angr 9.2.130__py3-none-manylinux2014_aarch64.whl → 9.2.132__py3-none-manylinux2014_aarch64.whl

angr/analyses/ddg.py

@@ -2,8 +2,10 @@ from __future__ import annotations
 import logging
 from collections import defaultdict
 
+import claripy
 import networkx
 import pyvex
+
 from . import Analysis
 
 from angr.code_location import CodeLocation
@@ -1030,9 +1032,9 @@ class DDG(Analysis):
 
         if not action.data.reg_deps and not action.data.tmp_deps:
             # might be a constant assignment
-            v = action.data.ast
+            v: claripy.ast.BV = action.data.ast
             if not v.symbolic:
-                const_var = SimConstantVariable(v.concrete_value)
+                const_var = SimConstantVariable(value=v.concrete_value, size=v.size())
                 const_progvar = ProgramVariable(const_var, prog_var.location)
                 self._data_graph_add_edge(const_progvar, prog_var, type="mem_data")
 
@@ -1109,7 +1111,8 @@ class DDG(Analysis):
                 elif isinstance(statement.data, pyvex.IRExpr.Const):
                     # assignment
                     const = statement.data.con.value
-                    self._ast_graph.add_edge(ProgramVariable(SimConstantVariable(const), location), pv)
+                    size = statement.data.con.size
+                    self._ast_graph.add_edge(ProgramVariable(SimConstantVariable(value=const, size=size), location), pv)
 
     def _handle_reg_read(self, action, location, state, statement):  # pylint:disable=unused-argument
         reg_offset = action.offset
@@ -1140,7 +1143,7 @@ class DDG(Analysis):
         elif reg_offset == self.project.arch.bp_offset:
             self._custom_data_per_statement = ("bp", 0)
 
-    def _handle_reg_write(self, action, location, state, statement):  # pylint:disable=unused-argument
+    def _handle_reg_write(self, action, location, state, statement: pyvex.stmt.Put):  # pylint:disable=unused-argument
         reg_offset = action.offset
         variable = SimRegisterVariable(reg_offset, action.data.ast.size() // 8)
 
@@ -1157,9 +1160,9 @@ class DDG(Analysis):
         if not action.reg_deps and not action.tmp_deps:
             # moving a constant into the register
             # try to parse out the constant from statement
-            const_variable = SimConstantVariable()
+            const_variable = SimConstantVariable(size=1)
             if statement is not None and isinstance(statement.data, pyvex.IRExpr.Const):
-                const_variable = SimConstantVariable(value=statement.data.con.value)
+                const_variable = SimConstantVariable(value=statement.data.con.value, size=statement.data.con.size)
             const_pv = ProgramVariable(const_variable, location, arch=self.project.arch)
             self._data_graph_add_edge(const_pv, pv)
 
@@ -1187,7 +1190,7 @@ class DDG(Analysis):
         ast = None
 
         tmp = action.tmp
-        pv = ProgramVariable(SimTemporaryVariable(tmp), location, arch=self.project.arch)
+        pv = ProgramVariable(SimTemporaryVariable(tmp, len(action.data)), location, arch=self.project.arch)
 
         if ast is not None:
             for operand in ast.operands:
@@ -1230,12 +1233,12 @@ class DDG(Analysis):
         if not action.tmp_deps and not self._variables_per_statement and not ast:
             # read in a constant
             # try to parse out the constant from statement
-            const_variable = SimConstantVariable()
+            const_variable = SimConstantVariable(size=1)
             if statement is not None:
                 if isinstance(statement, pyvex.IRStmt.Dirty):
                     l.warning("Dirty statements are not supported in DDG for now.")
                 elif isinstance(statement.data, pyvex.IRExpr.Const):
-                    const_variable = SimConstantVariable(value=statement.data.con.value)
+                    const_variable = SimConstantVariable(value=statement.data.con.value, size=statement.data.con.size)
             const_pv = ProgramVariable(const_variable, location, arch=self.project.arch)
             self._data_graph_add_edge(const_pv, pv)
 
