PyPI - angr - Versions diffs - 9.2.123__py3-none-win_amd64.whl → 9.2.125__py3-none-win_amd64.whl - Mend

angr 9.2.123__py3-none-win_amd64.whl → 9.2.125__py3-none-win_amd64.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of angr might be problematic. Click here for more details.

Files changed (104) hide show

angr/__init__.py CHANGED Viewed

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
-__version__ = "9.2.123"
+__version__ = "9.2.125"
 if bytes is str:
     raise Exception(

angr/analyses/__init__.py CHANGED Viewed

@@ -1,4 +1,4 @@
-# pylint:disable=wrong-import-position
+# " pylint:disable=wrong-import-position
 from __future__ import annotations
 from .analysis import Analysis, AnalysesHub
@@ -49,6 +49,10 @@ from .flirt import FlirtAnalysis
 from .s_propagator import SPropagatorAnalysis
 from .s_reaching_definitions import SReachingDefinitionsAnalysis
 from .s_liveness import SLivenessAnalysis
+from .codecave import CodeCaveAnalysis
+from .patchfinder import PatchFinderAnalysis
+from .pathfinder import Pathfinder
+from .smc import SelfModifyingCodeAnalysis
 __all__ = (
@@ -101,4 +105,8 @@ __all__ = (
     "SPropagatorAnalysis",
     "SReachingDefinitionsAnalysis",
     "SLivenessAnalysis",
+    "CodeCaveAnalysis",
+    "PatchFinderAnalysis",
+    "Pathfinder",
+    "SelfModifyingCodeAnalysis",
 )

angr/analyses/cfg/indirect_jump_resolvers/mips_elf_fast.py CHANGED Viewed

@@ -153,6 +153,11 @@ class MipsElfFastResolver(IndirectJumpResolver):
     def _resolve_case_1(self, addr: int, block: pyvex.IRSB, func_addr: int, gp_value: int, cfg) -> int | None:
         # lift the block again with the correct setting
+        inital_regs = [(self.project.arch.registers["t9"][0], self.project.arch.registers["t9"][1], func_addr)]
+        if gp_value is not None:
+            inital_regs.append((self.project.arch.registers["gp"][0], self.project.arch.registers["gp"][1], gp_value))
         first_irsb = self.project.factory.block(
             addr,
             size=block.size,
@@ -160,10 +165,7 @@ class MipsElfFastResolver(IndirectJumpResolver):
             const_prop=True,
             cross_insn_opt=False,
             load_from_ro_regions=True,
-            initial_regs=[
-                (self.project.arch.registers["t9"][0], self.project.arch.registers["t9"][1], func_addr),
-                (self.project.arch.registers["gp"][0], self.project.arch.registers["gp"][1], gp_value),
-            ],
+            initial_regs=inital_regs,
         ).vex_nostmt
         if not isinstance(first_irsb.next, pyvex.IRExpr.RdTmp):
@@ -193,6 +195,10 @@ class MipsElfFastResolver(IndirectJumpResolver):
             # the register (t9) is set in this block - we can resolve the jump target using only the current block
             return Case2Result.RESUME, None
+        inital_regs = [(self.project.arch.registers["t9"][0], self.project.arch.registers["t9"][1], func_addr)]
+        if gp_value is not None:
+            inital_regs.append((self.project.arch.registers["gp"][0], self.project.arch.registers["gp"][1], gp_value))
         # lift the first block again with the correct setting
         first_irsb = self.project.factory.block(
             first_block_addr,
@@ -200,10 +206,7 @@ class MipsElfFastResolver(IndirectJumpResolver):
             collect_data_refs=False,
             const_prop=True,
             load_from_ro_regions=True,
-            initial_regs=[
-                (self.project.arch.registers["t9"][0], self.project.arch.registers["t9"][1], func_addr),
-                (self.project.arch.registers["gp"][0], self.project.arch.registers["gp"][1], gp_value),
-            ],
+            initial_regs=inital_regs,
         ).vex_nostmt
         last_reg_setting_tmp = self._get_last_reg_setting_tmp(first_irsb, jump_target_reg)

