angr 9.2.146__py3-none-manylinux2014_aarch64.whl → 9.2.148__py3-none-manylinux2014_aarch64.whl

angr/analyses/decompiler/structuring/phoenix.py

@@ -90,6 +90,7 @@ class PhoenixStructurer(StructurerBase):
         parent_region=None,
         improve_algorithm=False,
         use_multistmtexprs: MultiStmtExprMode = MultiStmtExprMode.MAX_ONE_CALL,
+        multistmtexpr_stmt_threshold: int = 5,
         **kwargs,
     ):
         super().__init__(
@@ -126,6 +127,7 @@ class PhoenixStructurer(StructurerBase):
         self._edge_virtualization_hints = []
 
         self._use_multistmtexprs = use_multistmtexprs
+        self._multistmtexpr_stmt_threshold = multistmtexpr_stmt_threshold
         self._analyze()
 
     @staticmethod
@@ -540,7 +542,11 @@ class PhoenixStructurer(StructurerBase):
                             ):
                                 stmts = self._build_multistatementexpr_statements(succ)
                                 assert stmts is not None
-                                if stmts:
+                                if (
+                                    stmts
+                                    and sum(1 for stmt in stmts if not isinstance(stmt, Label))
+                                    <= self._multistmtexpr_stmt_threshold
+                                ):
                                     edge_cond_succhead = MultiStatementExpression(
                                         None,
                                         stmts,
@@ -2612,12 +2618,14 @@ class PhoenixStructurer(StructurerBase):
         if self._use_multistmtexprs == MultiStmtExprMode.NEVER:
             return False
         if self._use_multistmtexprs == MultiStmtExprMode.ALWAYS:
-            return True
+            ctr = AILCallCounter()
+            ctr.walk(node)
+            return ctr.non_label_stmts <= self._multistmtexpr_stmt_threshold
         if self._use_multistmtexprs == MultiStmtExprMode.MAX_ONE_CALL:
             # count the number of calls
             ctr = AILCallCounter()
             ctr.walk(node)
-            return ctr.calls <= 1
+            return ctr.calls <= 1 and ctr.non_label_stmts <= self._multistmtexpr_stmt_threshold
         l.warning("Unsupported enum value for _use_multistmtexprs: %s", self._use_multistmtexprs)
         return False
 

angr/analyses/deobfuscator/api_obf_finder.py

@@ -315,7 +315,11 @@ class APIObfuscationFinder(Analysis):
 
     @staticmethod
     def is_apiname(name: str) -> bool:
-        return any(not isinstance(lib, SimSyscallLibrary) and lib.has_prototype(name) for lib in SIM_LIBRARIES.values())
+        return any(
+            not isinstance(lib, SimSyscallLibrary) and lib.has_prototype(name)
+            for libs in SIM_LIBRARIES.values()
+            for lib in libs
+        )
 
 
 AnalysesHub.register_default("APIObfuscationFinder", APIObfuscationFinder)

angr/analyses/deobfuscator/api_obf_peephole_optimizer.py

@@ -30,7 +30,7 @@ class APIObfType1PeepholeOptimizer(PeepholeOptimizationExprBase):
                 # assign a new function on-demand
                 symbol = self.project.loader.extern_object.make_extern(funcname)
                 hook_addr = self.project.hook_symbol(
-                    symbol.rebased_addr, SIM_LIBRARIES["linux"].get_stub(funcname, self.project.arch)
+                    symbol.rebased_addr, SIM_LIBRARIES["linux"][0].get_stub(funcname, self.project.arch)
                 )
                 func = self.kb.functions.function(addr=hook_addr, name=funcname, create=True)
                 func.is_simprocedure = True

