angr 9.2.139__py3-none-manylinux2014_x86_64.whl → 9.2.140__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/structuring/structurer_base.py

@@ -20,6 +20,7 @@ from angr.analyses.decompiler.utils import (
 )
 from angr.analyses.decompiler.label_collector import LabelCollector
 from angr.errors import AngrDecompilationError
+from angr.knowledge_plugins.cfg import IndirectJump
 from .structurer_nodes import (
     MultiNode,
     SequenceNode,
@@ -33,6 +34,7 @@ from .structurer_nodes import (
     BreakNode,
     LoopNode,
     EmptyBlockNotice,
+    IncompleteSwitchCaseNode,
 )
 
 if TYPE_CHECKING:
@@ -60,6 +62,7 @@ class StructurerBase(Analysis):
         func: Function | None = None,
         case_entry_to_switch_head: dict[int, int] | None = None,
         parent_region=None,
+        jump_tables: dict[int, IndirectJump] | None = None,
         **kwargs,
     ):
         self._region: GraphRegion = region
@@ -67,6 +70,7 @@ class StructurerBase(Analysis):
         self.function = func
         self._case_entry_to_switch_head = case_entry_to_switch_head
         self._parent_region = parent_region
+        self.jump_tables = jump_tables or {}
 
         self.cond_proc = (
             condition_processor if condition_processor is not None else ConditionProcessor(self.project.arch)
@@ -304,6 +308,7 @@ class StructurerBase(Analysis):
                         jump_stmt = this_node.statements[-1]  # type: ignore
 
                     if isinstance(jump_stmt, ailment.Stmt.Jump):
+                        assert isinstance(this_node, ailment.Block)
                         next_node = node.nodes[i + 1]
                         if (
                             isinstance(jump_stmt.target, ailment.Expr.Const)
@@ -312,6 +317,7 @@ class StructurerBase(Analysis):
                             # this goto is useless
                             this_node.statements = this_node.statements[:-1]
                     elif isinstance(jump_stmt, ailment.Stmt.ConditionalJump):
+                        assert isinstance(this_node, ailment.Block)
                         next_node = node.nodes[i + 1]
                         if (
                             isinstance(jump_stmt.true_target, ailment.Expr.Const)
@@ -365,6 +371,7 @@ class StructurerBase(Analysis):
                         jump_stmt = this_node.nodes[-1].statements[-1]
                         this_node = this_node.nodes[-1]
 
+                    assert isinstance(this_node, ailment.Block)
                     if isinstance(jump_stmt, ailment.Stmt.Jump):
                         next_node = node.nodes[i + 1]
                         if (
@@ -785,10 +792,6 @@ class StructurerBase(Analysis):
 
         return _Holder.merged, seq
 
-    #
-    # Util methods
-    #
-
     def _reorganize_switch_cases(
         self, cases: OrderedDict[int | tuple[int, ...], SequenceNode]
     ) -> OrderedDict[int | tuple[int, ...], SequenceNode]:
@@ -891,12 +894,12 @@ class StructurerBase(Analysis):
                 if isinstance(last_stmt.false_target, ailment.Expr.Const):
                     jump_targets.append((last_stmt.false_target.value, last_stmt.false_target_idx))
             if any(tpl in addr_and_ids for tpl in jump_targets):
-                return remove_last_statement(node)
+                return remove_last_statement(node)  # type: ignore
         return None
 
     @staticmethod
     def _remove_last_statement_if_jump(
-        node: BaseNode | ailment.Block,
+        node: BaseNode | ailment.Block | MultiNode,
     ) -> ailment.Stmt.Jump | ailment.Stmt.ConditionalJump | None:
         try:
             last_stmts = ConditionProcessor.get_last_statements(node)
@@ -904,7 +907,7 @@ class StructurerBase(Analysis):
             return None
 
         if len(last_stmts) == 1 and isinstance(last_stmts[0], (ailment.Stmt.Jump, ailment.Stmt.ConditionalJump)):
-            return remove_last_statement(node)
+            return remove_last_statement(node)  # type: ignore
         return None
 
