angr 9.2.124__py3-none-macosx_11_0_arm64.whl → 9.2.126__py3-none-macosx_11_0_arm64.whl

angr/analyses/smc.py

@@ -0,0 +1,159 @@
+from __future__ import annotations
+import logging
+import random
+
+from enum import auto, IntFlag
+from collections.abc import Generator
+
+import angr
+from angr.analyses import Analysis, AnalysesHub
+from angr.knowledge_plugins import Function
+from angr.sim_state import SimState
+
+from angr.utils.tagged_interval_map import TaggedIntervalMap
+
+
+log = logging.getLogger(__name__)
+log.setLevel(logging.INFO)
+
+
+class TraceActions(IntFlag):
+    """
+    Describe memory access actions.
+    """
+
+    WRITE = auto()
+    EXECUTE = auto()
+
+
+class TraceClassifier:
+    """
+    Classify traces.
+    """
+
+    def __init__(self, state: SimState | None = None):
+        self.map = TaggedIntervalMap()
+        if state:
+            self.instrument(state)
+
+    def act_mem_write(self, state) -> None:
+        """
+        SimInspect callback for memory writes.
+        """
+        addr = state.solver.eval(state.inspect.mem_write_address)
+        length = state.inspect.mem_write_length
+        if not isinstance(length, int):
+            length = state.solver.eval(length)
+        self.map.add(addr, length, TraceActions.WRITE)
+
+    def act_instruction(self, state) -> None:
+        """
+        SimInspect callback for instruction execution.
+        """
+        addr = state.inspect.instruction
+        if addr is None:
+            log.warning("Symbolic addr")
+            return
+
+        # FIXME: Ensure block size is correct
+        self.map.add(addr, state.block().size, TraceActions.EXECUTE)
+
+    def instrument(self, state) -> None:
+        """
+        Instrument `state` for tracing.
+        """
+        state.inspect.b("mem_write", when=angr.BP_BEFORE, action=self.act_mem_write)
+        state.inspect.b("instruction", when=angr.BP_BEFORE, action=self.act_instruction)
+
+    def get_smc_address_and_lengths(self) -> Generator[tuple[int, int]]:
+        """
+        Evaluate the trace to find which areas of memory were both written to and executed.
+        """
+        smc_flags = TraceActions.WRITE | TraceActions.EXECUTE
+        for addr, size, flags in self.map.irange():
+            if (flags & smc_flags) == smc_flags:
+                yield (addr, size)
+
+    def determine_smc(self) -> bool:
+        """
+        Evaluate the trace to find areas of memory that were both written to and executed.
+        """
+        return any(self.get_smc_address_and_lengths())
+
+    def pp(self):
+        for a, b, c in self.map.irange():
+            print(f"{a:8x} {b} {c}")
+
+
+class SelfModifyingCodeAnalysis(Analysis):
+    """
+    Determine if some piece of code is self-modifying.
+
+    This determination is made by simply executing. If an address is executed
+    that is also written to, the code is determined to be self-modifying. The
+    determination is stored in the `result` property. The `regions` property
+    contains a list of (addr, length) regions that were both written to and
+    executed.
+    """
+
+    result: bool
+    regions: list[tuple[int, int]]
+
+    def __init__(self, subject: None | int | str | Function, max_bytes: int = 0, state: SimState | None = None):
+        """
+        :param subject: Subject of analysis
+        :param max_bytes: Maximum number of bytes from subject address. 0 for no limit (default).
+        :param state: State to begin executing from from.
+        """
+        assert self.project.selfmodifying_code
+
+        if subject is None:
+            subject = self.project.entry
+        if isinstance(subject, str):
+            try:
+                addr = self.project.kb.labels.lookup(subject)
+            except KeyError:
+                addr = self.project.kb.functions[subject].addr
+        elif isinstance(subject, Function):
+            addr = subject.addr
+        elif isinstance(subject, int):
+            addr = subject
+        else:
+            raise ValueError("Not a supported subject")
+
+        if state is None:
+            init_state = self.project.factory.call_state(addr)
+        else:
+            init_state = state.copy()
+            init_state.regs.pc = addr
+
+        init_state.options -= angr.sim_options.simplification
+
+        self._trace_classifier = TraceClassifier(init_state)
+        simgr = self.project.factory.simgr(init_state)
+
+        kwargs = {}
+        if max_bytes:
+            kwargs["filter_func"] = lambda s: (
+                "active" if s.solver.eval(addr <= s.regs.pc) and s.solver.eval(s.regs.pc < addr + max_bytes) else "oob"
+            )
+
+        # FIXME: Early out on SMC detect
+        # FIXME: Configurable step threshold
+        # FIXME: Loop analysis
+
+        for n in range(100):
+            self._update_progress(n)
+            simgr.step(n=3)
+            random.shuffle(simgr.active)
+            simgr.split(from_stash="active", to_stash=simgr.DROP, limit=10)
+
+        # Classify any out of bound entrypoints
+        for state_ in simgr.stashes["oob"]:
+            self._trace_classifier.act_instruction(state_)
+
+        self.regions = list(self._trace_classifier.get_smc_address_and_lengths())
+        self.result = len(self.regions) > 0
+
+
+AnalysesHub.register_default("SMC", SelfModifyingCodeAnalysis)

