Hi angr team! I'm looking to do some simple binary analysis to get a listing of functions, and for each:

1. the name of the function
2. parameters and types, likely nested for structs, and more complex types
3. the register that parameter is intended for, per system V abi document
4. parsing of call sites
5. bonus some kind of exception parsing

Is this something you can do and point me to a good example? I'm currently using https://github.com/dyninst/dyninst for some of these things (except for 3. that is added / attempted separately) but I find it kind of bug laden and am hoping I could use Python to write the same. Thank you!

I get an error when using the unicorn engine for the analysis:

s = p.factory.blank_state(addr=0x401260, add_options=simuvex.o.unicorn, remove_options={simuvex.o.LAZY_SOLVES})

I installed Angr in a pypy virtualenv so had to install unicorn manually (not available in pip), but I tried several unicorn scripts and they work ok and when installing Angr, it finds it:

Requirement already satisfied (use --upgrade to upgrade): unicorn in /Users/alvaro/virtualenvs/angr_pypy/site-packages/unicorn-1.0-py2.7.egg (from simuvex->angr)

but when I select the unicorn engine I get the following error (add_options=simuvex.o.unicorn):

Traceback (most recent call last):
  File "app_main.py", line 75, in run_toplevel
  File "solve_rock_angr.py", line 40, in <module>
    print main()
  File "solve_rock_angr.py", line 25, in main
    pg.explore(find=0x401428, avoid=0x40186d)
  File "/Users/alvaro/virtualenvs/angr_pypy/site-packages/angr/path_group.py", line 806, in explore
    n=n)
  File "/Users/alvaro/virtualenvs/angr_pypy/site-packages/angr/path_group.py", line 830, in run
    return self.step(n=n, step_func=step_func, until=until_func, stash=stash)
  File "/Users/alvaro/virtualenvs/angr_pypy/site-packages/angr/path_group.py", line 520, in step
    pg = pg._one_step(stash=stash, selector_func=selector_func, successor_func=successor_func, check_func=check_func, **kwargs)
  File "/Users/alvaro/virtualenvs/angr_pypy/site-packages/angr/path_group.py", line 311, in _one_step
    r = self._one_path_step(a, successor_func=successor_func, check_func=check_func, **kwargs)
  File "/Users/alvaro/virtualenvs/angr_pypy/site-packages/angr/path_group.py", line 208, in _one_path_step
    successors = a.step(**kwargs)
  File "/Users/alvaro/virtualenvs/angr_pypy/site-packages/angr/path.py", line 337, in step
    self._make_sim_run(throw=throw)
  File "/Users/alvaro/virtualenvs/angr_pypy/site-packages/angr/path.py", line 368, in _make_sim_run
    self._run = self._project.factory.sim_run(self.state, **self._run_args)
  File "/Users/alvaro/virtualenvs/angr_pypy/site-packages/angr/factory.py", line 167, in sim_run
    r = SimUnicorn(state, stop_points=stops)
  File "/Users/alvaro/virtualenvs/angr_pypy/site-packages/simuvex/s_unicorn.py", line 29, in __init__
    self.state.unicorn.setup()
  File "/Users/alvaro/virtualenvs/angr_pypy/site-packages/simuvex/plugins/unicorn_engine.py", line 825, in setup
    self._uc_state = _UC_NATIVE.alloc(self.uc._uch, self.cache_key)
AttributeError: 'NoneType' object has no attribute 'alloc'

_UC_NATIVE seems to reference sim_unicorn.dylib in MacOS. Is this a simuvex library? I can only find libunicorn.dylib in my system.

Thanks, A

I want to extract use-def chain of memory addresses from a binary. angr uses VEX IR which is in SSA form, so extracting use-def chain shouldn't be hard. How can I do this? Any pointer is appreciated.

I would be happy to contribute back.

A common request is an easy (and clean) way to timeout symbolic exploration. I good beginner project for someone to get involved in angr would be to create this as an exploration technique.

When use 'b.analyses.CFG()', it promt "KeyError: 'x86_cr0'", where b = angr.Project('/bin/true'), why?

