CTF-All-In-One/doc/5.3_angr.md

# 5.3 angr 二进制自动化分析

angr是一个多架构的二进制分析平台，具备对二进制文件的动态符号执行能力和多种静态分析能力。

## 安装

在Ubuntu上，首先我们应该安装所有的编译所需要的依赖环境：

```shell
sudo apt install python-dev libffi-dev build-essential virtualenvwrapper
```

强烈建议在虚拟环境中安装angr，因为有几个angr的依赖（比如z3）是从他们的原始库中fork而来，如果你已经安装了z3,那么你肯定不希望angr的依赖覆盖掉官方的共享库。

对于大多数*unix系统，只需要`mkvirtualenv angr && pip install angr`安装angr就好了。

如果这样安装失败的话，那么你可以按照这样的顺序：

```text
1. claripy
2. archinfo
3. pyvex
4. cle
5. angr
```

从angr的官方仓库安装。

附安装方法：

```shell
git clone https://github.com/angr/claripy
cd claripy
sudo pip install -r requirements.txt
sudo python setup.py build
sudo python setup.py install
```

其他几个angr官方库的安装也是如此。

## 一些`import angr`可能出现的问题

如果你在安装angr之后，进入python环境，在import之后有这样的报错：

```python
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import angr
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "angr/__init__.py", line 25, in <module>
    from .project import *
  File "angr/project.py", line 592, in <module>
    from .analyses.analysis import Analyses
  File "angr/analyses/__init__.py", line 22, in <module>
    from .reassembler import Reassembler
  File "angr/analyses/reassembler.py", line 9, in <module>
    import capstone
  File "/usr/local/lib/python2.7/dist-packages/capstone/__init__.py", line 6, in <module>
    from . import arm, arm64, mips, ppc, sparc, systemz, x86, xcore
ImportError: cannot import name arm
>>>
```

在ipython环境中也许会有这样的报错：

```python
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
Type "copyright", "credits" or "license" for more information.

IPython 2.4.1 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: import angr
---------------------------------------------------------------------------
ImportError                               Traceback (most recent call last)
<ipython-input-1-bcea9b74a356> in <module>()
----> 1 import angr

/root/angr/angr/__init__.pyc in <module>()
     23 from .state_plugins.inspect import BP
     24
---> 25 from .project import *
     26 from .errors import *
     27 #from . import surveyors

/root/angr/angr/project.py in <module>()
    590 from .factory import AngrObjectFactory
    591 from .simos import SimOS, os_mapping
--> 592 from .analyses.analysis import Analyses
    593 from .surveyors import Surveyors
    594 from .knowledge_base import KnowledgeBase

/root/angr/angr/analyses/__init__.py in <module>()
     20 from .congruency_check import CongruencyCheck
     21 from .static_hooker import StaticHooker
---> 22 from .reassembler import Reassembler
     23 from .binary_optimizer import BinaryOptimizer
     24 from .disassembly import Disassembly

/root/angr/angr/analyses/reassembler.py in <module>()
      7 from itertools import count
      8
----> 9 import capstone
     10 import cffi
     11 import cle

/usr/local/lib/python2.7/dist-packages/capstone/__init__.py in <module>()
      4 if _python2:
      5     range = xrange
----> 6 from . import arm, arm64, mips, ppc, sparc, systemz, x86, xcore
      7
      8 __all__ = [

ImportError: cannot import name arm
```

可以看到，是capstone出现了问题。

解决这个问题的方法是重新安装angr：

```shell
sudo pip install -I --no-use-wheel capstone
```

这样就能解决问题。

若是问题依然存在，那么请先卸载所有的capstone：

```shell
sudo pip3 uninstall capstone
sudo pip uninstall capstone
```

然后从pypi源中获取最新版本安装：

```shell
wget https://pypi.python.org/packages/fd/33/d1fc2d01b85572b88c9b4c359f36f88f8c32f2f0b9ffb2d21cd41bad2257/capstone-3.0.5rc2-py2-none-manylinux1_x86_64.whl#md5=ecd7e1e39ea6dacf027c0cfe7eb1bf94
sudo pip2 install capstone-3.0.5rc2-py2-none-manylinux1_x86_64.whl
```

(如果wget这个安装包失败的话，你可以在[https://pypi.python.org/pypi/capstone/](https://pypi.python.org/pypi/capstone/)找到capstone最新的版本)

## 一个例子

这里是一个简单的使用符号执行去获取一道CTF赛题的flag：

```python
import angr

project = angr.Project("CTF-All-In-One/src/Reverse/defcamp_r100", auto_load_libs=False)

@project.hook(0x400844)
def print_flag(state):
    print "FLAG SHOULD BE:", state.posix.dump_fd(0)
    project.terminate_execution()

project.execute()
```