How to use the angr.exploration_techniques function in angr
To help you get started, we’ve selected a few angr examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
angr / angr-targets / tests / test_concrete_packed_elf64.py View on Github 
def execute_concretly(p, state, address, memory_concretize=[], register_concretize=[], timeout=0):
simgr = p.factory.simgr(state)
simgr.use_technique(angr.exploration_techniques.Symbion(find=[address], memory_concretize=memory_concretize,
register_concretize=register_concretize, timeout=timeout))
exploration = simgr.run()
return exploration.stashes['found'][0]def test_basic():
project = angr.Project(_bin('tests', 'cgc', 'sc2_0b32aa01_01'))
state = project.factory.entry_state()
spiller = angr.exploration_techniques.Spiller(pickle_callback=pickle_callback, unpickle_callback=unpickle_callback)
spiller._pickle([state])
del state
gc.collect()
state = spiller._unpickle(1)[0]
assert state.globals['pickled']
assert state.globals['unpickled']def execute_concretly(p, state, address, memory_concretize=[], register_concretize=[], timeout=0):
simgr = p.factory.simgr(state)
simgr.use_technique(angr.exploration_techniques.Symbion(find=[address], memory_concretize=memory_concretize,
register_concretize=register_concretize, timeout=timeout))
exploration = simgr.run()
return exploration.stashes['found'][0]def execute_concretly(p, state, address, concretize):
simgr = p.factory.simgr(state)
simgr.use_technique(angr.exploration_techniques.Symbion(find=[address], concretize=concretize))
exploration = simgr.run()
return exploration.stashes['found'][0]def execute_concretly(p, state, address, memory_concretize=[], register_concretize=[], timeout=0):
simgr = p.factory.simgr(state)
simgr.use_technique(angr.exploration_techniques.Symbion(find=[address], memory_concretize=memory_concretize,
register_concretize=register_concretize, timeout=timeout))
exploration = simgr.run()
return exploration.stashes['found'][0]def test_cromu_70():
p = angr.Project(os.path.join(test_location, 'binaries', 'tests', 'cgc', 'CROMU_00070'))
inp = bytes.fromhex("030e000001000001001200010000586d616ce000000600030000040dd0000000000600000606000006030e000001000001003200010000586d616ce0030000000000030e000001000001003200010000586d616ce003000000000006000006030e000001000001003200010000586d616ce0030000df020000")
s = p.factory.full_init_state(
add_options={ angr.options.UNICORN },
remove_options={ angr.options.LAZY_SOLVES, angr.options.SUPPORT_FLOATING_POINT },
stdin=inp
)
#import traceit
pg = p.factory.simulation_manager(s)
pg.use_technique(angr.exploration_techniques.Oppologist())
pg.run(n=50)
assert pg.one_active.history.block_count > 1500def execute_concretly(p, state, address, memory_concretize=[], register_concretize=[], timeout=0):
simgr = p.factory.simgr(state)
simgr.use_technique(angr.exploration_techniques.Symbion(find=[address], memory_concretize=memory_concretize,
register_concretize=register_concretize, timeout=timeout))
exploration = simgr.run()
return exploration.stashes['found'][0]def execute_concretly(p, state, address, concretize):
simgr = p.factory.simgr(state)
simgr.use_technique(angr.exploration_techniques.Symbion(find=[address], concretize=concretize))
exploration = simgr.run()
return exploration.stashes['found'][0]def run_veritesting_b(arch):
#logging.getLogger('angr.analyses.sse').setLevel(logging.DEBUG)
proj = angr.Project(os.path.join(location, arch, "veritesting_b"),
load_options={'auto_load_libs': False},
use_sim_procedures=True
)
ex = proj.factory.simulation_manager()
ex.use_technique(angr.exploration_techniques.Veritesting(enable_function_inlining=True))
ex.explore(find=addresses_veritesting_b[arch])
nose.tools.assert_not_equal(len(ex.found), 0)
# Make sure the input makes sense
for f in ex.found:
input_str = f.plugins['posix'].dumps(0)
nose.tools.assert_equal(input_str.count(b'B'), 35)stdout=SimFileStream('stdout'),
stderr=SimFileStream('stderr')))
# Create the preconstrainer plugin
state.register_plugin('preconstrainer', SimStatePreconstrainer())
state.preconstrainer.preconstrain_flag_page(self._runner.magic)
state.preconstrainer.preconstrain_file(self.payload, state.posix.stdin)
# Set up zen
ZenPlugin.prep_tracer(state)
ChallRespInfo.prep_tracer(state, format_infos)
self._simgr = self.project.factory.simulation_manager(state, save_unsat=True, hierarchy=False, save_unconstrained=self._runner.crash_mode)
self._t = angr.exploration_techniques.Tracer(trace=self._runner.trace, resiliency=False)
self._simgr.use_technique(self._t)
self._simgr.use_technique(angr.exploration_techniques.Oppologist())
assert self.causes_leak(), "challenge did not cause leak when trying to recover challenge-response"
return self.attempt_pov(enabled_chall_resp=True)angr
A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries
Package Health Score
88 / 100Popular angr functions
- angr.analyses.AnalysesHub.register_default
- angr.analyses.identifier.func.TestData
- angr.errors
- angr.errors.AngrError
- angr.errors.SimMemoryError
- angr.errors.SimMergeError
- angr.errors.SimValueError
- angr.exploration_techniques
- angr.options
- angr.Project
- angr.sim_options
- angr.SIM_PROCEDURES
- angr.sim_state.SimState
- angr.sim_state.SimState.register_default
- angr.sim_type.SimTypeInt
- angr.SimProcedure
- angr.SimState
- angr.state_plugins.plugin.SimStatePlugin
- angr.state_plugins.sim_action.SimActionData
- angr.storage.memory_object.SimMemoryObject