This is a fork of the angr project for experimentation. This code is experimental.
The fork experiments with an algebraic subtyping-based type solver in Clinic/Typehoon. Further details are available in the paper: BinSub: The Simple Essence of Polymorphic Type Inference for Machine Code.
The original README is below. There are two relevant branches:
- `ian/updated-fork`: this branch was used for the paper's experiments.
- `ian/depth-subtyping`: some further experiments where width subtyping is eliminated internal to functions.
If you reference this work please cite the paper as follows:
```bibtex
@inproceedings{smith_binsub_2025,
  address = {Cham},
  title = {{BinSub}: {The} {Simple} {Essence} of {Polymorphic} {Type} {Inference} for {Machine} {Code}},
  isbn = {978-3-031-74776-2},
  shorttitle = {{BinSub}},
  doi = {10.1007/978-3-031-74776-2_17},
  abstract = {Recovering high-level type information in binaries is a key task in reverse engineering and binary analysis. Binaries contain very little explicit type information. The structure of binary code is incredibly flexible allowing for ad-hoc subtyping and polymorphism. Prior work has shown that precise type inference on binary code requires expressive subtyping and polymorphism.},
  language = {en},
  booktitle = {Static {Analysis}},
  publisher = {Springer Nature Switzerland},
  author = {Smith, Ian},
  editor = {Giacobazzi, Roberto and Gorla, Alessandra},
  year = {2025},
  pages = {425--450},
}
```
angr is a platform-agnostic binary analysis framework. It is brought to you by the Computer Security Lab at UC Santa Barbara, SEFCOM at Arizona State University, their associated CTF team, Shellphish, the open source community, and @rhelmot.
Homepage: https://angr.io
Project repository: https://github.com/angr/angr
Documentation: https://docs.angr.io
API Documentation: https://api.angr.io/en/latest/
angr is a suite of Python 3 libraries that let you load a binary and do a lot of cool things to it:
- Disassembly and intermediate-representation lifting
- Program instrumentation
- Symbolic execution
- Control-flow analysis
- Data-dependency analysis
- Value-set analysis (VSA)
- Decompilation
The most common angr operation is loading a binary: `p = angr.Project('/bin/bash')`.
If you do this in an enhanced REPL like IPython, you can use tab-autocomplete to browse the top-level-accessible methods and their docstrings.
The short version of "how to install angr" is `mkvirtualenv --python=$(which python3) angr && python -m pip install angr`.
angr does a lot of binary analysis stuff. To get you started, here's a simple example of using symbolic execution to get a flag in a CTF challenge.
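```python
import angr

# Load the challenge binary without pulling in its shared libraries
project = angr.Project("angr-doc/examples/defcamp_r100/r100", auto_load_libs=False)

# When execution reaches 0x400844, dump the input fed to stdin (fd 0) and stop
@project.hook(0x400844)
def print_flag(state):
    print("FLAG SHOULD BE:", state.posix.dumps(0))
    project.terminate_execution()

project.execute()
```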
- Install Instructions
- Documentation as HTML and sources in the angr GitHub repository
- Dive right in: top-level-accessible methods
- Examples using angr to solve CTF challenges.
- API Reference
- awesome-angr repo