angr 9.2.139__py3-none-manylinux2014_aarch64.whl → 9.2.141__py3-none-manylinux2014_aarch64.whl

angr/analyses/deobfuscator/string_obf_finder.py

@@ -9,11 +9,11 @@ import networkx
 
 import claripy
 
-from angr import sim_options
 from angr.analyses import Analysis, AnalysesHub
-from angr.errors import SimMemoryMissingError, AngrCallableMultistateError, AngrCallableError
+from angr.errors import SimMemoryMissingError, AngrCallableMultistateError, AngrCallableError, AngrAnalysisError
 from angr.calling_conventions import SimRegArg, default_cc
 from angr.state_plugins.sim_action import SimActionData
+from angr.sim_options import ZERO_FILL_UNCONSTRAINED_REGISTERS, ZERO_FILL_UNCONSTRAINED_MEMORY, TRACK_MEMORY_ACTIONS
 from angr.sim_type import SimTypeFunction, SimTypeBottom, SimTypePointer
 from angr.analyses.reaching_definitions import ObservationPointType
 from angr.utils.graph import GraphUtils
@@ -23,12 +23,23 @@ from .irsb_reg_collector import IRSBRegisterCollector
 _l = logging.getLogger(__name__)
 
 
+STEP_LIMIT_FIND = 500
+STEP_LIMIT_ANALYSIS = 5000
+
+
 class StringDeobFuncDescriptor:
+    """
+    Describes a string deobfuscation function.
+    """
+
+    string_input_arg_idx: int
+    string_output_arg_idx: int
+    string_length_arg_idx: int | None
+    string_null_terminating: bool | None
+
     def __init__(self):
-        self.string_input_arg_idx = None
-        self.string_output_arg_idx = None
         self.string_length_arg_idx = None
-        self.string_null_terminating: bool | None = None
+        self.string_null_terminating = None
 
 
 class StringObfuscationFinder(Analysis):
@@ -89,6 +100,9 @@ class StringObfuscationFinder(Analysis):
         # Type 1 string deobfuscation functions will decrypt each string once and for good.
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
+
         arch = self.project.arch
 
         type1_candidates: list[tuple[int, StringDeobFuncDescriptor]] = []
@@ -100,6 +114,10 @@ class StringObfuscationFinder(Analysis):
             if func.prototype is None or len(func.prototype.args) < 1:
                 continue
 
+            if len(func.arguments) != len(func.prototype.args):
+                # function argument locations and function prototype arguments do not match
+                continue
+
             if self.project.kb.functions.callgraph.out_degree[func.addr] != 0:
                 continue
 
@@ -123,14 +141,22 @@ class StringObfuscationFinder(Analysis):
                 dec = self.project.analyses.Decompiler(func, cfg=cfg)
             except Exception:  # pylint:disable=broad-exception-caught
                 continue
-            if dec.codegen is None or not self._like_type1_deobfuscation_function(dec.codegen.text):
+            if (
+                dec.codegen is None
+                or not dec.codegen.text
+                or not self._like_type1_deobfuscation_function(dec.codegen.text)
+            ):
+                continue
+
+            func_node = cfg.get_any_node(func.addr)
+            if func_node is None:
                 continue
 
             args_list = []
             for caller in callers:
                 callsite_nodes = [
                     pred
-                    for pred in cfg.get_predecessors(cfg.get_any_node(func.addr))
+                    for pred in cfg.get_predecessors(func_node)
                     if pred.function_address == caller and pred.instruction_addrs
                 ]
                 observation_points = []
@@ -148,15 +174,21 @@ class StringObfuscationFinder(Analysis):
                         callsite_node.instruction_addrs[-1],
                         ObservationPointType.OP_BEFORE,
                     )
+                    if observ is None:
+                        continue
                     # load values for each function argument
                     args: list[tuple[int, Any]] = []
                     for arg_idx, func_arg in enumerate(func.arguments):
                         # FIXME: We are ignoring all non-register function arguments until we see a test case where
                         # FIXME: stack-passing arguments are used
+                        real_arg = func.prototype.args[arg_idx]
                         if isinstance(func_arg, SimRegArg):
                             reg_offset, reg_size = arch.registers[func_arg.reg_name]
+                            arg_size = (
+                                real_arg.size if real_arg.size is not None else reg_size
+                            ) // self.project.arch.byte_width
                             try:
-                                mv = observ.registers.load(reg_offset, size=reg_size)
+                                mv = observ.registers.load(reg_offset, size=arg_size)
                             except SimMemoryMissingError:
                                 args.append((arg_idx, claripy.BVV(0xDEADBEEF, self.project.arch.bits)))
                                 continue
@@ -185,7 +217,15 @@ class StringObfuscationFinder(Analysis):
             # now that we have good arguments, let's test the function!
             for args in args_list:
                 func_call = self.project.factory.callable(
-                    func.addr, concrete_only=True, cc=func.calling_convention, prototype=func.prototype
+                    func.addr,
+                    concrete_only=True,
+                    cc=func.calling_convention,
+                    prototype=func.prototype,
+                    add_options={
+                        ZERO_FILL_UNCONSTRAINED_MEMORY,
+                        ZERO_FILL_UNCONSTRAINED_REGISTERS,
+                    },
+                    step_limit=STEP_LIMIT_FIND,
                 )
 
