
I am developing a static analysis automation tool to help me on CTFs. It would be nice for me to discover where a certain argument of certain functions is coming from (does it come from a writable section in the VAS, or does it come from .rodata?). I have only a need-to-know, superficial knowledge of angr; I tried to look at the documentation, and my approach would be to:

  1. Generate the CFG of the binary
  2. Get all the symbols of the binary and filter them for the functions I'm interested in
  3. Get to know from which address these symbols are being called
  4. Construct the basic block from the calling address and traverse the CFG backwards from it to find out how the corresponding register is being set

Is this the right approach? How would you implement this with angr?
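One way to implement the four steps above, as an added example that is not part of the original post and not angr's own sample code. The pure-Python helpers (`Section`, `Block`, `classify_address`, `find_register_def`, `describe_source`, `trace_argument`) hold the "walk backwards to the last writer of the register and classify its source" logic on a constructed mini-CFG, so they run without angr installed; `trace_calls_with_angr` wires them to angr's `CFGFast`, CLE's section table and the capstone disassembly of each node. Assumed: an x86-64 SysV binary with symbols, and that the argument of interest travels in a register. The search is a syntactic last-writer walk, not a full def-use analysis: a register written on only one of two incoming paths is reported from whichever path the breadth-first walk reaches first, and a value copied from another register or loaded from memory needs a second slice on that operand.

```python
# Added example for tracing where a call argument register was last set.
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Optional

# SysV x86-64 integer argument registers; index 0 is the first argument.
SYSV_ARG_REGS = ["rdi", "rsi", "rdx", "rcx", "r8", "r9"]


@dataclass
class Section:
    """A loaded section: virtual address range plus writability."""
    name: str
    start: int
    size: int
    writable: bool


@dataclass
class Block:
    """Minimal CFG node: address, (mnemonic, dst, src) tuples, predecessor blocks."""
    addr: int
    insns: list[tuple[str, str, str]]
    preds: list["Block"] = field(default_factory=list)


def classify_address(addr: int, sections: list[Section]) -> str:
    """Map an absolute address to 'writable:<sec>', 'read-only:<sec>' or 'unmapped'."""
    for s in sections:
        if s.start <= addr < s.start + s.size:
            return ("writable:" if s.writable else "read-only:") + s.name
    return "unmapped"


def find_register_def(start: Block, reg: str, preds: Callable[[Block], list[Block]],
                      max_depth: int = 32) -> Optional[tuple[int, tuple[str, str, str]]]:
    """Backward BFS over predecessors; return (block_addr, insn) of the nearest
    instruction whose destination operand is `reg`, or None if no writer is found
    within `max_depth` blocks (then the value most likely comes from the caller)."""
    seen = {start.addr}
    queue = deque([(start, 0)])
    while queue:
        blk, depth = queue.popleft()
        for insn in reversed(blk.insns):       # last writer in the block wins
            if insn[1] == reg:
                return blk.addr, insn
        if depth < max_depth:
            for p in preds(blk):
                if p.addr not in seen:
                    seen.add(p.addr)
                    queue.append((p, depth + 1))
    return None


def describe_source(insn: tuple[str, str, str], sections: list[Section]) -> str:
    """Classify the value written by `insn` (a constructed, deliberately small operand grammar)."""
    mnem, dst, src = insn
    if mnem == "xor" and dst == src:
        return "constant:0"
    if src.startswith("0x") or src.isdigit():   # immediate / lea'd absolute address
        return classify_address(int(src, 0), sections)
    if src.startswith("["):                      # pointer loaded from memory: slice the slot next
        return "memory-load:" + src
    return "register:" + src if src else "unknown"  # copied from a register: slice on it next


def trace_argument(call_block: Block, reg: str, preds: Callable[[Block], list[Block]],
                   sections: list[Section]) -> dict:
    """Step 4: from the calling block, find who set `reg` and where that value lives."""
    found = find_register_def(call_block, reg, preds)
    if found is None:
        return {"reg": reg, "def_block": None, "insn": None, "source": "not found (likely set by caller)"}
    addr, insn = found
    return {"reg": reg, "def_block": addr, "insn": insn, "source": describe_source(insn, sections)}


def trace_calls_with_angr(binary_path: str, target_funcs: list[str], arg_index: int = 0) -> list[dict]:
    """Steps 1-3 with angr, then step 4 via trace_argument. angr and capstone are
    imported here so the helpers above stay importable without them."""
    import angr
    from capstone.x86 import X86_OP_MEM, X86_REG_RIP

    proj = angr.Project(binary_path, auto_load_libs=False)
    cfg = proj.analyses.CFGFast(normalize=True)                              # step 1: CFG
    main = proj.loader.main_object
    sections = [Section(s.name, s.vaddr, s.memsize, s.is_writable) for s in main.sections]
    reg = SYSV_ARG_REGS[arg_index]
    cache: dict[int, Block] = {}

    def to_block(node) -> Block:                  # CFGNode -> Block, RIP-relative operands resolved
        if node.addr not in cache:
            insns = []
            for i in node.block.capstone.insns:
                ops = [o.strip() for o in i.op_str.split(",", 1)]
                dst, src = ops[0], (ops[1] if len(ops) > 1 else "")
                for op in i.operands:
                    if op.type == X86_OP_MEM and op.mem.base == X86_REG_RIP:
                        abs_addr = hex(i.address + i.size + op.mem.disp)
                        src = abs_addr if i.mnemonic == "lea" else f"[{abs_addr}]"
                insns.append((i.mnemonic, dst, src))
            cache[node.addr] = Block(node.addr, insns)
        return cache[node.addr]

    def preds(blk: Block) -> list[Block]:
        node = cfg.model.get_any_node(blk.addr)
        return [to_block(p) for p in node.predecessors] if node else []

    results = []
    for name in target_funcs:                                                # step 2: symbols
        sym = main.get_symbol(name)
        addr = main.plt.get(name) or (sym.rebased_addr if sym else None)     # imports call the PLT stub
        entry = cfg.model.get_any_node(addr) if addr else None
        for caller in (entry.predecessors if entry else []):                 # step 3: call sites
            r = trace_argument(to_block(caller), reg, preds, sections)       # step 4
            r.update(callee=name, call_site=hex(caller.addr))
            results.append(r)
    return results
```

Usage on a real binary would be `trace_calls_with_angr("./chall", ["printf", "system"], arg_index=0)`; each result names the call site, the block that last wrote `rdi`, and whether the value points into a read-only section, a writable one, or was copied from a register or memory slot that needs a further slice.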
