How to use the claripy.ast function in claripy
To help you get started, we’ve selected a few claripy examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
ww9210 / Linux_kernel_exploits / fuze / concolicexecutor / __init__.py View on Github 
def __init__(self, kernel_path=None, dbcred=\
'/home/ww9210/develop/concolic_execution/concolicexecutor/dbcredentials.bin'):
self.kernel_path = kernel_path
self.k = ELF(kernel_path)
self.b = angr.Project(kernel_path)
self.sol = claripy.Solver()
self.claripy = claripy
self.typebv = claripy.ast.bv.BV
self.r = None
self.statebroker = statebroker.StateBroker()
self.krop = None
self.interested_funcs = {}
self.memory_leak_funcs = {}
# build connection to knowledge graph
tmpf = open(dbcred, 'r')
url, username, password = pickle.load(tmpf)
print url, username, password
try:
self.neo4j_inst = neo4j_interace.MyNeo4jInterface(url, username, password)
except neo4j.exceptions.ServiceUnavailable:
print '[-] could not connect database'
tmpf.close()def __repr__(self):
if self._addr is None:
return ''
value = '' if not self.resolvable else self.resolved
if isinstance(self._addr, claripy.ast.Base):
addr = self._addr.__repr__(inner=True)
elif hasattr(self._addr, 'ast') and isinstance(self._addr.ast, claripy.ast.Base):
addr = self._addr.ast.__repr__(inner=True)
else:
addr = repr(self._addr)
type_name = repr(self._type) if self._type is not None else ''
return '<{} {} at {}>'.format(type_name,
value,
addr)entries = [ ]
if hooker.ADDS_EXITS:
# Get two blocks ahead
grandparent_nodes = self.graph.predecessors(previous_src_node)
if not grandparent_nodes:
l.warning("%s is supposed to yield new exits, but it fails to do so.", hooker.__name__)
return [ ]
blocks_ahead = [
self.project.factory.block(grandparent_nodes[0].addr).vex,
self.project.factory.block(previous_src_node.addr).vex,
]
new_exits = hooker.static_exits(self.project.arch, blocks_ahead)
for addr, jumpkind in new_exits:
if isinstance(addr, claripy.ast.BV) and not addr.symbolic:
addr = addr._model_concrete.value
if not isinstance(addr, (int, long)):
continue
entries += self._create_entries(addr, jumpkind, current_function_addr, None, addr, cfg_node, None, None)
return entriesdef _prepare_paths(self):
'''
prepare initial paths
'''
if self.os == "cgc":
cache_tuple = self._cache_lookup()
pg = None
# if we're restoring from a cache, we preconstrain
if cache_tuple is not None:
bb_cnt, self.cgc_flag_bytes, state, claripy.ast.base.var_counter = cache_tuple
pg = self._cgc_prepare_paths(state)
self._preconstrain_state(state)
self.bb_cnt = bb_cnt
else: # if we're not restoring from a cache, the cacher will preconstrain
pg = self._cgc_prepare_paths()
return pg
elif self.os.startswith("UNIX"):
return self._linux_prepare_paths()
raise TracerEnvironmentError(
"unsupport OS \"%s\" called _prepare_paths",
self.os)def store(self, state, addr, value):
store_endness = state.arch.memory_endness
if isinstance(value, claripy.ast.Bits):
if value.size() != self.size:
raise ValueError("size of expression is wrong size for type")
elif isinstance(value, int):
value = state.solver.BVV(value, self.size)
elif isinstance(value, bytes):
store_endness = 'Iend_BE'
else:
raise TypeError("unrecognized expression type for SimType {}".format(type(self).__name__))
state.memory.store(addr, value, endness=store_endness)elif len(self._memory_backer) <= self._page_size:
for i in self._memory_backer:
if new_page_addr <= i and i <= new_page_addr + self._page_size:
if isinstance(self._memory_backer[i], claripy.ast.Base):
backer = self._memory_backer[i]
elif isinstance(self._memory_backer[i], bytes):
backer = claripy.BVV(self._memory_backer[i])
else:
backer = claripy.BVV(self._memory_backer[i], self.byte_width)
mo = SimMemoryObject(backer, i, byte_width=self.byte_width)
self._apply_object_to_page(n*self._page_size, mo, page=new_page)
initialized = True
elif len(self._memory_backer) > self._page_size:
for i in range(self._page_size):
try:
if isinstance(self._memory_backer[i], claripy.ast.Base):
backer = self._memory_backer[i]
elif isinstance(self._memory_backer[i], bytes):
backer = claripy.BVV(self._memory_backer[i])
else:
backer = claripy.BVV(self._memory_backer[i], self.byte_width)
mo = SimMemoryObject(backer, new_page_addr+i, byte_width=self.byte_width)
self._apply_object_to_page(n*self._page_size, mo, page=new_page)
initialized = True
except KeyError:
pass
# page from debugger
try:
if seg is not None:
perms = 0
if seg.perm & idaapi.SEGPERM_EXEC:def is_fp_value(val):
return isinstance(val, (float, claripy.ast.FP)) or \
(isinstance(val, claripy.ast.Base) and val.op.startswith('fp')) or \
(isinstance(val, claripy.ast.Base) and val.op == 'Reverse' and val.args[0].op.startswith('fp'))def unmap_region(self, addr, length):
if o.TRACK_MEMORY_MAPPING not in self.state.options:
return
if self.state.solver.symbolic(addr):
raise SimMemoryError("cannot unmap region with a symbolic address")
if isinstance(addr, claripy.ast.bv.BV):
addr = self.state.solver.max_int(addr)
base_page_num = self._page_id(addr)
pages = self._num_pages(addr, addr + length)
# this check should not be performed when constructing a CFG
if self.state.mode != 'fastpath':
for page in range(pages):
# TODO: Why is this different from the check in map_region? what if we unmap _backer backed pages?
if base_page_num + page not in self._pages:
l.warning("unmap_region received address and length combination is not mapped")
return
for page_id in range(base_page_num, base_page_num + pages):
del self._pages[page_id]
del self._symbolic_addrs[page_id]def _normalize_address_type(self, addr): #pylint:disable=no-self-use
"""
Convert address of different types to a list of mapping between region IDs and offsets (strided intervals).
:param claripy.ast.Base addr: Address to convert
:return: A list of mapping between region IDs and offsets.
:rtype: dict
"""
addr_e = _raw_ast(addr)
if isinstance(addr_e, (claripy.bv.BVV, claripy.vsa.StridedInterval, claripy.vsa.ValueSet)):
raise SimMemoryError('_normalize_address_type() does not take claripy models.')
if isinstance(addr_e, claripy.ast.Base):
if not isinstance(addr_e._model_vsa, ValueSet):
# Convert it to a ValueSet first by annotating it
addr_e = addr_e.annotate_inline(RegionAnnotation('global', 0, addr_e._model_vsa))
return addr_e._model_vsa.items()
else:
raise SimAbstractMemoryError('Unsupported address type %s' % type(addr_e))The following parameters are optional.
:param fallback: A claripy expression representing what the write should resolve to if all conditions
evaluate to false (default: whatever was there before).
:param add_constraints: Add constraints resulting from the merge (default: True)
:param endness: The endianness for contents as well as fallback.
:param action: A SimActionData to fill out with the final written value and constraints.
:type action: SimActionData
"""
if fallback is None and all(c is None for c in contents):
l.debug("Avoiding an empty write.")
return
max_bits = max(c.length for c in contents_e if isinstance(c, claripy.ast.Bits)) \
if fallback is None else fallback.length
# if fallback is not provided by user, load it from memory
# remember to specify the endianness!
fallback_e = self.load(addr, max_bits//self.state.arch.byte_width, add_constraints=add_constraints, endness=endness) \
if fallback_e is None else fallback_e
req = self._store_cases(addr_e, contents_e, conditions_e, fallback_e, endness=endness)
add_constraints = self.state._inspect_getattr('address_concretization_add_constraints', add_constraints)
if add_constraints:
self.state.add_constraints(*req.constraints)
if req.completed and o.AUTO_REFS in self.state.options and action is None:
region_type = self.category
if region_type == 'file':
# Special handling for files to keep compatibilityclaripy
An abstraction layer for constraint solvers
