angr 9.2.135__py3-none-macosx_11_0_arm64.whl → 9.2.136__py3-none-macosx_11_0_arm64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.135"
+__version__ = "9.2.136"
 
 if bytes is str:
     raise Exception(

angr/analyses/__init__.py

@@ -1,13 +1,7 @@
 # " pylint:disable=wrong-import-position
 from __future__ import annotations
 
-from .analysis import Analysis, AnalysesHub
-
-
-def register_analysis(cls, name):
-    AnalysesHub.register_default(name, cls)
-
-
+from .analysis import Analysis, AnalysesHub, register_analysis
 from .forward_analysis import ForwardAnalysis, visitors
 from .propagator import PropagatorAnalysis
 from .cfg import CFGFast, CFGEmulated, CFG, CFGArchOptions, CFGFastSoot
@@ -54,6 +48,7 @@ from .patchfinder import PatchFinderAnalysis
 from .pathfinder import Pathfinder
 from .smc import SelfModifyingCodeAnalysis
 from .unpacker import PackingDetector
+from .fcp import FastConstantPropagation
 from . import deobfuscator
 
 
@@ -85,6 +80,7 @@ __all__ = (
     "Disassembly",
     "DominanceFrontier",
     "FactCollector",
+    "FastConstantPropagation",
     "FlirtAnalysis",
     "ForwardAnalysis",
     "Identifier",

angr/analyses/analysis.py

@@ -409,3 +409,7 @@ class Analysis:
 
 default_analyses = VendorPreset()
 AnalysesHub.register_preset("default", default_analyses)
+
+
+def register_analysis(cls, name):
+    AnalysesHub.register_default(name, cls)

angr/analyses/backward_slice.py

@@ -6,6 +6,7 @@ import networkx
 import pyvex
 from . import Analysis
 
+from angr.analyses import AnalysesHub
 from angr.code_location import CodeLocation
 from angr.annocfg import AnnotatedCFG
 from angr.errors import AngrBackwardSlicingError
@@ -682,6 +683,4 @@ class BackwardSlice(Analysis):
         return cmp_stmt_id, cmp_tmp_id
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("BackwardSlice", BackwardSlice)

angr/analyses/binary_optimizer.py

@@ -4,6 +4,7 @@ import re
 from typing import TYPE_CHECKING
 from collections import defaultdict
 
+from angr.analyses import AnalysesHub
 from angr.knowledge_base import KnowledgeBase
 from angr.codenode import HookNode
 from angr.sim_variable import SimConstantVariable, SimRegisterVariable, SimMemoryVariable, SimStackVariable
@@ -430,7 +431,7 @@ class BinaryOptimizer(Analysis):
 
         # find out all call instructions
         call_insns = set()
-        for src, dst, data in function.transition_graph.edges(data=True):
+        for src, _dst, data in function.transition_graph.edges(data=True):
             if "type" in data and data["type"] == "call":
                 src_block = function._get_block(src.addr)
                 call_insns.add(src_block.instruction_addrs[-1])
@@ -460,7 +461,7 @@ class BinaryOptimizer(Analysis):
         # make sure we never gets the address of those stack variables into any register
         # say, lea edx, [ebp-0x4] is forbidden
         # check all edges in data graph
-        for src, dst, data in data_graph.edges(data=True):
+        for src, dst in data_graph.edges():
             if (
                 isinstance(dst.variable, SimRegisterVariable)
                 and dst.variable.reg != ebp_offset
@@ -666,6 +667,4 @@ class BinaryOptimizer(Analysis):
                 self.dead_assignments.append(da)
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("BinaryOptimizer", BinaryOptimizer)

angr/analyses/bindiff.py

@@ -3,17 +3,17 @@ import logging
 import math
 import types
 from collections import deque, defaultdict
+from typing import TYPE_CHECKING
 
 import networkx
 
-from typing import TYPE_CHECKING
+from angr.analyses import AnalysesHub, Analysis, CFGEmulated
+from angr.errors import SimEngineError, SimMemoryError
+
 
 if TYPE_CHECKING:
     from angr.knowledge_plugins import Function
 
-from . import Analysis, CFGEmulated
-
-from angr.errors import SimEngineError, SimMemoryError
 
 # todo include an explanation of the algorithm
 # todo include a method that detects any change other than constants
@@ -1234,6 +1234,4 @@ class BinDiff(Analysis):
         return matches
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("BinDiff", BinDiff)

angr/analyses/boyscout.py

@@ -6,7 +6,7 @@ from collections import defaultdict
 from archinfo import all_arches
 from archinfo.arch_arm import is_arm_arch
 
