Symbolically execute instructions

[daniellimws]

I know currently there's emu that is pretty great.

Feature

r2 has the capability of using their ESIL to do symbolic execution for the selected instructions, and often it is quite helpful.

Would we be interested in adding such feature to perform symbolic execution as well?

Example

Instead of emu -n 10, one can do something like sym -n 10 instead, and be able to see the symbolic values for tainted memory and registers after executing 10 more instructions.

Of course there can be more to it like solving expressions but gonna see you guys' view on this first before elaborating more on it.

[hugsy]

I'm not so sure of what symbolic execution would bring to a debugger. Using unicorn is convenient for simulating instructions (esp. when dealing with crypto functions). But symbolic execution might add some extra challenges, not to mention the insane increase of memory use.

If you have a PoC, feel free to post it (maybe in gef-extras instead for easier testing). That'll allow us to have a better idea on this.

Cheers.

[daniellimws]

Yea ok I'll make one some time soon.

But sadly yeah symbolic execution frameworks are quite demanding :frowning_face: Will try to pull off something that does not strain the system if possible.

[hugsy]

@daniellimws It appears that it already exists: https://github.com/SQLab/symgdb (it's based on Triton)

[daniellimws]

Oh looks good! Perhaps I can try to add that as one of the plugins into gef-extras?

[daniellimws]

Hmm but it seems to be quite limited (less capabilities compared to angr)

[Stolas]

I have tried to use Manticore for this to create something like: https://github.com/illera88/Ponce It worked, but it sucked, as manticore is not created to hook like Triton. As what I make should also run on Windows imho I am currently working on a abstraction layer for this all. (SMT Solving and Symbolic Execution) so I can easily hook a pounce like thing to gef.

[daniellimws]

@Stolas would you recommend using angr or triton then? Because triton doesn't support all archs.

[Stolas]

Well manticore is a fine toon, but as it uses emulation instead of instrumentation due to this I feel it is not the right pick to attach to gef. The POC plugin I made had the issue you'd have to wait for a while making it really awkward to use. I'd recommend to just use python to build the state your program is in, and use manticore next from your debug session.

Trtiton would better fit the bill, as it does support instrumentation.

As for angr, never used it seems to only support emulation thus the same issue as manticore had would occur.

Hope that helped.

(Ignore the typos, this was typed on a phone)

On April 19, 2018 12:02:25 AM UTC, Daniel Lim Wee Soong notifications@github.com wrote:

@Stolas would you recommend using angr or triton then? Because triton doesn't support all archs.

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: https://github.com/hugsy/gef/issues/259#issuecomment-382566459

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

[d4em0n]

see this https://github.com/andreafioraldi/angrgdb

[hugsy]

Should we close this then ? angrgdb seems to be the perfect answer, and I don't see why it would conflict with gef.

[Stolas]

Yea close it.

On June 26, 2018 4:27:34 AM UTC, crazy rabbidz notifications@github.com wrote:

Should we close this then ? angrgdb seems to be the perfect answer, and I don't see why it would conflict with gef.

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: https://github.com/hugsy/gef/issues/259#issuecomment-400174496

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

[daniellimws]

Yea of course. (just one thing, angrgdb only works for gdb compiled with python2 which is kind of sad)

[Grazfather]

Too bad about no python3 support. All effort that would have gone into that ticket should instead go into porting angrgdb/angrdbg.

[andreafioraldi]

Hi guys, I'm going to rewrite angrgdb to support py3 when shellphish will release angr 8. It's a matter of a few days, stay tuned.