angr 9.2.146__py3-none-manylinux2014_x86_64.whl → 9.2.147__py3-none-manylinux2014_x86_64.whl

angr/analyses/flirt/flirt_sig.py

@@ -0,0 +1,356 @@
+from __future__ import annotations
+import struct
+import zlib
+from io import BytesIO
+
+from angr.errors import AngrError
+from .consts import FlirtParseFlag, FlirtFeatureFlag, FlirtFunctionFlag
+from .flirt_utils import read_max_2_bytes, read_multiple_bytes
+from .flirt_function import FlirtFunction
+from .flirt_module import FlirtModule
+from .flirt_node import FlirtNode
+
+
+class FlirtSignatureError(AngrError):
+    """
+    Describes errors related to FLIRT signatures, especially parsing.
+    """
+
+
+class FlirtSignature:
+    """
+    This class describes a FLIRT signature without any internal data that is only available after parsing.
+    """
+
+    def __init__(
+        self,
+        arch: str,
+        platform: str,
+        sig_name: str,
+        sig_path: str,
+        unique_strings: set[str] | None = None,
+        compiler: str | None = None,
+        compiler_version: str | None = None,
+        os_name: str | None = None,
+        os_version: str | None = None,
+    ):
+        self.arch = arch
+        self.platform = platform
+        self.sig_name = sig_name
+        self.sig_path = sig_path
+        self.unique_strings = unique_strings
+        self.compiler = compiler
+        self.compiler_version = compiler_version
+        self.os_name = os_name
+        self.os_version = os_version
+
+    def __repr__(self):
+        if self.os_name:
+            if self.os_version:
+                return f"<{self.sig_name}@{self.arch}-{self.os_name}-{self.os_version}>"
+            return f"<{self.sig_name}@{self.arch}-{self.os_name}>"
+        return f"<{self.sig_name}@{self.arch}-{self.platform}>"
+
+
+class FlirtSignatureParsed:
+    """
+    Describes a FLIRT signature file after parsing.
+    """
+
+    __slots__ = (
+        "app_types",
+        "arch",
+        "crc",
+        "ctype",
+        "ctypes_crc",
+        "features",
+        "file_types",
+        "libname",
+        "nfuncs",
+        "os_types",
+        "pattern_size",
+        "root",
+        "version",
+    )
+
+    def __init__(
+        self,
+        version: int,
+        arch: int,
+        file_types: int,
+        os_types: int,
+        app_types: int,
+        features: int,
+        crc: int,
+        ctype: int,
+        ctypes_crc: int,
+        nfuncs: int | None,
+        pattern_size: int | None,
+        libname: str,
+        root: FlirtNode | None,
+    ):
+        self.version = version
+        self.arch = arch
+        self.file_types = file_types
+        self.os_types = os_types
+        self.app_types = app_types
+        self.features = features
+        self.crc = crc
+        self.ctype = ctype
+        self.ctypes_crc = ctypes_crc
+        self.nfuncs = nfuncs
+        self.pattern_size = pattern_size
+        self.libname = libname
+        self.root = root
+
+    def parse_tree(self, file_obj, root: bool = False) -> FlirtNode:
+        """
+        Parse a FLIRT function tree.
+        """
+
+        if not root:
+            length = file_obj.read(1)[0]
+            variant_mask = self.parse_variant_mask(file_obj, length)
+            pattern = self.parse_node(file_obj, length, variant_mask)
+        else:
+            length = 0
+            pattern = []
+
+        node_count = read_multiple_bytes(file_obj)
+        if node_count > 0:
+            # non-leaf; load its child nodes
+            nodes: list[FlirtNode] = [None] * node_count  # type: ignore
+            for i in range(node_count):
+                nn = self.parse_tree(file_obj)
+                nodes[i] = nn
+            return FlirtNode(nodes, [], length, pattern)
+        # leaf
+        modules = self.parse_modules(file_obj)
+        return FlirtNode([], modules, length, pattern)
+
+    def parse_public_function(self, file_obj, offset: int) -> tuple[FlirtFunction, int, int]:
+        off = read_multiple_bytes(file_obj) if self.version >= 9 else read_max_2_bytes(file_obj)
+        off += offset
+
+        local = False  # is it a local function?
+        collision = False  # is it an unresolved collision?
+
+        flags = file_obj.read(1)[0]
+        if flags < 0x20:
+            local = bool(flags & FlirtFunctionFlag.FUNCTION_LOCAL)
+            collision = bool(flags & FlirtFunctionFlag.FUNCTION_UNRESOLVED_COLLISION)
+            next_byte = file_obj.read(1)[0]
+        else:
+            next_byte = flags
+
+        name_lst = []
+        name_end = False  # in case the function name is too long...
+        for _ in range(1024):  # max length of a function name
+            if next_byte < 0x20:
+                name_end = True
+                break
+            name_lst.append(next_byte)
+            next_byte = file_obj.read(1)[0]
+
+        name = bytes(name_lst).decode("utf-8")
+        if not name_end:
+            name = name + "..."
+        return FlirtFunction(name, off, local, collision), off, next_byte
+
+    def parse_referenced_functions(self, file_obj) -> list[FlirtFunction]:
+        func_count = file_obj.read(1)[0] if self.version >= 8 else 1
+        lst = []
+        for _ in range(func_count):
+            off = read_multiple_bytes(file_obj) if self.version >= 9 else read_max_2_bytes(file_obj)
+            name_len = file_obj.read(1)[0]
+            if name_len == 0:
+                name_len = read_multiple_bytes(file_obj)
+            if name_len > 1024:
+                raise FlirtSignatureError(f"Function name too long: {name_len}")
+            name_bytes = file_obj.read(name_len)
+            if len(name_bytes) < name_len:
+                raise FlirtSignatureError("Unexpected EOF")
+            name = name_bytes.decode("utf-8").rstrip("\x00")
+            lst.append(FlirtFunction(name, off, False, False))
+        return lst
+
+    def parse_tail_bytes(self, file_obj) -> list[tuple[int, int]]:
+        bytes_count = file_obj.read(1)[0] if self.version >= 8 else 1
+        lst = []
+        for _ in range(bytes_count):
+            off = read_multiple_bytes(file_obj) if self.version >= 9 else read_max_2_bytes(file_obj)
+            value = file_obj.read(1)[0]
+            lst.append((off, value))
+        return lst
+
+    def parse_modules(self, file_obj) -> list[FlirtModule]:
+        modules = []
+        while True:
+            crc_len = file_obj.read(1)[0]
+            crc = struct.unpack(">H", file_obj.read(2))[0]
+
+            while True:
+                # parse all modules with the same CRC
+                module, flags = self.parse_module(file_obj)
+                module.crc_len = crc_len
+                module.crc = crc
+                modules.append(module)
+                if flags & FlirtParseFlag.PARSE_MORE_MODULES_WITH_SAME_CRC == 0:
+                    break
+
+            # same crc length but different crc
+            if flags & FlirtParseFlag.PARSE_MORE_MODULES == 0:
+                break
+        return modules
+
+    def parse_module(self, file_obj) -> tuple[FlirtModule, int]:
+        length = read_multiple_bytes(file_obj) if self.version >= 9 else read_max_2_bytes(file_obj)
+        pub_funcs = []
+        off = 0
+        while True:
+            func, off, flags = self.parse_public_function(file_obj, off)
+            pub_funcs.append(func)
+            if flags & FlirtParseFlag.PARSE_MORE_PUBLIC_NAMES == 0:
+                break
+
+        tail_bytes: list[tuple[int, int]] = []
+        if flags & FlirtParseFlag.PARSE_READ_TAIL_BYTES:
+            tail_bytes = self.parse_tail_bytes(file_obj)
+
+        ref_funcs = []
+        if flags & FlirtParseFlag.PARSE_READ_REFERENCED_FUNCTIONS:
+            ref_funcs = self.parse_referenced_functions(file_obj)
+
+        return (
+            FlirtModule(
+                length,
+                0,  # back-filled in its caller
