angr 9.2.115__py3-none-macosx_11_0_arm64.whl → 9.2.117__py3-none-macosx_11_0_arm64.whl

angr/analyses/reaching_definitions/function_handler_library/stdlib.py

@@ -16,9 +16,9 @@ if TYPE_CHECKING:
 
 
 class EnvironAtom(Atom):
-    def __init__(self, name: str | None):
+    def __init__(self, size: int, name: str | None):
         self.name = name
-        super().__init__(1)
+        super().__init__(size)
 
     def _identity(self):
         if self.name is not None:
@@ -31,9 +31,9 @@ class EnvironAtom(Atom):
 
 
 class SystemAtom(Atom):
-    def __init__(self):
+    def __init__(self, size: int = 1):
         self.nonce = random.randint(0, 999999999999)
-        super().__init__(1)
+        super().__init__(size)
 
     def _identity(self):
         return (self.nonce,)
@@ -49,7 +49,7 @@ class ExecveAtom(Atom):
         super().__init__(size)
 
     def _identity(self):
-        return (self.nonce,)
+        return (self.nonce, self.idx)
 
     def __repr__(self):
         return f"<ExecveAtom {self.idx}>"
@@ -61,7 +61,10 @@ class LibcStdlibHandlers(FunctionHandler):
         buf_atoms = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
         buf_value = state.get_concrete_value(buf_atoms, cast_to=bytes)
         if buf_value is not None:
-            buf_value = int(buf_value.decode().strip("\0"))
+            try:
+                buf_value = int(buf_value.decode().strip("\0"))
+            except ValueError:
+                buf_value = 0
         data.depends(data.ret_atoms, buf_atoms, value=buf_value)
 
     @FunctionCallDataUnwrapped.decorate
@@ -92,7 +95,7 @@ class LibcStdlibHandlers(FunctionHandler):
         heap_ptr = state.heap_allocator.allocate(2)
         heap_atom = state.deref(heap_ptr, 2)
         heap_value = claripy.BVS("weh", 8).concat(claripy.BVV(0, 8))
-        data.depends(heap_atom, EnvironAtom(name_value), value=heap_value)
+        data.depends(heap_atom, EnvironAtom(2, name_value), value=heap_value)
         data.depends(data.ret_atoms, value=state.heap_address(heap_ptr))
 
     @FunctionCallDataUnwrapped.decorate
@@ -105,12 +108,15 @@ class LibcStdlibHandlers(FunctionHandler):
 
         src_atom = state.deref(data.args_atoms[1], DerefSize.NULL_TERMINATE)
         src_value = state.get_values(src_atom)
-        data.depends(EnvironAtom(name_value), src_atom, value=src_value)
+        data.depends(
+            EnvironAtom(len(src_value) // 8 if src_value is not None else 1, name_value), src_atom, value=src_value
+        )
 
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_system(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         buf_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)
-        data.depends(SystemAtom(), buf_atom)
+        buf_value = state.get_values(buf_atom)
+        data.depends(SystemAtom(len(buf_value) // 8 if buf_value is not None else 1), buf_atom, value=buf_value)
 
     handle_impl_popen = handle_impl_execl = handle_impl_system
 
@@ -131,12 +137,12 @@ class LibcStdlibHandlers(FunctionHandler):
                 # unknown if array continues
                 break
 
-            argv_deref_concrete = state.get_concrete_value(argv_deref_atom)
+            argv_deref_concrete = state.get_one_value(argv_deref_atom)
             if argv_deref_concrete is None:
                 # unknown if array continues
                 break
 
-            if argv_deref_concrete == 0:
+            if (argv_deref_concrete == 0).is_true():
                 # End of array
                 break
 

angr/analyses/reaching_definitions/function_handler_library/string.py

@@ -6,7 +6,7 @@ from angr.knowledge_plugins.key_definitions.live_definitions import DerefSize
 # pylint: disable=no-self-use,missing-class-docstring,unused-argument
 
