Awesome
Seida
Seida is a Symbolic Execution plugin for IDA.
Seida is C/S architecture:
- the server is responsible for providing the symbolic execution of the simulation environment.
- the client as IDA plugin.
Server
Before we can use the client-side plugin, we need to start the server first. For now we use angr as execution engine, we can replace it with any other engine later.
Create venv and install angr:
$ python -m venv venv
$ source venv/bin/activate
$ pip install angr
then we can start Seida Server inside venv:
$ python server.py init_script
SEIDA_SERVER_ADDR = "http://0.0.0.0:50052"
>
You also can input some simple python code in this server console(It's the same environment as the client side), e.g.:
> print(project.arch)
<Arch AARCH64 (LE)>
If you want write some complex code, you can write them in a script file and use load command to load it:
> load init_script
NOTE: you also can use
python server.py init_scriptto launch the server, it will auto loadinit_scriptat beginning.
Install
Before install plugin, you need to change SEIDA_SERVER_ADDR in serda.py first.
and then:
- As Script: use
File / Script file...in IDA to loadserda.py. - As Plugin: change
SEIDA_USE_AS_SCRIPTtoFalse, and then putserda.pyin the IDA/plugins folder.
Usage
When the plugin is installed, the following buttons will be added to the IDA toolbar:
- [start], start symbolic simulation execution from the current position.
- [step], step one instruction
- [stepb], step one basic block
- [stept], step to cursor position
Command
In addition to these buttons, Seida also provide some python commands, you can use them in IDA's Python console.
Load File
Before you can do anything, you need to load the file same as the current loaded by IDA.
$ seida.load(filepath, base_addr=0)
NOTE: If your server and client are not on the same machine, the
filepathfile is the file on the server, not on the client.
Dump Memory
$ seida.dump_memory(addr, size)
7fffffffffed870 f8 ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 |................|
7fffffffffed880 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
7fffffffffed890 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
7fffffffffed8a0 e8 ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 |................|
7fffffffffed8b0 f0 ff fe ff ff ff ff 07 4c 1b f2 00 00 00 00 00 |........L.......|
7fffffffffed8c0
Set Register
$ seida.set_reg(reg_name, val)
Hook Function
$ seida.hook_func(func_addr)
Run Script
Write a python script file:
x = claripy.BVS('x', 8 * 8) # symbolic heap memory
simulation.active[0].memory.store(0x00102c98, x, size=8)
NOTE: For more information about symbolic execution, please go to angr.
and then load this script:
$ seida.do_file(py_file_path)