angr 9.2.145__py3-none-manylinux2014_x86_64.whl → 9.2.147__py3-none-manylinux2014_x86_64.whl

angr/analyses/cfg/cfg_fast.py

@@ -1649,6 +1649,13 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
             if addr is not None:
                 # if this is ARM and addr % 4 != 0, it has to be THUMB
                 if is_arm_arch(self.project.arch):
+                    if (
+                        "has_arm_code" in self._arch_options
+                        and self._arch_options["has_arm_code"] is False
+                        and addr % 2 == 0
+                    ):
+                        addr |= 1
+
                     if addr % 2 == 0 and addr % 4 != 0:
                         # it's not aligned by 4, so it's definitely not ARM mode
                         addr |= 1
@@ -1968,9 +1975,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
         # Pre-compile all regexes
         regexes = []
-        for ins_regex in self.project.arch.function_prologs:
-            r = re.compile(ins_regex)
-            regexes.append(r)
+        if "has_arm_code" not in self._arch_options or self._arch_options["has_arm_code"]:
+            for ins_regex in self.project.arch.function_prologs:
+                r = re.compile(ins_regex)
+                regexes.append(r)
         # EDG says: I challenge anyone bothering to read this to come up with a better
         # way to handle CPU modes that affect instruction decoding.
         # Since the only one we care about is ARM/Thumb right now
@@ -2832,6 +2840,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                     and not self._seg_list.is_occupied(v)
                     and v % self.project.arch.instruction_alignment == 0
                 ):
+                    if is_arm_arch(self.project.arch) and not self._arch_options.has_arm_code and v % 2 != 1:
+                        # no ARM code in this binary!
+                        return
+
                     # create a new CFG job
                     ce = CFGJob(
                         v,
@@ -4430,6 +4442,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                                 self._cascading_remove_lifted_blocks(cfg_job.src_node.addr & 0xFFFF_FFFE)
                             return None, None, None, None
 
+                if not self._arch_options.has_arm_code and addr % 2 == 0:
+                    # No ARM code for this architecture!
+                    return None, None, None, None
+
             initial_regs = self._get_initial_registers(addr, cfg_job, current_function_addr)
 
             # Let's try to create the pyvex IRSB directly, since it's much faster

angr/analyses/decompiler/optimization_passes/engine_base.py

@@ -312,7 +312,15 @@ class SimplifierAILEngine(
         return expr
 
     def _handle_expr_ITE(self, expr):
-        return expr
+        return ailment.expression.ITE(
+            expr.idx,
+            self._expr(expr.cond),
+            self._expr(expr.iffalse),
+            self._expr(expr.iftrue),
+            variable=expr.variable,
+            variable_offset=expr.variable_offset,
+            **expr.tags,
+        )
 
     def _handle_expr_Call(self, expr):
         return expr

angr/analyses/decompiler/peephole_optimizations/eager_eval.py

@@ -222,6 +222,17 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
                     )
                     return BinaryOp(expr.idx, "Div", (mul, new_const_0), expr.signed, bits=expr.bits, **expr.tags)
 
+        elif expr.op == "Mod":
+            op0, op1 = expr.operands
+            if (
+                isinstance(op0, Const)
+                and isinstance(op0.value, int)
+                and isinstance(op1, Const)
+                and isinstance(op1.value, int)
+                and op1.value != 0
+            ):
+                return Const(expr.idx, None, op0.value % op1.value, expr.bits, **expr.tags)
+
         elif expr.op in {"Shr", "Sar"} and isinstance(expr.operands[1], Const):
             expr0, expr1 = expr.operands
             if isinstance(expr0, BinaryOp) and expr0.op == "Shr" and isinstance(expr0.operands[1], Const):

angr/analyses/decompiler/ssailification/ssailification.py

@@ -145,7 +145,7 @@ class Ssailification(Analysis):  # pylint:disable=abstract-method
             stackvar_locs = {}
             sorted_stackvar_offs = []
 
