z3 - understanding the angr memory map -


i'm working on 1 of angr-doc challenges (https://github.com/angr/angr-doc/blob/2d45c9e6d9f91e83988719aa19940aec2cfd8747/examples/ekopartyctf2015_rev100/solve.py) in approach have situation:

mov     rdx, [rbp+var_150]; mov     rdx, [rdx]; mov     rdx, [rdx+8]; movsx   esi, byte ptr [rdx]

where need set esi symbolic (esi contains value).

i've tried this: 

#mov     rdx, [rbp+var_150] p1 = init_state.memory.load(init_state.regs.rbp-0x150, 8, endness=p.arch.memory_endness) #mov     rdx, [rdx] p2 = init_state.memory.load(p1, 8, endness=p.arch.memory_endness) #mov     rdx, [rdx+8] p3 = init_state.memory.load(p2+8, 8, endness=p.arch.memory_endness) #movsx   esi, byte ptr [rdx] r1 = init_state.memory.load(p3, 8, endness=p.arch.memory_endness)

but doesn't work also, i've tried set each pointer bitvector value (bvv), didn't work either.

what doing wrong?

i found solution. i've misunderstanding of memory layout. though memory symbolic, expecting access multiples ptr resolve "autmagicaly". fix problem creating bitvector values , storing in rpb-0x150, , in pointers. here example:

#mov     rdx, [rbp+var_150] ptr_v_2 = claripy.bvv(0xe000000000, 64) init_state.memory.store(init_state.regs.rbp-0x150, ptr_v_2) p3 = init_state.memory.load(init_state.regs.rbp-0x150, 8, endness=p.arch.memory_endness)  #mov     rdx, [rdx] ptr_v_1 = claripy.bvv(0xd000000000, 64) init_state.memory.store(p3, ptr_v_1) p2 = init_state.memory.load(p3, 8, endness=p.arch.memory_endness)  #mov     rdx, [rdx+8] ptr_v = claripy.bvv(0xc000000000, 64) init_state.memory.store(p2+8, ptr_v) p1 = init_state.memory.load(p2+8, 8, endness=p.arch.memory_endness)

now, i'm trying undestand how set memory sybolic


Comments

Post a Comment

Popular posts from this blog

asynchronous - C# WinSCP .NET assembly: How to upload multiple files asynchronously -

i using winscp .net assembly uploading files. want upload multiple files asynchronous way. have created method works single upload. public class uploadingdata { private sessionoptions _sessionoptions; private session _session; //connection etc private void onconnected() { foreach (var fileinfo in localfileslist) { var task = task.factory.startnew(() => uploadfilesasync(fileinfo)); } } private async task uploadfilesasync(string file) { string remotefilepath = _session.translatelocalpathtoremote(file, @"/", "/test_data_upload"); var uploading = _session.putfiles(file, remotefilepath, false); //when done await task.run(() => thread.sleep(1000)); } } please suggest me correct way. thanks you can use backgroundworker class this: string[] images = new string[50]; foreach (var path in images) { backgroundworker
Read more

aws api gateway - SerializationException in posting new Records via Dynamodb Proxy Service in API -

i getting "__type": "com.amazon.coral.service#serializationexception" as reply in postman & in test console in api gateway trying post record directly dynamodb using api proxy services.. referring aws article - https://aws.amazon.com/blogs/compute/using-amazon-api-gateway-as-a-proxy-for-dynamodb/ here's mapping { "tablename": "tablenamegoeshere", "item": { "id" : "$context.requestid" "eventname" : "$input.path('$.eventname')", "timestamp" : $input.path('$.timestamp'), "answers": "$util.parsejson($input.path('$.answers'))" } } update: did asked ... , worked if try add array of json objects gives me above same error - here's trying now. please - couldnt find on google well #set($inputroot = $input.path('$')) { "tablename": "answer", "item": {
Read more

asp.net - Problems sending emails from forum -

i have been redesigning site has message board, has been written guy looked after site. it has few problems , written in .asp , uses .mdb files database. you can see whole thing here . feel free post if helps, test thing have set using original files , new database. the basic problem when posts message, supposed email sent them, have posted it. when replies, originator supposed message, replier has been posted. i’d have thought @ point in process there should script/file in postmessage.asp? the postmessage.asp page below. <% option explicit %> <!-- #include virtual="common/adovbs.inc" --> <html> <head> <meta http-equiv="content-type" content="text/html; charset=windows-1252"> <meta name="generator" content="microsoft frontpage 4.0"> <meta name="progid" content="frontpage.editor.document"> <title>new page 2</title> <base target="_self"
Read more