     @staticmethod
@@ -994,8 +997,8 @@ class StructurerBase(Analysis):
     @staticmethod
     def replace_node_in_node(
         parent_node: BaseNode,
-        old_node: BaseNode | ailment.Block,
-        new_node: BaseNode | ailment.Block,
+        old_node: BaseNode | ailment.Block | MultiNode,
+        new_node: BaseNode | ailment.Block | MultiNode,
     ) -> None:
         if isinstance(parent_node, SequenceNode):
             for i in range(len(parent_node.nodes)):  # pylint:disable=consider-using-enumerate
@@ -1018,7 +1021,9 @@ class StructurerBase(Analysis):
             raise TypeError(f"Unsupported node type {type(parent_node)}")
 
     @staticmethod
-    def is_a_jump_target(stmt: ailment.Stmt.ConditionalJump | ailment.Stmt.Jump, addr: int) -> bool:
+    def is_a_jump_target(
+        stmt: ailment.Stmt.ConditionalJump | ailment.Stmt.Jump | ailment.Stmt.Statement, addr: int
+    ) -> bool:
         if isinstance(stmt, ailment.Stmt.ConditionalJump):
             if isinstance(stmt.true_target, ailment.Expr.Const) and stmt.true_target.value == addr:
                 return True
@@ -1038,3 +1043,24 @@ class StructurerBase(Analysis):
         if isinstance(node, SequenceNode):
             return any(StructurerBase.has_nonlabel_nonphi_statements(nn) for nn in node.nodes)
         return False
+
+    def _node_ending_with_jump_table_header(self, node: BaseNode) -> tuple[int | None, IndirectJump | None]:
+        if isinstance(node, (ailment.Block, MultiNode, IncompleteSwitchCaseNode)):
+            assert node.addr is not None
+            return node.addr, self.jump_tables.get(node.addr, None)
+        if isinstance(node, SequenceNode):
+            return node.addr, self._node_ending_with_jump_table_header(node.nodes[-1])[1]
+        return None, None
+
+    @staticmethod
+    def _switch_find_default_node(
+        graph: networkx.DiGraph, head_node: BaseNode, default_node_addr: int
+    ) -> BaseNode | None:
+        # it is possible that the default node gets duplicated by other analyses and creates a default node (addr.a)
+        # and a case node (addr.b). The addr.a node is a successor to the head node while the addr.b node is a
+        # successor to node_a
+        default_node_candidates = [nn for nn in graph.nodes if nn.addr == default_node_addr]
+        node_default: BaseNode | None = next(
+            iter(nn for nn in default_node_candidates if graph.has_edge(head_node, nn)), None
+        )
+        return node_default

angr/analyses/decompiler/structuring/structurer_nodes.py

@@ -231,7 +231,10 @@ class CascadingConditionNode(BaseNode):
     )
 
     def __init__(
-        self, addr, condition_and_nodes: list[tuple[Any, BaseNode | ailment.Block]], else_node: BaseNode = None
+        self,
+        addr,
+        condition_and_nodes: list[tuple[Any, BaseNode | ailment.Block | MultiNode]],
+        else_node: BaseNode = None,
     ):
         self.addr = addr
         self.condition_and_nodes = condition_and_nodes

angr/analyses/decompiler/utils.py

@@ -144,7 +144,9 @@ def extract_jump_targets(stmt):
     return targets
 
 
-def switch_extract_cmp_bounds(last_stmt: ailment.Stmt.ConditionalJump) -> tuple[Any, int, int] | None:
+def switch_extract_cmp_bounds(
+    last_stmt: ailment.Stmt.ConditionalJump | ailment.Stmt.Statement,
+) -> tuple[Any, int, int] | None:
     """
     Check the last statement of the switch-case header node, and extract lower+upper bounds for the comparison.
 
@@ -175,6 +177,54 @@ def switch_extract_cmp_bounds(last_stmt: ailment.Stmt.ConditionalJump) -> tuple[
     return None
 
