angr 9.2.147__py3-none-macosx_11_0_arm64.whl → 9.2.149__py3-none-macosx_11_0_arm64.whl

angr/analyses/decompiler/utils.py

@@ -851,11 +851,16 @@ def peephole_optimize_stmts(block, stmt_opts):
                     r = opt.optimize(stmt, stmt_idx=stmt_idx, block=block)
                     if r is not None and r is not stmt:
                         stmt = r
+                        if r == ():
+                            # the statement is gone; no more redo
+                            redo = False
+                            break
                         redo = True
                         break
 
         if stmt is not None and stmt is not old_stmt:
-            statements.append(stmt)
+            if stmt != ():
+                statements.append(stmt)
             any_update = True
         else:
             statements.append(old_stmt)

angr/analyses/deobfuscator/api_obf_finder.py

@@ -315,7 +315,11 @@ class APIObfuscationFinder(Analysis):
 
     @staticmethod
     def is_apiname(name: str) -> bool:
-        return any(not isinstance(lib, SimSyscallLibrary) and lib.has_prototype(name) for lib in SIM_LIBRARIES.values())
+        return any(
+            not isinstance(lib, SimSyscallLibrary) and lib.has_prototype(name)
+            for libs in SIM_LIBRARIES.values()
+            for lib in libs
+        )
 
 
 AnalysesHub.register_default("APIObfuscationFinder", APIObfuscationFinder)

angr/analyses/deobfuscator/api_obf_peephole_optimizer.py

@@ -30,7 +30,7 @@ class APIObfType1PeepholeOptimizer(PeepholeOptimizationExprBase):
                 # assign a new function on-demand
                 symbol = self.project.loader.extern_object.make_extern(funcname)
                 hook_addr = self.project.hook_symbol(
-                    symbol.rebased_addr, SIM_LIBRARIES["linux"].get_stub(funcname, self.project.arch)
+                    symbol.rebased_addr, SIM_LIBRARIES["linux"][0].get_stub(funcname, self.project.arch)
                 )
                 func = self.kb.functions.function(addr=hook_addr, name=funcname, create=True)
                 func.is_simprocedure = True

angr/analyses/forward_analysis/visitors/graph.py

@@ -3,7 +3,6 @@ from typing import TypeVar, Generic
 from collections.abc import Collection, Iterator
 from collections import defaultdict
 
-from angr.misc.ux import deprecated
 from angr.utils.algo import binary_insert
 
 NodeType = TypeVar("NodeType")
@@ -94,13 +93,6 @@ class GraphVisitor(Generic[NodeType]):
 
         return iter(self.sort_nodes())
 
-    @deprecated(replacement="nodes")
-    def nodes_iter(self):
-        """
-        (Deprecated) Return an iterator of nodes following an optimal traversal order. Will be removed in the future.
-        """
-        return self.nodes()
-
     # Traversal
 
     def reset(self):

angr/analyses/identifier/runner.py

@@ -29,7 +29,7 @@ assert len(FLAG_DATA) == 0x1000
 class Runner:
     def __init__(self, project, cfg):
         # this is kind of fucked up
-        project.simos.syscall_library.update(SIM_LIBRARIES["cgcabi_tracer"])
+        project.simos.syscall_library.update(SIM_LIBRARIES["cgcabi_tracer"][0])
 
         self.project = project
         self.cfg = cfg

angr/analyses/reaching_definitions/function_handler.py

@@ -401,10 +401,10 @@ class FunctionHandler:
             )
             type_collections = []
             if prototype_libname is not None and prototype_libname in SIM_LIBRARIES:
-                prototype_lib = SIM_LIBRARIES[prototype_libname]
-                if prototype_lib.type_collection_names:
-                    for typelib_name in prototype_lib.type_collection_names:
-                        type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                for prototype_lib in SIM_LIBRARIES[prototype_libname]:
+                    if prototype_lib.type_collection_names:
+                        for typelib_name in prototype_lib.type_collection_names:
+                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
             if type_collections:
                 prototype = dereference_simtype(data.prototype, type_collections).with_arch(state.arch)
                 data.prototype = cast(SimTypeFunction, prototype)

angr/analyses/reassembler.py

@@ -2410,7 +2410,7 @@ class Reassembler(Analysis):
 
