
Adding constraint on flags in replacement solver?

Open Nixtron opened this issue 9 years ago • 5 comments

Hello again!

A while ago I asked about setting the flags register and got this answer: https://github.com/angr/simuvex/issues/31

Now I am wondering, can I create a constraint on the flags register? Or more specifically replace a symbolic flags register with a constant flags register using the replacement solver?

Thanks for a great tool and good support =)

Nixtron, Sep 20 '16 15:09

Yes you can, although I have never tried that, and I have no idea about any implication.

Let us know if it does not work as expected!

ltfish, Sep 20 '16 16:09

I have tried to set a replacement on state.regs.cc_dep1 to the value of eflags. I have also tried to have a replacement on state.regs.cc_op and also setting the value of cc_op directly. None of these seem to work, as the number of possible paths is not the same as when setting the eflags using the method in #31.

I am guessing the way of setting the eflags is a hackish solution that does not work with the replacement solver. Maybe there is some other way to set a replacement constraint on the eflags register?

Nixtron, Sep 23 '16 12:09

Sorry about the laggy response. We go through waves of being extremely swamped, and lately those waves have been overlapping with each other...

Can you paste your code that uses the replacement solver? The replacement solver only works on values, so if you add a replacement for the eflags, and they get updated, it is likely that your replacement will be useful (as it will be targeting the old value).

zardus, Oct 07 '16 05:10

I am sorry to say that I managed to lose the code I actually used. Basically when I set the eflags register I use

```python
state.regs.cc_dep1 = val
state.regs.cc_op = simuvex.vex.ccall.data[state.arch.name]['OpTypes']['G_CC_OP_COPY']
```

When I set replacements I use (this works well for other registers):

```python
state.se._solver.add_replacement(reg, new_val)
```

So what I have tried is different combinations of adding replacements and setting of the cc_* variables. I.e.:

```python
state.se._solver.add_replacement(state.regs.cc_dep1, val)
state.se._solver.add_replacement(state.regs.cc_op, simuvex.vex.ccall.data[state.arch.name]['OpTypes']['G_CC_OP_COPY'])
```

and

```python
state.se._solver.add_replacement(state.regs.cc_dep1, val)
state.regs.cc_op = simuvex.vex.ccall.data[state.arch.name]['OpTypes']['G_CC_OP_COPY']
```

and

```python
state.regs.cc_dep1 = val
state.se._solver.add_replacement(state.regs.cc_op, simuvex.vex.ccall.data[state.arch.name]['OpTypes']['G_CC_OP_COPY'])
```

Nixtron, Oct 10 '16 10:10

My guess is that the condition code pseudoregisters get overwritten before the place where you expect the replacement to make a difference. You can check this by setting a SimInspect hook on a register write (of the cc_dep1 register) after doing the replacement and seeing when it gets triggered.

zardus, Oct 11 '16 06:10
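The check zardus suggests, written out as an added example (not code from the thread or from the simuvex project): install a replacement on the current symbolic cc_dep1 AST, then watch every write to cc_dep1 so you can see whether the pseudoregister is clobbered afterwards, which would explain why the replacement never applies. It assumes the simuvex-era API names used in this thread (`state.inspect.b`, `simuvex.BP_BEFORE`, `state.arch.registers`, `state.se._solver.add_replacement`, `simuvex.vex.ccall.data`).

```python
# Added example; assumes the simuvex API of 2016 as referenced in this issue.
# simuvex is imported lazily so the helpers that need no state stay testable.

def cc_dep1_offset(state):
    """VEX register-file offset of cc_dep1 for the state's architecture."""
    offset, _size = state.arch.registers['cc_dep1']
    return offset

def make_cc_dep1_logger(log):
    """Build a SimInspect action that records each write to cc_dep1.

    `log` receives (address, written expression) tuples. Any entry that
    appears after the replacement was installed is a write that replaced
    the AST your replacement was keyed on, so the replacement no longer
    matches the register's current value."""
    def action(state):
        log.append((state.addr, state.inspect.reg_write_expr))
    return action

def watch_cc_dep1(state, log):
    """Fire `log` before every write to cc_dep1 (the check from the thread)."""
    import simuvex
    state.inspect.b('reg_write', when=simuvex.BP_BEFORE,
                    reg_write_offset=cc_dep1_offset(state),
                    action=make_cc_dep1_logger(log))

def pin_flags_via_replacement(state, val):
    """Replace the *current* symbolic cc_dep1 AST with the constant `val` and
    mark the flags as a plain copy, as the issue describes. Returns the AST
    that was replaced, so it can be compared against later writes."""
    import simuvex
    old_cc_dep1 = state.regs.cc_dep1
    copy_op = simuvex.vex.ccall.data[state.arch.name]['OpTypes']['G_CC_OP_COPY']
    state.regs.cc_op = copy_op
    state.se._solver.add_replacement(old_cc_dep1, val)
    return old_cc_dep1

# Usage sketch (needs a real simuvex state):
#   writes = []
#   old = pin_flags_via_replacement(state, val)
#   watch_cc_dep1(state, writes)
#   ... step the state; a non-empty `writes` list shows cc_dep1 was overwritten
```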