@@ -1296,7 +1299,7 @@ class DDG(Analysis):
                 const_value = expr_1.ast.args[0]
                 tmp = next(iter(expr_0.tmp_deps))
 
-                const_def = ProgramVariable(SimConstantVariable(const_value), location)
+                const_def = ProgramVariable(SimConstantVariable(value=const_value, size=len(expr_1.ast)), location)
                 tmp_def = self._temp_variables[tmp]
                 return AST("-", tmp_def, const_def)
 
@@ -1310,7 +1313,7 @@ class DDG(Analysis):
                 const_value = expr_1.ast.args[0]
                 tmp = next(iter(expr_0.tmp_deps))
 
-                const_def = ProgramVariable(SimConstantVariable(const_value), location)
+                const_def = ProgramVariable(SimConstantVariable(value=const_value, size=len(expr_1.ast)), location)
                 tmp_def = self._temp_variables[tmp]
                 return AST("+", tmp_def, const_def)
 

angr/analyses/decompiler/ail_simplifier.py

@@ -24,6 +24,7 @@ from ailment.expression import (
     VirtualVariable,
 )
 
+from angr.analyses.s_propagator import SPropagatorAnalysis
 from angr.analyses.s_reaching_definitions import SRDAModel
 from angr.utils.ail import is_phi_assignment, HasExprWalker
 from angr.code_location import CodeLocation, ExternalCodeLocation
@@ -213,11 +214,11 @@ class AILSimplifier(Analysis):
         self._reaching_definitions = rd
         return rd
 
-    def _compute_propagation(self, immediate_stmt_removal: bool = False):
+    def _compute_propagation(self, immediate_stmt_removal: bool = False) -> SPropagatorAnalysis:
         # Propagate expressions or return the existing result
         if self._propagator is not None:
             return self._propagator
-        prop = self.project.analyses.SPropagator(
+        prop = self.project.analyses[SPropagatorAnalysis].prep()(
             subject=self.func,
             func_graph=self.func_graph,
             # gp=self._gp,

angr/analyses/decompiler/block_simplifier.py

@@ -2,10 +2,10 @@
 from __future__ import annotations
 import logging
 from typing import TYPE_CHECKING
-from collections.abc import Iterable
+from collections.abc import Iterable, Mapping
 
 from ailment.statement import Statement, Assignment, Call, Store, Jump
-from ailment.expression import Tmp, Load, Const, Register, Convert
+from ailment.expression import Tmp, Load, Const, Register, Convert, Expression
 from ailment import AILBlockWalkerBase
 
 from angr.code_location import ExternalCodeLocation, CodeLocation
@@ -139,7 +139,7 @@ class BlockSimplifier(Analysis):
 
         self.result_block = block
 
-    def _compute_propagation(self, block):
+    def _compute_propagation(self, block) -> SPropagatorAnalysis:
         if self._propagator is None:
             self._propagator = self.project.analyses[SPropagatorAnalysis].prep()(
                 subject=block,
@@ -155,7 +155,6 @@ class BlockSimplifier(Analysis):
                 .prep()(
                     subject=block,
                     track_tmps=True,
-                    stack_pointer_tracker=self._stack_pointer_tracker,
                     func_addr=self.func_addr,
                 )
                 .model
@@ -201,8 +200,8 @@ class BlockSimplifier(Analysis):
 
     @staticmethod
     def _replace_and_build(
-        block,
-        replacements,
+        block: Block,
+        replacements: Mapping[CodeLocation, Mapping[Expression, Expression]],
         replace_assignment_dsts: bool = False,
         replace_loads: bool = False,
         gp: int | None = None,
@@ -211,14 +210,9 @@ class BlockSimplifier(Analysis):
         new_statements = block.statements[::]
         replaced = False
 