angr/analyses/unpacker/__init__.py

@@ -0,0 +1,6 @@
+from __future__ import annotations
+from .packing_detector import PackingDetector
+from .obfuscation_detector import ObfuscationDetector
+
+
+__all__ = ("PackingDetector", "ObfuscationDetector")

angr/analyses/unpacker/obfuscation_detector.py

@@ -0,0 +1,103 @@
+from __future__ import annotations
+import logging
+
+import networkx
+
+from angr.analyses.analysis import Analysis, AnalysesHub
+from angr.knowledge_plugins.cfg import CFGModel
+
+_l = logging.getLogger(__name__)
+
+
+class ObfuscationDetector(Analysis):
+    """
+    This analysis detects, usually in ways that are more robust than section name matching or signature matching, the
+    existence of obfuscation techniques in a binary.
+    """
+
+    def __init__(self, cfg: CFGModel | None = None):
+        self.obfuscated: bool = False
+        self.possible_obfuscators: list[str] = []
+
+        if cfg is None:
+            _l.warning(
+                "PackingDetector is using a most accurate CFG model in the knowledge base. We assume it is "
+                "generated with force_smart_scan=False and force_complete_scan=False."
+            )
+            self._cfg = self.kb.cfgs.get_most_accurate()
+        else:
+            self._cfg = cfg
+
+        self.analyze()
+
+    def analyze(self):
+
+        analysis_routines = [
+            self._analyze_vmprotect,
+        ]
+
+        for routine in analysis_routines:
+            tool = routine()
+            if tool:
+                self.obfuscated = True
+                self.possible_obfuscators.append(tool)
+
+    def _analyze_vmprotect(self) -> str | None:
+        """
+        We detect VMProtect v3 (with control-flow obfuscation) based on two main characteristics:
+
+        - In amd64 binaries, there exists a strongly connected component in the call graph with over 1,000 nodes.
+          Edge/node ratio is >= 1.3
+        - There is a high number of pushf and popf instructions in the visible functions.
+        """
+
+        high_scc_node_edge_ratio = False
+        high_pushf = False
+        high_popf = False
+        high_clc = False  # pylint:disable=unused-variable
+
+        if self.project.arch.name == "AMD64":
+            cg = self.kb.functions.callgraph
+            sccs = networkx.strongly_connected_components(cg)
+
+            for scc in sccs:
+                subgraph = networkx.subgraph(cg, scc)
+                node_count = len(scc)
+                if node_count > 1000:
+                    edge_count = len(subgraph.edges)
+
+                    if edge_count / node_count >= 1.3:
+                        high_scc_node_edge_ratio = True
+                        break
+        else:
+            high_scc_node_edge_ratio = True
+
+        pushf_ctr = 0
+        popf_ctr = 0
+        clc_ctr = 0  # only used for x86
+        is_x86 = self.project.arch.name == "X86"
+        cfg_node_count = len(self._cfg.graph)
+        for node in self._cfg.nodes():
+            if node.size > 0 and node.instruction_addrs:
+                block = node.block
+                for insn in block.capstone.insns:
+                    if insn.mnemonic in {"pushf", "pushfd", "pushfq"}:
+                        pushf_ctr += 1
+                    elif insn.mnemonic in {"popf", "popfd", "popfq"}:
+                        popf_ctr += 1
+                    elif is_x86 and insn.mnemonic == "clc":
+                        clc_ctr += 1
+
+        if pushf_ctr > cfg_node_count * 0.002:
+            high_pushf = True
+        if popf_ctr > cfg_node_count * 0.002:
+            high_popf = True
+        if not is_x86 or clc_ctr > cfg_node_count * 0.002:
+            high_clc = True  # noqa: F841
+
+        if high_scc_node_edge_ratio and high_pushf and high_popf:
+            return "vmprotect"
+        return None
+
+
+AnalysesHub.register_default("ObfuscationDetector", ObfuscationDetector)

