angr 9.2.141__py3-none-macosx_11_0_arm64.whl → 9.2.143__py3-none-macosx_11_0_arm64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.141"
+__version__ = "9.2.143"
 
 if bytes is str:
     raise Exception(

angr/analyses/calling_convention/calling_convention.py

@@ -165,6 +165,19 @@ class CallingConventionAnalysis(Analysis):
             ):
                 return
 
+            if (
+                hooker is not None
+                and hooker.cc is not None
+                and hooker.is_function
+                and not hooker.guessed_prototype
+                and hooker.prototype is not None
+            ):
+                # copy the calling convention and prototype from the SimProcedure instance
+                self.cc = hooker.cc
+                self.prototype = hooker.prototype
+                self.prototype_libname = hooker.library_name
+                return
+
             if self._function.prototype is None:
                 # try our luck
                 # we set ignore_binary_name to True because the binary name SimProcedures is "cle##externs" and does not
@@ -207,9 +220,9 @@ class CallingConventionAnalysis(Analysis):
                 self.prototype = prototype  # type: ignore
             return
         if self._function.is_plt:
-            r = self._analyze_plt()
-            if r is not None:
-                self.cc, self.prototype = r
+            r_plt = self._analyze_plt()
+            if r_plt is not None:
+                self.cc, self.prototype, self.prototype_libname = r_plt
             return
 
         r = self._analyze_function()
@@ -265,11 +278,11 @@ class CallingConventionAnalysis(Analysis):
         self.cc = cc
         self.prototype = prototype
 
-    def _analyze_plt(self) -> tuple[SimCC, SimTypeFunction | None] | None:
+    def _analyze_plt(self) -> tuple[SimCC, SimTypeFunction | None, str | None] | None:
         """
         Get the calling convention for a PLT stub.
 
-        :return:    A calling convention.
+        :return:    A calling convention, the function type, as well as the library name if available.
         """
         assert self._function is not None
 
@@ -309,14 +322,15 @@ class CallingConventionAnalysis(Analysis):
                 if self.project.is_hooked(real_func.addr):
                     # prioritize the hooker
                     hooker = self.project.hooked_by(real_func.addr)
-                    if hooker is not None and (
-                        not hooker.is_stub or (hooker.is_function and not hooker.guessed_prototype)
-                    ):
-                        return cc, hooker.prototype
+                    if hooker is not None and hooker.is_function and not hooker.guessed_prototype:
+                        # we only take the prototype from the SimProcedure if
+                        # - the SimProcedure is a function
+                        # - the prototype of the SimProcedure is not guessed
+                        return cc, hooker.prototype, hooker.library_name
                 if real_func.prototype is not None:
-                    return cc, real_func.prototype
+                    return cc, real_func.prototype, real_func.prototype_libname
             else:
-                return cc, real_func.prototype
+                return cc, real_func.prototype, real_func.prototype_libname
 
         if self.analyze_callsites:
             # determine the calling convention by analyzing its callsites
@@ -330,7 +344,7 @@ class CallingConventionAnalysis(Analysis):
             prototype = self._adjust_prototype(
                 prototype, callsite_facts, update_arguments=UpdateArgumentsOption.AlwaysUpdate
             )
-            return cc, prototype
+            return cc, prototype, None
 
         return None
 

angr/analyses/calling_convention/fact_collector.py

@@ -1,10 +1,11 @@
 # pylint:disable=too-many-boolean-expressions
 from __future__ import annotations
-from typing import Any
+from typing import Any, TYPE_CHECKING
 
 import pyvex
 import claripy
 
+from angr import SIM_LIBRARIES, SIM_TYPE_COLLECTIONS
 from angr.utils.bits import s2u, u2s
 from angr.block import Block
 from angr.analyses.analysis import Analysis
@@ -13,9 +14,12 @@ from angr.knowledge_plugins.functions import Function
 from angr.codenode import BlockNode, HookNode
 from angr.engines.light import SimEngineNostmtVEX, SimEngineLight, SpOffset, RegisterOffset
 from angr.calling_conventions import SimRegArg, SimStackArg, default_cc
-from angr.sim_type import SimTypeBottom
+from angr.sim_type import SimTypeBottom, dereference_simtype, SimTypeFunction
 from .utils import is_sane_register_variable
 
+if TYPE_CHECKING:
+    from angr.codenode import CodeNode
+
 
 class FactCollectorState:
     """
@@ -224,9 +228,12 @@ class FactCollector(Analysis):
         callee_restored_regs = self._analyze_endpoints_for_restored_regs()
         self._determine_input_args(end_states, callee_restored_regs)
 
