angr 9.2.103__py3-none-macosx_11_0_arm64.whl

angr/exploration_techniques/explorer.py

@@ -0,0 +1,146 @@
+import logging
+import claripy
+
+from . import ExplorationTechnique
+from .common import condition_to_lambda
+from .. import sim_options
+from ..state_plugins.sim_event import resource_event
+
+l = logging.getLogger(name=__name__)
+
+
+class Explorer(ExplorationTechnique):
+    """
+    Search for up to "num_find" paths that satisfy condition "find", avoiding condition "avoid". Stashes found paths
+    into "find_stash' and avoided paths into "avoid_stash".
+
+    The "find" and "avoid" parameters may be any of:
+
+    - An address to find
+    - A set or list of addresses to find
+    - A function that takes a path and returns whether or not it matches.
+
+    If an angr CFG is passed in as the "cfg" parameter and "find" is either a number or a list or a set, then
+    any paths which cannot possibly reach a success state without going through a failure state will be
+    preemptively avoided.
+
+    If either the "find" or "avoid" parameter is a function returning a boolean, and a path triggers both conditions,
+    it will be added to the find stash, unless "avoid_priority" is set to True.
+    """
+
+    def __init__(
+        self, find=None, avoid=None, find_stash="found", avoid_stash="avoid", cfg=None, num_find=1, avoid_priority=False
+    ):
+        super().__init__()
+        self.find, static_find = condition_to_lambda(find)
+        self.avoid, static_avoid = condition_to_lambda(avoid)
+        self.find_stash = find_stash
+        self.avoid_stash = avoid_stash
+        self.cfg = cfg
+        self.ok_blocks = set()
+        self.num_find = num_find
+        self.avoid_priority = avoid_priority
+
+        # even if avoid or find addresses are not statically known, stop on those that we do know
+        self._extra_stop_points = (static_find or set()) | (static_avoid or set())
+        self._unknown_stop_points = static_find is None or static_avoid is None
+        self._warned_unicorn = False
+
+        # TODO: This is a hack for while CFGFast doesn't handle procedure continuations
+        from .. import analyses  # pylint: disable=import-outside-toplevel
+
+        if isinstance(cfg, analyses.CFGFast):
+            l.error("CFGFast is currently inappropriate for use with Explorer.")
+            l.error("Usage of the CFG has been disabled for this explorer.")
+            self.cfg = None
+
+        if self.cfg is not None:
+            avoid = static_avoid or set()
+
+            # we need the find addresses to be determined statically
+            if not static_find:
+                l.error("You must provide at least one numeric 'find' address if you provide a CFG.")
+                l.error("Usage of the CFG has been disabled for this explorer.")
+                self.cfg = None
+                return
+
+            for a in avoid:
+                if cfg.model.get_any_node(a) is None:
+                    l.warning("'Avoid' address %#x not present in CFG...", a)
+
+            # not a queue but a stack... it's just a worklist!
+            queue = []
+            for f in static_find:
+                nodes = cfg.model.get_all_nodes(f)
+                if len(nodes) == 0:
+                    l.warning("'Find' address %#x not present in CFG...", f)
+                else:
+                    queue.extend(nodes)
+
+            seen_nodes = set()
+            while len(queue) > 0:
+                n = queue.pop()
+                if id(n) in seen_nodes:
+                    continue
+                if n.addr in avoid:
+                    continue
+                self.ok_blocks.add(n.addr)
+                seen_nodes.add(id(n))
+                queue.extend(n.predecessors)
+
+            if len(self.ok_blocks) == 0:
+                l.error("No addresses could be validated by the provided CFG!")
+                l.error("Usage of the CFG has been disabled for this explorer.")
+                self.cfg = None
+                return
+
+            l.warning("Please be sure that the CFG you have passed in is complete.")
+            l.warning("Providing an incomplete CFG can cause viable paths to be discarded!")
+
+    def setup(self, simgr):
+        if self.find_stash not in simgr.stashes:
+            simgr.stashes[self.find_stash] = []
+        if self.avoid_stash not in simgr.stashes:
+            simgr.stashes[self.avoid_stash] = []
+
+    def step(self, simgr, stash="active", **kwargs):
+        base_extra_stop_points = set(kwargs.pop("extra_stop_points", []))
+        return simgr.step(stash=stash, extra_stop_points=base_extra_stop_points | self._extra_stop_points, **kwargs)
+
+    # make it more natural to deal with the intended dataflow
+    def filter(self, simgr, state, **kwargs):
+        stash = self._filter_inner(state)
+        if stash is None:
+            return simgr.filter(state, **kwargs)
+        return stash
+
+    def _filter_inner(self, state):
+        if self._unknown_stop_points and sim_options.UNICORN in state.options and not self._warned_unicorn:
+            l.warning("Using unicorn with find/avoid conditions that are a lambda (not a number, set, tuple or list)")
+            l.warning("Unicorn may step over states that match the condition (find or avoid) without stopping.")
+            self._warned_unicorn = True
+
+        try:
+            if self.avoid_priority:
+                avoidable = self.avoid(state)
+                if avoidable and (avoidable is True or state.addr in avoidable):
+                    return self.avoid_stash
+            findable = self.find(state)
+            if findable and (findable is True or state.addr in findable):
+                return self.find_stash
+            if not self.avoid_priority:
+                avoidable = self.avoid(state)
+                if avoidable and (avoidable is True or state.addr in avoidable):
+                    return self.avoid_stash
+        except claripy.errors.ClaripySolverInterruptError as e:
+            resource_event(state, e)
+            return "interrupted"
+
+        if self.cfg is not None and self.cfg.model.get_any_node(state.addr) is not None:
+            if state.addr not in self.ok_blocks:
+                return self.avoid_stash
+
+        return None
+
+    def complete(self, simgr):
+        return len(simgr.stashes[self.find_stash]) >= self.num_find

