angr 9.2.159__cp310-abi3-macosx_11_0_arm64.whl → 9.2.161__cp310-abi3-macosx_11_0_arm64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.159"
+__version__ = "9.2.161"
 
 if bytes is str:
     raise Exception(
@@ -192,6 +192,7 @@ from . import concretization_strategies
 from .distributed import Server
 from .knowledge_base import KnowledgeBase
 from .procedures.definitions import load_external_definitions
+from .emulator import Emulator, EmulatorStopReason
 
 # for compatibility reasons
 from . import sim_manager as manager
@@ -259,6 +260,8 @@ __all__ = (
     "AngrVaultError",
     "Blade",
     "Block",
+    "Emulator",
+    "EmulatorStopReason",
     "ExplorationTechnique",
     "KnowledgeBase",
     "PTChunk",

angr/analyses/decompiler/ail_simplifier.py

@@ -226,6 +226,15 @@ class AILSimplifier(Analysis):
             # reaching definition analysis results are no longer reliable
             self._clear_cache()
 
+        _l.debug("Rewriting constant expressions with phi variables")
+        phi_const_rewritten = self._rewrite_phi_const_exprs()
+        self.simplified |= phi_const_rewritten
+        if phi_const_rewritten:
+            _l.debug("... constant expressions with phi variables rewritten")
+            self._rebuild_func_graph()
+            # reaching definition analysis results are no longer reliable
+            self._clear_cache()
+
         if self._only_consts:
             return
 
@@ -698,6 +707,11 @@ class AILSimplifier(Analysis):
         if not replacements_by_block_addrs_and_idx:
             return False
 
+        return self._replace_exprs_in_blocks(replacements_by_block_addrs_and_idx)
+
+    def _replace_exprs_in_blocks(
+        self, replacements: dict[tuple[int, int | None], dict[CodeLocation, dict[Expression, Expression]]]
+    ) -> bool:
         blocks_by_addr_and_idx = {(node.addr, node.idx): node for node in self.func_graph.nodes()}
 
         if self._stack_arg_offsets:
@@ -706,7 +720,7 @@ class AILSimplifier(Analysis):
             insn_addrs_using_stack_args = None
 
         replaced = False
-        for (block_addr, block_idx), reps in replacements_by_block_addrs_and_idx.items():
+        for (block_addr, block_idx), reps in replacements.items():
             block = blocks_by_addr_and_idx[(block_addr, block_idx)]
 
             # only replace loads if there are stack arguments in this block
@@ -787,6 +801,72 @@ class AILSimplifier(Analysis):
 
         return changed
 
+    #
+    # Rewriting constant expressions with phi variables
+    #
+
+    def _rewrite_phi_const_exprs(self) -> bool:
+        """
+        Rewrite phi variables that are definitely constant expressions to constants.
+        """
+
+        # gather constant assignments
+
+        vvar_values: dict[int, tuple[int, int]] = {}
+        for block in self.func_graph:
+            for stmt in block.statements:
+                if (
+                    isinstance(stmt, Assignment)
+                    and isinstance(stmt.dst, VirtualVariable)
+                    and isinstance(stmt.src, Const)
+                    and isinstance(stmt.src.value, int)
+                ):
+                    vvar_values[stmt.dst.varid] = stmt.src.value, stmt.src.bits
+
+        srda = self._compute_reaching_definitions()
+        # compute vvar reachability for phi variables
+        # ensure that each phi variable is fully defined, i.e., all its source variables are defined
+        g = networkx.Graph()
+        for phi_vvar_id, vvar_ids in srda.phivarid_to_varids_with_unknown.items():
+            for vvar_id in vvar_ids:
+                # we cannot store None to networkx graph, so we use -1 to represent unknown source vvars
+                g.add_edge(phi_vvar_id, vvar_id if vvar_id is not None else -1)
+
+        phi_vvar_ids = srda.phi_vvar_ids
+        to_replace = {}
+        for cc in networkx.algorithms.connected_components(g):
+            if -1 in cc:
+                continue
+            normal_vvar_ids = cc.difference(phi_vvar_ids)
+            # ensure there is at least one phi variable and all remaining vvars are constant non-phi variables
+            if len(normal_vvar_ids) < len(cc) and len(normal_vvar_ids.intersection(vvar_values)) == len(
+                normal_vvar_ids
+            ):
+                all_values = {vvar_values[vvar_id] for vvar_id in normal_vvar_ids}
+                if len(all_values) == 1:
+                    # found it!
+                    value, bits = next(iter(all_values))
+                    for var_id in cc:
+                        to_replace[var_id] = value, bits
+
+        # build the replacement dictionary
+        blocks_dict = {(node.addr, node.idx): node for node in self.func_graph.nodes()}
+        replacements: dict[tuple[int, int | None], dict[CodeLocation, dict[Expression, Expression]]] = defaultdict(dict)
+        for vvar_id, (value, bits) in to_replace.items():
+            for expr, use_loc in srda.all_vvar_uses[vvar_id]:
+                if expr is None:
+                    continue
+                assert use_loc.block_addr is not None
+                key = use_loc.block_addr, use_loc.block_idx
+                stmt = blocks_dict[key].statements[use_loc.stmt_idx]
+                if is_phi_assignment(stmt):
+                    continue
+                if use_loc not in replacements[key]:
+                    replacements[key][use_loc] = {}
+                replacements[key][use_loc][expr] = Const(None, None, value, bits, **expr.tags)
+
+        return self._replace_exprs_in_blocks(replacements) if replacements else False
+
     #
     # Unifying local variables
     #