                 # before calling the function, let's record the crime scene
@@ -202,6 +242,9 @@ class StringObfuscationFinder(Analysis):
                 except (AngrCallableMultistateError, AngrCallableError):
                     continue
 
+                if func_call.result_state is None:
+                    continue
+
                 # let's see what this amazing function has done
                 # TODO: Support cases where input and output are using different function arguments
                 for arg_idx, addr, old_value in values:
@@ -240,6 +283,9 @@ class StringObfuscationFinder(Analysis):
 
         arch = self.project.arch
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
+
         func = self.kb.functions.get_by_addr(func_addr)
         func_node = cfg.get_any_node(func_addr)
         assert func_node is not None
@@ -260,14 +306,20 @@ class StringObfuscationFinder(Analysis):
                 callsite_node.instruction_addrs[-1],
                 ObservationPointType.OP_BEFORE,
             )
+            if observ is None:
+                continue
             args = []
-            for func_arg in func.arguments:
+            assert func.prototype is not None and len(func.arguments) == len(func.prototype.args)
+            for func_arg, real_arg in zip(func.arguments, func.prototype.args):
                 # FIXME: We are ignoring all non-register function arguments until we see a test case where
                 # FIXME: stack-passing arguments are used
                 if isinstance(func_arg, SimRegArg):
                     reg_offset, reg_size = arch.registers[func_arg.reg_name]
+                    arg_size = (
+                        real_arg.size if real_arg.size is not None else reg_size
+                    ) // self.project.arch.byte_width
                     try:
-                        mv = observ.registers.load(reg_offset, size=reg_size)
+                        mv = observ.registers.load(reg_offset, size=arg_size)
                     except SimMemoryMissingError:
                         args.append(claripy.BVV(0xDEADBEEF, self.project.arch.bits))
                         continue
@@ -286,7 +338,12 @@ class StringObfuscationFinder(Analysis):
 
             # call the function
             func_call = self.project.factory.callable(
-                func.addr, concrete_only=True, cc=func.calling_convention, prototype=func.prototype
+                func.addr,
+                concrete_only=True,
+                cc=func.calling_convention,
+                prototype=func.prototype,
+                add_options={ZERO_FILL_UNCONSTRAINED_MEMORY, ZERO_FILL_UNCONSTRAINED_REGISTERS},
+                step_limit=STEP_LIMIT_ANALYSIS,
             )
             try:
                 func_call(*args)
@@ -303,6 +360,9 @@ class StringObfuscationFinder(Analysis):
                 )
                 continue
 
+            if func_call.result_state is None:
+                continue
+
             # dump the decrypted string!
             output_addr = args[desc.string_output_arg_idx]
             length = args[desc.string_length_arg_idx].concrete_value if desc.string_length_arg_idx is not None else 256
@@ -322,6 +382,8 @@ class StringObfuscationFinder(Analysis):
             xref_set = xrefs.get_xrefs_by_dst(str_addr)
             block_addrs = {xref.block_addr for xref in xref_set}
             for block_addr in block_addrs:
+                if block_addr is None:
+                    continue
                 node = cfg.get_any_node(block_addr)
                 if node is not None:
                     callees = list(self.kb.functions.callgraph.successors(node.function_address))
@@ -340,6 +402,8 @@ class StringObfuscationFinder(Analysis):
         # Type 2 string deobfuscation functions will decrypt each string once and for good.
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
 
         type2_candidates: list[tuple[int, StringDeobFuncDescriptor, list[tuple[int, int, bytes]]]] = []
 
