angr 9.2.120__py3-none-win_amd64.whl → 9.2.121__py3-none-win_amd64.whl

angr/analyses/cfg/indirect_jump_resolvers/mips_elf_got.py

@@ -0,0 +1,148 @@
+# pylint:disable=too-many-positional-arguments
+from __future__ import annotations
+import logging
+
+from capstone.mips_const import (
+    MIPS_REG_T7,
+    MIPS_REG_T8,
+    MIPS_REG_T9,
+    MIPS_REG_RA,
+    MIPS_REG_ZERO,
+    MIPS_OP_REG,
+    MIPS_OP_IMM,
+)
+
+import cle
+
+from .resolver import IndirectJumpResolver
+
+l = logging.getLogger(name=__name__)
+
+
+class MipsElfGotResolver(IndirectJumpResolver):
+    """
+    A timeless indirect jump resolver that resolves GOT stub entries in MIPS ELF binaries.
+
+    Reference: MIPS Assembly Language Programmer's Guide, Calling Position Independent Functions
+    """
+
+    def __init__(self, project):
+        super().__init__(project, timeless=True)
+
+        self._section_cache: dict[tuple[int, str], int] = {}
+        self._simproc_cache: dict[str, int] | None = None
+
+    def filter(self, cfg, addr, func_addr, block, jumpkind):
+        return jumpkind == "Ijk_Call" and addr == func_addr
+
+    def resolve(  # pylint:disable=unused-argument
+        self, cfg, addr, func_addr, block, jumpkind, func_graph_complete: bool = True, **kwargs
+    ):
+        # The stub must look like the following:
+        #   585b80  lw      $t9, -0x7ff0($gp)
+        #   585b84  move    $t7, $ra
+        #   585b88  jalr    $t9
+        #   585b8c  addiu   $t8, $zero, 0x84b
+
+        obj = self.project.loader.find_object_containing(addr)
+        if obj is None:
+            return False, []
+        if not isinstance(obj, cle.ELF):
+            return False, []
+        dynsym_addr = self._find_and_cache_section_addr(obj, ".dynsym")
+        if dynsym_addr is None:
+            return None
+
+        dynstr_addr = self._find_and_cache_section_addr(obj, ".dynstr")
+        if dynstr_addr is None:
+            return None
+
+        if block.size != 16:
+            return False, []
+        the_block = self.project.factory.block(block.addr, size=block.size)
+        if len(the_block.capstone.insns) != 4:
+            return False, []
+
+        insn0 = the_block.capstone.insns[0]
+        if not (
+            insn0.insn.mnemonic == "lw"
+            and insn0.insn.operands[0].type == MIPS_OP_REG
+            and insn0.insn.operands[0].reg == MIPS_REG_T9
+        ):
+            return False, []
+
+        insn1 = the_block.capstone.insns[1]
+        if not (
+            insn1.insn.mnemonic == "move"
+            and insn1.insn.operands[0].type == MIPS_OP_REG
+            and insn1.insn.operands[0].reg == MIPS_REG_T7
+            and insn1.insn.operands[1].type == MIPS_OP_REG
+            and insn1.insn.operands[1].reg == MIPS_REG_RA
+        ):
+            return False, []
+
+        insn2 = the_block.capstone.insns[2]
+        if not (
+            insn2.insn.mnemonic == "jalr"
+            and insn2.insn.operands[0].type == MIPS_OP_REG
+            and insn2.insn.operands[0].reg == MIPS_REG_T9
+        ):
+            return False, []
+
+        insn3 = the_block.capstone.insns[3]
+        if not (
+            insn3.insn.mnemonic == "addiu"
+            and insn3.insn.operands[0].type == MIPS_OP_REG
+            and insn3.insn.operands[0].reg == MIPS_REG_T8
+            and insn3.insn.operands[1].type == MIPS_OP_REG
+            and insn3.insn.operands[1].reg == MIPS_REG_ZERO
+            and insn3.insn.operands[2].type == MIPS_OP_IMM
+        ):
+            return False, []
+
+        dynsym_index = insn3.insn.operands[2].imm
+        symbol_addr = dynsym_addr + dynsym_index * 16
+
+        symbol_name_index = self.project.loader.memory.unpack_word(symbol_addr, size=4)
+        symbol_name_addr = dynstr_addr + symbol_name_index
+        symbol_name_bytes = self.project.loader.memory.load_null_terminated_bytes(symbol_name_addr, 512)
+
+        try:
+            symbol_name = symbol_name_bytes.strip(b"\x00").decode("ascii")
+        except UnicodeDecodeError:
+            return False, []
+
+        symbol = obj.symbols_by_name.get(symbol_name, None)
+        if symbol is None:
+            return False, []
+
+        if symbol.rebased_addr != func_addr:
+            l.debug("Resolved target to %s @ %#x", symbol_name, symbol.rebased_addr)
+            return True, [symbol.rebased_addr]
+
+        # find out if there is a SimProcedure for this import symbol
+        simproc_addr = self._cache_and_find_simproc_by_name(symbol_name)
+        if simproc_addr is not None:
+            l.debug("Resolved target to %s @ %#x", symbol_name, simproc_addr)
+            return True, [simproc_addr]
+        return False, []
+
+    def _find_and_cache_section_addr(self, obj, section_name: str) -> int | None:
+        cache_key = (obj.min_addr, section_name)
+        if cache_key in self._section_cache:
+            return self._section_cache[cache_key]
+
+        for sec in obj.sections:
+            if sec.name == section_name:
+                # cache it
+                self._section_cache[cache_key] = sec.vaddr
+                return sec.vaddr
+        return None
+
+    def _cache_and_find_simproc_by_name(self, symbol_name: str) -> int | None:
+        if self._simproc_cache is None:
+            self._simproc_cache = {}
+            for addr, simproc in self.project._sim_procedures.items():
+                self._simproc_cache[simproc.display_name] = addr
+
+        return self._simproc_cache.get(symbol_name)

