Angr can't find path to address unless extra constraints are added to the initial state
When running the following script on the unbreakable challenge from GoogleCTF 2016, no path to the specified address is found, even though one definitely exists. Angr does not say anything about unconstrained paths, so I don't know any reason why no path would be found.
```python
#!/usr/bin/env python2
import logging
import claripy
from angr import Project

input_size = 0x43
# fully symbolic argv[1] of input_size bytes
flag = claripy.BVS('flag', 8 * input_size)
p = Project('./unbreakable-enterprise-product-activation', load_options={'auto_load_libs': False})
state = p.factory.entry_state(args=[p.filename, flag])
pg = p.factory.path_group(state, veritesting=True)
# let libc string routines look at the whole symbolic buffer plus its terminator
state.libc.buf_symbolic_bytes = input_size + 1
# constrain only the 'CTF{' prefix
for a, b in zip('CTF{', flag.chop(8)):
    state.se.add(ord(a) == b)
state.se.simplify()
logging.getLogger('angr.path_group').setLevel(logging.DEBUG)
pg.explore(find=(0x400830,), avoid=(0x400850,))
f = pg.found[0]
print f.state.se.any_str(flag)
```
If I add in some more constraints on the input buffer, then a path is found to that address:
```python
#!/usr/bin/env python2
import logging
import claripy
from angr import Project

input_size = 0x43
flag = claripy.BVS('flag', 8 * input_size)
p = Project('./unbreakable-enterprise-product-activation', load_options={'auto_load_libs': False})
state = p.factory.entry_state(args=[p.filename, flag])
pg = p.factory.path_group(state, veritesting=True)
state.libc.buf_symbolic_bytes = input_size + 1
for a, b in zip('CTF{', flag.chop(8)):
    state.se.add(ord(a) == b)
# This for loop was added: every flag byte must be a printable, non-NUL character
for c in flag.chop(8):
    state.se.add(c > ord(' '))
    state.se.add(c < ord('~'))
state.se.simplify()
logging.getLogger('angr.path_group').setLevel(logging.DEBUG)
pg.explore(find=(0x400830,), avoid=(0x400850,))
f = pg.found[0]
print f.state.se.any_str(flag)
```
Issue Analytics
- State:
- Created 7 years ago
- Comments:5 (5 by maintainers)
Top GitHub Comments
It seems to be an issue with our memcpy simprocedure, which is used internally by strncpy. When the length is symbolic it will try to take the libc.maximum_buffer_size; if you set that value higher it works. I'm adding a warning and updating the memcpy simprocedure.
memcpy was easy to add a warning to. For strcpy we’d need to look at strlen. But in strlen it isn’t as easy. I’m not sure what a good condition would be for warning users. We could warn every time strlen is called on symbolic data, but maybe that’s too annoying
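The mechanism in the maintainer's reply, as an added pure-Python model that is not angr's own code: when strlen on the symbolic argument stays symbolic, strncpy's memcpy copies only up to the libc buffer cap, so the tail of the flag never reaches the check; a concrete strlen (every byte constrained non-NUL, as in the second script) or a raised cap lets the full buffer through. The default cap of 48 and the simplified simprocedure logic are assumptions; real angr differs in detail.

```python
# Added example, not angr's code: a simplified model of strlen -> strncpy -> memcpy.
# A byte is a concrete int or None (symbolic); `nonzero` holds indices of symbolic
# bytes constrained to be non-NUL (what the issue's second script adds).
INPUT_SIZE = 0x43
MAX_BUFFER_SIZE = 48  # assumed default of state.libc.max_buffer_size


def model_strlen(buf, nonzero):
    """Return (lo, hi) bounds on strlen(buf); the length is concrete iff lo == hi."""
    lo = None
    for i, b in enumerate(buf):
        if b == 0:                       # concrete terminator ends the scan
            return (i if lo is None else lo, i)
        if b is None and i not in nonzero and lo is None:
            lo = i                       # first byte that may be NUL: symbolic from here
    return (len(buf) if lo is None else lo, len(buf))


def model_memcpy(src, length, cap):
    """Concrete lengths copy fully; symbolic ones are capped at libc.max_buffer_size."""
    lo, hi = length
    if lo == hi:
        return list(src[:hi])
    return list(src[:min(hi, cap)])


def full_flag_reaches_check(flag, nonzero, cap=MAX_BUFFER_SIZE):
    """True if all INPUT_SIZE flag bytes survive the strncpy into the checked buffer."""
    argv = flag + [0]                    # entry_state() NUL-terminates the argument
    copied = model_memcpy(argv, model_strlen(argv, nonzero), cap)
    return len(copied) >= INPUT_SIZE


def symbolic_flag():
    return [ord(c) for c in 'CTF{'] + [None] * (INPUT_SIZE - 4)


def issue_script_1():          # only the 'CTF{' prefix constrained: tail is dropped
    return full_flag_reaches_check(symbolic_flag(), nonzero=set())


def issue_script_2():          # every byte constrained printable: strlen is concrete
    return full_flag_reaches_check(symbolic_flag(), nonzero=set(range(INPUT_SIZE)))


def maintainer_fix():          # raise the cap instead of adding constraints
    return full_flag_reaches_check(symbolic_flag(), nonzero=set(), cap=INPUT_SIZE + 1)


if __name__ == '__main__':
    print(issue_script_1(), issue_script_2(), maintainer_fix())  # False True True
```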