angr/analyses/cfg/indirect_jump_resolvers/mips_elf_got.py CHANGED Viewed

@@ -51,11 +51,11 @@ class MipsElfGotResolver(IndirectJumpResolver):
             return False, []
         dynsym_addr = self._find_and_cache_section_addr(obj, ".dynsym")
         if dynsym_addr is None:
-            return None
+            return False, []
         dynstr_addr = self._find_and_cache_section_addr(obj, ".dynstr")
         if dynstr_addr is None:
-            return None
+            return False, []
         if block.size != 16:
             return False, []

angr/analyses/codecave.py ADDED Viewed

@@ -0,0 +1,77 @@
+from __future__ import annotations
+import logging
+from enum import Enum, auto
+from typing import TYPE_CHECKING
+from dataclasses import dataclass
+from angr.analyses import Analysis, AnalysesHub
+if TYPE_CHECKING:
+    from angr.knowledge_plugins import Function
+log = logging.getLogger(__name__)
+class CodeCaveClassification(Enum):
+    """
+    Type of code caves.
+    """
+    ALIGNMENT = auto()
+    UNREACHABLE = auto()
+@dataclass
+class CodeCave:
+    """
+    Describes a code cave in a binary.
+    """
+    func: Function | None
+    addr: int
+    size: int
+    classification: CodeCaveClassification
+class CodeCaveAnalysis(Analysis):
+    """
+    Best-effort static location of potential vacant code caves for possible code injection:
+    - Padding functions
+    - Unreachable code
+    """
+    codecaves: list[CodeCave]
+    def __init__(self):
+        self.codecaves = []
+        if len(self.project.kb.functions) == 0 and self.project.kb.cfgs.get_most_accurate() is None:
+            log.warning("Please run CFGFast analysis first, to identify functions")
+            return
+        # Alignment functions
+        for func in self.project.kb.functions.values():
+            if func.is_alignment:
+                for block in func.blocks:
+                    self.codecaves.append(CodeCave(func, block.addr, block.size, CodeCaveClassification.ALIGNMENT))
+        # Unreachable code
+        for func in self.project.kb.functions.values():
+            if func.is_alignment or func.is_plt or func.is_simprocedure or func.addr in self.project.kb.labels:
+                continue
+            in_degree = self.project.kb.callgraph.in_degree(func.addr)
+            if in_degree == 0 or (
+                in_degree == 1
+                and self.project.kb.functions[next(self.project.kb.callgraph.predecessors(func.addr))].is_alignment
+            ):
+                for block in func.blocks:
+                    self.codecaves.append(CodeCave(func, block.addr, block.size, CodeCaveClassification.UNREACHABLE))
+            # FIXME: find dead blocks with argument propagation
+            # FIXME: find dead blocks with external coverage info
+AnalysesHub.register_default("CodeCaves", CodeCaveAnalysis)

