angr 9.2.123__py3-none-manylinux2014_x86_64.whl → 9.2.125__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/ssailification/traversal_engine.py

@@ -2,7 +2,7 @@ from __future__ import annotations
 from collections import OrderedDict
 
 from ailment.statement import Assignment, Call, Store, ConditionalJump
-from ailment.expression import Register, BinaryOp, StackBaseOffset, ITE, VEXCCallExpression
+from ailment.expression import Register, BinaryOp, StackBaseOffset, ITE, VEXCCallExpression, Tmp, DirtyExpression
 
 from angr.engines.light import SimEngineLight, SimEngineLightAILMixin
 from angr.utils.ssa import get_reg_offset_base
@@ -21,7 +21,14 @@ class SimEngineSSATraversal(
     state: TraversalState
 
     def __init__(
-        self, arch, sp_tracker=None, bp_as_gpr: bool = False, def_to_loc=None, loc_to_defs=None, stackvars: bool = False
+        self,
+        arch,
+        sp_tracker=None,
+        bp_as_gpr: bool = False,
+        def_to_loc=None,
+        loc_to_defs=None,
+        stackvars: bool = False,
+        tmps: bool = False,
     ):
         super().__init__()
 
@@ -29,14 +36,15 @@ class SimEngineSSATraversal(
         self.sp_tracker = sp_tracker
         self.bp_as_gpr = bp_as_gpr
         self.stackvars = stackvars
+        self.tmps = tmps
 
-        self.def_to_loc = def_to_loc if def_to_loc is not None else OrderedDict()
+        self.def_to_loc = def_to_loc if def_to_loc is not None else []
         self.loc_to_defs = loc_to_defs if loc_to_defs is not None else OrderedDict()
 
     def _handle_Assignment(self, stmt: Assignment):
         if isinstance(stmt.dst, Register):
             codeloc = self._codeloc()
-            self.def_to_loc[stmt.dst] = codeloc
+            self.def_to_loc.append((stmt.dst, codeloc))
             if codeloc not in self.loc_to_defs:
                 self.loc_to_defs[codeloc] = OrderedSet()
             self.loc_to_defs[codeloc].add(stmt.dst)
@@ -52,7 +60,7 @@ class SimEngineSSATraversal(
 
         if self.stackvars and isinstance(stmt.addr, StackBaseOffset) and isinstance(stmt.addr.offset, int):
             codeloc = self._codeloc()
-            self.def_to_loc[stmt] = codeloc
+            self.def_to_loc.append((stmt, codeloc))
             if codeloc not in self.loc_to_defs:
                 self.loc_to_defs[codeloc] = OrderedSet()
             self.loc_to_defs[codeloc].add(stmt)
@@ -69,7 +77,7 @@ class SimEngineSSATraversal(
     def _handle_Call(self, stmt: Call):
         if stmt.ret_expr is not None and isinstance(stmt.ret_expr, Register):
             codeloc = self._codeloc()
-            self.def_to_loc[stmt.ret_expr] = codeloc
+            self.def_to_loc.append((stmt.ret_expr, codeloc))
             if codeloc not in self.loc_to_defs:
                 self.loc_to_defs[codeloc] = OrderedSet()
             self.loc_to_defs[codeloc].add(stmt.ret_expr)
@@ -79,18 +87,30 @@ class SimEngineSSATraversal(
 
         super()._ail_handle_Call(stmt)
 
+    _handle_CallExpr = _handle_Call
+
     def _handle_Register(self, expr: Register):
         base_offset = get_reg_offset_base(expr.reg_offset, self.arch)
 
         if base_offset not in self.state.live_registers:
             codeloc = self._codeloc()
-            self.def_to_loc[expr] = codeloc
+            self.def_to_loc.append((expr, codeloc))
             if codeloc not in self.loc_to_defs:
                 self.loc_to_defs[codeloc] = OrderedSet()
             self.loc_to_defs[codeloc].add(expr)
 
             self.state.live_registers.add(base_offset)
 
+    def _handle_Tmp(self, expr: Tmp):
+        if self.tmps:
+            codeloc = self._codeloc()
+            self.def_to_loc.append((expr, codeloc))
+            if codeloc not in self.loc_to_defs:
+                self.loc_to_defs[codeloc] = OrderedSet()
+            self.loc_to_defs[codeloc].add(expr)
+
+            self.state.live_tmps.add(expr.tmp_idx)
+
     def _handle_Cmp(self, expr: BinaryOp):
         self._expr(expr.operands[0])
         self._expr(expr.operands[1])
@@ -123,9 +143,16 @@ class SimEngineSSATraversal(
         for operand in expr.operands:
             self._expr(operand)
 
+    def _handle_DirtyExpression(self, expr: DirtyExpression):
+        for operand in expr.operands:
+            self._expr(operand)
+        if expr.guard is not None:
+            self._expr(expr.guard)
+        if expr.maddr is not None:
+            self._expr(expr.maddr)
+
     def _handle_Dummy(self, expr):
         pass
 
     _handle_VirtualVariable = _handle_Dummy
     _handle_Phi = _handle_Dummy
-    _handle_DirtyExpression = _handle_Dummy

angr/analyses/decompiler/ssailification/traversal_state.py

@@ -18,6 +18,7 @@ class TraversalState:
 
         self.live_registers: set[int] = set() if live_registers is None else live_registers
         self.live_stackvars: set[tuple[int, int]] = set() if live_stackvars is None else live_stackvars
+        self.live_tmps: set[int] = set()  # tmps are internal to a block only and never propagated from another state
 
     def copy(self) -> TraversalState:
         return TraversalState(

angr/analyses/decompiler/structured_codegen/c.py

@@ -1408,7 +1408,7 @@ class CUnsupportedStatement(CStatement):
 class CDirtyStatement(CExpression):
     __slots__ = ("dirty",)
 
-    def __init__(self, dirty, **kwargs):
+    def __init__(self, dirty: CDirtyExpression, **kwargs):
         super().__init__(**kwargs)
         self.dirty = dirty
 
@@ -1420,7 +1420,7 @@ class CDirtyStatement(CExpression):
         indent_str = self.indent_str(indent=indent)
 
         yield indent_str, None
-        yield str(self.dirty), None
+        yield from self.dirty.c_repr_chunks()
         yield "\n", None
 
 
@@ -2303,6 +2303,38 @@ class CMultiStatementExpression(CExpression):
         yield ")", paren
 
 
+class CVEXCCallExpression(CExpression):
+    """
+    ccall_name(arg0, arg1, ...)
+    """
+
+    __slots__ = (
+        "callee",
+        "operands",
+        "tags",
+    )
+
+    def __init__(self, callee: str, operands: list[CExpression], tags=None, **kwargs):
+        super().__init__(**kwargs)
+        self.callee = callee
+        self.operands = operands
+        self.tags = tags
+
+    @property
+    def type(self):
+        return SimTypeInt().with_arch(self.codegen.project.arch)
+
+    def c_repr_chunks(self, indent=0, asexpr=False):
+        paren = CClosingObject("(")
+        yield f"{self.callee}", self
+        yield "(", paren
+        for idx, operand in enumerate(self.operands):
+            if idx != 0:
+                yield ", ", None
+            yield from operand.c_repr_chunks()
+        yield ")", paren
+
+
 class CDirtyExpression(CExpression):
     """
     Ideally all dirty expressions should be handled and converted to proper conversions during conversion from VEX to
@@ -2424,6 +2456,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             Expr.BinaryOp: self._handle_Expr_BinaryOp,
             Expr.Convert: self._handle_Expr_Convert,
             Expr.StackBaseOffset: self._handle_Expr_StackBaseOffset,
+            Expr.VEXCCallExpression: self._handle_Expr_VEXCCallExpression,
             Expr.DirtyExpression: self._handle_Expr_Dirty,
             Expr.ITE: self._handle_Expr_ITE,
             Expr.Reinterpret: self._handle_Reinterpret,
@@ -3318,7 +3351,8 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         return clabel
 
     def _handle_Stmt_Dirty(self, stmt: Stmt.DirtyStatement, **kwargs):
-        return CDirtyStatement(stmt, codegen=self)
+        dirty = self._handle(stmt.dirty)
+        return CDirtyStatement(dirty, codegen=self)
 
     #
     # AIL expression handlers
@@ -3519,7 +3553,11 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
         return CTypeCast(None, dst_type.with_arch(self.project.arch), child, tags=expr.tags, codegen=self)
 
-    def _handle_Expr_Dirty(self, expr, **kwargs):
+    def _handle_Expr_VEXCCallExpression(self, expr: Expr.VEXCCallExpression, **kwargs):
+        operands = [self._handle(arg) for arg in expr.operands]
+        return CVEXCCallExpression(expr.callee, operands, tags=expr.tags, codegen=self)
+
+    def _handle_Expr_Dirty(self, expr: Expr.DirtyExpression, **kwargs):
         return CDirtyExpression(expr, codegen=self)
 
     def _handle_Expr_ITE(self, expr: Expr.ITE, **kwargs):

angr/analyses/decompiler/structuring/phoenix.py

@@ -566,6 +566,9 @@ class PhoenixStructurer(StructurerBase):
 
             if next_node is node:
                 break
+            if next_node is head:
+                # we don't want a loop with region head not as the first node of the body!
+                return False, None
             if next_node is not node and next_node in seen_nodes:
                 return False, None
 

angr/analyses/patchfinder.py

@@ -0,0 +1,137 @@
+# pylint:disable=missing-class-docstring
+from __future__ import annotations
+import logging
+from typing import TYPE_CHECKING
+from collections import defaultdict
+from dataclasses import dataclass
+
+from sortedcontainers import SortedDict
+
+from angr.analyses import Analysis, AnalysesHub
+from angr.utils.bits import ffs
+
+if TYPE_CHECKING:
+    from angr.knowledge_plugins import Function
+
+
+log = logging.getLogger(__name__)
+
+
+class OverlappingFunctionsAnalysis(Analysis):
+    """
+    Identify functions with interleaved blocks.
+    """
+
+    overlapping_functions: dict[int, list[int]]
+
+    def __init__(self):
+        self.overlapping_functions = defaultdict(list)
+        addr_to_func_max_addr = SortedDict()
+
+        for func in self.project.kb.functions.values():
+            if func.is_alignment:
+                continue
+            func_max_addr = max((block.addr + block.size) for block in func.blocks)
+            addr_to_func_max_addr[func.addr] = (func, func_max_addr)
+
+        for idx, (addr, (func, max_addr)) in enumerate(addr_to_func_max_addr.items()):
+            for other_addr in addr_to_func_max_addr.islice(idx + 1):
+                if other_addr >= max_addr:
+                    break
+
+                self.overlapping_functions[addr].append(other_addr)
+
+
+class FunctionAlignmentAnalysis(Analysis):
+    """
+    Determine typical function alignment
+    """
+
+    alignment: int | None
+
+    def __init__(self):
+        self.alignment = None
+
+        if len(self.project.kb.functions) == 0:
+            if self.project.kb.cfgs.get_most_accurate() is None:
+                log.warning("Please run CFGFast analysis first, to identify functions")
+            return
+
+        alignment_bins = defaultdict(int)
+        count = 0
+        for func in self.project.kb.functions.values():
+            if not (func.is_alignment or func.is_plt or func.is_simprocedure):
+                alignment_bins[ffs(func.addr)] += 1
+                count += 1
+
+        # FIXME: Higher alignment values will be naturally aligned
+
+        typical_alignment = max(alignment_bins, key=lambda k: alignment_bins[k])
+        if count > 10 and alignment_bins[typical_alignment] >= count / 4:  # XXX: cutoff
+            self.alignment = 1 << max(typical_alignment, 0)
+            log.debug("Function alignment appears to be %d bytes", self.alignment)
+
+
+@dataclass
+class AtypicallyAlignedFunction:
+    function: Function
+    expected_alignment: int
+
+
+@dataclass
+class PatchedOutFunctionality:
+    patched_function: Function
+    patched_out_function: Function
+
+
+class PatchFinderAnalysis(Analysis):
+    """
+    Looks for binary patches using some basic heuristics:
+    - Looking for interleaved functions
+    - Looking for unaligned functions
+    """
+
+    # FIXME: Possible additional heuristics:
+    # - Jumps out to end of function, then back
+    # - Looking for patch jumps, e.g. push <addr>; ret
+    # - Looking for instruction partials broken by a patch (nodecode)
+    # - Unusual stack manipulation
+
+    atypical_alignments: list[Function]
+    possibly_patched_out: list[PatchedOutFunctionality]
+
+    def __init__(self):
+        self.atypical_alignments = []
+        self.possibly_patched_out = []
+
+        if len(self.project.kb.functions) == 0:
+            if self.project.kb.cfgs.get_most_accurate() is None:
+                log.warning("Please run CFGFast analysis first, to identify functions")
+            return
+
+        # In CFGFast with scanning enabled, a function may be created from unreachable blocks within another function.
+        # Search for interleaved/overlapping functions to identify possible patches.
+        overlapping_functions = self.project.analyses.OverlappingFunctions().overlapping_functions
+        for addr, overlapping_func_addrs in overlapping_functions.items():
+            func = self.project.kb.functions[addr]
+
+            # Are the overlapping functions reachable?
+            for overlapping_addr in overlapping_func_addrs:
+                overlapping_func = self.project.kb.functions[overlapping_addr]
+                if self.project.kb.callgraph.in_degree(overlapping_addr) == 0:
+                    self.possibly_patched_out.append(PatchedOutFunctionality(func, overlapping_func))
+                    # FIXME: What does the patch do?
+
+        # Look for unaligned functions
+        expected_alignment = self.project.analyses.FunctionAlignment().alignment
+        if expected_alignment is not None and expected_alignment > self.project.arch.instruction_alignment:
+            for func in self.project.kb.functions.values():
+                if not (func.is_alignment or func.is_plt or func.is_simprocedure) and func.addr & (
+                    expected_alignment - 1
+                ):
+                    self.atypical_alignments.append(AtypicallyAlignedFunction(func, expected_alignment))
+
+
+AnalysesHub.register_default("OverlappingFunctions", OverlappingFunctionsAnalysis)
+AnalysesHub.register_default("FunctionAlignment", FunctionAlignmentAnalysis)
+AnalysesHub.register_default("PatchFinder", PatchFinderAnalysis)

angr/analyses/pathfinder.py

@@ -0,0 +1,282 @@
+# pylint:disable=missing-class-docstring
+from __future__ import annotations
+from enum import Enum, auto
+from dataclasses import dataclass
+from weakref import ref
+from collections import defaultdict
+
+from networkx import DiGraph
+from networkx.algorithms.shortest_paths import single_target_shortest_path_length
+
+from angr.sim_state import SimState
+from angr.engines.successors import SimSuccessors
+from angr.knowledge_plugins.cfg import CFGModel, CFGNode
+from .analysis import Analysis, AnalysesHub
+
+
+class Unreachable(Exception):
+    pass
+
+
+@dataclass(eq=False)
+class SimStateMarker:
+    addr: int
+    parent: SimStateMarker | None = None
+    banned: bool = False
+    misses: int = 0
+
+    def __repr__(self):
+        inner_repr = "None" if self.parent is None else "..."
+        return f"SimStateMarker(addr={self.addr:#x}, parent={inner_repr}, banned={self.banned}, misses={self.misses})"
+
+
+class SuccessorsKind(Enum):
+    SAT = auto()
+    UNSAT = auto()
+    MISSING = auto()
+
+
+@dataclass
+class TestPathReport:
+    path_markers: dict[int, SimStateMarker]
+    termination: SuccessorsKind
+
+
+def nilref():
+    return None
+
+
+class Pathfinder(Analysis):
+    def __init__(self, start_state: SimState, goal_addr: int, cfg: CFGModel, cache_size=10000):
+        self.start_state = start_state
+        self.goal_addr = goal_addr
+        self.goal_state: SimState | None = None
+        self.cfg = cfg
+        self.cache_size = cache_size
+
+        # HACK HACK HACK HACK TODO FIXME FISH PLEASE GET RID OF THIS
+        extra_edges = []
+        for node in self.cfg.graph.nodes:
+            if node.is_syscall:
+                for pred in self.cfg.graph.pred[node]:
+                    for succ, data in self.cfg.graph.succ[pred].items():
+                        if data["jumpkind"] == "Ijk_FakeRet":
+                            extra_edges.append((node, succ))
+        for node, succ in extra_edges:
+            self.cfg.graph.add_edge(node, succ, jumpkind="Ijk_Ret")
+
+        goal_node = self.cfg.get_any_node(goal_addr)
+        if goal_node is None:
+            raise ValueError(f"Node {goal_addr:#x} is not in graph")
+
+        self.start_marker = SimStateMarker(start_state.addr)
+        self.transition_cache: DiGraph[SimStateMarker] = DiGraph()
+        self.transition_cache.add_node(self.start_marker, state=ref(start_state))
+        self.base_heuristic: dict[int, int] = {
+            node.addr: dist for node, dist in single_target_shortest_path_length(cfg.graph, goal_node)
+        }
+        self.state_cache = {}
+        self.unsat_markers = set()
+        self.extra_weight = defaultdict(int)
+
+        self._search_frontier_marker = self.start_marker
+        self._search_path: list[tuple[int, str]] = [(self.start_marker.addr, "Ijk_Boring")]
+        self._search_stack = []
+        self._search_backtrack_to = {self.start_marker}
+        self._search_address_backtrack_points = {self.start_marker.addr: self.start_marker}
+
+    def cache_state(self, state: SimState):
+        self.state_cache[state] = self.state_cache.pop(state, None)
+        if len(self.state_cache) > self.cache_size:
+            self.state_cache.pop(next(iter(self.state_cache)))
+
+    def marker_to_state(self, marker: SimStateMarker) -> SimState | None:
+        return self.transition_cache.nodes[marker]["state"]()
+
+    def analyze(self) -> bool:
+        while True:
+            search_path = self.find_best_hypothesis_path()
+            result = self.test_path(search_path)
+            if result.termination == SuccessorsKind.SAT:
+                self.goal_state = self.marker_to_state(result.path_markers[len(search_path) - 1])
+                return True
+            marker = result.path_markers[max(result.path_markers)]
+            marker.banned = True
+            self._search_backtrack_to.add(marker)
+            if result.termination == SuccessorsKind.UNSAT:
+                self.unsat_markers.add(marker)
+
+    def _search_backtrack(self):
+        if self._search_address_backtrack_points[self._search_frontier_marker.addr] is self._search_frontier_marker:
+            self._search_address_backtrack_points.pop(self._search_frontier_marker.addr)
+
+        self._search_frontier_marker = self._search_frontier_marker.parent
+        if self._search_frontier_marker is None:
+            raise Unreachable
+
+        addr, jumpkind = self._search_path.pop()
+        if jumpkind == "Ijk_Ret":
+            self._search_stack.append(addr)
+        elif jumpkind == "Ijk_Call" or jumpkind.startswith("Ijk_Sys"):
+            self._search_stack.pop()
+
+    def find_best_hypothesis_path(self) -> tuple[int, ...]:
+        assert self._search_backtrack_to, "Uhh every iteration should set at least one backtrack point"
+        if self.start_marker in self._search_backtrack_to:
+            self._search_frontier_marker = self.start_marker
+            self._search_path: list[tuple[int, str]] = [(self.start_marker.addr, "Ijk_Boring")]
+            self._search_stack = []
+            self._search_backtrack_to = set()
+        else:
+            while self._search_backtrack_to:
+                self._search_backtrack_to.discard(self._search_frontier_marker)
+                try:
+                    self._search_backtrack()
+                except Unreachable as e:
+                    raise RuntimeError("oops") from e
+
+        while self._search_path[-1][0] != self.goal_addr:
+            banned = {
+                marker.addr for marker in self.transition_cache.succ[self._search_frontier_marker] if marker.banned
+            }
+            current_node = self.cfg.get_any_node(self._search_path[-1][0])
+            options = [
+                (node, data["jumpkind"], self.base_heuristic[node.addr] + self.extra_weight[node.addr])
+                for node, data in self.cfg.graph.succ[current_node].items()
+                if data["jumpkind"] != "Ijk_FakeRet"
+                and node.addr not in banned
+                and node.addr in self.base_heuristic
+                and (data["jumpkind"] != "Ijk_Ret" or node.addr == self._search_stack[-1])
+            ]
+            if not options:
+                # backtrack
+                self._search_frontier_marker.banned = True
+                self._search_backtrack()
+                continue
+
+            best_node, best_jumpkind, best_weight = min(
+                options,
+                default=(None, None),
+                key=lambda xyz: xyz[2],
+            )
+
+            assert isinstance(best_jumpkind, str)
+            assert isinstance(best_node, CFGNode)
+            self.extra_weight[best_node.addr] += 1
+            self._search_path.append((best_node.addr, best_jumpkind))
+
+            if best_jumpkind == "Ijk_Call" or best_jumpkind.startswith("Ijk_Sys"):
+                self._search_stack.append(
+                    next(
+                        iter(
+                            node.addr
+                            for node, data in self.cfg.graph.succ[current_node].items()
+                            if data["jumpkind"] == "Ijk_FakeRet"
+                        ),
+                        None,
+                    )
+                )
+            elif best_jumpkind == "Ijk_Ret":
+                self._search_stack.pop()
+
+            frontier_marker_nullable = next(
+                (
+                    marker
+                    for marker in self.transition_cache.succ[self._search_frontier_marker]
+                    if marker.addr == best_node.addr
+                ),
+                None,
+            )
+            if frontier_marker_nullable is None:
+                new_marker = SimStateMarker(best_node.addr, self._search_frontier_marker)
+                self.transition_cache.add_node(new_marker, state=nilref)
+                self.transition_cache.add_edge(self._search_frontier_marker, new_marker)
+                self._search_frontier_marker = new_marker
+            else:
+                self._search_frontier_marker = frontier_marker_nullable
+
+            if self._search_frontier_marker.addr not in self._search_address_backtrack_points:
+                self._search_address_backtrack_points[self._search_frontier_marker.addr] = self._search_frontier_marker
+
+            # TODO does this go above the above stanza?
+            if sum(weight == best_weight for _, _, weight in options) != 1:
+                self._search_backtrack_to.add(self._search_address_backtrack_points[self._search_frontier_marker.addr])
+
+        return tuple(addr for addr, _ in self._search_path)
+
+    def diagnose_unsat(self, state: SimState):
+        pass
+
+    def test_path(self, bbl_addr_trace: tuple[int, ...]) -> TestPathReport:
+        assert bbl_addr_trace[0] == self.start_marker.addr, "Paths must begin with the start state"
+
+        known_markers = [self.start_marker]
+        for addr in bbl_addr_trace[1:]:
+            for succ in self.transition_cache.succ[known_markers[-1]]:
+                if succ.addr == addr:
+                    break
+            else:
+                break
+            known_markers.append(succ)
+
+        marker = None
+        for ri, marker_ in enumerate(reversed(known_markers)):
+            i = len(known_markers) - 1 - ri
+            state: SimState = self.transition_cache.nodes[marker_]["state"]()
+            marker = marker_
+            if state is not None:
+                break
+        else:
+            assert False, "The first item in known_markers should always have a resolvable weakref"
+
+        while i != len(bbl_addr_trace) - 1:
+            assert state.addr == bbl_addr_trace[i]
+
+            marker.misses += 1
+            successors = state.step(strict_block_end=True)
+            succ, kind = find_successor(successors, bbl_addr_trace[i + 1])
+
+            # cache state
+            if i + 1 < len(known_markers):
+                succ_marker = known_markers[i + 1]
+            else:
+                succ_marker = SimStateMarker(bbl_addr_trace[i + 1], parent=marker)
+                self.transition_cache.add_node(succ_marker)
+            self.transition_cache.add_edge(marker, succ_marker)
+            self.transition_cache.nodes[succ_marker]["state"] = ref(succ) if succ is not None else nilref
+            if succ is not None:
+                self.cache_state(succ)
+
+            if kind == SuccessorsKind.SAT:
+                assert succ is not None
+                state = succ
+                marker = succ_marker
+                i += 1
+                continue
+            if kind == SuccessorsKind.UNSAT:
+                assert succ is not None
+                return TestPathReport(
+                    path_markers={i: marker, i + 1: succ_marker},
+                    termination=SuccessorsKind.UNSAT,
+                )
+            return TestPathReport(path_markers={i: marker, i + 1: succ_marker}, termination=SuccessorsKind.MISSING)
+
+        return TestPathReport(path_markers={i: marker}, termination=SuccessorsKind.SAT)
+
+
+def find_successor(successors: SimSuccessors, target_addr: int) -> tuple[SimState | None, SuccessorsKind]:
+    for succ in successors.flat_successors:
+        if succ.addr == target_addr:
+            return succ, SuccessorsKind.SAT
+    for succ in successors.unsat_successors:
+        if succ.addr == target_addr:
+            return succ, SuccessorsKind.UNSAT
+    for succ in successors.unconstrained_successors:
+        succ2 = succ.copy()
+        succ2.add_constraints(succ2._ip == target_addr)
+        if succ2.satisfiable():
+            return succ2, SuccessorsKind.SAT
+    return None, SuccessorsKind.MISSING
+
+
+AnalysesHub.register_default("Pathfinder", Pathfinder)

angr/analyses/propagator/engine_ail.py

@@ -740,9 +740,16 @@ class SimEnginePropagatorAIL(
         return PropValue.from_value_and_details(v, expr.size, expr, self._codeloc())
 
     def _ail_handle_DirtyExpression(self, expr: Expr.DirtyExpression) -> PropValue | None:  # pylint:disable=no-self-use
-        if isinstance(expr.dirty_expr, Expr.VEXCCallExpression):
-            for operand in expr.dirty_expr.operands:
-                _ = self._expr(operand)
+        for operand in expr.operands:
+            _ = self._expr(operand)
+
+        return PropValue.from_value_and_details(self.state.top(expr.bits), expr.size, expr, self._codeloc())
+
+    def _ail_handle_VEXCCallExpression(
+        self, expr: Expr.VEXCCallExpression
+    ) -> PropValue | None:  # pylint:disable=no-self-use
+        for operand in expr.operands:
+            _ = self._expr(operand)
 
         return PropValue.from_value_and_details(self.state.top(expr.bits), expr.size, expr, self._codeloc())