angr 9.2.134__py3-none-manylinux2014_aarch64.whl → 9.2.136__py3-none-manylinux2014_aarch64.whl

angr/analyses/cfg/indirect_jump_resolvers/propagator_utils.py

@@ -10,7 +10,7 @@ class PropagatorLoadCallback:
     def __init__(self, project):
         self.project = project
 
-    def propagator_load_callback(self, addr, size) -> bool:  # pylint:disable=unused-argument
+    def propagator_load_callback(self, addr: claripy.ast.BV | int, size: int) -> bool:  # pylint:disable=unused-argument
         # only allow loading if the address falls into a read-only region
         if isinstance(addr, claripy.ast.BV) and addr.op == "BVV":
             addr_v = addr.args[0]
@@ -19,9 +19,28 @@ class PropagatorLoadCallback:
         else:
             return False
         section = self.project.loader.find_section_containing(addr_v)
+        segment = None
         if section is not None:
-            return section.is_readable and not section.is_writable
-        segment = self.project.loader.find_segment_containing(addr_v)
-        if segment is not None:
-            return segment.is_readable and not segment.is_writable
+            if section.is_readable and not section.is_writable:
+                # read-only section
+                return True
+        else:
+            segment = self.project.loader.find_segment_containing(addr_v)
+            if segment is not None and segment.is_readable and not segment.is_writable:
+                # read-only segment
+                return True
+
+        if (size == self.project.arch.bytes and (section is not None and section.is_readable)) or (
+            segment is not None and segment.is_readable
+        ):
+            # memory is mapped and readable. does it contain a valid address?
+            try:
+                target_addr = self.project.loader.memory.unpack_word(
+                    addr_v, size=size, endness=self.project.arch.memory_endness
+                )
+                if target_addr >= 0x1000 and self.project.loader.find_object_containing(target_addr) is not None:
+                    return True
+            except KeyError:
+                return False
+
         return False

angr/analyses/cfg/indirect_jump_resolvers/x86_pe_iat.py

@@ -3,7 +3,6 @@ import logging
 
 from capstone.x86_const import X86_OP_MEM
 
-from angr.simos import SimWindows
 from .resolver import IndirectJumpResolver
 
 l = logging.getLogger(name=__name__)
@@ -11,16 +10,14 @@ l = logging.getLogger(name=__name__)
 
 class X86PeIatResolver(IndirectJumpResolver):
     """
-    A timeless indirect jump resolver for IAT in x86 PEs.
+    A timeless indirect jump resolver for IAT in x86 PEs and xbes.
     """
 
     def __init__(self, project):
         super().__init__(project, timeless=True)
 
     def filter(self, cfg, addr, func_addr, block, jumpkind):
-        if not isinstance(self.project.simos, SimWindows):
-            return False
-        if jumpkind != "Ijk_Call":
+        if jumpkind not in {"Ijk_Call", "Ijk_Boring"}:  # both call and jmp
             return False
 
         insns = self.project.factory.block(addr).capstone.insns

angr/analyses/complete_calling_conventions.py

@@ -7,6 +7,7 @@ import threading
 import time
 import logging
 from collections import defaultdict
+from enum import Enum
 
 import networkx
 
@@ -16,7 +17,7 @@ from angr.utils.graph import GraphUtils
 from angr.simos import SimWindows
 from angr.utils.mp import mp_context, Initializer
 from angr.knowledge_plugins.cfg import CFGModel
-from . import Analysis, register_analysis, VariableRecoveryFast, CallingConventionAnalysis
+from . import Analysis, register_analysis, VariableRecoveryFast, CallingConventionAnalysis, FactCollector
 
 if TYPE_CHECKING:
     from angr.calling_conventions import SimCC
@@ -30,6 +31,18 @@ _l = logging.getLogger(name=__name__)
 _mp_context = mp_context()
 
 
+class CallingConventionAnalysisMode(Enum):
+    """
+    The mode of calling convention analysis.
+
+    FAST: Using FactCollector to collect facts, then use facts for calling convention analysis.
+    VARIABLES: Using variables in VariableManager for calling convention analysis.
+    """
+
+    FAST = "fast"
+    VARIABLES = "variables"
+
+
 class CompleteCallingConventionsAnalysis(Analysis):
     """
     Implements full-binary calling convention analysis. During the initial analysis of a binary, you may set
@@ -39,6 +52,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
 
     def __init__(
         self,
+        mode: CallingConventionAnalysisMode = CallingConventionAnalysisMode.FAST,
         recover_variables=False,
         low_priority=False,
         force=False,
@@ -71,6 +85,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
         :param workers:             Number of multiprocessing workers.
         """
 
+        self.mode = mode
         self._recover_variables = recover_variables
         self._low_priority = low_priority
         self._force = force
@@ -88,6 +103,10 @@ class CompleteCallingConventionsAnalysis(Analysis):
         self._func_graphs = func_graphs if func_graphs else {}
         self.prototype_libnames: set[str] = set()
 
+        # sanity check
+        if self.mode not in {CallingConventionAnalysisMode.FAST, CallingConventionAnalysisMode.VARIABLES}:
+            raise ValueError(f"Invalid calling convention analysis mode {self.mode}.")
+
         self._func_addrs = []  # a list that holds addresses of all functions to be analyzed
         self._results = []
         if workers > 0:
@@ -322,7 +341,11 @@ class CompleteCallingConventionsAnalysis(Analysis):
                 self.kb.variables.get_function_manager(func_addr),
             )
 
-        if self._recover_variables and self.function_needs_variable_recovery(func):
+        if (
+            self.mode == CallingConventionAnalysisMode.VARIABLES
+            and self._recover_variables
+            and self.function_needs_variable_recovery(func)
+        ):
             # special case: we don't have a PCode-engine variable recovery analysis for PCode architectures!
             if ":" in self.project.arch.name and self._func_graphs and func.addr in self._func_graphs:
                 # this is a pcode architecture
@@ -341,9 +364,15 @@ class CompleteCallingConventionsAnalysis(Analysis):
                 )
                 return None, None, None, None
 
+        kwargs = {}
+        if self.mode == CallingConventionAnalysisMode.FAST:
+            facts = self.project.analyses[FactCollector].prep(kb=self.kb)(func)
+            kwargs["input_args"] = facts.input_args
+            kwargs["retval_size"] = facts.retval_size
+
         # determine the calling convention of each function
         cc_analysis = self.project.analyses[CallingConventionAnalysis].prep(kb=self.kb)(
-            func, cfg=self._cfg, analyze_callsites=self._analyze_callsites
+            func, cfg=self._cfg, analyze_callsites=self._analyze_callsites, **kwargs
         )
 
         if cc_analysis.cc is not None:

angr/analyses/congruency_check.py

@@ -3,6 +3,8 @@ import logging
 
 import claripy
 
+from angr.errors import AngrIncongruencyError
+from angr.analyses import AnalysesHub
 from . import Analysis
 
 l = logging.getLogger(name=__name__)
@@ -372,7 +374,4 @@ class CongruencyCheck(Analysis):
         return True
 
 
-from angr.errors import AngrIncongruencyError
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("CongruencyCheck", CongruencyCheck)

angr/analyses/data_dep/data_dependency_analysis.py

@@ -9,7 +9,7 @@ from typing import TYPE_CHECKING
 from networkx import DiGraph
 
 import claripy
-from claripy.ast.bv import BV
+from claripy.ast import BV
 from .dep_nodes import DepNodeTypes, ConstantDepNode, MemDepNode, VarDepNode, RegDepNode, TmpDepNode
 from .sim_act_location import SimActLocation, DEFAULT_LOCATION, ParsedInstruction
 from angr.analyses import Analysis
@@ -173,7 +173,7 @@ class DataDependencyGraphAnalysis(Analysis):
         self,
         type_: int,
         sim_act: SimActionData,
-        val: tuple[BV, int],
+        val: tuple[claripy.ast.BV, int],
         *constructor_params,
     ) -> BaseDepNode:
         """

angr/analyses/ddg.py

@@ -6,8 +6,7 @@ import claripy
 import networkx
 import pyvex
 
-from . import Analysis
-
+from angr.analyses import Analysis, AnalysesHub
 from angr.code_location import CodeLocation
 from angr.errors import SimSolverModeError, SimUnsatError, AngrDDGError
 from angr.sim_variable import (
@@ -1668,6 +1667,4 @@ class DDG(Analysis):
         return sources
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("DDG", DDG)

angr/analyses/decompiler/ail_simplifier.py

@@ -216,7 +216,7 @@ class AILSimplifier(Analysis):
         self._reaching_definitions = rd
         return rd
 
