angr / angr-targets

This repository contains the currently implemented angr concrete targets.

How to load external library and sync it? #24

Open SteinsGatep001 opened 2 years ago

SteinsGatep001 commented 2 years ago

I use current_state.concrete.sync() to sync data from the gdb target. But the target's library didn't sync. How can I load an external library and sync the library memory to the angr project? I tried:

    project = angr.Project("/squashfs-root/usr/sbin/httpd")
    project.loader.dynamic_load("/squashfs-root/usr/lib/libnvram.so")
    # it works
    # [<ELF Object libnvram.so, maps [0x1500000:0x1522fdf]>,
    # <ExternObject Object cle##externs, maps [0x1600000:0x16000e7]>]

It works! But when I use a simstate to step:

    succ_path = current_path.copy().step()
    _succ_path_active_states = succ_path.active

succ_path.active is empty, and succ_path.errored contains:

    SimEngineError
    State errored with "No bytes in memory for block starting at 0xf7f03ae4."
SteinsGatep001 commented 2 years ago

Here is my code (an excerpt from a class; self.TARGET_HOSTNAME, _host_gdbserver_port, ld_path, self.run_concretly and the ArmVMGDBConcreteTarget class are defined elsewhere in the poster's project):

    import time
    import angr
    import avatar2

    # Attach to the remote gdbserver as the concrete target
    _avatar_gdb_target = ArmVMGDBConcreteTarget(avatar2.archs.arm.ARM, self.TARGET_HOSTNAME, _host_gdbserver_port)
    self.target = '/tmp/squashfs-root/usr/sbin/httpd'
    force_load_libs = ['/tmp/squashfs-root/usr/lib/libnvram.so']
    _project = angr.Project(self.target, concrete_target=_avatar_gdb_target, ld_path=ld_path, use_sim_procedures=True)
    # Load the library into the angr loader after project creation
    for _load_lib in force_load_libs:
        _project.loader.dynamic_load(_load_lib)
    self._current_state = _entry_state = _project.factory.entry_state()
    self.run_concretly(["nvram_get"])  # break at nvram_get in libnvram
    self.sync_state()
    _current_simgr = _project.factory.simgr(self._current_state.copy(), save_unconstrained=True, save_unsat=True)
    _succ_path = _current_simgr.copy().step()
    # _succ_path.errored will be: No bytes in memory for block starting at 0xf7f03ae4.
    _succ_path_active_states = _succ_path.active

    def sync_state(self, wait_time=1):
        """
        Sync the state from the concrete process in gdbserver.
        :return:
        """
        new_state = self._current_state
        # FIXME: wait for the target to halt before syncing
        time.sleep(wait_time)
        new_state.concrete.sync()
        self._current_state = new_state
SteinsGatep001 commented 2 years ago

I also tried _project = angr.Project('/tmp/squashfs-root/usr/lib/libnvram.so', concrete_target=_avatar_gdb_target, ld_path=ld_path, use_sim_procedures=True). But after _succ_path = _current_simgr.copy().step(), it also failed: _succ_path.errored: <State errored with "No bytes in memory for block starting at 0xf77bbae4.">

degrigis commented 2 years ago

Can you try to step a few instructions into the concrete process (i.e., set a breakpoint at the beginning) and grab the concrete state?

SteinsGatep001 commented 2 years ago

I can step a few instructions into the concrete process and grab the concrete state successfully (I checked in GDB remote; the instructions are valid). But I failed to step via the step() function on a copy of the state.