@@ -374,7 +438,11 @@ class StringObfuscationFinder(Analysis):
                 dec = self.project.analyses.Decompiler(func, cfg=cfg, expr_collapse_depth=64)
             except Exception:  # pylint:disable=broad-exception-caught
                 continue
-            if dec.codegen is None or not self._like_type2_deobfuscation_function(dec.codegen.text):
+            if (
+                dec.codegen is None
+                or not dec.codegen.text
+                or not self._like_type2_deobfuscation_function(dec.codegen.text)
+            ):
                 continue
 
             desc = StringDeobFuncDescriptor()
@@ -384,7 +452,8 @@ class StringObfuscationFinder(Analysis):
                 concrete_only=True,
                 cc=func.calling_convention,
                 prototype=func.prototype,
-                add_options={sim_options.TRACK_MEMORY_ACTIONS},
+                add_options={TRACK_MEMORY_ACTIONS, ZERO_FILL_UNCONSTRAINED_MEMORY, ZERO_FILL_UNCONSTRAINED_REGISTERS},
+                step_limit=STEP_LIMIT_FIND,
             )
 
             try:
@@ -392,6 +461,9 @@ class StringObfuscationFinder(Analysis):
             except (AngrCallableMultistateError, AngrCallableError):
                 continue
 
+            if func_call.result_state is None:
+                continue
+
             # where are the reads and writes?
             all_global_reads = []
             all_global_writes = []
@@ -399,7 +471,7 @@ class StringObfuscationFinder(Analysis):
                 if not isinstance(action, SimActionData):
                     continue
                 if not action.actual_addrs:
-                    if not action.addr.ast.concrete:
+                    if action.addr is None or not action.addr.ast.concrete:
                         continue
                     actual_addrs = [action.addr.ast.concrete_value]
                 else:
@@ -469,6 +541,8 @@ class StringObfuscationFinder(Analysis):
         """
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
 
         # for each string table address, we find its string loader function
         # an obvious candidate function is 0x140001b20
@@ -478,6 +552,8 @@ class StringObfuscationFinder(Analysis):
             xref_set = xrefs.get_xrefs_by_dst(table_addr)
             block_addrs = {xref.block_addr for xref in xref_set}
             for block_addr in block_addrs:
+                if block_addr is None:
+                    continue
                 node = cfg.get_any_node(block_addr)
                 if node is not None:
                     callees = list(self.kb.functions.callgraph.successors(node.function_address))
@@ -496,6 +572,9 @@ class StringObfuscationFinder(Analysis):
         #   not have a SimProcedure for)
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
+
         functions = self.kb.functions
         callgraph_digraph = networkx.DiGraph(functions.callgraph)
 
@@ -554,7 +633,7 @@ class StringObfuscationFinder(Analysis):
             except Exception:  # pylint:disable=broad-exception-caught
                 # catch all exceptions
                 continue
-            if dec.codegen is None:
+            if dec.codegen is None or not dec.codegen.text:
                 continue
             if not self._like_type3_deobfuscation_function(dec.codegen.text):
                 continue
@@ -605,6 +684,8 @@ class StringObfuscationFinder(Analysis):
         """
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
 
         call_sites = cfg.get_predecessors(cfg.get_any_node(func_addr))
         callinsn2content = {}
@@ -687,7 +768,7 @@ class StringObfuscationFinder(Analysis):
         # execute the block at the call site
         state = self.project.factory.blank_state(
             addr=call_site_addr,
-            add_options={sim_options.ZERO_FILL_UNCONSTRAINED_REGISTERS, sim_options.ZERO_FILL_UNCONSTRAINED_MEMORY},
+            add_options={ZERO_FILL_UNCONSTRAINED_REGISTERS, ZERO_FILL_UNCONSTRAINED_MEMORY},
         )
         # setup sp and bp, just in case
         state.regs._sp = 0x7FFF0000
@@ -728,7 +809,13 @@ class StringObfuscationFinder(Analysis):
             self.project.arch
         )
         callable_0 = self.project.factory.callable(
-            func_addr, concrete_only=True, base_state=in_state, cc=cc, prototype=prototype_0
+            func_addr,
+            concrete_only=True,
+            base_state=in_state,
+            cc=cc,
+            prototype=prototype_0,
+            add_options={ZERO_FILL_UNCONSTRAINED_MEMORY, ZERO_FILL_UNCONSTRAINED_REGISTERS},
+            step_limit=STEP_LIMIT_ANALYSIS,
         )
 
         try:

angr/analyses/forward_analysis/forward_analysis.py

@@ -181,7 +181,7 @@ class ForwardAnalysis(Generic[AnalysisState, NodeType, JobType, JobKey]):
         """
         return node
 
