angr 9.2.135__py3-none-macosx_11_0_arm64.whl → 9.2.137__py3-none-macosx_11_0_arm64.whl

angr/analyses/cfg/cfg_fast.py

@@ -1,5 +1,6 @@
 # pylint:disable=superfluous-parens,too-many-boolean-expressions,line-too-long
 from __future__ import annotations
+from typing import TYPE_CHECKING
 import itertools
 import logging
 import math
@@ -52,6 +53,10 @@ from .cfg_arch_options import CFGArchOptions
 from .cfg_base import CFGBase
 from .indirect_jump_resolvers.jumptable import JumpTableResolver
 
+if TYPE_CHECKING:
+    from angr.block import Block
+    from angr.engines.pcode.lifter import IRSB as PcodeIRSB
+
 
 VEX_IRSB_MAX_SIZE = 400
 
@@ -135,9 +140,9 @@ class PendingJobs:
     A collection of pending jobs during CFG recovery.
     """
 
-    def __init__(self, functions, deregister_job_callback):
+    def __init__(self, kb, deregister_job_callback):
         self._jobs = OrderedDict()  # A mapping between function addresses and lists of pending jobs
-        self._functions = functions
+        self._kb = kb
         self._deregister_job_callback = deregister_job_callback
 
         self._returning_functions = set()
@@ -145,6 +150,10 @@ class PendingJobs:
         # consecutive calls to cleanup().
         self._job_count = 0
 
+    @property
+    def _functions(self):
+        return self._kb.functions
+
     def __len__(self):
         return self._job_count
 
@@ -821,10 +830,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         #
         # Variables used during analysis
         #
-        self._pending_jobs = None
-        self._traced_addresses = None
+        self._pending_jobs = None  # type:ignore
+        self._traced_addresses = None  # type:ignore
         self._function_returns = None
-        self._function_exits = None
+        self._function_exits = None  # type:ignore
         self._gp_value: int | None = None
         self._ro_region_cdata_cache: list | None = None
         self._job_ctr = 0
@@ -868,7 +877,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         if size is None:
             size = len(data)
 
-        data = bytes(pyvex.ffi.buffer(data, size))
+        data = bytes(pyvex.ffi.buffer(data, size))  # type:ignore
         for x in range(256):
             p_x = float(data.count(x)) / size
             if p_x > 0:
@@ -1225,7 +1234,9 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 # umm now it's probably code
                 break
 
-        instr_alignment = self._initial_state.arch.instruction_alignment
+        instr_alignment = self.project.arch.instruction_alignment
+        if not instr_alignment:
+            instr_alignment = 1
         if start_addr % instr_alignment > 0:
             # occupy those few bytes
             size = instr_alignment - (start_addr % instr_alignment)
@@ -1282,7 +1293,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         nodecode_bytes_ratio = (
             0.0 if self._next_addr is None else self._nodecode_bytes_ratio(self._next_addr, self._nodecode_window_size)
         )
-        if nodecode_bytes_ratio >= self._nodecode_threshold:
+        if nodecode_bytes_ratio >= self._nodecode_threshold and self._next_addr is not None:
             next_allowed_addr = self._next_addr + self._nodecode_step
         else:
             next_allowed_addr = 0
@@ -1309,6 +1320,9 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         return job.addr
 
     def _pre_analysis(self):
+        # Create a read-only memory view in loader for faster data loading
+        self.project.loader.gen_ro_memview()
+
         # Call _initialize_cfg() before self.functions is used.
         self._initialize_cfg()
 
@@ -1316,7 +1330,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         self._known_thunks = self._find_thunks()
 
         # Initialize variables used during analysis
-        self._pending_jobs: PendingJobs = PendingJobs(self.functions, self._deregister_analysis_job)
+        self._pending_jobs: PendingJobs = PendingJobs(self.kb, self._deregister_analysis_job)
         self._traced_addresses: set[int] = {a for a, n in self._nodes_by_addr.items() if n}
         self._function_returns = defaultdict(set)
 
