angr 9.2.125__py3-none-macosx_11_0_arm64.whl → 9.2.126__py3-none-macosx_11_0_arm64.whl

angr/analyses/deobfuscator/string_obf_opt_passes.py

@@ -0,0 +1,133 @@
+# pylint:disable=too-many-boolean-expressions
+from __future__ import annotations
+
+import archinfo
+
+from ailment import Block
+from ailment.statement import Statement, Call, Assignment
+from ailment.expression import Const, Register, VirtualVariable
+
+from angr.analyses.decompiler.optimization_passes.optimization_pass import OptimizationPass, OptimizationPassStage
+from angr.analyses.decompiler.optimization_passes import register_optimization_pass
+
+WIN64_REG_ARGS = {
+    archinfo.ArchAMD64().registers["rcx"][0],
+    archinfo.ArchAMD64().registers["rdx"][0],
+    archinfo.ArchAMD64().registers["r8"][0],
+    archinfo.ArchAMD64().registers["r9"][0],
+}
+
+
+class StringObfType3Rewriter(OptimizationPass):
+    """
+    Type-3 optimization pass replaces deobfuscate_string calls with the deobfuscated strings, and then removes
+    arguments on the stack.
+    """
+
+    ARCHES = ["X86", "AMD64"]
+    PLATFORMS = ["windows"]
+    STAGE = OptimizationPassStage.AFTER_MAKING_CALLSITES
+
+    NAME = "Simplify Type 3 string deobfuscation calls"
+    DESCRIPTION = "Simplify Type 3 string deobfuscation calls"
+    stmt_classes = ()
+
+    def __init__(self, func, **kwargs):
+        super().__init__(func, **kwargs)
+
+        self.analyze()
+
+    def _check(self):
+        if self.kb.obfuscations.type3_deobfuscated_strings:
+            return True, None
+        return False, None
+
+    @staticmethod
+    def is_call_or_call_assignment(stmt) -> bool:
+        return isinstance(stmt, Call) or isinstance(stmt, Assignment) and isinstance(stmt.src, Call)
+
+    def _analyze(self, cache=None):
+
+        # find all blocks with type-3 deobfuscation calls
+        for block in list(self._graph):
+            if not block.statements:
+                continue
+            last_stmt = block.statements[-1]
+            if (
+                self.is_call_or_call_assignment(last_stmt)
+                and last_stmt.ins_addr in self.kb.obfuscations.type3_deobfuscated_strings
+            ):
+                new_block = self._process_block(
+                    block, self.kb.obfuscations.type3_deobfuscated_strings[block.statements[-1].ins_addr]
+                )
+                if new_block is not None:
+                    self._update_block(block, new_block)
+
+    def _process_block(self, block: Block, deobf_content: bytes):
+        # FIXME: This rewriter is very specific to the implementation of the deobfuscation scheme. we can make it more
+        # generic when there are more cases available in the wild.
+
+        # TODO: Support multiple blocks
+
+        # replace the call
+        old_stmt: Statement = block.statements[-1]
+        str_id = self.kb.custom_strings.allocate(deobf_content)
+        old_call: Call = old_stmt.src if isinstance(old_stmt, Assignment) else old_stmt
+        new_call = Call(
+            old_call.idx,
+            "init_str",
+            args=[
+                old_call.args[0],
+                Const(None, None, str_id, self.project.arch.bits, custom_string=True),
+                Const(None, None, len(deobf_content), self.project.arch.bits),
+            ],
+            ret_expr=old_call.ret_expr,
+            bits=old_call.bits,
+            **old_call.tags,
+        )
+        if isinstance(old_stmt, Assignment):
+            new_stmt = Assignment(old_stmt.idx, old_stmt.dst, new_call, **old_stmt.tags)
+        else:
+            new_stmt = new_call
+
+        statements = block.statements[:-1] + [new_stmt]
+
+        # remove N-2 continuous stack assignment
+        if len(deobf_content) > 2:
+            stack_offset_to_stmtid: dict[int, int] = {}
+            for idx, stmt in enumerate(statements):
+                if (
+                    isinstance(stmt, Assignment)
+                    and isinstance(stmt.dst, VirtualVariable)
+                    and stmt.dst.was_stack
+                    and isinstance(stmt.dst.stack_offset, int)
+                    and isinstance(stmt.src, Const)
+                    and stmt.src.value <= 0xFF
+                ):
+                    stack_offset_to_stmtid[stmt.dst.stack_offset] = idx
+            sorted_offsets = sorted(stack_offset_to_stmtid)
+            if sorted_offsets:
+                spacing = 8  # FIXME: Make it adjustable
+                distance = min(len(deobf_content) - 2, len(sorted_offsets) - 1)
+                for start_idx in range(len(sorted_offsets) - distance):
+                    if sorted_offsets[start_idx] + spacing * distance == sorted_offsets[start_idx + distance]:
+                        # found them
+                        # remove these statements
+                        for i in range(start_idx, start_idx + distance + 1):
+                            statements[stack_offset_to_stmtid[sorted_offsets[i]]] = None
+                        break
+                statements = [stmt for stmt in statements if stmt is not None]
+
+        # remove writes to rdx, rcx, r8, and r9
+        if self.project.arch.name == "AMD64":
+            statements = [stmt for stmt in statements if not self._stmt_sets_win64_reg_arg(stmt)]
+
+        # return the new block
+        return block.copy(statements=statements)
+
+    @staticmethod
+    def _stmt_sets_win64_reg_arg(stmt) -> bool:
+        return isinstance(stmt, Assignment) and isinstance(stmt.dst, Register) and stmt.dst.reg_offset in WIN64_REG_ARGS
+
+
+register_optimization_pass(StringObfType3Rewriter, presets=["fast", "full"])

