ercoppa · December 18, 2017 07:49
diff --git a/avoid-i386.txt b/avoid-i386.txt
 0804848b
diff --git a/avoid-mips.txt b/avoid-mips.txt
 00400860
diff --git a/failure-i386.txt b/failure-i386.txt
 080484cb
diff --git a/failure-mips.txt b/failure-mips.txt
 004008f8
diff --git a/found-i386.txt b/found-i386.txt
 080484ab
diff --git a/found-mips.txt b/found-mips.txt
 004008ac
diff --git a/freeze.txt b/freeze.txt
 ana==0.3
 angr==7.7.12.16
 archinfo==7.7.12.16
 bintrees==2.0.7
 bitstring==3.1.5
 cachetools==2.0.1
 capstone==3.0.5rc2
 cffi==1.11.2
 claripy==7.7.12.16
 cle==7.7.12.16
 cooldict==1.2
 decorator==4.1.2
 dpkt-fix==1.7
 future==0.16.0
 futures==3.2.0
 idalink==0.11
 mulpyplexer==0.8
 namedlist==1.7
 networkx==2.0
 pefile==2017.11.5
 plumbum==1.6.4
 progressbar==2.3
 pycparser==2.18
 pyelftools==0.24
 pygit==0.1
 Pympler==0.5
 pyvex==7.7.12.16
 rpyc==3.4.4
 sortedcontainers==1.5.7
 unicorn==1.0.1
 z3-solver==4.5.1.0.post2
diff --git a/main-i386 b/main-i386
diff --git a/main-mips b/main-mips
diff --git a/main.c b/main.c
 #include <stdio.h>
 #include <stdlib.h>

 void avoid() { printf("Avoid\n"); exit(1); }
 void found() { printf("Found\n"); exit(0); }
 void failure() { printf("Failure\n"); exit(1); }

 int main(int argc, char * argv[]) {

    if (argc != 2) avoid();
    char n = argv[1][0] - 97;
    if (n < 0 || n > 1) avoid();

    int m[2] = {0x0, 0x0};
    *((int *)(((char *) m) + n)) = 0x01020304;

    //printf("%d\n", *((int *)(m + n)));

    if (*((int *)(((char *) m) + n)) == 0x01020304) found();
    else failure();

    return 0;
 }
diff --git a/Makefile b/Makefile
 all:
 	gcc -o main-i386 main.c -m32
 	mips-linux-gnu-gcc -o main-mips main.c

 clean:
 	-rm main-i386 main-mips

 gen:
 	objdump -d main-i386 | grep '<avoid>' | cut -f1 -d' ' | head -n 1 > avoid-i386.txt
 	objdump -d main-mips | grep '<avoid>' | cut -f1 -d' ' | head -n 1 > avoid-mips.txt
 	objdump -d main-i386 | grep '<found>' | cut -f1 -d' ' | head -n 1 > found-i386.txt
 	objdump -d main-mips | grep '<found>' | cut -f1 -d' ' | head -n 1 > found-mips.txt
 	objdump -d main-i386 | grep '<failure>' | cut -f1 -d' ' | head -n 1 > failure-i386.txt
 	objdump -d main-mips | grep '<failure>' | cut -f1 -d' ' | head -n 1 > failure-mips.txt

 run:
 	@echo "Running i386"
 	./main-i386 a
 	./main-i386 b
 	@echo
 	@echo "Running mips (qemu-mips)"
 	./main-mips a
 	./main-mips b
 	@echo
 	@echo "angr i386"
 	python run.py i386
 	@echo
 	@echo "angr mips"
 	python run.py mips
diff --git a/output-with-patch.txt b/output-with-patch.txt
 Running i386
 ./main-i386 a
 Found
 ./main-i386 b
 Found

 Running mips (qemu-mips)
 ./main-mips a
 Found
 ./main-mips b
 Found

 angr i386
 python run.py i386
 binary: main-i386
 avoid: [134513803, 4196600]
 found: 134513835
 <SimulationManager with 1 found, 2 avoid>
 Correct: argv[1]=[98L, 97]

 angr mips
 python run.py mips
 binary: main-mips
 avoid: [4196448, 4196600]
 found: 4196524
 <SimulationManager with 1 found, 2 avoid>
 Correct: argv[1]=[98L, 97]
diff --git a/output.txt b/output.txt
 Running i386
 ./main-i386 a
 Found
 ./main-i386 b
 Found

 Running mips (qemu-mips)
 ./main-mips a
 Found
 ./main-mips b
 Found

 angr i386
 python run.py i386
 binary: main-i386
 avoid: [134513803, 4196600]
 found: 134513835
 <SimulationManager with 1 found, 2 avoid>
 Correct: argv[1]=[98L, 97]

 angr mips
 python run.py mips
 binary: main-mips
 avoid: [4196448, 4196600]
 found: 4196524
 Error: <SimulationManager with 3 avoid>
diff --git a/run.py b/run.py
 import angr
 import claripy  # It is optimal to use claripy.BVV/BVS over state.solver.BVV/BVS
 import sys

 def main():

    if len(sys.argv) == 2 and sys.argv[1] in ('i386', 'mips'):
        if sys.argv[1] == 'mips':
            found = int(open('found-mips.txt', 'r').read().rstrip('\n'), 16)
            avoid = [int(open('avoid-mips.txt', 'r').read().rstrip('\n'), 16), int(open('failure-mips.txt', 'r').read().rstrip('\n'), 16)]
            binary = "main-mips"
        else:
            found = int(open('found-i386.txt', 'r').read().rstrip('\n'), 16)
            avoid = [int(open('avoid-i386.txt', 'r').read().rstrip('\n'), 16), int(open('failure-mips.txt', 'r').read().rstrip('\n'), 16)]
            binary = "main-i386"
    else:
        print sys.argv[0] + " <i386|mips>"
        sys.exit(1)

    print "binary: " + str(binary)
    print "avoid: " + str(avoid)
    print "found: " + str(found)

    project = angr.Project(binary, load_options={'auto_load_libs':False}, )

    argv = [project.filename]   # argv[0]
    sym_arg_size = 1   # max number of bytes we'll try to solve for
    sym_arg = claripy.BVS('sym_arg', 8*sym_arg_size)
    argv.append(sym_arg)    # argv[1]

    state = project.factory.entry_state(args=argv, add_options={angr.options.SYMBOLIC_WRITE_ADDRESSES})
    sm = project.factory.simulation_manager(state)

    sm = sm.explore(find=found, avoid=avoid)
    if len(sm.found) > 0:

        #assert len(sm.found) == 1
        #assert len(sm.active) == 0

        found = sm.found[0]
        result = found.solver.eval_upto(argv[1], 10)
        print sm
        return "Correct: argv[1]=" + str(result)
    
    return "Error: " + str(sm)

 if __name__ == "__main__":
    print main()
	ana==0.3
	angr==7.7.12.16
	archinfo==7.7.12.16
	bintrees==2.0.7
	bitstring==3.1.5
	cachetools==2.0.1
	capstone==3.0.5rc2
	cffi==1.11.2
	claripy==7.7.12.16
	cle==7.7.12.16
	cooldict==1.2
	decorator==4.1.2
	dpkt-fix==1.7
	future==0.16.0
	futures==3.2.0
	idalink==0.11
	mulpyplexer==0.8
	namedlist==1.7
	networkx==2.0
	pefile==2017.11.5
	plumbum==1.6.4
	progressbar==2.3
	pycparser==2.18
	pyelftools==0.24
	pygit==0.1
	Pympler==0.5
	pyvex==7.7.12.16
	rpyc==3.4.4
	sortedcontainers==1.5.7
	unicorn==1.0.1
	z3-solver==4.5.1.0.post2
	#include <stdio.h>
	#include <stdlib.h>

	void avoid() { printf("Avoid\n"); exit(1); }
	void found() { printf("Found\n"); exit(0); }
	void failure() { printf("Failure\n"); exit(1); }

	int main(int argc, char * argv[]) {

	if (argc != 2) avoid();
	char n = argv[1][0] - 97;
	if (n < 0 \|\| n > 1) avoid();

	int m[2] = {0x0, 0x0};
	((int )(((char *) m) + n)) = 0x01020304;

	//printf("%d\n", ((int )(m + n)));

	if (((int )(((char *) m) + n)) == 0x01020304) found();
	else failure();

	return 0;
	}
	all:
	gcc -o main-i386 main.c -m32
	mips-linux-gnu-gcc -o main-mips main.c

	clean:
	-rm main-i386 main-mips

	gen:
	objdump -d main-i386 \| grep '<avoid>' \| cut -f1 -d' ' \| head -n 1 > avoid-i386.txt
	objdump -d main-mips \| grep '<avoid>' \| cut -f1 -d' ' \| head -n 1 > avoid-mips.txt
	objdump -d main-i386 \| grep '<found>' \| cut -f1 -d' ' \| head -n 1 > found-i386.txt
	objdump -d main-mips \| grep '<found>' \| cut -f1 -d' ' \| head -n 1 > found-mips.txt
	objdump -d main-i386 \| grep '<failure>' \| cut -f1 -d' ' \| head -n 1 > failure-i386.txt
	objdump -d main-mips \| grep '<failure>' \| cut -f1 -d' ' \| head -n 1 > failure-mips.txt

	run:
	@echo "Running i386"
	./main-i386 a
	./main-i386 b
	@echo
	@echo "Running mips (qemu-mips)"
	./main-mips a
	./main-mips b
	@echo
	@echo "angr i386"
	python run.py i386
	@echo
	@echo "angr mips"
	python run.py mips
	Running i386
	./main-i386 a
	Found
	./main-i386 b
	Found

	Running mips (qemu-mips)
	./main-mips a
	Found
	./main-mips b
	Found

	angr i386
	python run.py i386
	binary: main-i386
	avoid: [134513803, 4196600]
	found: 134513835
	<SimulationManager with 1 found, 2 avoid>
	Correct: argv[1]=[98L, 97]

	angr mips
	python run.py mips
	binary: main-mips
	avoid: [4196448, 4196600]
	found: 4196524
	<SimulationManager with 1 found, 2 avoid>
	Correct: argv[1]=[98L, 97]
	import angr
	import claripy # It is optimal to use claripy.BVV/BVS over state.solver.BVV/BVS
	import sys

	def main():

	if len(sys.argv) == 2 and sys.argv[1] in ('i386', 'mips'):
	if sys.argv[1] == 'mips':
	found = int(open('found-mips.txt', 'r').read().rstrip('\n'), 16)
	avoid = [int(open('avoid-mips.txt', 'r').read().rstrip('\n'), 16), int(open('failure-mips.txt', 'r').read().rstrip('\n'), 16)]
	binary = "main-mips"
	else:
	found = int(open('found-i386.txt', 'r').read().rstrip('\n'), 16)
	avoid = [int(open('avoid-i386.txt', 'r').read().rstrip('\n'), 16), int(open('failure-mips.txt', 'r').read().rstrip('\n'), 16)]
	binary = "main-i386"
	else:
	print sys.argv[0] + " <i386\|mips>"
	sys.exit(1)

	print "binary: " + str(binary)
	print "avoid: " + str(avoid)
	print "found: " + str(found)

	project = angr.Project(binary, load_options={'auto_load_libs':False}, )

	argv = [project.filename] # argv[0]
	sym_arg_size = 1 # max number of bytes we'll try to solve for
	sym_arg = claripy.BVS('sym_arg', 8*sym_arg_size)
	argv.append(sym_arg) # argv[1]

	state = project.factory.entry_state(args=argv, add_options={angr.options.SYMBOLIC_WRITE_ADDRESSES})
	sm = project.factory.simulation_manager(state)

	sm = sm.explore(find=found, avoid=avoid)
	if len(sm.found) > 0:

	#assert len(sm.found) == 1
	#assert len(sm.active) == 0

	found = sm.found[0]
	result = found.solver.eval_upto(argv[1], 10)
	print sm
	return "Correct: argv[1]=" + str(result)

	return "Error: " + str(sm)

	if __name__ == "__main__":
	print main()