angr/exploration_techniques/lengthlimiter.py

@@ -0,0 +1,20 @@
+from . import ExplorationTechnique
+
+
+class LengthLimiter(ExplorationTechnique):
+    """
+    Length limiter on paths.
+    """
+
+    def __init__(self, max_length, drop=False):
+        super().__init__()
+        self._max_length = max_length
+        self._drop = drop
+
+    def _filter(self, s):
+        return s.history.block_count > self._max_length
+
+    def step(self, simgr, stash="active", **kwargs):
+        simgr = simgr.step(stash=stash, **kwargs)
+        simgr.move("active", "_DROP" if self._drop else "cut", self._filter)
+        return simgr

angr/exploration_techniques/local_loop_seer.py

@@ -0,0 +1,64 @@
+import logging
+from collections import defaultdict
+
+from . import ExplorationTechnique
+
+
+l = logging.getLogger(name=__name__)
+
+
+class LocalLoopSeer(ExplorationTechnique):
+    """
+    LocalLoopSeer monitors exploration and maintains all loop-related data without relying on a control flow graph.
+    """
+
+    def __init__(self, bound=None, bound_reached=None, discard_stash="spinning"):
+        """
+        :param bound:                 Limit the number of iterations a loop may be executed.
+        :param bound_reached:         If provided, should be a function that takes the LoopSeer and the succ_state.
+                                      Will be called when loop execution reach the given bound.
+                                      Default to moving states that exceed the loop limit to a discard stash.
+        :param discard_stash:         Name of the stash containing states exceeding the loop limit.
+        """
+
+        super().__init__()
+        self.bound = bound
+        self.bound_reached = bound_reached
+        self.discard_stash = discard_stash
+        self.block_counters = defaultdict(int)
+        self.cut_succs = []
+
+    def setup(self, simgr):
+        pass
+
+    def filter(self, simgr, state, **kwargs):
+        if state in self.cut_succs:
+            self.cut_succs.remove(state)
+            return self.discard_stash
+        else:
+            return simgr.filter(state, **kwargs)
+
+    def successors(self, simgr, state, **kwargs):
+        succs = simgr.successors(state, **kwargs)
+
+        for succ_state in succs.successors:
+            # Processing a currently running loop
+
+            if succ_state._ip.symbolic:
+                continue
+            succ_addr = succ_state.addr
+
+            # If we have set a bound for symbolic/concrete loops we want to handle it here
+            if self.bound is not None:
+                counts = succ_state.history.bbl_addrs.count(succ_addr)
+                if counts > self.bound:
+                    if self.bound_reached is not None:
+                        # We want to pass self to modify the LocalLoopSeer state if needed
+                        # Users can modify succ_state in the handler to implement their own logic
+                        # or edit the state of LocalLoopSeer.
+                        self.bound_reached(self, succ_state)
+                    else:
+                        # Remove the state from the successors object
+                        # This state is going to be filtered by the self.filter function
+                        self.cut_succs.append(succ_state)
+        return succs

