angr 9.2.125__py3-none-win_amd64.whl → 9.2.127__py3-none-win_amd64.whl

angr/analyses/decompiler/ssailification/traversal_engine.py

@@ -7,6 +7,7 @@ from ailment.expression import Register, BinaryOp, StackBaseOffset, ITE, VEXCCal
 from angr.engines.light import SimEngineLight, SimEngineLightAILMixin
 from angr.utils.ssa import get_reg_offset_base
 from angr.utils.orderedset import OrderedSet
+from angr.calling_conventions import default_cc
 from .traversal_state import TraversalState
 
 
@@ -23,6 +24,7 @@ class SimEngineSSATraversal(
     def __init__(
         self,
         arch,
+        simos,
         sp_tracker=None,
         bp_as_gpr: bool = False,
         def_to_loc=None,
@@ -33,6 +35,7 @@ class SimEngineSSATraversal(
         super().__init__()
 
         self.arch = arch
+        self.simos = simos
         self.sp_tracker = sp_tracker
         self.bp_as_gpr = bp_as_gpr
         self.stackvars = stackvars
@@ -75,6 +78,18 @@ class SimEngineSSATraversal(
             self._expr(stmt.false_target)
 
     def _handle_Call(self, stmt: Call):
+
+        # kill caller-saved registers
+        cc = (
+            default_cc(self.arch.name, platform=self.simos.name if self.simos is not None else None)
+            if stmt.calling_convention is None
+            else stmt.calling_convention
+        )
+        for reg_name in cc.CALLER_SAVED_REGS:
+            reg_offset = self.arch.registers[reg_name][0]
+            base_off = get_reg_offset_base(reg_offset, self.arch)
+            self.state.live_registers.discard(base_off)
+
         if stmt.ret_expr is not None and isinstance(stmt.ret_expr, Register):
             codeloc = self._codeloc()
             self.def_to_loc.append((stmt.ret_expr, codeloc))

angr/analyses/decompiler/structured_codegen/c.py

@@ -2148,6 +2148,12 @@ class CConstant(CExpression):
                 elif isinstance(v, Function):
                     yield get_cpp_function_name(v.demangled_name, specialized=False, qualified=True), self
                     return
+                elif isinstance(v, str):
+                    yield CConstant.str_to_c_str(v), self
+                    return
+                elif isinstance(v, bytes):
+                    yield CConstant.str_to_c_str(v.replace(b"\x00", b"").decode("utf-8")), self
+                    return
 
         if self.reference_values is not None and self._type is not None and self._type in self.reference_values:
             if isinstance(self._type, SimTypeInt):
@@ -2505,9 +2511,6 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
         self._analyze()
 
-        if flavor is not None:
-            self.kb.structured_code[(func.addr, flavor)] = self
-
     def reapply_options(self, options):
         for option, value in options:
             if option.param == "braces_on_own_lines":
@@ -3415,7 +3418,17 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         if reference_values is None:
             reference_values = {}
             type_ = unpack_typeref(type_)
-            if isinstance(type_, SimTypePointer) and isinstance(type_.pts_to, SimTypeChar):
+            if expr.value in self.kb.obfuscations.type1_deobfuscated_strings:
+                reference_values[SimTypePointer(SimTypeChar())] = self.kb.obfuscations.type1_deobfuscated_strings[
+                    expr.value
+                ]
+                inline_string = True
+            elif expr.value in self.kb.obfuscations.type2_deobfuscated_strings:
+                reference_values[SimTypePointer(SimTypeChar())] = self.kb.obfuscations.type2_deobfuscated_strings[
+                    expr.value
+                ]
+                inline_string = True
+            elif isinstance(type_, SimTypePointer) and isinstance(type_.pts_to, SimTypeChar):
                 # char*
                 # Try to get a string
                 if (
@@ -3433,7 +3446,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             # edge cases: (void*)"this is a constant string pointer". in this case, the type_ will be a void*
             # (BOT*) instead of a char*.
 