 
-class LibcUnistdHandlers(FunctionHandler):
+class LibcStringHandlers(FunctionHandler):
     @FunctionCallDataUnwrapped.decorate
     def handle_impl_strcat(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         src0_atom = state.deref(data.args_atoms[0], DerefSize.NULL_TERMINATE)

angr/analyses/reaching_definitions/function_handler_library/unistd.py

@@ -10,7 +10,7 @@ class LibcUnistdHandlers(FunctionHandler):
     def handle_impl_read(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         size = state.get_concrete_value(data.args_atoms[2]) or 1
         dst_atom = state.deref(data.args_atoms[1], size)
-        data.depends(dst_atom, StdinAtom(data.function.name))
+        data.depends(dst_atom, StdinAtom(data.function.name, size))
 
     handle_impl_recv = handle_impl_recvfrom = handle_impl_read
 
@@ -18,6 +18,6 @@ class LibcUnistdHandlers(FunctionHandler):
     def handle_impl_write(self, state: ReachingDefinitionsState, data: FunctionCallDataUnwrapped):
         size = state.get_concrete_value(data.args_atoms[2]) or 1
         src_atom = state.deref(data.args_atoms[1], size)
-        data.depends(StdoutAtom(data.function.name), src_atom, value=state.get_values(src_atom))
+        data.depends(StdoutAtom(data.function.name, size), src_atom, value=state.get_values(src_atom))
 
     handle_impl_send = handle_impl_write

angr/analyses/reaching_definitions/rd_state.py

@@ -9,6 +9,7 @@ from angr.misc.ux import deprecated
 from angr.knowledge_plugins.key_definitions.environment import Environment
 from angr.knowledge_plugins.key_definitions.tag import Tag
 from angr.knowledge_plugins.key_definitions.heap_address import HeapAddress
+from angr.knowledge_plugins.key_definitions.definition import A
 from angr.engines.light import SpOffset
 from angr.code_location import CodeLocation
 from ...storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
@@ -90,7 +91,7 @@ class ReachingDefinitionsState:
         heap_allocator: HeapAllocator = None,
         environment: Environment = None,
         sp_adjusted: bool = False,
-        all_definitions: set[Definition] | None = None,
+        all_definitions: set[Definition[A]] | None = None,
         initializer: Optional["RDAStateInitializer"] = None,
         element_limit: int = 5,
         merge_into_tops: bool = True,
@@ -106,12 +107,12 @@ class ReachingDefinitionsState:
         self._sp_adjusted: bool = sp_adjusted
         self._element_limit: int = element_limit
 
-        self.all_definitions: set[Definition] = set() if all_definitions is None else all_definitions
+        self.all_definitions: set[Definition[A]] = set() if all_definitions is None else all_definitions
 
         self.heap_allocator = heap_allocator or HeapAllocator(canonical_size)
         self._environment: Environment = environment or Environment()
 
-        self.codeloc_uses: set[Definition] = set()
+        self.codeloc_uses: set[Definition[A]] = set()
 
         # have we observed an exit statement or not during the analysis of the *last instruction* of a block? we should
         # not perform any sp updates if it is the case. this is for handling conditional returns in ARM binaries.
@@ -189,7 +190,7 @@ class ReachingDefinitionsState:
             return n - 2**self.arch.bits
         return n
 
-    def annotate_with_def(self, symvar: claripy.ast.Base, definition: Definition) -> claripy.ast.Base:
+    def annotate_with_def(self, symvar: claripy.ast.Base, definition: Definition[A]) -> claripy.ast.Base:
         """
 
         :param symvar:
@@ -198,14 +199,14 @@ class ReachingDefinitionsState:
         """
         return self.live_definitions.annotate_with_def(symvar, definition)
 
-    def annotate_mv_with_def(self, mv: MultiValues, definition: Definition) -> MultiValues:
+    def annotate_mv_with_def(self, mv: MultiValues, definition: Definition[A]) -> MultiValues:
         return MultiValues(
             offset_to_values={
                 offset: {self.annotate_with_def(value, definition) for value in values} for offset, values in mv.items()
             }
         )
 
-    def extract_defs(self, symvar: claripy.ast.Base) -> Iterator[Definition]:
+    def extract_defs(self, symvar: claripy.ast.Base) -> Iterator[Definition[A]]:
         yield from self.live_definitions.extract_defs(symvar)
 
