with current methods if binary is pic

Signed-off-by: degrigis <degrigis@ucsb.edu>

* improved the register synchronization from the concrete target

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed the segment register check for windows heaven's gate Wow64

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed the segment register check for windows heaven's gate Wow64

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* added 2 incomplete tests

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed simprocedure synchronization

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed initialized memory bug in paged_memory

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* created simstate plugin for the concrete memory synchronization

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed minor issues

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* beta of idaplugin

Signed-off-by: degrigis <degrigis@ucsb.edu>

* defined strict interface for concrete targets

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* refactored code, added check on auto_load_libs

Signed-off-by: degrigis <degrigis@ucsb.edu>

* modified timeout parameter

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed idatarget

Signed-off-by: degrigis <degrigis@ucsb.edu>

* refactor segment register

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed repo...ops

Signed-off-by: degrigis <degrigis@ucsb.edu>

* Revert "fixed repo...ops"

This reverts commit 58255dd.

* Revert "modified timeout parameter"

This reverts commit 9a5896f.

* Revert "Revert "modified timeout parameter""

This reverts commit 9f89f65.

* refactored segment register

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* refactored code for segment registers synchronization

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* merge

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed wrong import

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* cleaning code

Signed-off-by: degrigis <degrigis@ucsb.edu>

* now segment registers are synchronized on demand as soon as symbolic execution accesses them

Signed-off-by: degrigis <degrigis@ucsb.edu>

* shellcode to extract seg regs has now a small nopsled at the end

Signed-off-by: degrigis <degrigis@ucsb.edu>

* fixed comment

Signed-off-by: degrigis <degrigis@ucsb.edu>

* moved fs register sync to the state plugin and removed the bp after the sync

Signed-off-by: degrigis <degrigis@ucsb.edu>

* to fix multiple seg register synchronization

Signed-off-by: degrigis <degrigis@ucsb.edu>

* fixed error multiple sync of fs/gs

Signed-off-by: degrigis <degrigis@ucsb.edu>

* deleted useless test

Signed-off-by: degrigis <degrigis@ucsb.edu>

* removed print

Signed-off-by: degrigis <degrigis@ucsb.edu>

* created test packed binary and added condition for segment register x86

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* unicorn engine now kicks only if seg registers have been synchronized

Signed-off-by: degrigis <degrigis@ucsb.edu>

* created packed binary test for concrete target

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* created packed binary test for concrete target

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed tests

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed bug in concrete simstate plugin

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed callback using only state.concrete reference instead of self

Signed-off-by: degrigis <degrigis@ucsb.edu>

* created test for solving not_packed_binary with concrete engine

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* added not other test and fixed style issues

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* added max number of not expected breakpoints

Signed-off-by: degrigis <degrigis@ucsb.edu>

* fucking missing else

Signed-off-by: degrigis <degrigis@ucsb.edu>

* removed breakpoints at the end of the concrete execution

Signed-off-by: degrigis <degrigis@ucsb.edu>

* fixed pep8 problems

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed other pep8 problems

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* moved rehook_symbol function

Signed-off-by: degrigis <degrigis@ucsb.edu>

* add some comments to the function

Signed-off-by: degrigis <degrigis@ucsb.edu>

* renamed 'attempt' variable and moved the limit as class attribute

Signed-off-by: degrigis <degrigis@ucsb.edu>

* refactored code to access arch registers using the new class

Signed-off-by: degrigis <degrigis@ucsb.edu>

* merged with master

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* specified the engines to use for symbion instead of changing the default one

Signed-off-by: degrigis <degrigis@ucsb.edu>

* sync before the subregisters and then the registers

Signed-off-by: degrigis <degrigis@ucsb.edu>

* some minor changes

Signed-off-by: degrigis <degrigis@ucsb.edu>

* added documentation

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed some comments

Signed-off-by: degrigis <degrigis@ucsb.edu>

* added windows test and refactored names of linux tests

Signed-off-by: degrigis <degrigis@ucsb.edu>

* removed useless comment

Signed-off-by: degrigis <degrigis@ucsb.edu>

* fixed some comments

Signed-off-by: degrigis <degrigis@ucsb.edu>

* renamed test on windows

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* renamed windows tests

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed relative imports, moved the concrete tests in the root folder

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* modified binary path in tests

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* removed usage of compatibility layer in symbion step

Signed-off-by: degrigis <degrigis@ucsb.edu>

* removed hardcoded constant in flush page

Signed-off-by: degrigis <degrigis@ucsb.edu>

* rephrased comment to rehook_symbol

Signed-off-by: degrigis <degrigis@ucsb.edu>

* first implementation of CLE synchronization with the concrete process memory using vmmap

Signed-off-by: degrigis <degrigis@ucsb.edu>

* added function to check return type of concrete target read methods

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* fixed relocation symbols addresses lazily

Signed-off-by: degrigis <degrigis@ucsb.edu>

* fixed relocation symbols addresses lazily

Signed-off-by: degrigis <degrigis@ucsb.edu>

* meh...pdb

Signed-off-by: degrigis <degrigis@ucsb.edu>

* rebased also sections and segments during cle synchronization

Signed-off-by: degrigis <degrigis@ucsb.edu>

* todo for a better future

Signed-off-by: degrigis <degrigis@ucsb.edu>

* fixed auto_load_libs and concrete_target conflict option msg

Signed-off-by: degrigis <degrigis@ucsb.edu>

* modified code invoking clemory.read_bytes_c for supporting the concrete target read memory

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* added missing exception check in cfg_base

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* added test for cfgfast

Signed-off-by: r0rshark <lord.fontana@gmail.com>

* merge with master

Signed-off-by: degrigis <degrigis@gmail.com>

* minor fixes

Signed-off-by: degrigis <degrigis@gmail.com>

* ported engines, state_plugin and tests to py3

Signed-off-by: degrigis <degrigis@gmail.com>

* fixed condition_to_lambda call inside Symbion ET

Signed-off-by: degrigis <degrigis@gmail.com>

* changed solver cast from int to bytes

Signed-off-by: degrigis <degrigis@gmail.com>

* fixed shellcode injection encoding

Signed-off-by: degrigis <degrigis@gmail.com>

* symbion linux test cases working

Signed-off-by: degrigis <degrigis@gmail.com>

* windows test cases ok

Signed-off-by: degrigis <degrigis@gmail.com>

* clean windows test cases code

Signed-off-by: degrigis <degrigis@gmail.com>

* cleanup log messages

Signed-off-by: degrigis <degrigis@gmail.com>

* refactored tests

Signed-off-by: degrigis <degrigis@gmail.com>

* clean tests again and try catch on imports of angr-targets

Signed-off-by: degrigis <degrigis@gmail.com>

* implemented amd64g_dirtyhelper_XRSTOR_COMPONENT_1_EXCLUDING_XMMREGS and amd64g_dirtyhelper_XSAVE_COMPONENT_1_EXCLUDING_XMMREGS dirty calls

Signed-off-by: degrigis <degrigis@gmail.com>

* removed debug stuff meh

Signed-off-by: degrigis <degrigis@gmail.com>

* lost the SYNC_CLE_BACKEND_CONCRETE during merge, doh

Signed-off-by: degrigis <degrigis@gmail.com>

* merge with master

Signed-off-by: degrigis <degrigis@gmail.com>

* symbion's tests are speed=slow now

Signed-off-by: degrigis <degrigis@gmail.com>

* removed symbion's test to verify CI failures

Signed-off-by: degrigis <degrigis@gmail.com>

* dummy commit to trigger CI

Signed-off-by: degrigis <degrigis@gmail.com>

* dummy commit 2 for CI testing

Signed-off-by: degrigis <degrigis@gmail.com>

* CI, let's talk

Signed-off-by: degrigis <degrigis@gmail.com>

* making peace with PyLint

Signed-off-by: degrigis <degrigis@gmail.com>

* removed symbion's tests for now

Signed-off-by: degrigis <degrigis@gmail.com>

* check compatibility of matched library during cle sync in a more elegant way

Signed-off-by: degrigis <degrigis@gmail.com>

* killed last PyLint errors

Signed-off-by: degrigis <degrigis@gmail.com>

* fixed ET symbion docstring and added test 1 symbion with try-catch for targets instantiation

Signed-off-by: degrigis <degrigis@gmail.com>

* added try catch to avatar import

Signed-off-by: degrigis <degrigis@gmail.com>

* Catching more broad exception

Signed-off-by: degrigis <degrigis@gmail.com>

* merge with master

Signed-off-by: degrigis <degrigis@gmail.com>

* horrifying the test to understand what's going on

Signed-off-by: degrigis <degrigis@gmail.com>

* gotta catch 'em all

Signed-off-by: degrigis <degrigis@gmail.com>

* maybe spotted the fucker

Signed-off-by: degrigis <degrigis@gmail.com>

* prettifying test case

Signed-off-by: degrigis <degrigis@gmail.com>

* pushed all the symbion's tests

Signed-off-by: degrigis <degrigis@gmail.com>

* Killed last PyLint warning

Signed-off-by: degrigis <degrigis@gmail.com>

* removed also the code to test the thing manually

Signed-off-by: degrigis <degrigis@gmail.com>

* fucking trailing-newlines

Signed-off-by: degrigis <degrigis@gmail.com>

* super elegant way of handling timeout + style changes

Signed-off-by: degrigis <fbi.gritti@gmail.com>

* boolean guard to angr_target project existence

Signed-off-by: degrigis <fbi.gritti@gmail.com>

* style++

Signed-off-by: degrigis <fbi.gritti@gmail.com>

* fixup tests

* edit wow64 error message

* AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

* And so I say unto thee, reveal your secrets. I cast gale of knowledge. bitch.

* BANISH
ltfish authored and rhelmot committed Nov 16, 2018
1 parent 56e3311 commit fe20116e8dc2aef94d0849439ff9f12a39000dfe
@@ -9,7 +9,7 @@
_l = logging.getLogger(name=__name__)


class CFBlanketView(object):
class CFBlanketView:
"""
A view into the control-flow blanket.
"""
@@ -41,7 +41,7 @@ def __getitem__(self, item):
#


class Unknown(object):
class Unknown:
def __init__(self, addr, size, bytes_=None, object_=None, segment=None, section=None):
self.addr = addr
self.size = size
@@ -14,7 +14,7 @@
from ...misc.ux import deprecated
from ... import SIM_PROCEDURES
from ...errors import AngrCFGError, SimTranslationError, SimMemoryError, SimIRSBError, SimEngineError,\
AngrUnsupportedSyscallError, SimError
AngrUnsupportedSyscallError, SimError, SimConcreteMemoryError
from ...codenode import HookNode, BlockNode
from ...knowledge_plugins import FunctionManager, Function
from .. import Analysis
@@ -24,7 +24,7 @@
l = logging.getLogger(name=__name__)


class IndirectJump(object):
class IndirectJump:

__slots__ = [ "addr", "ins_addr", "func_addr", "jumpkind", "stmt_idx", "resolved_targets", "jumptable",
"jumptable_addr", "jumptable_entries",
@@ -24,6 +24,7 @@

VEX_IRSB_MAX_SIZE = 400


l = logging.getLogger(name=__name__)


@@ -1368,7 +1369,7 @@ def _pre_analysis(self):
self._nodes = {}
self._nodes_by_addr = defaultdict(list)

if self._use_function_prologues:
if self._use_function_prologues and self.project.concrete_target is None:
self._function_prologue_addrs = sorted(self._func_addrs_from_prologues())
# make a copy of those prologue addresses, so that we can pop from the list
self._remaining_function_prologue_addrs = self._function_prologue_addrs[::]
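Review bot: the added `and self.project.concrete_target is None` silently disables function-prologue scanning whenever a concrete target is attached, with neither a comment nor a log line explaining why (presumably because scanning for prologues would read large ranges of the target's memory through the remote interface). Add a comment giving the reason and an `l.info` so a user running CFGFast under Symbion understands why fewer functions are recovered, or better, make it an explicit CFGFast option (e.g. default `use_function_prologues=False` when a target is set) rather than a hidden coupling to `concrete_target`.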
@@ -2023,6 +2024,7 @@ def _create_jobs(self, target, jumpkind, current_function_addr, irsb, addr, cfg_
else:
# TODO: Support more jumpkinds
l.debug("Unsupported jumpkind %s", jumpkind)
l.debug("Instruction address: %#x", ins_addr)

return jobs

@@ -51,6 +51,10 @@ def filter(self, cfg, addr, func_addr, block, jumpkind):
return False

section = self.project.loader.find_section_containing(addr)

if section is None:
return False

if section.name != '.plt':
return False

@@ -6,6 +6,7 @@
from .unicorn import SimEngineUnicorn
from .failure import SimEngineFailure
from .syscall import SimEngineSyscall
from .concrete import SimEngineConcrete
from .hook import SimEngineHook

from .hub import EngineHub, EnginePreset
@@ -28,6 +29,7 @@

vex_preset.add_default_plugin('unicorn', SimEngineUnicorn)
vex_preset.add_default_plugin('vex', SimEngineVEX)
vex_preset.add_default_plugin('concrete', SimEngineConcrete)

vex_preset.order = 'unicorn', 'vex'
vex_preset.order = 'unicorn', 'vex', 'concrete'
vex_preset.default_engine = 'vex'
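Review bot: `SimEngineConcrete._check` (in the new concrete.py) returns True unconditionally, so appending 'concrete' last in `vex_preset.order` means the hub will never pick it on its own: 'unicorn' or 'vex' claims the state first. That is presumably intended, since the Symbion exploration technique selects the engine explicitly, but it should be stated in a comment next to the order tuple; otherwise the next reader assumes the preset can dispatch to the concrete engine by itself. Also, `SimEngineConcrete.__init__` raises `AngrError` when angr_targets is not importable, so registering it as a default plugin is only safe if the hub instantiates engines lazily; please confirm that in a comment, as an eager instantiation would break every project that lacks angr_targets.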
@@ -0,0 +1,162 @@
import logging
import threading

from angr.errors import AngrError
from .engine import SimEngine
from ..errors import SimConcreteMemoryError, SimConcreteRegisterError

l = logging.getLogger("angr.engines.concrete")
# l.setLevel(logging.DEBUG)

try:
from angr_targets.concrete import ConcreteTarget
except ImportError:
ConcreteTarget = None


class SimEngineConcrete(SimEngine):
"""
Concrete execution using a concrete target provided by the user.
"""
def __init__(self, project):
if not ConcreteTarget:
l.critical("Error, can't find angr_target project")
raise AngrError

l.info("Initializing SimEngineConcrete with ConcreteTarget provided.")
super(SimEngineConcrete, self).__init__()
self.project = project
if isinstance(self.project.concrete_target, ConcreteTarget) and \
self.check_concrete_target_methods(self.project.concrete_target):

self.target = self.project.concrete_target
else:
l.warning("Error, you must provide an instance of a ConcreteTarget to initialize a SimEngineConcrete.")
self.target = None
raise NotImplementedError

self.segment_registers_already_init = False

def _check(self, state, *args, **kwargs):
return True

def _process(self, new_state, successors, *args, ** kwargs):
# setup the concrete process and resume the execution
self.to_engine(new_state, kwargs['extra_stop_points'], kwargs['concretize'], kwargs['timeout'])

# sync angr with the current state of the concrete process using
# the state plugin
new_state.concrete.sync()
successors.engine = "SimEngineConcrete"
successors.sort = "SimEngineConcrete"
successors.add_successor(new_state, new_state.ip, new_state.solver.true, new_state.unicorn.jumpkind)
successors.description = "Concrete Successors "
successors.processed = True

def to_engine(self, state, extra_stop_points, concretize, timeout):
"""
Handle the concrete execution of the process
This method takes care of:
1- Set the breakpoints on the addresses provided by the user
2- Concretize the symbolic variables and perform the write inside the concrete process
3- Continue the program execution.
:param state: The state with which to execute
:param extra_stop_points: list of a addresses where to stop the concrete execution and return to the
simulated one
:param concretize: list of tuples (address, symbolic variable) that are going to be written
in the concrete process memory
:param timeout: how long we should wait the concrete target to reach the breakpoint
:return: None
"""

state.timeout = False
state.errored = False

l.debug("Entering in SimEngineConcrete: simulated address %#x concrete address %#x stop points %s",
state.addr, self.target.read_register("pc"), map(hex, extra_stop_points))

if concretize:
l.debug("SimEngineConcrete is concretizing variables before resuming the concrete process")

for sym_var in concretize:
sym_var_address = state.solver.eval(sym_var[0])
sym_var_value = state.solver.eval(sym_var[1], cast_to=bytes)
l.debug("Concretize memory at address %#x with value %s", sym_var_address, str(sym_var_value))
self.target.write_memory(sym_var_address, sym_var_value, raw=True)

# Set breakpoint on remote target
for stop_point in extra_stop_points:
l.debug("Setting breakpoints at %#x", stop_point)
self.target.set_breakpoint(stop_point, temporary=True)

if timeout > 0:
l.debug("Found timeout as option, setting it up!")

def timeout_handler():
self.target.stop() # stop the concrete target now!
state.timeout = True # this will end up in the timeout stash

execution_timer = threading.Timer(timeout, timeout_handler)
execution_timer.start() # start the timer!

# resuming of the concrete process, if the target won't reach the
# breakpoint specified by the user the timeout will abort angr execution.
l.debug("SimEngineConcrete is resuming the concrete process")
self.target.run()
l.debug("SimEngineConcrete has successfully resumed the process")

if state.timeout:
l.critical("Timeout has been reached during resuming of concrete process")
l.critical("This can be a bad thing ( the ConcreteTarget didn't hit your breakpoint ) or"
"just it will take a while.")

# reset the alarm
if timeout > 0:
execution_timer.cancel()

# removing all breakpoints set by the concrete target
for stop_point in extra_stop_points:
self.target.remove_breakpoint(stop_point)

# handling the case in which the program stops at a point different than the breakpoints set
# by the user.
current_pc = self.target.read_register("pc")
if current_pc not in extra_stop_points and not self.target.timeout:
l.critical("Stopped at unexpected location inside the concrete process: %#x", current_pc)
raise AngrError

@staticmethod
def check_concrete_target_methods(concrete_target):
"""
Check if the concrete target methods return the correct type of data
:return: True if the concrete target is compliant
"""
entry_point = concrete_target.read_register("pc")
if not type(entry_point) is int:
l.error("read_register result type is %s, should be <type 'int'>", (type(entry_point)))
return False

mem_read = concrete_target.read_memory(entry_point, 0x4)

if not type(mem_read) is bytes:
l.error("read_memory result type is %s, should be <type 'str'>", (type(mem_read)))
return False

try:
concrete_target.read_register("not_existent_reg")
l.error("read_register should raise a SimConcreteRegisterError when accessing non existent registers")
return False

except SimConcreteRegisterError:
l.debug("read_register raise a SimConcreteRegisterError, ok!")

try:
concrete_target.read_memory(0x0, 0x4)
l.error("read_memory should raise a SimConcreteMemoryError when accessing non mapped memory")
return False

except SimConcreteMemoryError:
l.debug("read_register raise a SimConcreteMemoryError, ok!")

return True
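Review bot: the timeout bookkeeping is inconsistent: the timer callback sets `state.timeout = True`, but the unexpected-stop check reads `self.target.timeout`, which nothing in this file sets, so after a timeout the code either raises `AttributeError` or wrongly reports an unexpected location; use `state.timeout` there. The timer is also cancelled only after `run()` returns and after `state.timeout` is read, leaving a window in which the callback fires on an already-stopped target and flips the flag; wrap `self.target.run()` in `try/finally` that cancels the timer and removes the temporary breakpoints, so an exception from `run()` does not leave breakpoints armed in the live process. In the concretization loop, `state.solver.eval(sym_var[1], cast_to=bytes)` writes one arbitrary solution into the process without adding the matching constraint to `state`, so the symbolic state and the concrete process can disagree from then on; add the constraint (`sym_var[1] == value`) before writing. Smaller points: `map(hex, extra_stop_points)` logs a `map` object under Python 3 (wrap in `list()`); `_process` indexes `kwargs['extra_stop_points']`, `kwargs['concretize']` and `kwargs['timeout']` directly and will `KeyError` when any is omitted (use `.get` with defaults and document them); `raise AngrError` and `raise NotImplementedError` carry no message, and a wrong target type is a `TypeError`, not "not implemented"; `state.errored` is set to False and never used; the successor's jumpkind is taken from `new_state.unicorn.jumpkind`, which is unrelated to what the concrete process did (a plain 'Ijk_Boring' would be more honest); in `check_concrete_target_methods` the probe `read_memory(0x0, 0x4)` assumes page 0 is unmapped, which does not hold for firmware/bare-metal targets or processes with a mapped null page, the message "should be <type 'str'>" contradicts the `bytes` check, and the last debug line says "read_register" where it means read_memory.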
@@ -58,6 +58,13 @@ def _check(self, state, **kwargs):
return False

unicorn = state.unicorn # shorthand

# if we have a concrete target we want the program to synchronize the segment
# registers before, otherwise undefined behavior could happen.
if state.project.concrete_target:
if not state.concrete.segment_registers_initialized:
l.debug("segment register must be synchronized with the concrete target before using unicorn engine")
return False
if state.regs.ip.symbolic:
l.debug("symbolic IP!")
return False
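Review bot: with this guard, unicorn is refused for every state of a Symbion project until `state.concrete.segment_registers_initialized` becomes True, and per the commit history the segment registers are only synchronized on demand when the symbolic execution first touches fs/gs. A program that never touches fs/gs therefore never gets unicorn at all, which is a silent performance cliff rather than the safety check the comment describes. Either trigger the synchronization eagerly once (e.g. in `SimEngineConcrete._process` after `new_state.concrete.sync()`), or say in the comment that this is deliberate and what it costs.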
@@ -1105,9 +1105,16 @@ def bad(msg):
if state.arch.vex_archinfo['x86_cr0'] & 1 == 0:
return ((seg_selector << 4) + virtual_addr).zero_extend(32), ()


seg_selector &= 0x0000FFFF

segment_selector_val = state.solver.eval(seg_selector >> 3)

if state.project.simos.name == "Win32" and segment_selector_val == 0x6 and state.project.concrete_target is not None:
return bad("angr doesn't support Windows Heaven's gate calls http://rce.co/knockin-on-heavens-gate-dynamic-processor-mode-switching/ \n"
"Please use the native 32 bit libs (not WoW64) or implement a simprocedure to avoid executing these instructions"
)


# RPL=11 check
#if state.solver.is_true((seg_selector & 3) != 3):
# return bad()
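Review bot: `state.solver.eval(seg_selector >> 3)` silently picks one value of a possibly symbolic selector, so a selector that could be index 6 is only caught when the solver happens to return 6; check `state.solver.satisfiable(extra_constraints=[(seg_selector >> 3) == 6])` or require the selector to be concrete before comparing. The new check is also gated on `state.project.concrete_target is not None`, yet a far transfer through descriptor index 6 (the selector used by Heaven's Gate, 0x33 >> 3 == 6) is unsupported in pure symbolic execution as well, so the gate looks unrelated to the concrete target; either drop it or explain in a comment why it only matters with a target attached. The bare `0x6` deserves a named constant with that selector arithmetic in a comment.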
@@ -1155,7 +1162,9 @@ def bad(msg):
base = get_segdescr_base(state, descriptor)
limit = get_segdescr_limit(state, descriptor)

if state.solver.is_true(virtual_addr >= limit):
# When a concrete target is set and memory is read directly from the process sometimes a negative offset
# from a segment register is used
if state.solver.is_true(virtual_addr >= limit) and state.project.concrete_target is None:
return bad("virtual_addr >= limit")

r = (base + virtual_addr).zero_extend(32)
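Review bot: adding `and state.project.concrete_target is None` disables the segment-limit check entirely whenever a concrete target is attached, not just for the negative-offset case the comment describes, so an access that would fault in the real process is computed as `base + virtual_addr` without complaint. If negative offsets are the problem, handle them explicitly (check the sign of the offset, or treat a flat/maximal limit as unlimited) and keep `bad("virtual_addr >= limit")` for the rest; at minimum log at debug level when the check is skipped. The comment should also name which instructions or targets produced the negative offsets so the workaround can be revisited.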
@@ -32,12 +32,14 @@ def amd64g_dirtyhelper_RDTSC(state):
val = state.solver.BVS('RDTSC', 64, key=('hardware', 'rdtsc'))
return val, []


x86g_dirtyhelper_RDTSC = amd64g_dirtyhelper_RDTSC

# For all the CPUID helpers: we've implemented the very nice CPUID functions, but we don't use them.
# we claim to be a much dumber cpu than we can support because otherwise we get bogged down doing
# various tasks in the libc initializers.


# Copied basically directly from the vex source
def amd64g_dirtyhelper_CPUID_baseline(state, _):
old_eax = state.regs.rax[31:0]
@@ -72,6 +74,74 @@ def SET_ABCD(a, b, c, d, condition=None):
amd64g_dirtyhelper_CPUID_avx_and_cx16 = amd64g_dirtyhelper_CPUID_baseline
amd64g_dirtyhelper_CPUID_avx2 = amd64g_dirtyhelper_CPUID_baseline


def amd64g_create_mxcsr(_, sseround):
return 0x1F80 | ((sseround & 3) << 13)


# see canonical implementation of this in guest_amd64_helpers.c
def amd64g_dirtyhelper_XSAVE_COMPONENT_1_EXCLUDING_XMMREGS(state, _, addr):

mxcsr = amd64g_create_mxcsr(state, state.regs.sseround)
mxcsr = mxcsr[15:0]

state.mem[state.solver.eval(addr) + 12*2].short = mxcsr
state.mem[state.solver.eval(addr) + 13*2].short = mxcsr >> 16

state.mem[state.solver.eval(addr) + 14*2].short = 0xffff
state.mem[state.solver.eval(addr) + 15*2].short = 0x0000

return None, []

EmNote_NONE = 0
EmWarn_X86_x87exns = 1
EmWarn_X86_x87precision = 2
EmWarn_X86_sseExns = 3
EmWarn_X86_fz = 4
EmWarn_X86_daz = 5
EmWarn_X86_acFlag = 6
EmWarn_PPCexns = 7
EmWarn_PPC64_redir_overflow = 8
EmWarn_PPC64_redir_underflow = 9
EmWarn_S390X_fpext_rounding = 10
EmWarn_S390X_invalid_rounding = 11

def amd64g_check_ldmxcsr(state, mxcsr):

rmode = state.solver.LShR(mxcsr, 13) & 3

ew = state.solver.If(
(mxcsr & 0x1F80) != 0x1F80,
state.solver.BVV(EmWarn_X86_sseExns, 64),
state.solver.If(
mxcsr & (1 << 15) != 0,
state.solver.BVV(EmWarn_X86_fz, 64),
state.solver.If(
mxcsr & (1 << 6) != 0,
state.solver.BVV(EmWarn_X86_daz, 64),
state.solver.BVV(EmNote_NONE, 64)
)
)
)

return (ew << 32) | rmode, ()


# see canonical implementation of this in guest_amd64_helpers.c
def amd64g_dirtyhelper_XRSTOR_COMPONENT_1_EXCLUDING_XMMREGS(state, _, addr):

w32 = state.solver.BVV(
(state.mem[state.solver.eval(addr) + 12*2].short.concrete & 0xFFFF) |
((state.mem[state.solver.eval(addr) + 13*2].short.concrete & 0xFFFF) << 16)
, 64)

w64, _ = amd64g_check_ldmxcsr(state, w32)
warnXMM = w64 >> 32
state.regs.sseround = w64 & 0xFFFFFFFF

return warnXMM, []


def CORRECT_amd64g_dirtyhelper_CPUID_avx_and_cx16(state, _):
old_eax = state.regs.rax[31:0]
old_ecx = state.regs.rcx[31:0]
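Review bot: in `amd64g_dirtyhelper_XSAVE_COMPONENT_1_EXCLUDING_XMMREGS`, `mxcsr = mxcsr[15:0]` truncates the value to 16 bits before `mxcsr >> 16` is stored at offset 13*2, so that store is always zero. It happens to agree with the VEX reference, because `amd64g_create_mxcsr` only sets bits in the low half, but the code reads as if it writes the upper half; keep the 32-bit value and store `mxcsr[15:0]` and `mxcsr[31:16]` explicitly, or add a comment that the upper half is zero by construction. `state.solver.eval(addr)` is evaluated four times and silently concretizes a symbolic address without constraining it; evaluate once and, if `addr` is symbolic, constrain or raise. In the XRSTOR helper, `.short.concrete` raises as soon as the saved MXCSR bytes are symbolic; load the two halves with `state.memory.load` and keep the arithmetic symbolic, which `amd64g_check_ldmxcsr` already supports. `amd64g_check_ldmxcsr` returns `(value, ())` while the other helpers return `(value, [])`; pick one. Expressions such as `mxcsr & (1 << 15) != 0` depend on Python's `&` binding tighter than `!=`, the opposite of the C these were ported from; parenthesise them. Finally, the `EmWarn_*` constants and `amd64g_create_mxcsr` (whose first parameter is unused) are defined mid-file between two helpers; move them to the top of the module.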

0 comments on commit fe20116