angr/analyses/decompiler/ail_simplifier.py CHANGED Viewed

@@ -1316,18 +1316,7 @@ class AILSimplifier(Analysis):
                             continue
                     uses = rd.get_vvar_uses(def_.atom)
-                elif def_.atom.was_reg:
-                    uses = rd.get_vvar_uses(def_.atom)
-                    if (
-                        def_.atom.reg_offset in self.project.arch.artificial_registers_offsets
-                        and len(uses) == 1
-                        and next(iter(uses)) == def_.codeloc
-                    ):
-                        # TODO: Verify if we still need this hack after moving to SSA
-                        # cc_ndep = amd64g_calculate_condition(..., cc_ndep)
-                        uses = set()
-                elif def_.atom.was_parameter:
+                elif def_.atom.was_reg or def_.atom.was_parameter:
                     uses = rd.get_vvar_uses(def_.atom)
                 else:
@@ -1425,9 +1414,17 @@ class AILSimplifier(Analysis):
                                 simplified = True
                                 continue
                             if isinstance(stmt, Assignment) and isinstance(stmt.dst, VirtualVariable):
-                                # no one is using the returned virtual variable. replace this assignment statement with
-                                # a call statement
-                                stmt = stmt.src
+                                # no one is using the returned virtual variable.
+                                # now the things are a bit tricky here
+                                if isinstance(stmt.src, Call):
+                                    # replace this assignment statement with a call statement
+                                    stmt = stmt.src
+                                elif isinstance(stmt.src, Convert) and isinstance(stmt.src.operand, Call):
+                                    # the convert is useless now
+                                    stmt = stmt.src.operand
+                                else:
+                                    # we can't change this stmt at all because it has an expression with Calls inside
+                                    pass
                         else:
                             # no calls. remove it
                             simplified = True
@@ -1460,7 +1457,7 @@ class AILSimplifier(Analysis):
     def _find_cyclic_dependent_phis_and_dirty_vvars(self, rd: SRDAModel) -> set[int]:
         blocks_dict = {(bb.addr, bb.idx): bb for bb in self.func_graph}
-        # find dirty vvars
+        # find dirty vvars and vexccall vvars
         dirty_vvar_ids = set()
         for bb in self.func_graph:
             for stmt in bb.statements:
@@ -1468,7 +1465,7 @@ class AILSimplifier(Analysis):
                     isinstance(stmt, Assignment)
                     and isinstance(stmt.dst, VirtualVariable)
                     and stmt.dst.was_reg
-                    and isinstance(stmt.src, DirtyExpression)
+                    and isinstance(stmt.src, (DirtyExpression, VEXCCallExpression))
                 ):
                     dirty_vvar_ids.add(stmt.dst.varid)
@@ -1544,8 +1541,8 @@ class AILSimplifier(Analysis):
             v = False
         def _handle_expr(expr_idx: int, expr: Expression, stmt_idx: int, stmt: Statement, block) -> Expression | None:
-            if isinstance(expr, DirtyExpression) and isinstance(expr.dirty_expr, VEXCCallExpression):
-                rewriter = rewriter_cls(expr.dirty_expr, self.project.arch)
+            if isinstance(expr, VEXCCallExpression):
+                rewriter = rewriter_cls(expr, self.project.arch)
                 if rewriter.result is not None:
                     _any_update.v = True
                     return rewriter.result

angr/analyses/decompiler/callsite_maker.py CHANGED Viewed

@@ -143,7 +143,7 @@ class CallSiteMaker(Analysis):
                 if isinstance(arg_loc, SimRegArg):
                     size = arg_loc.size
                     offset = arg_loc.check_offset(cc.arch)
-                    value_and_def = self._resolve_register_argument(call_stmt, arg_loc)
+                    value_and_def = self._resolve_register_argument(arg_loc)
                     if value_and_def is not None:
                         vvar_def = value_and_def[1]
                         arg_vvars.append(vvar_def)
@@ -283,14 +283,15 @@ class CallSiteMaker(Analysis):
         l.warning("TODO: Unsupported statement type %s for definitions.", type(stmt))
         return None
-    def _resolve_register_argument(self, call_stmt, arg_loc) -> tuple[int | None, Expr.VirtualVariable] | None:
+    def _resolve_register_argument(self, arg_loc) -> tuple[int | None, Expr.VirtualVariable] | None:
         offset = arg_loc.check_offset(self.project.arch)
         if self._reaching_definitions is not None:
             # Find its definition
-            ins_addr = call_stmt.tags["ins_addr"]
             view = SRDAView(self._reaching_definitions.model)
-            vvar = view.get_reg_vvar_by_insn(offset, ins_addr, OP_BEFORE, block_idx=self.block.idx)
+            vvar = view.get_reg_vvar_by_stmt(
+                offset, self.block.addr, self.block.idx, len(self.block.statements) - 1, OP_BEFORE
+            )
             if vvar is not None:
                 vvar_value = view.get_vvar_value(vvar)
@@ -318,8 +319,8 @@ class CallSiteMaker(Analysis):
             if self._reaching_definitions is not None:
                 # find its definition
                 view = SRDAView(self._reaching_definitions.model)
-                vvar = view.get_stack_vvar_by_insn(
-                    sp_offset, size, call_stmt.ins_addr, OP_BEFORE, block_idx=self.block.idx
+                vvar = view.get_stack_vvar_by_stmt(
+                    sp_offset, size, self.block.addr, self.block.idx, len(self.block.statements) - 1, OP_BEFORE
                 )
                 if vvar is not None:
                     value = view.get_vvar_value(vvar)
@@ -416,7 +417,7 @@ class CallSiteMaker(Analysis):
             value = None
             if isinstance(arg_loc, SimRegArg):
-                value_and_def = self._resolve_register_argument(call_stmt, arg_loc)
+                value_and_def = self._resolve_register_argument(arg_loc)
                 if value_and_def is not None:
                     value = value_and_def[0]

