Core Concept

最基础的angr，原文档

To start: proj = angr.Project('/ELF_path')

We can do these things with proj :

1. Check arch: proj.arch #查看架构
2. Check entry: proj.entry #查看程序入口
3. See Name : proj.filename #查看文件名字

To Load: proj.loader

We can do these things with proj.loader

1. See Shared_objects: proj.loader.shared_objects
2. See min_addr: proj.loader.min_addr
3. see max_addr: proj.loader.max_addr
4. See main_object: proj.loader.main_object # 主要对象
5. Check the binary have an executable stack: proj.loader.main_object.execstack
6. Check this binary position-independent : proj.loader.main_object.pic

The Factory

There are a lot of classes in angr, and most of them require a project to be instantiated. Instead of making you pass around the project everywhere, we provide project.factory, which has several convenient constructors for common objects you’ll want to use frequently.

angr有很多的类，基本上每一个类都需要一个project对象来实例化。angr提供了project.factory这一个接口，可以方便供我们使用

Block block = proj.factory.block(proj.entry)

angr的基本执行对象是block，上面这行代码可以获得程序起始地址的块

What can do with block

1. To see all the instructions: block.pp()
out:	0x401670:       xor     ebp, ebp
			0x401672:       mov     r9, rdx
			0x401675:       pop     rsi
			0x401676:       mov     rdx, rsp
			0x401679:       and     rsp, 0xfffffffffffffff0
			0x40167d:       push    rax
			0x40167e:       push    rsp
			0x40167f:       lea     r8, [rip + 0x2e2a]
			0x401686:       lea     rcx, [rip + 0x2db3]
			0x40168d:       lea     rdi, [rip - 0xd4]
			0x401694:       call    qword ptr [rip + 0x205866]
2.The number of the instructions:block.instructions
3.The address of the instructions: block.instrutions_addr
out:[0x401670, 0x401672, 0x401675, 0x401676, 0x401679, 0x40167d, 0x40167e, 0x40167f, 0x401686, 0x40168d, 0x401694]

State: state = proj.factory.entry_state()

Some Examples:

Here’s another fact about angr - the Project object only represents an “initialization image” for the program. When you’re performing execution with angr, you are working with a specific object representing a simulated program state - a SimState. Let’s grab one right now!

Project只是程序的一个初始框架，真正符号执行的是一个个SimState,现在创建一个state

state = proj.factory.entry_state()
<SimState @ 0x401670>

A SimState contains a program’s memory, registers, filesystem data… any “live data” that can be changed by execution has a home in the state.

一个state包含了很多状态，比如内存、寄存器、各种可能改变的值都会存储在state里面

1. state.regs.rip # get the current instrucion pointer
out: <BV64 0x401670>
2. state.regs.rax
out: <BV64 0x1c>
3. state.mem[proj.entry].int.resolved  # interpret the memory at the entry point as a C int
out: <BV32 0x8949ed31>

About bv and bvv

bv就是BitVector，angr存储数据的形式；bvv就是BitVector Value，代表这个位向量的值

# bv -> bitvectors to represent CPU data in angr
# Note that each bitvector has a .length property describing how wide it is in bits.

1. bv = state.solver.BVV(0x1234, 32) # create a 32-bit-wide bitvector with value 0x1234
out: <BV32 0x1234>
2. state.solver.eval(bv)                # convert to Python int
out: 0x1234

存储 bitvectors 到 reg or mem

1.state.regs.rsi = state.solver.BVV(3, 64)
  state.regs.rsi
out: <BV64 0x3>

2.state.mem[0x1000].long = 4
	state.mem[0x1000].long.resolved
out:<BV64 0x4>

About mem

1.Use array[index] notation to specify an address

2.Use .<type> to specify that the memory should be interpreted as &lt;type&gt; (common values: char, short, int, long, size_t, uint8_t, uint16_t…)

From there, you can either:

 1˚ Store a value to it, either a bitvector or a Python int

 2˚ Use .resolved to get the value as a bitvector

 3˚ Use .concrete to get the value as a Python int

Simulation Managers

1. simgr = proj.factory.simulation_manager(state)
#  The constructor can take a state or a list of states.
out: <SimulationManager with 1 active>

2. simgr.step()
# 这个step会进入block的下个块，如果有分支，那么angr都会进入，后面的文章会再提及

Analyses

# ange has lots of built-in analyses
 proj.analyses.BackwardSlice        proj.analyses.CongruencyCheck      proj.analyses.reload_analyses
 proj.analyses.BinaryOptimizer      proj.analyses.DDG                  proj.analyses.StaticHooker
 proj.analyses.BinDiff              proj.analyses.DFG                  proj.analyses.VariableRecovery
 proj.analyses.BoyScout             proj.analyses.Disassembly          proj.analyses.VariableRecoveryFast
 proj.analyses.CDG                  proj.analyses.GirlScout            proj.analyses.Veritesting
 proj.analyses.CFG                  proj.analyses.Identifier           proj.analyses.VFG
 proj.analyses.CFGEmulated          proj.analyses.LoopFinder           proj.analyses.VSA_DDG
 proj.analyses.CFGFast              proj.analyses.Reassembler

for information about these methods, we should check api documention angr.analyses