Angr Management: Another Few Useful Tricks for Using Angr


0x00 Intro

When doing my assignment with angr, I found some useful (and obvious) tricks but they didn’t fit into the previous post on state merging with angr. This post will cover the following topics: (1) using angr with Jupyter Notebook, (2) forcefully setting the RIP to a specific address, and (3) speeding up symbolic execution (symbex) when there are too many constraints by having multiple symbex runs for different parts.


Angr Issue: How to Tackle State Explosion with State Merging


0x00 Intro

Using angr for symbolic execution (symbex) to get assignments done caused anger issues for me and some of my fellows. With due respect, the documentation and existing examples in 2025 are insufficient to quickly teach a newcomer how to correctly tackle state explosion when doing symbex with angr. To fill this niche gap, this post will (1) first dissect a simple example to illustrate why the number of states increases (which will lead to state explosion if not controlled), then (2) try to make sense of and conduct state merging, the trick for tackling state explosion, on the simple example, and (3) finally put everything together and try it on a real example that could cause state explosion. Note that it is not guaranteed that the use of angr APIs in this post is ideal. This post intends to provide at least a quick first-aid for those who are stuck with their assignments/CTF challenges with a closing deadline.
