4. Outline
● What is Binary Analysis?
● Introduction to Angr
● Various uses of Angr
● Symbolic Execution
● Using Angr to perform SE
● Hooking
● Using Angr to perform Hooking
5. “Process of analysing an executable to gain a better idea of its working is called Binary analysis”
6. Why do we need to Automate it?
● Saves a lot of time and effort
● Avoids human error
● Cost-effective
● Manual analysis is boring
● All factors are accounted for
7. Angr
● Shellphish’s entry for DARPA’s CGC (Cyber Grand Challenge); placed 3rd
● Python-based framework
● Open source
● Can detect and exploit vulnerabilities
Installation instructions at angr.io (www.angr.io)
8. Various uses of Angr
● Control Flow Graph recovery
● Symbolic Execution
● ROP chain generation
● Binary hardening
● Exploit generation
9. Symbolic Execution
Analysing a program to determine which input (or inputs) must be supplied to make each part of the program execute.
11. Angr and Symbolic Execution
● Treats inputs as symbolic variables
● Finds the paths that matter
● Builds constraints on those variables along each path
● Solves those constraints using z3
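The four bullets above describe one loop: fork a state at every branch, record the branch condition as a constraint on the symbolic input, drop states whose constraints cannot be satisfied, and ask a solver for concrete bytes once the target is reached. The block below is an added illustration of that loop, not angr's code: the "binary" is a hand-built control-flow graph over two symbolic 8-bit inputs `a` and `b`, the block names (`entry`, `check_b`, `good`, `bad`) and the `explore(find=, avoid=)` and `find_input` helpers are constructed for this example, and constraints are solved by brute force where angr would call z3.

```python
"""Toy symbolic execution: symbolic variables, path constraints, solving.

Constructed example (not angr's code). The "program" below is a hand-built
control-flow graph over two symbolic 8-bit inputs, a and b, standing in for
a binary's basic blocks. Constraints are solved by brute force; angr hands
them to z3 instead.
"""
from dataclasses import dataclass
from itertools import product

# Comparison operators a branch may apply to a symbolic variable.
OPS = {
    "<": lambda x, c: x < c,
    ">": lambda x, c: x > c,
    "==": lambda x, c: x == c,
    "!=": lambda x, c: x != c,
}


@dataclass(frozen=True)
class Branch:
    """Conditional block: compare symbolic `var` against `const`, then jump."""
    var: str
    op: str
    const: int
    true_block: str
    false_block: str


@dataclass(frozen=True)
class Exit:
    """Terminal block, labelled so explore() can find or avoid it."""
    label: str


# Constructed toy program: reach "good" only if 0x41 < a < 0x50 and b == 0x13.
PROGRAM = {
    "entry": Branch("a", ">", 0x41, "check_b", "bad"),
    "check_b": Branch("b", "==", 0x13, "check_a_hi", "bad"),
    "check_a_hi": Branch("a", "<", 0x50, "good", "bad"),
    "good": Exit("good"),
    "bad": Exit("bad"),
}
VARIABLES = ("a", "b")


@dataclass(frozen=True)
class State:
    """A symbolic state: current block plus the constraints collected so far.

    Each constraint is (var, op, const, outcome): "var op const" must evaluate
    to `outcome` for execution to have taken this path.
    """
    block: str
    constraints: tuple = ()


def satisfies(values, constraints):
    """Check one concrete assignment against every constraint on the path."""
    return all(OPS[op](values[var], const) == outcome
               for var, op, const, outcome in constraints)


def solve(constraints, variables=VARIABLES):
    """Return a concrete assignment satisfying the constraints, or None.

    Brute force over 8-bit values stands in for the SMT solver (z3) angr uses.
    """
    for combo in product(range(256), repeat=len(variables)):
        values = dict(zip(variables, combo))
        if satisfies(values, constraints):
            return values
    return None


def step(state, program=PROGRAM):
    """Fork a state at a branch into its true and false successors."""
    node = program[state.block]
    if isinstance(node, Exit):
        return []
    cond = (node.var, node.op, node.const)
    return [
        State(node.true_block, state.constraints + (cond + (True,),)),
        State(node.false_block, state.constraints + (cond + (False,),)),
    ]


def explore(program=PROGRAM, find="good", avoid=("bad",)):
    """Depth-first exploration, in the spirit of angr's explore(find=, avoid=).

    States whose constraints are unsatisfiable are dropped as soon as they are
    created, which is what keeps symbolic execution off impossible paths.
    Returns the satisfiable states that reached an exit labelled `find`.
    """
    stack = [State("entry")]
    found = []
    while stack:
        state = stack.pop()
        if state.block in avoid:
            continue
        node = program[state.block]
        if isinstance(node, Exit):
            if node.label == find:
                found.append(state)
            continue
        for succ in step(state, program):
            if solve(succ.constraints) is not None:
                stack.append(succ)
    return found


def find_input(program=PROGRAM, find="good", avoid=("bad",)):
    """Concretise the first satisfiable path to `find` into actual input bytes."""
    states = explore(program, find, avoid)
    return solve(states[0].constraints) if states else None


if __name__ == "__main__":
    hit = explore()[0]
    print("path constraints:", hit.constraints)
    print("concrete input:", find_input())  # {'a': 66, 'b': 19}
```

Running it prints the three constraints collected on the way to `good` and the first concrete assignment that satisfies them. The same `find`/`avoid` vocabulary appears in the summary slide; in angr the states live in a simulation manager and the solver is Claripy on top of z3, so the brute-force `solve()` is the one piece that does not scale beyond a toy.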
13. Hooking
Hooking is a technique used while reverse engineering where certain instructions/calls are replaced with custom-made functions and calls.
14. Hooking is used for
● Faster reverse engineering
● Tracing function calls
● Parameter checking
● Logging
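The two slides above say what a hook is and what it is used for; the block below is an added example, not angr's code, showing all four uses at once. In angr a hook replaces the code at an address with a SimProcedure; here the constructed "binary" calls its helpers by name through a `dispatch()` function, so a hook table can divert any of them to a replacement that traces the call, checks its parameters, logs, and then delegates to the original. The helper names (`rand`, `copy_to_buffer`, `program`, `run_traced`) and the 16-byte buffer size are assumptions made for this example.

```python
"""Toy hooking: route a program's calls through a hook table.

Constructed example (not angr's code). In angr, project.hook() replaces the
code at an address with a SimProcedure; here the "program" calls its helpers
by name through dispatch(), so a hook can replace any of them with a custom
function that traces, checks parameters, logs, or delegates to the original.
"""
import random

ORIGINALS = {}   # name -> the program's own implementation
HOOKS = {}       # name -> replacement installed by the analyst
TRACE = []       # log of every dispatched call, plus analyst warnings


def original(fn):
    """Register a function as one of the program's hookable helpers."""
    ORIGINALS[fn.__name__] = fn
    return fn


def hook(name, replacement):
    """Install `replacement` for `name`; it receives the original as first arg."""
    if name not in ORIGINALS:
        raise KeyError(f"unknown function {name!r}")
    HOOKS[name] = replacement


def unhook(name):
    """Restore the original implementation."""
    HOOKS.pop(name, None)


def dispatch(name, *args):
    """Call `name`, diverting to the hook if one is installed, and trace it."""
    target = ORIGINALS[name]
    if name in HOOKS:
        result = HOOKS[name](target, *args)
    else:
        result = target(*args)
    TRACE.append((name, args, result))
    return result


# --- the "binary" under analysis (constructed) ---

@original
def rand():
    """Nondeterministic helper; hooking it makes runs reproducible."""
    return random.randrange(256)


@original
def copy_to_buffer(src, size):
    """Unchecked copy: silently accepts a source longer than the buffer."""
    return src


def program(user_input):
    """Mix a random byte into the input and copy it into a 16-byte buffer."""
    salt = dispatch("rand")
    data = dispatch("copy_to_buffer", user_input, 16)
    return (salt + len(data)) & 0xFF


# --- the analyst's hooks ---

def fixed_rand(call_original):
    """Replace rand() with a constant so traces can be compared run to run."""
    return 0x2A


def checked_copy(call_original, src, size):
    """Parameter check: log copies that would not fit, then run the original."""
    if len(src) >= size:
        TRACE.append(("warn", ("overflow", len(src), size), None))
    return call_original(src, size)


def run_traced(user_input):
    """Run the program under both hooks; return (result, warnings logged)."""
    TRACE.clear()
    hook("rand", fixed_rand)
    hook("copy_to_buffer", checked_copy)
    try:
        result = program(user_input)
    finally:
        unhook("rand")
        unhook("copy_to_buffer")
    warnings = [entry for entry in TRACE if entry[0] == "warn"]
    return result, warnings


if __name__ == "__main__":
    print(run_traced("hello"))     # (47, [])
    print(run_traced("A" * 20))    # (62, [('warn', ('overflow', 20, 16), None)])
    for entry in TRACE:
        print(entry)
```

`fixed_rand` is the same idea as hooking `rand`, `time` or similar library functions during symbolic execution so that a path does not depend on a value the analyst cannot control; `checked_copy` is a parameter check and log around the original call, which is why the trace ends up with one extra entry when the input is too long.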
16. Summary
● Angr uses symbolic variables and constraints to find out more about an executable
● Angr can hook functions
● Paths, path groups
● States: entry state, blank state
● explore: find, avoid
● se: solver engine
● Claripy
● Library functions