andreafioraldi / angrgdb Goto Github PK

$ /bin/gdb -q ./angr_find
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/home/squ/.local/lib/python3.8/site-packages/angrgdb/__init__.py", line 6, in <module>
    from .debugger import *
  File "/home/squ/.local/lib/python3.8/site-packages/angrgdb/debugger.py", line 22, in <module>
    from angrdbg import *
  File "/home/squ/.local/lib/python3.8/site-packages/angrdbg/__init__.py", line 6, in <module>
    from .core import get_logger, StateShot, StateManager, get_registers
  File "/home/squ/.local/lib/python3.8/site-packages/angrdbg/core.py", line 14, in <module>
    from .memory_8 import SimSymbolicDbgMemory
  File "/home/squ/.local/lib/python3.8/site-packages/angrdbg/memory_8.py", line 17, in <module>
    from angr.storage.memory import SimMemory, DUMMY_SYMBOLIC_READ_VALUE
ModuleNotFoundError: No module named 'angr.storage.memory'
/home/squ/.gdbinit:6: Error in sourced command file:

seems like no memory module under storage?

$ python3 --version  
Python 3.8.10

$ pip show angr      
Name: angr
Version: 9.2.43

$ pip show angrdbg
Name: angrdbg
Version: 1.0.16

$ pip show angrgdb
Name: angrgdb
Version: 1.0.14

I have tried to run angrgdb on 2 PIE executables, and in both cases either
state = StateShot()
or
sm = StateManager()
yield an error of this type in gdb:
Program received signal SIGSEGV, Segmentation fault.
This sample executable is very simple:
https://crackmes.one/crackme/5c2acb8933c5d46a3882b8d4
no funny business in terms of anti-debug etc.

It can be solved with the angrgdb commands in gdb itself, but trying to source a python file yields the above error.

There is no easy way to use angr core module to add constraints to symbolic memory or even add a symbolic file to the state's filesystem.

After I have marked as symbolic, I can't access to symbolic variables with angrgdb.
I want to access from script to symbolic variables because I want to set a costraint to the symbolic variable.

Step to reproduce the bug (from this writeup: https://ctftime.org/writeup/10342)

1. Download the attachment from this CTF https://capturetheflag.withgoogle.com/#challenges/crypto-mitm
2. unzip it and run:
   gdb ./sftp
3. set breakpoint at offset 14e1 (for example, if base address is 0x8000000, execute b *0x80014e1) and run.
4. enter "yes"
5. insert "aaaaaaaaaaaaaaa" as password
6. when gdb hit the break, excute:
   angrgdb sim $rbx, 15
angrgdb find 0x800145c
angrgdb avoid 0x800145a
angrgdb shell

inside the shell:
>>> state = m.active[0]

Here is the error, I can't see the symbolic variable setted before:

>>> list(state.solver.get_variables()) []

The list is empty.

Hey guys... I just installed angrgdb with gdb 8.1 on ubuntu 18 and try to run the example but I have this:
gdb-peda$ angrgdb list
0x7fffffffe3c9 <100>
gdb-peda$ angrgdb find 0x00400607
gdb-peda$ angrgdb avoid 0x00400613
gdb-peda$ angrgdb run
(' >> to find:', '0x400607')
(' >> to avoid:', '0x400613')

