angr 9.2.141__py3-none-win_amd64.whl → 9.2.142__py3-none-win_amd64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.141"
+__version__ = "9.2.142"
 
 if bytes is str:
     raise Exception(

angr/analyses/calling_convention/calling_convention.py

@@ -165,6 +165,19 @@ class CallingConventionAnalysis(Analysis):
             ):
                 return
 
+            if (
+                hooker is not None
+                and hooker.cc is not None
+                and hooker.is_function
+                and not hooker.guessed_prototype
+                and hooker.prototype is not None
+            ):
+                # copy the calling convention and prototype from the SimProcedure instance
+                self.cc = hooker.cc
+                self.prototype = hooker.prototype
+                self.prototype_libname = hooker.library_name
+                return
+
             if self._function.prototype is None:
                 # try our luck
                 # we set ignore_binary_name to True because the binary name SimProcedures is "cle##externs" and does not
@@ -309,9 +322,10 @@ class CallingConventionAnalysis(Analysis):
                 if self.project.is_hooked(real_func.addr):
                     # prioritize the hooker
                     hooker = self.project.hooked_by(real_func.addr)
-                    if hooker is not None and (
-                        not hooker.is_stub or (hooker.is_function and not hooker.guessed_prototype)
-                    ):
+                    if hooker is not None and hooker.is_function and not hooker.guessed_prototype:
+                        # we only take the prototype from the SimProcedure if
+                        # - the SimProcedure is a function
+                        # - the prototype of the SimProcedure is not guessed
                         return cc, hooker.prototype
                 if real_func.prototype is not None:
                     return cc, real_func.prototype

angr/analyses/cfg/cfg_base.py

@@ -11,7 +11,7 @@ import pyvex
 from cle import ELF, PE, Blob, TLSObject, MachO, ExternObject, KernelObject, FunctionHintSource, Hex, Coff, SRec, XBE
 from cle.backends import NamedRegion
 import archinfo
-from archinfo.arch_soot import SootAddressDescriptor
+from archinfo.arch_soot import SootAddressDescriptor, SootMethodDescriptor
 from archinfo.arch_arm import is_arm_arch, get_real_address_if_arm
 
 from angr.knowledge_plugins.functions.function_manager import FunctionManager
@@ -129,7 +129,7 @@ class CFGBase(Analysis):
 
         # Store all the functions analyzed before the set is cleared
         # Used for performance optimization
-        self._updated_nonreturning_functions: set[int] | None = None
+        self._updated_nonreturning_functions: set[int | SootMethodDescriptor] | None = None
 
         self._normalize = normalize
 
@@ -246,7 +246,7 @@ class CFGBase(Analysis):
             )
 
         self._regions_size = sum((end - start) for start, end in regions)
-        self._regions: dict[int, int] = SortedDict(regions)
+        self._regions: SortedDict = SortedDict(regions)
 
         l.debug("CFG recovery covers %d regions:", len(self._regions))
         for start, end in self._regions.items():
@@ -1556,6 +1556,7 @@ class CFGBase(Analysis):
                     self.kb.functions[func_addr].alignment = True
                     continue
                 node = function.get_node(block.addr)
+                assert node is not None
                 successors = list(function.graph.successors(node))
                 if len(successors) == 1 and successors[0].addr == node.addr:
                     # self loop. mark this function as a function alignment
@@ -2151,6 +2152,11 @@ class CFGBase(Analysis):
             f = self.kb.functions.function(addr=addr)
             assert f is not None
 
+            # copy over existing metadata
+            if known_functions.contains_addr(addr):
+                kf = known_functions.get_by_addr(addr)
+                f.is_plt = kf.is_plt
+
             blockaddr_to_function[addr] = f
 
             function_is_returning = False
@@ -2532,6 +2538,34 @@ class CFGBase(Analysis):
     # Other functions
     #
 
