angr 9.2.149__py3-none-win_amd64.whl → 9.2.152__py3-none-win_amd64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.149"
+__version__ = "9.2.152"
 
 if bytes is str:
     raise Exception(

angr/__main__.py

@@ -1,38 +1,93 @@
 from __future__ import annotations
 
 import argparse
-import sys
+import logging
+import re
+from typing import TYPE_CHECKING
+from collections.abc import Generator
 
+import angr
 from angr.analyses.decompiler import DECOMPILATION_PRESETS
 from angr.analyses.decompiler.structuring import STRUCTURER_CLASSES, DEFAULT_STRUCTURER
 from angr.analyses.decompiler.utils import decompile_functions
 
 
-class COMMANDS:
+if TYPE_CHECKING:
+    from angr.knowledge_plugins.functions import Function
+
+
+log = logging.getLogger(__name__)
+
+
+NUMERIC_ARG_RE = re.compile(r"^(0x)?[a-fA-F0-9]+$")
+
+
+def parse_function_args(proj: angr.Project, func_args: list[str] | None) -> Generator[Function]:
     """
-    The commands that the angr CLI supports.
+    Generate a sequence of functions in the project kb by their identifier in func_args.
+
+    :param proj:      Project to query.
+    :param func_args: Sequence of function identifiers to query. None for all functions.
     """
+    if func_args is None:
+        yield from sorted(proj.kb.functions.values(), key=lambda f: f.addr)
+        return
 
-    DECOMPILE = "decompile"
-    ALL_COMMANDS = [DECOMPILE]
+    for func_arg in func_args:
+        if func_arg in proj.kb.functions:
+            yield proj.kb.functions[func_arg]
+            continue
 
+        if NUMERIC_ARG_RE.match(func_arg):
+            func_addr = int(func_arg, 0)
+            if func_addr in proj.kb.functions:
+                yield proj.kb.functions[func_addr]
+                continue
 
-def main(args=sys.argv[1:], out=sys.stdout):
-    parser = argparse.ArgumentParser(description="The angr CLI allows you to decompile and analyze binaries.")
-    parser.add_argument(
-        "command",
-        help="""
-        The analysis type to run on the binary. All analysis is output to stdout.""",
-        choices=COMMANDS.ALL_COMMANDS,
+        log.error('Function "%s" not found', func_arg)
+
+
+def disassemble(args):
+    """
+    Disassemble functions.
+    """
+    loader_main_opts_kwargs = {}
+    if args.base_addr is not None:
+        loader_main_opts_kwargs["base_addr"] = args.base_addr
+
+    proj = angr.Project(args.binary, auto_load_libs=False, main_opts=loader_main_opts_kwargs)
+    proj.analyses.CFG(normalize=True, data_references=True)
+
+    for func in parse_function_args(proj, args.functions):
+        try:
+            if func.is_plt or func.is_syscall or func.is_alignment or func.is_simprocedure:
+                continue
+            func.pp(show_bytes=True, min_edge_depth=10)
+        except Exception as e:  # pylint:disable=broad-exception-caught
+            if not args.catch_exceptions:
+                raise
+            log.exception(e)
+
+
+def decompile(args):
+    """
+    Decompile functions.
+    """
+    decompilation = decompile_functions(
+        args.binary,
+        functions=args.functions,
+        structurer=args.structurer,
+        catch_errors=args.catch_exceptions,
+        show_casts=not args.no_casts,
+        base_address=args.base_addr,
+        preset=args.preset,
     )
+    print(decompilation)
+
+
+def main():
+    parser = argparse.ArgumentParser(description="The angr CLI allows you to decompile and analyze binaries.")
     parser.add_argument("binary", help="The path to the binary to analyze.")
-    parser.add_argument(
-        "--functions",
-        help="""
-        The functions to analyze under the current command. Functions can either be expressed as names found in the
-        symbols of the binary or as addresses like: 0x401000.""",
-        nargs="+",
-    )
     parser.add_argument(
         "--catch-exceptions",
         help="""
@@ -49,40 +104,48 @@ def main(args=sys.argv[1:], out=sys.stdout):
         type=lambda x: int(x, 0),
         default=None,
     )
-    # decompilation-specific arguments
-    parser.add_argument(
+    subparsers = parser.add_subparsers(metavar="command", required=True)
+
+    decompile_cmd_parser = subparsers.add_parser("decompile", aliases=["dec"], help=decompile.__doc__)
+    decompile_cmd_parser.set_defaults(func=decompile)
+    decompile_cmd_parser.add_argument(
         "--structurer",
         help="The structuring algorithm to use for decompilation.",
         choices=STRUCTURER_CLASSES.keys(),
         default=DEFAULT_STRUCTURER.NAME,
     )
-    parser.add_argument(
+    decompile_cmd_parser.add_argument(
         "--no-casts",
         help="Do not show type casts in the decompiled output.",
         action="store_true",
         default=False,
     )
-    parser.add_argument(
+    decompile_cmd_parser.add_argument(
         "--preset",
         help="The configuration preset to use for decompilation.",
         choices=DECOMPILATION_PRESETS,
         default="default",
     )
+    decompile_cmd_parser.add_argument(
+        "--functions",
+        help="""
+        The functions to decompile. Functions can either be expressed as names found in the
+        symbols of the binary or as addresses like: 0x401000.""",
+        nargs="+",
+    )
+
+    disassemble_cmd_parser = subparsers.add_parser("disassemble", aliases=["dis"], help=disassemble.__doc__)
+    disassemble_cmd_parser.set_defaults(func=disassemble)
+    disassemble_cmd_parser.add_argument(
+        "--functions",
+        help="""
+        The functions to disassemble. Functions can either be expressed as names found in the
+        symbols of the binary or as addresses like: 0x401000.""",
+        nargs="+",
+    )
 
