angr 9.2.135__py3-none-manylinux2014_x86_64.whl → 9.2.137__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/structuring/phoenix.py

@@ -1,4 +1,5 @@
 # pylint:disable=line-too-long,import-outside-toplevel,import-error,multiple-statements,too-many-boolean-expressions
+# ruff: noqa: SIM102
 from __future__ import annotations
 from typing import Any, TYPE_CHECKING
 from collections import defaultdict, OrderedDict
@@ -26,6 +27,7 @@ from angr.analyses.decompiler.utils import (
     is_empty_or_label_only_node,
     has_nonlabel_nonphi_statements,
     first_nonlabel_nonphi_statement,
+    switch_extract_bitwiseand_jumptable_info,
 )
 from angr.analyses.decompiler.counters.call_counter import AILCallCounter
 from .structurer_nodes import (
@@ -1045,6 +1047,11 @@ class PhoenixStructurer(StructurerBase):
         if r:
             return r
         jump_tables = self.kb.cfgs["CFGFast"].jump_tables
+        r = self._match_acyclic_switch_cases_address_loaded_from_memory_no_ob_check(
+            node, graph, full_graph, jump_tables
+        )
+        if r:
+            return r
         r = self._match_acyclic_switch_cases_address_loaded_from_memory(node, graph, full_graph, jump_tables)
         if r:
             return r
@@ -1240,6 +1247,93 @@ class PhoenixStructurer(StructurerBase):
 
         return True
 
+    def _match_acyclic_switch_cases_address_loaded_from_memory_no_ob_check(
+        self, node, graph, full_graph, jump_tables
+    ) -> bool:
+        if node.addr not in jump_tables:
+            return False
+
+        try:
+            last_stmt = self.cond_proc.get_last_statement(node)
+        except EmptyBlockNotice:
+            return False
+        if not (isinstance(last_stmt, Jump) and not isinstance(last_stmt.target, Const)):
+            return False
+
+        jump_table = jump_tables[node.addr]
+        if jump_table.type != IndirectJumpType.Jumptable_AddressLoadedFromMemory:
+            return False
+
+        # extract the index expression, lower-, and upper-bounds from the last statement
+        index = switch_extract_bitwiseand_jumptable_info(last_stmt)
+        if not index:
+            return False
+        index_expr, cmp_lb, cmp_ub = index  # pylint:disable=unused-variable
+        case_count = cmp_ub - cmp_lb + 1
+
+        # ensure we have the same number of cases
+        if case_count != len(jump_table.jumptable_entries):
+            return False
+
+        # populate whitelist_edges
+        for case_node_addr in jump_table.jumptable_entries:
+            self.whitelist_edges.add((node.addr, case_node_addr))
+        self.switch_case_known_heads.add(node)
+
+        # sanity check: case nodes are successors to node. all case nodes must have at most common one successor
+        node_pred = None
+        if graph.in_degree[node] == 1:
+            node_pred = next(iter(graph.predecessors(node)))
+
+        case_nodes = list(graph.successors(node))
+
+        # case 1: the common successor happens to be directly reachable from node_a (usually as a result of compiler
+        # optimization)
+        # example: touch_touch_no_switch.o:main
+        r = self.switch_case_entry_node_has_common_successor_case_1(graph, jump_table, case_nodes, node_pred)
+
+        # case 2: the common successor is not directly reachable from node_a. this is a more common case.
+        if not r:
+            r |= self.switch_case_entry_node_has_common_successor_case_2(graph, jump_table, case_nodes, node_pred)
+
+        if not r:
+            return False
+
+        case_and_entry_addrs = self._find_case_and_entry_addrs(node, graph, cmp_lb, jump_table)
+
+        cases, node_default, to_remove = self._switch_build_cases(
+            case_and_entry_addrs,
+            node,
+            node,
+            None,
+            graph,
+            full_graph,
+        )
+
+        assert node_default is None
+        switch_end_addr = None
+
+        r = self._make_switch_cases_core(
+            node,
+            index_expr,
+            cases,
+            None,
+            None,
+            last_stmt.ins_addr,
+            to_remove,
+            graph,
+            full_graph,
+            node_a=None,
+        )
+        if not r:
+            return False
+
+        # fully structured into a switch-case. remove node from switch_case_known_heads
+        self.switch_case_known_heads.remove(node)
+        self._switch_handle_gotos(cases, node_default, switch_end_addr)
+
+        return True
+
     def _match_acyclic_switch_cases_address_computed(self, node, graph, full_graph, jump_tables) -> bool:
         if node.addr not in jump_tables:
             return False
@@ -1333,7 +1427,7 @@ class PhoenixStructurer(StructurerBase):
         case_and_entryaddrs: dict[int, int | tuple[int, int | None]],
         head_node,
         node_a: BaseNode,
-        node_b_addr,
+        node_b_addr: int | None,
         graph,
         full_graph,
     ) -> tuple[OrderedDict, Any, set[Any]]:
@@ -1343,7 +1437,9 @@ class PhoenixStructurer(StructurerBase):
         # it is possible that the default node gets duplicated by other analyses and creates a default node (addr.a)
         # and a case node (addr.b). The addr.a node is a successor to the head node while the addr.b node is a
         # successor to node_a
-        default_node_candidates = [nn for nn in graph.nodes if nn.addr == node_b_addr]
+        default_node_candidates = (
+            [nn for nn in graph.nodes if nn.addr == node_b_addr] if node_b_addr is not None else []
+        )
         node_default: BaseNode | None = next(
             iter(nn for nn in default_node_candidates if graph.has_edge(head_node, nn)), None
         )
@@ -1355,7 +1451,6 @@ class PhoenixStructurer(StructurerBase):
             self.replace_nodes(full_graph, node_default, new_node)
             node_default = new_node
 