     #
@@ -364,9 +365,9 @@ class ReachingDefinitionsState:
         tags: set[Tag] = None,
         endness=None,  # XXX destroy
         annotated: bool = False,
-        uses: set[Definition] | None = None,
+        uses: set[Definition[A]] | None = None,
         override_codeloc: CodeLocation | None = None,
-    ) -> tuple[MultiValues | None, set[Definition]]:
+    ) -> tuple[MultiValues | None, set[Definition[A]]]:
         codeloc = override_codeloc or self.codeloc
         existing_defs = self.live_definitions.get_definitions(atom)
         mv = self.live_definitions.kill_and_add_definition(
@@ -446,7 +447,7 @@ class ReachingDefinitionsState:
         self.codeloc_uses.update(self.get_definitions(atom))
         self.live_definitions.add_use(atom, self.codeloc, expr=expr)
 
-    def add_use_by_def(self, definition: Definition, expr: Any | None = None) -> None:
+    def add_use_by_def(self, definition: Definition[A], expr: Any | None = None) -> None:
         self.codeloc_uses.add(definition)
         self.live_definitions.add_use_by_def(definition, self.codeloc, expr=expr)
 
@@ -455,7 +456,7 @@ class ReachingDefinitionsState:
         self.add_tmp_use_by_defs(defs, expr=expr)
 
     def add_tmp_use_by_defs(
-        self, defs: Iterable[Definition], expr: Any | None = None
+        self, defs: Iterable[Definition[A]], expr: Any | None = None
     ) -> None:  # pylint:disable=unused-argument
         for definition in defs:
             self.codeloc_uses.add(definition)
@@ -466,7 +467,7 @@ class ReachingDefinitionsState:
         defs = self.live_definitions.get_register_definitions(reg_offset, size)
         self.add_register_use_by_defs(defs, expr=expr)
 
-    def add_register_use_by_defs(self, defs: Iterable[Definition], expr: Any | None = None) -> None:
+    def add_register_use_by_defs(self, defs: Iterable[Definition[A]], expr: Any | None = None) -> None:
         for definition in defs:
             self.codeloc_uses.add(definition)
             self.live_definitions.add_register_use_by_def(definition, self.codeloc, expr=expr)
@@ -475,7 +476,7 @@ class ReachingDefinitionsState:
         defs = self.live_definitions.get_stack_definitions(stack_offset, size)
         self.add_stack_use_by_defs(defs, expr=expr)
 
-    def add_stack_use_by_defs(self, defs: Iterable[Definition], expr: Any | None = None):
+    def add_stack_use_by_defs(self, defs: Iterable[Definition[A]], expr: Any | None = None):
         for definition in defs:
             self.codeloc_uses.add(definition)
             self.live_definitions.add_stack_use_by_def(definition, self.codeloc, expr=expr)
@@ -484,43 +485,39 @@ class ReachingDefinitionsState:
         defs = self.live_definitions.get_heap_definitions(heap_offset, size)
         self.add_heap_use_by_defs(defs, expr=expr)
 
-    def add_heap_use_by_defs(self, defs: Iterable[Definition], expr: Any | None = None):
+    def add_heap_use_by_defs(self, defs: Iterable[Definition[A]], expr: Any | None = None):
         for definition in defs:
             self.codeloc_uses.add(definition)
             self.live_definitions.add_heap_use_by_def(definition, self.codeloc, expr=expr)
 
-    def add_memory_use_by_def(self, definition: Definition, expr: Any | None = None):
+    def add_memory_use_by_def(self, definition: Definition[A], expr: Any | None = None):
         self.codeloc_uses.add(definition)
         self.live_definitions.add_memory_use_by_def(definition, self.codeloc, expr=expr)
 
-    def add_memory_use_by_defs(self, defs: Iterable[Definition], expr: Any | None = None):
+    def add_memory_use_by_defs(self, defs: Iterable[Definition[A]], expr: Any | None = None):
         for definition in defs:
             self.codeloc_uses.add(definition)
             self.live_definitions.add_memory_use_by_def(definition, self.codeloc, expr=expr)
 
