angr 9.2.138__py3-none-manylinux2014_x86_64.whl → 9.2.140__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/region_simplifiers/region_simplifier.py

@@ -12,7 +12,13 @@ from .if_ import IfSimplifier
 from .cascading_ifs import CascadingIfsRemover
 from .ifelse import IfElseFlattener
 from .loop import LoopSimplifier
-from .expr_folding import ExpressionCounter, ExpressionFolder, StoreStatementFinder, ExpressionLocation
+from .expr_folding import (
+    ExpressionCounter,
+    ExpressionFolder,
+    StoreStatementFinder,
+    ExpressionLocation,
+    InterferenceChecker,
+)
 from .cascading_cond_transformer import CascadingConditionTransformer
 from .switch_expr_simplifier import SwitchExpressionSimplifier
 from .switch_cluster_simplifier import SwitchClusterFinder, simplify_switch_clusters, simplify_lowered_switches
@@ -23,10 +29,17 @@ class RegionSimplifier(Analysis):
     Simplifies a given region.
     """
 
-    def __init__(self, func, region, variable_kb=None, simplify_switches: bool = True, simplify_ifelse: bool = True):
+    def __init__(
+        self,
+        func,
+        region,
+        arg_vvars: set[int] | None = None,
+        simplify_switches: bool = True,
+        simplify_ifelse: bool = True,
+    ):
         self.func = func
         self.region = region
-        self.variable_kb = variable_kb
+        self.arg_vvars = arg_vvars
         self._simplify_switches = simplify_switches
         self._should_simplify_ifelses = simplify_ifelse
 
@@ -54,7 +67,7 @@ class RegionSimplifier(Analysis):
         # Remove empty nodes again
         r = self._remove_empty_nodes(r)
 
-        if self.variable_kb is not None:
+        if self.arg_vvars is not None:
             # Fold expressions that are only used once into their use sites
             r = self._fold_oneuse_expressions(r)
             r = self._remove_empty_nodes(r)
@@ -88,8 +101,8 @@ class RegionSimplifier(Analysis):
     #
 
     def _fold_oneuse_expressions(self, region):
-        variable_manager = self.variable_kb.variables[self.func.addr]
-        expr_counter = ExpressionCounter(region, variable_manager)
+        # pylint:disable=unreachable
+        expr_counter = ExpressionCounter(region)
 
         variable_assignments = {}
         variable_uses = {}
@@ -126,7 +139,7 @@ class RegionSimplifier(Analysis):
             # make sure all variables that var depends on has been assigned at most once
             fail = False
             for dep_var in deps:
-                if dep_var.is_function_argument:
+                if self.arg_vvars is not None and dep_var in self.arg_vvars:
                     continue
                 if dep_var in expr_counter.assignments and len(expr_counter.assignments[dep_var]) > 1:
                     fail = True
@@ -151,8 +164,14 @@ class RegionSimplifier(Analysis):
                 del variable_assignments[var]
                 del variable_uses[var]
 
-        # replace them
-        ExpressionFolder(variable_assignments, variable_uses, region, variable_manager)
+        # ensure there is no interference between the call site and the use site
+        checker = InterferenceChecker(variable_assignments, variable_uses, region)
+        for varid in checker.interfered_assignments:
+            if varid in variable_assignments:
+                del variable_assignments[varid]
+                del variable_uses[varid]
+        # fold these expressions if possible
+        ExpressionFolder(variable_assignments, variable_uses, region)
         return region
 