-        stmts_to_remove = set()
         for codeloc, repls in replacements.items():
             for old, new in repls.items():
-                stmt_to_remove = None
-                if isinstance(new, dict):
-                    stmt_to_remove = new["stmt_to_remove"]
-                    new = new["expr"]
-
+                assert codeloc.stmt_idx is not None
                 stmt = new_statements[codeloc.stmt_idx]
                 if (
                     not replace_loads
@@ -229,7 +223,9 @@ class BlockSimplifier(Analysis):
                     # skip memory-based replacement for non-Call and non-gp-loading statements
                     continue
                 if stmt == old:
-                    # replace this statement
+                    # the replacement must be a call, since replacements can only be expressions
+                    # and call is the only thing which is both a statement and an expression
+                    assert isinstance(new, Call)
                     r = True
                     new_stmt = new
                 else:
@@ -257,20 +253,13 @@ class BlockSimplifier(Analysis):
                         r, new_stmt = stmt.replace(old, new)
 
                 if r:
+                    assert new_stmt is not None
                     replaced = True
                     new_statements[codeloc.stmt_idx] = new_stmt
-                    if stmt_to_remove is not None:
-                        stmts_to_remove.add(stmt_to_remove)
 
         if not replaced:
             return False, block
 
-        if stmts_to_remove:
-            stmt_ids_to_remove = {a.stmt_idx for a in stmts_to_remove}
-            all_stmts = {idx: stmt for idx, stmt in enumerate(new_statements) if idx not in stmt_ids_to_remove}
-            filtered_stmts = sorted(all_stmts.items(), key=lambda x: x[0])
-            new_statements = [stmt for _, stmt in filtered_stmts]
-
         new_block = block.copy()
         new_block.statements = new_statements
         return True, new_block

angr/analyses/decompiler/clinic.py

@@ -1,3 +1,4 @@
+# pylint:disable=too-many-boolean-expressions
 from __future__ import annotations
 from typing import Any, NamedTuple, TYPE_CHECKING
 import copy
@@ -12,12 +13,14 @@ import capstone
 
 import ailment
 
+from angr.analyses.decompiler.ssailification.ssailification import Ssailification
 from angr.errors import AngrDecompilationError
 from angr.knowledge_base import KnowledgeBase
 from angr.knowledge_plugins.functions import Function
 from angr.knowledge_plugins.cfg.memory_data import MemoryDataSort
 from angr.codenode import BlockNode
 from angr.utils import timethis
+from angr.utils.graph import GraphUtils
 from angr.calling_conventions import SimRegArg, SimStackArg, SimFunctionArgument
 from angr.sim_type import (
     SimTypeChar,
@@ -115,6 +118,7 @@ class Clinic(Analysis):
         desired_variables: set[str] | None = None,
         force_loop_single_exit: bool = True,
         complete_successors: bool = False,
+        unsound_fix_abnormal_switches: bool = True,
     ):
         if not func.normalized and mode == ClinicMode.DECOMPILE:
             raise ValueError("Decompilation must work on normalized function graphs.")
@@ -146,6 +150,7 @@ class Clinic(Analysis):
         self._must_struct = must_struct
         self._reset_variable_names = reset_variable_names
         self._rewrite_ites_to_diamonds = rewrite_ites_to_diamonds
+        self._unsound_fix_abnormal_switches = unsound_fix_abnormal_switches
         self.reaching_definitions: ReachingDefinitionsAnalysis | None = None
         self._cache = cache
         self._mode = mode
@@ -265,6 +270,9 @@ class Clinic(Analysis):
     def _decompilation_fixups(self, ail_graph):
         is_pcode_arch = ":" in self.project.arch.name
 
+        self._remove_redundant_jump_blocks(ail_graph)
+        # _fix_abnormal_switch_case_heads may re-lift from VEX blocks, so it should be placed as high up as possible
+        self._fix_abnormal_switch_case_heads(ail_graph)
         if self._rewrite_ites_to_diamonds:
             self._rewrite_ite_expressions(ail_graph)
         self._remove_redundant_jump_blocks(ail_graph)
@@ -941,7 +949,7 @@ class Clinic(Analysis):
 
     def _convert(self, block_node):
         """
-        Convert a VEX block to an AIL block.
+        Convert a BlockNode to an AIL block.
 
