How can I execute a function in angr using a concrete value?


In Angr, I have a code like this

#include <stdio.h>  

typedef struct A_struct
{
    int data1;
    int data2;
} A;


void bar(A* a){
    a->data2 += 1;
}

void foo(A* a)  
{
    a->data1 += 1;
    bar(a);
}

int main()  
{  
    A a;
    a.data1 = 1;
    a.data2 = 2;
    foo(&a);
    printf("%d, %d\n", a.data1, a.data2);
    return 0;  
}  

I compile the C code into a binary, and I want to use angr to execute the function foo. How can I execute just foo without executing main? For symbolic execution, how can I get the execution trace of the structure A? For concrete execution, if I set a as a memory section, how can I get the result of a?

I tried to use a BVS as the parameter:

import angr
import claripy

# Load the compiled binary and look up foo's address (rebased_addr accounts for PIE relocation)
b = angr.Project('test_fun')
func_addr = b.loader.find_symbol('foo').rebased_addr
print(func_addr)
# callable wraps foo as a Python function: it builds a call state, runs foo to its return
# and hands back whatever is in the return register
f = b.factory.callable(func_addr)
# a 64-bit symbolic bitvector passed as foo's (pointer) argument
x = claripy.BVS('x', 64)
res = f(x)
print(res, type(res))

but the result is not what I want: the result is x_40_64, and I don't know what this is. I also don't know how to pass some concrete memory as the parameter.


1 answer


You are probably looking for the function project.factory.call_state. You can pass arguments to the function by passing positional arguments after the address argument. After that you can initialize a simulation manager with that state and simulate it.
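A worked version of that approach, added here as an example and not code from the question or the answer above. It assumes the question's test_fun binary was built for x86-64 Linux (so struct A is two little-endian 4-byte ints, 8 bytes total, and the pointer argument goes in rdi), and it parks the struct at STRUCT_ADDR, a hypothetical scratch address chosen for the example; any mapped, otherwise unused address would do. The concrete path writes the struct bytes into the call state's memory, runs foo to its return and reads the bytes back; the symbolic path stores two BVS fields instead and reads out the resulting expressions, which is the "trace" of A that foo produced. The pack/unpack helpers only need the standard library, so they run without angr installed.

```python
import struct

# Layout of struct A on x86-64: two 4-byte ints, little-endian, 8 bytes total.
A_FMT = "<ii"
A_SIZE = struct.calcsize(A_FMT)

# Hypothetical scratch address (an assumption of this example) where the
# struct is placed before foo is called.
STRUCT_ADDR = 0x7FF00000


def pack_a(data1, data2):
    """Serialize an A exactly as the compiled binary lays it out in memory."""
    return struct.pack(A_FMT, data1, data2)


def unpack_a(raw):
    """Parse 8 bytes of memory back into (data1, data2)."""
    return struct.unpack(A_FMT, raw)


def call_foo(binary, a_bytes, struct_addr=STRUCT_ADDR):
    """Start directly at foo (main is never executed), pass a pointer argument,
    run until foo returns, and hand back the final state.

    a_bytes may be concrete bytes or a claripy bitvector in memory order.
    """
    import angr  # imported here so the pack/unpack helpers work without angr

    proj = angr.Project(binary, auto_load_libs=False)
    foo_addr = proj.loader.find_symbol("foo").rebased_addr
    # Positional arguments after the address become foo's arguments per the
    # default calling convention; the first one lands in rdi.
    state = proj.factory.call_state(foo_addr, struct_addr)
    # Place the struct contents at the address we just passed as the pointer.
    state.memory.store(struct_addr, a_bytes)
    simgr = proj.factory.simulation_manager(state)
    # call_state installs a fake return address, so the path ends up in
    # `deadended` as soon as foo returns.
    simgr.run()
    if not simgr.deadended:
        raise RuntimeError("foo never returned; check for errored states")
    return simgr.deadended[0]


def run_concrete(binary, data1=1, data2=2):
    """Concrete execution: returns (data1, data2) as left in memory by foo."""
    final = call_foo(binary, pack_a(data1, data2))
    # memory.load with no endness returns the bytes in memory order.
    raw = final.solver.eval(final.memory.load(STRUCT_ADDR, A_SIZE), cast_to=bytes)
    return unpack_a(raw)


def run_symbolic(binary):
    """Symbolic execution: both fields are symbolic; returns the output
    expressions plus one concrete instance obtained by constraining the inputs."""
    import claripy

    d1 = claripy.BVS("data1", 32)
    d2 = claripy.BVS("data2", 32)
    # Build the struct in memory order: each little-endian int is byte-reversed.
    a_sym = claripy.Concat(d1.reversed, d2.reversed)
    final = call_foo(binary, a_sym)
    le = final.arch.memory_endness
    out1 = final.memory.load(STRUCT_ADDR, 4, endness=le)
    out2 = final.memory.load(STRUCT_ADDR + 4, 4, endness=le)
    sample = (
        final.solver.eval(out1, extra_constraints=[d1 == 1]),
        final.solver.eval(out2, extra_constraints=[d2 == 2]),
    )
    return out1, out2, sample


if __name__ == "__main__":
    print(run_concrete("test_fun", 1, 2))
    out1, out2, sample = run_symbolic("test_fun")
    print(out1, out2, sample)
```

With the question's binary, run_concrete("test_fun", 1, 2) reads the struct back after foo and bar have each incremented a field, and run_symbolic shows the two fields as expressions over data1 and data2 rather than a bare BVS like the x_40_64 the callable approach printed; passing the struct by pointer is what lets the effect of foo be observed at all, since foo returns void and the callable only reports the return register.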