How Can I execute a function in angr using concrete value?

Question

In Angr, I have a code like this

#include <stdio.h>  

typedef struct A_struct
{
    int data1;
    int data2;
} A;


void bar(A* a){
    a->data2 += 1;
}

void foo(A* a)  
{
    a->data1 += 1;
    bar(a);
}

int main()  
{  
    A a;
    a.data1 = 1;
    a.data2 = 2;
    foo(&a);
    printf("%d, %d\n", a.data1, a.data2);
    return 0;  
}

I compile the C code into Binary, and I want to use angr to execute function foo, how can I just execute the foo without executing the main? For Symbolic execution, how can I get the execution trace of structure A? For Concrete execution, If I set a as the memory section, how can I get the result of a?

I tried to use BVS as the parameter

import angr
import claripy

b = angr.Project('test_fun')
func_addr = b.loader.find_symbol('foo').rebased_addr
print(func_addr)
f = b.factory.callable(func_addr)
x = claripy.BVS('x', 64)
res = f(x)
print(res, type(res))

but the result is not what I want, the result is x_40_64, I don't know what is this. And I don't know how to pass some concrete memory as the parameter

lior · Accepted Answer · 2023-11-18 20:02:57Z

0

you are probably looking for the function project.factory.call_state, you can pass arguments to the function by passing positional arguments after the address argument. after that you can initialize a simulation manager with that state, and simulate it.

answered Nov 18, 2023 at 20:02

lior

261 silver badge7 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Devon · Accepted Answer · 2024-04-23 15:58:26Z

b = angr.Project('test_fun.o')
func_addr = b.loader.find_symbol('foo').rebased_addr
f = b.factory.callable(func_addr, prototype='void foo(uint64_t *a)')

data1 = 1
data2 = 2
packedstruct = (data2 << 32) | data1  # little endian
f(angr.PointerWrapper(packedstruct))

rdi = f.result_state.regs.rdi  # System V calling convention
print("data1 =", f.result_state.memory.load(rdi,   4).reversed.concrete_value) # ".reversed" for little endian
print("data2 =", f.result_state.memory.load(rdi+4, 4).reversed.concrete_value)

Not sure whether this is the best way but it works with this base64-encoded binary:

f0VMRgIBAQAAAAAAAAAAAAEAPgABAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAEAAAAAAAEAADAALAP9HBMP/B+v4AEdDQzogKEdOVSkgMTMuMi4xIDIwMjMwODAxAAAAAAAEAAAAIAAAAAUAAABHTlUAAgABwAQAAAAAAAAAAAAAAAEAAcAEAAAAAQAAAAAAAAAUAAAAAAAAAAF6UgABeBABGwwHCJABAAAQAAAAHAAAAAAAAAAEAAAAAAAAABAAAAAwAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAAAAAAAMAAQAAAAAAAAAAAAAAAAAAAAAADAAAABIAAQAAAAAAAAAAAAQAAAAAAAAAEAAAABIAAQAEAAAAAAAAAAQAAAAAAAAAAHRlc3RfZnVuLmMAYmFyAGZvbwAAAAAAIAAAAAAAAAACAAAAAgAAAAAAAAAAAAAANAAAAAAAAAACAAAAAgAAAAQAAAAAAAAAAC5zeW10YWIALnN0cnRhYgAuc2hzdHJ0YWIALnRleHQALmRhdGEALmJzcwAuY29tbWVudAAubm90ZS5HTlUtc3RhY2sALm5vdGUuZ251LnByb3BlcnR5AC5yZWxhLmVoX2ZyYW1lAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGwAAAAEAAAAGAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAACEAAAABAAAAAwAAAAAAAAAAAAAAAAAAAEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAnAAAACAAAAAMAAAAAAAAAAAAAAAAAAABIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAALAAAAAEAAAAwAAAAAAAAAAAAAAAAAAAASAAAAAAAAAAcAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAADUAAAABAAAAAAAAAAAAAAAAAAAAAAAAAGQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAABFAAAABwAAAAIAAAAAAAAAAAAAAAAAAABoAAAAAAAAADAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAXQAAAAEAAAACAAAAAAAAAAAAAAAAAAAAmAAAAAAAAABAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAFgAAAAEAAAAQAAAAAAAAAAAAAAAAAAAAGgBAAAAAAAAMAAAAAAAAAAJAAAABwAAAAgAAAAAAAAAGAAAAAAAAAABAAAAAgAAAAAAAAAAAAAAAAAAAAAAAADYAAAAAAAAAHgAAAAAAAAACgAAAAMAAAAIAAAAAAAAABgAAAAAAAAACQAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAUAEAAAAAAAAUAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAABEAAAADAAAAAAAAAAAAAAAAAAAAAAAAAJgBAAAAAAAAZwAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAA=

Collectives™ on Stack Overflow

How Can I execute a function in angr using concrete value?

2 Answers 2

Comments

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Related