illera88 / Ponce

IDA 2016 plugin contest winner! Symbolic Execution just one-click away!
https://docs.idaponce.com

Symbolize Memory, Negate and inject don't work #51

Closed trietptm closed 8 years ago

trietptm commented 8 years ago

I tested Ponce v0.1 with IDA 6.8 on Windows and saw that Symbolize Memory, Negate and Inject don't work, even in the disassembler view.

[Three screenshots attached, taken 9/29/2016 at 3:39:02 pm, 3:39:40 pm and 4:31:36 pm]

heartbleeded commented 8 years ago

Have you tried the new version the authors posted in https://github.com/illera88/Ponce/issues/50? It works well for me.

trietptm commented 8 years ago

@heartbleeded, I downloaded Ponce (Ponce_x86_static_IDA68.plw, Ponce_x64_static_IDA68.p64) yesterday from https://github.com/illera88/Ponce/releases.

illera88 commented 8 years ago

We will take a look at it ASAP.

The problem we are facing is that IDA 6.8 SDK does not have some APIs we are using to get the memory selection.

Anyway we will fix it so 6.8 users can still enjoy Ponce.

We are currently working on it. Stay tuned.

0ca commented 8 years ago

@trietptm It was yesterday when we fixed that bug and replaced the IDA 6.8 plugin with the new version, so I am not sure if you have the latest one.

I tried the 32-bit version just now: https://github.com/illera88/Ponce/releases/download/v0.1/Ponce_x86_static_IDA68.plw (md5: fa884066a8e95e23c946ac7ded6fd471) in IDA 6.8.150428, and it is working.

I am not sure why you can't negate or even solve the condition. Are you clicking on the conditional jump? Can you describe for us the steps and the binary you are using?

Thank you very much for trying Ponce ;)

0ca commented 8 years ago

@trietptm about the negate, I think I know what is happening.

You executed the program once, right? The first time, the main function was detected and the arguments were automatically symbolized. That main function had symbolic instructions, so the function was renamed to T000_main.

Then you executed it a second time. This time the main function wasn't found (we are looking for main, _main, and other variants), so the arguments weren't symbolized, and when you arrived at that condition it wasn't a symbolic condition.

We are working to solve this.

For now you could disable the Rename symbolic/tainted functions option.

We had some options to solve this. The idea is to detect the main function even if it was renamed.

Thank you again for the report!

0ca commented 8 years ago

Now we are ignoring our own prefix for tainted/symbolized functions, so you should have this problem.

Still, we want to wipe all the color after a re-execution to avoid any confusion: https://github.com/illera88/Ponce/issues/57

Thank you for the report @trietptm
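The failure mode described in the two comments above (the first run renames the entry point to T000_main, and the second run's name-based lookup for main no longer matches it) and the fix they describe (ignore the plugin's own prefix when looking up the entry point) can be shown with a small standalone matcher. This is an added illustration, not Ponce's own code; the prefix shape (a "T", one or more digits, then an underscore, generalised from the single "T000_" name in the thread) and the list of entry-point name variants are assumptions, since the thread only says "main, _main, and other variants".

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Assumed shape of the rename prefix applied to functions that contain
// symbolic/tainted instructions: 'T' + one or more digits + '_' (e.g. "T000_").
// Returns the name unchanged when no such prefix is present.
std::string strip_rename_prefix(const std::string& name) {
    if (name.size() < 3 || name[0] != 'T') return name;
    size_t i = 1;
    while (i < name.size() && std::isdigit(static_cast<unsigned char>(name[i]))) ++i;
    // Require at least one digit and a trailing underscore; otherwise it is
    // just a function whose name happens to start with 'T'.
    if (i == 1 || i >= name.size() || name[i] != '_') return name;
    return name.substr(i + 1);
}

// Assumed list of entry-point spellings; the thread names only main and _main.
static const std::vector<std::string> kMainVariants = {
    "main", "_main", "wmain", "_wmain", "WinMain", "_WinMain"};

// The lookup as it behaved before the fix: exact match on the raw name, so a
// function renamed on the first run is no longer recognised on the second.
bool is_main_function_naive(const std::string& name) {
    for (const auto& v : kMainVariants)
        if (name == v) return true;
    return false;
}

// The lookup after the fix: strip the plugin's own prefix first, then match.
bool is_main_function(const std::string& name) {
    const std::string base = strip_rename_prefix(name);
    for (const auto& v : kMainVariants)
        if (base == v) return true;
    return false;
}

int main() {
    // Constructed sample: names as they would appear on a first and second run.
    const char* samples[] = {"main", "_main", "T000_main", "T000_helper", "Tmain", "T_main"};
    for (const char* s : samples)
        std::printf("%-12s naive=%d prefix-aware=%d\n", s,
                    is_main_function_naive(s), is_main_function(s));
    return 0;
}
```

The "Tmain" and "T_main" rows show why the prefix check insists on at least one digit followed by an underscore: a function that merely starts with a capital T must not be mistaken for a renamed one.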