
How to load external library and sync it?

Open SteinsGatep001 opened this issue 2 years ago • 4 comments

I use current_state.concrete.sync() to sync data from the gdb target, but the target's library did not sync. How can I load an external library and sync the library's memory into the angr project? I tried:

import angr

project = angr.Project("/squashfs-root/usr/sbin/httpd")
# load the library into the existing project; dynamic_load() returns the objects it mapped
project.loader.dynamic_load("/squashfs-root/usr/lib/libnvram.so")
# it works:
# [<ELF Object libnvram.so, maps [0x1500000:0x1522fdf]>,
# <ExternObject Object cle##externs, maps [0x1600000:0x16000e7]>]

It works! But when I use the simstate to step:

succ_path = current_path.copy().step()
_succ_path_active_states = succ_path.active

succ_path.active is empty, and succ_path.errored contains:

SimEngineError
State errored with "No bytes in memory for block starting at 0xf7f03ae4."

SteinsGatep001 avatar Jul 12 '22 08:07 SteinsGatep001

Here is my code:

	# needs: import time, import angr, import avatar2
	# ArmVMGDBConcreteTarget and ld_path come from elsewhere in the reporter's code and are not shown here
	_avatar_gdb_target = ArmVMGDBConcreteTarget(avatar2.archs.arm.ARM, self.TARGET_HOSTNAME, _host_gdbserver_port)
	self.target = '/tmp/squashfs-root/usr/sbin/httpd'
	force_load_libs = ['/tmp/squashfs-root/usr/lib/libnvram.so']
	_project = angr.Project(self.target, concrete_target=_avatar_gdb_target, ld_path=ld_path, use_sim_procedures=True)
	for _load_lib in force_load_libs:
		_project.loader.dynamic_load(_load_lib)  # map the library into angr's loader after project creation
	self._current_state = _entry_state = _project.factory.entry_state()
	self.run_concretly(["nvram_get"])  # run the concrete target until it breaks at nvram_get in libnvram
	self.sync_state()  # sync the angr state from the stopped gdb target
	_current_simgr = _project.factory.simgr(self._current_state.copy(), save_unconstrained=True, save_unsat=True)
	_succ_path = _current_simgr.copy().step()  # step() returns the simgr; its stashes hold the result
	# _succ_path.errored holds: No bytes in memory for block starting at 0xf7f03ae4.
	_succ_path_active_states = _succ_path.active  # empty
	
def sync_state(self, wait_time=1):
	"""
	Sync the angr state from the concrete target (gdbserver).
	:return:
	"""
	new_state = self._current_state
	# FIXME: wait for the target to halt
	time.sleep(wait_time)
	new_state.concrete.sync()
	self._current_state = new_state

SteinsGatep001 avatar Jul 13 '22 08:07 SteinsGatep001

I also tried _project = angr.Project('/tmp/squashfs-root/usr/lib/libnvram.so', concrete_target=_avatar_gdb_target, ld_path=ld_path, use_sim_procedures=True), but after _succ_path = _current_simgr.copy().step() it also failed. _succ_path.errored: <State errored with "No bytes in memory for block starting at 0xf77bbae4.">

SteinsGatep001 avatar Jul 13 '22 08:07 SteinsGatep001
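A check worth running before anything else, as an added example (not code from angr, angr-targets, or the reporter): the loader output pasted above shows dynamic_load() placing libnvram.so at 0x1500000, while both errored addresses (0xf7f03ae4, 0xf77bbae4) are in the 0xf7xxxxxx range where a dynamically loaded library typically sits in the concrete process. The script below parses a /proc/<pid>/maps excerpt from the target and the loader repr from the thread, reports which object covers the faulting address on each side, and builds the lib_opts dict that angr.Project (through cle.Loader) accepts alongside force_load_libs so the library is mapped at the process's base instead of one the loader picks. The maps text is constructed; the base 0xf7ef0000 for libnvram.so is an assumed value, the real one comes from the gdb session. gdb's `info proc mappings` prints a different layout and is not parsed here. angr also defines an option angr.options.SYMBION_SYNC_CLE meant to re-sync CLE with the concrete process's layout on sync(); the thread does not say whether it was tried.

```python
"""Added example: compare where angr mapped a library with where the concrete
process has it, and derive lib_opts for angr.Project(..., force_load_libs=[...],
lib_opts={...}). Not part of angr, angr-targets or the reporter's code.

MAPS_TEXT is a constructed /proc/<pid>/maps excerpt; 0xf7ef0000 as the base of
libnvram.so in the process is an assumed value.
"""
import re
from collections import namedtuple

Mapping = namedtuple("Mapping", "start end perms offset path")

# /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)
# angr loader object repr as pasted in the thread: <ELF Object libnvram.so, maps [0x1500000:0x1522fdf]>
_LOADER_RE = re.compile(r"<(\S+) Object (\S+), maps \[0x([0-9a-f]+):0x([0-9a-f]+)\]>")

LOADER_TEXT = ("[<ELF Object libnvram.so, maps [0x1500000:0x1522fdf]>, "
               "<ExternObject Object cle##externs, maps [0x1600000:0x16000e7]>]")
MAPS_TEXT = """\
00010000-00080000 r-xp 00000000 1f:02 1001       /usr/sbin/httpd
00090000-00091000 rw-p 00070000 1f:02 1001       /usr/sbin/httpd
f7ef0000-f7f13000 r-xp 00000000 1f:02 1002       /usr/lib/libnvram.so
f7f22000-f7f23000 rw-p 00022000 1f:02 1002       /usr/lib/libnvram.so
fffd0000-ffff0000 rw-p 00000000 00:00 0          [stack]
"""
FAULT_ADDR = 0xF7F03AE4  # address from the error message in the thread


def parse_proc_maps(text):
    """Parse /proc/<pid>/maps lines into Mapping tuples (unparseable lines are skipped)."""
    maps = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            maps.append(Mapping(int(m.group(1), 16), int(m.group(2), 16), m.group(3),
                                int(m.group(4), 16), m.group(5).strip()))
    return maps


def find_mapping(maps, addr):
    """Mapping of the concrete process that contains addr, or None."""
    return next((m for m in maps if m.start <= addr < m.end), None)


def library_bases(maps):
    """Base of every file-backed object: lowest start among its mappings at file offset 0."""
    bases = {}
    for m in maps:
        if m.path.startswith("/") and m.offset == 0:
            name = m.path.rsplit("/", 1)[-1]
            bases[name] = min(bases.get(name, m.start), m.start)
    return bases


def lib_opts_from_maps(maps, libs):
    """lib_opts dict for angr.Project / cle.Loader, e.g. {'libnvram.so': {'base_addr': 0xf7ef0000}}."""
    bases = library_bases(maps)
    return {name: {"base_addr": bases[name]} for name in libs if name in bases}


def parse_loader_objects(text):
    """(name, min_addr, max_addr) for each object in a pasted loader repr."""
    return [(m.group(2), int(m.group(3), 16), int(m.group(4), 16))
            for m in _LOADER_RE.finditer(text)]


def angr_object_covering(objects, addr):
    """Name of the angr-loaded object whose range contains addr, or None."""
    return next((name for name, lo, hi in objects if lo <= addr <= hi), None)


def diagnose(fault_addr, loader_text, maps_text):
    """Compare angr's mapping with the process's mapping at fault_addr."""
    objects = parse_loader_objects(loader_text)
    maps = parse_proc_maps(maps_text)
    proc = find_mapping(maps, fault_addr)
    lib = proc.path.rsplit("/", 1)[-1] if proc and proc.path.startswith("/") else None
    angr_base = next((lo for name, lo, _ in objects if name == lib), None)
    return {
        "angr_object": angr_object_covering(objects, fault_addr),  # None: angr has no bytes there
        "process_object": lib,                                      # what the process has there
        "process_base": library_bases(maps).get(lib),               # base to hand to lib_opts
        "angr_base": angr_base,                                     # base dynamic_load() chose
    }


if __name__ == "__main__":
    print(diagnose(FAULT_ADDR, LOADER_TEXT, MAPS_TEXT))
    print(lib_opts_from_maps(parse_proc_maps(MAPS_TEXT), ["libnvram.so"]))
```

With the constructed map, diagnose() reports that no angr object covers 0xf7f03ae4 while the process has libnvram.so there with base 0xf7ef0000 against angr's 0x1500000; the lib_opts dict it produces is what you would pass at project creation (angr.Project(binary, concrete_target=..., force_load_libs=[path], lib_opts={...})) so the bytes exist at the address the synced program counter points at.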

Can you try to step a few instructions into the concrete process (i.e., set a breakpoint at the beginning) and grab the concrete state?

degrigis avatar Jul 16 '22 18:07 degrigis

I can step a few instructions into the concrete process and grab the concrete state successfully (I checked in the GDB remote; the instructions are valid). But I failed to step via the step() function on a copy of the state.

SteinsGatep001 avatar Jul 24 '22 04:07 SteinsGatep001