angr / angr-targets Goto Github PK

I use current_state.concrete.sync() to sync data from gdb target. But the library of the target didn't sync.
How can I load external library and sync the library memory to angr project?
I tried:

project = angr.Project("/squashfs-root/usr/sbin/httpd")
project.loader.dynamic_load("/squashfs-root/usr/lib/libnvram.so")
# it works
# [<ELF Object libnvram.so, maps [0x1500000:0x1522fdf]>,
# <ExternObject Object cle##externs, maps [0x1600000:0x16000e7]>]

It works!
But when I use simstate to step

succ_path = current_path.copy().step()
_succ_path_active_states = succ_path.active

succ_path.active is empty, and succ_path.errored:

SimEngineError
State errored with "No bytes in memory for block starting at 0xf7f03ae4."

As of pip version 19, there is no longer the option --process-dependency-links.

As I issued in #8
First I commented these three lines in /avatar2/protocols/gdb.py:
line:270

self._gdbmi = pygdbmi.gdbcontroller.GdbController()
#gdb_path=gdb_executable,
#gdb_args=gdb_args,
#verbose=True)

I used manual_concrete_packed_elf64.py file and pass the binary file that is available in angr-symbion blog. But the concrete execution is not sync to symbolic state... I don't know the changes that I have been done to that code was the reason or not, exploration can't find the symbolic path and I have avatar No memory range CRITICAL error.
ubuntu x86_64 python3.6 angr and angr-target successfully installed without problems.

shot:

Hi, I wrote a simple script to test my toy program in ida. It just concretely executes from entry point to 0x40146E (stage 1), then symbolically executes to 0x4014c3 (stage 2). I met a problem when concretely executing to 0x40146E in stage 1. It delivered the breakpoint 0x4014c3 and tried to remove the breakpoint. However, it failed to delete the breakpoint with idc.del_opt as the screenshot showed below.

I've checked the address in idc.del_opt was correct, and idapython worked fine with typing in idc.del_opt(0x4014c3) directly to the ida debug console.

My environment is:
OS: win10 64bits
Target: x86 PE
IDA 7.4.191011 + windbg debugger
Python 3.9.4

from idaapi import *
import angr
from angr_targets import IDAConcreteTarget

binary = 'C:\\Users\\frozenkp\\Documents\\sample\\simple_if\\simple_if.exe'

# Instantiating the ConcreteTarget
ida_target = IDAConcreteTarget()

# Creating the Project
p = angr.Project(binary, concrete_target=ida_target, use_sim_procedures=True)

# Getting an entry_state
entry_state = p.factory.entry_state()

# Forget about these options as for now, will explain later.
entry_state.options.add(angr.options.SYMBION_SYNC_CLE)
entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)      


print('[1] concrete execute to 0x40146E')
# Create a simulation manager to hold this exploration
simgr = p.factory.simgr(entry_state)
# Use Symbion!                                
simgr.use_technique(angr.exploration_techniques.Symbion(find=[0x40146e]))

exploration = simgr.run()
new_concrete_state = exploration.stashes['found'][0]



print('[2] symbolic execute to find 0x4014c3')
# Declaring a symbolic buffer
arg0 = claripy.BVS('arg0', 8*32)

# Setting the symbolic buffer in memory!
symbolic_buffer_address = new_concrete_state.regs.ebp-0xc
new_concrete_state.memory.store(symbolic_buffer_address, arg0)

simgr = p.factory.simgr(new_concrete_state)
exploration = simgr.explore(find=0x4014c3)

# Get our synchronized state back!
new_symbolic_state = exploration.stashes['found'][0]

print(new_symbolic_state.solve(arg0))

Ref angr/angr#2701

Description

Hi,
When I try running the following script :

import claripy
import angr
import logging
import avatar2
import subprocess
from angr_targets import AvatarGDBConcreteTarget
from IPython import embed

#logging.getLogger('angr').setLevel('ERROR')

base_addr = 0x0
GDB_SERVER_IP = "127.0.0.1"
GDB_SERVER_PORT = 1234
bin_path = "./test"
nb_chars = 32
bp_addr = 0x11e9

avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64, GDB_SERVER_IP, GDB_SERVER_PORT)
project = angr.Project(bin_path,main_opts={'base_addr':base_addr},concrete_target=avatar_gdb,use_sim_procedures=True)

state = project.factory.entry_state() #stdin='A'*(nb_chars-1)+'\n'

state.options.add(angr.options.SYMBION_SYNC_CLE)
state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)

simgr = project.factory.simgr(state)
simgr.use_technique(angr.exploration_techniques.Symbion(find=[bp_addr]))
concrete_res = simgr.run()
bp_state = concrete_res.stashes['found'][0]
print(bp_state)

embed()

the process seems to exit before reaching my "breakpoint". Here is the complete error trace :

