API Reference#

Project#

angr.project.load_shellcode(shellcode, arch, start_offset=0, load_address=0, thumb=False, **kwargs)[source]#

Load a new project based on a snippet of assembly or bytecode.

Parameters:

shellcode – The data to load, as either a bytestring of instructions or a string of assembly text
arch – The name of the arch to use, or an archinfo class
start_offset – The offset into the data to start analysis (default 0)
load_address – The address to place the data in memory (default 0)
thumb – Whether this is ARM Thumb shellcode

class angr.project.Project(thing, default_analysis_mode=None, ignore_functions=None, use_sim_procedures=True, exclude_sim_procedures_func=None, exclude_sim_procedures_list=(), arch=None, simos=None, engine=None, load_options=None, translation_cache=True, selfmodifying_code=False, support_selfmodifying_code=None, store_function=None, load_function=None, analyses_preset=None, concrete_target=None, eager_ifunc_resolution=None, **kwargs)[source]#

Bases: object

This is the main class of the angr module. It is meant to contain a set of binaries and the relationships between them, and perform analyses on them.

Parameters:

thing – The path to the main executable object to analyze, or a CLE Loader object.
arch (Arch) –
load_options (Dict[str, Any]) –
selfmodifying_code (bool) –
support_selfmodifying_code (bool | None) –

The following parameters are optional.

Parameters:

default_analysis_mode – The mode of analysis to use by default. Defaults to ‘symbolic’.
ignore_functions – A list of function names that, when imported from shared libraries, should never be stepped into in analysis (calls will return an unconstrained value).
use_sim_procedures – Whether to replace resolved dependencies for which simprocedures are available with said simprocedures.
exclude_sim_procedures_func – A function that, when passed a function name, returns whether or not to wrap it with a simprocedure.
exclude_sim_procedures_list – A list of functions to not wrap with simprocedures.
arch – The target architecture (auto-detected otherwise).
simos – a SimOS class to use for this project.
engine – The SimEngine class to use for this project.
translation_cache (bool) – If True, cache translated basic blocks rather than re-translating them.
selfmodifying_code (bool) – Whether we aggressively support self-modifying code. When enabled, emulation will try to read code from the current state instead of the original memory, regardless of the current memory protections.
store_function – A function that defines how the Project should be stored. Default to pickling.
load_function – A function that defines how the Project should be loaded. Default to unpickling.
analyses_preset (angr.misc.PluginPreset) – The plugin preset for the analyses provider (i.e. Analyses instance).
load_options (Dict[str, Any]) –
support_selfmodifying_code (bool | None) –

Any additional keyword arguments passed will be passed onto cle.Loader.

Variables:

analyses – The available analyses.
entry – The program entrypoint.
factory – Provides access to important analysis elements such as path groups and symbolic execution results.
filename – The filename of the executable.
loader – The program loader.
storage – Dictionary of things that should be loaded/stored with the Project.

Parameters:

arch (Arch) –
load_options (Dict[str, Any]) –
selfmodifying_code (bool) –
support_selfmodifying_code (bool | None) –

arch: Arch#

analyses: AnalysesHub#

hook(addr, hook=None, length=0, kwargs=None, replace=False)[source]#

Hook a section of code with a custom function. This is used internally to provide symbolic summaries of library functions, and can be used to instrument execution or to modify control flow.

When hook is not specified, it returns a function decorator that allows easy hooking. Usage:

# Assuming proj is an instance of angr.Project, we will add a custom hook at the entry
# point of the project.
@proj.hook(proj.entry)
def my_hook(state):
    print("Welcome to execution!")

Parameters:

addr – The address to hook.
hook – A angr.project.Hook describing a procedure to run at the given address. You may also pass in a SimProcedure class or a function directly and it will be wrapped in a Hook object for you.
length – If you provide a function for the hook, this is the number of bytes that will be skipped by executing the hook by default.
kwargs – If you provide a SimProcedure for the hook, these are the keyword arguments that will be passed to the procedure’s run method eventually.
replace – Control the behavior on finding that the address is already hooked. If true, silently replace the hook. If false (default), warn and do not replace the hook. If none, warn and replace the hook.

is_hooked(addr)[source]#

Returns True if addr is hooked.

Parameters:: addr – An address.
Return type:: bool
Returns:: True if addr is hooked, False otherwise.

hooked_by(addr)[source]#

Returns the current hook for addr.

Parameters:: addr – An address.
Return type:: Optional[SimProcedure]
Returns:: None if the address is not hooked.

unhook(addr)[source]#

Remove a hook.

Parameters:: addr – The address of the hook.

hook_symbol(symbol_name, simproc, kwargs=None, replace=None)[source]#

Resolve a dependency in a binary. Looks up the address of the given symbol, and then hooks that address. If the symbol was not available in the loaded libraries, this address may be provided by the CLE externs object.

Additionally, if instead of a symbol name you provide an address, some secret functionality will kick in and you will probably just hook that address, UNLESS you’re on powerpc64 ABIv1 or some yet-unknown scary ABI that has its function pointers point to something other than the actual functions, in which case it’ll do the right thing.

Parameters:

symbol_name – The name of the dependency to resolve.
simproc – The SimProcedure instance (or function) with which to hook the symbol
kwargs – If you provide a SimProcedure for the hook, these are the keyword arguments that will be passed to the procedure’s run method eventually.
replace – Control the behavior on finding that the address is already hooked. If true, silently replace the hook. If false, warn and do not replace the hook. If none (default), warn and replace the hook.

Returns:

The address of the new symbol.

Return type:

int

symbol_hooked_by(symbol_name)[source]#

Return the SimProcedure, if it exists, for the given symbol name.

Parameters:: symbol_name (str) – Name of the symbol.
Return type:: Optional[SimProcedure]
Returns:: None if the address is not hooked.

is_symbol_hooked(symbol_name)[source]#

Check if a symbol is already hooked.

Parameters:: symbol_name (str) – Name of the symbol.
Returns:: True if the symbol can be resolved and is hooked, False otherwise.
Return type:: bool

unhook_symbol(symbol_name)[source]#: Remove the hook on a symbol. This function will fail if the symbol is provided by the extern object, as that would result in a state where analysis would be unable to cope with a call to this symbol.

rehook_symbol(new_address, symbol_name, stubs_on_sync)[source]#: Move the hook for a symbol to a specific address :type new_address: :param new_address: the new address that will trigger the SimProc execution :type symbol_name: :param symbol_name: the name of the symbol (f.i. strcmp ) :return: None

execute(*args, **kwargs)[source]#

This function is a symbolic execution helper in the simple style supported by triton and manticore. It designed to be run after setting up hooks (see Project.hook), in which the symbolic state can be checked.

This function can be run in three different ways:

When run with no parameters, this function begins symbolic execution from the entrypoint.

It can also be run with a “state” parameter specifying a SimState to begin symbolic execution from.

Finally, it can accept any arbitrary keyword arguments, which are all passed to project.factory.full_init_state.

If symbolic execution finishes, this function returns the resulting simulation manager.

terminate_execution()[source]#: Terminates a symbolic execution that was started with Project.execute().

class angr.factory.AngrObjectFactory(project, default_engine=None)[source]#

Bases: object

This factory provides access to important analysis elements.

snippet(addr, jumpkind=None, **block_opts)[source]#

successors(*args, engine=None, **kwargs)[source]#

Perform execution using an engine. Generally, return a SimSuccessors object classifying the results of the run.

Parameters:

state – The state to analyze
engine – The engine to use. If not provided, will use the project default.
addr – optional, an address to execute at instead of the state’s ip
jumpkind – optional, the jumpkind of the previous exit
inline – This is an inline execution. Do not bother copying the state.

Additional keyword arguments will be passed directly into each engine’s process method.

blank_state(**kwargs)[source]#

Returns a mostly-uninitialized state object. All parameters are optional.

Parameters:

addr – The address the state should start at instead of the entry point.
initial_prefix – If this is provided, all symbolic registers will hold symbolic values with names prefixed by this string.
fs – A dictionary of file names with associated preset SimFile objects.
concrete_fs – bool describing whether the host filesystem should be consulted when opening files.
chroot – A path to use as a fake root directory, Behaves similarly to a real chroot. Used only when concrete_fs is set to True.
kwargs – Any additional keyword args will be passed to the SimState constructor.

Returns:

The blank state.

Return type:

SimState

entry_state(**kwargs)[source]#

Returns a state object representing the program at its entry point. All parameters are optional.

Parameters:

addr – The address the state should start at instead of the entry point.
initial_prefix – If this is provided, all symbolic registers will hold symbolic values with names prefixed by this string.
fs – a dictionary of file names with associated preset SimFile objects.
concrete_fs – boolean describing whether the host filesystem should be consulted when opening files.
chroot – a path to use as a fake root directory, behaves similar to a real chroot. used only when concrete_fs is set to True.
argc – a custom value to use for the program’s argc. May be either an int or a bitvector. If not provided, defaults to the length of args.
args – a list of values to use as the program’s argv. May be mixed strings and bitvectors.
env – a dictionary to use as the environment for the program. Both keys and values may be mixed strings and bitvectors.

Returns:

The entry state.

Return type:

SimState

full_init_state(**kwargs)[source]#

Very much like entry_state(), except that instead of starting execution at the program entry point, execution begins at a special SimProcedure that plays the role of the dynamic loader, calling each of the initializer functions that should be called before execution reaches the entry point.

It can take any of the arguments that can be provided to entry_state, except for addr.

call_state(addr, *args, **kwargs)[source]#

Returns a state object initialized to the start of a given function, as if it were called with given parameters.

Parameters:

addr – The address the state should start at instead of the entry point.
args – Any additional positional arguments will be used as arguments to the function call.

The following parameters are optional.

Parameters:

base_state – Use this SimState as the base for the new state instead of a blank state.
cc – Optionally provide a SimCC object to use a specific calling convention.
ret_addr – Use this address as the function’s return target.
stack_base – An optional pointer to use as the top of the stack, circa the function entry point
alloc_base – An optional pointer to use as the place to put excess argument data
grow_like_stack – When allocating data at alloc_base, whether to allocate at decreasing addresses
toc – The address of the table of contents for ppc64
initial_prefix – If this is provided, all symbolic registers will hold symbolic values with names prefixed by this string.
fs – A dictionary of file names with associated preset SimFile objects.
concrete_fs – bool describing whether the host filesystem should be consulted when opening files.
chroot – A path to use as a fake root directory, Behaves similarly to a real chroot. Used only when concrete_fs is set to True.
kwargs – Any additional keyword args will be passed to the SimState constructor.

Returns:

The state at the beginning of the function.

Return type:

SimState

The idea here is that you can provide almost any kind of python type in args and it’ll be translated to a binary format to be placed into simulated memory. Lists (representing arrays) must be entirely elements of the same type and size, while tuples (representing structs) can be elements of any type and size. If you’d like there to be a pointer to a given value, wrap the value in a SimCC.PointerWrapper. Any value that can’t fit in a register will be automatically put in a PointerWrapper.

If stack_base is not provided, the current stack pointer will be used, and it will be updated. If alloc_base is not provided, the current stack pointer will be used, and it will be updated. You might not like the results if you provide stack_base but not alloc_base.

grow_like_stack controls the behavior of allocating data at alloc_base. When data from args needs to be wrapped in a pointer, the pointer needs to point somewhere, so that data is dumped into memory at alloc_base. If you set alloc_base to point to somewhere other than the stack, set grow_like_stack to False so that sequencial allocations happen at increasing addresses.

simulation_manager(thing=None, **kwargs)[source]#

Constructs a new simulation manager.

Parameters:

thing (Union[List[SimState], SimState, None]) – What to put in the new SimulationManager’s active stash (either a SimState or a list of SimStates).
kwargs – Any additional keyword arguments will be passed to the SimulationManager constructor

Returns:

The new SimulationManager

Return type:

angr.sim_manager.SimulationManager

Many different types can be passed to this method:

If nothing is passed in, the SimulationManager is seeded with a state initialized for the program entry point, i.e. entry_state().
If a SimState is passed in, the SimulationManager is seeded with that state.
If a list is passed in, the list must contain only SimStates and the whole list will be used to seed the SimulationManager.

simgr(*args, **kwargs)[source]#: Alias for simulation_manager to save our poor fingers

callable(addr, prototype=None, concrete_only=False, perform_merge=True, base_state=None, toc=None, cc=None)[source]#

A Callable is a representation of a function in the binary that can be interacted with like a native python function.

Parameters:

addr – The address of the function to use
prototype – The prototype of the call to use, as a string or a SimTypeFunction
concrete_only – Throw an exception if the execution splits into multiple states
perform_merge – Merge all result states into one at the end (only relevant if concrete_only=False)
base_state – The state from which to do these runs
toc – The address of the table of contents for ppc64
cc – The SimCC to use for a calling convention

Returns:

A Callable object that can be used as a interface for executing guest code like a python function.

Return type:

angr.callable.Callable

cc()[source]#

Return a SimCC (calling convention) parametrized for this project.

Relevant subclasses of SimFunctionArgument are SimRegArg and SimStackArg, and shortcuts to them can be found on this cc object.

