angr 9.2.124__py3-none-macosx_11_0_arm64.whl → 9.2.126__py3-none-macosx_11_0_arm64.whl

angr/analyses/deobfuscator/string_obf_opt_passes.py

@@ -0,0 +1,133 @@
+# pylint:disable=too-many-boolean-expressions
+from __future__ import annotations
+
+import archinfo
+
+from ailment import Block
+from ailment.statement import Statement, Call, Assignment
+from ailment.expression import Const, Register, VirtualVariable
+
+from angr.analyses.decompiler.optimization_passes.optimization_pass import OptimizationPass, OptimizationPassStage
+from angr.analyses.decompiler.optimization_passes import register_optimization_pass
+
+WIN64_REG_ARGS = {
+    archinfo.ArchAMD64().registers["rcx"][0],
+    archinfo.ArchAMD64().registers["rdx"][0],
+    archinfo.ArchAMD64().registers["r8"][0],
+    archinfo.ArchAMD64().registers["r9"][0],
+}
+
+
+class StringObfType3Rewriter(OptimizationPass):
+    """
+    Type-3 optimization pass replaces deobfuscate_string calls with the deobfuscated strings, and then removes
+    arguments on the stack.
+    """
+
+    ARCHES = ["X86", "AMD64"]
+    PLATFORMS = ["windows"]
+    STAGE = OptimizationPassStage.AFTER_MAKING_CALLSITES
+
+    NAME = "Simplify Type 3 string deobfuscation calls"
+    DESCRIPTION = "Simplify Type 3 string deobfuscation calls"
+    stmt_classes = ()
+
+    def __init__(self, func, **kwargs):
+        super().__init__(func, **kwargs)
+
+        self.analyze()
+
+    def _check(self):
+        if self.kb.obfuscations.type3_deobfuscated_strings:
+            return True, None
+        return False, None
+
+    @staticmethod
+    def is_call_or_call_assignment(stmt) -> bool:
+        return isinstance(stmt, Call) or isinstance(stmt, Assignment) and isinstance(stmt.src, Call)
+
+    def _analyze(self, cache=None):
+
+        # find all blocks with type-3 deobfuscation calls
+        for block in list(self._graph):
+            if not block.statements:
+                continue
+            last_stmt = block.statements[-1]
+            if (
+                self.is_call_or_call_assignment(last_stmt)
+                and last_stmt.ins_addr in self.kb.obfuscations.type3_deobfuscated_strings
+            ):
+                new_block = self._process_block(
+                    block, self.kb.obfuscations.type3_deobfuscated_strings[block.statements[-1].ins_addr]
+                )
+                if new_block is not None:
+                    self._update_block(block, new_block)
+
+    def _process_block(self, block: Block, deobf_content: bytes):
+        # FIXME: This rewriter is very specific to the implementation of the deobfuscation scheme. we can make it more
+        # generic when there are more cases available in the wild.
+
+        # TODO: Support multiple blocks
+
+        # replace the call
+        old_stmt: Statement = block.statements[-1]
+        str_id = self.kb.custom_strings.allocate(deobf_content)
+        old_call: Call = old_stmt.src if isinstance(old_stmt, Assignment) else old_stmt
+        new_call = Call(
+            old_call.idx,
+            "init_str",
+            args=[
+                old_call.args[0],
+                Const(None, None, str_id, self.project.arch.bits, custom_string=True),
+                Const(None, None, len(deobf_content), self.project.arch.bits),
+            ],
+            ret_expr=old_call.ret_expr,
+            bits=old_call.bits,
+            **old_call.tags,
+        )
+        if isinstance(old_stmt, Assignment):
+            new_stmt = Assignment(old_stmt.idx, old_stmt.dst, new_call, **old_stmt.tags)
+        else:
+            new_stmt = new_call
+
+        statements = block.statements[:-1] + [new_stmt]
+
+        # remove N-2 continuous stack assignment
+        if len(deobf_content) > 2:
+            stack_offset_to_stmtid: dict[int, int] = {}
+            for idx, stmt in enumerate(statements):
+                if (
+                    isinstance(stmt, Assignment)
+                    and isinstance(stmt.dst, VirtualVariable)
+                    and stmt.dst.was_stack
+                    and isinstance(stmt.dst.stack_offset, int)
+                    and isinstance(stmt.src, Const)