angr/analyses/flirt/__init__.py

@@ -0,0 +1,47 @@
+from __future__ import annotations
+from .flirt import FlirtAnalysis
+from .flirt_sig import FlirtSignature, FlirtSignatureParsed, FlirtSignatureError
+from .consts import FLIRT_ARCH_TO_ARCHNAME, FLIRT_OS_TO_OSNAME, FlirtAppType, FlirtOSType
+
+
+def flirt_arch_to_arch_name(flirt_arch: int, app_types: int) -> str:
+    """
+    Convert FLIRT architecture ID to architecture name.
+
+    :param flirt_arch: FLIRT architecture ID.
+    :param app_types: FLIRT application types.
+    :return: Architecture name.
+    """
+    try:
+        arches = FLIRT_ARCH_TO_ARCHNAME[flirt_arch]
+    except KeyError:
+        return "Unknown"
+    if app_types & FlirtAppType.APP_32_BIT and 32 in arches:
+        return arches[32]
+    if app_types & FlirtAppType.APP_64_BIT and 64 in arches:
+        return arches[64]
+    return "Unknown"
+
+
+def flirt_os_type_to_os_name(os_type: int) -> str:
+    """
+    Convert FLIRT OS type to OS name.
+
+    :param os_type: FLIRT OS type.
+    :return: OS name.
+    """
+    try:
+        v = FlirtOSType(os_type)
+        return FLIRT_OS_TO_OSNAME.get(v, v.name)
+    except ValueError:
+        return "UnknownOS"
+
+
+__all__ = [
+    "FlirtAnalysis",
+    "FlirtSignature",
+    "FlirtSignatureError",
+    "FlirtSignatureParsed",
+    "flirt_arch_to_arch_name",
+    "flirt_os_type_to_os_name",
+]

