angr 9.2.138__py3-none-manylinux2014_x86_64.whl → 9.2.140__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/structuring/recursive_structurer.py

@@ -92,6 +92,7 @@ class RecursiveStructurer(Analysis):
                     case_entry_to_switch_head=self._case_entry_to_switch_head,
                     func=self.function,
                     parent_region=parent_region,
+                    jump_tables=self.kb.cfgs["CFGFast"].jump_tables,
                     **self.structurer_options,
                 )
                 # replace this region with the resulting node in its parent region... if it's not an orphan

angr/analyses/decompiler/structuring/structurer_base.py

@@ -19,6 +19,8 @@ from angr.analyses.decompiler.utils import (
     has_nonlabel_nonphi_statements,
 )
 from angr.analyses.decompiler.label_collector import LabelCollector
+from angr.errors import AngrDecompilationError
+from angr.knowledge_plugins.cfg import IndirectJump
 from .structurer_nodes import (
     MultiNode,
     SequenceNode,
@@ -32,6 +34,7 @@ from .structurer_nodes import (
     BreakNode,
     LoopNode,
     EmptyBlockNotice,
+    IncompleteSwitchCaseNode,
 )
 
 if TYPE_CHECKING:
@@ -49,7 +52,7 @@ class StructurerBase(Analysis):
     longer exist due to empty node removal during structuring or prior steps.
     """
 
-    NAME: str = None
+    NAME: str = "StructurerBase"
 
     def __init__(
         self,
@@ -59,6 +62,7 @@ class StructurerBase(Analysis):
         func: Function | None = None,
         case_entry_to_switch_head: dict[int, int] | None = None,
         parent_region=None,
+        jump_tables: dict[int, IndirectJump] | None = None,
         **kwargs,
     ):
         self._region: GraphRegion = region
@@ -66,6 +70,7 @@ class StructurerBase(Analysis):
         self.function = func
         self._case_entry_to_switch_head = case_entry_to_switch_head
         self._parent_region = parent_region
+        self.jump_tables = jump_tables or {}
 
         self.cond_proc = (
             condition_processor if condition_processor is not None else ConditionProcessor(self.project.arch)
@@ -132,16 +137,9 @@ class StructurerBase(Analysis):
         return seq
 
     @staticmethod
-    def _switch_handle_gotos(cases, default, switch_end_addr):
-        """
-        For each case, convert the goto that goes outside of the switch-case to a break statement.
-
-        :param dict cases:              A dict of switch-cases.
-        :param default:                 The default node.
-        :param int|None node_b_addr:    Address of the end of the switch.
-        :return:                        None
-        """
-
+    def _switch_find_switch_end_addr(
+        cases: dict[int, BaseNode], default: BaseNode | ailment.Block | None, region_node_addrs: set[int]
+    ) -> int | None:
         goto_addrs = defaultdict(int)
 
         def _find_gotos(block, **kwargs):
@@ -155,20 +153,54 @@ class StructurerBase(Analysis):
                             continue
                         goto_addrs[t] += 1
 
-        if switch_end_addr is None:
-            # we need to figure this out
-            handlers = {ailment.Block: _find_gotos}
+        # we need to figure this out
+        handlers = {ailment.Block: _find_gotos}
 
-            walker = SequenceWalker(handlers=handlers)
-            for case_node in cases.values():
-                walker.walk(case_node)
-            if default is not None:
-                walker.walk(default)
+        walker = SequenceWalker(handlers=handlers)
+        for case_node in cases.values():
+            walker.walk(case_node)
+        if default is not None:
+            walker.walk(default)
 
