angr 9.2.134__py3-none-macosx_11_0_arm64.whl → 9.2.136__py3-none-macosx_11_0_arm64.whl

angr/analyses/cfg/cfg_base.py

@@ -1570,13 +1570,13 @@ class CFGBase(Analysis):
         # TODO: Is it required that PLT stubs are always aligned by 16? If so, on what architectures and platforms is it
         # TODO:  enforced?
 
-        tmp_functions = self.kb.functions.copy()
+        tmp_functions = self.kb.functions
 
         for function in tmp_functions.values():
             function.mark_nonreturning_calls_endpoints()
             if function.returning is False:
                 # remove all FakeRet edges that are related to this function
-                func_node = self.model.get_any_node(function.addr)
+                func_node = self.model.get_any_node(function.addr, force_fastpath=True)
                 if func_node is not None:
                     callsite_nodes = [
                         src
@@ -1588,8 +1588,8 @@ class CFGBase(Analysis):
                             if data.get("jumpkind", None) == "Ijk_FakeRet":
                                 self.graph.remove_edge(callsite_node, dst)
 
-        # Clear old functions dict
-        self.kb.functions.clear()
+        # Clear old functions dict by creating a new function manager
+        self.kb.functions = FunctionManager(self.kb)
 
         blockaddr_to_function = {}
         traversed_cfg_nodes = set()
@@ -1602,7 +1602,7 @@ class CFGBase(Analysis):
             if jumpkind == "Ijk_Call" or jumpkind.startswith("Ijk_Sys"):
                 function_nodes.add(dst)
 
-        entry_node = self.model.get_any_node(self._binary.entry)
+        entry_node = self.model.get_any_node(self._binary.entry, force_fastpath=True)
         if entry_node is not None:
             function_nodes.add(entry_node)
 
@@ -1663,7 +1663,7 @@ class CFGBase(Analysis):
         secondary_function_nodes = set()
         # add all function chunks ("functions" that are not called from anywhere)
         for func_addr in tmp_functions:
-            node = self.model.get_any_node(func_addr)
+            node = self.model.get_any_node(func_addr, force_fastpath=True)
             if node is None:
                 continue
             if node.addr not in blockaddr_to_function:
@@ -1992,8 +1992,8 @@ class CFGBase(Analysis):
                 if not transition_found:
                     continue
 
-                cfgnode_0 = self.model.get_any_node(block_node.addr)
-                cfgnode_1 = self.model.get_any_node(addr_1)
+                cfgnode_0 = self.model.get_any_node(block_node.addr, force_fastpath=True)
+                cfgnode_1 = self.model.get_any_node(addr_1, force_fastpath=True)
 
                 if cfgnode_0 is None or cfgnode_1 is None:
                     continue
@@ -2089,7 +2089,7 @@ class CFGBase(Analysis):
                 continue
             if func_addr in jumptable_entries:
                 # is there any call edge pointing to it?
-                func_node = self.get_any_node(func_addr)
+                func_node = self.get_any_node(func_addr, force_fastpath=True)
                 if func_node is not None:
                     in_edges = self.graph.in_edges(func_node, data=True)
                     has_transition_pred = None
@@ -2128,7 +2128,7 @@ class CFGBase(Analysis):
         else:
             is_syscall = self.project.simos.is_syscall_addr(addr)
 
-            n = self.model.get_any_node(addr, is_syscall=is_syscall)
+            n = self.model.get_any_node(addr, is_syscall=is_syscall, force_fastpath=True)
             node = addr if n is None else self._to_snippet(n)
 
             if isinstance(addr, SootAddressDescriptor):
@@ -2304,7 +2304,7 @@ class CFGBase(Analysis):
         src_function = self._addr_to_function(src_addr, blockaddr_to_function, known_functions)
 
         if src_addr not in src_function.block_addrs_set:
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             node = src_addr if n is None else self._to_snippet(n)
             self.kb.functions._add_node(src_function.addr, node)
 