+    @staticmethod
+    def _is_noop_jump_block(block) -> bool:
+        """
+        Check if the block does nothing but jumping to a constant address.
+
+        :param block:   The block instance. We assume the block is already optimized.
+        :return:        True if the entire block is a jump to a constant address, False otherwise.
+        """
+
+        vex = block.vex
+        if vex.jumpkind != "Ijk_Boring":
+            return False
+        if isinstance(vex.next, pyvex.expr.Const):
+            return all(isinstance(stmt, pyvex.stmt.IMark) for stmt in vex.statements)
+        if isinstance(vex.next, pyvex.expr.RdTmp):
+            next_tmp = vex.next.tmp
+            return all(
+                isinstance(stmt, pyvex.stmt.IMark)
+                or (
+                    isinstance(stmt, pyvex.stmt.WrTmp)
+                    and stmt.tmp == next_tmp
+                    and isinstance(stmt.data, pyvex.expr.Load)
+                    and isinstance(stmt.data.addr, pyvex.expr.Const)
+                )
+                for stmt in vex.statements
+            )
+        return False
+
     @staticmethod
     def _is_noop_block(arch: archinfo.Arch, block) -> bool:
         """
@@ -2755,7 +2789,7 @@ class CFGBase(Analysis):
         cfg_node: CFGNode,
         irsb: pyvex.IRSB,
         func_addr: int,
-        stmt_idx: int | str = DEFAULT_STATEMENT,
+        stmt_idx: int = DEFAULT_STATEMENT,
     ) -> tuple[bool, set[int], IndirectJump | None]:
         """
         Called when we encounter an indirect jump. We will try to resolve this indirect jump using timeless (fast)

angr/analyses/cfg/cfg_fast.py

@@ -1782,7 +1782,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         self.project.loader.discard_ro_memview()
 
         # Clean up
-        self._traced_addresses = None
+        self._traced_addresses = None  # type: ignore
         self._lifter_deregister_readonly_regions()
         self._function_returns = None
 
@@ -1838,6 +1838,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 xrefs = self.kb.xrefs.get_xrefs_by_dst(security_cookie_addr)
                 tested_func_addrs = set()
                 for xref in xrefs:
+                    assert xref.block_addr is not None
                     cfg_node = self.model.get_any_node(xref.block_addr)
                     if cfg_node is None:
                         continue
@@ -2081,13 +2082,20 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
         if (
             cfg_job.src_node is not None
-            and self.functions.contains_addr(cfg_job.src_node.addr)
-            and self.functions[cfg_job.src_node.addr].is_default_name
             and cfg_job.src_node.addr not in self.kb.labels
             and cfg_job.jumpkind == "Ijk_Boring"
+            and self._is_noop_jump_block(cfg_job.src_node.block)
         ):
-            # assign a name to the caller function that jumps to this procedure
-            self.functions[cfg_job.src_node.addr].name = procedure.display_name
+            # the caller node is very likely to be a PLT stub
+            if not self.functions.contains_addr(cfg_job.src_node.addr):
+                src_func = self.functions.function(addr=cfg_job.src_node.addr, create=True)
+            else:
+                src_func = self.functions.get_by_addr(cfg_job.src_node.addr)
+            if len(src_func.block_addrs_set) <= 1 and src_func.is_default_name:
+                # assign a name to the caller function that jumps to this procedure
+                src_func.name = procedure.display_name
+                # mark it as PLT
+                src_func.is_plt = True
 
         if procedure.ADDS_EXITS:
             # Get two blocks ahead
@@ -3714,7 +3722,12 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
     #
 
     def _graph_add_edge(
-        self, cfg_node: CFGNode, src_node: CFGNode | None, src_jumpkind: str, src_ins_addr: int, src_stmt_idx: int
+        self,
+        cfg_node: CFGNode,
+        src_node: CFGNode | None,
+        src_jumpkind: str,
+        src_ins_addr: int | None,
+        src_stmt_idx: int | None,
     ):
         """
         Add edge between nodes, or add node if entry point
@@ -4584,6 +4597,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 elif (
                     lifted_block is not None
                     and is_x86_x64_arch
+                    and lifted_block.bytes is not None
                     and len(lifted_block.bytes) - irsb_size > 2
                     and lifted_block.bytes[irsb_size : irsb_size + 2]
                     in {
@@ -4659,7 +4673,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                     self._seg_list.occupy(real_addr + irsb_size, nodecode_size, "nodecode")
 
             # Occupy the block in segment list
-            if irsb.size > 0:
+            if irsb is not None and irsb.size > 0:
                 self._seg_list.occupy(real_addr, irsb.size, "code")
 
