angr 9.2.147__py3-none-manylinux2014_x86_64.whl → 9.2.149__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py

@@ -29,7 +29,7 @@ class WinStackCanarySimplifier(OptimizationPass):
     PLATFORMS = ["windows"]
     STAGE = OptimizationPassStage.AFTER_SINGLE_BLOCK_SIMPLIFICATION
     NAME = "Simplify stack canaries in Windows PE files"
-    DESCRIPTION = __doc__.strip()
+    DESCRIPTION = __doc__.strip()  # type:ignore
 
     def __init__(self, func, **kwargs):
         super().__init__(func, **kwargs)
@@ -63,19 +63,16 @@ class WinStackCanarySimplifier(OptimizationPass):
         first_block, canary_init_stmt_ids = init_stmts
         canary_init_stmt = first_block.statements[canary_init_stmt_ids[-1]]
         # where is the stack canary stored?
-        if not isinstance(canary_init_stmt, ailment.Stmt.Store) or not isinstance(
-            canary_init_stmt.addr, ailment.Expr.StackBaseOffset
-        ):
+        if not isinstance(canary_init_stmt, ailment.Stmt.Store):
+            return
+        store_offset = self._get_bp_offset(canary_init_stmt.addr, canary_init_stmt.ins_addr)
+        if store_offset is None:
             _l.debug(
-                "Unsupported canary storing location %s. Expects an ailment.Expr.StackBaseOffset.",
+                "Unsupported canary storing location %s. Expects a StackBaseOffset or (bp - Const).",
                 canary_init_stmt.addr,
             )
             return
 
-        store_offset = canary_init_stmt.addr.offset
-        if not isinstance(store_offset, int):
-            _l.debug("Unsupported canary storing offset %s. Expects an int.", store_offset)
-
         # The function should have at least one end point calling _security_check_cookie
         # note that (at least for now) we rely on FLIRT to identify the _security_check_cookie function inside the
         # binary.
@@ -154,17 +151,42 @@ class WinStackCanarySimplifier(OptimizationPass):
                 store_offset, canary_init_stmt.size, "canary", StackItemType.STACK_CANARY
             )
 
-    def _find_canary_init_stmt(self):
+    def _find_canary_init_stmt(self) -> tuple[ailment.Block, list[int]] | None:
         first_block = self._get_block(self._func.addr)
         if first_block is None:
             return None
 
+        r = self._extract_canary_init_stmt_from_block(first_block)
+        if r is not None:
+            return first_block, r
+
+        # if the first block is calling alloca_probe, we may want to take the second block instead
+        if (
+            first_block.statements
+            and first_block.original_size > 0
+            and isinstance(first_block.statements[-1], ailment.statement.Call)
+            and isinstance(first_block.statements[-1].target, ailment.expression.Const)
+        ):
+            # check if the target is alloca_probe
+            callee_addr = first_block.statements[-1].target.value
+            if (
+                self.kb.functions.contains_addr(callee_addr)
+                and self.kb.functions.get_by_addr(callee_addr).info.get("is_alloca_probe", False) is True
+            ):
+                second_block = self._get_block(first_block.addr + first_block.original_size)
+                if second_block is not None:
+                    r = self._extract_canary_init_stmt_from_block(second_block)
+                    if r is not None:
+                        return second_block, r
+        return None
+
+    def _extract_canary_init_stmt_from_block(self, block: ailment.Block) -> list[int] | None:
         load_stmt_idx = None
         load_reg = None
         xor_stmt_idx = None
         xored_reg = None
 
