angr 9.2.131__py3-none-manylinux2014_aarch64.whl → 9.2.132__py3-none-manylinux2014_aarch64.whl

angr/analyses/decompiler/structured_codegen/c.py

@@ -33,6 +33,7 @@ from angr.sim_type import (
     dereference_simtype,
     SimTypeInt128,
     SimTypeInt256,
+    SimTypeInt512,
 )
 from angr.knowledge_plugins.functions import Function
 from angr.sim_variable import SimVariable, SimTemporaryVariable, SimStackVariable, SimMemoryVariable
@@ -1869,7 +1870,6 @@ class CBinaryOp(CExpression):
             "Mul": self._c_repr_chunks_mul,
             "Mull": self._c_repr_chunks_mull,
             "Div": self._c_repr_chunks_div,
-            "DivMod": self._c_repr_chunks_divmod,
             "Mod": self._c_repr_chunks_mod,
             "And": self._c_repr_chunks_and,
             "Xor": self._c_repr_chunks_xor,
@@ -3465,7 +3465,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
     def _handle_Expr_Tmp(self, expr: Tmp, **kwargs):
         l.warning("FIXME: Leftover Tmp expressions are found.")
-        return self._variable(SimTemporaryVariable(expr.tmp_idx), expr.size)
+        return self._variable(SimTemporaryVariable(expr.tmp_idx, expr.bits), expr.size)
 
     def _handle_Expr_Const(self, expr: Expr.Const, type_=None, reference_values=None, variable=None, **kwargs):
         inline_string = False
@@ -3590,7 +3590,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
     def _handle_Expr_Convert(self, expr: Expr.Convert, **kwargs):
         # width of converted type is easy
         dst_type: SimTypeInt | SimTypeChar
-        if 258 >= expr.to_bits > 128:
+        if 512 >= expr.to_bits > 256:
+            dst_type = SimTypeInt512()
+        elif 256 >= expr.to_bits > 128:
             dst_type = SimTypeInt256()
         elif 128 >= expr.to_bits > 64:
             dst_type = SimTypeInt128()

angr/analyses/decompiler/structuring/phoenix.py

@@ -1569,6 +1569,15 @@ class PhoenixStructurer(StructurerBase):
 
         return case_and_entry_addrs
 
+    def _is_switch_cases_address_loaded_from_memory_head_or_jumpnode(self, graph, node) -> bool:
+        jump_tables = self.kb.cfgs["CFGFast"].jump_tables
+        if node.addr in jump_tables:
+            return True
+        for succ in graph.successors(node):
+            if succ.addr in jump_tables:
+                return True
+        return node in self.switch_case_known_heads
+
     # other acyclic schemas
 
     def _match_acyclic_sequence(self, graph, full_graph, start_node) -> bool:
@@ -1578,14 +1587,12 @@ class PhoenixStructurer(StructurerBase):
         succs = list(graph.successors(start_node))
         if len(succs) == 1:
             end_node = succs[0]
-            jump_tables = self.kb.cfgs["CFGFast"].jump_tables
             if (
                 full_graph.out_degree[start_node] == 1
                 and full_graph.in_degree[end_node] == 1
                 and not full_graph.has_edge(end_node, start_node)
-                and end_node.addr not in jump_tables
-                and end_node not in self.switch_case_known_heads
-                and start_node not in self.switch_case_known_heads
+                and not self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, end_node)
+                and not self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, start_node)
                 and end_node not in self.dowhile_known_tail_nodes
             ):
                 # merge two blocks
@@ -1606,7 +1613,9 @@ class PhoenixStructurer(StructurerBase):
         succs = list(full_graph.successors(start_node))
         if len(succs) == 2:
             left, right = succs
-            if left in self.switch_case_known_heads or right in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, right):
                 # structure the switch-case first before we wrap them into an ITE. give up
                 return False
 
@@ -2039,7 +2048,9 @@ class PhoenixStructurer(StructurerBase):
                 left, right = right, left
 
             # ensure left and right nodes are not the head of a switch-case construct
-            if left in self.switch_case_known_heads or right in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, right):
                 return None
 
             if (
@@ -2086,7 +2097,9 @@ class PhoenixStructurer(StructurerBase):
                 left, right = right, left
 
             # ensure left and right nodes are not the head of a switch-case construct
-            if left in self.switch_case_known_heads or right in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, right):
                 return None
 
             if (
@@ -2127,7 +2140,9 @@ class PhoenixStructurer(StructurerBase):
                 left, successor = successor, left
 