angr/exploration_techniques/loop_seer.py

@@ -0,0 +1,239 @@
+import logging
+
+from . import ExplorationTechnique
+from ..knowledge_base import KnowledgeBase
+from ..knowledge_plugins.functions import Function
+
+
+l = logging.getLogger(name=__name__)
+
+
+class LoopSeer(ExplorationTechnique):
+    """
+    This exploration technique monitors exploration and maintains all
+    loop-related data (well, currently it is just the loop trip counts, but feel
+    free to add something else).
+    """
+
+    def __init__(
+        self,
+        cfg=None,
+        functions=None,
+        loops=None,
+        use_header=False,
+        bound=None,
+        bound_reached=None,
+        discard_stash="spinning",
+        limit_concrete_loops=True,
+    ):
+        """
+        :param cfg:                   Normalized CFG is required.
+        :param functions:             Function(s) containing the loop(s) to be analyzed.
+        :param loops:                 Specific group of Loop(s) to be analyzed, if this is None we run the LoopFinder
+                                      analysis.
+        :param use_header:            Whether to use header based trip counter to compare with the bound limit.
+        :param bound:                 Limit the number of iterations a loop may be executed.
+        :param bound_reached:         If provided, should be a function that takes the LoopSeer and the succ_state.
+                                      Will be called when loop execution reach the given bound.
+                                      Default to moving states that exceed the loop limit to a discard stash.
+        :param discard_stash:         Name of the stash containing states exceeding the loop limit.
+        :param limit_concrete_loops:  If False, do not limit a loop back-edge if it is the only successor
+                                      (Defaults to True to maintain the original behavior)
+        """
+
+        super().__init__()
+        self.cfg = cfg
+        self.functions = functions
+        self.bound = bound
+        self.bound_reached = bound_reached
+        self.discard_stash = discard_stash
+        self.use_header = use_header
+        self.limit_concrete_loops = limit_concrete_loops
+        self.loops = {}
+        self.cut_succs = []
+        if type(loops) is Loop:
+            loops = [loops]
+
+        if type(loops) in (list, tuple) and all(type(l) is Loop for l in loops):
+            for loop in loops:
+                if loop.entry_edges:
+                    self.loops[loop.entry_edges[0][1].addr] = loop
+
+        elif loops is not None:
+            raise TypeError("Invalid type for 'loops' parameter!")
+
+    def setup(self, simgr):
+        if self.cfg is None:
+            cfg_kb = KnowledgeBase(self.project)
+            self.cfg = self.project.analyses.CFGFast(kb=cfg_kb, normalize=True)
+        elif not self.cfg.normalized:
+            l.warning("LoopSeer must use a normalized CFG. Normalizing the provided CFG...")
+            self.cfg.normalize()
+
+        funcs = None
+        if type(self.functions) in (str, int, Function):
+            funcs = [self._get_function(self.functions)]
+
+        elif type(self.functions) in (list, tuple) and all(type(f) in (str, int, Function) for f in self.functions):
+            funcs = []
+            for f in self.functions:
+                func = self._get_function(f)
+                if func is not None:
+                    funcs.append(func)
+            funcs = None if not funcs else funcs
+
+        elif self.functions is not None:
+            raise TypeError("Invalid type for 'functions' parameter!")
+
+        if not self.loops:
+            loop_finder = self.project.analyses.LoopFinder(kb=self.cfg.kb, normalize=True, functions=funcs)
+
+            for loop in loop_finder.loops:
+                if loop.entry_edges:
+                    entry = loop.entry_edges[0][1]
+                    self.loops[entry.addr] = loop