-    def _analyze_startpoint(self):
+    def _analyze_startpoint(self) -> list[FactCollectorState]:
         func_graph = self.function.transition_graph
         startpoint = self.function.startpoint
+        if startpoint is None:
+            return []
+
         bp_as_gpr = self.function.info.get("bp_as_gpr", False)
         engine = SimEngineFactCollectorVEX(self.project, bp_as_gpr)
         init_state = FactCollectorState()
@@ -235,9 +242,9 @@ class FactCollector(Analysis):
         init_state.bp_value = init_state.sp_value
 
         traversed = set()
-        queue: list[tuple[int, FactCollectorState, BlockNode | HookNode | Function, BlockNode | HookNode | None]] = [
-            (0, init_state, startpoint, None)
-        ]
+        queue: list[
+            tuple[int, FactCollectorState, CodeNode | BlockNode | HookNode | Function, BlockNode | HookNode | None]
+        ] = [(0, init_state, startpoint, None)]
         end_states: list[FactCollectorState] = []
         while queue:
             depth, state, node, retnode = queue.pop(0)
@@ -398,9 +405,24 @@ class FactCollector(Analysis):
                             and not isinstance(func_succ.prototype.returnty, SimTypeBottom)
                         ):
                             # assume the function overwrites the return variable
-                            returnty_size = func_succ.prototype.returnty.with_arch(self.project.arch).size
-                            assert returnty_size is not None
-                            retval_size = returnty_size // self.project.arch.byte_width
+                            proto = func_succ.prototype
+                            if func_succ.prototype_libname is not None:
+                                # we need to deref the prototype in case it uses SimTypeRef internally
+                                type_collections = []
+                                prototype_lib = SIM_LIBRARIES[func_succ.prototype_libname]
+                                if prototype_lib.type_collection_names:
+                                    for typelib_name in prototype_lib.type_collection_names:
+                                        type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                                    proto = dereference_simtype(proto, type_collections)
+
+                            assert isinstance(proto, SimTypeFunction) and proto.returnty is not None
+                            returnty_size = proto.returnty.with_arch(self.project.arch).size
+                            if returnty_size is None:
+                                # it may be None if somehow we cannot resolve a SimTypeRef; we fall back to the full
+                                # machine word size
+                                retval_size = self.project.arch.bytes
+                            else:
+                                retval_size = returnty_size // self.project.arch.byte_width
                             retval_sizes.append(retval_size)
                         continue
 

angr/analyses/cfg/cfg_base.py

@@ -11,7 +11,7 @@ import pyvex
 from cle import ELF, PE, Blob, TLSObject, MachO, ExternObject, KernelObject, FunctionHintSource, Hex, Coff, SRec, XBE
 from cle.backends import NamedRegion
 import archinfo
-from archinfo.arch_soot import SootAddressDescriptor
+from archinfo.arch_soot import SootAddressDescriptor, SootMethodDescriptor
 from archinfo.arch_arm import is_arm_arch, get_real_address_if_arm
 
 from angr.knowledge_plugins.functions.function_manager import FunctionManager
@@ -129,7 +129,7 @@ class CFGBase(Analysis):
 
         # Store all the functions analyzed before the set is cleared
         # Used for performance optimization
-        self._updated_nonreturning_functions: set[int] | None = None
+        self._updated_nonreturning_functions: set[int | SootMethodDescriptor] | None = None
 
         self._normalize = normalize
 
@@ -246,7 +246,7 @@ class CFGBase(Analysis):
             )
 
         self._regions_size = sum((end - start) for start, end in regions)
-        self._regions: dict[int, int] = SortedDict(regions)
+        self._regions: SortedDict = SortedDict(regions)
 
         l.debug("CFG recovery covers %d regions:", len(self._regions))
         for start, end in self._regions.items():
@@ -1556,6 +1556,7 @@ class CFGBase(Analysis):
                     self.kb.functions[func_addr].alignment = True
                     continue
                 node = function.get_node(block.addr)
+                assert node is not None
                 successors = list(function.graph.successors(node))
                 if len(successors) == 1 and successors[0].addr == node.addr:
                     # self loop. mark this function as a function alignment
@@ -2151,6 +2152,11 @@ class CFGBase(Analysis):
             f = self.kb.functions.function(addr=addr)
             assert f is not None
 
+            # copy over existing metadata
+            if known_functions.contains_addr(addr):
+                kf = known_functions.get_by_addr(addr)
+                f.is_plt = kf.is_plt
+
             blockaddr_to_function[addr] = f
 
             function_is_returning = False
@@ -2532,6 +2538,34 @@ class CFGBase(Analysis):
     # Other functions
     #
 
+    @staticmethod
+    def _is_noop_jump_block(block) -> bool:
+        """
+        Check if the block does nothing but jumping to a constant address.
+
+        :param block:   The block instance. We assume the block is already optimized.
+        :return:        True if the entire block is a jump to a constant address, False otherwise.
+        """
+
+        vex = block.vex
+        if vex.jumpkind != "Ijk_Boring":
+            return False
+        if isinstance(vex.next, pyvex.expr.Const):
+            return all(isinstance(stmt, pyvex.stmt.IMark) for stmt in vex.statements)
+        if isinstance(vex.next, pyvex.expr.RdTmp):
+            next_tmp = vex.next.tmp
+            return all(
+                isinstance(stmt, pyvex.stmt.IMark)
+                or (
+                    isinstance(stmt, pyvex.stmt.WrTmp)
+                    and stmt.tmp == next_tmp
+                    and isinstance(stmt.data, pyvex.expr.Load)
+                    and isinstance(stmt.data.addr, pyvex.expr.Const)
+                )
+                for stmt in vex.statements
+            )
+        return False
+
     @staticmethod
     def _is_noop_block(arch: archinfo.Arch, block) -> bool:
         """
@@ -2755,7 +2789,7 @@ class CFGBase(Analysis):
         cfg_node: CFGNode,
         irsb: pyvex.IRSB,
         func_addr: int,
-        stmt_idx: int | str = DEFAULT_STATEMENT,
+        stmt_idx: int = DEFAULT_STATEMENT,
     ) -> tuple[bool, set[int], IndirectJump | None]:
         """
         Called when we encounter an indirect jump. We will try to resolve this indirect jump using timeless (fast)

angr/analyses/cfg/cfg_fast.py

@@ -1782,7 +1782,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         self.project.loader.discard_ro_memview()
 
         # Clean up
-        self._traced_addresses = None
+        self._traced_addresses = None  # type: ignore
         self._lifter_deregister_readonly_regions()
         self._function_returns = None
 
@@ -1838,6 +1838,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 xrefs = self.kb.xrefs.get_xrefs_by_dst(security_cookie_addr)
                 tested_func_addrs = set()
                 for xref in xrefs:
+                    assert xref.block_addr is not None
                     cfg_node = self.model.get_any_node(xref.block_addr)
                     if cfg_node is None:
                         continue
@@ -2081,13 +2082,20 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
         if (
             cfg_job.src_node is not None
-            and self.functions.contains_addr(cfg_job.src_node.addr)
-            and self.functions[cfg_job.src_node.addr].is_default_name
             and cfg_job.src_node.addr not in self.kb.labels
             and cfg_job.jumpkind == "Ijk_Boring"
+            and self._is_noop_jump_block(cfg_job.src_node.block)
         ):
-            # assign a name to the caller function that jumps to this procedure
-            self.functions[cfg_job.src_node.addr].name = procedure.display_name
+            # the caller node is very likely to be a PLT stub
+            if not self.functions.contains_addr(cfg_job.src_node.addr):
+                src_func = self.functions.function(addr=cfg_job.src_node.addr, create=True)
+            else:
+                src_func = self.functions.get_by_addr(cfg_job.src_node.addr)
+            if len(src_func.block_addrs_set) <= 1 and src_func.is_default_name:
+                # assign a name to the caller function that jumps to this procedure
+                src_func.name = procedure.display_name
+                # mark it as PLT
+                src_func.is_plt = True
 
         if procedure.ADDS_EXITS:
             # Get two blocks ahead
@@ -3714,7 +3722,12 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
     #
 
     def _graph_add_edge(
-        self, cfg_node: CFGNode, src_node: CFGNode | None, src_jumpkind: str, src_ins_addr: int, src_stmt_idx: int
+        self,
+        cfg_node: CFGNode,
+        src_node: CFGNode | None,
+        src_jumpkind: str,
+        src_ins_addr: int | None,
+        src_stmt_idx: int | None,
     ):
         """
         Add edge between nodes, or add node if entry point
@@ -4584,6 +4597,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 elif (
                     lifted_block is not None
                     and is_x86_x64_arch
+                    and lifted_block.bytes is not None
                     and len(lifted_block.bytes) - irsb_size > 2
                     and lifted_block.bytes[irsb_size : irsb_size + 2]
                     in {
@@ -4659,7 +4673,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                     self._seg_list.occupy(real_addr + irsb_size, nodecode_size, "nodecode")
 
             # Occupy the block in segment list
-            if irsb.size > 0:
+            if irsb is not None and irsb.size > 0:
                 self._seg_list.occupy(real_addr, irsb.size, "code")
 
             # Create a CFG node, and add it to the graph
@@ -4969,6 +4983,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
         for assumption_addr in to_remove:
             # remove this assumption from the graph (since we may have new relationships formed later)
+            assert self._decoding_assumption_relations is not None
             if assumption_addr in self._decoding_assumption_relations:
                 self._decoding_assumption_relations.remove_node(assumption_addr)
 
@@ -5159,6 +5174,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                     target_func = edges[0][1]
                     if isinstance(target_func, (HookNode, Function)) and self.project.is_hooked(target_func.addr):
                         hooker = self.project.hooked_by(target_func.addr)
+                        assert hooker is not None
                         if hooker.DYNAMIC_RET:
                             return self._is_call_returning(callsite_cfgnode, target_func.addr)
 

angr/analyses/cfg/indirect_jump_resolvers/const_resolver.py

@@ -43,11 +43,22 @@ class ConstantResolver(IndirectJumpResolver):
     be resolved to a constant value. This resolver must be run after all other more specific resolvers.
     """
 
-    def __init__(self, project):
+    def __init__(self, project, max_func_nodes: int = 512):
         super().__init__(project, timeless=False)
+        self.max_func_nodes = max_func_nodes
 
     def filter(self, cfg, addr, func_addr, block, jumpkind):
+        if not cfg.functions.contains_addr(func_addr):
+            # the function does not exist
+            return False
+
+        # for performance, we don't run constant resolver if the function is too large
+        func = cfg.functions.get_by_addr(func_addr)
+        if len(func.block_addrs_set) > self.max_func_nodes:
+            return False
+
         # we support both an indirect call and jump since the value can be resolved
+
         return jumpkind in {"Ijk_Boring", "Ijk_Call"}
 
     def resolve(  # pylint:disable=unused-argument

angr/analyses/cfg/indirect_jump_resolvers/jumptable.py

@@ -6,6 +6,7 @@ from collections.abc import Sequence
 from collections import defaultdict, OrderedDict
 import logging
 import functools
+import contextlib
 
 import pyvex
 import claripy
@@ -183,7 +184,11 @@ class ConstantValueManager:
         # determine blocks to run FCP on
 
         # - include at most three levels of superblock successors from the entrypoint
+        self.mapping = {}
         startpoint = self.func.startpoint
+        if startpoint is None:
+            return
+
         blocks = set()
         succ_and_levels = [(startpoint, 0)]
         while succ_and_levels:
@@ -1794,7 +1799,9 @@ class JumpTableResolver(IndirectJumpResolver):
                         # swap the two tmps
                         jump_base_addr.tmp, jump_base_addr.tmp_1 = jump_base_addr.tmp_1, jump_base_addr.tmp
                     # Load the concrete base address
-                    jump_base_addr.base_addr = state.solver.eval(state.scratch.temps[jump_base_addr.tmp_1])
+                    with contextlib.suppress(SimError):
+                        # silently eat the claripy exception
+                        jump_base_addr.base_addr = state.solver.eval(state.scratch.temps[jump_base_addr.tmp_1])
             else:
                 # We do not support the cases where the base address involves more than one addition.
                 # One such case exists in libc-2.27.so shipped with Ubuntu x86 where esi is used as the address of the

angr/analyses/class_identifier.py

@@ -1,6 +1,8 @@
 from __future__ import annotations
+
 from angr.sim_type import SimCppClass, SimTypeCppFunction
 from angr.analyses import AnalysesHub
+from angr.utils.cpp import is_cpp_funcname_ctor
 from . import Analysis, CFGFast, VtableFinder
 