angr/analyses/flirt/consts.py

@@ -0,0 +1,160 @@
+# pylint:disable=missing-class-docstring
+from __future__ import annotations
+from enum import Enum
+
+
+class FlirtArch(int, Enum):
+    ARCH_386 = 0  # Intel 80x86
+    ARCH_Z80 = 1  # 8085, Z80
+    ARCH_I860 = 2  # Intel 860
+    ARCH_8051 = 3  # 8051
+    ARCH_TMS = 4  # Texas Instruments TMS320C5x
+    ARCH_6502 = 5  # 6502
+    ARCH_PDP = 6  # PDP11
+    ARCH_68K = 7  # Motorola 680x0
+    ARCH_JAVA = 8  # Java
+    ARCH_6800 = 9  # Motorola 68xx
+    ARCH_ST7 = 10  # SGS-Thomson ST7
+    ARCH_MC6812 = 11  # Motorola 68HC12
+    ARCH_MIPS = 12  # MIPS
+    ARCH_ARM = 13  # Advanced RISC Machines
+    ARCH_TMSC6 = 14  # Texas Instruments TMS320C6x
+    ARCH_PPC = 15  # PowerPC
+    ARCH_80196 = 16  # Intel 80196
+    ARCH_Z8 = 17  # Z8
+    ARCH_SH = 18  # Renesas (formerly Hitachi) SuperH
+    ARCH_NET = 19  # Microsoft Visual Studio.Net
+    ARCH_AVR = 20  # Atmel 8-bit RISC processor(s)
+    ARCH_H8 = 21  # Hitachi H8/300, H8/2000
+    ARCH_PIC = 22  # Microchip's PIC
+    ARCH_SPARC = 23  # SPARC
+    ARCH_ALPHA = 24  # DEC Alpha
+    ARCH_HPPA = 25  # Hewlett-Packard PA-RISC
+    ARCH_H8500 = 26  # Hitachi H8/500
+    ARCH_TRICORE = 27  # Tasking Tricore
+    ARCH_DSP56K = 28  # Motorola DSP5600x
+    ARCH_C166 = 29  # Siemens C166 family
+    ARCH_ST20 = 30  # SGS-Thomson ST20
+    ARCH_IA64 = 31  # Intel Itanium IA64
+    ARCH_I960 = 32  # Intel 960
+    ARCH_F2MC = 33  # Fujitsu F2MC-16
+    ARCH_TMS320C54 = 34  # Texas Instruments TMS320C54xx
+    ARCH_TMS320C55 = 35  # Texas Instruments TMS320C55xx
+    ARCH_TRIMEDIA = 36  # Trimedia
+    ARCH_M32R = 37  # Mitsubishi 32bit RISC
+    ARCH_NEC_78K0 = 38  # NEC 78K0
+    ARCH_NEC_78K0S = 39  # NEC 78K0S
+    ARCH_M740 = 40  # Mitsubishi 8bit
+    ARCH_M7700 = 41  # Mitsubishi 16bit
+    ARCH_ST9 = 42  # ST9+
+    ARCH_FR = 43  # Fujitsu FR Family
+    ARCH_MC6816 = 44  # Motorola 68HC16
+    ARCH_M7900 = 45  # Mitsubishi 7900
+    ARCH_TMS320C3 = 46  # Texas Instruments TMS320C3
+    ARCH_KR1878 = 47  # Angstrem KR1878
+    ARCH_AD218X = 48  # Analog Devices ADSP 218X
+    ARCH_OAKDSP = 49  # Atmel OAK DSP
+    ARCH_TLCS900 = 50  # Toshiba TLCS-900
+    ARCH_C39 = 51  # Rockwell C39
+    ARCH_CR16 = 52  # NSC CR16
+    ARCH_MN102L00 = 53  # Panasonic MN10200
+    ARCH_TMS320C1X = 54  # Texas Instruments TMS320C1x
+    ARCH_NEC_V850X = 55  # NEC V850 and V850ES/E1/E2
+    ARCH_SCR_ADPT = 56  # Processor module adapter for processor modules written in scripting languages
+    ARCH_EBC = 57  # EFI Bytecode
+    ARCH_MSP430 = 58  # Texas Instruments MSP430
+    ARCH_SPU = 59  # Cell Broadband Engine Synergistic Processor Unit
+    ARCH_DALVIK = 60  # Android Dalvik Virtual Machine
+
+
+FLIRT_ARCH_TO_ARCHNAME: dict[int, dict[int, str]] = {
+    FlirtArch.ARCH_386: {32: "X86", 64: "AMD64"},
+    FlirtArch.ARCH_MIPS: {32: "MIPS32", 64: "MIPS64"},
+    FlirtArch.ARCH_ARM: {32: "ARM", 64: "AARCH64"},
+    FlirtArch.ARCH_PPC: {32: "PPC32", 64: "PPC64"},
+    FlirtArch.ARCH_SPARC: {32: "SPARC32", 64: "SPARC64"},
+}
+
+
+class FlirtFileType(int, Enum):
+    FILE_DOS_EXE_OLD = 0x00000001
+    FILE_DOS_COM_OLD = 0x00000002
+    FILE_BIN = 0x00000004
+    FILE_DOSDRV = 0x00000008
+    FILE_NE = 0x00000010
+    FILE_INTELHEX = 0x00000020
+    FILE_MOSHEX = 0x00000040
+    FILE_LX = 0x00000080
+    FILE_LE = 0x00000100
+    FILE_NLM = 0x00000200
+    FILE_COFF = 0x00000400
+    FILE_PE = 0x00000800
+    FILE_OMF = 0x00001000
+    FILE_SREC = 0x00002000
+    FILE_ZIP = 0x00004000
+    FILE_OMFLIB = 0x00008000
+    FILE_AR = 0x00010000
+    FILE_LOADER = 0x00020000
+    FILE_ELF = 0x00040000
+    FILE_W32RUN = 0x00080000
+    FILE_AOUT = 0x00100000
+    FILE_PILOT = 0x00200000
+    FILE_DOS_EXE = 0x00400000
+    FILE_DOS_COM = 0x00800000
+    FILE_AIXAR = 0x01000000
+
+
+class FlirtOSType(int, Enum):
+    """
+    Actually no longer used in IDA.
+    """
+
+    OS_MSDOS = 0x01
+    OS_WIN = 0x02
+    OS_OS2 = 0x04
+    OS_NETWARE = 0x08
+    OS_UNIX = 0x10
+    OS_OTHER = 0x20
+
+
+FLIRT_OS_TO_OSNAME = {
+    FlirtOSType.OS_MSDOS: "MSDOS",
+    FlirtOSType.OS_WIN: "Win32",
+    FlirtOSType.OS_OS2: "OS/2",
+    FlirtOSType.OS_UNIX: "Linux",
+    FlirtOSType.OS_OTHER: "Other",
+}
+
+
+class FlirtAppType(int, Enum):
+    APP_CONSOLE = 0x0001
+    APP_GRAPHICS = 0x0002
+    APP_EXE = 0x0004
+    APP_DLL = 0x0008
+    APP_DRV = 0x0010
+    APP_SINGLE_THREADED = 0x0020
+    APP_MULTI_THREADED = 0x0040
+    APP_16_BIT = 0x0080
+    APP_32_BIT = 0x0100
+    APP_64_BIT = 0x0200
+
+
+class FlirtFeatureFlag(int, Enum):
+    FEATURE_STARTUP = 0x1
+    FEATURE_CTYPE_CRC = 0x2
+    FEATURE_2BYTE_CTYPE = 0x4
+    FEATURE_ALT_CTYPE_CRC = 0x8
+    FEATURE_COMPRESSED = 0x10
+
+
+class FlirtParseFlag(int, Enum):
+    PARSE_MORE_PUBLIC_NAMES = 0x1
+    PARSE_READ_TAIL_BYTES = 0x2
+    PARSE_READ_REFERENCED_FUNCTIONS = 0x4
+    PARSE_MORE_MODULES_WITH_SAME_CRC = 0x8
+    PARSE_MORE_MODULES = 0x10
+
+
+class FlirtFunctionFlag(int, Enum):
+    FUNCTION_LOCAL = 0x2
+    FUNCTION_UNRESOLVED_COLLISION = 0x8