angr/analyses/decompiler/ccall_rewriters/amd64_ccalls.py

@@ -240,6 +240,26 @@ class AMD64CCallRewriter(CCallRewriterBase):
 
                         r = Expr.BinaryOp(ccall.idx, expr_op, (masked_dep, zero), False, **ccall.tags)
                         return Expr.Convert(None, r.bits, ccall.bits, False, r, **ccall.tags)
+                    if op_v in {
+                        AMD64_OpTypes["G_CC_OP_DECB"],
+                        AMD64_OpTypes["G_CC_OP_DECW"],
+                        AMD64_OpTypes["G_CC_OP_DECL"],
+                        AMD64_OpTypes["G_CC_OP_DECQ"],
+                    }:
+                        # dep_1 == 0 or dep_1 != 0
+                        dep_1 = self._fix_size(
+                            dep_1,
+                            op_v,
+                            AMD64_OpTypes["G_CC_OP_SHRB"],
+                            AMD64_OpTypes["G_CC_OP_SHRW"],
+                            AMD64_OpTypes["G_CC_OP_SHRL"],
+                            ccall.tags,
+                        )
+                        expr_op = "CmpEQ" if cond_v == AMD64_CondTypes["CondZ"] else "CmpNE"
+
+                        zero = Expr.Const(None, None, 0, dep_1.bits)
+                        r = Expr.BinaryOp(ccall.idx, expr_op, (dep_1, zero), False, **ccall.tags)
+                        return Expr.Convert(None, r.bits, ccall.bits, False, r, **ccall.tags)
                 elif cond_v == AMD64_CondTypes["CondL"]:
                     if op_v in {
                         AMD64_OpTypes["G_CC_OP_SUBB"],

angr/analyses/typehoon/typevars.py

@@ -28,11 +28,13 @@ class Equivalence(TypeConstraint):
     __slots__ = (
         "type_a",
         "type_b",
+        "_cached_hash",
     )
 
     def __init__(self, type_a, type_b):
         self.type_a = type_a
         self.type_b = type_b
+        self._cached_hash = hash((Equivalence, self.type_a, self.type_b))
 
     def pp_str(self, mapping: dict[TypeVariable, Any]) -> str:
         return f"{self.type_a.pp_str(mapping)} == {self.type_b.pp_str(mapping)}"
@@ -49,14 +51,15 @@ class Equivalence(TypeConstraint):
         )
 
     def __hash__(self):
-        return hash((Equivalence, tuple(sorted((hash(self.type_a), hash(self.type_b))))))
+        return self._cached_hash
 