-        # computer phi node locations for each unified definition
+        # compute phi node locations for each unified definition
         udef_to_defs = defaultdict(set)
         udef_to_blockkeys = defaultdict(set)
         for def_, loc in def_to_loc:

angr/analyses/flirt/__init__.py

@@ -0,0 +1,47 @@
+from __future__ import annotations
+from .flirt import FlirtAnalysis
+from .flirt_sig import FlirtSignature, FlirtSignatureParsed, FlirtSignatureError
+from .consts import FLIRT_ARCH_TO_ARCHNAME, FLIRT_OS_TO_OSNAME, FlirtAppType, FlirtOSType
+
+
+def flirt_arch_to_arch_name(flirt_arch: int, app_types: int) -> str:
+    """
+    Convert FLIRT architecture ID to architecture name.
+
+    :param flirt_arch: FLIRT architecture ID.
+    :param app_types: FLIRT application types.
+    :return: Architecture name.
+    """
+    try:
+        arches = FLIRT_ARCH_TO_ARCHNAME[flirt_arch]
+    except KeyError:
+        return "Unknown"
+    if app_types & FlirtAppType.APP_32_BIT and 32 in arches:
+        return arches[32]
+    if app_types & FlirtAppType.APP_64_BIT and 64 in arches:
+        return arches[64]
+    return "Unknown"
+
+
+def flirt_os_type_to_os_name(os_type: int) -> str:
+    """
+    Convert FLIRT OS type to OS name.
+
+    :param os_type: FLIRT OS type.
+    :return: OS name.
+    """
+    try:
+        v = FlirtOSType(os_type)
+        return FLIRT_OS_TO_OSNAME.get(v, v.name)
+    except ValueError:
+        return "UnknownOS"
+
+
+__all__ = [
+    "FlirtAnalysis",
+    "FlirtSignature",
+    "FlirtSignatureError",
+    "FlirtSignatureParsed",
+    "flirt_arch_to_arch_name",
+    "flirt_os_type_to_os_name",
+]

angr/analyses/flirt/consts.py

@@ -0,0 +1,160 @@
+# pylint:disable=missing-class-docstring
+from __future__ import annotations
+from enum import Enum
+
+
+class FlirtArch(int, Enum):
+    ARCH_386 = 0  # Intel 80x86
+    ARCH_Z80 = 1  # 8085, Z80
+    ARCH_I860 = 2  # Intel 860
+    ARCH_8051 = 3  # 8051
+    ARCH_TMS = 4  # Texas Instruments TMS320C5x
+    ARCH_6502 = 5  # 6502
+    ARCH_PDP = 6  # PDP11
+    ARCH_68K = 7  # Motorola 680x0
+    ARCH_JAVA = 8  # Java
+    ARCH_6800 = 9  # Motorola 68xx
+    ARCH_ST7 = 10  # SGS-Thomson ST7
+    ARCH_MC6812 = 11  # Motorola 68HC12
+    ARCH_MIPS = 12  # MIPS
+    ARCH_ARM = 13  # Advanced RISC Machines
+    ARCH_TMSC6 = 14  # Texas Instruments TMS320C6x
+    ARCH_PPC = 15  # PowerPC
+    ARCH_80196 = 16  # Intel 80196
+    ARCH_Z8 = 17  # Z8
+    ARCH_SH = 18  # Renesas (formerly Hitachi) SuperH
+    ARCH_NET = 19  # Microsoft Visual Studio.Net
+    ARCH_AVR = 20  # Atmel 8-bit RISC processor(s)
+    ARCH_H8 = 21  # Hitachi H8/300, H8/2000
+    ARCH_PIC = 22  # Microchip's PIC
+    ARCH_SPARC = 23  # SPARC
+    ARCH_ALPHA = 24  # DEC Alpha
+    ARCH_HPPA = 25  # Hewlett-Packard PA-RISC
+    ARCH_H8500 = 26  # Hitachi H8/500
+    ARCH_TRICORE = 27  # Tasking Tricore
+    ARCH_DSP56K = 28  # Motorola DSP5600x
+    ARCH_C166 = 29  # Siemens C166 family
+    ARCH_ST20 = 30  # SGS-Thomson ST20
+    ARCH_IA64 = 31  # Intel Itanium IA64
+    ARCH_I960 = 32  # Intel 960
+    ARCH_F2MC = 33  # Fujitsu F2MC-16
+    ARCH_TMS320C54 = 34  # Texas Instruments TMS320C54xx
+    ARCH_TMS320C55 = 35  # Texas Instruments TMS320C55xx
+    ARCH_TRIMEDIA = 36  # Trimedia
+    ARCH_M32R = 37  # Mitsubishi 32bit RISC
+    ARCH_NEC_78K0 = 38  # NEC 78K0
+    ARCH_NEC_78K0S = 39  # NEC 78K0S
+    ARCH_M740 = 40  # Mitsubishi 8bit
+    ARCH_M7700 = 41  # Mitsubishi 16bit
+    ARCH_ST9 = 42  # ST9+
+    ARCH_FR = 43  # Fujitsu FR Family
+    ARCH_MC6816 = 44  # Motorola 68HC16
+    ARCH_M7900 = 45  # Mitsubishi 7900
+    ARCH_TMS320C3 = 46  # Texas Instruments TMS320C3
+    ARCH_KR1878 = 47  # Angstrem KR1878
+    ARCH_AD218X = 48  # Analog Devices ADSP 218X
+    ARCH_OAKDSP = 49  # Atmel OAK DSP
+    ARCH_TLCS900 = 50  # Toshiba TLCS-900
+    ARCH_C39 = 51  # Rockwell C39
+    ARCH_CR16 = 52  # NSC CR16
+    ARCH_MN102L00 = 53  # Panasonic MN10200
+    ARCH_TMS320C1X = 54  # Texas Instruments TMS320C1x
+    ARCH_NEC_V850X = 55  # NEC V850 and V850ES/E1/E2
+    ARCH_SCR_ADPT = 56  # Processor module adapter for processor modules written in scripting languages
+    ARCH_EBC = 57  # EFI Bytecode
+    ARCH_MSP430 = 58  # Texas Instruments MSP430
+    ARCH_SPU = 59  # Cell Broadband Engine Synergistic Processor Unit
+    ARCH_DALVIK = 60  # Android Dalvik Virtual Machine
+
+
+FLIRT_ARCH_TO_ARCHNAME: dict[int, dict[int, str]] = {
+    FlirtArch.ARCH_386: {32: "X86", 64: "AMD64"},
+    FlirtArch.ARCH_MIPS: {32: "MIPS32", 64: "MIPS64"},
+    FlirtArch.ARCH_ARM: {32: "ARM", 64: "AARCH64"},
+    FlirtArch.ARCH_PPC: {32: "PPC32", 64: "PPC64"},
+    FlirtArch.ARCH_SPARC: {32: "SPARC32", 64: "SPARC64"},
+}
+
+
+class FlirtFileType(int, Enum):
+    FILE_DOS_EXE_OLD = 0x00000001
+    FILE_DOS_COM_OLD = 0x00000002
+    FILE_BIN = 0x00000004
+    FILE_DOSDRV = 0x00000008
+    FILE_NE = 0x00000010
+    FILE_INTELHEX = 0x00000020
+    FILE_MOSHEX = 0x00000040
+    FILE_LX = 0x00000080
+    FILE_LE = 0x00000100
+    FILE_NLM = 0x00000200
+    FILE_COFF = 0x00000400
+    FILE_PE = 0x00000800
+    FILE_OMF = 0x00001000
+    FILE_SREC = 0x00002000
+    FILE_ZIP = 0x00004000
+    FILE_OMFLIB = 0x00008000
+    FILE_AR = 0x00010000
+    FILE_LOADER = 0x00020000
+    FILE_ELF = 0x00040000
+    FILE_W32RUN = 0x00080000
+    FILE_AOUT = 0x00100000
+    FILE_PILOT = 0x00200000
+    FILE_DOS_EXE = 0x00400000
+    FILE_DOS_COM = 0x00800000
+    FILE_AIXAR = 0x01000000
+
+
+class FlirtOSType(int, Enum):
+    """
+    Actually no longer used in IDA.
+    """
+
+    OS_MSDOS = 0x01
+    OS_WIN = 0x02
+    OS_OS2 = 0x04
+    OS_NETWARE = 0x08
+    OS_UNIX = 0x10
+    OS_OTHER = 0x20
+
+
+FLIRT_OS_TO_OSNAME = {
+    FlirtOSType.OS_MSDOS: "MSDOS",
+    FlirtOSType.OS_WIN: "Win32",
+    FlirtOSType.OS_OS2: "OS/2",
+    FlirtOSType.OS_UNIX: "Linux",
+    FlirtOSType.OS_OTHER: "Other",
+}
+
+
+class FlirtAppType(int, Enum):
+    APP_CONSOLE = 0x0001
+    APP_GRAPHICS = 0x0002
+    APP_EXE = 0x0004
+    APP_DLL = 0x0008
+    APP_DRV = 0x0010
+    APP_SINGLE_THREADED = 0x0020
+    APP_MULTI_THREADED = 0x0040
+    APP_16_BIT = 0x0080
+    APP_32_BIT = 0x0100
+    APP_64_BIT = 0x0200
+
+
+class FlirtFeatureFlag(int, Enum):
+    FEATURE_STARTUP = 0x1
+    FEATURE_CTYPE_CRC = 0x2
+    FEATURE_2BYTE_CTYPE = 0x4
+    FEATURE_ALT_CTYPE_CRC = 0x8
+    FEATURE_COMPRESSED = 0x10
+
+
+class FlirtParseFlag(int, Enum):
+    PARSE_MORE_PUBLIC_NAMES = 0x1
+    PARSE_READ_TAIL_BYTES = 0x2
+    PARSE_READ_REFERENCED_FUNCTIONS = 0x4
+    PARSE_MORE_MODULES_WITH_SAME_CRC = 0x8
+    PARSE_MORE_MODULES = 0x10
+
+
+class FlirtFunctionFlag(int, Enum):
+    FUNCTION_LOCAL = 0x2
+    FUNCTION_UNRESOLVED_COLLISION = 0x8

angr/analyses/{flirt.py → flirt/flirt.py}

@@ -1,17 +1,19 @@
 from __future__ import annotations
 from typing import TYPE_CHECKING
-from functools import partial
+
+from collections.abc import Generator
 from collections import defaultdict
+import contextlib
 import logging
 
-import nampa
 from archinfo.arch_arm import is_arm_arch
 
 from angr.analyses import AnalysesHub
+from angr.analyses.analysis import Analysis
 from angr.errors import AngrRuntimeError
-from angr.flirt import FlirtSignature, STRING_TO_LIBRARIES, LIBRARY_TO_SIGNATURES, FLIRT_SIGNATURES_BY_ARCH
-from .analysis import Analysis
-import contextlib
+from .flirt_sig import FlirtSignature, FlirtSignatureParsed
+from .flirt_function import FlirtFunction
+from .flirt_matcher import FlirtMatcher
 
 if TYPE_CHECKING:
     from angr.knowledge_plugins.functions import Function
@@ -33,19 +35,22 @@ class FlirtAnalysis(Analysis):
       current binary, and then match all possible signatures for the architecture.
     """
 
-    def __init__(self, sig: FlirtSignature | str | None = None):
+    def __init__(self, sig: FlirtSignature | str | None = None, max_mismatched_bytes: int = 0):
+
+        from angr.flirt import FLIRT_SIGNATURES_BY_ARCH  # pylint:disable=import-outside-toplevel
+
         self._is_arm = is_arm_arch(self.project.arch)
         self._all_suggestions: dict[str, dict[str, dict[int, str]]] = {}
         self._suggestions: dict[int, str] = {}
         self.matched_suggestions: dict[str, tuple[FlirtSignature, dict[int, str]]] = {}
         self._temporary_sig = False
+        self._max_mismatched_bytes = max_mismatched_bytes
 
         if sig:
             if isinstance(sig, str):
                 # this is a file path
-                sig = FlirtSignature(
-                    self.project.arch.name.lower(), self.project.simos.name.lower(), "Temporary", sig, None
-                )
+                simos_name = self.project.arch.name if self.project.simos.name is not None else "UnknownOS"
+                sig = FlirtSignature(simos_name.lower(), simos_name.lower(), "Temporary", sig, None)
 
                 self.signatures = [sig]
                 self._temporary_sig = True
@@ -87,13 +92,17 @@ class FlirtAnalysis(Analysis):
 
             if max_suggestion_sig_path is not None:
                 sig_ = path_to_sig.get(max_suggestion_sig_path)
+                assert sig_ is not None
                 _l.info("Applying FLIRT signature %s for library %s.", sig_, lib)
                 self._apply_changes(
                     sig_.sig_name if not self._temporary_sig else None, sig_to_suggestions[max_suggestion_sig_path]
                 )
                 self.matched_suggestions[lib] = (sig_, sig_to_suggestions[max_suggestion_sig_path])
 
