PyPI - angr - Versions diffs - 9.2.123__py3-none-macosx_11_0_arm64.whl → 9.2.124__py3-none-macosx_11_0_arm64.whl - Mend

angr 9.2.123__py3-none-macosx_11_0_arm64.whl → 9.2.124__py3-none-macosx_11_0_arm64.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of angr might be problematic. Click here for more details.

Files changed (84) hide show

angr/analyses/decompiler/optimization_passes/inlined_string_transformation_simplifier.py CHANGED Viewed

@@ -13,6 +13,7 @@ from ailment.expression import (
     BinaryOp,
     VirtualVariable,
     Phi,
+    UnaryOp,
     VirtualVariableCategory,
 )
 from ailment.statement import ConditionalJump, Jump, Assignment
@@ -238,6 +239,12 @@ class InlinedStringTransformationAILEngine(SimEngineLightAILMixin):
                 return self.state.vvar_load(vvar)
         return None
+    def _handle_Neg(self, expr: UnaryOp):
+        v = self._expr(expr.operand)
+        if isinstance(v, claripy.ast.Bits):
+            return ~v
+        return None
     def _handle_Convert(self, expr: Convert):
         v = self._expr(expr.operand)
         if isinstance(v, claripy.ast.Bits):

angr/analyses/decompiler/optimization_passes/ite_region_converter.py CHANGED Viewed

@@ -202,6 +202,7 @@ class ITERegionConverter(OptimizationPass):
         true_stmt_src = true_stmt.src if isinstance(true_stmt, Assignment) else true_stmt
         true_stmt_dst = true_stmt.dst if isinstance(true_stmt, Assignment) else true_stmt.ret_expr
         false_stmt_src = false_stmt.src if isinstance(false_stmt, Assignment) else false_stmt
+        false_stmt_dst = false_stmt.dst if isinstance(false_stmt, Assignment) else false_stmt.ret_expr
         addr_obj = true_stmt_src if "ins_addr" in true_stmt_src.tags else true_stmt
         ternary_expr = ITE(
@@ -209,9 +210,7 @@ class ITERegionConverter(OptimizationPass):
             conditional_jump.condition,
             false_stmt_src,
             true_stmt_src,
-            ins_addr=addr_obj.ins_addr,
-            vex_block_addr=addr_obj.vex_block_addr,
-            vex_stmt_idx=addr_obj.vex_stmt_idx,
+            **addr_obj.tags,
         )
         dst = VirtualVariable(
             true_stmt_dst.idx,
@@ -261,12 +260,32 @@ class ITERegionConverter(OptimizationPass):
             if not is_phi_assignment(stmt):
                 stmts.append(stmt)
                 continue
+            # is this the statement that we are looking for?
+            found_true_src_vvar, found_false_src_vvar = False, False
+            for src, vvar in stmt.src.src_and_vvars:
+                if vvar is not None:
+                    if vvar.varid == true_stmt_dst.varid:
+                        found_true_src_vvar = True
+                    elif vvar.varid == false_stmt_dst.varid:
+                        found_false_src_vvar = True
+            # we should only update the vvars of this phi statement if we found both true and false source vvars
+            update_vars = found_true_src_vvar and found_false_src_vvar
             new_src_and_vvars = []
+            original_vvars = []
             for src, vvar in stmt.src.src_and_vvars:
                 if src not in region_tail_pred_srcs:
                     new_src_and_vvars.append((src, vvar))
+                else:
+                    original_vvars.append(vvar)
             new_vvar = new_assignment.dst.copy()
-            new_src_and_vvars.append(((region_head.addr, region_head.idx), new_vvar))
+            if update_vars:
+                new_src_and_vvars.append(((region_head.addr, region_head.idx), new_vvar))
+            else:
+                new_src_and_vvars.append(
+                    ((region_head.addr, region_head.idx), original_vvars[0] if original_vvars else None)
+                )
             new_phi = Phi(
                 stmt.src.idx,

angr/analyses/decompiler/optimization_passes/optimization_pass.py CHANGED Viewed

@@ -1,7 +1,7 @@
 # pylint:disable=unused-argument
 from __future__ import annotations
 import logging
-from typing import TYPE_CHECKING
+from typing import Any, TYPE_CHECKING
 from collections.abc import Generator
 from enum import Enum
@@ -117,6 +117,7 @@ class OptimizationPass(BaseOptimizationPass):
         reaching_definitions=None,
         vvar_id_start=None,
         entry_node_addr=None,
+        scratch: dict[str, Any] | None = None,
         **kwargs,
     ):
         super().__init__(func)
@@ -127,6 +128,7 @@ class OptimizationPass(BaseOptimizationPass):
         self._variable_kb = variable_kb
         self._ri = region_identifier
         self._rd = reaching_definitions
+        self._scratch = scratch if scratch is not None else {}
         self._new_block_addrs = set()
         self.vvar_id_start = vvar_id_start
         self.entry_node_addr: tuple[int, int | None] = (

angr/analyses/decompiler/optimization_passes/return_duplicator_base.py CHANGED Viewed

@@ -1,6 +1,5 @@
 from __future__ import annotations
 from typing import Any
-from itertools import count
 import copy
 import logging
@@ -78,23 +77,27 @@ class ReturnDuplicatorBase:
     def __init__(
         self,
         func,
-        node_idx_start: int = 0,
         max_calls_in_regions: int = 2,
         minimize_copies_for_regions: bool = True,
         ri: RegionIdentifier | None = None,
         vvar_id_start: int | None = None,
-        **kwargs,
+        scratch: dict[str, Any] | None = None,
     ):
-        self.node_idx = count(start=node_idx_start)
         self._max_calls_in_region = max_calls_in_regions
         self._minimize_copies_for_regions = minimize_copies_for_regions
         self._supergraph = None
         # this should also be set by the optimization passes initer
+        self.scratch = scratch if scratch is not None else {}
         self._func = func
         self._ri: RegionIdentifier | None = ri
         self.vvar_id_start = vvar_id_start
+    def next_node_idx(self) -> int:
+        node_idx = self.scratch.get("returndup_node_idx", 0) + 1
+        self.scratch["returndup_node_idx"] = node_idx
+        return node_idx
     #
     # must implement these methods
     #
@@ -208,7 +211,7 @@ class ReturnDuplicatorBase:
                 else:
                     node_copy = copy.deepcopy(node)
                 node_copy = self._use_fresh_virtual_variables(node_copy, vvar_mapping)
-                node_copy.idx = next(self.node_idx)
+                node_copy.idx = self.next_node_idx()
                 self._fix_copied_node_labels(node_copy)
                 copies[node] = node_copy

angr/analyses/decompiler/optimization_passes/return_duplicator_high.py CHANGED Viewed

@@ -1,5 +1,6 @@
 from __future__ import annotations
 import logging
+from typing import Any
 import networkx
@@ -26,22 +27,26 @@ class ReturnDuplicatorHigh(OptimizationPass, ReturnDuplicatorBase):
     def __init__(
         self,
         func,
-        # internal parameters that should be used by Clinic
-        node_idx_start: int = 0,
         # settings
         max_calls_in_regions: int = 2,
         minimize_copies_for_regions: bool = True,
+        region_identifier=None,
+        vvar_id_start: int | None = None,
+        scratch: dict[str, Any] | None = None,
         **kwargs,
     ):
+        OptimizationPass.__init__(
+            self, func, vvar_id_start=vvar_id_start, scratch=scratch, region_identifier=region_identifier, **kwargs
+        )
         ReturnDuplicatorBase.__init__(
             self,
             func,
-            node_idx_start=node_idx_start,
             max_calls_in_regions=max_calls_in_regions,
             minimize_copies_for_regions=minimize_copies_for_regions,
-            **kwargs,
+            ri=region_identifier,
+            vvar_id_start=vvar_id_start,
+            scratch=scratch,
         )
-        OptimizationPass.__init__(self, func, **kwargs)
         # since we run before the RegionIdentification pass in the decompiler, we need to collect it early here
         self._ri = self._recover_regions(self._graph)

angr/analyses/decompiler/optimization_passes/return_duplicator_low.py CHANGED Viewed

@@ -1,6 +1,7 @@
 from __future__ import annotations
 import logging
 import inspect
+from typing import Any
 import networkx
@@ -46,25 +47,35 @@ class ReturnDuplicatorLow(StructuringOptimizationPass, ReturnDuplicatorBase):
     def __init__(
         self,
         func,
-        # internal parameters that should be used by Clinic
-        node_idx_start: int = 0,
         # settings
         max_opt_iters: int = 4,
         max_calls_in_regions: int = 2,
         prevent_new_gotos: bool = True,
         minimize_copies_for_regions: bool = True,
+        region_identifier=None,
+        vvar_id_start: int | None = None,
+        scratch: dict[str, Any] | None = None,
         **kwargs,
     ):
+        StructuringOptimizationPass.__init__(
+            self,
+            func,
+            max_opt_iters=max_opt_iters,
+            prevent_new_gotos=prevent_new_gotos,
+            require_gotos=True,
+            vvar_id_start=vvar_id_start,
+            scratch=scratch,
+            region_identifier=region_identifier,
+            **kwargs,
+        )
         ReturnDuplicatorBase.__init__(
             self,
             func,
-            node_idx_start=node_idx_start,
             max_calls_in_regions=max_calls_in_regions,
             minimize_copies_for_regions=minimize_copies_for_regions,
-            **kwargs,
-        )
-        StructuringOptimizationPass.__init__(
-            self, func, max_opt_iters=max_opt_iters, prevent_new_gotos=prevent_new_gotos, require_gotos=True, **kwargs
+            ri=region_identifier,
+            vvar_id_start=vvar_id_start,
+            scratch=scratch,
         )
         self.analyze()

angr/analyses/decompiler/optimization_passes/switch_default_case_duplicator.py CHANGED Viewed

@@ -75,8 +75,12 @@ class SwitchDefaultCaseDuplicator(OptimizationPass):
         default_case_node_addrs = cache["default_case_node_addrs"]
         out_graph = None
+        duplicated_default_addrs: set[int] = set()
         for switch_head_addr, jump_node_addr, default_addr in default_case_node_addrs:
+            if default_addr in duplicated_default_addrs:
+                continue
             default_case_node = self._func.get_node(default_addr)
             unexpected_pred_addrs = {
                 pred.addr
@@ -92,6 +96,8 @@ class SwitchDefaultCaseDuplicator(OptimizationPass):
                 for jump_node in jump_nodes:
                     jump_node_descedents |= networkx.descendants(self._graph, jump_node)
+                duplicated_default_addrs.add(default_addr)
                 # duplicate default_case_node for each unexpected predecessor
                 for unexpected_pred_addr in unexpected_pred_addrs:
                     for unexpected_pred in self._get_blocks(unexpected_pred_addr):

angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py CHANGED Viewed

@@ -100,6 +100,8 @@ class WinStackCanarySimplifier(OptimizationPass):
         for pred_addr in pred_addr_to_endpoint_addrs:
             # the predecessor should call _security_check_cookie
             endpoint_preds = list(self._get_blocks(pred_addr))
+            if not endpoint_preds:
+                continue
             if self._find_stmt_calling_security_check_cookie(endpoint_preds[0]) is None:
                 _l.debug("The predecessor does not call _security_check_cookie().")
                 continue

angr/analyses/decompiler/peephole_optimizations/const_mull_a_shift.py CHANGED Viewed

@@ -182,6 +182,8 @@ class ConstMullAShift(PeepholeOptimizationExprBase):
     @staticmethod
     def _check_divisor(a, b, ndigits=6):
+        if b == 0:
+            return None
         divisor_1 = 1 + (a // b)
         divisor_2 = int(round(a / float(b), ndigits))
         return divisor_1 if divisor_1 == divisor_2 else None

angr/analyses/decompiler/peephole_optimizations/remove_cascading_conversions.py CHANGED Viewed

@@ -11,9 +11,15 @@ class RemoveCascadingConversions(PeepholeOptimizationExprBase):
     expr_classes = (Convert,)
     def optimize(self, expr: Convert, **kwargs):
-        if isinstance(expr.operand, Convert):
+        if (
+            expr.from_type == Convert.TYPE_INT
+            and expr.to_type == Convert.TYPE_INT
+            and isinstance(expr.operand, Convert)
+            and expr.operand.from_type == Convert.TYPE_INT
+            and expr.operand.to_type == Convert.TYPE_INT
+        ):
             inner = expr.operand
-            if inner.from_bits == expr.to_bits:
+            if inner.from_bits == expr.to_bits and inner.from_type == expr.to_type:
                 if inner.from_bits < inner.to_bits:
                     # extension -> truncation
                     return inner.operand

angr/analyses/decompiler/region_identifier.py CHANGED Viewed

@@ -163,6 +163,22 @@ class RegionIdentifier(Analysis):
                 raise AngrRuntimeError("Cannot find the start node from the graph!") from ex
         raise AngrRuntimeError("Cannot find the start node from the graph!")
+    def _get_entry_node(self, graph: networkx.DiGraph):
+        if self.entry_node_addr is None:
+            return None
+        return next(
+            (
+                n
+                for n in graph.nodes()
+                if (
+                    (n.addr, n.idx) == self.entry_node_addr
+                    if isinstance(n, Block)
+                    else n.addr == self.entry_node_addr[0]
+                )
+            ),
+            None,
+        )
     def _test_reducibility(self):
         # make a copy of the graph
         graph = networkx.DiGraph(self._graph)
@@ -188,8 +204,19 @@ class RegionIdentifier(Analysis):
         return len(graph.nodes) == 1
     def _make_supergraph(self, graph: networkx.DiGraph):
+        entry_node = None
+        if self.entry_node_addr is not None:
+            entry_node = next(iter(nn for nn in graph if nn.addr == self.entry_node_addr[0]), None)
         while True:
             for src, dst, data in graph.edges(data=True):
+                if entry_node is not None and dst is entry_node:
+                    # the entry node must be kept instead of merged with its predecessor (which can happen in real
+                    # binaries! e.g., 444a401b900eb825f216e95111dcb6ef94b01a81fc7b88a48599867db8c50365, function
+                    # 0x1802BEA28, block 0x1802BEA05 and 0x1802BEA28)
+                    continue
                 type_ = data.get("type", None)
                 if type_ == "fake_return":
                     if len(list(graph.successors(src))) == 1 and len(list(graph.predecessors(dst))) == 1:
@@ -452,6 +479,8 @@ class RegionIdentifier(Analysis):
     #
     def _make_cyclic_region(self, head, graph: networkx.DiGraph):
+        original_entry = self._get_entry_node(graph)
         l.debug("Found cyclic region at %#08x", head.addr)
         initial_loop_nodes = self._find_initial_loop_nodes(graph, head)
         l.debug("Initial loop nodes %s", self._dbg_block_list(initial_loop_nodes))
@@ -505,6 +534,13 @@ class RegionIdentifier(Analysis):
             # multi-successor region. refinement is required
             self._refine_loop_successors(region, graph)
+        # if the head node is in the graph and it's not the head of the graph, we will need to update the head node
+        # address.
+        if original_entry is not None and original_entry in region.graph and region.head is not original_entry:
+            self.entry_node_addr = (head.addr, None)
+            # FIXME: the identified region will probably be incorrect. we may need to add a jump block that jumps to
+            #  original_entry.
         return region
     def _refine_loop_successors(self, region, graph: networkx.DiGraph):

angr/analyses/decompiler/region_simplifiers/loop.py CHANGED Viewed

@@ -16,6 +16,7 @@ from angr.analyses.decompiler.structuring.structurer_nodes import (
     CascadingConditionNode,
 )
 from angr.analyses.decompiler.utils import is_statement_terminating, has_nonlabel_nonphi_statements
+from angr.utils.ail import is_phi_assignment
 class LoopSimplifier(SequenceWalker):
@@ -104,14 +105,7 @@ class LoopSimplifier(SequenceWalker):
             )
             and (
                 all(has_nonlabel_nonphi_statements(block) for block in self.continue_preludes[node])
-                and all(
-                    not self._control_transferring_statement(block.statements[-1])
-                    for block in self.continue_preludes[node]
-                )
-                and all(
-                    block.statements[-1] == self.continue_preludes[node][0].statements[-1]
-                    for block in self.continue_preludes[node]
-                )
+                and all(not is_phi_assignment(block.statements[-1]) for block in self.continue_preludes[node])
             )
         ):
             node.sort = "for"

angr/analyses/decompiler/region_simplifiers/switch_cluster_simplifier.py CHANGED Viewed

@@ -284,6 +284,10 @@ def simplify_switch_clusters(
     for variable in var2switches:
         switch_regions = var2switches[variable]
+        if len(switch_regions) <= 1:
+            # nothing to simplify or merge if there is only one switch region
+            continue
         cond_regions = list(var2condnodes[variable])
         if not cond_regions:
@@ -449,10 +453,10 @@ def simplify_switch_clusters(
         # build the SwitchCase node and replace old nodes in the parent node
         cases_dict = OrderedDict(cases)
         new_switchcase = SwitchCaseNode(
-            switch_regions_default_nodes[0].node.switch_expr,
+            switch_regions[0].node.switch_expr,
             cases_dict,
             default_node,
-            addr=switch_regions_default_nodes[0].node.addr,
+            addr=switch_regions[0].node.addr,
         )
         # what are we trying to replace?
@@ -525,13 +529,15 @@ def simplify_lowered_switches_core(
     if outermost_node is None:
         return False
+    if not isinstance(outermost_node, ConditionNode):
+        return False
     if isinstance(outermost_node.condition, UnaryOp) and outermost_node.condition.op == "Not":
         # attempt to flip any simple negated comparison for normalized operations
         outermost_node.condition = negate(outermost_node.condition.operand)
     caseno_to_node = {}
     default_node_candidates: list[tuple[BaseNode, BaseNode]] = []  # parent to default node candidate
-    stack: list[(ConditionNode, int, int)] = [(outermost_node, 0, 0xFFFF_FFFF_FFFF_FFFF)]
+    stack: list[tuple[BaseNode, int, int]] = [(outermost_node, 0, 0xFFFF_FFFF_FFFF_FFFF)]
     while stack:
         node, min_, max_ = stack.pop(0)
         if node not in node_to_condnode:

angr/analyses/decompiler/ssailification/rewriting.py CHANGED Viewed

@@ -9,7 +9,7 @@ import networkx
 import ailment
 from ailment import Block
 from ailment.expression import Expression, Phi, VirtualVariable, VirtualVariableCategory
-from ailment.statement import Assignment, Label
+from ailment.statement import Statement, Assignment, Label
 from angr.code_location import CodeLocation
 from angr.analyses import ForwardAnalysis
@@ -38,6 +38,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         udef_to_phiid: dict[tuple, set[int]],
         phiid_to_loc: dict[int, tuple[int, int | None]],
         stackvar_locs: dict[int, int],
+        rewrite_tmps: bool,
         ail_manager,
         vvar_id_start: int = 0,
     ):
@@ -52,6 +53,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         self._udef_to_phiid = udef_to_phiid
         self._phiid_to_loc = phiid_to_loc
         self._stackvar_locs = stackvar_locs
+        self._rewrite_tmps = rewrite_tmps
         self._ail_manager = ail_manager
         self._engine_ail = SimEngineSSARewriting(
             self.project.arch,
@@ -61,6 +63,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
             udef_to_phiid=self._udef_to_phiid,
             phiid_to_loc=self._phiid_to_loc,
             stackvar_locs=self._stackvar_locs,
+            rewrite_tmps=self._rewrite_tmps,
             ail_manager=ail_manager,
             vvar_id_start=vvar_id_start,
         )
@@ -71,7 +74,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
         self._analyze()
-        self.def_to_vvid: dict[Expression, int] = self._engine_ail.def_to_vvid
+        self.def_to_vvid: dict[tuple[int, int | None, int, Expression | Statement], int] = self._engine_ail.def_to_vvid
         self.out_graph = self._make_new_graph(ail_graph)
     @property