For stack arguments, offsets are relative to the stack pointer on function entry.

block(addr, size=None, max_size=None, byte_string=None, vex=None, thumb=False, backup_state=None, extra_stop_points=None, opt_level=None, num_inst=None, traceflags=0, insn_bytes=None, insn_text=None, strict_block_end=None, collect_data_refs=False, cross_insn_opt=True, load_from_ro_regions=False, initial_regs=None)[source]#

fresh_block(addr, size, backup_state=None)[source]#

class angr.block.DisassemblerBlock(addr, insns, thumb, arch)[source]#

Bases: object

Helper class to represent a block of dissassembled target architecture instructions

addr#

insns#

thumb#

arch#

pp()[source]#

class angr.block.DisassemblerInsn[source]#

Bases: object

Helper class to represent a disassembled target architecture instruction

property size: int#

property address: int#

property mnemonic: str#

property op_str: str#

class angr.block.CapstoneBlock(addr, insns, thumb, arch)[source]#

Bases: DisassemblerBlock

Deep copy of the capstone blocks, which have serious issues with having extended lifespans outside of capstone itself

addr#

arch#

insns#

pp()#

thumb#

class angr.block.CapstoneInsn(capstone_insn)[source]#

Bases: DisassemblerInsn

Represents a capstone instruction.

insn#

property size: int#

property address: int#

property mnemonic: str#

property op_str: str#

class angr.block.Block(addr, project=None, arch=None, size=None, byte_string=None, vex=None, thumb=False, backup_state=None, extra_stop_points=None, opt_level=None, num_inst=None, traceflags=0, strict_block_end=None, collect_data_refs=False, cross_insn_opt=True, load_from_ro_regions=False, initial_regs=None)[source]#

Bases: Serializable

Represents a basic block in a binary or a program.

BLOCK_MAX_SIZE = 4096#

arch#

thumb#

addr#

size#

pp(**kwargs)[source]#

set_initial_regs()[source]#

static reset_initial_regs()[source]#

property vex: IRSB#

property vex_nostmt#

property disassembly: DisassemblerBlock#: Provide a disassembly object using whatever disassembler is available

property capstone#

property codenode#

property bytes#

property instructions#

property instruction_addrs#

serialize_to_cmessage()[source]#

Serialize the class object and returns a protobuf cmessage object.

Returns:: A protobuf cmessage object.
Return type:: protobuf.cmessage

classmethod parse_from_cmessage(cmsg)[source]#

Parse a protobuf cmessage and create a class object.

Parameters:: cmsg – The probobuf cmessage object.
Returns:: A unserialized class object.
Return type:: cls

classmethod parse(s, **kwargs)#

Parse a bytes object and create a class object.

Parameters:: s (bytes) – A bytes object.
Returns:: A class object.
Return type:: cls

serialize()#

Serialize the class object and returns a bytes object.

Returns:: A bytes object.
Return type:: bytes

class angr.block.SootBlock(addr, project=None, arch=None)[source]#

Bases: object

Represents a Soot IR basic block.

property soot#

property size#

property codenode#

Plugin Ecosystem#

class angr.misc.plugins.PluginHub[source]#

Bases: object

A plugin hub is an object which contains many plugins, as well as the notion of a “preset”, or a backer that can provide default implementations of plugins which cater to a certain circumstance.

Objects in angr like the SimState, the Analyses hub, the SimEngine selector, etc all use this model to unify their mechanisms for automatically collecting and selecting components to use. If you’re familiar with design patterns this is a configurable Strategy Pattern.

Each PluginHub subclass should have a corresponding Plugin subclass, and perhaps a PluginPreset subclass if it wants its presets to be able to specify anything more interesting than a list of defaults.

classmethod register_default(name, plugin_cls, preset='default')[source]#

classmethod register_preset(name, preset)[source]#: Register a preset instance with the class of the hub it corresponds to. This allows individual plugin objects to automatically register themselves with a preset by using a classmethod of their own with only the name of the preset to register with.

property plugin_preset#: Get the current active plugin preset

property has_plugin_preset: bool#: Check whether or not there is a plugin preset in use on this hub right now

use_plugin_preset(preset)[source]#

Apply a preset to the hub. If there was a previously active preset, discard it.

Preset can be either the string name of a preset or a PluginPreset instance.

discard_plugin_preset()[source]#: Discard the current active preset. Will release any active plugins that could have come from the old preset.

get_plugin(name)[source]#

Get the plugin named name. If no such plugin is currently active, try to activate a new one using the current preset.

Return type:: SimStatePlugin
Parameters:: name (str) –

has_plugin(name)[source]#: Return whether or not a plugin with the name name is currently active.

register_plugin(name, plugin)[source]#

Add a new plugin plugin with name name to the active plugins.

Parameters:: name (str) –

release_plugin(name)[source]#: Deactivate and remove the plugin with name name.

class angr.misc.plugins.PluginPreset[source]#

Bases: object

A plugin preset object contains a mapping from name to a plugin class. A preset can be active on a hub, which will cause it to handle requests for plugins which are not already present on the hub.

Unlike Plugins and PluginHubs, instances of PluginPresets are defined on the module level for individual presets. You should register the preset instance with a hub to allow plugins to easily add themselves to the preset without an explicit reference to the preset itself.

activate(hub)[source]#: This method is called when the preset becomes active on a hub.

deactivate(hub)[source]#: This method is called when the preset is discarded from the hub.

add_default_plugin(name, plugin_cls)[source]#: Add a plugin to the preset.

list_default_plugins()[source]#: Return a list of the names of available default plugins.

request_plugin(name)[source]#

Return the plugin class which is registered under the name name, or raise NoPlugin if the name isn’t available.

Return type:: Type[SimStatePlugin]
Parameters:: name (str) –

copy()[source]#: Return a copy of self.

class angr.misc.plugins.PluginVendor[source]#

Bases: PluginHub

A specialized hub which serves only as a plugin vendor, never having any “active” plugins. It will directly return the plugins provided by the preset instead of instanciating them.

release_plugin(name)[source]#: Deactivate and remove the plugin with name name.

register_plugin(name, plugin)[source]#: Add a new plugin plugin with name name to the active plugins.

discard_plugin_preset()#: Discard the current active preset. Will release any active plugins that could have come from the old preset.

get_plugin(name)#

Get the plugin named name. If no such plugin is currently active, try to activate a new one using the current preset.

Return type:: SimStatePlugin
Parameters:: name (str) –

has_plugin(name)#: Return whether or not a plugin with the name name is currently active.

property has_plugin_preset: bool#: Check whether or not there is a plugin preset in use on this hub right now

property plugin_preset#: Get the current active plugin preset

classmethod register_default(name, plugin_cls, preset='default')#

classmethod register_preset(name, preset)#: Register a preset instance with the class of the hub it corresponds to. This allows individual plugin objects to automatically register themselves with a preset by using a classmethod of their own with only the name of the preset to register with.

use_plugin_preset(preset)#

Apply a preset to the hub. If there was a previously active preset, discard it.

Preset can be either the string name of a preset or a PluginPreset instance.

class angr.misc.plugins.VendorPreset[source]#

Bases: PluginPreset

A specialized preset class for use with the PluginVendor.

activate(hub)#: This method is called when the preset becomes active on a hub.

add_default_plugin(name, plugin_cls)#: Add a plugin to the preset.

copy()#: Return a copy of self.

deactivate(hub)#: This method is called when the preset is discarded from the hub.

list_default_plugins()#: Return a list of the names of available default plugins.

request_plugin(name)#

Return the plugin class which is registered under the name name, or raise NoPlugin if the name isn’t available.

Return type:: Type[SimStatePlugin]
Parameters:: name (str) –

Program State#

angr.sim_state.arch_overrideable(f)[source]#

class angr.sim_state.SimState(project=None, arch=None, plugins=None, mode=None, options=None, add_options=None, remove_options=None, special_memory_filler=None, os_name=None, plugin_preset='default', cle_memory_backer=None, dict_memory_backer=None, permissions_map=None, default_permissions=3, stack_perms=None, stack_end=None, stack_size=None, regioned_memory_cls=None, **kwargs)[source]#

Bases: PluginHub

The SimState represents the state of a program, including its memory, registers, and so forth.

Parameters:

project (angr.Project) – The project instance.
arch (archinfo.Arch|str) – The architecture of the state.

Variables:

regs – A convenient view of the state’s registers, where each register is a property
mem – A convenient view of the state’s memory, a angr.state_plugins.view.SimMemView
registers – The state’s register file as a flat memory region
memory – The state’s memory as a flat memory region
solver – The symbolic solver and variable manager for this state
inspect – The breakpoint manager, a angr.state_plugins.inspect.SimInspector
log – Information about the state’s history
scratch – Information about the current execution step
posix – MISNOMER: information about the operating system or environment model
fs – The current state of the simulated filesystem
libc – Information about the standard library we are emulating
cgc – Information about the cgc environment
uc_manager – Control of under-constrained symbolic execution
unicorn – Control of the Unicorn Engine

solver: SimSolver#

posix: SimSystemPosix#

registers: MemoryMixin#

regs: SimRegNameView#

memory: MemoryMixin#

callstack: CallStack#

mem: SimMemView#

history: SimStateHistory#

inspect: SimInspector#

jni_references: SimStateJNIReferences#

scratch: SimStateScratch#

property plugins#

property se#: Deprecated alias for solver

property ip#

Get the instruction pointer expression, trigger SimInspect breakpoints, and generate SimActions. Use _ip to not trigger breakpoints or generate actions.

Returns:: an expression

property addr#

Get the concrete address of the instruction pointer, without triggering SimInspect breakpoints or generating SimActions. An integer is returned, or an exception is raised if the instruction pointer is symbolic.

Returns:: an int

property arch: Arch#

T = ~T#

get_plugin(name)[source]#: Get the plugin named name. If no such plugin is currently active, try to activate a new one using the current preset.

has_plugin(name)[source]#: Return whether or not a plugin with the name name is currently active.

register_plugin(name, plugin, inhibit_init=False)[source]#: Add a new plugin plugin with name name to the active plugins.

property javavm_memory#

In case of an JavaVM with JNI support, a state can store the memory plugin twice; one for the native and one for the java view of the state.

Returns:: The JavaVM view of the memory plugin.

property javavm_registers#

In case of an JavaVM with JNI support, a state can store the registers plugin twice; one for the native and one for the java view of the state.

Returns:: The JavaVM view of the registers plugin.

simplify(*args)[source]#: Simplify this state’s constraints.

add_constraints(*args, **kwargs)[source]#

Add some constraints to the state.

You may pass in any number of symbolic booleans as variadic positional arguments.

satisfiable(**kwargs)[source]#: Whether the state’s constraints are satisfiable

downsize()[source]#: Clean up after the solver engine. Calling this when a state no longer needs to be solved on will reduce memory usage.

step(**kwargs)[source]#

Perform a step of symbolic execution using this state. Any arguments to AngrObjectFactory.successors can be passed to this.

Returns:: A SimSuccessors object categorizing the results of the step.

block(*args, **kwargs)[source]#

Represent the basic block at this state’s instruction pointer. Any arguments to AngrObjectFactory.block can ba passed to this.

Returns:: A Block object describing the basic block of code at this point.

copy()[source]#: Returns a copy of the state.

merge(*others, **kwargs)[source]#

Merges this state with the other states. Returns the merging result, merged state, and the merge flag.

Parameters:

states – the states to merge
merge_conditions – a tuple of the conditions under which each state holds
common_ancestor – a state that represents the common history between the states being merged. Usually it is only available when EFFICIENT_STATE_MERGING is enabled, otherwise weak-refed states might be dropped from state history instances.
plugin_whitelist – a list of plugin names that will be merged. If this option is given and is not None, any plugin that is not inside this list will not be merged, and will be created as a fresh instance in the new state.
common_ancestor_history – a SimStateHistory instance that represents the common history between the states being merged. This is to allow optimal state merging when EFFICIENT_STATE_MERGING is disabled.

Returns:

(merged state, merge flag, a bool indicating if any merging occurred)

widen(*others)[source]#: Perform a widening between self and other states :type others: :param others: :return:

reg_concrete(*args, **kwargs)[source]#: Returns the contents of a register but, if that register is symbolic, raises a SimValueError.

mem_concrete(*args, **kwargs)[source]#: Returns the contents of a memory but, if the contents are symbolic, raises a SimValueError.

stack_push(thing)[source]#: Push ‘thing’ to the stack, writing the thing to memory and adjusting the stack pointer.

stack_pop()[source]#: Pops from the stack and returns the popped thing. The length will be the architecture word size.

stack_read(offset, length, bp=False)[source]#

Reads length bytes, at an offset into the stack.

Parameters:

offset – The offset from the stack pointer.
length – The number of bytes to read.
bp – If True, offset from the BP instead of the SP. Default: False.

make_concrete_int(expr)[source]#

prepare_callsite(retval, args, cc='wtf')[source]#

dbg_print_stack(depth=None, sp=None)[source]#: Only used for debugging purposes. Return the current stack info in formatted string. If depth is None, the current stack frame (from sp to bp) will be printed out.

set_mode(mode)[source]#

property thumb#

property with_condition#

discard_plugin_preset()#: Discard the current active preset. Will release any active plugins that could have come from the old preset.

property has_plugin_preset: bool#: Check whether or not there is a plugin preset in use on this hub right now

property plugin_preset#: Get the current active plugin preset

classmethod register_default(name, plugin_cls, preset='default')#

classmethod register_preset(name, preset)#: Register a preset instance with the class of the hub it corresponds to. This allows individual plugin objects to automatically register themselves with a preset by using a classmethod of their own with only the name of the preset to register with.

release_plugin(name)#: Deactivate and remove the plugin with name name.

use_plugin_preset(preset)#

Apply a preset to the hub. If there was a previously active preset, discard it.

Preset can be either the string name of a preset or a PluginPreset instance.

class angr.sim_state_options.StateOption(name, types, default='_NO_DEFAULT_VALUE', description=None)[source]#

Bases: object

Describes a state option.

name#

types#

default#

description#

property has_default_value#

one_type()[source]#

class angr.sim_state_options.SimStateOptions(thing)[source]#

Bases: object

A per-state manager of state options. An option can be either a key-valued entry or a Boolean switch (which can be seen as a key-valued entry whose value can only be either True or False).