-    args = parser.parse_args(args)
-    if args.command == COMMANDS.DECOMPILE:
-        decompilation = decompile_functions(
-            args.binary,
-            functions=args.functions,
-            structurer=args.structurer,
-            catch_errors=args.catch_exceptions,
-            show_casts=not args.no_casts,
-            base_address=args.base_addr,
-            preset=args.preset,
-        )
-        print(decompilation, file=out)
-    else:
-        parser.print_help(file=out)
+    args = parser.parse_args()
+    args.func(args)
 
 
 if __name__ == "__main__":

angr/analyses/calling_convention/calling_convention.py

@@ -21,6 +21,7 @@ from angr.calling_conventions import (
     default_cc,
     SimCCMicrosoftThiscall,
 )
+from angr.errors import SimTranslationError
 from angr.sim_type import (
     SimTypeCppFunction,
     SimTypeInt,
@@ -585,16 +586,23 @@ class CallingConventionAnalysis(Analysis):
             # include its successor.
 
             # Re-lift the target block
-            dst_bb = self.project.factory.block(dst.addr, func.get_block_size(dst.addr), opt_level=1)
+            dst_block_size = func.get_block_size(dst.addr)
+            if dst_block_size is not None and dst_block_size > 0:
+                dst_bb = self.project.factory.block(dst.addr, dst_block_size, opt_level=1)
+                try:
+                    vex_block = dst_bb.vex
+                except SimTranslationError:
+                    # failed to lift the block
+                    continue
 
-            # If there is only one 'IMark' statement in vex --> the target block contains only direct jump
-            if (
-                len(dst_bb.vex.statements) == 1
-                and dst_bb.vex.statements[0].tag == "Ist_IMark"
-                and func.graph.out_degree(dst) == 1
-            ):
-                for _, jmp_dst, jmp_data in func_graph.out_edges(dst, data=True):
-                    subgraph.add_edge(dst, jmp_dst, **jmp_data)
+                # If there is only one 'IMark' statement in vex --> the target block contains only direct jump
+                if (
+                    len(vex_block.statements) == 1
+                    and vex_block.statements[0].tag == "Ist_IMark"
+                    and func.graph.out_degree(dst) == 1
+                ):
+                    for _, jmp_dst, jmp_data in func_graph.out_edges(dst, data=True):
+                        subgraph.add_edge(dst, jmp_dst, **jmp_data)
 
         return subgraph
 

angr/analyses/decompiler/ccall_rewriters/amd64_ccalls.py

@@ -412,6 +412,45 @@ class AMD64CCallRewriter(CCallRewriterBase):
                     )
                     return Expr.Convert(None, r.bits, ccall.bits, False, r, **ccall.tags)
 
