How to use the angr.options function in angr
To help you get started, we’ve selected a few angr examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
angr / angr / tests / test_unicorn.py View on Github 
def run_longinit(arch):
p = angr.Project(os.path.join(test_location, 'binaries', 'tests', arch, 'longinit'))
s_unicorn = p.factory.entry_state(add_options=so.unicorn, remove_options={so.SHORT_READS})
pg = p.factory.simulation_manager(s_unicorn, save_unconstrained=True, save_unsat=True)
pg.explore()
s = pg.deadended[0]
(first, _), (second, _) = s.posix.stdin.content
s.add_constraints(first == s.solver.BVV(b'A'*9))
s.add_constraints(second == s.solver.BVV(b'B'*9))
nose.tools.assert_equal(s.posix.dumps(1), b"You entered AAAAAAAAA and BBBBBBBBB!\n")def test_cfg_6():
function_addresses = [0xfa630, 0xfa683, 0xfa6d4, 0xfa707, 0xfa754, 0xfa779, 0xfa7a9, 0xfa7d6, 0xfa844, 0xfa857,
0xfa8d9, 0xfa92f, 0xfa959, 0xfa9fb, 0xfabd6, 0xfac61, 0xfacc2, 0xfad29, 0xfaf94, 0xfbd07,
0xfc100, 0xfc101, 0xfc14f, 0xfc18e, 0xfc25e, 0xfc261, 0xfc3c6, 0xfc42f, 0xfc4a3, 0xfc4cf,
0xfc4db, 0xfc5ba, 0xfc5ef, 0xfc5fe, 0xfc611, 0xfc682, 0xfc6b7, 0xfc7fc, 0xfc8a8, 0xfc8e7,
0xfcb42, 0xfcb50, 0xfcb72, 0xfcc3b, 0xfcc7a, 0xfcc8b, 0xfccdc, 0xfd1a3, 0xff06e]
# We need to add DO_CCALLS to resolve long jmp and support real mode
o.modes['fastpath'] |= {o.DO_CCALLS}
binary_path = test_location + "/i386/bios.bin.elf"
proj = angr.Project(binary_path,
use_sim_procedures=True,
page_size=1)
cfg = proj.analyses.CFGEmulated(context_sensitivity_level=1, fail_fast=True) # pylint:disable=unused-variable
nose.tools.assert_greater_equal(set(f for f in proj.kb.functions), set(function_addresses))
o.modes['fastpath'] ^= {o.DO_CCALLS}def test_concrete_engine_linux_x86_unicorn_simprocedures():
global avatar_gdb
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=True)
entry_state = p.factory.entry_state(add_options=angr.options.unicorn)
entry_state.options.add(angr.options.SYMBION_SYNC_CLE)
entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)
solv_concrete_engine_linux_x86(p, entry_state)def run_similarity(binpath, depth, prehook=None):
b = angr.Project(os.path.join(test_location, binpath))
cc = b.analyses.CongruencyCheck(throw=True)
cc.set_state_options(
left_add_options=so.unicorn,
left_remove_options={so.LAZY_SOLVES, so.TRACK_MEMORY_MAPPING, so.COMPOSITE_SOLVER},
right_add_options={so.INITIALIZE_ZERO_REGISTERS},
right_remove_options={so.LAZY_SOLVES, so.TRACK_MEMORY_MAPPING, so.COMPOSITE_SOLVER}
)
if prehook:
cc.simgr = prehook(cc.simgr)
cc.run(depth=depth)def test_concrete_engine_linux_x86_unicorn_simprocedures():
#print("test_concrete_engine_linux_x86_unicorn_simprocedures")
global avatar_gdb
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=True)
entry_state = p.factory.entry_state(add_options=angr.options.unicorn)
solv_concrete_engine_linux_x86(p, entry_state)def perf_unicorn_0():
p = angr.Project(os.path.join(test_location, 'binaries', 'tests', 'x86_64', 'perf_unicorn_0'))
s_unicorn = p.factory.entry_state(add_options=so.unicorn | {so.STRICT_PAGE_ACCESS}, remove_options={so.LAZY_SOLVES}) # unicorn
sm_unicorn = p.factory.simulation_manager(s_unicorn)
start = time.time()
sm_unicorn.run()
elapsed = time.time() - start
print("Elapsed %f sec" % elapsed)
print(sm_unicorn.one_deadended)def test_concrete_engine_windows_x86_no_simprocedures():
global avatar_gdb
#print("test_concrete_engine_windows_x86_no_simprocedures")
try:
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=False,
page_size=0x1000)
entry_state = p.factory.entry_state()
entry_state.options.add(angr.options.SYMBION_SYNC_CLE)
entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)
solv_concrete_engine_windows_x86(p, entry_state)
except ValueError:
#print("Failing executing test")
passdef _full_code_scan(self):
"""
Perform a full code scan on the target binary.
"""
# We gotta time this function
start_time = datetime.now()
traced_address = set()
self.functions = set()
self.call_map = networkx.DiGraph()
self.cfg = networkx.DiGraph()
initial_state = self.project.factory.blank_state(mode="fastpath")
initial_options = initial_state.options - {o.TRACK_CONSTRAINTS} - o.refs
initial_options |= {o.SUPER_FASTPATH}
# initial_options.remove(o.COW_STATES)
initial_state.options = initial_options
# Sadly, not all calls to functions are explicitly made by call
# instruction - they could be a jmp or b, or something else. So we
# should record all exits from a single function, and then add
# necessary calling edges in our call map during the post-processing
# phase.
function_exits = defaultdict(set)
widgets = [progressbar.Percentage(),
' ',
progressbar.Bar(marker=progressbar.RotatingMarker()),
' ',
progressbar.Timer(),
' ',
progressbar.ETA()def main():
project = angr.Project('./unmap', load_options={"auto_load_libs": False})
state = project.factory.entry_state(add_options={angr.options.STRICT_PAGE_ACCESS})
simulation_manager = project.factory.simulation_manager(state)
# (•_•) ( •_•)>⌐■-■ (⌐■_■)
simulation_manager.explore()
keys = []
for deadended in simulation_manager.deadended:
print("Valid memory access triggered by %s" % repr(deadended.posix.dumps(0)))
for errored in simulation_manager.errored:
stdin = errored.state.posix.dumps(0)
keys.append(stdin)
print("%s caused by %s" % (errored.error, repr(stdin)))print(o, len(all_checkers))
# parse basic blocks in this function to figure out the char offset
char_offset = None
for block in check_func.blocks:
for insn in block.capstone.insns:
if insn.mnemonic == 'mov' and \
insn.operands[0].type == 3 and \
insn.operands[0].mem.base == capstone.x86_const.X86_REG_R12 and \
insn.operands[0].mem.disp == 0x10:
char_offset = insn.operands[1].imm
break
if char_offset is not None:
break
state = p.factory.blank_state(addr=check_func.addr, add_options={angr.options.LAZY_SOLVES, angr.options.NO_SYMBOLIC_JUMP_RESOLUTION})
char = state.solver.BVS("chr", 64)
# rsi is a2
state.regs.rsi = state.solver.BVV(0xd000000, 64)
state.memory.store(0xd000000, state.solver.BVV(0xd000010, 64), endness='Iend_LE')
state.memory.store(0xd000010 + 16, state.solver.BVV(0xd000040, 64), endness='Iend_LE')
state.memory.store(0xd000040 + 8, char, endness='Iend_LE')
sm = p.factory.simulation_manager(state)
sm.explore(avoid=(c_mutate_slot,))
the_char = None
for state in sm.deadended:
if not state.satisfiable():
continueangr
A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries
Package Health Score
88 / 100Popular angr functions
- angr.analyses.AnalysesHub.register_default
- angr.analyses.identifier.func.TestData
- angr.errors
- angr.errors.AngrError
- angr.errors.SimMemoryError
- angr.errors.SimMergeError
- angr.errors.SimValueError
- angr.exploration_techniques
- angr.options
- angr.Project
- angr.sim_options
- angr.SIM_PROCEDURES
- angr.sim_state.SimState
- angr.sim_state.SimState.register_default
- angr.sim_type.SimTypeInt
- angr.SimProcedure
- angr.SimState
- angr.state_plugins.plugin.SimStatePlugin
- angr.state_plugins.sim_action.SimActionData
- angr.storage.memory_object.SimMemoryObject