Closed daniellimws closed 6 years ago
I'm not so sure of what symbolic execution would bring to a debugger. Using unicorn is convenient for simulating instructions (esp. when dealing with crypto functions). But symbolic execution might add some extra challenges, not to mention the insane increase of memory use.
If you have a PoC, feel free to post it (maybe in gef-extras instead for easier testing). That'll allow us to have a better idea on this.
Cheers.
Yea ok I'll make one some time soon.
But sadly yeah symbolic execution frameworks are quite demanding :frowning_face: Will try to pull off something that does not strain the system if possible.
@daniellimws It appears that it already exists: https://github.com/SQLab/symgdb (it's based on Triton)
Oh looks good! Perhaps I can try to add that as one of the plugins into gef-extras?
Hmm but it seems to be quite limited (less capabilities compared to angr)
I have tried to use Manticore for this to create something like https://github.com/illera88/Ponce. It worked, but it sucked, as manticore is not created to hook like Triton. As what I make should also run on Windows, imho, I am currently working on an abstraction layer for all of this (SMT solving and symbolic execution) so I can easily hook a Ponce-like thing to gef.
@Stolas would you recommend using angr or triton then? Because triton doesn't support all archs.
Well, manticore is a fine tool, but as it uses emulation instead of instrumentation, I feel it is not the right pick to attach to gef. The POC plugin I made had the issue that you'd have to wait for a while, making it really awkward to use. I'd recommend just using python to build the state your program is in, and using manticore next from your debug session.
Triton would better fit the bill, as it does support instrumentation.
As for angr, never used it; it seems to only support emulation, thus the same issue as manticore had would occur.
Hope that helped.
(Ignore the typos, this was typed on a phone)
Should we close this then? angrgdb seems to be the perfect answer, and I don't see why it would conflict with gef.
Yea close it.
Yea of course. (just one thing, angrgdb only works for gdb compiled with python2 which is kind of sad)
Too bad about no python3 support. All effort that would have gone into that ticket should instead go into porting angrgdb/angrdbg.
Hi guys, I'm going to rewrite angrgdb to support py3 when shellphish releases angr 8. It's a matter of a few days, stay tuned.
I know currently there's emu, which is pretty great.

Feature
r2 has the capability of using their ESIL to do symbolic execution for the selected instructions, and often it is quite helpful.
Would we be interested in adding such a feature to perform symbolic execution as well?

Example
Instead of emu -n 10, one can do something like sym -n 10 instead, and be able to see the symbolic values for tainted memory and registers after executing 10 more instructions.
Of course there can be more to it, like solving expressions, but gonna see you guys' view on this first before elaborating more on it.