angr/analyses/unpacker/packing_detector.py

@@ -0,0 +1,138 @@
+from __future__ import annotations
+from typing import TYPE_CHECKING
+import math
+import logging
+
+from angr.analyses.analysis import Analysis, AnalysesHub
+from angr.knowledge_plugins.cfg import CFGModel
+
+
+if TYPE_CHECKING:
+    from cle import Section
+
+_l = logging.getLogger(__name__)
+
+
+class PackingDetector(Analysis):
+    """
+    This analysis detects if a binary is likely packed or not. We may extend it to identify which packer is in use in
+    the future.
+    """
+
+    PACKED_MIN_BYTES = 256
+    PACKED_ENTROPY_MIN_THRESHOLD = 0.88
+
+    def __init__(self, cfg: CFGModel | None = None, region_size_threshold: int = 0x20):
+        self.packed: bool = False
+        self.region_size_threshold: int = region_size_threshold
+
+        if cfg is None:
+            _l.warning(
+                "PackingDetector is using a most accurate CFG model in the knowledge base. We assume it is "
+                "generated with force_smart_scan=False and force_complete_scan=False."
+            )
+            self._cfg = self.kb.cfgs.get_most_accurate()
+        else:
+            self._cfg = cfg
+
+        self.analyze()
+
+    def analyze(self):
+        # assume we already have a CFG with complete scanning disabled
+        # collect all regions that are not covered by the CFG in r+x sections, and then compute the entropy. we believe
+        # the binary is packed if it is beyond a threshold
+
+        covered_regions: list[tuple[int, int]] = []
+        last_known_section: Section | None = None
+        for node in sorted(self._cfg.nodes(), key=lambda n: n.addr):
+            section = None
+            if last_known_section is not None and last_known_section.contains_addr(node.addr):
+                section = last_known_section
+            if section is None:
+                section = self.project.loader.find_section_containing(node.addr)
+                if section is None:
+                    # this node does not belong to any known section - ignore it
+                    continue
+                if section.is_readable and section.is_executable:
+                    last_known_section = section
+
+            if section is None:
+                # the node does not belong to any section. ignore it
+                continue
+
+            if node.size == 0:
+                # ignore empty nodes
+                continue
+
+            if not covered_regions:
+                covered_regions.append((node.addr, node.addr + node.size))
+            else:
+                last_item = covered_regions[-1]
+                if last_item[0] <= node.addr <= last_item[1] < node.addr + node.size:
+                    # update the last item
+                    covered_regions[-1] = last_item[0], node.addr + node.size
+                else:
+                    # add a new item
+                    covered_regions.append((node.addr, node.addr + node.size))
+
+        # now we get the uncovered regions
+        uncovered_regions: list[tuple[int, int]] = self._get_uncovered_regions(covered_regions)
+
+        # compute entropy
+        total_bytes, entropy = self._compute_entropy(uncovered_regions)
+
+        self.packed = total_bytes >= self.PACKED_MIN_BYTES and entropy >= self.PACKED_ENTROPY_MIN_THRESHOLD
+
+    def _get_uncovered_regions(self, covered_regions: list[tuple[int, int]]) -> list[tuple[int, int]]:
+        # FIXME: We only support binaries with sections. Add support for segments in the future
+        all_executable_sections = [
+            sec
+            for sec in self.project.loader.main_object.sections
+            if sec.is_executable and sec.is_readable and not sec.only_contains_uninitialized_data
+        ]
+        all_executable_sections = sorted(all_executable_sections, key=lambda sec: sec.vaddr)
+        idx = 0
+
+        uncovered_regions: list[tuple[int, int]] = []
+        for section in all_executable_sections:
+            if idx >= len(covered_regions):
+                if section.memsize > self.region_size_threshold:
+                    uncovered_regions.append((section.vaddr, section.vaddr + section.memsize))
+            else:
+                i = idx
+                last_end = section.vaddr
+                while i < len(covered_regions):
+                    region_start, region_end = covered_regions[i]
+                    if region_end >= section.vaddr + section.memsize:
+                        # move on to the next section
+                        break
+                    if last_end < region_start and region_start - last_end > self.region_size_threshold:
+                        uncovered_regions.append((last_end, region_start))
+                    i += 1
+                    last_end = max(last_end, region_end)
+                idx = i
+
+        return uncovered_regions
+
+    def _compute_entropy(self, regions: list[tuple[int, int]]) -> tuple[int, float]:
+        byte_counts = [0] * 256
+
+        for start, end in regions:
+            for b in self.project.loader.memory.load(start, end - start):
+                byte_counts[b] += 1
+
+        total = sum(byte_counts)
+        if total == 0:
+            return 0, 0.0
+
+        entropy = 0.0
+        for count in byte_counts:
+            if count == 0:
+                continue
+            p = 1.0 * count / total
+            entropy -= p * math.log(p, 256)
+
+        return total, entropy
+
+
+AnalysesHub.register_default("PackingDetector", PackingDetector)