-        for idx, stmt in enumerate(first_block.statements):
+        for idx, stmt in enumerate(block.statements):
             # if we are lucky and things get folded into one statement:
             if (
                 isinstance(stmt, ailment.Stmt.Store)
@@ -178,7 +200,7 @@ class WinStackCanarySimplifier(OptimizationPass):
                 # Check addr: must be __security_cookie
                 load_addr = stmt.data.operands[0].addr.value
                 if load_addr == self._security_cookie_addr:
-                    return first_block, [idx]
+                    return [idx]
             # or if we are unlucky and the load and the xor are two different statements
             if (
                 isinstance(stmt, ailment.Stmt.Assignment)
@@ -191,33 +213,48 @@ class WinStackCanarySimplifier(OptimizationPass):
                 if load_addr == self._security_cookie_addr:
                     load_stmt_idx = idx
                     load_reg = stmt.dst.reg_offset
-            if load_stmt_idx is not None and idx == load_stmt_idx + 1:
+            if load_stmt_idx is not None and xor_stmt_idx is None and idx >= load_stmt_idx + 1:  # noqa:SIM102
                 if (
                     isinstance(stmt, ailment.Stmt.Assignment)
                     and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
                     and stmt.dst.was_reg
+                    and not self.project.arch.is_artificial_register(stmt.dst.reg_offset, stmt.dst.size)
                     and isinstance(stmt.src, ailment.Expr.BinaryOp)
                     and stmt.src.op == "Xor"
                     and isinstance(stmt.src.operands[0], ailment.Expr.VirtualVariable)
                     and stmt.src.operands[0].was_reg
                     and stmt.src.operands[0].reg_offset == load_reg
-                    and isinstance(stmt.src.operands[1], ailment.Expr.StackBaseOffset)
+                    and (
+                        isinstance(stmt.src.operands[1], ailment.Expr.StackBaseOffset)
+                        or (
+                            isinstance(stmt.src.operands[1], ailment.Expr.VirtualVariable)
+                            and stmt.src.operands[1].was_reg
+                            and stmt.src.operands[1].reg_offset == self.project.arch.registers["ebp"][0]
+                        )
+                    )
                 ):
                     xor_stmt_idx = idx
                     xored_reg = stmt.dst.reg_offset
-                else:
-                    break
-            if xor_stmt_idx is not None and idx == xor_stmt_idx + 1:
+            if load_stmt_idx is not None and xor_stmt_idx is not None and idx == xor_stmt_idx + 1:
                 if (
                     isinstance(stmt, ailment.Stmt.Store)
-                    and isinstance(stmt.addr, ailment.Expr.StackBaseOffset)
+                    and (
+                        isinstance(stmt.addr, ailment.Expr.StackBaseOffset)
+                        or (
+                            isinstance(stmt.addr, ailment.Expr.BinaryOp)
+                            and stmt.addr.op == "Sub"
+                            and isinstance(stmt.addr.operands[0], ailment.Expr.VirtualVariable)
+                            and stmt.addr.operands[0].was_reg
+                            and stmt.addr.operands[0].reg_offset == self.project.arch.registers["ebp"][0]
+                            and isinstance(stmt.addr.operands[1], ailment.Expr.Const)
+                        )
+                    )
                     and isinstance(stmt.data, ailment.Expr.VirtualVariable)
                     and stmt.data.was_reg
                     and stmt.data.reg_offset == xored_reg
                 ):
-                    return first_block, [load_stmt_idx, xor_stmt_idx, idx]
+                    return [load_stmt_idx, xor_stmt_idx, idx]
                 break
-
         return None
 
     def _find_amd64_canary_storing_stmt(self, block, canary_value_stack_offset):
@@ -275,6 +312,7 @@ class WinStackCanarySimplifier(OptimizationPass):
 
     def _find_x86_canary_storing_stmt(self, block, canary_value_stack_offset):
         load_stmt_idx = None
+        canary_reg_dst_offset = None
 
         for idx, stmt in enumerate(block.statements):
             # when we are lucky, we have one instruction
@@ -283,7 +321,7 @@ class WinStackCanarySimplifier(OptimizationPass):
                     isinstance(stmt, ailment.Stmt.Assignment)
                     and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
                     and stmt.dst.was_reg
-                    and stmt.dst.reg_offset == self.project.arch.registers["eax"][0]
+                    and not self.project.arch.is_artificial_register(stmt.dst.reg_offset, stmt.dst.size)
                 )
                 and isinstance(stmt.src, ailment.Expr.BinaryOp)
                 and stmt.src.op == "Xor"
@@ -291,8 +329,7 @@ class WinStackCanarySimplifier(OptimizationPass):
                 op0, op1 = stmt.src.operands
                 if (
                     isinstance(op0, ailment.Expr.Load)
-                    and isinstance(op0.addr, ailment.Expr.StackBaseOffset)
-                    and op0.addr.offset == canary_value_stack_offset
+                    and self._get_bp_offset(op0.addr, stmt.ins_addr) == canary_value_stack_offset
                 ) and isinstance(op1, ailment.Expr.StackBaseOffset):
                     # found it
                     return idx
@@ -300,12 +337,12 @@ class WinStackCanarySimplifier(OptimizationPass):
             if (
                 isinstance(stmt, ailment.Stmt.Assignment)
                 and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
-                and stmt.dst.reg_offset == self.project.arch.registers["eax"][0]
+                and not self.project.arch.is_artificial_register(stmt.dst.reg_offset, stmt.dst.size)
                 and isinstance(stmt.src, ailment.Expr.Load)
-                and isinstance(stmt.src.addr, ailment.Expr.StackBaseOffset)
-                and stmt.src.addr.offset == canary_value_stack_offset
+                and self._get_bp_offset(stmt.src.addr, stmt.ins_addr) == canary_value_stack_offset
             ):
                 load_stmt_idx = idx
+                canary_reg_dst_offset = stmt.dst.reg_offset
             if (
                 load_stmt_idx is not None
                 and idx >= load_stmt_idx + 1
@@ -313,19 +350,49 @@ class WinStackCanarySimplifier(OptimizationPass):
                     isinstance(stmt, ailment.Stmt.Assignment)
                     and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
                     and stmt.dst.was_reg
+                    and not self.project.arch.is_artificial_register(stmt.dst.reg_offset, stmt.dst.size)
                     and isinstance(stmt.src, ailment.Expr.BinaryOp)
                     and stmt.src.op == "Xor"
                 )
                 and (
                     isinstance(stmt.src.operands[0], ailment.Expr.VirtualVariable)
                     and stmt.src.operands[0].was_reg
-                    and stmt.src.operands[0].reg_offset == self.project.arch.registers["eax"][0]
-                    and isinstance(stmt.src.operands[1], ailment.Expr.StackBaseOffset)
+                    and stmt.src.operands[0].reg_offset == canary_reg_dst_offset
+                    and self._get_bp_offset(stmt.src.operands[1], stmt.ins_addr) is not None
                 )
             ):
                 return idx
         return None
 
+    def _get_bp_offset(self, expr: ailment.Expr.Expression, ins_addr: int) -> int | None:
+        if isinstance(expr, ailment.Expr.StackBaseOffset):
+            return expr.offset
+        if (
+            isinstance(expr, ailment.Expr.VirtualVariable)
+            and expr.was_reg
+            and expr.reg_offset == self.project.arch.bp_offset
+        ):
+            if self._stack_pointer_tracker is None:
+                return None
+            return self._stack_pointer_tracker.offset_before(ins_addr, self.project.arch.bp_offset)
+        if (
+            isinstance(expr, ailment.Expr.BinaryOp)
+            and expr.op == "Sub"
+            and isinstance(expr.operands[0], ailment.Expr.VirtualVariable)
+            and expr.operands[0].was_reg
+            and expr.operands[0].reg_offset == self.project.arch.bp_offset
+            and isinstance(expr.operands[1], ailment.Expr.Const)
+        ):
+            if self._stack_pointer_tracker is None:
+                return None
+            base_bp_offset = self._stack_pointer_tracker.offset_before(ins_addr, self.project.arch.bp_offset)
+            if base_bp_offset is None:
+                return None
+            bp_off = base_bp_offset - expr.operands[1].value
+            mask = 0xFFFF_FFFF if self.project.arch.bits == 32 else 0xFFFF_FFFF_FFFF_FFFF
+            return bp_off & mask
+        return None
+
     @staticmethod
     def _find_return_addr_storing_stmt(block):
         for idx, stmt in enumerate(block.statements):
@@ -339,11 +406,13 @@ class WinStackCanarySimplifier(OptimizationPass):
         return None
 
     def _find_stmt_calling_security_check_cookie(self, node):
+        assert self._security_cookie_addr is not None
         for idx, stmt in enumerate(node.statements):
             if isinstance(stmt, ailment.Stmt.Call) and isinstance(stmt.target, ailment.Expr.Const):
                 const_target = stmt.target.value
-                if const_target in self.kb.functions:
-                    func = self.kb.functions.function(addr=const_target)
+                if self.kb.functions.contains_addr(const_target):
+                    func = self.kb.functions.get_by_addr(const_target)
+                    assert func is not None
                     if func.name == "_security_check_cookie" or is_function_security_check_cookie(
                         func, self.project, self._security_cookie_addr
                     ):

angr/analyses/decompiler/peephole_optimizations/__init__.py

@@ -48,6 +48,9 @@ from .inlined_wstrcpy import InlinedWstrcpy
 from .cmpord_rewriter import CmpORDRewriter
 from .coalesce_adjacent_shrs import CoalesceAdjacentShiftRights
 from .a_mul_const_sub_a import AMulConstSubA
+from .rewrite_cxx_operator_calls import RewriteCxxOperatorCalls
+from .remove_cxx_destructor_calls import RemoveCxxDestructorCalls
+from .rewrite_conv_mul import RewriteConvMul
 from .base import PeepholeOptimizationExprBase, PeepholeOptimizationStmtBase, PeepholeOptimizationMultiStmtBase
 
 
@@ -100,6 +103,9 @@ ALL_PEEPHOLE_OPTS: list[type[PeepholeOptimizationExprBase]] = [
     CmpORDRewriter,
     CoalesceAdjacentShiftRights,
     ShlToMul,
+    RewriteCxxOperatorCalls,
+    RemoveCxxDestructorCalls,
+    RewriteConvMul,
 ]
 
 MULTI_STMT_OPTS: list[type[PeepholeOptimizationMultiStmtBase]] = [

angr/analyses/decompiler/peephole_optimizations/base.py

@@ -4,6 +4,7 @@ from ailment.statement import Statement, Assignment
 from ailment import Block
 from angr.project import Project
 from angr.knowledge_base import KnowledgeBase
+from angr.knowledge_plugins.key_definitions import atoms
 
 
 class PeepholeOptimizationStmtBase:
@@ -14,20 +15,33 @@ class PeepholeOptimizationStmtBase:
     __slots__ = (
         "func_addr",
         "kb",
+        "preserve_vvar_ids",
         "project",
+        "type_hints",
     )
     project: Project | None
     kb: KnowledgeBase | None
     func_addr: int | None
+    preserve_vvar_ids: set[int]
+    type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]]
 
     NAME = "Peephole Optimization - Statement"
     DESCRIPTION = "Peephole Optimization - Statement"
     stmt_classes = None
 
-    def __init__(self, project: Project | None, kb: KnowledgeBase | None, func_addr: int | None = None):
+    def __init__(
+        self,
+        project: Project | None,
+        kb: KnowledgeBase | None,
+        func_addr: int | None = None,
+        preserve_vvar_ids: set[int] | None = None,
+        type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]] | None = None,
+    ):
         self.project = project
         self.kb = kb
         self.func_addr = func_addr
+        self.preserve_vvar_ids = set() if preserve_vvar_ids is None else preserve_vvar_ids
+        self.type_hints = [] if type_hints is None else type_hints
 
     def optimize(self, stmt, stmt_idx: int | None = None, block=None, **kwargs):
         raise NotImplementedError("_optimize() is not implemented.")
@@ -41,20 +55,33 @@ class PeepholeOptimizationMultiStmtBase:
     __slots__ = (
         "func_addr",
         "kb",
+        "preserve_vvar_ids",
         "project",
+        "type_hints",
     )
     project: Project | None
     kb: KnowledgeBase | None
     func_addr: int | None
+    preserve_vvar_ids: set[int]
+    type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]]
 
     NAME = "Peephole Optimization - Multi-statement"
     DESCRIPTION = "Peephole Optimization - Multi-statement"
     stmt_classes = None
 
-    def __init__(self, project: Project | None, kb: KnowledgeBase | None, func_addr: int | None = None):
+    def __init__(
+        self,
+        project: Project | None,
+        kb: KnowledgeBase | None,
+        func_addr: int | None = None,
+        preserve_vvar_ids: set[int] | None = None,
+        type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]] | None = None,
+    ):
         self.project = project
         self.kb = kb
         self.func_addr = func_addr
+        self.preserve_vvar_ids = set() if preserve_vvar_ids is None else preserve_vvar_ids
+        self.type_hints = [] if type_hints is None else type_hints
 
     def optimize(self, stmts: list[Statement], stmt_idx: int | None = None, block=None, **kwargs):
         raise NotImplementedError("_optimize() is not implemented.")
@@ -68,20 +95,33 @@ class PeepholeOptimizationExprBase:
     __slots__ = (
         "func_addr",
         "kb",
+        "preserve_vvar_ids",
         "project",
+        "type_hints",
     )
     project: Project | None
     kb: KnowledgeBase | None
     func_addr: int | None
+    preserve_vvar_ids: set[int]
+    type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]]
 
     NAME = "Peephole Optimization - Expression"
     DESCRIPTION = "Peephole Optimization - Expression"
     expr_classes = None
 
-    def __init__(self, project: Project | None, kb: KnowledgeBase | None, func_addr: int | None = None):
+    def __init__(
+        self,
+        project: Project | None,
+        kb: KnowledgeBase | None,
+        func_addr: int | None = None,
+        preserve_vvar_ids: set[int] | None = None,
+        type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]] | None = None,
+    ):
         self.project = project
         self.kb = kb
         self.func_addr = func_addr
+        self.preserve_vvar_ids = set() if preserve_vvar_ids is None else preserve_vvar_ids
+        self.type_hints = [] if type_hints is None else type_hints
 
     def optimize(self, expr, **kwargs):
         raise NotImplementedError("_optimize() is not implemented.")

angr/analyses/decompiler/peephole_optimizations/constant_derefs.py

@@ -16,7 +16,7 @@ class ConstantDereferences(PeepholeOptimizationExprBase):
     expr_classes = (Load,)
 
     def optimize(self, expr: Load, **kwargs):
-        if isinstance(expr.addr, Const):
+        if isinstance(expr.addr, Const) and expr.size in {1, 2, 4, 8, 10, 16, 32, 64, 128, 256}:
             # is it loading from a read-only section?
             sec = self.project.loader.find_section_containing(expr.addr.value)
             if sec is not None and sec.is_readable and (not sec.is_writable or "got" in sec.name):

angr/analyses/decompiler/peephole_optimizations/inlined_strcpy.py

@@ -7,6 +7,7 @@ from archinfo import Endness
 from ailment.expression import Const, StackBaseOffset, VirtualVariable
 from ailment.statement import Call, Assignment
 
+from angr import SIM_LIBRARIES
 from angr.utils.endness import ail_const_to_be
 from .base import PeepholeOptimizationStmtBase
 
@@ -44,6 +45,7 @@ class InlinedStrcpy(PeepholeOptimizationStmtBase):
                         Const(None, None, str_id, self.project.arch.bits, custom_string=True),
                         Const(None, None, len(s), self.project.arch.bits),
                     ],
+                    prototype=SIM_LIBRARIES["libc.so"][0].get_prototype("strncpy"),
                     **stmt.tags,
                 )
 
@@ -85,6 +87,7 @@ class InlinedStrcpy(PeepholeOptimizationStmtBase):
                                 Const(None, None, str_id, self.project.arch.bits, custom_string=True),
                                 Const(None, None, len(s), self.project.arch.bits),
                             ],
+                            prototype=SIM_LIBRARIES["libc.so"][0].get_prototype("strncpy"),
                             **stmt.tags,
                         )
 

angr/analyses/decompiler/peephole_optimizations/inlined_strcpy_consolidation.py

@@ -4,6 +4,7 @@ from __future__ import annotations
 from ailment.expression import Expression, BinaryOp, Const, Register, StackBaseOffset
 from ailment.statement import Call, Store
 
+from angr import SIM_LIBRARIES
 from .base import PeepholeOptimizationMultiStmtBase
 from .inlined_strcpy import InlinedStrcpy
 
@@ -58,6 +59,7 @@ class InlinedStrcpyConsolidation(PeepholeOptimizationMultiStmtBase):
                         last_stmt.args[0],
                         Const(None, None, new_str_idx, last_stmt.args[0].bits, custom_string=True),
                     ]
+                    prototype = SIM_LIBRARIES["libc.so"][0].get_prototype("strcpy")
                 else:
                     call_name = "strncpy"
                     new_str_idx = self.kb.custom_strings.allocate(new_str)
@@ -66,8 +68,9 @@ class InlinedStrcpyConsolidation(PeepholeOptimizationMultiStmtBase):
                         Const(None, None, new_str_idx, last_stmt.args[0].bits, custom_string=True),
                         Const(None, None, len(new_str), self.project.arch.bits),
                     ]
+                    prototype = SIM_LIBRARIES["libc.so"][0].get_prototype("strncpy")
 
-                return [Call(stmt.idx, call_name, args=args, **stmt.tags)]
+                return [Call(stmt.idx, call_name, args=args, prototype=prototype, **stmt.tags)]
 
         return None
 

angr/analyses/decompiler/peephole_optimizations/remove_cxx_destructor_calls.py

@@ -0,0 +1,32 @@
+# pylint:disable=arguments-differ
+from __future__ import annotations
+
+from ailment.expression import Const
+from ailment.statement import Call
+
+from .base import PeepholeOptimizationStmtBase
+
+
+class RemoveCxxDestructorCalls(PeepholeOptimizationStmtBase):
+    """
+    Rewrite C++ operator function calls into operations.
+    """
+
+    __slots__ = ()
+
+    NAME = "Remove C++ destructor function calls"
+    stmt_classes = (Call,)
+
+    def optimize(self, stmt: Call, **kwargs) -> tuple | None:  # type:ignore
+        # are we calling a function that we deem as a C++ destructor?
+        assert self.project is not None
+
+        if isinstance(stmt.target, Const):
+            func_addr = stmt.target.value
+            if not self.project.kb.functions.contains_addr(func_addr):
+                return None
+            func = self.project.kb.functions[func_addr]
+            if "::~" in func.demangled_name and stmt.args is not None:
+                # yes it is!
+                return ()
+        return None

angr/analyses/decompiler/peephole_optimizations/remove_redundant_bitmasks.py

@@ -20,10 +20,19 @@ class RemoveRedundantBitmasks(PeepholeOptimizationExprBase):
     __slots__ = ()
 
     NAME = "Remove redundant bitmasks"
-    expr_classes = (BinaryOp,)
+    expr_classes = (BinaryOp, Convert)
 
-    def optimize(self, expr: BinaryOp, **kwargs):
+    def optimize(self, expr: BinaryOp | Convert, **kwargs):
+
+        if isinstance(expr, BinaryOp):
+            return self._optimize_BinaryOp(expr)
+        if isinstance(expr, Convert):
+            return RemoveRedundantBitmasks._optimize_Convert(expr)
+        return None
+
+    def _optimize_BinaryOp(self, expr: BinaryOp):
         # And(expr, full_N_bitmask) ==> expr
+        # And(SHR(expr, N), bitmask)) ==> SHR(expr, N)
         # And(Conv(1->N, expr), bitmask) ==> Conv(1->N, expr)
         # And(Conv(1->N, bool_expr), bitmask) ==> Conv(1->N, bool_expr)
         # And(ITE(?, const_expr, const_expr), bitmask) ==> ITE(?, const_expr, const_expr)
@@ -31,6 +40,17 @@ class RemoveRedundantBitmasks(PeepholeOptimizationExprBase):
             inner_expr = expr.operands[0]
             if expr.operands[1].value == _MASKS.get(inner_expr.bits, None):
                 return inner_expr
+
+            if isinstance(inner_expr, BinaryOp) and inner_expr.op == "Shr":
+                mask = expr.operands[1]
+                shift_val = inner_expr.operands[1]
+                if (
+                    isinstance(shift_val, Const)
+                    and shift_val.value in _MASKS
+                    and mask.value == _MASKS.get(int(64 - shift_val.value), None)
+                ):
+                    return inner_expr
+
             if isinstance(inner_expr, Convert) and self.is_bool_expr(inner_expr.operand):
                 # useless masking
                 return inner_expr
@@ -47,3 +67,50 @@ class RemoveRedundantBitmasks(PeepholeOptimizationExprBase):
                     return ite
 