+                    and stmt.src.value <= 0xFF
+                ):
+                    stack_offset_to_stmtid[stmt.dst.stack_offset] = idx
+            sorted_offsets = sorted(stack_offset_to_stmtid)
+            if sorted_offsets:
+                spacing = 8  # FIXME: Make it adjustable
+                distance = min(len(deobf_content) - 2, len(sorted_offsets) - 1)
+                for start_idx in range(len(sorted_offsets) - distance):
+                    if sorted_offsets[start_idx] + spacing * distance == sorted_offsets[start_idx + distance]:
+                        # found them
+                        # remove these statements
+                        for i in range(start_idx, start_idx + distance + 1):
+                            statements[stack_offset_to_stmtid[sorted_offsets[i]]] = None
+                        break
+                statements = [stmt for stmt in statements if stmt is not None]
+
+        # remove writes to rdx, rcx, r8, and r9
+        if self.project.arch.name == "AMD64":
+            statements = [stmt for stmt in statements if not self._stmt_sets_win64_reg_arg(stmt)]
+
+        # return the new block
+        return block.copy(statements=statements)
+
+    @staticmethod
+    def _stmt_sets_win64_reg_arg(stmt) -> bool:
+        return isinstance(stmt, Assignment) and isinstance(stmt.dst, Register) and stmt.dst.reg_offset in WIN64_REG_ARGS
+
+
+register_optimization_pass(StringObfType3Rewriter, presets=["fast", "full"])

angr/analyses/deobfuscator/string_obf_peephole_optimizer.py

@@ -0,0 +1,47 @@
+from __future__ import annotations
+from ailment.statement import Call
+from ailment.expression import Const
+import claripy
+
+from angr.analyses.decompiler.peephole_optimizations.base import PeepholeOptimizationExprBase
+from angr.analyses.decompiler.peephole_optimizations import EXPR_OPTS
+from angr.errors import AngrCallableMultistateError
+
+
+class StringObfType1PeepholeOptimizer(PeepholeOptimizationExprBase):
+    """
+    Integrate type-1 deobfuscated strings into decompilation output.
+    """
+
+    __slots__ = ()
+
+    NAME = "Simplify Type 1/2 string deobfuscation references"
+    expr_classes = (Call,)
+
+    def optimize(self, expr: Call, **kwargs):
+        if isinstance(expr.target, Const) and (  # noqa: SIM102
+            expr.target.value in self.kb.obfuscations.type1_string_loader_candidates
+            or expr.target.value in self.kb.obfuscations.type2_string_loader_candidates
+        ):
+            # this is a function calling a type1 or a type2 string loader
+            # optimize this call away if possible
+            if expr.args and all(isinstance(arg, Const) for arg in expr.args):
+                # execute the function with the given argument
+                func = self.kb.functions[expr.target.value]
+                func_call = self.project.factory.callable(
+                    expr.target.value, concrete_only=True, cc=func.calling_convention, prototype=func.prototype
+                )
+                try:
+                    out = func_call(*[claripy.BVV(arg.value, arg.bits) for arg in expr.args])
+                except AngrCallableMultistateError:
+                    return None
+
+                if out.concrete:
+                    return Const(
+                        None, None, out.concrete_value, self.project.arch.bits, **expr.tags
+                    )  # FIXME: use out.bits when the function prototype recovery is more reliable
+
+        return None
+
+
+EXPR_OPTS.append(StringObfType1PeepholeOptimizer)

angr/analyses/patchfinder.py

@@ -0,0 +1,137 @@
+# pylint:disable=missing-class-docstring
+from __future__ import annotations
+import logging
+from typing import TYPE_CHECKING
+from collections import defaultdict
+from dataclasses import dataclass
+
+from sortedcontainers import SortedDict
+
+from angr.analyses import Analysis, AnalysesHub
+from angr.utils.bits import ffs
+
+if TYPE_CHECKING:
+    from angr.knowledge_plugins import Function
+
+
+log = logging.getLogger(__name__)
+
+
+class OverlappingFunctionsAnalysis(Analysis):
+    """
+    Identify functions with interleaved blocks.
