
Welcome to angrop

angrop is a ROP gadget finder and chain builder built on angr’s symbolic execution engine. Rather than matching instruction patterns, it symbolically executes candidate gadgets to learn their precise effects, then combines constraint solving with graph search to assemble complex ROP chains automatically.
In many cases angrop builds, in seconds, chains that would take a human hours to construct by hand.

Key Features

Multi-Architecture Support

Works with x86/x64, ARM, AArch64, MIPS, and RISC-V (64-bit). Architecture-agnostic design makes it easy to extend.

Symbolic Execution

Built on angr’s symbolic execution engine to understand gadget effects and generate precise chains.

CLI & Python API

Simple command-line tool for quick tasks, powerful Python API for advanced chain building.

Kernel ROP Support

Not limited to userspace binaries: angrop also works on the Linux kernel, for example to build container escape chains.

Design Philosophy

angrop takes a fundamentally different approach from traditional ROP tools:
  • Symbolic Execution: Instead of pattern matching, angrop symbolically executes gadgets to understand their true effects
  • Constraint Solving: Uses constraint solving to find gadget combinations that achieve desired outcomes
  • Graph Search: Builds a graph of gadget dependencies and searches for optimal chains
  • Architecture Agnostic: Core design works across multiple architectures without special-casing

Quick Example

import angr
import angrop

# Load binary
p = angr.Project("/bin/ls")

# Initialize ROP analysis
rop = p.analyses.ROP()
rop.find_gadgets()

# Generate chain to set registers
chain = rop.set_regs(rax=0x41414141, rbx=0x42424242)
chain.print_payload_code()

Get Started

Installation

Install angrop and its dependencies

Quickstart

Build your first ROP chain in minutes

Python API

Explore the full Python API capabilities

Examples

See angrop in action with real-world examples

Supported Architectures

angrop currently supports:
  • x86/x64 - Full support for Intel/AMD architectures
  • ARM - 32-bit ARM support
  • AArch64 - 64-bit ARM support
  • MIPS - MIPS architecture support
  • RISC-V - 64-bit RISC-V support
Want support for another architecture? angrop’s architecture-agnostic design makes it relatively easy to add new architectures supported by angr. Create an issue on GitHub and we’ll look into it!

Research Paper

angrop’s design and capabilities are described in detail in our NDSS 2026 paper:

ropbot: Reimaging Code Reuse Attack Synthesis
Kyle Zeng, Moritz Schloegel, Christopher Salls, Adam Doupé, Ruoyu Wang, Yan Shoshitaishvili, Tiffany Bao
In Proceedings of the Network and Distributed System Security Symposium (NDSS), February 2026

Use Cases

angrop excels at:
  • Exploit Development: Automatically generate ROP chains for binary exploitation
  • CTF Competitions: Quickly build chains for time-sensitive competitions
  • Security Research: Test binary defenses and explore ROP possibilities
  • Kernel Exploitation: Build chains for Linux kernel exploitation and container escapes
  • Architecture Research: Study ROP gadget availability across different architectures