-        # entry_addrs_set = set(jumptable_entries)
         converted_nodes: dict[tuple[int, int | None], Any] = {}
         entry_addr_to_ids: defaultdict[tuple[int, int | None], set[int]] = defaultdict(set)
 
@@ -1442,7 +1537,7 @@ class PhoenixStructurer(StructurerBase):
         head,
         cmp_expr,
         cases: OrderedDict,
-        node_default_addr: int,
+        node_default_addr: int | None,
         node_default,
         addr,
         to_remove: set,
@@ -1491,7 +1586,7 @@ class PhoenixStructurer(StructurerBase):
                 pass
             graph.remove_edge(head, node_default)
             full_graph.remove_edge(head, node_default)
-        else:
+        elif node_default_addr is not None:
             # the default node is not in the current graph, but it might be in the full graph
             node_default_in_full_graph = next(iter(nn for nn in full_graph if nn.addr == node_default_addr), None)
             if node_default_in_full_graph is not None and full_graph.has_edge(head, node_default_in_full_graph):
@@ -1536,7 +1631,7 @@ class PhoenixStructurer(StructurerBase):
                     full_graph.remove_edge(head, out_dst)
 
                 # fix full_graph if needed: remove successors that are no longer needed
-                for out_src, out_dst in out_edges[1:]:
+                for _out_src, out_dst in out_edges[1:]:
                     if out_dst in full_graph and out_dst not in graph and full_graph.in_degree[out_dst] == 0:
                         full_graph.remove_node(out_dst)
                         if out_dst in self._region.successors:
@@ -1570,12 +1665,22 @@ class PhoenixStructurer(StructurerBase):
 
         return case_and_entry_addrs
 
-    def _is_switch_cases_address_loaded_from_memory_head_or_jumpnode(self, graph, node) -> bool:
+    def _is_node_unstructured_switch_case_head(self, node) -> bool:
         jump_tables = self.kb.cfgs["CFGFast"].jump_tables
         if node.addr in jump_tables:
+            # maybe it has been structured?
+            try:
+                last_stmts = self.cond_proc.get_last_statements(node)
+            except EmptyBlockNotice:
+                return False
+            return len(last_stmts) == 1 and isinstance(last_stmts[0], Jump)
+        return False
+
+    def _is_switch_cases_address_loaded_from_memory_head_or_jumpnode(self, graph, node) -> bool:
+        if self._is_node_unstructured_switch_case_head(node):
             return True
         for succ in graph.successors(node):
-            if succ.addr in jump_tables:
+            if self._is_node_unstructured_switch_case_head(succ):
                 return True
         return node in self.switch_case_known_heads
 
