`print(simgr)` is a good place to start, and if you see anything to do with "errored", go for `print(simgr.errored)` or `simgr.errored[n].debug()`, which opens a post-mortem debugger at the point where that state raised its error.

To see what a single state did, run `import pprint; pprint.pprint(state.history.descriptions.hardcopy)`. This will show you a high-level summary of what the symbolic execution engine did at each step along the state's history. You will be able to see from this a basic block trace and also a list of executed SimProcedures. If you're using the unicorn engine, you can check `state.history.bbl_addrs.hardcopy` to see what blocks were executed in each invocation of unicorn. `print(state.solver.constraints)` shows the constraints accumulated on the state so far. If a state has just gone past a branch, you can check the most recent branch condition with `state.history.events[-1]`.
angr uses the standard Python `logging` module for logging, with every package and submodule creating a new logger. Set the level on the logger you care about with `setLevel('DEBUG')`, or `INFO` or whatever else instead. By default, angr will enable logging at the `WARNING` level.

Each module's logger is named after its place in the package hierarchy, for example `angr.analyses.cfg`. Because of the way the Python logging module works, you can set the verbosity for all submodules in a module by setting a verbosity level for the parent module. For example, `logging.getLogger('angr.analyses').setLevel('INFO')` will make the CFG, as well as all other analyses, log at the INFO level.
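To show how that parent/child behaviour works in practice, here is an added example; it is not angr's code and does not import angr. It drives the standard `logging` module with the logger names the text mentions plus `angr.sim_manager`, which is assumed to exist under the same module-name convention, and returns the effective level of each logger and which INFO messages actually reach a handler. The second scenario shows the companion trick: a more specific level on a child silences one noisy submodule while the rest of the package stays verbose.

```python
import logging

# Logger names follow the module hierarchy the text describes
# ('angr' -> 'angr.analyses' -> 'angr.analyses.cfg').  'angr.sim_manager'
# is assumed to exist under the same convention; nothing here imports angr.
LOGGERS = ["angr", "angr.analyses", "angr.analyses.cfg", "angr.sim_manager"]


class ListHandler(logging.Handler):
    """Collects the records that survive level filtering."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append((record.name, record.levelname, record.getMessage()))


def configure(levels):
    """Apply a {logger_name: level} mapping on top of angr's default
    (WARNING on the 'angr' package logger) and return the effective level
    of every logger in LOGGERS by name.  The effective level is what the
    logging module consults: a logger with no level of its own inherits
    the level of the nearest ancestor that has one."""
    for name in LOGGERS:
        logging.getLogger(name).setLevel(logging.NOTSET)
    logging.getLogger("angr").setLevel(logging.WARNING)
    for name, level in levels.items():
        logging.getLogger(name).setLevel(level)
    return {
        name: logging.getLevelName(logging.getLogger(name).getEffectiveLevel())
        for name in LOGGERS
    }


def info_messages_that_pass():
    """Emit one INFO record from every logger in LOGGERS and return the
    names of the loggers whose record reached the handler on 'angr'."""
    handler = ListHandler()
    pkg = logging.getLogger("angr")
    pkg.addHandler(handler)  # child loggers propagate to this handler
    try:
        for name in LOGGERS:
            logging.getLogger(name).info("sample message from %s", name)
    finally:
        pkg.removeHandler(handler)
    return sorted({name for name, _, _ in handler.records})


if __name__ == "__main__":
    # Raising one parent raises every analysis beneath it ...
    print(configure({"angr.analyses": "INFO"}))
    print(info_messages_that_pass())
    # ... and a more specific setting on a child overrides the parent,
    # which is how you quiet one submodule while debugging the rest.
    print(configure({"angr": "INFO", "angr.analyses.cfg": "WARNING"}))
    print(info_messages_that_pass())
```

Note that a level only decides which records are created; they still need a handler to show up anywhere, which is why the example attaches its own handler to the `angr` logger instead of relying on whatever the environment configured.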
Finding bugs with angr can be as simple as an `avoid` condition or as complicated as implementing CMU's MAYHEM system as an Exploration Technique.

Some things, mostly in the `angr.engines.vex` package, are VEX-specific. Jumpkinds (`Ijk_Ret` for returns, `Ijk_Call` for calls, and so forth) are VEX enums. Register offsets are VEX's as well: when you access `state.regs.rax` and friends, on the backend this does `state.registers.load(16, 8)`, where the first argument is the VEX-defined offset of `rax` in the register file (libVEX's AMD64 guest state places `guest_RAX` at offset 16) and the second is the register's size in bytes.

On ARM, angr marks THUMB code by setting the lowest bit of the address, so an odd address means that the code at `address - 1` is in THUMB mode.

To serialize angr objects, use `pickle` with the highest protocol: `pickle.dumps(obj, -1)`.
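Protocol -1 is an alias for `pickle.HIGHEST_PROTOCOL`. The caveat that belongs next to that advice: loading a pickle executes whatever callables it references, so a pickle from anyone but yourself is untrusted code, not data. The added example below (my code, not angr's) checks the protocol byte, round-trips a small object, and shows how an `Unpickler.find_class` allow-list refuses a constructed payload that would otherwise call `os.system` on load. The allow-list contents and the payload are assumptions made for the demonstration.

```python
import io
import os
import pickle
from collections import OrderedDict


def dump(obj):
    """Serialise as the page recommends: protocol -1 == pickle.HIGHEST_PROTOCOL."""
    return pickle.dumps(obj, -1)


def protocol_of(data):
    """Read the version from the PROTO opcode (0x80 <version>) that every
    protocol >= 2 pickle begins with."""
    if data[:1] != b"\x80":
        raise ValueError("no PROTO opcode: this is a protocol 0 or 1 pickle")
    return data[1]


def uses_highest_protocol(data):
    return protocol_of(data) == pickle.HIGHEST_PROTOCOL


# Allow-list of globals a pickle may resolve while loading.  This set is an
# assumption for the demonstration; anything not listed (os.system,
# subprocess.Popen, builtins.eval, ...) is refused before it can run.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allow-listed globals."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Malicious:
    """Constructed payload: the pickle produced from it records a call to
    os.system that the stock pickle.loads would execute during loading."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


def roundtrip_ok():
    """Benign data survives dump + restricted load unchanged."""
    obj = OrderedDict([("bbl_addrs", [0x401000, 0x401020]), ("sat", True)])
    data = dump(obj)
    return uses_highest_protocol(data) and safe_load(data) == obj


def payload_blocked():
    """The malicious pickle is refused by the restricted loader.  The stock
    pickle.loads is deliberately never called on it."""
    data = dump(Malicious())
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("protocol:", protocol_of(dump({})))
    print("roundtrip ok:", roundtrip_ok())
    print("payload blocked:", payload_blocked())
```

Real angr objects such as projects and states reference far more classes than a short allow-list admits, so the practical rule is simpler than the restricted loader: only unpickle files you wrote yourself, and treat any other pickle as code you are about to run.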
What does `UnsupportedIROpError("floating point support disabled")` mean?

To make angr split basic blocks at addresses that other blocks jump into, so that no two blocks in the graph overlap, pass `normalize=True` to the CFG analysis.

Use `state.scratch.ins_addr` to get the address of the instruction currently being executed, for example inside a breakpoint or hook that fires in the middle of a basic block.