angr 9.2.139__py3-none-manylinux2014_x86_64.whl → 9.2.141__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/structuring/structurer_base.py

@@ -20,6 +20,7 @@ from angr.analyses.decompiler.utils import (
 )
 from angr.analyses.decompiler.label_collector import LabelCollector
 from angr.errors import AngrDecompilationError
+from angr.knowledge_plugins.cfg import IndirectJump
 from .structurer_nodes import (
     MultiNode,
     SequenceNode,
@@ -33,6 +34,7 @@ from .structurer_nodes import (
     BreakNode,
     LoopNode,
     EmptyBlockNotice,
+    IncompleteSwitchCaseNode,
 )
 
 if TYPE_CHECKING:
@@ -60,6 +62,7 @@ class StructurerBase(Analysis):
         func: Function | None = None,
         case_entry_to_switch_head: dict[int, int] | None = None,
         parent_region=None,
+        jump_tables: dict[int, IndirectJump] | None = None,
         **kwargs,
     ):
         self._region: GraphRegion = region
@@ -67,6 +70,7 @@ class StructurerBase(Analysis):
         self.function = func
         self._case_entry_to_switch_head = case_entry_to_switch_head
         self._parent_region = parent_region
+        self.jump_tables = jump_tables or {}
 
         self.cond_proc = (
             condition_processor if condition_processor is not None else ConditionProcessor(self.project.arch)
@@ -304,6 +308,7 @@ class StructurerBase(Analysis):
                         jump_stmt = this_node.statements[-1]  # type: ignore
 
                     if isinstance(jump_stmt, ailment.Stmt.Jump):
+                        assert isinstance(this_node, ailment.Block)
                         next_node = node.nodes[i + 1]
                         if (
                             isinstance(jump_stmt.target, ailment.Expr.Const)
@@ -312,6 +317,7 @@ class StructurerBase(Analysis):
                             # this goto is useless
                             this_node.statements = this_node.statements[:-1]
                     elif isinstance(jump_stmt, ailment.Stmt.ConditionalJump):
+                        assert isinstance(this_node, ailment.Block)
                         next_node = node.nodes[i + 1]
                         if (
                             isinstance(jump_stmt.true_target, ailment.Expr.Const)
@@ -366,6 +372,7 @@ class StructurerBase(Analysis):
                         this_node = this_node.nodes[-1]
 
                     if isinstance(jump_stmt, ailment.Stmt.Jump):
+                        assert isinstance(this_node, ailment.Block)
                         next_node = node.nodes[i + 1]
                         if (
                             isinstance(jump_stmt.target, ailment.Expr.Const)
@@ -374,6 +381,7 @@ class StructurerBase(Analysis):
                             # this goto is useless
                             this_node.statements = this_node.statements[:-1]
                     elif isinstance(jump_stmt, ailment.Stmt.ConditionalJump):
+                        assert isinstance(this_node, ailment.Block)
                         next_node = node.nodes[i + 1]
                         if (
                             isinstance(jump_stmt.true_target, ailment.Expr.Const)
@@ -785,10 +793,6 @@ class StructurerBase(Analysis):
 
         return _Holder.merged, seq
 
-    #
-    # Util methods
-    #
-
     def _reorganize_switch_cases(
         self, cases: OrderedDict[int | tuple[int, ...], SequenceNode]
     ) -> OrderedDict[int | tuple[int, ...], SequenceNode]:
@@ -891,12 +895,12 @@ class StructurerBase(Analysis):
                 if isinstance(last_stmt.false_target, ailment.Expr.Const):
                     jump_targets.append((last_stmt.false_target.value, last_stmt.false_target_idx))
             if any(tpl in addr_and_ids for tpl in jump_targets):
-                return remove_last_statement(node)
+                return remove_last_statement(node)  # type: ignore
         return None
 