-from . import Analysis
+from angr.analyses import AnalysesHub, Analysis
 
 
 l = logging.getLogger(name=__name__)
@@ -73,6 +73,4 @@ class BoyScout(Analysis):
         l.debug("The architecture should be %s with %s", self.arch, self.endianness)
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("BoyScout", BoyScout)

angr/analyses/callee_cleanup_finder.py

@@ -1,9 +1,11 @@
 from __future__ import annotations
-from . import Analysis
-from angr import SIM_PROCEDURES
 
 import logging
 
+from angr import SIM_PROCEDURES
+from angr.analyses import AnalysesHub, Analysis
+
+
 l = logging.getLogger(name=__name__)
 
 
@@ -69,6 +71,4 @@ class CalleeCleanupFinder(Analysis):
         return None
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("CalleeCleanupFinder", CalleeCleanupFinder)

angr/analyses/calling_convention/calling_convention.py

@@ -923,9 +923,10 @@ class CallingConventionAnalysis(Analysis):
         if not set(spilled_regs).issubset(set(allowed_spilled_regs)):
             return False, None
 
-        for i, reg in enumerate(allowed_spilled_regs):
-            if reg in spilled_regs:
-                break
+        i = next(
+            (i for i, reg in enumerate(allowed_spilled_regs) if reg in spilled_regs),
+            len(allowed_spilled_regs),
+        )
 
         return True, i
 

angr/analyses/calling_convention/fact_collector.py

@@ -297,7 +297,6 @@ class FactCollector(Analysis):
         try:
             arg_locs = func.calling_convention.arg_locs(func.prototype)
         except (TypeError, ValueError):
-            func.prototype = None
             return
 
         if None in arg_locs:

angr/analyses/cdg.py

@@ -3,6 +3,7 @@ import logging
 
 import networkx
 
+from angr.analyses import AnalysesHub
 from angr.utils.graph import compute_dominance_frontier, PostDominators, TemporaryNode
 from . import Analysis
 
@@ -185,6 +186,4 @@ class CDG(Analysis):
                     _l.debug("%s is not in post dominator dict.", b2)
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("CDG", CDG)

angr/analyses/cfg/cfb.py

@@ -6,9 +6,9 @@ from collections.abc import Callable
 import cle
 from cle.backends.externs import KernelObject, ExternObject
 from cle.backends.tls.elf_tls import ELFTLSObject
-
 from sortedcontainers import SortedDict
 
+from angr.analyses import AnalysesHub
 from angr.knowledge_plugins.cfg.memory_data import MemoryDataSort, MemoryData
 from angr.analyses.analysis import Analysis
 
@@ -424,7 +424,5 @@ class CFBlanket(Analysis):
                 addr = max_addr
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("CFB", CFBlanket)
 AnalysesHub.register_default("CFBlanket", CFBlanket)

angr/analyses/cfg/cfg.py

@@ -1,6 +1,8 @@
 from __future__ import annotations
+
 import sys
 
+from angr.analyses import AnalysesHub
 from .cfg_fast import CFGFast
 
 
@@ -69,6 +71,4 @@ class CFG(CFGFast):  # pylint: disable=abstract-method
         CFGFast.__init__(self, **kwargs)
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("CFG", CFG)

angr/analyses/cfg/cfg_base.py

@@ -1570,13 +1570,13 @@ class CFGBase(Analysis):
         # TODO: Is it required that PLT stubs are always aligned by 16? If so, on what architectures and platforms is it
         # TODO:  enforced?
 
-        tmp_functions = self.kb.functions.copy()
+        tmp_functions = self.kb.functions
 
         for function in tmp_functions.values():
             function.mark_nonreturning_calls_endpoints()
             if function.returning is False:
                 # remove all FakeRet edges that are related to this function
-                func_node = self.model.get_any_node(function.addr)
+                func_node = self.model.get_any_node(function.addr, force_fastpath=True)
                 if func_node is not None:
                     callsite_nodes = [
                         src
@@ -1588,8 +1588,8 @@ class CFGBase(Analysis):
                             if data.get("jumpkind", None) == "Ijk_FakeRet":
                                 self.graph.remove_edge(callsite_node, dst)
 
-        # Clear old functions dict
-        self.kb.functions.clear()
+        # Clear old functions dict by creating a new function manager
+        self.kb.functions = FunctionManager(self.kb)
 
         blockaddr_to_function = {}
         traversed_cfg_nodes = set()
@@ -1602,7 +1602,7 @@ class CFGBase(Analysis):
             if jumpkind == "Ijk_Call" or jumpkind.startswith("Ijk_Sys"):
                 function_nodes.add(dst)
 
