d0now · December 27, 2022 15:35
diff --git a/angr_traverse_paths.py b/angr_traverse_paths.py
 #!python3

 from angr import Project, SIM_PROCEDURES, options
 from angr.sim_manager import SimulationManager
 from angr.sim_state import SimState


 def main(args):
    
    project = Project(args.binary, load_options={
        'auto_load_libs': False
    })

    if args.exclude:
        do_nothing_proc = SIM_PROCEDURES['stubs']['ReturnUnconstrained']
        for do_nothing_addr in args.exclude:
            if args.add_mapped_base_to_path:
                do_nothing_addr += project.loader.main_object.mapped_base
            project.hook(do_nothing_addr, do_nothing_proc())

    if args.add_mapped_base_to_path:
        path = [p + project.loader.main_object.mapped_base for p in args.path]
    else:
        path = args.path

    initial_state = project.factory.blank_state(addr=path.pop(0), add_options={options.LAZY_SOLVES})

    simgr = project.factory.simulation_manager(initial_state)
    
    while path:
        
        next_addr = path.pop(0)
        
        while len(simgr.active) == 1:
            print("now: " + str(simgr.active))
            simgr.step()
        
        print("branch: " + str(simgr.active))
        simgr.move(from_stash='active', to_stash='unsat', filter_func=lambda s: s.addr != next_addr)

    print("done: " + str(simgr.active))


 if __name__ == '__main__':

    hexint = lambda x: int(x, 16)

    import argparse
    from pathlib import Path

    parser = argparse.ArgumentParser()
    parser.add_argument("binary", type=Path)
    parser.add_argument("-p", "--path", required=True, type=hexint, nargs='*')
    parser.add_argument("-e", "--exclude", type=hexint, nargs='*')
    parser.add_argument("-b", "--add-mapped-base-to-path", action='store_true')
    args = parser.parse_args()

    main(args)
	#!python3

	from angr import Project, SIM_PROCEDURES, options
	from angr.sim_manager import SimulationManager
	from angr.sim_state import SimState


	def main(args):

	project = Project(args.binary, load_options={
	'auto_load_libs': False
	})

	if args.exclude:
	do_nothing_proc = SIM_PROCEDURES['stubs']['ReturnUnconstrained']
	for do_nothing_addr in args.exclude:
	if args.add_mapped_base_to_path:
	do_nothing_addr += project.loader.main_object.mapped_base
	project.hook(do_nothing_addr, do_nothing_proc())

	if args.add_mapped_base_to_path:
	path = [p + project.loader.main_object.mapped_base for p in args.path]
	else:
	path = args.path

	initial_state = project.factory.blank_state(addr=path.pop(0), add_options={options.LAZY_SOLVES})

	simgr = project.factory.simulation_manager(initial_state)

	while path:

	next_addr = path.pop(0)

	while len(simgr.active) == 1:
	print("now: " + str(simgr.active))
	simgr.step()

	print("branch: " + str(simgr.active))
	simgr.move(from_stash='active', to_stash='unsat', filter_func=lambda s: s.addr != next_addr)

	print("done: " + str(simgr.active))


	if __name__ == '__main__':

	hexint = lambda x: int(x, 16)

	import argparse
	from pathlib import Path

	parser = argparse.ArgumentParser()
	parser.add_argument("binary", type=Path)
	parser.add_argument("-p", "--path", required=True, type=hexint, nargs='*')
	parser.add_argument("-e", "--exclude", type=hexint, nargs='*')
	parser.add_argument("-b", "--add-mapped-base-to-path", action='store_true')
	args = parser.parse_args()

	main(args)