File "/home/helldiner/Cyber/Projects/Angr Tests/solve.py", line 28, in <module>
    concrete_res = simgr.run()
  File "/usr/local/lib/python3.10/dist-packages/angr/sim_manager.py", line 345, in run
    self.step(stash=stash, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/exploration_techniques/symbion.py", line 54, in step
    return simgr.step(stash=stash, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/exploration_techniques/suggestions.py", line 43, in step
    simgr.step(stash=stash, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/misc/hookset.py", line 101, in __call__
    return self.func(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/sim_manager.py", line 454, in step
    successors = self.step_state(state, successor_func=successor_func, error_list=error_list, **run_args)
  File "/usr/local/lib/python3.10/dist-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/exploration_techniques/symbion.py", line 58, in step_state
    ss = self.successors(
  File "/usr/local/lib/python3.10/dist-packages/angr/exploration_techniques/__init__.py", line 109, in successors
    return simgr.successors(state, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/sim_manager.py", line 545, in successors
    return self._project.factory.successors(state, **run_args)
  File "/usr/local/lib/python3.10/dist-packages/angr/factory.py", line 76, in successors
    return engine.process(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/engines/engine.py", line 163, in process
    self.process_successors(self.successors, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/angr/engines/concrete.py", line 53, in process_successors
    self.to_engine(new_state, extra_stop_points, memory_concretize, register_concretize, timeout)
  File "/usr/local/lib/python3.10/dist-packages/angr/engines/concrete.py", line 144, in to_engine
    self.target.remove_breakpoint(stop_point)
  File "/usr/local/lib/python3.10/dist-packages/angr_targets/targets/avatar_gdb.py", line 110, in remove_breakpoint
    res = self.target.remove_breakpoint(address, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/avatar2/watchmen.py", line 78, in watchtrigger
    ret = func(self, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/avatar2/targets/target.py", line 33, in check
    raise Exception("%s() requested but Target is %s" %
Exception: remove_breakpoint() requested but Target is EXITED```

Note : The breakpoint is in my main function and I have to start gdbserver in another terminal because it won't expose my process without root rights for some reason.

### Steps to reproduce the bug

_No response_

### Environment

_No response_

### Additional context

_No response_

Hi. I just install the angr-targets and I want to use this:
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64, GDB_SERVER_IP, GDB_SERVER_PORT)

The full error texts is here:
Exception ignored in: <bound method GDBProtocol.del of <avatar2.protocols.gdb.GDBProtocol object at 0x7f2e606b75c0>>
Traceback (most recent call last):
File "/home/lab-test/.local/lib/python3.6/site-packages/avatar2/protocols/gdb.py", line 287, in del
self.shutdown()
File "/home/lab-test/.local/lib/python3.6/site-packages/avatar2/protocols/gdb.py", line 290, in shutdown
if self._communicator is not None:
AttributeError: 'GDBProtocol' object has no attribute '_communicator'
Traceback (most recent call last):
File "", line 1, in
File "/home/lab-test/Downloads/angr_targets/angr-targets/angr_targets/targets/avatar_gdb.py", line 23, in init
self.avatar.init_targets()
File "/home/lab-test/.local/lib/python3.6/site-packages/avatar2/avatar2.py", line 210, in init_targets
t[1].init()
File "/home/lab-test/.local/lib/python3.6/site-packages/avatar2/targets/gdb_target.py", line 47, in init
verbose=self._verbose_gdbmi)
File "/home/lab-test/.local/lib/python3.6/site-packages/avatar2/protocols/gdb.py", line 273, in init
verbose=verbose) # set to True for debugging
TypeError: init() got an unexpected keyword argument 'gdb_path'

I am using ubuntu 18 and try to pass that 'avatar_gdb' as a ConcreteTarget in angr.

install command pip install -e .

ERROR: HTTP error 404 while getting https://github.com/avatartwo/avatar2/tarball/master#egg=avatar2-1.1.1

If I use avatar_gdb.read_memory, I get a value from a concrete execution. But the state obtained using symbion, does not "redirect the read to the target" like I thought it would. E.g., state.memory.load does not result in the target doing a read. Is this expected? Was the memory load modified for the engine, but not for the direct "state.memory.load" method?