-            if isinstance(expr.value, int):
+            if not reference_values and isinstance(expr.value, int):
                 if expr.value in self.project.kb.functions:
                     # It's a function pointer
                     # We don't care about the actual prototype here

angr/analyses/decompiler/structured_codegen/dwarf_import.py

@@ -5,6 +5,7 @@ import logging
 from sortedcontainers import SortedList
 
 from angr.analyses import Analysis, register_analysis
+from angr.analyses.decompiler.decompilation_cache import DecompilationCache
 from .base import BaseStructuredCodeGenerator, InstructionMapping, PositionMapping
 from angr.knowledge_plugins.functions.function import Function
 
@@ -30,7 +31,9 @@ class ImportSourceCode(BaseStructuredCodeGenerator, Analysis):
         self.regenerate_text()
 
         if flavor is not None and self.text:
-            self.kb.structured_code[(function.addr, flavor)] = self
+            if (function.addr, flavor) not in self.kb.decompilations:
+                self.kb.decompilations[(function.addr, flavor)] = DecompilationCache(function.addr)
+            self.kb.decompilations[(function.addr, flavor)].codegen = self
 
     def regenerate_text(self):
         cache = {}

angr/analyses/deobfuscator/__init__.py

@@ -0,0 +1,18 @@
+# deobfuscator is a collection of analyses that automatically identifies functions where obfuscation techniques are
+# in-use.
+from __future__ import annotations
+
+from .string_obf_finder import StringObfuscationFinder
+from .string_obf_peephole_optimizer import StringObfType1PeepholeOptimizer
+from .string_obf_opt_passes import StringObfType3Rewriter
+from .api_obf_finder import APIObfuscationFinder
+from .api_obf_peephole_optimizer import APIObfType1PeepholeOptimizer
+
+
+__all__ = (
+    "StringObfuscationFinder",
+    "StringObfType1PeepholeOptimizer",
+    "StringObfType3Rewriter",
+    "APIObfuscationFinder",
+    "APIObfType1PeepholeOptimizer",
+)

