angr 9.2.147__py3-none-manylinux2014_aarch64.whl → 9.2.148__py3-none-manylinux2014_aarch64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.147"
+__version__ = "9.2.148"
 
 if bytes is str:
     raise Exception(

angr/analyses/analysis.py

@@ -18,7 +18,6 @@ import typing
 from rich import progress
 
 from angr.misc.plugins import PluginVendor, VendorPreset
-from angr.misc.ux import deprecated
 from angr.misc import telemetry
 from angr.misc.testing import is_testing
 
@@ -121,10 +120,6 @@ class AnalysesHub(PluginVendor[A]):
         super().__init__()
         self.project = project
 
-    @deprecated()
-    def reload_analyses(self):  # pylint: disable=no-self-use
-        return
-
     def _init_plugin(self, plugin_cls: type[A]) -> AnalysisFactory[A]:
         return AnalysisFactory(self.project, plugin_cls)
 
@@ -392,12 +387,9 @@ class Analysis:
 
     def __getstate__(self):
         d = dict(self.__dict__)
-        if "_progressbar" in d:
-            del d["_progressbar"]
-        if "_progress_callback" in d:
-            del d["_progress_callback"]
-        if "_statusbar" in d:
-            del d["_statusbar"]
+        d.pop("_progressbar", None)
+        d.pop("_progress_callback", None)
+        d.pop("_statusbar", None)
         return d
 
     def __setstate__(self, state):

angr/analyses/calling_convention/fact_collector.py

@@ -445,10 +445,11 @@ class FactCollector(Analysis):
                             if func_succ.prototype_libname is not None:
                                 # we need to deref the prototype in case it uses SimTypeRef internally
                                 type_collections = []
-                                prototype_lib = SIM_LIBRARIES[func_succ.prototype_libname]
-                                if prototype_lib.type_collection_names:
-                                    for typelib_name in prototype_lib.type_collection_names:
-                                        type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                                for prototype_lib in SIM_LIBRARIES[func_succ.prototype_libname]:
+                                    if prototype_lib.type_collection_names:
+                                        for typelib_name in prototype_lib.type_collection_names:
+                                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                                if type_collections:
                                     proto = dereference_simtype(proto, type_collections)
 
                             assert isinstance(proto, SimTypeFunction) and proto.returnty is not None

angr/analyses/calling_convention/utils.py

@@ -35,6 +35,7 @@ def is_sane_register_variable(
         return 16 <= reg_offset < 80  # x0-x7
 
     if arch_name == "AMD64":
+        # TODO is rbx ever a register?
         return 24 <= reg_offset < 40 or 64 <= reg_offset < 104  # rcx, rdx  # rsi, rdi, r8, r9, r10
         # 224 <= reg_offset < 480)  # xmm0-xmm7
 

angr/analyses/cfg/cfg_base.py

@@ -17,7 +17,6 @@ from archinfo.arch_arm import is_arm_arch, get_real_address_if_arm
 from angr.knowledge_plugins.functions.function_manager import FunctionManager
 from angr.knowledge_plugins.functions.function import Function
 from angr.knowledge_plugins.cfg import IndirectJump, CFGNode, CFGENode, CFGModel  # pylint:disable=unused-import
-from angr.misc.ux import deprecated
 from angr.procedures.stubs.UnresolvableJumpTarget import UnresolvableJumpTarget
 from angr.utils.constants import DEFAULT_STATEMENT
 from angr.procedures.procedure_dict import SIM_PROCEDURES
@@ -354,64 +353,9 @@ class CFGBase(Analysis):
 
         raise NotImplementedError("I'm too lazy to implement it right now")
 
