add value ref to cli, small changes

aemmitt-ns · aemmitt-ns · commit be8ac094afba · 2022-07-16T02:53:48.000-04:00
diff --git a/README.md b/README.md
@@ -39,7 +39,7 @@ fn main() {
     let mut state = radius.call_state(0x004006fd);
     let addr: u64 = 0x100000;
     let flag_val = state.symbolic_value("flag", 12*8);
-    state.memory.write_value(addr, &flag_val, 12);
+    state.memory_write_value(addr, &flag_val, 12);
     state.registers.set("rdi", state.concrete_value(addr, 64));
 
     radius.breakpoint(0x004007a1);
diff --git a/examples/babyre/src/main.rs b/examples/babyre/src/main.rs
@@ -1,5 +1,6 @@
 use radius2::state::State;
 use radius2::value::Value;
+use radius2::sims::Sim;
 use radius2::{Radius, RadiusOption};
 
 // simulates the scanf("%d", dst) calls with sym inputs
@@ -24,7 +25,11 @@ fn main() {
     let scanf = radius.get_address("sym.imp.__isoc99_scanf").unwrap();
 
     // register the custom sim
-    radius.simulate(scanf, scanf_sim);
+    radius.simulate(scanf, Sim{
+        symbol: "scanf".to_owned(),
+        function: scanf_sim,
+        arguments: 2 
+    });
 
     let state = radius.call_state(main); // start at main
     let new_state = radius.run_until(state, 0x004028e9, &[0x00402941]).unwrap();
diff --git a/radius/src/main.rs b/radius/src/main.rs
@@ -585,17 +585,25 @@ fn main() {
     for i in 0..matches.occurrences_of("set") as usize {
         // easiest way to interpret the stuff is just to use
         let ind = 3 * i;
-        let length: u32 = sets[ind + 2].parse().unwrap();
+        let mut length: u32 = sets[ind + 2].parse().unwrap();
 
-        let lit = radius.processor.get_literal(sets[ind + 1]);
-        let value = if let Some(Word::Literal(val)) = lit {
+        let mut is_ref = false;
+        let valstr = if sets[ind + 1][0..1].to_owned() == "&" {
+            is_ref = true;
+            &sets[ind + 1][1..]
+        } else {
+            &sets[ind + 1][0..]
+        };
+
+        let lit = radius.processor.get_literal(valstr);
+        let mut value = if let Some(Word::Literal(val)) = lit {
             val
-        } else if let Some(bv) = symbol_map.get(sets[ind + 1]) {
+        } else if let Some(bv) = symbol_map.get(valstr) {
             Value::Symbolic(bv.slice(length - 1, 0), 0)
         } else {
             // this is a real workaround of the system
             // i need a better place for these kinds of utils
-            let bytes = sets[ind + 1].as_bytes();
+            let bytes = valstr.as_bytes();
             let bv = BV::from_hex_str(
                 state.solver.btor.clone(),
                 hex_encode(bytes).as_str(),
@@ -605,6 +613,13 @@ fn main() {
             Value::Symbolic(bv, 0)
         };
 
+        if is_ref {
+            let addr = state.memory_alloc(&Value::Concrete(length as u64/8, 0));
+            state.memory_write_value(&addr, &value, length as usize/8);
+            value = addr;
+            length = state.memory.bits as u32;
+        }
+
         let lit = radius.processor.get_literal(sets[ind]);
         if let Some(Word::Literal(address)) = lit {
             state.memory_write_value(&address, &value, (length / 8) as usize);
diff --git a/radius/src/memory.rs b/radius/src/memory.rs
@@ -490,7 +490,7 @@ impl Memory {
         if length == 0 {
             return;
         }
-        //let make_sym = self.blank && !self.check_permission(addr, length as u64, 'i');
+        let make_sym = self.blank && !self.check_permission(addr, length as u64, 'i');
         
         let size = READ_CACHE as u64;
         let mask = -1i64 as u64 ^ (size - 1);
@@ -504,6 +504,13 @@ impl Memory {
 
             let mem = if let Some(m) = self.mem.get(&caddr) {
                 m
+            } else if make_sym {
+                let mut vals = Vec::with_capacity(READ_CACHE);
+                for i in 0..size {
+                    let sym_name = format!("mem_{:08x}", caddr+i);
+                    vals.push(Value::Symbolic(self.solver.bv(&sym_name, 8), 0));
+                }
+                self.mem.entry(caddr).or_insert(vals) 
             } else {
                 let bytes = self.r2api.read(caddr, READ_CACHE).unwrap();
                 let vals = bytes.iter().map(|b| Value::Concrete(*b as u64, 0)).collect();
diff --git a/radius/src/processor.rs b/radius/src/processor.rs
@@ -9,7 +9,7 @@ use crate::state::{
 };
 
