Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Can angr ignore function calls?

See original GitHub issue

Example:

push eax
push ebx
call some_func
test eax, eax
jne 0xxxxx

I do not want angr to execute the some_func body, so angr can skip it?

thanks.

Issue Analytics

State:
Created 6 years ago
Comments:5 (3 by maintainers)

Top GitHub Comments

1reaction

schiebcommented, Oct 24, 2017

Obligatory warning that may not apply in your case: Depending on the calling convention, skipping function calls can result in the stack pointer becoming corrupted.

For example, in your example there are two pushes before the call. If the callee is responsible for cleaning up the stack (e.g., ret 8) then simply NOPing out the call instruction with an empty hook will cause the stack to become corrupt. The correct thing to do in that case is to stub the function with a SimProcedure while specifying the calling convention.

@rhelmot has some code that can help to automatically detect calling conventions. In particular it will attempt to determine the size of the stack that the callee will cleanup before returning. It is mostly helpful when stubbing functions in a Windows binary. It works very well. The only discrepancy I have had was for a function in a dll that takes one of two paths: It either returns to the caller, or calls a function that does not return. This is more of a CFG problem though.

0reactions

yangshouguocommented, Sep 15, 2020

You can also ignore all function calls by adding the CALLLESS state option. It’ll unconstrained the return value register, though. On Oct 24, 2017 10:22 AM, “Fish” notifications@github.com wrote: There are two ways to achieve your goal. - Hook the call some_func instruction with a hook (project.Hook()) with a length of the size of the call instruction. - Hook the some_func function with the ReturnUnconstrained stub SimProcedure. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#723 (comment)>, or mute the thread https://github.com/notifications/unsubscribe-auth/ADSzl4Ln90rGoHkgXhEdG1TfOydsspZZks5svfKQgaJpZM4QEeWw .

would you provide an example code?

Top Results From Across the Web

Handle function calls during static analysis in angr

On the research project I work on at SEFCOM, I use angr to statically analyse binary programs.

Analyzing Functions - Breaking Bits - GitBook

Calling functions to trace or find bugs angr provides a callable interface to either concretely or concolically run functions. The current documentation on...

Gotchas - angr Documentation

1. Disable the SimProcedure (you can exclude specific SimProcedures by passing options to the angr.Project class) ...

Program State - angr Documentation

This method will perform one step of symbolic execution and return an object called ... SimFile) # ignore that argument for now -...

Analysis and Coordination — angr 9.2.30 documentation

ignore_functions – A list of function names that, when imported from shared libraries, should never be stepped into in analysis (calls will return...