     @staticmethod
     def _remove_last_statement_if_jump(
-        node: BaseNode | ailment.Block,
+        node: BaseNode | ailment.Block | MultiNode,
     ) -> ailment.Stmt.Jump | ailment.Stmt.ConditionalJump | None:
         try:
             last_stmts = ConditionProcessor.get_last_statements(node)
@@ -904,7 +908,7 @@ class StructurerBase(Analysis):
             return None
 
         if len(last_stmts) == 1 and isinstance(last_stmts[0], (ailment.Stmt.Jump, ailment.Stmt.ConditionalJump)):
-            return remove_last_statement(node)
+            return remove_last_statement(node)  # type: ignore
         return None
 
     @staticmethod
@@ -994,8 +998,8 @@ class StructurerBase(Analysis):
     @staticmethod
     def replace_node_in_node(
         parent_node: BaseNode,
-        old_node: BaseNode | ailment.Block,
-        new_node: BaseNode | ailment.Block,
+        old_node: BaseNode | ailment.Block | MultiNode,
+        new_node: BaseNode | ailment.Block | MultiNode,
     ) -> None:
         if isinstance(parent_node, SequenceNode):
             for i in range(len(parent_node.nodes)):  # pylint:disable=consider-using-enumerate
@@ -1018,7 +1022,9 @@ class StructurerBase(Analysis):
             raise TypeError(f"Unsupported node type {type(parent_node)}")
 
     @staticmethod
-    def is_a_jump_target(stmt: ailment.Stmt.ConditionalJump | ailment.Stmt.Jump, addr: int) -> bool:
+    def is_a_jump_target(
+        stmt: ailment.Stmt.ConditionalJump | ailment.Stmt.Jump | ailment.Stmt.Statement, addr: int
+    ) -> bool:
         if isinstance(stmt, ailment.Stmt.ConditionalJump):
             if isinstance(stmt.true_target, ailment.Expr.Const) and stmt.true_target.value == addr:
                 return True
@@ -1038,3 +1044,24 @@ class StructurerBase(Analysis):
         if isinstance(node, SequenceNode):
             return any(StructurerBase.has_nonlabel_nonphi_statements(nn) for nn in node.nodes)
         return False
+
+    def _node_ending_with_jump_table_header(self, node: BaseNode) -> tuple[int | None, IndirectJump | None]:
+        if isinstance(node, (ailment.Block, MultiNode, IncompleteSwitchCaseNode)):
+            assert node.addr is not None
+            return node.addr, self.jump_tables.get(node.addr, None)
+        if isinstance(node, SequenceNode):
+            return node.addr, self._node_ending_with_jump_table_header(node.nodes[-1])[1]
+        return None, None
+
+    @staticmethod
+    def _switch_find_default_node(
+        graph: networkx.DiGraph, head_node: BaseNode, default_node_addr: int
+    ) -> BaseNode | None:
+        # it is possible that the default node gets duplicated by other analyses and creates a default node (addr.a)
+        # and a case node (addr.b). The addr.a node is a successor to the head node while the addr.b node is a
+        # successor to node_a
+        default_node_candidates = [nn for nn in graph.nodes if nn.addr == default_node_addr]
+        node_default: BaseNode | None = next(
+            iter(nn for nn in default_node_candidates if graph.has_edge(head_node, nn)), None
+        )
+        return node_default

angr/analyses/decompiler/structuring/structurer_nodes.py

@@ -231,7 +231,10 @@ class CascadingConditionNode(BaseNode):
     )
 
     def __init__(
-        self, addr, condition_and_nodes: list[tuple[Any, BaseNode | ailment.Block]], else_node: BaseNode = None
+        self,
+        addr,
+        condition_and_nodes: list[tuple[Any, BaseNode | ailment.Block | MultiNode]],
+        else_node: BaseNode = None,
     ):
         self.addr = addr
         self.condition_and_nodes = condition_and_nodes

angr/analyses/decompiler/utils.py

@@ -144,7 +144,9 @@ def extract_jump_targets(stmt):
     return targets
 
 
-def switch_extract_cmp_bounds(last_stmt: ailment.Stmt.ConditionalJump) -> tuple[Any, int, int] | None:
+def switch_extract_cmp_bounds(
+    last_stmt: ailment.Stmt.ConditionalJump | ailment.Stmt.Statement,
+) -> tuple[Any, int, int] | None:
     """
     Check the last statement of the switch-case header node, and extract lower+upper bounds for the comparison.
 
