angr 9.2.134__py3-none-win_amd64.whl → 9.2.136__py3-none-win_amd64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.134"
+__version__ = "9.2.136"
 
 if bytes is str:
     raise Exception(

angr/analyses/__init__.py

@@ -1,13 +1,7 @@
 # " pylint:disable=wrong-import-position
 from __future__ import annotations
 
-from .analysis import Analysis, AnalysesHub
-
-
-def register_analysis(cls, name):
-    AnalysesHub.register_default(name, cls)
-
-
+from .analysis import Analysis, AnalysesHub, register_analysis
 from .forward_analysis import ForwardAnalysis, visitors
 from .propagator import PropagatorAnalysis
 from .cfg import CFGFast, CFGEmulated, CFG, CFGArchOptions, CFGFastSoot
@@ -30,7 +24,7 @@ from .variable_recovery import VariableRecovery, VariableRecoveryFast
 from .identifier import Identifier
 from .callee_cleanup_finder import CalleeCleanupFinder
 from .reaching_definitions import ReachingDefinitionsAnalysis
-from .calling_convention import CallingConventionAnalysis
+from .calling_convention import CallingConventionAnalysis, FactCollector
 from .code_tagging import CodeTagging
 from .stack_pointer_tracker import StackPointerTracker
 from .dominance_frontier import DominanceFrontier
@@ -54,6 +48,7 @@ from .patchfinder import PatchFinderAnalysis
 from .pathfinder import Pathfinder
 from .smc import SelfModifyingCodeAnalysis
 from .unpacker import PackingDetector
+from .fcp import FastConstantPropagation
 from . import deobfuscator
 
 
@@ -84,6 +79,8 @@ __all__ = (
     "Decompiler",
     "Disassembly",
     "DominanceFrontier",
+    "FactCollector",
+    "FastConstantPropagation",
     "FlirtAnalysis",
     "ForwardAnalysis",
     "Identifier",

angr/analyses/analysis.py

@@ -409,3 +409,7 @@ class Analysis:
 
 default_analyses = VendorPreset()
 AnalysesHub.register_preset("default", default_analyses)
+
+
+def register_analysis(cls, name):
+    AnalysesHub.register_default(name, cls)

angr/analyses/backward_slice.py

@@ -6,6 +6,7 @@ import networkx
 import pyvex
 from . import Analysis
 
+from angr.analyses import AnalysesHub
 from angr.code_location import CodeLocation
 from angr.annocfg import AnnotatedCFG
 from angr.errors import AngrBackwardSlicingError
@@ -682,6 +683,4 @@ class BackwardSlice(Analysis):
         return cmp_stmt_id, cmp_tmp_id
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("BackwardSlice", BackwardSlice)

angr/analyses/binary_optimizer.py

@@ -4,6 +4,7 @@ import re
 from typing import TYPE_CHECKING
 from collections import defaultdict
 
+from angr.analyses import AnalysesHub
 from angr.knowledge_base import KnowledgeBase
 from angr.codenode import HookNode
 from angr.sim_variable import SimConstantVariable, SimRegisterVariable, SimMemoryVariable, SimStackVariable
@@ -430,7 +431,7 @@ class BinaryOptimizer(Analysis):
 
         # find out all call instructions
         call_insns = set()
-        for src, dst, data in function.transition_graph.edges(data=True):
+        for src, _dst, data in function.transition_graph.edges(data=True):
             if "type" in data and data["type"] == "call":
                 src_block = function._get_block(src.addr)
                 call_insns.add(src_block.instruction_addrs[-1])
@@ -460,7 +461,7 @@ class BinaryOptimizer(Analysis):
         # make sure we never gets the address of those stack variables into any register
         # say, lea edx, [ebp-0x4] is forbidden
         # check all edges in data graph
-        for src, dst, data in data_graph.edges(data=True):
+        for src, dst in data_graph.edges():
             if (
                 isinstance(dst.variable, SimRegisterVariable)
                 and dst.variable.reg != ebp_offset
@@ -666,6 +667,4 @@ class BinaryOptimizer(Analysis):
                 self.dead_assignments.append(da)
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("BinaryOptimizer", BinaryOptimizer)

angr/analyses/bindiff.py

@@ -3,17 +3,17 @@ import logging
 import math
 import types
 from collections import deque, defaultdict
+from typing import TYPE_CHECKING
 
 import networkx
 
-from typing import TYPE_CHECKING
+from angr.analyses import AnalysesHub, Analysis, CFGEmulated
+from angr.errors import SimEngineError, SimMemoryError
+
 
 if TYPE_CHECKING:
     from angr.knowledge_plugins import Function
 
-from . import Analysis, CFGEmulated
-
-from angr.errors import SimEngineError, SimMemoryError
 