-        entry_node = self.model.get_any_node(self._binary.entry)
+        entry_node = self.model.get_any_node(self._binary.entry, force_fastpath=True)
         if entry_node is not None:
             function_nodes.add(entry_node)
 
@@ -1663,7 +1663,7 @@ class CFGBase(Analysis):
         secondary_function_nodes = set()
         # add all function chunks ("functions" that are not called from anywhere)
         for func_addr in tmp_functions:
-            node = self.model.get_any_node(func_addr)
+            node = self.model.get_any_node(func_addr, force_fastpath=True)
             if node is None:
                 continue
             if node.addr not in blockaddr_to_function:
@@ -1992,8 +1992,8 @@ class CFGBase(Analysis):
                 if not transition_found:
                     continue
 
-                cfgnode_0 = self.model.get_any_node(block_node.addr)
-                cfgnode_1 = self.model.get_any_node(addr_1)
+                cfgnode_0 = self.model.get_any_node(block_node.addr, force_fastpath=True)
+                cfgnode_1 = self.model.get_any_node(addr_1, force_fastpath=True)
 
                 if cfgnode_0 is None or cfgnode_1 is None:
                     continue
@@ -2089,7 +2089,7 @@ class CFGBase(Analysis):
                 continue
             if func_addr in jumptable_entries:
                 # is there any call edge pointing to it?
-                func_node = self.get_any_node(func_addr)
+                func_node = self.get_any_node(func_addr, force_fastpath=True)
                 if func_node is not None:
                     in_edges = self.graph.in_edges(func_node, data=True)
                     has_transition_pred = None
@@ -2128,7 +2128,7 @@ class CFGBase(Analysis):
         else:
             is_syscall = self.project.simos.is_syscall_addr(addr)
 
-            n = self.model.get_any_node(addr, is_syscall=is_syscall)
+            n = self.model.get_any_node(addr, is_syscall=is_syscall, force_fastpath=True)
             node = addr if n is None else self._to_snippet(n)
 
             if isinstance(addr, SootAddressDescriptor):
@@ -2304,7 +2304,7 @@ class CFGBase(Analysis):
         src_function = self._addr_to_function(src_addr, blockaddr_to_function, known_functions)
 
         if src_addr not in src_function.block_addrs_set:
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             node = src_addr if n is None else self._to_snippet(n)
             self.kb.functions._add_node(src_function.addr, node)
 
@@ -2315,7 +2315,7 @@ class CFGBase(Analysis):
         jumpkind = data["jumpkind"]
 
         if jumpkind == "Ijk_Ret":
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             from_node = src_addr if n is None else self._to_snippet(n)
             self.kb.functions._add_return_from(src_function.addr, from_node, None)
 
@@ -2334,7 +2334,7 @@ class CFGBase(Analysis):
             # It must be calling a function
             dst_function = self._addr_to_function(dst_addr, blockaddr_to_function, known_functions)
 
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             if n is None:
                 src_snippet = self._to_snippet(addr=src_addr, base_state=self._base_state)
             else:
@@ -2349,21 +2349,12 @@ class CFGBase(Analysis):
             else:
                 fakeret_node = self._one_fakeret_node(all_edges)
 
-            fakeret_snippet = None if fakeret_node is None else self._to_snippet(cfg_node=fakeret_node)
-
             if isinstance(dst_addr, SootAddressDescriptor):
                 dst_addr = dst_addr.method
 
-            self.kb.functions._add_call_to(
-                src_function.addr,
-                src_snippet,
-                dst_addr,
-                fakeret_snippet,
-                syscall=is_syscall,
-                ins_addr=ins_addr,
-                stmt_idx=stmt_idx,
-            )
-
+            # determining the returning target
+            return_to_outside = False
+            returning_snippet = None
             if dst_function.returning and fakeret_node is not None:
                 returning_target = src.addr + src.size
                 if returning_target not in blockaddr_to_function:
@@ -2372,9 +2363,9 @@ class CFGBase(Analysis):
                     else:
                         self._addr_to_function(returning_target, blockaddr_to_function, known_functions)
 
-                to_outside = blockaddr_to_function[returning_target] is not src_function
+                return_to_outside = blockaddr_to_function[returning_target] is not src_function
 
-                n = self.model.get_any_node(returning_target)
+                n = self.model.get_any_node(returning_target, force_fastpath=True)
                 if n is None:
                     try:
                         returning_snippet = self._to_snippet(addr=returning_target, base_state=self._base_state)
@@ -2384,17 +2375,28 @@ class CFGBase(Analysis):
                 else:
                     returning_snippet = self._to_snippet(cfg_node=n)
 
