Update readme

toolCHAINZ · toolCHAINZ · commit a902caad3d10 · 2025-09-22T19:00:32.000+01:00
diff --git a/README.md b/README.md
@@ -52,24 +52,41 @@ A simple usage looks like the following:
 
 ```python
 import logging
+
+from crackers.crackers import DecisionResult
+from crackers.jingle import ModeledBlock, State
+
 logging.basicConfig(level=logging.INFO)
 
-from z3 import BoolRef, BoolVal
+from z3 import BoolRef, BoolVal, simplify
 
-from crackers import State, ModeledBlock
-from crackers.config import MetaConfig, LibraryConfig, SleighConfig,
-    ReferenceProgramConfig, SynthesisConfig, ConstraintConfig, CrackersConfig
-from crackers.config.constraint import RegisterValuation,
-    RegisterStringValuation, MemoryValuation, PointerRange,
-    CustomStateConstraint, CustomTransitionConstraint, PointerRangeRole
+from crackers.config import (
+    MetaConfig,
+    LibraryConfig,
+    SleighConfig,
+    ReferenceProgramConfig,
+    SynthesisConfig,
+    ConstraintConfig,
+    CrackersConfig,
+)
+from crackers.config.constraint import (
+    RegisterValuation,
+    RegisterStringValuation,
+    MemoryValuation,
+    PointerRange,
+    CustomStateConstraint,
+    CustomTransitionConstraint,
+    PointerRangeRole,
+)
 from crackers.config.log_level import LogLevel
 from crackers.config.synthesis import SynthesisStrategy
 
+
 # Custom state constraint example
 def my_constraint(s: State, _addr: int) -> BoolRef:
     rdi = s.read_register("RDI")
     rcx = s.read_register("RCX")
-    return rdi == (rcx ^ 0x5a5a5a5a5a5a5a5a)
+    return rdi == (rcx ^ 0x5A5A5A5A5A5A5A5A)
 
 
 # Custom transition constraint example
@@ -79,29 +96,53 @@ def my_transition_constraint(block: ModeledBlock) -> BoolRef:
 
 
 meta = MetaConfig(log_level=LogLevel.INFO, seed=42)
-library = LibraryConfig(max_gadget_length=8, path="libz.so.1", sample_size=None,
-                        base_address=None)
+library = LibraryConfig(
+    max_gadget_length=8, path="libz.so.1", sample_size=None, base_address=None
+)
 sleigh = SleighConfig(ghidra_path="/Applications/ghidra")
-reference_program = ReferenceProgramConfig(path="sample.o", max_instructions=8, base_address=library.base_address)
-synthesis = SynthesisConfig(strategy=SynthesisStrategy.SAT, max_candidates_per_slot=200, parallel=8, combine_instructions=True)
+reference_program = ReferenceProgramConfig(
+    path="sample.o", max_instructions=8, base_address=library.base_address
+)
+synthesis = SynthesisConfig(
+    strategy=SynthesisStrategy.SAT,
+    max_candidates_per_slot=200,
+    parallel=8,
+    combine_instructions=True,
+)
+
 constraint = ConstraintConfig(
     precondition=[
-        RegisterValuation(name="rdi", value=0xdeadbeef),
+        RegisterValuation(name="RDI", value=0xDEADBEEF),
         MemoryValuation(space="ram", address=0x1000, size=4, value=0x41),
-        RegisterStringValuation(reg="rsi", value="/bin/sh"),
-        CustomStateConstraint(code=my_constraint)
+        RegisterStringValuation(reg="RSI", value="/bin/sh"),
+        CustomStateConstraint.from_callable(my_constraint),
     ],
     postcondition=[
-        RegisterValuation(name="rax", value=0x1337),
-        CustomStateConstraint(code=my_constraint)
+        RegisterValuation(name="RBX", value=0x1337),
     ],
-    transition=[
-        PointerRange(role=PointerRangeRole.READ, min=0x2000, max=0x3000),
-        CustomTransitionConstraint(code=my_transition_constraint)
-    ]
+    pointer=[
+        PointerRange(role=PointerRangeRole.READ, min=0x80_0000, max=0x80_8000),
+        CustomTransitionConstraint.from_callable(my_transition_constraint),
+    ],
+)
+config = CrackersConfig(
+    meta=meta,
+    library=library,
+    sleigh=sleigh,
+    specification=reference_program,
+    synthesis=synthesis,
+    constraint=constraint,
 )
-config = CrackersConfig(meta=meta, library=library, sleigh=sleigh, specification=reference_program, synthesis=synthesis, constraint=constraint)
-config.run()
+r = config.run()
+match r:
+    case DecisionResult.AssignmentFound(a):
+        for g in a.gadgets():
+            for i in g.instructions:
+                print(i.disassembly)
+            print()
+        for name, bv in a.input_summary(True):
+            print(f"{name} = {simplify(bv)}")
+
 ```
 
 ### Rust CLI
diff --git a/crackers_python/PYTHON_README.md b/crackers_python/PYTHON_README.md
@@ -24,54 +24,96 @@ A simple usage looks like the following:
 
 ```python
 import logging
+
+from crackers.crackers import DecisionResult
+from crackers.jingle import ModeledBlock, State
+
 logging.basicConfig(level=logging.INFO)
 
-from z3 import BoolRef, BoolVal
+from z3 import BoolRef, BoolVal, simplify
 
-from crackers import State, ModeledBlock
-from crackers.config import MetaConfig, LibraryConfig, SleighConfig,
-    ReferenceProgramConfig, SynthesisConfig, ConstraintConfig, CrackersConfig
-from crackers.config.constraint import RegisterValuation,
-    RegisterStringValuation, MemoryValuation, PointerRange,
-    CustomStateConstraint, CustomTransitionConstraint, PointerRangeRole
+from crackers.config import (
+    MetaConfig,
+    LibraryConfig,
+    SleighConfig,
+    ReferenceProgramConfig,
+    SynthesisConfig,
+    ConstraintConfig,
+    CrackersConfig,
+)
+from crackers.config.constraint import (
+    RegisterValuation,
+    RegisterStringValuation,
+    MemoryValuation,
+    PointerRange,
+    CustomStateConstraint,
+    CustomTransitionConstraint,
+    PointerRangeRole,
+)
 from crackers.config.log_level import LogLevel
 from crackers.config.synthesis import SynthesisStrategy
 
+
 # Custom state constraint example
 def my_constraint(s: State, _addr: int) -> BoolRef:
     rdi = s.read_register("RDI")
     rcx = s.read_register("RCX")
-    return rdi == (rcx ^ 0x5a5a5a5a5a5a5a5a)
+    return rdi == (rcx ^ 0x5A5A5A5A5A5A5A5A)
+
 
 # Custom transition constraint example
 def my_transition_constraint(block: ModeledBlock) -> BoolRef:
     # Dummy: always true
     return BoolVal(True)
 
+
 meta = MetaConfig(log_level=LogLevel.INFO, seed=42)
-library = LibraryConfig(max_gadget_length=8, path="libz.so.1", sample_size=None,
-                        base_address=None)
+library = LibraryConfig(
+    max_gadget_length=8, path="libz.so.1", sample_size=None, base_address=None
+)
 sleigh = SleighConfig(ghidra_path="/Applications/ghidra")
-reference_program = ReferenceProgramConfig(path="sample.o", max_instructions=8, base_address=library.base_address)
-synthesis = SynthesisConfig(strategy=SynthesisStrategy.SAT, max_candidates_per_slot=200, parallel=8, combine_instructions=True)
+reference_program = ReferenceProgramConfig(
+    path="sample.o", max_instructions=8, base_address=library.base_address
+)
+synthesis = SynthesisConfig(
+    strategy=SynthesisStrategy.SAT,
+    max_candidates_per_slot=200,
+    parallel=8,
+    combine_instructions=True,
+)
+
 constraint = ConstraintConfig(
     precondition=[
-        RegisterValuation(name="rdi", value=0xdeadbeef),
+        RegisterValuation(name="RDI", value=0xDEADBEEF),
         MemoryValuation(space="ram", address=0x1000, size=4, value=0x41),
-        RegisterStringValuation(reg="rsi", value="/bin/sh"),
-        CustomStateConstraint(code=my_constraint)
+        RegisterStringValuation(reg="RSI", value="/bin/sh"),
+        CustomStateConstraint.from_callable(my_constraint),
     ],
     postcondition=[
-        RegisterValuation(name="rax", value=0x1337),
-        CustomStateConstraint(code=my_constraint)
+        RegisterValuation(name="RBX", value=0x1337),
+    ],
+    pointer=[
+        PointerRange(role=PointerRangeRole.READ, min=0x80_0000, max=0x80_8000),
+        CustomTransitionConstraint.from_callable(my_transition_constraint),
     ],
-    transition=[
-        PointerRange(role=PointerRangeRole.READ, min=0x2000, max=0x3000),
-        CustomTransitionConstraint(code=my_transition_constraint)
-    ]
 )
-config = CrackersConfig(meta=meta, library=library, sleigh=sleigh, specification=reference_program, synthesis=synthesis, constraint=constraint)
-config.run()
+config = CrackersConfig(
+    meta=meta,
+    library=library,
+    sleigh=sleigh,
+    specification=reference_program,
+    synthesis=synthesis,
+    constraint=constraint,
+)
+r = config.run()
+match r:
+    case DecisionResult.AssignmentFound(a):
+        for g in a.gadgets():
+            for i in g.instructions:
+                print(i.disassembly)
+            print()
+        for name, bv in a.input_summary(True):
+            print(f"{name} = {simplify(bv)}")
 ```
 
 # Research Paper
diff --git a/crackers_python/crackers/config/constraint.py b/crackers_python/crackers/config/constraint.py
@@ -162,12 +162,12 @@ class ConstraintConfig(BaseModel):
     Attributes:
         precondition (list[StateConstraint] | None): Constraints on the initial state.
         postcondition (list[StateConstraint] | None): Constraints on the final state.
-        transition (list[TransitionConstraint] | None): Constraints on the transitions between states.
+        pointer (list[TransitionConstraint] | None): Constraints on the transitions between states (named 'pointer' for compatibility reasons, but can express any transition constraint)
     """
 
     precondition: list[StateConstraint] | None = None
     postcondition: list[StateConstraint] | None = None
-    transition: list[TransitionConstraint] | None = None
+    pointer: list[TransitionConstraint] | None = None
 
     @field_serializer("precondition", "postcondition")
     def serialize_state_constraints(value, _info):
@@ -190,7 +190,7 @@ def serialize_state_constraints(value, _info):
                 "size": mem.size,
                 "value": mem.value,
             }
-        transformed: StateEqualityConstraint = {
+        transformed = {
             "register": {
                 v.name: v.value for v in filtered if isinstance(v, RegisterValuation)
             },
@@ -203,8 +203,18 @@ def serialize_state_constraints(value, _info):
         }
         return transformed
 
-    @field_serializer("transition")
-    def skip_custom_transition_constraints(value, _info):
-        return [
+    @field_serializer("pointer")
+    def serialize_transition_constraints(value, _info):
+        filtered = [
             v for v in value or [] if getattr(v, "type", None) != "custom_transition"
         ]
+        read_ranges = []
+        write_ranges = []
+        for v in filtered:
+            if isinstance(v, PointerRange):
+                range_dict = {"min": v.min, "max": v.max}
+                if v.role == PointerRangeRole.READ:
+                    read_ranges.append(range_dict)
+                elif v.role == PointerRangeRole.WRITE:
+                    write_ranges.append(range_dict)
+        return {"read": read_ranges, "write": write_ranges}
diff --git a/crackers_python/crackers/config/crackers.py b/crackers_python/crackers/config/crackers.py
@@ -1,11 +1,13 @@
 from pydantic import BaseModel
-from crackers.config.constraint import ConstraintConfig
+from crackers.config.constraint import ConstraintConfig, CustomStateConstraint, \
+    CustomTransitionConstraint
 from crackers.config.library import LibraryConfig
 from crackers.config.meta import MetaConfig
 from crackers.config.sleigh import SleighConfig
 from crackers.config.specification import ReferenceProgramConfig
 from crackers.config.synthesis import SynthesisConfig
 from crackers import _internal
+from crackers.crackers import DecisionResult
 
 
 class CrackersConfig(BaseModel):
@@ -28,40 +30,40 @@ class CrackersConfig(BaseModel):
     synthesis: SynthesisConfig
     constraint: ConstraintConfig
 
-    def run(self):
+    def run(self) -> DecisionResult:
         j = self.model_dump_json()
         config = _internal.crackers.CrackersConfig.from_json(j)
         resolved = config.resolve_config()
 
         # Separate custom state constraints into precondition and postcondition
-        precondition_state_constraints = []
-        postcondition_state_constraints = []
+        precondition_state_constraints: list[CustomStateConstraint] = []
+        postcondition_state_constraints: list[CustomStateConstraint] = []
         if self.constraint.precondition:
             precondition_state_constraints = [
-                c
+                c  # type: ignore
                 for c in self.constraint.precondition
                 if getattr(c, "type", None) == "custom_state"
             ]
         if self.constraint.postcondition:
             postcondition_state_constraints = [
-                c
+                c  # type: ignore
                 for c in self.constraint.postcondition
                 if getattr(c, "type", None) == "custom_state"
             ]
 
-        custom_transition_constraints = []
-        if self.constraint.transition:
+        custom_transition_constraints: list[CustomTransitionConstraint] = []
+        if self.constraint.pointer:
             custom_transition_constraints = [
-                c
-                for c in self.constraint.transition
+                c  # type: ignore
+                for c in self.constraint.pointer
                 if getattr(c, "type", None) == "custom_transition"
             ]
 
         for c in precondition_state_constraints:
             resolved.add_precondition(c._code)
         for c in postcondition_state_constraints:
             resolved.add_postcondition(c._code)
-        for c in custom_transition_constraints:
-            resolved.add_transition_constraint(c._code)
+        for d in custom_transition_constraints:
+            resolved.add_transition_constraint(d._code)
 
-        print(resolved.run())
+        return resolved.run()
