Comments (5)
Above all, do you guys have any plan to open a forum to share knowledge? I find it very difficult to follow many different aspects of the symbolic execution. Besides it would be great to share some great techniques among researchers.
Much appreciated,
from angr-doc.
If you want angr to parse self-modifying code you need to initialize the project with support_selfmodifying_code=True.
On top of that, due to how angr works internally, your "check" function will only be called at the beginning of a basic block. The address you're looking for, 0x401010, isn't at the start of a basic block (according to VEX). You can see this by doing:
In [12]: project.factory.block(0x40100a).vex.pp()
IRSB {
t0:Ity_I8 t1:Ity_I8 t2:Ity_I8 t3:Ity_I32 t4:Ity_I32 t5:Ity_I32 t6:Ity_I32 t7:Ity_I32 t8:Ity_I32 t9:Ity_I32 t10:Ity_I32 t11:Ity_I1 t12:Ity_I32 t13:Ity_I32
00 | ------ IMark(0x40100a, 4, 0) ------
01 | t6 = GET:I32(ecx)
02 | t7 = GET:I32(ebx)
03 | t4 = Add32(t7,t6)
04 | t2 = LDle:I8(t4)
05 | t0 = Xor8(t2,0x9c)
06 | STle(t4) = t0
07 | PUT(cc_op) = 0x0000000d
08 | t8 = 8Uto32(t0)
09 | PUT(cc_dep1) = t8
10 | PUT(cc_dep2) = 0x00000000
11 | PUT(cc_ndep) = 0x00000000
12 | PUT(eip) = 0x0040100e
13 | ------ IMark(0x40100e, 2, 0) ------
14 | t9 = Sub32(t6,0x00000001)
15 | PUT(ecx) = t9
16 | t11 = CmpNE32(t9,0x00000000)
17 | if (t11) { PUT(eip) = 0x40100a; Ijk_Boring }
18 | ------ IMark(0x401010, 2, 0) ------
NEXT: PUT(eip) = 0x00401017; Ijk_Boring
}
(if you want to learn more about VEX, check out https://github.com/angr/angr-doc/blob/master/ir.md)
There are two things you can do: break at 0x401017, which is the beginning of the basic block that it jumps to, or break at 0x40100a, which is the beginning of that basic block. Then the breakpoint, at least, should work.
If you really need to break at that exact instruction, SimuVEX breakpoints are more granular, and let you break at specific instructions or whenever any conditions are met (i.e., some specific address being written to). You can read more about that at https://github.com/angr/angr-doc/blob/master/simuvex.md#breakpoints
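The comment above hinges on one fact: a `find` callback is evaluated against `state.addr`, which is always the start of a VEX basic block, so an address in the middle of a block (like 0x401010 here) never matches. The following is an added example, not code from the angr project or from the commenter. It parses the IMark and NEXT lines of the IRSB pretty-print shown above to work out where a block-level check can and cannot fire, and it reproduces the failing block-level check against a stand-in state object so the miss is visible without running angr. The `instruction_breakpoint` helper is assumed usage of the inspect API the comment links to (`state.inspect.b("instruction", ...)`) and is not executed here; the IRSB text is constructed from the comment's own output.

```python
import re
from typing import Callable, List, Tuple

# Constructed sample input: the IMark and NEXT lines of the IRSB printed in the
# comment above (project.factory.block(0x40100a).vex.pp()), trimmed to what the
# parser below needs.
SAMPLE_IRSB_PP = """\
IRSB {
   00 | ------ IMark(0x40100a, 4, 0) ------
   13 | ------ IMark(0x40100e, 2, 0) ------
   18 | ------ IMark(0x401010, 2, 0) ------
   NEXT: PUT(eip) = 0x00401017; Ijk_Boring
}
"""

# IMark(addr, length, delta) marks the start of each guest instruction in an IRSB.
IMARK_RE = re.compile(r"IMark\((0x[0-9a-fA-F]+),\s*(\d+),\s*\d+\)")
# "NEXT: PUT(eip) = <addr>" names the block's successor when it is a concrete constant.
NEXT_RE = re.compile(r"NEXT:\s*PUT\(\w+\)\s*=\s*(0x[0-9a-fA-F]+)")


def parse_imarks(pp: str) -> List[Tuple[int, int]]:
    """Return (address, length) for every instruction in a VEX IRSB pretty-print."""
    return [(int(addr, 16), int(length)) for addr, length in IMARK_RE.findall(pp)]


def block_start(pp: str) -> int:
    """Address of the first instruction: the only address a block-level check ever sees."""
    return parse_imarks(pp)[0][0]


def next_block(pp: str) -> int:
    """Address the block transfers to, read from its concrete NEXT target."""
    m = NEXT_RE.search(pp)
    if m is None:
        raise ValueError("IRSB has no concrete NEXT target")
    return int(m.group(1), 16)


def classify(pp: str, addr: int) -> str:
    """Explain why a block-level 'find' callback will or will not fire for addr."""
    marks = parse_imarks(pp)
    if addr == marks[0][0]:
        return "block_start"              # a find=check on state.addr can match
    if any(addr == a for a, _ in marks):
        return "inside_block"             # real instruction, but never a state.addr
    end = marks[-1][0] + marks[-1][1]
    if marks[0][0] < addr < end:
        return "not_instruction_boundary" # falls inside an instruction's bytes
    return "outside_block"


def suggested_find_addrs(pp: str, addr: int) -> List[int]:
    """Block starts at which a 'find' check could fire instead of addr itself:
    the containing block's start and the block it jumps to, as the comment suggests."""
    kind = classify(pp, addr)
    if kind == "block_start":
        return [addr]
    if kind == "inside_block":
        return [block_start(pp), next_block(pp)]
    return []


def make_block_check(target: int) -> Callable:
    """A find callback of the kind the question used; it only sees block-start addresses."""
    return lambda state: state.addr == target


def instruction_breakpoint(state, addr: int, action: Callable) -> None:
    """Assumed usage of the angr/SimuVEX inspect API (not exercised here): run
    'action' just before the instruction at addr, wherever it sits in its block."""
    import angr  # imported lazily so the rest of this file runs without angr installed
    state.inspect.b("instruction", when=angr.BP_BEFORE, instruction=addr, action=action)


if __name__ == "__main__":
    target = 0x401010
    stand_in = type("StandInState", (), {"addr": block_start(SAMPLE_IRSB_PP)})()
    print(hex(target), "is", classify(SAMPLE_IRSB_PP, target))
    print("block-level check fires when the block at 0x40100a is stepped:",
          make_block_check(target)(stand_in))
    print("break instead at:", [hex(a) for a in suggested_find_addrs(SAMPLE_IRSB_PP, target)])
```

Running the file reports that 0x401010 is `inside_block`, that the block-level check returns False when the state sits at 0x40100a, and that 0x40100a or 0x401017 are the block starts to use; for an exact-instruction stop the `instruction` inspect breakpoint is the tool, as the comment says.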
As for the forum, are you on #angr on freenode.net? That's the closest thing that we have at the moment...
Thanks heaps. I'm on freenode.net now. I will ask questions there from now on. salls already helped me on a couple of things. Knowing find callback gets invoked at the BBL level helps!
I'm trying to do some taint analysis aiming to identify the decryptor code and its associated encrypted block that gets decrypted. salls advised me to use 'TRACK_ACTION_HISTORY' for recording all taint info.
Thanks!