PyPI - angr - Versions diffs - 9.2.124__py3-none-macosx_11_0_arm64.whl → 9.2.126__py3-none-macosx_11_0_arm64.whl - Mend

angr 9.2.124__py3-none-macosx_11_0_arm64.whl → 9.2.126__py3-none-macosx_11_0_arm64.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of angr might be problematic. Click here for more details.

Files changed (53) hide show

angr/__init__.py +1 -1
angr/analyses/__init__.py +13 -1
angr/analyses/codecave.py +77 -0
angr/analyses/decompiler/ail_simplifier.py +1 -0
angr/analyses/decompiler/callsite_maker.py +9 -1
angr/analyses/decompiler/clinic.py +32 -2
angr/analyses/decompiler/condition_processor.py +104 -66
angr/analyses/decompiler/decompiler.py +7 -0
angr/analyses/decompiler/optimization_passes/__init__.py +18 -1
angr/analyses/decompiler/optimization_passes/inlined_string_transformation_simplifier.py +6 -0
angr/analyses/decompiler/optimization_passes/tag_slicer.py +41 -0
angr/analyses/decompiler/peephole_optimizations/constant_derefs.py +2 -2
angr/analyses/decompiler/return_maker.py +1 -0
angr/analyses/decompiler/ssailification/rewriting.py +4 -0
angr/analyses/decompiler/ssailification/rewriting_engine.py +10 -3
angr/analyses/decompiler/structured_codegen/c.py +18 -2
angr/analyses/deobfuscator/__init__.py +18 -0
angr/analyses/deobfuscator/api_obf_finder.py +313 -0
angr/analyses/deobfuscator/api_obf_peephole_optimizer.py +51 -0
angr/analyses/deobfuscator/irsb_reg_collector.py +85 -0
angr/analyses/deobfuscator/string_obf_finder.py +774 -0
angr/analyses/deobfuscator/string_obf_opt_passes.py +133 -0
angr/analyses/deobfuscator/string_obf_peephole_optimizer.py +47 -0
angr/analyses/patchfinder.py +137 -0
angr/analyses/pathfinder.py +282 -0
angr/analyses/reaching_definitions/function_handler_library/stdio.py +8 -1
angr/analyses/smc.py +159 -0
angr/analyses/unpacker/__init__.py +6 -0
angr/analyses/unpacker/obfuscation_detector.py +103 -0
angr/analyses/unpacker/packing_detector.py +138 -0
angr/angrdb/models.py +1 -2
angr/calling_conventions.py +3 -1
angr/engines/vex/claripy/irop.py +10 -5
angr/engines/vex/heavy/heavy.py +2 -0
angr/exploration_techniques/spiller_db.py +1 -2
angr/knowledge_plugins/__init__.py +2 -0
angr/knowledge_plugins/functions/function.py +4 -0
angr/knowledge_plugins/functions/function_manager.py +18 -9
angr/knowledge_plugins/functions/function_parser.py +1 -1
angr/knowledge_plugins/functions/soot_function.py +1 -0
angr/knowledge_plugins/obfuscations.py +36 -0
angr/lib/angr_native.dylib +0 -0
angr/misc/ux.py +2 -2
angr/project.py +17 -1
angr/state_plugins/history.py +6 -4
angr/utils/bits.py +4 -0
angr/utils/tagged_interval_map.py +112 -0
{angr-9.2.124.dist-info → angr-9.2.126.dist-info}/METADATA +6 -6
{angr-9.2.124.dist-info → angr-9.2.126.dist-info}/RECORD +53 -36
{angr-9.2.124.dist-info → angr-9.2.126.dist-info}/WHEEL +1 -1
{angr-9.2.124.dist-info → angr-9.2.126.dist-info}/LICENSE +0 -0
{angr-9.2.124.dist-info → angr-9.2.126.dist-info}/entry_points.txt +0 -0
{angr-9.2.124.dist-info → angr-9.2.126.dist-info}/top_level.txt +0 -0

angr/analyses/decompiler/peephole_optimizations/constant_derefs.py CHANGED Viewed

@@ -1,6 +1,6 @@
 from __future__ import annotations
 from ailment.expression import Load, Const
-from cle.backends import Blob
+from cle.backends import Blob, Hex
 from .base import PeepholeOptimizationExprBase
@@ -32,7 +32,7 @@ class ConstantDereferences(PeepholeOptimizationExprBase):
             # is it loading from a blob?
             obj = self.project.loader.find_object_containing(expr.addr.value)
-            if obj is not None and isinstance(obj, Blob):
+            if obj is not None and isinstance(obj, (Blob, Hex)):
                 # do we know the value that it's reading?
                 try:
                     val = self.project.loader.memory.unpack_word(expr.addr.value, size=self.project.arch.bytes)

angr/analyses/decompiler/return_maker.py CHANGED Viewed

@@ -48,6 +48,7 @@ class ReturnMaker(AILGraphWalker):
                         reg[0],
                         ret_val.size * self.arch.byte_width,
                         reg_name=self.arch.translate_register_name(reg[0], ret_val.size),
+                        ins_addr=stmt.ins_addr,
                     )
                 )
             else:

angr/analyses/decompiler/ssailification/rewriting.py CHANGED Viewed

@@ -119,6 +119,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
                         self._ail_manager.next_atom(),
                         reg_bits,
                         src_and_vvars=[],  # back patch later
+                        ins_addr=node.addr,
                     )
                     phi_dst = VirtualVariable(
                         self._ail_manager.next_atom(),
@@ -126,6 +127,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
                         reg_bits,
                         VirtualVariableCategory.REGISTER,
                         oident=reg_offset,
+                        ins_addr=node.addr,
                     )
                 case "stack":
@@ -135,6 +137,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
                         self._ail_manager.next_atom(),
                         stack_size * self.project.arch.byte_width,
                         src_and_vvars=[],  # back patch later
+                        ins_addr=node.addr,
                     )
                     phi_dst = VirtualVariable(
                         self._ail_manager.next_atom(),
@@ -142,6 +145,7 @@ class RewritingAnalysis(ForwardAnalysis[RewritingState, NodeType, object, object
                         stack_size * self.project.arch.byte_width,
                         VirtualVariableCategory.STACK,
                         oident=stack_offset,
+                        ins_addr=node.addr,
                     )
                 case _:
                     raise NotImplementedError

angr/analyses/decompiler/ssailification/rewriting_engine.py CHANGED Viewed

@@ -525,7 +525,7 @@ class SimEngineSSARewriting(
             **expr.tags,
         )
-    def _get_full_reg_vvar(self, reg_offset: int, size: int) -> VirtualVariable:
+    def _get_full_reg_vvar(self, reg_offset: int, size: int, ins_addr: int | None = None) -> VirtualVariable:
         base_off, base_size = get_reg_offset_base_and_size(reg_offset, self.arch, size=size)
         if (
             base_off not in self.state.registers
@@ -534,13 +534,16 @@ class SimEngineSSARewriting(
         ):
             # somehow it's never defined before...
             _l.debug("Creating a new virtual variable for an undefined register (%d [%d]).", base_off, base_size)
+            tags = {}
+            if ins_addr is not None:
+                tags["ins_addr"] = ins_addr
             vvar = VirtualVariable(
                 self.ail_manager.next_atom(),
                 self.next_vvar_id(),
                 base_size * self.arch.byte_width,
                 category=VirtualVariableCategory.REGISTER,
                 oident=base_off,
-                # FIXME: tags
+                **tags,
             )
             self.state.registers[base_off][base_size] = vvar
             return vvar
@@ -628,7 +631,11 @@ class SimEngineSSARewriting(
         # no good size available
         # get the full register, then extract from there
-        vvar = self._get_full_reg_vvar(reg_expr.reg_offset, reg_expr.size)
+        vvar = self._get_full_reg_vvar(
+            reg_expr.reg_offset,
+            reg_expr.size,
+            ins_addr=reg_expr.ins_addr,
+        )
         # extract
         shift_amount = Const(
             self.ail_manager.next_atom(),

angr/analyses/decompiler/structured_codegen/c.py CHANGED Viewed

@@ -2148,6 +2148,12 @@ class CConstant(CExpression):
                 elif isinstance(v, Function):
                     yield get_cpp_function_name(v.demangled_name, specialized=False, qualified=True), self
                     return
+                elif isinstance(v, str):
+                    yield CConstant.str_to_c_str(v), self
+                    return
+                elif isinstance(v, bytes):
+                    yield CConstant.str_to_c_str(v.replace(b"\x00", b"").decode("utf-8")), self
+                    return
         if self.reference_values is not None and self._type is not None and self._type in self.reference_values:
             if isinstance(self._type, SimTypeInt):
@@ -3415,7 +3421,17 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         if reference_values is None:
             reference_values = {}
             type_ = unpack_typeref(type_)
-            if isinstance(type_, SimTypePointer) and isinstance(type_.pts_to, SimTypeChar):
+            if expr.value in self.kb.obfuscations.type1_deobfuscated_strings:
+                reference_values[SimTypePointer(SimTypeChar())] = self.kb.obfuscations.type1_deobfuscated_strings[
+                    expr.value
+                ]
+                inline_string = True
+            elif expr.value in self.kb.obfuscations.type2_deobfuscated_strings:
+                reference_values[SimTypePointer(SimTypeChar())] = self.kb.obfuscations.type2_deobfuscated_strings[
+                    expr.value
+                ]
+                inline_string = True
+            elif isinstance(type_, SimTypePointer) and isinstance(type_.pts_to, SimTypeChar):
                 # char*
                 # Try to get a string
                 if (
@@ -3433,7 +3449,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             # edge cases: (void*)"this is a constant string pointer". in this case, the type_ will be a void*
             # (BOT*) instead of a char*.
-            if isinstance(expr.value, int):
+            if not reference_values and isinstance(expr.value, int):
                 if expr.value in self.project.kb.functions:
                     # It's a function pointer
                     # We don't care about the actual prototype here

angr/analyses/deobfuscator/__init__.py ADDED Viewed

@@ -0,0 +1,18 @@
+# deobfuscator is a collection of analyses that automatically identifies functions where obfuscation techniques are
+# in-use.
+from __future__ import annotations
+from .string_obf_finder import StringObfuscationFinder
+from .string_obf_peephole_optimizer import StringObfType1PeepholeOptimizer
+from .string_obf_opt_passes import StringObfType3Rewriter
+from .api_obf_finder import APIObfuscationFinder
+from .api_obf_peephole_optimizer import APIObfType1PeepholeOptimizer
+__all__ = (
+    "StringObfuscationFinder",
+    "StringObfType1PeepholeOptimizer",
+    "StringObfType3Rewriter",
+    "APIObfuscationFinder",
+    "APIObfType1PeepholeOptimizer",
+)