 
 class Existence(TypeConstraint):
-    __slots__ = ("type_",)
+    __slots__ = ("type_", "_cached_hash")
 
     def __init__(self, type_):
         self.type_ = type_
+        self._cached_hash = hash((Existence, self.type_))
 
     def pp_str(self, mapping: dict[TypeVariable, Any]) -> str:
         return f"V {self.type_.pp_str(mapping)}"
@@ -68,7 +71,7 @@ class Existence(TypeConstraint):
         return type(other) is Existence and self.type_ == other.type_
 
     def __hash__(self):
-        return hash((Existence, self.type_))
+        return self._cached_hash
 
     def replace(self, replacements):
         if self.type_ in replacements:
@@ -84,11 +87,13 @@ class Subtype(TypeConstraint):
     __slots__ = (
         "super_type",
         "sub_type",
+        "_cached_hash",
     )
 
     def __init__(self, sub_type: TypeType, super_type: TypeType):
         self.super_type = super_type
         self.sub_type = sub_type
+        self._cached_hash = hash((Subtype, self.sub_type, self.super_type))
 
     def pp_str(self, mapping: dict[TypeVariable, Any]) -> str:
         return f"{self.sub_type.pp_str(mapping)} <: {self.super_type.pp_str(mapping)}"
@@ -100,7 +105,7 @@ class Subtype(TypeConstraint):
         return type(other) is Subtype and self.sub_type == other.sub_type and self.super_type == other.super_type
 
     def __hash__(self):
-        return hash((Subtype, hash(self.sub_type), hash(self.super_type)))
+        return self._cached_hash
 
     def replace(self, replacements):
         subtype, supertype = None, None
@@ -139,12 +144,14 @@ class Add(TypeConstraint):
         "type_0",
         "type_1",
         "type_r",
+        "_cached_hash",
     )
 
     def __init__(self, type_0, type_1, type_r):
         self.type_0 = type_0
         self.type_1 = type_1
         self.type_r = type_r
+        self._cached_hash = hash((Add, self.type_0, self.type_1, self.type_r))
 
     def pp_str(self, mapping: dict[TypeVariable, Any]) -> str:
         return f"{self.type_r.pp_str(mapping)} == {self.type_0.pp_str(mapping)} + {self.type_1.pp_str(mapping)}"
@@ -161,7 +168,7 @@ class Add(TypeConstraint):
         )
 
     def __hash__(self):
-        return hash((Add, self.type_0, self.type_1, self.type_r))
+        return self._cached_hash
 
     def replace(self, replacements):
         t0, t1, tr = None, None, None
@@ -206,12 +213,14 @@ class Sub(TypeConstraint):
         "type_0",
         "type_1",
         "type_r",
+        "_cached_hash",
     )
 
     def __init__(self, type_0, type_1, type_r):
         self.type_0 = type_0
         self.type_1 = type_1
         self.type_r = type_r
+        self._cached_hash = hash((Sub, self.type_0, self.type_1, self.type_r))
 
     def pp_str(self, mapping: dict[TypeVariable, Any]) -> str:
         return f"{self.type_r.pp_str(mapping)} == {self.type_0.pp_str(mapping)} - {self.type_1.pp_str(mapping)}"
@@ -228,7 +237,7 @@ class Sub(TypeConstraint):
         )
 
     def __hash__(self):
-        return hash((Sub, self.type_0, self.type_1, self.type_r))
+        return self._cached_hash
 
     def replace(self, replacements):
         t0, t1, tr = None, None, None
@@ -268,7 +277,7 @@ _typevariable_counter = count()
 
 
 class TypeVariable:
-    __slots__ = ("idx", "name")
+    __slots__ = ("idx", "name", "_cached_hash")
 
     def __init__(self, idx: int | None = None, name: str | None = None):
         if idx is None:
@@ -277,6 +286,8 @@ class TypeVariable:
             self.idx: int = idx
         self.name = name
 
