New API for other example scripts.

examples/0ctf_momo_3/solve.py

@@ -13,7 +13,7 @@
 import sys
 import string
 import angr
-from angr.lifter import CapstoneInsn, CapstoneBlock
+from angr.block import CapstoneInsn, CapstoneBlock
 
 
 ins_char = 0x81fe6e0
@@ -70,8 +70,7 @@ def main():
             state = p.factory.entry_state()
             state.posix.files[0].content.store(0, flag + "\n")
 
-            path = p.factory.path(state=state)
-            e = p.surveyors.Explorer(start=path, find=(target,))
+            e = p.surveyors.Explorer(start=state, find=(target,))
             e.run()
 
             assert len(e.found) == 1
@@ -81,11 +80,11 @@ def main():
                 nb_size = target - np.addr
                 if nb_size <= 0:
                     break
-                np = np.step(max_size=nb_size)[0]
+                np = p.factory.successors(np, size=nb_size).flat_successors[0]
             assert nb_size == 0
 
-            al = np.state.regs.eax[7:0]
-            dl = np.state.regs.edx[7:0]
+            al = np.regs.eax[7:0]
+            dl = np.regs.edx[7:0]
             al_val = al._model_concrete.value
             dl_val = dl._model_concrete.value
 

examples/9447_nobranch/solve.py

@@ -31,33 +31,31 @@ def main():
     state.regs.rsi = state.regs.rsp + 64                                                            # set argv = args
     state.regs.rdx = state.regs.rsp + 80                                                            # set envp = empty list
 
-    path = p.factory.path(state)
     i = 0
-    while path.jumpkind == 'Ijk_Boring':                                                            # symbolically execute until we hit the syscall at the end
+    while state.history.jumpkind == 'Ijk_Boring':                                                   # symbolically execute until we hit the syscall at the end
         i += 1
         print i
-        path.step(num_inst=1)                                                                       # only step one instruction at a time
-        opath = path
-        path = path.successors[0]
+        ss = p.factory.successors(state, num_inst=1)                                                # only step one instruction at a time
+        state = ss.successors[0]
         reg_names = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi', 'rbp', 'rsp', 'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']
 
-        assert not path.state.regs.rsp.symbolic
+        assert not state.regs.rsp.symbolic
 
         for reg_name in reg_names:                                                                  # for each register and memory location that matters in the program,
-            val = path.state.registers.load(reg_name)                                               # after each step, if the symbolic AST for that value has become larger than
+            val = state.registers.load(reg_name)                                               # after each step, if the symbolic AST for that value has become larger than
             if val.symbolic and val.depth > 3:                                                      # three nodes deep, stub it out by replacing it with a single symbolic value
                 newval = claripy.BVS('replacement', len(val))                                       # constrained to be equal to the original value. This makes the constraints much
-                path.state.se.add(newval == val)                                                    # easier for z3 to bite into in smaller chunks. It might also indicate that there
-                path.state.registers.store(reg_name, newval)                                        # some issues with angr's current usage of z3 :-)
+                state.se.add(newval == val)                                                    # easier for z3 to bite into in smaller chunks. It might also indicate that there
+                state.registers.store(reg_name, newval)                                        # some issues with angr's current usage of z3 :-)
 
-        for mem_addr in range(outaddr, outaddr + 0x1f) + [path.state.regs.rsp - x for x in xrange(0x40)]:
-            val = path.state.memory.load(mem_addr, 1)
+        for mem_addr in range(outaddr, outaddr + 0x1f) + [state.regs.rsp - x for x in xrange(0x40)]:
+            val = state.memory.load(mem_addr, 1)
             if val.symbolic and val.depth > 3:
                 newval = claripy.BVS('replacement', len(val))
-                path.state.se.add(newval == val)
-                path.state.memory.store(mem_addr, newval)
+                state.se.add(newval == val)
+                state.memory.store(mem_addr, newval)
 
-    fstate = path.state.copy()
+    fstate = state.copy()
     fstate.se._solver.timeout = 0xfffffff                                                           # turn off z3's timeout for solving :^)
     for i, c in enumerate(shouldbe):
         fstate.se.add(fstate.memory.load(0x616050 + i, 1) == ord(c))                                # constrain the output to what we were told it should be

examples/codegate_2017-angrybird/solve.py

@@ -10,19 +10,18 @@
 FIND_ADDR = 0x404fc1  # This is shortly after the printf.
 
 def main():
-	proj = angr.Project('angrybird', load_options={"auto_load_libs": False}) 
+	proj = angr.Project('angrybird', load_options={"auto_load_libs": False})
 	# There's a couple anti-run instructions in this binary.
 	# Yes, anti-run. That's not a typo.
 
 	# Because I'm not interested in fixing a weird binary, I'm going to skip all the beginning of the program.
 	state = proj.factory.entry_state(addr=START_ADDR)
 
-	path = proj.factory.path(state)  # Set up the first path.
-	path_group = proj.factory.path_group(path)  # Create the path group.
+	sm = proj.factory.simgr(state)  # Create the SimulationManager.
 