angr/analyses/deobfuscator/string_obf_peephole_optimizer.py

@@ -0,0 +1,47 @@
+from __future__ import annotations
+from ailment.statement import Call
+from ailment.expression import Const
+import claripy
+
+from angr.analyses.decompiler.peephole_optimizations.base import PeepholeOptimizationExprBase
+from angr.analyses.decompiler.peephole_optimizations import EXPR_OPTS
+from angr.errors import AngrCallableMultistateError
+
+
+class StringObfType1PeepholeOptimizer(PeepholeOptimizationExprBase):
+    """
+    Integrate type-1 deobfuscated strings into decompilation output.
+    """
+
+    __slots__ = ()
+
+    NAME = "Simplify Type 1/2 string deobfuscation references"
+    expr_classes = (Call,)
+
+    def optimize(self, expr: Call, **kwargs):
+        if isinstance(expr.target, Const) and (  # noqa: SIM102
+            expr.target.value in self.kb.obfuscations.type1_string_loader_candidates
+            or expr.target.value in self.kb.obfuscations.type2_string_loader_candidates
+        ):
+            # this is a function calling a type1 or a type2 string loader
+            # optimize this call away if possible
+            if expr.args and all(isinstance(arg, Const) for arg in expr.args):
+                # execute the function with the given argument
+                func = self.kb.functions[expr.target.value]
+                func_call = self.project.factory.callable(
+                    expr.target.value, concrete_only=True, cc=func.calling_convention, prototype=func.prototype
+                )
+                try:
+                    out = func_call(*[claripy.BVV(arg.value, arg.bits) for arg in expr.args])
+                except AngrCallableMultistateError:
+                    return None
+
+                if out.concrete:
+                    return Const(
+                        None, None, out.concrete_value, self.project.arch.bits, **expr.tags
+                    )  # FIXME: use out.bits when the function prototype recovery is more reliable
+
+        return None
+
+
+EXPR_OPTS.append(StringObfType1PeepholeOptimizer)

