angr 9.2.148__py3-none-manylinux2014_aarch64.whl → 9.2.149__py3-none-manylinux2014_aarch64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.148"
+__version__ = "9.2.149"
 
 if bytes is str:
     raise Exception(

angr/analyses/calling_convention/calling_convention.py

@@ -13,8 +13,16 @@ import ailment
 
 from angr.code_location import ExternalCodeLocation
 
-from angr.calling_conventions import SimFunctionArgument, SimRegArg, SimStackArg, SimCC, default_cc
+from angr.calling_conventions import (
+    SimFunctionArgument,
+    SimRegArg,
+    SimStackArg,
+    SimCC,
+    default_cc,
+    SimCCMicrosoftThiscall,
+)
 from angr.sim_type import (
+    SimTypeCppFunction,
     SimTypeInt,
     SimTypeFunction,
     SimType,
@@ -24,6 +32,7 @@ from angr.sim_type import (
     SimTypeBottom,
     SimTypeFloat,
     SimTypeDouble,
+    parse_cpp_file,
 )
 from angr.sim_variable import SimStackVariable, SimRegisterVariable
 from angr.knowledge_plugins.key_definitions.atoms import Register, MemoryLocation, SpOffset
@@ -153,6 +162,13 @@ class CallingConventionAnalysis(Analysis):
 
         assert self._function is not None
 
+        demangled_name = self._function.demangled_name
+        if demangled_name != self._function.name:
+            r_demangled = self._analyze_demangled_name(demangled_name)
+            if r_demangled is not None:
+                self.cc, self.prototype, self.prototype_libname = r_demangled
+                return
+
         if self._function.is_simprocedure:
             hooker = self.project.hooked_by(self._function.addr)
             if isinstance(
@@ -348,6 +364,30 @@ class CallingConventionAnalysis(Analysis):
 
         return None
 
+    def _analyze_demangled_name(self, name: str) -> tuple[SimCC, SimTypeFunction, str | None] | None:
+        """
+        Analyze a function with a demangled name. Only C++ names are supported for now.
+
+        :param name:    The demangled name of the function.
+        :return:        A tuple of the calling convention, the function type, and the library name if available.
+        """
+        parsed, _ = parse_cpp_file(name)
+        if not parsed or len(parsed) != 1:
+            return None
+        proto = next(iter(parsed.values()))
+        if (
+            isinstance(proto, SimTypeCppFunction)
+            and self.project.simos.name == "Win32"
+            and self.project.arch.name == "X86"
+            and proto.convention == "__thiscall"
+        ):
+            cc_cls = SimCCMicrosoftThiscall
+        else:
+            cc_cls = default_cc(self.project.arch.name, self.project.simos.name)
+            assert cc_cls is not None
+        cc = cc_cls(self.project.arch)
+        return cc, proto, None
+
     def _analyze_function(self) -> tuple[SimCC, SimTypeFunction] | None:
         """
         Go over the variable information in variable manager for this function, and return all uninitialized
@@ -681,7 +721,7 @@ class CallingConventionAnalysis(Analysis):
                     # no more arguments
                     temp_args.append(None)
             elif isinstance(arg_loc, SimStackArg):
-                if arg_loc.stack_offset in defs_by_stack_offset:
+                if arg_loc.stack_offset - cc.STACKARG_SP_DIFF in defs_by_stack_offset:
                     temp_args.append(arg_loc)
                 else:
                     # no more arguments

angr/analyses/cfg/cfg_emulated.py

@@ -2967,10 +2967,13 @@ class CFGEmulated(ForwardAnalysis, CFGBase):  # pylint: disable=abstract-method
                 new_state.options.add(o.DO_RET_EMULATION)
                 # Remove bad constraints
                 # FIXME: This is so hackish...
-                new_state.solver._solver.constraints = [
+                preserved_constraints = [
                     c for c in new_state.solver.constraints if c.op != "BoolV" or c.args[0] is not False
                 ]
-                new_state.solver._solver._result = None
+                new_solver = new_state.solver._solver.blank_copy()
+                new_solver.add(preserved_constraints)
+                new_state.solver._stored_solver = new_solver
+
                 # Swap them
                 saved_state, job.state = job.state, new_state
                 sim_successors, exception_info, _ = self._get_simsuccessors(addr, job)

