Angr is a platform-agnostic binary analysis framework. It is a suite of Python 3 libraries that let you load a binary and do a lot of cool things to it:
- Disassembly and intermediate-representation lifting
- Program instrumentation
- Symbolic execution
- Control-flow analysis
- Data-dependency analysis
- Value-set analysis (VSA)
The most common angr operation is loading a binary:
p = angr.Project('/bin/bash')
If you do this in an enhanced REPL like IPython, you can use tab-autocomplete to browse the top-level-accessible methods and their docstrings.
The short version of “how to install angr” is
mkvirtualenv --python=$(which python3) angr && python -m pip install angr.
angr does a lot of binary analysis stuff. To get you started, here’s a simple example of using symbolic execution to get a flag in a CTF challenge.
import angr
project = angr.Project("angr-doc/examples/defcamp_r100/r100", auto_load_libs=False)
# `state` is the SimState handed to a hook callback; the hook registration that supplies it is missing from this page
print("FLAG SHOULD BE:", state.posix.dumps(0))
Mac OS X
pip install angr should work, but there are some caveats. angr requires the unicorn library, which (as of this writing) pip must build from source on macOS, even though binary distributions ("wheels") exist on other platforms. Building unicorn from source requires Python 2, so it will fail inside a virtualenv where python gets you Python 3. If you encounter errors with pip install angr, you may need to first install unicorn separately, pointing it to your Python 2:
UNICORN_QEMU_FLAGS="--python=/path/to/python2" pip install unicorn  # Python 2 is probably /usr/bin/python on your macOS system
pip install angr
If this still doesn’t work and you run into a broken build script with Clang, try using GCC.
brew install gcc
CC=/usr/local/bin/gcc-8 UNICORN_QEMU_FLAGS="--python=/path/to/python2" pip install unicorn  # As of this writing, brew install gcc gives you gcc-8
pip install angr
After installing angr, you will need to fix some shared library paths for the angr native libraries. Activate your virtual env and execute the following lines. A script is provided in the angr-dev repo.
PYVEX=$(python3 -c 'import pyvex; print(pyvex.__path__[0])')
UNICORN=$(python3 -c 'import unicorn; print(unicorn.__path__[0])')
ANGR=$(python3 -c 'import angr; print(angr.__path__[0])')
install_name_tool -change libunicorn.1.dylib "$UNICORN"/lib/libunicorn.dylib "$ANGR"/lib/angr_native.dylib
install_name_tool -change libpyvex.dylib "$PYVEX"/lib/libpyvex.dylib "$ANGR"/lib/angr_native.dylib
angr can be installed from pip on Windows, same as above: pip install angr. You should not be required to build any C code with this setup, since wheels (binary distributions) should be automatically pulled down for angr and its dependencies.
There is a special repository angr-dev with scripts to make life easier for angr developers. You can set up angr in development mode by running:
git clone https://github.com/angr/angr-dev
cd angr-dev
./setup.sh -i -e angr
This creates a virtualenv (-e angr), checks for any dependencies you might need (-i), clones all of the repositories and installs them in editable mode. setup.sh can even create a PyPy virtualenv for you (replace -e with -p), resulting in significantly faster performance and lower memory usage.
You can branch/edit/recompile the various modules in-place, and it will automatically reflect in your virtual environment.
Development install on Windows
The angr-dev repository has a setup.bat script that creates the same setup as above, though it’s not as magical as setup.sh.
Since we'll be building C code, you must be in the Visual Studio developer command prompt. Make sure that if you're using a 64-bit Python interpreter, you're also using the 64-bit build tools (
pip install virtualenv
git clone https://github.com/angr/angr-dev
cd angr-dev
virtualenv -p "C:\Path\To\python3\python.exe" env
env\Scripts\activate
setup.bat
You may also substitute the use of virtualenv above with the virtualenvwrapper-win package for a more streamlined experience.
For convenience, we ship a Docker image that is 99% guaranteed to work. You can install via docker by doing:
# install docker
curl -sSL https://get.docker.com/ | sudo sh
# pull the docker image
sudo docker pull angr/angr
# run it
sudo docker run -it angr/angr
Synchronization of files in and out of docker is left as an exercise to the user (hint: check out
Modifying the angr container
You might find yourself needing to install additional packages via apt. The vanilla version of the container does not have the sudo package installed, which means the default user in the container cannot escalate privilege to install additional packages.
To overcome this hurdle, use the following docker command to grant yourself root access:
# assuming the docker container is running
# with the name "angr" and the instance is
# running in the background.
docker exec -ti -u root angr bash