-    def _run_on_node(self, node: NodeType, state: AnalysisState) -> tuple[bool, AnalysisState]:
+    def _run_on_node(self, node: NodeType, state: AnalysisState) -> tuple[bool | None, AnalysisState]:
         """
         The analysis routine that runs on each node in the graph.
 

angr/analyses/propagator/top_checker_mixin.py

@@ -31,7 +31,7 @@ class ClaripyDataEngineMixin(
 
 
 def _vex_make_comparison(
-    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.Bool]
+    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.Bool],
 ) -> Callable[[ClaripyDataEngineMixin, Binop], claripy.ast.BV]:
     @SimEngineLightVEX.binop_handler
     def inner(self, expr):
@@ -44,7 +44,7 @@ def _vex_make_comparison(
 
 
 def _vex_make_vec_comparison(
-    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.Bool]
+    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.Bool],
 ) -> Callable[[ClaripyDataEngineMixin, int, int, Binop], claripy.ast.BV]:
     @SimEngineLightVEX.binopv_handler
     def inner(self, size, count, expr):
@@ -56,7 +56,7 @@ def _vex_make_vec_comparison(
 
 
 def _vex_make_operation(
-    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.BV]
+    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.BV],
 ) -> Callable[[ClaripyDataEngineMixin, Binop], claripy.ast.BV]:
     @SimEngineLightVEX.binop_handler
     def inner(self, expr: Binop):
@@ -70,7 +70,7 @@ def _vex_make_operation(
 
 
 def _vex_make_unary_operation(
-    func: Callable[[claripy.ast.BV], claripy.ast.BV]
+    func: Callable[[claripy.ast.BV], claripy.ast.BV],
 ) -> Callable[[ClaripyDataEngineMixin, Unop], claripy.ast.BV]:
     @SimEngineLightVEX.unop_handler
     def inner(self, expr):
@@ -84,7 +84,7 @@ def _vex_make_unary_operation(
 
 
 def _vex_make_shift_operation(
-    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.BV]
+    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.BV],
 ) -> Callable[[ClaripyDataEngineMixin, Binop], claripy.ast.BV]:
     @_vex_make_operation
     def inner(a, b):
@@ -99,7 +99,7 @@ def _vex_make_shift_operation(
 
 
 def _vex_make_vec_operation(
-    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.BV]
+    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.BV],
 ) -> Callable[[ClaripyDataEngineMixin, int, int, Binop], claripy.ast.BV]:
     @SimEngineLightVEX.binopv_handler
     def inner(self, size, count, expr):

angr/analyses/reaching_definitions/__init__.py

@@ -15,7 +15,7 @@ from angr.knowledge_plugins.key_definitions.atoms import (
 from angr.knowledge_plugins.key_definitions.definition import Definition
 from angr.analyses import register_analysis
 from .reaching_definitions import ReachingDefinitionsAnalysis, ReachingDefinitionsModel
-from .function_handler import FunctionHandler, FunctionCallData
+from .function_handler import FunctionHandler, FunctionCallData, FunctionCallRelationships
 from .rd_state import ReachingDefinitionsState
 
 if TYPE_CHECKING:
@@ -29,6 +29,7 @@ __all__ = (
     "ConstantSrc",
     "Definition",
     "FunctionCallData",
+    "FunctionCallRelationships",
     "FunctionHandler",
     "GuardUse",
     "LiveDefinitions",

angr/analyses/reaching_definitions/dep_graph.py

@@ -6,7 +6,6 @@ from typing import (
     Any,
 )
 from collections.abc import Iterable, Iterator
-from dataclasses import dataclass
 
 import networkx
 
@@ -35,16 +34,6 @@ def _is_definition(node):
     return isinstance(node, Definition)
 