@@ -1634,13 +1739,11 @@ class PhoenixStructurer(StructurerBase):
                 )
             ):
                 # potentially ITE
-                jump_tables = self.kb.cfgs["CFGFast"].jump_tables
-
                 if (
                     full_graph.in_degree[left] == 1
                     and full_graph.in_degree[right] == 1
-                    and left.addr not in jump_tables
-                    and right.addr not in jump_tables
+                    and not self._is_node_unstructured_switch_case_head(left)
+                    and not self._is_node_unstructured_switch_case_head(right)
                 ):
                     edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, start_node, left)
                     edge_cond_right = self.cond_proc.recover_edge_condition(full_graph, start_node, right)
@@ -1681,9 +1784,9 @@ class PhoenixStructurer(StructurerBase):
                 left_succs, right_succs = right_succs, left_succs
             if left in graph and not left_succs and full_graph.in_degree[left] == 1 and right in graph:
                 # potentially If-Then
-                jump_tables = self.kb.cfgs["CFGFast"].jump_tables
-
-                if left.addr not in jump_tables and right.addr not in jump_tables:
+                if not self._is_node_unstructured_switch_case_head(
+                    left
+                ) and not self._is_node_unstructured_switch_case_head(right):
                     edge_cond_left = self.cond_proc.recover_edge_condition(full_graph, start_node, left)
                     edge_cond_right = self.cond_proc.recover_edge_condition(full_graph, start_node, right)
                     if claripy.is_true(claripy.Not(edge_cond_left) == edge_cond_right):

angr/analyses/decompiler/utils.py

@@ -40,7 +40,7 @@ def remove_last_statement(node):
     elif type(node) is LoopNode:
         stmt = remove_last_statement(node.sequence_node)
     else:
-        raise NotImplementedError
+        raise NotImplementedError(type(node))
 
     return stmt
 
@@ -69,7 +69,7 @@ def remove_last_statements(node) -> bool:
         return r
     if type(node) is LoopNode:
         return remove_last_statements(node.sequence_node)
-    raise NotImplementedError
+    raise NotImplementedError(type(node))
 
 
 def append_statement(node, stmt):
@@ -83,16 +83,16 @@ def append_statement(node, stmt):
         if node.nodes:
             append_statement(node.nodes[-1], stmt)
         else:
-            raise NotImplementedError
+            raise NotImplementedError("MultiNode without nodes")
         return
     if type(node) is SequenceNode:
         if node.nodes:
             append_statement(node.nodes[-1], stmt)
         else:
-            raise NotImplementedError
+            raise NotImplementedError("SequenceNode without nodes")
         return
 
-    raise NotImplementedError
+    raise NotImplementedError(type(node))
 
 
 def replace_last_statement(node, old_stmt, new_stmt):
@@ -118,7 +118,7 @@ def replace_last_statement(node, old_stmt, new_stmt):
             replace_last_statement(node.false_node, old_stmt, new_stmt)
         return
 
-    raise NotImplementedError
+    raise NotImplementedError(type(node))
 
 
 def extract_jump_targets(stmt):
@@ -175,6 +175,111 @@ def switch_extract_cmp_bounds(last_stmt: ailment.Stmt.ConditionalJump) -> tuple[
     return None
 
