Obtain the graph for SIMP

[frapik99]

Hi,
at the moment when I create a png for a graph if an SIMP is encountered the graph does not show all the call done but that SIMP. Is it possible to have the full graph even with the call made by the SIMPs? I think it would be useful in case a user has loaded all the shared object and wants to see whet happens in the SIMP thar could be function in the loaded shared objects

Thanks

[axt]

Do you use the plot_cfg function? It has a remove_imports parameter which defaults to True, and it will remove calls to SimProcedures from the graph. You can set it to False.

If you use bingraphvis directly and you see missing nodes/edges from a graph, then give me an example binary, where it is wrong, and I will have a look.

[frapik99]

@axt ,
so I have attached a zip file containing pngpixel and the relative cfg. As you will see for exampe png_create_info_struct does not have any leaf and it is grey. I have used the following code:

import angr
from angrutils import plot_cfg

def analyze(b, addr, name=None):
    start_state = b.factory.blank_state(addr=addr)
    start_state.stack_push(0x0)
    #cfg = b.analyses.CFGFast()
    cfg = b.analyses.CFGAccurate(fail_fast=True, starts=[addr], initial_state=start_state, context_sensitivity_level=2, keep_state=True, call_depth=100)
    for addr,func in proj.kb.functions.iteritems():
        if func.name == "func.name":
	    pass
    	    #plot_cfg(cfg, "%s_%s_full" % (name, func.name), asminst=True, vexinst=False, debug_info=False, remove_imports=False, remove_path_terminator=False)
            #plot_cfg(cfg, "%s_%s_cfg" % (name, func.name), asminst=True, vexinst=False, func_addr={addr:True}, debug_info=False, remove_imports=False, remove_path_terminator=False)

    #plot_cfg(cfg, "%s_cfg" % (name), asminst=True, vexinst=False, debug_info=False, remove_imports=True, remove_path_terminator=True)
    plot_cfg(cfg, "%s_cfg_full" % (name), asminst=True, vexinst=False, debug_info=False, remove_imports=False, remove_path_terminator=False)

if __name__ == "__main__":
    proj = angr.Project("../samples/pngpixel", load_options={'auto_load_libs':True})
    main = proj.loader.main_bin.get_symbol("main")
    analyze(proj, main.addr, "pngpixel")

png.zip

[axt]

If png_create_info_struct is grey, it means the libpng16.so.16 binary was not loaded, so that symbol was replaced with a ReturnUnconstrained SimProcedure.

I've placed the binary next to your executable, and created a CFG with context_sensitivity_level=0 which created a graph so big (~4000 nodes) what plot_cfg couldn't render into png in a reasonable time.

[frapik99]

@axt , I'm sorry but I tried again putting libpng16.so.16 in the same dir of the python script but I don't have a proper result. I have used the following code:

#! /usr/bin/env python

import angr
from angrutils import plot_cfg

def analyze(b, addr, name=None):
    start_state = b.factory.blank_state(addr=addr)
    start_state.stack_push(0x0)
    #cfg = b.analyses.CFGFast()
    cfg = b.analyses.CFGAccurate(fail_fast=True, starts=[addr], initial_state=start_state, context_sensitivity_level=0, keep_state=True, call_depth=100)
    for addr,func in proj.kb.functions.iteritems():
        if func.name == "png_create_info_struct":
	    print "Creating the graph"
	    #pass
    	    #plot_cfg(cfg, "%s_%s_full" % (name, func.name), asminst=True, vexinst=False, debug_info=False, remove_imports=False, remove_path_terminator=False)
            plot_cfg(cfg, "%s_%s_cfg" % (name, func.name), asminst=True, vexinst=False, func_addr={addr:True}, debug_info=False, remove_imports=False, remove_path_terminator=False)

    #plot_cfg(cfg, "%s_cfg" % (name), asminst=True, vexinst=False, debug_info=False, remove_imports=True, remove_path_terminator=True)
    #plot_cfg(cfg, "%s_cfg_full" % (name), asminst=True, vexinst=False, debug_info=False, remove_imports=False, remove_path_terminator=False)

if __name__ == "__main__":
    proj = angr.Project("../samples/pngpixel", load_options={'auto_load_libs':True})
    main = proj.loader.main_bin.get_symbol("main")
    analyze(proj, main.addr, "pngpixel")

I have attached the generated images... Thanks for your help
png.zip

[axt]

Are you using the latest angr?

I've attached my 'so' file, and the graph. Maybe try with this file, placed the same dir as the executable.

png.zip

[frapik99]

Hi,
yes I have updated to the latest angr and angr-utils but I still have the same empty image. I have also noticed that the sentence Creating the graph is printed twice. I'm not sure why... I cannot really see why I'm having this problem...

[frapik99]

So I have amended bingraphvis making it print the number of nodes from within generate function. For some reason png_create_info_struct is found twice and the first time there are 2 nodes and 1 edge, Instead for the second 0 nodes and 0 edge... I cannot really understand why.. I assume there are few problems with the cfg but I have generated it: cfg = b.analyses.CFGAccurate(fail_fast=True, starts=[addr], initial_state=start_state, context_sensitivity_level=0, keep_state=True, call_depth=100) Should I change something?

Thanks for your patience

[axt]

That is normal. One is the PLT entry, and the other is the SimProcedure. If you print .is_plt property of those two functions, for one it will be true and for the other it will be false.

Unfortunately I have no idea, why it doesn't loads the library for you, you should try to seek help for that issue from the official angr channels.