 use crate::sims::syscall::syscall;
-use crate::sims::SimMethod;
+use crate::sims::{Sim, SimMethod};
 
 use std::collections::BinaryHeap;
 use std::mem;
@@ -47,7 +47,7 @@ pub struct Processor {
     pub instructions: BTreeMap<u64, InstructionEntry>,
     pub hooks: HashMap<u64, Vec<HookMethod>>,
     pub esil_hooks: HashMap<u64, Vec<String>>,
-    pub sims: HashMap<u64, SimMethod>,
+    pub sims: HashMap<u64, Sim>,
     pub traps: HashMap<u64, SimMethod>,
     pub interrupts: HashMap<u64, SimMethod>,
     pub syscalls: HashMap<u64, Syscall>,
@@ -206,9 +206,8 @@ impl Processor {
 
     /// print instruction if debug output is enabled
     pub fn print_instr(&self, state: &mut State, instr: &Instruction) {
-        if self.sims.contains_key(&instr.offset) {
-            let flag = state.r2api.cmd(&format!("fd @ {}", instr.offset)).unwrap_or_default();
-            println!("\n0x{:08x}      ( {} )\n", instr.offset, "simulated ".to_owned() + &flag.trim());
+        if let Some(sim) = self.sims.get(&instr.offset) {
+            println!("\n0x{:08x}      ( {} )\n", instr.offset, "simulated ".to_owned() + &sim.symbol);
         } else if !self.color {
             println!(
                 "0x{:08x}      {:<40} |  {}",
@@ -584,7 +583,7 @@ impl Processor {
                 let cc = state.r2api.get_cc(pc).unwrap_or_default();
                 let args = self.get_args(state, &cc);
 
-                let ret = sim(state, &args);
+                let ret = (sim.function)(state, &args);
                 state.registers.set_with_alias(cc.ret.as_str(), ret);
 
                 // don't ret if sim changes the PC value
diff --git a/radius/src/r2_api.rs b/radius/src/r2_api.rs
@@ -902,6 +902,17 @@ impl R2Api {
         self.cmd(format!("e {}={}", key, value).as_str())
     }
 
+    // is.j returns a weird format
+    pub fn get_symbol(&mut self, addr: u64) -> R2Result<Symbol> {
+        let json = self.cmd(&format!("is.j @ {}", addr))?;
+        let result: Option<HashMap<String, Symbol>> = serde_json::from_str(json.as_str()).ok();
+        if let Some(mut symmap) = result {
+            Ok(symmap.remove("symbols").unwrap())
+        } else {
+            Err("symbol not found".to_owned())
+        }
+    }
+
     pub fn get_symbols(&mut self) -> R2Result<Vec<Symbol>> {
         let json = self.cmd("isj")?;
         r2_result(serde_json::from_str(json.as_str()))
diff --git a/radius/src/radius.rs b/radius/src/radius.rs
@@ -3,7 +3,7 @@ use crate::r2_api::{BasicBlock, FunctionInfo, Information, Instruction, R2Api, R
 use crate::state::State;
 //use crate::value::Value;
 use crate::sims::syscall::indirect;
-use crate::sims::{get_sims, zero, SimMethod};
+use crate::sims::{get_sims, zero, SimMethod, Sim};
 use crate::value::{vc, Value};
 
 // use std::collections::VecDeque;
@@ -409,14 +409,18 @@ impl Radius {
             for sim in &sims {
                 let addropt = symmap.remove(&sim.symbol);
                 if let Some(addr) = addropt {
-                    processor.sims.insert(addr, sim.function);
+                    processor.sims.insert(addr, sim.to_owned());
                 }
             }
 
             if sim_all {
-                for addr in symmap.values() {
-                    // we are gonna go with unconstrained by default
-                    processor.sims.insert(*addr, zero);
+                for name in symmap.keys() {
+                    // we are gonna go with zero by default
+                    processor.sims.insert(symmap[name], Sim {
+                        symbol: name.to_owned(),
+                        function: zero,
+                        arguments: 0,
+                    });
                 }
             }
         }
@@ -431,7 +435,7 @@ impl Radius {
     }
 
     /// Register a `SimMethod` for the provided function address
-    pub fn simulate(&mut self, addr: u64, sim: SimMethod) {
+    pub fn simulate(&mut self, addr: u64, sim: Sim) {
         self.processor.sims.insert(addr, sim);
     }
 
diff --git a/radius/src/sims/mod.rs b/radius/src/sims/mod.rs
@@ -8,6 +8,7 @@ pub mod syscall;
 
 pub type SimMethod = fn(&mut State, &[Value]) -> Value;
 