angr/analyses/deobfuscator/api_obf_finder.py ADDED Viewed

@@ -0,0 +1,313 @@
+# pylint:disable=missing-class-docstring,too-many-boolean-expressions
+from __future__ import annotations
+from typing import Any
+from enum import IntEnum
+import string
+import logging
+import networkx
+import claripy
+from angr import SIM_LIBRARIES
+from angr.calling_conventions import SimRegArg
+from angr.errors import SimMemoryMissingError
+from angr.knowledge_plugins.key_definitions.constants import ObservationPointType
+from angr.sim_type import SimTypePointer, SimTypeChar
+from angr.analyses import Analysis, AnalysesHub
+from angr.procedures.definitions import SimSyscallLibrary
+from angr.sim_variable import SimMemoryVariable
+from angr.analyses.decompiler.structured_codegen.c import (
+    CStructuredCodeWalker,
+    CFunctionCall,
+    CConstant,
+    CAssignment,
+    CVariable,
+)
+_l = logging.getLogger(name=__name__)
+class APIObfuscationType(IntEnum):
+    TYPE_1 = 0
+class APIDeobFuncDescriptor:
+    def __init__(self, type_: APIObfuscationType, func_addr=None, libname_argidx=None, funcname_argidx=None):
+        self.type = type_
+        self.func_addr = func_addr
+        self.libname_argidx = libname_argidx
+        self.funcname_argidx = funcname_argidx
+class Type1AssignmentFinder(CStructuredCodeWalker):
+    def __init__(self, func_addr: int, desc: APIDeobFuncDescriptor):
+        self.func_addr = func_addr
+        self.desc = desc
+        self.assignments: dict[int, tuple[str, str]] = {}
+    def handle_CAssignment(self, obj: CAssignment):
+        if (
+            isinstance(obj.lhs, CVariable)
+            and isinstance(obj.lhs.variable, SimMemoryVariable)
+            and isinstance(obj.lhs.variable.addr, int)
+            and isinstance(obj.rhs, CFunctionCall)
+            and isinstance(obj.rhs.callee_target, CConstant)
+            and obj.rhs.callee_target.value == self.func_addr
+        ):
+            # found it!
+            func_args = obj.rhs.args
+            if self.desc.funcname_argidx < len(func_args) and self.desc.libname_argidx < len(func_args):
+                funcname_arg = func_args[self.desc.funcname_argidx]
+                libname_arg = func_args[self.desc.libname_argidx]
+                if isinstance(funcname_arg, CConstant) and isinstance(libname_arg, CConstant):
+                    # load two strings
+                    funcname, libname = None, None
+                    if funcname_arg.type in funcname_arg.reference_values and isinstance(
+                        funcname_arg.reference_values[funcname_arg.type].content, bytes
+                    ):
+                        funcname = funcname_arg.reference_values[funcname_arg.type].content.decode("utf-8")
+                    if libname_arg.type in libname_arg.reference_values and isinstance(
+                        libname_arg.reference_values[libname_arg.type].content, bytes
+                    ):
+                        libname = libname_arg.reference_values[libname_arg.type].content.decode("utf-8")
+                    if funcname and libname:
+                        if obj.lhs.variable.addr in self.assignments:
+                            if self.assignments[obj.lhs.variable.addr] != (libname, funcname):
+                                _l.warning(
+                                    "Observed more than one assignment for variable at %#x.", obj.lhs.variable.addr
+                                )
+                        else:
+                            self.assignments[obj.lhs.variable.addr] = libname, funcname
+        return super().handle_CAssignment(obj)
+class APIObfuscationFinder(Analysis):
+    """
+    An analysis that automatically finds API "obfuscation" routines.
+    Currently, we support the following API "obfuscation" styles:
+    - sub_A("dll_name", "api_name) where sub_a ends up calling LoadLibrary.
+    """
+    def __init__(self):
+        self.type1_candidates = []
+        self.analyze()
+    def analyze(self):
+        self.type1_candidates = self._find_type1()
+        if self.type1_candidates:
+            for desc in self.type1_candidates:
+                type1_deobfuscated = self._analyze_type1(desc.func_addr, desc)
+                self.kb.obfuscations.type1_deobfuscated_apis.update(type1_deobfuscated)
+    def _find_type1(self):
+        cfg = self.kb.cfgs.get_most_accurate()
+        load_library_funcs = []
+        if "LoadLibraryA" in self.kb.functions:
+            load_library_funcs += list(self.kb.functions.get_by_name("LoadLibraryA"))
+        if "LoadLibraryW" in self.kb.functions:
+            load_library_funcs += list(self.kb.functions.get_by_name("LoadLibraryW"))
+        if "LoadLibrary" in self.kb.functions:
+            load_library_funcs += list(self.kb.functions.get_by_name("LoadLibrary"))
+        load_library_funcs = [func for func in load_library_funcs if func.is_simprocedure]
+        if not load_library_funcs:
+            return None
+        # find callers of each load library func, up to three callers back
+        callgraph = self.kb.functions.callgraph
+        candidates = []
+        for load_library_func in load_library_funcs:
+            subtree = self._build_caller_subtree(callgraph, load_library_func.addr, 3)
+            for _, succs in networkx.bfs_successors(subtree, load_library_func.addr):
+                for succ_addr in succs:
+                    func = self.kb.functions.get_by_addr(succ_addr)
+                    likely, info = self._is_likely_type1_func(func, cfg)
+                    if likely:
+                        candidates.append((func.addr, info))
+        descs = []
+        for func_addr, info in candidates:
+            desc = APIDeobFuncDescriptor(
+                APIObfuscationType.TYPE_1,
+                func_addr=func_addr,
+                libname_argidx=info["libname_arg_idx"],
+                funcname_argidx=info["funcname_arg_idx"],
+            )
+            descs.append(desc)
+        return descs
+    def _is_likely_type1_func(self, func, cfg):
+        if func.prototype is None:
+            return False, None
+        if len(func.prototype.args) < 2:
+            return False, None
+        arch = self.project.arch
+        valid_apiname_charset = {ord(ch) for ch in (string.ascii_letters + string.digits + "._")}
+        # decompile the function to get a prototype with types
+        _ = self.project.analyses.Decompiler(func, cfg=cfg)
+        char_ptr_args = [
+            idx
+            for (idx, arg) in enumerate(func.prototype.args)
+            if isinstance(arg, SimTypePointer) and isinstance(arg.pts_to, SimTypeChar)
+        ]
+        if len(char_ptr_args) != 2:
+            return False, None
+        libname_arg_idx = None
+        funcname_arg_idx = None
+        # who's calling it?
+        caller_addrs = sorted(set(self.kb.functions.callgraph.predecessors(func.addr)))
+        for caller_addr in caller_addrs:
+            # what arguments are used to call this function with?
+            callsite_nodes = [
+                pred
+                for pred in cfg.get_predecessors(cfg.get_any_node(func.addr))
+                if pred.function_address == caller_addr and pred.instruction_addrs
+            ]
+            observation_points = []
+            for callsite_node in callsite_nodes:
+                observation_points.append(("insn", callsite_node.instruction_addrs[-1], ObservationPointType.OP_BEFORE))
+            rda = self.project.analyses.ReachingDefinitions(
+                self.kb.functions[caller_addr],
+                observe_all=False,
+                observation_points=observation_points,
+            )
+            for callsite_node in callsite_nodes:
+                observ = rda.model.get_observation_by_insn(
+                    callsite_node.instruction_addrs[-1],
+                    ObservationPointType.OP_BEFORE,
+                )
+                args: list[tuple[int, Any]] = []
+                for arg_idx, func_arg in enumerate(func.arguments):
+                    # FIXME: We are ignoring all non-register function arguments until we see a test case where
+                    # FIXME: stack-passing arguments are used
+                    if isinstance(func_arg, SimRegArg):
+                        reg_offset, reg_size = arch.registers[func_arg.reg_name]
+                        try:
+                            mv = observ.registers.load(reg_offset, size=reg_size)
+                        except SimMemoryMissingError:
+                            args.append((arg_idx, claripy.BVV(0xDEADBEEF, self.project.arch.bits)))
+                            continue
+                        arg_value = mv.one_value()
+                        if arg_value is None:
+                            arg_value = claripy.BVV(0xDEADBEEF, self.project.arch.bits)
+                        args.append((arg_idx, arg_value))
+                # the args must have at least one concrete address that points to an initialized memory location
+                acceptable_args = True
+                arg_strs: list[tuple[int, str]] = []
+                for idx, arg in args:
+                    if arg is not None and arg.concrete:
+                        v = arg.concrete_value
+                        section = self.project.loader.find_section_containing(v)
+                        if section is not None:
+                            # what string is it?
+                            max_size = min(64, section.max_addr - v)
+                            try:
+                                value = self.project.loader.memory.load(v, max_size)
+                            except KeyError:
+                                acceptable_args = False
+                                break
+                            if b"\x00" in value:
+                                value = value[: value.index(b"\x00")]
+                            if not all(ch in valid_apiname_charset for ch in value):
+                                acceptable_args = False
+                                break
+                            arg_strs.append((idx, value.decode("utf-8")))
+                if acceptable_args:
+                    libname_arg_idx, funcname_arg_idx = None, None
+                    assert len(arg_strs) == 2
+                    for arg_idx, name in arg_strs:
+                        if self.is_libname(name):
+                            libname_arg_idx = arg_idx
+                        elif self.is_apiname(name):
+                            funcname_arg_idx = arg_idx
+                    if libname_arg_idx is not None and funcname_arg_idx is not None:
+                        break
+            if libname_arg_idx is not None and funcname_arg_idx is not None:
+                break
+        if libname_arg_idx is not None and funcname_arg_idx is not None:
+            return True, {"libname_arg_idx": libname_arg_idx, "funcname_arg_idx": funcname_arg_idx}
+        return False, None
+    def _analyze_type1(self, func_addr, desc: APIDeobFuncDescriptor) -> dict[int, tuple[str, str]]:
+        cfg = self.kb.cfgs.get_most_accurate()
+        assignments: dict[int, tuple[str, str]] = {}
+        # get all call sites
+        caller_addrs = sorted(set(self.kb.functions.callgraph.predecessors(func_addr)))
+        for caller_addr in caller_addrs:
+            # decompile the function and get all assignments of the return value of the func at func_addr
+            try:
+                dec = self.project.analyses.Decompiler(self.kb.functions.get_by_addr(caller_addr), cfg=cfg)
+            except Exception:  # pylint:disable=broad-exception-caught
+                continue
+            if dec.codegen is None:
+                continue
+            finder = Type1AssignmentFinder(func_addr, desc)
+            finder.handle(dec.codegen.cfunc)
+            duplicate_addrs = set(assignments.keys()).intersection(set(finder.assignments.keys()))
+            if duplicate_addrs:
+                # duplicate entries
+                _l.warning(
+                    "Observed duplicate assignments at the following addresses: %s.",
+                    str(map(hex, sorted(duplicate_addrs))),  # pylint:disable=bad-builtin
+                )
+            assignments.update(finder.assignments)
+        return assignments
+    @staticmethod
+    def _build_caller_subtree(callgraph: networkx.DiGraph, func_addr: int, max_level: int) -> networkx.DiGraph:
+        tree = networkx.DiGraph()
+        if func_addr not in callgraph:
+            return tree
+        queue = [(0, func_addr)]
+        traversed = {func_addr}
+        while queue:
+            level, addr = queue.pop(0)
+            for pred in callgraph.predecessors(addr):
+                if pred not in traversed and level + 1 <= max_level:
+                    traversed.add(pred)
+                    queue.append((level + 1, pred))
+                    tree.add_edge(addr, pred)
+        return tree
+    @staticmethod
+    def is_libname(name: str) -> bool:
+        name = name.lower()
+        if name in SIM_LIBRARIES:
+            return True
+        if "." not in name:
+            return name + ".dll" in SIM_LIBRARIES or name + ".exe" in SIM_LIBRARIES
+        return False
+    @staticmethod
+    def is_apiname(name: str) -> bool:
+        return any(not isinstance(lib, SimSyscallLibrary) and lib.has_prototype(name) for lib in SIM_LIBRARIES.values())
+AnalysesHub.register_default("APIObfuscationFinder", APIObfuscationFinder)