+        self._cached_hash = hash((TypeVariable, self.name if self.name else self.idx))
+
     def pp_str(self, mapping: dict[TypeVariable, Any]) -> str:
         varname = mapping.get(self, self.name)
         if varname is None:
@@ -291,12 +302,10 @@ class TypeVariable:
         return self.idx == other.idx
 
     def _hash(self, visited=None):  # pylint:disable=unused-argument
-        if self.name:
-            return hash((TypeVariable, self.name))
-        return hash((TypeVariable, self.idx))
+        return self._cached_hash
 
     def __hash__(self):
-        return self._hash()
+        return self._cached_hash
 
     def __repr__(self):
         if self.name:
@@ -336,6 +345,8 @@ class DerivedTypeVariable(TypeVariable):
         if not self.labels:
             raise ValueError("A DerivedTypeVariable must have at least one label")
 
+        self._cached_hash = hash((DerivedTypeVariable, self.type_var, self.labels))
+
     def one_label(self) -> BaseLabel | None:
         return self.labels[0] if len(self.labels) == 1 else None
 
@@ -358,10 +369,10 @@ class DerivedTypeVariable(TypeVariable):
         )
 
     def _hash(self, visited=None):
-        return hash((DerivedTypeVariable, self.type_var, self.labels))
+        return self._cached_hash
 
     def __hash__(self):
-        return self._hash()
+        return self._cached_hash
 
     def __repr__(self):
         return ".".join([repr(self.type_var)] + [repr(lbl) for lbl in self.labels])
@@ -437,13 +448,16 @@ class TypeVariables:
 
 
 class BaseLabel:
-    __slots__ = ()
+    __slots__ = ("_cached_hash",)
+
+    def __init__(self):
+        self._cached_hash = hash((type(self), *tuple(getattr(self, k) for k in self.__slots__ if k != "_cached_hash")))
 
     def __eq__(self, other):
-        return type(self) is type(other) and hash(self) == hash(other)
+        return type(self) is type(other) and self._cached_hash == other._cached_hash
 
     def __hash__(self):
-        return hash((type(self), *tuple(getattr(self, k) for k in self.__slots__)))
+        return self._cached_hash
 
     @property
     def variance(self) -> Variance:
@@ -455,6 +469,7 @@ class FuncIn(BaseLabel):
 
     def __init__(self, loc):
         self.loc = loc
+        super().__init__()
 
     def __repr__(self):
         return f"in<{self.loc}>"
@@ -465,6 +480,7 @@ class FuncOut(BaseLabel):
 
     def __init__(self, loc):
         self.loc = loc
+        super().__init__()
 
     def __repr__(self):
         return f"out<{self.loc}>"
@@ -493,6 +509,7 @@ class AddN(BaseLabel):
 
     def __init__(self, n):
         self.n = n
+        super().__init__()
 
     def __repr__(self):
         return "+%d" % self.n
@@ -503,6 +520,7 @@ class SubN(BaseLabel):
 
     def __init__(self, n):
         self.n = n
+        super().__init__()
 
     def __repr__(self):
         return "-%d" % self.n
@@ -513,6 +531,7 @@ class ConvertTo(BaseLabel):
 
     def __init__(self, to_bits):
         self.to_bits = to_bits
+        super().__init__()
 
     def __repr__(self):
         return "conv(%d)" % self.to_bits
@@ -527,6 +546,7 @@ class ReinterpretAs(BaseLabel):
     def __init__(self, to_type, to_bits):
         self.to_type = to_type
         self.to_bits = to_bits
+        super().__init__()
 
     def __repr__(self):
         return f"reinterpret({self.to_type}{self.to_bits})"
@@ -541,6 +561,7 @@ class HasField(BaseLabel):
     def __init__(self, bits, offset):
         self.bits = bits
         self.offset = offset
+        super().__init__()
 
     def __repr__(self):
         if self.bits == MAX_POINTSTO_BITS:

angr/angrdb/db.py

@@ -43,7 +43,7 @@ class AngrDB:
         except DatabaseError as ex:
             raise AngrCorruptDBError("The target file may not be an angr database or it is corrupted.") from ex
         except Exception as ex:
-            raise AngrDBError(str(ex)) from ex
+            raise AngrDBError from ex
 
     @staticmethod
     @contextmanager

angr/block.py

@@ -142,6 +142,7 @@ class Block(Serializable):
         "_strict_block_end",
         "_cross_insn_opt",
         "_load_from_ro_regions",
+        "_const_prop",
         "_initial_regs",
     ]
 
