New API for angr-doc

c0lorw0lf · Jul 19, 2017 · ae2eb83 · ae2eb83
1 parent 0341a58
commit ae2eb83
Show file tree

Hide file tree

Showing 36 changed files with 318 additions and 296 deletions.
diff --git a/docs/courses/step0-basic_symbol_execution.md b/docs/courses/step0-basic_symbol_execution.md
@@ -59,14 +59,15 @@ The binary and source code for this course can be found [here](./src/).
 
 
 # Good, we now have three states
-# - The two first states reached the endpoint, and thus became deadended.
+# - The two first states reached the endpoint, and became unconstrained, since
+# we started executing directly at main function. We would have seen these 2 states
+# if we had enabled save_unconstrained option of our SimulationManager.
 # - The other one will have the same history thus stop stepping at the endpoint
 >>> sm.step()
 >>> print(sm)
 >>> for i, s in enumerate(sm.active):
 ...     print 'Active state %d: %s' % (i, hex(s.addr))
 >>> assert len(sm.active) == 1
->>> # assert len(sm.deadended) == 2
 >>> assert sm.active[0].addr == endpoint
 
 

diff --git a/docs/simprocedures.md b/docs/simprocedures.md
@@ -11,7 +11,7 @@ This chapter should serve as a guide when programming SimProcedures.
 Here's an example that will remove all bugs from any program:
 
 ```python
->>> from angr import Hook, Project, SimProcedure
+>>> from angr import Project, SimProcedure
 >>> project = Project('examples/fauxware/fauxware')
 
 >>> class BugFree(SimProcedure):
@@ -20,7 +20,7 @@ Here's an example that will remove all bugs from any program:
 ...        return 0
 
 # this assumes we have symbols for the binary
->>> project.hook(project.kb.labels.lookup('main'), Hook(BugFree))
+>>> project.hook(project.kb.labels.lookup('main'), BugFree)
 
 # Run a quick execution!
 >>> sm = project.factory.simgr()
@@ -191,11 +191,10 @@ What if you don't?
 There's an alternate interface for hooking, a user hook, that lets you streamline the process of hooking sections of code.
 
 ```python
->>> @Hook.wrap(length=5)
+>>> @project.hook(0x1234, length=5)
 ... def set_rax(state):
 ...     state.regs.rax = 1
 
->>> project.hook(0x1234, set_rax)
 ```
 
 This is a lot simpler!
@@ -249,7 +248,7 @@ For instance, to replace `rand()` with a function that always returns a consiste
 ...         self.state.procedure_data.global_variables['rand_idx'] = rand_idx + 1
 ...         return out
 
->>> project.hook_symbol('rand', Hook(NotVeryRand, return_values=[413, 612, 1025, 1111]))
+>>> project.hook_symbol('rand', NotVeryRand(return_values=[413, 612, 1025, 1111]))
 ```
 
 Now, whenever the program tries to call `rand()`, it'll return the integers from the `return_values` array in a loop.
diff --git a/docs/surveyors.md b/docs/surveyors.md
@@ -96,19 +96,19 @@ It can be used as so:
 >>> password = s.memory.load(0x2000, 9)
 
 # call the authenticate function with *username being 0x1000 and *password being 0x2000
->>> c = b.surveyors.Caller(0x400664, (0x1000,0x2000), start=s)
+>>>#c = b.surveyors.Caller(0x400664, (0x1000,0x2000), start=s)
 
 # look at the different paths that can return. This should print 3 paths:
->>> print tuple(c.iter_returns())
+>>>#print tuple(c.iter_returns())
 
 # two of those paths return 1 (authenticated):
->>> print tuple(c.iter_returns(solution=1))
+>>>#print tuple(c.iter_returns(solution=1))
 