-                if returning_snippet is not None:
-                    self.kb.functions._add_fakeret_to(
-                        src_function.addr, src_snippet, returning_snippet, confirmed=True, to_outside=to_outside
-                    )
+            self.kb.functions._add_call_to(
+                src_function.addr,
+                src_snippet,
+                dst_addr,
+                retn_node=returning_snippet,
+                syscall=is_syscall,
+                ins_addr=ins_addr,
+                stmt_idx=stmt_idx,
+                return_to_outside=return_to_outside,
+            )
+
+            if returning_snippet is not None:
+                self.kb.functions._add_fakeret_to(
+                    src_function.addr, src_snippet, returning_snippet, confirmed=True, to_outside=return_to_outside
+                )
 
         elif jumpkind in ("Ijk_Boring", "Ijk_InvalICache", "Ijk_Exception"):
             # convert src_addr and dst_addr to CodeNodes
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             src_node = src_addr if n is None else self._to_snippet(cfg_node=n)
 
-            n = self.model.get_any_node(dst_addr)
+            n = self.model.get_any_node(dst_addr, force_fastpath=True)
             dst_node = dst_addr if n is None else self._to_snippet(cfg_node=n)
 
             if self._skip_unmapped_addrs:
@@ -2460,10 +2462,10 @@ class CFGBase(Analysis):
 
         elif jumpkind == "Ijk_FakeRet":
             # convert src_addr and dst_addr to CodeNodes
-            n = self.model.get_any_node(src_addr)
+            n = self.model.get_any_node(src_addr, force_fastpath=True)
             src_node = src_addr if n is None else self._to_snippet(n)
 
-            n = self.model.get_any_node(dst_addr)
+            n = self.model.get_any_node(dst_addr, force_fastpath=True)
             dst_node = dst_addr if n is None else self._to_snippet(n)
 
             if dst_addr not in blockaddr_to_function:

angr/analyses/cfg/cfg_emulated.py

@@ -2083,7 +2083,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         if src_node_key is None:
             if dst_node is None:
                 raise ValueError("Either src_node_key or dst_node_key must be specified.")
-            self.kb.functions.function(dst_node.function_address, create=True)._register_nodes(True, dst_codenode)
+            self.kb.functions.function(dst_node.function_address, create=True)._register_node(True, dst_codenode)
             return
 
         src_node = self._graph_get_node(src_node_key, terminator_for_nonexistent_node=True)

angr/analyses/cfg/cfg_fast.py

@@ -135,9 +135,9 @@ class PendingJobs:
     A collection of pending jobs during CFG recovery.
     """
 
-    def __init__(self, functions, deregister_job_callback):
+    def __init__(self, kb, deregister_job_callback):
         self._jobs = OrderedDict()  # A mapping between function addresses and lists of pending jobs
-        self._functions = functions
+        self._kb = kb
         self._deregister_job_callback = deregister_job_callback
 
         self._returning_functions = set()
@@ -145,6 +145,10 @@ class PendingJobs:
         # consecutive calls to cleanup().
         self._job_count = 0
 
+    @property
+    def _functions(self):
+        return self._kb.functions
+
     def __len__(self):
         return self._job_count
 
@@ -1316,7 +1320,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         self._known_thunks = self._find_thunks()
 
         # Initialize variables used during analysis
-        self._pending_jobs: PendingJobs = PendingJobs(self.functions, self._deregister_analysis_job)
+        self._pending_jobs: PendingJobs = PendingJobs(self.kb, self._deregister_analysis_job)
         self._traced_addresses: set[int] = {a for a, n in self._nodes_by_addr.items() if n}
         self._function_returns = defaultdict(set)
 
@@ -1498,6 +1502,18 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         pass
 
     def _function_completed(self, func_addr: int):
+        if self.project.arch.name == "AMD64":
+            # determine if the function is __rust_probestack
+            func = self.kb.functions.get_by_addr(func_addr) if self.kb.functions.contains_addr(func_addr) else None
+            if func is not None and len(func.block_addrs_set) == 3:
+                block_bytes = {func.get_block(block_addr).bytes for block_addr in func.block_addrs_set}
+                if block_bytes == {
+                    b"UH\x89\xe5I\x89\xc3I\x81\xfb\x00\x10\x00\x00v\x1c",
+                    b"H\x81\xec\x00\x10\x00\x00H\x85d$\x08I\x81\xeb\x00\x10\x00\x00I\x81\xfb\x00\x10\x00\x00w\xe4",
+                    b"L)\xdcH\x85d$\x08H\x01\xc4\xc9\xc3",
+                }:
+                    func.info["is_rust_probestack"] = True
+
         if self._collect_data_ref and self.project is not None and ":" in self.project.arch.name:
             # this is a pcode arch - use Clinic to recover data references
 
