States

The states commands are used for manipulating and reading data from the various simulation manager stashes. The relevant commands can be listed as shown below.

[0x08048450]> Ms?
Getting help
| Ms[?]                 States list
| Msl <index>           List states
| Msi                   Print state stdin
| Mso                   Print state stdout
| Msk[?] <index|addr>   Kill state by index or address
| Msr[?] <index|addr>   Revive state by index or address
| Mss[?] <index|addr>   
| Mse <index|addr>      Extract single state and kill all others

Listing states

States can be listed with the Msl command.

[0x00400844]> Msl
Active states:
  0 0x4007e4
  1 0x4007e4
  2 0x4005a0
  3 0x40085f
  4 0x40087f
  5 0x4000050
  6 0x400844

Deadended states:
  0 0x4000050
  1 0x4000050
  2 0x4000050
  3 0x4000050
  4 0x4000050
  5 0x4000050
  6 0x4000050
  7 0x4000050

[0x00400844]>

States may be in either the active or deadended stashes.

Manipulating states

To optimize the exploration process it is useful to be able to kill in unwanted parts of the CFG. Some commands relevant to this include Msk (for killing states), Msr (for reviving states), Mse (for extracting states, or killing all states except for one), Mska (kill all states), and Msra revive all states. These commands can be used with indexes or addresses.

Here is an example of killing a state.

[0x004007e8]> Msl
Active states:
  0 0x4007e4
  1 0x4007e4
  2 0x4007e8

[0x004007e8]> Msk 2
[0x004007e4]> Msl
Active states:
  0 0x4007e4
  1 0x4007e4

Deadended states:
  0 0x4007e8

[0x004007e4]>

Reviving a state.

[0x004007e4]> Msl
Active states:
  0 0x4007e4
  1 0x4007e4

Deadended states:
  0 0x4007e8

[0x004007e4]> Msr 0x4007e8
[0x004007e8]> Msl
Active states:
  0 0x4007e4
  1 0x4007e4
  2 0x4007e8

Extracting a state (this is the state command I use the most often).

[0x004007e8]> Msl
Active states:
  0 0x4007e4
  1 0x4007e4
  2 0x4007e8

[0x004007e8]> Mse 2
[0x004007e8]> Msl
Active states:
  0 0x4007e8

Deadended states:
  0 0x4007e4
  1 0x4007e4

Reviving all states

[0x004007e8]> Msl
Active states:
  0 0x4007e8

Deadended states:
  0 0x4007e4
  1 0x4007e4

[0x004007e8]> Msra
[0x004007e4]> Msl
Active states:
  0 0x4007e8
  1 0x4007e4
  2 0x4007e4

Killing all states.

[0x004007e4]> Msl
Active states:
  0 0x4007e8
  1 0x4007e4
  2 0x4007e4

[0x004007e4]> Mska
[0x004007e4]> Msl
Deadended states:
  0 0x4007e8
  1 0x4007e4
  2 0x4007e4

Standard in/out

After exploring to some address, it may be useful to print the stdin/stdout for any state. This can be done using the Msi and Mso commands. An example of printing the input is below.

[0x00400844]> Msi
Active state 0 at 0x400844:
b'Code_Talkers\xf5\xf5\xf5\xf5\xf5\xf5\xf5\x00'
[0x00400844]>

And printing the output

[0x0040084e]> Mso
Active state 0 at 0x40084e:
Enter the password: Nice!

[0x0040084e]>
PreviousInitializationNextHooks

Last updated

Was this helpful?