angr/angrdb/models.py

@@ -1,7 +1,6 @@
 from __future__ import annotations
 from sqlalchemy import Column, Integer, String, Boolean, BLOB, ForeignKey
-from sqlalchemy.orm import relationship
-from sqlalchemy.ext.declarative import declarative_base
+from sqlalchemy.orm import declarative_base, relationship
 
 Base = declarative_base()
 

angr/calling_conventions.py

@@ -1061,7 +1061,9 @@ class SimCC:
         if isinstance(arg, claripy.ast.BV):
             if isinstance(ty, (SimTypeReg, SimTypeNum)):
                 if len(arg) != ty.size:
-                    raise TypeError("Type mismatch: expected %s, got %d bits" % (ty, len(arg)))
+                    if arg.concrete:
+                        return claripy.BVV(arg.concrete_value, ty.size)
+                    raise TypeError("Type mismatch of symbolic data: expected %s, got %d bits" % (ty, len(arg)))
                 return arg
             if isinstance(ty, (SimTypeFloat)):
                 raise TypeError(

angr/engines/vex/claripy/irop.py

@@ -2,6 +2,7 @@
 This module contains symbolic implementations of VEX operations.
 """
 
+# pylint:disable=no-member
 from __future__ import annotations
 
 from functools import partial
@@ -10,14 +11,17 @@ import itertools
 import operator
 import math
 import re
-
 import logging
 
-l = logging.getLogger(name=__name__)
-
 import pyvex
 import claripy
 
+from angr.errors import UnsupportedIROpError, SimOperationError, SimValueError, SimZeroDivisionException
+
+
+l = logging.getLogger(name=__name__)
+
+
 #
 # The more sane approach
 #
@@ -1044,6 +1048,9 @@ class SimIROp:
         exp_threshold = (2 ** (exp_bits - 1) - 1) + mantissa_bits
         return claripy.If(exp_bv >= exp_threshold, args[1].raw_to_fp(), rounded_fp)
 
+    def _op_fgeneric_RSqrtEst(self, arg):  # pylint:disable=no-self-use
+        return claripy.BVS("RSqrtEst", arg.size())
+
     def _generic_pack_saturation(self, args, src_size, dst_size, src_signed, dst_signed):
         """
         Generic pack with saturation.
@@ -1255,6 +1262,4 @@ def vexop_to_simop(op, extended=True, fp=True):
     return res
 