Looking at how Symbion handles syncing SimProcedure addresses, it appears it's not able to properly update them when the binary is PIC.

With that in mind, I'd propose adding another (perhaps optional) method to the Concrete class. Something like symbol_address. It would simply take in a symbol and, if the harness knew how to handle it, could get back either the resolved address for that symbol or None if not resolved.

This would both allow for using simprocs on pic code, and also take away the burden of needing to try to keep up with backend changes of how angr handles simproc registration and such.

It would be helpful to be able to install this via pip install angr-targets.

Description

I have a binary named "example_new" and I want to analyze it using symbion. However, I encountered the following issue. To facilitate comparison, I wrote two functions with the same processing logic. When I used AvatarGDBConcreteTarget, the code that used to run successfully now throws an error: "Stopped at unexpected location inside the concrete process: 0x7ffff7eda1f2"

Here is my code :

import subprocess
import logging

import angr
import claripy
import avatar2
from angr_targets import AvatarGDBConcreteTarget

logging.getLogger('angr').setLevel(logging.INFO)

GDB_SERVER_IP = '127.0.0.1'
GDB_SERVER_PORT = 9999

start_addr = 0x40129c
end_addr = 0x4012eb

def explore_binary_without_symbion(binary_path, initial_input, from_address, to_address):
    p = angr.Project(binary_path, load_options={'auto_load_libs': False})
    entry_state = p.factory.entry_state(args=[initial_input])
    simgr = p.factory.simgr(entry_state)
    simgr.use_technique(angr.exploration_techniques.Explorer(find=from_address))
    simgr.run()
    print(f'found state: {simgr.found}')
    assert(simgr.found[0].addr == from_address)


def explore_binary_with_symbion(binary_path, initial_input, from_address, to_address):
    subprocess.Popen(f"gdbserver {GDB_SERVER_IP}:{GDB_SERVER_PORT} '{binary_path}'", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
    avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64, GDB_SERVER_IP, GDB_SERVER_PORT)
    p = angr.Project(binary_path, concrete_target=avatar_gdb, use_sim_procedures=True)

    entry_state = p.factory.entry_state(args=[initial_input])
    simgr = p.factory.simgr(entry_state)
    simgr.use_technique(angr.exploration_techniques.Symbion(find=[from_address]))
    simgr.run()
    print(f'found state: {simgr.found}')

if __name__ == '__main__':
    binary_path = 'example_new'
    initial_input = 'fix:234'
    explore_binary_without_symbion(binary_path, initial_input, start_addr, end_addr)
    explore_binary_with_symbion(binary_path, initial_input, start_addr, end_addr)

Here is the error:

2024-03-28 16:16:26,816 | angr.sim_manager.INFO | Stepping active of <SimulationManager with 1 active>
CRITICAL | 2024-03-28 16:16:27,092 | angr.engines.concrete | Stopped at unexpected location inside the concrete process: 0x7ffff7eda1f2
2024-03-28 16:16:27,092 | angr.engines.concrete.CRITICAL | Stopped at unexpected location inside the concrete process: 0x7ffff7eda1f2
Traceback (most recent call last):
  File "/home/Fuzz/angr/symbion_usage.py", line 106, in <module>
    explore_binary_with_symbion(binary_path, initial_input, entry_addr, main_addr)
  File "/home/Fuzz/angr/symbion_usage.py", line 38, in explore_binary_with_symbion
    simgr.run()
  File "/home/angr/lib/python3.8/site-packages/angr/sim_manager.py", line 360, in run
    self.step(stash=stash, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/exploration_techniques/symbion.py", line 54, in step
    return simgr.step(stash=stash, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/exploration_techniques/suggestions.py", line 43, in step
    simgr.step(stash=stash, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/misc/hookset.py", line 101, in __call__
    return self.func(*args, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/sim_manager.py", line 469, in step
    successors = self.step_state(state, successor_func=successor_func, error_list=error_list, **run_args)
  File "/home/angr/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/exploration_techniques/symbion.py", line 58, in step_state
    ss = self.successors(
  File "/home/angr/lib/python3.8/site-packages/angr/exploration_techniques/__init__.py", line 109, in successors
    return simgr.successors(state, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/sim_manager.py", line 560, in successors
    return self._project.factory.successors(state, **run_args)
  File "/home/angr/lib/python3.8/site-packages/angr/factory.py", line 78, in successors
    return engine.process(*args, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/engines/engine.py", line 163, in process
    self.process_successors(self.successors, **kwargs)
  File "/home/angr/lib/python3.8/site-packages/angr/engines/concrete.py", line 53, in process_successors
    self.to_engine(new_state, extra_stop_points, memory_concretize, register_concretize, timeout)
  File "/home/angr/lib/python3.8/site-packages/angr/engines/concrete.py", line 151, in to_engine
    raise AngrError
angr.errors.AngrError