     @staticmethod

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 import logging
 
 from ailment.manager import Manager
-from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement
+from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement, Jump
 from ailment.expression import (
     Expression,
     Register,
@@ -19,6 +19,7 @@ from ailment.expression import (
     ITE,
     Tmp,
     DirtyExpression,
+    Reinterpret,
 )
 
 from angr.engines.light.engine import SimEngineNostmtAIL
@@ -183,6 +184,12 @@ class SimEngineSSARewriting(
 
         return None
 
+    def _handle_stmt_Jump(self, stmt: Jump) -> Jump | None:
+        new_target = self._expr(stmt.target)
+        if new_target is not None:
+            return Jump(stmt.idx, new_target, stmt.target_idx, **stmt.tags)
+        return None
+
     def _handle_stmt_ConditionalJump(self, stmt: ConditionalJump) -> ConditionalJump | None:
         new_cond = self._expr(stmt.condition)
         new_true_target = self._expr(stmt.true_target) if stmt.true_target is not None else None
@@ -429,7 +436,18 @@ class SimEngineSSARewriting(
     def _handle_expr_Phi(self, expr):
         return None
 
-    def _handle_expr_Reinterpret(self, expr):
+    def _handle_expr_Reinterpret(self, expr: Reinterpret) -> Reinterpret | None:
+        new_operand = self._expr(expr.operand)
+        if new_operand is not None:
+            return Reinterpret(
+                expr.idx,
+                expr.from_bits,
+                expr.from_type,
+                expr.to_bits,
+                expr.to_type,
+                new_operand,
+                **expr.tags,
+            )
         return None
 
     def _handle_expr_StackBaseOffset(self, expr):

angr/analyses/decompiler/ssailification/traversal_engine.py

@@ -205,7 +205,7 @@ class SimEngineSSATraversal(SimEngineLightAIL[TraversalState, None, None, None])
     _handle_binop_Set = _handle_binop_Default
 
     def _handle_unop_Default(self, expr):
-        self._expr(expr.operands[0])
+        self._expr(expr.operand)
 
     _handle_unop_BitwiseNeg = _handle_unop_Default
     _handle_unop_Dereference = _handle_unop_Default
@@ -243,16 +243,17 @@ class SimEngineSSATraversal(SimEngineLightAIL[TraversalState, None, None, None])
         if expr.maddr is not None:
             self._expr(expr.maddr)
 
+    _handle_expr_Convert = _handle_unop_Default
+    _handle_expr_Reinterpret = _handle_unop_Default
+
     def _handle_Dummy(self, expr):
         pass
 
     _handle_expr_VirtualVariable = _handle_Dummy
     _handle_expr_Phi = _handle_Dummy
     _handle_expr_Load = _handle_Dummy
-    _handle_expr_Convert = _handle_Dummy
     _handle_expr_Const = _handle_Dummy
     _handle_expr_MultiStatementExpression = _handle_Dummy
-    _handle_expr_Reinterpret = _handle_Dummy
     _handle_expr_StackBaseOffset = _handle_Dummy
     _handle_expr_BasePointerOffset = _handle_Dummy
     _handle_expr_Call = _handle_Dummy

angr/analyses/decompiler/structured_codegen/c.py

@@ -2504,6 +2504,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         omit_func_header=False,
         display_block_addrs=False,
         display_vvar_ids=False,
+        min_data_addr: int = 0x400_000,
     ):
         super().__init__(flavor=flavor)
 
@@ -2578,6 +2579,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         self.omit_func_header = omit_func_header
         self.display_block_addrs = display_block_addrs
         self.display_vvar_ids = display_vvar_ids
+        self.min_data_addr = min_data_addr
         self.text = None
         self.map_pos_to_node = None
         self.map_pos_to_addr = None
@@ -3519,8 +3521,8 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
                     expr.value
                 ]
                 inline_string = True
-            elif isinstance(type_, SimTypePointer) and isinstance(type_.pts_to, SimTypeChar):
-                # char*
+            elif isinstance(type_, SimTypePointer) and isinstance(type_.pts_to, (SimTypeChar, SimTypeBottom)):
+                # char* or void*
                 # Try to get a string
                 if (
                     self._cfg is not None
@@ -3583,11 +3585,16 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             elif function_pointer:
                 self._function_pointers.add(expr.reference_variable)
 