@@ -175,6 +177,54 @@ def switch_extract_cmp_bounds(last_stmt: ailment.Stmt.ConditionalJump) -> tuple[
     return None
 
 
+def switch_extract_switch_expr_from_jump_target(target: ailment.Expr.Expression) -> ailment.Expr.Expression | None:
+    """
+    Extract the switch expression from the indirect jump target expression.
+
+    :param target:  The target of the indirect jump statement.
+    :return:        The extracted expression if successful, or None otherwise.
+    """
+
+    # e.g.: Jump (Conv(32->64, (Load(addr=((0x140000000<64> + (vvar_229{reg 80} * 0x4<64>)) + 0x2290<64>),
+    #               size=4,
+    #               endness=Iend_LE
+    #             ) + 0x140000000<32>)))
+
+    found_load = False
+    while True:
+        if isinstance(target, ailment.Expr.Convert):
+            if target.from_bits < target.to_bits:
+                target = target.operand
+            else:
+                return None
+        elif isinstance(target, ailment.Expr.BinaryOp):
+            if target.op == "Add":
+                # it must be adding the target expr with a constant
+                if isinstance(target.operands[0], ailment.Expr.Const):
+                    target = target.operands[1]
+                elif isinstance(target.operands[1], ailment.Expr.Const):
+                    target = target.operands[0]
+                else:
+                    return None
+            elif target.op == "Mul":
+                # it must be multiplying the target expr with a constant
+                if isinstance(target.operands[0], ailment.Expr.Const):
+                    target = target.operands[1]
+                elif isinstance(target.operands[1], ailment.Expr.Const):
+                    target = target.operands[0]
+                else:
+                    return None
+        elif isinstance(target, ailment.Expr.Load):
+            # we want the address!
+            found_load = True
+            target = target.addr
+        elif isinstance(target, ailment.Expr.VirtualVariable):
+            break
+        else:
+            return None
+    return target if found_load else None
+
+
 def switch_extract_bitwiseand_jumptable_info(last_stmt: ailment.Stmt.Jump) -> tuple[Any, int, int] | None:
     """
     Check the last statement of the switch-case header node (whose address is loaded from a jump table and computed
@@ -575,6 +625,48 @@ def update_labels(graph: networkx.DiGraph):
     return add_labels(remove_labels(graph))
 
 
+def _flatten_structured_node(packed_node: SequenceNode | MultiNode) -> list[ailment.Block]:
+    if not packed_node or not packed_node.nodes:
+        return []
+
+    blocks = []
+    if packed_node.nodes is not None:
+        for _node in packed_node.nodes:
+            if isinstance(_node, (SequenceNode, MultiNode)):
+                blocks += _flatten_structured_node(_node)
+            else:
+                blocks.append(_node)
+
+    return blocks
+
+
+def _find_node_in_graph(node: ailment.Block, graph: networkx.DiGraph) -> ailment.Block | None:
+    for bb in graph:
+        if bb.addr == node.addr and bb.idx == node.idx:
+            return bb
+    return None
+
+
+def structured_node_has_multi_predecessors(node: SequenceNode | MultiNode, graph: networkx.DiGraph) -> bool:
+    if graph is None:
+        return False
+
+    first_block = None
+    if isinstance(node, (SequenceNode, MultiNode)) and node.nodes:
+        flat_blocks = _flatten_structured_node(node)
+        node = flat_blocks[0]
+
+    if isinstance(node, ailment.Block):
+        first_block = node
+
+    if first_block is not None:
+        graph_node = _find_node_in_graph(first_block, graph)
+        if graph_node is not None:
+            return len(list(graph.predecessors(graph_node))) > 1
+
+    return False
+
+
 def structured_node_is_simple_return(
     node: SequenceNode | MultiNode, graph: networkx.DiGraph, use_packed_successors=False
 ) -> bool:
@@ -589,21 +681,6 @@ def structured_node_is_simple_return(
 