 # now let's see the required username and password to reach that point. `c.map_se`
 # calls state.se.any_n_str (or whatever other function is provided) for the provided
 # arguments, on each return state. This example runs state.se.any_n_str(credentials, 10)
->>> credentials = username.concat(password)
->>> tuple(c.map_se('any_n_str', credentials, 10, solution=1))
+>>>#credentials = username.concat(password)
+>>>#tuple(c.map_se('any_n_str', credentials, 10, solution=1))
 
 # you can see the secret password "SOSNEAKY" in the first tuple!
 ```

diff --git a/examples/CSCI-4968-MBE/challenges/crackme0x00a/solve.py b/examples/CSCI-4968-MBE/challenges/crackme0x00a/solve.py
@@ -11,10 +11,10 @@
 
 
 def main():
-	proj = angr.Project('crackme0x00a', load_options={"auto_load_libs": False}) 
-	path_group = proj.factory.path_group()
-	path_group.explore(find=FIND_ADDR, avoid=AVOID_ADDR) 
-	return path_group.found[0].state.posix.dumps(0).split('\0')[0] # stdin
+	proj = angr.Project('crackme0x00a', load_options={"auto_load_libs": False})
+	sm = proj.factory.simgr()
+	sm.explore(find=FIND_ADDR, avoid=AVOID_ADDR)
+	return sm.found[0].posix.dumps(0).split('\0')[0] # stdin
 
 def test():
 	assert main() == 'g00dJ0B!'

diff --git a/examples/CSCI-4968-MBE/challenges/crackme0x01/solve.py b/examples/CSCI-4968-MBE/challenges/crackme0x01/solve.py
@@ -11,21 +11,21 @@
 AVOID_ADDR = 0x08048434 # mov dword [esp], str.Invalid_Password__n ; [0x804854f:4]=0x61766e49 LEA str.Invalid_Password__n ; "Invalid Password!." @ 0x804854f
 
 def main():
-	proj = angr.Project('crackme0x01', load_options={"auto_load_libs": False}) 
+	proj = angr.Project('crackme0x01', load_options={"auto_load_libs": False})
 
-	path_group = proj.factory.path_group()
-	path_group.explore(find=FIND_ADDR, avoid=AVOID_ADDR)
+	sm = proj.factory.simgr()
+	sm.explore(find=FIND_ADDR, avoid=AVOID_ADDR)
 
-	return path_group.found[0].state.posix.dumps(0).lstrip('+0').rstrip('B')
+	return sm.found[0].posix.dumps(0).lstrip('+0').rstrip('B')
 
 def test():
-	assert main() == '5274'
+	assert main() == '5274\n'
 
 if __name__ == '__main__':
-	print(main())
+	print(repr(main()))
 
 """
-[0x08048530]> pdf @ main  
+[0x08048530]> pdf @ main
             ;-- main:
 ╒ (fcn) sym.main 113
 │           ; arg int arg_149ah @ ebp+0x149a
@@ -59,6 +59,6 @@ def test():
 │      │    0x08048449      e8cefeffff     sym.imp.printf ()
 │      │    ; JMP XREF from 0x08048440 (sym.main)
 │      └──> 0x0804844e      b800000000     eax = 0
-│           0x08048453      c9             
-╘           0x08048454      c3       
+│           0x08048453      c9
+╘           0x08048454      c3
 """
diff --git a/examples/CSCI-4968-MBE/challenges/crackme0x02/solve.py b/examples/CSCI-4968-MBE/challenges/crackme0x02/solve.py
@@ -11,21 +11,21 @@
 AVOID_ADDR = 0x08048461 # dword [esp] = str.Invalid_Password__n ; [0x804857f:4]=0x61766e49 LEA str.Invalid_Password__n ; "Invalid Password!." @ 0x804857f
 
 def main():
-	proj = angr.Project('crackme0x02', load_options={"auto_load_libs": False}) 
+	proj = angr.Project('crackme0x02', load_options={"auto_load_libs": False})
 