OPTIONS = {'ABSTRACT_MEMORY': <O ABSTRACT_MEMORY[bool]>, 'ABSTRACT_SOLVER': <O ABSTRACT_SOLVER[bool]>, 'ACTION_DEPS': <O ACTION_DEPS[bool]>, 'ADD_AUTO_REFS': <O ADD_AUTO_REFS[bool]>, 'ALLOW_SEND_FAILURES': <O ALLOW_SEND_FAILURES[bool]>, 'ALL_FILES_EXIST': <O ALL_FILES_EXIST[bool]>, 'APPROXIMATE_FIRST': <O APPROXIMATE_FIRST[bool]>, 'APPROXIMATE_GUARDS': <O APPROXIMATE_GUARDS[bool]>, 'APPROXIMATE_MEMORY_INDICES': <O APPROXIMATE_MEMORY_INDICES[bool]>, 'APPROXIMATE_MEMORY_SIZES': <O APPROXIMATE_MEMORY_SIZES[bool]>, 'APPROXIMATE_SATISFIABILITY': <O APPROXIMATE_SATISFIABILITY[bool]>, 'AST_DEPS': <O AST_DEPS[bool]>, 'AUTO_REFS': <O AUTO_REFS[bool]>, 'AVOID_MULTIVALUED_READS': <O AVOID_MULTIVALUED_READS[bool]>, 'AVOID_MULTIVALUED_WRITES': <O AVOID_MULTIVALUED_WRITES[bool]>, 'BEST_EFFORT_MEMORY_STORING': <O BEST_EFFORT_MEMORY_STORING[bool]>, 'BYPASS_ERRORED_IRCCALL': <O BYPASS_ERRORED_IRCCALL[bool]>, 'BYPASS_ERRORED_IROP': <O BYPASS_ERRORED_IROP[bool]>, 'BYPASS_ERRORED_IRSTMT': <O BYPASS_ERRORED_IRSTMT[bool]>, 'BYPASS_UNSUPPORTED_IRCCALL': <O BYPASS_UNSUPPORTED_IRCCALL[bool]>, 'BYPASS_UNSUPPORTED_IRDIRTY': <O BYPASS_UNSUPPORTED_IRDIRTY[bool]>, 'BYPASS_UNSUPPORTED_IREXPR': <O BYPASS_UNSUPPORTED_IREXPR[bool]>, 'BYPASS_UNSUPPORTED_IROP': <O BYPASS_UNSUPPORTED_IROP[bool]>, 'BYPASS_UNSUPPORTED_IRSTMT': <O BYPASS_UNSUPPORTED_IRSTMT[bool]>, 'BYPASS_UNSUPPORTED_SYSCALL': <O BYPASS_UNSUPPORTED_SYSCALL[bool]>, 'BYPASS_VERITESTING_EXCEPTIONS': <O BYPASS_VERITESTING_EXCEPTIONS[bool]>, 'CACHELESS_SOLVER': <O CACHELESS_SOLVER[bool]>, 'CALLLESS': <O CALLLESS[bool]>, 'CGC_ENFORCE_FD': <O CGC_ENFORCE_FD[bool]>, 'CGC_NON_BLOCKING_FDS': <O CGC_NON_BLOCKING_FDS[bool]>, 'CGC_NO_SYMBOLIC_RECEIVE_LENGTH': <O CGC_NO_SYMBOLIC_RECEIVE_LENGTH[bool]>, 'COMPOSITE_SOLVER': <O COMPOSITE_SOLVER[bool]>, 'CONCRETIZE': <O CONCRETIZE[bool]>, 'CONCRETIZE_SYMBOLIC_FILE_READ_SIZES': <O CONCRETIZE_SYMBOLIC_FILE_READ_SIZES[bool]>, 'CONCRETIZE_SYMBOLIC_WRITE_SIZES': <O CONCRETIZE_SYMBOLIC_WRITE_SIZES[bool]>, 'CONSERVATIVE_READ_STRATEGY': <O CONSERVATIVE_READ_STRATEGY[bool]>, 'CONSERVATIVE_WRITE_STRATEGY': <O CONSERVATIVE_WRITE_STRATEGY[bool]>, 'CONSTRAINT_TRACKING_IN_SOLVER': <O CONSTRAINT_TRACKING_IN_SOLVER[bool]>, 'COPY_STATES': <O COPY_STATES[bool]>, 'CPUID_SYMBOLIC': <O CPUID_SYMBOLIC[bool]>, 'DOWNSIZE_Z3': <O DOWNSIZE_Z3[bool]>, 'DO_CCALLS': <O DO_CCALLS[bool]>, 'DO_RET_EMULATION': <O DO_RET_EMULATION[bool]>, 'EFFICIENT_STATE_MERGING': <O EFFICIENT_STATE_MERGING[bool]>, 'ENABLE_NX': <O ENABLE_NX[bool]>, 'EXCEPTION_HANDLING': <O EXCEPTION_HANDLING[bool]>, 'EXTENDED_IROP_SUPPORT': <O EXTENDED_IROP_SUPPORT[bool]>, 'FAST_MEMORY': <O FAST_MEMORY[bool]>, 'FAST_REGISTERS': <O FAST_REGISTERS[bool]>, 'FILES_HAVE_EOF': <O FILES_HAVE_EOF[bool]>, 'HYBRID_SOLVER': <O HYBRID_SOLVER[bool]>, 'JAVA_IDENTIFY_GETTER_SETTER': <O JAVA_IDENTIFY_GETTER_SETTER[bool]>, 'JAVA_TRACK_ATTRIBUTES': <O JAVA_TRACK_ATTRIBUTES[bool]>, 'KEEP_IP_SYMBOLIC': <O KEEP_IP_SYMBOLIC[bool]>, 'KEEP_MEMORY_READS_DISCRETE': <O KEEP_MEMORY_READS_DISCRETE[bool]>, 'LAZY_SOLVES': <O LAZY_SOLVES[bool]>, 'MEMORY_CHUNK_INDIVIDUAL_READS': <O MEMORY_CHUNK_INDIVIDUAL_READS[bool]>, 'MEMORY_FIND_STRICT_SIZE_LIMIT': <O MEMORY_FIND_STRICT_SIZE_LIMIT[bool]>, 'MEMORY_SYMBOLIC_BYTES_MAP': <O MEMORY_SYMBOLIC_BYTES_MAP[bool]>, 'NO_CROSS_INSN_OPT': <O NO_CROSS_INSN_OPT[bool]>, 'NO_IP_CONCRETIZATION': <O NO_IP_CONCRETIZATION[bool]>, 'NO_SYMBOLIC_JUMP_RESOLUTION': <O NO_SYMBOLIC_JUMP_RESOLUTION[bool]>, 'NO_SYMBOLIC_SYSCALL_RESOLUTION': <O NO_SYMBOLIC_SYSCALL_RESOLUTION[bool]>, 'OPTIMIZE_IR': <O OPTIMIZE_IR[bool]>, 'PRODUCE_ZERODIV_SUCCESSORS': <O PRODUCE_ZERODIV_SUCCESSORS[bool]>, 'REGION_MAPPING': <O REGION_MAPPING[bool]>, 'REPLACEMENT_SOLVER': <O REPLACEMENT_SOLVER[bool]>, 'REVERSE_MEMORY_HASH_MAP': <O REVERSE_MEMORY_HASH_MAP[bool]>, 'REVERSE_MEMORY_NAME_MAP': <O REVERSE_MEMORY_NAME_MAP[bool]>, 'SHORT_READS': <O SHORT_READS[bool]>, 'SIMPLIFY_CONSTRAINTS': <O SIMPLIFY_CONSTRAINTS[bool]>, 'SIMPLIFY_EXIT_GUARD': <O SIMPLIFY_EXIT_GUARD[bool]>, 'SIMPLIFY_EXIT_STATE': <O SIMPLIFY_EXIT_STATE[bool]>, 'SIMPLIFY_EXIT_TARGET': <O SIMPLIFY_EXIT_TARGET[bool]>, 'SIMPLIFY_EXPRS': <O SIMPLIFY_EXPRS[bool]>, 'SIMPLIFY_MEMORY_READS': <O SIMPLIFY_MEMORY_READS[bool]>, 'SIMPLIFY_MEMORY_WRITES': <O SIMPLIFY_MEMORY_WRITES[bool]>, 'SIMPLIFY_MERGED_CONSTRAINTS': <O SIMPLIFY_MERGED_CONSTRAINTS[bool]>, 'SIMPLIFY_REGISTER_READS': <O SIMPLIFY_REGISTER_READS[bool]>, 'SIMPLIFY_REGISTER_WRITES': <O SIMPLIFY_REGISTER_WRITES[bool]>, 'SIMPLIFY_RETS': <O SIMPLIFY_RETS[bool]>, 'SPECIAL_MEMORY_FILL': <O SPECIAL_MEMORY_FILL[bool]>, 'STRICT_PAGE_ACCESS': <O STRICT_PAGE_ACCESS[bool]>, 'STRINGS_ANALYSIS': <O STRINGS_ANALYSIS[bool]>, 'SUPER_FASTPATH': <O SUPER_FASTPATH[bool]>, 'SUPPORT_FLOATING_POINT': <O SUPPORT_FLOATING_POINT[bool]>, 'SYMBION_KEEP_STUBS_ON_SYNC': <O SYMBION_KEEP_STUBS_ON_SYNC[bool]>, 'SYMBION_SYNC_CLE': <O SYMBION_SYNC_CLE[bool]>, 'SYMBOLIC': <O SYMBOLIC[bool]>, 'SYMBOLIC_INITIAL_VALUES': <O SYMBOLIC_INITIAL_VALUES[bool]>, 'SYMBOLIC_MEMORY_NO_SINGLEVALUE_OPTIMIZATIONS': <O SYMBOLIC_MEMORY_NO_SINGLEVALUE_OPTIMIZATIONS[bool]>, 'SYMBOLIC_TEMPS': <O SYMBOLIC_TEMPS[bool]>, 'SYMBOLIC_WRITE_ADDRESSES': <O SYMBOLIC_WRITE_ADDRESSES[bool]>, 'SYMBOL_FILL_UNCONSTRAINED_MEMORY': <O SYMBOL_FILL_UNCONSTRAINED_MEMORY[bool]>, 'SYMBOL_FILL_UNCONSTRAINED_REGISTERS': <O SYMBOL_FILL_UNCONSTRAINED_REGISTERS[bool]>, 'SYNC_CLE_BACKEND_CONCRETE': <O SYNC_CLE_BACKEND_CONCRETE[bool]>, 'TRACK_ACTION_HISTORY': <O TRACK_ACTION_HISTORY[bool]>, 'TRACK_CONSTRAINTS': <O TRACK_CONSTRAINTS[bool]>, 'TRACK_CONSTRAINT_ACTIONS': <O TRACK_CONSTRAINT_ACTIONS[bool]>, 'TRACK_JMP_ACTIONS': <O TRACK_JMP_ACTIONS[bool]>, 'TRACK_MEMORY_ACTIONS': <O TRACK_MEMORY_ACTIONS[bool]>, 'TRACK_MEMORY_MAPPING': <O TRACK_MEMORY_MAPPING[bool]>, 'TRACK_OP_ACTIONS': <O TRACK_OP_ACTIONS[bool]>, 'TRACK_REGISTER_ACTIONS': <O TRACK_REGISTER_ACTIONS[bool]>, 'TRACK_SOLVER_VARIABLES': <O TRACK_SOLVER_VARIABLES[bool]>, 'TRACK_TMP_ACTIONS': <O TRACK_TMP_ACTIONS[bool]>, 'TRUE_RET_EMULATION_GUARD': <O TRUE_RET_EMULATION_GUARD[bool]>, 'UNDER_CONSTRAINED_SYMEXEC': <O UNDER_CONSTRAINED_SYMEXEC[bool]>, 'UNICORN': <O UNICORN[bool]>, 'UNICORN_AGGRESSIVE_CONCRETIZATION': <O UNICORN_AGGRESSIVE_CONCRETIZATION[bool]>, 'UNICORN_HANDLE_CGC_RANDOM_SYSCALL': <O UNICORN_HANDLE_CGC_RANDOM_SYSCALL[bool]>, 'UNICORN_HANDLE_CGC_RECEIVE_SYSCALL': <O UNICORN_HANDLE_CGC_RECEIVE_SYSCALL[bool]>, 'UNICORN_HANDLE_CGC_TRANSMIT_SYSCALL': <O UNICORN_HANDLE_CGC_TRANSMIT_SYSCALL[bool]>, 'UNICORN_HANDLE_SYMBOLIC_ADDRESSES': <O UNICORN_HANDLE_SYMBOLIC_ADDRESSES[bool]>, 'UNICORN_HANDLE_SYMBOLIC_CONDITIONS': <O UNICORN_HANDLE_SYMBOLIC_CONDITIONS[bool]>, 'UNICORN_HANDLE_SYMBOLIC_SYSCALLS': <O UNICORN_HANDLE_SYMBOLIC_SYSCALLS[bool]>, 'UNICORN_SYM_REGS_SUPPORT': <O UNICORN_SYM_REGS_SUPPORT[bool]>, 'UNICORN_THRESHOLD_CONCRETIZATION': <O UNICORN_THRESHOLD_CONCRETIZATION[bool]>, 'UNICORN_TRACK_BBL_ADDRS': <O UNICORN_TRACK_BBL_ADDRS[bool]>, 'UNICORN_TRACK_STACK_POINTERS': <O UNICORN_TRACK_STACK_POINTERS[bool]>, 'UNICORN_ZEROPAGE_GUARD': <O UNICORN_ZEROPAGE_GUARD[bool]>, 'UNINITIALIZED_ACCESS_AWARENESS': <O UNINITIALIZED_ACCESS_AWARENESS[bool]>, 'UNSUPPORTED_BYPASS_ZERO_DEFAULT': <O UNSUPPORTED_BYPASS_ZERO_DEFAULT[bool]>, 'UNSUPPORTED_FORCE_CONCRETIZE': <O UNSUPPORTED_FORCE_CONCRETIZE[bool]>, 'USE_SIMPLIFIED_CCALLS': <O USE_SIMPLIFIED_CCALLS[bool]>, 'USE_SYSTEM_TIMES': <O USE_SYSTEM_TIMES[bool]>, 'VALIDATE_APPROXIMATIONS': <O VALIDATE_APPROXIMATIONS[bool]>, 'ZERO_FILL_UNCONSTRAINED_MEMORY': <O ZERO_FILL_UNCONSTRAINED_MEMORY[bool]>, 'ZERO_FILL_UNCONSTRAINED_REGISTERS': <O ZERO_FILL_UNCONSTRAINED_REGISTERS[bool]>, 'jumptable_symbolic_ip_max_targets': <O jumptable_symbolic_ip_max_targets[int]: The maximum number of concrete addresses a symbolic instruction pointer can be concretized to if it is part of a jump table.>, 'symbolic_ip_max_targets': <O symbolic_ip_max_targets[int]: The maximum number of concrete addresses a symbolic instruction pointer can be concretized to.>}#

add(boolean_switch)[source]#

[COMPATIBILITY] Enable a Boolean switch.

Parameters:: boolean_switch (str) – Name of the Boolean switch.
Returns:: None

update(boolean_switches)[source]#

[COMPATIBILITY] In order to be compatible with the old interface, you can enable a collection of Boolean switches at the same time by doing the following:

>>> state.options.update({sim_options.SYMBOLIC, sim_options.ABSTRACT_MEMORY})

>>> state.options.update(sim_options.unicorn)

Parameters:: boolean_switches (set) – A collection of Boolean switches to enable.
Returns:: None

remove(name)[source]#

Drop a state option if it exists, or raise a KeyError if the state option is not set.

[COMPATIBILITY] Remove a Boolean switch.

Parameters:: name (str) – Name of the state option.
Returns:: NNone

discard(name)[source]#

Drop a state option if it exists, or silently return if the state option is not set.

[COMPATIBILITY] Disable a Boolean switch.

Parameters:: name (str) – Name of the Boolean switch.
Returns:: None

difference(boolean_switches)[source]#

[COMPATIBILITY] Make a copy of the current instance, and then discard all options that are in boolean_switches.

Parameters:: boolean_switches (set) – A collection of Boolean switches to disable.
Returns:: A new SimStateOptions instance.

copy()[source]#

Get a copy of the current SimStateOptions instance.

Returns:: A new SimStateOptions instance.
Return type:: SimStateOptions

tally(exclude_false=True, description=False)[source]#

Return a string representation of all state options.

Parameters:

exclude_false (bool) – Whether to exclude Boolean switches that are disabled.
description (bool) – Whether to display the description of each option.

Returns:

A string representation.

Return type:

str

classmethod register_option(name, types, default=None, description=None)[source]#

Parameters:

name (str) – Name of the state option.
types – A collection of allowed types of this state option.
default – The default value of this state option.
description (str) – The description of this state option.

Returns:

None

classmethod register_bool_option(name, description=None)[source]#

Register a Boolean switch as state option. This is equivalent to cls.register_option(name, set([bool]), description=description)

Parameters:

name (str) – Name of the state option.
description (str) – The description of this state option.

Returns:

None

class angr.state_plugins.plugin.SimStatePlugin[source]#

Bases: object

This is a base class for SimState plugins. A SimState plugin will be copied along with the state when the state is branched. They are intended to be used for things such as tracking open files, tracking heap details, and providing storage and persistence for SimProcedures.

STRONGREF_STATE = False#

set_state(state)[source]#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)[source]#

copy(_memo)[source]#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

The base implementation of this function constructs a new instance of the plugin’s class without calling its initializer. If you super-call down to it, make sure you instanciate all the fields in your copy method!

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

static memo(f)[source]#: A decorator function you should apply to copy

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

Note that when multiple instances of a single plugin object (for example, a file) are referenced in the state, it is important that merge only ever be called once. This should be solved by designating one of the plugin’s referees as the “real owner”, who should be the one to actually merge it. This technique doesn’t work to resolve the similar issue that arises during copying because merging doesn’t produce a new reference to insert.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

There is a utility state.solver.ite_cases which will help with constructing arbitrarily large merged ASTs. Use it like self.bar = self.state.solver.ite_cases(zip(conditions[1:], [o.bar for o in others]), self.bar)

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

The widening operation for plugins. Widening is a special kind of merging that produces a more general state from several more specific states. It is used only during intensive static analysis. The same behavior regarding copying and mutation from merge should be followed.

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

classmethod register_default(name, xtr=None)[source]#

init_state()[source]#: Use this function to perform any initialization on the state at plugin-add time

class angr.state_plugins.inspect.BP(when='before', enabled=None, condition=None, action=None, **kwargs)[source]#

Bases: object

A breakpoint.

check(state, when)[source]#

Checks state state to see if the breakpoint should fire.

Parameters:

state – The state.
when – Whether the check is happening before or after the event.

Returns:

A boolean representing whether the checkpoint should fire.

fire(state)[source]#

Trigger the breakpoint.

Parameters:: state – The state.

class angr.state_plugins.inspect.SimInspector[source]#

Bases: SimStatePlugin

The breakpoint interface, used to instrument execution. For usage information, look here: https://docs.angr.io/core-concepts/simulation#breakpoints

BP_AFTER = 'after'#

BP_BEFORE = 'before'#

BP_BOTH = 'both'#

action(event_type, when, **kwargs)[source]#: Called from within the engine when events happens. This function checks all breakpoints registered for that event and fires the ones whose conditions match.

make_breakpoint(event_type, *args, **kwargs)[source]#

Creates and adds a breakpoint which would trigger on event_type. Additional arguments are passed to the BP constructor.

Returns:: The created breakpoint, so that it can be removed later.

b(event_type, *args, **kwargs)#

Creates and adds a breakpoint which would trigger on event_type. Additional arguments are passed to the BP constructor.

Returns:: The created breakpoint, so that it can be removed later.

add_breakpoint(event_type, bp)[source]#

Adds a breakpoint which would trigger on event_type.

Parameters:

event_type – The event type to trigger on
bp – The breakpoint

Returns:

The created breakpoint.

remove_breakpoint(event_type, bp=None, filter_func=None)[source]#

Removes a breakpoint.

Parameters:

bp – The breakpoint to remove.
filter_func – A filter function to specify whether each breakpoint should be removed or not.

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

downsize()[source]#

Remove previously stored attributes from this plugin instance to save memory. This method is supposed to be called by breakpoint implementors. A typical workflow looks like the following :

>>> # Add `attr0` and `attr1` to `self.state.inspect`
>>> self.state.inspect(xxxxxx, attr0=yyyy, attr1=zzzz)
>>> # Get new attributes out of SimInspect in case they are modified by the user
>>> new_attr0 = self.state._inspect.attr0
>>> new_attr1 = self.state._inspect.attr1
>>> # Remove them from SimInspect
>>> self.state._inspect.downsize()

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

set_state(state)[source]#: Sets a new state (for example, if the state has been branched)

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.libc.SimStateLibc[source]#

Bases: SimStatePlugin

This state plugin keeps track of various libc stuff:

LOCALE_ARRAY = [b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x03 ', b'\x02 ', b'\x02 ', b'\x02 ', b'\x02 ', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x01`', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x08\xd5', b'\x08\xd5', b'\x08\xd5', b'\x08\xd5', b'\x08\xd5', b'\x08\xd5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x08\xd6', b'\x08\xd6', b'\x08\xd6', b'\x08\xd6', b'\x08\xd6', b'\x08\xd6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x02\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00']#

TOLOWER_LOC_ARRAY = [128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 4294967295, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255]#

TOUPPER_LOC_ARRAY = [128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 4294967295, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255]#

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

property errno#

ret_errno(val)[source]#

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.posix.PosixDevFS[source]#

Bases: SimMount

get(path)[source]#

Implement this function to instrument file lookups.

Parameters:: path_elements – A list of path elements traversing from the mountpoint to the file
Returns:: A SimFile, or None

insert(path, simfile)[source]#

Implement this function to instrument file creation.

Parameters:

path_elements – A list of path elements traversing from the mountpoint to the file
simfile – The file to insert

Returns:

A bool indicating whether the insert occurred

delete(path)[source]#

Implement this function to instrument file deletion.

Parameters:: path_elements – A list of path elements traversing from the mountpoint to the file
Returns:: A bool indicating whether the delete occurred

lookup(_)[source]#

Look up the path of a SimFile in the mountpoint

Parameters:: sim_file – A SimFile object needs to be looked up
Returns:: A string representing the path of the file in the mountpoint Or None if the SimFile does not exist in the mountpoint

merge(others, conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

copy(_)[source]#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.posix.PosixProcFS[source]#

Bases: SimMount

The virtual file system mounted at /proc (as of now, on Linux).

get(path)[source]#

Implement this function to instrument file lookups.

Parameters:: path_elements – A list of path elements traversing from the mountpoint to the file
Returns:: A SimFile, or None

insert(path, simfile)[source]#

Implement this function to instrument file creation.

Parameters:

path_elements – A list of path elements traversing from the mountpoint to the file
simfile – The file to insert

Returns:

A bool indicating whether the insert occurred

delete(path)[source]#

Implement this function to instrument file deletion.

Parameters:: path_elements – A list of path elements traversing from the mountpoint to the file
Returns:: A bool indicating whether the delete occurred

lookup(_)[source]#

Look up the path of a SimFile in the mountpoint

Parameters:: sim_file – A SimFile object needs to be looked up
Returns:: A string representing the path of the file in the mountpoint Or None if the SimFile does not exist in the mountpoint

merge(others, conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

copy(_)[source]#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.posix.SimSystemPosix(stdin=None, stdout=None, stderr=None, fd=None, sockets=None, socket_queue=None, argv=None, argc=None, environ=None, auxv=None, tls_modules=None, sigmask=None, pid=None, ppid=None, uid=None, gid=None, brk=None)[source]#

Bases: SimStatePlugin

Data storage and interaction mechanisms for states with an environment conforming to posix. Available as state.posix.

SIG_BLOCK = 0#

SIG_UNBLOCK = 1#

SIG_SETMASK = 2#

EPERM = 1#

ENOENT = 2#

ESRCH = 3#

EINTR = 4#

EIO = 5#

ENXIO = 6#

E2BIG = 7#

ENOEXEC = 8#

EBADF = 9#

ECHILD = 10#

EAGAIN = 11#

ENOMEM = 12#

EACCES = 13#

EFAULT = 14#

ENOTBLK = 15#

EBUSY = 16#

EEXIST = 17#

EXDEV = 18#

ENODEV = 19#

ENOTDIR = 20#

EISDIR = 21#

EINVAL = 22#

ENFILE = 23#

EMFILE = 24#

ENOTTY = 25#

ETXTBSY = 26#

EFBIG = 27#

ENOSPC = 28#

ESPIPE = 29#

EROFS = 30#

EMLINK = 31#

EPIPE = 32#

EDOM = 33#

ERANGE = 34#

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

property closed_fds#

init_state()[source]#: Use this function to perform any initialization on the state at plugin-add time

set_brk(new_brk)[source]#

set_state(state)[source]#: Sets a new state (for example, if the state has been branched)

open(name, flags, preferred_fd=None)[source]#

Open a symbolic file. Basically open(2).

Parameters:

name (string or bytes) – Path of the symbolic file, as a string or bytes.
flags – File operation flags, a bitfield of constants from open(2), as an AST
preferred_fd – Assign this fd if it’s not already claimed.

Returns:

The file descriptor number allocated (maps through posix.get_fd to a SimFileDescriptor) or None if the open fails.

mode from open(2) is unsupported at present.

open_socket(ident)[source]#

get_fd(fd)[source]#: Looks up the SimFileDescriptor associated with the given number (an AST). If the number is concrete and does not map to anything, return None. If the number is symbolic, constrain it to an open fd and create a new file for it.

close(fd)[source]#: Closes the given file descriptor (an AST). Returns whether the operation succeeded (a concrete boolean)

fstat(sim_fd)[source]#

sigmask(sigsetsize=None)[source]#

Gets the current sigmask. If it’s blank, a new one is created (of sigsetsize).

Parameters:: sigsetsize – the size (in bytes of the sigmask set)
Returns:: the sigmask

sigprocmask(how, new_mask, sigsetsize, valid_ptr=True)[source]#

Updates the signal mask.

Parameters:

how – the “how” argument of sigprocmask (see manpage)
new_mask – the mask modification to apply
sigsetsize – the size (in bytes of the sigmask set)
valid_ptr – is set if the new_mask was not NULL

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(_)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

dump_file_by_path(path, **kwargs)[source]#

Returns the concrete content for a file by path.

Parameters:

path – file path as string
kwargs – passed to state.solver.eval

Returns:

file contents as string

dumps(fd, **kwargs)[source]#

Returns the concrete content for a file descriptor.

BACKWARD COMPATIBILITY: if you ask for file descriptors 0 1 or 2, it will return the data from stdin, stdout, or stderr as a flat string.

Parameters:: fd – A file descriptor.
Returns:: The concrete content.
Return type:: str

STRONGREF_STATE = False#

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.filesystem.Stat(st_dev, st_ino, st_nlink, st_mode, st_uid, st_gid, st_rdev, st_size, st_blksize, st_blocks, st_atime, st_atimensec, st_mtime, st_mtimensec, st_ctime, st_ctimensec)#

Bases: tuple

count(value, /)#: Return number of occurrences of value.

index(value, start=0, stop=9223372036854775807, /)#

Return first index of value.

Raises ValueError if the value is not present.

st_atime#: Alias for field number 10

st_atimensec#: Alias for field number 11

st_blksize#: Alias for field number 8

st_blocks#: Alias for field number 9

st_ctime#: Alias for field number 14

st_ctimensec#: Alias for field number 15

st_dev#: Alias for field number 0

st_gid#: Alias for field number 5

st_ino#: Alias for field number 1

st_mode#: Alias for field number 3

st_mtime#: Alias for field number 12

st_mtimensec#: Alias for field number 13

st_nlink#: Alias for field number 2

st_rdev#: Alias for field number 6

st_size#: Alias for field number 7

st_uid#: Alias for field number 4

class angr.state_plugins.filesystem.SimFilesystem(files=None, pathsep=None, cwd=None, mountpoints=None)[source]#

Bases: SimStatePlugin

angr’s emulated filesystem. Available as state.fs. When constructing, all parameters are optional.

Parameters:

files – A mapping from filepath to SimFile
pathsep – The character used to separate path elements, default forward slash.
cwd – The path of the current working directory to use
mountpoints – A mapping from filepath to SimMountpoint

Variables:

pathsep – The current pathsep
cwd – The current working directory
unlinks – A list of unlink operations, tuples of filename and simfile. Be careful, this list is shallow-copied from successor to successor, so don’t mutate anything in it without copying.

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

property unlinks#

set_state(state)[source]#: Sets a new state (for example, if the state has been branched)

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

chdir(path)[source]#: Changes the current directory to the given path

get(path)[source]#: Get a file from the filesystem. Returns a SimFile or None.

insert(path, simfile)[source]#: Insert a file into the filesystem. Returns whether the operation was successful.

delete(path)[source]#

Remove a file from the filesystem. Returns whether the operation was successful.

This will add a fs_unlink event with the path of the file and also the index into the unlinks list.

mount(path, mount)[source]#: Add a mountpoint to the filesystem.

unmount(path)[source]#: Remove a mountpoint from the filesystem.

get_mountpoint(path)[source]#

Look up the mountpoint servicing the given path.

Returns:: A tuple of the mount and a list of path elements traversing from the mountpoint to the specified file.

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.filesystem.SimMount[source]#

Bases: SimStatePlugin

This is the base class for “mount points” in angr’s simulated filesystem. Subclass this class and give it to the filesystem to intercept all file creations and opens below the mountpoint. Since this a SimStatePlugin you may also want to implement set_state, copy, merge, etc.

get(path_elements)[source]#

Implement this function to instrument file lookups.

Parameters:: path_elements – A list of path elements traversing from the mountpoint to the file
Returns:: A SimFile, or None

insert(path_elements, simfile)[source]#

Implement this function to instrument file creation.

Parameters:

path_elements – A list of path elements traversing from the mountpoint to the file
simfile – The file to insert

Returns:

A bool indicating whether the insert occurred

delete(path_elements)[source]#

Implement this function to instrument file deletion.

Parameters:: path_elements – A list of path elements traversing from the mountpoint to the file
Returns:: A bool indicating whether the delete occurred

lookup(sim_file)[source]#

Look up the path of a SimFile in the mountpoint

Parameters:: sim_file – A SimFile object needs to be looked up
Returns:: A string representing the path of the file in the mountpoint Or None if the SimFile does not exist in the mountpoint

STRONGREF_STATE = False#

copy(_memo)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

merge(others, merge_conditions, common_ancestor=None)#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

widen(others)#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

state: angr.SimState#

class angr.state_plugins.filesystem.SimConcreteFilesystem(pathsep='/')[source]#

Bases: SimMount

Abstract SimMount allowing the user to import files from some external source into the guest

Parameters:: pathsep (str) – The host path separator character, default os.path.sep

get(path_elements)[source]#

Implement this function to instrument file lookups.

Parameters:: path_elements – A list of path elements traversing from the mountpoint to the file
Returns:: A SimFile, or None

insert(path_elements, simfile)[source]#

Implement this function to instrument file creation.

Parameters:

path_elements – A list of path elements traversing from the mountpoint to the file
simfile – The file to insert

Returns:

A bool indicating whether the insert occurred

delete(path_elements)[source]#

Implement this function to instrument file deletion.

Parameters:: path_elements – A list of path elements traversing from the mountpoint to the file
Returns:: A bool indicating whether the delete occurred

lookup(sim_file)[source]#

Look up the path of a SimFile in the mountpoint

Parameters:: sim_file – A SimFile object needs to be looked up
Returns:: A string representing the path of the file in the mountpoint Or None if the SimFile does not exist in the mountpoint

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

set_state(state)[source]#: Sets a new state (for example, if the state has been branched)

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.filesystem.SimHostFilesystem(host_path=None, **kwargs)[source]#

Bases: SimConcreteFilesystem

Simulated mount that makes some piece from the host filesystem available to the guest.

Parameters:

host_path (str) – The path on the host to mount
pathsep (str) – The host path separator character, default os.path.sep

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

STRONGREF_STATE = False#

delete(path_elements)#

Implement this function to instrument file deletion.

Parameters:: path_elements – A list of path elements traversing from the mountpoint to the file
Returns:: A bool indicating whether the delete occurred

get(path_elements)#

Implement this function to instrument file lookups.

Parameters:: path_elements – A list of path elements traversing from the mountpoint to the file
Returns:: A SimFile, or None

init_state()#: Use this function to perform any initialization on the state at plugin-add time

insert(path_elements, simfile)#

Implement this function to instrument file creation.

Parameters:

path_elements – A list of path elements traversing from the mountpoint to the file
simfile – The file to insert

Returns:

A bool indicating whether the insert occurred

lookup(sim_file)#

Look up the path of a SimFile in the mountpoint

Parameters:: sim_file – A SimFile object needs to be looked up
Returns:: A string representing the path of the file in the mountpoint Or None if the SimFile does not exist in the mountpoint

static memo(f)#: A decorator function you should apply to copy

merge(others, merge_conditions, common_ancestor=None)#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

widen(others)#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

state: angr.SimState#

angr.state_plugins.solver.timed_function(f)[source]#

angr.state_plugins.solver.enable_timing()[source]#

angr.state_plugins.solver.disable_timing()[source]#

angr.state_plugins.solver.error_converter(f)[source]#

angr.state_plugins.solver.concrete_path_bool(f)[source]#

angr.state_plugins.solver.concrete_path_not_bool(f)[source]#

angr.state_plugins.solver.concrete_path_scalar(f)[source]#

angr.state_plugins.solver.concrete_path_tuple(f)[source]#

angr.state_plugins.solver.concrete_path_list(f)[source]#

class angr.state_plugins.solver.SimSolver(solver=None, all_variables=None, temporal_tracked_variables=None, eternal_tracked_variables=None)[source]#

Bases: SimStatePlugin

This is the plugin you’ll use to interact with symbolic variables, creating them and evaluating them. It should be available on a state as state.solver.

Any top-level variable of the claripy module can be accessed as a property of this object.

reload_solver(constraints=None)[source]#

Reloads the solver. Useful when changing solver options.

Parameters:: constraints (list) – A new list of constraints to use in the reloaded solver instead of the current one

get_variables(*keys)[source]#

Iterate over all variables for which their tracking key is a prefix of the values provided.

Elements are a tuple, the first element is the full tracking key, the second is the symbol.

>>> list(s.solver.get_variables('mem'))
[(('mem', 0x1000), <BV64 mem_1000_4_64>), (('mem', 0x1008), <BV64 mem_1008_5_64>)]

>>> list(s.solver.get_variables('file'))
[(('file', 1, 0), <BV8 file_1_0_6_8>), (('file', 1, 1), <BV8 file_1_1_7_8>), (('file', 2, 0), <BV8 file_2_0_8_8>)]

>>> list(s.solver.get_variables('file', 2))
[(('file', 2, 0), <BV8 file_2_0_8_8>)]

>>> list(s.solver.get_variables())
[(('mem', 0x1000), <BV64 mem_1000_4_64>), (('mem', 0x1008), <BV64 mem_1008_5_64>), (('file', 1, 0), <BV8 file_1_0_6_8>), (('file', 1, 1), <BV8 file_1_1_7_8>), (('file', 2, 0), <BV8 file_2_0_8_8>)]

register_variable(v, key, eternal=True)[source]#

Parameters:

v – The BVS to register
key – A tuple to register the variable under

Parma eternal:

Whether this is an eternal variable, default True. If False, an incrementing counter will be appended to the key.

describe_variables(v)[source]#: Given an AST, iterate over all the keys of all the BVS leaves in the tree which are registered.

Unconstrained(name, bits, uninitialized=True, inspect=True, events=True, key=None, eternal=False, **kwargs)[source]#

Creates an unconstrained symbol or a default concrete value (0), based on the state options.

Parameters:

name – The name of the symbol.
bits – The size (in bits) of the symbol.
uninitialized – Whether this value should be counted as an “uninitialized” value in the course of an analysis.
inspect – Set to False to avoid firing SimInspect breakpoints
events – Set to False to avoid generating a SimEvent for the occasion
key – Set this to a tuple of increasingly specific identifiers (for example, ('mem', 0xffbeff00) or ('file', 4, 0x20) to cause it to be tracked, i.e. accessable through solver.get_variables.
eternal – Set to True in conjunction with setting a key to cause all states with the same ancestry to retrieve the same symbol when trying to create the value. If False, a counter will be appended to the key.

Returns:

an unconstrained symbol (or a concrete value of 0).

BVS(name, size, min=None, max=None, stride=None, uninitialized=False, explicit_name=None, key=None, eternal=False, inspect=True, events=True, **kwargs)[source]#

Creates a bit-vector symbol (i.e., a variable). Other keyword parameters are passed directly on to the constructor of claripy.ast.BV.

Parameters:

name – The name of the symbol.
size – The size (in bits) of the bit-vector.
min – The minimum value of the symbol. Note that this only work when using VSA.
max – The maximum value of the symbol. Note that this only work when using VSA.
stride – The stride of the symbol. Note that this only work when using VSA.
uninitialized – Whether this value should be counted as an “uninitialized” value in the course of an analysis.
explicit_name – Set to True to prevent an identifier from appended to the name to ensure uniqueness.
key – Set this to a tuple of increasingly specific identifiers (for example, ('mem', 0xffbeff00) or ('file', 4, 0x20) to cause it to be tracked, i.e. accessable through solver.get_variables.
eternal – Set to True in conjunction with setting a key to cause all states with the same ancestry to retrieve the same symbol when trying to create the value. If False, a counter will be appended to the key.
inspect – Set to False to avoid firing SimInspect breakpoints
events – Set to False to avoid generating a SimEvent for the occasion

Returns:

A BV object representing this symbol.

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

downsize()[source]#: Frees memory associated with the constraint solver by clearing all of its internal caches.

property constraints#: Returns the constraints of the state stored by the solver.

eval_to_ast(e, n, extra_constraints=(), exact=None)[source]#

Evaluate an expression, using the solver if necessary. Returns AST objects.

Parameters:

e – the expression
n – the number of desired solutions
extra_constraints – extra constraints to apply to the solver
exact – if False, returns approximate solutions

Returns:

a tuple of the solutions, in the form of claripy AST nodes

Return type:

tuple

max(e, extra_constraints=(), exact=None, signed=False)[source]#

Return the maximum value of expression e.

:param e : expression (an AST) to evaluate :type extra_constraints: :param extra_constraints: extra constraints (as ASTs) to add to the solver for this solve :param exact : if False, return approximate solutions. :param signed : Whether the expression should be treated as a signed value. :return: the maximum possible value of e (backend object)

min(e, extra_constraints=(), exact=None, signed=False)[source]#

Return the minimum value of expression e.

solution(e, v, extra_constraints=(), exact=None)[source]#

Return True if v is a solution of expr with the extra constraints, False otherwise.

Parameters:

e – An expression (an AST) to evaluate
v – The proposed solution (an AST)
extra_constraints – Extra constraints (as ASTs) to add to the solver for this solve.
exact – If False, return approximate solutions.

Returns:

True if v is a solution of expr, False otherwise

is_true(e, extra_constraints=(), exact=None)[source]#

If the expression provided is absolutely, definitely a true boolean, return True. Note that returning False doesn’t necessarily mean that the expression can be false, just that we couldn’t figure that out easily.

Parameters:

e – An expression (an AST) to evaluate
extra_constraints – Extra constraints (as ASTs) to add to the solver for this solve.
exact – If False, return approximate solutions.

Returns:

True if v is definitely true, False otherwise

is_false(e, extra_constraints=(), exact=None)[source]#

If the expression provided is absolutely, definitely a false boolean, return True. Note that returning False doesn’t necessarily mean that the expression can be true, just that we couldn’t figure that out easily.

Parameters:

e – An expression (an AST) to evaluate
extra_constraints – Extra constraints (as ASTs) to add to the solver for this solve.
exact – If False, return approximate solutions.

Returns:

True if v is definitely false, False otherwise

unsat_core(extra_constraints=())[source]#

This function returns the unsat core from the backend solver.

Parameters:: extra_constraints – Extra constraints (as ASTs) to add to the solver for this solve.
Returns:: The unsat core.

satisfiable(extra_constraints=(), exact=None)[source]#

This function does a constraint check and checks if the solver is in a sat state.