+#[derive(Clone)]
 pub struct Sim {
     pub symbol: String,
     pub function: SimMethod,
diff --git a/radius/src/solver.rs b/radius/src/solver.rs
@@ -124,6 +124,15 @@ impl Solver {
                 }
             }
         } else {
+            // add exception for if(c, y, y) for concrete y
+            if let Some(x) = if_val.as_u64() {
+                if let Some(y) = else_val.as_u64() {
+                    if x == y {
+                        return Value::Concrete(if_val.as_u64().unwrap(), 
+                            if_val.get_taint() | else_val.get_taint());
+                    }
+                }
+            }
             max_bit = 64;
         }
 
diff --git a/radius/src/state.rs b/radius/src/state.rs
@@ -696,21 +696,18 @@ impl State {
             }
         }
 
-        let mut addrs = self.memory.addresses();
-        addrs.sort_unstable();
-
-        let mut chunk: Vec<u8> = Vec::with_capacity(256);
-        for (i, addr) in addrs.iter().enumerate() {
-            let bval = self.memory.read_value(*addr, 1);
-            let b = self.solver.evalcon_to_u64(&bval).unwrap() as u8;
-            chunk.push(b);
-
-            if chunk.len() > 255 || i >= addrs.len() - 1 || addrs[i + 1] != addrs[i] + 1 {
-                self.r2api
-                    .write(1 + addr - chunk.len() as u64, chunk.clone());
-                chunk.clear();
-            }
+        let mut bvals = vec![Value::Concrete(0, 0); READ_CACHE];
+        for addr in self.memory.addresses() {
+            self.memory.read(addr, READ_CACHE, &mut bvals);
+            let bytes: Vec<u8> = bvals
+                .iter()
+                .map(|bval| self.solver.evalcon_to_u64(&bval).unwrap() as u8)
+                .collect();
+
+            self.r2api.write(addr, bytes.clone());
         }
+
+        // TODO: evaluate files and write to real FS? maybe a bad idea
     }
 
     /// merges the argument state into self

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ use crate::r2_api::{BasicBlock, FunctionInfo, Information, Instruction, R2Api, R`
`3`	`3`	`use crate::state::State;`
`4`	`4`	`//use crate::value::Value;`
`5`	`5`	`use crate::sims::syscall::indirect;`
`6`		`-use crate::sims::{get_sims, zero, SimMethod};`
	`6`	`+use crate::sims::{get_sims, zero, SimMethod, Sim};`
`7`	`7`	`use crate::value::{vc, Value};`
`8`	`8`
`9`	`9`	`// use std::collections::VecDeque;`
`@@ -409,14 +409,18 @@ impl Radius {`
`409`	`409`	`for sim in &sims {`
`410`	`410`	`let addropt = symmap.remove(&sim.symbol);`
`411`	`411`	`if let Some(addr) = addropt {`
`412`		`- processor.sims.insert(addr, sim.function);`
	`412`	`+ processor.sims.insert(addr, sim.to_owned());`
`413`	`413`	`}`
`414`	`414`	`}`
`415`	`415`
`416`	`416`	`if sim_all {`
`417`		`- for addr in symmap.values() {`
`418`		`- // we are gonna go with unconstrained by default`
`419`		`- processor.sims.insert(*addr, zero);`
	`417`	`+ for name in symmap.keys() {`
	`418`	`+ // we are gonna go with zero by default`
	`419`	`+ processor.sims.insert(symmap[name], Sim {`
	`420`	`+ symbol: name.to_owned(),`
	`421`	`+ function: zero,`
	`422`	`+ arguments: 0,`
	`423`	`+ });`
`420`	`424`	`}`
`421`	`425`	`}`
`422`	`426`	`}`
`@@ -431,7 +435,7 @@ impl Radius {`
`431`	`435`	`}`
`432`	`436`
`433`	`437`	/// Register a `SimMethod` for the provided function address
`434`		`- pub fn simulate(&mut self, addr: u64, sim: SimMethod) {`
	`438`	`+ pub fn simulate(&mut self, addr: u64, sim: Sim) {`
`435`	`439`	`self.processor.sims.insert(addr, sim);`
`436`	`440`	`}`
`437`	`441`
Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,15 @@ impl Solver {`
`124`	`124`	`}`
`125`	`125`	`}`
`126`	`126`	`} else {`
	`127`	`+ // add exception for if(c, y, y) for concrete y`
	`128`	`+ if let Some(x) = if_val.as_u64() {`
	`129`	`+ if let Some(y) = else_val.as_u64() {`
	`130`	`+ if x == y {`
	`131`	`+ return Value::Concrete(if_val.as_u64().unwrap(),`
	`132`	`+ if_val.get_taint() \| else_val.get_taint());`
	`133`	`+ }`
	`134`	`+ }`
	`135`	`+ }`
`127`	`136`	`max_bit = 64;`
`128`	`137`	`}`
`129`	`138`