Bomb CMU - Phase 6 - SimMemoryAddressError
Hello! I’m trying to solve phase 6 with angr but I get a lot of warnings like the following and angr actually never finishes the execution.
```
WARNING | 2016-12-21 23:09:53,895 | simuvex.vex.irsb | <SimIRSB 0x401176> hit an error while analyzing statement 3
SimMemoryAddressError: Unable to concretize address for load with the provided strategies.
```
What am I doing wrong?
This is the script I’ve done (still a WIP so some constraints are missing).
```python
import angr, logging, claripy, simuvex
from IPython import embed

class custom_hook(simuvex.SimProcedure):
    def run(self, addr):
        for i in range(6):
            bvs = claripy.BVS("int{}".format(i), 8*4*6, explicit_name=True)
            self.state.add_constraints(bvs.get_bytes(0, 4) >= 1, bvs.get_bytes(0,4) <= 6)
            self.state.memory.store(bvs, addr+i*4, endness=self.state.arch.memory_endness)
        return addr

def solve_flag_6():
    start = 0x4010f4
    read_num = 0x40145c
    find = 0x4011f7
    avoid = (0x4011e9, 0x401140, 0x401123,)
    p = angr.Project("./bomb", load_options={'auto_load_libs':False})
    p.hook(read_num, custom_hook)
    state = p.factory.blank_state(addr=0x4010f4)
    pg = p.factory.path_group(state, threads=4)
    pg.explore(find=find, avoid=avoid)
    print(pg)
    return 0

def main():
    print("Flag 6:" + str(solve_flag_6()))

if __name__ == '__main__':
    logging.getLogger('angr.path_group').setLevel(logging.DEBUG)
    main()
```
Thanks guys!
Issue Analytics
- State:
- Created 7 years ago
- Comments:6 (6 by maintainers)
Top GitHub Comments
Another thing @ocean1 didn’t mention is that your arguments to `self.state.memory.store` were incorrect. You said `store(bvs, addr + i * 4)`, but it should actually be `store(addr + i * 4, bvs)`.

Closing the issue again since it could be related to an unfeasible path. My bad, sorry guys!