Closed knnikita closed 2 years ago
Your shellphish-qemu installation seems to be very messed up. How did you install it? It shouldn't be possible to get into a setup like this if you installed it with pip.
I installed angr from https://hub.docker.com/r/angr/angr. Then packages from repos: https://github.com/shellphish/shellphish-qemu.git https://github.com/mechaphish/povsim.git https://github.com/salls/angrop.git https://github.com/mechaphish/compilerex.git https://github.com/shellphish/rex.git https://github.com/angr/tracer https://github.com/shellphish/shellphish-afl.git
And then
sudo apt-get update
sudo apt-get install -y virtualenvwrapper python2.7-dev build-essential sudo libxml2-dev libxslt1-dev git libffi-dev cmake libreadline-dev libtool debootstrap debian-archive-keyring libglib2.0-dev libpixman-1-dev libpq-dev python-dev libc6:i386 libncurses5:i386 libstdc++6:i386 zlib1g:i386 pkg-config zlib1g-dev libtool libtool-bin wget automake autoconf coreutils bison libacl1-dev qemu-user qemu-kvm socat postgresql-client nasm binutils-multiarch llvm clang
Please do not try to build shellphish-qemu and shellphish-afl by yourself. Use the wheels on pypi or in https://github.com/angr/wheels.
If you must, install it with pip install .
or pip install -e .
Now it works! Thanks! Other binary (elf arm32):
WARNING | 2018-12-21 10:34:44,884 | pyvex.lifting.gym.arm_spotter | Spotting an LDM instruction at 0x176ec4. This is not fully tested. Prepare for errors.
WARNING | 2018-12-21 10:35:01,381 | tracer.qemu_runner | The trace is found to be malformed. it is possible that the log file size exceeds the 1G limit, meaning that there might be infinite loops in the target program.
---------------------------------------------------------------------------
AngrTracerError Traceback (most recent call last)
<ipython-input-3-86ac8f8f0c42> in <module>
----> 1 crash = rex.Crash('./tlrun_static', bytes_crash)
~/virtenvs/angr/lib/python3.6/site-packages/rex/crash.py in __init__(self, binary, crash, pov_file, aslr, constrained_addrs, crash_state, prev_path, hooks, format_infos, rop_cache_tuple, use_rop, fast_mode, explore_steps, angrop_object, argv, concrete_fs, chroot, rop_cache_path, trace_timeout, input_type, port, use_crash_input, tracer_args, initial_state)
223
224 self._t = angr.exploration_techniques.Tracer(trace=r.trace, resiliency=False, keep_predecessors=2, crash_addr=r.crash_addr)
--> 225 simgr.use_technique(self._t)
226 simgr.use_technique(angr.exploration_techniques.Oppologist())
227
/home/angr/angr-dev/angr/angr/sim_manager.py in use_technique(self, tech)
186 # XXX: as promised
187 tech.project = self._project
--> 188 tech.setup(self)
189
190 HookSet.install_hooks(self, **tech._get_hooks())
/home/angr/angr-dev/angr/angr/exploration_techniques/tracer.py in setup(self, simgr)
72 break
73 else:
---> 74 raise AngrTracerError("Could not identify program entry point in trace!")
75
76 # pylint: disable=undefined-loop-variable
AngrTracerError: Could not identify program entry point in trace!
What does it mean?
It means angr can't figure out which block in the trace is the program entry point. That seems like a fairly easy conclusion to draw.
Get a debug shell there and print out the trace, and see if you can identify the entry point in the trace. Should be pretty easy if the program isn't PIE.
It might have to do with the warning message: "The trace is found to be malformed. it is possible that the log file size exceeds the 1G limit, meaning that there might be infinite loops in the target program." I don't really know how to approach that issue though.
How can I get a debug shell? I used logging:
logging.getLogger('rex').setLevel('DEBUG')
logging.getLogger('angr').setLevel('DEBUG')
logging.getLogger('tracer').setLevel('DEBUG')
and get this:
INFO | 2018-12-25 10:53:17,486 | angr.project | Loading binary ./bin_test
DEBUG | 2018-12-25 10:53:19,608 | angr.project | hooking 0x2000000 with <SimProcedure LinuxLoader>
DEBUG | 2018-12-25 10:53:19,608 | angr.project | hooking 0x2000008 with <SimProcedure _dl_rtld_lock_recursive>
DEBUG | 2018-12-25 10:53:19,609 | angr.project | hooking 0x2000010 with <SimProcedure _dl_rtld_unlock_recursive>
DEBUG | 2018-12-25 10:53:19,609 | angr.project | hooking 0x2000018 with <SimProcedure _dl_initial_error_catch_tsd>
DEBUG | 2018-12-25 10:53:19,609 | angr.project | hooking 0x2000020 with <SimProcedure _vsyscall>
DEBUG | 2018-12-25 10:53:19,609 | angr.project | hooking 0xffff0fe0 with <SimProcedure _kernel_user_helper_get_tls>
DEBUG | 2018-12-25 10:53:19,609 | angr.project | hooking 0x2000030 with <SimProcedure CallReturn>
DEBUG | 2018-12-25 10:53:19,609 | angr.project | hooking 0x2000038 with <SimProcedure UnresolvableJumpTarget>
DEBUG | 2018-12-25 10:53:19,610 | angr.project | hooking 0x2000040 with <SimProcedure UnresolvableCallTarget>
DEBUG | 2018-12-25 10:53:19,657 | tracer.qemu_runner | Accumulating basic block trace...
DEBUG | 2018-12-25 10:53:19,657 | tracer.qemu_runner | tracer qemu path: /root/virtenvs/angr/lib/python3.6/site-packages/shellphish_qemu/bin/shellphish-qemu-linux-arm
WARNING | 2018-12-25 10:53:29,773 | tracer.qemu_runner | The trace is found to be malformed. it is possible that the log file size exceeds the 1G limit, meaning that there might be infinite loops in the target program.
DEBUG | 2018-12-25 10:53:29,776 | angr.state_plugins.solver | Creating SimSolverClaripy.
DEBUG | 2018-12-25 10:53:29,823 | angr.state_plugins.solver | Creating new unconstrained BV named aeg_stdin_0
DEBUG | 2018-12-25 10:53:29,824 | angr.state_plugins.preconstrainer | Preconstraint: <Bool aeg_stdin_0_15546_8{UNINITIALIZED} == 5>
DEBUG | 2018-12-25 10:53:30,155 | angr.state_plugins.solver | Creating new unconstrained BV named aeg_stdin_1
DEBUG | 2018-12-25 10:53:30,155 | angr.state_plugins.preconstrainer | Preconstraint: <Bool aeg_stdin_1_15547_8{UNINITIALIZED} == 0>
....
Also I get many warnings like this:
WARNING | 2018-12-25 10:53:06,036 | pyvex.lifting.gym.arm_spotter | Spotting an LDM instruction at 0x1735e0. This is not fully tested. Prepare for errors.
WARNING | 2018-12-25 10:53:06,057 | pyvex.lifting.gym.arm_spotter | Spotting an LDM instruction at 0x173606. This is not fully tested. Prepare for errors.
WARNING | 2018-12-25 10:53:06,066 | pyvex.lifting.gym.arm_spotter | Ignoring STMxx ^ instruction at 0x17360e. This mode is not implemented by VEX! See pyvex/lifting/gym/arm_spotter.py
WARNING | 2018-12-25 10:53:06,068 | pyvex.lifting.gym.arm_spotter | Ignoring STMxx ^ instruction at 0x173610. This mode is not implemented by VEX! See pyvex/lifting/gym/arm_spotter.py
Sorry, I don't understand what it means.
A shell is an interactive prompt. A debug shell is an interactive prompt embedded in the program that lets you explore its state at a given point.
In Python, the two main ways of doing this are to insert import ipdb; ipdb.set_trace() into a source file to effectively set a breakpoint, or to run ipython --pdb instead of python to execute your scripts, which will spawn a debug shell when the program terminates with an exception. Both of these shells will be the pdb shell, which is like the gdb shell but for Python. Tutorials for using it should be available online.
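The two pieces of advice in this thread (print the trace and look for the first block inside the main object; get a pdb shell on the failure) can be exercised without angr or rex. The following is an added example, not code from the angr/rex projects or from anyone in this issue. It assumes that Tracer.setup's for/else in the traceback above is looking for the first trace block that lies inside the main object (the real check uses project.loader.main_object; the address range 0x10000-0x1a0000, the exception name EntryNotFound and the sample traces are all constructed for illustration). It also counts the most frequently executed blocks, which is the quickest way to see whether a trace that hit the 1G limit is stuck in a loop.

```python
# Added example (not from angr/rex): diagnose a block trace that Tracer.setup
# would reject with "Could not identify program entry point in trace!".
import collections
import pdb
import sys
from typing import List, Optional, Tuple

# Constructed main-object range for a non-PIE ARM binary (assumption, for
# illustration only; angr takes this from project.loader.main_object).
MAIN_LO, MAIN_HI = 0x10000, 0x1a0000

# Constructed traces: a few blocks in the ARM kernel helper page (0xffff0fe0,
# which is also hooked in the log above), then blocks inside the main object.
GOOD_TRACE: List[int] = [0xffff0fe0, 0xffff0fe0, 0x10310, 0x10324,
                         0x173606, 0x176ec4, 0x176ec4, 0x176ec4]
# A trace that never reaches the main object, as a truncated/malformed log can.
BAD_TRACE: List[int] = [0xffff0fe0, 0xffff0fe0, 0xffff0fe0, 0xffff0fe0]


class EntryNotFound(Exception):
    """Stand-in for AngrTracerError in this example."""


def find_entry_index(trace: List[int], lo: int = MAIN_LO, hi: int = MAIN_HI) -> Optional[int]:
    """Index of the first block inside [lo, hi), or None (the for/else case)."""
    for idx, addr in enumerate(trace):
        if lo <= addr < hi:
            return idx
    return None


def hottest_blocks(trace: List[int], n: int = 3) -> List[Tuple[int, int]]:
    """(address, count) for the n most executed blocks. One block dominating a
    huge trace is the usual signature of the infinite loop the 1G-limit
    warning hints at."""
    return collections.Counter(trace).most_common(n)


def describe_trace(trace: List[int], lo: int = MAIN_LO, hi: int = MAIN_HI) -> dict:
    """Summary a practitioner would print from a debug shell before digging in."""
    entry = find_entry_index(trace, lo, hi)
    return {
        "length": len(trace),
        "entry_index": entry,
        "entry_addr": trace[entry] if entry is not None else None,
        "hottest": hottest_blocks(trace),
    }


def check_trace(trace: List[int], lo: int = MAIN_LO, hi: int = MAIN_HI,
                interactive: bool = False) -> dict:
    """Raise EntryNotFound when no block lies in the main object. With
    interactive=True, open a pdb post-mortem shell on that error first (the
    same shell `ipython --pdb` gives you, but only for this failure); keep it
    False in scripts and tests."""
    try:
        info = describe_trace(trace, lo, hi)
        if info["entry_index"] is None:
            raise EntryNotFound("no block in [%#x, %#x); hottest blocks: %s" % (
                lo, hi, [(hex(a), c) for a, c in info["hottest"]]))
        return info
    except EntryNotFound:
        if interactive:
            pdb.post_mortem(sys.exc_info()[2])
        raise


if __name__ == "__main__":
    print(check_trace(GOOD_TRACE))
    try:
        check_trace(BAD_TRACE)
    except EntryNotFound as err:
        print("rejected:", err)
```

Run with interactive=True from a terminal to land in pdb at the failing check; from there `p trace[:20]` and `p hottest_blocks(trace)` answer the two questions the maintainer raised: does the trace ever enter the main object, and is it dominated by a loop.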
This issue has been marked as stale because it has no recent activity. Please comment or add the pinned tag to prevent this issue from being closed.
This issue has been closed due to inactivity.
Hi! I ran the example you provided, but get KeyError: 'shellphish_qemu/bin'. What could be the problem?