             # ensure left and successor nodes are not the head of a switch-case construct
-            if left in self.switch_case_known_heads or successor in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, successor):
                 return None
 
             if (
@@ -2175,7 +2190,9 @@ class PhoenixStructurer(StructurerBase):
                 left, else_node = else_node, left
 
             # ensure left and else nodes are not the head of a switch-case construct
-            if left in self.switch_case_known_heads or else_node in self.switch_case_known_heads:
+            if self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(
+                full_graph, left
+            ) or self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, else_node):
                 return None
 
             if (

angr/analyses/decompiler/structuring/structurer_nodes.py

@@ -411,3 +411,12 @@ class IncompleteSwitchCaseHeadStatement(ailment.statement.Statement):
         return ailment.utils.stable_hash(
             (IncompleteSwitchCaseHeadStatement, self.idx, self.switch_variable, self._case_addrs_str)
         )
+
+    def replace(self, old_expr, new_expr):
+        return self
+
+    def likes(self, other):
+        return self == other
+
+    def matches(self, other):
+        return self == other

angr/analyses/deobfuscator/irsb_reg_collector.py

@@ -1,85 +1,54 @@
-# pylint:disable=no-self-use,unused-argument,attribute-defined-outside-init
+# pylint:disable=no-self-use,unused-argument
 from __future__ import annotations
 
-import pyvex
+from angr.engines.light import SimEngineNostmtVEX
 
-from angr.engines.light import SimEngineLightVEXMixin
 
-
-class IRSBRegisterCollector(SimEngineLightVEXMixin):
+class IRSBRegisterCollector(SimEngineNostmtVEX[None, None, None]):
     """
     Scan the VEX IRSB to collect all registers that are read.
     """
 
-    def __init__(self, block, *args, **kwargs):
+    def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
 
-        self.block = block
         self.reg_reads: set[tuple[int, int]] = set()
 
-    def process(self):
-        self.tmps = {}
-        self.tyenv = self.block.vex.tyenv
-
-        self._process_Stmt()
-
-        self.stmt_idx = None
-        self.ins_addr = None
-
-    def _handle_Put(self, stmt):
-        pass
-
-    def _handle_Load(self, expr):
-        pass
+    def _top(self, bits):
+        return None
 
-    def _handle_Store(self, stmt):
-        pass
+    def _is_top(self, expr):
+        return True
 
-    def _handle_LoadG(self, stmt):
-        pass
-
-    def _handle_LLSC(self, stmt: pyvex.IRStmt.LLSC):
-        pass
-
-    def _handle_StoreG(self, stmt):
-        pass
-
-    def _handle_Get(self, expr: pyvex.IRExpr.Get):
+    def _handle_expr_Get(self, expr):
         self.reg_reads.add((expr.offset, expr.result_size(self.tyenv)))
 
-    def _handle_RdTmp(self, expr):
-        pass
-
-    def _handle_Conversion(self, expr: pyvex.IRExpr.Unop):
-        pass
+    def _handle_stmt_WrTmp(self, stmt):
+        self._expr(stmt.data)
 
-    def _handle_16HLto32(self, expr):
-        pass
+    def _handle_conversion(self, from_size, to_size, signed, operand):
+        return None
 
-    def _handle_Cmp_v(self, expr, _vector_size, _vector_count):
-        pass
+    def _process_block_end(self, stmt_result, whitelist):
+        return None
 
-    _handle_CmpEQ_v = _handle_Cmp_v
-    _handle_CmpNE_v = _handle_Cmp_v
-    _handle_CmpLE_v = _handle_Cmp_v
-    _handle_CmpLT_v = _handle_Cmp_v
-    _handle_CmpGE_v = _handle_Cmp_v
-    _handle_CmpGT_v = _handle_Cmp_v
+    def _handle_expr_VECRET(self, expr):
+        return None
 
-    def _handle_ExpCmpNE64(self, expr):
-        pass
+    def _handle_expr_GSPTR(self, expr):
+        return None
 
-    def _handle_CCall(self, expr):
-        pass
+    def _handle_expr_RdTmp(self, expr):
+        return None
 
-    def _handle_function(self, func_addr):
-        pass
+    def _handle_expr_GetI(self, expr):
+        return None
 
-    def _handle_Unop(self, expr):
-        pass
+    def _handle_expr_Load(self, expr):
+        return None
 
-    def _handle_Binop(self, expr: pyvex.IRExpr.Binop):
-        pass
+    def _handle_expr_ITE(self, expr):
+        return None
 
-    def _handle_Triop(self, expr: pyvex.IRExpr.Triop):
-        pass
+    def _handle_expr_Const(self, expr):
+        return None

angr/analyses/deobfuscator/string_obf_finder.py

@@ -669,8 +669,8 @@ class StringObfuscationFinder(Analysis):
         # take a look at the call-site block to see what registers are used
         reg_reads = set()
         for block_addr in blocks_at_callsite:
-            reg_collector = IRSBRegisterCollector(self.project.factory.block(block_addr))
-            reg_collector.process()
+            reg_collector = IRSBRegisterCollector(self.project)
+            reg_collector.process(state=None, block=self.project.factory.block(block_addr))
             reg_reads |= set(reg_collector.reg_reads)
 
         # run constant propagation to track constant registers

angr/analyses/init_finder.py

@@ -1,33 +1,36 @@
 from __future__ import annotations
 from collections import defaultdict
+from typing import cast
 
 from cle.loader import MetaELF
-from cle.backends import Section, Segment
 import pyvex
 import claripy
 
 from angr.analyses import visitors, ForwardAnalysis
-from angr.engines.light import SimEngineLight, SimEngineLightVEXMixin
+from angr.code_location import CodeLocation
+from angr.engines.light import SimEngineNostmtVEX
 from . import register_analysis, PropagatorAnalysis
 from .analysis import Analysis
 from .propagator.vex_vars import VEXTmp
 
 
-class SimEngineInitFinderVEX(
-    SimEngineLightVEXMixin,
-    SimEngineLight,
-):
+class SimEngineInitFinderVEX(SimEngineNostmtVEX[None, claripy.ast.Base | int | None, None]):
     """
     The VEX engine class for InitFinder.
     """
 
     def __init__(self, project, replacements, overlay, pointers_only=False):
-        super().__init__()
-        self.project = project
-        self.replacements = replacements
+        super().__init__(project)
+        self.replacements: dict[CodeLocation, dict[int, claripy.ast.Base | int]] = replacements
         self.overlay = overlay
         self.pointers_only = pointers_only
 
+    def _top(self, bits):
+        return None
+
+    def _is_top(self, expr):
+        return expr is None
+
     #
     # Utils
     #
@@ -38,18 +41,19 @@ class SimEngineInitFinderVEX(
             return True
         return bool(isinstance(expr, int))
 
-    def _is_addr_uninitialized(self, addr):
+    def _is_addr_uninitialized(self, addr: int | claripy.ast.Base):
         # is it writing to a global, uninitialized region?
 
         if isinstance(addr, claripy.ast.Base):
-            addr = addr.args[0]
+            assert addr.op == "BVV"
+            addr = cast(int, addr.args[0])
 
         obj = self.project.loader.find_object_containing(addr)
         if obj is not None:
             if not obj.has_memory:
                 # Objects without memory are definitely uninitialized
                 return True
-            section: Section = obj.find_section_containing(addr)
+            section = obj.find_section_containing(addr)
             if section is not None:
                 return section.name in {
                     ".bss",
@@ -58,7 +62,7 @@ class SimEngineInitFinderVEX(
             if isinstance(obj, MetaELF):
                 # for ELFs, if p_memsz >= p_filesz, the extra bytes are considered NOBITS
                 # https://docs.oracle.com/cd/E19120-01/open.solaris/819-0690/gjpww/index.html
-                segment: Segment = obj.find_segment_containing(addr)
+                segment = obj.find_segment_containing(addr)
                 if segment is not None and segment.memsize > segment.filesize:
                     return segment.vaddr + segment.filesize <= addr < segment.vaddr + segment.memsize
         return False
@@ -71,6 +75,9 @@ class SimEngineInitFinderVEX(
             return self.project.loader.find_object_containing(addr) is not None
         return False
 
+    def _process_block_end(self, stmt_result, whitelist):
+        return None
+
     #
     # Statement handlers
     #
@@ -78,15 +85,15 @@ class SimEngineInitFinderVEX(
     def _handle_function(self, *args, **kwargs):
         pass
 
-    def _handle_WrTmp(self, stmt):
+    def _handle_stmt_WrTmp(self, stmt):
         # Don't do anything since constant propagation has already processed it
         return
 
-    def _handle_Put(self, stmt):
+    def _handle_stmt_Put(self, stmt):
         # Don't do anything since constant propagation has already processed it
         return
 
-    def _handle_Store(self, stmt):
+    def _handle_stmt_Store(self, stmt):
         blockloc = self._codeloc(block_only=True)
 
         if type(stmt.addr) is pyvex.IRExpr.RdTmp:
@@ -107,7 +114,7 @@ class SimEngineInitFinderVEX(
                         if not self.pointers_only or self._is_pointer(data_v):
                             self.overlay.store(addr_v, data_v, endness=self.project.arch.memory_endness)
 