@@ -1498,6 +1512,18 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         pass
 
     def _function_completed(self, func_addr: int):
+        if self.project.arch.name == "AMD64":
+            # determine if the function is __rust_probestack
+            func = self.kb.functions.get_by_addr(func_addr) if self.kb.functions.contains_addr(func_addr) else None
+            if func is not None and len(func.block_addrs_set) == 3:
+                block_bytes = {func.get_block(block_addr).bytes for block_addr in func.block_addrs_set}
+                if block_bytes == {
+                    b"UH\x89\xe5I\x89\xc3I\x81\xfb\x00\x10\x00\x00v\x1c",
+                    b"H\x81\xec\x00\x10\x00\x00H\x85d$\x08I\x81\xeb\x00\x10\x00\x00I\x81\xfb\x00\x10\x00\x00w\xe4",
+                    b"L)\xdcH\x85d$\x08H\x01\xc4\xc9\xc3",
+                }:
+                    func.info["is_rust_probestack"] = True
+
         if self._collect_data_ref and self.project is not None and ":" in self.project.arch.name:
             # this is a pcode arch - use Clinic to recover data references
 
@@ -1741,9 +1767,13 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
         CFGBase._post_analysis(self)
 
+        # drop the read-only memory view in loader
+        self.project.loader.discard_ro_memview()
+
         # Clean up
         self._traced_addresses = None
         self._lifter_deregister_readonly_regions()
+        self._function_returns = None
 
         self._finish_progress()
 
@@ -1825,19 +1855,18 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                         break
 
             # special handling: some binaries do not have SecurityCookie set, but still contain _security_init_cookie
-            if security_init_cookie_found is False:
+            if security_init_cookie_found is False and self.functions.contains_addr(self.project.entry):
                 start_func = self.functions.get_by_addr(self.project.entry)
-                if start_func is not None:
-                    for callee in start_func.transition_graph:
-                        if (
-                            isinstance(callee, Function)
-                            and not security_init_cookie_found
-                            and is_function_likely_security_init_cookie(callee)
-                        ):
-                            security_init_cookie_found = True
-                            callee.is_default_name = False
-                            callee.name = "_security_init_cookie"
-                            break
+                for callee in start_func.transition_graph:
+                    if (
+                        isinstance(callee, Function)
+                        and not security_init_cookie_found
+                        and is_function_likely_security_init_cookie(callee)
+                    ):
+                        security_init_cookie_found = True
+                        callee.is_default_name = False
+                        callee.name = "_security_init_cookie"
+                        break
 
     def _post_process_string_references(self) -> None:
         """
@@ -2910,7 +2939,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                         if v is not None:
                             tmps[stmt.tmp] = v
 
-                elif type(stmt.data) in (pyvex.IRExpr.Binop,):  # pylint: disable=unidiomatic-typecheck
+                elif type(stmt.data) is pyvex.IRExpr.Binop:  # pylint: disable=unidiomatic-typecheck
                     # rip-related addressing
                     if stmt.data.op in ("Iop_Add32", "Iop_Add64"):
                         if all(type(arg) is pyvex.expr.Const for arg in stmt.data.args):
@@ -4396,8 +4425,8 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
             # Let's try to create the pyvex IRSB directly, since it's much faster
             nodecode = False
-            irsb = None
-            lifted_block = None
+            irsb: pyvex.IRSB | PcodeIRSB | None = None
+            lifted_block: Block = None  # type:ignore
             try:
                 lifted_block = self._lift(
                     addr,
@@ -4411,10 +4440,13 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
             except SimTranslationError:
                 nodecode = True
 
-            irsb_string: bytes = lifted_block.bytes[: irsb.size] if irsb is not None else lifted_block.bytes
+            irsb_string: bytes = b""
+            lifted_block_bytes = lifted_block.bytes if lifted_block.bytes is not None else b""
+            if lifted_block is not None:
+                irsb_string = lifted_block_bytes[: irsb.size] if irsb is not None else lifted_block_bytes
 
