I'm working on one of the angr-doc challenges (https://github.com/angr/angr-doc/blob/2d45c9e6d9f91e83988719aa19940aec2cfd8747/examples/ekopartyctf2015_rev100/solve.py) but in my approach I have this situation:
mov rdx, [rbp+var_150];
mov rdx, [rdx];
mov rdx, [rdx+8];
movsx esi, byte ptr [rdx]
where I need to set esi as symbolic (esi will be contains the value).
I've tried something like this:
#mov rdx, [rbp+var_150]
p1 = init_state.memory.load(init_state.regs.rbp-0x150, 8, endness=p.arch.memory_endness)
#mov rdx, [rdx]
p2 = init_state.memory.load(p1, 8, endness=p.arch.memory_endness)
#mov rdx, [rdx+8]
p3 = init_state.memory.load(p2+8, 8, endness=p.arch.memory_endness)
#movsx esi, byte ptr [rdx]
r1 = init_state.memory.load(p3, 8, endness=p.arch.memory_endness)
but it doesn't work Also, I've tried to set each pointer with a BitVector value (BVV), but it didn't work either.
what am I doing wrong?
I found a solution. I've a misunderstanding of the memory layout. I though that all memory was symbolic, then I was expecting that the access to multiples ptr was resolve "autmagicaly". I fix my problem creating a BitVector Values and storing it in rpb-0x150, and the in the pointers. here is the example:
#mov rdx, [rbp+var_150]
ptr_v_2 = claripy.BVV(0xe000000000, 64)
init_state.memory.store(init_state.regs.rbp-0x150, ptr_v_2)
p3 = init_state.memory.load(init_state.regs.rbp-0x150, 8, endness=p.arch.memory_endness)
#mov rdx, [rdx]
ptr_v_1 = claripy.BVV(0xd000000000, 64)
init_state.memory.store(p3, ptr_v_1)
p2 = init_state.memory.load(p3, 8, endness=p.arch.memory_endness)
#mov rdx, [rdx+8]
ptr_v = claripy.BVV(0xc000000000, 64)
init_state.memory.store(p2+8, ptr_v)
p1 = init_state.memory.load(p2+8, 8, endness=p.arch.memory_endness)
Now, I'm trying to undestand how to set all the memory sybolic