 
-@dataclass
-class FunctionCallRelationships:  # TODO this doesn't belong in this file anymore
-    callsite: CodeLocation
-    target: int | None
-    args_defns: list[set[Definition]]
-    other_input_defns: set[Definition]
-    ret_defns: set[Definition]
-    other_output_defns: set[Definition]
-
-
 class DepGraph:
     """
     The representation of a dependency graph: a directed graph, where nodes are definitions, and edges represent uses.
@@ -84,7 +73,7 @@ class DepGraph:
         """
         self._graph.add_edge(source, destination, **labels)
 
-    def nodes(self) -> networkx.classes.reportviews.NodeView[Definition]:
+    def nodes(self) -> Iterator[Definition]:
         return self._graph.nodes()
 
     def predecessors(self, node: Definition) -> Iterator[Definition]:

angr/analyses/reaching_definitions/engine_vex.py

@@ -12,7 +12,8 @@ from angr.engines.light import SimEngineNostmtVEX, SpOffset
 from angr.engines.vex.claripy.datalayer import value as claripy_value
 from angr.errors import SimEngineError, SimMemoryMissingError
 from angr.utils.constants import DEFAULT_STATEMENT
-from angr.knowledge_plugins.key_definitions.live_definitions import Definition, LiveDefinitions
+from angr.knowledge_plugins.key_definitions.definition import Definition
+from angr.knowledge_plugins.key_definitions.live_definitions import LiveDefinitions
 from angr.knowledge_plugins.key_definitions.tag import LocalVariableTag, ParameterTag, Tag
 from angr.knowledge_plugins.key_definitions.atoms import Atom, Register, MemoryLocation, Tmp
 from angr.knowledge_plugins.key_definitions.constants import OP_BEFORE, OP_AFTER
@@ -78,11 +79,15 @@ class SimEngineRDVEX(
         self._set_codeloc()
         if self.block.vex.jumpkind == "Ijk_Call":
             # it has to be a function
-            addr = self._expr_bv(self.block.vex.next)
+            block_next = self.block.vex.next
+            assert isinstance(block_next, pyvex.expr.IRExpr)
+            addr = self._expr_bv(block_next)
             self._handle_function(addr)
         elif self.block.vex.jumpkind == "Ijk_Boring":
             # test if the target addr is a function or not
-            addr = self._expr_bv(self.block.vex.next)
+            block_next = self.block.vex.next
+            assert isinstance(block_next, pyvex.expr.IRExpr)
+            addr = self._expr_bv(block_next)
             addr_v = addr.one_value()
             if addr_v is not None and addr_v.concrete:
                 addr_int = addr_v.concrete_value
@@ -550,7 +555,7 @@ class SimEngineRDVEX(
         return r
 
     @unop_handler
-    def _handle_unop_Not(self, expr):
+    def _handle_unop_Not(self, expr: pyvex.expr.Unop) -> MultiValues:
         arg0 = expr.args[0]
         expr_0 = self._expr_bv(arg0)
         bits = expr.result_size(self.tyenv)
@@ -563,7 +568,7 @@ class SimEngineRDVEX(
         return MultiValues(self.state.top(bits))
 
     @unop_handler
-    def _handle_unop_Clz(self, expr):
+    def _handle_unop_Clz(self, expr: pyvex.expr.Unop) -> MultiValues:
         arg0 = expr.args[0]
         _ = self._expr(arg0)
         bits = expr.result_size(self.tyenv)
@@ -571,7 +576,7 @@ class SimEngineRDVEX(
         return MultiValues(self.state.top(bits))
 
     @unop_handler
-    def _handle_unop_Ctz(self, expr):
+    def _handle_unop_Ctz(self, expr: pyvex.expr.Unop) -> MultiValues:
         arg0 = expr.args[0]
         _ = self._expr(arg0)
         bits = expr.result_size(self.tyenv)
@@ -582,19 +587,19 @@ class SimEngineRDVEX(
     # Binary operation handlers
     #
     @binop_handler
-    def _handle_binop_ExpCmpNE64(self, expr):
+    def _handle_binop_ExpCmpNE64(self, expr: pyvex.expr.Binop) -> MultiValues:
         _, _ = self._expr(expr.args[0]), self._expr(expr.args[1])
         bits = expr.result_size(self.tyenv)
         # Need to actually implement this later
         return MultiValues(self.state.top(bits))
 