+    """
+
+    overlapping_functions: dict[int, list[int]]
+
+    def __init__(self):
+        self.overlapping_functions = defaultdict(list)
+        addr_to_func_max_addr = SortedDict()
+
+        for func in self.project.kb.functions.values():
+            if func.is_alignment:
+                continue
+            func_max_addr = max((block.addr + block.size) for block in func.blocks)
+            addr_to_func_max_addr[func.addr] = (func, func_max_addr)
+
+        for idx, (addr, (func, max_addr)) in enumerate(addr_to_func_max_addr.items()):
+            for other_addr in addr_to_func_max_addr.islice(idx + 1):
+                if other_addr >= max_addr:
+                    break
+
+                self.overlapping_functions[addr].append(other_addr)
+
+
+class FunctionAlignmentAnalysis(Analysis):
+    """
+    Determine typical function alignment
+    """
+
+    alignment: int | None
+
+    def __init__(self):
+        self.alignment = None
+
+        if len(self.project.kb.functions) == 0:
+            if self.project.kb.cfgs.get_most_accurate() is None:
+                log.warning("Please run CFGFast analysis first, to identify functions")
+            return
+
+        alignment_bins = defaultdict(int)
+        count = 0
+        for func in self.project.kb.functions.values():
+            if not (func.is_alignment or func.is_plt or func.is_simprocedure):
+                alignment_bins[ffs(func.addr)] += 1
+                count += 1
+
+        # FIXME: Higher alignment values will be naturally aligned
+
+        typical_alignment = max(alignment_bins, key=lambda k: alignment_bins[k])
+        if count > 10 and alignment_bins[typical_alignment] >= count / 4:  # XXX: cutoff
+            self.alignment = 1 << max(typical_alignment, 0)
+            log.debug("Function alignment appears to be %d bytes", self.alignment)
+
+
+@dataclass
+class AtypicallyAlignedFunction:
+    function: Function
+    expected_alignment: int
+
+
+@dataclass
+class PatchedOutFunctionality:
+    patched_function: Function
+    patched_out_function: Function
+
+
+class PatchFinderAnalysis(Analysis):
+    """
+    Looks for binary patches using some basic heuristics:
+    - Looking for interleaved functions
+    - Looking for unaligned functions
+    """
+
+    # FIXME: Possible additional heuristics:
+    # - Jumps out to end of function, then back
+    # - Looking for patch jumps, e.g. push <addr>; ret
+    # - Looking for instruction partials broken by a patch (nodecode)
+    # - Unusual stack manipulation
+
+    atypical_alignments: list[Function]
+    possibly_patched_out: list[PatchedOutFunctionality]
+
+    def __init__(self):
+        self.atypical_alignments = []
+        self.possibly_patched_out = []
+
+        if len(self.project.kb.functions) == 0:
+            if self.project.kb.cfgs.get_most_accurate() is None:
+                log.warning("Please run CFGFast analysis first, to identify functions")
+            return
+
+        # In CFGFast with scanning enabled, a function may be created from unreachable blocks within another function.
+        # Search for interleaved/overlapping functions to identify possible patches.
+        overlapping_functions = self.project.analyses.OverlappingFunctions().overlapping_functions
+        for addr, overlapping_func_addrs in overlapping_functions.items():
+            func = self.project.kb.functions[addr]
+
+            # Are the overlapping functions reachable?
+            for overlapping_addr in overlapping_func_addrs:
+                overlapping_func = self.project.kb.functions[overlapping_addr]
+                if self.project.kb.callgraph.in_degree(overlapping_addr) == 0:
+                    self.possibly_patched_out.append(PatchedOutFunctionality(func, overlapping_func))
+                    # FIXME: What does the patch do?