 
-from angr.errors import UnsupportedIROpError, SimOperationError, SimValueError, SimZeroDivisionException
-
 make_operations()

angr/engines/vex/heavy/heavy.py

@@ -90,6 +90,7 @@ class HeavyVEXMixin(SuccessorsMixin, ClaripyDataMixin, SimStateStorageMixin, VEX
         num_inst=None,
         extra_stop_points=None,
         opt_level=None,
+        strict_block_end=None,
         **kwargs,
     ):
         if not pyvex.lifting.lifters[self.state.arch.name] or type(successors.addr) is not int:
@@ -144,6 +145,7 @@ class HeavyVEXMixin(SuccessorsMixin, ClaripyDataMixin, SimStateStorageMixin, VEX
                     num_inst=num_inst,
                     extra_stop_points=extra_stop_points,
                     opt_level=opt_level,
+                    strict_block_end=strict_block_end,
                 )
 
             if (

angr/exploration_techniques/spiller_db.py

@@ -5,8 +5,7 @@ import datetime
 try:
     import sqlalchemy
     from sqlalchemy import Column, Integer, String, Boolean, DateTime, create_engine
-    from sqlalchemy.orm import sessionmaker
-    from sqlalchemy.ext.declarative import declarative_base
+    from sqlalchemy.orm import declarative_base, sessionmaker
     from sqlalchemy.exc import OperationalError
 
     Base = declarative_base()

angr/knowledge_plugins/__init__.py

@@ -18,6 +18,7 @@ from .types import TypesStore
 from .callsite_prototypes import CallsitePrototypes
 from .custom_strings import CustomStrings
 from .decompilation import DecompilationManager
+from .obfuscations import Obfuscations
 
 
 __all__ = (
@@ -40,4 +41,5 @@ __all__ = (
     "CallsitePrototypes",
     "CustomStrings",
     "DecompilationManager",
+    "Obfuscations",
 )

angr/knowledge_plugins/functions/function.py

@@ -56,6 +56,7 @@ class Function(Serializable):
         "addr",
         "is_simprocedure",
         "_name",
+        "previous_names",
         "is_default_name",
         "from_signature",
         "binary_name",
@@ -224,6 +225,7 @@ class Function(Serializable):
         else:
             self.is_default_name = False
             self._name = name
+        self.previous_names = []
         self.from_signature = None
 
         # Determine the name the binary where this function is.
@@ -274,6 +276,7 @@ class Function(Serializable):
 
     @name.setter
     def name(self, v):
+        self.previous_names.append(self._name)
         self._name = v
         self._function_manager._kb.labels[self.addr] = v
 
@@ -1667,6 +1670,7 @@ class Function(Serializable):
         func._endpoints = self._endpoints.copy()
         func._call_sites = self._call_sites.copy()
         func._project = self._project
+        func.previous_names = list(self.previous_names)
         func.is_plt = self.is_plt
         func.is_simprocedure = self.is_simprocedure
         func.binary_name = self.binary_name

angr/knowledge_plugins/functions/function_manager.py

@@ -313,7 +313,7 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
         if isinstance(k, self.function_address_types):
             f = self.function(addr=k)
         elif type(k) is str:
-            f = self.function(name=k)
+            f = self.function(name=k) or self.function(name=k, check_previous_names=True)
         else:
             raise ValueError(f"FunctionManager.__getitem__ does not support keys of type {type(k)}")
 
@@ -350,9 +350,9 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
     def get_by_addr(self, addr) -> Function:
         return self._function_map.get(addr)
 
-    def get_by_name(self, name: str) -> Generator[Function]:
+    def get_by_name(self, name: str, check_previous_names: bool = False) -> Generator[Function]:
         for f in self._function_map.values():
-            if f.name == name:
+            if f.name == name or (check_previous_names and name in f.previous_names):
                 yield f
 
     def _function_added(self, func: Function):
@@ -411,7 +411,7 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
         except KeyError:
             return None
 
-    def query(self, query: str) -> Function | None:
+    def query(self, query: str, check_previous_names: bool = False) -> Function | None:
         """
         Query for a function using selectors to disambiguate. Supported variations:
 