         # collect address of all instructions
         l.debug("Collecting instruction addresses...")
-        for cfg_node in self.cfg.nodes():
+        for cfg_node in self.cfg.model.nodes():
             self.all_insn_addrs |= set(cfg_node.instruction_addrs)
 
         # Functions

angr/analyses/s_reaching_definitions/s_rda_view.py

@@ -130,6 +130,7 @@ class SRDAView:
 
             for stmt in reversed(stmts):
                 r = predicate(stmt)
+                predicate_returned_true |= r
                 should_break = (predicate_returned_true and r is False) if consecutive else r
                 if should_break:
                     break

angr/analyses/stack_pointer_tracker.py

@@ -520,7 +520,7 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                 # Setting register values to fresh ones will cause problems down the line when merging with normal
                 # register values happen. therefore, we set their values to BOTTOM. these BOTTOMs will be replaced once
                 # a merge with normal blocks happen.
-                initial_regs = {r: BOTTOM for r in self.reg_offsets}
+                initial_regs = dict.fromkeys(self.reg_offsets, BOTTOM)
 
         return StackPointerTrackerState(
             regs=initial_regs, memory={}, is_tracking_memory=self.track_mem, resilient=self._resilient

angr/analyses/static_hooker.py

@@ -21,7 +21,7 @@ class StaticHooker(Analysis):
     def __init__(self, library, binary=None):
         self.results = {}
         try:
-            lib = SIM_LIBRARIES[library]
+            libs = SIM_LIBRARIES[library]
         except KeyError as err:
             raise AngrValueError(f"No such library {library}") from err
 
@@ -36,14 +36,16 @@ class StaticHooker(Analysis):
                 l.debug("Skipping %s at %#x, already hooked", func.name, func.rebased_addr)
                 continue
 
-            if lib.has_implementation(func.name):
-                proc = lib.get(func.name, self.project.arch)
-                self.results[func.rebased_addr] = proc
-                if self.project.is_hooked(func.rebased_addr):
-                    l.debug("Skipping %s at %#x, already hooked", func.name, func.rebased_addr)
-                else:
-                    self.project.hook(func.rebased_addr, proc)
-                    l.info("Hooked %s at %#x", func.name, func.rebased_addr)
+            for lib in libs:
+                if lib.has_implementation(func.name):
+                    proc = lib.get(func.name, self.project.arch)
+                    self.results[func.rebased_addr] = proc
+                    if self.project.is_hooked(func.rebased_addr):
+                        l.debug("Skipping %s at %#x, already hooked", func.name, func.rebased_addr)
+                    else:
+                        self.project.hook(func.rebased_addr, proc)
+                        l.info("Hooked %s at %#x", func.name, func.rebased_addr)
+                    break
             else:
                 l.debug("Failed to hook %s at %#x", func.name, func.rebased_addr)
 

angr/analyses/typehoon/lifter.py

@@ -13,6 +13,7 @@ from angr.sim_type import (
     SimTypeArray,
     SimTypeFloat,
     SimTypeDouble,
+    SimCppClass,
 )
 from .typeconsts import BottomType, Int8, Int16, Int32, Int64, Pointer32, Pointer64, Struct, Array, Float32, Float64
 
@@ -77,6 +78,24 @@ class TypeLifter:
         obj.field_names = field_names
         return obj
 
+    def _lift_SimCppClass(self, ty: SimCppClass) -> TypeConstant | BottomType:
+        if ty in self.memo:
+            return BottomType()
+
+        obj = Struct(fields={}, name=ty.name, is_cppclass=True)
+        self.memo[ty] = obj
+        converted_fields = {}
+        field_names = {}
+        ty_offsets = ty.offsets
+        for field_name, simtype in ty.members.items():
+            if field_name not in ty_offsets:
+                return BottomType()
+            converted_fields[ty_offsets[field_name]] = self.lift(simtype)
+            field_names[ty_offsets[field_name]] = field_name
+        obj.fields = converted_fields
+        obj.field_names = field_names
+        return obj
+
     def _lift_SimTypeArray(self, ty: SimTypeArray) -> Array:
         elem_type = self.lift(ty.elem_type)
         return Array(elem_type, count=ty.length)
@@ -96,6 +115,7 @@ _mapping = {
     SimTypeLongLong: TypeLifter._lift_SimTypeLongLong,
     SimTypePointer: TypeLifter._lift_SimTypePointer,
     SimStruct: TypeLifter._lift_SimStruct,
+    SimCppClass: TypeLifter._lift_SimCppClass,
     SimTypeArray: TypeLifter._lift_SimTypeArray,
     SimTypeFloat: TypeLifter._lift_SimTypeFloat,
     SimTypeDouble: TypeLifter._lift_SimTypeDouble,

angr/analyses/typehoon/simple_solver.py

@@ -181,7 +181,7 @@ class Sketch:
 
     def __init__(self, solver: SimpleSolver, root: TypeVariable):
         self.root: SketchNode = SketchNode(root)
-        self.graph = networkx.DiGraph()
+        self.graph = networkx.MultiDiGraph()
         self.node_mapping: dict[TypeVariable | DerivedTypeVariable, SketchNodeBase] = {}
         self.solver = solver
 
@@ -200,7 +200,7 @@ class Sketch:
             for label in typevar.labels:
                 succs = []
                 for _, dst, data in self.graph.out_edges(node, data=True):
-                    if "label" in data and data["label"] == label:
+                    if "label" in data and data["label"] == label and dst not in succs:
                         succs.append(dst)
                 if len(succs) > 1:
                     _l.warning(
@@ -215,6 +215,11 @@ class Sketch:
         return node
 
     def add_edge(self, src: SketchNodeBase, dst: SketchNodeBase, label) -> None:
+        # ensure the label does not already exist in existing edges
+        if self.graph.has_edge(src, dst):
+            for data in self.graph.get_edge_data(src, dst).values():
+                if "label" in data and data["label"] == label:
+                    return
         self.graph.add_edge(src, dst, label=label)
 
     def add_constraint(self, constraint: TypeConstraint) -> None:
@@ -315,7 +320,7 @@ class ConstraintGraphNode:
             tag_str = "R"
         else:
             tag_str = "U"
-        forgotten_str = "PRE" if FORGOTTEN.PRE_FORGOTTEN else "POST"
+        forgotten_str = "PRE" if self.forgotten == FORGOTTEN.PRE_FORGOTTEN else "POST"
         s = f"{self.typevar}#{variance_str}.{tag_str}.{forgotten_str}"
         if ":" in s:
             return '"' + s + '"'
@@ -820,6 +825,7 @@ class SimpleSolver:
         """
 
         graph = networkx.DiGraph()
+        constraints = self._get_transitive_subtype_constraints(constraints)
         for constraint in constraints:
             if isinstance(constraint, Subtype):
                 self._constraint_graph_add_edges(
@@ -830,6 +836,33 @@ class SimpleSolver:
         self._constraint_graph_recall_forget_split(graph)
         return graph
 
+    @staticmethod
+    def _get_transitive_subtype_constraints(constraints: set[TypeConstraint]) -> set[TypeConstraint]:
+        """
+        Apply the S-Trans rule: a <: b, b <: c => a <: c
+        """
+        tv2supertypes = defaultdict(set)
+        for constraint in constraints:
+            if isinstance(constraint, Subtype):
+                tv2supertypes[constraint.sub_type].add(constraint.super_type)
+
+        new_constraints = set()
+        while True:
+            changed = False
+            for subtype, supertypes in tv2supertypes.items():
+                supertypes_copy = set(supertypes)
+                for supertype in supertypes_copy:
+                    if supertype in tv2supertypes:
+                        for supertype_ in tv2supertypes[supertype]:
+                            if supertype_ not in supertypes_copy:
+                                changed = True
+                                supertypes.add(supertype_)
+                                new_constraints.add(Subtype(subtype, supertype_))
+            if not changed:
+                break
+
+        return constraints | new_constraints
+
     @staticmethod
     def _constraint_graph_add_recall_edges(graph: networkx.DiGraph, node: ConstraintGraphNode) -> None:
         while True:
@@ -1234,21 +1267,21 @@ class SimpleSolver:
                     offset_to_maxsize[base] = max(offset_to_maxsize[base], (last_label.offset - base) + access_size)
                     offset_to_sizes[base].add(access_size)
 