angr/analyses/reaching_definitions/function_handler_library/stdio.py

@@ -197,6 +197,11 @@ def handle_printf(
             buf_data = state.get_values(buf_atoms)
             if buf_data is not None:
                 buf_data = buf_data.extract(0, len(buf_data) // 8 - 1, archinfo.Endness.BE)
+            else:
+                top_val = state.top(state.arch.bits)
+                for defn in state.get_definitions(atom):
+                    top_val = state.annotate_with_def(top_val, defn)
+                buf_data = MultiValues(top_val)
         elif fmt == "%u":
             buf_atoms = atom
             buf_data = state.get_concrete_value(buf_atoms)
@@ -217,7 +222,9 @@ def handle_printf(
         else:
             _l.warning("Unimplemented printf format string %s", fmt)
             buf_atoms = set()
-            buf_data = None
+            top_val = state.top(state.arch.bits)
+            buf_data = MultiValues(top_val)
+
         if result is not None and buf_data is not None:
             result = result.concat(buf_data)
         source_atoms.update(buf_atoms)

angr/analyses/unpacker/__init__.py

@@ -0,0 +1,6 @@
+from __future__ import annotations
+from .packing_detector import PackingDetector
+from .obfuscation_detector import ObfuscationDetector
+
+
+__all__ = ("PackingDetector", "ObfuscationDetector")

angr/analyses/unpacker/obfuscation_detector.py

@@ -0,0 +1,103 @@
+from __future__ import annotations
+import logging
+
+import networkx
+
+from angr.analyses.analysis import Analysis, AnalysesHub
+from angr.knowledge_plugins.cfg import CFGModel
+
+_l = logging.getLogger(__name__)
+
+
+class ObfuscationDetector(Analysis):
+    """
+    This analysis detects, usually in ways that are more robust than section name matching or signature matching, the
+    existence of obfuscation techniques in a binary.
+    """
+
+    def __init__(self, cfg: CFGModel | None = None):
+        self.obfuscated: bool = False
+        self.possible_obfuscators: list[str] = []
+
+        if cfg is None:
+            _l.warning(
+                "PackingDetector is using a most accurate CFG model in the knowledge base. We assume it is "
+                "generated with force_smart_scan=False and force_complete_scan=False."
+            )
+            self._cfg = self.kb.cfgs.get_most_accurate()
+        else:
+            self._cfg = cfg
+
+        self.analyze()
+
+    def analyze(self):
+
+        analysis_routines = [
+            self._analyze_vmprotect,
+        ]
+
+        for routine in analysis_routines:
+            tool = routine()
+            if tool:
+                self.obfuscated = True
+                self.possible_obfuscators.append(tool)
+
+    def _analyze_vmprotect(self) -> str | None:
+        """
+        We detect VMProtect v3 (with control-flow obfuscation) based on two main characteristics:
+
+        - In amd64 binaries, there exists a strongly connected component in the call graph with over 1,000 nodes.
+          Edge/node ratio is >= 1.3
+        - There is a high number of pushf and popf instructions in the visible functions.
+        """
+
+        high_scc_node_edge_ratio = False
+        high_pushf = False
+        high_popf = False
+        high_clc = False  # pylint:disable=unused-variable
+
+        if self.project.arch.name == "AMD64":
+            cg = self.kb.functions.callgraph
+            sccs = networkx.strongly_connected_components(cg)
+
+            for scc in sccs:
+                subgraph = networkx.subgraph(cg, scc)
+                node_count = len(scc)
+                if node_count > 1000:
+                    edge_count = len(subgraph.edges)
+
+                    if edge_count / node_count >= 1.3:
+                        high_scc_node_edge_ratio = True
+                        break
+        else:
+            high_scc_node_edge_ratio = True
+
+        pushf_ctr = 0
+        popf_ctr = 0
+        clc_ctr = 0  # only used for x86
+        is_x86 = self.project.arch.name == "X86"
+        cfg_node_count = len(self._cfg.graph)
+        for node in self._cfg.nodes():
+            if node.size > 0 and node.instruction_addrs:
+                block = node.block
+                for insn in block.capstone.insns:
+                    if insn.mnemonic in {"pushf", "pushfd", "pushfq"}:
+                        pushf_ctr += 1
+                    elif insn.mnemonic in {"popf", "popfd", "popfq"}:
+                        popf_ctr += 1
+                    elif is_x86 and insn.mnemonic == "clc":
+                        clc_ctr += 1
+
+        if pushf_ctr > cfg_node_count * 0.002:
+            high_pushf = True
+        if popf_ctr > cfg_node_count * 0.002:
+            high_popf = True
+        if not is_x86 or clc_ctr > cfg_node_count * 0.002:
+            high_clc = True  # noqa: F841
+
+        if high_scc_node_edge_ratio and high_pushf and high_popf:
+            return "vmprotect"
+        return None
+
+
+AnalysesHub.register_default("ObfuscationDetector", ObfuscationDetector)