angr/analyses/decompiler/block_simplifier.py

@@ -330,18 +330,20 @@ class BlockSimplifier(Analysis):
         for idx, stmt in enumerate(block.statements):
             if type(stmt) is Assignment:
                 # tmps can't execute new code
-                if type(stmt.dst) is Tmp and stmt.dst.tmp_idx not in used_tmps:
-                    continue
+                if (type(stmt.dst) is Tmp and stmt.dst.tmp_idx not in used_tmps) or idx in dead_defs_stmt_idx:
+                    # is it assigning to an unused tmp or a dead virgin?
 
-                # is it a dead virgin?
-                if idx in dead_defs_stmt_idx:
                     # does .src involve any Call expressions? if so, we cannot remove it
                     walker = HasCallExprWalker()
                     walker.walk_expression(stmt.src)
                     if not walker.has_call_expr:
                         continue
 
-                if stmt.src == stmt.dst:
+                    if type(stmt.dst) is Tmp and isinstance(stmt.src, Call):
+                        # eliminate the assignment and replace it with the call
+                        stmt = stmt.src
+
+                if isinstance(stmt, Assignment) and stmt.src == stmt.dst:
                     continue
 
             new_statements.append(stmt)

angr/analyses/decompiler/clinic.py

@@ -143,7 +143,8 @@ class Clinic(Analysis):
         desired_variables: set[str] | None = None,
         force_loop_single_exit: bool = True,
         complete_successors: bool = False,
-        max_type_constraints: int = 4000,
+        max_type_constraints: int = 100_000,
+        type_constraint_set_degradation_threshold: int = 150,
         ail_graph: networkx.DiGraph | None = None,
         arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]] | None = None,
         start_stage: ClinicStage | None = ClinicStage.INITIALIZATION,
@@ -185,6 +186,7 @@ class Clinic(Analysis):
         self._cache = cache
         self._mode = mode
         self._max_type_constraints = max_type_constraints
+        self._type_constraint_set_degradation_threshold = type_constraint_set_degradation_threshold
         self.vvar_id_start = vvar_id_start
         self.vvar_to_vvar: dict[int, int] | None = None
         # during SSA conversion, we create secondary stack variables because they overlap and are larger than the
@@ -1814,6 +1816,7 @@ class Clinic(Analysis):
             self.function,  # pylint:disable=unused-variable
             fail_fast=self._fail_fast,  # type:ignore
             func_graph=ail_graph,
+            entry_node_addr=self.entry_node_addr,
             kb=tmp_kb,  # type:ignore
             track_sp=False,
             func_args=arg_list,
@@ -1871,6 +1874,7 @@ class Clinic(Analysis):
                     must_struct=must_struct,
                     ground_truth=groundtruth,
                     stackvar_max_sizes=tv_max_sizes,
+                    constraint_set_degradation_threshold=self._type_constraint_set_degradation_threshold,
                 )
                 # tp.pp_constraints()
                 # tp.pp_solution()

angr/analyses/decompiler/decompiler.py

@@ -23,7 +23,7 @@ from .ailgraph_walker import AILGraphWalker
 from .condition_processor import ConditionProcessor
 from .decompilation_options import DecompilationOption
 from .decompilation_cache import DecompilationCache
-from .utils import remove_labels, remove_edges_in_ailgraph
+from .utils import remove_edges_in_ailgraph
 from .sequence_walker import SequenceWalker
 from .structuring.structurer_nodes import SequenceNode
 from .presets import DECOMPILATION_PRESETS, DecompilationPreset
@@ -319,12 +319,8 @@ class Decompiler(Analysis):
         # removed!
         remove_edges_in_ailgraph(clinic.graph, clinic.edges_to_remove)
 
