The interesting part about Angr (and arguably, its' reason for existence) is that it can execute native (x86_64, ARM, others...) concolically [1] - ie., given a binary and a requested end state, it will strive using both formal methods and brute force to find input required to reach that state. All automatically, including converting binary code to an IL (cle & Vagrant IL via PyVEX), executing that IL (simuvex) and interacting with SMT solvers (claripy). This can be used for finding bugs, reverse engineering and exploit generation, at least in a toy/CTF setting.<p>Angr is also the open-source part of the Shellphish/UCSB contestant (Mechanical Phish) that competed in the DARPA CGC [2].<p>[1] - <a href="https://en.wikipedia.org/wiki/Concolic_testing" rel="nofollow">https://en.wikipedia.org/wiki/Concolic_testing</a><p>[2] - <a href="https://en.wikipedia.org/wiki/2016_Cyber_Grand_Challenge" rel="nofollow">https://en.wikipedia.org/wiki/2016_Cyber_Grand_Challenge</a>
There are other similar platforms (listing biggest ones):<p>1. BAP (OCaml) - <a href="https://github.com/BinaryAnalysisPlatform/bap" rel="nofollow">https://github.com/BinaryAnalysisPlatform/bap</a><p>2. BinCAT (OCaml) - <a href="https://github.com/airbus-seclab/bincat" rel="nofollow">https://github.com/airbus-seclab/bincat</a><p>3. radare2 (C) + radeco (Rust)(WIP) - <a href="https://github.com/radare/radare2" rel="nofollow">https://github.com/radare/radare2</a> + <a href="https://github.com/radare/radeco-lib" rel="nofollow">https://github.com/radare/radeco-lib</a><p>4. Falcon (Rust) (WIP) - <a href="https://github.com/falconre/falcon" rel="nofollow">https://github.com/falconre/falcon</a><p>And a bunch of others, less common or less featureful.
If you're an everyday C/C++ programmer and can't imagine how Angr could fit into your workflow, then check out DeepState (<a href="https://github.com/trailofbits/deepstate" rel="nofollow">https://github.com/trailofbits/deepstate</a>). It is a Google Test-compatible unit testing framework that lets you write parameterized unit tests, using Angr to perform the state space exploration. What that means is that you can write a unit test, e.g. that addition of two integers doesn't overflow (it can), and using the power of Angr, DeepState will evaluate your test for all possible integers, not hard-coded ones, and not just some randomly chosen ones.
Hm, if the example written on README is representative for current usage, then it surely changed a lot recently. I remember checking angr out a few months ago, and simply running a binary required a few dozens of, mostly boilerplate, code. I may try it again now, looks like it improved since then.