angr

angr is a platform-agnostic binary analysis framework. It is brought to you by the Computer Security Lab at UC Santa Barbara, SEFCOM at Arizona State University, their associated CTF team, Shellphish, the open source community, and @rhelmot.

Project Links

Homepage: https://angr.io

Project repository: https://github.com/angr/angr

Documentation: https://docs.angr.io

API Documentation: https://api.angr.io/en/latest/

What is angr?

angr is a suite of Python 3 libraries that let you load a binary and do a lot of cool things to it:

Disassembly and intermediate-representation lifting
Program instrumentation
Symbolic execution
Control-flow analysis
Data-dependency analysis
Value-set analysis (VSA)
Decompilation

The most common angr operation is loading a binary: p = angr.Project('/bin/bash') If you do this in an enhanced REPL like IPython, you can use tab-autocomplete to browse the top-level-accessible methods and their docstrings.

The short version of "how to install angr" is mkvirtualenv --python=$(which python3) angr && python -m pip install angr.

Example

angr does a lot of binary analysis stuff. To get you started, here's a simple example of using symbolic execution to get a flag in a CTF challenge.

import angr

project = angr.Project("angr-doc/examples/defcamp_r100/r100", auto_load_libs=False)

@project.hook(0x400844)
def print_flag(state):
    print("FLAG SHOULD BE:", state.posix.dumps(0))
    project.terminate_execution()

project.execute()

Quick Start

Install Instructions
Documentation as HTML and sources in the angr Github repository
Dive right in: top-level-accessible methods
Examples using angr to solve CTF challenges.
API Reference
awesome-angr repo

A question about the compile way of dir-gcc-O0 or ln_gcc_-O2?

I compile the source code of coretuils-8.25 with gcc -no-pie, and the size of dir is 562.1KB, which is more than twice of dir-gcc-O0.

More importantly, when I use the Reassembler module to assemble the file dir and compile the output, it gets errors.

The file dir is here
dir.zip

The errors as follow:

INFO    | 2020-04-23 15:34:22,151 | __main__ | /home/l1b0/Desktop/test_binaries/x86_64/dir
WARNING | 2020-04-23 15:34:22,636 | angr.state_plugins.symbolic_memory | The program is accessing memory or registers with an unspecified value. This could indicate unwanted behavior.
WARNING | 2020-04-23 15:34:22,636 | angr.state_plugins.symbolic_memory | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by:
WARNING | 2020-04-23 15:34:22,636 | angr.state_plugins.symbolic_memory | 1) setting a value to the initial state
WARNING | 2020-04-23 15:34:22,636 | angr.state_plugins.symbolic_memory | 2) adding the state option ZERO_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to make unknown regions hold null
WARNING | 2020-04-23 15:34:22,636 | angr.state_plugins.symbolic_memory | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_{MEMORY_REGISTERS}, to suppress these messages.
WARNING | 2020-04-23 15:34:22,636 | angr.state_plugins.symbolic_memory | Filling memory at 0x7fffffff with 8 unconstrained bytes referenced from 0x4047d5 (_start+0x5 in dir (0x4047d5))
WARNING | 2020-04-23 15:34:24,421 | angr.analyses.cfg.indirect_jump_resolvers.jumptable.JumpTableProcessor | unsupported operand type(s) for &: 'RegisterOffset' and 'int'
WARNING | 2020-04-23 15:34:24,473 | angr.analyses.cfg.indirect_jump_resolvers.jumptable.JumpTableProcessor | unsupported operand type(s) for &: 'RegisterOffset' and 'int'
WARNING | 2020-04-23 15:34:24,770 | angr.analyses.cfg.indirect_jump_resolvers.jumptable.JumpTableProcessor | unsupported operand type(s) for &: 'RegisterOffset' and 'int'
WARNING | 2020-04-23 15:34:24,865 | angr.analyses.cfg.indirect_jump_resolvers.jumptable.JumpTableProcessor | unsupported operand type(s) for &: 'RegisterOffset' and 'int'
WARNING | 2020-04-23 15:34:24,915 | angr.analyses.cfg.indirect_jump_resolvers.jumptable.JumpTableProcessor | unsupported operand type(s) for &: 'RegisterOffset' and 'int'
WARNING | 2020-04-23 15:34:26,637 | angr.state_plugins.symbolic_memory | Filling memory at 0x7ffffffffff0040 with 4 unconstrained bytes referenced from 0x4047bb (main+0x20eb in dir (0x4047bb))
Deprecation warning: Use self.model.nodes() instead of nodes
/home/l1b0/Desktop/test_binaries/x86_64/dir_new.s: Assembler messages:
/home/l1b0/Desktop/test_binaries/x86_64/dir_new.s:52657: 警告：end of file not at end of a line; newline inserted
/tmp/cczz8fMv.o：在函数‘.label_61’中：
(.text+0xb08)：对‘.label_2’未定义的引用
(.text+0xb0f)：对‘label_3’未定义的引用
/tmp/cczz8fMv.o：在函数‘.label_84’中：
(.text+0x172b)：对‘.label_2’未定义的引用
(.text+0x1732)：对‘label_3’未定义的引用
/tmp/cczz8fMv.o：在函数‘rpl_mktime’中：
(.text+0x12273)：对‘label_2005’未定义的引用
collect2: error: ld returned 1 exit status
Traceback (most recent call last):
  File "/media/l1b0/code/test_ramblr.py", line 116, in <module>
    ropDefense("/home/l1b0/Desktop/test_binaries/x86_64/dir")
  File "/media/l1b0/code/test_ramblr.py", line 103, in ropDefense
    compile_asm(bin_filepath, '_new', assembly_normal)
  File "/media/l1b0/code/test_ramblr.py", line 80, in compile_asm
    subprocess.check_call(compile_list)
  File "/usr/lib/python3.6/subprocess.py", line 291, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['gcc', '-z', 'noexecstack', '-no-pie', '/home/l1b0/Desktop/test_binaries/x86_64/dir_new.s', '-o', '/home/l1b0/Desktop/test_binaries/x86_64/dir_new']' returned non-zero exit status 1.
‘’‘

angr / binaries Goto Github PK

binaries's Introduction

angr

Project Links

What is angr?

Example

Quick Start

binaries's People

Contributors

Stargazers

Watchers

Forkers

binaries's Issues

Description

Steps to reproduce the bug

Environment

Additional context

Recommend Projects

Recommend Topics

Recommend Org