@@ -430,19 +430,21 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
                 addr = int(matches.group(2), 0)
                 try:
                     func = self._function_map.get(addr)
-                    if func.name == name:
+                    if func.name == name or (check_previous_names and name in func.previous_names):
                         return func
                 except KeyError:
                     pass
 
             obj_name = selector or self._kb._project.loader.main_object.binary_basename
-            for func in self.get_by_name(name):
+            for func in self.get_by_name(name, check_previous_names=check_previous_names):
                 if func.binary_name == obj_name:
                     return func
 
         return None
 
-    def function(self, addr=None, name=None, create=False, syscall=False, plt=None) -> Function | None:
+    def function(
+        self, addr=None, name=None, check_previous_names=False, create=False, syscall=False, plt=None
+    ) -> Function | None:
         """
         Get a function object from the function manager.
 
@@ -457,6 +459,13 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
         :return: The Function instance, or None if the function is not found and create is False.
         :rtype: Function or None
         """
+        if name is not None and name.startswith("sub_"):
+            try:
+                addr = int(name.split("_")[-1], 16)
+                name = None
+            except ValueError:
+                pass
+
         if addr is not None:
             try:
                 f = self._function_map.get(addr)
@@ -472,11 +481,11 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
                         f.is_syscall = True
                     return f
         elif name is not None:
-            func = self.query(name)
+            func = self.query(name, check_previous_names=check_previous_names)
             if func is not None:
                 return func
 
-            for func in self.get_by_name(name):
+            for func in self.get_by_name(name, check_previous_names=check_previous_names):
                 if plt is None or func.is_plt == plt:
                     return func
 

angr/knowledge_plugins/functions/function_parser.py

@@ -33,7 +33,7 @@ class FunctionParser:
         obj.is_syscall = function.is_syscall
         obj.is_simprocedure = function.is_simprocedure
         obj.returning = function.returning
-        obj.alignment = function.alignment
+        obj.alignment = function.is_alignment
         obj.binary_name = function.binary_name or ""
         obj.normalized = function.normalized
 

angr/knowledge_plugins/functions/soot_function.py

@@ -34,6 +34,7 @@ class SootFunction(Function):
         # block nodes (basic block nodes) at whose ends the function terminates
         # in theory, if everything works fine, endpoints == ret_sites | jumpout_sites | callout_sites
         self._endpoints = defaultdict(set)
+        self.previous_names = []
 
         self._call_sites = {}
         self.addr = addr

angr/knowledge_plugins/obfuscations.py

@@ -0,0 +1,36 @@
+from __future__ import annotations
+
+from .plugin import KnowledgeBasePlugin
+
+
+class Obfuscations(KnowledgeBasePlugin):
+    """
+    Store discovered information and artifacts about (string) obfuscation techniques in the project.
+    """
+
+    def __init__(self, kb):
+        super().__init__(kb)
+
+        self.obfuscated_strings_analyzed: bool = False
+        self.type1_deobfuscated_strings = {}
+        self.type1_string_loader_candidates = set()
+        self.type2_deobfuscated_strings = {}
+        self.type2_string_loader_candidates = set()
+        self.type3_deobfuscated_strings = {}  # from the address of the call instruction to the actual string (in bytes)
+
+        self.obfuscated_apis_analyzed: bool = False
+        self.type1_deobfuscated_apis: dict[int, tuple[str, str]] = {}
+
+    def copy(self):
+        o = Obfuscations(self._kb)
+        o.type1_deobfuscated_strings = dict(self.type1_deobfuscated_strings)
+        o.type1_string_loader_candidates = self.type1_string_loader_candidates.copy()
+        o.type2_deobfuscated_strings = dict(self.type2_deobfuscated_strings)
+        o.type2_string_loader_candidates = self.type2_string_loader_candidates.copy()
+        o.type3_deobfuscated_strings = self.type3_deobfuscated_strings.copy()
+
+        o.type1_deobfuscated_apis = self.type1_deobfuscated_apis.copy()
+        return o
+
+
+KnowledgeBasePlugin.register_default("obfuscations", Obfuscations)