[angr] Question: How angr can generate concrete value in Symbolic Execution

Andrew Dutcher andrew at andrewdutcher.com
Wed Oct 12 10:47:40 PDT 2016


Hello!

p.state.posix.dumps(0) returns a concretization of the data from file
descriptor zero, stdin. You can dump stdout similarly with dumps(1).

This is a shorthand for a more complicated expression that loads the
symbolic data used as input to a program and calls
state.se.any_str(symbolic_data) on it in order to concretize it. The
state.se.any_* functions take symbolic data loaded from a state, and return
a concrete value that the data could possibly take.

For example, if you loaded a 32-bit little-endian integer from memory at
address 0x8000 (state.memory.load(0x8000, 4, endness='Iend_LE')), this
would be a symbolic bit-vector. To get a possible concretization of it, you
would call state.se.any_int() on it.

Hope this helps! Please let me know if you have any more questions.
- Andrew

On Wed, Oct 12, 2016 at 10:24 AM, Son Tuan VU <sontuan.vu119 at gmail.com>
wrote:

> Hello all,
>
> I wonder if there's a way to retrieve a concrete value integer from a
> deadended stash? Let p be the deadended path. *p.state.posix.dumps(0)*
> only gives a string, while *p.state.se.any_int()* requires an argument
> that I don't really understand what it is.
>
> Thank you all for your help,
>
> Son Vu
>