import angr
speed substantiallydep_graph
can now be used to track dependencies between temporaries, constants, guard conditions, and function calls - if you want it!state.heap
plugin which manages the heap (with pluggable heap schemes!) and provides malloc functionality. Thanks @tgduckworth.__version__
variable has been added to all modules.stack_base
kwarg for call_state
is not broken for the first time ever_security_cookie
is initialized for SimWindows. Thanks @zeroSteiner.SimData
. It's a cleaner interface to deal with data imports in CLE -- especially for those data entries that are not imported because of missing or unloaded libraries. This commit fixes long-standing issues #151 and #693.UnresolvableTarget
is now split into two classes: UnresolvableJumpTarget
and UnresolvableCallTarget
. Thanks @Kyle-Kyle.p = angr.Project("cfg_loop_unrolling", auto_load_libs=False); p.analyses.CFG(); print(p.analyses.Decompiler(p.kb.functions['test_func']).codegen.text)
.SimAction
s now have incrementing IDs. Thanks @bannsec.ANA
, angr's old identity-aware serialization backend, has been removed. Instead of non-obvious serialization behavior, all angr objects should now be pickleable. If one is not, please file an issue. For use-cases that require identity-awareness (i.e., deduplicating ASTs across states serialized at different times), an angr.vaults
module has been introduced.SYMBOL_FILL_UNCONSTRAINED_REGISTERS
and SYMBOL_FILL_UNCONSTRAINED_MEMORY
state options to silence them.func_ty
argumentdescribe_addr
will work on them. Additionally, the representation for SimProcedure (appearing in history.descriptions
and project._sim_procedures
among other places) has been improved to show this information.save_unconstrained
flag of Simulation Manager is now on by default'unsat'
stash regardless of the save_unsat
setting, since this usually indicates a bug. Add unsat
to the auto_drop
parameter to restore the old behavior.object.symbols_by_addr
(dict) and add object.symbols
(sorted list); add fuzzy
parameter to loader.find_symbol
LoopLimiter
and DFG
.CFGAccurate
can now leverage indirect jump resolvers to resolve indirect jumps.PluginHub
is added. Plugins (analyses, engines) are refactored to be based on PluginHub
.state.options
is no longer a set of strings.PRODUCE_ZERODIV_SUCCESSORS
to generate divide-by-zero successors.ManualMergepoint
exploration technique for when veritesting is too mysterious for your tastesLoopSeer
exploration technique for managing loops during symbolic exploration (credit @tyb0807)ProxyTechnique
exploration technique for easily composing simple lambda-based instrumentations (credit @danse-macabre)state.solver.BVS
now can take a key
parameter, which describes its meaning in relation to the emulated environment. You can then use state.solver.get_variables(...)
and state.solver.describe_variables(...)
to map tags and ASTs to and from each other. Check out the API docs!project.simos
instead of project._simos
. Additionally, the SimOS code structure has been shuffled around a bit - it's now a subpackage instead of a submodule.byte_width
parameter and angr supports emulation of platforms with non-octet bytes, lord help ushistory
state pluginstate.solver
interface has been cleaned up drasticallystate.regs.eflags
on x86 and state.regs.flags
on ARM (partial credit @tyb0807)angr.SimOS.handle_exception
for detailscle.Loader.dynamic_load
and angr.procedures.win32.dynamic_loading
for details.ForwardAnalysis
class. Additionally, a few exemplary data-flow analyses, like VariableRecovery
and VariableRecoveryFast
, have been implemented in angr.CFGUtils
, which resulted in suboptimal graph node ordering after sorting.LAZY_SOLVES
is no longer enabled by default during symbolic execution. It's still there if it's wanted, but it just caused confusion when on by default.process
function that, from an input state, produces a SimSuccessors instance containing lists of different successor states (normal, unsat, unconstrained, etc) and any engine-specific artifacts (such as the VEX statements. Take a look at successors.artifacts
).state.mem[x:] = y
now requires a type for storage (for example state.mem[x:].dword = y
).execute()
on it and pass in a program state as well as the arguments.SimRegNameView
(like state.regs.eax
) always triggers SimInspect breakpoints and creates new actions. Now you can access a register by prefixing its name with an underscore (e.g. state.regs._eax
or state._ip
) to avoid triggering breakpoints or creating actions.project._sim_procedures
dict.max_size
and changed it to to size
in the angr.Block
constructor (i.e., the argument to project.factory.block
and more upstream methods (path.step
, path_group.step
, etc).project.factory.sim_run
and changed it to to project.factory.successors
, and it now generates a SimSuccessors
object.project.factory.sim_block
has been deprecated and replaced with project.factory.successors(default_engine=True)
.project._simos.syscall_table
. This will be made "public" after a usability refactor. If you were using project.is_hooked(addr)
to see if an address has a related SimProcedure, now you probably want to check if there is a related syscall as well (using project._simos.syscall_table.get_by_addr(addr) is not None
).unsat_core()
to get the core of unsatness of constraints. It is in fact a thin wrapper of the unsat_core()
function provided by Z3. Also a new state option CONSTRAINT_TRACKING_IN_SOLVER
is added to SimuVEX. That state option must be enabled if you want to use unsat_core()
on any state.SimMemory.load()
and SimMemory.store()
now takes a new parameter disable_actions
. Setting it to True will prevent any SimAction creation.len()
on path trace
or addr_trace
is made much faster.BackwardSlicing
is temporarily disabled. It will be re-enabled once all DDG-related refactor are merged to master.unicorn
is now a dependency for simuvex
.Disassembly
. The new Disassembly analysis provides an easy-to-use interface to render assembly of functions.ForwardAnalysis
may prematurely terminate while there are still un-processed jobs.CFGFast