+
+        # Look for unaligned functions
+        expected_alignment = self.project.analyses.FunctionAlignment().alignment
+        if expected_alignment is not None and expected_alignment > self.project.arch.instruction_alignment:
+            for func in self.project.kb.functions.values():
+                if not (func.is_alignment or func.is_plt or func.is_simprocedure) and func.addr & (
+                    expected_alignment - 1
+                ):
+                    self.atypical_alignments.append(AtypicallyAlignedFunction(func, expected_alignment))
+
+
+AnalysesHub.register_default("OverlappingFunctions", OverlappingFunctionsAnalysis)
+AnalysesHub.register_default("FunctionAlignment", FunctionAlignmentAnalysis)
+AnalysesHub.register_default("PatchFinder", PatchFinderAnalysis)

angr/analyses/pathfinder.py

@@ -0,0 +1,282 @@
+# pylint:disable=missing-class-docstring
+from __future__ import annotations
+from enum import Enum, auto
+from dataclasses import dataclass
+from weakref import ref
+from collections import defaultdict
+
+from networkx import DiGraph
+from networkx.algorithms.shortest_paths import single_target_shortest_path_length
+
+from angr.sim_state import SimState
+from angr.engines.successors import SimSuccessors
+from angr.knowledge_plugins.cfg import CFGModel, CFGNode
+from .analysis import Analysis, AnalysesHub
+
+
+class Unreachable(Exception):
+    pass
+
+
+@dataclass(eq=False)
+class SimStateMarker:
+    addr: int
+    parent: SimStateMarker | None = None
+    banned: bool = False
+    misses: int = 0
+
+    def __repr__(self):
+        inner_repr = "None" if self.parent is None else "..."
+        return f"SimStateMarker(addr={self.addr:#x}, parent={inner_repr}, banned={self.banned}, misses={self.misses})"
+
+
+class SuccessorsKind(Enum):
+    SAT = auto()
+    UNSAT = auto()
+    MISSING = auto()
+
+
+@dataclass
+class TestPathReport:
+    path_markers: dict[int, SimStateMarker]
+    termination: SuccessorsKind
+
+
+def nilref():
+    return None
+
+
+class Pathfinder(Analysis):
+    def __init__(self, start_state: SimState, goal_addr: int, cfg: CFGModel, cache_size=10000):
+        self.start_state = start_state
+        self.goal_addr = goal_addr
+        self.goal_state: SimState | None = None
+        self.cfg = cfg
+        self.cache_size = cache_size
+
+        # HACK HACK HACK HACK TODO FIXME FISH PLEASE GET RID OF THIS
+        extra_edges = []
+        for node in self.cfg.graph.nodes:
+            if node.is_syscall:
+                for pred in self.cfg.graph.pred[node]:
+                    for succ, data in self.cfg.graph.succ[pred].items():
+                        if data["jumpkind"] == "Ijk_FakeRet":
+                            extra_edges.append((node, succ))
+        for node, succ in extra_edges:
+            self.cfg.graph.add_edge(node, succ, jumpkind="Ijk_Ret")
+
+        goal_node = self.cfg.get_any_node(goal_addr)
+        if goal_node is None:
+            raise ValueError(f"Node {goal_addr:#x} is not in graph")
+
+        self.start_marker = SimStateMarker(start_state.addr)
+        self.transition_cache: DiGraph[SimStateMarker] = DiGraph()
+        self.transition_cache.add_node(self.start_marker, state=ref(start_state))
+        self.base_heuristic: dict[int, int] = {
+            node.addr: dist for node, dist in single_target_shortest_path_length(cfg.graph, goal_node)
+        }
+        self.state_cache = {}
+        self.unsat_markers = set()
+        self.extra_weight = defaultdict(int)
+
+        self._search_frontier_marker = self.start_marker
+        self._search_path: list[tuple[int, str]] = [(self.start_marker.addr, "Ijk_Boring")]
+        self._search_stack = []
+        self._search_backtrack_to = {self.start_marker}
+        self._search_address_backtrack_points = {self.start_marker.addr: self.start_marker}
+
+    def cache_state(self, state: SimState):
+        self.state_cache[state] = self.state_cache.pop(state, None)
+        if len(self.state_cache) > self.cache_size:
+            self.state_cache.pop(next(iter(self.state_cache)))
+
+    def marker_to_state(self, marker: SimStateMarker) -> SimState | None:
+        return self.transition_cache.nodes[marker]["state"]()
+
+    def analyze(self) -> bool:
+        while True:
+            search_path = self.find_best_hypothesis_path()
+            result = self.test_path(search_path)
+            if result.termination == SuccessorsKind.SAT:
+                self.goal_state = self.marker_to_state(result.path_markers[len(search_path) - 1])
+                return True
