angr / angr-targets

This repository contains the currently implemented angr concrete targets.

Issue with memory not being mapped into angr state #25

Closed lain3d closed 11 months ago

lain3d commented 2 years ago

Hi,

I was using the example at https://github.com/angr/angr-doc/tree/master/examples/csaw_wyvern and wanted to try symbion out on it.

Here's the entire script

import angr
from angr_targets import *
import avatar2
import logging
import claripy
from IPython import embed

logging.getLogger("angr").setLevel(logging.INFO)

GDB_SERVER_IP = "127.0.0.1"
GDB_SERVER_PORT = 1234
binary_x64 = "./wyvern"

# Instantiating the ConcreteTarget
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64,
                                     GDB_SERVER_IP, GDB_SERVER_PORT)

# Creating the Project
p = angr.Project(binary_x64, concrete_target=avatar_gdb,
                             use_sim_procedures=True) #, main_opts={'base_addr':0x0})

# Getting an entry_state
entry_state = p.factory.entry_state()

# Forget about these options as for now, will explain later.
entry_state.options.add(angr.options.SYMBION_SYNC_CLE)
entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)

simgr = p.factory.simulation_manager()

# Use Symbion!
simgr.use_technique(angr.exploration_techniques.Symbion(find=[0x000000000040E1FA]))
exploration = simgr.run()

st = exploration.stashes['found'][0]

flag_chars = [claripy.BVS('flag_%d' % i, 8) for i in range(28)]
flag = claripy.Concat(*flag_chars + [claripy.BVV(b'\n')])
for k in flag_chars:
    st.solver.add(k != 0)
    st.solver.add(k != 10)

symbolic_buffer_address = st.regs.rax

st.concrete.sync()

st.memory.store(symbolic_buffer_address, flag)

simgr = p.factory.simgr(st)

# while True:
#     simgr.step()
#     print(simgr)
# embed()
simgr.explore(find=0x000000000040E02C)
embed()

I get

In [3]: simgr.errored
Out[3]: [<State errored with "No bytes in memory for block starting at 0x7ffff7fe7bc0.">]

Note: I tried using use_sim_procedures=False and True. There were some libraries that it complained about, like libgcc_s, so I switched it off to see what would happen.

degrigis commented 1 year ago

Can you try to remove the call to st.concrete.sync() right before the st.memory.store(symbolic_buffer_address, flag)?

If you set use_sim_procedures to False, you are basically going to execute the code of all the functions in the linked libraries inside angr; this can easily lead to errors and state explosions if not handled carefully.

SteinsGatep001 commented 1 year ago

I manually patched it at angr/engines/vex/lifter.py:

    # phase 4: get bytes
    if buff is NO_OVERRIDE:
        if insn_bytes is not None:
            buff, size = insn_bytes, len(insn_bytes)
            # offset stays unchanged
        else:
            _suppose_size = size
            buff, size, offset = self._load_bytes(addr, size, state, clemory)
            # CLE had nothing mapped at addr: fall back to reading the
            # requested number of bytes straight from the concrete target
            if size == 0 and state is not None:
                buff = state.project.concrete_target.read_memory(addr, _suppose_size)
                size = len(buff)

Hope it works for you.
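The fallback that the patch above implements, written out as an added, stand-alone example that is not part of this thread or of angr's own code: when the static loader has no bytes at the block address, read them from the live target instead of erroring the state. `Clemory` and `ConcreteTarget` below are constructed stand-ins for cle's loaded-memory view and for angr_targets' AvatarGDBConcreteTarget so that the example runs offline; the real classes signal an unmapped address with their own exceptions, and the mock raises a constructed `ConcreteMemoryError` in that role. The memory layout (a `.text` region the loader knows about, a loader-only region at 0x7ffff7fe7bc0) is constructed for the example and is not taken from the wyvern binary.

```python
"""Concrete-memory fallback for block lifting (added example, not angr code).

Models the patch from the thread: when the static loader ("clemory") has no
bytes at `addr`, read them from the concrete target. Clemory and
ConcreteTarget are constructed stand-ins so this runs without angr, cle,
avatar2 or a gdbserver.
"""


class ConcreteMemoryError(Exception):
    """Raised when the (mock) concrete target cannot read an address."""


class Clemory:
    """Stand-in for CLE's loaded-memory view: a few mapped byte ranges."""

    def __init__(self, regions):
        self.regions = dict(regions)  # {base_addr: bytes}

    def load(self, addr, size):
        """Return up to `size` contiguous bytes at addr, b"" if unmapped.
        Like the real loader, a block that runs off the end of a region
        yields fewer bytes than requested (the caller re-derives size)."""
        for base, data in self.regions.items():
            if base <= addr < base + len(data):
                off = addr - base
                return data[off:off + size]
        return b""


class ConcreteTarget:
    """Stand-in for AvatarGDBConcreteTarget: reads from the live process."""

    def __init__(self, regions):
        self.regions = dict(regions)
        self.reads = []  # log of (addr, nbytes) so callers can be audited

    def read_memory(self, address, nbytes):
        self.reads.append((address, nbytes))
        for base, data in self.regions.items():
            if base <= address and address + nbytes <= base + len(data):
                off = address - base
                return data[off:off + nbytes]
        raise ConcreteMemoryError(f"cannot read {nbytes} bytes at {address:#x}")


def load_block_bytes(addr, size, clemory, concrete_target):
    """Fetch the bytes to lift at `addr`.

    Returns (buff, size, source): source is "cle" when the static loader had
    the bytes, "concrete" when they came from the target, and None when
    neither side could supply them, i.e. the situation behind
    "No bytes in memory for block starting at ...".
    """
    buff = clemory.load(addr, size)
    if buff:
        return buff, len(buff), "cle"
    if concrete_target is None:
        return b"", 0, None
    try:
        buff = concrete_target.read_memory(addr, size)
    except ConcreteMemoryError:
        # A failed concrete read is reported, not turned into a crash
        return b"", 0, None
    if not buff:
        return b"", 0, None
    return buff, len(buff), "concrete"


# Constructed sample layout (not the wyvern binary): CLE mapped the main
# binary's .text; the dynamic loader's code exists only in the live process.
TEXT_BASE = 0x40E000
LDSO_BASE = 0x7FFFF7FE7BC0
SAMPLE_CLEMORY = Clemory({TEXT_BASE: bytes(range(256)) * 4})
SAMPLE_TARGET = ConcreteTarget({
    TEXT_BASE: bytes(range(256)) * 4,
    LDSO_BASE: b"\xf3\x0f\x1e\xfa" + b"\x90" * 60,  # endbr64 ; nops
})


def demo():
    """Run the three cases: static hit, concrete fallback, unmapped."""
    return {
        "text": load_block_bytes(TEXT_BASE + 0x1FA, 16, SAMPLE_CLEMORY, SAMPLE_TARGET),
        "ldso": load_block_bytes(LDSO_BASE, 16, SAMPLE_CLEMORY, SAMPLE_TARGET),
        "unmapped": load_block_bytes(0x1000, 16, SAMPLE_CLEMORY, SAMPLE_TARGET),
    }


if __name__ == "__main__":
    for name, (buff, size, source) in demo().items():
        print(f"{name:9s} source={source} size={size} bytes={buff[:4].hex()}")
```

Two points the thread's patch leaves open are handled here: the concrete target is only consulted when the loader really has nothing (a block that merely runs past the end of a mapped region keeps its shorter static read), and a failed concrete read produces a clear "unmapped" result rather than `len()` being applied to whatever `read_memory` returned or raised.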