-    def _compute_propagation(self, immediate_stmt_removal: bool = False) -> SPropagatorAnalysis:
+    def _compute_propagation(self) -> SPropagatorAnalysis:
         # Propagate expressions or return the existing result
         if self._propagator is not None:
             return self._propagator
@@ -225,7 +225,6 @@ class AILSimplifier(Analysis):
             func_graph=self.func_graph,
             # gp=self._gp,
             only_consts=self._only_consts,
-            immediate_stmt_removal=immediate_stmt_removal,
         )
         self._propagator = prop
         return prop
@@ -354,7 +353,7 @@ class AILSimplifier(Analysis):
     ):
         repeat = False
         narrowable_phivarids = set()
-        for def_vvarid, (_, narrow_info) in narrowing_candidates.items():
+        for def_vvarid in narrowing_candidates:
             if def_vvarid in blacklist_varids:
                 continue
             if def_vvarid in rd.phi_vvar_ids:
@@ -591,7 +590,7 @@ class AILSimplifier(Analysis):
         """
 
         # propagator
-        propagator = self._compute_propagation(immediate_stmt_removal=True)
+        propagator = self._compute_propagation()
         replacements = propagator.replacements
 
         # take replacements and rebuild the corresponding blocks

angr/analyses/decompiler/clinic.py

@@ -527,6 +527,9 @@ class Clinic(Analysis):
         # TODO: Totally remove this dict
         self._blocks_by_addr_and_size = None
 
+        # Rust-specific; only call this on Rust binaries when we can identify language and compiler
+        ail_graph = self._rewrite_rust_probestack_call(ail_graph)
+
         # Make call-sites
         self._update_progress(50.0, text="Making callsites")
         _, stackarg_offsets, removed_vvar_ids = self._make_callsites(ail_graph, stack_pointer_tracker=spt)
@@ -1010,13 +1013,15 @@ class Clinic(Analysis):
                 if node is None:
                     continue
                 successors = self._cfg.get_successors(node, excluding_fakeret=True, jumpkind="Ijk_Call")
-                if len(successors) == 1 and not isinstance(
-                    self.project.hooked_by(successors[0].addr), UnresolvableCallTarget
-                ):
-                    # found a single successor - replace the last statement
-                    new_last_stmt = last_stmt.copy()
-                    new_last_stmt.target = ailment.Expr.Const(None, None, successors[0].addr, last_stmt.target.bits)
-                    block.statements[-1] = new_last_stmt
+                if len(successors) == 1:
+                    succ_addr = successors[0].addr
+                    if not self.project.is_hooked(succ_addr) or not isinstance(
+                        self.project.hooked_by(successors[0].addr), UnresolvableCallTarget
+                    ):
+                        # found a single successor - replace the last statement
+                        new_last_stmt = last_stmt.copy()
+                        new_last_stmt.target = ailment.Expr.Const(None, None, successors[0].addr, last_stmt.target.bits)
+                        block.statements[-1] = new_last_stmt
 
             elif isinstance(last_stmt, ailment.Stmt.Jump) and not isinstance(last_stmt.target, ailment.Expr.Const):
                 # indirect jump
@@ -2732,6 +2737,36 @@ class Clinic(Analysis):
 