         :param block_node:  A BlockNode instance.
         :return:            A converted AIL block.
@@ -955,13 +963,16 @@ class Clinic(Analysis):
             return ailment.Block(block_node.addr, 0, statements=[])
 
         block = self.project.factory.block(block_node.addr, block_node.size, cross_insn_opt=False)
+        return self._convert_vex(block)
+
+    def _convert_vex(self, block):
         if block.vex.jumpkind not in {"Ijk_Call", "Ijk_Boring", "Ijk_Ret"} and not block.vex.jumpkind.startswith(
             "Ijk_Sys"
         ):
             # we don't support lifting this block. use a dummy block instead
             dirty_expr = ailment.Expr.DirtyExpression(
                 self._ail_manager.next_atom,
-                f"Unsupported jumpkind {block.vex.jumpkind} at address {block_node.addr}",
+                f"Unsupported jumpkind {block.vex.jumpkind} at address {block.addr}",
                 [],
                 bits=0,
             )
@@ -969,10 +980,10 @@ class Clinic(Analysis):
                 ailment.Stmt.DirtyStatement(
                     self._ail_manager.next_atom(),
                     dirty_expr,
-                    ins_addr=block_node.addr,
+                    ins_addr=block.addr,
                 )
             ]
-            return ailment.Block(block_node.addr, block_node.size, statements=statements)
+            return ailment.Block(block.addr, block.size, statements=statements)
 
         return ailment.IRSBConverter.convert(block.vex, self._ail_manager)
 
@@ -1351,10 +1362,9 @@ class Clinic(Analysis):
 
     @timethis
     def _transform_to_ssa_level0(self, ail_graph: networkx.DiGraph) -> networkx.DiGraph:
-        ssailification = self.project.analyses.Ssailification(
+        ssailification = self.project.analyses[Ssailification].prep(fail_fast=self._fail_fast)(
             self.function,
             ail_graph,
-            fail_fast=self._fail_fast,
             entry=next(iter(bb for bb in ail_graph if (bb.addr, bb.idx) == self.entry_node_addr)),
             ail_manager=self._ail_manager,
             ssa_stackvars=False,
@@ -1924,10 +1934,12 @@ class Clinic(Analysis):
                         break
 
     def _create_triangle_for_ite_expression(self, ail_graph, block_addr: int, ite_ins_addr: int):
-        # lift the ite instruction to get its size
-        ite_insn_size = self.project.factory.block(ite_ins_addr, num_inst=1).size
+        ite_insn_only_block = self.project.factory.block(ite_ins_addr, num_inst=1)
+        ite_insn_size = ite_insn_only_block.size
         if ite_insn_size <= 2:  # we need an address for true_block and another address for false_block
             return None
+        if ite_insn_only_block.vex.exit_statements:
+            return None
 
         # relift the head and the ITE instruction
         new_head = self.project.factory.block(
@@ -2029,6 +2041,10 @@ class Clinic(Analysis):
             ):
                 return None
 
+        # corner-case: the last statement of original_block might have been patched by _remove_redundant_jump_blocks.
+        # we detect such case and fix it in new_head_ail
+        self._remove_redundant_jump_blocks_repatch_relifted_block(original_block, end_block_ail)
+
         ail_graph.remove_node(original_block)
 
         if end_block_ail not in ail_graph:
@@ -2055,6 +2071,310 @@ class Clinic(Analysis):
 
