Angr Cheat Sheet

Last modified: 2024-02-18

Reverse Engineering

angr is a binary analysis platform for Python.

Installation

It’s recommended to create a Python virtual environment.

# Create an isolated environment so angr's pinned dependencies do not
# collide with system-wide packages, then activate it in this shell.
python3 -m venv ./myenv
. ./myenv/bin/activate

# angr itself, plus monkeyhex (makes IPython echo integers such as
# addresses in hexadecimal).
pip3 install angr
pip3 install monkeyhex

Basic Usage

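import angr
import monkeyhex  # makes IPython echo integers (addresses) in hex

# Load a binary. angr parses the file and lifts its code to an IR; it does not
# run the program natively. Unknown samples are still untrusted input, so
# analyse them in an isolated environment. The second form replaces the first
# and skips loading shared libraries: imported functions are then handled by
# angr's built-in summaries (SimProcedures), which keeps the analysis small.
proj = angr.Project('/bin/id')
proj = angr.Project('/bin/id', load_options={'auto_load_libs': False})

# Basic information
proj.arch      # architecture description of the main binary
proj.entry     # entry point address
proj.filename  # path the Project was created from

# The loader (CLE): every object mapped into the simulated address space
proj.loader
proj.loader.all_objects
proj.loader.shared_objects  # loaded shared libraries, keyed by name
proj.loader.min_addr
proj.loader.max_addr

# Objects
obj = proj.loader.main_object
obj.entry
obj.min_addr, obj.max_addr
addr = obj.plt['strcmp']  # address of the PLT stub for strcmp
obj.reverse_plt[addr]     # ... and back from a stub address to its symbol name
                          # (the original cheat sheet's `reserve_plt` does not exist)

# Blocks
block = proj.factory.block(proj.entry)  # basic block starting at the entry point
block.pp()               # pretty-print a disassembly to stdout
block.instructions       # the number of instructions
block.instruction_addrs  # their addresses

# States
state = proj.factory.entry_state()
state.regs.rip  # current instruction pointer (register names are per-arch; rip/rax are x86-64)
state.regs.rax
state.mem[proj.entry].int.resolved  # read memory at the entry point as an int, concretised

# Simulation Managers
simgr = proj.factory.simulation_manager(state)
simgr.active              # states that are still being executed
simgr.active[0].regs.rip
simgr.step()              # advance every active state by one basic block

# Analyses
# proj.analyses.<Tab>     # press Tab in IPython to list the available analyses
cfg = proj.analyses.CFGFast()  # e.g. recover the control-flow graph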

Binary Exploitation

import angr

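def main(binary='./example'):
    """Symbolically explore *binary* until its stdout contains b'Success'.

    Args:
        binary: path of the program to analyse (default './example').

    Returns:
        The concrete stdin bytes (fd 0) of the first state that reached the
        success message, i.e. the input that steers the program there.

    Raises:
        RuntimeError: if exploration finishes without reaching such a state
            (the original indexed ``simgr.found[0]`` blindly and failed with
            an unhelpful IndexError).
    """
    # Skip loading shared libraries: imported functions are replaced by angr's
    # built-in summaries (SimProcedures), which keeps the state space small.
    proj = angr.Project(binary, load_options={'auto_load_libs': False})

    def stdout_contains(state, needle):
        # fd 1 is the simulated stdout. dumps() can raise on states whose
        # output cannot be concretised yet; such states are treated as
        # "no match" rather than aborting the exploration. Catching Exception
        # (not bare except) still lets KeyboardInterrupt/SystemExit through.
        try:
            return needle in state.posix.dumps(1)
        except Exception:
            return False

    def correct(state):
        return stdout_contains(state, b'Success')

    def wrong(state):
        return stdout_contains(state, b"Failed")

    # No explicit state: the manager starts from the default entry state.
    simgr = proj.factory.simulation_manager()
    simgr.explore(find=correct, avoid=wrong)
    if not simgr.found:
        raise RuntimeError(
            'explore() finished without reaching a state whose stdout contains b"Success"'
        )
    # fd 0 is the simulated stdin: the input that reaches the success path.
    return simgr.found[0].posix.dumps(0)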

if __name__ == "__main__":
    # Script entry point: recover the input that reaches the success
    # message and echo it to the terminal.
    recovered_input = main()
    print(recovered_input)