@@ -2315,7 +2315,7 @@ class CFGBase(Analysis):
         jumpkind = data["jumpkind"]
 
         if jumpkind == "Ijk_Ret":
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             from_node = src_addr if n is None else self._to_snippet(n)
             self.kb.functions._add_return_from(src_function.addr, from_node, None)
 
@@ -2334,7 +2334,7 @@ class CFGBase(Analysis):
             # It must be calling a function
             dst_function = self._addr_to_function(dst_addr, blockaddr_to_function, known_functions)
 
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             if n is None:
                 src_snippet = self._to_snippet(addr=src_addr, base_state=self._base_state)
             else:
@@ -2349,21 +2349,12 @@ class CFGBase(Analysis):
             else:
                 fakeret_node = self._one_fakeret_node(all_edges)
 
-            fakeret_snippet = None if fakeret_node is None else self._to_snippet(cfg_node=fakeret_node)
-
             if isinstance(dst_addr, SootAddressDescriptor):
                 dst_addr = dst_addr.method
 
-            self.kb.functions._add_call_to(
-                src_function.addr,
-                src_snippet,
-                dst_addr,
-                fakeret_snippet,
-                syscall=is_syscall,
-                ins_addr=ins_addr,
-                stmt_idx=stmt_idx,
-            )
-
+            # determining the returning target
+            return_to_outside = False
+            returning_snippet = None
             if dst_function.returning and fakeret_node is not None:
                 returning_target = src.addr + src.size
                 if returning_target not in blockaddr_to_function:
@@ -2372,9 +2363,9 @@ class CFGBase(Analysis):
                     else:
                         self._addr_to_function(returning_target, blockaddr_to_function, known_functions)
 
-                to_outside = blockaddr_to_function[returning_target] is not src_function
+                return_to_outside = blockaddr_to_function[returning_target] is not src_function
 
-                n = self.model.get_any_node(returning_target)
+                n = self.model.get_any_node(returning_target, force_fastpath=True)
                 if n is None:
                     try:
                         returning_snippet = self._to_snippet(addr=returning_target, base_state=self._base_state)
@@ -2384,17 +2375,28 @@ class CFGBase(Analysis):
                 else:
                     returning_snippet = self._to_snippet(cfg_node=n)
 
-                if returning_snippet is not None:
-                    self.kb.functions._add_fakeret_to(
-                        src_function.addr, src_snippet, returning_snippet, confirmed=True, to_outside=to_outside
-                    )
+            self.kb.functions._add_call_to(
+                src_function.addr,
+                src_snippet,
+                dst_addr,
+                retn_node=returning_snippet,
+                syscall=is_syscall,
+                ins_addr=ins_addr,
+                stmt_idx=stmt_idx,
+                return_to_outside=return_to_outside,
+            )
+
+            if returning_snippet is not None:
+                self.kb.functions._add_fakeret_to(
+                    src_function.addr, src_snippet, returning_snippet, confirmed=True, to_outside=return_to_outside
+                )
 
         elif jumpkind in ("Ijk_Boring", "Ijk_InvalICache", "Ijk_Exception"):
             # convert src_addr and dst_addr to CodeNodes
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             src_node = src_addr if n is None else self._to_snippet(cfg_node=n)
 
-            n = self.model.get_any_node(dst_addr)
+            n = self.model.get_any_node(dst_addr, force_fastpath=True)
             dst_node = dst_addr if n is None else self._to_snippet(cfg_node=n)
 
             if self._skip_unmapped_addrs:
@@ -2460,10 +2462,10 @@ class CFGBase(Analysis):
 
         elif jumpkind == "Ijk_FakeRet":
             # convert src_addr and dst_addr to CodeNodes
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             src_node = src_addr if n is None else self._to_snippet(n)
 