         return end_block_ail.addr
 
+    def _fix_abnormal_switch_case_heads(self, ail_graph: networkx.DiGraph) -> None:
+        """
+        Detect the existence of switch-case heads whose indirect jump node has more than one predecessor, and attempt
+        to fix those cases by altering the graph.
+        """
+
+        if self._cfg is None:
+            return
+
+        if not self._cfg.jump_tables:
+            return
+
+        node_dict: defaultdict[int, list[ailment.Block]] = defaultdict(list)
+        for node in ail_graph:
+            node_dict[node.addr].append(node)
+
+        candidates = []
+        for block_addr in self._cfg.jump_tables:
+            block_nodes = node_dict[block_addr]
+            for block_node in block_nodes:
+                if ail_graph.in_degree[block_node] > 1:
+                    # found it
+                    candidates.append(block_node)
+
+        if not candidates:
+            return
+
+        sorted_nodes = GraphUtils.quasi_topological_sort_nodes(ail_graph)
+        node_to_rank = {node: rank for rank, node in enumerate(sorted_nodes)}
+        for candidate in candidates:
+            # determine the "intended" switch-case head using topological order
+            preds = list(ail_graph.predecessors(candidate))
+            preds = sorted(preds, key=lambda n_: node_to_rank[n_])
+            intended_head = preds[0]
+            other_heads = preds[1:]
+
+            # now here is the tricky part. there are two cases:
+            # Case 1: the intended head and the other heads share the same suffix (of instructions)
+            #    Example:
+            #       ; binary 736cb27201273f6c4f83da362c9595b50d12333362e02bc7a77dd327cc6b045a
+            #       0041DA97 mov     ecx, [esp+2Ch+var_18]  ; this is the intended head
+            #       0041DA9B mov     ecx, [ecx]
+            #       0041DA9D cmp     ecx, 9
+            #       0041DAA0 jbe     loc_41D5A8
+            #
+            #       0041D599 mov     ecx, [ecx]             ; this is the other head
+            #       0041D59B mov     [esp+2Ch+var_10], eax
+            #       0041D59F cmp     ecx, 9
+            #       0041D5A2 ja      loc_41DAA6             ; fallthrough to 0x41d5a8
+            # given the overlap of two instructions at the end of both blocks, we will alter the second block to remove
+            # the overlapped instructions and add an unconditional jump so that it jumps to 0x41da9d.
+            # this is the most common case created by jump threading optimization in compilers. it's easy to handle.
+
+            # Case 2: the intended head and the other heads do not share the same suffix of instructions. in this case,
+            # we cannot reliably convert the blocks into a properly structured switch-case construct. we will alter the
+            # last instruction of all other heads to jump to the cmp instruction in the intended head, but do not remove
+            # any other instructions in these other heads. this is unsound, but is the best we can do in this case.
+
+            overlaps = [self._get_overlapping_suffix_instructions(intended_head, head) for head in other_heads]
+            if overlaps and (overlap := min(overlaps)) > 0:
+                # Case 1
+                self._fix_abnormal_switch_case_heads_case1(ail_graph, candidate, intended_head, other_heads, overlap)
+            else:
+                if self._unsound_fix_abnormal_switches:
+                    # Case 2
+                    l.warning("Switch-case at %#x has multiple head nodes but cannot be fixed soundly.", candidate.addr)
+                    # find the comparison instruction in the intended head
+                    comparison_stmt = None
+                    if "cc_op" in self.project.arch.registers:
+                        comparison_stmt = next(
+                            iter(
+                                stmt
+                                for stmt in intended_head.statements
+                                if isinstance(stmt, ailment.Stmt.Assignment)
+                                and isinstance(stmt.dst, ailment.Expr.Register)
+                                and stmt.dst.reg_offset == self.project.arch.registers["cc_op"][0]
+                            ),
+                            None,
+                        )
+                    intended_head_block = self.project.factory.block(
+                        intended_head.addr, size=intended_head.original_size
+                    )
+                    if comparison_stmt is not None:
+                        cmp_rpos = len(
+                            intended_head_block.instruction_addrs
+                        ) - intended_head_block.instruction_addrs.index(comparison_stmt.ins_addr)
+                    else:
+                        cmp_rpos = min(len(intended_head_block.instruction_addrs), 2)
+                    self._fix_abnormal_switch_case_heads_case2(