     @binop_handler
-    def _handle_binop_16HLto32(self, expr):
+    def _handle_binop_16HLto32(self, expr: pyvex.expr.Binop) -> MultiValues:
         expr0, expr1 = self._expr_bv(expr.args[0]), self._expr_bv(expr.args[1])
         return expr0.concat(expr1)
 
     @binop_handler
-    def _handle_binop_Add(self, expr):
+    def _handle_binop_Add(self, expr: pyvex.expr.Binop) -> MultiValues:
         expr0, expr1 = self._expr_bv(expr.args[0]), self._expr_bv(expr.args[1])
         bits = expr.result_size(self.tyenv)
 
@@ -625,7 +630,7 @@ class SimEngineRDVEX(
         return r
 
     @binop_handler
-    def _handle_binop_Sub(self, expr):
+    def _handle_binop_Sub(self, expr: pyvex.expr.Binop) -> MultiValues:
         expr0, expr1 = self._expr_bv(expr.args[0]), self._expr_bv(expr.args[1])
         bits = expr.result_size(self.tyenv)
 
@@ -656,7 +661,7 @@ class SimEngineRDVEX(
         return r
 
     @binop_handler
-    def _handle_binop_Mul(self, expr):
+    def _handle_binop_Mul(self, expr: pyvex.expr.Binop) -> MultiValues:
         expr0, expr1 = self._expr_pair(expr.args[0], expr.args[1])
         bits = expr.result_size(self.tyenv)
 
@@ -687,13 +692,13 @@ class SimEngineRDVEX(
         return r
 
     @binop_handler
-    def _handle_binop_Mull(self, expr):
+    def _handle_binop_Mull(self, expr: pyvex.expr.Binop) -> MultiValues:
         _, _ = self._expr(expr.args[0]), self._expr(expr.args[1])
         bits = expr.result_size(self.tyenv)
         return MultiValues(self.state.top(bits))
 
     @binop_handler
-    def _handle_binop_Div(self, expr):
+    def _handle_binop_Div(self, expr: pyvex.expr.Binop) -> MultiValues:
         expr0, expr1 = self._expr_pair(expr.args[0], expr.args[1])
         bits = expr.result_size(self.tyenv)
 
@@ -727,19 +732,20 @@ class SimEngineRDVEX(
         return r
 
     @binop_handler
-    def _handle_binop_DivMod(self, expr):
+    def _handle_binop_DivMod(self, expr: pyvex.expr.Binop) -> MultiValues:
         _, _ = self._expr(expr.args[0]), self._expr(expr.args[1])
         bits = expr.result_size(self.tyenv)
 
         return MultiValues(self.state.top(bits))
 
-    def _handle_Mod(self, expr):
+    @binop_handler
+    def _handle_Mod(self, expr: pyvex.expr.Binop) -> MultiValues:
         _, _ = self._expr(expr.args[0]), self._expr(expr.args[1])
         bits = expr.result_size(self.tyenv)
         return MultiValues(self.state.top(bits))
 
     @binop_handler
-    def _handle_binop_And(self, expr):
+    def _handle_binop_And(self, expr: pyvex.expr.Binop) -> MultiValues:
         expr0, expr1 = self._expr_bv(expr.args[0]), self._expr_bv(expr.args[1])
         bits = expr.result_size(self.tyenv)
 
@@ -748,9 +754,8 @@ class SimEngineRDVEX(
         expr1_v = expr1.one_value()
 
         if expr0_v is not None and expr1_v is not None:
-            if expr0_v.concrete and expr1_v.concrete:
-                # bitwise-and two single values together
-                r = MultiValues(expr0_v & expr1_v)
+            # bitwise-and two single values together
+            r = MultiValues(expr0_v & expr1_v)
         elif expr0_v is None and expr1_v is not None:
             # bitwise-and a single value with a multivalue
             if expr0.count() == 1 and 0 in expr0:
@@ -771,7 +776,7 @@ class SimEngineRDVEX(
         return r
 
     @binop_handler
-    def _handle_binop_Xor(self, expr):
+    def _handle_binop_Xor(self, expr: pyvex.expr.Binop) -> MultiValues:
         expr0, expr1 = self._expr_bv(expr.args[0]), self._expr_bv(expr.args[1])
         bits = expr.result_size(self.tyenv)
 