-    def _handle_StoreG(self, stmt):
+    def _handle_stmt_StoreG(self, stmt):
         blockloc = self._codeloc(block_only=True)
         repl = self.replacements[blockloc]
 
@@ -144,16 +151,16 @@ class SimEngineInitFinderVEX(
     # Expression handlers
     #
 
-    def _handle_Get(self, expr):
+    def _handle_expr_Get(self, expr):
         return None
 
-    def _handle_Load(self, expr):
+    def _handle_expr_Load(self, expr):
         return None
 
-    def _handle_LoadG(self, stmt):
+    def _handle_stmt_LoadG(self, stmt):
         return None
 
-    def _handle_RdTmp(self, expr):
+    def _handle_expr_RdTmp(self, expr):
         blockloc = self._codeloc(block_only=True)
 
         tmp = VEXTmp(expr.tmp)
@@ -161,6 +168,24 @@ class SimEngineInitFinderVEX(
             return self.replacements[blockloc][tmp]
         return None
 
+    def _handle_expr_VECRET(self, expr):
+        return None
+
+    def _handle_expr_GSPTR(self, expr):
+        return None
+
+    def _handle_expr_GetI(self, expr):
+        return None
+
+    def _handle_expr_ITE(self, expr):
+        return None
+
+    def _handle_conversion(self, from_size, to_size, signed, operand):
+        return None
+
+    def _handle_expr_Const(self, expr):
+        return None
+
 
 class InitializationFinder(ForwardAnalysis, Analysis):  # pylint:disable=abstract-method
     """
@@ -238,7 +263,7 @@ class InitializationFinder(ForwardAnalysis, Analysis):  # pylint:disable=abstrac
         return None
 
     def _merge_states(self, node, *states):
-        return None
+        return None, False
 
     def _run_on_node(self, node, state):
         block = self.project.factory.block(node.addr, node.size, opt_level=1, cross_insn_opt=False)

angr/analyses/propagator/engine_base.py

@@ -1,9 +1,14 @@
 from __future__ import annotations
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, Generic
 import logging
 
+
+from angr.engines.light.engine import BlockType, DataType_co, StateType
+
 from angr.engines.light import SimEngineLight
 from angr.errors import SimEngineError
+from angr.project import Project
+from angr.misc.testing import is_testing
 
 if TYPE_CHECKING:
     from angr.analyses.reaching_definitions.reaching_definitions import ReachingDefinitionsModel
@@ -11,22 +16,22 @@ if TYPE_CHECKING:
 l = logging.getLogger(name=__name__)
 
 
-class SimEnginePropagatorBase(SimEngineLight):  # pylint:disable=abstract-method
+class SimEnginePropagatorBaseMixin(
+    Generic[StateType, DataType_co, BlockType], SimEngineLight[StateType, DataType_co, BlockType, StateType]
+):  # pylint:disable=abstract-method
     def __init__(
         self,
+        project: Project,
         stack_pointer_tracker=None,
-        project=None,
         propagate_tmps=True,
-        arch=None,
         reaching_definitions: ReachingDefinitionsModel | None = None,
         immediate_stmt_removal: bool = False,
         bp_as_gpr: bool = False,
     ):
-        super().__init__()
+        super().__init__(project)
 
         # Used in the VEX engine
-        self._project = project
-        self.arch = arch
+        self.arch = project.arch
         self.base_state = None
         self._load_callback = None
         self._propagate_tmps: bool = propagate_tmps
@@ -40,15 +45,17 @@ class SimEnginePropagatorBase(SimEngineLight):  # pylint:disable=abstract-method
 
         self._multi_occurrence_registers = None
 
-    def process(self, state, *args, **kwargs):
-        self.project = kwargs.pop("project", None)
-        self.base_state = kwargs.pop("base_state", None)
-        self._load_callback = kwargs.pop("load_callback", None)
+    def process(
+        self, state: StateType, *, block: BlockType | None = None, base_state=None, load_callback=None, **kwargs
+    ) -> StateType:
+        self.base_state = base_state
+        self._load_callback = load_callback
         try:
-            self._process(state, None, block=kwargs.pop("block", None))
+            result_state = super().process(state, block=block, **kwargs)
         except SimEngineError as ex:
-            if kwargs.pop("fail_fast", False) is True:
+            if kwargs.pop("fail_fast", is_testing) is True:
                 raise ex
             l.error(ex, exc_info=True)
+            result_state = state
 
-        return self.state
+        return result_state