-            n = self.model.get_any_node(dst_addr)
+            n = self.model.get_any_node(dst_addr, force_fastpath=True)
             dst_node = dst_addr if n is None else self._to_snippet(n)
 
             if dst_addr not in blockaddr_to_function:

angr/analyses/cfg/cfg_emulated.py

@@ -2083,7 +2083,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         if src_node_key is None:
             if dst_node is None:
                 raise ValueError("Either src_node_key or dst_node_key must be specified.")
-            self.kb.functions.function(dst_node.function_address, create=True)._register_nodes(True, dst_codenode)
+            self.kb.functions.function(dst_node.function_address, create=True)._register_node(True, dst_codenode)
             return
 
         src_node = self._graph_get_node(src_node_key, terminator_for_nonexistent_node=True)

angr/analyses/cfg/cfg_fast.py

@@ -135,9 +135,9 @@ class PendingJobs:
     A collection of pending jobs during CFG recovery.
     """
 
-    def __init__(self, functions, deregister_job_callback):
+    def __init__(self, kb, deregister_job_callback):
         self._jobs = OrderedDict()  # A mapping between function addresses and lists of pending jobs
-        self._functions = functions
+        self._kb = kb
         self._deregister_job_callback = deregister_job_callback
 
         self._returning_functions = set()
@@ -145,6 +145,10 @@ class PendingJobs:
         # consecutive calls to cleanup().
         self._job_count = 0
 
+    @property
+    def _functions(self):
+        return self._kb.functions
+
     def __len__(self):
         return self._job_count
 
@@ -1316,7 +1320,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         self._known_thunks = self._find_thunks()
 
         # Initialize variables used during analysis
-        self._pending_jobs: PendingJobs = PendingJobs(self.functions, self._deregister_analysis_job)
+        self._pending_jobs: PendingJobs = PendingJobs(self.kb, self._deregister_analysis_job)
         self._traced_addresses: set[int] = {a for a, n in self._nodes_by_addr.items() if n}
         self._function_returns = defaultdict(set)
 
@@ -1498,6 +1502,18 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         pass
 
     def _function_completed(self, func_addr: int):
+        if self.project.arch.name == "AMD64":
+            # determine if the function is __rust_probestack
+            func = self.kb.functions.get_by_addr(func_addr) if self.kb.functions.contains_addr(func_addr) else None
+            if func is not None and len(func.block_addrs_set) == 3:
+                block_bytes = {func.get_block(block_addr).bytes for block_addr in func.block_addrs_set}
+                if block_bytes == {
+                    b"UH\x89\xe5I\x89\xc3I\x81\xfb\x00\x10\x00\x00v\x1c",
+                    b"H\x81\xec\x00\x10\x00\x00H\x85d$\x08I\x81\xeb\x00\x10\x00\x00I\x81\xfb\x00\x10\x00\x00w\xe4",
+                    b"L)\xdcH\x85d$\x08H\x01\xc4\xc9\xc3",
+                }:
+                    func.info["is_rust_probestack"] = True
+
         if self._collect_data_ref and self.project is not None and ":" in self.project.arch.name:
             # this is a pcode arch - use Clinic to recover data references
 
@@ -1744,6 +1760,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         # Clean up
         self._traced_addresses = None
         self._lifter_deregister_readonly_regions()
+        self._function_returns = None
 
         self._finish_progress()
 
@@ -1825,19 +1842,18 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                         break
 
             # special handling: some binaries do not have SecurityCookie set, but still contain _security_init_cookie
-            if security_init_cookie_found is False:
+            if security_init_cookie_found is False and self.functions.contains_addr(self.project.entry):
                 start_func = self.functions.get_by_addr(self.project.entry)
-                if start_func is not None:
-                    for callee in start_func.transition_graph:
-                        if (
-                            isinstance(callee, Function)
-                            and not security_init_cookie_found
-                            and is_function_likely_security_init_cookie(callee)
-                        ):
-                            security_init_cookie_found = True
-                            callee.is_default_name = False
-                            callee.name = "_security_init_cookie"
-                            break
+                for callee in start_func.transition_graph:
+                    if (
+                        isinstance(callee, Function)
+                        and not security_init_cookie_found
+                        and is_function_likely_security_init_cookie(callee)
+                    ):
+                        security_init_cookie_found = True
+                        callee.is_default_name = False
+                        callee.name = "_security_init_cookie"
+                        break
 
     def _post_process_string_references(self) -> None:
         """
@@ -4765,6 +4781,37 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 func = self.kb.functions.get_by_addr(func_addr)
                 func.info["get_pc"] = "ebx"
 
+            # determine if the function uses ebp as a general purpose register or not
+            if addr == func_addr or 0 < addr - func_addr <= 0x20:
+                ebp_as_gpr = True
+                cap = self._lift(addr, size=cfg_node.size).capstone
+                for insn in cap.insns:
+                    if (
+                        insn.mnemonic == "mov"
+                        and len(insn.operands) == 2
+                        and insn.operands[0].type == capstone.x86.X86_OP_REG
+                        and insn.operands[1].type == capstone.x86.X86_OP_REG
+                    ):
+                        if (
+                            insn.operands[0].reg == capstone.x86.X86_REG_EBP
+                            and insn.operands[1].reg == capstone.x86.X86_REG_ESP
+                        ):
+                            ebp_as_gpr = False
+                            break
+                    elif (
+                        insn.mnemonic == "lea"
+                        and len(insn.operands) == 2
+                        and insn.operands[0].type == capstone.x86.X86_OP_REG
+                        and insn.operands[1].type == capstone.x86.X86_OP_MEM
+                    ) and (
+                        insn.operands[0].reg == capstone.x86.X86_REG_EBP
+                        and insn.operands[1].mem.base == capstone.x86.X86_REG_ESP
+                    ):
+                        ebp_as_gpr = False
+                        break
+                func = self.kb.functions.get_by_addr(func_addr)
+                func.info["bp_as_gpr"] = ebp_as_gpr
+
         elif self.project.arch.name == "AMD64":
             # determine if the function uses rbp as a general purpose register or not
             if addr == func_addr or 0 < addr - func_addr <= 0x20:

angr/analyses/cfg/cfg_fast_soot.py

@@ -50,7 +50,7 @@ class CFGFastSoot(CFGFast):
         self._initialize_cfg()
 
         # Initialize variables used during analysis
-        self._pending_jobs = PendingJobs(self.functions, self._deregister_analysis_job)
+        self._pending_jobs = PendingJobs(self.kb, self._deregister_analysis_job)
         self._traced_addresses = set()
         self._changed_functions = set()
         self._updated_nonreturning_functions = set()

angr/analyses/cfg/indirect_jump_resolvers/__init__.py

@@ -9,6 +9,7 @@ from .amd64_elf_got import AMD64ElfGotResolver
 from .arm_elf_fast import ArmElfFastResolver
 from .const_resolver import ConstantResolver
 from .amd64_pe_iat import AMD64PeIatResolver
+from .memload_resolver import MemoryLoadResolver
 
 
 __all__ = (
@@ -17,6 +18,7 @@ __all__ = (
     "ArmElfFastResolver",
     "ConstantResolver",
     "JumpTableResolver",
+    "MemoryLoadResolver",
     "MipsElfFastResolver",
     "MipsElfGotResolver",
     "X86ElfPicPltResolver",

angr/analyses/cfg/indirect_jump_resolvers/const_resolver.py

@@ -75,7 +75,31 @@ class ConstantResolver(IndirectJumpResolver):
 
         vex_block = block.vex
         if isinstance(vex_block.next, pyvex.expr.RdTmp):
-            # what does the jump rely on? slice it back and see
+            tmp_stmt_idx, tmp_ins_addr = self._find_tmp_write_stmt_and_ins(vex_block, vex_block.next.tmp)
+            if tmp_stmt_idx is None or tmp_ins_addr is None:
+                return False, []
+
+            # first check: is it jumping to a target loaded from memory? if so, it should have been resolved by
+            # MemoryLoadResolver.
+            stmt = vex_block.statements[tmp_stmt_idx]
+            assert isinstance(stmt, pyvex.IRStmt.WrTmp)
+            if (
+                isinstance(stmt.data, pyvex.IRExpr.Load)
+                and isinstance(stmt.data.addr, pyvex.IRExpr.Const)
+                and stmt.data.result_size(vex_block.tyenv) == self.project.arch.bits
+            ):
+                # well, if MemoryLoadResolver hasn't resolved it, we can try to resolve it here, or bail early because
+                # ConstantResolver won't help.
+                load_addr = stmt.data.addr.con.value
+                try:
+                    value = self.project.loader.memory.unpack_word(load_addr, size=self.project.arch.bytes)
+                    if isinstance(value, int) and self._is_target_valid(cfg, value):
+                        return True, [value]
+                except KeyError:
+                    pass
+                return False, []
+
+            # second check: what does the jump rely on? slice it back and see
             b = Blade(
                 cfg.graph,
                 addr,
@@ -104,26 +128,25 @@ class ConstantResolver(IndirectJumpResolver):
                     block = self.project.factory.block(pred_addr, cross_insn_opt=True).vex
                     if stmt_idx != DEFAULT_STATEMENT:
                         stmt = block.statements[stmt_idx]
-                        if isinstance(stmt, pyvex.IRStmt.WrTmp) and isinstance(stmt.data, pyvex.IRExpr.Load):
+                        if (
+                            isinstance(stmt, pyvex.IRStmt.WrTmp)
+                            and isinstance(stmt.data, pyvex.IRExpr.Load)
+                            and not isinstance(stmt.data.addr, pyvex.IRExpr.Const)
+                        ):
                             # loading from memory - unsupported
                             return False, []
                 break
 
             _l.debug("ConstantResolver: Propagating for %r at %#x.", func, addr)
-            prop = self.project.analyses.Propagator(
-                func=func,
-                only_consts=True,
-                do_binops=True,
+            prop = self.project.analyses.FastConstantPropagation(
+                func,
                 vex_cross_insn_opt=False,
-                completed_funcs=cfg._completed_functions,
                 load_callback=PropagatorLoadCallback(self.project).propagator_load_callback,
-                cache_results=True,
-                key_prefix="cfg_intermediate",
             )
 
             replacements = prop.replacements
             if replacements:
-                block_loc = CodeLocation(block.addr, None)
+                block_loc = CodeLocation(block.addr, tmp_stmt_idx, ins_addr=tmp_ins_addr)
                 tmp_var = vex_vars.VEXTmp(vex_block.next.tmp)
 
                 if exists_in_replacements(replacements, block_loc, tmp_var):
@@ -135,5 +158,18 @@ class ConstantResolver(IndirectJumpResolver):
                         and self._is_target_valid(cfg, resolved_tmp.args[0])
                     ):
                         return True, [resolved_tmp.args[0]]
+                    if isinstance(resolved_tmp, int) and self._is_target_valid(cfg, resolved_tmp):
+                        return True, [resolved_tmp]
 
         return False, []
+
+    @staticmethod
+    def _find_tmp_write_stmt_and_ins(vex_block, tmp: int) -> tuple[int | None, int | None]:
+        stmt_idx = None
+        for idx, stmt in enumerate(reversed(vex_block.statements)):
+            if isinstance(stmt, pyvex.IRStmt.IMark) and stmt_idx is not None:
+                ins_addr = stmt.addr + stmt.delta
+                return stmt_idx, ins_addr
+            if isinstance(stmt, pyvex.IRStmt.WrTmp) and stmt.tmp == tmp:
+                stmt_idx = len(vex_block.statements) - idx - 1
+        return None, None

angr/analyses/cfg/indirect_jump_resolvers/default_resolvers.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 import cle
+from angr.analyses.cfg.indirect_jump_resolvers import MemoryLoadResolver
 
 from . import MipsElfFastResolver
 from . import X86ElfPicPltResolver
@@ -19,6 +20,9 @@ DEFAULT_RESOLVERS = {
         cle.PE: [
             X86PeIatResolver,
         ],
+        cle.XBE: [
+            X86PeIatResolver,
+        ],
     },
     "AMD64": {
         cle.MetaELF: [
@@ -54,7 +58,7 @@ DEFAULT_RESOLVERS = {
             ArmElfFastResolver,
         ]
     },
-    "ALL": [JumpTableResolver, ConstantResolver],
+    "ALL": [MemoryLoadResolver, JumpTableResolver, ConstantResolver],
 }
 
 

angr/analyses/cfg/indirect_jump_resolvers/jumptable.py

@@ -10,6 +10,7 @@ import functools
 import pyvex
 import claripy
 from archinfo.arch_arm import is_arm_arch
+from claripy.annotation import UninitializedAnnotation
 
 from angr import sim_options as o
 from angr import BP, BP_BEFORE, BP_AFTER
@@ -144,20 +145,22 @@ class ConstantValueManager:
 
     __slots__ = (
         "func",
+        "indirect_jump_addr",
         "kb",
         "mapping",
         "project",
     )
 
-    def __init__(self, project: Project, kb, func: Function):
+    def __init__(self, project: Project, kb, func: Function, ij_addr: int):
         self.project = project
         self.kb = kb
         self.func = func
+        self.indirect_jump_addr = ij_addr
 
         self.mapping: dict[Any, dict[Any, claripy.ast.Base]] | None = None
 
     def reg_read_callback(self, state: SimState):
-        if not self.mapping:
+        if self.mapping is None:
             self._build_mapping()
             assert self.mapping is not None
 
@@ -168,18 +171,54 @@ class ConstantValueManager:
                 reg_read_offset = reg_read_offset.args[0]
             variable = VEXReg(reg_read_offset, state.inspect.reg_read_length)
             if variable in self.mapping[codeloc]:
-                state.inspect.reg_read_expr = self.mapping[codeloc][variable]
+                v = self.mapping[codeloc][variable]
+                if isinstance(v, int):
+                    v = claripy.BVV(v, state.inspect.reg_read_length * state.arch.byte_width)
+                state.inspect.reg_read_expr = v
 
     def _build_mapping(self):
         # constant propagation
-        l.debug("JumpTable: Propagating for %r.", self.func)
-        prop = self.project.analyses[PropagatorAnalysis].prep()(
-            func=self.func,
-            only_consts=True,
+        l.debug("JumpTable: Propagating for %r at %#x.", self.func, self.indirect_jump_addr)
+
+        # determine blocks to run FCP on
+
+        # - include at most three levels of successors from the entrypoint
+        startpoint = self.func.startpoint
+        blocks = set()
+        succs = [startpoint]
+        for _ in range(3):
+            new_succs = []
+            for node in succs:
+                if node in blocks:
+                    continue
+                blocks.add(node)
+                if node.addr == self.indirect_jump_addr:
+                    # stop at the indirect jump block
+                    continue
+                new_succs += list(self.func.graph.successors(node))
+            succs = new_succs
+            if not succs:
+                break
+
+        # - include at most six levels of predecessors from the indirect jump block
+        ij_block = self.func.get_node(self.indirect_jump_addr)
+        preds = [ij_block]
+        for _ in range(6):
+            new_preds = []
+            for node in preds:
+                if node in blocks:
+                    continue
+                blocks.add(node)
+                new_preds += list(self.func.graph.predecessors(node))
+            preds = new_preds
+            if not preds:
+                break
+
+        prop = self.project.analyses.FastConstantPropagation(
+            self.func,
+            blocks=blocks,
             vex_cross_insn_opt=True,
             load_callback=PropagatorLoadCallback(self.project).propagator_load_callback,
-            cache_results=True,
-            key_prefix="cfg_intermediate",
         )
         self.mapping = prop.replacements
 
@@ -853,7 +892,7 @@ class JumpTableResolver(IndirectJumpResolver):
         potential_call_table = jumpkind == "Ijk_Call" or self._sp_moved_up(block) or len(func.block_addrs_set) <= 5
         # we only perform full-function propagation for jump tables or call tables in really small functions
         if not potential_call_table or len(func.block_addrs_set) <= 5:
-            cv_manager = ConstantValueManager(self.project, cfg.kb, func)
+            cv_manager = ConstantValueManager(self.project, cfg.kb, func, addr)
         else:
             cv_manager = None
 