+
+    def filter(self, simgr, state, **kwargs):
+        if state in self.cut_succs:
+            self.cut_succs.remove(state)
+            return self.discard_stash
+        else:
+            return simgr.filter(state, **kwargs)
+
+    def successors(self, simgr, state, **kwargs):
+        node = self.cfg.model.get_any_node(state.addr)
+        if node is not None:
+            kwargs["num_inst"] = min(kwargs.get("num_inst", float("inf")), len(node.instruction_addrs))
+        succs = simgr.successors(state, **kwargs)
+
+        # Edge case: When limiting concrete loops, we may not want to do so
+        # via the header.  If there is a way out of the loop, and we can
+        # chose not to take it (e.g., the loop is not concrete), increase the trip count
+        at_loop_exit = False
+        for succ_state in succs.successors:
+            if succ_state.loop_data.current_loop:
+                if succ_state.addr in succ_state.loop_data.current_loop[-1][1]:
+                    l.debug(
+                        "One of the successors: %s is at the exit of the current loop %s",
+                        hex(succ_state.addr),
+                        succ_state.loop_data.current_loop[-1][0],
+                    )
+                    at_loop_exit = True
+
+        for succ_state in succs.successors:
+            # Processing a currently running loop
+            if succ_state.loop_data.current_loop:
+                l.debug("Loops currently active are %s", succ_state.loop_data.current_loop)
+                # Extract info about the loop ([-1] takes the last active loop and [0] the loop object)
+                loop = succ_state.loop_data.current_loop[-1][0]
+                header = loop.entry.addr
+                l.debug("Loop currently active is %s with entry %s", loop, hex(header))
+
+                if succ_state.addr == header:
+                    continue_addrs = [e[0].addr for e in loop.continue_edges]
+                    # If there's only one successor, the loop is "concrete"
+                    # We may wish not to cut loops that are concrete, as this can dead-end
+                    # the path prematurely, even when there won't be state explosion.
+                    if self.limit_concrete_loops or len(succs.successors) > 1:
+                        # If the previous state contains an address inside the continue_addrs, a.k.a "we have
+                        # traversed the continue edge" we did an iteration over the back edge.
+                        if succ_state.history.addr in continue_addrs:
+                            l.debug(
+                                "Continue edge traversed, incrementing back_edge_trip_counts for addr at %s",
+                                hex(succ_state.addr),
+                            )
+                            # This is an iteration on the back edge.
+                            succ_state.loop_data.back_edge_trip_counts[succ_state.addr][-1] += 1
+
+                        l.debug(
+                            "Continue edge traversed, incrementing header_trip_counts for addr at %s",
+                            hex(succ_state.addr),
+                        )
+                        # This is also an iteration over the loop's header
+                        succ_state.loop_data.header_trip_counts[succ_state.addr][-1] += 1
+
+                # current_loop[-1][1] is the exit node of the current loop.
+                elif succ_state.addr in succ_state.loop_data.current_loop[-1][1]:
+                    # We have terminated the loop, so let's pop it out from the current active.
+                    l.debug("Deactivating loop at %s because hits the exit node", hex(succ_state.addr))
+                    succ_state.loop_data.current_loop.pop()
+
+                elif at_loop_exit:
+                    # We're not at the header, but we're where we exit the loop
+                    # NOTE: this only matters if you want to not limit concrete loops