-    @deprecated(replacement="self.model.get_predecessors()")
-    def get_predecessors(self, cfgnode, excluding_fakeret=True, jumpkind=None):
-        return self._model.get_predecessors(cfgnode, excluding_fakeret=excluding_fakeret, jumpkind=jumpkind)
-
-    @deprecated(replacement="self.model.get_successors()")
-    def get_successors(self, node, excluding_fakeret=True, jumpkind=None):
-        return self._model.get_successors(node, excluding_fakeret=excluding_fakeret, jumpkind=jumpkind)
-
-    @deprecated(replacement="self.model.get_successors_and_jumpkind")
-    def get_successors_and_jumpkind(self, node, excluding_fakeret=True):
-        return self._model.get_successors_and_jumpkind(node, excluding_fakeret=excluding_fakeret)
-
-    @deprecated(replacement="self.model.get_all_predecessors()")
-    def get_all_predecessors(self, cfgnode, depth_limit=None):
-        return self._model.get_all_predecessors(cfgnode, depth_limit)
-
-    @deprecated(replacement="self.model.get_all_successors()")
-    def get_all_successors(self, cfgnode, depth_limit=None):
-        return self._model.get_all_successors(cfgnode, depth_limit)
-
-    @deprecated(replacement="self.model.get_node()")
-    def get_node(self, block_id):
-        return self._model.get_node(block_id)
-
-    @deprecated(replacement="self.model.get_any_node()")
-    def get_any_node(self, addr, is_syscall=None, anyaddr=False, force_fastpath=False):
-        return self._model.get_any_node(addr, is_syscall=is_syscall, anyaddr=anyaddr, force_fastpath=force_fastpath)
-
-    @deprecated(replacement="self.model.get_all_nodes()")
-    def get_all_nodes(self, addr, is_syscall=None, anyaddr=False):
-        return self._model.get_all_nodes(addr, is_syscall=is_syscall, anyaddr=anyaddr)
-
-    @deprecated(replacement="self.model.nodes()")
-    def nodes(self):
-        return self._model.nodes()
-
-    @deprecated(replacement="nodes")
-    def nodes_iter(self):
-        """
-        (Decrepated) An iterator of all nodes in the graph. Will be removed in the future.
-
-        :return: The iterator.
-        :rtype: iterator
-        """
-
-        return self.nodes()
-
     def get_loop_back_edges(self):
         return self._loop_back_edges
 
-    @deprecated(replacement="self.model.get_branching_nodes()")
-    def get_branching_nodes(self):
-        return self._model.get_branching_nodes()
-
-    @deprecated(replacement="self.model.get_exit_stmt_idx")
-    def get_exit_stmt_idx(self, src_block, dst_block):
-        return self._model.get_exit_stmt_idx(src_block, dst_block)
-
     @property
     def graph(self) -> networkx.DiGraph[CFGNode]:
         raise NotImplementedError
@@ -1555,7 +1499,7 @@ class CFGBase(Analysis):
                 ):
                     # all nops. mark this function as a function alignment
                     l.debug("Function chunk %#x is probably used as a function alignment (all nops).", func_addr)
-                    self.kb.functions[func_addr].alignment = True
+                    self.kb.functions[func_addr].is_alignment = True
                     continue
                 node = function.get_node(block.addr)
                 assert node is not None
@@ -1563,7 +1507,7 @@ class CFGBase(Analysis):
                 if len(successors) == 1 and successors[0].addr == node.addr:
                     # self loop. mark this function as a function alignment
                     l.debug("Function chunk %#x is probably used as a function alignment (self-loop).", func_addr)
-                    self.kb.functions[func_addr].alignment = True
+                    self.kb.functions[func_addr].is_alignment = True
                     continue
 
     def make_functions(self):
@@ -2110,7 +2054,7 @@ class CFGBase(Analysis):
                 continue
             if func_addr in jumptable_entries:
                 # is there any call edge pointing to it?
-                func_node = self.get_any_node(func_addr, force_fastpath=True)
+                func_node = self.model.get_any_node(func_addr, force_fastpath=True)
                 if func_node is not None:
                     in_edges = self.graph.in_edges(func_node, data=True)
                     has_transition_pred = None

angr/analyses/cfg/cfg_emulated.py

@@ -472,7 +472,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
                 src_blocknode: BlockNode = back_edge[0]
                 dst_blocknode: BlockNode = back_edge[1]
 
-                for src in self.get_all_nodes(src_blocknode.addr):
+                for src in self.model.get_all_nodes(src_blocknode.addr):
                     for dst in graph.successors(src):
                         if dst.addr != dst_blocknode.addr:
                             continue
@@ -524,7 +524,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         start = self._starts[0]
         if isinstance(start, tuple):
             start, _ = start  # pylint: disable=unpacking-non-sequence
-        start_node = self.get_any_node(start)
+        start_node = self.model.get_any_node(start)
         if start_node is None:
             raise AngrCFGError("Cannot find start node when trying to unroll loops. The CFG might be empty.")
 
