angr 9.2.147__py3-none-win_amd64.whl → 9.2.149__py3-none-win_amd64.whl

angr/analyses/decompiler/counters/call_counter.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 from typing import TYPE_CHECKING
 
 from ailment import Block
+from ailment.statement import Label
 from ailment.block_walker import AILBlockWalkerBase
 
 from angr.analyses.decompiler.sequence_walker import SequenceWalker
@@ -37,8 +38,10 @@ class AILCallCounter(SequenceWalker):
         }
         super().__init__(handlers)
         self.calls = 0
+        self.non_label_stmts = 0
 
     def _handle_Block(self, node: Block, **kwargs):  # pylint:disable=unused-argument
         ctr = AILBlockCallCounter()
         ctr.walk(node)
         self.calls += ctr.calls
+        self.non_label_stmts += sum(1 for stmt in node.statements if not isinstance(stmt, Label))

angr/analyses/decompiler/dephication/rewriting_engine.py

@@ -3,7 +3,16 @@ from __future__ import annotations
 import logging
 
 from ailment.block import Block
-from ailment.statement import Statement, Assignment, Store, Call, Return, ConditionalJump, DirtyStatement
+from ailment.statement import (
+    Statement,
+    Assignment,
+    Store,
+    Call,
+    Return,
+    ConditionalJump,
+    DirtyStatement,
+    WeakAssignment,
+)
 from ailment.expression import (
     Expression,
     VirtualVariable,
@@ -99,6 +108,19 @@ class SimEngineDephiRewriting(SimEngineNostmtAIL[None, Expression | None, Statem
             return Assignment(stmt.idx, dst, src, **stmt.tags)
         return None
 
+    def _handle_stmt_WeakAssignment(self, stmt) -> WeakAssignment | None:
+        new_src = self._expr(stmt.src)
+        new_dst = self._expr(stmt.dst)
+
+        if new_dst is not None or new_src is not None:
+            return WeakAssignment(
+                stmt.idx,
+                stmt.dst if new_dst is None else new_dst,  # type: ignore
+                stmt.src if new_src is None else new_src,
+                **stmt.tags,
+            )
+        return None
+
     def _handle_stmt_Store(self, stmt):
         new_addr = self._expr(stmt.addr)
         new_data = self._expr(stmt.data)
@@ -299,7 +321,7 @@ class SimEngineDephiRewriting(SimEngineNostmtAIL[None, Expression | None, Statem
             return VEXCCallExpression(
                 expr.idx,
                 expr.callee,
-                new_operands,
+                tuple(new_operands),
                 bits=expr.bits,
                 **expr.tags,
             )

angr/analyses/decompiler/optimization_passes/__init__.py

@@ -33,6 +33,8 @@ from .call_stmt_rewriter import CallStatementRewriter
 from .duplication_reverter import DuplicationReverter
 from .switch_reused_entry_rewriter import SwitchReusedEntryRewriter
 from .condition_constprop import ConditionConstantPropagation
+from .determine_load_sizes import DetermineLoadSizes
+from .eager_std_string_concatenation import EagerStdStringConcatenationPass
 
 if TYPE_CHECKING:
     from angr.analyses.decompiler.presets import DecompilationPreset
@@ -68,6 +70,8 @@ ALL_OPTIMIZATION_PASSES = [
     CallStatementRewriter,
     TagSlicer,
     ConditionConstantPropagation,
+    DetermineLoadSizes,
+    EagerStdStringConcatenationPass,
 ]
 