 
+def switch_extract_switch_expr_from_jump_target(target: ailment.Expr.Expression) -> ailment.Expr.Expression | None:
+    """
+    Extract the switch expression from the indirect jump target expression.
+
+    :param target:  The target of the indirect jump statement.
+    :return:        The extracted expression if successful, or None otherwise.
+    """
+
+    # e.g.: Jump (Conv(32->64, (Load(addr=((0x140000000<64> + (vvar_229{reg 80} * 0x4<64>)) + 0x2290<64>),
+    #               size=4,
+    #               endness=Iend_LE
+    #             ) + 0x140000000<32>)))
+
+    found_load = False
+    while True:
+        if isinstance(target, ailment.Expr.Convert):
+            if target.from_bits < target.to_bits:
+                target = target.operand
+            else:
+                return None
+        elif isinstance(target, ailment.Expr.BinaryOp):
+            if target.op == "Add":
+                # it must be adding the target expr with a constant
+                if isinstance(target.operands[0], ailment.Expr.Const):
+                    target = target.operands[1]
+                elif isinstance(target.operands[1], ailment.Expr.Const):
+                    target = target.operands[0]
+                else:
+                    return None
+            elif target.op == "Mul":
+                # it must be multiplying the target expr with a constant
+                if isinstance(target.operands[0], ailment.Expr.Const):
+                    target = target.operands[1]
+                elif isinstance(target.operands[1], ailment.Expr.Const):
+                    target = target.operands[0]
+                else:
+                    return None
+        elif isinstance(target, ailment.Expr.Load):
+            # we want the address!
+            found_load = True
+            target = target.addr
+        elif isinstance(target, ailment.Expr.VirtualVariable):
+            break
+        else:
+            return None
+    return target if found_load else None
+
+
 def switch_extract_bitwiseand_jumptable_info(last_stmt: ailment.Stmt.Jump) -> tuple[Any, int, int] | None:
     """
     Check the last statement of the switch-case header node (whose address is loaded from a jump table and computed
@@ -973,6 +1023,15 @@ def sequence_to_statements(
     return statements
 
 
+def remove_edges_in_ailgraph(
+    ail_graph: networkx.DiGraph, edges_to_remove: list[tuple[tuple[int, int | None], tuple[int, int | None]]]
+) -> None:
+    d = {(bb.addr, bb.idx): bb for bb in ail_graph}
+    for src_addr, dst_addr in edges_to_remove:
+        if src_addr in d and dst_addr in d and ail_graph.has_edge(d[src_addr], d[dst_addr]):
+            ail_graph.remove_edge(d[src_addr], d[dst_addr])
+
+
 # delayed import
 from .structuring.structurer_nodes import (
     MultiNode,

angr/analyses/deobfuscator/api_obf_finder.py

@@ -12,6 +12,7 @@ import claripy
 from angr import SIM_LIBRARIES
 from angr.calling_conventions import SimRegArg
 from angr.errors import SimMemoryMissingError
+from angr.knowledge_base import KnowledgeBase
 from angr.knowledge_plugins.key_definitions.constants import ObservationPointType
 from angr.sim_type import SimTypePointer, SimTypeChar
 from angr.analyses import Analysis, AnalysesHub
@@ -35,7 +36,7 @@ class APIObfuscationType(IntEnum):
 
 
 class APIDeobFuncDescriptor:
-    def __init__(self, type_: APIObfuscationType, func_addr=None, libname_argidx=None, funcname_argidx=None):
+    def __init__(self, type_: APIObfuscationType, *, func_addr: int, libname_argidx: int, funcname_argidx: int):
         self.type = type_
         self.func_addr = func_addr
         self.libname_argidx = libname_argidx
@@ -96,8 +97,9 @@ class APIObfuscationFinder(Analysis):
     - Type 2: GetProcAddress(_, "api_name").
     """
 
-    def __init__(self):
+    def __init__(self, variable_kb: KnowledgeBase | None = None):
         self.type1_candidates = []
+        self.variable_kb = variable_kb or self.project.kb
 
         self.analyze()
 
@@ -109,7 +111,7 @@ class APIObfuscationFinder(Analysis):
                 type1_deobfuscated = self._analyze_type1(desc.func_addr, desc)
                 self.kb.obfuscations.type1_deobfuscated_apis.update(type1_deobfuscated)
 
-        APIObfuscationType2Finder(self.project).analyze()
+        APIObfuscationType2Finder(self.project, self.variable_kb).analyze()
 
     def _find_type1(self):
         cfg = self.kb.cfgs.get_most_accurate()
@@ -195,6 +197,8 @@ class APIObfuscationFinder(Analysis):
                     callsite_node.instruction_addrs[-1],
                     ObservationPointType.OP_BEFORE,
                 )
+                if observ is None:
+                    continue
                 args: list[tuple[int, Any]] = []
                 for arg_idx, func_arg in enumerate(func.arguments):
                     # FIXME: We are ignoring all non-register function arguments until we see a test case where
@@ -232,9 +236,8 @@ class APIObfuscationFinder(Analysis):
                                 acceptable_args = False
                                 break
                             arg_strs.append((idx, value.decode("utf-8")))
-                if acceptable_args:
+                if acceptable_args and len(arg_strs) == 2:
                     libname_arg_idx, funcname_arg_idx = None, None
-                    assert len(arg_strs) == 2
                     for arg_idx, name in arg_strs:
                         if self.is_libname(name):
                             libname_arg_idx = arg_idx

angr/analyses/deobfuscator/api_obf_type2_finder.py

@@ -1,21 +1,24 @@
 from __future__ import annotations
-from typing import cast
+from typing import TYPE_CHECKING, cast
 
 from collections.abc import Iterator
 from dataclasses import dataclass
 import logging
 
 from angr.project import Project
-from angr.analyses.reaching_definitions.reaching_definitions import (
-    ReachingDefinitionsAnalysis,
-    FunctionCallRelationships,
-)
+from angr.knowledge_base import KnowledgeBase
 from angr.knowledge_plugins.functions.function import Function
 from angr.knowledge_plugins.key_definitions import DerefSize
 from angr.knowledge_plugins.key_definitions.constants import ObservationPointType
 from angr.knowledge_plugins.key_definitions.atoms import MemoryLocation
 from angr.sim_variable import SimMemoryVariable
 
+if TYPE_CHECKING:
+    from angr.analyses.reaching_definitions import (
+        ReachingDefinitionsAnalysis,
+        FunctionCallRelationships,
+    )
+
 
 log = logging.getLogger(__name__)
 
@@ -40,8 +43,9 @@ class APIObfuscationType2Finder:
 
     results: list[APIObfuscationType2]
 
-    def __init__(self, project: Project):
+    def __init__(self, project: Project, variable_kb: KnowledgeBase | None = None):
         self.project = project
+        self.variable_kb = variable_kb or self.project.kb
         self.results = []
 
     def analyze(self) -> list[APIObfuscationType2]:
@@ -91,8 +95,12 @@ class APIObfuscationType2Finder:
             log.debug("...Failed to resolve a function name")
             return
 
-        proc_name = result.rstrip(b"\x00").decode("utf-8")
-        log.debug("...Resolved concrete function name: %s", proc_name)
+        try:
+            func_name = result.rstrip(b"\x00").decode("utf-8")
+            log.debug("...Resolved concrete function name: %s", func_name)
+        except UnicodeDecodeError:
+            log.debug("...Failed to decode utf-8 function name")
+            return
 
         # Examine successor definitions to find where the function pointer is written
         for successor in rda.dep_graph.find_all_successors(callsite_info.ret_defns):
@@ -121,7 +129,7 @@ class APIObfuscationType2Finder:
 
             self.results.append(
                 APIObfuscationType2(
-                    resolved_func_name=proc_name,
+                    resolved_func_name=func_name,
                     resolved_func_ptr=ptr,
                     resolved_in=caller,
                     resolved_by=callee,
@@ -139,7 +147,7 @@ class APIObfuscationType2Finder:
             log.debug("...Created label %s for address %x", lbl, result.resolved_func_ptr.addr)
 
             # Create a variable
-            global_variables = self.project.kb.variables["global"]
+            global_variables = self.variable_kb.variables["global"]
             variables = global_variables.get_global_variables(result.resolved_func_ptr.addr)
             if not variables:
                 ident = global_variables.next_variable_ident("global")

angr/analyses/deobfuscator/string_obf_finder.py

@@ -9,11 +9,11 @@ import networkx
 
 import claripy
 
-from angr import sim_options
 from angr.analyses import Analysis, AnalysesHub
-from angr.errors import SimMemoryMissingError, AngrCallableMultistateError, AngrCallableError
+from angr.errors import SimMemoryMissingError, AngrCallableMultistateError, AngrCallableError, AngrAnalysisError
 from angr.calling_conventions import SimRegArg, default_cc
 from angr.state_plugins.sim_action import SimActionData
+from angr.sim_options import ZERO_FILL_UNCONSTRAINED_REGISTERS, ZERO_FILL_UNCONSTRAINED_MEMORY, TRACK_MEMORY_ACTIONS
 from angr.sim_type import SimTypeFunction, SimTypeBottom, SimTypePointer
 from angr.analyses.reaching_definitions import ObservationPointType
 from angr.utils.graph import GraphUtils
@@ -23,12 +23,23 @@ from .irsb_reg_collector import IRSBRegisterCollector
 _l = logging.getLogger(__name__)
 
 
+STEP_LIMIT_FIND = 500
+STEP_LIMIT_ANALYSIS = 5000
+
+
 class StringDeobFuncDescriptor:
+    """
+    Describes a string deobfuscation function.
+    """
+
+    string_input_arg_idx: int
+    string_output_arg_idx: int
+    string_length_arg_idx: int | None
+    string_null_terminating: bool | None
+
     def __init__(self):
-        self.string_input_arg_idx = None
-        self.string_output_arg_idx = None
         self.string_length_arg_idx = None
-        self.string_null_terminating: bool | None = None
+        self.string_null_terminating = None
 
 
 class StringObfuscationFinder(Analysis):
@@ -89,6 +100,9 @@ class StringObfuscationFinder(Analysis):
         # Type 1 string deobfuscation functions will decrypt each string once and for good.
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
+
         arch = self.project.arch
 
         type1_candidates: list[tuple[int, StringDeobFuncDescriptor]] = []
@@ -100,6 +114,10 @@ class StringObfuscationFinder(Analysis):
             if func.prototype is None or len(func.prototype.args) < 1:
                 continue
 
+            if len(func.arguments) != len(func.prototype.args):
+                # function argument locations and function prototype arguments do not match
+                continue
+
             if self.project.kb.functions.callgraph.out_degree[func.addr] != 0:
                 continue
 
@@ -123,14 +141,22 @@ class StringObfuscationFinder(Analysis):
                 dec = self.project.analyses.Decompiler(func, cfg=cfg)
             except Exception:  # pylint:disable=broad-exception-caught
                 continue
-            if dec.codegen is None or not self._like_type1_deobfuscation_function(dec.codegen.text):
+            if (
+                dec.codegen is None
+                or not dec.codegen.text
+                or not self._like_type1_deobfuscation_function(dec.codegen.text)
+            ):
+                continue
+
+            func_node = cfg.get_any_node(func.addr)
+            if func_node is None:
                 continue
 
             args_list = []
             for caller in callers:
                 callsite_nodes = [
                     pred
-                    for pred in cfg.get_predecessors(cfg.get_any_node(func.addr))
+                    for pred in cfg.get_predecessors(func_node)
                     if pred.function_address == caller and pred.instruction_addrs
                 ]
                 observation_points = []
@@ -148,15 +174,21 @@ class StringObfuscationFinder(Analysis):
                         callsite_node.instruction_addrs[-1],
                         ObservationPointType.OP_BEFORE,
                     )
+                    if observ is None:
+                        continue
                     # load values for each function argument
                     args: list[tuple[int, Any]] = []
                     for arg_idx, func_arg in enumerate(func.arguments):
                         # FIXME: We are ignoring all non-register function arguments until we see a test case where
                         # FIXME: stack-passing arguments are used
+                        real_arg = func.prototype.args[arg_idx]
                         if isinstance(func_arg, SimRegArg):
                             reg_offset, reg_size = arch.registers[func_arg.reg_name]
+                            arg_size = (
+                                real_arg.size if real_arg.size is not None else reg_size
+                            ) // self.project.arch.byte_width
                             try:
-                                mv = observ.registers.load(reg_offset, size=reg_size)
+                                mv = observ.registers.load(reg_offset, size=arg_size)
                             except SimMemoryMissingError:
                                 args.append((arg_idx, claripy.BVV(0xDEADBEEF, self.project.arch.bits)))
                                 continue
@@ -185,7 +217,15 @@ class StringObfuscationFinder(Analysis):
             # now that we have good arguments, let's test the function!
             for args in args_list:
                 func_call = self.project.factory.callable(
-                    func.addr, concrete_only=True, cc=func.calling_convention, prototype=func.prototype
+                    func.addr,
+                    concrete_only=True,
+                    cc=func.calling_convention,
+                    prototype=func.prototype,
+                    add_options={
+                        ZERO_FILL_UNCONSTRAINED_MEMORY,
+                        ZERO_FILL_UNCONSTRAINED_REGISTERS,
+                    },
+                    step_limit=STEP_LIMIT_FIND,
                 )
 
