[angr] Question: How angr can generate concrete value in Symbolic Execution
andrew at andrewdutcher.com
Wed Oct 12 10:47:40 PDT 2016
p.state.posix.dumps(0) returns a concretization of the data from file
descriptor zero, stdin. You can dump stdout similarly with dumps(1).
This is a shorthand for a more complicated expression that loads the
symbolic data used as input to a program and calls
state.se.any_str(symbolic_data) on it in order to concretize it. The
state.se.any_* functions take symbolic data loaded from a state, and return
a concrete value that the data could possibly take.

For example, if you loaded a 32-bit little-endian integer from memory at
address 0x8000 (state.memory.load(0x8000, 4, endness='Iend_LE')), this
would be a symbolic bit-vector. To get a possible concretization of it, you
would call state.se.any_int() on it.

Hope this helps! Please let me know if you have any more questions.

On Wed, Oct 12, 2016 at 10:24 AM, Son Tuan VU <sontuan.vu119 at gmail.com> wrote:
> Hello all,
> I wonder if there's a way to retrieve a concrete value integer from a
> deadended stash? Let p be the deadended path. *p.state.posix.dumps(0)*
> only gives a string, while *p.state.se.any_int()* requires an argument
> that I don't really understand what it is.
> Thank you all for your help,
> Son Vu
> angr mailing list
> angr at lists.cs.ucsb.edu