-            if not goto_addrs:
-                # there is no Goto statement - perfect
-                return
-            switch_end_addr = sorted(goto_addrs.items(), key=lambda x: x[1], reverse=True)[0][0]
+        if not goto_addrs:
+            # there is no Goto statement - perfect, we don't need a switch-end node
+            return None
+        if len(goto_addrs) > 1 and any(a in region_node_addrs for a in goto_addrs):
+            goto_addrs = {a: times for a, times in goto_addrs.items() if a in region_node_addrs}
+        return sorted(goto_addrs.items(), key=lambda x: x[1], reverse=True)[0][0]
+
+    def _switch_handle_gotos(self, cases: dict[int, BaseNode], default, switch_end_addr: int) -> None:
+        """
+        For each case, convert the goto that goes outside of the switch-case to a break statement.
+
+        :param cases:              A dict of switch-cases.
+        :param default:                 The default node.
+        :param node_b_addr:    Address of the end of the switch.
+        :return:                        None
+        """
+
+        # ensure every case node ends with a control-flow transition statement
+        # FIXME: The following logic only handles one case. are there other cases?
+        for case_addr in cases:
+            case_node = cases[case_addr]
+            if (
+                isinstance(case_node, SequenceNode)
+                and case_node.nodes
+                and isinstance(case_node.nodes[-1], ConditionNode)
+            ):
+                cond_node = case_node.nodes[-1]
+                if (cond_node.true_node is None and cond_node.false_node is not None) or (
+                    cond_node.false_node is None and cond_node.true_node is not None
+                ):
+                    # the last node is a condition node and only has one branch - we need a goto statement to ensure it
+                    # does not fall through to the next branch
+                    goto_stmt = ailment.Stmt.Jump(
+                        None,
+                        ailment.Expr.Const(None, None, switch_end_addr, self.project.arch.bits),
+                        target_idx=None,
+                        ins_addr=cond_node.addr,
+                    )
+                    case_node.nodes.append(ailment.Block(cond_node.addr, 0, statements=[goto_stmt], idx=None))
 
         # rewrite all _goto switch_end_addr_ to _break_
 
@@ -262,7 +294,7 @@ class StructurerBase(Analysis):
                         and this_node.statements
                         and isinstance(this_node.statements[-1], (ailment.Stmt.Jump, ailment.Stmt.ConditionalJump))
                     ):
-                        jump_stmt = this_node.statements[-1]
+                        jump_stmt = this_node.statements[-1]  # type: ignore
                     elif (
                         isinstance(this_node, MultiNode)
                         and this_node.nodes
@@ -273,9 +305,10 @@ class StructurerBase(Analysis):
                         )
                     ):
                         this_node = this_node.nodes[-1]
-                        jump_stmt = this_node.statements[-1]
+                        jump_stmt = this_node.statements[-1]  # type: ignore
 
                     if isinstance(jump_stmt, ailment.Stmt.Jump):
+                        assert isinstance(this_node, ailment.Block)
                         next_node = node.nodes[i + 1]
                         if (
                             isinstance(jump_stmt.target, ailment.Expr.Const)
@@ -284,6 +317,7 @@ class StructurerBase(Analysis):
                             # this goto is useless
                             this_node.statements = this_node.statements[:-1]
                     elif isinstance(jump_stmt, ailment.Stmt.ConditionalJump):
+                        assert isinstance(this_node, ailment.Block)
                         next_node = node.nodes[i + 1]
                         if (
                             isinstance(jump_stmt.true_target, ailment.Expr.Const)
@@ -337,6 +371,7 @@ class StructurerBase(Analysis):
                         jump_stmt = this_node.nodes[-1].statements[-1]
                         this_node = this_node.nodes[-1]
 
+                    assert isinstance(this_node, ailment.Block)
                     if isinstance(jump_stmt, ailment.Stmt.Jump):
                         next_node = node.nodes[i + 1]
                         if (
@@ -387,7 +422,7 @@ class StructurerBase(Analysis):
         return seq
 
     def _rewrite_conditional_jumps_to_breaks(self, loop_node, successor_addrs):
-        def _rewrite_conditional_jump_to_break(node: ailment.Block, parent=None, index=None, label=None, **kwargs):
+        def _rewrite_conditional_jump_to_break(node: ailment.Block, *, parent, index: int, label=None, **kwargs):
             if not node.statements:
                 return
 
@@ -481,7 +516,7 @@ class StructurerBase(Analysis):
         ):
             continue_node_addr = loop_node.condition.ins_addr
 