angr/analyses/cfg/cfg_fast.py

@@ -4841,66 +4841,68 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
 
             # determine if the function uses ebp as a general purpose register or not
             if addr == func_addr or 0 < addr - func_addr <= 0x20:
-                ebp_as_gpr = True
-                cap = self._lift(addr, size=cfg_node.size).capstone
-                for insn in cap.insns:
-                    if (
-                        insn.mnemonic == "mov"
-                        and len(insn.operands) == 2
-                        and insn.operands[0].type == capstone.x86.X86_OP_REG
-                        and insn.operands[1].type == capstone.x86.X86_OP_REG
-                    ):
+                func = self.kb.functions.get_by_addr(func_addr)
+                if "bp_as_gpr" not in func.info:
+                    ebp_as_gpr = True
+                    cap = self._lift(addr, size=cfg_node.size).capstone
+                    for insn in cap.insns:
                         if (
+                            insn.mnemonic == "mov"
+                            and len(insn.operands) == 2
+                            and insn.operands[0].type == capstone.x86.X86_OP_REG
+                            and insn.operands[1].type == capstone.x86.X86_OP_REG
+                        ):
+                            if (
+                                insn.operands[0].reg == capstone.x86.X86_REG_EBP
+                                and insn.operands[1].reg == capstone.x86.X86_REG_ESP
+                            ):
+                                ebp_as_gpr = False
+                                break
+                        elif (
+                            insn.mnemonic == "lea"
+                            and len(insn.operands) == 2
+                            and insn.operands[0].type == capstone.x86.X86_OP_REG
+                            and insn.operands[1].type == capstone.x86.X86_OP_MEM
+                        ) and (
                             insn.operands[0].reg == capstone.x86.X86_REG_EBP
-                            and insn.operands[1].reg == capstone.x86.X86_REG_ESP
+                            and insn.operands[1].mem.base == capstone.x86.X86_REG_ESP
                         ):
                             ebp_as_gpr = False
                             break
-                    elif (
-                        insn.mnemonic == "lea"
-                        and len(insn.operands) == 2
-                        and insn.operands[0].type == capstone.x86.X86_OP_REG
-                        and insn.operands[1].type == capstone.x86.X86_OP_MEM
-                    ) and (
-                        insn.operands[0].reg == capstone.x86.X86_REG_EBP
-                        and insn.operands[1].mem.base == capstone.x86.X86_REG_ESP
-                    ):
-                        ebp_as_gpr = False
-                        break
-                func = self.kb.functions.get_by_addr(func_addr)
-                func.info["bp_as_gpr"] = ebp_as_gpr
+                    func.info["bp_as_gpr"] = ebp_as_gpr
 
         elif self.project.arch.name == "AMD64":
             # determine if the function uses rbp as a general purpose register or not
             if addr == func_addr or 0 < addr - func_addr <= 0x20:
-                rbp_as_gpr = True
-                cap = self._lift(addr, size=cfg_node.size).capstone
-                for insn in cap.insns:
-                    if (
-                        insn.mnemonic == "mov"
-                        and len(insn.operands) == 2
-                        and insn.operands[0].type == capstone.x86.X86_OP_REG
-                        and insn.operands[1].type == capstone.x86.X86_OP_REG
-                    ):
+                func = self.kb.functions.get_by_addr(func_addr)
+                if "bp_as_gpr" not in func.info:
+                    rbp_as_gpr = True
+                    cap = self._lift(addr, size=cfg_node.size).capstone
+                    for insn in cap.insns:
                         if (
+                            insn.mnemonic == "mov"
+                            and len(insn.operands) == 2
+                            and insn.operands[0].type == capstone.x86.X86_OP_REG
+                            and insn.operands[1].type == capstone.x86.X86_OP_REG
+                        ):
+                            if (
+                                insn.operands[0].reg == capstone.x86.X86_REG_RBP
+                                and insn.operands[1].reg == capstone.x86.X86_REG_RSP
+                            ):
+                                rbp_as_gpr = False
+                                break
+                        elif (
+                            insn.mnemonic == "lea"
+                            and len(insn.operands) == 2
+                            and insn.operands[0].type == capstone.x86.X86_OP_REG
+                            and insn.operands[1].type == capstone.x86.X86_OP_MEM
+                        ) and (
                             insn.operands[0].reg == capstone.x86.X86_REG_RBP
-                            and insn.operands[1].reg == capstone.x86.X86_REG_RSP
+                            and insn.operands[1].mem.base == capstone.x86.X86_REG_RSP
                         ):
                             rbp_as_gpr = False
                             break
-                    elif (
-                        insn.mnemonic == "lea"
-                        and len(insn.operands) == 2
-                        and insn.operands[0].type == capstone.x86.X86_OP_REG
-                        and insn.operands[1].type == capstone.x86.X86_OP_MEM
-                    ) and (
-                        insn.operands[0].reg == capstone.x86.X86_REG_RBP
-                        and insn.operands[1].mem.base == capstone.x86.X86_REG_RSP
-                    ):
-                        rbp_as_gpr = False
-                        break
-                func = self.kb.functions.get_by_addr(func_addr)
-                func.info["bp_as_gpr"] = rbp_as_gpr
+                    func.info["bp_as_gpr"] = rbp_as_gpr
 
