Comments (6)
Another thing @ocean1 didn't mention is that your arguments to self.state.memory.store were incorrect. You said store(bvs, addr + i * 4), but it should actually be store(addr + i * 4, bvs).
from angr-doc.
Hello! There are a few errors in your script:
The arguments for the SimProcedure are wrong, as the function read_six_numbers has two args: the first is the const char string that is parsed by sscanf, the second one is the address of the six ints you are reading (stored on the stack).
The return value of the function can definitely be set to 6 (it does not return an address, but the number of items matched and assigned by sscanf).
Also you are setting up a BVS of 6 ints for each int processed: xrange(6) -> 846.
You'll also have to remove the LAZY_SOLVES option, otherwise some memory accesses will be unconstrained; that's the reason you get that error.
import angr
import claripy
import simuvex
from struct import unpack

stored_ints_addr = 0
bvs = None


class custom_hook(simuvex.SimProcedure):
    # read_six_numbers(const char *line, int *out)
    def run(self, s1_addr, int_addr):
        print "read_six_numbers hook"
        global stored_ints_addr
        global bvs
        for i in range(6):
            bvs = self.state.se.BVS(
                "int{}".format(i), 8 * 4, explicit_name=True)
            self.state.add_constraints(bvs >= 1, bvs < 6)
            # address first, then the value
            self.state.memory.store(int_addr + i * 4, bvs,
                                    endness=self.state.arch.memory_endness)
        # let's keep this for later
        stored_ints_addr = int_addr
        # sscanf returns the number of items matched, i.e. 6
        return self.state.se.BVV(6, self.state.arch.bits)


def solve_flag_6():
    start = 0x4010f4
    read_num = 0x40145c
    find = 0x4011f7
    avoid = (0x4011e9, 0x401140, 0x401123,)
    p = angr.Project("./bomb", load_options={'auto_load_libs': False})
    p.hook(read_num, custom_hook)
    state = p.factory.blank_state(
        addr=start, remove_options={simuvex.o.LAZY_SOLVES})
    pg = p.factory.path_group(state)
    pg.explore(find=find, avoid=avoid)
    found = pg.found[0].state
    return unpack('IIIIII', found.se.any_str(found.memory.load(stored_ints_addr, 24)))


def main():
    print("Flag 6:" + str(solve_flag_6()))


if __name__ == '__main__':
    # logging.getLogger('angr.path_group').setLevel(logging.DEBUG)
    main()
Use the script without threading, seems like you hit a problem with either z3 or claripy, I'll open a new issue for that.
from angr-doc.
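The script above uses the 2016-era angr API (simuvex, path_group, se.any_str), all of which has since been removed. The following is an added example, not the poster's script and not angr-doc's own example, that applies the same three fixes (argument order of memory.store, a correct two-argument SimProcedure returning 6, no LAZY_SOLVES) against the current angr API. It assumes angr and claripy are installed, that the same ./bomb binary is present, and reuses the addresses from the posted script, which are only valid for that binary. It differs from the posted script in two places: the symbolic ints are constrained to 1..6 (that is the range phase_6 itself checks) and the buffer address is carried in state.globals rather than a module-level global, so it stays attached to the state that actually reaches the target. The helpers decode_six_numbers and phase6_line are pure Python and do not need angr.

```python
import struct

# Addresses copied from the script posted in this thread; they belong to that
# particular bomb binary and must be re-derived for any other build.
PHASE6_START = 0x4010f4
READ_SIX_NUMBERS = 0x40145c
PHASE6_FIND = 0x4011f7                         # block reached only when the phase is defused
PHASE6_AVOID = (0x4011e9, 0x401140, 0x401123)  # blocks that call explode_bomb

N_INTS = 6
INT_BYTES = 4


def decode_six_numbers(raw):
    """Turn the 24 bytes read back from the hooked buffer into six ints.

    read_six_numbers stores little-endian 32-bit ints back to back, so the
    concrete buffer is unpacked with '<6I' (the posted script used 'IIIIII').
    """
    if len(raw) != N_INTS * INT_BYTES:
        raise ValueError("expected %d bytes, got %d" % (N_INTS * INT_BYTES, len(raw)))
    return struct.unpack("<%dI" % N_INTS, raw)


def phase6_line(ints):
    """The line you actually type into the bomb for phase 6."""
    return " ".join(str(i) for i in ints)


def solve_phase_6(binary="./bomb"):
    # angr/claripy are imported here so the pure helpers above stay usable
    # without angr installed (assumption: angr >= 8 API).
    import angr
    import claripy

    class ReadSixNumbers(angr.SimProcedure):
        # read_six_numbers(const char *line, int *out): sscanf's six ints
        # from `line` into `out` and returns the number of items matched.
        def run(self, line_ptr, out_ptr):
            for i in range(N_INTS):
                v = claripy.BVS("int%d" % i, INT_BYTES * 8, explicit_name=True)
                # phase_6 rejects any value outside 1..6 (unsigned compare),
                # so constrain the symbols the same way.
                self.state.add_constraints(v >= 1, v <= 6)
                # memory.store takes the address first, then the value.
                self.state.memory.store(out_ptr + i * INT_BYTES, v,
                                        endness=self.state.arch.memory_endness)
            # state.globals is copied along with the state on every step, so
            # the found state still knows where its own six ints live.
            self.state.globals["six_ints"] = out_ptr
            return claripy.BVV(N_INTS, self.state.arch.bits)

    p = angr.Project(binary, auto_load_libs=False)
    p.hook(READ_SIX_NUMBERS, ReadSixNumbers())
    # No LAZY_SOLVES: unconstrained memory accesses would otherwise be
    # silently accepted instead of being checked against the constraints.
    state = p.factory.blank_state(addr=PHASE6_START,
                                  remove_options={angr.options.LAZY_SOLVES})
    simgr = p.factory.simulation_manager(state)
    simgr.explore(find=PHASE6_FIND, avoid=PHASE6_AVOID)
    if not simgr.found:
        raise RuntimeError("no path to %#x; check the find/avoid addresses" % PHASE6_FIND)
    found = simgr.found[0]
    raw = found.solver.eval(
        found.memory.load(found.globals["six_ints"], N_INTS * INT_BYTES),
        cast_to=bytes)
    return decode_six_numbers(raw)


if __name__ == "__main__":
    print("Phase 6: " + phase6_line(solve_phase_6()))
```

If explore() returns with an empty found stash, the first things to check are the find/avoid addresses (a find block that is itself unreachable under the constraints looks exactly like the "infeasible path" mentioned later in this thread) and whether read_six_numbers is really being hit, which a print in run() will tell you.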
yup! sorry I did forget that! :)
from angr-doc.
Lesson learned: never write in a hurry.
Thank you guys.
from angr-doc.
Hello guys. I've noticed that "removing" the LAZY_SOLVES option still triggers the bug.
e.g. from this:
    state = p.factory.blank_state(
        addr=start, remove_options={simuvex.o.LAZY_SOLVES})
to this:
    state = p.factory.blank_state(addr=start)
from angr-doc.
Closing the issue again since it could be related to an infeasible path. My bad, sorry guys!
from angr-doc.