-    def get_definitions(self, atom: Atom | Definition | Iterable[Atom] | Iterable[Definition]) -> set[Definition]:
+    def get_definitions(self, atom: A | Definition[A] | Iterable[A] | Iterable[Definition[A]]) -> set[Definition[A]]:
         return self.live_definitions.get_definitions(atom)
 
-    def get_values(self, spec: Atom | Definition | Iterable[Atom]) -> MultiValues | None:
+    def get_values(self, spec: A | Definition[A] | Iterable[A]) -> MultiValues | None:
         return self.live_definitions.get_values(spec)
 
     def get_one_value(
-        self, spec: Atom | Definition | Iterable[Atom] | Iterable[Definition], strip_annotations: bool = False
+        self, spec: A | Definition[A] | Iterable[A] | Iterable[Definition[A]], strip_annotations: bool = False
     ) -> claripy.ast.bv.BV | None:
         return self.live_definitions.get_one_value(spec, strip_annotations=strip_annotations)
 
     @overload
-    def get_concrete_value(
-        self, spec: Atom | Definition[Atom] | Iterable[Atom], cast_to: type[int] = ...
-    ) -> int | None: ...
+    def get_concrete_value(self, spec: A | Definition[A] | Iterable[A], cast_to: type[int] = ...) -> int | None: ...
 
     @overload
-    def get_concrete_value(
-        self, spec: Atom | Definition[Atom] | Iterable[Atom], cast_to: type[bytes] = ...
-    ) -> bytes | None: ...
+    def get_concrete_value(self, spec: A | Definition[A] | Iterable[A], cast_to: type[bytes] = ...) -> bytes | None: ...
 
     def get_concrete_value(
-        self, spec: Atom | Definition[Atom] | Iterable[Atom], cast_to: type[int] | type[bytes] = int
+        self, spec: A | Definition[A] | Iterable[A], cast_to: type[int] | type[bytes] = int
     ) -> int | bytes | None:
         return self.live_definitions.get_concrete_value(spec, cast_to)
 
@@ -593,7 +590,7 @@ class ReachingDefinitionsState:
     @overload
     def deref(
         self,
-        pointer: MultiValues | Atom | Definition | Iterable[Atom] | Iterable[Definition],
+        pointer: MultiValues | A | Definition | Iterable[A] | Iterable[Definition[A]],
         size: int | DerefSize,
         endness: str = ...,
     ) -> set[MemoryLocation]: ...
@@ -602,10 +599,10 @@ class ReachingDefinitionsState:
         self,
         pointer: (
             MultiValues
-            | Atom
+            | A
             | Definition
-            | Iterable[Atom]
-            | Iterable[Definition]
+            | Iterable[A]
+            | Iterable[Definition[A]]
             | int
             | claripy.ast.BV
             | HeapAddress

angr/analyses/variable_recovery/engine_vex.py

@@ -563,15 +563,6 @@ class SimEngineVRVEX(
             return RichR(self.state.top(expr_0.data.size()))
         return RichR(self.state.top(expr_0.data.size()))
 
-    def _handle_Ctz(self, expr):
-        arg0 = expr.args[0]
-        expr_0 = self._expr(arg0)
-        if expr_0 is None:
-            return None
-        if self.state.is_top(expr_0.data):
-            return RichR(self.state.top(expr_0.data.size()))
-        return RichR(self.state.top(expr_0.data.size()))
-
     _handle_CmpEQ_v = _handle_Cmp_v
     _handle_CmpNE_v = _handle_Cmp_v
     _handle_CmpLE_v = _handle_Cmp_v

angr/analyses/vfg.py

@@ -1303,7 +1303,7 @@ class VFG(ForwardAnalysis[SimState, VFGNode, VFGJob, BlockID], Analysis):  # pyl
         # TODO: the following code is totally untested other than X86 and AMD64. Don't freak out if you find bugs :)
         # TODO: Test it
 
-        ret_bvv = state.solver.BVV(ret_addr, self.project.arch.bits)
+        ret_bvv = claripy.BVV(ret_addr, self.project.arch.bits)
 
         if self.project.arch.name in ("X86", "AMD64"):
             state.stack_push(ret_bvv)
@@ -1524,13 +1524,13 @@ class VFG(ForwardAnalysis[SimState, VFGNode, VFGJob, BlockID], Analysis):  # pyl
                 successor_state.registers.store(arch.sp_offset, reg_sp_expr)
 
                 # Clear the return value with a TOP
-                top_si = successor_state.solver.TSI(arch.bits)
+                top_si = claripy.TSI(arch.bits)
                 successor_state.registers.store(arch.ret_offset, top_si)
 
             if job.call_skipped:
                 # TODO: Make sure the return values make sense
                 # if self.project.arch.name == "X86":
-                #     successor_state.regs.eax = successor_state.solver.BVS(
+                #     successor_state.regs.eax = claripy.BVS(
                 #         "ret_val", 32, min=0, max=0xFFFFFFFF, stride=1
                 #     )
 
@@ -1564,7 +1564,7 @@ class VFG(ForwardAnalysis[SimState, VFGNode, VFGJob, BlockID], Analysis):  # pyl
                     reg_sp_si = self._create_stack_region(successor_state, successor_addr)
 
                     # Save the new sp register
-                    new_reg_sp_expr = successor_state.solver.ValueSet(successor_state.arch.bits, "global", 0, reg_sp_si)
+                    new_reg_sp_expr = claripy.ValueSet(successor_state.arch.bits, "global", 0, reg_sp_si)
                     successor_state.regs.sp = new_reg_sp_expr
 
                 elif successor.history.jumpkind == "Ijk_Ret":

angr/calling_conventions.py

@@ -413,7 +413,7 @@ class SimComboArg(SimFunctionArgument):
         vals = []
         for loc in reversed(self.locations):
             vals.append(loc.get_value(state, **kwargs))
-        return self.check_value_get(state.solver.Concat(*vals))
+        return self.check_value_get(claripy.Concat(*vals))
 
 
 class SimStructArg(SimFunctionArgument):
@@ -1031,7 +1031,7 @@ class SimCC:
             if isinstance(ty, SimTypeFloat):
                 return SimCC._standardize_value(float(arg), ty, state, alloc)
 
-            val = state.solver.BVV(arg, ty.size)
+            val = claripy.BVV(arg, ty.size)
             return val
 
         elif isinstance(arg, float):
@@ -2300,6 +2300,8 @@ def default_cc(  # pylint:disable=unused-argument
     if alias not in cc_map or platform not in cc_map[alias]:
         if default is not ...:
             return default
+        else:
+            return None
     return cc_map[alias][platform]
 
 

angr/concretization_strategies/any_named.py

@@ -1,3 +1,5 @@
+import claripy
+
 from . import SimConcretizationStrategy
 
 
@@ -24,7 +26,7 @@ class SimConcretizationStrategyAnyNamed(SimConcretizationStrategy):
         target = self._any(memory, addr, extra_constraints=child_constraints, **kwargs)
         # Create new BVS
         old_name = " ".join(repr(addr)[:-1].split(" ")[1:])
-        new_BVS = memory.state.solver.BVS(f"[{old_name}]", memory.state.arch.bits, explicit_name=True)
+        new_BVS = claripy.BVS(f"[{old_name}]", memory.state.arch.bits, explicit_name=True)
         memory.store(target, new_BVS, endness=memory.state.arch.memory_endness)
         # Enforce the address
         memory.state.solver.add(addr == target)

angr/concretization_strategies/controlled_data.py

@@ -1,5 +1,7 @@
 from itertools import groupby
 
+import claripy
+
 from . import SimConcretizationStrategy
 
 
@@ -40,10 +42,10 @@ class SimConcretizationStrategyControlledData(SimConcretizationStrategy):
 
         # create constraints from intervals
         for base, length in intervals:
-            constraints.append(memory.state.solver.And(addr >= base, addr < base + length))
+            constraints.append(claripy.And(addr >= base, addr < base + length))
 
         # try to get solutions for controlled memory
-        ored_constraints = memory.state.solver.Or(*constraints)
+        ored_constraints = claripy.Or(*constraints)
         child_constraints = (ored_constraints,)
         extra_constraints = kwargs.pop("extra_constraints", None)
         if extra_constraints is not None:

angr/concretization_strategies/signed_add.py

@@ -1,3 +1,5 @@
+import claripy
+
 from . import SimConcretizationStrategy
 
 
@@ -21,4 +23,4 @@ class SimConcretizationStrategySignedAdd(SimConcretizationStrategy):
                     new_arg = (1 << addr.args[1].size()) - memory.state.solver.eval(addr.args[1])
                     if new_arg < self._substraction_limit:
                         addr.op = "__sub__"
-                        addr.args = (addr.args[0], memory.state.solver.BVV(new_arg, addr.args[1].size()))
+                        addr.args = (addr.args[0], claripy.BVV(new_arg, addr.args[1].size()))

angr/engines/concrete.py

@@ -1,6 +1,8 @@
 import logging
 import threading
 
+import claripy
+
 from angr.errors import AngrError
 from .engine import SuccessorsMixin
 from ..errors import SimConcreteRegisterError
@@ -58,7 +60,7 @@ class SimEngineConcrete(SuccessorsMixin):
 
         successors.engine = "SimEngineConcrete"
         successors.sort = "SimEngineConcrete"
-        successors.add_successor(new_state, new_state.ip, new_state.solver.true, new_state.unicorn.jumpkind)
+        successors.add_successor(new_state, new_state.ip, claripy.true, new_state.unicorn.jumpkind)
         successors.description = "Concrete Successors"
         successors.processed = True
 

angr/engines/pcode/behavior.py

@@ -868,6 +868,8 @@ class OpBehaviorSubpiece(OpBehavior):
     def evaluate_binary(self, size_out: int, size_in: int, in1: BV, in2: BV) -> BV:
         if in2.size() < in1.size():
             in2 = in2.sign_extend(in1.size() - in2.size())
+        if in1.size() < in2.size():
+            in1 = in1.sign_extend(in2.size() - in1.size())
         return (in1 >> (in2 * 8)) & (2 ** (size_out * 8) - 1)
 
 

angr/engines/pcode/cc.py

@@ -10,6 +10,7 @@ from ...calling_conventions import (
     register_default_cc,
     SimCCUnknown,
     default_cc,
+    SimCCO32,
 )
 
 
@@ -107,6 +108,7 @@ def register_pcode_arch_default_cc(arch: ArchPcode):
             "PowerPC:BE:32:e200": SimCCPowerPC,
             "PowerPC:BE:32:MPC8270": SimCCPowerPC,
             "Xtensa:LE:32:default": SimCCXtensa,
+            "MIPS:LE:32:default": SimCCO32,
         }
         if arch.name in manual_cc_mapping:
             # first attempt: manually specified mappings

angr/engines/pcode/emulate.py

@@ -187,7 +187,7 @@ class PcodeEmulatorMixin(SimEngineBase):
         elif space.name == "unique":
             self._pcode_tmps[varnode.offset] = value
 
-        elif space.name in ("ram", "mem"):
+        elif space.name.lower() in ("ram", "mem"):
             l.debug("Storing %s to offset %s", value, varnode.offset)
             self.state.memory.store(varnode.offset, value, endness=self.project.arch.memory_endness)
 
@@ -225,7 +225,7 @@ class PcodeEmulatorMixin(SimEngineBase):
                 self._pcode_tmps[varnode.offset] = claripy.BVV(0, size * 8)
             return self._pcode_tmps[varnode.offset]
 
-        elif space_name in ("ram", "mem"):
+        elif space_name.lower() in ("ram", "mem"):
             val = self.state.memory.load(varnode.offset, endness=self.project.arch.memory_endness, size=size)
             l.debug("Loaded %s from offset %s", val, varnode.offset)
             return val
@@ -285,7 +285,7 @@ class PcodeEmulatorMixin(SimEngineBase):
         space = self._current_op.inputs[0].getSpaceFromConst()
         offset = self._get_value(self._current_op.inputs[1])
         out = self._current_op.output
-        if space.name in ("ram", "mem"):
+        if space.name.lower() in ("ram", "mem"):
             res = self.state.memory.load(offset, out.size, endness=self.project.arch.memory_endness)
         elif space.name in "register":
             res = self.state.registers.load(offset, size=out.size, endness=self.project.arch.register_endness)
@@ -304,7 +304,7 @@ class PcodeEmulatorMixin(SimEngineBase):
         offset = self._get_value(self._current_op.inputs[1])
         data = self._get_value(self._current_op.inputs[2])
         l.debug("Storing %s at offset %s", data, offset)
-        if space.name in ("ram", "mem"):
+        if space.name.lower() in ("ram", "mem"):
             self.state.memory.store(offset, data, endness=self.project.arch.memory_endness)
         elif space.name == "register":
             self.state.registers.store(offset, data, endness=self.project.arch.register_endness)

angr/engines/pcode/engine.py

@@ -224,7 +224,7 @@ class HeavyPcodeMixin(
                             "return value in Call-less mode.",
                             exit_state.arch.name,
                         )
-                exit_state.scratch.target = exit_state.solver.BVV(
+                exit_state.scratch.target = claripy.BVV(
                     successors.addr + self.state.scratch.irsb.size, exit_state.arch.bits
                 )
                 exit_state.history.jumpkind = "Ijk_Ret"
@@ -238,12 +238,8 @@ class HeavyPcodeMixin(
                 l.debug("%s adding postcall exit.", self)
 
                 ret_state = exit_state.copy()
-                guard = (
-                    ret_state.solver.true
-                    if o.TRUE_RET_EMULATION_GUARD in self.state.options
-                    else ret_state.solver.false
-                )
-                ret_target = ret_state.solver.BVV(successors.addr + self.state.scratch.irsb.size, ret_state.arch.bits)
+                guard = claripy.true if o.TRUE_RET_EMULATION_GUARD in self.state.options else claripy.false
+                ret_target = claripy.BVV(successors.addr + self.state.scratch.irsb.size, ret_state.arch.bits)
                 if ret_state.arch.call_pushes_ret and not exit_jumpkind.startswith("Ijk_Sys"):
                     ret_state.regs.sp = ret_state.regs.sp + ret_state.arch.bytes
                 successors.add_successor(

angr/engines/soot/engine.py

@@ -1,5 +1,6 @@
 import logging
 
+import claripy
 from archinfo.arch_soot import (
     ArchSoot,
     SootAddressDescriptor,
@@ -134,7 +135,7 @@ class SootMixin(SuccessorsMixin, ProcedureMixin):
                 next_addr = self._get_next_linear_instruction(state, stmt_idx)
                 l.debug("Advancing execution linearly to %s", next_addr)
                 if next_addr is not None:
-                    successors.add_successor(state.copy(), next_addr, state.solver.true, "Ijk_Boring")
+                    successors.add_successor(state.copy(), next_addr, claripy.true, "Ijk_Boring")
 
     def _handle_soot_stmt(self, state, successors, stmt_idx, stmt):
         # execute statement
@@ -172,7 +173,7 @@ class SootMixin(SuccessorsMixin, ProcedureMixin):
             # add invoke state as the successor and terminate execution
             # prematurely, since Soot does not guarantee that an invoke stmt
             # terminates a block
-            successors.add_successor(invoke_state, addr, state.solver.true, "Ijk_Call")
+            successors.add_successor(invoke_state, addr, claripy.true, "Ijk_Call")
             return True
 
         # add jmp exit
@@ -198,7 +199,7 @@ class SootMixin(SuccessorsMixin, ProcedureMixin):
     def _add_return_exit(cls, state, successors, return_val=None):
         ret_state = state.copy()
         cls.prepare_return_state(ret_state, return_val)
-        successors.add_successor(ret_state, state.callstack.ret_addr, ret_state.solver.true, "Ijk_Ret")
+        successors.add_successor(ret_state, state.callstack.ret_addr, claripy.true, "Ijk_Ret")
         successors.processed = True
 
     def _get_sim_procedure(self, addr):
@@ -321,9 +322,9 @@ class SootMixin(SuccessorsMixin, ProcedureMixin):
         if type(statement) is SimSootStmt_Return:
             exit_code = statement.return_value
             # TODO symbolic exit code?
-            exit_code = state.solver.BVV(exit_code, state.arch.bits)
+            exit_code = claripy.BVV(exit_code, state.arch.bits)
         state.history.add_event("terminate", exit_code=exit_code)
-        successors.add_successor(state, state.regs.ip, state.solver.true, "Ijk_Exit")
+        successors.add_successor(state, state.regs.ip, claripy.true, "Ijk_Exit")
         successors.processed = True
         raise BlockTerminationNotice()
 