-        # Rewrite the graph to remove phi expressions
-        # this is probably optional if we do not pretty-print clinic.graph
-        clinic.graph = self._transform_graph_from_ssa(clinic.graph)
-
         # save the graph before structuring happens (for AIL view)
-        clinic.cc_graph = remove_labels(clinic.copy_graph())
+        clinic.cc_graph = clinic.copy_graph()
 
         codegen = None
         seq_node = None
@@ -357,7 +353,7 @@ class Decompiler(Analysis):
             )
 
             # rewrite the sequence node to remove phi expressions
-            seq_node = self._transform_seqnode_from_ssa(seq_node)
+            seq_node = self.transform_seqnode_from_ssa(seq_node)
 
             # update memory data
             if self._cfg is not None and self._update_memory_data:
@@ -670,14 +666,21 @@ class Decompiler(Analysis):
             memory_data_addrs=added_memory_data_addrs,
         )
 
-    def _transform_graph_from_ssa(self, ail_graph: networkx.DiGraph) -> networkx.DiGraph:
+    def transform_graph_from_ssa(self, ail_graph: networkx.DiGraph) -> networkx.DiGraph:
+        """
+        Translate an SSA AIL graph out of SSA form. This is useful for producing a non-SSA AIL graph for displaying in
+        angr management.
+
+        :param ail_graph:   The AIL graph to transform out of SSA form.
+        :return:            The translated AIL graph.
+        """
         variable_kb = self._variable_kb
         dephication = self.project.analyses.GraphDephication(
             self.func, ail_graph, rewrite=True, variable_kb=variable_kb, kb=self.kb, fail_fast=self._fail_fast
         )
         return dephication.output
 
-    def _transform_seqnode_from_ssa(self, seq_node: SequenceNode) -> SequenceNode:
+    def transform_seqnode_from_ssa(self, seq_node: SequenceNode) -> SequenceNode:
         variable_kb = self._variable_kb
         dephication = self.project.analyses.SeqNodeDephication(
             self.func, seq_node, rewrite=True, variable_kb=variable_kb, kb=self.kb, fail_fast=self._fail_fast

angr/analyses/decompiler/peephole_optimizations/__init__.py

@@ -4,14 +4,14 @@ from .a_div_const_add_a_mul_n_div_const import ADivConstAddAMulNDivConst
 from .a_mul_const_div_shr_const import AMulConstDivShrConst
 from .a_shl_const_sub_a import AShlConstSubA
 from .a_sub_a_div import ASubADiv
-from .a_sub_a_div_const_mul_const import ASubADivConstMulConst
+from .modulo_simplifier import ModuloSimplifier
 from .a_sub_a_shr_const_shr_const import ASubAShrConstShrConst
 from .arm_cmpf import ARMCmpF
 from .bswap import Bswap
 from .cas_intrinsics import CASIntrinsics
 from .coalesce_same_cascading_ifs import CoalesceSameCascadingIfs
 from .constant_derefs import ConstantDereferences
-from .const_mull_a_shift import ConstMullAShift
+from .optimized_div_simplifier import OptimizedDivisionSimplifier
 from .extended_byte_and_mask import ExtendedByteAndMask
 from .remove_empty_if_body import RemoveEmptyIfBody
 from .remove_redundant_ite_branch import RemoveRedundantITEBranches
@@ -61,14 +61,14 @@ ALL_PEEPHOLE_OPTS: list[type[PeepholeOptimizationExprBase]] = [
     AShlConstSubA,
     AMulConstSubA,
     ASubADiv,
-    ASubADivConstMulConst,
+    ModuloSimplifier,
     ASubAShrConstShrConst,
     ARMCmpF,
     Bswap,
     CASIntrinsics,
     CoalesceSameCascadingIfs,
     ConstantDereferences,
-    ConstMullAShift,
+    OptimizedDivisionSimplifier,
     ExtendedByteAndMask,
     RemoveEmptyIfBody,
     RemoveRedundantITEBranches,

angr/analyses/decompiler/peephole_optimizations/eager_eval.py

@@ -170,6 +170,10 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
             if isinstance(expr.operands[0], Const) and expr.operands[0].value == 0:
                 return UnaryOp(expr.idx, "Neg", expr.operands[1], **expr.tags)
 