angr/analyses/unpacker/packing_detector.py

@@ -0,0 +1,138 @@
+from __future__ import annotations
+from typing import TYPE_CHECKING
+import math
+import logging
+
+from angr.analyses.analysis import Analysis, AnalysesHub
+from angr.knowledge_plugins.cfg import CFGModel
+
+
+if TYPE_CHECKING:
+    from cle import Section
+
+_l = logging.getLogger(__name__)
+
+
+class PackingDetector(Analysis):
+    """
+    This analysis detects if a binary is likely packed or not. We may extend it to identify which packer is in use in
+    the future.
+    """
+
+    PACKED_MIN_BYTES = 256
+    PACKED_ENTROPY_MIN_THRESHOLD = 0.88
+
+    def __init__(self, cfg: CFGModel | None = None, region_size_threshold: int = 0x20):
+        self.packed: bool = False
+        self.region_size_threshold: int = region_size_threshold
+
+        if cfg is None:
+            _l.warning(
+                "PackingDetector is using a most accurate CFG model in the knowledge base. We assume it is "
+                "generated with force_smart_scan=False and force_complete_scan=False."
+            )
+            self._cfg = self.kb.cfgs.get_most_accurate()
+        else:
+            self._cfg = cfg
+
+        self.analyze()
+
+    def analyze(self):
+        # assume we already have a CFG with complete scanning disabled
+        # collect all regions that are not covered by the CFG in r+x sections, and then compute the entropy. we believe
+        # the binary is packed if it is beyond a threshold
+
+        covered_regions: list[tuple[int, int]] = []
+        last_known_section: Section | None = None
+        for node in sorted(self._cfg.nodes(), key=lambda n: n.addr):
+            section = None
+            if last_known_section is not None and last_known_section.contains_addr(node.addr):
+                section = last_known_section
+            if section is None:
+                section = self.project.loader.find_section_containing(node.addr)
+                if section is None:
+                    # this node does not belong to any known section - ignore it
+                    continue
+                if section.is_readable and section.is_executable:
+                    last_known_section = section
+
+            if section is None:
+                # the node does not belong to any section. ignore it
+                continue
+
+            if node.size == 0:
+                # ignore empty nodes
+                continue
+
+            if not covered_regions:
+                covered_regions.append((node.addr, node.addr + node.size))
+            else:
+                last_item = covered_regions[-1]
+                if last_item[0] <= node.addr <= last_item[1] < node.addr + node.size:
+                    # update the last item
+                    covered_regions[-1] = last_item[0], node.addr + node.size
+                else:
+                    # add a new item
+                    covered_regions.append((node.addr, node.addr + node.size))
+
+        # now we get the uncovered regions
+        uncovered_regions: list[tuple[int, int]] = self._get_uncovered_regions(covered_regions)
+
+        # compute entropy
+        total_bytes, entropy = self._compute_entropy(uncovered_regions)
+
+        self.packed = total_bytes >= self.PACKED_MIN_BYTES and entropy >= self.PACKED_ENTROPY_MIN_THRESHOLD
+
+    def _get_uncovered_regions(self, covered_regions: list[tuple[int, int]]) -> list[tuple[int, int]]:
+        # FIXME: We only support binaries with sections. Add support for segments in the future
+        all_executable_sections = [
+            sec
+            for sec in self.project.loader.main_object.sections
+            if sec.is_executable and sec.is_readable and not sec.only_contains_uninitialized_data
+        ]
+        all_executable_sections = sorted(all_executable_sections, key=lambda sec: sec.vaddr)
+        idx = 0
+
+        uncovered_regions: list[tuple[int, int]] = []
+        for section in all_executable_sections:
+            if idx >= len(covered_regions):
+                if section.memsize > self.region_size_threshold:
+                    uncovered_regions.append((section.vaddr, section.vaddr + section.memsize))
+            else:
+                i = idx
+                last_end = section.vaddr
+                while i < len(covered_regions):
+                    region_start, region_end = covered_regions[i]
+                    if region_end >= section.vaddr + section.memsize:
+                        # move on to the next section
+                        break
+                    if last_end < region_start and region_start - last_end > self.region_size_threshold:
+                        uncovered_regions.append((last_end, region_start))
+                    i += 1
+                    last_end = max(last_end, region_end)
+                idx = i
+
+        return uncovered_regions
+
+    def _compute_entropy(self, regions: list[tuple[int, int]]) -> tuple[int, float]:
+        byte_counts = [0] * 256
+
+        for start, end in regions:
+            for b in self.project.loader.memory.load(start, end - start):
+                byte_counts[b] += 1
+
+        total = sum(byte_counts)
+        if total == 0:
+            return 0, 0.0
+
+        entropy = 0.0
+        for count in byte_counts:
+            if count == 0:
+                continue
+            p = 1.0 * count / total
+            entropy -= p * math.log(p, 256)
+
+        return total, entropy
+
+
+AnalysesHub.register_default("PackingDetector", PackingDetector)