     Returns true on any block ending in linear statements and a return.
     """
-
-    def _flatten_structured_node(packed_node: SequenceNode | MultiNode) -> list[ailment.Block]:
-        if not packed_node or not packed_node.nodes:
-            return []
-
-        blocks = []
-        if packed_node.nodes is not None:
-            for _node in packed_node.nodes:
-                if isinstance(_node, (SequenceNode, MultiNode)):
-                    blocks += _flatten_structured_node(_node)
-                else:
-                    blocks.append(_node)
-
-        return blocks
-
     # sanity check: we need a graph to understand returning blocks
     if graph is None:
         return False
@@ -626,11 +703,10 @@ def structured_node_is_simple_return(
     if valid_last_stmt:
         # note that the block may not be the same block in the AIL graph post dephication. we must find the block again
         # in the graph.
-        for bb in graph:
-            if bb.addr == last_block.addr and bb.idx == last_block.idx:
-                # found it
-                succs = list(graph.successors(bb))
-                return not succs or succs == [bb]
+        last_graph_block = _find_node_in_graph(last_block, graph)
+        if last_graph_block is not None:
+            succs = list(graph.successors(last_graph_block))
+            return not succs or succs == [last_graph_block]
     return False
 
 
@@ -973,6 +1049,15 @@ def sequence_to_statements(
     return statements
 
 
+def remove_edges_in_ailgraph(
+    ail_graph: networkx.DiGraph, edges_to_remove: list[tuple[tuple[int, int | None], tuple[int, int | None]]]
+) -> None:
+    d = {(bb.addr, bb.idx): bb for bb in ail_graph}
+    for src_addr, dst_addr in edges_to_remove:
+        if src_addr in d and dst_addr in d and ail_graph.has_edge(d[src_addr], d[dst_addr]):
+            ail_graph.remove_edge(d[src_addr], d[dst_addr])
+
+
 # delayed import
 from .structuring.structurer_nodes import (
     MultiNode,

angr/analyses/deobfuscator/api_obf_finder.py

@@ -12,6 +12,7 @@ import claripy
 from angr import SIM_LIBRARIES
 from angr.calling_conventions import SimRegArg
 from angr.errors import SimMemoryMissingError
+from angr.knowledge_base import KnowledgeBase
 from angr.knowledge_plugins.key_definitions.constants import ObservationPointType
 from angr.sim_type import SimTypePointer, SimTypeChar
 from angr.analyses import Analysis, AnalysesHub
@@ -35,7 +36,7 @@ class APIObfuscationType(IntEnum):
 
 
 class APIDeobFuncDescriptor:
-    def __init__(self, type_: APIObfuscationType, func_addr=None, libname_argidx=None, funcname_argidx=None):
+    def __init__(self, type_: APIObfuscationType, *, func_addr: int, libname_argidx: int, funcname_argidx: int):
         self.type = type_
         self.func_addr = func_addr
         self.libname_argidx = libname_argidx
@@ -96,8 +97,9 @@ class APIObfuscationFinder(Analysis):
     - Type 2: GetProcAddress(_, "api_name").
     """
 
-    def __init__(self):
+    def __init__(self, variable_kb: KnowledgeBase | None = None):
         self.type1_candidates = []
+        self.variable_kb = variable_kb or self.project.kb
 
         self.analyze()
 
@@ -109,7 +111,7 @@ class APIObfuscationFinder(Analysis):
                 type1_deobfuscated = self._analyze_type1(desc.func_addr, desc)
                 self.kb.obfuscations.type1_deobfuscated_apis.update(type1_deobfuscated)
 
