Various improved diagnostics

angr · Mar 28, 2024 · 05fa3f8 · 05fa3f8
1 parent f108838
commit 05fa3f8
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/rex/crash_tracer/dumb_tracer.py b/rex/crash_tracer/dumb_tracer.py
@@ -71,6 +71,10 @@ def _investigate_crash(self, r, testcase, channel, pre_fire_hook, delay=0):
             add_options=add_options
             )
 
+        proc = project.hooked_by(state.addr)
+        if proc is not None:
+            raise CrashTracerError(f"Cannot investigate crash inside {proc}")
+
         # taint the registers and then step one single instruction which is the crashing instruction
         # then we can use the taint to infer which register caused the crash
         # This assumes that the register value directly comes from the input
@@ -82,6 +86,8 @@ def _investigate_crash(self, r, testcase, channel, pre_fire_hook, delay=0):
 
         # step 2: step one single instruction
         block = state.block()
+        if block.size == 0 and block.vex.jumpkind == 'Ijk_NoDecode':
+            raise CrashTracerError(f"Crash seems to be at an undecodable instruction ({block.addr:#x})")
         insn = block.capstone.insns[0]
         insn_end = block.addr + insn.insn.size
         simgr = project.factory.simgr(state)
@@ -94,7 +100,7 @@ def _investigate_crash(self, r, testcase, channel, pre_fire_hook, delay=0):
             if act.type == 'mem':
                 break
         else:
-            raise CrashTracerError("There is no memory access in the last instruction" +
+            raise CrashTracerError("There is no memory access in the last instruction, " +
                                    "why does it crash?")
         for ast in act.addr.ast.leaf_asts():
             if ast.annotations:

diff --git a/rex/exploit/techniques/ret2libc.py b/rex/exploit/techniques/ret2libc.py
@@ -45,7 +45,7 @@ def _find_libs_system_addrs(self):
             addr = sym.rebased_addr
             # make sure it is executable, both system itself and plt are executable
             seg = self.rop.project.loader.find_segment_containing(addr)
-            if not seg.is_executable:
+            if seg is None or not seg.is_executable:
                 continue
 
             # make sure it does not have bad bytes