Skip to content
This repository has been archived by the owner on Jan 6, 2025. It is now read-only.

How to load external library and sync it? #24

Open
SteinsGatep001 opened this issue Jul 12, 2022 · 4 comments
Open

How to load external library and sync it? #24

SteinsGatep001 opened this issue Jul 12, 2022 · 4 comments
Assignees
@degrigis

Comments

@SteinsGatep001
Copy link

SteinsGatep001 commented Jul 12, 2022
edited
Loading

I use current_state.concrete.sync() to sync data from gdb target. But the library of the target didn't sync.
How can I load external library and sync the library memory to angr project?
I tried:

project = angr.Project("/squashfs-root/usr/sbin/httpd")
project.loader.dynamic_load("/squashfs-root/usr/lib/libnvram.so")
# it works
# [<ELF Object libnvram.so, maps [0x1500000:0x1522fdf]>,
# <ExternObject Object cle##externs, maps [0x1600000:0x16000e7]>]

It works!
But when I use simstate to step

succ_path = current_path.copy().step()
_succ_path_active_states = succ_path.active

succ_path.active is empty, and succ_path.errored:

SimEngineError
State errored with "No bytes in memory for block starting at 0xf7f03ae4."
@SteinsGatep001 SteinsGatep001 mentioned this issue Jul 12, 2022
Closed
@SteinsGatep001
Copy link
Author

Here is my code

	_avatar_gdb_target = ArmVMGDBConcreteTarget(avatar2.archs.arm.ARM, self.TARGET_HOSTNAME, _host_gdbserver_port)
	self.target = '/tmp/squashfs-root/usr/sbin/httpd'
	force_load_libs = ['/tmp/squashfs-root/usr/lib/libnvram.so']
	_project = angr.Project(self.target, concrete_target=_avatar_gdb_target, ld_path=ld_path, use_sim_procedures=True)
	for _load_lib in force_load_libs:
		_project.loader.dynamic_load(_load_lib)
	self._current_state = _entry_state = _project.factory.entry_state()
	self.run_concretly(["nvram_get"]) # break at nvram_get in libnvram
	self.sync_state()
	_current_simgr = _project.factory.simgr(self._current_state.copy(), save_unconstrained=True, save_unsat=True)
	_succ_path = _current_simgr.copy().step()
	# _succ_path.errored will be No bytes in memory for block starting at 0xf7f03ae4.
	_succ_path_active_states = _succ_path.active
	
def sync_state(self, wait_time=1):
	"""
	sync state from concrete in gdbserver
	:return:
	"""
	new_state = self._current_state
	# FIXME wait target hang
	time.sleep(wait_time)
	new_state.concrete.sync()
	self._current_state = new_state

@SteinsGatep001
Copy link
Author

SteinsGatep001 commented Jul 13, 2022
edited
Loading

I also tried
_project = angr.Project('/tmp/squashfs-root/usr/lib/libnvram.so', concrete_target=_avatar_gdb_target, ld_path=ld_path, use_sim_procedures=True)
But after _succ_path = _current_simgr.copy().step(), it also failed:
_succ_path.erroed: <State errored with "No bytes in memory for block starting at 0xf77bbae4.">

@degrigis
Copy link
Member

degrigis commented Jul 16, 2022
edited
Loading

Can you try to step a few instructions into the concrete process (i.e., set a breakpoint at the beginning) and grab the concrete state?

@SteinsGatep001
Copy link
Author

I can step a few instruction into concrete process and grab the concrete state successfully(I checked in GDB remote, instructions are valid ). But I failed to use the step via step() function in copy of state.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@degrigis degrigis

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@degrigis @SteinsGatep001