miasm
Reverse engineering framework
Classes | Functions | Variables
dse_crackme Namespace Reference

Classes

class  FinishOn
 
class  SymbolicFile
 

Functions

def xxx_fopen (jitter)
 
def xxx_fread (jitter)
 
def xxx_fclose (jitter)
 
def xxx_fopen_symb (dse)
 
def xxx_fread_symb (dse)
 
def xxx_fclose_symb (dse)
 
def xxx___libc_start_main_symb (dse)
 
def xxx_puts_symb (dse)
 

Variables

string is_win = "Windows"
 
int my_FILE_ptr = 0x11223344
 
 FInfo = namedtuple("FInfo", ["path", "fdesc"])
 
dictionary FILE_to_info = {}
 
 TEMP_FILE = NamedTemporaryFile(delete = False)
 
 parser = Sandbox_Linux_x86_64.parser(description="ELF sandboxer")
 
 help
 
 choices
 
 default
 
 options = parser.parse_args()
 
 mimic_env
 
 command_line
 
 loc_db = LocationDB()
 
 sb = Sandbox_Linux_x86_64(loc_db, options.filename, options, globals())
 
 do_stk_segm
 
 do_ds_segm
 
 do_str_segm
 
 do_all_segm
 
int FS_0_ADDR = 0x7ff70000
 
 FS
 
dictionary FILE_to_info_symb = {}
 
 FILE_stream = ExprId("FILE_0", 64)
 
 FILE_size = ExprId("FILE_0_size", 64)
 
 todo = set([b""])
 
 machine = Machine("x86_64")
 
dictionary strategy
 
 dse = DSEPathConstraint(machine, loc_db, produce_solution=strategy)
 
 z3_file_size = dse.z3_trans.from_expr(FILE_size)
 
 snapshot = dse.take_snapshot()
 Save the current clean state, before any computation of the FILE content. More...
 
bool found = False
 
 file_content = todo.pop()
 
 keep_known_solutions
 
dictionary finfo = FILE_to_info_symb[FILE_stream]
 
list out = []
 
 fsize
 
dictionary byteid = finfo.gen_bytes[index]
 
 crackme
 
 stdout = stdout.strip()
 
 stderr
 

Detailed Description

Example of DynamicSymbolicExecution engine use

This example should run on the compiled ELF x86 64bits version of
"dse_crackme.c"

Function Documentation

◆ xxx___libc_start_main_symb()

def dse_crackme.xxx___libc_start_main_symb (   dse)

◆ xxx_fclose()

def dse_crackme.xxx_fclose (   jitter) 
#include <stdio.h>

int fclose(FILE *stream);

◆ xxx_fclose_symb()

def dse_crackme.xxx_fclose_symb (   dse)

◆ xxx_fopen()

def dse_crackme.xxx_fopen (   jitter) 
#include <stdio.h>

FILE *fopen(const char *path, const char *mode);
Here is the call graph for this function:

◆ xxx_fopen_symb()

def dse_crackme.xxx_fopen_symb (   dse)
Here is the call graph for this function:

◆ xxx_fread()

def dse_crackme.xxx_fread (   jitter) 
#include <stdio.h>

size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);

◆ xxx_fread_symb()

def dse_crackme.xxx_fread_symb (   dse)

◆ xxx_puts_symb()

def dse_crackme.xxx_puts_symb (   dse)
Here is the call graph for this function:

Variable Documentation

◆ byteid

dictionary dse_crackme.byteid = finfo.gen_bytes[index]

◆ choices

dse_crackme.choices

◆ command_line

dse_crackme.command_line

◆ crackme

dse_crackme.crackme
Initial value:
1 = subprocess.Popen([options.filename, TEMP_FILE.name],
2  stdout=subprocess.PIPE,
3  stderr=subprocess.PIPE)

◆ default

dse_crackme.default

◆ do_all_segm

dse_crackme.do_all_segm

◆ do_ds_segm

dse_crackme.do_ds_segm

◆ do_stk_segm

dse_crackme.do_stk_segm

◆ do_str_segm

dse_crackme.do_str_segm

◆ dse

dse_crackme.dse = DSEPathConstraint(machine, loc_db, produce_solution=strategy)

◆ file_content

dse_crackme.file_content = todo.pop()

◆ FILE_size

dse_crackme.FILE_size = ExprId("FILE_0_size", 64)

◆ FILE_stream

dse_crackme.FILE_stream = ExprId("FILE_0", 64)

◆ FILE_to_info

dictionary dse_crackme.FILE_to_info = {}

◆ FILE_to_info_symb

dictionary dse_crackme.FILE_to_info_symb = {}

◆ FInfo

dse_crackme.FInfo = namedtuple("FInfo", ["path", "fdesc"])

◆ finfo

dictionary dse_crackme.finfo = FILE_to_info_symb[FILE_stream]

◆ found

bool dse_crackme.found = False

◆ FS

dse_crackme.FS

◆ FS_0_ADDR

int dse_crackme.FS_0_ADDR = 0x7ff70000

◆ fsize

dse_crackme.fsize
Initial value:
1 = max(model.eval(dse.z3_trans.from_expr(FILE_size)).as_long(),
2  len(finfo.gen_bytes))

◆ help

dse_crackme.help

◆ is_win

string dse_crackme.is_win = "Windows"

◆ keep_known_solutions

dse_crackme.keep_known_solutions

◆ loc_db

dse_crackme.loc_db = LocationDB()

◆ machine

dse_crackme.machine = Machine("x86_64")

◆ mimic_env

dse_crackme.mimic_env

◆ my_FILE_ptr

int dse_crackme.my_FILE_ptr = 0x11223344

◆ options

dse_crackme.options = parser.parse_args()

◆ out

list dse_crackme.out = []

◆ parser

dse_crackme.parser = Sandbox_Linux_x86_64.parser(description="ELF sandboxer")

◆ sb

dse_crackme.sb = Sandbox_Linux_x86_64(loc_db, options.filename, options, globals())

◆ snapshot

dse_crackme.snapshot = dse.take_snapshot()

Save the current clean state, before any computation of the FILE content.

◆ stderr

dse_crackme.stderr

◆ stdout

dse_crackme.stdout = stdout.strip()

◆ strategy

dictionary dse_crackme.strategy
Initial value:
1 = {
2  "code-cov": DSEPathConstraint.PRODUCE_SOLUTION_CODE_COV,
3  "branch-cov": DSEPathConstraint.PRODUCE_SOLUTION_BRANCH_COV,
4  "path-cov": DSEPathConstraint.PRODUCE_SOLUTION_PATH_COV,
5 }[options.strategy]

◆ TEMP_FILE

dse_crackme.TEMP_FILE = NamedTemporaryFile(delete = False)

◆ todo

dse_crackme.todo = set([b""])

◆ z3_file_size

dse_crackme.z3_file_size = dse.z3_trans.from_expr(FILE_size)