angr/analyses/deobfuscator/api_obf_finder.py

@@ -0,0 +1,313 @@
+# pylint:disable=missing-class-docstring,too-many-boolean-expressions
+from __future__ import annotations
+from typing import Any
+from enum import IntEnum
+import string
+import logging
+
+import networkx
+
+import claripy
+
+from angr import SIM_LIBRARIES
+from angr.calling_conventions import SimRegArg
+from angr.errors import SimMemoryMissingError
+from angr.knowledge_plugins.key_definitions.constants import ObservationPointType
+from angr.sim_type import SimTypePointer, SimTypeChar
+from angr.analyses import Analysis, AnalysesHub
+from angr.procedures.definitions import SimSyscallLibrary
+from angr.sim_variable import SimMemoryVariable
+from angr.analyses.decompiler.structured_codegen.c import (
+    CStructuredCodeWalker,
+    CFunctionCall,
+    CConstant,
+    CAssignment,
+    CVariable,
+)
+
+_l = logging.getLogger(name=__name__)
+
+
+class APIObfuscationType(IntEnum):
+    TYPE_1 = 0
+
+
+class APIDeobFuncDescriptor:
+    def __init__(self, type_: APIObfuscationType, func_addr=None, libname_argidx=None, funcname_argidx=None):
+        self.type = type_
+        self.func_addr = func_addr
+        self.libname_argidx = libname_argidx
+        self.funcname_argidx = funcname_argidx
+
+
+class Type1AssignmentFinder(CStructuredCodeWalker):
+    def __init__(self, func_addr: int, desc: APIDeobFuncDescriptor):
+        self.func_addr = func_addr
+        self.desc = desc
+        self.assignments: dict[int, tuple[str, str]] = {}
+
+    def handle_CAssignment(self, obj: CAssignment):
+        if (
+            isinstance(obj.lhs, CVariable)
+            and isinstance(obj.lhs.variable, SimMemoryVariable)
+            and isinstance(obj.lhs.variable.addr, int)
+            and isinstance(obj.rhs, CFunctionCall)
+            and isinstance(obj.rhs.callee_target, CConstant)
+            and obj.rhs.callee_target.value == self.func_addr
+        ):
+            # found it!
+            func_args = obj.rhs.args
+            if self.desc.funcname_argidx < len(func_args) and self.desc.libname_argidx < len(func_args):
+                funcname_arg = func_args[self.desc.funcname_argidx]
+                libname_arg = func_args[self.desc.libname_argidx]
+                if isinstance(funcname_arg, CConstant) and isinstance(libname_arg, CConstant):
+                    # load two strings
+                    funcname, libname = None, None
+                    if funcname_arg.type in funcname_arg.reference_values and isinstance(
+                        funcname_arg.reference_values[funcname_arg.type].content, bytes
+                    ):
+                        funcname = funcname_arg.reference_values[funcname_arg.type].content.decode("utf-8")
+                    if libname_arg.type in libname_arg.reference_values and isinstance(
+                        libname_arg.reference_values[libname_arg.type].content, bytes
+                    ):
+                        libname = libname_arg.reference_values[libname_arg.type].content.decode("utf-8")
+
+                    if funcname and libname:
+                        if obj.lhs.variable.addr in self.assignments:
+                            if self.assignments[obj.lhs.variable.addr] != (libname, funcname):
+                                _l.warning(
+                                    "Observed more than one assignment for variable at %#x.", obj.lhs.variable.addr
+                                )
+                        else:
+                            self.assignments[obj.lhs.variable.addr] = libname, funcname
+
+        return super().handle_CAssignment(obj)
+
+
+class APIObfuscationFinder(Analysis):
+    """
+    An analysis that automatically finds API "obfuscation" routines.
+
+    Currently, we support the following API "obfuscation" styles:
+
+    - sub_A("dll_name", "api_name) where sub_a ends up calling LoadLibrary.
+    """
+
+    def __init__(self):
+        self.type1_candidates = []
+
+        self.analyze()
+
+    def analyze(self):
+        self.type1_candidates = self._find_type1()
+
+        if self.type1_candidates:
+            for desc in self.type1_candidates:
+                type1_deobfuscated = self._analyze_type1(desc.func_addr, desc)
+                self.kb.obfuscations.type1_deobfuscated_apis.update(type1_deobfuscated)
+
+    def _find_type1(self):
+        cfg = self.kb.cfgs.get_most_accurate()
+        load_library_funcs = []
+
+        if "LoadLibraryA" in self.kb.functions:
+            load_library_funcs += list(self.kb.functions.get_by_name("LoadLibraryA"))
+        if "LoadLibraryW" in self.kb.functions:
+            load_library_funcs += list(self.kb.functions.get_by_name("LoadLibraryW"))
+        if "LoadLibrary" in self.kb.functions:
+            load_library_funcs += list(self.kb.functions.get_by_name("LoadLibrary"))
+
+        load_library_funcs = [func for func in load_library_funcs if func.is_simprocedure]
+
+        if not load_library_funcs:
+            return None
+
+        # find callers of each load library func, up to three callers back
+        callgraph = self.kb.functions.callgraph
+        candidates = []
+        for load_library_func in load_library_funcs:
+            subtree = self._build_caller_subtree(callgraph, load_library_func.addr, 3)
+            for _, succs in networkx.bfs_successors(subtree, load_library_func.addr):
+                for succ_addr in succs:
+                    func = self.kb.functions.get_by_addr(succ_addr)
+                    likely, info = self._is_likely_type1_func(func, cfg)
+                    if likely:
+                        candidates.append((func.addr, info))
+
+        descs = []
+        for func_addr, info in candidates:
+            desc = APIDeobFuncDescriptor(
+                APIObfuscationType.TYPE_1,
+                func_addr=func_addr,
+                libname_argidx=info["libname_arg_idx"],
+                funcname_argidx=info["funcname_arg_idx"],
+            )
+            descs.append(desc)
+
+        return descs
+
+    def _is_likely_type1_func(self, func, cfg):
+        if func.prototype is None:
+            return False, None
+        if len(func.prototype.args) < 2:
+            return False, None
+
+        arch = self.project.arch
+        valid_apiname_charset = {ord(ch) for ch in (string.ascii_letters + string.digits + "._")}
+
+        # decompile the function to get a prototype with types
+        _ = self.project.analyses.Decompiler(func, cfg=cfg)
+
+        char_ptr_args = [
+            idx
+            for (idx, arg) in enumerate(func.prototype.args)
+            if isinstance(arg, SimTypePointer) and isinstance(arg.pts_to, SimTypeChar)
+        ]
+        if len(char_ptr_args) != 2:
+            return False, None
+
+        libname_arg_idx = None
+        funcname_arg_idx = None
+        # who's calling it?
+        caller_addrs = sorted(set(self.kb.functions.callgraph.predecessors(func.addr)))
+        for caller_addr in caller_addrs:
+            # what arguments are used to call this function with?
+            callsite_nodes = [
+                pred
+                for pred in cfg.get_predecessors(cfg.get_any_node(func.addr))
+                if pred.function_address == caller_addr and pred.instruction_addrs
+            ]
+            observation_points = []
+            for callsite_node in callsite_nodes:
+                observation_points.append(("insn", callsite_node.instruction_addrs[-1], ObservationPointType.OP_BEFORE))
+            rda = self.project.analyses.ReachingDefinitions(
+                self.kb.functions[caller_addr],
+                observe_all=False,
+                observation_points=observation_points,
+            )
+            for callsite_node in callsite_nodes:
+                observ = rda.model.get_observation_by_insn(
+                    callsite_node.instruction_addrs[-1],
+                    ObservationPointType.OP_BEFORE,
+                )
+                args: list[tuple[int, Any]] = []
+                for arg_idx, func_arg in enumerate(func.arguments):
+                    # FIXME: We are ignoring all non-register function arguments until we see a test case where
+                    # FIXME: stack-passing arguments are used
+                    if isinstance(func_arg, SimRegArg):
+                        reg_offset, reg_size = arch.registers[func_arg.reg_name]
+                        try:
+                            mv = observ.registers.load(reg_offset, size=reg_size)
+                        except SimMemoryMissingError:
+                            args.append((arg_idx, claripy.BVV(0xDEADBEEF, self.project.arch.bits)))
+                            continue
+                        arg_value = mv.one_value()
+                        if arg_value is None:
+                            arg_value = claripy.BVV(0xDEADBEEF, self.project.arch.bits)
+                        args.append((arg_idx, arg_value))
+
+                # the args must have at least one concrete address that points to an initialized memory location