+                elif (
+                    cond_v == AMD64_CondTypes["CondNS"]
+                    and op_v
+                    in {
+                        AMD64_OpTypes["G_CC_OP_LOGICB"],
+                        AMD64_OpTypes["G_CC_OP_LOGICW"],
+                        AMD64_OpTypes["G_CC_OP_LOGICL"],
+                        AMD64_OpTypes["G_CC_OP_LOGICQ"],
+                    }
+                    and isinstance(dep_2, Expr.Const)
+                    and dep_2.value == 0
+                ):
+                    # dep_1 >= 0
+                    dep_1 = self._fix_size(
+                        dep_1,
+                        op_v,
+                        AMD64_OpTypes["G_CC_OP_LOGICB"],
+                        AMD64_OpTypes["G_CC_OP_LOGICW"],
+                        AMD64_OpTypes["G_CC_OP_LOGICL"],
+                        ccall.tags,
+                    )
+                    dep_2 = self._fix_size(
+                        dep_2,
+                        op_v,
+                        AMD64_OpTypes["G_CC_OP_LOGICB"],
+                        AMD64_OpTypes["G_CC_OP_LOGICW"],
+                        AMD64_OpTypes["G_CC_OP_LOGICL"],
+                        ccall.tags,
+                    )
+
+                    r = Expr.BinaryOp(
+                        ccall.idx,
+                        "CmpGE",
+                        (dep_1, dep_2),
+                        True,
+                        **ccall.tags,
+                    )
+                    return Expr.Convert(None, r.bits, ccall.bits, False, r, **ccall.tags)
+
         elif ccall.callee == "amd64g_calculate_rflags_c":
             # calculate the carry flag
             op = ccall.operands[0]

angr/analyses/decompiler/clinic.py

@@ -483,6 +483,9 @@ class Clinic(Analysis):
         arg_vvars = self._create_function_argument_vvars(arg_list)
         func_args = {arg_vvar for arg_vvar, _ in arg_vvars.values()}
 
+        # duplicate orphaned conditional jump blocks
+        ail_graph = self._duplicate_orphaned_cond_jumps(ail_graph)
+
         # Transform the graph into partial SSA form
         self._update_progress(35.0, text="Transforming to partial-SSA form")
         ail_graph = self._transform_to_ssa_level0(ail_graph, func_args)
@@ -1892,6 +1895,19 @@ class Clinic(Analysis):
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.dst)
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.src)
 
+            elif stmt_type is ailment.Stmt.CAS:
+                for expr in [
+                    stmt.addr,
+                    stmt.data_lo,
+                    stmt.data_hi,
+                    stmt.expd_lo,
+                    stmt.expd_hi,
+                    stmt.old_lo,
+                    stmt.old_hi,
+                ]:
+                    if expr is not None:
+                        self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, expr)
+
             elif stmt_type is ailment.Stmt.ConditionalJump:
                 self._link_variables_on_expr(variable_manager, global_variables, block, stmt_idx, stmt, stmt.condition)
 
@@ -2123,6 +2139,45 @@ class Clinic(Analysis):
 
         return graph
 
+    @staticmethod
+    def _duplicate_orphaned_cond_jumps(ail_graph) -> networkx.DiGraph:
+        """
+        Find conditional jumps that are orphaned (e.g., being the only instruction of the block). If these blocks have
+        multiple predecessors, duplicate them to all predecessors. This is a workaround for cases where these
+        conditional jumps rely on comparisons in more than one predecessor and we cannot resolve ccalls into
+        comparisons.
+
+        This pass runs before any SSA transformations.
+
+        # 140017162     jz      short 1400171e1
+        """
+
+        for block in list(ail_graph):
+            if len(block.statements) > 1 and block.statements[0].ins_addr == block.statements[-1].ins_addr:
+                preds = list(ail_graph.predecessors(block))
+                if len(preds) > 1 and block not in preds:
+                    has_ccall = any(
+                        isinstance(stmt, ailment.Stmt.Assignment)
+                        and isinstance(stmt.src, ailment.Expr.VEXCCallExpression)
+                        for stmt in block.statements
+                    )
+                    if has_ccall:
+                        # duplicate this block to its predecessors!
+                        preds = sorted(preds, key=lambda x: x.addr)
+                        succs = sorted(ail_graph.successors(block), key=lambda x: x.addr)
+                        # FIXME: We should track block IDs globally and ensure block IDs do not collide
+                        block_idx_start = block.idx + 1 if block.idx is not None else 1
+                        for pred in preds[1:]:
+                            ail_graph.remove_edge(pred, block)
+                            new_block = block.copy()
+                            new_block.idx = block_idx_start
+                            block_idx_start += 1
+                            ail_graph.add_edge(pred, new_block)
+                            for succ in succs:
+                                ail_graph.add_edge(new_block, succ if succ is not block else new_block)
+
+        return ail_graph
+
     def _rewrite_ite_expressions(self, ail_graph):
         cfg = self._cfg
         for block in list(ail_graph):
@@ -2130,11 +2185,16 @@ class Clinic(Analysis):
                 continue
 
