angr 9.2.123__py3-none-manylinux2014_x86_64.whl → 9.2.125__py3-none-manylinux2014_x86_64.whl

angr/analyses/reaching_definitions/engine_ail.py

@@ -7,7 +7,6 @@ import logging
 import archinfo
 import claripy
 import ailment
-import pyvex
 from claripy import FSORT_DOUBLE, FSORT_FLOAT
 
 from angr.engines.light import SimEngineLight, SimEngineLightAILMixin, SpOffset
@@ -364,17 +363,7 @@ class SimEngineRDAIL(
         # self.state.add_use(Register(self.project.arch.sp_offset, self.project.arch.bits // 8))
 
     def _ail_handle_DirtyStatement(self, stmt: ailment.Stmt.DirtyStatement):
-        # TODO: The logic below is subject to change when ailment.Stmt.DirtyStatement is changed
-
-        if isinstance(stmt.dirty_stmt, pyvex.stmt.Dirty):
-            # TODO: We need dirty helpers for a more complete understanding of clobbered registers
-            tmp = stmt.dirty_stmt.tmp
-            if tmp in (-1, 0xFFFFFFFF):
-                return
-            size = 32  # FIXME: We don't know the size.
-            self.state.kill_and_add_definition(Tmp(tmp, size), MultiValues(self.state.top(size)))
-        else:
-            l.warning("Unexpected type of dirty statement %s.", type(stmt.dirty_stmt))
+        self._expr(stmt.dirty)
 
     #
     # AIL expression handlers
@@ -1125,12 +1114,18 @@ class SimEngineRDAIL(
         stack_addr = self.state.stack_address(expr.offset)
         return MultiValues(stack_addr)
 
+    def _ail_handle_VEXCCallExpression(self, expr: ailment.Expr.VEXCCallExpression) -> MultiValues:
+        for operand in expr.operands:
+            self._expr(operand)
+
+        top = self.state.top(expr.bits)
+        return MultiValues(top)
+
     def _ail_handle_DirtyExpression(
         self, expr: ailment.Expr.DirtyExpression
     ) -> MultiValues:  # pylint:disable=no-self-use
-        if isinstance(expr.dirty_expr, ailment.Expr.VEXCCallExpression):
-            for operand in expr.dirty_expr.operands:
-                self._expr(operand)
+        for operand in expr.operands:
+            self._expr(operand)
 
         top = self.state.top(expr.bits)
         return MultiValues(top)

angr/analyses/s_propagator.py

@@ -238,15 +238,22 @@ class SPropagatorAnalysis(Analysis):
 
                     if len(tmp_uses) <= 2:
                         tmp_used, tmp_use_stmtidx = next(iter(tmp_uses))
-                        if is_const_vvar_load_dirty_assignment(stmt) and not any(
-                            isinstance(stmt_, Store)
-                            for stmt_ in block.statements[tmp_def_stmtidx + 1 : tmp_use_stmtidx]
-                        ):
-                            # we can propagate this load because there is no store between its def and use
-                            replacements[
-                                CodeLocation(block_loc.block_addr, tmp_use_stmtidx, block_idx=block_loc.block_idx)
-                            ][tmp_used] = stmt.src
-                            continue
+                        if is_const_vvar_load_dirty_assignment(stmt):
+                            same_inst = (
+                                block.statements[tmp_def_stmtidx].ins_addr == block.statements[tmp_use_stmtidx].ins_addr
+                            )
+                            has_store = any(
+                                isinstance(stmt_, Store)
+                                for stmt_ in block.statements[tmp_def_stmtidx + 1 : tmp_use_stmtidx]
+                            )
+                            if same_inst or not has_store:
+                                # we can propagate this load because either we do not consider memory aliasing problem
+                                # within the same instruction (blocks must be originally lifted with
+                                # CROSS_INSN_OPT=False), or there is no store between its def and use.
+                                replacements[
+                                    CodeLocation(block_loc.block_addr, tmp_use_stmtidx, block_idx=block_loc.block_idx)
+                                ][tmp_used] = stmt.src
+                                continue
 
         self.model.replacements = replacements
 

angr/analyses/s_reaching_definitions/s_rda_view.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 import logging
 from collections import defaultdict
 