-        def _rewrite_jump_to_continue(node, parent=None, index=None, label=None, **kwargs):
+        def _rewrite_jump_to_continue(node, *, parent, index: int, label=None, **kwargs):
             if not node.statements:
                 return
             stmt = node.statements[-1]
@@ -593,6 +628,7 @@ class StructurerBase(Analysis):
             if (true_target_value is not None and true_target_value in loop_successor_addrs) and (
                 false_target_value is None or false_target_value not in loop_successor_addrs
             ):
+                assert last_stmt.true_target is not None
                 cond = last_stmt.condition
                 target = last_stmt.true_target.value
                 new_node = ConditionalBreakNode(
@@ -601,6 +637,7 @@ class StructurerBase(Analysis):
             elif (false_target_value is not None and false_target_value in loop_successor_addrs) and (
                 true_target_value is None or true_target_value not in loop_successor_addrs
             ):
+                assert last_stmt.false_target is not None
                 cond = ailment.Expr.UnaryOp(last_stmt.condition.idx, "Not", last_stmt.condition)
                 target = last_stmt.false_target.value
                 new_node = ConditionalBreakNode(
@@ -611,10 +648,11 @@ class StructurerBase(Analysis):
             ):
                 # both targets are pointing outside the loop
                 # we should use just add a break node
+                assert last_stmt.false_target is not None
                 new_node = BreakNode(last_stmt.ins_addr, last_stmt.false_target.value)
             else:
                 _l.warning("None of the branches is jumping to outside of the loop")
-                raise Exception
+                raise AngrDecompilationError("Unexpected: None of the branches is jumping to outside of the loop")
 
         return new_node
 
@@ -622,6 +660,13 @@ class StructurerBase(Analysis):
     def _merge_conditional_breaks(seq):
         # Find consecutive ConditionalBreakNodes and merge their conditions
 
+        class _Holder:
+            """
+            Holds values so that handlers can access them directly.
+            """
+
+            merged = False
+
         def _handle_SequenceNode(seq_node, parent=None, index=0, label=None):
             new_nodes = []
             i = 0
@@ -642,7 +687,7 @@ class StructurerBase(Analysis):
                             claripy.Or(node.condition, prev_node.condition)
                         )
                         new_node = ConditionalBreakNode(node.addr, merged_condition, node.target)
-                        walker.merged = True
+                        _Holder.merged = True
                 else:
                     walker._handle(node, parent=seq_node, index=i)
 
@@ -659,13 +704,20 @@ class StructurerBase(Analysis):
         }
 
         walker = SequenceWalker(handlers=handlers)
-        walker.merged = False  # this is just a hack
+        _Holder.merged = False  # this is just a hack
         walker.walk(seq)
-        return walker.merged, seq
+        return _Holder.merged, seq
 
     def _merge_nesting_conditionals(self, seq):
         # find if(A) { if(B) { ... ] } and simplify them to if( A && B ) { ... }
 
+        class _Holder:
+            """
+            Holds values so that handlers can access them directly.
+            """
+
+            merged = False
+
         def _condnode_truenode_only(node):
             if type(node) is CodeNode:
                 # unpack
@@ -693,9 +745,11 @@ class StructurerBase(Analysis):
                 node = seq_node.nodes[i]
                 r, cond_node = _condnode_truenode_only(node)
                 if r:
+                    assert cond_node is not None
                     r, cond_node_inner = _condnode_truenode_only(cond_node.true_node)
                     if r:
                         # amazing!
+                        assert cond_node_inner is not None
                         merged_cond = ConditionProcessor.simplify_condition(
                             claripy.And(
                                 self.cond_proc.claripy_ast_from_ail_condition(cond_node.condition),
@@ -704,13 +758,14 @@ class StructurerBase(Analysis):
                         )
                         new_node = ConditionNode(cond_node.addr, None, merged_cond, cond_node_inner.true_node, None)
                         seq_node.nodes[i] = new_node
-                        walker.merged = True
+                        _Holder.merged = True
                         i += 1
                         continue
                     # else:
                     r, condbreak_node = _condbreaknode(cond_node.true_node)
                     if r:
                         # amazing!
+                        assert condbreak_node is not None
                         merged_cond = ConditionProcessor.simplify_condition(
                             claripy.And(
                                 self.cond_proc.claripy_ast_from_ail_condition(cond_node.condition),
@@ -719,7 +774,7 @@ class StructurerBase(Analysis):
                         )
                         new_node = ConditionalBreakNode(condbreak_node.addr, merged_cond, condbreak_node.target)
                         seq_node.nodes[i] = new_node
-                        walker.merged = True
+                        _Holder.merged = True
                         i += 1
                         continue
 
@@ -732,14 +787,10 @@ class StructurerBase(Analysis):
         }
 
         walker = SequenceWalker(handlers=handlers)
-        walker.merged = False  # this is just a hack
+        _Holder.merged = False  # this is just a hack
         walker.walk(seq)
 
-        return walker.merged, seq
-
-    #
-    # Util methods
-    #
+        return _Holder.merged, seq
 
     def _reorganize_switch_cases(
         self, cases: OrderedDict[int | tuple[int, ...], SequenceNode]
@@ -747,10 +798,11 @@ class StructurerBase(Analysis):
         new_cases = OrderedDict()
 
         caseid2gotoaddrs = {}
-        addr2caseids: dict[int, list[int, tuple[int, ...]]] = defaultdict(list)
+        addr2caseids: dict[int, list[int | tuple[int, ...]]] = defaultdict(list)
 
         # collect goto locations
         for idx, case_node in cases.items():
+            assert case_node.addr is not None
             addr2caseids[case_node.addr].append(idx)
             try:
                 last_stmt = self.cond_proc.get_last_statement(case_node)
@@ -842,12 +894,12 @@ class StructurerBase(Analysis):
                 if isinstance(last_stmt.false_target, ailment.Expr.Const):
                     jump_targets.append((last_stmt.false_target.value, last_stmt.false_target_idx))
             if any(tpl in addr_and_ids for tpl in jump_targets):
-                return remove_last_statement(node)
+                return remove_last_statement(node)  # type: ignore
         return None
 
     @staticmethod
     def _remove_last_statement_if_jump(
-        node: BaseNode | ailment.Block,
+        node: BaseNode | ailment.Block | MultiNode,
     ) -> ailment.Stmt.Jump | ailment.Stmt.ConditionalJump | None:
         try:
             last_stmts = ConditionProcessor.get_last_statements(node)
@@ -855,7 +907,7 @@ class StructurerBase(Analysis):
             return None
 
         if len(last_stmts) == 1 and isinstance(last_stmts[0], (ailment.Stmt.Jump, ailment.Stmt.ConditionalJump)):
-            return remove_last_statement(node)
+            return remove_last_statement(node)  # type: ignore
         return None
 
     @staticmethod
@@ -945,8 +997,8 @@ class StructurerBase(Analysis):
     @staticmethod
     def replace_node_in_node(
         parent_node: BaseNode,
-        old_node: BaseNode | ailment.Block,
-        new_node: BaseNode | ailment.Block,
+        old_node: BaseNode | ailment.Block | MultiNode,
+        new_node: BaseNode | ailment.Block | MultiNode,
     ) -> None:
         if isinstance(parent_node, SequenceNode):
             for i in range(len(parent_node.nodes)):  # pylint:disable=consider-using-enumerate
@@ -969,7 +1021,9 @@ class StructurerBase(Analysis):
             raise TypeError(f"Unsupported node type {type(parent_node)}")
 
     @staticmethod
-    def is_a_jump_target(stmt: ailment.Stmt.ConditionalJump | ailment.Stmt.Jump, addr: int) -> bool:
+    def is_a_jump_target(
+        stmt: ailment.Stmt.ConditionalJump | ailment.Stmt.Jump | ailment.Stmt.Statement, addr: int
+    ) -> bool:
         if isinstance(stmt, ailment.Stmt.ConditionalJump):
             if isinstance(stmt.true_target, ailment.Expr.Const) and stmt.true_target.value == addr:
                 return True
@@ -989,3 +1043,24 @@ class StructurerBase(Analysis):
         if isinstance(node, SequenceNode):
             return any(StructurerBase.has_nonlabel_nonphi_statements(nn) for nn in node.nodes)
         return False
+
+    def _node_ending_with_jump_table_header(self, node: BaseNode) -> tuple[int | None, IndirectJump | None]:
+        if isinstance(node, (ailment.Block, MultiNode, IncompleteSwitchCaseNode)):
+            assert node.addr is not None
+            return node.addr, self.jump_tables.get(node.addr, None)
+        if isinstance(node, SequenceNode):
+            return node.addr, self._node_ending_with_jump_table_header(node.nodes[-1])[1]
+        return None, None
+
+    @staticmethod
+    def _switch_find_default_node(
+        graph: networkx.DiGraph, head_node: BaseNode, default_node_addr: int
+    ) -> BaseNode | None:
+        # it is possible that the default node gets duplicated by other analyses and creates a default node (addr.a)
+        # and a case node (addr.b). The addr.a node is a successor to the head node while the addr.b node is a
+        # successor to node_a
+        default_node_candidates = [nn for nn in graph.nodes if nn.addr == default_node_addr]
+        node_default: BaseNode | None = next(
+            iter(nn for nn in default_node_candidates if graph.has_edge(head_node, nn)), None
+        )
+        return node_default

angr/analyses/decompiler/structuring/structurer_nodes.py

@@ -230,7 +230,12 @@ class CascadingConditionNode(BaseNode):
         "else_node",
     )
 
-    def __init__(self, addr, condition_and_nodes: list[tuple[Any, BaseNode]], else_node: BaseNode = None):
+    def __init__(
+        self,
+        addr,
+        condition_and_nodes: list[tuple[Any, BaseNode | ailment.Block | MultiNode]],
+        else_node: BaseNode = None,
+    ):
         self.addr = addr
         self.condition_and_nodes = condition_and_nodes
         self.else_node = else_node

angr/analyses/decompiler/utils.py

@@ -144,7 +144,9 @@ def extract_jump_targets(stmt):
     return targets
 
 
-def switch_extract_cmp_bounds(last_stmt: ailment.Stmt.ConditionalJump) -> tuple[Any, int, int] | None:
+def switch_extract_cmp_bounds(
+    last_stmt: ailment.Stmt.ConditionalJump | ailment.Stmt.Statement,
+) -> tuple[Any, int, int] | None:
     """
     Check the last statement of the switch-case header node, and extract lower+upper bounds for the comparison.
 
@@ -175,6 +177,54 @@ def switch_extract_cmp_bounds(last_stmt: ailment.Stmt.ConditionalJump) -> tuple[
     return None
 
 
+def switch_extract_switch_expr_from_jump_target(target: ailment.Expr.Expression) -> ailment.Expr.Expression | None:
+    """
+    Extract the switch expression from the indirect jump target expression.
+
+    :param target:  The target of the indirect jump statement.
+    :return:        The extracted expression if successful, or None otherwise.
+    """
+
+    # e.g.: Jump (Conv(32->64, (Load(addr=((0x140000000<64> + (vvar_229{reg 80} * 0x4<64>)) + 0x2290<64>),
+    #               size=4,
+    #               endness=Iend_LE
+    #             ) + 0x140000000<32>)))
+
+    found_load = False
+    while True:
+        if isinstance(target, ailment.Expr.Convert):
+            if target.from_bits < target.to_bits:
+                target = target.operand
+            else:
+                return None
+        elif isinstance(target, ailment.Expr.BinaryOp):
+            if target.op == "Add":
+                # it must be adding the target expr with a constant
+                if isinstance(target.operands[0], ailment.Expr.Const):
+                    target = target.operands[1]
+                elif isinstance(target.operands[1], ailment.Expr.Const):
+                    target = target.operands[0]
+                else:
+                    return None
+            elif target.op == "Mul":
+                # it must be multiplying the target expr with a constant
+                if isinstance(target.operands[0], ailment.Expr.Const):
+                    target = target.operands[1]
+                elif isinstance(target.operands[1], ailment.Expr.Const):
+                    target = target.operands[0]
+                else:
+                    return None
+        elif isinstance(target, ailment.Expr.Load):
+            # we want the address!
+            found_load = True
+            target = target.addr
+        elif isinstance(target, ailment.Expr.VirtualVariable):
+            break
+        else:
+            return None
+    return target if found_load else None
+
+
 def switch_extract_bitwiseand_jumptable_info(last_stmt: ailment.Stmt.Jump) -> tuple[Any, int, int] | None:
     """
     Check the last statement of the switch-case header node (whose address is loaded from a jump table and computed
@@ -973,6 +1023,15 @@ def sequence_to_statements(
     return statements
 