-            node_to_base = {}
+            idx_to_base = {}
 
-            for labels, succ in path_and_successors:
+            for idx, (labels, _) in enumerate(path_and_successors):
                 last_label = labels[-1] if labels else None
                 if isinstance(last_label, HasField):
                     prev_offset = next(offset_to_base.irange(maximum=last_label.offset, reverse=True))
-                    node_to_base[succ] = offset_to_base[prev_offset]
+                    idx_to_base[idx] = offset_to_base[prev_offset]
 
             node_by_offset = defaultdict(set)
 
-            for labels, succ in path_and_successors:
+            for idx, (labels, succ) in enumerate(path_and_successors):
                 last_label = labels[-1] if labels else None
                 if isinstance(last_label, HasField):
-                    if succ in node_to_base:
-                        node_by_offset[node_to_base[succ]].add(succ)
+                    if idx in idx_to_base:
+                        node_by_offset[idx_to_base[idx]].add(succ)
                     else:
                         node_by_offset[last_label.offset].add(succ)
 

angr/analyses/typehoon/translator.py

@@ -105,7 +105,10 @@ class TypeTranslator:
 
         name = tc.name if tc.name else self.struct_name()
 
-        s = sim_type.SimStruct({}, name=name).with_arch(self.arch)
+        if tc.is_cppclass:
+            s = sim_type.SimCppClass(name=name).with_arch(self.arch)
+        else:
+            s = sim_type.SimStruct({}, name=name).with_arch(self.arch)
         self.structs[tc] = s
 
         next_offset = 0

angr/analyses/typehoon/typeconsts.py

@@ -114,6 +114,18 @@ class Int512(Int):
         return "int512"
 
 
+class IntVar(Int):
+    def __init__(self, size):
+        self._size = size
+
+    @property
+    def size(self) -> int:
+        return self._size
+
+    def __repr__(self, memo=None):
+        return "intvar"
+
+
 class Float(TypeConstant):
     def __repr__(self, memo=None) -> str:
         return "floatbase"
@@ -211,10 +223,11 @@ class Array(TypeConstant):
 
 
 class Struct(TypeConstant):
-    def __init__(self, fields=None, name=None, field_names=None):
+    def __init__(self, fields=None, name=None, field_names=None, is_cppclass: bool = False):
         self.fields = {} if fields is None else fields  # offset to type
         self.name = name
         self.field_names = field_names
+        self.is_cppclass = is_cppclass
 
     def _hash(self, visited: set[int]):
         if id(self) in visited:
@@ -236,9 +249,9 @@ class Struct(TypeConstant):
 
     @memoize
     def __repr__(self, memo=None):
-        prefix = "struct"
+        prefix = "CppClass" if self.is_cppclass else "struct"
         if self.name:
-            prefix = f"struct {self.name}"
+            prefix = f"{prefix} {self.name}"
         return (
             prefix
             + "{"
@@ -312,9 +325,7 @@ def int_type(bits: int) -> Int:
         256: Int256,
         512: Int512,
     }
-    if bits in mapping:
-        return mapping[bits]()
-    raise TypeError(f"Not a known size of int: {bits}")
+    return mapping[bits]() if bits in mapping else IntVar(bits)
 
 
 def float_type(bits: int) -> Float | None:

angr/analyses/typehoon/typehoon.py

@@ -10,7 +10,7 @@ from angr.sim_variable import SimVariable, SimStackVariable
 from .simple_solver import SimpleSolver
 from .translator import TypeTranslator
 from .typeconsts import Struct, Pointer, TypeConstant, Array, TopType
-from .typevars import Equivalence, Subtype, TypeVariable
+from .typevars import Equivalence, Subtype, TypeVariable, DerivedTypeVariable
 
 if TYPE_CHECKING:
     from angr.sim_type import SimType
@@ -187,6 +187,10 @@ class Typehoon(Analysis):
         if self._ground_truth and self.simtypes_solution is not None:
             self.simtypes_solution.update(self._ground_truth)
 
+    @staticmethod
+    def _resolve_derived(tv):
+        return tv.type_var if isinstance(tv, DerivedTypeVariable) else tv
+
     def _solve(self):
         typevars = set()
         if self._var_mapping:
@@ -198,9 +202,10 @@ class Typehoon(Analysis):
             for constraint in self._constraints[self.func_var]:
                 if isinstance(constraint, Subtype):
                     if isinstance(constraint.sub_type, TypeVariable):
-                        typevars.add(constraint.sub_type)
+                        typevars.add(self._resolve_derived(constraint.sub_type))
                     if isinstance(constraint.super_type, TypeVariable):
-                        typevars.add(constraint.super_type)
+                        typevars.add(self._resolve_derived(constraint.super_type))
+
         solver = SimpleSolver(self.bits, self._constraints, typevars, stackvar_max_sizes=self._stackvar_max_sizes)
         self.solution = solver.solution
 
@@ -214,13 +219,16 @@ class Typehoon(Analysis):
         if not self.solution:
             return
 
+        memo = set()
         for tv in list(self.solution.keys()):
             if self._must_struct and tv in self._must_struct:
                 continue
             sol = self.solution[tv]
-            specialized = self._specialize_struct(sol)
+            specialized = self._specialize_struct(sol, memo=memo)
             if specialized is not None:
                 self.solution[tv] = specialized
+            else:
+                memo.add(sol)
 
     def _specialize_struct(self, tc, memo: set | None = None):
         if isinstance(tc, Pointer):
@@ -240,7 +248,11 @@ class Typehoon(Analysis):
                 return field0
 
             # are all fields the same?
-            if len(tc.fields) > 1 and all(tc.fields[off] == field0 for off in offsets):
+            if (
+                len(tc.fields) > 1
+                and not self._is_pointer_to(field0, tc)
+                and all(tc.fields[off] == field0 for off in offsets)
+            ):
                 # are all fields aligned properly?
                 try:
                     alignment = field0.size
@@ -257,6 +269,10 @@ class Typehoon(Analysis):
 
         return None
 
+    @staticmethod
+    def _is_pointer_to(pointer_to: TypeConstant, base_type: TypeConstant) -> bool:
+        return isinstance(pointer_to, Pointer) and pointer_to.basetype == base_type
+
     def _translate_to_simtypes(self):
         """
         Translate solutions in type variables to solutions in SimTypes.

angr/analyses/variable_recovery/engine_ail.py

@@ -4,6 +4,7 @@ from typing import TYPE_CHECKING, cast
 import logging
 
 import ailment
+from ailment.constant import UNDETERMINED_SIZE
 import claripy
 from unique_log_filter import UniqueLogFilter
 
@@ -30,8 +31,15 @@ class SimEngineVRAIL(
     The engine for variable recovery on AIL.
     """
 
-    def __init__(self, *args, call_info=None, vvar_to_vvar: dict[int, int] | None, **kwargs):
-        super().__init__(*args, **kwargs)
+    def __init__(
+        self,
+        *args,
+        call_info=None,
+        vvar_to_vvar: dict[int, int] | None,
+        vvar_type_hints: dict[int, typeconsts.TypeConstant] | None = None,
+        **kwargs,
+    ):
+        super().__init__(*args, vvar_type_hints=vvar_type_hints, **kwargs)
 
         self._reference_spoffset: bool = False
         self.call_info = call_info or {}
@@ -100,6 +108,13 @@ class SimEngineVRAIL(
         else:
             l.warning("Unsupported dst type %s.", dst_type)
 
+    def _handle_stmt_WeakAssignment(self, stmt) -> None:
+        src = self._expr(stmt.src)
+        dst = self._expr(stmt.dst)
+        if isinstance(src, RichR) and isinstance(dst, RichR) and src.typevar is not None and dst.typevar is not None:
+            tc = typevars.Subtype(src.typevar, dst.typevar)
+            self.state.add_type_constraint(tc)
+
     def _handle_stmt_Store(self, stmt: ailment.Stmt.Store):
         addr_r = self._expr_bv(stmt.addr)
         data = self._expr(stmt.data)
@@ -169,10 +184,10 @@ class SimEngineVRAIL(
 
             type_collections = []
             if prototype_libname is not None:
-                prototype_lib = SIM_LIBRARIES[prototype_libname]
-                if prototype_lib.type_collection_names:
-                    for typelib_name in prototype_lib.type_collection_names:
-                        type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                for prototype_lib in SIM_LIBRARIES[prototype_libname]:
+                    if prototype_lib.type_collection_names:
+                        for typelib_name in prototype_lib.type_collection_names:
+                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
 
             for arg, arg_type in zip(args, prototype.args):
                 if arg.typevar is not None:
@@ -262,10 +277,10 @@ class SimEngineVRAIL(
 
             type_collections = []
             if prototype_libname is not None:
-                prototype_lib = SIM_LIBRARIES[prototype_libname]
-                if prototype_lib.type_collection_names:
-                    for typelib_name in prototype_lib.type_collection_names:
-                        type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                for prototype_lib in SIM_LIBRARIES[prototype_libname]:
+                    if prototype_lib.type_collection_names:
+                        for typelib_name in prototype_lib.type_collection_names:
+                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
 
             for arg, arg_type in zip(args, prototype.args):
                 if arg.typevar is not None:
@@ -325,7 +340,9 @@ class SimEngineVRAIL(
         addr_r = self._expr_bv(expr.addr)
         size = expr.size
 
-        return self._load(addr_r, size, expr=expr)
+        if size != UNDETERMINED_SIZE:
+            return self._load(addr_r, size, expr=expr)
+        return self._top(8)
 
     def _handle_expr_VirtualVariable(self, expr: ailment.Expr.VirtualVariable):
         return self._read_from_vvar(expr, expr=expr, vvar_id=self._mapped_vvarid(expr.varid))
@@ -419,6 +436,29 @@ class SimEngineVRAIL(
             self._reference(richr, codeloc, src=expr)
         return richr
 
+    def _handle_unop_Reference(self, expr: ailment.Expr.UnaryOp):
+        if isinstance(expr.operand, ailment.Expr.VirtualVariable) and expr.operand.was_stack:
+            off = expr.operand.stack_offset
+            refbase_typevar = self.state.stack_offset_typevars.get(off, None)
+            if refbase_typevar is None:
+                # allocate a new type variable
+                refbase_typevar = typevars.TypeVariable()
+                self.state.stack_offset_typevars[off] = refbase_typevar
+
+            ref_typevar = typevars.TypeVariable()
+            access_derived_typevar = self._create_access_typevar(ref_typevar, False, None, 0)
+            load_constraint = typevars.Subtype(refbase_typevar, access_derived_typevar)
+            self.state.add_type_constraint(load_constraint)
+
+            value_v = self.state.stack_address(off)
+            richr = RichR(value_v, typevar=ref_typevar)
+            codeloc = self._codeloc()
+            self._ensure_variable_existence(richr, codeloc, src_expr=expr.operand)
+            if self._reference_spoffset:
+                self._reference(richr, codeloc, src=expr.operand)
+            return richr
+        return RichR(self.state.top(expr.bits))
+
     def _handle_expr_BasePointerOffset(self, expr):
         # TODO
         return self._top(expr.bits)
@@ -433,7 +473,7 @@ class SimEngineVRAIL(
     def _handle_binop_Add(self, expr):
         arg0, arg1 = expr.operands
         r0, r1 = self._expr_pair(arg0, arg1)
-        compute = r0.data + r1.data  # type: ignore
+        compute = r0.data + r1.data if r0.data.size() == r1.data.size() else self.state.top(expr.bits)  # type: ignore
 
         type_constraints = set()
         # create a new type variable and add constraints accordingly
@@ -844,7 +884,6 @@ class SimEngineVRAIL(
         self._expr(expr.operands[0])
         return RichR(self.state.top(expr.bits))
 
-    _handle_unop_Reference = _handle_unop_Default
     _handle_unop_Dereference = _handle_unop_Default
     _handle_unop_Clz = _handle_unop_Default
     _handle_unop_Ctz = _handle_unop_Default