-from ailment.statement import Assignment, Call, Label
+from ailment.statement import Statement, Assignment, Call, Label
 from ailment.expression import VirtualVariable, Expression
 
 from angr.utils.ail import is_phi_assignment
@@ -17,27 +17,141 @@ from .s_rda_model import SRDAModel
 log = logging.getLogger(__name__)
 
 
-class SRDAView:
+class RegVVarPredicate:
     """
-    A view of SRDA model that provides various functionalities for querying the model.
+    Implements a predicate that is used in get_reg_vvar_by_stmt_idx and get_reg_vvar_by_insn.
     """
 
-    def __init__(self, model: SRDAModel):
-        self.model = model
+    def __init__(self, reg_offset: int, vvars: set[VirtualVariable], arch):
+        self.reg_offset = reg_offset
+        self.vvars = vvars
+        self.arch = arch
 
     def _get_call_clobbered_regs(self, stmt: Call) -> set[int]:
         cc = stmt.calling_convention
         if cc is None:
             # get the default calling convention
-            cc = default_cc(self.model.arch.name)  # TODO: platform and language
+            cc = default_cc(self.arch.name)  # TODO: platform and language
         if cc is not None:
             reg_list = cc.CALLER_SAVED_REGS
             if isinstance(cc.RETURN_VAL, SimRegArg):
                 reg_list.append(cc.RETURN_VAL.reg_name)
-            return {self.model.arch.registers[reg_name][0] for reg_name in reg_list}
+            return {self.arch.registers[reg_name][0] for reg_name in reg_list}
         log.warning("Cannot determine registers that are clobbered by call statement %r.", stmt)
         return set()
 
+    def predicate(self, stmt: Statement) -> bool:
+        if (
+            isinstance(stmt, Assignment)
+            and isinstance(stmt.dst, VirtualVariable)
+            and stmt.dst.was_reg
+            and stmt.dst.reg_offset == self.reg_offset
+        ):
+            self.vvars.add(stmt.dst)
+            return True
+        if isinstance(stmt, Call):
+            if (
+                isinstance(stmt.ret_expr, VirtualVariable)
+                and stmt.ret_expr.was_reg
+                and stmt.ret_expr.reg_offset == self.reg_offset
+            ):
+                self.vvars.add(stmt.ret_expr)
+                return True
+            # is it clobbered maybe?
+            clobbered_regs = self._get_call_clobbered_regs(stmt)
+            if self.reg_offset in clobbered_regs:
+                return True
+        return False
+
+
+class StackVVarPredicate:
+    """
+    Implements a predicate that is used in get_stack_vvar_by_stmt_idx and get_stack_vvar_by_insn.
+    """
+
+    def __init__(self, stack_offset: int, size: int, vvars: set[VirtualVariable]):
+        self.stack_offset = stack_offset
+        self.size = size
+        self.vvars = vvars
+
+    def predicate(self, stmt: Statement) -> bool:
+        if (
+            isinstance(stmt, Assignment)
+            and isinstance(stmt.dst, VirtualVariable)
+            and stmt.dst.was_stack
+            and stmt.dst.stack_offset == self.stack_offset
+            and stmt.dst.size == self.size
+        ):
+            self.vvars.add(stmt.dst)
+            return True
+        return False
+
+
+class SRDAView:
+    """
+    A view of SRDA model that provides various functionalities for querying the model.
+    """
+
+    def __init__(self, model: SRDAModel):
+        self.model = model
+
+    def _get_vvar_by_stmt(
+        self, block_addr: int, block_idx: int | None, stmt_idx: int, op_type: ObservationPointType, predicate
+    ):
+        # find the starting block
+        for block in self.model.func_graph:
+            if block.addr == block_addr and block.idx == block_idx:
+                the_block = block
+                break
+        else:
+            return
+
+        traversed = set()
+        queue = [(the_block, stmt_idx if op_type == ObservationPointType.OP_BEFORE else stmt_idx + 1)]
+        while queue:
+            block, start_stmt_idx = queue.pop(0)
+            traversed.add(block)
+
+            stmts = block.statements[:start_stmt_idx] if start_stmt_idx is not None else block.statements
+
+            for stmt in reversed(stmts):
+                should_break = predicate(stmt)
+                if should_break:
+                    break
+            else:
+                # not found
+                for pred in self.model.func_graph.predecessors(block):
+                    if pred not in traversed:
+                        traversed.add(pred)
+                        queue.append((pred, None))
+
+    def get_reg_vvar_by_stmt(
+        self, reg_offset: int, block_addr: int, block_idx: int | None, stmt_idx: int, op_type: ObservationPointType
+    ) -> VirtualVariable | None:
+        reg_offset = get_reg_offset_base(reg_offset, self.model.arch)
+        vvars = set()
+        predicater = RegVVarPredicate(reg_offset, vvars, self.model.arch)
+        self._get_vvar_by_stmt(block_addr, block_idx, stmt_idx, op_type, predicater.predicate)
+
+        assert len(vvars) <= 1
+        return next(iter(vvars), None)
+
+    def get_stack_vvar_by_stmt(  # pylint: disable=too-many-positional-arguments
+        self,
+        stack_offset: int,
+        size: int,
+        block_addr: int,
+        block_idx: int | None,
+        stmt_idx: int,
+        op_type: ObservationPointType,
+    ) -> VirtualVariable | None:
+        vvars = set()
+        predicater = StackVVarPredicate(stack_offset, size, vvars)
+        self._get_vvar_by_stmt(block_addr, block_idx, stmt_idx, op_type, predicater.predicate)
+
+        assert len(vvars) <= 1
+        return next(iter(vvars), None)
+
     def _get_vvar_by_insn(self, addr: int, op_type: ObservationPointType, predicate, block_idx: int | None = None):
         # find the starting block
         for block in self.model.func_graph:
@@ -47,6 +161,7 @@ class SRDAView:
         else:
             return
 