@@ -1744,6 +1760,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         # Clean up
         self._traced_addresses = None
         self._lifter_deregister_readonly_regions()
+        self._function_returns = None
 
         self._finish_progress()
 
@@ -1825,19 +1842,18 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                         break
 
             # special handling: some binaries do not have SecurityCookie set, but still contain _security_init_cookie
-            if security_init_cookie_found is False:
+            if security_init_cookie_found is False and self.functions.contains_addr(self.project.entry):
                 start_func = self.functions.get_by_addr(self.project.entry)
-                if start_func is not None:
-                    for callee in start_func.transition_graph:
-                        if (
-                            isinstance(callee, Function)
-                            and not security_init_cookie_found
-                            and is_function_likely_security_init_cookie(callee)
-                        ):
-                            security_init_cookie_found = True
-                            callee.is_default_name = False
-                            callee.name = "_security_init_cookie"
-                            break
+                for callee in start_func.transition_graph:
+                    if (
+                        isinstance(callee, Function)
+                        and not security_init_cookie_found
+                        and is_function_likely_security_init_cookie(callee)
+                    ):
+                        security_init_cookie_found = True
+                        callee.is_default_name = False
+                        callee.name = "_security_init_cookie"
+                        break
 
     def _post_process_string_references(self) -> None:
         """
@@ -4765,6 +4781,37 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 func = self.kb.functions.get_by_addr(func_addr)
                 func.info["get_pc"] = "ebx"
 
+            # determine if the function uses ebp as a general purpose register or not
+            if addr == func_addr or 0 < addr - func_addr <= 0x20:
+                ebp_as_gpr = True
+                cap = self._lift(addr, size=cfg_node.size).capstone
+                for insn in cap.insns:
+                    if (
+                        insn.mnemonic == "mov"
+                        and len(insn.operands) == 2
+                        and insn.operands[0].type == capstone.x86.X86_OP_REG
+                        and insn.operands[1].type == capstone.x86.X86_OP_REG
+                    ):
+                        if (
+                            insn.operands[0].reg == capstone.x86.X86_REG_EBP
+                            and insn.operands[1].reg == capstone.x86.X86_REG_ESP
+                        ):
+                            ebp_as_gpr = False
+                            break
+                    elif (
+                        insn.mnemonic == "lea"
+                        and len(insn.operands) == 2
+                        and insn.operands[0].type == capstone.x86.X86_OP_REG
+                        and insn.operands[1].type == capstone.x86.X86_OP_MEM
+                    ) and (
+                        insn.operands[0].reg == capstone.x86.X86_REG_EBP
+                        and insn.operands[1].mem.base == capstone.x86.X86_REG_ESP
+                    ):
+                        ebp_as_gpr = False
+                        break
+                func = self.kb.functions.get_by_addr(func_addr)
+                func.info["bp_as_gpr"] = ebp_as_gpr
+
         elif self.project.arch.name == "AMD64":
             # determine if the function uses rbp as a general purpose register or not
             if addr == func_addr or 0 < addr - func_addr <= 0x20:

angr/analyses/cfg/cfg_fast_soot.py

@@ -50,7 +50,7 @@ class CFGFastSoot(CFGFast):
         self._initialize_cfg()
 
         # Initialize variables used during analysis
-        self._pending_jobs = PendingJobs(self.functions, self._deregister_analysis_job)
+        self._pending_jobs = PendingJobs(self.kb, self._deregister_analysis_job)
         self._traced_addresses = set()
         self._changed_functions = set()
         self._updated_nonreturning_functions = set()

angr/analyses/cfg/indirect_jump_resolvers/__init__.py

@@ -9,6 +9,7 @@ from .amd64_elf_got import AMD64ElfGotResolver
 from .arm_elf_fast import ArmElfFastResolver
 from .const_resolver import ConstantResolver
 from .amd64_pe_iat import AMD64PeIatResolver
+from .memload_resolver import MemoryLoadResolver
 
 
 __all__ = (
@@ -17,6 +18,7 @@ __all__ = (
     "ArmElfFastResolver",
     "ConstantResolver",
     "JumpTableResolver",
+    "MemoryLoadResolver",
     "MipsElfFastResolver",
     "MipsElfGotResolver",
     "X86ElfPicPltResolver",