@@ -164,6 +165,7 @@ class Block(Serializable):
         collect_data_refs=False,
         cross_insn_opt=True,
         load_from_ro_regions=False,
+        const_prop=False,
         initial_regs=None,
         skip_stmts=False,
     ):
@@ -191,7 +193,9 @@ class Block(Serializable):
         self.thumb = thumb
         self.addr = addr
         self._opt_level = opt_level
-        self._initial_regs: list[tuple[int, int, int]] | None = initial_regs if collect_data_refs else None
+        self._initial_regs: list[tuple[int, int, int]] | None = (
+            initial_regs if (collect_data_refs or const_prop) else None
+        )
 
         if self._project is None and byte_string is None:
             raise ValueError('"byte_string" has to be specified if "project" is not provided.')
@@ -218,6 +222,7 @@ class Block(Serializable):
                     strict_block_end=strict_block_end,
                     collect_data_refs=collect_data_refs,
                     load_from_ro_regions=load_from_ro_regions,
+                    const_prop=const_prop,
                     cross_insn_opt=cross_insn_opt,
                     skip_stmts=skip_stmts,
                 )
@@ -238,6 +243,7 @@ class Block(Serializable):
         self._strict_block_end = strict_block_end
         self._cross_insn_opt = cross_insn_opt
         self._load_from_ro_regions = load_from_ro_regions
+        self._const_prop = const_prop
 
         self._instructions = num_inst
         self._instruction_addrs: list[int] = []
@@ -342,6 +348,7 @@ class Block(Serializable):
                 strict_block_end=self._strict_block_end,
                 cross_insn_opt=self._cross_insn_opt,
                 load_from_ro_regions=self._load_from_ro_regions,
+                const_prop=self._const_prop,
             )
             if self._initial_regs:
                 self.reset_initial_regs()
@@ -373,6 +380,7 @@ class Block(Serializable):
             strict_block_end=self._strict_block_end,
             cross_insn_opt=self._cross_insn_opt,
             load_from_ro_regions=self._load_from_ro_regions,
+            const_prop=self._const_prop,
         )
         if self._initial_regs:
             self.reset_initial_regs()

angr/calling_conventions.py

@@ -69,7 +69,7 @@ class AllocHelper:
                 val.struct, {field: self.translate(subval, base) for field, subval in val._values.items()}
             )
         if isinstance(val, claripy.ast.Bits):
-            return val.replace(self.base, base)
+            return claripy.replace(val, self.base, base)
         if type(val) is list:
             return [self.translate(subval, base) for subval in val]
         raise TypeError(type(val))

angr/engines/engine.py

@@ -4,10 +4,16 @@ from __future__ import annotations
 import abc
 import logging
 import threading
-import angr
 
 from archinfo.arch_soot import SootAddressDescriptor
 
+import angr
+from angr import sim_options as o
+from angr.errors import SimException
+from angr.state_plugins.inspect import BP_AFTER, BP_BEFORE
+
+from .successors import SimSuccessors
+
 l = logging.getLogger(name=__name__)
 
 
@@ -32,12 +38,6 @@ class SimEngineBase:
         self.project = state[0]
         self.state = None
 
-    def _is_true(self, v):
-        return v is True
-
-    def _is_false(self, v):
-        return v is False
-
 
 class SimEngine(SimEngineBase, metaclass=abc.ABCMeta):
     """
@@ -183,7 +183,7 @@ class SuccessorsMixin(SimEngine):
 
         return self.successors
 
-    def process_successors(self, successors, **kwargs):
+    def process_successors(self, successors, **kwargs):  # pylint:disable=unused-argument
         """
         Implement this function to fill out the SimSuccessors object with the results of stepping state.
 