angr/analyses/{flirt.py → flirt/flirt.py}

@@ -1,17 +1,19 @@
 from __future__ import annotations
 from typing import TYPE_CHECKING
-from functools import partial
+
+from collections.abc import Generator
 from collections import defaultdict
+import contextlib
 import logging
 
-import nampa
 from archinfo.arch_arm import is_arm_arch
 
 from angr.analyses import AnalysesHub
+from angr.analyses.analysis import Analysis
 from angr.errors import AngrRuntimeError
-from angr.flirt import FlirtSignature, STRING_TO_LIBRARIES, LIBRARY_TO_SIGNATURES, FLIRT_SIGNATURES_BY_ARCH
-from .analysis import Analysis
-import contextlib
+from .flirt_sig import FlirtSignature, FlirtSignatureParsed
+from .flirt_function import FlirtFunction
+from .flirt_matcher import FlirtMatcher
 
 if TYPE_CHECKING:
     from angr.knowledge_plugins.functions import Function
@@ -33,19 +35,22 @@ class FlirtAnalysis(Analysis):
       current binary, and then match all possible signatures for the architecture.
     """
 
-    def __init__(self, sig: FlirtSignature | str | None = None):
+    def __init__(self, sig: FlirtSignature | str | None = None, max_mismatched_bytes: int = 0):
+
+        from angr.flirt import FLIRT_SIGNATURES_BY_ARCH  # pylint:disable=import-outside-toplevel
+
         self._is_arm = is_arm_arch(self.project.arch)
         self._all_suggestions: dict[str, dict[str, dict[int, str]]] = {}
         self._suggestions: dict[int, str] = {}
         self.matched_suggestions: dict[str, tuple[FlirtSignature, dict[int, str]]] = {}
         self._temporary_sig = False
+        self._max_mismatched_bytes = max_mismatched_bytes
 
         if sig:
             if isinstance(sig, str):
                 # this is a file path
-                sig = FlirtSignature(
-                    self.project.arch.name.lower(), self.project.simos.name.lower(), "Temporary", sig, None
-                )
+                simos_name = self.project.arch.name if self.project.simos.name is not None else "UnknownOS"
+                sig = FlirtSignature(simos_name.lower(), simos_name.lower(), "Temporary", sig, None)
 
                 self.signatures = [sig]
                 self._temporary_sig = True
@@ -87,13 +92,17 @@ class FlirtAnalysis(Analysis):
 
             if max_suggestion_sig_path is not None:
                 sig_ = path_to_sig.get(max_suggestion_sig_path)
+                assert sig_ is not None
                 _l.info("Applying FLIRT signature %s for library %s.", sig_, lib)
                 self._apply_changes(
                     sig_.sig_name if not self._temporary_sig else None, sig_to_suggestions[max_suggestion_sig_path]
                 )
                 self.matched_suggestions[lib] = (sig_, sig_to_suggestions[max_suggestion_sig_path])
 