     def _extract_node_cluster_by_dependency(self, addr, include_successors=False) -> set[int]:
         to_remove = {addr}

angr/analyses/decompiler/ail_simplifier.py

@@ -9,7 +9,7 @@ import networkx
 
 from ailment import AILBlockWalker
 from ailment.block import Block
-from ailment.statement import Statement, Assignment, Store, Call, ConditionalJump, DirtyStatement
+from ailment.statement import Statement, Assignment, Store, Call, ConditionalJump, DirtyStatement, WeakAssignment
 from ailment.expression import (
     Register,
     Convert,
@@ -247,6 +247,9 @@ class AILSimplifier(Analysis):
                     ):
                         codeloc = CodeLocation(block.addr, stmt_idx, block_idx=block.idx, ins_addr=stmt.ins_addr)
                         equivalence.add(Equivalence(codeloc, stmt.dst, stmt.src))
+                elif isinstance(stmt, WeakAssignment):
+                    codeloc = CodeLocation(block.addr, stmt_idx, block_idx=block.idx, ins_addr=stmt.ins_addr)
+                    equivalence.add(Equivalence(codeloc, stmt.dst, stmt.src, is_weakassignment=True))
                 elif isinstance(stmt, Call):
                     if isinstance(stmt.ret_expr, (VirtualVariable, Load)):
                         codeloc = CodeLocation(block.addr, stmt_idx, block_idx=block.idx, ins_addr=stmt.ins_addr)
@@ -1172,6 +1175,9 @@ class AILSimplifier(Analysis):
                     # register variable = Convert(Call)
                     call = eq.atom1
                     # call_addr = call.operand.target.value if isinstance(call.operand.target, Const) else None
+                elif eq.is_weakassignment:
+                    # variable =w something else
+                    call = eq.atom1
                 else:
                     continue
 
@@ -1196,6 +1202,9 @@ class AILSimplifier(Analysis):
                 assert the_def.codeloc.stmt_idx is not None
 
                 all_uses: set[tuple[Any, CodeLocation]] = rd.get_vvar_uses_with_expr(the_def.atom)
+                if eq.is_weakassignment:
+                    # eliminate the "use" at the weak assignment site
+                    all_uses = {use for use in all_uses if use[1] != eq.codeloc}
 
                 if len(all_uses) != 1:
                     continue
@@ -1218,10 +1227,13 @@ class AILSimplifier(Analysis):
                         continue
 
                 # check if the use and the definition is within the same supernode
-                super_node_blocks = self._get_super_node_blocks(
-                    addr_and_idx_to_block[(the_def.codeloc.block_addr, the_def.codeloc.block_idx)]
-                )
-                if u.block_addr not in {b.addr for b in super_node_blocks}:
+                # also we do not allow any calls between the def site and the use site
+                if not self._loc_within_superblock(
+                    addr_and_idx_to_block[(the_def.codeloc.block_addr, the_def.codeloc.block_idx)],
+                    u.block_addr,
+                    u.block_idx,
+                    terminate_with_calls=True,
+                ):
                     continue
 
