Evaluate memory contents

[LuciaMartinezGavier]

Question

Hello!

I have the following instruction in a binary:

add    (%rdi),%eax

I want to evaluate the memory content in the address dereferenced there (with some other constraints set for %eax).

After exploring with a simulation and finding the state "final_state", when I run final_state.regs.eax.variables I get

frozenset({'mem_8000000000000000_514_32'})

So I have the address and the size that I want to evaluate, (but this changes with every simulation)

But when I do the following

sym_var = final_state.solver.BVS('sym_var', 32)
final_state.memory.store(memory_addr, sym_var) # i get memory_addr parsing the final_state.regs.eax.variables
value = finding.solver.eval(sym_var)

Doesn't return the value I expected (returns 0).

My hypothesis is that the sym_var should be stored in memory before the simulation.explore(find=addr) but before that I don't know the address referenced by the rdi register.

I could just store the sym_var in the entry state using the content of the rdi register but I want to generalize this part of my program and I don't want to assume that the rdi register is being dereferenced, that's why I'm using the final_state.regs.eax.variables.

So the question is,
How can I evaluate the memory content pointed by rdi (without explicitly talking about rdi)?

Thank you!

[rhelmot]

Now, I have not actually evaluated any of the advice I'm about to give you, nor is it code that I have ever used myself. However!

It sounds like what you're looking for is the underconstrained symbolic execution feature. With this option, angr will allocate a new memory region for each unconstrained dereference, and constrain the pointer to point to this region. With this, you should be able to eval rdi at the program point you're interested in and find the memory address that angr is using to reason about rdi.

UCSE can be enabled via state option UNDER_CONSTRAINED_SYMEXEC.