 # todo include an explanation of the algorithm
 # todo include a method that detects any change other than constants
@@ -1234,6 +1234,4 @@ class BinDiff(Analysis):
         return matches
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("BinDiff", BinDiff)

angr/analyses/boyscout.py

@@ -6,7 +6,7 @@ from collections import defaultdict
 from archinfo import all_arches
 from archinfo.arch_arm import is_arm_arch
 
-from . import Analysis
+from angr.analyses import AnalysesHub, Analysis
 
 
 l = logging.getLogger(name=__name__)
@@ -73,6 +73,4 @@ class BoyScout(Analysis):
         l.debug("The architecture should be %s with %s", self.arch, self.endianness)
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("BoyScout", BoyScout)

angr/analyses/callee_cleanup_finder.py

@@ -1,9 +1,11 @@
 from __future__ import annotations
-from . import Analysis
-from angr import SIM_PROCEDURES
 
 import logging
 
+from angr import SIM_PROCEDURES
+from angr.analyses import AnalysesHub, Analysis
+
+
 l = logging.getLogger(name=__name__)
 
 
@@ -69,6 +71,4 @@ class CalleeCleanupFinder(Analysis):
         return None
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("CalleeCleanupFinder", CalleeCleanupFinder)

angr/analyses/calling_convention/__init__.py

@@ -0,0 +1,6 @@
+from __future__ import annotations
+from .calling_convention import CallingConventionAnalysis
+from .fact_collector import FactCollector
+
+
+__all__ = ["CallingConventionAnalysis", "FactCollector"]

angr/analyses/{calling_convention.py → calling_convention/calling_convention.py}

@@ -9,7 +9,6 @@ import capstone
 
 from pyvex.stmt import Put
 from pyvex.expr import RdTmp
-from archinfo.arch_arm import is_arm_arch, ArchARMHF
 import ailment
 
 from angr.code_location import ExternalCodeLocation
@@ -35,8 +34,9 @@ from angr.knowledge_plugins.variables.variable_access import VariableAccessSort
 from angr.knowledge_plugins.functions import Function
 from angr.utils.constants import DEFAULT_STATEMENT
 from angr import SIM_PROCEDURES
-from .reaching_definitions import get_all_definitions
-from . import Analysis, register_analysis, ReachingDefinitionsAnalysis
+from angr.analyses import Analysis, register_analysis, ReachingDefinitionsAnalysis
+from angr.analyses.reaching_definitions import get_all_definitions
+from .utils import is_sane_register_variable
 
 if TYPE_CHECKING:
     from angr.knowledge_plugins.cfg import CFGModel
@@ -95,6 +95,8 @@ class CallingConventionAnalysis(Analysis):
         callsite_block_addr: int | None = None,
         callsite_insn_addr: int | None = None,
         func_graph: networkx.DiGraph | None = None,
+        input_args: list[SimRegArg | SimStackArg] | None = None,
+        retval_size: int | None = None,
     ):
         if func is not None and not isinstance(func, Function):
             func = self.kb.functions[func]
@@ -106,6 +108,15 @@ class CallingConventionAnalysis(Analysis):
         self.callsite_block_addr = callsite_block_addr
         self.callsite_insn_addr = callsite_insn_addr
         self._func_graph = func_graph
+        self._input_args = input_args
+        self._retval_size = retval_size
+
+        if self._retval_size is not None and self._input_args is None:
+            # retval size will be ignored if input_args is not specified - user error?
+            raise TypeError(
+                "input_args must be provided to use retval_size. Otherwise please set both input_args and "
+                "retval_size to None."
+            )
 
         self.cc: SimCC | None = None
         self.prototype: SimTypeFunction | None = None
@@ -308,9 +319,17 @@ class CallingConventionAnalysis(Analysis):
             # we do not analyze SimProcedures or PLT stubs
             return None
 
-        if not self._variable_manager.has_function_manager(self._function.addr):
-            l.warning("Please run variable recovery on %r before analyzing its calling convention.", self._function)
-            return None
+        if self._input_args is None:
+            if not self._variable_manager.has_function_manager(self._function.addr):
+                l.warning("Please run variable recovery on %r before analyzing its calling convention.", self._function)
+                return None
+            vm = self._variable_manager[self._function.addr]
+            retval_size = vm.ret_val_size
+            input_variables = vm.input_variables()
+            input_args = self._args_from_vars(input_variables, vm)
+        else:
+            input_args = self._input_args
+            retval_size = self._retval_size
 
         # check if this function is a variadic function
         if self.project.arch.name == "AMD64":
@@ -319,11 +338,6 @@ class CallingConventionAnalysis(Analysis):
             is_variadic = False
             fixed_args = None
 
