I'm trying to use angr to explore possible execution states from a point in a program that I know will be reached. My program takes an optional text input file as an argument, which I am providing. I can't get the simulation manager to the known point.
Here's the technique I'm attempting to use: I wrote a function that returns true if the zeroth state in the active stash has an address equal to the address of my desired basic block. I'm providing that function in the until parameter of SimulationManager.step.
sim.step(until=at_continue)
From the docs: https://api.angr.io/angr#angr.sim_manager.SimulationManager.step
until – (DEPRECATED) If provided, should be a function that takes a SimulationManager and returns True or False. Stepping will terminate when it is True.
My angr script runs for a while (this basic block should be hit almost instantly), then eventually runs out of active states. I expected it to hit the block and stop. I've already verified by stepping through in radare2 that the block is hit in normal execution.
So there are two parts to my question:
- Why isn't my code working?
- Since until is deprecated, what's the new correct way to get this functionality?
Here's my minimum reproducible example: https://github.com/aerobinsonIV/angr-stepping-question
It's contrived, I know. My real application is pretty complicated, and I want to make this question generally applicable and easy to understand.
Thanks for your time reading this. Please let me know if there's anything I can add to make the question clearer. I might not have articulated it well because I'm not super experienced with angr.
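The following is an added example, not code from the question or its linked repository. It shows the two non-deprecated ways angr offers to stop at a known block, SimulationManager.explore(find=addr) and SimulationManager.run(until=...), and contrasts a predicate that only looks at active[0] with one that checks every active state: after a branch the state that reaches the block can sit at active[1], so an index-0 check returns False while the other state is stepped past the block and the stash eventually drains. BINARY, INPUT_PATH, TARGET_ADDR and the input bytes are placeholders (assumptions), and the binary is assumed to take one optional input-file argument, as in the question.

```python
"""Reaching a known basic block with angr's SimulationManager.

Added example, not code from the question or its linked repository.
BINARY, INPUT_PATH and TARGET_ADDR are placeholders (assumptions); the
binary is assumed to take one optional input-file argument.
"""
BINARY = "./target_binary"        # placeholder path to the binary
INPUT_PATH = "/tmp/input.txt"     # placeholder guest path of the input file
TARGET_ADDR = 0x401000            # placeholder address of the wanted block


def concrete_addr(state):
    """Return the state's instruction pointer, or None if it is symbolic."""
    try:
        return state.addr
    except Exception:  # angr raises when ip has no single concrete value
        return None


def first_state_at(simgr, addr):
    """Predicate that only inspects active[0] (the pattern in the question)."""
    return bool(simgr.active) and concrete_addr(simgr.active[0]) == addr


def any_state_at(simgr, addr):
    """Predicate that inspects every active state.

    After a branch the state that reaches `addr` may be active[1]; a
    predicate that only looks at active[0] then returns False, stepping
    continues, and the matching state is carried past the block.
    """
    return any(concrete_addr(s) == addr for s in simgr.active)


def make_simgr(binary, input_path, input_bytes):
    """Entry state with argv and a concrete SimFile for the input argument."""
    import angr  # imported here so the predicates above import without angr

    proj = angr.Project(binary, auto_load_libs=False)
    state = proj.factory.entry_state(args=[binary, input_path])
    # Back the guest path with concrete content so reads of the input file
    # are not left symbolic.
    state.fs.insert(input_path, angr.SimFile(input_path, content=input_bytes))
    return proj, proj.factory.simulation_manager(state)


def reach_with_explore(binary, input_path, input_bytes, target):
    """Preferred API: explore() checks every active state against `find`
    and parks matching states in the `found` stash."""
    _, simgr = make_simgr(binary, input_path, input_bytes)
    simgr.explore(find=target)
    return simgr.found[0] if simgr.found else None


def reach_with_run(binary, input_path, input_bytes, target):
    """run(until=...) is the replacement for the deprecated step(until=...)."""
    _, simgr = make_simgr(binary, input_path, input_bytes)
    simgr.run(until=lambda sm: any_state_at(sm, target))
    return next((s for s in simgr.active if concrete_addr(s) == target), None)


if __name__ == "__main__":
    found = reach_with_explore(BINARY, INPUT_PATH, b"hello\n", TARGET_ADDR)
    print("reached" if found is not None else "not reached")
```

With explore(), the state at the target ends up in simgr.found rather than simgr.active, so continue from simgr.found[0]; run(until=...) leaves it in active, which is why the example searches active for the matching address afterwards. If the block is never reached, both variants run until the active stash is empty, which is the behaviour described in the question.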