+                        ail_graph,
+                        candidate,
+                        intended_head,
+                        other_heads,
+                        intended_head_split_insns=cmp_rpos,
+                        other_head_split_insns=0,
+                    )
+
+    def _get_overlapping_suffix_instructions(self, ailblock_0: ailment.Block, ailblock_1: ailment.Block) -> int:
+        # we first compare their ending conditional jumps
+        if not self._get_overlapping_suffix_instructions_compare_conditional_jumps(ailblock_0, ailblock_1):
+            return 0
+
+        # we re-lift the blocks and compare the instructions
+        block_0 = self.project.factory.block(ailblock_0.addr, size=ailblock_0.original_size)
+        block_1 = self.project.factory.block(ailblock_1.addr, size=ailblock_1.original_size)
+
+        i0 = len(block_0.capstone.insns) - 2
+        i1 = len(block_1.capstone.insns) - 2
+        overlap = 1
+        while i0 >= 0 and i1 >= 0:
+            same = self._get_overlapping_suffix_instructions_compare_instructions(
+                block_0.capstone.insns[i0], block_1.capstone.insns[i1]
+            )
+            if not same:
+                break
+            overlap += 1
+            i0 -= 1
+            i1 -= 1
+
+        return overlap
+
+    @staticmethod
+    def _get_overlapping_suffix_instructions_compare_instructions(insn_0, insn_1) -> bool:
+        return insn_0.mnemonic == insn_1.mnemonic and insn_0.op_str == insn_1.op_str
+
+    @staticmethod
+    def _get_overlapping_suffix_instructions_compare_conditional_jumps(
+        ailblock_0: ailment.Block, ailblock_1: ailment.Block
+    ) -> bool:
+        # TODO: The logic here is naive and highly customized to the only example I can access. Expand this method
+        #  later to handle more cases if needed.
+        if len(ailblock_0.statements) == 0 or len(ailblock_1.statements) == 0:
+            return False
+
+        # 12 | 0x41d5a2 | t17 = (t4 <= 0x9<32>)
+        # 13 | 0x41d5a2 | t16 = Conv(1->32, t17)
+        # 14 | 0x41d5a2 | t14 = t16
+        # 15 | 0x41d5a2 | t18 = Conv(32->1, t14)
+        # 16 | 0x41d5a2 | t9 = t18
+        # 17 | 0x41d5a2 | if (t9) { Goto 0x41d5a8<32> } else { Goto 0x41daa6<32> }
+
+        last_stmt_0 = ailblock_0.statements[-1]
+        last_stmt_1 = ailblock_1.statements[-1]
+        if not (isinstance(last_stmt_0, ailment.Stmt.ConditionalJump) and last_stmt_0.likes(last_stmt_1)):
+            return False
+
+        last_cmp_stmt_0 = next(
+            iter(
+                stmt
+                for stmt in reversed(ailblock_0.statements)
+                if isinstance(stmt, ailment.Stmt.Assignment)
+                and isinstance(stmt.src, ailment.Expr.BinaryOp)
+                and stmt.src.op in ailment.Expr.BinaryOp.COMPARISON_NEGATION
+                and stmt.ins_addr == last_stmt_0.ins_addr
+            ),
+            None,
+        )
+        last_cmp_stmt_1 = next(
+            iter(
+                stmt
+                for stmt in reversed(ailblock_1.statements)
+                if isinstance(stmt, ailment.Stmt.Assignment)
+                and isinstance(stmt.src, ailment.Expr.BinaryOp)
+                and stmt.src.op in ailment.Expr.BinaryOp.COMPARISON_NEGATION
+                and stmt.ins_addr == last_stmt_1.ins_addr
+            ),
+            None,
+        )
+        return (
+            last_cmp_stmt_0 is not None
+            and last_cmp_stmt_1 is not None
+            and last_cmp_stmt_0.src.op == last_cmp_stmt_1.src.op
+            and last_cmp_stmt_0.src.operands[1].likes(last_cmp_stmt_1.src.operands[1])
+        )
+
+    def _fix_abnormal_switch_case_heads_case1(
+        self,
+        ail_graph: networkx.DiGraph,
+        indirect_jump_node: ailment.Block,
+        intended_head: ailment.Block,
+        other_heads: list[ailment.Block],
+        overlap: int,
+    ) -> None:
+        self._fix_abnormal_switch_case_heads_case2(
+            ail_graph,
+            indirect_jump_node,
+            intended_head,
+            other_heads,
+            intended_head_split_insns=overlap,
+            other_head_split_insns=overlap,
+        )
+
+    def _fix_abnormal_switch_case_heads_case2(
+        self,
+        ail_graph: networkx.DiGraph,
+        indirect_jump_node: ailment.Block,
+        intended_head: ailment.Block,
+        other_heads: list[ailment.Block],
+        intended_head_split_insns: int = 1,
+        other_head_split_insns: int = 0,
+    ) -> None:
+
+        # split the intended head into two
+        intended_head_block = self.project.factory.block(intended_head.addr, size=intended_head.original_size)
+        split_ins_addr = intended_head_block.instruction_addrs[-intended_head_split_insns]
+        # note that the two blocks can be fully overlapping, so block_0 will be empty...
+        intended_head_block_0 = (
+            self.project.factory.block(intended_head.addr, size=split_ins_addr - intended_head.addr)
+            if split_ins_addr != intended_head.addr
+            else None
+        )
+        intended_head_block_1 = self.project.factory.block(
+            split_ins_addr, size=intended_head.addr + intended_head.original_size - split_ins_addr
+        )
+        intended_head_0 = self._convert_vex(intended_head_block_0) if intended_head_block_0 is not None else None
+        intended_head_1 = self._convert_vex(intended_head_block_1)
+
+        # corner-case: the last statement of intended_head might have been patched by _remove_redundant_jump_blocks. we
+        # detect such case and fix it in intended_head_1
+        self._remove_redundant_jump_blocks_repatch_relifted_block(intended_head, intended_head_1)
+
+        # adjust the graph accordingly
+        preds = list(ail_graph.predecessors(intended_head))
+        succs = list(ail_graph.successors(intended_head))
+        ail_graph.remove_node(intended_head)
+
+        if intended_head_0 is None:
+            # perfect overlap; the first block is empty
+            for pred in preds:
+                if pred is intended_head:
+                    ail_graph.add_edge(intended_head_1, intended_head_1)
+                else:
+                    ail_graph.add_edge(pred, intended_head_1)
+            for succ in succs:
+                if succ is intended_head:
+                    ail_graph.add_edge(intended_head_1, intended_head_1)
+                else:
+                    ail_graph.add_edge(intended_head_1, succ)
+        else:
+            ail_graph.add_edge(intended_head_0, intended_head_1)
+            for pred in preds:
+                if pred is intended_head:
+                    ail_graph.add_edge(intended_head_1, intended_head_0)
+                else:
+                    ail_graph.add_edge(pred, intended_head_0)
+            for succ in succs:
+                if succ is intended_head:
+                    ail_graph.add_edge(intended_head_1, intended_head_0)
+                else:
+                    ail_graph.add_edge(intended_head_1, succ)
+
+        # split other heads
+        for o in other_heads:
+            if other_head_split_insns > 0:
+                o_block = self.project.factory.block(o.addr, size=o.original_size)
+                o_split_addr = o_block.instruction_addrs[-other_head_split_insns]
+                new_o_block = (
+                    self.project.factory.block(o.addr, size=o_split_addr - o.addr) if o_split_addr != o.addr else None
+                )
+                new_head = self._convert_vex(new_o_block) if new_o_block is not None else None
+            else:
+                new_head = o
+
+            if new_head is None:
+                # the head is removed - let's replace it with a jump to the target
+                jump_stmt = ailment.Stmt.Jump(
+                    None,
+                    ailment.Expr.Const(None, None, intended_head_1.addr, self.project.arch.bits),
+                    target_idx=intended_head_1.idx,
+                    ins_addr=o.addr,
+                )
+                new_head = ailment.Block(o.addr, 1, statements=[jump_stmt], idx=o.idx)
+            else:
+                if (
+                    new_head.statements
+                    and isinstance(new_head.statements[-1], ailment.Stmt.Jump)
+                    and isinstance(new_head.statements[-1].target, ailment.Expr.Const)
+                ):
+                    # update the jump target
+                    new_head.statements[-1] = ailment.Stmt.Jump(
+                        new_head.statements[-1].idx,
+                        ailment.Expr.Const(None, None, intended_head_1.addr, self.project.arch.bits),
+                        target_idx=intended_head_1.idx,
+                        **new_head.statements[-1].tags,
+                    )
+
+            # adjust the graph accordingly
+            preds = list(ail_graph.predecessors(o))
+            succs = list(ail_graph.successors(o))
+            ail_graph.remove_node(o)
+            for pred in preds:
+                if pred is o:
+                    ail_graph.add_edge(new_head, new_head)
+                else:
+                    ail_graph.add_edge(pred, new_head)
+            for succ in succs:
+                if succ is o:
+                    ail_graph.add_edge(new_head, new_head)
+                elif succ is indirect_jump_node:
+                    ail_graph.add_edge(new_head, intended_head_1)
+                else:
+                    # it should be going to the default node. ignore it
+                    pass
+
     @staticmethod
     def _remove_redundant_jump_blocks(ail_graph):
         def first_conditional_jump(block: ailment.Block) -> ailment.Stmt.ConditionalJump | None:
@@ -2105,6 +2425,39 @@ class Clinic(Analysis):
                             ail_graph.add_edge(pred, succs[0])
                         ail_graph.remove_node(node)
 