File "/root/.virtualenvs/angr/local/lib/python2.7/site-packages/pyvex-4.6.6.28-py2.7.egg/pyvex/block.py", line 70, in __init__
    1)
KeyError: 'x86_cr0'

Hi all In case I would need to generate a CFGAccurate with a context_sensitivity_level really high can I pickle an intermediate result, close the project in order to free the RAM, reload the saved object and restart from where I left?

Can I see a demo code?

Thanks

Using path.step(num_inst=1) on MIPS architecture causes incorrect results if branch is involved due to delay slots.

So consider a jal 0x00400770, followed by addu $at, $zero (essentially NOP). In binary, it would be b"\xDC\x01\x10\x0C\x21\x08\x20\x00".

Let's take them both and observe that the result is correct.

In [6]: pyvex.IRSB(b"\xDC\x01\x10\x0C\x21\x08\x20\x00", 0x4009FC, archinfo.ArchMIPS32()).pp()
IRSB {
   t0:Ity_I32 t1:Ity_I32 t2:Ity_I32 t3:Ity_I32

   00 | IR-NoOp
   01 | IR-NoOp
   02 | IR-NoOp
   03 | IR-NoOp
   04 | IR-NoOp
   05 | IR-NoOp
   06 | IR-NoOp
   07 | IR-NoOp
   08 | IR-NoOp
   09 | IR-NoOp
   10 | IR-NoOp
   11 | IR-NoOp
   12 | IR-NoOp
   13 | IR-NoOp
   14 | IR-NoOp
   15 | ------ IMark(0x4009fc, 4, 0) ------
   16 | PUT(ra) = 0x00400a04
   17 | t0 = 0x00400770
   18 | PUT(pc) = 0x00400a00
   19 | ------ IMark(0x400a00, 4, 0) ------
   20 | t2 = GET:I32(at)
   21 | t1 = Add32(t2,0x00000000)
   22 | PUT(at) = t1
   23 | PUT(pc) = t0
   24 | t3 = GET:I32(pc)
   NEXT: PUT(pc) = t3; Ijk_Call
}

Now, let's check them one by one:

In [5]: pyvex.IRSB(b"\xDC\x01\x10\x0C", 0x4009FC, archinfo.ArchMIPS32()).pp()
IRSB {
   t0:Ity_I32 t1:Ity_I32

   00 | IR-NoOp
   01 | IR-NoOp
   02 | IR-NoOp
   03 | IR-NoOp
   04 | IR-NoOp
   05 | IR-NoOp
   06 | IR-NoOp
   07 | IR-NoOp
   08 | IR-NoOp
   09 | IR-NoOp
   10 | IR-NoOp
   11 | IR-NoOp
   12 | IR-NoOp
   13 | IR-NoOp
   14 | IR-NoOp
   15 | ------ IMark(0x4009fc, 4, 0) ------
   16 | PUT(ra) = 0x00400a04
   17 | t0 = 0x00400770
   18 | PUT(pc) = 0x00400a00
   19 | t1 = GET:I32(pc)
   NEXT: PUT(pc) = t1; Ijk_Boring
}
In [8]: pyvex.IRSB(b"\x21\x08\x20\x00", 0x400A00, archinfo.ArchMIPS32()).pp()
IRSB {
   t0:Ity_I32 t1:Ity_I32 t2:Ity_I32

   00 | IR-NoOp
   01 | IR-NoOp
   02 | IR-NoOp
   03 | IR-NoOp
   04 | IR-NoOp
   05 | IR-NoOp
   06 | IR-NoOp
   07 | IR-NoOp
   08 | IR-NoOp
   09 | IR-NoOp
   10 | IR-NoOp
   11 | IR-NoOp
   12 | IR-NoOp
   13 | IR-NoOp
   14 | IR-NoOp
   15 | ------ IMark(0x400a00, 4, 0) ------
   16 | t1 = GET:I32(at)
   17 | t0 = Add32(t1,0x00000000)
   18 | PUT(at) = t0
   19 | PUT(pc) = 0x00400a04
   20 | t2 = GET:I32(pc)
   NEXT: PUT(pc) = t2; Ijk_Boring
}

Branch is lost.