+        var_access = None
         if variable is not None and not reference_values:
             cvar = self._variable(variable, None)
             offset = getattr(expr, "reference_variable_offset", 0)
-            return self._access_constant_offset_reference(self._get_variable_reference(cvar), offset, None)
+            var_access = self._access_constant_offset_reference(self._get_variable_reference(cvar), offset, None)
 
+        if var_access is not None and expr.value >= self.min_data_addr:
+            return var_access
+
+        reference_values["offset"] = var_access
         return CConstant(expr.value, type_, reference_values=reference_values, tags=expr.tags, codegen=self)
 
     def _handle_Expr_UnaryOp(self, expr, **kwargs):

angr/analyses/decompiler/structuring/dream.py

@@ -10,7 +10,7 @@ import claripy
 import ailment
 
 from angr.utils.graph import GraphUtils
-from angr.knowledge_plugins.cfg import IndirectJump, IndirectJumpType
+from angr.knowledge_plugins.cfg import IndirectJumpType
 from angr.analyses.decompiler.graph_region import GraphRegion
 from angr.analyses.decompiler.empty_node_remover import EmptyNodeRemover
 from angr.analyses.decompiler.jumptable_entry_condition_rewriter import JumpTableEntryConditionRewriter
@@ -112,6 +112,7 @@ class DreamStructurer(StructurerBase):
 
         loop_subgraph = self._region.graph
         successors = self._region.successors
+        assert successors is not None
 
         assert len(successors) <= 1
 
@@ -267,6 +268,7 @@ class DreamStructurer(StructurerBase):
 
     def _to_loop_body_sequence(self, loop_head, loop_subgraph, loop_successors):
         graph = self._region.graph_with_successors
+        assert graph is not None
         loop_region_graph = networkx.DiGraph()
 
         # TODO: Make sure the loop body has been structured
@@ -372,7 +374,7 @@ class DreamStructurer(StructurerBase):
             node.condition_and_nodes = new_cond_and_nodes
 
             if node.else_node is not None:
-                node.else_node = walker._handle(node.else_node)
+                node.else_node = walker._handle(node.else_node)  # type: ignore
             return node
 
         def _handle_SwitchCaseNode(node, **kwargs):  # pylint:disable=unused-argument
@@ -480,8 +482,6 @@ class DreamStructurer(StructurerBase):
         :return:        None
         """
 
-        jump_tables = self.kb.cfgs["CFGFast"].jump_tables
-
         addr2nodes: dict[int, set[CodeNode]] = defaultdict(set)
         for node in seq.nodes:
             addr2nodes[node.addr].add(node)
@@ -491,14 +491,14 @@ class DreamStructurer(StructurerBase):
                 node = seq.nodes[i]
 
                 # Jumptable_AddressLoadedFromMemory
-                r = self._make_switch_cases_address_loaded_from_memory(seq, i, node, addr2nodes, jump_tables)
+                r = self._make_switch_cases_address_loaded_from_memory(seq, i, node, addr2nodes)
                 if r:
                     # we found a node that looks like a switch-case. seq.nodes are changed. resume to find the next such
                     # case
                     break
 
                 # Jumptable_AddressComputed
-                r = self._make_switch_cases_address_computed(seq, i, node, addr2nodes, jump_tables)
+                r = self._make_switch_cases_address_computed(seq, i, node, addr2nodes)
                 if r:
                     break
 
@@ -506,9 +506,7 @@ class DreamStructurer(StructurerBase):
                 # we did not find any node that looks like a switch-case. exit.
                 break
 
-    def _make_switch_cases_address_loaded_from_memory(
-        self, seq, i, node, addr2nodes: dict[int, set[CodeNode]], jump_tables: dict[int, IndirectJump]
-    ) -> bool:
+    def _make_switch_cases_address_loaded_from_memory(self, seq, i, node, addr2nodes: dict[int, set[CodeNode]]) -> bool:
         """
         A typical jump table involves multiple nodes, which look like the following:
 