I am a beginner in angr and I referred to not_packed_elf64 to use symbion. The binary “example_new” requires external input from stdin, so I passed the args parameter in the code. However, I encountered the aforementioned error and I'm not sure what caused it or how to resolve it.

Steps to reproduce the bug

No response

Environment

Python: 3.8.10
Ubuntu: 20.04.6
GDB: 9.2
angr: 9.2.92

Additional context

No response

Hi,

I was using the example at https://github.com/angr/angr-doc/tree/master/examples/csaw_wyvern and wanted to try symbion out on it.

Here's the entire script

import angr
from angr_targets import *
import avatar2
import logging
import claripy
from IPython import embed

logging.getLogger("angr").setLevel(logging.INFO)

GDB_SERVER_IP = "127.0.0.1"
GDB_SERVER_PORT = 1234
binary_x64 = "./wyvern"

# Instantiating the ConcreteTarget
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64,
                                     GDB_SERVER_IP, GDB_SERVER_PORT)



# Creating the Project
p = angr.Project(binary_x64, concrete_target=avatar_gdb,
                             use_sim_procedures=True) #, main_opts={'base_addr':0x0})

# Getting an entry_state
entry_state = p.factory.entry_state()

# Forget about these options as for now, will explain later.
entry_state.options.add(angr.options.SYMBION_SYNC_CLE)
entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)      

simgr = p.factory.simulation_manager()

# Use Symbion!                                
simgr.use_technique(angr.exploration_techniques.Symbion(find=[0x000000000040E1FA]))
exploration = simgr.run()

st = exploration.stashes['found'][0]

flag_chars = [claripy.BVS('flag_%d' % i, 8) for i in range(28)]
flag = claripy.Concat(*flag_chars + [claripy.BVV(b'\n')])
for k in flag_chars:
    st.solver.add(k != 0)
    st.solver.add(k != 10)

symbolic_buffer_address = st.regs.rax

st.concrete.sync()

st.memory.store(symbolic_buffer_address, flag)

simgr = p.factory.simgr(st)

# while True:
#     simgr.step()
#     print(simgr)
# embed()
simgr.explore(find=0x000000000040E02C)
embed()

I get

In [3]: simgr.errored                                                                                                                                                                                                                       
Out[3]: [<State errored with "No bytes in memory for block starting at 0x7ffff7fe7bc0.">]

Note: I tried using use_sim_procedures=False and True. There were some libraries that it complained about like libgcc_s so I switched it to off to see what would happen.

Trying to create a gdb concrete target using AvatarGDBConcreteTarget(avatar2.archs.arm.ARM, 'localhost', port).

avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.arm.ARM, 'localhost', port)
p = angr.Project(target, concrete_target=avatar_gdb, use_sim_procedures=True)

But it shows that:

angr.project.CRITICAL | Concrete execution does not support yet the selected architecture. Aborting.

Should I add the concrete for this architecture myself or is there already another branch that supports this arch?

When use

simgr.use_technique(angr.exploration_techniques.Symbion(find=address_list, memory_concretize=memory_concretize,
                                                                register_concretize=register_concretize, timeout=timeout))

will you add condition for these address_list?

➜ angr-targets git:(master) python tests/disabled_gdb_target_linux.py
Traceback (most recent call last):
File "tests/disabled_gdb_target_linux.py", line 5, in
from angr_targets.segment_registers import *
ModuleNotFoundError: No module named 'angr_targets.segment_registers'

I cann't find the file.

Hi, I'm interested in the novel method symbion and have tested the demo. I want to use angr's symbolic execution to test a dynamic library (used by a tcp server), so I use symbion to synchronize the state after the server is initialized and dynamically load the library in the project (also add new memory backer). However, I find after synchronizion angr can not continue the execute the code in the address space of the library, showing "bytes can only be stored big-endian". Could you give me some suggestions?
Thank you.