+            r = EagerEvaluation._combine_like_terms(expr)
+            if r is not None:
+                return r
+
             if isinstance(expr.operands[0], StackBaseOffset) and isinstance(expr.operands[1], StackBaseOffset):
                 assert isinstance(expr.operands[0].offset, int) and isinstance(expr.operands[1].offset, int)
                 return Const(expr.idx, None, expr.operands[0].offset - expr.operands[1].offset, expr.bits, **expr.tags)
@@ -354,6 +358,55 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
 
         return None
 
+    @staticmethod
+    def _combine_like_terms(expr: BinaryOp) -> BinaryOp | None:
+        """
+        Combine like terms for binary operations.
+        """
+
+        op = expr.op
+        assert op in {"Add", "Sub"}
+
+        expr0, expr1 = expr.operands
+
+        conv = None
+        if isinstance(expr0, Convert) and expr0.from_bits < expr0.to_bits:
+            conv = expr0.from_bits, expr0.to_bits, expr0.is_signed
+            expr0 = expr0.operand
+
+        if isinstance(expr0, BinaryOp) and expr0.op == "Mul" and isinstance(expr0.operands[1], Const):
+            n = expr0.operands[0]
+
+            if isinstance(n, Convert) and n.from_bits > n.to_bits:
+                if conv is not None and (n.to_bits, n.from_bits, n.is_signed) != conv:
+                    return None
+                n = n.operand
+
+            if n.likes(expr1):
+                # (n * C) - n  ==>  (C - 1) * n
+                coeff_0 = expr0.operands[1]
+                coeff = Const(coeff_0.idx, None, coeff_0.value - 1, expr.bits, **coeff_0.tags)
+                return BinaryOp(
+                    expr.idx, "Mul", [n, coeff], expr.signed, variable=expr.variable, bits=expr.bits, **expr.tags
+                )
+            if isinstance(expr1, BinaryOp) and expr1.op == "Mul" and isinstance(expr.operands[1].operands[1], Const):
+                n1 = expr.operands[1].operands[0]
+                if n.likes(n1):
+                    # (n * C) - (n1 * C1)  ==>  n * (C - C1)
+                    coeff_0 = expr0.operands[1]
+                    coeff_1 = expr1.operands[1]
+                    coeff = Const(coeff_0.idx, None, coeff_0.value - coeff_1.value, expr.bits, **coeff_0.tags)
+                    return BinaryOp(
+                        expr.idx,
+                        "Mul",
+                        [n, coeff],
+                        expr.signed,
+                        variable=expr.variable,
+                        bits=expr.bits,
+                        **expr.tags,
+                    )
+        return None
+
     @staticmethod
     def _optimize_unaryop(expr: UnaryOp):
         if expr.op == "Neg" and isinstance(expr.operand, Const) and isinstance(expr.operand.value, int):

angr/analyses/decompiler/peephole_optimizations/modulo_simplifier.py

@@ -0,0 +1,89 @@
+# pylint:disable=too-many-boolean-expressions
+from __future__ import annotations
+from angr.ailment.expression import BinaryOp, Const, Convert
+
+from .base import PeepholeOptimizationExprBase
+
+
+class ModuloSimplifier(PeepholeOptimizationExprBase):
+    """
+    Simplify division and multiplication expressions that can be reduced to a modulo operation.
+    """
+
+    __slots__ = ()
+
+    NAME = "a - (a / N) * N => a % N"
+    expr_classes = (BinaryOp,)
+
+    def optimize(  # pylint:disable=unused-argument
+        self, expr: BinaryOp, stmt_idx: int | None = None, block=None, **kwargs
+    ):
+        if expr.op == "Sub" and len(expr.operands) == 2:
+            sub0, sub1 = expr.operands
+            # unpack Conversions
+            outer_conv_expr = None
+            if (
+                isinstance(sub0, Convert)
+                and isinstance(sub1, Convert)
+                and sub0.to_bits == sub1.to_bits
+                and sub0.from_bits == sub1.from_bits
+                and sub0.to_bits > sub0.from_bits
+                and sub0.is_signed == sub1.is_signed
+            ):
+                # Convert(a) - Convert(a / N * N)  ==> Convert(a % N)
+                outer_conv_expr = sub0
+                sub0 = sub0.operand
+                sub1 = sub1.operand
+
+            if isinstance(sub1, BinaryOp) and sub1.op == "Mul" and isinstance(sub1.operands[1], Const):
+                a0, op1 = sub0, sub1
+                op1_left = op1.operands[0]
+                mul_const = sub1.operands[1]
+
+                if (
+                    isinstance(op1_left, Convert)
+                    and isinstance(a0, Convert)
+                    and op1_left.to_bits == a0.to_bits
+                    and op1_left.from_bits == a0.from_bits
+                ):
+                    # Convert(a) - (Convert(a / N)) * N  ==>  Convert(a) % N
+                    inner_conv_expr = a0
+                    a0 = a0.operand
+                    op1_left = op1_left.operand
+                else:
+                    inner_conv_expr = None
+
+                if isinstance(op1_left, BinaryOp) and op1_left.op == "Div" and isinstance(op1_left.operands[1], Const):
+                    # a - (a / N) * N  ==>  a % N
+                    a1 = op1_left.operands[0]
+                    div_const = op1_left.operands[1]
+
+                    if a0.likes(a1) and mul_const.value == div_const.value:
+                        operands = [a0, div_const]
+                        mod = BinaryOp(expr.idx, "Mod", operands, False, bits=a0.bits, **expr.tags)
+                        if inner_conv_expr is not None:
+                            conv_from_bits = inner_conv_expr.from_bits
+                            conv_to_bits = (
+                                inner_conv_expr.to_bits if outer_conv_expr is None else outer_conv_expr.to_bits
+                            )
+                            conv_signed = inner_conv_expr.is_signed
+                            conv_expr = inner_conv_expr
+                        elif outer_conv_expr is not None:
+                            conv_from_bits = outer_conv_expr.from_bits
+                            conv_to_bits = outer_conv_expr.to_bits
+                            conv_signed = outer_conv_expr.is_signed
+                            conv_expr = outer_conv_expr
+                        else:
+                            # no conversion necessary
+                            return mod
+
+                        return Convert(
+                            conv_expr.idx,
+                            conv_from_bits,
+                            conv_to_bits,
+                            conv_signed,
+                            mod,
+                            **conv_expr.tags,
+                        )
+
+        return None