             ite_ins_addrs = []
+            cas_ins_addrs = set()
             for stmt in block.statements:
-                if (
+                if isinstance(stmt, ailment.Stmt.CAS):
+                    # we do not rewrite ITE statements that are caused by CAS statements
+                    cas_ins_addrs.add(stmt.ins_addr)
+                elif (
                     isinstance(stmt, ailment.Stmt.Assignment)
                     and isinstance(stmt.src, ailment.Expr.ITE)
                     and stmt.ins_addr not in ite_ins_addrs
+                    and stmt.ins_addr not in cas_ins_addrs
                 ):
                     ite_ins_addrs.append(stmt.ins_addr)
 
@@ -2998,6 +3058,12 @@ class Clinic(Analysis):
                             and last_stmt.addr.offset < 0
                             and isinstance(last_stmt.data, ailment.Expr.Const)
                             and last_stmt.data.value == succ.addr
+                        ) or (
+                            isinstance(last_stmt, ailment.Stmt.Assignment)
+                            and last_stmt.dst.was_stack
+                            and last_stmt.dst.stack_offset < 0
+                            and isinstance(last_stmt.src, ailment.Expr.Const)
+                            and last_stmt.src.value == succ.addr
                         ):
                             # remove the statement that pushes the return address
                             node.statements = node.statements[:-1]
@@ -3031,6 +3097,12 @@ class Clinic(Analysis):
                             and last_stmt.addr.offset < 0
                             and isinstance(last_stmt.data, ailment.Expr.Const)
                             and last_stmt.data.value == succ.addr
+                        ) or (
+                            isinstance(last_stmt, ailment.Stmt.Assignment)
+                            and last_stmt.dst.was_stack
+                            and last_stmt.dst.stack_offset < 0
+                            and isinstance(last_stmt.src, ailment.Expr.Const)
+                            and last_stmt.src.value == succ.addr
                         ):
                             # remove the statement that pushes the return address
                             node.statements = node.statements[:-1]

angr/analyses/decompiler/dephication/rewriting_engine.py

@@ -1,4 +1,4 @@
-# pylint:disable=unused-argument,no-self-use
+# pylint:disable=unused-argument,no-self-use,too-many-boolean-expressions
 from __future__ import annotations
 import logging
 
@@ -8,12 +8,14 @@ from ailment.statement import (
     Assignment,
     Store,
     Call,
+    CAS,
     Return,
     ConditionalJump,
     DirtyStatement,
     WeakAssignment,
 )
 from ailment.expression import (
+    Atom,
     Expression,
     VirtualVariable,
     Load,
@@ -121,6 +123,40 @@ class SimEngineDephiRewriting(SimEngineNostmtAIL[None, Expression | None, Statem
             )
         return None
 
+    def _handle_stmt_CAS(self, stmt: CAS) -> CAS | None:
+        new_addr = self._expr(stmt.addr)
+        new_data_lo = self._expr(stmt.data_lo)
+        new_data_hi = self._expr(stmt.data_hi) if stmt.data_hi is not None else None
+        new_expd_lo = self._expr(stmt.expd_lo)
+        new_expd_hi = self._expr(stmt.expd_hi) if stmt.expd_hi is not None else None
+        new_old_lo = self._expr(stmt.old_lo)
+        new_old_hi = self._expr(stmt.old_hi) if stmt.old_hi is not None else None
+        assert new_old_lo is None or isinstance(new_old_lo, Atom)
+        assert new_old_hi is None or isinstance(new_old_hi, Atom)
+
+        if (
+            new_addr is not None
+            or new_old_lo is not None
+            or new_old_hi is not None
+            or new_data_lo is not None
+            or new_data_hi is not None
+            or new_expd_lo is not None
+            or new_expd_hi is not None
+        ):
+            return CAS(
+                stmt.idx,
+                stmt.addr if new_addr is None else new_addr,
+                stmt.data_lo if new_data_lo is None else new_data_lo,
+                stmt.data_hi if new_data_hi is None else new_data_hi,
+                stmt.expd_lo if new_expd_lo is None else new_expd_lo,
+                stmt.expd_hi if new_expd_hi is None else new_expd_hi,
+                stmt.old_lo if new_old_lo is None else new_old_lo,
+                stmt.old_hi if new_old_hi is None else new_old_hi,
+                stmt.endness,
+                **stmt.tags,
+            )
+        return None
+
     def _handle_stmt_Store(self, stmt):
         new_addr = self._expr(stmt.addr)
         new_data = self._expr(stmt.data)
@@ -179,6 +215,7 @@ class SimEngineDephiRewriting(SimEngineNostmtAIL[None, Expression | None, Statem
         dirty = self._expr(stmt.dirty)
         if dirty is None or dirty is stmt.dirty:
             return None
+        assert isinstance(dirty, DirtyExpression)
         return DirtyStatement(stmt.idx, dirty, **stmt.tags)
 
     def _handle_expr_Load(self, expr):

angr/analyses/decompiler/optimization_passes/condition_constprop.py

@@ -107,6 +107,12 @@ class ConditionConstantPropagation(OptimizationPass):
                 cconds_by_src[src] = []
             cconds_by_src[src].append(ccond)
 
+        # eliminate sources with more than one in-edges; this is because the condition may not hold on all in-edges!
+        for src in list(cconds_by_src):
+            block = self._get_block(src[0], idx=src[1])
+            if block is not None and block in self._graph and self._graph.in_degree[block] > 1:
+                del cconds_by_src[src]
+
         # eliminate conflicting conditions
         for src in list(cconds_by_src):
             cconds = cconds_by_src[src]

angr/analyses/decompiler/optimization_passes/engine_base.py

@@ -86,6 +86,11 @@ class SimplifierAILEngine(
 
         return stmt
 
+    def _handle_stmt_CAS(self, stmt: ailment.statement.CAS) -> ailment.statement.CAS:
+        # we assume that we never have to deal with CAS statements at this point; they should have been rewritten to
+        # intrinsics
+        return stmt
+
     def _handle_stmt_Store(self, stmt):
         addr = self._expr(stmt.addr)
         data = self._expr(stmt.data)

angr/analyses/decompiler/optimization_passes/flip_boolean_cmp.py

@@ -8,6 +8,7 @@ from ailment.expression import Op
 from angr.analyses.decompiler.structuring.structurer_nodes import ConditionNode
 from angr.analyses.decompiler.utils import (
     structured_node_is_simple_return,
+    structured_node_is_simple_return_strict,
     sequence_to_statements,
     structured_node_has_multi_predecessors,
 )
@@ -44,7 +45,7 @@ class FlipBooleanWalker(SequenceWalker):
                 and node.true_node is not None
                 and node.false_node is None
                 and idx < len(seq_node.nodes) - 1
-                and structured_node_is_simple_return(seq_node.nodes[idx + 1], self._graph)
+                and structured_node_is_simple_return_strict(seq_node.nodes[idx + 1])
                 and node not in type1_condition_nodes
             ):
                 # Type 2: Special Filter:

angr/analyses/decompiler/peephole_optimizations/__init__.py

@@ -8,6 +8,7 @@ from .a_sub_a_div_const_mul_const import ASubADivConstMulConst
 from .a_sub_a_shr_const_shr_const import ASubAShrConstShrConst
 from .arm_cmpf import ARMCmpF
 from .bswap import Bswap
+from .cas_intrinsics import CASIntrinsics
 from .coalesce_same_cascading_ifs import CoalesceSameCascadingIfs
 from .constant_derefs import ConstantDereferences
 from .const_mull_a_shift import ConstMullAShift
@@ -64,6 +65,7 @@ ALL_PEEPHOLE_OPTS: list[type[PeepholeOptimizationExprBase]] = [
     ASubAShrConstShrConst,
     ARMCmpF,
     Bswap,
+    CASIntrinsics,
     CoalesceSameCascadingIfs,
     ConstantDereferences,
     ConstMullAShift,

angr/analyses/decompiler/peephole_optimizations/cas_intrinsics.py

@@ -0,0 +1,115 @@
+# pylint:disable=arguments-differ,too-many-boolean-expressions
+from __future__ import annotations
+
+from ailment.expression import BinaryOp, Load
+from ailment.statement import CAS, ConditionalJump, Statement, Assignment, Call
+
+from .base import PeepholeOptimizationMultiStmtBase
+
+
+_INTRINSICS_NAMES = {
+    "xchg": {"Win32": "InterlockedExchange", "Linux": "atomic_exchange"},
+    "cmpxchg": {"Win32": "InterlockedCompareExchange", "Linux": "atomic_compare_exchange"},
+}
+
+
+class CASIntrinsics(PeepholeOptimizationMultiStmtBase):
+    """
+    Rewrite lock-prefixed instructions (or rather, their VEX/AIL forms) into intrinsic calls.
+
+    Case 1.
+
+                 mov eax, r12d
+    0x140014b57: xchg eax, [0x14000365f8]
+
+    LABEL_0x140014b57:
+    CAS(0x1400365f8<64>, Conv(64->32, vvar_365{reg 112}), Load(addr=0x1400365f8<64>, size=4, endness=Iend_LE),
+        vvar_27756)
+    if (CasCmpNE(vvar_27756, g_1400365f8))
+        goto LABEL_0x140014b57;
+
+    => vvar_27756 = _InterlockedExchange(0x1400365f8, vvar_365{reg 112})
+
+
+    Case 2.
+
+    lock cmpxchg cs:g_WarbirdSecureFunctionsLock, r14d
+
+    CAS(0x1400365f8<64>, 0x1<32>, 0x0<32>, vvar_27751)
+
+    => var_27751 = _InterlockedCompareExchange(0x1400365f8, 0x1<32>, 0x0<32>)
+    """
+
+    __slots__ = ()
+
+    NAME = "Rewrite compare-and-swap instructions into intrinsics."
+    stmt_classes = ((CAS, ConditionalJump), (CAS, Statement))
+
+    def optimize(self, stmts: list[Statement], stmt_idx: int | None = None, block=None, **kwargs):
+        assert len(stmts) == 2
+        cas_stmt = stmts[0]
+        next_stmt = stmts[1]
+        assert isinstance(cas_stmt, CAS)
+
+        # TODO: We ignored endianness. Are there cases where the endianness is different from the host's?
+
+        if (
+            isinstance(next_stmt, ConditionalJump)
+            and isinstance(next_stmt.condition, BinaryOp)
+            and next_stmt.condition.op == "CasCmpNE"
+            and next_stmt.ins_addr == cas_stmt.ins_addr
+        ):
+            addr = cas_stmt.addr
+            if (
+                isinstance(cas_stmt.expd_lo, Load)
+                and cas_stmt.expd_lo.addr.likes(addr)
+                and isinstance(next_stmt.condition.operands[1], Load)
+                and next_stmt.condition.operands[1].addr.likes(addr)
+                and cas_stmt.old_lo.likes(next_stmt.condition.operands[0])
+                and cas_stmt.old_hi is None
+            ):
+                # TODO: Support cases where cas_stmt.old_hi is not None
+                # Case 1
+                call_expr = Call(
+                    cas_stmt.idx,
+                    self._get_instrincs_name("xchg"),
+                    args=[addr, cas_stmt.data_lo],
+                    bits=cas_stmt.bits,
+                    ins_addr=cas_stmt.ins_addr,
+                )
+                stmt = Assignment(cas_stmt.idx, cas_stmt.old_lo, call_expr, **cas_stmt.tags)
+                return [stmt]
+
+        if next_stmt.ins_addr <= cas_stmt.ins_addr:
+            # avoid matching against statements prematurely
+            return None
+
+        if cas_stmt.old_hi is None:
+            # TODO: Support cases where cas_stmt.old_hi is not None
+            call_expr = Call(
+                cas_stmt.idx,
+                self._get_instrincs_name("cmpxchg"),
+                args=[
+                    cas_stmt.addr,
+                    cas_stmt.data_lo,
+                    cas_stmt.expd_lo,
+                ],
+                bits=cas_stmt.bits,
+                ins_addr=cas_stmt.ins_addr,
+            )
+            stmt = Assignment(cas_stmt.idx, cas_stmt.old_lo, call_expr, **cas_stmt.tags)
+            return [stmt, next_stmt]
+
+        return None
+
+    def _get_instrincs_name(self, mnemonic: str) -> str:
+        if mnemonic in _INTRINSICS_NAMES:
+            os = (
+                self.project.simos.name
+                if self.project is not None and self.project.simos is not None and self.project.simos.name is not None
+                else "Linux"
+            )
+            if os not in _INTRINSICS_NAMES[mnemonic]:
+                os = "Linux"
+            return _INTRINSICS_NAMES[mnemonic][os]
+        return mnemonic