                 # ensure there are no other calls between the def site and the use site.
@@ -1247,10 +1259,6 @@ class AILSimplifier(Analysis):
                 ):
                     continue
 
-                # check if there are any calls in between the def site and the use site
-                if self._count_calls_in_supernodeblocks(super_node_blocks, the_def.codeloc, u) > 0:
-                    continue
-
                 # replace all uses
                 old_block = addr_and_idx_to_block.get((u.block_addr, u.block_idx), None)
                 if old_block is None:
@@ -1262,7 +1270,7 @@ class AILSimplifier(Analysis):
 
                 if isinstance(eq.atom0, VirtualVariable):
                     src = used_expr
-                    dst: Call | Convert = call.copy()
+                    dst: Expression = call.copy()
 
                     if isinstance(dst, Call) and dst.ret_expr is not None:
                         dst_bits = dst.ret_expr.bits
@@ -1272,7 +1280,7 @@ class AILSimplifier(Analysis):
                         dst.fp_ret_expr = None
                         dst.bits = dst_bits
 
-                    if src.bits != dst.bits:
+                    if src.bits != dst.bits and not eq.is_weakassignment:
                         dst = Convert(None, dst.bits, src.bits, False, dst)
                 else:
                     continue
@@ -1320,6 +1328,42 @@ class AILSimplifier(Analysis):
                 break
         return lst
 
+    def _loc_within_superblock(
+        self, start_node: Block, block_addr: int, block_idx: int | None, terminate_with_calls=False
+    ) -> bool:
+        b = start_node
+        if block_addr == b.addr and block_idx == b.idx:
+            return True
+
+        encountered_block_addrs: set[tuple[int, int | None]] = {(b.addr, b.idx)}
+        while True:
+            if terminate_with_calls and b.statements and isinstance(b.statements[-1], Call):
+                return False
+
+            encountered_block_addrs.add((b.addr, b.idx))
+            successors = list(self.func_graph.successors(b))
+            if len(successors) == 0:
+                # did not encounter the block before running out of successors
+                return False
+            if len(successors) == 1:
+                succ = successors[0]
+                # check its predecessors
+                succ_predecessors = list(self.func_graph.predecessors(succ))
+                if len(succ_predecessors) == 1:
+                    if (succ.addr, succ.idx) in encountered_block_addrs:
+                        # we are about to form a loop - bad!
+                        # example: binary ce1897b492c80bf94083dd783aefb413ab1f6d8d4981adce8420f6669d0cb3e1, block
+                        # 0x2976EF7.
+                        return False
+                    if block_addr == succ.addr and block_idx == succ.idx:
+                        return True
+                    b = succ
+                else:
+                    return False
+            else:
+                # too many successors
+                return False
+
     @staticmethod
     def _replace_expr_and_update_block(block, stmt_idx, stmt, src_expr, dst_expr) -> tuple[bool, Block | None]:
         replaced, new_stmt = stmt.replace(src_expr, dst_expr)
@@ -1492,9 +1536,18 @@ class AILSimplifier(Analysis):
                         simplified = True
 
                 if idx in stmts_to_remove and idx not in stmts_to_keep and not isinstance(stmt, DirtyStatement):
-                    if isinstance(stmt, (Assignment, Store)):
+                    if isinstance(stmt, (Assignment, WeakAssignment, Store)):
                         # Special logic for Assignment and Store statements
 
+                        # if this statement writes to a virtual variable that must be preserved, we ignore it
+                        if (
+                            isinstance(stmt, Assignment)
+                            and isinstance(stmt.dst, VirtualVariable)
+                            and stmt.dst.varid in self._avoid_vvar_ids
+                        ):
+                            new_statements.append(stmt)
+                            continue
+
                         # if this statement triggers a call, it should only be removed if it's in self._calls_to_remove
                         codeloc = CodeLocation(block.addr, idx, ins_addr=stmt.ins_addr, block_idx=block.idx)
                         if codeloc in self._assignments_to_remove:
@@ -1716,26 +1769,6 @@ class AILSimplifier(Analysis):
 