+            marker = result.path_markers[max(result.path_markers)]
+            marker.banned = True
+            self._search_backtrack_to.add(marker)
+            if result.termination == SuccessorsKind.UNSAT:
+                self.unsat_markers.add(marker)
+
+    def _search_backtrack(self):
+        if self._search_address_backtrack_points[self._search_frontier_marker.addr] is self._search_frontier_marker:
+            self._search_address_backtrack_points.pop(self._search_frontier_marker.addr)
+
+        self._search_frontier_marker = self._search_frontier_marker.parent
+        if self._search_frontier_marker is None:
+            raise Unreachable
+
+        addr, jumpkind = self._search_path.pop()
+        if jumpkind == "Ijk_Ret":
+            self._search_stack.append(addr)
+        elif jumpkind == "Ijk_Call" or jumpkind.startswith("Ijk_Sys"):
+            self._search_stack.pop()
+
+    def find_best_hypothesis_path(self) -> tuple[int, ...]:
+        assert self._search_backtrack_to, "Uhh every iteration should set at least one backtrack point"
+        if self.start_marker in self._search_backtrack_to:
+            self._search_frontier_marker = self.start_marker
+            self._search_path: list[tuple[int, str]] = [(self.start_marker.addr, "Ijk_Boring")]
+            self._search_stack = []
+            self._search_backtrack_to = set()
+        else:
+            while self._search_backtrack_to:
+                self._search_backtrack_to.discard(self._search_frontier_marker)
+                try:
+                    self._search_backtrack()
+                except Unreachable as e:
+                    raise RuntimeError("oops") from e
+
+        while self._search_path[-1][0] != self.goal_addr:
+            banned = {
+                marker.addr for marker in self.transition_cache.succ[self._search_frontier_marker] if marker.banned
+            }
+            current_node = self.cfg.get_any_node(self._search_path[-1][0])
+            options = [
+                (node, data["jumpkind"], self.base_heuristic[node.addr] + self.extra_weight[node.addr])
+                for node, data in self.cfg.graph.succ[current_node].items()
+                if data["jumpkind"] != "Ijk_FakeRet"
+                and node.addr not in banned
+                and node.addr in self.base_heuristic
+                and (data["jumpkind"] != "Ijk_Ret" or node.addr == self._search_stack[-1])
+            ]
+            if not options:
+                # backtrack
+                self._search_frontier_marker.banned = True
+                self._search_backtrack()
+                continue
+
+            best_node, best_jumpkind, best_weight = min(
+                options,
+                default=(None, None),
+                key=lambda xyz: xyz[2],
+            )
+
+            assert isinstance(best_jumpkind, str)
+            assert isinstance(best_node, CFGNode)
+            self.extra_weight[best_node.addr] += 1
+            self._search_path.append((best_node.addr, best_jumpkind))
+
+            if best_jumpkind == "Ijk_Call" or best_jumpkind.startswith("Ijk_Sys"):
+                self._search_stack.append(
+                    next(
+                        iter(
+                            node.addr
+                            for node, data in self.cfg.graph.succ[current_node].items()
+                            if data["jumpkind"] == "Ijk_FakeRet"
+                        ),
+                        None,
+                    )
+                )
+            elif best_jumpkind == "Ijk_Ret":
+                self._search_stack.pop()
+
+            frontier_marker_nullable = next(
+                (
+                    marker
+                    for marker in self.transition_cache.succ[self._search_frontier_marker]
+                    if marker.addr == best_node.addr
+                ),
+                None,
+            )
+            if frontier_marker_nullable is None:
+                new_marker = SimStateMarker(best_node.addr, self._search_frontier_marker)
+                self.transition_cache.add_node(new_marker, state=nilref)
+                self.transition_cache.add_edge(self._search_frontier_marker, new_marker)
+                self._search_frontier_marker = new_marker
+            else:
+                self._search_frontier_marker = frontier_marker_nullable
+
+            if self._search_frontier_marker.addr not in self._search_address_backtrack_points:
+                self._search_address_backtrack_points[self._search_frontier_marker.addr] = self._search_frontier_marker
+
+            # TODO does this go above the above stanza?
+            if sum(weight == best_weight for _, _, weight in options) != 1:
+                self._search_backtrack_to.add(self._search_address_backtrack_points[self._search_frontier_marker.addr])
+
+        return tuple(addr for addr, _ in self._search_path)
+
+    def diagnose_unsat(self, state: SimState):
+        pass
+
+    def test_path(self, bbl_addr_trace: tuple[int, ...]) -> TestPathReport:
+        assert bbl_addr_trace[0] == self.start_marker.addr, "Paths must begin with the start state"
+
+        known_markers = [self.start_marker]
+        for addr in bbl_addr_trace[1:]:
+            for succ in self.transition_cache.succ[known_markers[-1]]:
+                if succ.addr == addr:
+                    break
+            else:
+                break
+            known_markers.append(succ)
+
+        marker = None
+        for ri, marker_ in enumerate(reversed(known_markers)):
+            i = len(known_markers) - 1 - ri
+            state: SimState = self.transition_cache.nodes[marker_]["state"]()
+            marker = marker_
+            if state is not None:
+                break
+        else:
+            assert False, "The first item in known_markers should always have a resolvable weakref"
+
+        while i != len(bbl_addr_trace) - 1:
+            assert state.addr == bbl_addr_trace[i]
+
+            marker.misses += 1
+            successors = state.step(strict_block_end=True)
+            succ, kind = find_successor(successors, bbl_addr_trace[i + 1])
+
+            # cache state
+            if i + 1 < len(known_markers):
+                succ_marker = known_markers[i + 1]
+            else:
+                succ_marker = SimStateMarker(bbl_addr_trace[i + 1], parent=marker)
+                self.transition_cache.add_node(succ_marker)
+            self.transition_cache.add_edge(marker, succ_marker)
+            self.transition_cache.nodes[succ_marker]["state"] = ref(succ) if succ is not None else nilref
+            if succ is not None:
+                self.cache_state(succ)
+
+            if kind == SuccessorsKind.SAT:
+                assert succ is not None
+                state = succ
+                marker = succ_marker
+                i += 1
+                continue
+            if kind == SuccessorsKind.UNSAT:
+                assert succ is not None
+                return TestPathReport(
+                    path_markers={i: marker, i + 1: succ_marker},
+                    termination=SuccessorsKind.UNSAT,
+                )
+            return TestPathReport(path_markers={i: marker, i + 1: succ_marker}, termination=SuccessorsKind.MISSING)
+
+        return TestPathReport(path_markers={i: marker}, termination=SuccessorsKind.SAT)
+
+
+def find_successor(successors: SimSuccessors, target_addr: int) -> tuple[SimState | None, SuccessorsKind]:
+    for succ in successors.flat_successors:
+        if succ.addr == target_addr:
+            return succ, SuccessorsKind.SAT
+    for succ in successors.unsat_successors:
+        if succ.addr == target_addr:
+            return succ, SuccessorsKind.UNSAT
+    for succ in successors.unconstrained_successors:
+        succ2 = succ.copy()
+        succ2.add_constraints(succ2._ip == target_addr)
+        if succ2.satisfiable():
+            return succ2, SuccessorsKind.SAT
+    return None, SuccessorsKind.MISSING
+
+
+AnalysesHub.register_default("Pathfinder", Pathfinder)

angr/analyses/reaching_definitions/function_handler_library/stdio.py

@@ -197,6 +197,11 @@ def handle_printf(
             buf_data = state.get_values(buf_atoms)
             if buf_data is not None:
                 buf_data = buf_data.extract(0, len(buf_data) // 8 - 1, archinfo.Endness.BE)
+            else:
+                top_val = state.top(state.arch.bits)
+                for defn in state.get_definitions(atom):
+                    top_val = state.annotate_with_def(top_val, defn)
+                buf_data = MultiValues(top_val)
         elif fmt == "%u":
             buf_atoms = atom
             buf_data = state.get_concrete_value(buf_atoms)
@@ -217,7 +222,9 @@ def handle_printf(
         else:
             _l.warning("Unimplemented printf format string %s", fmt)
             buf_atoms = set()
-            buf_data = None
+            top_val = state.top(state.arch.bits)
+            buf_data = MultiValues(top_val)
+
         if result is not None and buf_data is not None:
             result = result.concat(buf_data)
         source_atoms.update(buf_atoms)