angr/calling_conventions.py

@@ -1061,7 +1061,9 @@ class SimCC:
         if isinstance(arg, claripy.ast.BV):
             if isinstance(ty, (SimTypeReg, SimTypeNum)):
                 if len(arg) != ty.size:
-                    raise TypeError("Type mismatch: expected %s, got %d bits" % (ty, len(arg)))
+                    if arg.concrete:
+                        return claripy.BVV(arg.concrete_value, ty.size)
+                    raise TypeError("Type mismatch of symbolic data: expected %s, got %d bits" % (ty, len(arg)))
                 return arg
             if isinstance(ty, (SimTypeFloat)):
                 raise TypeError(

angr/engines/vex/claripy/irop.py

@@ -2,6 +2,7 @@
 This module contains symbolic implementations of VEX operations.
 """
 
+# pylint:disable=no-member
 from __future__ import annotations
 
 from functools import partial
@@ -10,14 +11,17 @@ import itertools
 import operator
 import math
 import re
-
 import logging
 
-l = logging.getLogger(name=__name__)
-
 import pyvex
 import claripy
 
+from angr.errors import UnsupportedIROpError, SimOperationError, SimValueError, SimZeroDivisionException
+
+
+l = logging.getLogger(name=__name__)
+
+
 #
 # The more sane approach
 #
@@ -1044,6 +1048,9 @@ class SimIROp:
         exp_threshold = (2 ** (exp_bits - 1) - 1) + mantissa_bits
         return claripy.If(exp_bv >= exp_threshold, args[1].raw_to_fp(), rounded_fp)
 
+    def _op_fgeneric_RSqrtEst(self, arg):  # pylint:disable=no-self-use
+        return claripy.BVS("RSqrtEst", arg.size())
+
     def _generic_pack_saturation(self, args, src_size, dst_size, src_signed, dst_signed):
         """
         Generic pack with saturation.
@@ -1255,6 +1262,4 @@ def vexop_to_simop(op, extended=True, fp=True):
     return res
 
 
-from angr.errors import UnsupportedIROpError, SimOperationError, SimValueError, SimZeroDivisionException
-
 make_operations()

angr/knowledge_plugins/__init__.py

@@ -18,6 +18,7 @@ from .types import TypesStore
 from .callsite_prototypes import CallsitePrototypes
 from .custom_strings import CustomStrings
 from .decompilation import DecompilationManager
+from .obfuscations import Obfuscations
 
 
 __all__ = (
@@ -40,4 +41,5 @@ __all__ = (
     "CallsitePrototypes",
     "CustomStrings",
     "DecompilationManager",
+    "Obfuscations",
 )

angr/knowledge_plugins/obfuscations.py

@@ -0,0 +1,36 @@
+from __future__ import annotations
+
+from .plugin import KnowledgeBasePlugin
+
+
+class Obfuscations(KnowledgeBasePlugin):
+    """
+    Store discovered information and artifacts about (string) obfuscation techniques in the project.
+    """
+
+    def __init__(self, kb):
+        super().__init__(kb)
+
+        self.obfuscated_strings_analyzed: bool = False
+        self.type1_deobfuscated_strings = {}
+        self.type1_string_loader_candidates = set()
+        self.type2_deobfuscated_strings = {}
+        self.type2_string_loader_candidates = set()
+        self.type3_deobfuscated_strings = {}  # from the address of the call instruction to the actual string (in bytes)
+
+        self.obfuscated_apis_analyzed: bool = False
+        self.type1_deobfuscated_apis: dict[int, tuple[str, str]] = {}
+
+    def copy(self):
+        o = Obfuscations(self._kb)
+        o.type1_deobfuscated_strings = dict(self.type1_deobfuscated_strings)
+        o.type1_string_loader_candidates = self.type1_string_loader_candidates.copy()
+        o.type2_deobfuscated_strings = dict(self.type2_deobfuscated_strings)
+        o.type2_string_loader_candidates = self.type2_string_loader_candidates.copy()
+        o.type3_deobfuscated_strings = self.type3_deobfuscated_strings.copy()
+
+        o.type1_deobfuscated_apis = self.type1_deobfuscated_apis.copy()
+        return o
+
+
+KnowledgeBasePlugin.register_default("obfuscations", Obfuscations)

{angr-9.2.125.dist-info → angr-9.2.126.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: angr
-Version: 9.2.125
+Version: 9.2.126
 Summary: A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries
 Home-page: https://github.com/angr/angr
 License: BSD-2-Clause
@@ -16,13 +16,13 @@ Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: CppHeaderParser
 Requires-Dist: GitPython
-Requires-Dist: ailment==9.2.125
-Requires-Dist: archinfo==9.2.125
+Requires-Dist: ailment==9.2.126
+Requires-Dist: archinfo==9.2.126
 Requires-Dist: cachetools
 Requires-Dist: capstone==5.0.3
 Requires-Dist: cffi>=1.14.0
-Requires-Dist: claripy==9.2.125
-Requires-Dist: cle==9.2.125
+Requires-Dist: claripy==9.2.126
+Requires-Dist: cle==9.2.126
 Requires-Dist: itanium-demangler
 Requires-Dist: mulpyplexer
 Requires-Dist: nampa
@@ -31,7 +31,7 @@ Requires-Dist: protobuf>=5.28.2
 Requires-Dist: psutil
 Requires-Dist: pycparser>=2.18
 Requires-Dist: pyformlang
-Requires-Dist: pyvex==9.2.125
+Requires-Dist: pyvex==9.2.126
 Requires-Dist: rich>=13.1.0
 Requires-Dist: sortedcontainers
 Requires-Dist: sympy