             # special logic during the complete scanning phase
-            if cfg_job.job_type == CFGJobType.COMPLETE_SCANNING and is_arm_arch(self.project.arch):
+            if cfg_job.job_type == CFGJobType.COMPLETE_SCANNING and is_arm_arch(self.project.arch) and irsb is not None:
                 # it's way too easy to incorrectly disassemble THUMB code contains 0x4f as ARM code svc?? #????
                 # if we get a single block that getting decoded to svc?? under ARM mode, we treat it as nodecode
                 if (
@@ -4452,7 +4484,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                     except SimTranslationError:
                         nodecode = True
 
-                    irsb_string: bytes = lifted_block.bytes[: irsb.size] if irsb is not None else lifted_block.bytes
+                    irsb_string = lifted_block.bytes[: irsb.size] if irsb is not None else lifted_block.bytes
 
                     if not (nodecode or irsb.size == 0 or irsb.jumpkind == "Ijk_NoDecode"):
                         # it is decodeable
@@ -4765,6 +4797,37 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 func = self.kb.functions.get_by_addr(func_addr)
                 func.info["get_pc"] = "ebx"
 
+            # determine if the function uses ebp as a general purpose register or not
+            if addr == func_addr or 0 < addr - func_addr <= 0x20:
+                ebp_as_gpr = True
+                cap = self._lift(addr, size=cfg_node.size).capstone
+                for insn in cap.insns:
+                    if (
+                        insn.mnemonic == "mov"
+                        and len(insn.operands) == 2
+                        and insn.operands[0].type == capstone.x86.X86_OP_REG
+                        and insn.operands[1].type == capstone.x86.X86_OP_REG
+                    ):
+                        if (
+                            insn.operands[0].reg == capstone.x86.X86_REG_EBP
+                            and insn.operands[1].reg == capstone.x86.X86_REG_ESP
+                        ):
+                            ebp_as_gpr = False
+                            break
+                    elif (
+                        insn.mnemonic == "lea"
+                        and len(insn.operands) == 2
+                        and insn.operands[0].type == capstone.x86.X86_OP_REG
+                        and insn.operands[1].type == capstone.x86.X86_OP_MEM
+                    ) and (
+                        insn.operands[0].reg == capstone.x86.X86_REG_EBP
+                        and insn.operands[1].mem.base == capstone.x86.X86_REG_ESP
+                    ):
+                        ebp_as_gpr = False
+                        break
+                func = self.kb.functions.get_by_addr(func_addr)
+                func.info["bp_as_gpr"] = ebp_as_gpr
+
         elif self.project.arch.name == "AMD64":
             # determine if the function uses rbp as a general purpose register or not
             if addr == func_addr or 0 < addr - func_addr <= 0x20:

angr/analyses/cfg/cfg_fast_soot.py

@@ -50,7 +50,7 @@ class CFGFastSoot(CFGFast):
         self._initialize_cfg()
 
         # Initialize variables used during analysis
-        self._pending_jobs = PendingJobs(self.functions, self._deregister_analysis_job)
+        self._pending_jobs = PendingJobs(self.kb, self._deregister_analysis_job)
         self._traced_addresses = set()
         self._changed_functions = set()
         self._updated_nonreturning_functions = set()

angr/analyses/cfg/indirect_jump_resolvers/__init__.py

@@ -9,6 +9,7 @@ from .amd64_elf_got import AMD64ElfGotResolver
 from .arm_elf_fast import ArmElfFastResolver
 from .const_resolver import ConstantResolver
 from .amd64_pe_iat import AMD64PeIatResolver
+from .memload_resolver import MemoryLoadResolver
 
 
 __all__ = (
@@ -17,6 +18,7 @@ __all__ = (
     "ArmElfFastResolver",
     "ConstantResolver",
     "JumpTableResolver",
+    "MemoryLoadResolver",
     "MipsElfFastResolver",
     "MipsElfGotResolver",
     "X86ElfPicPltResolver",

angr/analyses/cfg/indirect_jump_resolvers/const_resolver.py

@@ -75,7 +75,31 @@ class ConstantResolver(IndirectJumpResolver):
 