             # Create a CFG node, and add it to the graph
@@ -4969,6 +4983,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
         for assumption_addr in to_remove:
             # remove this assumption from the graph (since we may have new relationships formed later)
+            assert self._decoding_assumption_relations is not None
             if assumption_addr in self._decoding_assumption_relations:
                 self._decoding_assumption_relations.remove_node(assumption_addr)
 
@@ -5159,6 +5174,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                     target_func = edges[0][1]
                     if isinstance(target_func, (HookNode, Function)) and self.project.is_hooked(target_func.addr):
                         hooker = self.project.hooked_by(target_func.addr)
+                        assert hooker is not None
                         if hooker.DYNAMIC_RET:
                             return self._is_call_returning(callsite_cfgnode, target_func.addr)
 

angr/analyses/cfg/indirect_jump_resolvers/jumptable.py

@@ -183,7 +183,11 @@ class ConstantValueManager:
         # determine blocks to run FCP on
 
         # - include at most three levels of superblock successors from the entrypoint
+        self.mapping = {}
         startpoint = self.func.startpoint
+        if startpoint is None:
+            return
+
         blocks = set()
         succ_and_levels = [(startpoint, 0)]
         while succ_and_levels:

angr/analyses/class_identifier.py

@@ -1,6 +1,8 @@
 from __future__ import annotations
+
 from angr.sim_type import SimCppClass, SimTypeCppFunction
 from angr.analyses import AnalysesHub
+from angr.utils.cpp import is_cpp_funcname_ctor
 from . import Analysis, CFGFast, VtableFinder
 
 
@@ -33,17 +35,13 @@ class ClassIdentifier(Analysis):
             class_name = class_name.removeprefix("non-virtual thunk for ")
             if col_ind != -1:
                 if class_name not in self.classes:
-                    ctor = False
-                    if func.demangled_name.find("{ctor}"):
-                        ctor = True
+                    ctor = is_cpp_funcname_ctor(func.demangled_name)
                     function_members = {func.addr: SimTypeCppFunction([], None, label=func.demangled_name, ctor=ctor)}
                     new_class = SimCppClass(name=class_name, function_members=function_members)
                     self.classes[class_name] = new_class
 
                 else:
-                    ctor = False
-                    if func.demangled_name.find("{ctor}"):
-                        ctor = True
+                    ctor = is_cpp_funcname_ctor(func.demangled_name)
                     cur_class = self.classes[class_name]
                     cur_class.function_members[func.addr] = SimTypeCppFunction(
                         [], None, label=func.demangled_name, ctor=ctor
@@ -55,7 +53,10 @@ class ClassIdentifier(Analysis):
                 vtable_calling_func = self.project.kb.functions.floor_func(ref.ins_addr)
                 tmp_col_ind = vtable_calling_func.demangled_name.rfind("::")
                 possible_constructor_class_name = vtable_calling_func.demangled_name[:tmp_col_ind]
-                if "ctor" in vtable_calling_func.demangled_name and possible_constructor_class_name in self.classes:
+                if (
+                    is_cpp_funcname_ctor(vtable_calling_func.demangled_name)
+                    and possible_constructor_class_name in self.classes
+                ):
                     self.classes[possible_constructor_class_name].vtable_ptrs.append(vtable.vaddr)
 
 

angr/analyses/complete_calling_conventions.py

@@ -383,7 +383,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
             return (
                 cc_analysis.cc,
                 cc_analysis.prototype,
-                func.prototype_libname,
+                cc_analysis.prototype_libname if cc_analysis.prototype_libname is not None else func.prototype_libname,
                 self.kb.variables.get_function_manager(func_addr),
             )
         _l.info("Cannot determine calling convention for %r.", func)

angr/analyses/decompiler/ail_simplifier.py

@@ -118,7 +118,7 @@ class AILSimplifier(Analysis):
         self._should_rewrite_ccalls = rewrite_ccalls
         self._removed_vvar_ids = removed_vvar_ids if removed_vvar_ids is not None else set()
         self._arg_vvars = arg_vvars
-        self._avoid_vvar_ids = avoid_vvar_ids
+        self._avoid_vvar_ids = avoid_vvar_ids if avoid_vvar_ids is not None else set()
         self._propagator_dead_vvar_ids: set[int] = set()
         self._secondary_stackvars: set[int] = secondary_stackvars if secondary_stackvars is not None else set()
 
@@ -132,12 +132,10 @@ class AILSimplifier(Analysis):
     def _simplify(self):
         if self._narrow_expressions:
             _l.debug("Removing dead assignments before narrowing expressions")
-            r = self._remove_dead_assignments()
+            r = self._iteratively_remove_dead_assignments()
             if r:
                 _l.debug("... dead assignments removed")
                 self.simplified = True
-                self._rebuild_func_graph()
-                self._clear_cache()
 
             _l.debug("Narrowing expressions")
             narrowed_exprs = self._narrow_exprs()
@@ -170,12 +168,10 @@ class AILSimplifier(Analysis):
 
         if self._unify_vars:
             _l.debug("Removing dead assignments")
-            r = self._remove_dead_assignments()
+            r = self._iteratively_remove_dead_assignments()
             if r:
                 _l.debug("... dead assignments removed")
                 self.simplified = True
-                self._rebuild_func_graph()
-                self._clear_cache()
 
             _l.debug("Unifying local variables")
             r = self._unify_local_variables()
@@ -194,11 +190,10 @@ class AILSimplifier(Analysis):
                 self._clear_cache()
 
         _l.debug("Removing dead assignments")
-        r = self._remove_dead_assignments()
+        r = self._iteratively_remove_dead_assignments()
         if r:
             _l.debug("... dead assignments removed")
             self.simplified = True
-            self._rebuild_func_graph()
 
     def _rebuild_func_graph(self):
         def _handler(node):
@@ -1319,14 +1314,27 @@ class AILSimplifier(Analysis):
 
         return False, None
 
+    def _iteratively_remove_dead_assignments(self) -> bool:
+        anything_removed = False
+        while True:
+            r = self._remove_dead_assignments()
+            if not r:
+                return anything_removed
+            self._rebuild_func_graph()
+            self._clear_cache()
+
     def _remove_dead_assignments(self) -> bool:
 
         # keeping tracking of statements to remove and statements (as well as dead vvars) to keep allows us to handle
-        # cases where a statement defines more than one atoms, e.g., a call statement that defines both the return
+        # cases where a statement defines more than one atom, e.g., a call statement that defines both the return
         # value and the floating-point return value.
         stmts_to_remove_per_block: dict[tuple[int, int | None], set[int]] = defaultdict(set)
         stmts_to_keep_per_block: dict[tuple[int, int | None], set[int]] = defaultdict(set)
         dead_vvar_ids: set[int] = set()
+        dead_vvar_codelocs: set[CodeLocation] = set()
+        blocks: dict[tuple[int, int | None], Block] = {
+            (node.addr, node.idx): self.blocks.get(node, node) for node in self.func_graph.nodes()
+        }
 
         # Find all statements that should be removed
         mask = (1 << self.project.arch.bits) - 1
@@ -1335,59 +1343,64 @@ class AILSimplifier(Analysis):
         stackarg_offsets = (
             {(tpl[1] & mask) for tpl in self._stack_arg_offsets} if self._stack_arg_offsets is not None else None
         )
-        for def_ in rd.all_definitions:
-            if def_.dummy:
-                continue
-            # we do not remove references to global memory regions no matter what
-            if isinstance(def_.atom, atoms.MemoryLocation) and isinstance(def_.atom.addr, int):
-                continue
-            if isinstance(def_.atom, atoms.VirtualVariable):
-                if def_.atom.varid in self._propagator_dead_vvar_ids:
+        while True:
+            new_dead_vars_found = False
+            for vvar, codeloc in rd.all_vvar_definitions.items():
+                if vvar.varid in dead_vvar_ids:
+                    continue
+                if vvar.varid in self._propagator_dead_vvar_ids:
                     # we are definitely removing this variable if it has no uses
-                    uses = rd.get_vvar_uses(def_.atom)
-                elif def_.atom.was_stack:
+                    uses = rd.all_vvar_uses[vvar]
+                elif vvar.was_stack:
                     if not self._remove_dead_memdefs:
-                        if rd.is_phi_vvar_id(def_.atom.varid):
+                        if rd.is_phi_vvar_id(vvar.varid):
                             # we always remove unused phi variables
                             pass
-                        elif def_.atom.varid in self._secondary_stackvars:
+                        elif vvar.varid in self._secondary_stackvars:
                             # secondary stack variables are potentially removable
                             pass
                         elif stackarg_offsets is not None:
                             # we always remove definitions for stack arguments
-                            assert def_.atom.stack_offset is not None
-                            if (def_.atom.stack_offset & mask) not in stackarg_offsets:
+                            assert vvar.stack_offset is not None
+                            if (vvar.stack_offset & mask) not in stackarg_offsets:
                                 continue
                         else:
                             continue
-                    uses = rd.get_vvar_uses(def_.atom)
+                    uses = rd.all_vvar_uses[vvar]
 
-                elif def_.atom.was_tmp or def_.atom.was_reg or def_.atom.was_parameter:
-                    uses = rd.get_vvar_uses(def_.atom)
+                elif vvar.was_tmp or vvar.was_reg or vvar.was_parameter:
+                    uses = rd.all_vvar_uses[vvar]
 
                 else:
                     uses = set()
 
-            else:
-                continue
-
-            if not uses:
-                if isinstance(def_.atom, atoms.VirtualVariable):
-                    dead_vvar_ids.add(def_.atom.varid)
+                # remove uses where vvars are going to be removed
+                filtered_uses_count = 0
+                for _, loc in uses:
+                    if loc in dead_vvar_codelocs and loc.block_addr is not None and loc.stmt_idx is not None:
+                        stmt = blocks[(loc.block_addr, loc.block_idx)].statements[loc.stmt_idx]
+                        if not self._statement_has_call_exprs(stmt) and not isinstance(stmt, (DirtyStatement, Call)):
+                            continue
+                    filtered_uses_count += 1
+
+                if filtered_uses_count == 0:
+                    new_dead_vars_found = True
+                    dead_vvar_ids.add(vvar.varid)
+                    dead_vvar_codelocs.add(codeloc)
+                    if not isinstance(codeloc, ExternalCodeLocation):
+                        assert codeloc.block_addr is not None
+                        assert codeloc.stmt_idx is not None
+                        stmts_to_remove_per_block[(codeloc.block_addr, codeloc.block_idx)].add(codeloc.stmt_idx)
+                        stmts_to_keep_per_block[(codeloc.block_addr, codeloc.block_idx)].discard(codeloc.stmt_idx)
+                else:
+                    if not isinstance(codeloc, ExternalCodeLocation):
+                        assert codeloc.block_addr is not None
+                        assert codeloc.stmt_idx is not None
+                        stmts_to_keep_per_block[(codeloc.block_addr, codeloc.block_idx)].add(codeloc.stmt_idx)
 
-                if not isinstance(def_.codeloc, ExternalCodeLocation):
-                    assert def_.codeloc.block_addr is not None
-                    assert def_.codeloc.stmt_idx is not None
-                    stmts_to_remove_per_block[(def_.codeloc.block_addr, def_.codeloc.block_idx)].add(
-                        def_.codeloc.stmt_idx
-                    )
-            else:
-                if not isinstance(def_.codeloc, ExternalCodeLocation):
-                    assert def_.codeloc.block_addr is not None
-                    assert def_.codeloc.stmt_idx is not None
-                    stmts_to_keep_per_block[(def_.codeloc.block_addr, def_.codeloc.block_idx)].add(
-                        def_.codeloc.stmt_idx
-                    )
+            if not new_dead_vars_found:
+                # nothing more is found. let's end the loop
+                break
 
         # find all phi variables that rely on variables that no longer exist
         all_removed_var_ids = self._removed_vvar_ids.copy()
@@ -1462,6 +1475,7 @@ class AILSimplifier(Analysis):
                         if codeloc in self._assignments_to_remove:
                             # it should be removed
                             simplified = True
+                            self._assignments_to_remove.discard(codeloc)
                             continue
 
                         if self._statement_has_call_exprs(stmt):
@@ -1489,6 +1503,7 @@ class AILSimplifier(Analysis):
                         codeloc = CodeLocation(block.addr, idx, ins_addr=stmt.ins_addr, block_idx=block.idx)
                         if codeloc in self._calls_to_remove:
                             # this call can be removed
+                            self._calls_to_remove.discard(codeloc)
                             simplified = True
                             continue