running the exploration...
WARNING | 2021-01-28 01:42:26,367 | angr.exploration_techniques.explorer | Using unicorn with find/avoid conditions that are a lambda (not a number, set, tuple or list)
WARNING | 2021-01-28 01:42:26,368 | angr.exploration_techniques.explorer | Unicorn may step over states that match the condition (find or avoid) without stopping.
Traceback (most recent call last):
File "_ctypes/callbacks.c", line 315, in 'calling callback function'
File "/home/lab-test2/.local/lib/python2.7/site-packages/unicorn/unicorn.py", line 443, in _hook_mem_invalid_cb
return cb(self, access, address, size, value, data)
File "/home/lab-test2/.local/lib/python2.7/site-packages/angr/state_plugins/unicorn_engine.py", line 754, in _hook_mem_unmapped
ret = self._hook_mem_unmapped(uc, access, address, size, value, user_data, size_extension=False)
File "/home/lab-test2/.local/lib/python2.7/site-packages/angr/state_plugins/unicorn_engine.py", line 709, in _hook_mem_unmapped
ret = self._hook_mem_unmapped_core(uc, access, start, length, best_effort_read=best_effort_read)
File "/home/lab-test2/.local/lib/python2.7/site-packages/angr/state_plugins/unicorn_engine.py", line 846, in _hook_mem_unmapped_core
s = self.state.se.eval(d, cast_to=str)
File "/home/lab-test2/.local/lib/python2.7/site-packages/angr/state_plugins/solver.py", line 706, in eval
return self.eval_upto(e, 1, **kwargs)[0]
File "/home/lab-test2/.local/lib/python2.7/site-packages/angr/state_plugins/solver.py", line 689, in eval_upto
cast_vals = [self._cast_to(e, v, cast_to) for v in self._eval(e, n, **kwargs)]
File "/home/lab-test2/.local/lib/python2.7/site-packages/angr/state_plugins/solver.py", line 155, in concrete_shortcut_tuple
return f(self, *args, **kwargs)
File "/home/lab-test2/.local/lib/python2.7/site-packages/angr/state_plugins/sim_action_object.py", line 53, in ast_stripper
return f(*new_args, **new_kwargs)
File "/home/lab-test2/.local/lib/python2.7/site-packages/angr/state_plugins/solver.py", line 86, in wrapped_f
return f(*args, **kwargs)
File "/home/lab-test2/.local/lib/python2.7/site-packages/angr/state_plugins/solver.py", line 481, in _eval
return self._solver.eval(e, n, extra_constraints=self._adjust_constraint_list(extra_constraints), exact=exact)
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/frontend_mixins/concrete_handler_mixin.py", line 7, in eval
return super(ConcreteHandlerMixin, self).eval(e, n, **kwargs)
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/frontend_mixins/constraint_filter_mixin.py", line 40, in eval
return super(ConstraintFilterMixin, self).eval(e, n, extra_constraints=ec, **kwargs)
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/frontend_mixins/sat_cache_mixin.py", line 56, in eval
extra_constraints=extra_constraints, **kwargs
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/frontend_mixins/simplify_helper_mixin.py", line 13, in eval
return super(SimplifyHelperMixin, self).eval(e, n, *args, **kwargs)
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/frontend_mixins/constraint_expansion_mixin.py", line 12, in eval
**kwargs
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/frontends/composite_frontend.py", line 284, in eval
r = ms.eval(e, n, extra_constraints=extra_constraints, exact=exact)
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/frontend_mixins/sat_cache_mixin.py", line 56, in eval
extra_constraints=extra_constraints, **kwargs
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/frontend_mixins/model_cache_mixin.py", line 267, in eval
return tuple( r[0] for r in ModelCacheMixin.batch_eval(self, [e], n=n, **kwargs) )
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/frontend_mixins/model_cache_mixin.py", line 255, in batch_eval
asts, remaining, extra_constraints=constraints, **kwargs
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/frontends/full_frontend.py", line 120, in batch_eval
raise_from(ClaripyFrontendError("Backend error during batch_eval"), e)
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/utils/transition.py", line 8, in raise_from
exec('raise type(new_error), new_error, sys.exc_info()[2]')
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/frontends/full_frontend.py", line 117, in batch_eval
model_callback=self._model_hook
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/backends/init.py", line 479, in batch_eval
converted_exprs = [ self.convert(ex) for ex in exprs ]
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/backends/init.py", line 157, in convert
r = self._op_exprexpr.op
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/backends/backend_z3.py", line 64, in z3_condom
return f(*condom_args, **kwargs)
File "/home/lab-test2/.local/lib/python2.7/site-packages/claripy/backends/backend_z3.py", line 251, in BVV
raise BackendError("Z3 can't handle empty BVVs")
angr.errors.SimSolverModeError: ('Translated claripy error:', <class 'claripy.errors.ClaripyFrontendError'>, ClaripyFrontendError('Backend error during batch_eval',))
Python Exception <class 'angrgdb.commands.AngrGDBError'> angrdbg run: valid state not found after exploration:
Error occurred in Python command: angrdbg run: valid state not found after exploration

I think angr is trying to pass the empty buffer

    def put_bytes(self, addr, value):
        self.inferior.write_memory(addr, value)
        

Dear Andrea Fioraldi,
I'm trying to extend angrgdb for Android app debugging. We are debugging an Android app using a typical gdbserver on Android emulator. (In contrast with AngrIDA we have no IDA server or anything)
In angrgdb you have "stateShot" which returns an angr state from the current debugging session. What will happen when we want to do that in a remote debugging mode?
As I understand, If I want to connect angr to a debugger, I should implement abstracts from angrdbg.
What should I do with "beforeStateShot" in remote debugging mode?
I'm new in this field, but I will be happy if I can contribute angrgdb even a little.
Thanks in advance for your help and consideration

how would
angrgdb sim ($rbp-0x30) 30
translate into a python script statement?

I could figure out that
angrgdb sim $rax 100
is
sm.sim(sm["rax"], 100)
from your examples, but I can't find a guide for the syntax of what can go into
sm.sim()