         return extra_regs
 
+    def _rewrite_rust_probestack_call(self, ail_graph):
+        for node in ail_graph:
+            if not node.statements or ail_graph.out_degree[node] != 1:
+                continue
+            last_stmt = node.statements[-1]
+            if isinstance(last_stmt, ailment.Stmt.Call) and isinstance(last_stmt.target, ailment.Expr.Const):
+                func = (
+                    self.project.kb.functions.get_by_addr(last_stmt.target.value)
+                    if self.project.kb.functions.contains_addr(last_stmt.target.value)
+                    else None
+                )
+                if func is not None and func.info.get("is_rust_probestack", False) is True:
+                    # get rid of this call
+                    node.statements = node.statements[:-1]
+                    if self.project.arch.call_pushes_ret and node.statements:
+                        last_stmt = node.statements[-1]
+                        succ = next(iter(ail_graph.successors(node)))
+                        if (
+                            isinstance(last_stmt, ailment.Stmt.Store)
+                            and isinstance(last_stmt.addr, ailment.Expr.StackBaseOffset)
+                            and isinstance(last_stmt.addr.offset, int)
+                            and last_stmt.addr.offset < 0
+                            and isinstance(last_stmt.data, ailment.Expr.Const)
+                            and last_stmt.data.value == succ.addr
+                        ):
+                            # remove the statement that pushes the return address
+                            node.statements = node.statements[:-1]
+                    break
+        return ail_graph
+
     def _rewrite_alloca(self, ail_graph):
         # pylint:disable=too-many-boolean-expressions
         alloca_node = None

angr/analyses/decompiler/optimization_passes/duplication_reverter/ail_merge_graph.py

@@ -304,7 +304,7 @@ class AILMergeGraph:
         end_pair_map = {}
         end_pairs = set()
         merge_to_end_pair = {}
-        for split, sblocks in self.merge_blocks_to_originals.items():
+        for sblocks in self.merge_blocks_to_originals.values():
             for sblock in sblocks:
                 if isinstance(sblock, AILBlockSplit) and sblock.original in self.merge_blocks_to_originals:
                     deletable_blocks.add(sblock.original)
@@ -429,7 +429,7 @@ class AILMergeGraph:
                     self.original_split_blocks[updated] = self.original_split_blocks[k]
                     del self.original_split_blocks[k]
 
-            for k, v in self.original_split_blocks.items():
+            for v in self.original_split_blocks.values():
                 for sblock in v:
                     for attr in ["up_split", "match_split", "down_split"]:
                         if getattr(sblock, attr) == original:

angr/analyses/decompiler/optimization_passes/duplication_reverter/duplication_reverter.py

@@ -167,7 +167,7 @@ class DuplicationReverter(StructuringOptimizationPass):
 
     def _reinsert_merged_candidate(self, ail_merge_graph: AILMergeGraph, candidate: tuple[Block, Block]) -> bool:
         og_succs, og_preds = {}, {}
-        for block, original_blocks in ail_merge_graph.original_blocks.items():
+        for original_blocks in ail_merge_graph.original_blocks.values():
             # collect all the old edges
             for og_block in original_blocks:
                 og_succs[og_block] = list(self.write_graph.successors(og_block))
@@ -364,7 +364,7 @@ class DuplicationReverter(StructuringOptimizationPass):
             new_nodes[node] = new_node
 
         # fixup every single jump target (before adding them to the graph)
-        for src, dst, data in graph.edges(data=True):
+        for src, dst in graph.edges():
             new_src = new_nodes[src]
             new_dst = new_nodes[dst]
             if new_dst is not dst:

angr/analyses/decompiler/optimization_passes/ite_region_converter.py

@@ -263,7 +263,7 @@ class ITERegionConverter(OptimizationPass):
 
             # is this the statement that we are looking for?
             found_true_src_vvar, found_false_src_vvar = False, False
-            for src, vvar in stmt.src.src_and_vvars:
+            for _src, vvar in stmt.src.src_and_vvars:
                 if vvar is not None:
                     if vvar.varid == true_stmt_dst.varid:
                         found_true_src_vvar = True

angr/analyses/decompiler/optimization_passes/lowered_switch_simplifier.py

@@ -557,7 +557,7 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
                     varhash_to_caselists[v].append((cases, extra_cmp_nodes))
 
         for v, caselists in list(varhash_to_caselists.items()):
-            for idx, (cases, redundant_nodes) in list(enumerate(caselists)):
+            for idx, (cases, _redundant_nodes) in list(enumerate(caselists)):
                 # filter: each case value should only appear once
                 if len({case.value for case in cases}) != len(cases):
                     caselists[idx] = None

angr/analyses/decompiler/optimization_passes/register_save_area_simplifier.py

@@ -13,12 +13,6 @@ from .optimization_pass import OptimizationPass, OptimizationPassStage
 _l = logging.getLogger(name=__name__)
 