.VFG
. Bring back widening support. Fix the issue that VFG
may not terminate under certain cases. Implement a new graph traversal algorithm to have an optimal traversal order. Allow state merging at non-merge-points, which allows faster convergence.SimAbstractMemory
to SimMemory
. This will allow an easier conversion between SimAbstractMemory
and SimSymbolicMemory
, which is to say, conversion between symbolic states and static states is now possible.unsat_core
in Z3. It returns a set of constraints that led to unsatness of the constraint set on the current state.branch_delay_slot
for each architecture. It is set to True on MIPS32.data_graph
and simplified_data_graph
on a DDG object!simuvex.o.STRICT_PAGE_ACCESS
will cause a SimSegfaultError
to be raised whenever the guest reads/writes/executes memory that is either unmapped or doesn't have the appropriate permissions.support_selfmodifying_code
project option is changed: Before, this would allow the state to be used as a fallback source of instruction bytes when no backer from CLE is available. Now, this option makes instruction lifting use the state as the source of bytes always. When the option is disabled and execution jumps outside the normal binary, the state will be used automatically.base_graph
keyword to its constructor, e.g. CFGFast().graph
, or even .graph
of a function, to use as a base for analysis.find
and avoid
parameters to the Explorer otiegnqwvk are resolved correctly. (credit clslgrnc)StaticHooker
which hooks library functions in unstripped statically linked binaries.Lifter
can be used without creating an angr Project. You must manually specify the architecture and bytestring in calls to .lift()
and .fresh_block()
. If you like, you can also specify the architecture as a parameter to the constructor and omit it from the lifting calls.CFGFast
and CFGAccurate
in order to have better and faster CFG recovery. The two biggest changes in CFGFast
are jump table resolution and data references collection, respectively. Now CFGFast
resolves indirect jumps by default. You may get a list of indirect jumps recovered in CFGFast
by accessing the indirect_jumps
attribute. For many cases, it resolves the jump table accurately. Data references collection is still in alpha mode. To test data references collection, just pass collect_data_references=True
when creating a fast CFG, and access the memory_data
attribute after the CFG is constructed.__div__
was not always doing unsigned division, and added new methods SDiv
and SMod
for signed division and signed remainder, respectively.claripy.frontends
), and additional functionality (such as caching, deciding when to simplify, etc) is handled by frontend mixins (in claripy.frontend_mixins
). This makes it considerably easier to customize solvers to your specific needE. For examples, look at claripy/solver.py
.simuvex.procedures.syscalls.handler
. Instead, syscalls are now handled by angr.SimOS.handle_syscall()
. Previously, the address of a syscall SimProcedure is the address right after the syscall instruction (e.g. int 80h
), which collides with the real basic block starting at that address, and is very confusing. Now each syscall SimProcedure has its own address, just as a normal SimProcedure. To support this, there is another region mapped for the syscall addresses, Project._syscall_obj
.CFGFast
.claripy.Annotation
and claripy.Backend.apply_annotation
.call_state
. Comes with a refactor to SimCC
, a refactor to callable
, and the removal of PathGroup.call
. All these changes are thoroughly documented, in angr-doc/docs/structured_data.md
SimType
to make it easier to use types - they can be instanciated without a SimState and one can be added later. Comes with some usability improvements to SimMemView. Also, there's a better wrapper around PyCParser for generating SimType instances from c declarations and definitions. Again, thoroughly documented, still in the structured data doc.CFG
is now an alias to CFGFast
instead of CFGAccurate
. In general, CFGFast
should work under most cases, and it's way faster than CFGAccurate
. We believe such a change is necessary, and will make angr more approachable to new users. You will have to change your code from CFG
to CFGAccurate
if you are relying on specific functionalities that only exist in CFGAccurate
, for example, context-sensitivity and state-preserving. An exception will be raised by angr if any parameter passed to CFG
is only supported by CFGAccurate
. For more detailed explanation, please take a look at the documentation of angr.analyses.CFG
.IRExpr
, IRStmt
, and IRConst
modules no longer exist as submodules, and those module names are deprecated. Use pyvex.expr
, pyvex.stmt
, and pyvex.const
if you need to access the members of those modules.pyvex.IRSB
(the required ones) have been changed. If you were passing the positional args to IRSB as keyword args, consider switching to positional args. The order is data
, mem_addr
, arch
.sargc
to the entry_state
and full_init_state
constructors has been removed and replaced with an argc
parameter. sargc
predates being able to have claripy ASTs independent from a solver. The new system is to pass in the exact value, ast or integer, that you'd like to have as the guest program's arg count.stream.read()
and stream.seek()
can be passed in wherever a filepath is expected.project.kb
. Over time, this knowledge base will be expanded in the course of any analysis or symbolic execution, so angr is constantly learning more information about the program it is analyzing.claripy.backend_concrete
is now claripy.backends.concrete
, claripy.backend_vsa
is now claripy.backends.vsa
, and so on.project.hook
, even if those addresses are not the beginning of a basic block.keep_input_state
has been renamed to keep_state
. With this option enabled, both input and final states are kept.cfg_node
and stmt_id
of BackwardSlicing
have been deprecated. Instead, BackwardSlicing
takes a single argument, targets
. This means that we now support slicing from multiple sources.