angr/analyses/deobfuscator/api_obf_peephole_optimizer.py ADDED Viewed

@@ -0,0 +1,51 @@
+from __future__ import annotations
+from ailment.expression import Const, Load
+from angr import SIM_LIBRARIES
+from angr.calling_conventions import default_cc
+from angr.analyses.decompiler.peephole_optimizations.base import PeepholeOptimizationExprBase
+from angr.analyses.decompiler.peephole_optimizations import EXPR_OPTS
+class APIObfType1PeepholeOptimizer(PeepholeOptimizationExprBase):
+    """
+    Integrate type-1 deobfuscated API into decompilation output.
+    """
+    __slots__ = ()
+    NAME = "Simplify Type 1 API obfuscation references"
+    expr_classes = (Load,)
+    def optimize(self, expr: Load, **kwargs):
+        if (
+            isinstance(expr.addr, Const)
+            and (expr.addr.value in self.kb.obfuscations.type1_deobfuscated_apis)
+            and expr.bits == self.project.arch.bits
+        ):
+            # this is actually a function calling a known API
+            # replace it with the actual API and the actual arguments
+            _, funcname = self.kb.obfuscations.type1_deobfuscated_apis[expr.addr.value]
+            if funcname not in self.kb.functions:
+                # assign a new function on-demand
+                symbol = self.project.loader.extern_object.make_extern(funcname)
+                hook_addr = self.project.hook_symbol(
+                    symbol.rebased_addr, SIM_LIBRARIES["linux"].get_stub(funcname, self.project.arch)
+                )
+                func = self.kb.functions.function(addr=hook_addr, name=funcname, create=True)
+                func.is_simprocedure = True
+                default_cc_kwargs = {}
+                if self.project.simos is not None:
+                    default_cc_kwargs["platform"] = self.project.simos.name
+                default_cc_cls = default_cc(self.project.arch.name, **default_cc_kwargs)
+                if default_cc_cls is not None:
+                    func.calling_convention = default_cc_cls(self.project.arch)
+                func.find_declaration(ignore_binary_name=True)
+            else:
+                func = self.kb.functions[funcname]
+            return Const(expr.idx, None, func.addr, self.project.arch.bits, **expr.tags)
+        return None
+EXPR_OPTS.append(APIObfType1PeepholeOptimizer)

angr/analyses/deobfuscator/irsb_reg_collector.py ADDED Viewed

@@ -0,0 +1,85 @@
+# pylint:disable=no-self-use,unused-argument,attribute-defined-outside-init
+from __future__ import annotations
+import pyvex
+from angr.engines.light import SimEngineLightVEXMixin
+class IRSBRegisterCollector(SimEngineLightVEXMixin):
+    """
+    Scan the VEX IRSB to collect all registers that are read.
+    """
+    def __init__(self, block, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.block = block
+        self.reg_reads: set[tuple[int, int]] = set()
+    def process(self):
+        self.tmps = {}
+        self.tyenv = self.block.vex.tyenv
+        self._process_Stmt()
+        self.stmt_idx = None
+        self.ins_addr = None
+    def _handle_Put(self, stmt):
+        pass
+    def _handle_Load(self, expr):
+        pass
+    def _handle_Store(self, stmt):
+        pass
+    def _handle_LoadG(self, stmt):
+        pass
+    def _handle_LLSC(self, stmt: pyvex.IRStmt.LLSC):
+        pass
+    def _handle_StoreG(self, stmt):
+        pass
+    def _handle_Get(self, expr: pyvex.IRExpr.Get):
+        self.reg_reads.add((expr.offset, expr.result_size(self.tyenv)))
+    def _handle_RdTmp(self, expr):
+        pass
+    def _handle_Conversion(self, expr: pyvex.IRExpr.Unop):
+        pass
+    def _handle_16HLto32(self, expr):
+        pass
+    def _handle_Cmp_v(self, expr, _vector_size, _vector_count):
+        pass
+    _handle_CmpEQ_v = _handle_Cmp_v
+    _handle_CmpNE_v = _handle_Cmp_v
+    _handle_CmpLE_v = _handle_Cmp_v
+    _handle_CmpLT_v = _handle_Cmp_v
+    _handle_CmpGE_v = _handle_Cmp_v
+    _handle_CmpGT_v = _handle_Cmp_v
+    def _handle_ExpCmpNE64(self, expr):
+        pass
+    def _handle_CCall(self, expr):
+        pass
+    def _handle_function(self, func_addr):
+        pass
+    def _handle_Unop(self, expr):
+        pass
+    def _handle_Binop(self, expr: pyvex.IRExpr.Binop):
+        pass
+    def _handle_Triop(self, expr: pyvex.IRExpr.Triop):
+        pass