+                0,  # back-filled in its caller
+                pub_funcs,
+                ref_funcs,
+                tail_bytes,
+            ),
+            flags,
+        )
+
+    @staticmethod
+    def parse_variant_mask(file_obj, length: int) -> int:
+        if length < 0x10:
+            return read_max_2_bytes(file_obj)
+        if length <= 0x20:
+            return read_multiple_bytes(file_obj)
+        if length <= 0x40:
+            return (read_multiple_bytes(file_obj) << 32) | read_multiple_bytes(file_obj)
+        raise FlirtSignatureError(f"Unexpected variant mask length: {length}")
+
+    @staticmethod
+    def is_bit_set_be(mask: int, mask_len: int, bit_offset: int) -> bool:
+        assert mask_len > bit_offset
+        return mask & (1 << (mask_len - bit_offset - 1)) != 0
+
+    @staticmethod
+    def parse_node(file_obj, length: int, variant_mask: int) -> list[int]:
+        pattern = [-1] * length
+        for i in range(length):
+            if not FlirtSignatureParsed.is_bit_set_be(variant_mask, length, i):
+                pattern[i] = file_obj.read(1)[0]
+        return pattern
+
+    @classmethod
+    def parse(cls, file_obj) -> FlirtSignatureParsed:
+        """
+        Parse a FLIRT signature file.
+
+        The following struct definitions come from radare2
+
+        // FLIRT v5+
+        ut8 magic[6];
+        ut8 version;
+        ut8 arch;
+        ut32 file_types;
+        ut16 os_types;
+        ut16 app_types;
+        ut16 features;
+        ut16 old_n_functions;
+        ut16 crc16;
+        ut8 ctype[12];
+        ut8 library_name_len;
+        ut16 ctypes_crc16;
+
+        // FLIRT v6+
+        ut32 nfuncs;
+
+        // FLIRT v8+
+        ut16 pattern_size;
+
+        // FLIRT v10
+        ut16 unknown;
+        """
+
+        struct_str = "<6s B B I H H H H H 12s B H".replace(" ", "")
+        sz = struct.calcsize(struct_str)
+        header_bytes = file_obj.read(sz)
+        if len(header_bytes) != sz:
+            raise FlirtSignatureError
+        unpacked = struct.unpack(struct_str, header_bytes)
+
+        # sanity check
+        if unpacked[0] != b"IDASGN":
+            raise FlirtSignatureError("Unexpected magic bytes")
+
+        version = unpacked[1]
+        if version < 5:
+            raise FlirtSignatureError("Unsupported FLIRT signature version")
+
+        if version >= 6:
+            # nfuncs
+            data = file_obj.read(4)
+            if len(data) != 4:
+                raise FlirtSignatureError("Unexpected EOF")
+            nfuncs = struct.unpack("<I", data)[0]
+        else:
+            nfuncs = None
+        if version >= 8:
+            # pattern_size
+            data = file_obj.read(2)
+            if len(data) != 2:
+                raise FlirtSignatureError("Unexpected EOF")
+            pattern_size = struct.unpack("<H", data)[0]
+        else:
+            pattern_size = None
+
+        if version >= 10:
+            # unknown
+            data = file_obj.read(2)
+            if len(data) != 2:
+                raise FlirtSignatureError("Unexpected EOF")
+
+        libname_len = unpacked[10]
+        libname = file_obj.read(libname_len).decode("utf-8")
+
+        obj = cls(
+            version=version,
+            arch=unpacked[2],
+            file_types=unpacked[3],
+            os_types=unpacked[4],
+            app_types=unpacked[5],
+            features=unpacked[6],
+            crc=unpacked[7],
+            ctype=unpacked[8],
+            ctypes_crc=unpacked[11],
+            nfuncs=nfuncs,
+            pattern_size=pattern_size,
+            libname=libname,
+            root=None,
+        )
+
+        # is it compressed?
+        if obj.features & FlirtFeatureFlag.FEATURE_COMPRESSED:
+            data = file_obj.read()
+            decompressed = BytesIO(zlib.decompress(data))
+            file_obj = decompressed
+
+        root = obj.parse_tree(file_obj, root=True)
+
+        obj.root = root
+        return obj

angr/analyses/flirt/flirt_utils.py

@@ -0,0 +1,31 @@
+# Util functions that are mostly rewrite of the original code in redare2
+from __future__ import annotations
+import struct
+
+
+def read_short(file_obj) -> int:
+    return struct.unpack(">H", file_obj.read(2))[0]
+
+
+def read_word(file_obj) -> int:
+    return struct.unpack(">I", file_obj.read(4))[0]
+
+
+def read_max_2_bytes(file_obj) -> int:
+    b = file_obj.read(1)[0]
+    if b & 0x80 != 0x80:
+        return b
+    return ((b & 0x7F) << 8) + file_obj.read(1)[0]
+
+
+def read_multiple_bytes(file_obj) -> int:
+    b = file_obj.read(1)[0]
+    if b & 0x80 != 0x80:
+        return b
+    if b & 0xC0 != 0xC0:
+        return ((b & 0x7F) << 8) + file_obj.read(1)[0]
+    if b & 0xE0 != 0xE0:
+        b = ((b & 0x3F) << 24) + (file_obj.read(1)[0] << 16)
+        b += read_short(file_obj)
+        return b
+    return read_word(file_obj)

angr/analyses/stack_pointer_tracker.py

@@ -7,6 +7,7 @@ import re
 import logging
 from collections import defaultdict
 
+from archinfo.arch_arm import is_arm_arch
 import pyvex
 
 from angr.analyses import ForwardAnalysis, visitors
@@ -16,6 +17,7 @@ from angr.knowledge_plugins import Function
 from angr.block import BlockNode
 from angr.errors import SimTranslationError
 from angr.calling_conventions import SimStackArg
+
 from .analysis import Analysis
 
 try:
@@ -381,6 +383,10 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
             block_start_addr = func.addr if func is not None else block.addr  # type: ignore
             self._reg_value_at_block_start[block_start_addr] = initial_reg_values
 
+        self._itstate_regoffset = None
+        if is_arm_arch(self.project.arch):
+            self._itstate_regoffset = self.project.arch.registers["itstate"][0]
+
         _l.debug("Running on function %r", self._func)
         self._analyze()
 
@@ -617,18 +623,43 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                         and is_alignment_mask(arg1_expr.val)
                     ):
                         return arg0_expr
+                    # also handle bitwise-and between constants
+                    if isinstance(arg0_expr, Constant) and isinstance(arg1_expr, Constant):
+                        return Constant(arg0_expr.val & arg1_expr.val)
+                elif expr.op.startswith("Iop_Xor"):
+                    # handle bitwise-xor between constants
+                    arg0_expr = _resolve_expr(arg0)
+                    arg1_expr = _resolve_expr(arg1)
+                    if isinstance(arg0_expr, Constant) and isinstance(arg1_expr, Constant):
+                        return Constant(arg0_expr.val ^ arg1_expr.val)
                 elif expr.op.startswith("Iop_CmpEQ"):
                     arg0_expr = _resolve_expr(arg0)
                     arg1_expr = _resolve_expr(arg1)
                     if isinstance(arg0_expr, (Register, OffsetVal)) and isinstance(arg1_expr, (Register, OffsetVal)):
                         return Eq(arg0_expr, arg1_expr)
+                elif expr.op.startswith("Iop_CmpNE"):
+                    arg0_expr = _resolve_expr(arg0)
+                    arg1_expr = _resolve_expr(arg1)
+                    if isinstance(arg0_expr, Constant) and isinstance(arg1_expr, Constant):
+                        return Constant(1 if arg0_expr.val == arg1_expr.val else 0)
+                elif expr.op.startswith("Iop_Shr"):
+                    arg0_expr = _resolve_expr(arg0)
+                    arg1_expr = _resolve_expr(arg1)
+                    if isinstance(arg0_expr, Constant) and isinstance(arg1_expr, Constant):
+                        return Constant(arg0_expr.val >> arg1_expr.val)
                 raise CouldNotResolveException
             if type(expr) is pyvex.IRExpr.RdTmp and expr.tmp in tmps and tmps[expr.tmp] is not None:
                 return tmps[expr.tmp]
             if type(expr) is pyvex.IRExpr.Const:
                 return Constant(expr.con.value)
             if type(expr) is pyvex.IRExpr.Get:
+                if self._itstate_regoffset is not None and expr.offset == self._itstate_regoffset:
+                    return Constant(0)
                 return state.get(expr.offset)
+            if type(expr) is pyvex.IRExpr.ITE:
+                cond = _resolve_expr(expr.cond)
+                if isinstance(cond, Constant):
+                    return _resolve_expr(expr.iftrue) if cond.val == 1 else _resolve_expr(expr.iffalse)
             if type(expr) is pyvex.IRExpr.Unop:
                 m = IROP_CONVERT_REGEX.match(expr.op)
                 if m is not None:
@@ -646,6 +677,9 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                     if isinstance(v, Eq):
                         return v
                     return TOP
+            elif type(expr) is pyvex.IRExpr.CCall and expr.callee.name == "armg_calculate_condition":
+                # this is a hack for handling ARM THUMB conditional instructions and may not always work...
+                return Constant(0)
             elif self.track_mem and type(expr) is pyvex.IRExpr.Load:
                 return state.load(_resolve_expr(expr.addr))
             raise CouldNotResolveException

angr/block.py

@@ -433,9 +433,9 @@ class Block(Serializable):
 
     @property
     def instructions(self) -> int:
-        if not self._instructions and self._vex is None:
-            # initialize from VEX
-            _ = self.vex
+        if not self._instructions and self._vex is None and self._vex_nostmt is None:
+            # initialize from VEX, but we do not need statements to know instructions
+            _ = self.vex_nostmt
 
         assert self._instructions is not None
         return self._instructions
@@ -446,9 +446,9 @@ class Block(Serializable):
             # hooks and other pseudo-functions
             return []
 
-        if not self._instruction_addrs and self._vex is None:
-            # initialize instruction addrs
-            _ = self.vex
+        if not self._instruction_addrs and self._vex is None and self._vex_nostmt is None:
+            # initialize instruction addrs, but we do not need statements
+            _ = self.vex_nostmt
 
         return self._instruction_addrs
 

angr/engines/vex/heavy/concretizers.py

@@ -160,6 +160,15 @@ def concretize_fscale(state, args):
     return claripy.FPV(arg_x * math.pow(2, arg_y), claripy.FSORT_DOUBLE)
 
 
+def concretize_fsqrt32(state, args):
+    # Concretize floating point square root. Z3 does support square root but unsure if that includes floating point
+    arg_1 = state.solver.eval(args[1])
+    if arg_1 < 0 or math.isnan(arg_1):
+        return claripy.FPV(math.nan, claripy.FSORT_FLOAT)
+
+    return claripy.FPV(math.sqrt(arg_1), claripy.FSORT_FLOAT)
+
+
 def concretize_fsqrt(state, args):
     # Concretize floating point square root. Z3 does support square root but unsure if that includes floating point
     arg_1 = state.solver.eval(args[1])
@@ -365,6 +374,7 @@ concretizers = {
     "Iop_Yl2xF64": concretize_yl2x,
     "Iop_ScaleF64": concretize_fscale,
     "Iop_2xm1F64": concretize_2xm1,
+    "Iop_SqrtF32": concretize_fsqrt32,
     "Iop_SqrtF64": concretize_fsqrt,
     "Iop_CosF64": concretize_trig_cos,
     "Iop_SinF64": concretize_trig_sin,

angr/flirt/__init__.py

@@ -6,44 +6,16 @@ import json
 from collections import defaultdict
 import logging
 
-import nampa
+from angr.analyses.flirt import (
+    FlirtSignature,
+    FlirtSignatureParsed,
+    FlirtSignatureError,
+    flirt_arch_to_arch_name,
+    flirt_os_type_to_os_name,
+)
 
-_l = logging.getLogger(__name__)
-
-
-class FlirtSignature:
-    """
-    This class describes a FLIRT signature.
-    """
 
-    def __init__(
-        self,
-        arch: str,
-        platform: str,
-        sig_name: str,
-        sig_path: str,
-        unique_strings: set[str] | None = None,
-        compiler: str | None = None,
-        compiler_version: str | None = None,
-        os_name: str | None = None,
-        os_version: str | None = None,
-    ):
-        self.arch = arch
-        self.platform = platform
-        self.sig_name = sig_name
-        self.sig_path = sig_path
-        self.unique_strings = unique_strings
-        self.compiler = compiler
-        self.compiler_version = compiler_version
-        self.os_name = os_name
-        self.os_version = os_version
-
-    def __repr__(self):
-        if self.os_name:
-            if self.os_version:
-                return f"<{self.sig_name}@{self.arch}-{self.os_name}-{self.os_version}>"
-            return f"<{self.sig_name}@{self.arch}-{self.os_name}>"
-        return f"<{self.sig_name}@{self.arch}-{self.platform}>"
+_l = logging.getLogger(__name__)
 
 
 FS = FlirtSignature
@@ -72,8 +44,8 @@ def load_signatures(path: str) -> None:
                 sig_path = os.path.join(root, filename)
                 try:
                     with open(sig_path, "rb") as f:
-                        flirt_header = nampa.flirt.parse_header(f)
-                except nampa.flirt.FlirtException:
+                        sig_parsed = FlirtSignatureParsed.parse(f)
+                except FlirtSignatureError:
                     _l.warning("Failed to load FLIRT signature file %s.", sig_path)
                     continue
 
@@ -84,8 +56,8 @@ def load_signatures(path: str) -> None:
                     with open(meta_path) as f:
                         meta = json.load(f)
 
-                    arch = meta.get("arch", None)
-                    platform = meta.get("platform", None)
+                    arch = str(meta.get("arch", "Unknown"))
+                    platform = str(meta.get("platform", "UnknownOS"))
                     os_name = meta.get("os", None)
                     os_version = meta.get("os_version", None)
                     compiler = meta.get("compiler", None)
@@ -94,9 +66,8 @@ def load_signatures(path: str) -> None:
 
                 else:
                     # nope... we need to extract information from the signature file
-                    # TODO: Convert them to angr-specific strings
-                    arch = flirt_header.arch
-                    platform = flirt_header.os_types
+                    arch = flirt_arch_to_arch_name(sig_parsed.arch, sig_parsed.app_types)
+                    platform = flirt_os_type_to_os_name(sig_parsed.os_types)
                     os_name = None
                     os_version = None
                     unique_strings = None
@@ -106,7 +77,7 @@ def load_signatures(path: str) -> None:
                 signature = FlirtSignature(
                     arch,
                     platform,
-                    flirt_header.library_name.decode("utf-8"),
+                    sig_parsed.libname,
                     sig_path,
                     unique_strings=unique_strings,
                     compiler=compiler,

angr/knowledge_plugins/functions/function.py

@@ -218,7 +218,7 @@ class Function(Serializable):
             self.is_default_name = False
             self._name = name
         self.previous_names = []
-        self.from_signature = None
+        self.from_signature: str | None = None
 
         # Determine the name the binary where this function is.
         if binary_name is not None:
@@ -612,7 +612,7 @@ class Function(Serializable):
 
     @property
     def size(self):
-        return sum(b.size for b in self.blocks)
+        return sum(self._block_sizes.values())
 
     @property
     def binary(self):

{angr-9.2.146.dist-info → angr-9.2.147.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: angr
-Version: 9.2.146
+Version: 9.2.147
 Summary: A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries
 License: BSD-2-Clause
 Project-URL: Homepage, https://angr.io/
@@ -17,22 +17,21 @@ Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: CppHeaderParser
 Requires-Dist: GitPython
-Requires-Dist: ailment==9.2.146
-Requires-Dist: archinfo==9.2.146
+Requires-Dist: ailment==9.2.147
+Requires-Dist: archinfo==9.2.147
 Requires-Dist: cachetools
 Requires-Dist: capstone==5.0.3
 Requires-Dist: cffi>=1.14.0
-Requires-Dist: claripy==9.2.146
-Requires-Dist: cle==9.2.146
+Requires-Dist: claripy==9.2.147
+Requires-Dist: cle==9.2.147
 Requires-Dist: mulpyplexer
-Requires-Dist: nampa
 Requires-Dist: networkx!=2.8.1,>=2.0
 Requires-Dist: protobuf>=5.28.2
 Requires-Dist: psutil
 Requires-Dist: pycparser>=2.18
 Requires-Dist: pydemumble
 Requires-Dist: pyformlang
-Requires-Dist: pyvex==9.2.146
+Requires-Dist: pyvex==9.2.147
 Requires-Dist: rich>=13.1.0
 Requires-Dist: sortedcontainers
 Requires-Dist: sympy