Я изучаю фреймворк Angr, чтобы помочь мне решить очень простое приложение для Android.
Я хочу попробовать новую возможность Angr по поддержке приложений Java и Android.Вот код приложения Android.Я бы хотел, чтобы angr помог мне найти правильное значение варианта 'str', и приводит метод 'checkStr ()', возвращающий True.Я попытался написать решатель, который перехватывает метод 'getStr' и позволяет ему просто возвращать символическую строку.
Код приложения Android:
public class MainActivity extends AppCompatActivity {
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
checkStr();
}
private boolean checkStr(){
String str = getStr(3);
if (str.equals("88"))
return true;
else
return false;
}
private String getStr(int f){
int a = 7;
int b = 8;
int c = a + b + f;
return String.valueOf(c);
}
}
Мой решатель:
import os
import angr
import claripy
from angr.procedures.java import JavaSimProcedure
from angr.engines.soot.values import SimSootValue_StringRef
from archinfo.arch_soot import SootArgument, SootMethodDescriptor, SootAddressDescriptor
class Custom_getStr(JavaSimProcedure):
__provides__=(
("com.example.ecular.myapplication.MainActivity", "getStr(int)"),
)
def run(self, this_ref, param_int):
bvs = claripy.BVS("retStr", 8 * 2)
return SimSootValue_StringRef.new_string(self.state, bvs)
def test():
sdk_path = os.path.join(os.path.expanduser("~"), "Android/Sdk/platforms/")
loading_opts = {
'android_sdk':sdk_path,
'entry_point':'com.example.ecular.myapplication.MainActivity.onCreate',
'entry_point_params':('android.os.Bundle',)
}
project = angr.Project("app-debug.apk", main_opts=loading_opts)
#Hook
project.hook(SootMethodDescriptor(class_name="com.example.ecular.myapplication.MainActivity", name="getStr", params=('int',)).address(), Custom_getStr())
methods = project.loader.main_object.classes['com.example.ecular.myapplication.MainActivity'].methods
chkMethod = [m for m in methods if m.name == "checkStr"][0]
methodEntry = SootMethodDescriptor.from_soot_method(chkMethod).address()
entry = project.factory.blank_state(addr = methodEntry)
simgr = project.factory.simgr(entry)
simgr.run()
if __name__ == "__main__":
import logging
logging.getLogger("angr.engines.soot.engine").setLevel("DEBUG")
logging.getLogger('cle.backends.soot').setLevel('DEBUG')
logging.getLogger('cle.backends.apk').setLevel('DEBUG')
logging.getLogger("angr").setLevel("INFO")
test()
Я ожидаю, что angr может помочь мне решить, что возвращаемое значение 'getStr ()' равно 88, что если я хочу, чтобы checkStr () возвращало True.Но я получил исключение, когда запустил свой решатель:
Traceback (most recent call last):
File "solver_str.py", line 44, in <module>
test()
File "solver_str.py", line 36, in test
simgr.run()
File "/home/ecular/forWork/angr/angr-dev/angr/angr/sim_manager.py", line 260, in run
self.step(stash=stash, **kwargs)
File "/home/ecular/forWork/angr/angr-dev/angr/angr/sim_manager.py", line 344, in step
successors = self.step_state(state, successor_func=successor_func, **run_args)
File "/home/ecular/forWork/angr/angr-dev/angr/angr/sim_manager.py", line 382, in step_state
successors = self.successors(state, successor_func=successor_func, **run_args)
File "/home/ecular/forWork/angr/angr-dev/angr/angr/sim_manager.py", line 421, in successors
return self._project.factory.successors(state, **run_args)
File "/home/ecular/forWork/angr/angr-dev/angr/angr/factory.py", line 54, in successors
return self.project.engines.successors(*args, **kwargs)
File "/home/ecular/forWork/angr/angr-dev/angr/angr/engines/hub.py", line 128, in successors
r = engine.process(state, **kwargs)
File "/home/ecular/forWork/angr/angr-dev/angr/angr/engines/engine.py", line 60, in process
self._process(new_state, successors, *args, **kwargs)
File "/home/ecular/forWork/angr/angr-dev/angr/angr/engines/soot/engine.py", line 115, in _process
self._handle_block(state, successors, block, starting_stmt_idx, method)
File "/home/ecular/forWork/angr/angr-dev/angr/angr/engines/soot/engine.py", line 123, in _handle_block
terminate = self._handle_statement(state, successors, stmt_idx, stmt)