@@ -526,6 +524,8 @@ class DreamStructurer(StructurerBase):
 
         try:
             last_stmt = self.cond_proc.get_last_statement(node)
+            if not isinstance(last_stmt, ailment.Stmt.ConditionalJump):
+                return False
         except EmptyBlockNotice:
             return False
         successor_addrs = extract_jump_targets(last_stmt)
@@ -533,14 +533,14 @@ class DreamStructurer(StructurerBase):
             return False
 
         for t in successor_addrs:
-            if t in addr2nodes and t in jump_tables:
+            if t in addr2nodes and t in self.jump_tables:
                 # this is a candidate!
                 target = t
                 break
         else:
             return False
 
-        jump_table = jump_tables[target]
+        jump_table = self.jump_tables[target]
         if jump_table.type != IndirectJumpType.Jumptable_AddressLoadedFromMemory:
             return False
 
@@ -563,13 +563,20 @@ class DreamStructurer(StructurerBase):
             return False
 
         # build switch-cases
+        assert jump_table.jumptable_entries is not None
         cases, node_default, to_remove = self._switch_build_cases(
             seq, cmp_lb, jump_table.jumptable_entries, i, node_b_addr, addr2nodes
         )
         # if we don't know what the end address of this switch-case structure is, let's figure it out
-        switch_end_addr = node_b_addr if node_default is None else None
-        self._switch_handle_gotos(cases, node_default, switch_end_addr)
+        switch_end_addr = (
+            node_b_addr
+            if node_default is None
+            else self._switch_find_switch_end_addr(cases, node_default, {nn.addr for nn in self._region.graph})
+        )
+        if switch_end_addr is not None:
+            self._switch_handle_gotos(cases, node_default, switch_end_addr)
 
+        assert last_stmt.ins_addr is not None
         self._make_switch_cases_core(
             seq,
             i,
@@ -586,12 +593,10 @@ class DreamStructurer(StructurerBase):
 
         return True
 
-    def _make_switch_cases_address_computed(
-        self, seq, i, node, addr2nodes: dict[int, set[CodeNode]], jump_tables: dict[int, IndirectJump]
-    ) -> bool:
-        if node.addr not in jump_tables:
+    def _make_switch_cases_address_computed(self, seq, i, node, addr2nodes: dict[int, set[CodeNode]]) -> bool:
+        if node.addr not in self.jump_tables:
             return False
-        jump_table = jump_tables[node.addr]
+        jump_table = self.jump_tables[node.addr]
         if jump_table.type != IndirectJumpType.Jumptable_AddressComputed:
             return False
 
@@ -617,9 +622,11 @@ class DreamStructurer(StructurerBase):
         cmp_expr, cmp_lb, cmp_ub = cmp  # pylint:disable=unused-variable
 
         jumptable_entries = jump_table.jumptable_entries
+        assert jumptable_entries is not None
 
         if isinstance(last_stmt.false_target, ailment.Expr.Const):
             default_addr = last_stmt.false_target.value
+            assert isinstance(default_addr, int)
         else:
             return False
 
@@ -656,8 +663,9 @@ class DreamStructurer(StructurerBase):
         addr,
         addr2nodes,
         to_remove,
+        *,
+        jumptable_addr: int,
         node_a=None,
-        jumptable_addr=None,
     ):
         scnode = SwitchCaseNode(cmp_expr, cases, node_default, addr=addr)
         scnode = CodeNode(scnode, node.reaching_condition)
@@ -715,6 +723,7 @@ class DreamStructurer(StructurerBase):
         ):
             # unpacking is needed
             for n in node_a.node.nodes:
+                assert n.addr is not None
                 if isinstance(n, ConditionNode):
                     unpacked = self._switch_unpack_condition_node(n, jumptable)
                     if unpacked is None: