angr 9.2.143__py3-none-macosx_11_0_arm64.whl → 9.2.145__py3-none-macosx_11_0_arm64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.143"
+__version__ = "9.2.145"
 
 if bytes is str:
     raise Exception(

angr/analyses/calling_convention/calling_convention.py

@@ -864,7 +864,19 @@ class CallingConventionAnalysis(Analysis):
                 else:
                     int_args.append(arg)
 
-        stack_args = sorted([a for a in args if isinstance(a, SimStackArg)], key=lambda a: a.stack_offset)
+        initial_stack_args = sorted([a for a in args if isinstance(a, SimStackArg)], key=lambda a: a.stack_offset)
+        # ensure stack args are consecutive if necessary
+        if cc.STACKARG_SP_DIFF is not None and initial_stack_args:
+            arg_by_offset = {a.stack_offset: a for a in initial_stack_args}
+            init_stackarg_offset = cc.STACKARG_SP_DIFF + cc.STACKARG_SP_BUFF
+            int_arg_size = self.project.arch.bytes
+            for stackarg_offset in range(init_stackarg_offset, max(arg_by_offset), int_arg_size):
+                if stackarg_offset not in arg_by_offset:
+                    arg_by_offset[stackarg_offset] = SimStackArg(stackarg_offset, int_arg_size)
+            stack_args = [arg_by_offset[offset] for offset in sorted(arg_by_offset)]
+        else:
+            stack_args = initial_stack_args
+
         stack_int_args = [a for a in stack_args if not a.is_fp]
         stack_fp_args = [a for a in stack_args if a.is_fp]
         # match int args first

angr/analyses/calling_convention/fact_collector.py

@@ -1,6 +1,7 @@
 # pylint:disable=too-many-boolean-expressions
 from __future__ import annotations
 from typing import Any, TYPE_CHECKING
+from collections import defaultdict
 
 import pyvex
 import claripy
@@ -30,6 +31,7 @@ class FactCollectorState:
         "bp_value",
         "callee_stored_regs",
         "reg_reads",
+        "reg_reads_count",
         "reg_writes",
         "simple_stack",
         "sp_value",
@@ -44,6 +46,7 @@ class FactCollectorState:
 
         self.callee_stored_regs: dict[int, int] = {}  # reg offset -> stack offset
         self.reg_reads = {}
+        self.reg_reads_count = defaultdict(int)
         self.reg_writes: set[int] = set()
         self.stack_reads = {}
         self.stack_writes: set[int] = set()
@@ -51,6 +54,7 @@ class FactCollectorState:
         self.bp_value = 0
 
     def register_read(self, offset: int, size_in_bytes: int):
+        self.reg_reads_count[offset] += 1
         if offset in self.reg_writes:
             return
         if offset not in self.reg_reads:
@@ -58,6 +62,14 @@ class FactCollectorState:
         else:
             self.reg_reads[offset] = max(self.reg_reads[offset], size_in_bytes)
 
+    def register_read_undo(self, offset: int) -> None:
+        if offset not in self.reg_reads or offset not in self.reg_reads_count:
+            return
+        self.reg_reads_count[offset] -= 1
+        if self.reg_reads_count[offset] == 0:
+            self.reg_reads.pop(offset)
+            self.reg_reads_count.pop(offset)
+
     def register_written(self, offset: int, size_in_bytes: int):
         for o in range(size_in_bytes):
             self.reg_writes.add(offset + o)
@@ -84,6 +96,7 @@ class FactCollectorState:
         new_state.sp_value = self.sp_value
         new_state.bp_value = self.bp_value
         new_state.simple_stack = self.simple_stack.copy()
+        new_state.reg_reads_count = self.reg_reads_count.copy()
         if with_tmps:
             new_state.tmps = self.tmps.copy()
         return new_state
@@ -119,6 +132,26 @@ class SimEngineFactCollectorVEX(
 
     def _handle_stmt_Put(self, stmt):
         v = self._expr(stmt.data)
+        # there are cases like  VMOV.F32        S0, S0
+        # so we need to check if this register write is actually a no-op
+        if isinstance(stmt.data, pyvex.IRExpr.RdTmp):
+            t = self.state.tmps.get(stmt.data.tmp, None)
+            if isinstance(t, RegisterOffset) and t.reg == stmt.offset:
+                same_ins_read = False
+                for i in range(self.stmt_idx, -1, -1):
+                    if i >= self.block.vex.stmts_used:
+                        break
+                    prev_stmt = self.block.vex.statements[i]
+                    if isinstance(prev_stmt, pyvex.IRStmt.IMark):
+                        break
+                    if isinstance(prev_stmt, pyvex.IRStmt.WrTmp) and prev_stmt.tmp == stmt.data.tmp:
+                        same_ins_read = True
+                        break
+                if same_ins_read:
+                    # we need to revert the read operation as well
+                    self.state.register_read_undo(stmt.offset)
+                return
+
         if stmt.offset == self.arch.sp_offset and isinstance(v, SpOffset):
             self.state.sp_value = v.offset
         elif stmt.offset == self.arch.bp_offset and isinstance(v, SpOffset):
@@ -210,7 +243,7 @@ class FactCollector(Analysis):
     decision on the calling convention and prototype of a function.
     """
 
-    def __init__(self, func: Function, max_depth: int = 5):
+    def __init__(self, func: Function, max_depth: int = 30):
         self.function = func
         self._max_depth = max_depth
 
@@ -285,14 +318,17 @@ class FactCollector(Analysis):
             for _, succ, data in func_graph.out_edges(node, data=True):
                 edge_type = data.get("type")
                 outside = data.get("outside", False)
-                if succ not in traversed and depth + 1 <= self._max_depth:
+                if depth + 1 <= self._max_depth:
                     if edge_type == "fake_return":
-                        ret_succ = succ
+                        if succ not in traversed:
+                            ret_succ = succ
                     elif edge_type == "transition" and not outside:
-                        successor_added = True
-                        queue.append((depth + 1, state.copy(), succ, None))
+                        if succ not in traversed:
+                            successor_added = True
+                            queue.append((depth + 1, state.copy(), succ, None))
                     elif edge_type == "call" or (edge_type == "transition" and outside):
                         # a call or a tail-call
+                        # note that it's ok to traverse a called function multiple times
                         if not isinstance(succ, Function):
                             if self.kb.functions.contains_addr(succ.addr):
                                 succ = self.kb.functions.get_by_addr(succ.addr)

angr/analyses/cfg/cfg_base.py

@@ -1701,7 +1701,12 @@ class CFGBase(Analysis):
                 self._update_progress(progress)
 
             self._graph_bfs_custom(
-                self.graph, [fn], self._graph_traversal_handler, blockaddr_to_function, tmp_functions
+                self.graph,
+                [fn],
+                self._graph_traversal_handler,
+                blockaddr_to_function,
+                tmp_functions,
+                traversed_cfg_nodes,
             )
 
         to_remove = set()
@@ -2731,7 +2736,7 @@ class CFGBase(Analysis):
             relifted = self.project.factory.block(block.addr, size=block.size, opt_level=1, cross_insn_opt=True).vex
         except SimError:
             return False, []
-        if isinstance(relifted.next, pyvex.IRExpr.Const):
+        if not relifted.jumpkind.startswith("Ijk_Sys") and isinstance(relifted.next, pyvex.IRExpr.Const):
             # yes!
             return True, [relifted.next.con.value]
 

angr/analyses/cfg/cfg_emulated.py

@@ -1,9 +1,11 @@
 from __future__ import annotations
+from typing import TYPE_CHECKING
 import itertools
 import logging
 import sys
 from collections import defaultdict
 from functools import reduce
+import contextlib
 
 import angr
 import claripy
@@ -45,7 +47,10 @@ from angr.analyses.backward_slice import BackwardSlice
 from angr.analyses.loopfinder import LoopFinder, Loop
 from .cfg_base import CFGBase
 from .cfg_job_base import BlockID, CFGJobBase
-import contextlib
+
+if TYPE_CHECKING:
+    from angr.knowledge_plugins.cfg import CFGNode
+
 
 l = logging.getLogger(name=__name__)
 
@@ -505,6 +510,8 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         :return: None
         """
 
+        assert self._starts is not None
+
         if not isinstance(max_loop_unrolling_times, int) or max_loop_unrolling_times < 0:
             raise AngrCFGError(
                 "Max loop unrolling times must be set to an integer greater than or equal to 0 if "
@@ -586,6 +593,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
 
             graph_copy.remove_node(new_end_node)
             src, dst = loop_backedge
+            assert src is not None and dst is not None
             if graph_copy.has_edge(src, dst):  # It might have been removed before
                 # Duplicate the dst node
                 new_dst = dst.copy()
@@ -713,9 +721,10 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         # FIXME: start should also take a CFGNode instance
 
         start_node = self.get_any_node(start)
+        assert start_node is not None
 
         node_wrapper = (start_node, 0)
-        stack = [node_wrapper]
+        stack: list[tuple[CFGNode, int]] = [node_wrapper]
         traversed_nodes = {start_node}
         subgraph_nodes = {start_node}
 
@@ -727,6 +736,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
             edges = self.graph.out_edges(n, data=True)
 
             for _, dst, data in edges:
+                assert dst is not None
                 if dst not in traversed_nodes:
                     # We see a new node!
                     traversed_nodes.add(dst)
@@ -1687,9 +1697,8 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
 
         for block_id in pending_exits_to_remove:
             l.debug(
-                "Removing all pending exits to %#x since the target function %#x does not return",
+                "Removing all pending exits to %#x since the target function does not return",
                 self._block_id_addr(block_id),
-                next(iter(self._pending_jobs[block_id])).returning_source,
             )
 
             for to_remove in self._pending_jobs[block_id]:

angr/analyses/cfg/cfg_fast.py

@@ -31,13 +31,10 @@ from angr import sim_options as o
 from angr.errors import (
     AngrCFGError,
     AngrSkipJobNotice,
-    AngrUnsupportedSyscallError,
     SimEngineError,
     SimMemoryError,
     SimTranslationError,
     SimValueError,
-    SimOperationError,
-    SimError,
     SimIRSBNoDecodeError,
 )
 from angr.utils.constants import DEFAULT_STATEMENT
@@ -200,7 +197,7 @@ class PendingJobs:
             return self._pop_job(next(reversed(self._jobs.keys())))
 
         # Prioritize returning functions
-        for func_addr in reversed(self._jobs.keys()):
+        for func_addr in reversed(self._jobs):
             if func_addr not in self._returning_functions:
                 continue
             return self._pop_job(func_addr)
@@ -621,6 +618,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         nodecode_window_size=512,
         nodecode_threshold=0.3,
         nodecode_step=16483,
+        check_funcret_max_job=500,
         indirect_calls_always_return: bool | None = None,
         jumptable_resolver_resolves_calls: bool | None = None,
         start=None,  # deprecated
@@ -680,6 +678,12 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                                         table resolver and must be resolved using their specific resolvers. By default,
                                         we will only disable JumpTableResolver from resolving indirect calls for large
                                         binaries (region > 50 KB).
+        :param check_funcret_max_job    When popping return-site jobs out of the job queue, angr will prioritize jobs
+                                        for which the callee is known to return. This check may be slow when there are
+                                        a large amount of jobs in different caller functions, and this situation often
+                                        occurs in obfuscated binaries where many functions never return. This parameter
+                                        acts as a threshold to disable this check when the number of jobs in the queue
+                                        exceeds this threshold.
         :param int start:               (Deprecated) The beginning address of CFG recovery.
         :param int end:                 (Deprecated) The end address of CFG recovery.
         :param CFGArchOptions arch_options: Architecture-specific options.
@@ -768,6 +772,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         self._force_complete_scan = force_complete_scan
         self._use_elf_eh_frame = elf_eh_frame
         self._use_exceptions = exceptions
+        self._check_funcret_max_job = check_funcret_max_job
 
         self._nodecode_window_size = nodecode_window_size
         self._nodecode_threshold = nodecode_threshold
@@ -1535,6 +1540,19 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 }:
                     func.info["is_alloca_probe"] = True
 
+        elif self.project.arch.name == "X86":
+            # determine if the function is __alloca_probe
+            func = self.kb.functions.get_by_addr(func_addr) if self.kb.functions.contains_addr(func_addr) else None
+            if func is not None and len(func.block_addrs_set) == 4:
+                block_bytes = {func.get_block(block_addr).bytes for block_addr in func.block_addrs_set}
+                if block_bytes == {
+                    b"-\x00\x10\x00\x00\x85\x00\xeb\xe9",
+                    b";\xc8r\n",
+                    b"Q\x8dL$\x04+\xc8\x1b\xc0\xf7\xd0#\xc8\x8b\xc4%\x00\xf0\xff\xff;\xc8r\n",
+                    b"\x8b\xc1Y\x94\x8b\x00\x89\x04$\xc3",
+                }:
+                    func.info["is_alloca_probe"] = True
+
         if self._collect_data_ref and self.project is not None and ":" in self.project.arch.name:
             # this is a pcode arch - use Clinic to recover data references
 
@@ -1824,7 +1842,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
         if (
             self.project.simos is not None
-            and self.project.arch.name == "AMD64"
+            and self.project.arch.name in {"X86", "AMD64"}
             and self.project.simos.name == "Win32"
             and isinstance(self.project.loader.main_object, cle.PE)
         ):
@@ -2576,38 +2594,16 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         jobs: list[CFGJob] = []
 
         if is_syscall:
-            # Fix the target_addr for syscalls
-            tmp_state = self.project.factory.blank_state(
-                mode="fastpath",
-                addr=cfg_node.addr,
-                add_options={o.SYMBOL_FILL_UNCONSTRAINED_MEMORY, o.SYMBOL_FILL_UNCONSTRAINED_REGISTERS},
+            resolved, resolved_targets, ij = self._indirect_jump_encountered(
+                addr, cfg_node, irsb, current_function_addr, stmt_idx
             )
-            # Find the first successor with a syscall jumpkind
-            successors = self._simulate_block_with_resilience(tmp_state)
-            if successors is not None:
-                succ = next(
-                    iter(
-                        succ
-                        for succ in successors.flat_successors
-                        if succ.history.jumpkind and succ.history.jumpkind.startswith("Ijk_Sys")
-                    ),
-                    None,
-                )
-            else:
-                succ = None
-            if succ is None:
-                # For some reason, there is no such successor with a syscall jumpkind
-                target_addr = self._unresolvable_call_target_addr
+            target_addr = None
+            if resolved:
+                if len(resolved_targets) == 1:
+                    (target_addr,) = resolved_targets
             else:
-                try:
-                    syscall_stub = self.project.simos.syscall(succ)
-                    if syscall_stub:  # can be None if simos is not a subclass of SimUserspace
-                        syscall_addr = syscall_stub.addr
-                        target_addr = syscall_addr
-                    else:
-                        target_addr = self._unresolvable_call_target_addr
-                except AngrUnsupportedSyscallError:
-                    target_addr = self._unresolvable_call_target_addr
+                if ij is not None:
+                    self._indirect_jumps_to_resolve.add(ij)
 
         new_function_addr = target_addr.method if isinstance(target_addr, SootAddressDescriptor) else target_addr
 
@@ -2732,30 +2728,6 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
         return jobs
 
-    def _simulate_block_with_resilience(self, state):
-        """
-        Execute a basic block with "On Error Resume Next". Give up when there is no way moving forward.
-
-        :param SimState state:  The initial state to start simulation with.
-        :return:                A SimSuccessors instance or None if we are unable to resume execution with resilience.
-        :rtype:                 SimSuccessors or None
-        """
-
-        stmt_idx = 0
-        successors = None  # make PyCharm's linting happy
-
-        while True:
-            try:
-                successors = self.project.factory.successors(state, skip_stmts=stmt_idx)
-                break
-            except SimOperationError as ex:
-                stmt_idx = ex.stmt_idx + 1
-                continue
-            except SimError:
-                return None
-
-        return successors
-
     def _is_branching_to_outside(self, src_addr, target_addr, current_function_addr):
         """
         Determine if a branch is branching to a different function (i.e., branching to outside the current function).
@@ -3236,7 +3208,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         if jump.jumpkind == "Ijk_Boring":
             unresolvable_target_addr = self._unresolvable_jump_target_addr
             simprocedure_name = "UnresolvableJumpTarget"
-        elif jump.jumpkind == "Ijk_Call":
+        elif jump.jumpkind == "Ijk_Call" or jump.jumpkind.startswith("Ijk_Sys"):
             unresolvable_target_addr = self._unresolvable_call_target_addr
             simprocedure_name = "UnresolvableCallTarget"
         else:
@@ -3707,7 +3679,9 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
     def _pop_pending_job(self, returning=True) -> CFGJob | None:
         while self._pending_jobs:
-            job = self._pending_jobs.pop_job(returning=returning)
+            job = self._pending_jobs.pop_job(
+                returning=returning if len(self._pending_jobs) < self._check_funcret_max_job else False
+            )
             if job is not None and job.job_type == CFGJobType.DATAREF_HINTS and self._seg_list.is_occupied(job.addr):
                 # ignore this hint from data refs because the target address has already been analyzed
                 continue

angr/analyses/cfg/indirect_jump_resolvers/__init__.py

@@ -10,6 +10,7 @@ from .arm_elf_fast import ArmElfFastResolver
 from .const_resolver import ConstantResolver
 from .amd64_pe_iat import AMD64PeIatResolver
 from .memload_resolver import MemoryLoadResolver
+from .syscall_resolver import SyscallResolver
 
 
 __all__ = (
@@ -21,6 +22,7 @@ __all__ = (
     "MemoryLoadResolver",
     "MipsElfFastResolver",
     "MipsElfGotResolver",
+    "SyscallResolver",
     "X86ElfPicPltResolver",
     "X86PeIatResolver",
 )

angr/analyses/cfg/indirect_jump_resolvers/constant_value_manager.py

@@ -0,0 +1,107 @@
+from __future__ import annotations
+from typing import TYPE_CHECKING, Any
+import logging
+
+import claripy
+
+from angr.code_location import CodeLocation
+from angr.project import Project
+from angr.analyses.propagator.vex_vars import VEXReg
+from .propagator_utils import PropagatorLoadCallback
+
+if TYPE_CHECKING:
+    from angr import SimState
+    from angr.knowledge_plugins import Function
+
+
+l = logging.getLogger(name=__name__)
+
+
+class ConstantValueManager:
+    """
+    Manages the loading of registers who hold constant values.
+    """
+
+    __slots__ = (
+        "func",
+        "indirect_jump_addr",
+        "kb",
+        "mapping",
+        "project",
+    )
+
+    def __init__(self, project: Project, kb, func: Function, ij_addr: int):
+        self.project = project
+        self.kb = kb
+        self.func = func
+        self.indirect_jump_addr = ij_addr
+
+        self.mapping: dict[Any, dict[Any, claripy.ast.Base]] | None = None
+
+    def reg_read_callback(self, state: SimState):
+        if self.mapping is None:
+            self._build_mapping()
+            assert self.mapping is not None
+
+        codeloc = CodeLocation(state.scratch.bbl_addr, state.scratch.stmt_idx, ins_addr=state.scratch.ins_addr)
+        if codeloc in self.mapping:
+            reg_read_offset = state.inspect.reg_read_offset
+            if isinstance(reg_read_offset, claripy.ast.BV) and reg_read_offset.op == "BVV":
+                reg_read_offset = reg_read_offset.args[0]
+            variable = VEXReg(reg_read_offset, state.inspect.reg_read_length)
+            if variable in self.mapping[codeloc]:
+                v = self.mapping[codeloc][variable]
+                if isinstance(v, int):
+                    v = claripy.BVV(v, state.inspect.reg_read_length * state.arch.byte_width)
+                state.inspect.reg_read_expr = v
+
+    def _build_mapping(self):
+        # constant propagation
+        l.debug("JumpTable: Propagating for %r at %#x.", self.func, self.indirect_jump_addr)
+
+        # determine blocks to run FCP on
+
+        # - include at most three levels of superblock successors from the entrypoint
+        self.mapping = {}
+        startpoint = self.func.startpoint
+        if startpoint is None:
+            return
+
+        blocks = set()
+        succ_and_levels = [(startpoint, 0)]
+        while succ_and_levels:
+            new_succs = []
+            for node, level in succ_and_levels:
+                if node in blocks:
+                    continue
+                blocks.add(node)
+                if node.addr == self.indirect_jump_addr:
+                    # stop at the indirect jump block
+                    continue
+                for _, succ, data in self.func.graph.out_edges(node, data=True):
+                    new_level = level if data.get("type") == "fake_return" else level + 1
+                    if new_level <= 3:
+                        new_succs.append((succ, new_level))
+            succ_and_levels = new_succs
+
+        # - include at most six levels of predecessors from the indirect jump block
+        ij_block = self.func.get_node(self.indirect_jump_addr)
+        preds = [ij_block]
+        for _ in range(6):
+            new_preds = []
+            for node in preds:
+                if node in blocks:
+                    continue
+                blocks.add(node)
+                new_preds += list(self.func.graph.predecessors(node))
+            preds = new_preds
+            if not preds:
+                break
+
+        prop = self.project.analyses.FastConstantPropagation(
+            self.func,
+            blocks=blocks,
+            vex_cross_insn_opt=True,
+            load_callback=PropagatorLoadCallback(self.project).propagator_load_callback,
+        )
+        self.mapping = prop.replacements

angr/analyses/cfg/indirect_jump_resolvers/default_resolvers.py

@@ -11,6 +11,7 @@ from . import ConstantResolver
 from . import ArmElfFastResolver
 from . import AMD64PeIatResolver
 from . import MipsElfGotResolver
+from . import SyscallResolver
 
 DEFAULT_RESOLVERS = {
     "X86": {
@@ -58,7 +59,7 @@ DEFAULT_RESOLVERS = {
             ArmElfFastResolver,
         ]
     },
-    "ALL": [MemoryLoadResolver, JumpTableResolver, ConstantResolver],
+    "ALL": [MemoryLoadResolver, JumpTableResolver, ConstantResolver, SyscallResolver],
 }