Parameters:

extra_constraints – Extra constraints (as ASTs) to add to s for this solve
exact – If False, return approximate solutions.

Returns:

True if sat, otherwise false

add(*constraints)[source]#

Add some constraints to the solver.

Parameters:: constraints – Pass any constraints that you want to add (ASTs) as varargs.

T = ~T#

CastTarget = ~CastTarget#

eval_upto(e, n, cast_to=None, **kwargs)[source]#

Evaluate an expression, using the solver if necessary. Returns primitives as specified by the cast_to parameter. Only certain primitives are supported, check the implementation of _cast_to to see which ones.

Parameters:

e – the expression
n – the number of desired solutions
extra_constraints – extra constraints to apply to the solver
exact – if False, returns approximate solutions
cast_to – A type to cast the resulting values to

Returns:

a tuple of the solutions, in the form of Python primitives

Return type:

tuple

eval(e, cast_to=None, **kwargs)[source]#

Evaluate an expression to get any possible solution. The desired output types can be specified using the cast_to parameter. extra_constraints can be used to specify additional constraints the returned values must satisfy.

Parameters:

e – the expression to get a solution for
kwargs – Any additional kwargs will be passed down to eval_upto
cast_to (CastTarget | None) –

Raises:

SimUnsatError – if no solution could be found satisfying the given constraints

Returns:

eval_one(e, **kwargs)[source]#

Evaluate an expression to get the only possible solution. Errors if either no or more than one solution is returned. A kwarg parameter default can be specified to be returned instead of failure!

Parameters:

e – the expression to get a solution for
default – A value can be passed as a kwarg here. It will be returned in case of failure.
kwargs – Any additional kwargs will be passed down to eval_upto

Raises:

SimUnsatError – if no solution could be found satisfying the given constraints
SimValueError – if more than one solution was found to satisfy the given constraints

Returns:

The value for e

eval_atmost(e, n, **kwargs)[source]#

Evaluate an expression to get at most n possible solutions. Errors if either none or more than n solutions are returned.

Parameters:

e – the expression to get a solution for
n – the inclusive upper limit on the number of solutions
kwargs – Any additional kwargs will be passed down to eval_upto

Raises:

SimUnsatError – if no solution could be found satisfying the given constraints
SimValueError – if more than n solutions were found to satisfy the given constraints

Returns:

The solutions for e

eval_atleast(e, n, **kwargs)[source]#

Evaluate an expression to get at least n possible solutions. Errors if less than n solutions were found.

Parameters:

e – the expression to get a solution for
n – the inclusive lower limit on the number of solutions
kwargs – Any additional kwargs will be passed down to eval_upto

Raises:

SimUnsatError – if no solution could be found satisfying the given constraints
SimValueError – if less than n solutions were found to satisfy the given constraints

Returns:

The solutions for e

eval_exact(e, n, **kwargs)[source]#

Evaluate an expression to get exactly the n possible solutions. Errors if any number of solutions other than n was found to exist.

Parameters:

e – the expression to get a solution for
n – the inclusive lower limit on the number of solutions
kwargs – Any additional kwargs will be passed down to eval_upto

Raises:

SimUnsatError – if no solution could be found satisfying the given constraints
SimValueError – if any number of solutions other than n were found to satisfy the given constraints

Returns:

The solutions for e

min_int(e, extra_constraints=(), exact=None, signed=False)#

Return the minimum value of expression e.

max_int(e, extra_constraints=(), exact=None, signed=False)#

Return the maximum value of expression e.

unique(e, **kwargs)[source]#: Returns True if the expression e has only one solution by querying the constraint solver. It does also add that unique solution to the solver’s constraints.

symbolic(e)[source]#: Returns True if the expression e is symbolic.

single_valued(e)[source]#: Returns True whether e is a concrete value or is a value set with only 1 possible value. This differs from unique in that this does not query the constraint solver.

simplify(e=None)[source]#: Simplifies e. If e is None, simplifies the constraints of this state.

variables(e)[source]#: Returns the symbolic variables present in the AST of e.

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.log.SimStateLog(log=None)[source]#

Bases: SimStatePlugin

property actions#

add_event(event_type, **kwargs)[source]#

add_action(action)[source]#

extend_actions(new_actions)[source]#

events_of_type(event_type)[source]#

actions_of_type(action_type)[source]#

property fresh_constraints#

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

clear()[source]#

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.callstack.CallStack(call_site_addr=0, func_addr=0, stack_ptr=0, ret_addr=0, jumpkind='Ijk_Call', next_frame=None, invoke_return_variable=None)[source]#

Bases: SimStatePlugin

Stores the address of the function you’re in and the value of SP at the VERY BOTTOM of the stack, i.e. points to the return address.

Parameters:: next_frame (CallStack | None) –

state: angr.SimState#

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

set_state(state)[source]#: Sets a new state (for example, if the state has been branched)

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

property current_function_address#

Address of the current function.

Returns:: the address of the function
Return type:: int

property current_stack_pointer#

Get the value of the stack pointer.

Returns:: Value of the stack pointer
Return type:: int

property current_return_target#

Get the return target.

Returns:: The address of return target.
Return type:: int

static stack_suffix_to_string(stack_suffix)[source]#: Convert a stack suffix to a human-readable string representation. :param tuple stack_suffix: The stack suffix. :return: A string representation :rtype: str

property top#

Returns the element at the top of the callstack without removing it.

Returns:: A CallStack.

push(cf)[source]#: Push the frame cf onto the stack. Return the new stack.

pop()[source]#: Pop the top frame from the stack. Return the new stack.

call(callsite_addr, addr, retn_target=None, stack_pointer=None)[source]#

Push a stack frame into the call stack. This method is called when calling a function in CFG recovery.

Parameters:

callsite_addr (int) – Address of the call site
addr (int) – Address of the call target
retn_target (int or None) – Address of the return target
stack_pointer (int) – Value of the stack pointer

Returns:

None

ret(retn_target=None)[source]#

Pop one or many call frames from the stack. This method is called when returning from a function in CFG recovery.

Parameters:: retn_target (int) – The target to return to.
Returns:: None

dbg_repr()[source]#

Debugging representation of this CallStack object.

Returns:: Details of this CalLStack
Return type:: str

stack_suffix(context_sensitivity_level)[source]#

Generate the stack suffix. A stack suffix can be used as the key to a SimRun in CFG recovery.

Parameters:: context_sensitivity_level (int) – Level of context sensitivity.
Returns:: A tuple of stack suffix.
Return type:: tuple

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_strongref_state(state)#

class angr.state_plugins.callstack.CallStackAction(callstack_hash, callstack_depth, action, callframe=None, ret_site_addr=None)[source]#

Bases: object

Used in callstack backtrace, which is a history of callstacks along a path, to record individual actions occurred each time the callstack is changed.

class angr.state_plugins.light_registers.SimLightRegisters(reg_map=None, registers=None)[source]#

Bases: SimStatePlugin

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

set_state(state)[source]#: Sets a new state (for example, if the state has been branched)

resolve_register(offset, size)[source]#

load(offset, size=None, **kwargs)[source]#

store(offset, value, size=None, endness=None, **kwargs)[source]#

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

merge(others, merge_conditions, common_ancestor=None)#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

classmethod register_default(name, xtr=None)#

set_strongref_state(state)#

widen(others)#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

state: angr.SimState#

class angr.state_plugins.history.SimStateHistory(parent=None, clone=None)[source]#

Bases: SimStatePlugin

This class keeps track of historically-relevant information for paths.

STRONGREF_STATE = True#

init_state()[source]#: Use this function to perform any initialization on the state at plugin-add time

set_strongref_state(state)[source]#

property addr#

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

trim()[source]#: Discard the ancestry of this state.

filter_actions(start_block_addr=None, end_block_addr=None, block_stmt=None, insn_addr=None, read_from=None, write_to=None)[source]#

Filter self.actions based on some common parameters.

[start_block_addr, end_block_addr]

Parameters:

start_block_addr – Only return actions generated in blocks starting at this address.
end_block_addr – Only return actions generated in blocks ending at this address.
block_stmt – Only return actions generated in the nth statement of each block.
insn_addr – Only return actions generated in the assembly instruction at this address.
read_from – Only return actions that perform a read from the specified location.
write_to – Only return actions that perform a write to the specified location.

Notes: If IR optimization is turned on, reads and writes may not occur in the instruction they originally came from. Most commonly, If a register is read from twice in the same block, the second read will not happen, instead reusing the temp the value is already stored in.

Valid values for read_from and write_to are the string literals ‘reg’ or ‘mem’ (matching any read or write to registers or memory, respectively), any string (representing a read or write to the named register), and any integer (representing a read or write to the memory at this address).

demote()[source]#: Demotes this history node, causing it to drop the strong state reference.

reachable()[source]#

add_event(event_type, **kwargs)[source]#

add_action(action)[source]#

extend_actions(new_actions)[source]#

subscribe_actions()[source]#

property recent_constraints#

property recent_actions#

property block_count#

property lineage#

property parents#

property events#

property actions#

property jumpkinds#

property jump_guards#

property jump_targets#

property jump_sources#

property descriptions#

property bbl_addrs#

property ins_addrs#

property stack_actions#

closest_common_ancestor(other)[source]#

Find the common ancestor between this history node and ‘other’.

Parameters:: other – the PathHistory to find a common ancestor with.
Returns:: the common ancestor SimStateHistory, or None if there isn’t one

constraints_since(other)[source]#

Returns the constraints that have been accumulated since other.

Parameters:: other – a prior PathHistory object
Returns:: a list of constraints

make_child()[source]#

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

state: angr.SimState#

class angr.state_plugins.history.TreeIter(start, end=None)[source]#

Bases: object

property hardcopy#

count(v)[source]#: Count occurrences of value v in the entire history. Note that the subclass must implement the __reversed__ method, otherwise an exception will be thrown. :param object v: The value to look for :return: The number of occurrences :rtype: int

class angr.state_plugins.history.HistoryIter(start, end=None)[source]#

Bases: TreeIter

count(v)#: Count occurrences of value v in the entire history. Note that the subclass must implement the __reversed__ method, otherwise an exception will be thrown. :param object v: The value to look for :return: The number of occurrences :rtype: int

property hardcopy#

class angr.state_plugins.history.LambdaAttrIter(start, f, **kwargs)[source]#

Bases: TreeIter

count(v)#: Count occurrences of value v in the entire history. Note that the subclass must implement the __reversed__ method, otherwise an exception will be thrown. :param object v: The value to look for :return: The number of occurrences :rtype: int

property hardcopy#

class angr.state_plugins.history.LambdaIterIter(start, f, reverse=True, **kwargs)[source]#

Bases: LambdaAttrIter

count(v)#: Count occurrences of value v in the entire history. Note that the subclass must implement the __reversed__ method, otherwise an exception will be thrown. :param object v: The value to look for :return: The number of occurrences :rtype: int

property hardcopy#

class angr.state_plugins.gdb.GDB(omit_fp=False, adjust_stack=False)[source]#

Bases: SimStatePlugin

Initialize or update a state from gdb dumps of the stack, heap, registers and data (or arbitrary) segments.

set_stack(stack_dump, stack_top)[source]#

Stack dump is a dump of the stack from gdb, i.e. the result of the following gdb command :

dump binary memory [stack_dump] [begin_addr] [end_addr]

We set the stack to the same addresses as the gdb session to avoid pointers corruption.

Parameters:

stack_dump – The dump file.
stack_top – The address of the top of the stack in the gdb session.

set_heap(heap_dump, heap_base)[source]#

Heap dump is a dump of the heap from gdb, i.e. the result of the following gdb command:

dump binary memory [stack_dump] [begin] [end]

Parameters:

heap_dump – The dump file.
heap_base – The start address of the heap in the gdb session.

set_data(addr, data_dump)[source]#: Update any data range (most likely use is the data segments of loaded objects)

set_regs(regs_dump)[source]#

Initialize register values within the state

Parameters:: regs_dump – The output of info registers in gdb.

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

merge(others, merge_conditions, common_ancestor=None)#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

widen(others)#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

state: angr.SimState#

class angr.state_plugins.cgc.SimStateCGC[source]#

Bases: SimStatePlugin

This state plugin keeps track of CGC state.

EBADF = 1#

EFAULT = 2#

EINVAL = 3#

ENOMEM = 4#

ENOSYS = 5#

EPIPE = 6#

FD_SETSIZE = 1024#

max_allocation = 268435456#

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

peek_input()[source]#

discard_input(num_bytes)[source]#

peek_output()[source]#

discard_output(num_bytes)[source]#

addr_invalid(a)[source]#

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

get_max_sinkhole(length)[source]#

Find a sinkhole which is large enough to support length bytes.

This uses first-fit. The first sinkhole (ordered in descending order by their address) which can hold length bytes is chosen. If there are more than length bytes in the sinkhole, a new sinkhole is created representing the remaining bytes while the old sinkhole is removed.

add_sinkhole(address, length)[source]#

Add a sinkhole.

Allow the possibility for the program to reuse the memory represented by the address length pair.

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

state: angr.SimState#

This file contains objects to track additional information during a trace or modify symbolic variables during a trace.