@@ -720,7 +720,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         # FIXME: syscalls are not supported
         # FIXME: start should also take a CFGNode instance
 
-        start_node = self.get_any_node(start)
+        start_node = self.model.get_any_node(start)
         assert start_node is not None
 
         node_wrapper = (start_node, 0)
@@ -2286,9 +2286,9 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
                     # Remove that edge!
                     graph.remove_edge(call_func_addr, return_to_addr)
                     # Remove the edge in CFG
-                    nodes = self.get_all_nodes(callsite_block_addr)
+                    nodes = self.model.get_all_nodes(callsite_block_addr)
                     for n in nodes:
-                        successors = self.get_successors_and_jumpkind(n, excluding_fakeret=False)
+                        successors = self.model.get_successors_and_jumpkind(n, excluding_fakeret=False)
                         for successor, jumpkind in successors:
                             if jumpkind == "Ijk_FakeRet" and successor.addr == return_to_addr:
                                 self.remove_edge(n, successor)
@@ -2548,7 +2548,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         for start in starts:
             l.debug("Start symbolic execution at 0x%x on program slice.", start)
             # Get the state from our CFG
-            node = self.get_any_node(start)
+            node = self.model.get_any_node(start)
             if node is None:
                 # Well, we have to live with an empty state
                 base_state = self.project.factory.blank_state(addr=start)
@@ -2561,7 +2561,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
                 initial_nodes = [n for n in bc.taint_graph.nodes() if bc.taint_graph.in_degree(n) == 0]
                 for cl in initial_nodes:
                     # Iterate in all actions of this node, and pick corresponding actions
-                    cfg_nodes = self.get_all_nodes(cl.block_addr)
+                    cfg_nodes = self.model.get_all_nodes(cl.block_addr)
                     for n in cfg_nodes:
                         if not n.final_states:
                             continue
@@ -3376,9 +3376,9 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
 
         all_predecessors = []
 
-        nodes = self.get_all_nodes(function_address)
+        nodes = self.model.get_all_nodes(function_address)
         for n in nodes:
-            predecessors = list(self.get_predecessors(n))
+            predecessors = list(self.model.get_predecessors(n))
             all_predecessors.extend(predecessors)
 
         return all_predecessors
@@ -3391,8 +3391,8 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
         Return: a list of lists of nodes representing paths.
         """
         if isinstance(begin, int) and isinstance(end, int):
-            n_begin = self.get_any_node(begin)
-            n_end = self.get_any_node(end)
+            n_begin = self.model.get_any_node(begin)
+            n_end = self.model.get_any_node(end)
 
         elif isinstance(begin, CFGENode) and isinstance(end, CFGENode):
             n_begin = begin
@@ -3417,7 +3417,7 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
 
         for ep in self._entry_points:
             # FIXME: This is not always correct. We'd better store CFGNodes in self._entry_points
-            ep_node = self.get_any_node(ep)
+            ep_node = self.model.get_any_node(ep)
 
             if not ep_node:
                 continue

angr/analyses/cfg/cfg_fast.py

@@ -22,10 +22,10 @@ from archinfo.arch_soot import SootAddressDescriptor
 from archinfo.arch_arm import is_arm_arch, get_real_address_if_arm
 
 from angr.analyses import AnalysesHub
+from angr.misc.ux import once
 from angr.knowledge_plugins.cfg import CFGNode, MemoryDataSort, MemoryData, IndirectJump, IndirectJumpType
 from angr.knowledge_plugins.xrefs import XRef, XRefType
 from angr.knowledge_plugins.functions import Function
-from angr.misc.ux import deprecated
 from angr.codenode import HookNode
 from angr import sim_options as o
 from angr.errors import (
@@ -589,10 +589,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         regions=None,
         pickle_intermediate_results=False,
         symbols=True,
-        function_prologues=True,
+        function_prologues: bool | None = None,
         resolve_indirect_jumps=True,
         force_segment=False,
-        force_smart_scan=True,
+        force_smart_scan: bool | None = None,
         force_complete_scan=False,
         indirect_jump_target_limit=100000,
         data_references=True,
@@ -712,6 +712,20 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         if binary is not None and not objects:
             objects = [binary]
 
+        is_dotnet = (
+            isinstance(self.project.loader.main_object, cle.backends.pe.PE)
+            and self.project.loader.main_object.is_dotnet
+        )
+
+        if function_prologues is None:
+            function_prologues = not is_dotnet
+            if is_dotnet and once("dotnet_native"):
+                l.warning("You're trying to analyze a .NET binary as native code. Are you sure?")
+        if force_smart_scan is None:
+            force_smart_scan = not is_dotnet
+            if is_dotnet and once("dotnet_native"):
+                l.warning("You're trying to analyze a .NET binary as native code. Are you sure?")
+
         CFGBase.__init__(
             self,
             "fast",
@@ -2117,6 +2131,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 src_func = self.functions.function(addr=cfg_job.src_node.addr, create=True)
             else:
                 src_func = self.functions.get_by_addr(cfg_job.src_node.addr)
+            assert src_func is not None
             if len(src_func.block_addrs_set) <= 1 and src_func.is_default_name:
                 # assign a name to the caller function that jumps to this procedure
                 src_func.name = procedure.display_name
@@ -3843,6 +3858,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
             for ep in endpoints:
                 src = self.model.get_any_node(ep.addr)
+                assert src is not None
                 for rt in return_targets:
                     if not src.instruction_addrs:
                         ins_addr = None
@@ -4333,7 +4349,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
             # extra check for ARM
             if is_arm_arch(self.project.arch) and self._seg_list.occupied_by_sort(addr) == "code":
-                existing_node = self.get_any_node(addr, anyaddr=True)
+                existing_node = self.model.get_any_node(addr, anyaddr=True)
                 if existing_node is not None and (addr & 1) != (existing_node.addr & 1):
                     # we are trying to break an existing ARM node with a THUMB node, or vice versa
                     # this is probably because our current node is unexpected
@@ -5212,18 +5228,5 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
     def output(self):
         return f"{self._graph.edges(data=True)}"
 
-    @deprecated(replacement="angr.analyses.CFB")
-    def generate_code_cover(self):
-        """
-        Generate a list of all recovered basic blocks.
-        """
-
-        lst = []
-        for cfg_node in self.graph.nodes():
-            size = cfg_node.size
-            lst.append((cfg_node.addr, size))
-
-        return sorted(lst, key=lambda x: x[0])
-
 
 AnalysesHub.register_default("CFGFast", CFGFast)

angr/analyses/cfg/cfg_fast_soot.py

@@ -487,7 +487,7 @@ class CFGFastSoot(CFGFast):
                 # it might be a jumpout
                 target_func_addr = None
                 if target_addr in self._traced_addresses:
-                    node = self.get_any_node(target_addr)
+                    node = self.model.get_any_node(target_addr)
                     if node is not None:
                         target_func_addr = node.function_address
                 if target_func_addr is None:
@@ -578,7 +578,7 @@ class CFGFastSoot(CFGFast):
             if jumpkind == "Ijk_Call" or jumpkind.startswith("Ijk_Sys"):
                 function_nodes.add(dst)
 
-        entry_node = self.get_any_node(self._binary.entry)
+        entry_node = self.model.get_any_node(self._binary.entry)
         if entry_node is not None:
             function_nodes.add(entry_node)
 
@@ -616,7 +616,7 @@ class CFGFastSoot(CFGFast):
         secondary_function_nodes = set()
         # add all function chunks ("functions" that are not called from anywhere)
         for func_addr in tmp_functions:
-            node = self.get_any_node(func_addr)
+            node = self.model.get_any_node(func_addr)
             if node is None:
                 continue
             if node.addr not in blockaddr_to_function:

angr/analyses/decompiler/callsite_maker.py

@@ -18,7 +18,7 @@ from angr.sim_type import (
     SimTypeFunction,
     SimTypeLongLong,
 )
-from angr.calling_conventions import SimRegArg, SimStackArg, SimCC, SimStructArg, SimComboArg
+from angr.calling_conventions import SimReferenceArgument, SimRegArg, SimStackArg, SimCC, SimStructArg, SimComboArg
 from angr.knowledge_plugins.key_definitions.constants import OP_BEFORE
 from angr.analyses import Analysis, register_analysis
 from angr.analyses.s_reaching_definitions import SRDAView
@@ -111,10 +111,10 @@ class CallSiteMaker(Analysis):
             prototype_libname = func.prototype_libname
             type_collections = []
             if prototype_libname is not None:
-                prototype_lib = SIM_LIBRARIES[prototype_libname]
-                if prototype_lib.type_collection_names:
-                    for typelib_name in prototype_lib.type_collection_names:
-                        type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                for prototype_lib in SIM_LIBRARIES[prototype_libname]:
+                    if prototype_lib.type_collection_names:
+                        for typelib_name in prototype_lib.type_collection_names:
+                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
             if type_collections:
                 prototype = dereference_simtype(prototype, type_collections).with_arch(  # type: ignore
                     self.project.arch
@@ -144,17 +144,30 @@ class CallSiteMaker(Analysis):
                         arg_locs = cc.arg_locs(callsite_ty)
 
         if arg_locs is not None and cc is not None:
-            expanded_arg_locs = []
+            expanded_arg_locs: list[SimStackArg | SimRegArg | SimReferenceArgument] = []
             for arg_loc in arg_locs:
                 if isinstance(arg_loc, SimComboArg):
                     # a ComboArg spans across multiple locations (mostly stack but *in theory* can also be spanning
                     # across registers). most importantly, a ComboArg represents one variable, not multiple, but we
                     # have no way to know that until later down the pipeline.
                     expanded_arg_locs += arg_loc.locations
-                else:
+                elif isinstance(arg_loc, (SimRegArg, SimStackArg, SimReferenceArgument)):
                     expanded_arg_locs.append(arg_loc)
+                else:
+                    raise NotImplementedError("Not implemented yet.")
 
             for arg_loc in expanded_arg_locs:
+                if isinstance(arg_loc, SimReferenceArgument):
+                    if not isinstance(arg_loc.ptr_loc, (SimRegArg, SimStackArg)):
+                        raise NotImplementedError("Why would a calling convention produce this?")
+                    if isinstance(arg_loc.main_loc, SimStructArg):
+                        dereference_size = arg_loc.main_loc.struct.size // self.project.arch.byte_width
+                    else:
+                        dereference_size = arg_loc.main_loc.size
+                    arg_loc = arg_loc.ptr_loc
+                else:
+                    dereference_size = None
+
                 if isinstance(arg_loc, SimRegArg):
                     size = arg_loc.size
                     offset = arg_loc.check_offset(cc.arch)
@@ -202,7 +215,7 @@ class CallSiteMaker(Analysis):
                                 vvar_use,
                                 **vvar_use.tags,
                             )
-                        args.append(vvar_use)
+                        arg_expr = vvar_use
                     else:
                         reg = Expr.Register(
                             self._atom_idx(),
@@ -212,20 +225,17 @@ class CallSiteMaker(Analysis):
                             reg_name=arg_loc.reg_name,
                             ins_addr=last_stmt.ins_addr,
                         )
-                        args.append(reg)
+                        arg_expr = reg
                 elif isinstance(arg_loc, SimStackArg):
                     stack_arg_locs.append(arg_loc)
                     _, the_arg = self._resolve_stack_argument(call_stmt, arg_loc)
-
-                    if the_arg is not None:
-                        args.append(the_arg)
-                    else:
-                        args.append(None)
-                elif isinstance(arg_loc, SimStructArg):
-                    l.warning("SimStructArg is not yet supported")
-
+                    arg_expr = the_arg if the_arg is not None else None
                 else:
-                    raise NotImplementedError("Not implemented yet.")
+                    assert False, "Unreachable"
+
+                if arg_expr is not None and dereference_size is not None:
+                    arg_expr = Expr.Load(self._atom_idx(), arg_expr, dereference_size, endness=archinfo.Endness.BE)
+                args.append(arg_expr)
 
         # Remove the old call statement
         new_stmts = self.block.statements[:-1]

angr/analyses/decompiler/clinic.py

@@ -1197,10 +1197,10 @@ class Clinic(Analysis):
                 prototype_libname = func.prototype_libname
                 type_collections = []
                 if prototype_libname is not None:
-                    prototype_lib = SIM_LIBRARIES[prototype_libname]
-                    if prototype_lib.type_collection_names:
-                        for typelib_name in prototype_lib.type_collection_names:
-                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                    for prototype_lib in SIM_LIBRARIES[prototype_libname]:
+                        if prototype_lib.type_collection_names:
+                            for typelib_name in prototype_lib.type_collection_names:
+                                type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
                 if type_collections:
                     prototype = dereference_simtype(prototype, type_collections).with_arch(  # type: ignore
                         self.project.arch

angr/analyses/decompiler/condition_processor.py

@@ -961,27 +961,6 @@ class ConditionProcessor:
         sympy_expr = ConditionProcessor.claripy_ast_to_sympy_expr(cond, memo=memo)
         return ConditionProcessor.sympy_expr_to_claripy_ast(sympy.simplify_logic(sympy_expr, deep=False), memo)
 
-    @staticmethod
-    def simplify_condition_deprecated(cond):
-        # Z3's simplification may yield weird and unreadable results
-        # hence we mostly rely on our own simplification. we only use Z3's simplification results when it returns a
-        # concrete value.
-        claripy_simplified = claripy.simplify(cond)
-        if not claripy_simplified.symbolic:
-            return claripy_simplified
-
-        simplified = ConditionProcessor._fold_double_negations(cond)
-        cond = simplified if simplified is not None else cond
-        simplified = ConditionProcessor._revert_short_circuit_conditions(cond)
-        cond = simplified if simplified is not None else cond
-        simplified = ConditionProcessor._extract_common_subexpressions(cond)
-        cond = simplified if simplified is not None else cond
-        # simplified = ConditionProcessor._remove_redundant_terms(cond)
-        # cond = simplified if simplified is not None else cond
-        # in the end, use claripy's simplification to handle really easy cases again
-        simplified = ConditionProcessor._simplify_trivial_cases(cond)
-        return simplified if simplified is not None else cond
-
     @staticmethod
     def _simplify_trivial_cases(cond):
         if cond.op == "And":

angr/analyses/decompiler/counters/call_counter.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 from typing import TYPE_CHECKING
 
 from ailment import Block
+from ailment.statement import Label
 from ailment.block_walker import AILBlockWalkerBase
 
 from angr.analyses.decompiler.sequence_walker import SequenceWalker
@@ -37,8 +38,10 @@ class AILCallCounter(SequenceWalker):
         }
         super().__init__(handlers)
         self.calls = 0
+        self.non_label_stmts = 0
 
     def _handle_Block(self, node: Block, **kwargs):  # pylint:disable=unused-argument
         ctr = AILBlockCallCounter()
         ctr.walk(node)
         self.calls += ctr.calls
+        self.non_label_stmts += sum(1 for stmt in node.statements if not isinstance(stmt, Label))

angr/analyses/decompiler/optimization_passes/const_prop_reverter.py

@@ -66,7 +66,7 @@ class PairAILBlockWalker:
         def _handle_call_expr(expr_idx: int, expr: Call, stmt_idx: int, stmt: Statement, block_):
             walked_objs[Call].add(expr)
 
-        _stmt_handlers = {typ: _handle_ail_obj for typ in walked_objs}
+        _stmt_handlers = dict.fromkeys(walked_objs, _handle_ail_obj)
         walker.stmt_handlers = _stmt_handlers
         walker.expr_handlers[Call] = _handle_call_expr
 

angr/analyses/decompiler/peephole_optimizations/remove_redundant_conversions.py

@@ -164,6 +164,20 @@ class RemoveRedundantConversions(PeepholeOptimizationExprBase):
                                 **expr.tags,
                             )
 
+        # simpler cases
+        # (A & mask) & mask  ==>  A & mask
+        if (
+            expr.op == "And"
+            and isinstance(expr.operands[1], Const)
+            and isinstance(expr.operands[0], BinaryOp)
+            and expr.operands[0].op == "And"
+        ):
+            inner_op0, inner_op1 = expr.operands[0].operands
+            if (isinstance(inner_op0, Const) and inner_op0.value == expr.operands[1].value) or (
+                isinstance(inner_op1, Const) and inner_op1.value == expr.operands[1].value
+            ):
+                return expr.operands[0]
+
         return None
 
     @staticmethod

angr/analyses/decompiler/structured_codegen/c.py

@@ -1281,11 +1281,11 @@ class CFunctionCall(CStatement, CExpression):
             if self.callee_func.prototype_libname is not None:
                 # we need to deref the prototype in case it uses SimTypeRef internally
                 type_collections = []
-                prototype_lib = SIM_LIBRARIES[self.callee_func.prototype_libname]
-                if prototype_lib.type_collection_names:
-                    for typelib_name in prototype_lib.type_collection_names:
-                        type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
-                    proto = dereference_simtype(proto, type_collections)
+                for prototype_lib in SIM_LIBRARIES[self.callee_func.prototype_libname]:
+                    if prototype_lib.type_collection_names:
+                        for typelib_name in prototype_lib.type_collection_names:
+                            type_collections.append(SIM_TYPE_COLLECTIONS[typelib_name])
+                proto = dereference_simtype(proto, type_collections)
             return proto
         returnty = SimTypeInt(signed=False)
         return SimTypeFunction([arg.type for arg in self.args], returnty).with_arch(self.codegen.project.arch)

angr/analyses/decompiler/structuring/phoenix.py

@@ -90,6 +90,7 @@ class PhoenixStructurer(StructurerBase):
         parent_region=None,
         improve_algorithm=False,
         use_multistmtexprs: MultiStmtExprMode = MultiStmtExprMode.MAX_ONE_CALL,
+        multistmtexpr_stmt_threshold: int = 5,
         **kwargs,
     ):
         super().__init__(
@@ -126,6 +127,7 @@ class PhoenixStructurer(StructurerBase):
         self._edge_virtualization_hints = []
 
         self._use_multistmtexprs = use_multistmtexprs
+        self._multistmtexpr_stmt_threshold = multistmtexpr_stmt_threshold
         self._analyze()
 
     @staticmethod
@@ -540,7 +542,11 @@ class PhoenixStructurer(StructurerBase):
                             ):
                                 stmts = self._build_multistatementexpr_statements(succ)
                                 assert stmts is not None
-                                if stmts:
+                                if (
+                                    stmts
+                                    and sum(1 for stmt in stmts if not isinstance(stmt, Label))
+                                    <= self._multistmtexpr_stmt_threshold
+                                ):
                                     edge_cond_succhead = MultiStatementExpression(
                                         None,
                                         stmts,
@@ -2612,12 +2618,14 @@ class PhoenixStructurer(StructurerBase):
         if self._use_multistmtexprs == MultiStmtExprMode.NEVER:
             return False
         if self._use_multistmtexprs == MultiStmtExprMode.ALWAYS:
-            return True
+            ctr = AILCallCounter()
+            ctr.walk(node)
+            return ctr.non_label_stmts <= self._multistmtexpr_stmt_threshold
         if self._use_multistmtexprs == MultiStmtExprMode.MAX_ONE_CALL:
             # count the number of calls
             ctr = AILCallCounter()
             ctr.walk(node)
-            return ctr.calls <= 1
+            return ctr.calls <= 1 and ctr.non_label_stmts <= self._multistmtexpr_stmt_threshold
         l.warning("Unsupported enum value for _use_multistmtexprs: %s", self._use_multistmtexprs)
         return False
 

angr/analyses/deobfuscator/api_obf_finder.py

@@ -315,7 +315,11 @@ class APIObfuscationFinder(Analysis):
 
     @staticmethod
     def is_apiname(name: str) -> bool:
-        return any(not isinstance(lib, SimSyscallLibrary) and lib.has_prototype(name) for lib in SIM_LIBRARIES.values())
+        return any(
+            not isinstance(lib, SimSyscallLibrary) and lib.has_prototype(name)
+            for libs in SIM_LIBRARIES.values()
+            for lib in libs
+        )
 
 
 AnalysesHub.register_default("APIObfuscationFinder", APIObfuscationFinder)

angr/analyses/deobfuscator/api_obf_peephole_optimizer.py

@@ -30,7 +30,7 @@ class APIObfType1PeepholeOptimizer(PeepholeOptimizationExprBase):
                 # assign a new function on-demand
                 symbol = self.project.loader.extern_object.make_extern(funcname)
                 hook_addr = self.project.hook_symbol(
-                    symbol.rebased_addr, SIM_LIBRARIES["linux"].get_stub(funcname, self.project.arch)
+                    symbol.rebased_addr, SIM_LIBRARIES["linux"][0].get_stub(funcname, self.project.arch)
                 )
                 func = self.kb.functions.function(addr=hook_addr, name=funcname, create=True)
                 func.is_simprocedure = True