-    def _find_hits_by_strings(self, regions: list[bytes]) -> list[FlirtSignature]:
+    def _find_hits_by_strings(self, regions: list[bytes]) -> Generator[FlirtSignature]:
+
+        from angr.flirt import STRING_TO_LIBRARIES, LIBRARY_TO_SIGNATURES  # pylint:disable=import-outside-toplevel
+
         library_hits: dict[str, int] = defaultdict(int)
         for s, libs in STRING_TO_LIBRARIES.items():
             for region in regions:
@@ -117,39 +126,91 @@ class FlirtAnalysis(Analysis):
         # match each function
         self._suggestions = {}
         with open(sig.sig_path, "rb") as sigfile:
-            flirt = nampa.parse_flirt_file(sigfile)
-            for func in self.project.kb.functions.values():
-                func: Function
-                if func.is_simprocedure or func.is_plt:
-                    continue
-                if not func.is_default_name:
-                    # it already has a name. skip
-                    continue
-
-                start = func.addr
-                if self._is_arm:
-                    start = start & 0xFFFF_FFFE
-
-                max_block_addr = max(func.block_addrs_set)
-                end_block = func.get_block(max_block_addr)
-                end = max_block_addr + end_block.size
-
-                if self._is_arm:
-                    end = end & 0xFFFF_FFFE
-
-                # load all bytes
-                func_bytes = self.project.loader.memory.load(start, end - start + 0x100)
-                _callback = partial(self._on_func_matched, func)
-                nampa.match_function(flirt, func_bytes, start, _callback)
-
-    def _on_func_matched(self, func: Function, base_addr: int, flirt_func: nampa.FlirtFunction):
+            flirt = FlirtSignatureParsed.parse(sigfile)
+            tolerances = range(self._max_mismatched_bytes + 1)
+            for tolerance in tolerances:
+                # we iteratively match until we find no new matches
+                updated_funcs = set()
+                while True:
+                    matched = False
+
+                    funcs = (
+                        self.project.kb.functions.values()
+                        if not updated_funcs
+                        else {self.project.kb.functions.get_by_addr(a) for a in self._get_caller_funcs(updated_funcs)}
+                    )
+                    updated_funcs = set()
+
+                    for func in funcs:
+                        func: Function
+                        if func.is_simprocedure or func.is_plt:
+                            continue
+                        if func.addr in self._suggestions:
+                            # we already have a suggestion for this function
+                            continue
+                        if not func.is_default_name:
+                            # it already has a name. skip
+                            continue
+
+                        # print(tolerance, repr(func))
+                        start = func.addr
+                        if self._is_arm:
+                            start = start & 0xFFFF_FFFE
+
+                        max_block_addr = max(func.block_addrs_set)
+                        end_block = func.get_block(max_block_addr)
+                        end = max_block_addr + end_block.size
+
+                        if self._is_arm:
+                            end = end & 0xFFFF_FFFE
+
+                        # load all bytes
+                        func_bytes = self.project.loader.memory.load(start, end - start + 0x100)
+                        matcher = FlirtMatcher(
+                            flirt,
+                            func,
+                            self._get_callee_name,
+                            self._on_func_matched,
+                            mismatch_bytes_tolerance=tolerance,
+                        )
+                        func_matched = matcher.match_function(func_bytes, start)
+                        if func_matched:
+                            updated_funcs.add(func.addr)
+                        matched |= func_matched
+
+                    if not matched:
+                        break
+
+    def _get_caller_funcs(self, update_func_addrs: set[int]) -> set[int]:
+        caller_funcs = set()
+        for func_addr in update_func_addrs:
+            for pred in self.kb.functions.callgraph.predecessors(func_addr):
+                if pred != func_addr:
+                    caller_funcs.add(pred)
+        return caller_funcs
+
+    def _get_callee_name(
+        self, func, func_addr: int, call_addr: int, expected_name: str  # pylint:disable=unused-argument
+    ) -> str | None:
+        for block_addr, (call_target, _) in func._call_sites.items():
+            block = func.get_block(block_addr)
+            call_ins_addr = (
+                block.instruction_addrs[-2] if self.project.arch.branch_delay_slot else block.instruction_addrs[-1]
+            )
+            if block_addr <= call_addr < block_addr + block.size and call_ins_addr <= call_addr:
+                if call_target is None or not self.kb.functions.contains_addr(call_target):
+                    return None
+                callee = self.kb.functions.get_by_addr(call_target)
+                return callee.name
+        return None
+
+    def _on_func_matched(self, func: Function, base_addr: int, flirt_func: FlirtFunction):
         func_addr = base_addr + flirt_func.offset
         _l.debug(
             "_on_func_matched() is called with func_addr %#x with a suggested name %s.", func_addr, flirt_func.name
         )
-        if func_addr != base_addr:
+        if func_addr != base_addr and (self._is_arm and func_addr != base_addr + 1):
             # get the correct function
-            func = None
             try:
                 func = self.kb.functions.get_by_addr(func_addr)
             except KeyError:

angr/analyses/flirt/flirt_function.py

@@ -0,0 +1,20 @@
+from __future__ import annotations
+
+
+class FlirtFunction:
+    """
+    Describes a function object in a FLIRT signature.
+    """
+
+    __slots__ = (
+        "collision",
+        "local",
+        "name",
+        "offset",
+    )
+
+    def __init__(self, name: str, offset: int, local: bool, collision: bool):
+        self.name = name
+        self.offset = offset
+        self.local = local
+        self.collision = collision