File "/home/ecular/forWork/angr/angr-dev/angr/angr/engines/soot/engine.py", line 182, in _handle_statement
successors.add_successor(state.copy(), target, condition, 'Ijk_Boring')
File "/home/ecular/forWork/angr/angr-dev/angr/angr/engines/successors.py", line 125, in add_successor
self._categorize_successor(state)
File "/home/ecular/forWork/angr/angr-dev/angr/angr/engines/successors.py", line 254, in _categorize_successor
elif o.LAZY_SOLVES not in state.options and not state.satisfiable():
File "/home/ecular/forWork/angr/angr-dev/angr/angr/sim_state.py", line 521, in satisfiable
return self.solver.satisfiable(**kwargs)
File "/home/ecular/forWork/angr/angr-dev/angr/angr/state_plugins/sim_action_object.py", line 57, in ast_stripper
return f(*new_args, **new_kwargs)
File "/home/ecular/forWork/angr/angr-dev/angr/angr/state_plugins/solver.py", line 87, in wrapped_f
return f(*args, **kwargs)
File "/home/ecular/forWork/angr/angr-dev/angr/angr/state_plugins/solver.py", line 640, in satisfiable
return self._solver.satisfiable(extra_constraints=self._adjust_constraint_list(extra_constraints), exact=exact)
File "/home/ecular/forWork/angr/angr-dev/claripy/claripy/frontend_mixins/constraint_filter_mixin.py", line 34, in satisfiable
return super(ConstraintFilterMixin, self).satisfiable(extra_constraints=ec, **kwargs)
File "/home/ecular/forWork/angr/angr-dev/claripy/claripy/frontend_mixins/sat_cache_mixin.py", line 45, in satisfiable
extra_constraints=extra_constraints, **kwargs
File "/home/ecular/forWork/angr/angr-dev/claripy/claripy/frontends/composite_frontend.py", line 314, in satisfiable
return all(s.satisfiable(exact=exact) for s in self._solver_list)
File "/home/ecular/forWork/angr/angr-dev/claripy/claripy/frontends/composite_frontend.py", line 314, in <genexpr>
return all(s.satisfiable(exact=exact) for s in self._solver_list)
File "/home/ecular/forWork/angr/angr-dev/claripy/claripy/frontend_mixins/sat_cache_mixin.py", line 45, in satisfiable
extra_constraints=extra_constraints, **kwargs
File "/home/ecular/forWork/angr/angr-dev/claripy/claripy/frontend_mixins/model_cache_mixin.py", line 240, in satisfiable
return super(ModelCacheMixin, self).satisfiable(extra_constraints=extra_constraints, **kwargs)
File "/home/ecular/forWork/angr/angr-dev/claripy/claripy/frontends/full_frontend.py", line 102, in satisfiable
solver=self._get_solver(), model_callback=self._model_hook
File "/home/ecular/forWork/angr/angr-dev/claripy/claripy/frontends/full_frontend.py", line 55, in _get_solver
self._add_constraints()
File "/home/ecular/forWork/angr/angr-dev/claripy/claripy/frontends/full_frontend.py", line 67, in _add_constraints
self._solver_backend.add(self._tls.solver, self.constraints, track=self._track)
File "/home/ecular/forWork/angr/angr-dev/claripy/claripy/backends/__init__.py", line 446, in add
return self._add(s, self.convert_list(c), track=track)
File "/home/ecular/forWork/angr/angr-dev/claripy/claripy/backends/__init__.py", line 226, in convert_list
return [ a if isinstance(a, numbers.Number) else self.convert(a) for a in args ]
File "/home/ecular/forWork/angr/angr-dev/claripy/claripy/backends/__init__.py", line 226, in <listcomp>
return [ a if isinstance(a, numbers.Number) else self.convert(a) for a in args ]
File "/home/ecular/forWork/angr/angr-dev/claripy/claripy/backends/__init__.py", line 196, in convert
r = self._call(ast.op, args)
File "/home/ecular/forWork/angr/angr-dev/claripy/claripy/backends/__init__.py", line 259, in _call
obj = getattr(operator, op)(*args)
File "/home/ecular/.virtualenvs/angr/lib/python3.6/site-packages/z3/z3.py", line 871, in __ne__
a, b = _coerce_exprs(self, other)
File "/home/ecular/.virtualenvs/angr/lib/python3.6/site-packages/z3/z3.py", line 1016, in _coerce_exprs
s = _coerce_expr_merge(s, b)
File "/home/ecular/.virtualenvs/angr/lib/python3.6/site-packages/z3/z3.py", line 1006, in _coerce_expr_merge
_z3_assert(False, "sort mismatch")
File "/home/ecular/.virtualenvs/angr/lib/python3.6/site-packages/z3/z3.py", line 91, in _z3_assert
raise Z3Exception(msg)
z3.z3types.Z3Exception: sort mismatch