The ChallRespInfo plugin tracks variables in stdin and stdout to enable handling of challenge response It handles atoi/int2str in a special manner since path constraints will usually prevent their values from being modified

The Zen plugin simplifies expressions created from variables in the flag page (losing some accuracy) to avoid situations where they become to complex for z3, but the actual equation doesn’t matter much. This can happen in challenge response if all of the values in the flag page are multiplied together before being printed.

class angr.state_plugins.trace_additions.FormatInfo[source]#

Bases: object

copy()[source]#

compute(state)[source]#

get_type()[source]#

class angr.state_plugins.trace_additions.FormatInfoStrToInt(addr, func_name, str_arg_num, base, base_arg, allows_negative)[source]#

Bases: FormatInfo

copy()[source]#

compute(state)[source]#

get_type()[source]#

class angr.state_plugins.trace_additions.FormatInfoIntToStr(addr, func_name, int_arg_num, str_dst_num, base, base_arg)[source]#

Bases: FormatInfo

copy()[source]#

compute(state)[source]#

get_type()[source]#

class angr.state_plugins.trace_additions.FormatInfoDontConstrain(addr, func_name, check_symbolic_arg)[source]#

Bases: FormatInfo

copy()[source]#

compute(state)[source]#

get_type()[source]#

angr.state_plugins.trace_additions.int2base(x, base)[source]#

angr.state_plugins.trace_additions.generic_info_hook(state)[source]#

angr.state_plugins.trace_additions.end_info_hook(state)[source]#

angr.state_plugins.trace_additions.exit_hook(state)[source]#

angr.state_plugins.trace_additions.syscall_hook(state)[source]#

angr.state_plugins.trace_additions.constraint_hook(state)[source]#

class angr.state_plugins.trace_additions.ChallRespInfo[source]#

Bases: SimStatePlugin

This state plugin keeps track of the reads and writes to symbolic addresses

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

static get_byte(var_name)[source]#

lookup_original(replacement)[source]#

pop_from_backup()[source]#

get_stdin_indices(variable)[source]#

get_stdout_indices(variable)[source]#

get_real_len(input_val, base, result_bv, allows_negative)[source]#

get_possible_len(input_val, base, allows_negative)[source]#

get_same_length_constraints()[source]#

static atoi_dumps(state, require_same_length=True)[source]#

static prep_tracer(state, format_infos=None)[source]#

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

state: SimState#

angr.state_plugins.trace_additions.zen_hook(state, expr)[source]#

angr.state_plugins.trace_additions.zen_memory_write(state)[source]#

angr.state_plugins.trace_additions.zen_register_write(state)[source]#

class angr.state_plugins.trace_additions.ZenPlugin(max_depth=13)[source]#

Bases: SimStatePlugin

static get_flag_rand_args(expr)[source]#

get_expr_depth(expr)[source]#

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

get_flag_bytes(ast)[source]#

filter_constraints(constraints)[source]#

analyze_transmit(state, buf)[source]#

static prep_tracer(state)[source]#

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

state: SimState#

class angr.state_plugins.globals.SimStateGlobals(backer=None)[source]#

Bases: SimStatePlugin

set_state(state)[source]#: Sets a new state (for example, if the state has been branched)

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

keys()[source]#

values()[source]#

items()[source]#

get(k, alt=None)[source]#

pop(k, alt=None)[source]#

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.uc_manager.SimUCManager(man=None)[source]#

Bases: SimStatePlugin

assign(dst_addr_ast)[source]#

Assign a new region for under-constrained symbolic execution.

Parameters:: dst_addr_ast – the symbolic AST which address of the new allocated region will be assigned to.
Returns:: as ast of memory address that points to a new region

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

get_alloc_depth(addr)[source]#

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

is_bounded(ast)[source]#

Test whether an AST is bounded by any existing constraint in the related solver.

Parameters:: ast – an claripy.AST object
Returns:: True if there is at least one related constraint, False otherwise

static memo(f)#: A decorator function you should apply to copy

merge(others, merge_conditions, common_ancestor=None)#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

classmethod register_default(name, xtr=None)#

set_strongref_state(state)#

widen(others)#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

state: angr.SimState#

set_state(state)[source]#: Sets a new state (for example, if the state has been branched)

class angr.state_plugins.scratch.SimStateScratch(scratch=None)[source]#

Bases: SimStatePlugin

Implements the scratch state plugin.

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

state: angr.SimState#

property priv#

push_priv(priv)[source]#

pop_priv()[source]#

set_tyenv(tyenv)[source]#

tmp_expr(tmp)[source]#

Returns the Claripy expression of a VEX temp value.

Parameters:

tmp – the number of the tmp
simplify – simplify the tmp before returning it

Returns:

a Claripy expression of the tmp

store_tmp(tmp, content, reg_deps=None, tmp_deps=None, deps=None, **kwargs)[source]#

Stores a Claripy expression in a VEX temp value. If in symbolic mode, this involves adding a constraint for the tmp’s symbolic variable.

Parameters:

tmp – the number of the tmp
content – a Claripy expression of the content
reg_deps – the register dependencies of the content
tmp_deps – the temporary value dependencies of the content

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

clear()[source]#

class angr.state_plugins.preconstrainer.SimStatePreconstrainer(constrained_addrs=None)[source]#

Bases: SimStatePlugin

This state plugin manages the concept of preconstraining - adding constraints which you would like to remove later.

Parameters:: constrained_addrs – SimActions for memory operations whose addresses should be constrained during crash analysis

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

preconstrain(value, variable)[source]#

Add a preconstraint that variable == value to the state.

Parameters:

value – The concrete value. Can be a bitvector or a bytestring or an integer.
variable – The BVS to preconstrain.

preconstrain_file(content, simfile, set_length=False)[source]#

Preconstrain the contents of a file.

Parameters:

content – The content to preconstrain the file to. Can be a bytestring or a list thereof.
simfile – The actual simfile to preconstrain

preconstrain_flag_page(magic_content)[source]#

Preconstrain the data in the flag page.

Parameters:: magic_content – The content of the magic page as a bytestring.

remove_preconstraints(to_composite_solver=True, simplify=True)[source]#

Remove the preconstraints from the state.

If you are using the zen plugin, this will also use that to filter the constraints.

Parameters:

to_composite_solver – Whether to convert the replacement solver to a composite solver. You probably want this if you’re switching from tracing to symbolic analysis.
simplify – Whether to simplify the resulting set of constraints.

reconstrain()[source]#: Split the solver. If any of the subsolvers time out after a short timeout (10 seconds), re-add the preconstraints associated with each of its variables. Hopefully these constraints still allow us to do meaningful things to the state.

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.unicorn_engine.MEM_PATCH[source]#

Bases: Structure

struct mem_update_t

address#: Structure/Union member

length#: Structure/Union member

next#: Structure/Union member

class angr.state_plugins.unicorn_engine.TRANSMIT_RECORD[source]#

Bases: Structure

struct transmit_record_t

count#: Structure/Union member

data#: Structure/Union member

fd#: Structure/Union member

class angr.state_plugins.unicorn_engine.TaintEntityEnum[source]#

Bases: object

taint_entity_enum_t

TAINT_ENTITY_REG = 0#

TAINT_ENTITY_TMP = 1#

TAINT_ENTITY_MEM = 2#

TAINT_ENTITY_NONE = 3#

class angr.state_plugins.unicorn_engine.MemoryValue[source]#

Bases: Structure

struct memory_value_t

address#: Structure/Union member

is_value_set#: Structure/Union member

is_value_symbolic#: Structure/Union member

value#: Structure/Union member

class angr.state_plugins.unicorn_engine.RegisterValue[source]#

Bases: Structure

struct register_value_t

offset#: Structure/Union member

size#: Structure/Union member

value#: Structure/Union member

class angr.state_plugins.unicorn_engine.VEXStmtDetails[source]#

Bases: Structure

struct sym_vex_stmt_details_t

has_memory_dep#: Structure/Union member

memory_values#: Structure/Union member

memory_values_count#: Structure/Union member

stmt_idx#: Structure/Union member

class angr.state_plugins.unicorn_engine.BlockDetails[source]#

Bases: Structure

struct sym_block_details_ret_t

block_addr#: Structure/Union member

block_size#: Structure/Union member

block_trace_ind#: Structure/Union member

has_symbolic_exit#: Structure/Union member

register_values#: Structure/Union member

register_values_count#: Structure/Union member

symbolic_vex_stmts#: Structure/Union member

symbolic_vex_stmts_count#: Structure/Union member

class angr.state_plugins.unicorn_engine.STOP[source]#

Bases: object

enum stop_t

STOP_NORMAL = 0#

STOP_STOPPOINT = 1#

STOP_ERROR = 2#

STOP_SYSCALL = 3#

STOP_EXECNONE = 4#

STOP_ZEROPAGE = 5#

STOP_NOSTART = 6#

STOP_SEGFAULT = 7#

STOP_ZERO_DIV = 8#

STOP_NODECODE = 9#

STOP_HLT = 10#

STOP_VEX_LIFT_FAILED = 11#

STOP_SYMBOLIC_PC = 12#

STOP_SYMBOLIC_READ_ADDR = 13#

STOP_SYMBOLIC_READ_SYMBOLIC_TRACKING_DISABLED = 14#

STOP_SYMBOLIC_WRITE_ADDR = 15#

STOP_SYMBOLIC_BLOCK_EXIT_CONDITION = 16#

STOP_SYMBOLIC_BLOCK_EXIT_TARGET = 17#

STOP_UNSUPPORTED_STMT_PUTI = 18#

STOP_UNSUPPORTED_STMT_STOREG = 19#

STOP_UNSUPPORTED_STMT_LOADG = 20#

STOP_UNSUPPORTED_STMT_CAS = 21#

STOP_UNSUPPORTED_STMT_LLSC = 22#

STOP_UNSUPPORTED_STMT_DIRTY = 23#

STOP_UNSUPPORTED_EXPR_GETI = 24#

STOP_UNSUPPORTED_STMT_UNKNOWN = 25#

STOP_UNSUPPORTED_EXPR_UNKNOWN = 26#

STOP_UNKNOWN_MEMORY_WRITE_SIZE = 27#

STOP_SYSCALL_ARM = 28#

STOP_X86_CPUID = 29#

stop_message = {0: 'Reached maximum steps', 1: 'Hit a stop point', 2: 'Something wrong', 3: 'Unable to handle syscall', 4: 'Fetching empty page', 5: 'Accessing zero page', 6: 'Failed to start', 7: 'Permissions or mapping error', 8: 'Divide by zero', 9: 'Instruction decoding error', 10: 'hlt instruction encountered', 11: 'Failed to lift block to VEX', 12: 'Instruction pointer became symbolic', 13: 'Attempted to read from symbolic address', 14: 'Attempted to read symbolic data from memory but symbolic tracking is disabled', 15: 'Attempted to write to symbolic address', 16: "Guard condition of block's exit statement is symbolic", 17: 'Target of default exit of block is symbolic', 18: 'Symbolic taint propagation for PutI statement not yet supported', 19: 'Symbolic taint propagation for StoreG statement not yet supported', 20: 'Symbolic taint propagation for LoadG statement not yet supported', 21: 'Symbolic taint propagation for CAS statement not yet supported', 22: 'Symbolic taint propagation for LLSC statement not yet supported', 23: 'Symbolic taint propagation for Dirty statement not yet supported', 24: 'Symbolic taint propagation for GetI expression not yet supported', 25: 'Canoo propagate symbolic taint for unsupported VEX statement type', 26: 'Cannot propagate symbolic taint for unsupported VEX expression', 27: 'Unicorn failed to determine size of memory write', 28: 'ARM syscalls are currently not supported by SimEngineUnicorn', 29: 'Block executes cpuid which should be handled in VEX engine'}#

symbolic_stop_reasons = {12, 13, 14, 15, 16, 17, 28, 29}#

unsupported_reasons = {11, 18, 19, 20, 21, 22, 23, 25, 26}#

static name_stop(num)[source]#

static get_stop_msg(stop_reason)[source]#

class angr.state_plugins.unicorn_engine.StopDetails[source]#

Bases: Structure

struct stop_details_t

block_addr#: Structure/Union member

block_size#: Structure/Union member

stop_reason#: Structure/Union member

class angr.state_plugins.unicorn_engine.SimOSEnum[source]#

Bases: object

enum simos_t

SIMOS_CGC = 0#

SIMOS_LINUX = 1#

SIMOS_OTHER = 2#

exception angr.state_plugins.unicorn_engine.MemoryMappingError[source]#

Bases: Exception

args#

with_traceback()#: Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception angr.state_plugins.unicorn_engine.AccessingZeroPageError[source]#

Bases: MemoryMappingError

args#

with_traceback()#: Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception angr.state_plugins.unicorn_engine.FetchingZeroPageError[source]#

Bases: MemoryMappingError

args#

with_traceback()#: Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception angr.state_plugins.unicorn_engine.SegfaultError[source]#

Bases: MemoryMappingError

args#

with_traceback()#: Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception angr.state_plugins.unicorn_engine.MixedPermissonsError[source]#

Bases: MemoryMappingError

args#

with_traceback()#: Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

class angr.state_plugins.unicorn_engine.AggressiveConcretizationAnnotation(addr)[source]#

Bases: SimplificationAvoidanceAnnotation

property eliminatable#

Returns whether this annotation can be eliminated in a simplification.

Returns:: True if eliminatable, False otherwise

property relocatable#

Returns whether this annotation can be relocated in a simplification.

Returns:: True if it can be relocated, false otherwise.

relocate(src, dst)#

This is called when an annotation has to be relocated because of simplifications.

Consider the following case:

x = claripy.BVS(‘x’, 32) zero = claripy.BVV(0, 32).add_annotation(your_annotation) y = x + zero

Here, one of three things can happen:

if your_annotation.eliminatable is True, the simplifiers will simply eliminate your_annotation along with zero and y is x will hold

elif your_annotation.relocatable is False, the simplifier will abort and y will never be simplified

elif your_annotation.relocatable is True, the simplifier will run, determine that the simplified result of x + zero will be x. It will then call your_annotation.relocate(zero, x) to move the annotation away from the AST that is about to be eliminated.