-        APIObfuscationType2Finder(self.project).analyze()
+        APIObfuscationType2Finder(self.project, self.variable_kb).analyze()
 
     def _find_type1(self):
         cfg = self.kb.cfgs.get_most_accurate()
@@ -195,6 +197,8 @@ class APIObfuscationFinder(Analysis):
                     callsite_node.instruction_addrs[-1],
                     ObservationPointType.OP_BEFORE,
                 )
+                if observ is None:
+                    continue
                 args: list[tuple[int, Any]] = []
                 for arg_idx, func_arg in enumerate(func.arguments):
                     # FIXME: We are ignoring all non-register function arguments until we see a test case where
@@ -232,9 +236,8 @@ class APIObfuscationFinder(Analysis):
                                 acceptable_args = False
                                 break
                             arg_strs.append((idx, value.decode("utf-8")))
-                if acceptable_args:
+                if acceptable_args and len(arg_strs) == 2:
                     libname_arg_idx, funcname_arg_idx = None, None
-                    assert len(arg_strs) == 2
                     for arg_idx, name in arg_strs:
                         if self.is_libname(name):
                             libname_arg_idx = arg_idx

angr/analyses/deobfuscator/api_obf_type2_finder.py

@@ -1,21 +1,24 @@
 from __future__ import annotations
-from typing import cast
+from typing import TYPE_CHECKING, cast
 
 from collections.abc import Iterator
 from dataclasses import dataclass
 import logging
 
 from angr.project import Project
-from angr.analyses.reaching_definitions.reaching_definitions import (
-    ReachingDefinitionsAnalysis,
-    FunctionCallRelationships,
-)
+from angr.knowledge_base import KnowledgeBase
 from angr.knowledge_plugins.functions.function import Function
 from angr.knowledge_plugins.key_definitions import DerefSize
 from angr.knowledge_plugins.key_definitions.constants import ObservationPointType
 from angr.knowledge_plugins.key_definitions.atoms import MemoryLocation
 from angr.sim_variable import SimMemoryVariable
 
+if TYPE_CHECKING:
+    from angr.analyses.reaching_definitions import (
+        ReachingDefinitionsAnalysis,
+        FunctionCallRelationships,
+    )
+
 
 log = logging.getLogger(__name__)
 
@@ -40,8 +43,9 @@ class APIObfuscationType2Finder:
 
     results: list[APIObfuscationType2]
 
-    def __init__(self, project: Project):
+    def __init__(self, project: Project, variable_kb: KnowledgeBase | None = None):
         self.project = project
+        self.variable_kb = variable_kb or self.project.kb
         self.results = []
 
     def analyze(self) -> list[APIObfuscationType2]:
@@ -91,8 +95,12 @@ class APIObfuscationType2Finder:
             log.debug("...Failed to resolve a function name")
             return
 
-        proc_name = result.rstrip(b"\x00").decode("utf-8")
-        log.debug("...Resolved concrete function name: %s", proc_name)
+        try:
+            func_name = result.rstrip(b"\x00").decode("utf-8")
+            log.debug("...Resolved concrete function name: %s", func_name)
+        except UnicodeDecodeError:
+            log.debug("...Failed to decode utf-8 function name")
+            return
 
         # Examine successor definitions to find where the function pointer is written
         for successor in rda.dep_graph.find_all_successors(callsite_info.ret_defns):
@@ -121,7 +129,7 @@ class APIObfuscationType2Finder:
 
             self.results.append(
                 APIObfuscationType2(
-                    resolved_func_name=proc_name,
+                    resolved_func_name=func_name,
                     resolved_func_ptr=ptr,
                     resolved_in=caller,
                     resolved_by=callee,
@@ -139,7 +147,7 @@ class APIObfuscationType2Finder:
             log.debug("...Created label %s for address %x", lbl, result.resolved_func_ptr.addr)
 
             # Create a variable
-            global_variables = self.project.kb.variables["global"]
+            global_variables = self.variable_kb.variables["global"]
             variables = global_variables.get_global_variables(result.resolved_func_ptr.addr)
             if not variables:
                 ident = global_variables.next_variable_ident("global")