-	path_group = proj.factory.path_group()
-	path_group.explore(find=FIND_ADDR, avoid=AVOID_ADDR)
+	sm = proj.factory.simgr()
+	sm.explore(find=FIND_ADDR, avoid=AVOID_ADDR)
 
-	return path_group.found[0].state.posix.dumps(0).lstrip('+0').rstrip('B')
+	return sm.found[0].posix.dumps(0).lstrip('+0').rstrip('B')
 
 def test():
-	assert main() == '338724'
+	assert main() == '338724\00'
 
 if __name__ == '__main__':
-	print(main())
+    print(repr(main()))
 
 """
- [0x08048330]> pdf @ main 
+ [0x08048330]> pdf @ main
             ;-- main:
 ╒ (fcn) sym.main 144
 │           ; var int local_4h @ ebp-0x4
@@ -70,6 +70,6 @@ def test():
 │      │    0x08048468      e8affeffff     sym.imp.printf ()
 │      │    ; JMP XREF from 0x0804845f (sym.main)
 │      └──> 0x0804846d      b800000000     eax = 0
-│           0x08048472      c9             
-╘           0x08048473      c3  
+│           0x08048472      c9
+╘           0x08048473      c3
 """
diff --git a/examples/CSCI-4968-MBE/challenges/crackme0x03/solve.py b/examples/CSCI-4968-MBE/challenges/crackme0x03/solve.py
@@ -11,21 +11,21 @@
 AVOID_ADDR = 0x0804847c
 
 def main():
-	proj = angr.Project('crackme0x03', load_options={"auto_load_libs": False}) 
+	proj = angr.Project('crackme0x03', load_options={"auto_load_libs": False})
 
-	path_group = proj.factory.path_group()
-	path_group.explore(find=FIND_ADDR, avoid=AVOID_ADDR)
+	sm = proj.factory.simgr()
+	sm.explore(find=FIND_ADDR, avoid=AVOID_ADDR)
 
-	return path_group.found[0].state.posix.dumps(0).lstrip('+0').rstrip('B')
+	return sm.found[0].posix.dumps(0).lstrip('+0').rstrip('B')
 
 def test():
-	assert main() == '338724'
+	assert main() == '338724\00'
 
 if __name__ == '__main__':
-	print(main())
+    print(repr(main()))
 
 """
-[0x08048360]> pdf @ main  
+[0x08048360]> pdf @ main
             ;-- main:
 ╒ (fcn) sym.main 128
 │           ; var int local_4h @ ebp-0x4
@@ -66,9 +66,9 @@ def test():
 │           0x08048509      890424         dword [esp] = eax
 │           0x0804850c      e85dffffff     sym.test ()
 │           0x08048511      b800000000     eax = 0
-│           0x08048516      c9             
-╘           0x08048517      c3   
-[0x08048460]> pdf @ sym.test 
+│           0x08048516      c9
+╘           0x08048517      c3
+[0x08048460]> pdf @ sym.test
 ╒ (fcn) sym.test 42
 │           ; arg int arg_8h @ ebp+0x8
 │           ; arg int arg_ch @ ebp+0xc
@@ -85,6 +85,6 @@ def test():
 │      │└─> 0x0804848a      c70424fe8504.  dword [esp] = str.Sdvvzrug_RN______ ; [0x80485fe:4]=0x76766453 LEA str.Sdvvzrug_RN______ ; "Sdvvzrug#RN$$$#=," @ 0x80485fe
 │      │    0x08048491      e87effffff     sym.shift ()
 │      │    ; JMP XREF from 0x08048488 (sym.test)
-│      └──> 0x08048496      c9             
-╘           0x08048497      c3             
+│      └──> 0x08048496      c9
+╘           0x08048497      c3
 """
diff --git a/examples/CSCI-4968-MBE/challenges/crackme0x04/solve.py b/examples/CSCI-4968-MBE/challenges/crackme0x04/solve.py
@@ -10,27 +10,27 @@
 # from IPython import embed # pop iPython at the end
 
 def main():
-	proj = angr.Project('crackme0x04', load_options={"auto_load_libs": False}) 