         return False
 
-    @staticmethod
-    def _count_calls_in_supernodeblocks(blocks: list[Block], start: CodeLocation, end: CodeLocation) -> int:
-        """
-        Count the number of call statements in a list of blocks for a single super block between two given code
-        locations (exclusive).
-        """
-        calls = 0
-        started = False
-        for b in blocks:
-            if b.addr == start.block_addr:
-                started = True
-                continue
-            if b.addr == end.block_addr:
-                started = False
-                continue
-
-            if started and b.statements and isinstance(b.statements[-1], Call):
-                calls += 1
-        return calls
-
     @staticmethod
     def _exprs_contain_vvar(exprs: Iterable[Expression], vvar_ids: set[int]) -> bool:
         def _handle_VirtualVariable(expr_idx, expr, stmt_idx, stmt, block):  # pylint:disable=unused-argument

angr/analyses/decompiler/block_simplifier.py

@@ -10,6 +10,7 @@ from ailment import AILBlockWalkerBase
 
 from angr.code_location import ExternalCodeLocation, CodeLocation
 
+from angr.knowledge_plugins.key_definitions import atoms
 from angr.analyses.s_propagator import SPropagatorAnalysis
 from angr.analyses.s_reaching_definitions import SReachingDefinitionsAnalysis, SRDAModel
 from angr.analyses import Analysis, register_analysis
@@ -62,6 +63,8 @@ class BlockSimplifier(Analysis):
         peephole_optimizations: None | (
             Iterable[type[PeepholeOptimizationStmtBase] | type[PeepholeOptimizationExprBase]]
         ) = None,
+        preserve_vvar_ids: set[int] | None = None,
+        type_hints: list[tuple[atoms.VirtualVariable | atoms.MemoryLocation, str]] | None = None,
         cached_reaching_definitions=None,
         cached_propagator=None,
     ):
@@ -74,24 +77,35 @@ class BlockSimplifier(Analysis):
         self.func_addr = func_addr
 
         self._stack_pointer_tracker = stack_pointer_tracker
+        self._preserve_vvar_ids = preserve_vvar_ids
+        self._type_hints = type_hints
 
         if peephole_optimizations is None:
-            self._expr_peephole_opts = [cls(self.project, self.kb, self.func_addr) for cls in EXPR_OPTS]
-            self._stmt_peephole_opts = [cls(self.project, self.kb, self.func_addr) for cls in STMT_OPTS]
-            self._multistmt_peephole_opts = [cls(self.project, self.kb, self.func_addr) for cls in MULTI_STMT_OPTS]
+            self._expr_peephole_opts = [
+                cls(self.project, self.kb, self.func_addr, self._preserve_vvar_ids, self._type_hints)
+                for cls in EXPR_OPTS
+            ]
+            self._stmt_peephole_opts = [
+                cls(self.project, self.kb, self.func_addr, self._preserve_vvar_ids, self._type_hints)
+                for cls in STMT_OPTS
+            ]
+            self._multistmt_peephole_opts = [
+                cls(self.project, self.kb, self.func_addr, self._preserve_vvar_ids, self._type_hints)
+                for cls in MULTI_STMT_OPTS
+            ]
         else:
             self._expr_peephole_opts = [
-                cls(self.project, self.kb, self.func_addr)
+                cls(self.project, self.kb, self.func_addr, self._preserve_vvar_ids, self._type_hints)
                 for cls in peephole_optimizations
                 if issubclass(cls, PeepholeOptimizationExprBase)
             ]
             self._stmt_peephole_opts = [
-                cls(self.project, self.kb, self.func_addr)
+                cls(self.project, self.kb, self.func_addr, self._preserve_vvar_ids, self._type_hints)
                 for cls in peephole_optimizations
                 if issubclass(cls, PeepholeOptimizationStmtBase)
             ]
             self._multistmt_peephole_opts = [
-                cls(self.project, self.kb, self.func_addr)
+                cls(self.project, self.kb, self.func_addr, self._preserve_vvar_ids, self._type_hints)
                 for cls in peephole_optimizations
                 if issubclass(cls, PeepholeOptimizationMultiStmtBase)
             ]