+    @staticmethod
+    def _remove_redundant_jump_blocks_repatch_relifted_block(
+        patched_block: ailment.Block, new_block: ailment.Block
+    ) -> None:
+        """
+        The last statement of patched_block might have been patched by _remove_redundant_jump_blocks. In this case, we
+        fix the last instruction for new_block, which is a newly lifted (from VEX) block that ends at the same address
+        as patched_block.
+
+        :param patched_block:   Previously patched block.
+        :param new_block:       Newly lifted block.
+        """
+
+        if (
+            isinstance(patched_block.statements[-1], ailment.Stmt.Jump)
+            and isinstance(patched_block.statements[-1].target, ailment.Expr.Const)
+            and isinstance(new_block.statements[-1], ailment.Stmt.Jump)
+            and isinstance(new_block.statements[-1].target, ailment.Expr.Const)
+            and not patched_block.statements[-1].likes(new_block.statements[-1])
+        ):
+            new_block.statements[-1].target = patched_block.statements[-1].target
+        if (
+            isinstance(patched_block.statements[-1], ailment.Stmt.ConditionalJump)
+            and isinstance(patched_block.statements[-1].true_target, ailment.Expr.Const)
+            and isinstance(patched_block.statements[-1].false_target, ailment.Expr.Const)
+            and isinstance(new_block.statements[-1], ailment.Stmt.ConditionalJump)
+            and isinstance(new_block.statements[-1].true_target, ailment.Expr.Const)
+            and isinstance(new_block.statements[-1].false_target, ailment.Expr.Const)
+            and not patched_block.statements[-1].likes(new_block.statements[-1])
+        ):
+            new_block.statements[-1].true_target = patched_block.statements[-1].true_target
+            new_block.statements[-1].false_target = patched_block.statements[-1].false_target
+
     @staticmethod
     def _insert_block_labels(ail_graph):
         for node in ail_graph.nodes: