Welcome to angr’s documentation!¶
Welcome to angr’s documentation! This documentation is intended to be a guide for learning angr, as well as a reference for the API. If you’re new to angr,
The angr team maintains a number of libraries that are used as part of angr. These libraries are:
archinfo - Information about CPU architectures
pyvex - Python bindings to the VEX IR
pypcode - Python bindings to the Pcode IR
cle - Many-platform binary loader
claripy - Solver abstraction layer
angr also has a GUI! Check out angr-management.
- Introduction
- Getting Started
- Core Concepts
- Build-in Analyses
- Advanced Topics
- Gotchas when using angr
- Understanding the Execution Pipeline
- What’s Up With Mixins, Anyway?
- Optimization considerations
- Working with File System, Sockets, and Pipes
- Intermediate Representation
- Working with Data and Conventions
- Solver Engine
- Symbolic memory addressing
- Java Support
- Debug variable resolution
- Variable visibility
- Extending angr
- angr examples
- Frequently Asked Questions
- Why is it named angr?
- How should “angr” be stylized?
- Why isn’t symbolic execution doing the thing I want?
- How can I get diagnostic information about what angr is doing?
- Why is angr so slow?
- How do I find bugs using angr?
- Why did you choose VEX instead of another IR (such as LLVM, REIL, BAP, etc)?
- Why are some ARM addresses off-by-one?
- How do I serialize angr objects?
- What does
UnsupportedIROpError("floating point support disabled")mean? - Why is angr’s CFG different from IDA’s?
- Why do I get incorrect register values when reading from a state during a SimInspect breakpoint?
- Appendix
- API Reference
Analysis.errorsBlock.BLOCK_MAX_SIZEEmulatorStopReason.INSTRUCTION_LIMITEmulatorStopReason.BREAKPOINTEmulatorStopReason.NO_SUCCESSORSEmulatorStopReason.MEMORY_ERROREmulatorStopReason.FAILUREEmulatorStopReason.EXITSimCC.ARG_REGSSimCC.FP_ARG_REGSSimCC.STACKARG_SP_BUFFSimCC.STACKARG_SP_DIFFSimCC.CALLER_SAVED_REGSSimCC.RETURN_ADDRSimCC.RETURN_VALSimCC.OVERFLOW_RETURN_VALSimCC.FP_RETURN_VALSimCC.ARCHSimCC.EXTRA_ARCHESSimCC.CALLEE_CLEANUPSimCC.STACK_ALIGNMENTSimError.bbl_addrSimError.stmt_idxSimError.ins_addrSimError.executed_instruction_countSimError.guardSimFileBase.seekableSimFileBase.posSimProcedure.NO_RETSimProcedure.DYNAMIC_RETSimProcedure.ADDS_EXITSSimProcedure.IS_FUNCTIONSimProcedure.ARGS_MISMATCHSimProcedure.ALT_NAMESSimProcedure.local_varsSimStatePlugin.STRONGREF_STATESimulationManager.ALLSimulationManager.DROP- angr.ail_callable
- angr.ailment
- angr.analyses
- angr.angrdb
- angr.annocfg
- angr.blade
- angr.block
- angr.callable
- angr.calling_conventions
- angr.code_location
- angr.codenode
- angr.concretization_strategies
- angr.distributed
- angr.emulator
- angr.engines
- angr.errors
- angr.exploration_techniques
- angr.factory
- angr.flirt
- angr.keyed_region
- angr.knowledge_base
- angr.knowledge_plugins
- angr.llm_client
- angr.llm_models
- angr.mcp
- angr.misc
- angr.procedures
- angr.project
- angr.protos
- angr.rust
- angr.rustylib
- angr.serializable
- angr.sim_manager
- angr.sim_options
- angr.sim_procedure
- angr.sim_state
- angr.sim_state_options
- angr.sim_type
- angr.sim_variable
- angr.simos
- angr.slicer
- angr.state_hierarchy
- angr.state_plugins
- angr.storage
- angr.tablespecs
- angr.utils
- angr.vaults