
Angr – User-friendly binary analysis platform - adulau
https://github.com/angr/angr
======
q3k
The interesting part about Angr (and arguably, its' reason for existence) is
that it can execute native (x86_64, ARM, others...) concolically [1] - ie.,
given a binary and a requested end state, it will strive using both formal
methods and brute force to find input required to reach that state. All
automatically, including converting binary code to an IL (cle & Vagrant IL via
PyVEX), executing that IL (simuvex) and interacting with SMT solvers
(claripy). This can be used for finding bugs, reverse engineering and exploit
generation, at least in a toy/CTF setting.

Angr is also the open-source part of the Shellphish/UCSB contestant
(Mechanical Phish) that competed in the DARPA CGC [2].

[1] -
[https://en.wikipedia.org/wiki/Concolic_testing](https://en.wikipedia.org/wiki/Concolic_testing)

[2] -
[https://en.wikipedia.org/wiki/2016_Cyber_Grand_Challenge](https://en.wikipedia.org/wiki/2016_Cyber_Grand_Challenge)

~~~
saagarjha
> Angr is also the open-source part of the Shellphish/UCSB contestant
> (Mechanical Phish) that competed in the DARPA CGC

It's not the only open-source part:
[https://github.com/mechaphish](https://github.com/mechaphish)

------
xvilka
There are other similar platforms (listing biggest ones):

1\. BAP (OCaml) -
[https://github.com/BinaryAnalysisPlatform/bap](https://github.com/BinaryAnalysisPlatform/bap)

2\. BinCAT (OCaml) - [https://github.com/airbus-
seclab/bincat](https://github.com/airbus-seclab/bincat)

3\. radare2 (C) + radeco (Rust)(WIP) -
[https://github.com/radare/radare2](https://github.com/radare/radare2) \+
[https://github.com/radare/radeco-lib](https://github.com/radare/radeco-lib)

4\. Falcon (Rust) (WIP) -
[https://github.com/falconre/falcon](https://github.com/falconre/falcon)

And a bunch of others, less common or less featureful.

------
pag
If you're an everyday C/C++ programmer and can't imagine how Angr could fit
into your workflow, then check out DeepState
([https://github.com/trailofbits/deepstate](https://github.com/trailofbits/deepstate)).
It is a Google Test-compatible unit testing framework that lets you write
parameterized unit tests, using Angr to perform the state space exploration.
What that means is that you can write a unit test, e.g. that addition of two
integers doesn't overflow (it can), and using the power of Angr, DeepState
will evaluate your test for all possible integers, not hard-coded ones, and
not just some randomly chosen ones.

~~~
rurban
For this usually CBMC is used.
[http://www.cprover.org/cbmc/](http://www.cprover.org/cbmc/)

You can also use CBMC to solve the usual state reverse engineering problems,
like coverage analysis, finding input for output, hash collisions, ...

------
akrasuski1
Hm, if the example written on README is representative for current usage, then
it surely changed a lot recently. I remember checking angr out a few months
ago, and simply running a binary required a few dozens of, mostly boilerplate,
code. I may try it again now, looks like it improved since then.

------
TACIXAT
Did Manticore lead to a focus on ease of use? Not sure I've seen angr
described as user friendly before.

~~~
ltfish
You are more or less correct. The `project.execute()` API was indeed inspired
by Manticore!

