Closed YangY-Xiao closed 4 years ago
It looks like the real check is happening inside the call sub_400D40
. You should see inside that function if something is tainted.
The taint/symbolic engine is not going to detect things like this:
int check(char myinput)
{
    int flag = 0;
    if (myinput == 'A') // This condition is tainted
        flag = 1;
    else
        flag = -1;
    return flag; // flag is not tainted!
}
I'm not sure how to solve this problem.
This is not a Ponce issue, it's a limitation of concolic execution.
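To make the limitation in that comment concrete, here is an added toy taint tracker (my own illustration, not Ponce or Triton code) that interprets the check() function above with myinput tainted. With explicit data-flow taint only, the branch condition is tainted but flag never is; an implicit (control-dependence) mode is included to show what it would take to mark flag, and a data-flow rewrite of the same decision is included for contrast. Function names (run_check, run_check_dataflow) are mine.

```python
from dataclasses import dataclass, field

@dataclass
class TaintState:
    tainted: set = field(default_factory=set)    # names of tainted variables
    ctrl_dep: list = field(default_factory=list)  # taint of enclosing branch conditions

def assign(st, env, dest, value, sources=(), track_implicit=False):
    """Model one assignment. Explicit taint flows from the named sources;
    implicit (control-dependent) taint flows from enclosing tainted branches
    only when track_implicit is on."""
    env[dest] = value
    explicit = any(s in st.tainted for s in sources)
    implicit = track_implicit and any(st.ctrl_dep)
    if explicit or implicit:
        st.tainted.add(dest)
    else:
        st.tainted.discard(dest)

def run_check(myinput, track_implicit=False):
    """Interpret check() step by step with myinput tainted (hypothetical helper).
    Returns the final flag plus the taint status of the condition and of flag."""
    st = TaintState(tainted={"myinput"})
    env = {"myinput": myinput}
    assign(st, env, "flag", 0)                            # int flag = 0;
    cond_tainted = "myinput" in st.tainted                # if (myinput == 'A')
    st.ctrl_dep.append(cond_tainted)
    if env["myinput"] == "A":
        assign(st, env, "flag", 1, track_implicit=track_implicit)   # flag = 1;
    else:
        assign(st, env, "flag", -1, track_implicit=track_implicit)  # flag = -1;
    st.ctrl_dep.pop()
    return {"flag": env["flag"], "cond_tainted": cond_tainted,
            "flag_tainted": "flag" in st.tainted}

def run_check_dataflow(myinput):
    """Contrast: the same decision expressed as data flow (flag = myinput - 'A'),
    which explicit taint tracking does follow."""
    st = TaintState(tainted={"myinput"})
    env = {"myinput": myinput}
    assign(st, env, "flag", ord(env["myinput"]) - ord("A"), sources=("myinput",))
    return {"flag": env["flag"], "flag_tainted": "flag" in st.tainted}

if __name__ == "__main__":
    print(run_check("A"))                       # flag_tainted: False
    print(run_check("A", track_implicit=True))  # flag_tainted: True
    print(run_check_dataflow("B"))              # flag_tainted: True
```

The explicit-only result is what the colored-instruction view in Ponce reflects: the compare on myinput is tainted, the constant stores to flag are not.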
When I try to solve one elf with ponce, there are some errors.
Ponce setting:
Symbolize memory:
Result:
As shown in the result, there are no colored tainted instructions or colored tainted conditions.
Did I set something up incorrectly? Thanks a lot~~