@@ -201,10 +201,3 @@ class SuccessorsMixin(SimEngine):
         :param kwargs:          Any extra arguments. Do not fail if you are passed unexpected arguments.
         """
         successors.processed = False  # mark failure
-
-
-# pylint:disable=wrong-import-position
-from angr import sim_options as o
-from angr.state_plugins.inspect import BP_BEFORE, BP_AFTER
-from .successors import SimSuccessors
-from angr.errors import SimException

angr/engines/pcode/lifter.py

@@ -122,6 +122,7 @@ class IRSB:
         "arch",
         "behaviors",
         "data_refs",
+        "const_vals",
         "default_exit_target",
         "jumpkind",
         "next",
@@ -138,6 +139,7 @@ class IRSB:
     arch: archinfo.Arch
     behaviors: BehaviorFactory | None
     data_refs: Sequence  # Note: currently unused
+    const_vals: Sequence  # Note: currently unused
     default_exit_target: Optional  # Note: currently used
     jumpkind: str | None
     next: int | None
@@ -204,6 +206,7 @@ class IRSB:
         self.arch = arch
         self.behaviors = None
         self.data_refs = ()
+        self.const_vals = ()
         self.default_exit_target = None
         self.jumpkind = None
         self.next = None
@@ -1043,6 +1046,7 @@ class PcodeLifterEngineMixin(SimEngineBase):
         collect_data_refs: bool = False,
         load_from_ro_regions: bool = False,
         cross_insn_opt: bool | None = None,
+        const_prop: bool | None = None,
     ):
         """
         Temporary compatibility interface for integration with block code.
@@ -1064,6 +1068,7 @@ class PcodeLifterEngineMixin(SimEngineBase):
             collect_data_refs,
             load_from_ro_regions,
             cross_insn_opt,
+            const_prop,
         )
 
     def lift_pcode(
@@ -1084,6 +1089,7 @@ class PcodeLifterEngineMixin(SimEngineBase):
         collect_data_refs: bool = False,
         load_from_ro_regions: bool = False,
         cross_insn_opt: bool | None = None,
+        const_prop: bool | None = None,
     ):
         """
         Lift an IRSB.
@@ -1111,6 +1117,8 @@ class PcodeLifterEngineMixin(SimEngineBase):
         """
         if cross_insn_opt:
             l.debug("cross_insn_opt is ignored for p-code lifter")
+        if const_prop:
+            l.debug("const_prop is ignored for p-code lifter")
         if load_from_ro_regions:
             l.debug("load_from_ro_regions is ignored for p-code lifter")
 

angr/engines/successors.py

@@ -356,7 +356,7 @@ class SimSuccessors:
                         if o.KEEP_IP_SYMBOLIC in split_state.options:
                             split_state.regs.ip = target
                         else:
-                            split_state.add_constraints(cond, action=True)
+                            split_state.add_constraints(cond)
                             split_state.regs.ip = a
                         if split_state.supports_inspect:
                             split_state.inspect.downsize()

angr/engines/vex/claripy/ccall.py

@@ -43,7 +43,7 @@ def boolean_extend(O, a, b, size):
 def op_concretize(op):
     if type(op) is int:
         return op
-    op_e = op.ite_excavated
+    op_e = claripy.excavate_ite(op)
     if op_e.op == "If":
         cases = list(claripy.reverse_ite_cases(op_e))
         if all(c.op == "BVV" for _, c in cases):

angr/engines/vex/claripy/datalayer.py

@@ -1,14 +1,15 @@
 from __future__ import annotations
+
 import logging
 
 import claripy
 import pyvex
 
-from . import irop
-from . import ccall
-from angr.engines.vex.light import VEXMixin
 from angr import errors
 from angr import sim_options as o
+from angr.engines.vex.light import VEXMixin
+
+from . import ccall, irop
 
 l = logging.getLogger(__name__)
 zero = claripy.BVV(0, 32)
@@ -39,13 +40,8 @@ class ClaripyDataMixin(VEXMixin):
 
     # util methods
 
-    def _is_true(self, v):
-        return claripy.is_true(v)
-
-    def _is_false(self, v):
-        return claripy.is_false(v)
-
-    def _optimize_guarded_addr(self, addr, guard):
+    @staticmethod
+    def _optimize_guarded_addr(addr, guard):
         # optimization: is the guard the same as the condition inside the address? if so, unpack the address and remove
         # the guarding condition.
         if (
@@ -65,6 +61,7 @@ class ClaripyDataMixin(VEXMixin):
 
     # statements
 
+    # pylint: disable=too-many-positional-arguments
     def _perform_vex_stmt_LoadG(self, addr, alt, guard, dst, cvt, end):
         addr = self._optimize_guarded_addr(addr, guard)
         super()._perform_vex_stmt_LoadG(addr, alt, guard, dst, cvt, end)