+                    if not self.limit_concrete_loops and len(succs.successors) > 1:
+                        l.debug("At loop exit, incrementing back_edge_trip_counts for addr at %s", hex(succ_state.addr))
+                        succ_state.loop_data.back_edge_trip_counts[succ_state.addr][-1] += 1
+
+                # If we have set a bound for symbolic/concrete loops we want to handle it here
+                if self.bound is not None and succ_state.loop_data.current_loop:
+                    counts = 0
+                    # Decide how we should check the bounds
+                    if self.use_header:
+                        counts = succ_state.loop_data.header_trip_counts[header][-1]
+                    else:
+                        if succ_state.addr in succ_state.loop_data.back_edge_trip_counts:
+                            counts = succ_state.loop_data.back_edge_trip_counts[succ_state.addr][-1]
+                    if counts > self.bound:
+                        if self.bound_reached is not None:
+                            # We want to pass self to modify the LoopSeer state if needed
+                            # Users can modify succ_state in the handler to implement their own logic
+                            # or edit the state of the LoopSeer.
+                            self.bound_reached(self, succ_state)
+                        else:
+                            # Remove the state from the successors object
+                            # This state is going to be filtered by the self.filter function
+                            self.cut_succs.append(succ_state)
+
+                l.debug("%s back edge based trip counts %s", state, state.loop_data.back_edge_trip_counts)
+                l.debug("%s header based trip counts %s", state, state.loop_data.header_trip_counts)
+            else:
+                l.debug("No loop are currently active at %s", hex(succ_state.addr))
+
+            # Loop entry detected. This test is put here because in case of
+            # nested loops, we want to handle the outer loop before proceeding
+            # the inner loop.
+            if succ_state.addr in self.loops and not self._inside_current_loops(succ_state):
+                loop = self.loops[succ_state.addr]
+                header = loop.entry.addr
+                l.debug("Activating loop %s for state at %s", loop, hex(succ_state.addr))
+                exits = [e[1].addr for e in loop.break_edges]
+
+                succ_state.loop_data.back_edge_trip_counts[header].append(0)
+                # If we are not limiting concrete loops, we also consider
+                # trip counts at the possible exits
+                if not self.limit_concrete_loops:
+                    for node in loop.body_nodes:
+                        succ_state.loop_data.back_edge_trip_counts[node.addr].append(0)
+
+                # save info about current active loop for the succ state
+                succ_state.loop_data.header_trip_counts[header].append(1)
+                succ_state.loop_data.current_loop.append((loop, exits))
+        return succs
+
+    # pylint: disable=R0201
+    def _inside_current_loops(self, succ_state):
+        current_loops_addrs = [x[0].entry.addr for x in succ_state.loop_data.current_loop]
+        if succ_state.addr in current_loops_addrs:
+            return True
+        return False
+
+    def _get_function(self, func):
+        f = None
+        if type(func) is str:
+            f = self.cfg.kb.functions.function(name=func)
+            if f is None:
+                l.warning("Function '%s' doesn't exist in the CFG. Skipping...", func)
+
+        elif type(func) is int:
+            f = self.cfg.kb.functions.function(addr=func)
+            if f is None:
+                l.warning("Function at 0x%x doesn't exist in the CFG. Skipping...", func)
+
+        elif type(func) is Function:
+            f = func
+
+        return f
+
+
+from ..analyses.loopfinder import Loop