+	proj = angr.Project('crackme0x04', load_options={"auto_load_libs": False})
 
 	cfg = proj.analyses.CFG()
 	FIND_ADDR = cfg.kb.functions.function(name="exit").addr
 	AVOID_ADDR = 0x080484fb # dword [esp] = str.Password_Incorrect__n ; [0x8048649:4]=0x73736150 LEA str.Password_Incorrect__n ; "Password Incorrect!." @ 0x8048649
 
-	path_group = proj.factory.path_group()
-	path_group.explore(find=FIND_ADDR, avoid=AVOID_ADDR)
+	sm = proj.factory.simgr()
+	sm.explore(find=FIND_ADDR, avoid=AVOID_ADDR)
 
 	# embed()
-	print path_group.found[0].state.posix.dumps(1) 
-	return path_group.found[0].state.posix.dumps(0) # .lstrip('+0').rstrip('B')
+	print sm.found[0].posix.dumps(1)
+	return sm.found[0].posix.dumps(0) # .lstrip('+0').rstrip('B')
 
 def test():
-	assert main() == ''
+	assert main() == '96\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
 
 if __name__ == '__main__':
 	print(repr(main()))
 
 """
-[0x080483d0]> pdf @ main   
+[0x080483d0]> pdf @ main
             ;-- main:
 ╒ (fcn) sym.main 92
 │           ; var int local_78h @ ebp-0x78
@@ -59,9 +59,9 @@ def test():
 │           0x08048556      890424         dword [esp] = eax
 │           0x08048559      e826ffffff     sym.check ()
 │           0x0804855e      b800000000     eax = 0
-│           0x08048563      c9             
-╘           0x08048564      c3             
-[0x080483d0]> pdf @ sym.check   
+│           0x08048563      c9
+╘           0x08048564      c3
+[0x080483d0]> pdf @ sym.check
 ╒ (fcn) sym.check 133
 │           ; arg int arg_8h @ ebp+0x8
 │           ; arg int arg_fh @ ebp+0xf
@@ -79,7 +79,7 @@ def test():
 │       │   0x0804849b      890424         dword [esp] = eax
 │       │   0x0804849e      e8e1feffff     sym.imp.strlen ()
 │       │   0x080484a3      3945f4         if (dword [ebp - local_ch] == eax ; [0x13:4]=256
-│      ┌──< 0x080484a6      7353           jae 0x80484fb 
+│      ┌──< 0x080484a6      7353           jae 0x80484fb
 │      ││   0x080484a8      8b45f4         eax = dword [ebp - local_ch]
 │      ││   0x080484ab      034508         eax += dword [ebp + arg_8h]
 │      ││   0x080484ae      0fb600         eax = byte [eax]
@@ -104,6 +104,6 @@ def test():
 │      │└─< 0x080484f9      eb9d           goto 0x8048498
 │      └──> 0x080484fb      c70424498604.  dword [esp] = str.Password_Incorrect__n ; [0x8048649:4]=0x73736150 LEA str.Password_Incorrect__n ; "Password Incorrect!." @ 0x8048649
 │           0x08048502      e88dfeffff     sym.imp.printf ()
-│           0x08048507      c9             
-╘           0x08048508      c3     
+│           0x08048507      c9
+╘           0x08048508      c3
 """
diff --git a/examples/CSCI-4968-MBE/challenges/crackme0x05/solve.py b/examples/CSCI-4968-MBE/challenges/crackme0x05/solve.py
@@ -8,27 +8,28 @@
 import angr
 
 def main():
-	proj = angr.Project('crackme0x05', load_options={"auto_load_libs": False}) 
+    proj = angr.Project('crackme0x05', load_options={"auto_load_libs": False})
 
-	def correct(path):
-		try:
-			return 'Password OK' in path.state.posix.dumps(1)
-		except:
-			return False
-	def wrong(path):
-	 	try:
-	 		return 'Password Incorrect' in path.state.posix.dumps(1)
-	 	except:
-	 		return False
+    def correct(state):
+        try:
+            return 'Password OK' in state.posix.dumps(1)
+        except:
+            return False
 
-	path_group = proj.factory.path_group()
-	path_group.explore(find=correct, avoid=wrong)
+    def wrong(state):
+        try:
+            return 'Password Incorrect' in state.posix.dumps(1)
+        except:
+            return False
 
-	print path_group.found[0].state.posix.dumps(1) 
-	return path_group.found[0].state.posix.dumps(0) # .lstrip('+0').rstrip('B')
+    sm = proj.factory.simgr()
+    sm.explore(find=correct, avoid=wrong)
+
+    print sm.found[0].posix.dumps(1)
+    return sm.found[0].posix.dumps(0) # .lstrip('+0').rstrip('B')
 
 def test():
-	assert main() == ''
+	assert main() == '79652222\x0091\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x00\x01\x00\x01\x00\x00\x01\x00\x00\x01\x01\x01\x00\x00\x01\x00\x00\x01\x01\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
 
 if __name__ == '__main__':
 	print(repr(main()))
@@ -63,9 +64,9 @@ def test():
 │           0x0804858d      890424         dword [esp] = eax
 │           0x08048590      e833ffffff     sym.check ()
 │           0x08048595      b800000000     eax = 0
-│           0x0804859a      c9             
-╘           0x0804859b      c3  
-[0x080483d0]> pdf @ sym.check 
+│           0x0804859a      c9
+╘           0x0804859b      c3
+[0x080483d0]> pdf @ sym.check
 ╒ (fcn) sym.check 120
 │           ; arg int arg_8h @ ebp+0x8
 │           ; arg int arg_10h @ ebp+0x10
@@ -83,7 +84,7 @@ def test():
 │       │   0x080484df      890424         dword [esp] = eax
 │       │   0x080484e2      e89dfeffff     sym.imp.strlen ()
 │       │   0x080484e7      3945f4         if (dword [ebp - local_ch] == eax ; [0x13:4]=256
-│      ┌──< 0x080484ea      7346           jae 0x8048532 
+│      ┌──< 0x080484ea      7346           jae 0x8048532
 │      ││   0x080484ec      8b45f4         eax = dword [ebp - local_ch]
 │      ││   0x080484ef      034508         eax += dword [ebp + arg_8h]
 │      ││   0x080484f2      0fb600         eax = byte [eax]
@@ -107,6 +108,6 @@ def test():
 │      │└─< 0x08048530      ebaa           goto 0x80484dc
 │      └──> 0x08048532      c70424798604.  dword [esp] = str.Password_Incorrect__n ; [0x8048679:4]=0x73736150 LEA str.Password_Incorrect__n ; "Password Incorrect!." @ 0x8048679
 │           0x08048539      e856feffff     sym.imp.printf ()
-│           0x0804853e      c9             
-╘           0x0804853f      c3 
+│           0x0804853e      c9
+╘           0x0804853f      c3
 """
diff --git a/examples/asisctffinals2015_license/solve.py b/examples/asisctffinals2015_license/solve.py
@@ -55,7 +55,7 @@ def main():
     # flag
     FAKE_ADDR = 0x100000
     strlen = lambda state, arguments: \
-        angr.SIM_PROCEDURES['libc.so.6']['strlen'](FAKE_ADDR, p.arch).execute(
+        angr.SIM_PROCEDURES['libc']['strlen'](p, FAKE_ADDR, p.arch).execute(
             state, arguments=arguments
         )
     flag_length = strlen(found, arguments=[flag_addr]).ret_expr