-        vm = self._variable_manager[self._function.addr]
-
-        input_variables = vm.input_variables()
-        input_args = self._args_from_vars(input_variables, vm)
-
         # TODO: properly determine sp_delta
         sp_delta = self.project.arch.bytes if self.project.arch.call_pushes_ret else 0
 
@@ -342,7 +356,7 @@ class CallingConventionAnalysis(Analysis):
             args = args[:fixed_args]
 
         # guess the type of the return value -- it's going to be a wild guess...
-        ret_type = self._guess_retval_type(cc, vm.ret_val_size)
+        ret_type = self._guess_retval_type(cc, retval_size)
         if self._function.name == "main" and self.project.arch.bits == 64 and isinstance(ret_type, SimTypeLongLong):
             # hack - main must return an int even in 64-bit binaries
             ret_type = SimTypeInt()
@@ -698,14 +712,14 @@ class CallingConventionAnalysis(Analysis):
                     args.add(arg)
             elif isinstance(variable, SimRegisterVariable):
                 # a register variable, convert it to a register argument
-                if not self._is_sane_register_variable(variable, def_cc=def_cc):
+                if not is_sane_register_variable(self.project.arch, variable.reg, variable.size, def_cc=def_cc):
                     continue
-                reg_name = self.project.arch.translate_register_name(variable.reg, size=variable.size)
                 if self.project.arch.name in {"AMD64", "X86"} and variable.size < self.project.arch.bytes:
                     # use complete registers on AMD64 and X86
                     reg_name = self.project.arch.translate_register_name(variable.reg, size=self.project.arch.bytes)
                     arg = SimRegArg(reg_name, self.project.arch.bytes)
                 else:
+                    reg_name = self.project.arch.translate_register_name(variable.reg, size=variable.size)
                     arg = SimRegArg(reg_name, variable.size)
                 args.add(arg)
 
@@ -748,53 +762,6 @@ class CallingConventionAnalysis(Analysis):
 
         return args.difference(restored_reg_vars)
 
-    def _is_sane_register_variable(self, variable: SimRegisterVariable, def_cc: SimCC | None = None) -> bool:
-        """
-        Filters all registers that are surly not members of function arguments.
-        This can be seen as a workaround, since VariableRecoveryFast sometimes gives input variables of cc_ndep (which
-        is a VEX-specific register) :-(
-
-        :param variable: The variable to test.
-        :return:         True if it is an acceptable function argument, False otherwise.
-        :rtype:          bool
-        """
-
-        arch = self.project.arch
-        arch_name = arch.name
-        if ":" in arch_name:
-            # for pcode architectures, we only leave registers that are known to be used as input arguments
-            if def_cc is not None:
-                return arch.translate_register_name(variable.reg, size=variable.size) in def_cc.ARG_REGS
-            return True
-
-        # VEX
-        if arch_name == "AARCH64":
-            return 16 <= variable.reg < 80  # x0-x7
-
-        if arch_name == "AMD64":
-            return 24 <= variable.reg < 40 or 64 <= variable.reg < 104  # rcx, rdx  # rsi, rdi, r8, r9, r10
-            # 224 <= variable.reg < 480)  # xmm0-xmm7
-
-        if is_arm_arch(arch):
-            if isinstance(arch, ArchARMHF):
-                return 8 <= variable.reg < 24 or 128 <= variable.reg < 160  # r0 - 32  # s0 - s7, or d0 - d4
-            return 8 <= variable.reg < 24  # r0-r3
-
-        if arch_name == "MIPS32":
-            return 24 <= variable.reg < 40  # a0-a3
-
-        if arch_name == "MIPS64":
-            return 48 <= variable.reg < 80 or 112 <= variable.reg < 208  # a0-a3 or t4-t7
-
-        if arch_name == "PPC32":
-            return 28 <= variable.reg < 60  # r3-r10
-
-        if arch_name == "X86":
-            return 8 <= variable.reg < 24 or 160 <= variable.reg < 288  # eax, ebx, ecx, edx  # xmm0-xmm7
-
-        l.critical("Unsupported architecture %s.", arch.name)
-        return True
-
     def _reorder_args(self, args: list[SimRegArg | SimStackArg], cc: SimCC) -> list[SimRegArg | SimStackArg]:
         """
         Reorder arguments according to the calling convention identified.
@@ -956,9 +923,10 @@ class CallingConventionAnalysis(Analysis):
         if not set(spilled_regs).issubset(set(allowed_spilled_regs)):
             return False, None
 
-        for i, reg in enumerate(allowed_spilled_regs):
-            if reg in spilled_regs:
-                break
+        i = next(
+            (i for i, reg in enumerate(allowed_spilled_regs) if reg in spilled_regs),
+            len(allowed_spilled_regs),
+        )
 
         return True, i