zardus
commented
8 years ago @ltfish, looks like @chubbymaggie might have a fix for this, fyi (see the commits referencing this issue).
Open AndyXan opened 8 years ago
zardus
commented
8 years ago @ltfish, looks like @chubbymaggie might have a fix for this, fyi (see the commits referencing this issue).
ltfish
commented
8 years ago It seems @chubbymaggie is changing code in CFGFast. I don't think it will fix this issue though. I'll wait for his PR :-)
rhelmot
commented
8 years ago Actually - the problem is because of relocations. Relocatable objects use a more exotic set of relocations than executable files or shared objects, and the one relocation in this object (to dlopen) is not understood by CLE. Therefore, the emulated program is going to attempt to jump to somewhere it shouldn't, that angr has no control over.
Another tiny thing in a tiny binary (dlopen.o, from libdl.a). The lifter fails with
/home/andy/angr/angr-dev/angr/angr/lifter.pyc in lift(self, addr, arch, insn_bytes, max_size, num_inst,traceflags, thumb, backup_state, opt_level)?--> 152 raise AngrMemoryError("No bytes in memory for block starting at %#x." % addr)AngrMemoryError: No bytes in memory for block starting at 0xc.IDA:
.text:00000008 B.W __dlopenAccording to IDA/ANGR this is a constant jump. So vex assumes two predecessors, the constant jump target #9 and the following instruction #13 (0xd) which does not lie within the text section. This is either a CLE problem because main_bin.get_max_addr() is greater then the text section size or it its a CFG-Accurate thing, not checking the boundaries.
The application/calls as follows:
s = b.loader.main_bin.get_symbol('dlopen')cfg = b.analyses.CFGAccurate(starts=[s.rebased_addr],)In [29]: v.constant_jump_targets_and_jumpkindsOut[29]: {9: 'Ijk_Call', 13: 'Ijk_Boring'}In [30]: hex(13)Out[30]: '0xd'In [24]: b.loader.main_bin.sections_map['.text']Out[24]: <.text | offset 0x34, vaddr 0x0, size 0xc>dlopen.zip