I'm trying to understand the ddg.py analysis, and found multiple bugs in it.

My questions are:

• is it under internal changes, or may I send a pull-request with the fixes?
• should we discuss the bugs/changes here or with the pull request?

I'm not sure about the conception of fake_rets in the CFG, but I think I found an issue. To demonstrate this, here is the cfg for ais3_crackme:

This is the CFG generated by angr:

This is the CFG it should generate IMO:

The difference is only that in the second graph the 0x40060e -> 0x400618 fake_ret edge is not missing.

This is the check in CFGAccurate, that "removes" that edge:

        # Let's check whether this address has been traced before.
        if pending_exit_tuple in self._nodes:
            node = self._nodes[pending_exit_tuple]
            if node in self.graph:
                pending_exit_addr = self._simrun_key_addr(pending_exit_tuple)
                # That block has been traced before. Let's forget about it
                l.debug("Target 0x%08x has been traced before. " + "Trying the next one...", pending_exit_addr)
                return None

Can you please validate this issue?

import pyvex,archinfo pyvex.lift(b'\xe9\x2d\xd9\xf0', 0x1000, archinfo.ArchARM()).pp()

The result is:

IRSB {

NEXT: PUT(pc) = 0x00001000; Ijk_NoDecode } Vex can't lift? I am using angr int a docker image 'angr/angr'.

Hello guys, I have a question want to ask. If I have the information like this, <Path with 88 runs (at 0x410eca : /bin/ls)>. I do the symbolic execution on /bin/ls. I want to know the path from the begin of ls benchmark to the special node, like the example above,0x410eca, whether this can solve or not. I read the doc, and find the function, satisfiable(), in claripy. I think this function will return the boolean value to let me know whether one path can solve or not, but I'm not sure how to use it. Please help me to use it. I'm just a beginner on angr. Thank you all very much.

Description

Recently introduced code in angr >= v9.2.29 (9995e2958bb248bbfd2e30ecde0c20acd0ab5853) to split memory stores which use the Concat operation seems to result in the following error:

  ...
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/unwrapper_mixin.py", line 8, in store
    return super().store(_raw_ast(addr), _raw_ast(data),
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/name_resolution_mixin.py", line 54, in store
    return super().store(addr, data, size=size, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/bvv_conversion_mixin.py", line 25, in store
    super().store(addr, data_bv, size=size, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/simplification_mixin.py", line 11, in store
    super().store(addr, real_data, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/clouseau_mixin.py", line 41, in store
    super().store(addr, data,
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/actions_mixin.py", line 34, in store
    super().store(addr, data, size=size, action=action, condition=condition, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/underconstrained_mixin.py", line 27, in store
    super().store(addr, data, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/size_resolution_mixin.py", line 88, in store
    super().store(addr, data, size=size, condition=condition, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/size_resolution_mixin.py", line 47, in store
    super().store(addr, data, size=out_size, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/address_concretization_mixin.py", line 325, in store
    self._store_one_addr(addr, data, True, addr, condition, size, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/address_concretization_mixin.py", line 319, in _store_one_addr
    super().store(concrete_addr, data, size=size, condition=sub_condition, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/actions_mixin.py", line 74, in store
    return super().store(addr, data, action=action, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/conditional_store_mixin.py", line 17, in store
    super().store(addr, data, size=size, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/convenient_mappings_mixin.py", line 44, in store
    return super().store(addr, data, size=size, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/dirty_addrs_mixin.py", line 8, in store
    super().store(addr, data, size=size, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/paged_memory/paged_memory_mixin.py", line 186, in store
    sub_data, sub_data_base, sub_data_size = sub_gen.send(sub_size - written_size)
  File "/usr/local/lib/python3.8/dist-packages/angr/storage/memory_mixins/paged_memory/pages/cooperation.py", line 109, in _decompose_objects
    cur_data = data.args[start_offset].concat(*data.args[start_offset + 1:start_offset + size])
IndexError: tuple index out of range

data.args[start_offset] seems problematic, as args is a tuple of symbolic arguments, but it is being indexed by a memory offset.

Steps to reproduce the bug

Perform a memory store on an AST which involves a Concat operation on a state which uses paged memory; I think the object size must also be larger than the page size. For instance, st.memory.store(0xbe000000, claripy.Concat(claripy.BVS('foo', 3000 * 8), claripy.BVS('bar', 5000 * 8))) (where st is an angr.SimState) will reproduce the error if the page size is 4096 bytes.

Environment

My environment is somewhat noncompliant with recommended defaults due to conflicts with other packages in use:

• Installed without a virtual environment (in a Docker container).
• Unicorn version 2.0.0 is installed, which is incompatible with angr, but I am not using Unicorn mode.

I don't think these impact this issue, but let me know if it is not reproducible.

Output of python3 -m angr.misc.bug_report:

/usr/local/lib/python3.8/dist-packages/angr/misc/bug_report.py:1: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import imp
angr environment report                              
=============================                        
Date: 2023-01-02 01:31:40.160383                     
!!! running in global environment.  Are you sure? !!!
Platform: linux-x86_64
Python version: 3.8.10 (default, Nov 14 2022, 12:59:47)
[GCC 9.4.0]
######## angr #########
Python found it in /usr/local/lib/python3.8/dist-packages/angr
Pip version angr 9.2.31
Couldn't find git info
######## ailment #########
Python found it in /usr/local/lib/python3.8/dist-packages/ailment
Pip version ailment 9.2.31
Couldn't find git info
######## cle #########
Python found it in /usr/local/lib/python3.8/dist-packages/cle
Pip version cle 9.2.31
Couldn't find git info
######## pyvex #########
Python found it in /usr/local/lib/python3.8/dist-packages/pyvex
Pip version pyvex 9.2.31
Couldn't find git info
######## claripy #########
Python found it in /usr/local/lib/python3.8/dist-packages/claripy
Pip version claripy 9.2.31
Couldn't find git info
######## archinfo #########
Python found it in /usr/local/lib/python3.8/dist-packages/archinfo
Pip version archinfo 9.2.31
Couldn't find git info
######## z3 #########
Python found it in /usr/local/lib/python3.8/dist-packages/z3
Pip version z3-solver 4.10.2.0
Couldn't find git info
######## unicorn #########
Python found it in /usr/local/lib/python3.8/dist-packages/unicorn
Pip version unicorn 2.0.0
Couldn't find git info
######### Native Module Info ##########
angr: <CDLL '/usr/local/lib/python3.8/dist-packages/angr/state_plugins/../lib/angr_native.so', handle 1a3f8c0 at 0x7f9da666c640>
unicorn: <CDLL '/usr/local/lib/python3.8/dist-packages/unicorn/lib/libunicorn.so.2', handle 144b610 at 0x7f9dab70aeb0>
pyvex: <cffi.api._make_ffi_library.<locals>.FFILibrary object at 0x7f9dac3057c0>
z3: <CDLL '/usr/local/lib/python3.8/dist-packages/z3/lib/libz3.so', handle 18292d0 at 0x7f9dab647fa0>

Additional context

Downgrading to angr 9.2.28 mitigated the issue.

Please let me know if more information is required.

Description

Function strip_trailing_slashes , with source code:

bool
strip_trailing_slashes (char *file)
{
  char *base = last_component (file);
  char *base_lim;
  bool had_slash;

  /* last_component returns "" for file system roots, but we need to turn
     "///" into "/".  */
  if (! *base)
    base = file;
  base_lim = base + base_len (base);
  had_slash = (*base_lim != '\0');
  *base_lim = '\0';
  return had_slash;
}

is decompiled as:

int strip_trailing_slashes(unsigned long long a0, unsigned long a1, unsigned long a2, unsigned long a3)
{
    unsigned long v0;  // [bp-0x18]
    unsigned long v2;  // rax
    unsigned long long v3;  // r14
    char *v4;  // rax

    v0 = v2;
    v3 = a0;
    v4 = last_component(a0);
    *((char *)((*(v4) == 0? v3 : v4) + (unsigned long long)(unsigned int)base_len((*(v4) == 0? v3 : v4)))) = 0;
    return;
}

Two things I noticed: 1. the number of input arguments is not the same 2. no return variable, which is not matching with the function return type. For the return type, it looks like the disassembler of angr considers this function as a void function:

BTW, I am not sure whether the commits in #3698 can fix this. I will decompile again once the commit is merged into the master branch.

Steps to reproduce the bug

binary is attached basename.zip

Environment

No response

Additional context

No response

Description

Decompiling function "argmatch_to_argument", whose source code is as followed:

const char *
argmatch_to_argument (const void *value,
                      const char *const *arglist,
                      const void *vallist, size_t valsize)
{
  size_t i;

  for (i = 0; arglist[i]; i++)

    if (!memcmp (value, (char const *) vallist + valsize * i, valsize))
      return arglist[i];
  return NULL;
}

angr gives me the following decompiled code:

int argmatch_to_argument(void *a0, unsigned long long *a1, void *a2, unsigned int a3)
{
    unsigned long long v1;  // r13
    unsigned long long *v3;  // rbx
    unsigned long long v4;  // rax
    void *v5;  // r15
    unsigned long long v6;  // rax

    v1 = *(a1);
    if (!(*(a1) != 0))
    {
        v1 = 0;
        v6 = v1;
        return v6;
    }
    else if (bcmp(a0, a2, a3) != 0)
    {
        v5 = a2 + a3;
        v3 = &a1[1];
        while (true)
        {
            v1 = *(v3);
            if (*(v3) != 0)
            {
                v4 = bcmp(a0, v5, a3);
                v5 += a3;
                v3 = &v3[1];
                v6 = v1;
                return v6;
                v1 = 0;
                v6 = v1;
                return v6;
            }
        }
    }
    else
    {
        v6 = v1;
        return v6;
    }
}

Note that there are two return v6; in the while(true) loop. And it looks like the value of v4 = bcmp(a0, v5, a3);, which correspond to memcmp (value, (char const *) vallist + valsize * i, valsize) in the source code, is not used in the while(true) loop. the disassembled code:

Steps to reproduce the bug

binary is attached dd.zip

Environment

No response

Additional context

No response

Description

Decompiling function "set_quoting_style", whose source code looks like:

void
set_quoting_style (struct quoting_options *o, enum quoting_style s)
{
  (o ? o : &default_quoting_options)->style = s;
}

angr considers it as an int return function:

int set_quoting_style(unsigned long a0, unsigned long a1)
{
    *((unsigned int *)(a0 != 0? a0 : 4239984)) = a1;
    return (a0 != 0? a0 : 4239984);
}

I also note that ghidra can decompile its return type correctly, not sure how ghidra does it though:

void set_quoting_style(undefined1 *param_1,undefined4 param_2)

{
  if ((undefined4 *)param_1 == (undefined4 *)0x0) {
    param_1 = default_quoting_options;
  }
  *(undefined4 *)param_1 = param_2;
  return;
}

Steps to reproduce the bug

binary is attached: getlimits.zip

Environment

latest angr

Additional context

No response

Description

There are some problems that make it hard to develop extensions to SimMemView. I have looked into it while creating the debug variables state plugin, and now I have some suggestions:

• The SimMemView class is the state plugin, the interface to get a specific memory location. And a specific memory location is an instance of SimMemView, too. I think these two use cases don't use overlapping properties/methods, so it should be straight forward to make two distinct classes out of it.
• For accessing an array element of a memory location, it would be great if memview[i] worked. But memview's [i] expects an address not an array index, which makes sense for the state plugin. So one has to use memview.array(i) instead. Another argument to split the class into two.
• The central internal method for navigating through the memory is called ._deeper(...). This method seems to copy the current memview, with modified properties given as arguments to ._deeper(...). Maybe add some documentation (docstring/comments) stating that. I also can't make any sense out of the name "deeper", maybe rename the method into ._copy_with(...).
• Docstrings are missing for most of the methods/properties.
• SimDebugVariable is equalized with SimMemView now (#3691). I tried to make it a subclass of the memory location part of SimMemView. But that turned out to be much more work than expected, so I gave it up. I think the suggestions above could possibly help here.

Alternatives

No response

Additional context

No response