# Angr¶

Angr is a multi architectural binary analysis framework developed by the team Shellphish from ASU. Angr is a suite of python3 and lets you load binaries and analyze it along the lines of the constraints you add to the symbolic execution state. Basically, angr is capable of performing dynamic symbolic execution and also static analysis on the binary to frame an input to the binary.

#### Installation¶

pip3 install angr

#### Angr for CTF’s¶

Very often we come across binaries that have numerous checks and conditions which are practically impossible or hard to reverse and these have to be automated somehow and that’s where angr plays an important role. Angr symbolically executes your binary and finds the input required by the binary to achieve a particular state in the binary.

The most common script that comes in handy while playing CTF’s is the find and avoid scripts where the angr solver engine is provided with a find address and an avoid address which is symbolically achieved by the solver engine.

import angr
import claripy
import sys
flag=[claripy.BVS('flag%i'%i,8) for i in range(inp_len))] # here inpp_len refers to the length of the input which we obtain by reversing the binary
Good_address = #address we want to achieve when the required string is given as input
flag_concat=claripy.Concat(*flag + [claripy.BVV("\n")])
state=proj.factory.entry_state(stdin=flag_concat) #the binary is symbolically executed from the binaries entry point
for i in flag: #Adding constraints to the solver to obtain values that are in the printable range
simgr=proj.factory.simgr(state)
if simgr.found:
simulation=simgr.found[0]
print(simulation.posix.dumps(sys.stdin.fileno()))
else:
print("FAILURE")


This is the most basic script which comes in handy for numerous ctf’s but most of the time you have to add more constraints to limit the characters and optimise the solver to solve your problem and reduce the time taken by the solver to find the solution.

#### Explanation¶

##### Creating a project¶

angr.Project(‘/path/to/file’)

Creates an angr project from where the binary is used for symbolic execution.

##### Creating Simulation¶

Project.factory.simgr(init_state)

Here init_state is the entry point set up from the project.

##### Setting up Entry Point¶

Init_state = project.factory.entry_state()

It fetches the binary and the entry point to the code to start execution. Here instead of entry_state(), you can start executing the binary from any point by using blank_state(addr = address_to_start)

##### Creating a Bitvector array to store the input array¶

flag=[claripy.BVS('flag%i'%i,8) for i in range(inp_len))]

Here we initialise a bitvector of the length that we expect the input to be. We can make an assumption of the length from analysing the binary statically using ghidra or any other tool. This is not necessarily required, you can also brute force the input without this too.