Exploration

Modality contains a number of exploration commands. These can be listed with the Me? command.

[0x08048450]> Me?
Getting help
| Me[?]                 Explore using find/avoid comments
| Meu <addr>            Explore until address
| Meo <string>          Explore until string is in stdout

Currently there are only three options, but eventually all of the angr exploration methods and some variations will be included.

Exploring to a location

The simplest command to use is probably the Meu <addr|function> command. This command explores until a state reaches a specified address or function name. An example of exploring to the main address is shown below.

[0x08048450]> Meu main
[DEBUG] Starting exploration. Find: [0x80485c7]
WARNING | 2020-06-15 15:22:15,566 | angr.state_plugins.symbolic_memory | Filling register edi with 4 unconstrained bytes referenced from 0x80486b1 (__libc_csu_init+0x1 in 00_angr_find (0x80486b1))
WARNING | 2020-06-15 15:22:15,568 | angr.state_plugins.symbolic_memory | Filling register ebx with 4 unconstrained bytes referenced from 0x80486b3 (__libc_csu_init+0x3 in 00_angr_find (0x80486b3))
[DEBUG] Found 1 solutions
[0x080485c7]>

Exploring using find/avoid comments

The Me command explores using the addresses marked by the radare2 comments "find" or "avoid". An example is shown below.

The CC+ command adds a comment at that address, and the Me command is used to explore to it. Most of the time you'll use find/avoid addresses because you want to set multiple throughout the binary. It's often convienient to add these comments by pressing ; in the graph view.

Exploring using stdout

The Meo command explores until a state has a specified value in stdout. This is useful, for example, if you want to find the input for some CTF challenge that gets the binary to print "Sucess".

PreviousOverviewNextEmulation

Last updated

Was this helpful?