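def state_blank(self, flag_page=None, allocate_stack_page_count=0x100, **kwargs):
    """
    Build a blank CGC state: a mapped flag page, a pre-grown stack and the
    ``cgc`` / ``unicorn`` / ``libc`` plugin limits the CGC runtime expects.

    :param flag_page: Flag page content. ``None`` gives a fully symbolic page
                      (one 8-bit BVS per byte, 0x1000 bytes); ``bytes`` (or
                      ``bytearray``) is converted to one concrete BV8 per byte;
                      a list of BV8s is used as given.
    :param allocate_stack_page_count: Number of pages to pre-allocate for stack
    :param kwargs: Forwarded to the parent ``state_blank``. ``stack_end`` and
                   ``stack_size`` default to the CGC ABI values when absent or
                   ``None``; ``cgc_max_recv_size`` (default 0) is read here and
                   also forwarded.
    :return: The new state.
    :raises ValueError: If ``flag_page`` is neither None, bytes nor a list.
    """
    # default stack as specified in the cgc abi (an explicit None counts as "not given")
    if kwargs.get("stack_end") is None:
        kwargs["stack_end"] = 0xBAAAB000
    if kwargs.get("stack_size") is None:
        kwargs["stack_size"] = 1024 * 1024 * 8

    s = super().state_blank(**kwargs)  # pylint:disable=invalid-name

    # pre-grow the stack. unsure if this is strictly required or just a hack around a compiler bug
    if hasattr(s.memory, "allocate_stack_pages"):
        s.memory.allocate_stack_pages(kwargs["stack_end"] - 1, allocate_stack_page_count * 0x1000)

    # Map the flag page: one 4 KiB page at the fixed CGC address. The permission
    # argument is 1 -- presumably read-only; confirm against map_region.
    flag_page_addr = 0x4347C000
    if o.ABSTRACT_MEMORY not in s.options:
        s.memory.map_region(flag_page_addr, 4096, 1)

    # Create the CGC plugin
    s.get_plugin("cgc")

    # Set maximum bytes a single receive syscall should read
    s.cgc.max_receive_size = kwargs.get("cgc_max_recv_size", 0)

    # Set up the flag page. isinstance (rather than an exact type test) also
    # accepts bytearray and list subclasses; str is still rejected below.
    if flag_page is None:
        # Fully symbolic page: one named BVS per byte (key=("flag", i), eternal=True).
        flag_page = [s.solver.BVS("cgc-flag-byte-%d" % i, 8, key=("flag", i), eternal=True) for i in range(0x1000)]
    elif isinstance(flag_page, (bytes, bytearray)):
        flag_page = [s.solver.BVV(c, 8) for c in flag_page]
    elif isinstance(flag_page, list):
        pass  # already a list of BV8s, used as given
    else:
        raise ValueError("Bad flag page: expected None, bytestring, or list, but got %s" % type(flag_page))

    # NOTE(review): no length check -- a page shorter or longer than 0x1000 bytes
    # is stored as-is; confirm every caller passes exactly one page.
    s.cgc.flag_bytes = flag_page

    if s.mode != "static":
        s.memory.store(flag_page_addr, claripy.Concat(*s.cgc.flag_bytes), priv=True)

    # set up the address for concrete transmits and receive
    s.unicorn.cgc_transmit_addr = self.syscall_from_number(2).addr
    s.unicorn.cgc_receive_addr = self.syscall_from_number(3).addr
    s.unicorn.cgc_random_addr = self.syscall_from_number(7).addr

    # libc SimProcedure limits for this state
    s.libc.max_str_len = 1000000
    s.libc.max_strtol_len = 10
    s.libc.max_memcpy_size = 0x100000
    s.libc.max_buffer_size = 0x100000

    return s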
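def state_entry(self, add_options=None, **kwargs):
    """
    Build the entry state for a CGC binary.

    ``ZERO_FILL_UNCONSTRAINED_MEMORY`` is always added to the state options.
    For a ``BackedCGC`` main object the loader's permission map is passed to
    the parent as ``permissions_backer``, the cgc plugin's allocation base is
    taken from the loader, and one symbolic write per entry of
    ``writes_backer`` is replayed on fd 1 (recorded as a SimActionData). For
    any other main object the x86 general-purpose, flag, FPU, SSE and segment
    registers are set to the fixed CGC entry values instead.

    :param add_options: Extra state options; copied, not modified in place.
    :param kwargs: Forwarded to the parent ``state_entry``.
    :return: The entry state.
    """
    main_object = self.project.loader.main_object
    backed = isinstance(main_object, BackedCGC)

    if backed:
        kwargs["permissions_backer"] = (True, main_object.permissions_map)

    # Work on a copy so the caller's set is not mutated as a side effect;
    # any iterable of options is accepted.
    options = set() if add_options is None else set(add_options)
    options.add(o.ZERO_FILL_UNCONSTRAINED_MEMORY)

    state = super().state_entry(add_options=options, **kwargs)

    if backed:
        # Update allocation base
        state.cgc.allocation_base = main_object.current_allocation_base

        # Do all the writes: each recorded size becomes one symbolic chunk on stdout
        stdout = state.posix.get_fd(1)
        pos = 0
        for size in main_object.writes_backer:
            if size == 0:
                continue
            str_to_write = state.solver.BVS("file_write", size * 8)
            a = SimActionData(
                state,
                "file_1_0",
                "write",
                addr=claripy.BVV(pos, state.arch.bits),
                data=str_to_write,
                size=size,
            )
            stdout.write_data(str_to_write)
            state.history.add_action(a)
            pos += size
    else:
        # Set CGC-specific variables: the non-zero ones explicitly, the rest zeroed.
        state.regs.ecx = 0x4347C000  # flag page address (the page state_blank maps)
        state.regs.esp = 0xBAAAAFFC  # just below the CGC ABI stack_end of 0xBAAAB000
        state.regs.cc_dep1 = 0x202  # default eflags
        state.regs.cc_op = 0  # OP_COPY
        state.regs.fc3210 = 0x0300
        zeroed = (
            # general-purpose registers
            "eax", "ebx", "edx", "edi", "esi", "ebp",
            # remaining condition-code fields (don't matter under OP_COPY)
            "cc_dep2", "cc_ndep",
            # fpu values
            "mm0", "mm1", "mm2", "mm3", "mm4", "mm5", "mm6", "mm7",
            "fpu_tags", "fpround", "ftop",
            # sse values
            "sseround",
            "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
            # segmentation registers
            "ds", "es", "fs", "gs", "ss", "cs",
        )
        for reg in zeroed:
            setattr(state.regs, reg, 0)

    return state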