angr 9.2.143__py3-none-win_amd64.whl → 9.2.144__py3-none-win_amd64.whl

angr/analyses/cfg/indirect_jump_resolvers/syscall_resolver.py

@@ -0,0 +1,92 @@
+from __future__ import annotations
+import contextlib
+from typing import TYPE_CHECKING
+import logging
+
+from angr import sim_options as o
+from angr import BP, BP_AFTER
+from angr.errors import (
+    AngrUnsupportedSyscallError,
+    SimOperationError,
+    SimError,
+)
+
+from .resolver import IndirectJumpResolver
+from .constant_value_manager import ConstantValueManager
+
+if TYPE_CHECKING:
+    from angr import Block
+    from angr.engines import SimSuccessors
+    from angr.sim_state import SimState
+    from angr.sim_procedure import SimProcedure
+
+
+_l = logging.getLogger(name=__name__)
+
+
+class SyscallResolver(IndirectJumpResolver):
+    """
+    Resolve syscalls to SimProcedures.
+    """
+
+    def __init__(self, project):
+        super().__init__(project, timeless=True)
+
+    def filter(self, cfg, addr, func_addr, block, jumpkind):
+        return jumpkind.startswith("Ijk_Sys")
+
+    def resolve(  # pylint:disable=unused-argument
+        self, cfg, addr: int, func_addr: int, block: Block, jumpkind: str, func_graph_complete: bool = True, **kwargs
+    ):
+        stub = self._resolve_syscall_to_stub(cfg, addr, func_addr, block)
+        return (True, [stub.addr]) if stub else (False, [])
+
+    def _resolve_syscall_to_stub(self, cfg, addr: int, func_addr: int, block: Block) -> SimProcedure | None:
+        if not cfg.functions.contains_addr(func_addr):
+            return None
+        func = cfg.functions.get_by_addr(func_addr)
+
+        cv_manager = ConstantValueManager(self.project, cfg.kb, func, addr)
+        constant_value_reg_read_bp = BP(when=BP_AFTER, enabled=True, action=cv_manager.reg_read_callback)
+
+        state = self.project.factory.blank_state(
+            mode="fastpath",
+            addr=block.addr,
+            add_options={o.SYMBOL_FILL_UNCONSTRAINED_MEMORY, o.SYMBOL_FILL_UNCONSTRAINED_REGISTERS},
+        )
+        state.inspect.add_breakpoint("reg_read", constant_value_reg_read_bp)
+
+        successors = self._simulate_block_with_resilience(state)
+        if successors:
+            state = self._get_syscall_state_from_successors(successors)
+            if state:
+                with contextlib.suppress(AngrUnsupportedSyscallError):
+                    return self.project.simos.syscall(state)
+        return None
+
+    def _simulate_block_with_resilience(self, state: SimState) -> SimSuccessors | None:
+        """
+        Execute a basic block with "On Error Resume Next". Give up when there is no way moving forward.
+        """
+
+        stmt_idx = 0
+        successors = None  # make PyCharm's linting happy
+
+        while True:
+            try:
+                successors = self.project.factory.successors(state, skip_stmts=stmt_idx)
+                break
+            except SimOperationError:
+                stmt_idx += 1
+                continue
+            except SimError:
+                return None
+
+        return successors
+
+    @staticmethod
+    def _get_syscall_state_from_successors(successors: SimSuccessors) -> SimState | None:
+        for state in successors.flat_successors:
+            if state.history.jumpkind and state.history.jumpkind.startswith("Ijk_Sys"):
+                return state
+        return None

angr/analyses/decompiler/ail_simplifier.py

@@ -1307,6 +1307,11 @@ class AILSimplifier(Analysis):
                 # check its predecessors
                 succ_predecessors = list(self.func_graph.predecessors(succ))
                 if len(succ_predecessors) == 1:
+                    if succ in lst:
+                        # we are about to form a loop - bad!
+                        # example: binary ce1897b492c80bf94083dd783aefb413ab1f6d8d4981adce8420f6669d0cb3e1, block
+                        # 0x2976EF7.
+                        break
                     lst.append(succ)
                 else:
                     break

angr/analyses/decompiler/clinic.py

@@ -12,6 +12,7 @@ import networkx
 import capstone
 
 import ailment
+from angr import SIM_LIBRARIES, SIM_TYPE_COLLECTIONS
 
 from angr.errors import AngrDecompilationError
 from angr.knowledge_base import KnowledgeBase
@@ -22,6 +23,7 @@ from angr.utils import timethis
 from angr.utils.graph import GraphUtils
 from angr.calling_conventions import SimRegArg, SimStackArg, SimFunctionArgument
 from angr.sim_type import (
+    dereference_simtype,
     SimTypeChar,
     SimTypeInt,
     SimTypeLongLong,
@@ -120,6 +122,7 @@ class Clinic(Analysis):
         desired_variables: set[str] | None = None,
         force_loop_single_exit: bool = True,
         complete_successors: bool = False,
+        max_type_constraints: int = 750,
     ):
         if not func.normalized and mode == ClinicMode.DECOMPILE:
             raise ValueError("Decompilation must work on normalized function graphs.")
@@ -130,7 +133,7 @@ class Clinic(Analysis):
         self.cc_graph: networkx.DiGraph | None = None
         self.unoptimized_graph: networkx.DiGraph | None = None
         self.arg_list = None
-        self.arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimRegArg]] | None = None
+        self.arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]] | None = None
         self.variable_kb = variable_kb
         self.externs: set[SimMemoryVariable] = set()
         self.data_refs: dict[int, list[DataRefDesc]] = {}  # data address to data reference description
@@ -153,6 +156,7 @@ class Clinic(Analysis):
         self.reaching_definitions: ReachingDefinitionsAnalysis | None = None
         self._cache = cache
         self._mode = mode
+        self._max_type_constraints = max_type_constraints
         self.vvar_id_start = vvar_id_start
         self.vvar_to_vvar: dict[int, int] | None = None
         # during SSA conversion, we create secondary stack variables because they overlap and are larger than the
@@ -304,10 +308,10 @@ class Clinic(Analysis):
             self._update_progress(29.0, text="Recovering calling conventions (AIL mode)")
             self._recover_calling_conventions(func_graph=ail_graph)
 
-        return ail_graph
+        return self._apply_callsite_prototype_and_calling_convention(ail_graph)
 
     def _slice_variables(self, ail_graph):
-        assert self.variable_kb is not None
+        assert self.variable_kb is not None and self._desired_variables is not None
 
         nodes_index = {(n.addr, n.idx): n for n in ail_graph.nodes()}
 
@@ -383,7 +387,7 @@ class Clinic(Analysis):
                     # replace the return statement with an assignment to the return register
                     blk.statements.pop(idx)
 
-                    if stmt.ret_exprs:
+                    if stmt.ret_exprs and self.project.arch.ret_offset is not None:
                         assign_to_retreg = ailment.Stmt.Assignment(
                             self._ail_manager.next_atom(),
                             ailment.Expr.Register(
@@ -430,14 +434,17 @@ class Clinic(Analysis):
         if callee_clinic.arg_vvars:
             for arg_idx in sorted(callee_clinic.arg_vvars.keys()):
                 param_vvar, reg_arg = callee_clinic.arg_vvars[arg_idx]
-                reg_offset = reg_arg.reg
-                stmt = ailment.Stmt.Assignment(
-                    self._ail_manager.next_atom(),
-                    param_vvar,
-                    ailment.Expr.Register(self._ail_manager.next_atom(), None, reg_offset, reg_arg.bits),
-                    ins_addr=caller_block.addr + caller_block.original_size,
-                )
-                caller_block.statements.append(stmt)
+                if isinstance(reg_arg, SimRegisterVariable):
+                    reg_offset = reg_arg.reg
+                    stmt = ailment.Stmt.Assignment(
+                        self._ail_manager.next_atom(),
+                        param_vvar,
+                        ailment.Expr.Register(self._ail_manager.next_atom(), None, reg_offset, reg_arg.bits),
+                        ins_addr=caller_block.addr + caller_block.original_size,
+                    )
+                    caller_block.statements.append(stmt)
+                else:
+                    raise NotImplementedError("Unsupported parameter type")
 
         ail_graph.add_edge(caller_block, callee_start)
 
@@ -669,6 +676,7 @@ class Clinic(Analysis):
         self._convert_all()
 
         # there must be at least one Load or one Store
+        assert self._blocks_by_addr_and_size is not None
         found_load_or_store = False
         for ail_block in self._blocks_by_addr_and_size.values():
             for stmt in ail_block.statements:
@@ -726,7 +734,7 @@ class Clinic(Analysis):
         self.arg_list = None
         self.variable_kb = None
         self.cc_graph = None
-        self.externs = None
+        self.externs = set()
         self.data_refs: dict[int, list[DataRefDesc]] = self._collect_data_refs(ail_graph)
 
     @staticmethod
@@ -754,7 +762,7 @@ class Clinic(Analysis):
         return graph_copy
 
     def copy_graph(self, graph=None) -> networkx.DiGraph:
-        return self._copy_graph(graph or self.graph)
+        return self._copy_graph(graph or self.graph)  # type:ignore
 
     @timethis
     def _set_function_graph(self):
@@ -765,6 +773,7 @@ class Clinic(Analysis):
         """
         Alignment blocks are basic blocks that only consist of nops. They should not be included in the graph.
         """
+        assert self._func_graph is not None
         for node in list(self._func_graph.nodes()):
             if self._func_graph.in_degree(node) == 0 and CFGBase._is_noop_block(
                 self.project.arch, self.project.factory.block(node.addr, node.size)
@@ -872,7 +881,7 @@ class Clinic(Analysis):
                     callsite_block_addr=callsite.addr,
                     callsite_insn_addr=callsite_ins_addr,
                     func_graph=func_graph,
-                    fail_fast=self._fail_fast,
+                    fail_fast=self._fail_fast,  # type:ignore
                 )
 
                 if cc.cc is not None and cc.prototype is not None:
@@ -953,6 +962,7 @@ class Clinic(Analysis):
 
         :return:    None
         """
+        assert self._func_graph is not None
 
         for block_node in self._func_graph.nodes():
             ail_block = self._convert(block_node)
@@ -1063,7 +1073,9 @@ class Clinic(Analysis):
                         self.project.hooked_by(successors[0].addr), UnresolvableCallTarget
                     ):
                         # found a single successor - replace the last statement
+                        assert isinstance(last_stmt.target, ailment.Expr.Expression)  # not a string
                         new_last_stmt = last_stmt.copy()
+                        assert isinstance(successors[0].addr, int)
                         new_last_stmt.target = ailment.Expr.Const(None, None, successors[0].addr, last_stmt.target.bits)
                         block.statements[-1] = new_last_stmt
 
@@ -1105,7 +1117,7 @@ class Clinic(Analysis):
                     if self.kb.functions.contains_addr(target_addr):
                         # replace the statement
                         target_func = self.kb.functions.get_by_addr(target_addr)
-                        if target_func.returning:
+                        if target_func.returning and self.project.arch.ret_offset is not None:
                             ret_reg_offset = self.project.arch.ret_offset
                             ret_expr = ailment.Expr.Register(
                                 None,
@@ -1136,6 +1148,74 @@ class Clinic(Analysis):
 
         return ail_graph
 
+    def _apply_callsite_prototype_and_calling_convention(self, ail_graph: networkx.DiGraph) -> networkx.DiGraph:
+        for block in ail_graph.nodes():
+            if not block.statements:
+                continue
+
+            last_stmt = block.statements[-1]
+            if not isinstance(last_stmt, ailment.Stmt.Call):
+                continue
+
+            cc = last_stmt.calling_convention
+            prototype = last_stmt.prototype
+            if cc and prototype:
+                continue
+
+            # manually-specified call-site prototype
+            has_callsite_prototype = self.kb.callsite_prototypes.has_prototype(block.addr)
+            if has_callsite_prototype:
+                manually_specified = self.kb.callsite_prototypes.get_prototype_type(block.addr)
+                if manually_specified:
+                    cc = self.kb.callsite_prototypes.get_cc(block.addr)
+                    prototype = self.kb.callsite_prototypes.get_prototype(block.addr)
+
+            # function-specific prototype
+            func = None
+            if cc is None or prototype is None:
+                target = None
+                if isinstance(last_stmt.target, ailment.Expr.Const):
+                    target = last_stmt.target.value
+
+                if target is not None and target in self.kb.functions:
+                    # function-specific logic when the calling target is known
+                    func = self.kb.functions[target]
+                    if func.prototype is None:
+                        func.find_declaration()
+                    cc = func.calling_convention
+                    prototype = func.prototype
+
+            # automatically recovered call-site prototype
+            if (cc is None or prototype is None) and has_callsite_prototype:
+                cc = self.kb.callsite_prototypes.get_cc(block.addr)
+                prototype = self.kb.callsite_prototypes.get_prototype(block.addr)
+
+            # ensure the prototype has been resolved
+            if prototype is not None and func is not None:
+                # make sure the function prototype is resolved.
+                # TODO: Cache resolved function prototypes globally
+                prototype_libname = func.prototype_libname
+                type_collections = []
+                if prototype_libname is not None:
+                    prototype_lib = SIM_LIBRARIES[prototype_libname]
+                    if prototype_lib.type_collection_names:
+                        for typelib_name in prototype_lib.type_collection_names:
+                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                if type_collections:
+                    prototype = dereference_simtype(prototype, type_collections).with_arch(  # type: ignore
+                        self.project.arch
+                    )
+
+            if cc is None:
+                l.warning("Call site %#x (callee %s) has an unknown calling convention.", block.addr, repr(func))
+
+            new_last_stmt = last_stmt.copy()
+            new_last_stmt.calling_convention = cc
+            new_last_stmt.prototype = prototype
+            block.statements[-1] = new_last_stmt
+
+        return ail_graph
+
     @timethis
     def _make_ailgraph(self) -> networkx.DiGraph:
         return self._function_graph_to_ail_graph(self._func_graph)
@@ -1589,9 +1669,9 @@ class Clinic(Analysis):
         tmp_kb.functions = self.kb.functions
         vr = self.project.analyses.VariableRecoveryFast(
             self.function,  # pylint:disable=unused-variable
-            fail_fast=self._fail_fast,
+            fail_fast=self._fail_fast,  # type:ignore
             func_graph=ail_graph,
-            kb=tmp_kb,
+            kb=tmp_kb,  # type:ignore
             track_sp=False,
             func_args=arg_list,
             unify_variables=False,
@@ -1610,9 +1690,13 @@ class Clinic(Analysis):
         stackvar_max_sizes = var_manager.get_stackvar_max_sizes(self.stack_items)
         tv_max_sizes = {}
         for v, s in stackvar_max_sizes.items():
+            assert isinstance(v, SimStackVariable)
             if v in vr.var_to_typevars:
                 for tv in vr.var_to_typevars[v]:
                     tv_max_sizes[tv] = s
+            if v.offset in vr.stack_offset_typevars:
+                tv = vr.stack_offset_typevars[v.offset]
+                tv_max_sizes[tv] = s
         # clean up existing types for this function
         var_manager.remove_types()
         # TODO: Type inference for global variables
@@ -1624,35 +1708,49 @@ class Clinic(Analysis):
                     must_struct |= typevars
         else:
             must_struct = None
-        try:
-            tp = self.project.analyses.Typehoon(
-                vr.type_constraints,
-                vr.func_typevar,
-                kb=tmp_kb,
-                fail_fast=self._fail_fast,
-                var_mapping=vr.var_to_typevars,
-                must_struct=must_struct,
-                ground_truth=groundtruth,
-                stackvar_max_sizes=tv_max_sizes,
-            )
-            # tp.pp_constraints()
-            # tp.pp_solution()
-            tp.update_variable_types(
-                self.function.addr,
-                {v: t for v, t in vr.var_to_typevars.items() if isinstance(v, (SimRegisterVariable, SimStackVariable))},
-            )
-            tp.update_variable_types(
-                "global",
-                {
-                    v: t
-                    for v, t in vr.var_to_typevars.items()
-                    if isinstance(v, SimMemoryVariable) and not isinstance(v, SimStackVariable)
-                },
-            )
-        except Exception:  # pylint:disable=broad-except
-            l.warning(
-                "Typehoon analysis failed. Variables will not have types. Please report to GitHub.", exc_info=True
+        total_type_constraints = sum(len(tc) for tc in vr.type_constraints.values()) if vr.type_constraints else 0
+        if total_type_constraints > self._max_type_constraints:
+            l.info(
+                "The number of type constraints (%d) is greater than the threshold (%d). Skipping type inference.",
+                total_type_constraints,
+                self._max_type_constraints,
             )
+        else:
+            try:
+                tp = self.project.analyses.Typehoon(
+                    vr.type_constraints,
+                    vr.func_typevar,
+                    kb=tmp_kb,
+                    fail_fast=self._fail_fast,
+                    var_mapping=vr.var_to_typevars,
+                    stack_offset_tvs=vr.stack_offset_typevars,
+                    must_struct=must_struct,
+                    ground_truth=groundtruth,
+                    stackvar_max_sizes=tv_max_sizes,
+                )
+                # tp.pp_constraints()
+                # tp.pp_solution()
+                tp.update_variable_types(
+                    self.function.addr,
+                    {
+                        v: t
+                        for v, t in vr.var_to_typevars.items()
+                        if isinstance(v, (SimRegisterVariable, SimStackVariable))
+                    },
+                    vr.stack_offset_typevars,
+                )
+                tp.update_variable_types(
+                    "global",
+                    {
+                        v: t
+                        for v, t in vr.var_to_typevars.items()
+                        if isinstance(v, SimMemoryVariable) and not isinstance(v, SimStackVariable)
+                    },
+                )
+            except Exception:  # pylint:disable=broad-except
+                l.warning(
+                    "Typehoon analysis failed. Variables will not have types. Please report to GitHub.", exc_info=True
+                )
 
         # for any left-over variables, assign Bottom type (which will get "corrected" into a default type in
         # VariableManager)
@@ -1671,14 +1769,10 @@ class Clinic(Analysis):
             func_blocks=list(ail_graph),
         )
 
-        # Link variables to each statement
+        # Link variables and struct member information to every statement and expression
         for block in ail_graph.nodes():
             self._link_variables_on_block(block, tmp_kb)
 
-        # Link struct member info to Store statements
-        for block in ail_graph.nodes():
-            self._link_struct_member_info_on_block(block, tmp_kb)
-
         if self._cache is not None:
             self._cache.type_constraints = vr.type_constraints
             self._cache.func_typevar = vr.func_typevar
@@ -1686,22 +1780,6 @@ class Clinic(Analysis):
 
         return tmp_kb
 
-    def _link_struct_member_info_on_block(self, block, kb):
-        variable_manager = kb.variables[self.function.addr]
-        for stmt in block.statements:
-            if isinstance(stmt, ailment.Stmt.Store) and isinstance((var := stmt.variable), SimStackVariable):
-                offset = var.offset
-                if offset in variable_manager.stack_offset_to_struct_member_info:
-                    stmt.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[offset]
-            elif (
-                isinstance(stmt, ailment.Stmt.Assignment)
-                and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
-                and stmt.dst.was_stack
-            ):
-                offset = stmt.dst.stack_offset
-                if offset in variable_manager.stack_offset_to_struct_member_info:
-                    stmt.dst.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[offset]
-
     def _link_variables_on_block(self, block, kb):
         """
         Link atoms (AIL expressions) in the given block to corresponding variables identified previously.
@@ -1737,6 +1815,12 @@ class Clinic(Analysis):
                         )
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.data)
 
+                # link struct member info
+                if isinstance(stmt.variable, SimStackVariable):
+                    off = stmt.variable.offset
+                    if off in variable_manager.stack_offset_to_struct_member_info:
+                        stmt.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[off]
+
             elif stmt_type is ailment.Stmt.Assignment:
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.dst)
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.src)
@@ -1804,6 +1888,11 @@ class Clinic(Analysis):
                 expr.variable = var
                 expr.variable_offset = offset
 
+                if isinstance(expr, ailment.Expr.VirtualVariable) and expr.was_stack:
+                    off = expr.stack_offset
+                    if off in variable_manager.stack_offset_to_struct_member_info:
+                        expr.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[off]
+
         elif type(expr) is ailment.Expr.Load:
             variables = variable_manager.find_variables_by_atom(block.addr, stmt_idx, expr, block_idx=block.idx)
             if len(variables) == 0:
@@ -1838,6 +1927,11 @@ class Clinic(Analysis):
                 expr.variable = var
                 expr.variable_offset = offset
 
+                if isinstance(var, SimStackVariable):
+                    off = var.offset
+                    if off in variable_manager.stack_offset_to_struct_member_info:
+                        expr.tags["struct_member_info"] = variable_manager.stack_offset_to_struct_member_info[off]
+
         elif type(expr) is ailment.Expr.BinaryOp:
             variables = variable_manager.find_variables_by_atom(block.addr, stmt_idx, expr, block_idx=block.idx)
             if len(variables) >= 1:
@@ -2683,7 +2777,7 @@ class Clinic(Analysis):
     def _next_atom(self) -> int:
         return self._ail_manager.next_atom()
 
-    def parse_variable_addr(self, addr: ailment.Expr.Expression) -> tuple[Any, Any] | None:
+    def parse_variable_addr(self, addr: ailment.Expr.Expression) -> tuple[Any, Any]:
         if isinstance(addr, ailment.Expr.Const):
             return addr, 0
         if isinstance(addr, ailment.Expr.BinaryOp) and addr.op == "Add":

angr/analyses/decompiler/decompiler.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 import logging
 from collections import defaultdict
 from collections.abc import Iterable
-from typing import Optional, Union, Any, TYPE_CHECKING
+from typing import Any, TYPE_CHECKING
 
 import networkx
 from cle import SymbolType
@@ -35,9 +35,9 @@ if TYPE_CHECKING:
 
 l = logging.getLogger(name=__name__)
 
-_PEEPHOLE_OPTIMIZATIONS_TYPE = Optional[
-    Iterable[Union[type["PeepholeOptimizationStmtBase"], type["PeepholeOptimizationExprBase"]]]
-]
+_PEEPHOLE_OPTIMIZATIONS_TYPE = (
+    Iterable[type["PeepholeOptimizationStmtBase"] | type["PeepholeOptimizationExprBase"]] | None
+)
 
 
 class Decompiler(Analysis):

angr/analyses/decompiler/optimization_passes/base_ptr_save_simplifier.py

@@ -16,7 +16,7 @@ class BasePointerSaveSimplifier(OptimizationPass):
     """
 
     ARCHES = ["X86", "AMD64", "ARMEL", "ARMHF", "ARMCortexM", "MIPS32", "MIPS64"]
-    PLATFORMS = ["cgc", "linux"]
+    PLATFORMS = None
     STAGE = OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION
     NAME = "Simplify base pointer saving"
     DESCRIPTION = __doc__.strip()

angr/analyses/decompiler/optimization_passes/optimization_pass.py

@@ -443,6 +443,11 @@ class StructuringOptimizationPass(OptimizationPass):
         """
         Wrapper for _analyze() that verifies the graph is structurable before and after the optimization.
         """
+        # replace the normal check in OptimizationPass.analyze()
+        ret, cache = self._check()
+        if not ret:
+            return
+
         if not self._graph_is_structurable(self._graph, initial=True):
             return
 
@@ -450,11 +455,6 @@ class StructuringOptimizationPass(OptimizationPass):
         if self._require_gotos and not self._initial_gotos:
             return
 
-        # replace the normal check in OptimizationPass.analyze()
-        ret, cache = self._check()
-        if not ret:
-            return
-
         # setup for the very first analysis
         self.out_graph = networkx.DiGraph(self._graph)
         if self._max_opt_iters > 1:

angr/analyses/decompiler/optimization_passes/return_duplicator_base.py

@@ -95,6 +95,7 @@ class ReturnDuplicatorBase:
         minimize_copies_for_regions: bool = True,
         ri: RegionIdentifier | None = None,
         scratch: dict[str, Any] | None = None,
+        max_func_blocks: int = 1500,
     ):
         self._max_calls_in_region = max_calls_in_regions
         self._minimize_copies_for_regions = minimize_copies_for_regions
@@ -105,6 +106,7 @@ class ReturnDuplicatorBase:
         self._func = func
         self._ri: RegionIdentifier | None = ri
         self.vvar_id_start = vvar_id_start
+        self._max_func_blocks = max_func_blocks
 
     def next_node_idx(self) -> int:
         node_idx = self.scratch.get("returndup_node_idx", 0) + 1
@@ -123,6 +125,9 @@ class ReturnDuplicatorBase:
     #
 
     def _check(self):
+        # is this function too large?
+        if len(self._func.block_addrs_set) > self._max_func_blocks:
+            return False, None
         # does this function have end points?
         return bool(self._func.endpoints), None
 

angr/analyses/decompiler/peephole_optimizations/__init__.py

@@ -5,6 +5,7 @@ from .a_mul_const_div_shr_const import AMulConstDivShrConst
 from .a_shl_const_sub_a import AShlConstSubA
 from .a_sub_a_div import ASubADiv
 from .a_sub_a_div_const_mul_const import ASubADivConstMulConst
+from .a_sub_a_shr_const_shr_const import ASubAShrConstShrConst
 from .arm_cmpf import ARMCmpF
 from .bswap import Bswap
 from .coalesce_same_cascading_ifs import CoalesceSameCascadingIfs
@@ -57,6 +58,7 @@ ALL_PEEPHOLE_OPTS: list[type[PeepholeOptimizationExprBase]] = [
     AMulConstSubA,
     ASubADiv,
     ASubADivConstMulConst,
+    ASubAShrConstShrConst,
     ARMCmpF,
     Bswap,
     CoalesceSameCascadingIfs,

angr/analyses/decompiler/peephole_optimizations/a_sub_a_shr_const_shr_const.py

@@ -0,0 +1,37 @@
+# pylint:disable=no-self-use,too-many-boolean-expressions
+from __future__ import annotations
+from ailment.expression import BinaryOp, Const
+
+from .base import PeepholeOptimizationExprBase
+
+
+class ASubAShrConstShrConst(PeepholeOptimizationExprBase):
+    """
+    Convert `cdq; sub eax, edx; sar eax, 1` to `eax /= 2`.
+    """
+
+    __slots__ = ()
+
+    NAME = "(a - (a >> 31)) >> N => a / 2 ** N (signed)"
+    expr_classes = (BinaryOp,)
+
+    def optimize(self, expr: BinaryOp, **kwargs):
+        if (
+            expr.op == "Sar"
+            and len(expr.operands) == 2
+            and isinstance(expr.operands[1], Const)
+            and expr.operands[1].is_int
+            and isinstance(expr.operands[0], BinaryOp)
+            and expr.operands[0].op == "Sub"
+        ):
+            a0, a1 = expr.operands[0].operands
+            if (
+                isinstance(a1, BinaryOp)
+                and a1.op == "Sar"
+                and isinstance(a1.operands[1], Const)
+                and a1.operands[1].value == 31
+                and a0.likes(a1.operands[0])
+            ):
+                dividend = 2 ** expr.operands[1].value
+                return BinaryOp(a0.idx, "Div", [a0, Const(None, None, dividend, expr.bits)], True, **expr.tags)
+        return None

angr/analyses/decompiler/ssailification/rewriting_engine.py

@@ -698,6 +698,8 @@ class SimEngineSSARewriting(
             raise NotImplementedError("Store expressions are not supported in _replace_use_expr.")
         if isinstance(thing, Tmp) and self.rewrite_tmps:
             return self._replace_use_tmp(self.block.addr, self.block.idx, self.stmt_idx, thing)
+        if isinstance(thing, Load):
+            return self._replace_use_load(thing)
         return None
 
     def _replace_use_reg(self, reg_expr: Register) -> VirtualVariable | Expression: