From 09b23a004017f4392661a01f42da33efc356edcd Mon Sep 17 00:00:00 2001
From: Kevin Phoenix
Date: Thu, 15 Aug 2024 16:36:24 -0700
Subject: [PATCH] Use BVV from claripy (#116)

---
 angrop/chain_builder/mem_changer.py     | 9 +++++----
 angrop/chain_builder/mem_writer.py      | 2 +-
 angrop/chain_builder/reg_setter.py      | 3 ++-
 angrop/gadget_finder/gadget_analyzer.py | 2 +-
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/angrop/chain_builder/mem_changer.py b/angrop/chain_builder/mem_changer.py
index de2bc8b..20d7852 100644
--- a/angrop/chain_builder/mem_changer.py
+++ b/angrop/chain_builder/mem_changer.py
@@ -1,6 +1,7 @@
 import logging
 from functools import cmp_to_key
+import claripy
 import angr
 from .builder import Builder
@@ -140,9 +141,9 @@ def _add_mem_with_gadget(self, gadget, addr, data_size, final_val=None, differen
         test_state = self.make_sim_state(gadget.addr)
         if difference is not None:
-            test_state.memory.store(addr.concreted, test_state.solver.BVV(~(difference.concreted), data_size)) # pylint:disable=invalid-unary-operand-type
+            test_state.memory.store(addr.concreted, claripy.BVV(~(difference.concreted), data_size)) # pylint:disable=invalid-unary-operand-type
         if final_val is not None:
-            test_state.memory.store(addr.concreted, test_state.solver.BVV(~final_val, data_size)) # pylint:disable=invalid-unary-operand-type
+            test_state.memory.store(addr.concreted, claripy.BVV(~final_val, data_size)) # pylint:disable=invalid-unary-operand-type
         # step the gadget
         pre_gadget_state = test_state
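Review bot: The two `claripy.BVV(~(...), data_size)` calls in the `@@ -140` hunk pass a negative Python int to BVV — `~x` on an int is `-x-1` — and the `# pylint:disable=invalid-unary-operand-type` on those lines silences the tooling without recording why the value is allowed to be negative. As far as I can tell this presumably relies on claripy truncating the value to `data_size` bits two's-complement, the same thing `test_state.solver.BVV` did before the change, but the hunk does not make that visible to a reader. A short comment above the `if difference is not None:` line would do: `# ~x is negative in Python; claripy.BVV wraps it to data_size bits (two's complement), so the stored value is the bitwise complement`. `_add_mem_with_gadget` begins and continues outside this hunk.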
@@ -171,11 +172,11 @@ def _add_mem_with_gadget(self, gadget, addr, data_size, final_val=None, differen
         # constrain the data
         if final_val is not None:
             test_state.add_constraints(state.memory.load(addr.concreted, data_size//8, endness=arch_endness) ==
-                                       test_state.solver.BVV(final_val, data_size))
+                                       claripy.BVV(final_val, data_size))
         if difference is not None:
             test_state.add_constraints(state.memory.load(addr.concreted, data_size//8, endness=arch_endness) - test_state.memory.load(addr.concreted, data_size//8, endness=arch_endness) ==
-                                       test_state.solver.BVV(difference.concreted, data_size))
+                                       claripy.BVV(difference.concreted, data_size))
         # get the actual register values
         all_deps = list(mem_change.addr_dependencies) + list(mem_change.data_dependencies)
diff --git a/angrop/chain_builder/mem_writer.py b/angrop/chain_builder/mem_writer.py
index 4e0d270..52cdee9 100644
--- a/angrop/chain_builder/mem_writer.py
+++ b/angrop/chain_builder/mem_writer.py
@@ -225,7 +225,7 @@ def _write_to_mem_with_gadget(self, gadget, addr_val, data, use_partial_controll
         state = rop_utils.step_to_unconstrained_successor(self.project, pre_gadget_state)
         # constrain the data
-        test_state.add_constraints(state.memory.load(addr_val.data, len(data)) == test_state.solver.BVV(data))
+        test_state.add_constraints(state.memory.load(addr_val.data, len(data)) == claripy.BVV(data))
         # get the actual register values
         all_deps = list(mem_write.addr_dependencies) + list(mem_write.data_dependencies)
diff --git a/angrop/chain_builder/reg_setter.py b/angrop/chain_builder/reg_setter.py
index 674e253..cee6f17 100644
--- a/angrop/chain_builder/reg_setter.py
+++ b/angrop/chain_builder/reg_setter.py
@@ -2,6 +2,7 @@
 import logging
 from collections import defaultdict
+import claripy
 from angr.errors import SimUnsatError
 from .builder import Builder
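Review bot: The added line in mem_writer.py's `@@ -225` hunk calls `claripy.BVV(data)`, but unlike mem_changer.py and reg_setter.py this file receives no `import claripy` in the patch — its diffstat is one insertion and one deletion, both on this line. Unless mem_writer.py already imports claripy at the top, which is outside the hunk, `_write_to_mem_with_gadget` will raise `NameError: name 'claripy' is not defined` the first time a memory write is constrained, which a test suite that only exercises register-setting chains would not catch. If the import is missing, add `import claripy` to the third-party import group, as the other two files do in this commit. `_write_to_mem_with_gadget` starts and ends outside the hunk.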
@@ -494,7 +495,7 @@ def _check_if_sufficient_partial_control(self, gadget, reg, value):
         state.registers.store(reg, 0)
         state.regs.ip = gadget.addr
         # store A's past the end of the stack
-        state.memory.store(state.regs.sp + gadget.stack_change, state.solver.BVV(b"A"*0x100))
+        state.memory.store(state.regs.sp + gadget.stack_change, claripy.BVV(b"A"*0x100))
         succ = rop_utils.step_to_unconstrained_successor(project=self.project, state=state)
         # successor
diff --git a/angrop/gadget_finder/gadget_analyzer.py b/angrop/gadget_finder/gadget_analyzer.py
index 81e3645..6fb45e9 100644
--- a/angrop/gadget_finder/gadget_analyzer.py
+++ b/angrop/gadget_finder/gadget_analyzer.py
@@ -534,7 +534,7 @@ def _check_if_stack_controls_ast(self, ast, initial_state, gadget_stack_change=N
         stack_bytes_length = self._stack_bsize # number of controllable bytes
         if gadget_stack_change is not None:
             stack_bytes_length = min(max(gadget_stack_change, 0), stack_bytes_length)
-        concrete_stack = initial_state.solver.BVV(b"B" * stack_bytes_length)
+        concrete_stack = claripy.BVV(b"B" * stack_bytes_length)
         concrete_stack_s = initial_state.copy()
         concrete_stack_s.add_constraints(
             initial_state.memory.load(initial_state.regs.sp, stack_bytes_length) == concrete_stack)
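Review bot: In gadget_analyzer.py's `@@ -534` hunk the new `concrete_stack = claripy.BVV(b"B" * stack_bytes_length)` depends on `claripy` being a module-level name, yet this file's diffstat (`2 +-`) shows no import was added alongside the change. If gadget_analyzer.py does not already `import claripy` — I cannot see its import block from this hunk — `_check_if_stack_controls_ast` will fail with a NameError during gadget analysis, i.e. on every run of the gadget finder, so please confirm the import exists or add `import claripy` with the other third-party imports. `_check_if_stack_controls_ast` continues past the end of the hunk.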