I need to simulate this decompiled line of code in a Python script using claripy as solver engine,
*(ulong *)(global_variable + (ulong)((uint)local_variable[local_inedx + 1] & 1) * 8)
global_variable is basically an array cointaining a 0 and an integer and the local_variable is an array populated with 4 bytes symbolic variables that will be evaluated.
pwndbg> x/gx <global_variable address>
0x...70 <global_variable>: 0x0000000000000000
0x...78 <global_variable+8>: 0x000000009908b0df
As I've understood, depending on the & between the local variable value and 1 the code is resolved with 0 or the integer stored in global_variable+8.
I thought I'd use the claripy.If operations as below, but there's no way to satisfy the solver constraint.
claripy.If(local_variable[local_inedx + 1] & 1 == 1, claripy.BVV(0x9908b0df,32), claripy.BVV(0, 32))
As far as there could be other reason that implies the unsatisfied constraint I would like to know if this is the correct way to simulate read access to the global variables using claripy or there are other ways.
Related
Is there a function in Lua to generate a variable name with a string and a value?
For example, I have the first (string) part "vari" and the second (value) part, which can vary. So I want to generate "vari1", "vari2", "vari3" and so on. Something like this:
"vari"..value = 42 should then be vari1 = 42.
Thanks
Yes, but it most likely is a bad idea (and this very much seems to be an XY-problem to me). If you need an enumerated "list" of variables, just use a table:
local var = { 42, 100, 30 }
var[4] = 33 -- add a fourth variable
print(var[1]) -- prints 42
if you really need to set a bunch of variables though (perhaps to adhere to some odd API?), I'd recommend using ("..."):format(...) to ensure that your variables will be formatted as var<int> rather than var1.0, var1e3 or the like.
Th environment in Lua - both the global environment _G and the environment of your script _ENV (in Lua 5.2), which usually is the global environment, are just tables in the end, so you can write to them and read from them the same way you'd write to and read from tables:
for value = 1, 3 do
_ENV[("vari%d"):format(value)] = value^2
end
print(var3) -- prints 3*3 = 9
-- verbose ways of accessing var3:
print(_ENV.var3) -- still 9
print(_ENV["var"]) -- 9 as well
Note that this is most likely just pollution of your script environment (likely global pollution) which is considered a bad practice (and often bad for performance). Please outline your actual problem and consider using the list approach.
Yes. Call:
rawset(table, key, value)
Example:
rawset(_G, 'foo', 'bar')
print(foo)
-- Output: bar
-- Lets loop it and rawget() it too
-- rawset() returns table _G here to rawget()
-- rawset() is executed before rawget() in this case
for i = 1, 10 do
print(rawget(rawset(_G, 'var' .. i, i), 'var' .. i))
end
-- Output: 10 lines - First the number 1 and last the number 10
See: https://lua.org/manual/5.1/manual.html#pdf-rawset
Putting all together and create an own function...
function create_vars(var, start, stop)
for i = start, stop do
print(var .. i, '=>', rawget(rawset(_G, var .. i, i), var .. i))
end
end
And use it...
> create_vars('var', 42, 42)
var42 => 42
> print(var42)
42
var1 = 1
var2 = var1 # why doesn't this bind the two variables?
var2 = var2 + 3
print(var1)
print(var2)
The output is
1
4
What is the Python 3.x (added after StackrunnethOver's original answer - apologies for not specifying) syntax to bind var2 to the same memory as var1? Not that I want to, but rather that I want to make sure that my assignment statements aren't accidentally binding two variables to one another.
This line of questioning (how do I know what happens to variables and when) is usually very language-dependent, so it’s often a lot more relevant to talk about it in the context of a specific language. However, in the example you present, I think there is a general answer:
For the code:
var1 = 1
var2 = var1
var2 = var2 + 3
On line 2, there are two things that could happen:
var2 gets assigned the value 1
var2 now points to the same location in memory as var1, and var1’s location in memory holds the value 1
If #1 happens, we get the behavior you see above. This should not be surprising.
If #2 happens, now var1 and var2 point to the same location in memory. Your question is why isn’t this the case? Consider, if line 2 does make var2 point to the same thing as var1, what does line 3 do?
...
If x = y makes x point to the thing y points to, what does x = y + 3 do? Make x point to the thing y + 3 points to? This doesn’t really make sense.
What this gets at, underneath, is the difference between a value, a variable, and a pointer. In the example you give, var1 and var2 are variables, which on the left hand side of an equals sign are treated as such (you can assign values to your variables e.g. x = 3). But on the right-hand side of an equals sign, variables become their values before other operations take place. In var2 = var1 + 3, the expression becomes var2 = 1 + 3 and then var2 = 4.
In some languages, this behavior is not always automatic. Instead, you have to create it for yourself, by using pointers. This effectively means you have one way of referencing a variable x which explicitly says you want the location in memory x points to, which is the true “value of x”, and another way of referencing it x’ which explicitly says you want the value at that location in memory.
In such a world, your code could be written as
var1’ = 1
var2’ = var1’
var2’ = var2’ + 3
To get behavior #1 above, or
var1’ = 1
var2 = var1
var2’ = var2’ + 3
To get output
4
4
All this assuming that var1 and var2 have been initialized beforehand.
In such languages (like C) you can actually do things like `x = y + 3’, where x and y are pointers. It literally makes x equal to the position in memory three spots further along than y. This is called pointer arithmetic.
So I got the following code:
def foo(a, b, c):
try:
a = [0]
b[0] = 1
c[0] = 2
w[0] = 3
except:
pass
return z
x, y, z = [None], [None], [None]
w = z[:]
foo(x,y,z)
print(x,y,z,w)
The last line of the code print(x,y,z,w) prints [None] [1] [2] [3], however
I don't quite get it. Why are x,y,z are being changed from within the funciton? and if w changes - and it points to z, why doesnt z change accordingly?
In Python objects are passed by reference to functions.
This line makes a copy of z
w = z[:]
so changes to z don't affect w and vice versa. In the line
a = [0]
you change the reference to point to a new object, so you don't mutate x (which is what a was initially bound to). In the following lines
b[0] = 1
c[0] = 2
you mutate the objects that you got references to (y and z in global scope), so the objects in the outside scope change. In the line
w[0] = 3
you mutate the global object w since the name w is not a parameter of the function, nor is it bound in the body of the function.
What everyone else says is correct, but I want to add my way of thinking that may be helpful if you have experience with a language like C or C++.
Every variable in Python is a pointer (well, the technical term is a "reference", but I find that more difficult to visualize than "pointer"). You know how in C/C++ you can get a function to output multiple values by passing in pointers? Your code is doing essentially the same thing.
Of course, you may be wondering, if that is the case, why don't you see the same thing happening to ints, strs or whatnot? The reason is that those things are immutable, which means you cannot directly change the value of an int or a str at all. When you "change an integer", like i = 1, you are really changing the variable, pointing it to a different int object. Similarly, s += 'abc' creates a new str object with the value s + 'abc', then assigns it to s. (This is why s += 'abc' can be inefficient when s is long, compared to appending to a list!)
Notice that when you do a = [0], you are changing a in the second way --- changing the pointer instead of the object pointed to. This is why this line doesn't modify x.
Finally, as the others has said, w = z[:] makes a copy. This might be a little confusing, because for some other objects (like numpy arrays), this syntax makes a view instead of a copy, which means that it acts like the same object when it comes to changing elements. Remember that [] is just an operator, and every type of object can choose to give it a different semantical meaning. Just like % is mod for ints, and formatting for strs --- you sometimes just need to get familiar with the peculiarities of different types.
I would like to perform a simple increment operation on specific array elements:
Minimal Not-Working Example:
array[1..2] of var 0..1: a = [0, 0];
constraint forall (i in 1..2) (
a[i] = a[i] + 1
);
output ["\(a)"];
solve satisfy;
This produces the minizinc output
WARNING: model inconsistency detected
stack.mzn:3:
in call 'forall'
in array comprehension expression
with i = 1
stack.mzn:4:
in binary '=' operator expression
=====UNSATISFIABLE=====
% stack.fzn:1: warning: model inconsistency detected before search.
Why is this an inconsistency in the model -- why can't I reference the old value of the current array element? Is there some other way to increase the current array element by 1?
I'm new to constraint solving, so I hope this is not a terribly stupid question.
It is important to know that MiniZinc is a declarative language. In a constraint you're not stating an instruction, but you're stating the "truth" as know to the solvers.
That means that an instruction like a = a + 1 will not work because you are stating that we're looking for a value for a that is its own value + 1. Since no such value exist we call the model inconsistent since no solutions can be found.
The idea of the constraint items is to express relations between different variables and parameters. You could for example write: constraint forall(i in N) (a[i] = a[i-1] + 1). This will mean we will look for a value a[i] which is 1 more than a[i-1] for all i in N. (Note that we should probably add an if-statement to make sure i-1 stays within the given bounds)
As a general rule: if there is a literal on one side of an equals signs, using that literal on the other side will create an inconsistent model.
If you still wanted to create a MiniZinc model that increases the values of a given array by one, you could use the following model:
set of int: N = 1..2
array[N] of int: a = [0,1];
array[N] of var int: b;
constraint forall(i in N) (
b[i] = a[i] + 1
);
Since the variables a are now expressed in terms of b, this doesn't violate our rule.
This question already has answers here:
Create variables with names from strings
(6 answers)
Closed 6 years ago.
I have a loop running on multiple workstations, each loop is dealing with 5 different classes, when the results is acquired it is to save the result with the name of the classes it used.
For example on workstation 1 I am using:
class1 = 1;
class2 = 10;
%code that will run on all images associated with classes 1:10
% final_result from all 10 classes is calculated here
I want to save this now, with the name such as:
result_1_10 = final_result;
save result_1_10 result_1_10;
I can do this manually but its becoming very difficult to change the values on all machines after one value is changed, I would rather it save these and pick up the numbers from the two variables class1 and class2.
Here is what I tried:
['result_' num2str(class1) '_' num2str(class2)];
This would give me result_1_10. Which is what I wanted but it is a string, rather than a variable, so I cannot assign the result value to it
['result_' num2str(class1) '_' num2str(class2)] = final_result;
Would give the error:
Error: An array for multiple LHS assignment cannot contain
LEX_TS_STRING.
I even tried str2num(num2str(class1)) but that would also give an error.
How do I actually do this?
Thank you
While you can do this, it is very much discouraged by The Mathworks themselves. Any time you are trying to store information about what a variable contains within the variable name itself, that's a sign that maybe things should be rearranged a bit. Maybe consider using a different data structure.
Consider for example using a struct where you keep the classes as fields and the result as a field.
S.class1 = 1;
S.class2 = 10;
S.result = final_result;
You could then even create an array of structs holding your data.
S = struct('class1', {1, 2, 1}, ...
'class2', {10, 11, 10}, ...
'result', {rand(10), rand(10), rand(10)});
Then you could grab all results when class1 was 1:
S([S.class1 == 1]);
Or all results when class1 as 1 and class2 was 10
S([S.class1 == 1] & [S.class2 == 10]);
If you insist on doing it the way that you've laid out, you'll have to use eval or assignin to do that. Also, sprintf is often more concise than string concatenations.
variable = sprintf('result_%d_%d', class1, class2);
eval([variable, '= final_result;']);