 
+def remove_edges_in_ailgraph(
+    ail_graph: networkx.DiGraph, edges_to_remove: list[tuple[tuple[int, int | None], tuple[int, int | None]]]
+) -> None:
+    d = {(bb.addr, bb.idx): bb for bb in ail_graph}
+    for src_addr, dst_addr in edges_to_remove:
+        if src_addr in d and dst_addr in d and ail_graph.has_edge(d[src_addr], d[dst_addr]):
+            ail_graph.remove_edge(d[src_addr], d[dst_addr])
+
+
 # delayed import
 from .structuring.structurer_nodes import (
     MultiNode,

angr/analyses/deobfuscator/api_obf_finder.py

@@ -12,6 +12,7 @@ import claripy
 from angr import SIM_LIBRARIES
 from angr.calling_conventions import SimRegArg
 from angr.errors import SimMemoryMissingError
+from angr.knowledge_base import KnowledgeBase
 from angr.knowledge_plugins.key_definitions.constants import ObservationPointType
 from angr.sim_type import SimTypePointer, SimTypeChar
 from angr.analyses import Analysis, AnalysesHub
@@ -25,6 +26,8 @@ from angr.analyses.decompiler.structured_codegen.c import (
     CVariable,
 )
 
+from .api_obf_type2_finder import APIObfuscationType2Finder
+
 _l = logging.getLogger(name=__name__)
 
 
@@ -33,7 +36,7 @@ class APIObfuscationType(IntEnum):
 
 
 class APIDeobFuncDescriptor:
-    def __init__(self, type_: APIObfuscationType, func_addr=None, libname_argidx=None, funcname_argidx=None):
+    def __init__(self, type_: APIObfuscationType, *, func_addr: int, libname_argidx: int, funcname_argidx: int):
         self.type = type_
         self.func_addr = func_addr
         self.libname_argidx = libname_argidx
@@ -90,11 +93,13 @@ class APIObfuscationFinder(Analysis):
 
     Currently, we support the following API "obfuscation" styles:
 
-    - sub_A("dll_name", "api_name) where sub_a ends up calling LoadLibrary.
+    - Type 1: sub_A("dll_name", "api_name") where sub_A ends up calling LoadLibrary.
+    - Type 2: GetProcAddress(_, "api_name").
     """
 
-    def __init__(self):
+    def __init__(self, variable_kb: KnowledgeBase | None = None):
         self.type1_candidates = []
+        self.variable_kb = variable_kb or self.project.kb
 
         self.analyze()
 
@@ -106,6 +111,8 @@ class APIObfuscationFinder(Analysis):
                 type1_deobfuscated = self._analyze_type1(desc.func_addr, desc)
                 self.kb.obfuscations.type1_deobfuscated_apis.update(type1_deobfuscated)
 
+        APIObfuscationType2Finder(self.project, self.variable_kb).analyze()
+
     def _find_type1(self):
         cfg = self.kb.cfgs.get_most_accurate()
         load_library_funcs = []
@@ -190,6 +197,8 @@ class APIObfuscationFinder(Analysis):
                     callsite_node.instruction_addrs[-1],
                     ObservationPointType.OP_BEFORE,
                 )
+                if observ is None:
+                    continue
                 args: list[tuple[int, Any]] = []
                 for arg_idx, func_arg in enumerate(func.arguments):
                     # FIXME: We are ignoring all non-register function arguments until we see a test case where
@@ -227,9 +236,8 @@ class APIObfuscationFinder(Analysis):
                                 acceptable_args = False
                                 break
                             arg_strs.append((idx, value.decode("utf-8")))
-                if acceptable_args:
+                if acceptable_args and len(arg_strs) == 2:
                     libname_arg_idx, funcname_arg_idx = None, None
-                    assert len(arg_strs) == 2
                     for arg_idx, name in arg_strs:
                         if self.is_libname(name):
                             libname_arg_idx = arg_idx