In [1]:
import angr, monkeyhex
import random
from collections import deque

In [2]:
binary_name = 'loop'

In [3]:
proj = angr.Project(binary_name, auto_load_libs=False)
_state = proj.factory.entry_state()

In [4]:
inx1 = _state.solver.BVS('inx1', 16)
inx2 = _state.solver.BVS('inx2', 16)
inx3 = _state.solver.BVS('inx3', 16)
inxs = [inx1, inx2, inx3]

In [5]:
def genInitState(proj, inxs, ins):
    state = proj.factory.entry_state(args=inxs)
    assert( len(inxs) >= len(ins) )
    for i in range(len(ins)):
        state.add_constraints(inxs[i] == ins[i])
    return state

In [6]:
def executeState(proj, state, max_branches):  # will only randomly pick one path if multiple paths possible
    simgr = proj.factory.simulation_manager(state)
    branches = 0
    while simgr.active and branches < max_branches:
        simgr.step(until=lambda s: not s.active or s.active[0].history.recent_constraints)
        branches += 1
        if (len(simgr.active) == 2):
            r = random.randint(0,1)
            simgr.active.pop(r)
            
    if simgr.active:
        return simgr.active[0]
    elif simgr.deadended:
        return simgr.deadended[0]
    elif simgr.errored:
        return simgr.errored[0].state
    else:
        return None

In [7]:
def getConstraints(proj, start, end):
    ins = start.history.constraints_since(start)
    constraints = end.history.constraints_since(start)
    
    for _ in range(len(ins)): # pop constraints for input
        constraints.pop() 
    constraints.reverse() # adjust to correct order
    
    return [c.ast for c in constraints] # extract ast/condition from Simulation Action Object

In [8]:
def executeSymbolic(proj, inx, ins, max_branches):
    start = genInitState(proj, inxs, ins)
    end = executeState(proj, start,  max_branches)
    assert( end != None and "unhandled case")
    
    return getConstraints(proj, start, end)

In [9]:
def getInversedConds(proj, conds, i):
    state = proj.factory.blank_state()
    new_conds = conds[:i]
    new_conds.append(state.solver.Not(conds[i]))
    return new_conds

In [10]:
def solveForInput(proj, inxs, conds):
    state = proj.factory.blank_state()
    state.add_constraints(*conds)
    return [ state.solver.eval(inx, cast_to=str) for inx in inxs ] if state.satisfiable() else None

In [11]:
def fuzz(proj, inxs, ins0, max_branches):
    all_ins = []
    
    queue = deque([])
    queue.append( (ins0, -1) )

    while queue:  # TODO: add time limit
        ins, bound = queue.popleft()
        # TODO: run actual program and check bugs
        all_ins.append(ins)
        
        conds = executeSymbolic(proj, inxs, ins, max_branches)
        for i in range(bound+1, len(conds)):
            new_conds = getInversedConds(proj, conds, i)
            new_ins = solveForInput(proj, inxs, new_conds)
            if new_ins != None:
                queue.append( (new_ins, i) )
    
    return all_ins

In [12]:
max_branches = 10

conds0 = executeSymbolic(proj, inxs, [], max_branches)
ins0 = solveForInput(proj, inxs, conds0)
all_ins = fuzz(proj, inxs, ins0, max_branches)

In [13]:
all_ins

[['n\x00', '\x00\x00', '\x00\x00'],
 ['`\x00', '\x00\x00', '\x00\x00'],
 ['h\x00', '\x00\x00', '\x00\x00'],
 ['e\x00', '\x00\x00', '\x00\x00']]

asdf