-	path_group.explore(find=FIND_ADDR)  # This will take a couple minutes. Ignore the warning message(s), it's fine.
-	found = path_group.found[-1]
-	stdin = found.state.posix.dumps(0)
+	sm.explore(find=FIND_ADDR)  # This will take a couple minutes. Ignore the warning message(s), it's fine.
+	found = sm.found[-1]
+	stdin = found.posix.dumps(0)
 
 	# This trims off anything that's not printable.
 	flag = filter(lambda x: x in string.printable, stdin).split()[0]

examples/csaw_wyvern/solve.py

@@ -1,7 +1,6 @@
 #!/usr/bin/env python
 # coding: utf-8
 import angr
-import simuvex
 
 def main():
     # Load the binary. This is a 64-bit C++ binary, pretty heavily obfuscated.
@@ -11,7 +10,7 @@ def main():
     # Because we're going to have to step deep into the C++ standard libraries
     # for this to work, we need to run everyone's initializers. The full_init_state
     # will do that. In order to do this peformantly, we will use the unicorn engine!
-    st = p.factory.full_init_state(args=['./wyvern'], add_options=simuvex.o.unicorn)
+    st = p.factory.full_init_state(args=['./wyvern'], add_options=angr.sim_options.unicorn)
 
     # It's reasonably easy to tell from looking at the program in IDA that the key will
     # be 29 bytes long, and the last byte is a newline.
@@ -30,15 +29,15 @@ def main():
     st.posix.files[0].seek(0)
     st.posix.files[0].length = 29
 
-    # Construct a path group to perform symbolic execution.
+    # Construct a SimulationManager to perform symbolic execution.
     # Step until there is nothing left to be stepped.
-    pg = p.factory.path_group(st)
-    pg.run()
+    sm = p.factory.simgr(st)
+    sm.run()
 
     # Get the stdout of every path that reached an exit syscall. The flag should be in one of these!
     out = ''
-    for pp in pg.deadended:
-        out = pp.state.posix.dumps(1)
+    for pp in sm.deadended:
+        out = pp.posix.dumps(1)
         if 'flag{' in out:
             return filter(lambda s: 'flag{' in s, out.split())[0]
 

examples/simple_heap_overflow/solve.py

@@ -36,7 +36,6 @@ def main():
     # Out[9]: <PathGroup with 1 deadended, 1 unconstrained>
 
     # Make a copy of the state to play with
-    import ipdb; ipdb.set_trace()
     s = sm.unconstrained[0].copy()
 
     # Now we can simply tell angr to set the instruction pointer to point at the

test.py

@@ -115,25 +115,44 @@ def test_simple_heap_overflow(): exampletest_single('simple_heap_overflow')
         tester(arg)
 
 #   exampletest_single('0ctf_trace')
+#   exampletest_single('0ctf_momo_3')
+#   exampletest_single('9447_nobranch')
 #   exampletest_single('ais3_crackme')
 #   exampletest_single('android_arm_license_validation')
 #   exampletest_single('asisctffinals2015_fake')
 #   exampletest_single('asisctffinals2015_license')
 #   exampletest_single('CADET_00001')
 #   exampletest_single('cmu_binary_bomb')
+    exampletest_single('codegate_2017-angrybird')
+    exampletest_single('csaw_wyvern')
+    exampletest_single('CSCI-4968-MBE')
 #   exampletest_single('defcamp_r100')
+    exampletest_single('defcamp_r200')
+    exampletest_single('defcon2016quals_baby-re_0')
+#   exampletest_single('defcon2016quals_baby-re_1')
+    exampletest_single('defcon2016quals_crackme2000')
 #   exampletest_single('ekopartyctf2015_rev100')
 #   exampletest_single('ekopartyctf2016_rev250')
+    exampletest_single('ekopartyctf2016_sokohashv2')
 #   exampletest_single('fauxware')
 #   exampletest_single('flareon2015_10')
 #   exampletest_single('flareon2015_2')
+    exampletest_single('flareon2015_5')
 #   exampletest_single('google2016_unbreakable_0')
 #   exampletest_single('google2016_unbreakable_1')
 #   exampletest_single('grub')
+    exampletest_single('hackcon2016_angry-reverser')
+    exampletest_single('insomnihack_aeg')
+    exampletest_single('layer7_onlyone')
 #   exampletest_single('mma_howtouse')
+    exampletest_single('mma_simplehash')
+    exampletest_single('secconquals2016_ropsynth')
+    exampletest_single('secuinside2016mbrainfuzz')
 #   exampletest_single('securityfest_fairlight')
+    exampletest_single('sherif7')
+#   exampletest_single('simple_heap_overflow')
 #   exampletest_single('strcpy_find')
+    exampletest_single('sym-write')
+    exampletest_single('tumctf2016_zwiebel')
 #   exampletest_single('whitehat_crypto400')
 #   exampletest_single('whitehatvn2015_re400')
-#   exampletest_single('defcon2016quals_baby-re_1')
-#   exampletest_single('simple_heap_overflow')