 
@@ -33,17 +35,13 @@ class ClassIdentifier(Analysis):
             class_name = class_name.removeprefix("non-virtual thunk for ")
             if col_ind != -1:
                 if class_name not in self.classes:
-                    ctor = False
-                    if func.demangled_name.find("{ctor}"):
-                        ctor = True
+                    ctor = is_cpp_funcname_ctor(func.demangled_name)
                     function_members = {func.addr: SimTypeCppFunction([], None, label=func.demangled_name, ctor=ctor)}
                     new_class = SimCppClass(name=class_name, function_members=function_members)
                     self.classes[class_name] = new_class
 
                 else:
-                    ctor = False
-                    if func.demangled_name.find("{ctor}"):
-                        ctor = True
+                    ctor = is_cpp_funcname_ctor(func.demangled_name)
                     cur_class = self.classes[class_name]
                     cur_class.function_members[func.addr] = SimTypeCppFunction(
                         [], None, label=func.demangled_name, ctor=ctor
@@ -55,7 +53,10 @@ class ClassIdentifier(Analysis):
                 vtable_calling_func = self.project.kb.functions.floor_func(ref.ins_addr)
                 tmp_col_ind = vtable_calling_func.demangled_name.rfind("::")
                 possible_constructor_class_name = vtable_calling_func.demangled_name[:tmp_col_ind]
-                if "ctor" in vtable_calling_func.demangled_name and possible_constructor_class_name in self.classes:
+                if (
+                    is_cpp_funcname_ctor(vtable_calling_func.demangled_name)
+                    and possible_constructor_class_name in self.classes
+                ):
                     self.classes[possible_constructor_class_name].vtable_ptrs.append(vtable.vaddr)
 
 

angr/analyses/complete_calling_conventions.py

@@ -63,7 +63,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
         max_function_size: int | None = None,
         workers: int = 0,
         cc_callback: Callable | None = None,
-        prioritize_func_addrs: Iterable[int] | None = None,
+        prioritize_func_addrs: list[int] | set[int] | None = None,
         skip_other_funcs: bool = False,
         auto_start: bool = True,
         func_graphs: dict[int, networkx.DiGraph] | None = None,
@@ -130,9 +130,20 @@ class CompleteCallingConventionsAnalysis(Analysis):
         Infer calling conventions for all functions in the current project.
         """
 
-        # get an ordering of functions based on the call graph
-        # note that the call graph is a multi-digraph. we convert it to a digraph to speed up topological sort
-        directed_callgraph = networkx.DiGraph(self.kb.functions.callgraph)
+        # special case: if both _prioritize_func_addrs and _skip_other_funcs are set, we only need to sort part of
+        # the call graph; even better, if there is only one function set, we don't need to sort the call graph at all!
+        if self._prioritize_func_addrs and self._skip_other_funcs:
+            if len(self._prioritize_func_addrs) == 1:
+                self._func_addrs = list(self._prioritize_func_addrs)
+                self._total_funcs = 1
+                return
+            directed_callgraph = networkx.DiGraph(self.kb.functions.callgraph)
+            directed_callgraph = directed_callgraph.subgraph(self._prioritize_func_addrs)
+        else:
+            # get an ordering of functions based on the call graph
+            # note that the call graph is a multi-digraph. we convert it to a digraph to speed up topological sort
+            directed_callgraph = networkx.DiGraph(self.kb.functions.callgraph)
+        assert isinstance(directed_callgraph, networkx.DiGraph)
         sorted_funcs = GraphUtils.quasi_topological_sort_nodes(directed_callgraph)
 
         total_funcs = 0
@@ -148,7 +159,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
                     continue
 
                 if self._max_function_size is not None:
-                    func_size = sum(block.size for block in func.blocks)
+                    func_size = sum(block.size for block in func.blocks if block.size is not None)
                     if func_size > self._max_function_size:
                         _l.info(
                             "Skipping variable recovery for %r since its size (%d) is greater than the cutoff "
@@ -189,6 +200,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
 
     def work(self):
         total_funcs = self._total_funcs
+        assert total_funcs is not None
         if self._workers == 0:
             self._update_progress(0)
             for idx, func_addr in enumerate(self._func_addrs):
@@ -211,6 +223,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
             self._finish_progress()
 
         else:
+            assert self._remaining_funcs is not None and self._func_queue is not None
             self._remaining_funcs.value = len(self._func_addrs)
 
             # generate a call tree (obviously, it's acyclic)
@@ -383,7 +396,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
             return (
                 cc_analysis.cc,
                 cc_analysis.prototype,
-                func.prototype_libname,
+                cc_analysis.prototype_libname if cc_analysis.prototype_libname is not None else func.prototype_libname,
                 self.kb.variables.get_function_manager(func_addr),
             )
         _l.info("Cannot determine calling convention for %r.", func)