-    def _find_hits_by_strings(self, regions: list[bytes]) -> list[FlirtSignature]:
+    def _find_hits_by_strings(self, regions: list[bytes]) -> Generator[FlirtSignature]:
+
+        from angr.flirt import STRING_TO_LIBRARIES, LIBRARY_TO_SIGNATURES  # pylint:disable=import-outside-toplevel
+
         library_hits: dict[str, int] = defaultdict(int)
         for s, libs in STRING_TO_LIBRARIES.items():
             for region in regions:
@@ -117,39 +126,91 @@ class FlirtAnalysis(Analysis):
         # match each function
         self._suggestions = {}
         with open(sig.sig_path, "rb") as sigfile:
-            flirt = nampa.parse_flirt_file(sigfile)
-            for func in self.project.kb.functions.values():
-                func: Function
-                if func.is_simprocedure or func.is_plt:
-                    continue
-                if not func.is_default_name:
-                    # it already has a name. skip
-                    continue
-
-                start = func.addr
-                if self._is_arm:
-                    start = start & 0xFFFF_FFFE
-
-                max_block_addr = max(func.block_addrs_set)
-                end_block = func.get_block(max_block_addr)
-                end = max_block_addr + end_block.size
-
-                if self._is_arm:
-                    end = end & 0xFFFF_FFFE
-
-                # load all bytes
-                func_bytes = self.project.loader.memory.load(start, end - start + 0x100)
-                _callback = partial(self._on_func_matched, func)
-                nampa.match_function(flirt, func_bytes, start, _callback)
-
-    def _on_func_matched(self, func: Function, base_addr: int, flirt_func: nampa.FlirtFunction):
+            flirt = FlirtSignatureParsed.parse(sigfile)
+            tolerances = range(self._max_mismatched_bytes + 1)
+            for tolerance in tolerances:
+                # we iteratively match until we find no new matches
+                updated_funcs = set()
+                while True:
+                    matched = False
+
+                    funcs = (
+                        self.project.kb.functions.values()
+                        if not updated_funcs
+                        else {self.project.kb.functions.get_by_addr(a) for a in self._get_caller_funcs(updated_funcs)}
+                    )
+                    updated_funcs = set()
+
+                    for func in funcs:
+                        func: Function
+                        if func.is_simprocedure or func.is_plt:
+                            continue
+                        if func.addr in self._suggestions:
+                            # we already have a suggestion for this function
+                            continue
+                        if not func.is_default_name:
+                            # it already has a name. skip
+                            continue
+
+                        # print(tolerance, repr(func))
+                        start = func.addr
+                        if self._is_arm:
+                            start = start & 0xFFFF_FFFE
+
+                        max_block_addr = max(func.block_addrs_set)
+                        end_block = func.get_block(max_block_addr)
+                        end = max_block_addr + end_block.size
+
+                        if self._is_arm:
+                            end = end & 0xFFFF_FFFE
+
+                        # load all bytes
+                        func_bytes = self.project.loader.memory.load(start, end - start + 0x100)
+                        matcher = FlirtMatcher(
+                            flirt,
+                            func,
+                            self._get_callee_name,
+                            self._on_func_matched,
+                            mismatch_bytes_tolerance=tolerance,
+                        )
+                        func_matched = matcher.match_function(func_bytes, start)
+                        if func_matched:
+                            updated_funcs.add(func.addr)
+                        matched |= func_matched
+
+                    if not matched:
+                        break
+
+    def _get_caller_funcs(self, update_func_addrs: set[int]) -> set[int]:
+        caller_funcs = set()
+        for func_addr in update_func_addrs:
+            for pred in self.kb.functions.callgraph.predecessors(func_addr):
+                if pred != func_addr:
+                    caller_funcs.add(pred)
+        return caller_funcs
+
+    def _get_callee_name(
+        self, func, func_addr: int, call_addr: int, expected_name: str  # pylint:disable=unused-argument
+    ) -> str | None:
+        for block_addr, (call_target, _) in func._call_sites.items():
+            block = func.get_block(block_addr)
+            call_ins_addr = (
+                block.instruction_addrs[-2] if self.project.arch.branch_delay_slot else block.instruction_addrs[-1]
+            )
+            if block_addr <= call_addr < block_addr + block.size and call_ins_addr <= call_addr:
+                if call_target is None or not self.kb.functions.contains_addr(call_target):
+                    return None
+                callee = self.kb.functions.get_by_addr(call_target)
+                return callee.name
+        return None
+
+    def _on_func_matched(self, func: Function, base_addr: int, flirt_func: FlirtFunction):
         func_addr = base_addr + flirt_func.offset
         _l.debug(
             "_on_func_matched() is called with func_addr %#x with a suggested name %s.", func_addr, flirt_func.name
         )
-        if func_addr != base_addr:
+        if func_addr != base_addr and (self._is_arm and func_addr != base_addr + 1):
             # get the correct function
-            func = None
             try:
                 func = self.kb.functions.get_by_addr(func_addr)
             except KeyError:

angr/analyses/flirt/flirt_function.py

@@ -0,0 +1,20 @@
+from __future__ import annotations
+
+
+class FlirtFunction:
+    """
+    Describes a function object in a FLIRT signature.
+    """
+
+    __slots__ = (
+        "collision",
+        "local",
+        "name",
+        "offset",
+    )
+
+    def __init__(self, name: str, offset: int, local: bool, collision: bool):
+        self.name = name
+        self.offset = offset
+        self.local = local
+        self.collision = collision