                 # before calling the function, let's record the crime scene
@@ -202,6 +242,9 @@ class StringObfuscationFinder(Analysis):
                 except (AngrCallableMultistateError, AngrCallableError):
                     continue
 
+                if func_call.result_state is None:
+                    continue
+
                 # let's see what this amazing function has done
                 # TODO: Support cases where input and output are using different function arguments
                 for arg_idx, addr, old_value in values:
@@ -240,6 +283,9 @@ class StringObfuscationFinder(Analysis):
 
         arch = self.project.arch
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
+
         func = self.kb.functions.get_by_addr(func_addr)
         func_node = cfg.get_any_node(func_addr)
         assert func_node is not None
@@ -260,14 +306,20 @@ class StringObfuscationFinder(Analysis):
                 callsite_node.instruction_addrs[-1],
                 ObservationPointType.OP_BEFORE,
             )
+            if observ is None:
+                continue
             args = []
-            for func_arg in func.arguments:
+            assert func.prototype is not None and len(func.arguments) == len(func.prototype.args)
+            for func_arg, real_arg in zip(func.arguments, func.prototype.args):
                 # FIXME: We are ignoring all non-register function arguments until we see a test case where
                 # FIXME: stack-passing arguments are used
                 if isinstance(func_arg, SimRegArg):
                     reg_offset, reg_size = arch.registers[func_arg.reg_name]
+                    arg_size = (
+                        real_arg.size if real_arg.size is not None else reg_size
+                    ) // self.project.arch.byte_width
                     try:
-                        mv = observ.registers.load(reg_offset, size=reg_size)
+                        mv = observ.registers.load(reg_offset, size=arg_size)
                     except SimMemoryMissingError:
                         args.append(claripy.BVV(0xDEADBEEF, self.project.arch.bits))
                         continue
@@ -286,7 +338,12 @@ class StringObfuscationFinder(Analysis):
 
             # call the function
             func_call = self.project.factory.callable(
-                func.addr, concrete_only=True, cc=func.calling_convention, prototype=func.prototype
+                func.addr,
+                concrete_only=True,
+                cc=func.calling_convention,
+                prototype=func.prototype,
+                add_options={ZERO_FILL_UNCONSTRAINED_MEMORY, ZERO_FILL_UNCONSTRAINED_REGISTERS},
+                step_limit=STEP_LIMIT_ANALYSIS,
             )
             try:
                 func_call(*args)
@@ -303,6 +360,9 @@ class StringObfuscationFinder(Analysis):
                 )
                 continue
 
+            if func_call.result_state is None:
+                continue
+
             # dump the decrypted string!
             output_addr = args[desc.string_output_arg_idx]
             length = args[desc.string_length_arg_idx].concrete_value if desc.string_length_arg_idx is not None else 256
@@ -322,6 +382,8 @@ class StringObfuscationFinder(Analysis):
             xref_set = xrefs.get_xrefs_by_dst(str_addr)
             block_addrs = {xref.block_addr for xref in xref_set}
             for block_addr in block_addrs:
+                if block_addr is None:
+                    continue
                 node = cfg.get_any_node(block_addr)
                 if node is not None:
                     callees = list(self.kb.functions.callgraph.successors(node.function_address))
@@ -340,6 +402,8 @@ class StringObfuscationFinder(Analysis):
         # Type 2 string deobfuscation functions will decrypt each string once and for good.
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
 
         type2_candidates: list[tuple[int, StringDeobFuncDescriptor, list[tuple[int, int, bytes]]]] = []
 
@@ -374,7 +438,11 @@ class StringObfuscationFinder(Analysis):
                 dec = self.project.analyses.Decompiler(func, cfg=cfg, expr_collapse_depth=64)
             except Exception:  # pylint:disable=broad-exception-caught
                 continue
-            if dec.codegen is None or not self._like_type2_deobfuscation_function(dec.codegen.text):
+            if (
+                dec.codegen is None
+                or not dec.codegen.text
+                or not self._like_type2_deobfuscation_function(dec.codegen.text)
+            ):
                 continue
 
             desc = StringDeobFuncDescriptor()
@@ -384,7 +452,8 @@ class StringObfuscationFinder(Analysis):
                 concrete_only=True,
                 cc=func.calling_convention,
                 prototype=func.prototype,
-                add_options={sim_options.TRACK_MEMORY_ACTIONS},
+                add_options={TRACK_MEMORY_ACTIONS, ZERO_FILL_UNCONSTRAINED_MEMORY, ZERO_FILL_UNCONSTRAINED_REGISTERS},
+                step_limit=STEP_LIMIT_FIND,
             )
 
             try:
@@ -392,6 +461,9 @@ class StringObfuscationFinder(Analysis):
             except (AngrCallableMultistateError, AngrCallableError):
                 continue
 
+            if func_call.result_state is None:
+                continue
+
             # where are the reads and writes?
             all_global_reads = []
             all_global_writes = []
@@ -399,7 +471,7 @@ class StringObfuscationFinder(Analysis):
                 if not isinstance(action, SimActionData):
                     continue
                 if not action.actual_addrs:
-                    if not action.addr.ast.concrete:
+                    if action.addr is None or not action.addr.ast.concrete:
                         continue
                     actual_addrs = [action.addr.ast.concrete_value]
                 else:
@@ -469,6 +541,8 @@ class StringObfuscationFinder(Analysis):
         """
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
 
         # for each string table address, we find its string loader function
         # an obvious candidate function is 0x140001b20
@@ -478,6 +552,8 @@ class StringObfuscationFinder(Analysis):
             xref_set = xrefs.get_xrefs_by_dst(table_addr)
             block_addrs = {xref.block_addr for xref in xref_set}
             for block_addr in block_addrs:
+                if block_addr is None:
+                    continue
                 node = cfg.get_any_node(block_addr)
                 if node is not None:
                     callees = list(self.kb.functions.callgraph.successors(node.function_address))
@@ -496,6 +572,9 @@ class StringObfuscationFinder(Analysis):
         #   not have a SimProcedure for)
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
+
         functions = self.kb.functions
         callgraph_digraph = networkx.DiGraph(functions.callgraph)
 
@@ -554,7 +633,7 @@ class StringObfuscationFinder(Analysis):
             except Exception:  # pylint:disable=broad-exception-caught
                 # catch all exceptions
                 continue
-            if dec.codegen is None:
+            if dec.codegen is None or not dec.codegen.text:
                 continue
             if not self._like_type3_deobfuscation_function(dec.codegen.text):
                 continue
@@ -605,6 +684,8 @@ class StringObfuscationFinder(Analysis):
         """
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
 
         call_sites = cfg.get_predecessors(cfg.get_any_node(func_addr))
         callinsn2content = {}
@@ -687,7 +768,7 @@ class StringObfuscationFinder(Analysis):
         # execute the block at the call site
         state = self.project.factory.blank_state(
             addr=call_site_addr,
-            add_options={sim_options.ZERO_FILL_UNCONSTRAINED_REGISTERS, sim_options.ZERO_FILL_UNCONSTRAINED_MEMORY},
+            add_options={ZERO_FILL_UNCONSTRAINED_REGISTERS, ZERO_FILL_UNCONSTRAINED_MEMORY},
         )
         # setup sp and bp, just in case
         state.regs._sp = 0x7FFF0000
@@ -728,7 +809,13 @@ class StringObfuscationFinder(Analysis):
             self.project.arch
         )
         callable_0 = self.project.factory.callable(
-            func_addr, concrete_only=True, base_state=in_state, cc=cc, prototype=prototype_0
+            func_addr,
+            concrete_only=True,
+            base_state=in_state,
+            cc=cc,
+            prototype=prototype_0,
+            add_options={ZERO_FILL_UNCONSTRAINED_MEMORY, ZERO_FILL_UNCONSTRAINED_REGISTERS},
+            step_limit=STEP_LIMIT_ANALYSIS,
         )
 
         try:

angr/analyses/forward_analysis/forward_analysis.py

@@ -181,7 +181,7 @@ class ForwardAnalysis(Generic[AnalysisState, NodeType, JobType, JobKey]):
         """
         return node
 
-    def _run_on_node(self, node: NodeType, state: AnalysisState) -> tuple[bool, AnalysisState]:
+    def _run_on_node(self, node: NodeType, state: AnalysisState) -> tuple[bool | None, AnalysisState]:
         """
         The analysis routine that runs on each node in the graph.