 
+def switch_extract_bitwiseand_jumptable_info(last_stmt: ailment.Stmt.Jump) -> tuple[Any, int, int] | None:
+    """
+    Check the last statement of the switch-case header node (whose address is loaded from a jump table and computed
+    using an index) and extract necessary information for rebuilding the switch-case construct.
+
+    An example of the statement:
+
+    Goto(Conv(32->s64, (
+        Load(addr=(0x4530e4<64> + (Conv(32->64, (Conv(64->32, vvar_287{reg 32}) & 0x3<32>)) * 0x4<64>)),
+             size=4, endness=Iend_LE) + 0x4530e4<32>))
+    )
+
+    :param last_stmt:   The last statement of the switch-case header node.
+    :return:            A tuple of (index expression, lower bound, upper bound), or None
+    """
+
+    if not isinstance(last_stmt, ailment.Stmt.Jump):
+        return None
+
+    # unpack the target expression
+    target = last_stmt.target
+    jump_addr_offset = None
+    jumptable_load_addr = None
+    while True:
+        if isinstance(target, ailment.Expr.Convert) and (
+            (target.from_bits == 32 and target.to_bits == 64) or (target.from_bits == 16 and target.to_bits == 32)
+        ):
+            target = target.operand
+            continue
+        if isinstance(target, ailment.Expr.BinaryOp) and target.op == "Add":
+            if isinstance(target.operands[0], ailment.Expr.Const) and isinstance(target.operands[1], ailment.Expr.Load):
+                jump_addr_offset = target.operands[0]
+                jumptable_load_addr = target.operands[1].addr
+                break
+            if isinstance(target.operands[1], ailment.Expr.Const) and isinstance(target.operands[0], ailment.Expr.Load):
+                jump_addr_offset = target.operands[1]
+                jumptable_load_addr = target.operands[0].addr
+                break
+            return None
+        if isinstance(target, ailment.Expr.Const):
+            return None
+        break
+
+    if jump_addr_offset is None or jumptable_load_addr is None:
+        return None
+
+    # parse jumptable_load_addr
+    jumptable_offset = None
+    jumptable_base_addr = None
+    if isinstance(jumptable_load_addr, ailment.Expr.BinaryOp) and jumptable_load_addr.op == "Add":
+        if isinstance(jumptable_load_addr.operands[0], ailment.Expr.Const):
+            jumptable_base_addr = jumptable_load_addr.operands[0]
+            jumptable_offset = jumptable_load_addr.operands[1]
+        elif isinstance(jumptable_load_addr.operands[1], ailment.Expr.Const):
+            jumptable_offset = jumptable_load_addr.operands[0]
+            jumptable_base_addr = jumptable_load_addr.operands[1]
+
+    if jumptable_offset is None or jumptable_base_addr is None:
+        return None
+
+    # parse jumptable_offset
+    expr = jumptable_offset
+    coeff = None
+    index_expr = None
+    lb = None
+    ub = None
+    while expr is not None:
+        if isinstance(expr, ailment.Expr.BinaryOp):
+            if expr.op == "Mul":
+                if isinstance(expr.operands[1], ailment.Expr.Const):
+                    coeff = expr.operands[1].value
+                    expr = expr.operands[0]
+                elif isinstance(expr.operands[0], ailment.Expr.Const):
+                    coeff = expr.operands[0].value
+                    expr = expr.operands[1]
+                else:
+                    return None
+            elif expr.op == "And":
+                masks = {0x1, 0x3, 0x7, 0xF, 0x1F, 0x3F, 0x7F, 0xFF, 0x1FF, 0x3FF}
+                if isinstance(expr.operands[1], ailment.Expr.Const) and expr.operands[1].value in masks:
+                    lb = 0
+                    ub = expr.operands[1].value
+                    index_expr = expr
+                    break
+                if isinstance(expr.operands[0], ailment.Expr.Const) and expr.operands[1].value in masks:
+                    lb = 0
+                    ub = expr.operands[0].value
+                    index_expr = expr
+                    break
+                return None
+            else:
+                return None
+        elif isinstance(expr, ailment.Expr.Convert):
+            if expr.is_signed is False:
+                expr = expr.operand
+            else:
+                return None
+        else:
+            break
+
+    if coeff is not None and index_expr is not None and lb is not None and ub is not None:
+        return index_expr, lb, ub
+    return None
+
+
 def get_ast_subexprs(claripy_ast):
     queue = [claripy_ast]
     while queue:
@@ -267,9 +372,9 @@ def insert_node(parent, insert_location: str, node, node_idx: int | tuple[int] |
                 parent.sequence_node = SequenceNode(parent.sequence_node.addr, nodes=[parent.sequence_node])
             insert_node(parent.sequence_node, insert_location, node, node_idx)
         else:
-            raise NotImplementedError
+            raise NotImplementedError(label)
     else:
-        raise NotImplementedError
+        raise NotImplementedError(type(parent))
 
 
 def _merge_ail_nodes(graph, node_a: ailment.Block, node_b: ailment.Block) -> ailment.Block:

angr/analyses/disassembly.py

@@ -1,22 +1,24 @@
 from __future__ import annotations
+
+import contextlib
 import logging
 from collections import defaultdict
-from typing import Union, Any
 from collections.abc import Sequence
+from typing import Union, Any
 
 import pyvex
 import archinfo
-from angr.knowledge_plugins import Function
 
 from . import Analysis
 
+from angr.analyses import AnalysesHub
 from angr.errors import AngrTypeError
+from angr.knowledge_plugins import Function
 from angr.utils.library import get_cpp_function_name
 from angr.utils.formatting import ansi_color_enabled, ansi_color, add_edge_to_buffer
 from angr.block import DisassemblerInsn, CapstoneInsn, SootBlockNode
 from angr.codenode import BlockNode
 from .disassembly_utils import decode_instruction
-import contextlib
 
 try:
     from angr.engines import pcode
@@ -1295,6 +1297,4 @@ class Disassembly(Analysis):
         return "\n".join(buf)
 
 
-from angr.analyses import AnalysesHub
-
 AnalysesHub.register_default("Disassembly", Disassembly)

angr/analyses/fcp/__init__.py

@@ -0,0 +1,4 @@
+from __future__ import annotations
+from .fcp import FastConstantPropagation
+
+__all__ = ["FastConstantPropagation"]