From 13100dcb2680e29364e6ea50b637d52cbc4347c1 Mon Sep 17 00:00:00 2001
From: eqawasm <86770917+eqawasm@users.noreply.github.com>
Date: Sat, 3 Sep 2022 12:15:47 -0400
Subject: [PATCH 1/2] Update libc.py

Add simulation procedure for setlocale
---
 tools/angr/plugins/hooks/libc.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/tools/angr/plugins/hooks/libc.py b/tools/angr/plugins/hooks/libc.py
index b30301da..bf8a840e 100644
--- a/tools/angr/plugins/hooks/libc.py
+++ b/tools/angr/plugins/hooks/libc.py
@@ -334,7 +334,18 @@ def run(self, dst, src, num): max_len = src_len self.inline_call(strncpy, dst + dst_len, src, max_len + 1, src_len=src_len) return dst - + + +class libc_setlocale(angr.SimProcedure): + locale = None + def run (self, category, locale): + if self.locale is None: + self.locale = self.inline_call( + angr.SIM_PROCEDURES["libc"]["malloc"], 256 + ).ret_expr + self.state.memory.store(self.locale + 255, b"\x00") + return self.locale + libc_hooks = { # Additional functions that angr doesn't provide hooks for
@@ -356,6 +367,7 @@ def run(self, dst, src, num): "__snprintf_chk": libc__snprintf_chk, "strncat": libc_strncat, "strrchr": libc_strrchr, + "setlocale":libc_setlocale, } hook_condition = ("libc\.so.*", libc_hooks)

From 706fc5adfcdd362de0db76b76a9c81f27e72a992 Mon Sep 17 00:00:00 2001
From: eqawasm <86770917+eqawasm@users.noreply.github.com>
Date: Sun, 4 Sep 2022 22:49:05 -0400
Subject: [PATCH 2/2] Update libc.py

---
 tools/angr/plugins/hooks/libc.py | 39 ++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 9 deletions(-)

diff --git a/tools/angr/plugins/hooks/libc.py b/tools/angr/plugins/hooks/libc.py
index bf8a840e..9da2bd8f 100644
--- a/tools/angr/plugins/hooks/libc.py
+++ b/tools/angr/plugins/hooks/libc.py
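Review bot: The memoization in libc_setlocale's run does not hold and, where it would, is not state-local: `locale = None` is a class attribute and `self.locale = ...` writes to the procedure object, which angr (as far as I recall) shallow-copies in SimProcedure.execute for every call, so every call to setlocale mallocs a fresh 256-byte buffer; and even if the attribute did persist it would be shared by every state and path, handing one state a pointer that was allocated in a different state's heap. The allocated pointer should be kept in the state instead, e.g. in `self.state.globals`, which is copied together with the state (the key name below is just a suggestion). The same pattern is re-added in the second patch's hunk at -337,15 (libc_setlocale re-indented, plus libc_bindtextdomain and libc_textdomain), and the rewrite below applies to all three. The class attribute also shares its name with the `locale` parameter of run, which is easy to misread.
```python
class libc_setlocale(angr.SimProcedure):
    def run(self, category, locale):
        # One buffer per state, not per procedure object: the procedure
        # is copied per call and shared across states, the state is not.
        buf = self.state.globals.get("setlocale_buf")
        if buf is None:
            buf = self.inline_call(
                angr.SIM_PROCEDURES["libc"]["malloc"], 256
            ).ret_expr
            self.state.memory.store(buf + 255, b"\x00")
            self.state.globals["setlocale_buf"] = buf
        return buf
```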
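Review bot: Style: the added entry `"setlocale":libc_setlocale,` lacks the space after the colon that every neighbouring entry of libc_hooks has. Write `"setlocale": libc_setlocale,` so the table stays uniform; the two entries the second patch adds already use the spaced form.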
@@ -337,15 +337,34 @@ def run(self, dst, src, num): class libc_setlocale(angr.SimProcedure): - locale = None - def run (self, category, locale): - if self.locale is None: - self.locale = self.inline_call( - angr.SIM_PROCEDURES["libc"]["malloc"], 256 - ).ret_expr - self.state.memory.store(self.locale + 255, b"\x00") - return self.locale - + locale = None + def run (self, category, locale): + if self.locale is None: + self.locale = self.inline_call( + angr.SIM_PROCEDURES["libc"]["malloc"], 256 + ).ret_expr + self.state.memory.store(self.locale + 255, b"\x00") + return self.locale + +class libc_bindtextdomain(angr.SimProcedure): + domainname = None + def run (self, domainname, dirname): + if self.domainname is None: + self.domainname = self.inline_call( + angr.SIM_PROCEDURES["libc"]["malloc"], 256 + ).ret_expr + self.state.memory.store(self.domainname + 255, b"\x00") + return self.domainname + +class libc_textdomain(angr.SimProcedure): + domainname = None + def run (self, domainname): + if self.domainname is None: + self.domainname = self.inline_call( + angr.SIM_PROCEDURES["libc"]["malloc"], 256 + ).ret_expr + self.state.memory.store(self.domainname + 255, b"\x00") + return self.domainname libc_hooks = { # Additional functions that angr doesn't provide hooks for
@@ -368,6 +387,8 @@ def run (self, category, locale): "strncat": libc_strncat, "strrchr": libc_strrchr, "setlocale":libc_setlocale, + "bindtextdomain": libc_bindtextdomain, + "textdomain": libc_textdomain, } hook_condition = ("libc\.so.*", libc_hooks)
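Review bot: The buffers returned by libc_setlocale, libc_bindtextdomain and libc_textdomain are NUL-terminated only at byte 255; the preceding 255 bytes are whatever malloc hands back, which under angr's default options is unconstrained (symbolic) memory, so a caller that runs strlen or strcmp over the returned "locale name" or domain name forks on up to 255 symbolic bytes. Writing a short concrete string at the start of the buffer, e.g. `self.state.memory.store(self.locale, b"C\x00")` in libc_setlocale right after the malloc, keeps the result a well-formed string and avoids that path explosion; the real functions return a readable name, not arbitrary data. The three classes are also identical apart from names, so one base SimProcedure holding the allocate-and-terminate logic in a helper with three thin subclasses would remove the triplication and give a single place to fix the caching.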