+                acceptable_args = True
+                arg_strs: list[tuple[int, str]] = []
+                for idx, arg in args:
+                    if arg is not None and arg.concrete:
+                        v = arg.concrete_value
+                        section = self.project.loader.find_section_containing(v)
+                        if section is not None:
+                            # what string is it?
+                            max_size = min(64, section.max_addr - v)
+                            try:
+                                value = self.project.loader.memory.load(v, max_size)
+                            except KeyError:
+                                acceptable_args = False
+                                break
+                            if b"\x00" in value:
+                                value = value[: value.index(b"\x00")]
+                            if not all(ch in valid_apiname_charset for ch in value):
+                                acceptable_args = False
+                                break
+                            arg_strs.append((idx, value.decode("utf-8")))
+                if acceptable_args:
+                    libname_arg_idx, funcname_arg_idx = None, None
+                    assert len(arg_strs) == 2
+                    for arg_idx, name in arg_strs:
+                        if self.is_libname(name):
+                            libname_arg_idx = arg_idx
+                        elif self.is_apiname(name):
+                            funcname_arg_idx = arg_idx
+
+                    if libname_arg_idx is not None and funcname_arg_idx is not None:
+                        break
+
+            if libname_arg_idx is not None and funcname_arg_idx is not None:
+                break
+
+        if libname_arg_idx is not None and funcname_arg_idx is not None:
+            return True, {"libname_arg_idx": libname_arg_idx, "funcname_arg_idx": funcname_arg_idx}
+        return False, None
+
+    def _analyze_type1(self, func_addr, desc: APIDeobFuncDescriptor) -> dict[int, tuple[str, str]]:
+        cfg = self.kb.cfgs.get_most_accurate()
+
+        assignments: dict[int, tuple[str, str]] = {}
+
+        # get all call sites
+        caller_addrs = sorted(set(self.kb.functions.callgraph.predecessors(func_addr)))
+        for caller_addr in caller_addrs:
+            # decompile the function and get all assignments of the return value of the func at func_addr
+            try:
+                dec = self.project.analyses.Decompiler(self.kb.functions.get_by_addr(caller_addr), cfg=cfg)
+            except Exception:  # pylint:disable=broad-exception-caught
+                continue
+            if dec.codegen is None:
+                continue
+
+            finder = Type1AssignmentFinder(func_addr, desc)
+            finder.handle(dec.codegen.cfunc)
+
+            duplicate_addrs = set(assignments.keys()).intersection(set(finder.assignments.keys()))
+            if duplicate_addrs:
+                # duplicate entries
+                _l.warning(
+                    "Observed duplicate assignments at the following addresses: %s.",
+                    str(map(hex, sorted(duplicate_addrs))),  # pylint:disable=bad-builtin
+                )
+
+            assignments.update(finder.assignments)
+
+        return assignments
+
+    @staticmethod
+    def _build_caller_subtree(callgraph: networkx.DiGraph, func_addr: int, max_level: int) -> networkx.DiGraph:
+        tree = networkx.DiGraph()
+
+        if func_addr not in callgraph:
+            return tree
+
+        queue = [(0, func_addr)]
+        traversed = {func_addr}
+        while queue:
+            level, addr = queue.pop(0)
+            for pred in callgraph.predecessors(addr):
+                if pred not in traversed and level + 1 <= max_level:
+                    traversed.add(pred)
+                    queue.append((level + 1, pred))
+                    tree.add_edge(addr, pred)
+
+        return tree
+
+    @staticmethod
+    def is_libname(name: str) -> bool:
+        name = name.lower()
+        if name in SIM_LIBRARIES:
+            return True
+        if "." not in name:
+            return name + ".dll" in SIM_LIBRARIES or name + ".exe" in SIM_LIBRARIES
+        return False
+
+    @staticmethod
+    def is_apiname(name: str) -> bool:
+        return any(not isinstance(lib, SimSyscallLibrary) and lib.has_prototype(name) for lib in SIM_LIBRARIES.values())
+
+
+AnalysesHub.register_default("APIObfuscationFinder", APIObfuscationFinder)

angr/analyses/deobfuscator/api_obf_peephole_optimizer.py

@@ -0,0 +1,51 @@
+from __future__ import annotations
+from ailment.expression import Const, Load
+
+from angr import SIM_LIBRARIES
+from angr.calling_conventions import default_cc
+from angr.analyses.decompiler.peephole_optimizations.base import PeepholeOptimizationExprBase
+from angr.analyses.decompiler.peephole_optimizations import EXPR_OPTS
+
+
+class APIObfType1PeepholeOptimizer(PeepholeOptimizationExprBase):
+    """
+    Integrate type-1 deobfuscated API into decompilation output.
+    """
+
+    __slots__ = ()
+
+    NAME = "Simplify Type 1 API obfuscation references"
+    expr_classes = (Load,)
+
+    def optimize(self, expr: Load, **kwargs):
+        if (
+            isinstance(expr.addr, Const)
+            and (expr.addr.value in self.kb.obfuscations.type1_deobfuscated_apis)
+            and expr.bits == self.project.arch.bits
+        ):
+            # this is actually a function calling a known API
+            # replace it with the actual API and the actual arguments
+            _, funcname = self.kb.obfuscations.type1_deobfuscated_apis[expr.addr.value]
+            if funcname not in self.kb.functions:
+                # assign a new function on-demand
+                symbol = self.project.loader.extern_object.make_extern(funcname)
+                hook_addr = self.project.hook_symbol(
+                    symbol.rebased_addr, SIM_LIBRARIES["linux"].get_stub(funcname, self.project.arch)
+                )
+                func = self.kb.functions.function(addr=hook_addr, name=funcname, create=True)
+                func.is_simprocedure = True
+
+                default_cc_kwargs = {}
+                if self.project.simos is not None:
+                    default_cc_kwargs["platform"] = self.project.simos.name
+                default_cc_cls = default_cc(self.project.arch.name, **default_cc_kwargs)
+                if default_cc_cls is not None:
+                    func.calling_convention = default_cc_cls(self.project.arch)
+                func.find_declaration(ignore_binary_name=True)
+            else:
+                func = self.kb.functions[funcname]
+            return Const(expr.idx, None, func.addr, self.project.arch.bits, **expr.tags)
+        return None
+
+
+EXPR_OPTS.append(APIObfType1PeepholeOptimizer)

angr/analyses/deobfuscator/irsb_reg_collector.py

@@ -0,0 +1,85 @@
+# pylint:disable=no-self-use,unused-argument,attribute-defined-outside-init
+from __future__ import annotations
+
+import pyvex
+
+from angr.engines.light import SimEngineLightVEXMixin
+
+
+class IRSBRegisterCollector(SimEngineLightVEXMixin):
+    """
+    Scan the VEX IRSB to collect all registers that are read.
+    """
+
+    def __init__(self, block, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+        self.block = block
+        self.reg_reads: set[tuple[int, int]] = set()
+
+    def process(self):
+        self.tmps = {}
+        self.tyenv = self.block.vex.tyenv
+
+        self._process_Stmt()
+
+        self.stmt_idx = None
+        self.ins_addr = None
+
+    def _handle_Put(self, stmt):
+        pass
+
+    def _handle_Load(self, expr):
+        pass
+
+    def _handle_Store(self, stmt):
+        pass
+
+    def _handle_LoadG(self, stmt):
+        pass
+
+    def _handle_LLSC(self, stmt: pyvex.IRStmt.LLSC):
+        pass
+
+    def _handle_StoreG(self, stmt):
+        pass
+
+    def _handle_Get(self, expr: pyvex.IRExpr.Get):
+        self.reg_reads.add((expr.offset, expr.result_size(self.tyenv)))
+
+    def _handle_RdTmp(self, expr):
+        pass
+
+    def _handle_Conversion(self, expr: pyvex.IRExpr.Unop):
+        pass
+
+    def _handle_16HLto32(self, expr):
+        pass
+
+    def _handle_Cmp_v(self, expr, _vector_size, _vector_count):
+        pass
+
+    _handle_CmpEQ_v = _handle_Cmp_v
+    _handle_CmpNE_v = _handle_Cmp_v
+    _handle_CmpLE_v = _handle_Cmp_v
+    _handle_CmpLT_v = _handle_Cmp_v
+    _handle_CmpGE_v = _handle_Cmp_v
+    _handle_CmpGT_v = _handle_Cmp_v
+
+    def _handle_ExpCmpNE64(self, expr):
+        pass
+
+    def _handle_CCall(self, expr):
+        pass
+
+    def _handle_function(self, func_addr):
+        pass
+
+    def _handle_Unop(self, expr):
+        pass
+
+    def _handle_Binop(self, expr: pyvex.IRExpr.Binop):
+        pass
+
+    def _handle_Triop(self, expr: pyvex.IRExpr.Triop):
+        pass