 # these passes may duplicate code to remove gotos or improve the structure of the graph
@@ -122,6 +126,7 @@ __all__ = (
     "DeadblockRemover",
     "DivSimplifier",
     "DuplicationReverter",
+    "EagerStdStringConcatenationPass",
     "ExprOpSwapper",
     "FlipBooleanCmp",
     "ITEExprConverter",

angr/analyses/decompiler/optimization_passes/base_ptr_save_simplifier.py

@@ -98,20 +98,22 @@ class BasePointerSaveSimplifier(OptimizationPass):
                 and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
                 and stmt.dst.was_stack
                 and stmt.dst.stack_offset < 0
-                and isinstance(stmt.src, ailment.Expr.VirtualVariable)
-                and stmt.src.was_reg
-                and stmt.src.reg_offset == self.project.arch.bp_offset
             ):
-                return first_block, idx, stmt.dst
-            if (
-                isinstance(stmt, ailment.Stmt.Assignment)
-                and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
-                and stmt.dst.was_stack
-                and stmt.dst.stack_offset < 0
-                and isinstance(stmt.src, ailment.Expr.StackBaseOffset)
-                and stmt.src.offset == 0
-            ):
-                return first_block, idx, stmt.dst
+                if (
+                    isinstance(stmt.src, ailment.Expr.VirtualVariable)
+                    and stmt.src.was_reg
+                    and stmt.src.reg_offset == self.project.arch.bp_offset
+                ):
+                    return first_block, idx, stmt.dst
+                if isinstance(stmt.src, ailment.Expr.StackBaseOffset) and stmt.src.offset == 0:
+                    return first_block, idx, stmt.dst
+                if (
+                    isinstance(stmt.src, ailment.Expr.UnaryOp)
+                    and isinstance(stmt.src.operand, ailment.Expr.VirtualVariable)
+                    and stmt.src.operand.was_stack
+                    and stmt.src.operand.stack_offset == 0
+                ):
+                    return first_block, idx, stmt.dst
 
         # Not found
         return None

angr/analyses/decompiler/optimization_passes/const_prop_reverter.py

@@ -66,7 +66,7 @@ class PairAILBlockWalker:
         def _handle_call_expr(expr_idx: int, expr: Call, stmt_idx: int, stmt: Statement, block_):
             walked_objs[Call].add(expr)
 
-        _stmt_handlers = {typ: _handle_ail_obj for typ in walked_objs}
+        _stmt_handlers = dict.fromkeys(walked_objs, _handle_ail_obj)
         walker.stmt_handlers = _stmt_handlers
         walker.expr_handlers[Call] = _handle_call_expr
 

angr/analyses/decompiler/optimization_passes/determine_load_sizes.py

@@ -0,0 +1,64 @@
+from __future__ import annotations
+import logging
+
+from ailment.constant import UNDETERMINED_SIZE
+from ailment.expression import BinaryOp, Load, Const
+from ailment.statement import Assignment, WeakAssignment
+
+from .optimization_pass import OptimizationPass, OptimizationPassStage
+
+
+_l = logging.getLogger(name=__name__)
+
+
+class DetermineLoadSizes(OptimizationPass):
+    """
+    Determine the sizes of Load expressions whose sizes are undetermined.
+    """
+
+    ARCHES = None
+    PLATFORMS = None
+    STAGE = OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION
+    NAME = "Determine sizes of loads whose sizes are undetermined"
+    DESCRIPTION = __doc__.strip()  # type: ignore
+
+    def __init__(self, func, **kwargs):
+        super().__init__(func, **kwargs)
+
+        self.analyze()
+
+    def _check(self):
+        return True, None
+
+    def _analyze(self, cache=None):
+
+        changed = False
+
+        for block in self._graph.nodes:
+            for idx in range(len(block.statements)):  # pylint:disable=consider-using-enumerate
+                stmt = block.statements[idx]
+                if isinstance(stmt, (Assignment, WeakAssignment)):
+                    if isinstance(stmt.src, BinaryOp) and stmt.src.op == "Add" and stmt.src.operands:
+                        operands = stmt.src.operands
+                    elif isinstance(stmt.src, Load):
+                        operands = [stmt.src]
+                    else:
+                        continue
+
+                    for operand in operands:
+                        if (
+                            isinstance(operand, Load)
+                            and isinstance(operand.addr, Const)
+                            and operand.size == UNDETERMINED_SIZE
+                        ):
+                            # probably a string!
+                            bs = self.project.loader.memory.load_null_terminated_bytes(
+                                operand.addr.value, max_size=4096
+                            )
+                            if bs is not None:
+                                operand.size = len(bs)
+                                operand.bits = len(bs) * 8
+                    changed = True
+
+        if changed:
+            self.out_graph = self._graph

angr/analyses/decompiler/optimization_passes/eager_std_string_concatenation.py

@@ -0,0 +1,165 @@
+# pylint:disable=too-many-boolean-expressions,unused-argument
+from __future__ import annotations
+from typing import TYPE_CHECKING
+import logging
+import re
+
+from archinfo import Endness
+
+from ailment.constant import UNDETERMINED_SIZE
+from ailment.statement import Assignment, WeakAssignment
+from ailment.expression import VirtualVariable, BinaryOp, Const, Load
+
+from .optimization_pass import OptimizationPass, OptimizationPassStage
+
+if TYPE_CHECKING:
+    from angr.analyses.s_reaching_definitions import SRDAModel
+
+
+_l = logging.getLogger(name=__name__)
+
+
+class EagerStdStringConcatenationPass(OptimizationPass):
+    """
+    TODO: Unfinished
+    """
+
+    ARCHES = None
+    PLATFORMS = None
+    STAGE = OptimizationPassStage.BEFORE_VARIABLE_RECOVERY
+    NAME = "Condense multiple constant std::string creation calls into one when possible"
+    DESCRIPTION = __doc__.strip()  # type: ignore
+
+    def __init__(self, func, **kwargs):
+        super().__init__(func, **kwargs)
+        self.analyze()
+
+    def _check(self):
+        # TODO: ensure func calls std::string::operator+ and std::string::operator=
+        return False, {}
+
+    def _analyze(self, cache=None):
+        rd = self.project.analyses.SReachingDefinitions(subject=self._func, func_graph=self._graph).model
+        cfg = self.kb.cfgs.get_most_accurate()
+        assert cfg is not None
+
+        # update each block
+        for key in list(self.blocks_by_addr_and_idx):
+            block = self.blocks_by_addr_and_idx[key]
+            new_block = None
+            for idx, stmt in enumerate(block.statements):
+                if (
+                    isinstance(stmt, Assignment)
+                    and hasattr(stmt, "type")
+                    and "dst" in stmt.type
+                    and "src" in stmt.type
+                    and isinstance(stmt.dst, VirtualVariable)
+                    and isinstance(stmt.src, BinaryOp)
+                    and stmt.src.op == "Add"
+                ):
+                    dst_ty, src_ty = stmt.type["dst"], stmt.type["src"]
+                    if self._is_std_string_type(dst_ty.c_repr()) and self._is_std_string_type(src_ty.c_repr()):
+                        op0, op1 = stmt.src.operands
+                        if isinstance(op1, VirtualVariable) and isinstance(op0, Load):
+                            op0, op1 = op1, op0
+                        if (
+                            isinstance(op0, VirtualVariable)
+                            and isinstance(op1, Load)
+                            and isinstance(op1.addr, Const)
+                            and isinstance(op1.addr.value, int)
+                            # is op1 a constant string?
+                            and op1.addr.value in cfg.memory_data
+                            and cfg.memory_data[op1.addr.value].sort == "string"
+                        ):
+                            op1_str = cfg.memory_data[op1.addr.value].content
+                            # is op0 also an std::string?
+                            op0_str = self._get_vvar_def_string(op0.varid, rd, cfg, block.addr, block.idx)
+                            if op0_str is not None and op1_str is not None:
+                                # let's create a new string
+                                final_str = op0_str + op1_str
+                                str_id = self.kb.custom_strings.allocate(final_str)
+                                # replace the assignment with a new assignment
+                                new_stmt = WeakAssignment(
+                                    stmt.idx,
+                                    stmt.dst,
+                                    Load(
+                                        None,
+                                        Const(None, None, str_id, self.project.arch.bits, custom_string=True),
+                                        UNDETERMINED_SIZE,
+                                        Endness.BE,
+                                    ),
+                                    **stmt.tags,
+                                )
+                                new_block = block.copy() if new_block is None else new_block
+                                new_block.statements[idx] = new_stmt
+            if new_block is not None:
+                self._update_block(block, new_block)
+
+    def _get_vvar_def_string(self, vvar_id: int, rd: SRDAModel, cfg, block_addr, block_idx) -> bytes | None:
+        # search for the closest weak definition of the specified variable
+        # TODO: Optimize this logic in the future
+
+        starting_block = self.blocks_by_addr_and_idx[(block_addr, block_idx)]
+        queue = [starting_block]
+        visited = set()
+        while queue:
+            block = queue.pop(0)
+            if block in visited:
+                continue
+            visited.add(block)
+
+            if not (block.addr == block_addr and block.idx == block_idx):
+                for stmt in block.statements:
+                    if (
+                        isinstance(stmt, WeakAssignment)
+                        and isinstance(stmt.dst, VirtualVariable)
+                        and stmt.dst.varid == vvar_id
+                    ):
+                        if (
+                            isinstance(stmt.src, Load)
+                            and isinstance(stmt.src.addr, Const)
+                            and stmt.src.addr.value in cfg.memory_data
+                        ):
+                            if cfg.memory_data[stmt.src.addr.value].sort == "string":
+                                return cfg.memory_data[stmt.src.addr.value].content
+                        elif (
+                            isinstance(stmt.src, Const)
+                            and hasattr(stmt.src, "custom_string")
+                            and stmt.src.custom_string
+                        ):
+                            return self.kb.custom_strings.get(stmt.src.value)
+
+            preds = list(self._graph.predecessors(block))
+            if len(preds) == 1:
+                queue.append(preds[0])
+
+        return None
+
+    @staticmethod
+    def _is_std_string_type(type_str: str) -> bool:
+        type_str = type_str.removeprefix("const ")
+        return (
+            re.match(
+                r"class std::basic_string<char a\d+, struct std::char_traits<char> a\d+, class std::allocator<char>>",
+                type_str,
+            )
+            is not None
+        )
+
+        # pcreg_offset = self.project.arch.registers[getpc_reg][0]
+
+
+#
+# old_block = self.blocks_by_addr_and_idx[block_key]
+# block = old_block.copy()
+# old_stmt = block.statements[stmt_idx]
+# block.statements[stmt_idx] = ailment.Stmt.Assignment(
+#     old_stmt.idx,
+#     ailment.Expr.Register(None, None, pcreg_offset, 32, reg_name=getpc_reg),
+#     ailment.Expr.Const(None, None, getpc_reg_value, 32),
+#     **old_stmt.tags,
+# )
+# # remove the statement that pushes return address onto the stack
+# if stmt_idx > 0 and isinstance(block.statements[stmt_idx - 1], ailment.Stmt.Store):
+#     block.statements = block.statements[: stmt_idx - 1] + block.statements[stmt_idx:]
+# self._update_block(old_block, block)

angr/analyses/decompiler/optimization_passes/engine_base.py

@@ -73,7 +73,16 @@ class SimplifierAILEngine(
             self.state.store_variable(dst, src)
 
         if (src, dst) != (stmt.src, stmt.dst):
-            return ailment.statement.Assignment(stmt.idx, dst, src, **stmt.tags)
+            return ailment.statement.Assignment(stmt.idx, dst, src, **stmt.tags)  # type:ignore
+
+        return stmt
+
+    def _handle_stmt_WeakAssignment(self, stmt: ailment.statement.WeakAssignment):
+        src = self._expr(stmt.src)
+        dst = self._expr(stmt.dst)
+
+        if (src, dst) != (stmt.src, stmt.dst):
+            return ailment.statement.WeakAssignment(stmt.idx, dst, src, **stmt.tags)  # type:ignore
 
         return stmt
 
@@ -150,7 +159,7 @@ class SimplifierAILEngine(
     def _handle_stmt_DirtyStatement(self, stmt):
         expr = self._expr(stmt.dirty)
         if expr != stmt.dirty:
-            return ailment.statement.DirtyStatement(stmt.idx, expr, **stmt.tags)
+            return ailment.statement.DirtyStatement(stmt.idx, expr, **stmt.tags)  # type:ignore
         return stmt
 
     def _handle_stmt_Label(self, stmt):

angr/analyses/decompiler/optimization_passes/inlined_string_transformation_simplifier.py

@@ -161,13 +161,28 @@ class InlinedStringTransformationAILEngine(
             return addr.value, "mem"
         if isinstance(addr, StackBaseOffset):
             return (addr.offset + self.STACK_BASE) & self.MASK, "stack"
-        if isinstance(addr, BinaryOp) and isinstance(addr.operands[0], StackBaseOffset):
+        if (
+            isinstance(addr, UnaryOp)
+            and addr.op == "Reference"
+            and isinstance(addr.operand, VirtualVariable)
+            and addr.operand.was_stack
+        ):
+            return (addr.operand.stack_offset + self.STACK_BASE) & self.MASK, "stack"
+        if (
+            isinstance(addr, BinaryOp)
+            and addr.op in {"Add", "Sub"}
+            and isinstance(addr.operands[0], (StackBaseOffset, UnaryOp, Const))
+        ):
             v0_and_type = self._process_address(addr.operands[0])
             if v0_and_type is not None:
                 v0 = v0_and_type[0]
                 v1 = self._expr(addr.operands[1])
                 if isinstance(v1, claripy.ast.Bits) and v1.concrete:
-                    return (v0 + v1.concrete_value) & self.MASK, "stack"
+                    if addr.op == "Add":
+                        return (v0 + v1.concrete_value) & self.MASK, "stack"
+                    if addr.op == "Sub":
+                        return (v0 - v1.concrete_value) & self.MASK, "stack"
+                    raise NotImplementedError("Unreachable")
         return None
 
     def _handle_stmt_Assignment(self, stmt):

angr/analyses/decompiler/optimization_passes/optimization_pass.py

@@ -53,12 +53,14 @@ class OptimizationPassStage(Enum):
     AFTER_AIL_GRAPH_CREATION = 0
     BEFORE_SSA_LEVEL0_TRANSFORMATION = 1
     AFTER_SINGLE_BLOCK_SIMPLIFICATION = 2
-    AFTER_MAKING_CALLSITES = 3
-    AFTER_GLOBAL_SIMPLIFICATION = 4
-    AFTER_VARIABLE_RECOVERY = 5
-    BEFORE_REGION_IDENTIFICATION = 6
-    DURING_REGION_IDENTIFICATION = 7
-    AFTER_STRUCTURING = 8
+    BEFORE_SSA_LEVEL1_TRANSFORMATION = 3
+    AFTER_MAKING_CALLSITES = 4
+    AFTER_GLOBAL_SIMPLIFICATION = 5
+    BEFORE_VARIABLE_RECOVERY = 6
+    AFTER_VARIABLE_RECOVERY = 7
+    BEFORE_REGION_IDENTIFICATION = 8
+    DURING_REGION_IDENTIFICATION = 9
+    AFTER_STRUCTURING = 10
 
 
 class BaseOptimizationPass:
@@ -137,6 +139,7 @@ class OptimizationPass(BaseOptimizationPass):
         avoid_vvar_ids: set[int] | None = None,
         arg_vvars: set[int] | None = None,
         peephole_optimizations=None,
+        stack_pointer_tracker=None,
         **kwargs,
     ):
         super().__init__(func)
@@ -158,6 +161,7 @@ class OptimizationPass(BaseOptimizationPass):
         self._complete_successors = complete_successors
         self._avoid_vvar_ids = avoid_vvar_ids or set()
         self._peephole_optimizations = peephole_optimizations
+        self._stack_pointer_tracker = stack_pointer_tracker
 
         # output
         self.out_graph: networkx.DiGraph | None = None