angr / angr-targets

This repository contains the currently implemented angr concrete targets.

idc.del_bpt failed in symbion mode #15

Closed frozenkp closed 2 years ago

frozenkp commented 3 years ago

Hi, I wrote a simple script to test my toy program in IDA. It just concretely executes from the entry point to 0x40146E (stage 1), then symbolically executes to 0x4014c3 (stage 2). I ran into a problem while concretely executing to 0x40146E in stage 1: it delivered the breakpoint at 0x4014c3 and then tried to remove it, but idc.del_bpt failed to delete the breakpoint, as shown in the screenshot below.

I've checked that the address passed to idc.del_bpt was correct, and IDAPython worked fine when I typed idc.del_bpt(0x4014c3) directly into the IDA debug console.

My environment is: OS: Windows 10 64-bit; Target: x86 PE; IDA 7.4.191011 + WinDbg debugger; Python 3.9.4

from idaapi import *
import angr
import claripy
from angr_targets import IDAConcreteTarget

binary = 'C:\\Users\\frozenkp\\Documents\\sample\\simple_if\\simple_if.exe'

# Instantiating the ConcreteTarget (drives the IDA debugger)
ida_target = IDAConcreteTarget()

# Creating the Project, bound to the concrete target
p = angr.Project(binary, concrete_target=ida_target, use_sim_procedures=True)

# Getting an entry_state
entry_state = p.factory.entry_state()

# Symbion options: sync memory with CLE and keep SimProcedure stubs when syncing
entry_state.options.add(angr.options.SYMBION_SYNC_CLE)
entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)

print('[1] concrete execute to 0x40146E')
# Create a simulation manager to hold this exploration
simgr = p.factory.simgr(entry_state)
# Use Symbion! Run concretely in IDA until the breakpoint at 0x40146e is hit.
simgr.use_technique(angr.exploration_techniques.Symbion(find=[0x40146e]))

exploration = simgr.run()
new_concrete_state = exploration.stashes['found'][0]

print('[2] symbolic execute to find 0x4014c3')
# Declaring a symbolic buffer (32 bytes)
arg0 = claripy.BVS('arg0', 8*32)

# Setting the symbolic buffer in memory at ebp-0xc of the synchronized state
symbolic_buffer_address = new_concrete_state.regs.ebp-0xc
new_concrete_state.memory.store(symbolic_buffer_address, arg0)

simgr = p.factory.simgr(new_concrete_state)
exploration = simgr.explore(find=0x4014c3)

# Get our synchronized state back!
new_symbolic_state = exploration.stashes['found'][0]

# Concretize the symbolic buffer for the path that reached 0x4014c3
print(new_symbolic_state.solver.eval(arg0, cast_to=bytes))

degrigis commented 3 years ago

The IDAConcreteTarget is actually completely unmaintained, but, provided that your IDA is using a Python 3 environment and the call to the idc API is correct, this should work. As much as I would love to revamp the IDAConcreteTarget, I unfortunately don't have cycles right now to work on it. However, feel free to contribute and ask questions here or on our Slack if this is something you are interested in! :)

github-actions[bot] commented 2 years ago

This issue has been marked as stale because it has no recent activity. Please comment or add the pinned tag to prevent this issue from being closed.

github-actions[bot] commented 2 years ago

This issue has been closed due to inactivity.