angr/exploration_techniques/manual_mergepoint.py

@@ -0,0 +1,80 @@
+import logging
+
+from . import ExplorationTechnique
+
+l = logging.getLogger(name=__name__)
+
+
+class ManualMergepoint(ExplorationTechnique):
+    def __init__(self, address, wait_counter=10, prune=True):
+        super().__init__()
+        self.address = address
+        self.wait_counter_limit = wait_counter
+        self.prune = prune
+        self.wait_counter = 0
+        self.stash = f"merge_waiting_{self.address:#x}_{id(self):x}"
+        self.filter_marker = "skip_next_filter_%#x" % self.address
+
+    def setup(self, simgr):
+        simgr.stashes[self.stash] = []
+
+    def mark_nofilter(self, simgr, stash):
+        for state in simgr.stashes[stash]:
+            state.globals[self.filter_marker] = True
+
+    def mark_okfilter(self, simgr, stash):
+        for state in simgr.stashes[stash]:
+            state.globals.pop(self.filter_marker)
+
+    def step(self, simgr, stash="active", **kwargs):
+        # ha ha, very funny, if this is being run on a single-step basis our filter probably misfired
+        if len(simgr.stashes[self.stash]) == 1 and len(simgr.stashes[stash]) == 0:
+            simgr = simgr.move(self.stash, stash)
+
+        # perform all our analysis as a post-mortem on a given step
+        stop_points = kwargs.pop("extra_stop_points", set())
+        stop_points.add(self.address)
+        simgr = simgr.step(stash=stash, extra_stop_points=stop_points, **kwargs)
+        # self.mark_okfilter(simgr, stash)
+
+        # do filtering
+        new_stash = []
+        for state in simgr.stashes[stash]:
+            if self.filter_marker not in state.globals and state.addr == self.address:
+                self.wait_counter = 0
+                simgr.stashes[self.stash].append(state)
+            else:
+                new_stash.append(state)
+        simgr.stashes[stash][:] = new_stash
+
+        # nothing to do if there's no states waiting
+        if len(simgr.stashes[self.stash]) == 0:
+            return simgr
+
+        # tick the counter
+        self.wait_counter += 1
+
+        # see if it's time to merge (out of active or hit the wait limit)
+        if len(simgr.stashes[stash]) != 0 and self.wait_counter < self.wait_counter_limit:
+            return simgr
+
+        # self.mark_nofilter(simgr, self.stash)
+
+        # only both merging if, you know, there's actually states to merge
+        if len(simgr.stashes[self.stash]) == 1:
+            simgr.move(self.stash, stash)
+            return simgr
+
+        # do the merge, keyed by unique callstack
+        l.info("Merging %d states at %#x", len(simgr.stashes[self.stash]), self.address)
+        num_unique = 0
+        while len(simgr.stashes[self.stash]):
+            num_unique += 1
+            exemplar_callstack = simgr.stashes[self.stash][0].callstack
+            simgr.move(self.stash, "merge_tmp", lambda s: s.callstack == exemplar_callstack)
+            l.debug("...%d with unique callstack #%d", len(simgr.merge_tmp), num_unique)
+            if len(simgr.merge_tmp) > 1:
+                simgr = simgr.merge(stash="merge_tmp", prune=self.prune)
+            simgr = simgr.move("merge_tmp", stash)
+
+        return simgr

angr/exploration_techniques/memory_watcher.py

@@ -0,0 +1,40 @@
+from . import ExplorationTechnique
+import psutil
+
+
+class MemoryWatcher(ExplorationTechnique):
+    """Memory Watcher
+
+    Args:
+        min_memory (int,optional): Minimum amount of free memory in MB before
+                    stopping execution (default: 95% memory use)
+        memory_stash (str, optional): What to call the low memory stash
+                    (default: 'lowmem')
+
+    At each step, keep an eye on how much memory is left on the system. Stash
+    off states to effectively stop execution if we're below a given threshold.
+    """
+
+    def __init__(self, min_memory=512, memory_stash="lowmem"):
+        super().__init__()
+
+        if min_memory is not None:
+            self.min_memory = 1024 * 1024 * min_memory
+
+        else:
+            self.min_memory = int(psutil.virtual_memory().total * 0.05)
+
+        self.memory_stash = memory_stash
+
+    def setup(self, simgr):
+        if self.memory_stash not in simgr.stashes:
+            simgr.stashes[self.memory_stash] = []
+
+    def step(self, simgr, stash="active", **kwargs):
+        if psutil.virtual_memory().available <= self.min_memory:
+            simgr.move(from_stash="active", to_stash=self.memory_stash)
+
+        else:
+            simgr = simgr.step(stash=stash, **kwargs)
+
+        return simgr

