Welcome to angr’s documentation!#
Welcome to angr’s documentation! This documentation is intended to be a guide for learning angr, as well as a reference for the API. If you’re new to angr,
The angr team maintains a number of libraries that are used as part of angr. These libraries are:
archinfo - Information about CPU architectures
pyvex - Python bindings to the VEX IR
pypcode - Python bindings to the Pcode IR
ailment - angr’s high-level intermediate language
cle - Many-platform binary loader
claripy - Solver abstraction layer
- Getting Started
- Core Concepts
- Build-in Analyses
- Advanced Topics
- Gotchas when using angr
- Understanding the Execution Pipeline
- What’s Up With Mixins, Anyway?
- Optimization considerations
- Working with File System, Sockets, and Pipes
- Intermediate Representation
- Working with Data and Conventions
- Solver Engine
- Symbolic memory addressing
- Java Support
- Symbion: Interleaving symbolic and concrete execution
- Debug variable resolution
- Variable visibility
- Extending angr
- angr examples
- Frequently Asked Questions
- Why is it named angr?
- How should “angr” be stylized?
- Why isn’t symbolic execution doing the thing I want?
- How can I get diagnostic information about what angr is doing?
- Why is angr so slow?
- How do I find bugs using angr?
- Why did you choose VEX instead of another IR (such as LLVM, REIL, BAP, etc)?
- Why are some ARM addresses off-by-one?
- How do I serialize angr objects?
- What does
UnsupportedIROpError("floating point support disabled")mean?
- Why is angr’s CFG different from IDA’s?
- Why do I get incorrect register values when reading from a state during a SimInspect breakpoint?
- API Reference
- Plugin Ecosystem
- Program State
- Memory Mixins
- Concretization Strategies
- Simulation Manager
- Exploration Techniques
- Simulation Engines
- Simulation Logging
- Calling Conventions and Types
- Knowledge Base
- Function Signature Matching
- Distributed analysis