angr Documentation
Search…
Migrating to angr 8
angr has moved from python 2 to python 3! We took this opportunity of a major version bump to make a few breaking API changes that improve quality-of-life.
What do I need to know for migrating my scripts to python 3?
To begin, just the standard py3k changes, the relevant parts of which we'll rehash here as a reference guide:
- Strings and bytestrings
- Strings are now unicode by default, a new
bytestype holds bytestrings - Bytestring literals can be constructued with the b prefix, like
b'ABCD' - Conversion between strings and bytestrings happens with
.encode()and.decode(), which use utf-8 as a default. Thelatin-1codec will map byte values to their equivilant unicode codepoints - The
ord()andchr()functions operate on strings, not bytestrings - Enumerating over or indexing into bytestrings produces an unsigned 8 bit integer, not a 1-byte bytestring
- Bytestrings have all the string manipulation functions present on strings, including
join,upper/lower,translate, etc hexandbase64are no longer string encoding codecs. For hex, usebytes.fromhex()andbytes.hex(). For base64 use thebase64module.
- Builtin functions
printandexecare now builtin functions instead of statements- Many builtin functions previously returning lists now return iterators, such as
map,filter, andzip.reduceis no longer a builtin; you have to import it fromfunctools.
- Numbers
- The
/operator is explicitly floating-point division, the//operator is expliclty integer division. The magic functions for overriding these ops are__truediv__and__floordiv__ - The int and long types have been merged, there is only int now
- Dictionary objects have had their
.iterkeys,.itervalues, and.iteritemsmethods removed, and then non-iter versions have been made to return efficient iterators - Comparisons between objects of very different types (such as between strings and ints) will raise an exception
In terms of how this has affected angr, any string that represents data from the emulated program will be a bytestring. This means that where you previously said
state.solver.eval(x, cast_to=str) you should now say cast_to=bytes. When creating concrete bitvectors from strings (including implicitly by just making a comparison against a string) these should be bytestrings. If they are not they will be utf-8 converted and a warning will be printed. Symbol names should be unicode strings.For division, however, ASTs are strongly typed so they will treat both division operators as the kind of division that makes sense for their type.
Clemory API changes
The memory object in CLE (project.loader.memory, not state.memory) has had a few breaking API changes since the bytes type is much nicer to work with than the py2 string for this specific case, and the old API was an inconsistent mess.
Before
After
memory.read_bytes(addr, n) -> list[str]memory.load(addr, n) -> bytesmemory.write_bytes(addr, list[str])memory.store(addr, bytes)memory.get_byte(addr) -> strmemory[addr] -> intmemory.read_addr_at(addr) -> intmemory.unpack_word(addr) -> intmemory.write_addr_at(addr, value) -> intmemory.pack_word(addr, value)memory.stride_repr -> list[(start, end, str)]memory.backers() -> iter[(start, bytearray)]Additionally,
pack_word and unpack_word now take optional size, endness, and signed parameters. We have also added memory.pack(addr, fmt, *data) and memory.unpack(addr, fmt), which take format strings for use with the struct module.If you were using the
cbackers or read_bytes_c functions, the conversion is a little more complicated - we were able to remove the split notion of "backers" and "updates" and replaced all backers with bytearrays that we mutate, so we can work directly with the backer objects. The backers() function iterates through all bottom-level backer objects and their start addresses. You can provide an optional address to the function, and it will skip over all backers that end before that address.Here is some sample code for producing a C-pointer to a given address:
1
import cffi, cle
2
ffi = cffi.FFI()
3
ld = cle.Loader('/bin/true')
4
​
5
addr = ld.main_object.entry
6
try:
7
backer_start, backer = next(ld.memory.backers(addr))
8
except StopIteration:
9
raise Exception("not mapped")
10
​
11
if backer_start > addr:
12
raise Exception("not mapped")
13
​
14
cbacker = ffi.from_buffer(backer)
15
addr_pointer = cbacker + (addr - backer_start)
Copied!
You should not have to use this if you aren't passing the data to a native library - the normal load methods should now be more than fast enough for intensive use.
CLE symbols changes
Previously, your mechanisms for looking up symbols by their address were
loader.find_symbol() and object.symbols_by_addr, where there was clearly some overlap. However, symbols_by_addr stayed because it was the only way to enumerate symbols in an object. This has changed! symbols_by_addr is deprecated and here is now object.symbols, a sorted list of Symbol objects, to enumerate symbols in a binary.Additionally, you can now enumerate all symbols in the entire project with
loader.symbols. This change has also enabled us to add a fuzzy parameter to find_symbol (returns the first symbol before the given address) and make the output of loader.describe_addr much nicer (shows offset from closest symbol).Deprecations and name changes
- All parameters in cle that started with
custom_- so,custom_base_addr,custom_entry_point,custom_offset,custom_arch, andcustom_ld_path- have had thecustom_removed from the beginning of their names. - All the functions that were deprecated more than a year ago (at or before the angr 7 release) have been removed.
state.sehas been deprecated. You should have been usingstate.solverfor the past few years.- Support for immutable simulation managers has been removed. So far as we're aware, nobody was actually using this, and it was making debugging a pain.
Last modified 1mo ago