@@ -345,7 +346,7 @@ class SootMixin(SuccessorsMixin, ProcedureMixin):
 
         # set successor flags
         ret_state.regs._ip = ret_state.callstack.ret_addr
-        ret_state.scratch.guard = ret_state.solver.true
+        ret_state.scratch.guard = claripy.true
         ret_state.history.jumpkind = "Ijk_Ret"
 
         # if available, lookup the return value in native memory

angr/engines/soot/expressions/constants.py

@@ -1,3 +1,4 @@
+import claripy
 from archinfo.arch_soot import SootClassDescriptor, SootNullConstant
 from claripy import FSORT_DOUBLE, FSORT_FLOAT
 
@@ -7,28 +8,28 @@ from .base import SimSootExpr
 
 class SimSootExpr_IntConstant(SimSootExpr):
     def _execute(self):
-        self.expr = self.state.solver.BVV(self.expr.value, 32)
+        self.expr = claripy.BVV(self.expr.value, 32)
 
 
 class SimSootExpr_LongConstant(SimSootExpr):
     def _execute(self):
-        self.expr = self.state.solver.BVV(self.expr.value, 64)
+        self.expr = claripy.BVV(self.expr.value, 64)
 
 
 class SimSootExpr_FloatConstant(SimSootExpr):
     def _execute(self):
-        self.expr = self.state.solver.FPV(self.expr.value, FSORT_FLOAT)
+        self.expr = claripy.FPV(self.expr.value, FSORT_FLOAT)
 
 
 class SimSootExpr_DoubleConstant(SimSootExpr):
     def _execute(self):
-        self.expr = self.state.solver.FPV(self.expr.value, FSORT_DOUBLE)
+        self.expr = claripy.FPV(self.expr.value, FSORT_DOUBLE)
 
 
 class SimSootExpr_StringConstant(SimSootExpr):
     def _execute(self):
         # strip away quotes introduced by soot
-        str_val = self.state.solver.StringV(self.expr.value.strip('"'))
+        str_val = claripy.StringV(self.expr.value.strip('"'))
         str_ref = SimSootValue_StringRef(self.state.memory.get_new_uuid())
         self.state.memory.store(str_ref, str_val)
         self.expr = str_ref

angr/engines/soot/expressions/newArray.py

@@ -1,5 +1,7 @@
 import logging
 
+import claripy
+
 from ..values import SimSootValue_ArrayBaseRef
 from .base import SimSootExpr
 
@@ -27,7 +29,7 @@ class SimSootExpr_NewArray(SimSootExpr):
     @staticmethod
     def _bound_array_size(state, array_size):
         # check if array size can exceed MAX_ARRAY_SIZE
-        max_array_size = state.solver.BVV(state.javavm_memory.max_array_size, 32)
+        max_array_size = claripy.BVV(state.javavm_memory.max_array_size, 32)
         size_stays_below_maximum = state.solver.eval_upto(max_array_size.SGE(array_size), 2)
 
         # overwrite size, if it *always* exceeds the maximum

angr/engines/soot/expressions/newMultiArray.py

@@ -1,5 +1,7 @@
 import logging
 
+import claripy
+
 from .base import SimSootExpr
 from .newArray import SimSootExpr_NewArray
 from ..values import SimSootValue_ArrayBaseRef
@@ -39,7 +41,7 @@ class SimSootExpr_NewMultiArray(SimSootExpr):
     @staticmethod
     def _bound_multi_array_size(state, multi_array_size):
         # check if array size can exceed MAX_ARRAY_SIZE
-        max_multi_array_size = state.solver.BVV(state.javavm_memory.max_array_size, 32)
+        max_multi_array_size = claripy.BVV(state.javavm_memory.max_array_size, 32)
         size_stays_below_maximum = state.solver.eval_upto(max_multi_array_size.SGE(multi_array_size), 2)
 
         # overwrite size, if it *always* exceeds the maximum