angr/exploration_techniques/oppologist.py

@@ -0,0 +1,93 @@
+import claripy
+import functools
+
+import logging
+
+l = logging.getLogger(name=__name__)
+
+from ..errors import AngrError, SimError, SimUnsupportedError, SimCCallError
+from .. import sim_options
+from ..engines.successors import SimSuccessors
+
+exc_list = (AngrError, SimError, claripy.ClaripyError, TypeError, ValueError, ArithmeticError, MemoryError)
+
+from . import ExplorationTechnique
+
+
+class Oppologist(ExplorationTechnique):
+    """
+    The Oppologist is an exploration technique that forces uncooperative code through qemu.
+    """
+
+    def __init__(self):
+        ExplorationTechnique.__init__(self)
+
+    @staticmethod
+    def _restore_state(old, new):
+        new.release_plugin("unicorn")
+        new.register_plugin("unicorn", old.unicorn.copy())
+        new.options = old.options.copy()
+
+    def _oppologize(self, simgr, state, pn, **kwargs):
+        l.debug("... pn: %s", pn)
+
+        pn.options.add(sim_options.UNICORN)
+        pn.options.add(sim_options.UNICORN_AGGRESSIVE_CONCRETIZATION)
+        pn.unicorn.max_steps = 1
+        pn.unicorn.countdown_symbolic_stop = 0
+        pn.unicorn.countdown_unsupported_stop = 0
+        pn.unicorn.countdown_nonunicorn_blocks = 0
+        pn.unicorn.countdown_stop_point = 0
+        ss = simgr.successors(pn, throw=True, **kwargs)
+
+        fixup = functools.partial(self._restore_state, state)
+
+        l.debug("... successors: %s", ss)
+        for s in ss.flat_successors + ss.unconstrained_successors + ss.unsat_successors + ss.successors:
+            fixup(s)
+
+        return ss
+
+    @staticmethod
+    def _combine_results(*results):
+        final = SimSuccessors(results[0].addr, results[0].initial_state)
+        final.description = "Oppology"
+        final.sort = "Oppologist"
+
+        for med in results:
+            final.processed = True
+            final.successors.extend(med.successors)
+            final.all_successors.extend(med.all_successors)
+            final.flat_successors.extend(med.flat_successors)
+            final.unsat_successors.extend(med.unsat_successors)
+            final.unconstrained_successors.extend(med.unsat_successors)
+
+        return final
+
+    def _delayed_oppology(self, simgr, state, e, **kwargs):
+        ss = simgr.successors(state, num_inst=e.executed_instruction_count, **kwargs)
+        need_oppologizing = [s for s in ss.flat_successors if s.addr == e.ins_addr]
+        ss.flat_successors = [s for s in ss.flat_successors if s.addr != e.ins_addr]
+        results = [ss]
+
+        results.extend(map(functools.partial(self._oppologize, simgr, state, **kwargs), need_oppologizing))
+        return self._combine_results(*results)
+
+    def successors(self, simgr, state, **kwargs):
+        try:
+            kwargs.pop("throw", None)
+            return simgr.successors(state, **kwargs)
+
+        except (SimUnsupportedError, SimCCallError) as e:
+            l.debug("Errored on path %s after %d instructions", state, e.executed_instruction_count)
+            try:
+                if e.executed_instruction_count:
+                    return self._delayed_oppology(simgr, state, e, **kwargs)
+                else:
+                    return self._oppologize(simgr, state, state.copy(), **kwargs)
+            except exc_list:  # pylint:disable=broad-except
+                l.error("Oppologizer hit an error while trying to perform repairs", exc_info=True)
+                raise e
+        except Exception:  # pylint:disable=broad-except
+            l.error("Original block hit an unsupported error", exc_info=True)
+            raise