@@ -2131,7 +2170,7 @@ class JumpTableResolver(IndirectJumpResolver):
         read_addr = state.inspect.mem_read_address
         cond = state.inspect.mem_read_condition
 
-        if not isinstance(read_addr, int) and read_addr.uninitialized and cond is None:
+        if not isinstance(read_addr, int) and read_addr.has_annotation_type(UninitializedAnnotation) and cond is None:
             # if this AST has been initialized before, just use the cached addr
             cached_addr = self._cached_memread_addrs.get(read_addr, None)
             if cached_addr is not None:
@@ -2402,6 +2441,3 @@ class JumpTableResolver(IndirectJumpResolver):
         if load_stmt_ids:
             return [load_stmt_ids[-1]]
         return []
-
-
-from angr.analyses.propagator import PropagatorAnalysis

angr/analyses/cfg/indirect_jump_resolvers/memload_resolver.py

@@ -0,0 +1,81 @@
+from __future__ import annotations
+import logging
+
+import pyvex
+
+from .resolver import IndirectJumpResolver
+
+_l = logging.getLogger(name=__name__)
+
+
+class MemoryLoadResolver(IndirectJumpResolver):
+    """
+    Resolve an indirect jump that looks like the following::
+
+    .text:
+                    call    off_3314A8
+
+    .data:
+    off_3314A8      dd offset sub_1E426F
+
+    This indirect jump resolver may not be the best solution for all cases (e.g., when the .data section can be
+    intentionally altered by the binary itself).
+    """
+
+    def __init__(self, project):
+        super().__init__(project, timeless=True)
+
+    def filter(self, cfg, addr, func_addr, block, jumpkind):
+        return jumpkind in {"Ijk_Boring", "Ijk_Call"}
+
+    def resolve(  # pylint:disable=unused-argument
+        self,
+        cfg,
+        addr: int,
+        func_addr: int,
+        block: pyvex.IRSB,
+        jumpkind: str,
+        func_graph_complete: bool = True,
+        **kwargs,
+    ):
+        """
+        :param cfg:         CFG with specified function
+        :param addr:        Address of indirect jump
+        :param func_addr:   Address of function of indirect jump
+        :param block:       Block of indirect jump (Block object)
+        :param jumpkind:    VEX jumpkind (Ijk_Boring or Ijk_Call)
+        :return:            Bool tuple with replacement address
+        """
+        vex_block = block
+        if isinstance(vex_block.next, pyvex.expr.RdTmp):
+            tmp_stmt_idx, tmp_ins_addr = self._find_tmp_write_stmt_and_ins(vex_block, vex_block.next.tmp)
+            if tmp_stmt_idx is None or tmp_ins_addr is None:
+                return False, []
+
+            stmt = vex_block.statements[tmp_stmt_idx]
+            assert isinstance(stmt, pyvex.IRStmt.WrTmp)
+            if (
+                isinstance(stmt.data, pyvex.IRExpr.Load)
+                and isinstance(stmt.data.addr, pyvex.IRExpr.Const)
+                and stmt.data.result_size(vex_block.tyenv) == self.project.arch.bits
+            ):
+                load_addr = stmt.data.addr.con.value
+                try:
+                    value = self.project.loader.memory.unpack_word(load_addr, size=self.project.arch.bytes)
+                    if isinstance(value, int) and self._is_target_valid(cfg, value):
+                        return True, [value]
+                except KeyError:
+                    return False, []
+
+        return False, []
+
+    @staticmethod
+    def _find_tmp_write_stmt_and_ins(vex_block, tmp: int) -> tuple[int | None, int | None]:
+        stmt_idx = None
+        for idx, stmt in enumerate(reversed(vex_block.statements)):
+            if isinstance(stmt, pyvex.IRStmt.IMark) and stmt_idx is not None:
+                ins_addr = stmt.addr + stmt.delta
+                return stmt_idx, ins_addr
+            if isinstance(stmt, pyvex.IRStmt.WrTmp) and stmt.tmp == tmp:
+                stmt_idx = len(vex_block.statements) - idx - 1
+        return None, None