Diffstat (limited to 'example/symbol_exec')
-rw-r--r--example/symbol_exec/depgraph.py29
-rw-r--r--example/symbol_exec/dse_crackme.py41
-rw-r--r--example/symbol_exec/dse_strategies.py29
-rw-r--r--example/symbol_exec/single_instr.py5
4 files changed, 65 insertions, 39 deletions
diff --git a/example/symbol_exec/depgraph.py b/example/symbol_exec/depgraph.py
index 260d62ab..c1dbd422 100644
--- a/example/symbol_exec/depgraph.py
+++ b/example/symbol_exec/depgraph.py
@@ -1,7 +1,11 @@
+from __future__ import print_function
+from builtins import range
 from argparse import ArgumentParser
 from pdb import pm
 import json
 
+from future.utils import viewitems
+
 from miasm2.analysis.machine import Machine
 from miasm2.analysis.binary import Container
 from miasm2.analysis.depgraph import DependencyGraph
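Review bot: The added imports `from builtins import range` and `from future.utils import viewitems` make this example depend on the third-party `future` package; on Python 2 the `builtins` module exists only when `future` is installed, so the script would fail at import time without it. Whether the project declares that dependency is not visible in this diff, so it should be confirmed in the packaging metadata or stated in the example's header. The same imports are added in dse_crackme.py and dse_strategies.py. For the only loop visible in this file, `range(4)`, the plain builtin behaves the same on both versions, so the `builtins` import may be unnecessary unless code outside the hunks needs it.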
@@ -54,7 +58,7 @@ init_ctx = {}
 if args.rename_args:
     if arch == "x86_32":
         # StdCall example
-        for i in xrange(4):
+        for i in range(4):
             e_mem = ExprMem(ExprId("ESP_init", 32) + ExprInt(4 * (i + 1), 32), 32)
             init_ctx[e_mem] = ExprId("arg%d" % i, 32)
 
@@ -74,8 +78,9 @@ dg = DependencyGraph(
 
 # Build information
 target_addr = int(args.target_addr, 0)
-current_block = list(ircfg.getby_offset(target_addr))[0]
+current_loc_key = next(iter(ircfg.getby_offset(target_addr)))
 assignblk_index = 0
+current_block = ircfg.get_block(current_loc_key)
 for assignblk_index, assignblk in enumerate(current_block):
     if assignblk.instr.offset == target_addr:
         break
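Review bot: `next(iter(ircfg.getby_offset(target_addr)))` raises a bare `StopIteration` when no block covers the address parsed from `args.target_addr`, which gives the user an opaque traceback for what is an input error. Passing a default and checking it makes the failure explicit: `current_loc_key = next(iter(ircfg.getby_offset(target_addr)), None)` followed by `if current_loc_key is None: raise ValueError("no block at 0x%x" % target_addr)`. Whether `ircfg.get_block` can itself return nothing for a known key is not visible here and is worth confirming before `current_block` is iterated.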
@@ -88,14 +93,14 @@ for sol_nb, sol in enumerate(dg.get(current_block.loc_key, elements, assignblk_i
             fdesc.write(sol.graph.dot())
 
     results = sol.emul(ir_arch, ctx=init_ctx)
-    tokens = {str(k): str(v) for k, v in results.iteritems()}
+    tokens = {str(k): str(v) for k, v in viewitems(results)}
     if not args.json:
-        result = ", ".join("=".join(x) for x in tokens.iteritems())
-        print "Solution %d: %s -> %s" % (sol_nb,
+        result = ", ".join("=".join(x) for x in viewitems(tokens))
+        print("Solution %d: %s -> %s" % (sol_nb,
                                          result,
-                                         fname)
+                                         fname))
         if sol.has_loop:
-            print '\tLoop involved'
+            print('\tLoop involved')
 
     if args.implicit:
         sat = sol.is_satisfiable
@@ -109,10 +114,12 @@ for sol_nb, sol in enumerate(dg.get(current_block.loc_key, elements, assignblk_i
                 constraints[element] = result
         if args.json:
             tokens["satisfiability"] = sat
-            tokens["constraints"] = {str(k): str(v)
-                                     for k, v in constraints.iteritems()}
+            tokens["constraints"] = {
+                str(k): str(v)
+                for k, v in viewitems(constraints)
+            }
         else:
-            print "\tSatisfiability: %s %s" % (sat, constraints)
+            print("\tSatisfiability: %s %s" % (sat, constraints))
 
     if args.json:
         tokens["has_loop"] = sol.has_loop
@@ -120,4 +127,4 @@ for sol_nb, sol in enumerate(dg.get(current_block.loc_key, elements, assignblk_i
 
 
 if args.json:
-    print json.dumps(json_solutions)
+    print(json.dumps(json_solutions))
diff --git a/example/symbol_exec/dse_crackme.py b/example/symbol_exec/dse_crackme.py
index 37700d75..33ec3b72 100644
--- a/example/symbol_exec/dse_crackme.py
+++ b/example/symbol_exec/dse_crackme.py
@@ -4,15 +4,19 @@ This example should run on the compiled ELF x86 64bits version of
 "dse_crackme.c"
 
 """
+from __future__ import print_function
 
 #### This part is only related to the run of the sample, without DSE ####
+from builtins import range
 import os
 import subprocess
 import platform
 from collections import namedtuple
 from pdb import pm
 from tempfile import NamedTemporaryFile
+from future.utils import viewitems
 
+from miasm2.core.utils import int_to_byte
 from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE
 from miasm2.analysis.sandbox import Sandbox_Linux_x86_64
 from miasm2.expression.expression import *
@@ -81,8 +85,11 @@ FS_0_ADDR = 0x7ff70000
 sb.jitter.cpu.FS = 0x4
 sb.jitter.cpu.set_segm_base(sb.jitter.cpu.FS, FS_0_ADDR)
 sb.jitter.vm.add_memory_page(
-    FS_0_ADDR + 0x28, PAGE_READ, "\x42\x42\x42\x42\x42\x42\x42\x42",
-    "Stack canary FS[0x28]")
+    FS_0_ADDR + 0x28,
+    PAGE_READ,
+    b"\x42\x42\x42\x42\x42\x42\x42\x42",
+    "Stack canary FS[0x28]"
+)
 
 # Prepare the execution
 sb.jitter.init_run(sb.entry_point)
@@ -108,7 +115,7 @@ class SymbolicFile(object):
     def read(self, length):
         assert self.state == "OPEN"
         out = []
-        for i in xrange(self.position, min(self.position + length,
+        for i in range(self.position, min(self.position + length,
                                            self.max_size)):
             if i not in self.gen_bytes:
                 ret = ExprId("SF_%08x_%d" % (id(self), i), 8)
@@ -220,7 +227,7 @@ def xxx_puts_symb(dse):
     raise FinishOn(string)
 
 
-todo = set([""]) # Set of file content to test
+todo = set([b""]) # Set of file content to test
 
 # Instantiate the DSE engine
 machine = Machine("x86_64")
@@ -262,7 +269,7 @@ found = False
 while todo:
     # Prepare a solution to try, based on the clean state
     file_content = todo.pop()
-    print "CUR: %r" % file_content
+    print("CUR: %r" % file_content)
     open(TEMP_FILE.name, "wb").write(file_content)
     dse.restore_snapshot(snapshot, keep_known_solutions=True)
     FILE_to_info.clear()
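Review bot: The context line `open(TEMP_FILE.name, "wb").write(file_content)` never closes the handle, so the data is flushed only when the interpreter collects the file object. On Python 3 this emits a ResourceWarning, and on an interpreter without reference counting the emulated run that follows could read a stale or empty file. Since the commit is about Python 3 compatibility, this line is worth changing to `with open(TEMP_FILE.name, "wb") as fdesc: fdesc.write(file_content)`. The `while todo:` body continues outside the hunk.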
@@ -272,38 +279,38 @@ while todo:
     try:
         sb.run()
     except FinishOn as finish_info:
-        print finish_info.string
-        if finish_info.string == "OK":
+        print(finish_info.string)
+        if finish_info.string == b"OK":
             # Stop if the expected result is found
             found = True
             break
 
     finfo = FILE_to_info_symb[FILE_stream]
-    for sol_ident, model in dse.new_solutions.iteritems():
+    for sol_ident, model in viewitems(dse.new_solutions):
         # Build the file corresponding to solution in 'model'
 
-        out = ""
+        out = []
         fsize = max(model.eval(dse.z3_trans.from_expr(FILE_size)).as_long(),
                     len(finfo.gen_bytes))
-        for index in xrange(fsize):
+        for index in range(fsize):
             try:
                 byteid = finfo.gen_bytes[index]
-                out += chr(model.eval(dse.z3_trans.from_expr(byteid)).as_long())
+                out.append(int_to_byte(model.eval(dse.z3_trans.from_expr(byteid)).as_long()))
             except (KeyError, AttributeError) as _:
                 # Default value if there is no constraint on current byte
-                out += "\x00"
+                out.append(b"\x00")
 
-        todo.add(out)
+        todo.add(b"".join(out))
 
 # Assert that the result has been found
 assert found == True
-print "FOUND !"
+print("FOUND !")
 
 TEMP_FILE.close()
 
 # Replay for real
 if not is_win:
-    print "Trying to launch the binary without Miasm"
+    print("Trying to launch the binary without Miasm")
     crackme = subprocess.Popen([options.filename, TEMP_FILE.name],
                                stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE)
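Review bot: The new comparison `finish_info.string == b"OK"` depends on the `puts` stub raising `FinishOn` with a bytes value, and that stub is outside this hunk. If it passes a `str` on Python 3 the comparison is silently False, `found` is never set, and the problem only shows up at `assert found == True`. A short comment above the comparison, such as `# FinishOn.string is bytes (read from emulated memory by the puts stub)`, or an explicit normalisation at the raise site would make the contract visible. Note also that `print(finish_info.string)` shows `b'OK'` rather than `OK` on Python 3 when the value is bytes.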
@@ -311,8 +318,8 @@ if not is_win:
     assert not stderr
     os.unlink(TEMP_FILE.name)
     stdout = stdout.strip()
-    print stdout
-    assert stdout == "OK"
+    print(stdout)
+    assert stdout == b"OK"
 else:
     os.unlink(TEMP_FILE.name)
 
diff --git a/example/symbol_exec/dse_strategies.py b/example/symbol_exec/dse_strategies.py
index b38c797a..8e479d61 100644
--- a/example/symbol_exec/dse_strategies.py
+++ b/example/symbol_exec/dse_strategies.py
@@ -17,8 +17,11 @@ Global overview:
    - Ask the DSE for new candidates, according to its strategy, ie. finding new
 block / branch / path
 """
+from __future__ import print_function
 from argparse import ArgumentParser
 
+from future.utils import viewitems
+
 from miasm2.analysis.machine import Machine
 from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE
 from miasm2.analysis.dse import DSEPathConstraint
@@ -42,9 +45,13 @@ strategy = {
 run_addr = 0x40000
 machine = Machine("x86_32")
 jitter = machine.jitter("python")
-with open(args.filename) as fdesc:
-    jitter.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, fdesc.read(),
-                              "Binary")
+with open(args.filename, "rb") as fdesc:
+    jitter.vm.add_memory_page(
+        run_addr,
+        PAGE_READ | PAGE_WRITE,
+        fdesc.read(),
+        "Binary"
+    )
 
 # Expect a binary with one argument on the stack
 jitter.init_stack()
@@ -94,7 +101,7 @@ while todo:
         continue
     done.add(arg_value)
 
-    print "Run with ARG = %s" % arg_value
+    print("Run with ARG = %s" % arg_value)
     # Restore state, while keeping already found solutions
     dse.restore_snapshot(snapshot, keep_known_solutions=True)
 
@@ -113,17 +120,21 @@ while todo:
     # - last edge for branch coverage
     # - execution path for path coverage
 
-    for sol_ident, model in dse.new_solutions.iteritems():
-        print "Found a solution to reach: %s" % str(sol_ident)
+    for sol_ident, model in viewitems(dse.new_solutions):
+        print("Found a solution to reach: %s" % str(sol_ident))
         # Get the argument to use as a Miasm Expr
         sol_value = model.eval(dse.z3_trans.from_expr(arg)).as_long()
         sol_expr = ExprInt(sol_value, arg.size)
 
         # Display info and update storages
-        print "\tARG = %s" % sol_expr
+        print("\tARG = %s" % sol_expr)
         todo.add(sol_expr)
         reaches.add(sol_ident)
 
-print "Found %d input, to reach %d element of coverage" % (len(done),
-                                                           len(reaches))
+print(
+    "Found %d input, to reach %d element of coverage" % (
+        len(done),
+        len(reaches)
+    )
+)
 
diff --git a/example/symbol_exec/single_instr.py b/example/symbol_exec/single_instr.py
index 3b27a814..bdc65360 100644
--- a/example/symbol_exec/single_instr.py
+++ b/example/symbol_exec/single_instr.py
@@ -1,3 +1,4 @@
+from __future__ import print_function
 # Minimalist Symbol Exec example
 from miasm2.analysis.binary import Container
 from miasm2.analysis.machine import Machine
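Review bot: The `from __future__ import print_function` line is inserted above the file's title comment `# Minimalist Symbol Exec example`, which pushes the description off the first line. A `__future__` import only has to precede other statements, not comments, so the comment can stay first with the import directly below it.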
@@ -32,9 +33,9 @@ symb = SymbolicExecutionEngine(ira)
 cur_addr = symb.run_at(ircfg, START_ADDR)
 
 # Modified elements
-print 'Modified registers:'
+print('Modified registers:')
 symb.dump(mems=False)
-print 'Modified memory (should be empty):'
+print('Modified memory (should be empty):')
 symb.dump(ids=False)
 
 # Check final status