         return None
+
+    @staticmethod
+    def _optimize_Convert(expr: Convert):
+        # Conv(64->32, (expr & bitmask) + expr)
+        # => Conv(64->32, (expr + expr))
+        if (
+            expr.op == "Convert"
+            and expr.from_bits > expr.to_bits
+            and isinstance(expr.operand, BinaryOp)
+            and expr.operand.op == "Add"
+        ):
+            operand_expr = expr.operand
+            op0, op1 = operand_expr.operands
+            if (
+                isinstance(op0, BinaryOp)
+                and op0.op == "And"
+                and isinstance(op0.operands[1], Const)
+                and op0.operands[1].value == _MASKS.get(expr.to_bits, None)
+            ):
+                new_op0 = op0.operands[0]
+                replaced, new_operand_expr = operand_expr.replace(op0, new_op0)
+                if replaced:
+                    expr.operand = new_operand_expr
+                    return expr
+        # Conv(64->32, (expr) - (expr) & 0xffffffff<64>)))
+        # => Conv(64->32, (expr - expr))
+        elif (
+            expr.op == "Convert"
+            and expr.from_bits > expr.to_bits
+            and isinstance(expr.operand, BinaryOp)
+            and expr.operand.op == "Sub"
+        ):
+            operand_expr = expr.operand
+            op0, op1 = operand_expr.operands
+            if (
+                isinstance(op1, BinaryOp)
+                and op1.op == "And"
+                and isinstance(op1.operands[1], Const)
+                and op1.operands[1].value == _MASKS.get(expr.to_bits, None)
+            ):
+                new_op1 = op1.operands[0]
+                replaced, new_operand_expr = operand_expr.replace(op1, new_op1)
+                if replaced:
+                    expr.operand = new_operand_expr
+                    return expr
+
+        return None

angr/analyses/decompiler/peephole_optimizations/remove_redundant_conversions.py

@@ -164,6 +164,20 @@ class RemoveRedundantConversions(PeepholeOptimizationExprBase):
                                 **expr.tags,
                             )
 
+        # simpler cases
+        # (A & mask) & mask  ==>  A & mask
+        if (
+            expr.op == "And"
+            and isinstance(expr.operands[1], Const)
+            and isinstance(expr.operands[0], BinaryOp)
+            and expr.operands[0].op == "And"
+        ):
+            inner_op0, inner_op1 = expr.operands[0].operands
+            if (isinstance(inner_op0, Const) and inner_op0.value == expr.operands[1].value) or (
+                isinstance(inner_op1, Const) and inner_op1.value == expr.operands[1].value
+            ):
+                return expr.operands[0]
+
         return None
 
     @staticmethod

angr/analyses/decompiler/peephole_optimizations/rewrite_conv_mul.py

@@ -0,0 +1,40 @@
+from __future__ import annotations
+from ailment.expression import BinaryOp, Const, Convert
+
+from .base import PeepholeOptimizationExprBase
+
+
+class RewriteConvMul(PeepholeOptimizationExprBase):
+    """
+    Rewrites multiplication to be inside conversion.
+    """
+
+    __slots__ = ()
+
+    NAME = "Rewrite Conv Mul"
+    expr_classes = (BinaryOp,)
+
+    # Conv(64->32, (Conv(32->64, expr) * N<64>)) * N<32>)
+    # => Conv(64->32, (Conv(32->64, expr) * N<64>) * Conv(32->64,N<32>))
+    def optimize(self, expr: BinaryOp, **kwargs):
+        if (
+            expr.op == "Mul"
+            and isinstance(expr.operands[1], Const)
+            and expr.operands[1].bits == 32
+            and isinstance(expr.operands[0], Convert)
+            and expr.operands[0].from_bits > expr.operands[0].to_bits
+        ):
+            op0, op1 = expr.operands
+            operand_expr = op0.operand
+            if (
+                isinstance(operand_expr, BinaryOp)
+                and operand_expr.op == "Mul"
+                and isinstance(operand_expr.operands[1], Const)
+                and operand_expr.operands[1].bits == 64
+            ):
+                new_op1 = Convert(op1.idx, op1.bits, op0.from_bits, False, op1, **op1.tags)
+                new_op0 = op0.operand
+                new_expr = BinaryOp(expr.idx, "Mul", [new_op0, new_op1], expr.signed, **expr.tags)
+                return Convert(new_expr.idx, op0.from_bits, op0.to_bits, False, new_expr, **expr.tags)
+
+        return None