+        # determine the starting stmt_idx
         starting_stmt_idx = len(the_block.statements) if op_type == ObservationPointType.OP_AFTER else 0
         for stmt_idx, stmt in enumerate(the_block.statements):
             # skip all labels and phi assignments
@@ -65,55 +180,16 @@ class SRDAView:
                 starting_stmt_idx = stmt_idx
                 break
 
-        traversed = set()
-        queue = [(the_block, starting_stmt_idx)]
-        while queue:
-            block, start_stmt_idx = queue.pop(0)
-            traversed.add(block)
-
-            stmts = block.statements[:start_stmt_idx] if start_stmt_idx is not None else block.statements
-
-            for stmt in reversed(stmts):
-                should_break = predicate(stmt)
-                if should_break:
-                    break
-            else:
-                # not found
-                for pred in self.model.func_graph.predecessors(block):
-                    if pred not in traversed:
-                        traversed.add(pred)
-                        queue.append((pred, None))
+        self._get_vvar_by_stmt(the_block.addr, the_block.idx, starting_stmt_idx, op_type, predicate)
 
     def get_reg_vvar_by_insn(
         self, reg_offset: int, addr: int, op_type: ObservationPointType, block_idx: int | None = None
     ) -> VirtualVariable | None:
         reg_offset = get_reg_offset_base(reg_offset, self.model.arch)
         vvars = set()
+        predicater = RegVVarPredicate(reg_offset, vvars, self.model.arch)
 
-        def _predicate(stmt) -> bool:
-            if (
-                isinstance(stmt, Assignment)
-                and isinstance(stmt.dst, VirtualVariable)
-                and stmt.dst.was_reg
-                and stmt.dst.reg_offset == reg_offset
-            ):
-                vvars.add(stmt.dst)
-                return True
-            if isinstance(stmt, Call):
-                if (
-                    isinstance(stmt.ret_expr, VirtualVariable)
-                    and stmt.ret_expr.was_reg
-                    and stmt.ret_expr.reg_offset == reg_offset
-                ):
-                    vvars.add(stmt.ret_expr)
-                    return True
-                # is it clobbered maybe?
-                clobbered_regs = self._get_call_clobbered_regs(stmt)
-                if reg_offset in clobbered_regs:
-                    return True
-            return False
-
-        self._get_vvar_by_insn(addr, op_type, _predicate, block_idx=block_idx)
+        self._get_vvar_by_insn(addr, op_type, predicater.predicate, block_idx=block_idx)
 
         assert len(vvars) <= 1
         return next(iter(vvars), None)
@@ -122,20 +198,8 @@ class SRDAView:
         self, stack_offset: int, size: int, addr: int, op_type: ObservationPointType, block_idx: int | None = None
     ) -> VirtualVariable | None:
         vvars = set()
-
-        def _predicate(stmt) -> bool:
-            if (
-                isinstance(stmt, Assignment)
-                and isinstance(stmt.dst, VirtualVariable)
-                and stmt.dst.was_stack
-                and stmt.dst.stack_offset == stack_offset
-                and stmt.dst.size == size
-            ):
-                vvars.add(stmt.dst)
-                return True
-            return False
-
-        self._get_vvar_by_insn(addr, op_type, _predicate, block_idx=block_idx)
+        predicater = StackVVarPredicate(stack_offset, size, vvars)
+        self._get_vvar_by_insn(addr, op_type, predicater.predicate, block_idx=block_idx)
 
         assert len(vvars) <= 1
         return next(iter(vvars), None)

angr/analyses/smc.py

@@ -0,0 +1,159 @@
+from __future__ import annotations
+import logging
+import random
+
+from enum import auto, IntFlag
+from collections.abc import Generator
+
+import angr
+from angr.analyses import Analysis, AnalysesHub
+from angr.knowledge_plugins import Function
+from angr.sim_state import SimState
+
+from angr.utils.tagged_interval_map import TaggedIntervalMap
+
+
+log = logging.getLogger(__name__)
+log.setLevel(logging.INFO)
+
+
+class TraceActions(IntFlag):
+    """
+    Describe memory access actions.
+    """
+
+    WRITE = auto()
+    EXECUTE = auto()
+
+
+class TraceClassifier:
+    """
+    Classify traces.
+    """
+
+    def __init__(self, state: SimState | None = None):
+        self.map = TaggedIntervalMap()
+        if state:
+            self.instrument(state)
+
+    def act_mem_write(self, state) -> None:
+        """
+        SimInspect callback for memory writes.
+        """
+        addr = state.solver.eval(state.inspect.mem_write_address)
+        length = state.inspect.mem_write_length
+        if not isinstance(length, int):
+            length = state.solver.eval(length)
+        self.map.add(addr, length, TraceActions.WRITE)
+
+    def act_instruction(self, state) -> None:
+        """
+        SimInspect callback for instruction execution.
+        """
+        addr = state.inspect.instruction
+        if addr is None:
+            log.warning("Symbolic addr")
+            return
+
+        # FIXME: Ensure block size is correct
+        self.map.add(addr, state.block().size, TraceActions.EXECUTE)
+
+    def instrument(self, state) -> None:
+        """
+        Instrument `state` for tracing.
+        """
+        state.inspect.b("mem_write", when=angr.BP_BEFORE, action=self.act_mem_write)
+        state.inspect.b("instruction", when=angr.BP_BEFORE, action=self.act_instruction)
+
+    def get_smc_address_and_lengths(self) -> Generator[tuple[int, int]]:
+        """
+        Evaluate the trace to find which areas of memory were both written to and executed.
+        """
+        smc_flags = TraceActions.WRITE | TraceActions.EXECUTE
+        for addr, size, flags in self.map.irange():
+            if (flags & smc_flags) == smc_flags:
+                yield (addr, size)
+
+    def determine_smc(self) -> bool:
+        """
+        Evaluate the trace to find areas of memory that were both written to and executed.
+        """
+        return any(self.get_smc_address_and_lengths())
+
+    def pp(self):
+        for a, b, c in self.map.irange():
+            print(f"{a:8x} {b} {c}")
+
+
+class SelfModifyingCodeAnalysis(Analysis):
+    """
+    Determine if some piece of code is self-modifying.
+
+    This determination is made by simply executing. If an address is executed
+    that is also written to, the code is determined to be self-modifying. The
+    determination is stored in the `result` property. The `regions` property
+    contains a list of (addr, length) regions that were both written to and
+    executed.
+    """
+
+    result: bool
+    regions: list[tuple[int, int]]
+
+    def __init__(self, subject: None | int | str | Function, max_bytes: int = 0, state: SimState | None = None):
+        """
+        :param subject: Subject of analysis
+        :param max_bytes: Maximum number of bytes from subject address. 0 for no limit (default).
+        :param state: State to begin executing from from.
+        """
+        assert self.project.selfmodifying_code
+
+        if subject is None:
+            subject = self.project.entry
+        if isinstance(subject, str):
+            try:
+                addr = self.project.kb.labels.lookup(subject)
+            except KeyError:
+                addr = self.project.kb.functions[subject].addr
+        elif isinstance(subject, Function):
+            addr = subject.addr
+        elif isinstance(subject, int):
+            addr = subject
+        else:
+            raise ValueError("Not a supported subject")
+
+        if state is None:
+            init_state = self.project.factory.call_state(addr)
+        else:
+            init_state = state.copy()
+            init_state.regs.pc = addr
+
+        init_state.options -= angr.sim_options.simplification
+
+        self._trace_classifier = TraceClassifier(init_state)
+        simgr = self.project.factory.simgr(init_state)
+
+        kwargs = {}
+        if max_bytes:
+            kwargs["filter_func"] = lambda s: (
+                "active" if s.solver.eval(addr <= s.regs.pc) and s.solver.eval(s.regs.pc < addr + max_bytes) else "oob"
+            )
+
+        # FIXME: Early out on SMC detect
+        # FIXME: Configurable step threshold
+        # FIXME: Loop analysis
+
+        for n in range(100):
+            self._update_progress(n)
+            simgr.step(n=3)
+            random.shuffle(simgr.active)
+            simgr.split(from_stash="active", to_stash=simgr.DROP, limit=10)
+
+        # Classify any out of bound entrypoints
+        for state_ in simgr.stashes["oob"]:
+            self._trace_classifier.act_instruction(state_)
+
+        self.regions = list(self._trace_classifier.get_smc_address_and_lengths())
+        self.result = len(self.regions) > 0
+
+
+AnalysesHub.register_default("SMC", SelfModifyingCodeAnalysis)