 
-def s2u(s, bits):
-    if s > 0:
-        return s
-    return (1 << bits) + s
-
-
 class RegisterSaveAreaSimplifier(OptimizationPass):
     """
     Optimizes away register spilling effects, including callee-saved registers.

angr/analyses/decompiler/optimization_passes/stack_canary_simplifier.py

@@ -5,18 +5,13 @@ import logging
 
 import ailment
 
+from angr.utils.bits import s2u
 from .optimization_pass import OptimizationPass, OptimizationPassStage
 
 
 _l = logging.getLogger(name=__name__)
 
 
-def s2u(s, bits):
-    if s > 0:
-        return s
-    return (1 << bits) + s
-
-
 class StackCanarySimplifier(OptimizationPass):
     """
     Removes stack canary checks from decompilation results.
@@ -149,7 +144,7 @@ class StackCanarySimplifier(OptimizationPass):
                 nodes_to_process.append((pred, canary_check_stmt_idx, stack_chk_fail_caller, ret_node))
 
             # Awesome. Now patch this function.
-            for pred, canary_check_stmt_idx, stack_chk_fail_caller, ret_node in nodes_to_process:
+            for pred, _canary_check_stmt_idx, stack_chk_fail_caller, ret_node in nodes_to_process:
                 # Patch the pred so that it jumps to the one that is not stack_chk_fail_caller
                 pred_copy = pred.copy()
                 pred_copy.statements[-1] = ailment.Stmt.Jump(

angr/analyses/decompiler/optimization_passes/switch_default_case_duplicator.py

@@ -17,12 +17,6 @@ from .optimization_pass import OptimizationPass, OptimizationPassStage
 _l = logging.getLogger(name=__name__)
 
 
-def s2u(s, bits):
-    if s > 0:
-        return s
-    return (1 << bits) + s
-
-
 class SwitchDefaultCaseDuplicator(OptimizationPass):
     """
     For each switch-case construct (identified by jump tables), duplicate the default-case node when we detect

angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py

@@ -13,12 +13,6 @@ from .optimization_pass import OptimizationPass, OptimizationPassStage
 _l = logging.getLogger(name=__name__)
 
 
-def s2u(s, bits):
-    if s > 0:
-        return s
-    return (1 << bits) + s
-
-
 class WinStackCanarySimplifier(OptimizationPass):
     """
     Removes stack canary checks from decompilation results for Windows PE files.

angr/analyses/decompiler/structuring/phoenix.py

@@ -1536,7 +1536,7 @@ class PhoenixStructurer(StructurerBase):
                     full_graph.remove_edge(head, out_dst)
 
                 # fix full_graph if needed: remove successors that are no longer needed
-                for out_src, out_dst in out_edges[1:]:
+                for _out_src, out_dst in out_edges[1:]:
                     if out_dst in full_graph and out_dst not in graph and full_graph.in_degree[out_dst] == 0:
                         full_graph.remove_node(out_dst)
                         if out_dst in self._region.successors:

angr/analyses/disassembly.py

@@ -1,22 +1,24 @@
 from __future__ import annotations
+
+import contextlib
 import logging
 from collections import defaultdict
-from typing import Union, Any
 from collections.abc import Sequence
+from typing import Union, Any
 
 import pyvex
 import archinfo
-from angr.knowledge_plugins import Function
 
 from . import Analysis
 
+from angr.analyses import AnalysesHub
 from angr.errors import AngrTypeError
+from angr.knowledge_plugins import Function
 from angr.utils.library import get_cpp_function_name
 from angr.utils.formatting import ansi_color_enabled, ansi_color, add_edge_to_buffer
 from angr.block import DisassemblerInsn, CapstoneInsn, SootBlockNode
 from angr.codenode import BlockNode
 from .disassembly_utils import decode_instruction
-import contextlib
 
 try:
     from angr.engines import pcode
@@ -1295,6 +1297,4 @@ class Disassembly(Analysis):
         return "\n".join(buf)
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("Disassembly", Disassembly)

angr/analyses/fcp/__init__.py

@@ -0,0 +1,4 @@
+from __future__ import annotations
+from .fcp import FastConstantPropagation
+
+__all__ = ["FastConstantPropagation"]