Ponce
Ponce
Ponce
Ponce
Introduction
USAGE
Symbolic and Taint engines
Enable/Disable Ponce
Symbolize/Taint data
Solve conditions
Blacklisting library functions
Shortcuts
EXAMPLES
Symbolic engine
Taint engine
Negate & Inject
Negate, Inject & Restore
MISC
Ponce limitations
Building
FAQ
Debugging
Port to IDA version
Powered by GitBook

Symbolic and Taint engines

Ponce has two different engines:

  • Taint engine: This engine is used to determine at every step of the binary's execution which parts of memory and registers are controllable by the user input.

    This engine is more useful when you just want to see how user controlled data moves through a program.

    For example during exploit development you can use the taint engine to narrow down which functions of the binary are parsing the user controlled data.

    The taint engine is slighly faster and lightweight than the symbolic one.

  • Symbolic engine: This engine maintains a symbolic state of registers and part of memory at each step in a binary's execution path. And allows a user to get a solution for a specific condition.

    This engine is useful when there is a non straigh forward condition to solve in order to reach an area of code we are interested in.

    One example is CTF challenges that do some complex calculations and checks for a specific result.

Previous
Introduction
Next - USAGE
Enable/Disable Ponce
Last updated 9 months ago