angr: Unsupported flag action ROL

I was testing the following assembly code compiled with fasm.

format PE

entry start

section '.text' code readable executable

start:
    mov ecx, 10

next:
    rol eax, 1
    loop next

check:
    cmp eax, 0xDEADC0DE
    jz success

failure:
    xor eax, eax
    ret

success:
    mov eax, 1
    ret

Basically, I want to find the initial value of eax such that after 10 rol eax, 1 operations its value would be 0xDEADC0DE. (The answer is 0x37B7AB70)

The disassembly of the code looks like this: [disassembly screenshot not reproduced]

and the script is as follows.

#!/usr/bin/python

import angr

def main():
    proj = angr.Project('test.exe')

    # Start at `start:` (0x401000) with a fully symbolic 32-bit eax
    initial_state = proj.factory.blank_state(addr=0x401000)
    r_eax = initial_state.se.BVS('eax', 32)
    initial_state.regs.eax = r_eax

    pg = proj.factory.path_group(initial_state, immutable=False)

    # find = `success:` (mov eax, 1), avoid = `failure:` (xor eax, eax)
    pg.explore(find=0x401013, avoid=0x401010)
    found_state = pg.found[0].state

    # Ask the solver for one concrete initial eax that reaches `success`
    print found_state.se.any_int(r_eax)

if __name__ == '__main__':
    main()

However, on running it I am getting the following error:

WARNING | 2016-03-22 20:38:46,984 | cle.pe | The PE module is not well-supported. Good luck!
ERROR   | 2016-03-22 20:38:47,076 | simuvex.vex.ccall | Unsupported flag action ROL

Is the rol instruction unsupported?

(The binary is provided for reference: https://drive.google.com/open?id=0B4nawd5TCX1cakhaLTROMW5XdXM)

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 15 (15 by maintainers)

Most upvoted comments

The problem is that having a conditional jump following an ROL operation is not supported by angr right now. It shouldn’t be difficult to add the support, we just need someone to write the code (~10 lines) in simuvex/s_ccall.py. That’s why I mentioned @zardus before, since he has a much better idea of that code than me.
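An added example (not the issue's script and not angr's code) that models the loop above at the bit level: every eax bit is tracked by name, which shows that the data path of `rol eax, 1` is a pure bit permutation with a unique preimage, while the CF label that the loop leaves behind is exactly the "flag action" the maintainer's comment says simuvex's ccall was missing for the `cmp`/`jz` that follows. The function names, the `TARGET`/`ROUNDS` constants and the bit-label tuples are my own assumptions.

```python
# Bit-level symbolic model of the fasm loop from the issue. Each eax bit is
# a label rather than a value, mirroring what a symbolic executor tracks.
# Constructed example: not angr's implementation and not the issue's script.

TARGET = 0xDEADC0DE   # value compared by `cmp eax, 0xDEADC0DE`
ROUNDS = 10           # `mov ecx, 10` ... `loop next`

def rol1_symbolic(bits):
    """One `rol eax, 1` over 32 bit labels (index 0 = LSB).
    Returns the rotated labels and the CF label; for ROL, CF is a copy
    of the bit rotated around, i.e. the LSB of the result."""
    new = [bits[31]] + bits[:31]
    return new, new[0]

def symbolic_loop(rounds=ROUNDS):
    """Run the loop with fresh input labels ('eax_in', i) for each bit.
    CF starts unconstrained ('cf_in',) and is only defined after a rol."""
    bits = [("eax_in", i) for i in range(32)]
    cf = ("cf_in",)
    for _ in range(rounds):
        bits, cf = rol1_symbolic(bits)
    return bits, cf

def solve_initial_eax(target=TARGET, rounds=ROUNDS):
    """Find the input eax that makes the final eax equal `target`.
    Since each output bit is exactly one input bit, the constraint
    system reduces to direct assignment with a unique solution."""
    out_bits, _ = symbolic_loop(rounds)
    eax_in = 0
    for pos, (_, src) in enumerate(out_bits):
        if (target >> pos) & 1:
            eax_in |= 1 << src
    return eax_in

def run_concrete(eax, rounds=ROUNDS):
    """Concrete re-execution of the loop to check a candidate solution.
    Returns (final eax, CF after the last rol)."""
    cf = 0
    for _ in range(rounds):
        eax = ((eax << 1) | (eax >> 31)) & 0xFFFFFFFF
        cf = eax & 1
    return eax, cf

if __name__ == "__main__":
    eax0 = solve_initial_eax()
    print(hex(eax0))                    # 0x37b7ab70
    print(hex(run_concrete(eax0)[0]))   # 0xdeadc0de
```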