         vex_block = block.vex
         if isinstance(vex_block.next, pyvex.expr.RdTmp):
-            # what does the jump rely on? slice it back and see
+            tmp_stmt_idx, tmp_ins_addr = self._find_tmp_write_stmt_and_ins(vex_block, vex_block.next.tmp)
+            if tmp_stmt_idx is None or tmp_ins_addr is None:
+                return False, []
+
+            # first check: is it jumping to a target loaded from memory? if so, it should have been resolved by
+            # MemoryLoadResolver.
+            stmt = vex_block.statements[tmp_stmt_idx]
+            assert isinstance(stmt, pyvex.IRStmt.WrTmp)
+            if (
+                isinstance(stmt.data, pyvex.IRExpr.Load)
+                and isinstance(stmt.data.addr, pyvex.IRExpr.Const)
+                and stmt.data.result_size(vex_block.tyenv) == self.project.arch.bits
+            ):
+                # well, if MemoryLoadResolver hasn't resolved it, we can try to resolve it here, or bail early because
+                # ConstantResolver won't help.
+                load_addr = stmt.data.addr.con.value
+                try:
+                    value = self.project.loader.memory.unpack_word(load_addr, size=self.project.arch.bytes)
+                    if isinstance(value, int) and self._is_target_valid(cfg, value):
+                        return True, [value]
+                except KeyError:
+                    pass
+                return False, []
+
+            # second check: what does the jump rely on? slice it back and see
             b = Blade(
                 cfg.graph,
                 addr,
@@ -104,26 +128,25 @@ class ConstantResolver(IndirectJumpResolver):
                     block = self.project.factory.block(pred_addr, cross_insn_opt=True).vex
                     if stmt_idx != DEFAULT_STATEMENT:
                         stmt = block.statements[stmt_idx]
-                        if isinstance(stmt, pyvex.IRStmt.WrTmp) and isinstance(stmt.data, pyvex.IRExpr.Load):
+                        if (
+                            isinstance(stmt, pyvex.IRStmt.WrTmp)
+                            and isinstance(stmt.data, pyvex.IRExpr.Load)
+                            and not isinstance(stmt.data.addr, pyvex.IRExpr.Const)
+                        ):
                             # loading from memory - unsupported
                             return False, []
                 break
 
             _l.debug("ConstantResolver: Propagating for %r at %#x.", func, addr)
-            prop = self.project.analyses.Propagator(
-                func=func,
-                only_consts=True,
-                do_binops=True,
+            prop = self.project.analyses.FastConstantPropagation(
+                func,
                 vex_cross_insn_opt=False,
-                completed_funcs=cfg._completed_functions,
                 load_callback=PropagatorLoadCallback(self.project).propagator_load_callback,
-                cache_results=True,
-                key_prefix="cfg_intermediate",
             )
 
             replacements = prop.replacements
             if replacements:
-                block_loc = CodeLocation(block.addr, None)
+                block_loc = CodeLocation(block.addr, tmp_stmt_idx, ins_addr=tmp_ins_addr)
                 tmp_var = vex_vars.VEXTmp(vex_block.next.tmp)
 
                 if exists_in_replacements(replacements, block_loc, tmp_var):
@@ -135,5 +158,18 @@ class ConstantResolver(IndirectJumpResolver):
                         and self._is_target_valid(cfg, resolved_tmp.args[0])
                     ):
                         return True, [resolved_tmp.args[0]]
+                    if isinstance(resolved_tmp, int) and self._is_target_valid(cfg, resolved_tmp):
+                        return True, [resolved_tmp]
 
         return False, []
+
+    @staticmethod
+    def _find_tmp_write_stmt_and_ins(vex_block, tmp: int) -> tuple[int | None, int | None]:
+        stmt_idx = None
+        for idx, stmt in enumerate(reversed(vex_block.statements)):
+            if isinstance(stmt, pyvex.IRStmt.IMark) and stmt_idx is not None:
+                ins_addr = stmt.addr + stmt.delta
+                return stmt_idx, ins_addr
+            if isinstance(stmt, pyvex.IRStmt.WrTmp) and stmt.tmp == tmp:
+                stmt_idx = len(vex_block.statements) - idx - 1
+        return None, None

angr/analyses/cfg/indirect_jump_resolvers/default_resolvers.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 import cle
+from angr.analyses.cfg.indirect_jump_resolvers import MemoryLoadResolver
 
 from . import MipsElfFastResolver
 from . import X86ElfPicPltResolver
@@ -19,6 +20,9 @@ DEFAULT_RESOLVERS = {
         cle.PE: [
             X86PeIatResolver,
         ],
+        cle.XBE: [
+            X86PeIatResolver,
+        ],
     },
     "AMD64": {
         cle.MetaELF: [
@@ -54,7 +58,7 @@ DEFAULT_RESOLVERS = {
             ArmElfFastResolver,
         ]
     },
-    "ALL": [JumpTableResolver, ConstantResolver],
+    "ALL": [MemoryLoadResolver, JumpTableResolver, ConstantResolver],
 }
 
 

angr/analyses/cfg/indirect_jump_resolvers/jumptable.py

@@ -10,6 +10,7 @@ import functools
 import pyvex
 import claripy
 from archinfo.arch_arm import is_arm_arch
+from claripy.annotation import UninitializedAnnotation
 
 from angr import sim_options as o
 from angr import BP, BP_BEFORE, BP_AFTER
@@ -144,20 +145,22 @@ class ConstantValueManager:
 
     __slots__ = (
         "func",
+        "indirect_jump_addr",
         "kb",
         "mapping",
         "project",
     )
 
-    def __init__(self, project: Project, kb, func: Function):
+    def __init__(self, project: Project, kb, func: Function, ij_addr: int):
         self.project = project
         self.kb = kb
         self.func = func
+        self.indirect_jump_addr = ij_addr
 
         self.mapping: dict[Any, dict[Any, claripy.ast.Base]] | None = None
 
     def reg_read_callback(self, state: SimState):
-        if not self.mapping:
+        if self.mapping is None:
             self._build_mapping()
             assert self.mapping is not None
 
@@ -168,18 +171,54 @@ class ConstantValueManager:
                 reg_read_offset = reg_read_offset.args[0]
             variable = VEXReg(reg_read_offset, state.inspect.reg_read_length)
             if variable in self.mapping[codeloc]:
-                state.inspect.reg_read_expr = self.mapping[codeloc][variable]
+                v = self.mapping[codeloc][variable]
+                if isinstance(v, int):
+                    v = claripy.BVV(v, state.inspect.reg_read_length * state.arch.byte_width)
+                state.inspect.reg_read_expr = v
 
     def _build_mapping(self):
         # constant propagation
-        l.debug("JumpTable: Propagating for %r.", self.func)
-        prop = self.project.analyses[PropagatorAnalysis].prep()(
-            func=self.func,
-            only_consts=True,
+        l.debug("JumpTable: Propagating for %r at %#x.", self.func, self.indirect_jump_addr)
+
+        # determine blocks to run FCP on
+
+        # - include at most three levels of successors from the entrypoint
+        startpoint = self.func.startpoint
+        blocks = set()
+        succs = [startpoint]
+        for _ in range(3):
+            new_succs = []
+            for node in succs:
+                if node in blocks:
+                    continue
+                blocks.add(node)
+                if node.addr == self.indirect_jump_addr:
+                    # stop at the indirect jump block
+                    continue
+                new_succs += list(self.func.graph.successors(node))
+            succs = new_succs
+            if not succs:
+                break
+
+        # - include at most six levels of predecessors from the indirect jump block
+        ij_block = self.func.get_node(self.indirect_jump_addr)
+        preds = [ij_block]
+        for _ in range(6):
+            new_preds = []
+            for node in preds:
+                if node in blocks:
+                    continue
+                blocks.add(node)
+                new_preds += list(self.func.graph.predecessors(node))
+            preds = new_preds
+            if not preds:
+                break
+
+        prop = self.project.analyses.FastConstantPropagation(
+            self.func,
+            blocks=blocks,
             vex_cross_insn_opt=True,
             load_callback=PropagatorLoadCallback(self.project).propagator_load_callback,
-            cache_results=True,
-            key_prefix="cfg_intermediate",
         )
         self.mapping = prop.replacements
 
@@ -466,6 +505,21 @@ class JumpTableProcessor(
             return self._top(expr.result_size(self.tyenv))
         return v
 
+    @binop_handler
+    def _handle_binop_And(self, expr):
+        arg0 = self._expr(expr.args[0])
+        if (
+            isinstance(arg0, claripy.ast.BV)
+            and self._is_registeroffset(arg0)
+            and isinstance(expr.args[1], pyvex.IRExpr.Const)
+        ):
+            mask_value = expr.args[1].con.value
+            if mask_value in {1, 3, 7, 15, 31, 63, 127, 255}:
+                # 1cbbf108f44c8f4babde546d26425ca5340dccf878d306b90eb0fbec2f83ab51:0x40bd1b
+                self.state.is_jumptable = True
+                return arg0 & mask_value
+        return self._top(expr.result_size(self.tyenv))
+
     @binop_handler
     def _handle_binop_CmpLE(self, expr):
         return self._handle_Comparison(*expr.args)
@@ -853,7 +907,7 @@ class JumpTableResolver(IndirectJumpResolver):
         potential_call_table = jumpkind == "Ijk_Call" or self._sp_moved_up(block) or len(func.block_addrs_set) <= 5
         # we only perform full-function propagation for jump tables or call tables in really small functions
         if not potential_call_table or len(func.block_addrs_set) <= 5:
-            cv_manager = ConstantValueManager(self.project, cfg.kb, func)
+            cv_manager = ConstantValueManager(self.project, cfg.kb, func, addr)
         else:
             cv_manager = None
 
@@ -2131,7 +2185,7 @@ class JumpTableResolver(IndirectJumpResolver):
         read_addr = state.inspect.mem_read_address
         cond = state.inspect.mem_read_condition
 
-        if not isinstance(read_addr, int) and read_addr.uninitialized and cond is None:
+        if not isinstance(read_addr, int) and read_addr.has_annotation_type(UninitializedAnnotation) and cond is None:
             # if this AST has been initialized before, just use the cached addr
             cached_addr = self._cached_memread_addrs.get(read_addr, None)
             if cached_addr is not None:
@@ -2402,6 +2456,3 @@ class JumpTableResolver(IndirectJumpResolver):
         if load_stmt_ids:
             return [load_stmt_ids[-1]]
         return []
-
-
-from angr.analyses.propagator import PropagatorAnalysis

angr/analyses/cfg/indirect_jump_resolvers/memload_resolver.py

@@ -0,0 +1,81 @@
+from __future__ import annotations
+import logging
+
+import pyvex
+
+from .resolver import IndirectJumpResolver
+
+_l = logging.getLogger(name=__name__)
+
+
+class MemoryLoadResolver(IndirectJumpResolver):
+    """
+    Resolve an indirect jump that looks like the following::
+
+    .text:
+                    call    off_3314A8
+
+    .data:
+    off_3314A8      dd offset sub_1E426F
+
+    This indirect jump resolver may not be the best solution for all cases (e.g., when the .data section can be
+    intentionally altered by the binary itself).
+    """
+
+    def __init__(self, project):
+        super().__init__(project, timeless=True)
+
+    def filter(self, cfg, addr, func_addr, block, jumpkind):
+        return jumpkind in {"Ijk_Boring", "Ijk_Call"}
+
+    def resolve(  # pylint:disable=unused-argument
+        self,
+        cfg,
+        addr: int,
+        func_addr: int,
+        block: pyvex.IRSB,
+        jumpkind: str,
+        func_graph_complete: bool = True,
+        **kwargs,
+    ):
+        """
+        :param cfg:         CFG with specified function
+        :param addr:        Address of indirect jump
+        :param func_addr:   Address of function of indirect jump
+        :param block:       Block of indirect jump (Block object)
+        :param jumpkind:    VEX jumpkind (Ijk_Boring or Ijk_Call)
+        :return:            Bool tuple with replacement address
+        """
+        vex_block = block
+        if isinstance(vex_block.next, pyvex.expr.RdTmp):
+            tmp_stmt_idx, tmp_ins_addr = self._find_tmp_write_stmt_and_ins(vex_block, vex_block.next.tmp)
+            if tmp_stmt_idx is None or tmp_ins_addr is None:
+                return False, []
+
+            stmt = vex_block.statements[tmp_stmt_idx]
+            assert isinstance(stmt, pyvex.IRStmt.WrTmp)
+            if (
+                isinstance(stmt.data, pyvex.IRExpr.Load)
+                and isinstance(stmt.data.addr, pyvex.IRExpr.Const)
+                and stmt.data.result_size(vex_block.tyenv) == self.project.arch.bits
+            ):
+                load_addr = stmt.data.addr.con.value
+                try:
+                    value = self.project.loader.memory.unpack_word(load_addr, size=self.project.arch.bytes)
+                    if isinstance(value, int) and self._is_target_valid(cfg, value):
+                        return True, [value]
+                except KeyError:
+                    return False, []
+
+        return False, []
+
+    @staticmethod
+    def _find_tmp_write_stmt_and_ins(vex_block, tmp: int) -> tuple[int | None, int | None]:
+        stmt_idx = None
+        for idx, stmt in enumerate(reversed(vex_block.statements)):
+            if isinstance(stmt, pyvex.IRStmt.IMark) and stmt_idx is not None:
+                ins_addr = stmt.addr + stmt.delta
+                return stmt_idx, ins_addr
+            if isinstance(stmt, pyvex.IRStmt.WrTmp) and stmt.tmp == tmp:
+                stmt_idx = len(vex_block.statements) - idx - 1
+        return None, None

angr/analyses/cfg/indirect_jump_resolvers/propagator_utils.py

@@ -10,7 +10,7 @@ class PropagatorLoadCallback:
     def __init__(self, project):
         self.project = project
 
-    def propagator_load_callback(self, addr, size) -> bool:  # pylint:disable=unused-argument
+    def propagator_load_callback(self, addr: claripy.ast.BV | int, size: int) -> bool:  # pylint:disable=unused-argument
         # only allow loading if the address falls into a read-only region
         if isinstance(addr, claripy.ast.BV) and addr.op == "BVV":
             addr_v = addr.args[0]
@@ -19,9 +19,28 @@ class PropagatorLoadCallback:
         else:
             return False
         section = self.project.loader.find_section_containing(addr_v)
+        segment = None
         if section is not None:
-            return section.is_readable and not section.is_writable
-        segment = self.project.loader.find_segment_containing(addr_v)
-        if segment is not None:
-            return segment.is_readable and not segment.is_writable
+            if section.is_readable and not section.is_writable:
+                # read-only section
+                return True
+        else:
+            segment = self.project.loader.find_segment_containing(addr_v)
+            if segment is not None and segment.is_readable and not segment.is_writable:
+                # read-only segment
+                return True
+
+        if (size == self.project.arch.bytes and (section is not None and section.is_readable)) or (
+            segment is not None and segment.is_readable
+        ):
+            # memory is mapped and readable. does it contain a valid address?
+            try:
+                target_addr = self.project.loader.memory.unpack_word(
+                    addr_v, size=size, endness=self.project.arch.memory_endness
+                )
+                if target_addr >= 0x1000 and self.project.loader.find_object_containing(target_addr) is not None:
+                    return True
+            except KeyError:
+                return False
+
         return False

angr/analyses/cfg/indirect_jump_resolvers/x86_pe_iat.py

@@ -3,7 +3,6 @@ import logging
 
 from capstone.x86_const import X86_OP_MEM
 
-from angr.simos import SimWindows
 from .resolver import IndirectJumpResolver
 
 l = logging.getLogger(name=__name__)
@@ -11,16 +10,14 @@ l = logging.getLogger(name=__name__)
 
 class X86PeIatResolver(IndirectJumpResolver):
     """
-    A timeless indirect jump resolver for IAT in x86 PEs.
+    A timeless indirect jump resolver for IAT in x86 PEs and xbes.
     """
 
     def __init__(self, project):
         super().__init__(project, timeless=True)
 
     def filter(self, cfg, addr, func_addr, block, jumpkind):
-        if not isinstance(self.project.simos, SimWindows):
-            return False
-        if jumpkind != "Ijk_Call":
+        if jumpkind not in {"Ijk_Call", "Ijk_Boring"}:  # both call and jmp
             return False
 
         insns = self.project.factory.block(addr).capstone.insns