
A powerful and user-friendly binary analysis platform!

Home Page: http://angr.io

License: BSD 2-Clause "Simplified" License


angr


angr is a platform-agnostic binary analysis framework. It is brought to you by the Computer Security Lab at UC Santa Barbara, SEFCOM at Arizona State University, their associated CTF team, Shellphish, the open source community, and @rhelmot.

Project Links

Homepage: https://angr.io

Project repository: https://github.com/angr/angr

Documentation: https://docs.angr.io

API Documentation: https://api.angr.io/en/latest/

What is angr?

angr is a suite of Python 3 libraries that let you load a binary and do a lot of cool things to it:

  • Disassembly and intermediate-representation lifting
  • Program instrumentation
  • Symbolic execution
  • Control-flow analysis
  • Data-dependency analysis
  • Value-set analysis (VSA)
  • Decompilation

The most common angr operation is loading a binary:

p = angr.Project('/bin/bash')

If you do this in an enhanced REPL like IPython, you can use tab-autocomplete to browse the top-level-accessible methods and their docstrings.

The short version of "how to install angr" is mkvirtualenv --python=$(which python3) angr && python -m pip install angr.

Example

angr does a lot of binary analysis stuff. To get you started, here's a simple example of using symbolic execution to get a flag in a CTF challenge.

import angr

project = angr.Project("angr-doc/examples/defcamp_r100/r100", auto_load_libs=False)

@project.hook(0x400844)
def print_flag(state):
    print("FLAG SHOULD BE:", state.posix.dumps(0))
    project.terminate_execution()

project.execute()

Quick Start


angr's Issues

KeyError: 'x86_cr0'

p=angr.Project('/home/xx/project/fake')
Traceback (most recent call last):
File "", line 1, in
File "/usr/local/lib/python2.7/dist-packages/angr/project.py", line 152, in __init__
self._simos.configure_project()
File "/usr/local/lib/python2.7/dist-packages/angr/simos.py", line 125, in configure_project
super(SimLinux, self).configure_project()
File "/usr/local/lib/python2.7/dist-packages/angr/simos.py", line 42, in configure_project
self.proj.loader.perform_irelative_relocs(irelative_resolver)
File "/usr/local/lib/python2.7/dist-packages/cle-4.5.11.23-py2.7.egg/cle/loader.py", line 704, in perform_irelative_relocs
val = resolver_func(resolver)
File "/usr/local/lib/python2.7/dist-packages/angr/simos.py", line 31, in irelative_resolver
val = resolver()
File "/usr/local/lib/python2.7/dist-packages/angr/surveyors/caller.py", line 41, in call_get_return_val
return self.get_call_results(*args)[0]
File "/usr/local/lib/python2.7/dist-packages/angr/surveyors/caller.py", line 74, in get_call_results
caller_end_unpruned = caller.step(until=lambda pg: len(pg.active) == 0, step_func=step_func if self._concrete_only else None).unstash(from_stash='deadended')
File "/usr/local/lib/python2.7/dist-packages/angr/path_group.py", line 536, in step
pg = pg._one_step(stash=stash, selector_func=selector_func, successor_func=successor_func, check_func=check_func, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/angr/path_group.py", line 342, in _one_step
r = self._one_path_step(a, successor_func=successor_func, check_func=check_func, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/angr/path_group.py", line 287, in _one_path_step
successors = a.step(**kwargs)
File "/usr/local/lib/python2.7/dist-packages/angr/path.py", line 221, in step
self._make_sim_run()
File "/usr/local/lib/python2.7/dist-packages/angr/path.py", line 246, in _make_sim_run
self._run = self._project.factory.sim_run(self.state, **self._run_args)
File "/usr/local/lib/python2.7/dist-packages/angr/factory.py", line 117, in sim_run
r = self.sim_block(state, addr=addr, **block_opts)
File "/usr/local/lib/python2.7/dist-packages/angr/factory.py", line 59, in sim_block
**block_opts)
File "/usr/local/lib/python2.7/dist-packages/angr/lifter.py", line 116, in lift
traceflags=traceflags)
File "pyvex/__init__.py", line 136, in __init__
c_irsb = pvc.vex_block_bytes(vex_arch, arch.vex_archinfo, c_bytes + bytes_offset, mem_addr, num_bytes, 1)
KeyError: 'x86_cr0'

Exceptions while running the whitehat_crypto400.py example

I installed angr on Ubuntu 14.04, but when I run the example, it crashes with an exception.
Please give me some suggestions. Thanks.

DEBUG:angr.path_group:... path <Path with 26 runs (at 0x438fb0)> didn't match!
DEBUG:angr.path_group:... returning 0 matches and 1 non-matches
DEBUG:angr.path_group:Round 26: stepping <PathGroup with 1 active>
Traceback (most recent call last):
File "whitehat_crypto400.py", line 57, in
pg.explore(find=0x4016A3).unstash(from_stash='found', to_stash='active')
File "/home/ahwei/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/path_group.py", line 731, in explore
return self.step(n=n, step_func=explore_step_func, until=until_func, stash=stash)
File "/home/ahwei/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/path_group.py", line 505, in step
pg = pg._one_step(stash=stash, selector_func=selector_func, successor_func=successor_func, check_func=check_func, **kwargs)
File "/home/ahwei/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/path_group.py", line 299, in _one_step
successors = a.step(**kwargs)
File "/home/ahwei/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/path.py", line 218, in step
self._make_sim_run()
File "/home/ahwei/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/path.py", line 233, in _make_sim_run
self._run = self._project.factory.sim_run(self.state, **self._run_args)
File "/home/ahwei/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/factory.py", line 111, in sim_run
r = self.sim_block(state, addr=addr, **block_opts)
File "/home/ahwei/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/factory.py", line 57, in sim_block
**block_opts)
File "/home/ahwei/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/lifter.py", line 111, in lift
traceflags=traceflags)
File "/home/ahwei/.virtualenvs/angr/local/lib/python2.7/site-packages/pyvex/__init__.py", line 106, in __init__
self.statements = [ IRStmt.IRStmt._translate(c_irsb.stmts[i], self) for i in range(c_irsb.stmts_used) ]
File "/home/ahwei/.virtualenvs/angr/local/lib/python2.7/site-packages/pyvex/IRStmt/__init__.py", line 37, in _translate
return stmt_class(c_stmt, irsb)
File "/home/ahwei/.virtualenvs/angr/local/lib/python2.7/site-packages/pyvex/IRStmt/__init__.py", line 165, in __init__
self.mAddr = IRExpr._translate(c_stmt.Ist.Dirty.details.mAddr, irsb)
File "/home/ahwei/.virtualenvs/angr/local/lib/python2.7/site-packages/pyvex/IRExpr/__init__.py", line 47, in _translate
if c_expr[0] == ffi.NULL:
RuntimeError: cannot dereference null pointer from cdata 'IRExpr *'
Exception TypeError: "'NoneType' object is not callable" in ignored
Exception TypeError: "'NoneType' object is not callable" in ignored

Problems when installing on Windows

Hi. As I work on the Windows platform, I followed the instructions to install angr on Windows. I downloaded the z3 binary and copied it to the C:\Z3\ path, set Z3PATH=C:\Z3\bin, and installed the capstone Python binary (capstone-3.0.4-python2.7-win32.exe). Then I ran the "pip install angr" command.
The command returns the following error:

Running setup.py install for angr-z3
Complete output from command C:\Python27\python.exe -c "import setuptools, tokenize;__file__='c:\users\ppaw\appdata\local\temp\pip-build-s6b3rp\angr-z3\setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record c:\users\ppaw\appdata\local\temp\pip-5nvyuf-record\install-record.txt --single-version-externally-managed --compile:
WARNING: '' not a valid package name; please use only .-separated package names in setup.py
running install
running build
Configuring Z3
error: [Error 193] %1 is not a valid win32

----------------------------------------

Command "C:\Python27\python.exe -c "import setuptools, tokenize;__file__='c:\users\ppaw\appdata\local\temp\pip-build-s6b3rp\angr-z3\setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record c:\users\ppaw\appdata\local\temp\pip-5nvyuf-record\install-record.txt --single-version-externally-managed --compile" failed with error code 1 in c:\users\ppaw\appdata\local\temp\pip-build-s6b3rp\angr-z3

How can I solve the above error? Thanks very much.

Use-def chain of a binary

I want to extract the use-def chain of memory addresses from a binary. angr uses VEX IR, which is in SSA form, so extracting the use-def chain shouldn't be hard. How can I do this? Any pointer is appreciated.

I would be happy to contribute back.

Exception running data dependency analysis

I'm trying to run the data dependency analysis. I've tried the following code:

>>> import angr
>>> proj = angr.Project('/bin/ls')
>>> cfg = proj.analyses.CFG(keep_input_state=True)
>>> ddg = proj.analyses.DDG(cfg)

I get the following exception: SimProcedureError: Tried to run simproc continuation with empty stack

Loading static library for analysis

The cle loader fails to load Linux static libraries. This is just a feature request for adding support for loading static libraries. I would appreciate it.

Backwardslice example?

Could you please provide a backward slicing example that would explain how to use the object after the slicing is finished? Which attributes does this object have?

undefined symbol: LibVEX_ShowStats

After updating to the latest version, no matter which example Python code I run, it always shows this error:

Traceback (most recent call last):
File "strcpy_test.py", line 11, in
import angr
File "/usr/local/lib/python2.7/dist-packages/angr/__init__.py", line 7, in
from .project import *
File "/usr/local/lib/python2.7/dist-packages/angr/project.py", line 10, in
import cle
File "/usr/local/lib/python2.7/dist-packages/cle/__init__.py", line 6, in
from .loader import *
File "/usr/local/lib/python2.7/dist-packages/cle/loader.py", line 710, in
from .tls import TLSObj
File "/usr/local/lib/python2.7/dist-packages/cle/tls.py", line 4, in
from .backends import Backend
File "/usr/local/lib/python2.7/dist-packages/cle/backends/__init__.py", line 4, in
import archinfo
File "/usr/local/lib/python2.7/dist-packages/archinfo/__init__.py", line 2, in
from .arch import *
File "/usr/local/lib/python2.7/dist-packages/archinfo/arch.py", line 7, in
import pyvex as pyvex
File "/usr/local/lib/python2.7/dist-packages/pyvex/__init__.py", line 42, in
enums_to_ints = { _:getattr(pvc,_) for _ in dir(pvc) if isinstance(getattr(pvc,_), int) }
File "/usr/local/lib/python2.7/dist-packages/pyvex/__init__.py", line 42, in
enums_to_ints = { _:getattr(pvc,_) for _ in dir(pvc) if isinstance(getattr(pvc,_), int) }
File "/usr/local/lib/python2.7/dist-packages/cffi/api.py", line 718, in __getattr__
make_accessor(name)
File "/usr/local/lib/python2.7/dist-packages/cffi/api.py", line 714, in make_accessor
accessors[name]()
File "/usr/local/lib/python2.7/dist-packages/cffi/api.py", line 659, in accessor_function
raise AttributeError('%s: %s' % (name, e))
AttributeError: LibVEX_ShowStats: "function 'LibVEX_ShowStats' not found in library '/usr/local/lib/pyvex_static.so': /usr/local/lib/pyvex_static.so: undefined symbol: LibVEX_ShowStats"

Met an issue when I install angr

Installing collected packages: pyvex, claripy, simuvex, cle, decorator, pyelftools, pycparser, cffi, angr-z3, dpkt-fix, pefile, idalink, rpyc, plumbum
Running setup.py install for pyvex
Building libVEX
error: vex: Not a directory
Complete output from command /usr/bin/python -c "import setuptools;__file__='/home/ocelot/axx/build/pyvex/setup.py';exec(compile(open(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --single-version-externally-managed --record /tmp/pip-BoRmq0-record/install-record.txt:
running install

running build

Building libVEX

error: vex: Not a directory


Command /usr/bin/python -c "import setuptools;__file__='/home/ocelot/axx/build/pyvex/setup.py';exec(compile(open(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --single-version-externally-managed --record /tmp/pip-BoRmq0-record/install-record.txt failed with error code 1
Storing complete log in /home/ocelot/.pip/pip.log

Slow CFG analysis

I was just trying out the sample code on the angr site on the /bin/ls binary. The analysis kept running for almost one day without any output. I've also tried with call_depth = 3, but in that configuration, it can only extract the CFG for some of the functions. Is this expected? Is there any way to speed up the analysis?

>>> import angr
>>> proj = angr.Project('/bin/ls')
>>> cfg = proj.analyses.CFG(); cfg.function_manager.functions

Error in GirlScout

I am getting the following error when trying to use GirlScout:
My code:
proj = angr.Project("/bin/mkdir", load_options={'auto_load_libs': False})
gs = proj.analyses.GirlScout()
print gs.base_address

and this is the error:
File "/home/xyz/angr/cle/cle/memory.py", line 259, in _flatten_to_c
raise ValueError("Pulling C data out of a non-root Clemory is disallowed!")
ValueError: Pulling C data out of a non-root Clemory is disallowed!

AttributeError: 'BackendVSA' object has no attribute 'cts_simplifier___ne__'

In [4]: vfg = b.analyses.VFG(cfg, interfunction_level=3)
---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
<ipython-input-4-25c1ab7b043c> in <module>()
----> 1 vfg = b.analyses.VFG(cfg, interfunction_level=3)

/home/riyad/tmp/angr/angr/angr/analysis.pyc in _analysis(self, analysis, *args, **kwargs)
     67 
     68         # Call __init__ of chosen analysis
---> 69         a = analysis(self._p, fail_fast, *args, **kwargs)
     70 
     71         return a

/home/riyad/tmp/angr/angr/angr/analysis.pyc in __core_init__(self, project, fail_fast, *args, **kwargs)
    123 
    124         if kwargs.pop('do_analysis', True):
--> 125             self.__analysis_init__(*args, **kwargs)  # pylint:disable=no-member
    126 
    127     def post_load(self):

/home/riyad/tmp/angr/angr/angr/analyses/vfg.pyc in __init__(self, cfg, context_sensitivity_level, function_start, interfunction_level, initial_state, avoid_runs, remove_options)
    122 
    123         # Begin VFG construction!
--> 124         self._construct(initial_state=initial_state)
    125 
    126         self.result = {

/home/riyad/tmp/angr/angr/angr/analyses/vfg.pyc in _construct(self, initial_state)
    268 
    269             try:
--> 270                 self._ai_analyze(initial_state)
    271             except AngrVFGRestartAnalysisNotice:
    272                 l.info("Restarting analysis.")

/home/riyad/tmp/angr/angr/angr/analyses/vfg.pyc in _ai_analyze(self, initial_state, function_key)
    333             self._handle_entry(entry_wrapper, worklist,
    334                               exit_targets, fake_func_return_paths,
--> 335                               tracing_times, retn_target_sources
    336                               )
    337 

/home/riyad/tmp/angr/angr/angr/analyses/vfg.pyc in _handle_entry(self, entry_wrapper, remaining_entries, exit_targets, pending_returns, tracing_times, retn_target_sources)
    563 
    564         # Execute this basic block with input state, and get a new SimRun object
--> 565         simrun, error_occured, restart_analysis = self._get_simrun(input_state, current_path, addr)
    566 
    567         if restart_analysis:

/home/riyad/tmp/angr/angr/angr/analyses/vfg.pyc in _get_simrun(self, state, current_path, addr)
    431 
    432         try:
--> 433             sim_run = self._project.factory.sim_run(current_path.state, jumpkind=jumpkind)
    434         except simuvex.SimUninitializedAccessError as ex:
    435             l.error("Found an uninitialized access (used as %s) at expression %s.", ex.expr_type, ex.expr)

/home/riyad/tmp/angr/angr/angr/factory.pyc in sim_run(self, state, addr, jumpkind, **block_opts)
    114         else:
    115             l.debug("Creating SimIRSB at 0x%x", addr)
--> 116             r = self.sim_block(state, addr=addr, **block_opts)
    117 
    118         return r

/home/riyad/tmp/angr/angr/angr/factory.pyc in sim_block(self, state, stmt_whitelist, last_stmt, addr, opt_level, **block_opts)
     62                        addr=addr,
     63                        whitelist=stmt_whitelist,
---> 64                        last_stmt=last_stmt)
     65 
     66     def sim_run(self, state, addr=None, jumpkind=None, **block_opts):

/home/riyad/tmp/angr/simuvex/simuvex/vex/irsb.pyc in __init__(self, state, irsb, irsb_id, whitelist, last_stmt, **kwargs)
     60             self.state.release_plugin('solver_engine')
     61 
---> 62         self._handle_irsb()
     63 
     64         # It's for debugging

/home/riyad/tmp/angr/simuvex/simuvex/vex/irsb.pyc in _handle_irsb(self)
    114 
    115             self.default_exit = self.add_successor(self.state, self.next_expr.expr, self.default_exit_guard,
--> 116                                                    self.irsb.jumpkind, 'default')
    117 
    118             if o.FRESHNESS_ANALYSIS in self.state.options:

/home/riyad/tmp/angr/simuvex/simuvex/s_run.pyc in add_successor(self, state, target, guard, jumpkind, exit_stmt_idx, source)
     67         state.scratch.exit_stmt_idx = exit_stmt_idx
     68 
---> 69         state.add_constraints(guard)
     70         state.regs.ip = target
     71 

/home/riyad/tmp/angr/simuvex/simuvex/s_state.pyc in add_constraints(self, *args, **kwargs)
    227                     # then replace each original SI the intersection of original SI and the constrained one.
    228 
--> 229                     _, converted = self.se.constraint_to_si(arg)
    230 
    231                     for original_expr, constrained_si in converted:

/home/riyad/tmp/angr/simuvex/simuvex/plugins/solver.pyc in ast_stripping_op(f, *args, **kwargs)
     41             import ipdb; ipdb.set_trace()
     42     else:
---> 43         r = _actual_ast_stripping_op(f, *args, **kwargs)
     44 
     45     return r

/home/riyad/tmp/angr/simuvex/simuvex/s_action_object.pyc in ast_stripping_op(f, *args, **kwargs)
     34     new_args = _raw_ast(args)
     35     new_kwargs = _raw_ast(kwargs)
---> 36     return f(*new_args, **new_kwargs)
     37 
     38 def ast_preserving_op(f, *args, **kwargs):

/home/riyad/tmp/angr/claripy/claripy/ast/bool.pyc in constraint_to_si(expr)
    155     replace_list = [ ]
    156 
--> 157     satisfiable, replace_list = _all_backends[1].constraint_to_si(expr)
    158 
    159     # Make sure the replace_list are all ast.bvs

/home/riyad/tmp/angr/claripy/claripy/backends/backend_vsa.pyc in constraint_to_si(self, expr)
    914 
    915         try:
--> 916             sat, lst = self.cts_handle(expr.op, expr.args)
    917 
    918             return sat, lst

/home/riyad/tmp/angr/claripy/claripy/backends/backend_vsa.pyc in cts_handle(self, op, args)
    872 
    873             # Simplify left side
--> 874             lhs, new_cond = self.cts_simplify(lhs.op, lhs.args, lhs, (op, rhs))
    875 
    876             # Update args

/home/riyad/tmp/angr/claripy/claripy/backends/backend_vsa.pyc in cts_simplify(self, op, args, expr, condition)
    862 
    863     def cts_simplify(self, op, args, expr, condition):
--> 864         new_expr, new_cond = getattr(self, "cts_simplifier_%s" % op)(args, expr, condition)
    865 
    866         return new_expr, new_cond

AttributeError: 'BackendVSA' object has no attribute 'cts_simplifier___ne__'

Error during installation

Downloading/unpacking z3 (from claripy->-r requirements.txt (line 11))
  Getting page https://pypi.python.org/simple/z3/
  Could not fetch URL https://pypi.python.org/simple/z3/: 404 Client Error: Not Found
  Will skip URL https://pypi.python.org/simple/z3/ when looking for download links for z3 (from claripy->-r requirements.txt (line 11))
  Getting page https://pypi.python.org/simple/
  URLs to search for versions for z3 (from claripy->-r requirements.txt (line 11)):
  * https://pypi.python.org/simple/z3/
  Getting page https://pypi.python.org/simple/z3/
  Could not fetch URL https://pypi.python.org/simple/z3/: 404 Client Error: Not Found
  Will skip URL https://pypi.python.org/simple/z3/ when looking for download links for z3 (from claripy->-r requirements.txt (line 11))
  Could not find any downloads that satisfy the requirement z3 (from claripy->-r requirements.txt (line 11))
  Some externally hosted files were ignored (use --allow-external z3 to allow).
Cleaning up...
  Removing temporary dir /tmp/pip_build_root...
No distributions at all found for z3 (from claripy->-r requirements.txt (line 11))
Exception information:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/pip/basecommand.py", line 122, in main
    status = self.run(options, args)
  File "/usr/lib/python2.7/dist-packages/pip/commands/install.py", line 278, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/usr/lib/python2.7/dist-packages/pip/req.py", line 1178, in prepare_files
    url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
  File "/usr/lib/python2.7/dist-packages/pip/index.py", line 277, in find_requirement
    raise DistributionNotFound('No distributions at all found for %s' % req)
DistributionNotFound: No distributions at all found for z3 (from claripy->-r requirements.txt (line 11))

The above message was copied from pip.log.
To solve the problem I manually installed z3, but the same error occurred.
What should I do?
I can see the same problem on macOS and Ubuntu 14.04 (x86).

root@ubuntu:~/angr# pip install angr
Downloading/unpacking angr
  Could not find any downloads that satisfy the requirement angr
Cleaning up...
No distributions at all found for angr
Storing debug log for failure in /root/.pip/pip.log

The "pip install angr" installation also fails. I think the same problem occurred.

Call graph of a binary

Is there any analysis that extracts the call graph of a binary? Since angr has a CFG analysis, extracting a call graph should be easy. Any pointer on how to extract the call graph easily?

I am happy to contribute back.

Installing simuvex with pip results in an issue with pyvex

Collecting simuvex
Using cached simuvex-4.5.12.28.tar.gz
Collecting bintrees (from simuvex)
Using cached bintrees-2.0.2-cp27-none-win32.whl
Collecting dpkt-fix (from simuvex)
Using cached dpkt-fix-1.7.tar.gz
Collecting pyvex (from simuvex)
Using cached pyvex-4.5.12.21.tar.gz
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "", line 20, in
File "c:\users\user\appdata\local\temp\pip-build-pn9ogr\pyvex\setup.py", line 21, in
if subprocess.call(['tar', 'xzf', 'dev.tar.gz']) != 0:
File "c:\python27\lib\subprocess.py", line 522, in call
return Popen(*popenargs, **kwargs).wait()
File "c:\python27\lib\subprocess.py", line 710, in __init__
errread, errwrite)
File "c:\python27\lib\subprocess.py", line 958, in _execute_child
startupinfo)
WindowsError: [Error 2] The system cannot find the file specified

----------------------------------------

Command "python setup.py egg_info" failed with error code 1 in c:\users\user\appdata\local\temp\pip-build-pn9ogr\pyvex

"Tried to run simproc continuation with empty stack" when trying to construct a DDG

Happens for a fairly simple test program under both x86_64 & ARM (glibc linux).

Exception stack trace:

  File "./angr_runner.py", line 12, in <module>
    ddg = b.analyses.DDG(cfg)
  File "/home/itx/angr/angr/angr/analysis.py", line 69, in _analysis
    a = analysis(self._p, fail_fast, *args, **kwargs)
  File "/home/itx/angr/angr/angr/analysis.py", line 125, in __core_init__
    self.__analysis_init__(*args, **kwargs)  # pylint:disable=no-member
  File "/home/itx/angr/angr/angr/analyses/ddg.py", line 22, in __init__
    self._construct()
  File "/home/itx/angr/angr/angr/analyses/ddg.py", line 241, in _construct
    run = self._cfg.irsb_from_node(node)
  File "/home/itx/angr/angr/angr/analyses/cfg_base.py", line 147, in irsb_from_node
    return self._get_irsb(cfg_node)
  File "/home/itx/angr/angr/angr/analyses/cfg_base.py", line 141, in _get_irsb
    return self._project.factory.sim_run(cfg_node.input_state)
  File "/home/itx/angr/angr/angr/factory.py", line 105, in sim_run
    r = sim_proc_class(state, addr=addr, sim_kwargs=kwargs)
  File "/home/itx/angr/simuvex/simuvex/s_procedure.py", line 211, in __new__
    raise SimProcedureError("Tried to run simproc continuation with empty stack")

Test program, runner script & generated CFG
1MB Debug log, starting from DDG creation

hook_addr seems to point right at __libc_start_main's SimProc, which probably should have had _start in its call stack.

Extracting external function names for PLT entries

This is a feature request.

I see external functions from PLT entries are named in patterns like sub_4015d0. I believe it's possible to extract the names of external functions from PLT entries. It would be great if you could add support for external function names.

Error in buffer overflow detection analysis

Long story short, I've tried buffer overflow detection analysis and this is the error I'm seeing:

In [11]: buffer_overflow = b.analyses.BufferOverflowDetection()
---------------------------------------------------------------------------
TypeError                                 Traceback (most recent call last)
<ipython-input-11-d2172fc511ce> in <module>()
----> 1 buffer_overflow = b.analyses.BufferOverflowDetection()

/home/riyad/tmp/angr/angr/angr/analysis.pyc in _analysis(self, analysis, *args, **kwargs)
     67 
     68         # Call __init__ of chosen analysis
---> 69         a = analysis(self._p, fail_fast, *args, **kwargs)
     70 
     71         return a

/home/riyad/tmp/angr/angr/angr/analysis.pyc in __core_init__(self, project, fail_fast, *args, **kwargs)
    123 
    124         if kwargs.pop('do_analysis', True):
--> 125             self.__analysis_init__(*args, **kwargs)  # pylint:disable=no-member
    126 
    127     def post_load(self):

/home/riyad/tmp/angr/angr/angr/analyses/buffer_overflow_detection.pyc in __init__(self, cfg, functions)
     93                 continue
     94             # Create one VFG for every function in the binary
---> 95             vfg = self._p.analyses.VFG(cfg=self._cfg, function_start=func, interfunction_level=3, context_sensitivity_level=2)
     96             self.vfgs[func] = vfg
     97             for overlap in process_vfg(vfg):

/home/riyad/tmp/angr/angr/angr/analysis.pyc in _analysis(self, analysis, *args, **kwargs)
     67 
     68         # Call __init__ of chosen analysis
---> 69         a = analysis(self._p, fail_fast, *args, **kwargs)
     70 
     71         return a

/home/riyad/tmp/angr/angr/angr/analysis.pyc in __core_init__(self, project, fail_fast, *args, **kwargs)
    123 
    124         if kwargs.pop('do_analysis', True):
--> 125             self.__analysis_init__(*args, **kwargs)  # pylint:disable=no-member
    126 
    127     def post_load(self):

/home/riyad/tmp/angr/angr/angr/analyses/vfg.pyc in __init__(self, cfg, context_sensitivity_level, function_start, interfunction_level, initial_state, avoid_runs)
    106 
    107         # Begin VFG construction!
--> 108         self._construct(initial_state=initial_state)
    109 
    110         self.result = {

/home/riyad/tmp/angr/angr/angr/analyses/vfg.pyc in _construct(self, initial_state)
    231 
    232             try:
--> 233                 self._ai_analyze(initial_state)
    234             except AngrVFGRestartAnalysisNotice:
    235                 l.info("Restarting analysis.")

/home/riyad/tmp/angr/angr/angr/analyses/vfg.pyc in _ai_analyze(self, initial_state, function_key)
    296             self._handle_entry(entry_wrapper, worklist,
    297                               exit_targets, fake_func_return_paths,
--> 298                               tracing_times, retn_target_sources
    299                               )
    300 

/home/riyad/tmp/angr/angr/angr/analyses/vfg.pyc in _handle_entry(self, entry_wrapper, remaining_entries, exit_targets, pending_returns, tracing_times, retn_target_sources)
    526 
    527         # Execute this basic block with input state, and get a new SimRun object
--> 528         simrun, error_occured, restart_analysis = self._get_simrun(input_state, current_path, addr)
    529 
/home/riyad/tmp/angr/angr/angr/factory.pyc in sim_run(self, state, addr, jumpkind, **block_opts)
    108                     sim_proc_class.__name__, addr)
    109             state._inspect('call', BP_BEFORE, function_name=sim_proc_class.__name__)
--> 110             r = sim_proc_class(state, addr=addr, sim_kwargs=kwargs)
    111             state._inspect('call', BP_AFTER, function_name=sim_proc_class.__name__)
    112             l.debug("... %s created", r)

/home/riyad/tmp/angr/simuvex/simuvex/s_procedure.pyc in __init__(self, state, ret_to, stmt_from, convention, arguments, sim_kwargs, run_func_name, **kwargs)
     53 
     54         run_func = getattr(self, run_func_name)
---> 55         r = run_func(*args, **self.kwargs)
     56 
     57         if r is not None:

/home/riyad/tmp/angr/simuvex/simuvex/procedures/libc___so___6/printf.pyc in run(self)
     12     def run(self):
     13         # The format str is at index 0
---> 14         fmt_str = self._parse(0)
     15         out_str = fmt_str.replace(1, self.arg)
     16 

/home/riyad/tmp/angr/simuvex/simuvex/s_format.pyc in _parse(self, fmt_idx)
    397             raise SimProcedureError("Symbolic pointer to (format) string :(")
    398 
--> 399         length = self._sim_strlen(fmtstr_ptr)
    400         if self.state.se.symbolic(length):
    401             raise SimProcedureError("Symbolic (format) string, game over :(")

/home/riyad/tmp/angr/simuvex/simuvex/s_format.pyc in _sim_strlen(self, str_addr)
    379         strlen = simuvex.SimProcedures['libc.so.6']['strlen']
    380 
--> 381         return self.inline_call(strlen, str_addr).ret_expr
    382 
    383 

/home/riyad/tmp/angr/simuvex/simuvex/s_procedure.pyc in inline_call(self, procedure, *arguments, **sim_kwargs)
    113     def inline_call(self, procedure, *arguments, **sim_kwargs):
    114         e_args = [ self.state.BVV(a, self.state.arch.bits) if isinstance(a, (int, long)) else a for a in arguments ]
--> 115         p = procedure(self.state, inline=True, arguments=e_args, sim_kwargs=sim_kwargs)
    116         return p
    117 

/home/riyad/tmp/angr/simuvex/simuvex/s_procedure.pyc in __init__(self, state, ret_to, stmt_from, convention, arguments, sim_kwargs, run_func_name, **kwargs)
     53 
     54         run_func = getattr(self, run_func_name)
---> 55         r = run_func(*args, **self.kwargs)
     56 
     57         if r is not None:

/home/riyad/tmp/angr/simuvex/simuvex/procedures/libc___so___6/strlen.pyc in run(self, s)
     29                 r, c, i = self.state.memory.find(s, self.state.BVV(0, 8), max_str_len, max_symbolic_bytes=max_symbolic_bytes)
     30 
---> 31                 self.max_null_index = max(self.max_null_index + i)
     32 
     33                 # Convert r to the same region as s

TypeError: unsupported operand type(s) for +: 'int' and 'list'

A question on class CallStack

Hi, I'm a newcomer to angr.
Just now, I tried to look into path.callstack and printed it.
However, the result (typing pathgroup.active[0].callstack directly) looked like the following.
CallStack (depth 3) [ 0x400580 (0x4005d0), 0x40079b (0x1000070), 0x4006c6 (0x40082d) ]
And the function 'repr' in CallStack is
return "<CallStack (depth %d)>" % len(self.callstack)
On the other hand, the result of 'print pathgroup.active[0].callstack' is the same as 'pathgroup.active[0].callstack'.
And the function 'str' in CallStack is
return "Backtrace:\n%s" % "\n".join(str(f) for f in self)
Hoping for a solution, and thanks.

Optimization of vsa_ddg (parallelization?)

Hi!
I found this comment in vsa_ddg.py:

# TODO: The worklist algorithm can definitely use some optimizations. It is a future work.

What optimization do you have in mind?
Would it make sense to parallelize the worklist algorithm?
Is it even possible in general to parallelize the task of creating def-use chains?
In other words, is it a bad idea to think of parallelization or even distributed computing in this context?

Slow Control Dependence Analysis

I'm trying the CDG analysis. But it's been half an hour and I'm still not seeing any output. From my understanding, CDG analysis should be faster than the CFG analysis. Is there any secret option to make it faster?

proj = angr.Project('/bin/ls', load_options={'auto_load_libs': False})
cdg = proj.analyses.CDG()

Thanks.

angr fails to resolve this jump table

In this binary, there is a jump table at 0x8048a7e (basic block starts at 0x8048a70). angr sees a single jump target there with advanced_backward_slicing enabled. It'd be awesome to a) fix this and b) adopt it as a testcase.

pyvex_c missing

I ran pip install angr and got a warning that pyvex_c cannot be found when building pyvex. I believe there is a missing dependency.

AttributeError in VSA DDG analysis

I'm experimenting with VSA DDG analysis. I'm seeing the following error message:

In [9]: vsa_ddg = b.analyses.VSA_DDG(b.entry)                                                                          
---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
<ipython-input-9-4533d51ccf3d> in <module>()
----> 1 vsa_ddg = b.analyses.VSA_DDG(b.entry)

/home/riyad/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/analysis.pyc in _analysis(self, analysis, *args, **kwargs)
     67 
     68         # Call __init__ of chosen analysis
---> 69         a = analysis(self._p, fail_fast, *args, **kwargs)
     70 
     71         return a

/home/riyad/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/analysis.pyc in __core_init__(self, project, fail_fast, *args, **kwargs)
    123 
    124         if kwargs.pop('do_analysis', True):
--> 125             self.__analysis_init__(*args, **kwargs)  # pylint:disable=no-member
    126 
    127     def post_load(self):

/home/riyad/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/analyses/vsa_ddg.pyc in __init__(self, start_addr, interfunction_level, context_sensitivity_level, keep_addrs)
     46 
     47         # We explore one path at a time
---> 48         self._branch({}, self._startnode)
     49 
     50     def _make_block(self, irsb, live_defs):

/home/riyad/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/analyses/datagraph_meta.pyc in _branch(self, live_defs, node, path)
     66         """
     67 
---> 68         irsb = self._irsb(node.state)
     69         path = path + " -> " + hex(irsb.addr)
     70 

/home/riyad/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/analyses/datagraph_meta.pyc in _irsb(self, in_state)
     17             We expect a VSA state here.
     18             """
---> 19             return self._p.sim_run(in_state)
     20 
     21     def _vfg_node(self, addr):

AttributeError: 'Project' object has no attribute 'sim_run'

CLE crashes when trying to load FASM-compiled executables

>>> b=angr.Project('./garbage_bytes2.EXE')
ERROR   | 2015-12-15 16:57:25,594 | cle.loader | Loading error when loading /home/viktor/tool/angrtest/garbage_bytes2.EXE with backend Blob
Traceback (most recent call last):
  File "/home/viktor/.virtualenvs/angr3/local/lib/python2.7/site-packages/cle/loader.py", line 230, in load_object
    loaded = backend(path,compatible_with=compatible_with, filetype=filetype, is_main_bin=is_main_bin, **options)
  File "/home/viktor/.virtualenvs/angr3/local/lib/python2.7/site-packages/cle/backends/blob.py", line 25, in __init__
    raise CLEError("Must specify custom_arch when loading blob!")
CLEError: Must specify custom_arch when loading blob!
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/viktor/.virtualenvs/angr3/local/lib/python2.7/site-packages/angr/project.py", line 98, in __init__
    self.loader = cle.Loader(self.filename, **load_options)
  File "/home/viktor/.virtualenvs/angr3/local/lib/python2.7/site-packages/cle/loader.py", line 88, in __init__
    self._load_main_binary()
  File "/home/viktor/.virtualenvs/angr3/local/lib/python2.7/site-packages/cle/loader.py", line 139, in _load_main_binary
    self.main_bin = self.load_object(self._main_binary_path, self._main_opts, is_main_bin=True)
  File "/home/viktor/.virtualenvs/angr3/local/lib/python2.7/site-packages/cle/loader.py", line 236, in load_object
    raise CLEError("All backends failed loading %s!" % path)
cle.errors.CLEError: All backends failed loading /home/viktor/tools/angrtest/garbage_bytes2.EXE!

Not sure if this is my error or whether it is on angr/CLE. I made a fresh virtualenv to try and fix this. Didn't help.

garbage_bytes.txt

Error with "claripy" module

After installing angr, I am getting the following error:

$python -c "import angr"
No handlers could be found for logger "claripy"
Exception TypeError: "'NoneType' object is not callable" in  ignored
Exception TypeError: "'NoneType' object is not callable" in  ignored

Update: I installed angr on a 64bit Ubuntu 12.04 machine.

ImportError: cannot import name arm

Hi,
I installed angr using the dev-install on Ubuntu LTS x64, Python 2.7

[+] All done! Execute "workon angr" to use your new angr virtual
etc...

but when I try to run the following commands

workon angr
angr-dev$ ipython
Python 2.7.6 (default, Jun 22 2015, 17:58:13) 
Type "copyright", "credits" or "license" for more information.

IPython 4.0.1 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: import angr

/media/sid/sharespace/angr-dev/archinfo/archinfo/arch.py in <module>()
      1 ''' This class is responsible for architecture-specific things such as call emulation and so forth. '''
      2 
----> 3 import capstone as _capstone
      4 import struct as _struct

/home/sid/virtualenvs/angr/local/lib/python2.7/site-packages/capstone/__init__.py in <module>()
    228             pass
    229     if _found == False:
--> 230         raise ImportError("ERROR: fail to load the dynamic library.")
    231 
    232 

ImportError: ERROR: fail to load the dynamic library.

maybe it is a problem with the capstone lib

In [3]: import capstone as _capstone
---------------------------------------------------------------------------
ImportError                               Traceback (most recent call last)
<ipython-input-3-760631d34950> in <module>()
----> 1 import capstone as _capstone

/home/sid/virtualenvs/angr/local/lib/python2.7/site-packages/capstone/__init__.py in <module>()
      4 if _python2:
      5     range = xrange
----> 6 from . import arm, arm64, mips, ppc, sparc, systemz, x86, xcore
      7 
      8 __all__ = [

ImportError: cannot import name arm

Outside the angr virtualenv I can import capstone without any error.

Thanks

references to non-existent "setup.sh" in README

It's not clear if there is actually a script or whether this should be:

-./setup.sh
+python setup.py install
 ```

 This clones all of the repositories and installs them in editable mode.
-`setup.sh` can even create a PyPy virtualenv for you, resulting in significantly faster performance and lower memory usage.
+`setup.py` can even create a PyPy virtualenv for you, resulting in significantly faster performance and lower memory usage.
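Review bot: the replacement in the first `+` line and in the last `+` line contradicts the unchanged context around them: `python setup.py install` does not clone "all of the repositories", does not install them "in editable mode", and cannot "create a PyPy virtualenv for you", yet the reworded sentence still claims that capability for `setup.py`. Either point the README at whatever script actually performs those steps (if `setup.sh` lives in a separate development checkout, link to it there rather than renaming it) or rewrite the two surrounding sentences to describe only what `python setup.py install` really does.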

Shall I submit issues for not implemented arguments of existing SimProcedures?

For example, the printf SimProcedure seems not to support long integers; that is, exploring the following code leads to an errored path:

#include <stdio.h>
int main(void) {
    long blah;
    blah = 1;
    printf("%li", blah);
}

Would you suggest submitting such things as an issue? I mean, it is obvious to everybody that angr's coverage of system functions is not complete yet and submitting such things could pollute the repo.
What do you think?

Caller not returning expected results

Hey,

I've been working on understanding the Caller surveyor, and in doing so used the "npc" challenge from HITCON 2015 as the example. In that challenge, the first part contains a very convoluted function that effectively just checks the length of the input.

When I force the answer with "callable", I can find one path that returns non-zero (input 88). However, when I use "Caller", it returns, informing me that the only path that should ever return is 0x0.

Here are the steps to recreate:

import angr
b = angr.Project("npc")
p = b.factory.path()
length = p.state.memory.load(0x1000,4)
c = b.surveyors.Caller(0x402980,(0x1000,),start=p)
print(tuple(c.iter_returns()))

NPC File: http://filebin.ca/2KtRrvR9YhZf/npc

Error in running the examples.

I have successfully installed angr. However, I am getting the following errors when running the two examples provided in the documentation.

Whitehat CTF 2015 Crypto 400

[*] example guess: 'ny;~!TBU'
[*] brute-forcing 6392 possibilities
Traceback (most recent call last):                              | ETA:  --:--:--
  File "whitehat_crypto400.py", line 83, in <module>
    stdout,_ = subprocess.Popen(["./whitehat_crypto400", ''.join(guess)], stdout=subprocess.PIPE, stderr=subprocess.STDOUT).communicate()
  File "/usr/lib/python2.7/subprocess.py", line 679, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1249, in _execute_child
    raise child_exception
OSError: [Errno 8] Exec format error

Layer7 CTF 2015 Windows challenge OnlyOne

No handlers could be found for logger "cle.pe"
Executing...
Traceback (most recent call last):
  File "solve.py", line 83, in <module>
    main()
  File "solve.py", line 59, in main
    r = ex.run()
  File "/home/xyz/angr/angr/angr/surveyor.py", line 240, in run
    self.step()
  File "/home/xyz/angr/angr/angr/surveyor.py", line 217, in step
    self.tick()
  File "/home/xyz/angr/angr/angr/surveyor.py", line 297, in tick
    if isinstance(p.error, PathUnreachableError):
AttributeError: 'Path' object has no attribute 'error'

Exception in CFG.get_lbe_exits()

I tried this: [exit for exit in CFG.get_lbe_exits()].

The error message: AttributeError: 'CFGNode' object has no attribute 'exits'.

How to load a 'wild' firmware into Angr

I am trying to load a firmware into angr for which I know neither the entry point nor the architecture it runs on (hence, 'wild'). IDA Pro also fails to determine those details automatically.

When I try these two options:
proj = angr.Project("wild_firmware.bin", load_options={ 'auto_load_libs': False})
OR
proj = angr.Project("wild_firmware.bin", load_options={'main_opts': {'backend': 'blob'}, 'auto_load_libs': False})
I am getting this error:
cle.errors.CLEError: All backends failed loading /home/xyz/angr/firmware/wild_firmware.bin!

But, when I try to guess the architecture,
proj = angr.Project("wild_firmware.bin", load_options={'main_opts': {'backend': 'blob', 'custom_arch': 'ARM'}, 'auto_load_libs': False})

I am getting this error:
AttributeError: 'Blob' object has no attribute 'is_ppc64_abiv1'

What is the best way to identify the entry_point/architecture of a 'wild' firmware using angr?

Thanks

Importing angr gives OSError regarding libgomp.so.1

After installing angr into a virtualenvwrapper environment with no issues, the following error persists over multiple installations. I work on a Dell Vostro 3560 with Ubuntu 14.04.

Would appreciate any pointers towards a solution.

python -c "import angr"
  File "<string>", line 1, in <module>
  File "/home/viktor/.virtualenvs/angr2/local/lib/python2.7/site-packages/angr/__init__.py", line 3, in <module>
    from .project import *
  File "/home/viktor/.virtualenvs/angr2/local/lib/python2.7/site-packages/angr/project.py", line 11, in <module>
    import simuvex
  File "/home/viktor/.virtualenvs/angr2/local/lib/python2.7/site-packages/simuvex/__init__.py", line 6, in <module>
    from .s_state import SimState
  File "/home/viktor/.virtualenvs/angr2/local/lib/python2.7/site-packages/simuvex/s_state.py", line 23, in <module>
    from .plugins import default_plugins
  File "/home/viktor/.virtualenvs/angr2/local/lib/python2.7/site-packages/simuvex/plugins/__init__.py", line 5, in <module>
    from .posix import *
  File "/home/viktor/.virtualenvs/angr2/local/lib/python2.7/site-packages/simuvex/plugins/posix.py", line 4, in <module>
    from ..storage.file import SimSymbolicFile
  File "/home/viktor/.virtualenvs/angr2/local/lib/python2.7/site-packages/simuvex/storage/__init__.py", line 1, in <module>
    from .file import SimFile
  File "/home/viktor/.virtualenvs/angr2/local/lib/python2.7/site-packages/simuvex/storage/file.py", line 2, in <module>
    from ..s_action_object import SimActionObject
  File "/home/viktor/.virtualenvs/angr2/local/lib/python2.7/site-packages/simuvex/s_action_object.py", line 4, in <module>
    import claripy
  File "/home/viktor/.virtualenvs/angr2/local/lib/python2.7/site-packages/claripy/__init__.py", line 17, in <module>
    from . import backends as _backends
  File "/home/viktor/.virtualenvs/angr2/local/lib/python2.7/site-packages/claripy/backends/__init__.py", line 1, in <module>
    from .backend_z3 import BackendZ3
  File "/home/viktor/.virtualenvs/angr2/local/lib/python2.7/site-packages/claripy/backends/backend_z3.py", line 32, in <module>
    z3.init(z3_path)
  File "/home/viktor/.virtualenvs/angr2/local/lib/python2.7/site-packages/z3core.py", line 42, in init
    _lib = ctypes.CDLL(PATH)
  File "/usr/lib/python2.7/ctypes/__init__.py", line 365, in __init__
    self._handle = _dlopen(self._name, mode)
OSError: /usr/lib/x86_64-linux-gnu/libgomp.so.1: version `GOMP_4.0' not found (required by /home/viktor/.virtualenvs/angr2/lib/libz3.so)

Performance / CPU load

I am running angr in an Ubuntu VMware virtual machine. When I do CPU-intensive tasks, e.g. CFG creation, the CPU load stays between 52 and 54%. I have two CPUs configured for the VM and I would like to let the CPU load go higher than those 54%. Unfortunately, I couldn't find a configuration option to achieve this. Is there a way to allow angr to use more CPU?

cle is not importing BackedCGC

After installing all dependencies and dealing with the common package issues, I encountered
the following issue:

Traceback (most recent call last):
  File "solve.py", line 3, in <module>
    import angr
  File "/usr/local/lib/python2.7/dist-packages/angr/__init__.py", line 7, in <module>
    from .project import *
  File "/usr/local/lib/python2.7/dist-packages/angr/project.py", line 322, in <module>
    from .simos import SimOS, os_mapping
  File "/usr/local/lib/python2.7/dist-packages/angr/simos.py", line 12, in <module>
    from cle import MetaELF, BackedCGC
ImportError: cannot import name BackedCGC

Thanks.

[meta] Improve angr documentation

This is a meta-ticket to keep track of tasks to improve the angr documentation.

  • Host the api-doc on the angr website.
  • Automatically rebuild api-doc on commit.
  • Disable angr.readthedocs.org
  • Configure Gitbook to be generated based on content of angr-doc.
  • Add a link to the Gitbook on angr.io
  • Add a link to the api-doc on angr.io
  • Document how to write docstrings
  • Check if Sphinx supports having more than one parameter type.
  • Document how to maintain api-doc

Purpose of cfg.get_paths() given the existence of PathGroup.explore etc ?

I was wondering what the purpose of the cfg.get_paths(...) method is. The function results in a call to networkx.all_simple_paths, i.e. other than for trivial examples, it will take almost forever. In addition, why would one use this method to find a path in the CFG if there are possibilities such as PathGroup.explore(...) or surveyors.Explorer(find=...). Am I missing something? E.g. a way to restrict the cfg.get_paths to a certain length or "call-depth" ?

Error running angr

I've installed angr successfully, but whenever I try to use it I get the following error. Any idea why?

In [1]: import angr
No handlers could be found for logger "claripy"
---------------------------------------------------------------------------
ImportError                               Traceback (most recent call last)
<ipython-input-1-bcea9b74a356> in <module>()
----> 1 import angr

/usr/local/lib/python2.7/dist-packages/angr/__init__.py in <module>()
      1 """ Angr module """
      2 # pylint: disable=wildcard-import
----> 3 from .project import *
      4 from .functionmanager import *
      5 from .variableseekr import *

/usr/local/lib/python2.7/dist-packages/angr/project.py in <module>()
      9 
     10 import cle
---> 11 import simuvex
     12 import archinfo
     13 

/usr/local/lib/python2.7/dist-packages/simuvex-1.00-py2.7.egg/simuvex/__init__.py in <module>()
      7 from .s_errors import *
      8 from .s_action import *
----> 9 from .s_procedure import SimProcedure
     10 import simuvex.procedures
     11 from .procedures import SimProcedures

/usr/local/lib/python2.7/dist-packages/simuvex-1.00-py2.7.egg/simuvex/s_procedure.py in <module>()
     10 
     11 from .s_run import SimRun
---> 12 from .s_cc import DefaultCC
     13 
     14 class SimProcedure(SimRun):

/usr/local/lib/python2.7/dist-packages/simuvex-1.00-py2.7.egg/simuvex/s_cc.py in <module>()
      2 
      3 import claripy
----> 4 from archinfo import ArchX86, ArchAMD64, ArchARM, ArchAArch64, ArchMIPS32, ArchMIPS64, ArchPPC32, ArchPPC64
      5 
      6 from .s_action_object import SimActionObject

ImportError: cannot import name ArchAArch64

Get size of a native function

I want to know the size of a native function in binary; similar to size in basic block. Any idea how can I get this?

Accessing all the strings of a binary in 1 go

From the documentation, what I gather is that the best way to find all strings in the binary (and their addresses) is to walk through each function and find the string references.

cfg = proj.analyses.CFG()
for addr in cfg.function_manager.functions:
    f = cfg.function_manager.functions[addr]
    print(f.string_references())

Are there better/faster ways to go about doing this?

Enhancement: Voting in BoyScout

I am currently analysing a proprietary firmware that has several modules, each of which runs on a different processor. However, when I use BoyScout to determine the architecture, it always returns X86 (due to the highest number of pattern matches). When I print the votes dictionary, this is what I get.

[('X86', 'Iend_LE', 3086), ('AMD64', 'Iend_LE', 3078), ('ARMEL', 'Iend_LE', 118), ('ARMEL', 'Iend_BE', 32), ('MIPS32', 'Iend_LE', 1), ('AARCH64', 'Iend_LE', 0), ('AARCH64', 'Iend_BE', 0), ('PPC64', 'Iend_LE', 0), ('PPC32', 'Iend_LE', 0), ('MIPS64', 'Iend_LE', 0), ('MIPS32', 'Iend_BE', 0), ('MIPS64', 'Iend_BE', 0), ('PPC64', 'Iend_BE', 0), ('PPC32', 'Iend_BE', 0)]

So, will it be better to print the vote dictionary and let the user decide?

AttributeError: 'CFGNode' object has no attribute 'callstack_key'

Long story short, this is what I've tried and this is the error I've got:

In [2]: import angr

In [3]: b = angr.Project('/home/riyad/tmp/coreutils-8.24/src/mkdir', load_options={'auto_load_libs': False})

In [4]: cfg = b.analyses.CFG()

In [5]: cfg.graph.reverse()
---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
<ipython-input-5-7aba54da083a> in <module>()
----> 1 cfg.graph.reverse()

/home/riyad/.virtualenvs/angr/local/lib/python2.7/site-packages/networkx/classes/digraph.pyc in reverse(self, copy)
   1264                               in self.edges(data=True) )
   1265             H.graph=deepcopy(self.graph)
-> 1266             H.node=deepcopy(self.node)
   1267         else:
   1268             self.pred,self.succ=self.succ,self.pred

/usr/lib64/python2.7/copy.pyc in deepcopy(x, memo, _nil)
    161     copier = _deepcopy_dispatch.get(cls)
    162     if copier:
--> 163         y = copier(x, memo)
    164     else:
    165         try:

/usr/lib64/python2.7/copy.pyc in _deepcopy_dict(x, memo)
    255     memo[id(x)] = y
    256     for key, value in x.iteritems():
--> 257         y[deepcopy(key, memo)] = deepcopy(value, memo)
    258     return y
    259 d[dict] = _deepcopy_dict

/usr/lib64/python2.7/copy.pyc in deepcopy(x, memo, _nil)
    188                             raise Error(
    189                                 "un(deep)copyable object of type %s" % cls)
--> 190                 y = _reconstruct(x, rv, 1, memo)
    191 
    192     memo[d] = y

/usr/lib64/python2.7/copy.pyc in _reconstruct(x, info, deep, memo)
    332     if state:
    333         if deep:
--> 334             state = deepcopy(state, memo)
    335         if hasattr(y, '__setstate__'):
    336             y.__setstate__(state)

/usr/lib64/python2.7/copy.pyc in deepcopy(x, memo, _nil)
    161     copier = _deepcopy_dispatch.get(cls)
    162     if copier:
--> 163         y = copier(x, memo)
    164     else:
    165         try:

/usr/lib64/python2.7/copy.pyc in _deepcopy_dict(x, memo)
    255     memo[id(x)] = y
    256     for key, value in x.iteritems():
--> 257         y[deepcopy(key, memo)] = deepcopy(value, memo)
    258     return y
    259 d[dict] = _deepcopy_dict

/usr/lib64/python2.7/copy.pyc in deepcopy(x, memo, _nil)
    188                             raise Error(
    189                                 "un(deep)copyable object of type %s" % cls)
--> 190                 y = _reconstruct(x, rv, 1, memo)
    191 
    192     memo[d] = y

/usr/lib64/python2.7/copy.pyc in _reconstruct(x, info, deep, memo)
    332     if state:
    333         if deep:
--> 334             state = deepcopy(state, memo)
    335         if hasattr(y, '__setstate__'):
    336             y.__setstate__(state)

/usr/lib64/python2.7/copy.pyc in deepcopy(x, memo, _nil)
    161     copier = _deepcopy_dispatch.get(cls)
    162     if copier:
--> 163         y = copier(x, memo)
    164     else:
    165         try:

/usr/lib64/python2.7/copy.pyc in _deepcopy_dict(x, memo)
    255     memo[id(x)] = y
    256     for key, value in x.iteritems():
--> 257         y[deepcopy(key, memo)] = deepcopy(value, memo)
    258     return y
    259 d[dict] = _deepcopy_dict

/usr/lib64/python2.7/copy.pyc in deepcopy(x, memo, _nil)
    188                             raise Error(
    189                                 "un(deep)copyable object of type %s" % cls)
--> 190                 y = _reconstruct(x, rv, 1, memo)
    191 
    192     memo[d] = y

/usr/lib64/python2.7/copy.pyc in _reconstruct(x, info, deep, memo)
    332     if state:
    333         if deep:
--> 334             state = deepcopy(state, memo)
    335         if hasattr(y, '__setstate__'):
    336             y.__setstate__(state)

/usr/lib64/python2.7/copy.pyc in deepcopy(x, memo, _nil)
    161     copier = _deepcopy_dispatch.get(cls)
    162     if copier:
--> 163         y = copier(x, memo)
    164     else:
    165         try:

/usr/lib64/python2.7/copy.pyc in _deepcopy_dict(x, memo)
    255     memo[id(x)] = y
    256     for key, value in x.iteritems():
--> 257         y[deepcopy(key, memo)] = deepcopy(value, memo)
    258     return y
    259 d[dict] = _deepcopy_dict

/usr/lib64/python2.7/copy.pyc in deepcopy(x, memo, _nil)
    161     copier = _deepcopy_dispatch.get(cls)
    162     if copier:
--> 163         y = copier(x, memo)
    164     else:
    165         try:

/usr/lib64/python2.7/copy.pyc in _deepcopy_dict(x, memo)
    255     memo[id(x)] = y
    256     for key, value in x.iteritems():
--> 257         y[deepcopy(key, memo)] = deepcopy(value, memo)
    258     return y
    259 d[dict] = _deepcopy_dict

/home/riyad/tmp/angr/angr/angr/analyses/cfg.pyc in __hash__(self)
    106 
    107     def __hash__(self):
--> 108         return hash((self.callstack_key, self.addr, self.looping_times, self.simprocedure_name))
    109 
    110 class PendingExit(object):

AttributeError: 'CFGNode' object has no attribute 'callstack_key'

Unsupported flag action

I encountered an error at this instruction movsx eax, dl. Is the instruction movsx supported?

In [40]: paths
Out[40]: <PathGroup with 1 errored>

In [41]: print paths.errored[0].error
Unsupported flag action. Please implement or bug Yan.

In [42]: p.factory.block(p1.addr).vex.pp()
IRSB {
   t0:Ity_I32 t1:Ity_I32 t2:Ity_I32 t3:Ity_I32 t4:Ity_I32 t5:Ity_I8 t6:Ity_I1 t7:Ity_I32 t8:Ity_I8 t9:Ity_I32 t10:Ity_I8 t11:Ity_I8 t12:Ity_I32 t13:Ity_I32 t14:Ity_I32 t15:Ity_I32 t16:Ity_I32 t17:Ity_I32 t18:Ity_I32 t19:Ity_I32 t20:Ity_I1 t21:Ity_I32 t22:Ity_I32 t23:Ity_I32 t24:Ity_I32 t25:Ity_I32 t26:Ity_I32

   00 | ------ IMark(0x401a6a, 3, 0) ------
   01 | t8 = GET:I8(edx)
   02 | t7 = 8Sto32(t8)
   03 | ------ IMark(0x401a6d, 3, 0) ------
   04 | t3 = Shl32(t7,0x16)
   05 | t9 = Shl32(t7,0x15)
   06 | PUT(cc_op) = 0x00000018
   07 | PUT(cc_dep1) = t3
   08 | PUT(cc_dep2) = t9
   09 | PUT(cc_ndep) = 0x00000000
   10 | PUT(eax) = t3
   11 | PUT(eip) = 0x00401a70
   12 | ------ IMark(0x401a70, 2, 0) ------
   13 | t25 = x86g_calculate_condition(0x00000004,0x00000018,t3,t9,0x00000000):Ity_I32
   14 | t20 = 32to1(t25)
   15 | if (t20) { PUT(eip) = 0x401a72; Ijk_Boring }
   NEXT: PUT(eip) = 0x00401a74; Ijk_Boring
}

In [43]: paths.errored[0].addr
Out[43]: 0x401a6a

Here is the relevant instruction listing:

00401a67       je      image00400000+0x1a63 (00401a63)         [br=1]
00401a63       jmp     image00400000+0x1a6a (00401a6a)
00401a6a       movsx   eax,dl
00401a6d       shl     eax,16h

Trouble using CFG

>>> import angr
>>> proj = angr.Project('./test')
>>> cfg = proj.analyses.CFG();
No handlers could be found for logger "simuvex.plugins.solver"
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/asdf/angr-master/venv/local/lib/python2.7/site-packages/angr/analysis.py", line 84, in make_analysis
    oself.__init__(*args, **kwargs)
  File "/home/asdf/angr-master/venv/local/lib/python2.7/site-packages/angr/analyses/cfg.py", line 232, in __init__
    self._construct()
  File "/home/asdf/angr-master/venv/local/lib/python2.7/site-packages/angr/analyses/cfg.py", line 335, in _construct
    loaded_state = self.project.factory.entry_state(mode="fastpath")
  File "/home/asdf/angr-master/venv/local/lib/python2.7/site-packages/angr/factory.py", line 145, in entry_state
    return self._project._simos.state_entry(**kwargs)
  File "/home/asdf/angr-master/venv/local/lib/python2.7/site-packages/angr/simos.py", line 201, in state_entry
    state = super(SimLinux, self).state_entry(**kwargs)
  File "/home/asdf/angr-master/venv/local/lib/python2.7/site-packages/angr/simos.py", line 67, in state_entry
    return self.state_blank(**kwargs)
  File "/home/asdf/angr-master/venv/local/lib/python2.7/site-packages/angr/simos.py", line 193, in state_blank
    state.register_plugin('posix', SimStateSystem(fs=fs, concrete_fs=concrete_fs, chroot=chroot))
TypeError: __init__() got an unexpected keyword argument 'chroot'

Recursion limit reached

I was trying VFG analysis. According to #10, I've tried to increase interfunction_level. The code I've tried is vfg = b.analyses.VFG(cfg, interfunction_level=3)

Just last part of the error message:

.....
/home/riyad/tmp/angr/claripy/claripy/backend.pyc in convert(self, expr, result)
    158             # otherwise, resolve it!
    159             if r is None:
--> 160                 r = expr.resolved_with(self, result=result)
    161 
    162             if result is None: self._object_cache[expr._cache_key] = r

/home/riyad/tmp/angr/claripy/claripy/ast/base.pyc in resolved_with(self, b, result)
    394 
    395         #l.debug("trying evaluation with %s", b)
--> 396         return b.call(self, result=result)
    397 
    398     #

/home/riyad/tmp/angr/claripy/claripy/backends/backend_z3.pyc in z3_condom(*args, **kwargs)
     74         try:
     75             args = tuple((int(a) if type(a) is long and a < sys.maxint else a) for a in args)
---> 76             return f(*args, **kwargs)
/home/riyad/tmp/angr/claripy/claripy/backend.pyc in call(self, ast, result)
    192                 r = self._op_expr[ast.op](*ast.args, result=result)
    193             else:
--> 194                 converted = self.convert_list(ast.args, result=result)
    195 
    196                 if ast.op in self._op_raw_result:

/home/riyad/tmp/angr/claripy/claripy/backend.pyc in convert_list(self, args, result)
    168 
    169     def convert_list(self, args, result=None):
--> 170         return [ self.convert(a, result=result) for a in args ]
    171 
    172     #

/home/riyad/tmp/angr/claripy/claripy/backend.pyc in convert(self, expr, result)
    158             # otherwise, resolve it!
    159             if r is None:
--> 160                 r = expr.resolved_with(self, result=result)
    161 
    162             if result is None: self._object_cache[expr._cache_key] = r

/home/riyad/tmp/angr/claripy/claripy/ast/base.pyc in resolved_with(self, b, result)
    394 
    395         #l.debug("trying evaluation with %s", b)
--> 396         return b.call(self, result=result)
    397 
    398     #

/home/riyad/tmp/angr/claripy/claripy/backends/backend_z3.pyc in z3_condom(*args, **kwargs)
     74         try:
     75             args = tuple((int(a) if type(a) is long and a < sys.maxint else a) for a in args)
---> 76             return f(*args, **kwargs)
     77         except z3.Z3Exception as ze:
     78             raise ClaripyZ3Error("Z3Exception: %s" % ze)

/home/riyad/tmp/angr/claripy/claripy/backends/backend_z3.pyc in call(self, *args, **kwargs)
    253     @condom
    254     def call(self, *args, **kwargs):
--> 255         return Backend.call(self, *args, **kwargs)
    256 
    257     @condom

/home/riyad/tmp/angr/claripy/claripy/backend.pyc in call(self, ast, result)
    185             except KeyError: pass
    186 
--> 187         try: return self._object_cache[ast._cache_key]
    188         except KeyError: pass
    189 

/home/riyad/tmp/angr/claripy/claripy/backend.pyc in _object_cache(self)
     61     def _object_cache(self):
     62         try:
---> 63             return self._tls.object_cache
     64         except AttributeError:
     65             self._tls.object_cache = weakref.WeakKeyDictionary()

ClaripyRecursionError: ('Recursion limit reached. I sorry.', <type 'exceptions.RuntimeError'>, RuntimeError('maximum recursion depth exceeded',))

Difference between blocks and basic_blocks

There are two properties in the Function class: blocks and basic_blocks. Printing them both, I see they are the same list of start addresses of basic blocks. What's the difference between Function.blocks and Function.basic_blocks?