Parameters:

src – the old AST that was eliminated in the simplification
dst – the new AST (the result of a simplification)

Returns:

the annotation that will be applied to dst

class angr.state_plugins.unicorn_engine.Uniwrapper(arch, cache_key, thumb=False)[source]#

Bases: Uc

hook_add(htype, callback, user_data=None, begin=1, end=0, arg1=0)[source]#

hook_del(h)[source]#

mem_map(addr, size, perms=7)[source]#

mem_map_ptr(addr, size, perms, ptr)[source]#

mem_unmap(addr, size)[source]#

mem_reset()[source]#

hook_reset()[source]#

reset()[source]#

context_restore(context)#

Parameters:: context (UcContext) –

context_save()#

context_update(context)#

Parameters:: context (UcContext) –

ctl(control, *args)#

Parameters:: control (int) –

ctl_exits_enabled(val)#

Parameters:: val (bool) –

ctl_flush_tb()#

ctl_get_arch()#

ctl_get_cpu_model()#

ctl_get_exits()#

ctl_get_exits_cnt()#

ctl_get_mode()#

ctl_get_page_size()#

ctl_get_timeout()#

ctl_remove_cache(addr, end)#

Parameters:

addr (int) –
end (int) –

ctl_request_cache(addr)#

Parameters:: addr (int) –

ctl_set_cpu_model(val)#

Parameters:: val (int) –

ctl_set_exits(exits)#

Parameters:: exits (List[int]) –

ctl_set_page_size(val)#

Parameters:: val (int) –

emu_start(begin, until, timeout=0, count=0)#

Return type:

None

Parameters:

begin (int) –
until (int) –
timeout (int) –
count (int) –

emu_stop()#

Return type:: None

mem_protect(address, size, perms=7)#

Parameters:

address (int) –
size (int) –
perms (int) –

mem_read(address, size)#

Parameters:

address (int) –
size (int) –

mem_regions()#

mem_write(address, data)#

Parameters:

address (int) –
data (bytes) –

mmio_map(address, size, read_cb, user_data_read, write_cb, user_data_write)#

Parameters:

address (int) –
size (int) –
read_cb (Callable[[Uc, int, int, Any], int]) –
user_data_read (Any) –
write_cb (Callable[[Uc, int, int, int, Any], None]) –
user_data_write (Any) –

msr_read(msr_id)#

Parameters:: msr_id (int) –

msr_write(msr_id, value)#

Parameters:: value (int) –

query(query_mode)#

Parameters:: query_mode (int) –

reg_read(reg_id, opt=None)#

Return type:

Union[int, Tuple[int, int, int, int], Tuple[int, int]]

Parameters:

reg_id (int) –
opt (None | int | Tuple[int, int, int, int, int, int, int] | Tuple[int, int, int, int, int]) –

reg_write(reg_id, value)#

Parameters:

reg_id (int) –
value (int | Tuple[int, int, int, int, int, int, int, int] | Tuple[int, int, int, int, int, int] | Tuple[int, int, int, int] | Tuple[int, int]) –

static release_handle(uch)#

Parameters:: uch (CDLL) –

class angr.state_plugins.unicorn_engine.Unicorn(syscall_hooks=None, cache_key=None, unicount=None, symbolic_var_counts=None, symbolic_inst_counts=None, concretized_asts=None, always_concretize=None, never_concretize=None, concretize_at=None, concretization_threshold_memory=None, concretization_threshold_registers=None, concretization_threshold_instruction=None, cooldown_symbolic_stop=2, cooldown_unsupported_stop=2, cooldown_nonunicorn_blocks=100, cooldown_stop_point=1, max_steps=1000000)[source]#

Bases: SimStatePlugin

setup the unicorn engine for a state

UC_CONFIG = {}#

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

set_state(state)[source]#: Sets a new state (for example, if the state has been branched)

property uc#

static delete_uc()[source]#

set_last_block_details(details)[source]#

set_stops(stop_points)[source]#

set_tracking(track_bbls, track_stack)[source]#

hook()[source]#

uncache_region(addr, length)[source]#

clear_page_cache()[source]#

setup(syscall_data=None, fd_bytes=None)[source]#

start(step=None)[source]#

get_recent_bbl_addrs()[source]#

get_stop_details()[source]#

finish(succ_state)[source]#

destroy(succ_state)[source]#

set_regs()[source]#: setting unicorn registers

setup_flags()[source]#

setup_gdt(fs, gs)[source]#

read_msr(msr=3221225728)[source]#

write_msr(val, msr=3221225728)[source]#

get_regs(succ_state)[source]#: loading registers from unicorn. If succ_state is not None, update it instead of self.state. Needed when handling symbolic exits in native interface

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.loop_data.SimStateLoopData(back_edge_trip_counts=None, header_trip_counts=None, current_loop=None)[source]#

Bases: SimStatePlugin

This class keeps track of loop-related information for states. Note that we have 2 counters for loop iterations (trip counts): the first recording the number of times one of the back edges (or continue edges) of a loop is taken, whereas the second recording the number of times the loop header (or loop entry) is executed. These 2 counters may differ since compilers usually optimize loops hence completely change the loop structure at the binary level. This is supposed to be used with LoopSeer exploration technique, which monitors loop execution. For the moment, the only thing we want to analyze is loop trip counts, but nothing prevents us from extending this plugin for other loop analyses.

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.concrete.Concrete(segment_registers_initialized=False, segment_registers_callback_initialized=False, whitelist=None, fs_register_bp=None, already_sync_objects_addresses=None)[source]#

Bases: SimStatePlugin

copy(_memo)[source]#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

merge(_others, _merge_conditions, _common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(_others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

set_state(state)[source]#: Sets a new state (for example, if the state has been branched)

sync()[source]#

Handle the switch between the concrete execution and angr. This method takes care of: 1- Synchronize registers. 2- Set a concrete target to the memory backer so the memory reads are redirected in the concrete process memory. 3- If possible restore the SimProcedures with the real addresses inside the concrete process. 4- Set an inspect point to sync the segments register as soon as they are read during the symbolic execution. 5- Flush all the pages loaded until now.

Returns:

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.javavm_classloader.SimJavaVmClassloader(initialized_classes=None)[source]#

Bases: SimStatePlugin

JavaVM Classloader is used as an interface for resolving and initializing Java classes.

get_class(class_name, init_class=False, step_func=None)[source]#

Get a class descriptor for the class.

Parameters:

class_name (str) – Name of class.
init_class (bool) – Whether the class initializer <clinit> should be executed.
step_func (func) – Callback function executed at every step of the simulation manager during the execution of the main <clinit> method

get_superclass(class_)[source]#: Get the superclass of the class.

get_class_hierarchy(base_class)[source]#: Walks up the class hierarchy and returns a list of all classes between base class (inclusive) and java.lang.Object (exclusive).

is_class_initialized(class_)[source]#: Indicates whether the classes initializing method <clinit> was already executed on the state.

init_class(class_, step_func=None)[source]#

This method simulates the loading of a class by the JVM, during which parts of the class (e.g. static fields) are initialized. For this, we run the class initializer method <clinit> (if available) and update the state accordingly.

Note: Initialization is skipped, if the class has already been: initialized (or if it’s not loaded in CLE).

property initialized_classes#: List of all initialized classes.

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.jni_references.SimStateJNIReferences(local_refs=None, global_refs=None)[source]#

Bases: SimStatePlugin

Management of the mapping between opaque JNI references and the corresponding Java objects.

lookup(opaque_ref)[source]#: Lookups the object that was used for creating the reference.

create_new_reference(obj, global_ref=False)[source]#

Create a new reference thats maps to the given object.

Parameters:

obj – Object which gets referenced.
global_ref (bool) – Whether a local or global reference is created.

clear_local_references()[source]#: Clear all local references.

delete_reference(opaque_ref, global_ref=False)[source]#

Delete the stored mapping of a reference.

Parameters:

opaque_ref – Reference which should be removed.
global_ref (bool) – Whether opaque_ref is a local or global reference.

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.heap.heap_base.SimHeapBase(heap_base=None, heap_size=None)[source]#

Bases: SimStatePlugin

This is the base heap class that all heap implementations should subclass. It defines a few handlers for common heap functions (the libc memory management functions). Heap implementations are expected to override these functions regardless of whether they implement the SimHeapLibc interface. For an example, see the SimHeapBrk implementation, which is based on the original libc SimProcedure implementations.

Variables:

heap_base – the address of the base of the heap in memory
heap_size – the total size of the main memory region managed by the heap in memory
mmap_base – the address of the region from which large mmap allocations will be made

copy(memo)[source]#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

init_state()[source]#: Use this function to perform any initialization on the state at plugin-add time

STRONGREF_STATE = False#

static memo(f)#: A decorator function you should apply to copy

merge(others, merge_conditions, common_ancestor=None)#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

widen(others)#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

state: angr.SimState#

class angr.state_plugins.heap.heap_brk.SimHeapBrk(heap_base=None, heap_size=None)[source]#

Bases: SimHeapBase

SimHeapBrk represents a trivial heap implementation based on the Unix brk system call. This type of heap stores virtually no metadata, so it is up to the user to determine when it is safe to release memory. This also means that it does not properly support standard heap operations like realloc.

This heap implementation is a holdover from before any more proper implementations were modelled. At the time, various libc (or win32) SimProcedures handled the heap in the same way that this plugin does now. To make future heap implementations plug-and-playable, they should implement the necessary logic themselves, and dependent SimProcedures should invoke a method by the same name as theirs (prepended with an underscore) upon the heap plugin. Depending on the heap implementation, if the method is not supported, an error should be raised.

Out of consideration for the original way the heap was handled, this plugin implements functionality for all relevant SimProcedures (even those that would not normally be supported together in a single heap implementation).

Variables:: heap_location – the address of the top of the heap, bounding the allocations made starting from heap_base

copy(memo=None, **kwargs)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

allocate(sim_size)[source]#

The actual allocation primitive for this heap implementation. Increases the position of the break to allocate space. Has no guards against the heap growing too large.

Parameters:: sim_size – a size specifying how much to increase the break pointer by
Returns:: a pointer to the previous break position, above which there is now allocated space

release(sim_size)[source]#

The memory release primitive for this heap implementation. Decreases the position of the break to deallocate space. Guards against releasing beyond the initial heap base.

Parameters:: sim_size – a size specifying how much to decrease the break pointer by (may be symbolic or not)

merge(others, merge_conditions, common_ancestor=None)[source]#

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)[source]#

Parameters:: others – the other state plugin
Returns:: True if the state plugin is actually widened.
Return type:: bool

STRONGREF_STATE = False#

init_state()#: Use this function to perform any initialization on the state at plugin-add time

static memo(f)#: A decorator function you should apply to copy

classmethod register_default(name, xtr=None)#

set_state(state)#: Sets a new state (for example, if the state has been branched)

set_strongref_state(state)#

state: angr.SimState#

class angr.state_plugins.heap.heap_freelist.Chunk(base, sim_state)[source]#

Bases: object

The sort of chunk as would typically be found in a freelist-style heap implementation. Provides a representation of a chunk via a view into the memory plugin. Chunks may be adjacent, in different senses, to as many as four other chunks. For any given chunk, two of these chunks are adjacent to it in memory, and are referred to as the “previous” and “next” chunks throughout this implementation. For any given free chunk, there may also be two significant chunks that are adjacent to it in some linked list of free chunks. These chunks are referred to the “backward” and “foward” chunks relative to the chunk in question.

Variables:

base – the location of the base of the chunk in memory
state – the program state that the chunk is resident in

get_size()[source]#: Returns the actual size of a chunk (as opposed to the entire size field, which may include some flags).

get_data_size()[source]#: Returns the size of the data portion of a chunk.

set_size(size)[source]#: Sets the size of the chunk, preserving any flags.

data_ptr()[source]#: Returns the address of the payload of the chunk.

is_free()[source]#: Returns a concrete determination as to whether the chunk is free.

next_chunk()[source]#: Returns the chunk immediately following (and adjacent to) this one.

prev_chunk()[source]#: Returns the chunk immediately prior (and adjacent) to this one.

fwd_chunk()[source]#: Returns the chunk following this chunk in the list of free chunks.

set_fwd_chunk(fwd)[source]#

Sets the chunk following this chunk in the list of free chunks.

Parameters:: fwd – the chunk to follow this chunk in the list of free chunks

bck_chunk()[source]#: Returns the chunk backward from this chunk in the list of free chunks.

set_bck_chunk(bck)[source]#

Sets the chunk backward from this chunk in the list of free chunks.

Parameters:: bck – the chunk to precede this chunk in the list of free chunks

class angr.state_plugins.heap.heap_freelist.SimHeapFreelist(heap_base=None, heap_size=None)[source]#

Bases: SimHeapLibc

A freelist-style heap implementation. Distinguishing features of such heaps include chunks containing heap metadata in addition to user data and at least (but often more than) one linked list of free chunks.

chunks()[source]#: Returns an iterator over all the chunks in the heap.

allocated_chunks()[source]#: Returns an iterator over all the allocated chunks in the heap.

free_chunks()[source]#: Returns an iterator over all the free chunks in the heap.

chunk_from_mem(ptr)[source]#

Given a pointer to a user payload, return the chunk associated with that payload.

Parameters:: ptr – a pointer to the base of a user payload in the heap
Returns:: the associated heap chunk

print_heap_state()[source]#

print_all_chunks()[source]#

STRONGREF_STATE = False#

calloc(sim_nmemb, sim_size)#

A somewhat faithful implementation of libc calloc.

Parameters:

sim_nmemb – the number of elements to allocated
sim_size – the size of each element (in bytes)

Returns:

the address of the allocation, or a NULL pointer if the allocation failed

copy(memo)#

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

Parameters:: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use