Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Pass argument of struct type to call_state()

See original GitHub issue

Hi, I want to make a calling state with an argument of struct type by calling proj.factory.call_state, but angr seems to replace the argument with the address of the argument before the calling. Here is the code:

typedef struct _A {
    int a;
    char b;
    short c;
    void* d;
    int e;
} A;

void func(A a) {
    // ...
}

I want to pass an argument with values (a=10, b=11, c=12, d=0x66666666, e=13) to func. And the following code I used didn’t work as I expected:

import angr

# loading binary
proj = angr.Project('bins/exe', load_options={
    'auto_load_libs': False,
    'main_opts': {
        'base_addr': 0
    }
})

# getting rebased address of func
func_addr = proj.loader.find_symbol('func').rebased_addr

# function definition
ty = angr.types.parse_defns('void foo(struct a {int a; char b; short c; void* d; int e; } x);')['foo']

cc = proj.factory.cc(ty=ty)

s = proj.factory.call_state(func_addr, (10, 11, 12, 0x66666666, 13), cc=cc, ret_addr=0x12345678)

and when I call s.stack_read, I got following data:

s.regs.esp               # 0x7ffeffe9

s.stack_read(0, 4)   # 0x12345678    ret_addr

s.stack_read(4, 4)   # 0x7ffefff1        the address of struct argument

s.stack_read(8, 4)   # 10                    a.a

s.stack_read(12, 4)   # 11                  a.b

but when I compile the source code with gcc 7.5.0 on 'unbuntu 18.04 x86, and I make a breakpointinfunc` to inspect the stack, then I got this

with nothing between ret_addr and the start of argument a.

There must be some mistakes I made while calling proj.factory.call_state, but I can’t figure out.

Issue Analytics

State:
Created 2 years ago
Comments:6 (3 by maintainers)

Top GitHub Comments

1reaction

rhelmotcommented, Dec 14, 2021

this has finally been resolved! see #2961. You may now use a dict (or a tuple, or a SimStructValue) to pass structs by value, provided you follow the new guidelines for providing function prototypes to call_state.

0reactions

tbbatbbcommented, Apr 1, 2021

Well, I found that angr do the same to arguments with type long long, it converts long long to pointers to long long as well, while it can handle double correctly, confusing.

Source code:

void func(char a, short b, int c, long long d, double e) {
    // ...
}

Python with angr:

p = angr.Project('exe', load_options={
     'auto_load_libs': False,
     'main_opts': {
         'base_addr': 0
     }
})

ty = angr.types.parse_defns('void foo(char a, short b, int c, long long d, double e);')['foo'] 

s = p.factory.call_state(0x567, 1,2,3,4,5, cc=p.factory.cc(func_ty=ty), ret_addr=0x66666666)

s.stack_read(0,4)     # ret_addr   <BV32 0x66666666>

s.stack_read(16,4)   # addr of d  <BV32 0x7ffefff8>

# as if there is not argument d
ty = angr.types.parse_defns('void foo(char a, short b, int c, double e);')['foo']              

s = p.factory.call_state(0x567, 1,2,3,4, cc=p.factory.cc(func_ty=ty), ret_addr=0x66666666)   

s.stack_read(16,8)   # e    <BV64 0x4010000000000000>

Top Results From Across the Web

Passing struct to function

This is how to pass the struct by reference. This means that your function can access the struct outside of the function and...

Documentation: 15: 38.10. C-Language Functions

It has three arguments: the argument of type HeapTupleHeader passed into the function, the name of the desired attribute, and a return parameter...

Method Parameters - C# Reference

In C#, arguments can be passed to parameters either by value or by reference. Remember that C# types can be either reference types...

Using the State Hook

If you write a function component and realize you need to add some state to it, ... The only argument to the useState()...

C Struct and Functions

Here, a struct variable s1 of type struct student is created. The variable is passed to the display() function using display(s1); statement. Return...