angr/analyses/decompiler/ccall_rewriters/amd64_ccalls.py CHANGED Viewed

@@ -20,7 +20,7 @@ class AMD64CCallRewriter(CCallRewriterBase):
     __slots__ = ()
     def _rewrite(self, ccall: Expr.VEXCCallExpression) -> Expr.Expression | None:
-        if ccall.cee_name == "amd64g_calculate_condition":
+        if ccall.callee == "amd64g_calculate_condition":
             cond = ccall.operands[0]
             op = ccall.operands[1]
             dep_1 = ccall.operands[2]
@@ -288,6 +288,28 @@ class AMD64CCallRewriter(CCallRewriterBase):
                         r = Expr.BinaryOp(ccall.idx, "CmpLT", (dep_1, dep_2), True, **ccall.tags)
                         return Expr.Convert(None, r.bits, ccall.bits, False, r, **ccall.tags)
+                    if op_v in {
+                        AMD64_OpTypes["G_CC_OP_LOGICB"],
+                        AMD64_OpTypes["G_CC_OP_LOGICW"],
+                        AMD64_OpTypes["G_CC_OP_LOGICL"],
+                        AMD64_OpTypes["G_CC_OP_LOGICQ"],
+                    }:
+                        # dep_1 is the result, dep_2 is always zero
+                        # dep_1 <s 0
+                        dep_1 = self._fix_size(
+                            dep_1,
+                            op_v,
+                            AMD64_OpTypes["G_CC_OP_LOGICB"],
+                            AMD64_OpTypes["G_CC_OP_LOGICW"],
+                            AMD64_OpTypes["G_CC_OP_LOGICL"],
+                            ccall.tags,
+                        )
+                        zero = Expr.Const(None, None, 0, dep_1.bits)
+                        r = Expr.BinaryOp(ccall.idx, "CmpLT", (dep_1, zero), True, **ccall.tags)
+                        return Expr.Convert(None, r.bits, ccall.bits, False, r, **ccall.tags)
                 elif cond_v == AMD64_CondTypes["CondNBE"]:
                     if op_v in {
                         AMD64_OpTypes["G_CC_OP_SUBB"],
@@ -390,7 +412,7 @@ class AMD64CCallRewriter(CCallRewriterBase):
                     )
                     return Expr.Convert(None, r.bits, ccall.bits, False, r, **ccall.tags)
-        elif ccall.cee_name == "amd64g_calculate_rflags_c":
+        elif ccall.callee == "amd64g_calculate_rflags_c":
             # calculate the carry flag
             op = ccall.operands[0]
             dep_1 = ccall.operands[1]

angr/analyses/decompiler/clinic.py CHANGED Viewed

@@ -42,6 +42,7 @@ from .optimization_passes import (
     OptimizationPassStage,
     RegisterSaveAreaSimplifier,
     StackCanarySimplifier,
+    TagSlicer,
     DUPLICATING_OPTS,
     CONDENSING_OPTS,
 )
@@ -110,6 +111,8 @@ class Clinic(Analysis):
         inlined_counts: dict[int, int] | None = None,
         inlining_parents: set[int] | None = None,
         vvar_id_start: int = 0,
+        optimization_scratch: dict[str, Any] | None = None,
+        desired_variables: set[str] | None = None,
     ):
         if not func.normalized and mode == ClinicMode.DECOMPILE:
             raise ValueError("Decompilation must work on normalized function graphs.")
@@ -124,6 +127,7 @@ class Clinic(Analysis):
         self.variable_kb = variable_kb
         self.externs: set[SimMemoryVariable] = set()
         self.data_refs: dict[int, int] = {}  # data address to instruction address
+        self.optimization_scratch = optimization_scratch if optimization_scratch is not None else {}
         self._func_graph: networkx.DiGraph | None = None
         self._ail_manager = None
@@ -152,6 +156,7 @@ class Clinic(Analysis):
         self._inline_functions = inline_functions
         self._inlined_counts = {} if inlined_counts is None else inlined_counts
         self._inlining_parents = inlining_parents or ()
+        self._desired_variables = desired_variables
         self._register_save_areas_removed: bool = False
@@ -218,6 +223,9 @@ class Clinic(Analysis):
             ail_graph = self._inline_child_functions(ail_graph)
         ail_graph = self._decompilation_simplifications(ail_graph)
+        if self._desired_variables:
+            ail_graph = self._slice_variables(ail_graph)
         self.graph = ail_graph
     def _decompilation_graph_recovery(self):
@@ -277,6 +285,27 @@ class Clinic(Analysis):
         return ail_graph
+    def _slice_variables(self, ail_graph):
+        nodes_index = {(n.addr, n.idx): n for n in ail_graph.nodes()}
+        vfm = self.variable_kb.variables.function_managers[self.function.addr]
+        for v_name in self._desired_variables:
+            v = next(iter(vv for vv in vfm._unified_variables if vv.name == v_name))
+            for va in vfm.get_variable_accesses(v):
+                nodes_index[(va.location.block_addr, va.location.block_idx)].statements[va.location.stmt_idx].tags[
+                    "keep_in_slice"
+                ] = True
+        a = TagSlicer(
+            self.function,
+            graph=ail_graph,
+            variable_kb=self.variable_kb,
+        )
+        if a.out_graph:
+            # use the new graph
+            ail_graph = a.out_graph
+        return ail_graph
     def _inline_child_functions(self, ail_graph):
         for blk in ail_graph.nodes():
             for idx, stmt in enumerate(blk.statements):
@@ -907,22 +936,31 @@ class Clinic(Analysis):
         Convert a VEX block to an AIL block.
         :param block_node:  A BlockNode instance.
-        :return:            An converted AIL block.
+        :return:            A converted AIL block.
         :rtype:             ailment.Block
         """
         if type(block_node) is not BlockNode:
             return block_node
+        if block_node.size == 0:
+            return ailment.Block(block_node.addr, 0, statements=[])
         block = self.project.factory.block(block_node.addr, block_node.size, cross_insn_opt=False)
         if block.vex.jumpkind not in {"Ijk_Call", "Ijk_Boring", "Ijk_Ret"} and not block.vex.jumpkind.startswith(
             "Ijk_Sys"
         ):
             # we don't support lifting this block. use a dummy block instead
+            dirty_expr = ailment.Expr.DirtyExpression(
+                self._ail_manager.next_atom,
+                f"Unsupported jumpkind {block.vex.jumpkind} at address {block_node.addr}",
+                [],
+                bits=0,
+            )
             statements = [
                 ailment.Stmt.DirtyStatement(
                     self._ail_manager.next_atom(),
-                    f"Unsupported jumpkind {block.vex.jumpkind} at address {block_node.addr}",
+                    dirty_expr,
                     ins_addr=block_node.addr,
                 )
             ]
@@ -1219,6 +1257,7 @@ class Clinic(Analysis):
                 variable_kb=variable_kb,
                 vvar_id_start=self.vvar_id_start,
                 entry_node_addr=self.entry_node_addr,
+                scratch=self.optimization_scratch,
                 **kwargs,
             )
             if a.out_graph:
@@ -1256,6 +1295,7 @@ class Clinic(Analysis):
                 ailment.Expr.VirtualVariableCategory.PARAMETER,
                 oident=arg.reg,
                 ins_addr=self.function.addr,
+                vex_block_addr=self.function.addr,
             )
             self.vvar_id_start += 1
             arg_vvars[arg_vvar.varid] = arg_vvar, arg
@@ -1269,6 +1309,7 @@ class Clinic(Analysis):
                     False,
                     arg_vvar,
                     ins_addr=self.function.addr,
+                    vex_block_addr=self.function.addr,
                 )
             fullreg_dst = ailment.Expr.Register(
@@ -1277,12 +1318,14 @@ class Clinic(Analysis):
                 basereg_offset,
                 basereg_size * self.project.arch.byte_width,
                 ins_addr=self.function.addr,
+                vex_block_addr=self.function.addr,
             )
             stmt = ailment.Stmt.Assignment(
                 self._ail_manager.next_atom(),
                 fullreg_dst,
                 arg_vvar,
                 ins_addr=self.function.addr,
+                vex_block_addr=self.function.addr,
             )
             new_stmts.append(stmt)
@@ -1313,6 +1356,7 @@ class Clinic(Analysis):
             ail_graph,
             entry=next(iter(bb for bb in ail_graph if (bb.addr, bb.idx) == self.entry_node_addr)),
             ail_manager=self._ail_manager,
+            ssa_tmps=True,
             ssa_stackvars=True,
             vvar_id_start=self.vvar_id_start,
         )
@@ -1792,6 +1836,18 @@ class Clinic(Analysis):
         elif isinstance(expr, ailment.Stmt.Call):
             self._link_variables_on_call(variable_manager, global_variables, block, stmt_idx, expr, is_expr=True)
+        elif isinstance(expr, ailment.Expr.VEXCCallExpression):
+            for operand in expr.operands:
+                self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, operand)
+        elif isinstance(expr, ailment.Expr.DirtyExpression):
+            for operand in expr.operands:
+                self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, operand)
+            if expr.maddr:
+                self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, expr.maddr)
+            if expr.guard:
+                self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, expr.guard)
     def _function_graph_to_ail_graph(self, func_graph, blocks_by_addr_and_size=None):
         if blocks_by_addr_and_size is None:
             blocks_by_addr_and_size = self._blocks_by_addr_and_size

angr/analyses/decompiler/condition_processor.py CHANGED Viewed

@@ -160,6 +160,8 @@ _ail2claripy_op_mapping = {
     "GetMSBs": lambda expr, _, m: _dummy_bvs(expr, m),
     "InterleaveLOV": lambda expr, _, m: _dummy_bvs(expr, m),
     "InterleaveHIV": lambda expr, _, m: _dummy_bvs(expr, m),
+    # catch-all
+    "_DUMMY_": lambda expr, _, m: _dummy_bvs(expr, m),
 }
 #
@@ -771,7 +773,7 @@ class ConditionProcessor:
         if isinstance(
             condition,
-            (ailment.Expr.DirtyExpression, ailment.Expr.BasePointerOffset, ailment.Expr.ITE),
+            (ailment.Expr.VEXCCallExpression, ailment.Expr.BasePointerOffset, ailment.Expr.ITE),
         ):
             return _dummy_bvs(condition, self._condition_mapping)
         if isinstance(condition, ailment.Stmt.Call):
@@ -828,9 +830,14 @@ class ConditionProcessor:
             # fall back to op
             lambda_expr = _ail2claripy_op_mapping.get(condition.op, None)
         if lambda_expr is None:
-            raise NotImplementedError(
-                f"Unsupported AIL expression operation {condition.op} or {condition.verbose_op}. Consider implementing."
+            # fall back to the catch-all option
+            l.debug(
+                "Unsupported AIL expression operation %s (or verbose: %s). Fall back to the default catch-all dummy "
+                "option. Consider implementing.",
+                condition.op,
+                condition.verbose_op,
             )
+            lambda_expr = _ail2claripy_op_mapping["_DUMMY_"]
         r = lambda_expr(condition, self.claripy_ast_from_ail_condition, self._condition_mapping)
         if isinstance(r, claripy.ast.Bool) and nobool:

angr/analyses/decompiler/decompilation_cache.py CHANGED Viewed

@@ -14,6 +14,7 @@ class DecompilationCache:
     """
     __slots__ = (
+        "parameters",
         "addr",
         "type_constraints",
         "func_typevar",
@@ -25,6 +26,7 @@ class DecompilationCache:
     )
     def __init__(self, addr):
+        self.parameters: dict[str, Any] = {}
         self.addr = addr
         self.type_constraints: set | None = None
         self.func_typevar = None