angr/analyses/variable_recovery/engine_ail.py

@@ -223,6 +223,20 @@ class SimEngineVRAIL(
             for ret_expr in stmt.ret_exprs:
                 self._expr(ret_expr)
 
+    def _ail_handle_DirtyExpression(self, expr: ailment.Expr.DirtyExpression) -> RichR:
+        for op in expr.operands:
+            self._expr(op)
+        if expr.guard:
+            self._expr(expr.guard)
+        if expr.maddr:
+            self._expr(expr.maddr)
+        return RichR(self.state.top(expr.bits))
+
+    def _ail_handle_VEXCCallExpression(self, expr: ailment.Expr.VEXCCallExpression) -> RichR:
+        for op in expr.operands:
+            self._expr(op)
+        return RichR(self.state.top(expr.bits))
+
     # Expression handlers
 
     def _expr(self, expr: ailment.Expr.Expression):

angr/analyses/variable_recovery/engine_base.py

@@ -435,6 +435,14 @@ class SimEngineVRBase(SimEngineLight):
                     region=self.func_addr,
                 )
                 self.variable_manager[self.func_addr].add_variable("register", vvar.oident, variable)
+            elif vvar.was_tmp:
+                # FIXME: we treat all tmp vvars as registers
+                variable = SimRegisterVariable(
+                    4096 + vvar.tmp_idx,
+                    vvar.size,
+                    ident=self.variable_manager[self.func_addr].next_variable_ident("register"),
+                    region=self.func_addr,
+                )
             else:
                 raise NotImplementedError
         else:
@@ -1071,6 +1079,9 @@ class SimEngineVRBase(SimEngineLight):
                     self.variable_manager[self.func_addr].add_variable("stack", vvar.stack_offset, variable)
                 elif vvar.category == ailment.Expr.VirtualVariableCategory.PARAMETER:
                     raise KeyError(f"Missing virtual variable for parameter {vvar}")
+                elif vvar.category == ailment.Expr.VirtualVariableCategory.TMP:
+                    # we don't track variables for tmps
+                    pass
                 else:
                     raise NotImplementedError
 

angr/angrdb/models.py

@@ -1,7 +1,6 @@
 from __future__ import annotations
 from sqlalchemy import Column, Integer, String, Boolean, BLOB, ForeignKey
-from sqlalchemy.orm import relationship
-from sqlalchemy.ext.declarative import declarative_base
+from sqlalchemy.orm import declarative_base, relationship
 
 Base = declarative_base()
 

angr/engines/light/engine.py

@@ -957,6 +957,9 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
     def _ail_handle_Return(self, stmt):
         pass
 
+    def _ail_handle_DirtyStatement(self, stmt):
+        self._expr(stmt.dirty)
+
     #
     # Expression handlers
     #
@@ -1009,6 +1012,15 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
 
         return expr
 
+    def _ail_handle_DirtyExpression(self, expr: ailment.Expr.DirtyExpression):
+        for operand in expr.operands:
+            self._expr(operand)
+        if expr.guard is not None:
+            self._expr(expr.guard)
+        if expr.maddr is not None:
+            self._expr(expr.maddr)
+        return expr
+
     def _ail_handle_UnaryOp(self, expr):
         handler_name = f"_handle_{expr.op}"
         try:

angr/engines/vex/heavy/heavy.py

@@ -90,6 +90,7 @@ class HeavyVEXMixin(SuccessorsMixin, ClaripyDataMixin, SimStateStorageMixin, VEX
         num_inst=None,
         extra_stop_points=None,
         opt_level=None,
+        strict_block_end=None,
         **kwargs,
     ):
         if not pyvex.lifting.lifters[self.state.arch.name] or type(successors.addr) is not int:
@@ -144,6 +145,7 @@ class HeavyVEXMixin(SuccessorsMixin, ClaripyDataMixin, SimStateStorageMixin, VEX
                     num_inst=num_inst,
                     extra_stop_points=extra_stop_points,
                     opt_level=opt_level,
+                    strict_block_end=strict_block_end,
                 )
 
             if (

angr/exploration_techniques/spiller_db.py

@@ -5,8 +5,7 @@ import datetime
 try:
     import sqlalchemy
     from sqlalchemy import Column, Integer, String, Boolean, DateTime, create_engine
-    from sqlalchemy.orm import sessionmaker
-    from sqlalchemy.ext.declarative import declarative_base
+    from sqlalchemy.orm import declarative_base, sessionmaker
     from sqlalchemy.exc import OperationalError
 
     Base = declarative_base()

angr/knowledge_plugins/__init__.py

@@ -17,6 +17,7 @@ from .structured_code import StructuredCodeManager
 from .types import TypesStore
 from .callsite_prototypes import CallsitePrototypes
 from .custom_strings import CustomStrings
+from .decompilation import DecompilationManager
 
 
 __all__ = (
@@ -38,4 +39,5 @@ __all__ = (
     "TypesStore",
     "CallsitePrototypes",
     "CustomStrings",
+    "DecompilationManager",
 )

angr/knowledge_plugins/decompilation.py

@@ -0,0 +1,45 @@
+# pylint:disable=import-outside-toplevel
+from __future__ import annotations
+
+from typing import Any, TYPE_CHECKING
+
+from .plugin import KnowledgeBasePlugin
+
+if TYPE_CHECKING:
+    from angr.analyses.decompiler.decompilation_cache import DecompilationCache
+
+
+class DecompilationManager(KnowledgeBasePlugin):
+    """A knowledge base plugin to store decompilation results."""
+
+    def __init__(self, kb):
+        super().__init__(kb=kb)
+        self.cached: dict[Any, DecompilationCache] = {}
+
+    def _normalize_key(self, item: int | str):
+        if type(item) is str:
+            item = (self._kb.labels.lookup(item[0]), *item[1:])
+        return item
+
+    def __getitem__(self, item) -> DecompilationCache:
+        return self.cached[self._normalize_key(item)]
+
+    def __setitem__(self, key, value: DecompilationCache):
+        self.cached[self._normalize_key(key)] = value
+
+    def __contains__(self, key):
+        return self._normalize_key(key) in self.cached
+
+    def __delitem__(self, key):
+        del self.cached[self._normalize_key(key)]
+
+    def discard(self, key):
+        normalized_key = self._normalize_key(key)
+        if normalized_key in self.cached:
+            del self.cached[normalized_key]
+
+    def copy(self):
+        raise NotImplementedError
+
+
+KnowledgeBasePlugin.register_default("decompilations", DecompilationManager)