@@ -803,7 +808,7 @@ class SimEngineRDVEX(
         return r
 
     @binop_handler
-    def _handle_binop_Or(self, expr):
+    def _handle_binop_Or(self, expr: pyvex.expr.Binop) -> MultiValues:
         expr0, expr1 = self._expr_bv(expr.args[0]), self._expr_bv(expr.args[1])
         bits = expr.result_size(self.tyenv)
 
@@ -834,7 +839,7 @@ class SimEngineRDVEX(
         return r
 
     @binop_handler
-    def _handle_binop_Sar(self, expr):
+    def _handle_binop_Sar(self, expr: pyvex.expr.Binop) -> MultiValues:
         expr0, expr1 = self._expr_bv(expr.args[0]), self._expr_bv(expr.args[1])
         bits = expr.result_size(self.tyenv)
 
@@ -877,7 +882,7 @@ class SimEngineRDVEX(
         return r
 
     @binop_handler
-    def _handle_binop_Shr(self, expr):
+    def _handle_binop_Shr(self, expr: pyvex.expr.Binop) -> MultiValues:
         expr0, expr1 = self._expr_bv(expr.args[0]), self._expr_bv(expr.args[1])
         bits = expr.result_size(self.tyenv)
 
@@ -918,7 +923,7 @@ class SimEngineRDVEX(
         return r
 
     @binop_handler
-    def _handle_binop_Shl(self, expr):
+    def _handle_binop_Shl(self, expr: pyvex.expr.Binop) -> MultiValues:
         expr0, expr1 = self._expr(expr.args[0]), self._expr(expr.args[1])
         bits = expr.result_size(self.tyenv)
 
@@ -956,7 +961,7 @@ class SimEngineRDVEX(
         return r
 
     @binop_handler
-    def _handle_binop_CmpEQ(self, expr):
+    def _handle_binop_CmpEQ(self, expr: pyvex.expr.Binop) -> MultiValues:
         arg0, arg1 = expr.args
         expr_0 = self._expr(arg0)
         expr_1 = self._expr(arg1)
@@ -974,7 +979,7 @@ class SimEngineRDVEX(
         return MultiValues(self.state.top(1))
 
     @binop_handler
-    def _handle_binop_CmpNE(self, expr):
+    def _handle_binop_CmpNE(self, expr: pyvex.expr.Binop) -> MultiValues:
         arg0, arg1 = expr.args
         expr_0 = self._expr(arg0)
         expr_1 = self._expr(arg1)
@@ -989,7 +994,7 @@ class SimEngineRDVEX(
         return MultiValues(self.state.top(1))
 
     @binop_handler
-    def _handle_binop_CmpLT(self, expr):
+    def _handle_binop_CmpLT(self, expr: pyvex.expr.Binop) -> MultiValues:
         arg0, arg1 = expr.args
         expr_0, expr_1 = self._expr_pair(arg0, arg1)
 
@@ -1004,7 +1009,7 @@ class SimEngineRDVEX(
         return MultiValues(self.state.top(1))
 
     @binop_handler
-    def _handle_binop_CmpLE(self, expr):
+    def _handle_binop_CmpLE(self, expr: pyvex.expr.Binop) -> MultiValues:
         arg0, arg1 = expr.args
         expr_0, expr_1 = self._expr_pair(arg0, arg1)
 
@@ -1019,7 +1024,7 @@ class SimEngineRDVEX(
         return MultiValues(self.state.top(1))
 
     @binop_handler
-    def _handle_binop_CmpGT(self, expr):
+    def _handle_binop_CmpGT(self, expr: pyvex.expr.Binop) -> MultiValues:
         arg0, arg1 = expr.args
         expr_0, expr_1 = self._expr_pair(arg0, arg1)
 
@@ -1034,7 +1039,7 @@ class SimEngineRDVEX(
         return MultiValues(self.state.top(1))
 
     @binop_handler
-    def _handle_binop_CmpGE(self, expr):
+    def _handle_binop_CmpGE(self, expr: pyvex.expr.Binop) -> MultiValues:
         arg0, arg1 = expr.args
         expr_0, expr_1 = self._expr_pair(arg0, arg1)
 
@@ -1050,7 +1055,7 @@ class SimEngineRDVEX(
 
     # ppc only
     @binop_handler
-    def _handle_binop_CmpORD(self, expr):
+    def _handle_binop_CmpORD(self, expr: pyvex.expr.Binop) -> MultiValues:
         arg0, arg1 = expr.args
         expr_0, expr_1 = self._expr_pair(arg0, arg1)