From fad231a34deea99a697b2b290f625f0c6f7625a4 Mon Sep 17 00:00:00 2001
From: Kevin Phoenix
Date: Thu, 3 Oct 2024 18:34:35 -0700
Subject: [PATCH] Use claripy ast.hash() instead of ast.cache_key
---
 rex/crash.py | 2 +-
 rex/exploit/cgc/cgc_exploit.py | 4 ++--
 rex/exploit/techniques/explore_for_exploit.py | 8 ++++----
 rex/pov_fuzzing/fuzzing_type_2.py | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rex/crash.py b/rex/crash.py
index 716576a..d3820da 100644
--- a/rex/crash.py
+++ b/rex/crash.py
@@ -1239,7 +1239,7 @@ def _reconstrain_flag_data(self, state):# pylint:disable=no-self-use
 if any(v.startswith('cgc-flag') or v.startswith("random") for v in list(c.variables)):
 concrete = next(a for a in c.args if not a.symbolic)
 symbolic = next(a for a in c.args if a.symbolic)
- replace_dict[symbolic.cache_key] = concrete
+ replace_dict[symbolic.hash()] = concrete
 cons = state.solver.constraints
 new_cons = []
 for c in cons:
diff --git a/rex/exploit/cgc/cgc_exploit.py b/rex/exploit/cgc/cgc_exploit.py
index 57cad6d..d1cbb80 100644
--- a/rex/exploit/cgc/cgc_exploit.py
+++ b/rex/exploit/cgc/cgc_exploit.py
@@ -618,10 +618,10 @@ def filter_uncontrolled_constraints(state):
 # operations have to be done concretely and constrain the flagpage
 # to being a single value
 # we do not remove zen constraints
- zen_cache_keys = set(x.cache_key for x in state.get_plugin("zen_plugin").zen_constraints)
+ zen_cache_keys = set(x.hash() for x in state.get_plugin("zen_plugin").zen_constraints)
 new_cons = [ ]
 for con in state.solver.constraints:
- if con.cache_key in zen_cache_keys or \
+ if con.hash() in zen_cache_keys or \
 not all(v.startswith("cgc-flag") or v.startswith("random") for v in con.variables):
 new_cons.append(con)
diff --git a/rex/exploit/techniques/explore_for_exploit.py b/rex/exploit/techniques/explore_for_exploit.py
index 647707a..f1cda15 100644
--- a/rex/exploit/techniques/explore_for_exploit.py
+++ b/rex/exploit/techniques/explore_for_exploit.py
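Review bot: The new key on the `replace_dict[symbolic.hash()] = concrete` line only works if the claripy version the project pins both provides `Base.hash()` and has `replace_dict` look replacements up by integer hash; on an older claripy the call fails with AttributeError, and on a version where a `hash()` exists but `replace_dict` still keys on `cache_key` the lookup would silently match nothing and the constraint would stay unreplaced. The same dependency applies to the cgc_exploit.py, explore_for_exploit.py and fuzzing_type_2.py hunks, yet the diff does not touch the dependency pin, so the minimum claripy version should be raised in the project's requirements together with this change. `_reconstrain_flag_data` continues outside the hunk, so the consumer of `replace_dict` is not visible here.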
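Review bot: `zen_cache_keys` now holds integer hashes rather than cache keys, so the name is stale after this change; rename it and use the idiomatic set comprehension instead of `set(genexpr)`, e.g. `zen_hashes = {x.hash() for x in state.get_plugin("zen_plugin").zen_constraints}`, with the membership test becoming `if con.hash() in zen_hashes or \`. `filter_uncontrolled_constraints` continues outside the hunk, so any later use of the old name would need the same rename.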
@@ -39,7 +39,7 @@ def __init__(self, start_addr, assigned_start):
 self.max_start = 0
 self.assigned_start = assigned_start
 self.offset_to_data = dict()
- self.all_addr_keys = {start_addr.cache_key}
+ self.all_addr_keys = {start_addr.hash()}
 class AttackAddr(object):
@@ -89,7 +89,7 @@ def assign_write(self, addr, data, state):
 min_addr = (mem_range.min_start-offset) & 0xffffffff
 max_addr = (mem_range.max_start-offset) & 0xffffffff
- mem_range.all_addr_keys.add(addr.cache_key)
+ mem_range.all_addr_keys.add(addr.hash())
 mem_range.offset_to_data[offset] = data
 self.writes.append(WriteInfo(addr, data, min_addr, max_addr, assigned, mem_range))
 return assigned
@@ -132,7 +132,7 @@ def assign_read(self, addr, data, state):
 min_addr = (mem_range.min_start-offset) & 0xffffffff
 max_addr = (mem_range.max_start-offset) & 0xffffffff
- mem_range.all_addr_keys.add(addr.cache_key)
+ mem_range.all_addr_keys.add(addr.hash())
 self.reads.append(ReadInfo(addr, data, min_addr, max_addr, assigned, mem_range))
 return assigned
@@ -296,7 +296,7 @@ def mem_read_hook_after(self, state):
 state.add_constraints(replacement == data)
 state.get_plugin("address_tracker").read_constraints.append(replacement == data)
- state.get_plugin("address_tracker").read_replacements[replacement.cache_key] = data
+ state.get_plugin("address_tracker").read_replacements[replacement.hash()] = data
 @staticmethod
 def addr_analyze(addr, state):
diff --git a/rex/pov_fuzzing/fuzzing_type_2.py b/rex/pov_fuzzing/fuzzing_type_2.py
index 9f42d56..a7d0b62 100644
--- a/rex/pov_fuzzing/fuzzing_type_2.py
+++ b/rex/pov_fuzzing/fuzzing_type_2.py
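Review bot: The four hunks in this file change only the writers of `all_addr_keys` (`__init__`, `assign_write`, `assign_read`) and of `read_replacements` (`mem_read_hook_after`); none of the readers of either container are in the diff. A reader that still tests `addr.cache_key in mem_range.all_addr_keys` or indexes `read_replacements` with a `cache_key` would not raise — a cache-key object and an `int` simply never compare equal — so the membership test or lookup would silently return nothing, and every lookup site should be checked rather than assumed. I would also pin the key type in a comment next to the `self.all_addr_keys = {start_addr.hash()}` line, e.g. `# keyed by claripy AST hash (ast.hash()), not by cache_key`, and the same on the `read_replacements[...]` line. Each enclosing method starts or ends outside its hunk.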
@@ -185,7 +185,7 @@ def _fix_reg_vals(self, reg_vals):
 # if we have an ast fix it!
 out_val = self.addr_ast
 reg_vals2 = {self._reg_asts[r]: claripy.BVV(v, 32) for r, v in reg_vals.items() if r in CGC_GENERAL_REGS}
- replace_dict = {a.cache_key: b for a, b in reg_vals2.items()}
+ replace_dict = {a.hash(): b for a, b in reg_vals2.items()}
 out_val = out_val.replace_dict(replace_dict)
 if out_val.symbolic:
 raise CannotExploit("symbolic value after replacing regs")
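Review bot: `reg_vals2` is built on one line only to be re-keyed on the next, so unless it is used later in `_fix_reg_vals` (the method continues outside the hunk) the two comprehensions can be merged into one: `replace_dict = {self._reg_asts[r].hash(): claripy.BVV(v, 32) for r, v in reg_vals.items() if r in CGC_GENERAL_REGS}`. That removes an intermediate dict keyed by AST objects, which is the representation this commit is moving away from.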