angr/analyses/decompiler/peephole_optimizations/{const_mull_a_shift.py → optimized_div_simplifier.py}

@@ -1,22 +1,25 @@
 # pylint:disable=too-many-boolean-expressions
 from __future__ import annotations
+import math
 
 from angr.ailment.expression import Convert, BinaryOp, Const, Expression
 
 from .base import PeepholeOptimizationExprBase
 
 
-class ConstMullAShift(PeepholeOptimizationExprBase):
+class OptimizedDivisionSimplifier(PeepholeOptimizationExprBase):
     """
     Convert expressions with right shifts into expressions with divisions.
     """
 
     __slots__ = ()
 
-    NAME = "Conv(64->32, (N * a) >> M) => a / N1"
+    NAME = "Simplify optimized division expressions, e.g., (N * a) >> M => a / N1"
     expr_classes = (Convert, BinaryOp)
 
-    def optimize(self, expr: Convert | BinaryOp, **kwargs):
+    def optimize(  # pylint:disable=unused-argument
+        self, expr: Convert | BinaryOp, stmt_idx: int | None = None, block=None, **kwargs
+    ):
         r = None
 
         if isinstance(expr, Convert):
@@ -37,28 +40,16 @@ class ConstMullAShift(PeepholeOptimizationExprBase):
             # try to unify if both operands are wrapped with Convert()
             conv_expr = self._unify_conversion(original_expr)
             expr = original_expr if conv_expr is None else conv_expr.operand
+            assert isinstance(expr, BinaryOp)
 
             if expr.op == "Shr" and isinstance(expr.operands[1], Const):
-                # (N * a) >> M  ==>  a / N1
-                inner = expr.operands[0]
-                if isinstance(inner, BinaryOp) and inner.op in {"Mull", "Mul"} and not inner.signed:
-                    if isinstance(inner.operands[0], Const) and not isinstance(inner.operands[1], Const):
-                        C = inner.operands[0].value
-                        X = inner.operands[1]
-                    elif isinstance(inner.operands[1], Const) and not isinstance(inner.operands[0], Const):
-                        C = inner.operands[1].value
-                        X = inner.operands[0]
-                    else:
-                        C = X = None
-
-                    if C is not None and X is not None:
-                        V = expr.operands[1].value
-                        ndigits = 5 if V == 32 else 6
-                        divisor = self._check_divisor(pow(2, V), C, ndigits)
-                        if divisor is not None:
-                            new_const = Const(None, None, divisor, X.bits)
-                            r = BinaryOp(inner.idx, "Div", [X, new_const], inner.signed, **inner.tags)
-                            return self._reconvert(r, conv_expr) if conv_expr is not None else r
+                r = self._match_case_b(expr)
+                if r is not None:
+                    return self._reconvert(r, conv_expr) if conv_expr is not None else r
+                assert isinstance(expr.operands[1].value, int)
+                r = self._match_case_c(expr.operands[0], expr.operands[1].value)
+                if r is not None:
+                    return self._reconvert(r, conv_expr) if conv_expr is not None else r
 
             elif expr.op in {"Add", "Sub"}:
                 expr0, expr1 = expr.operands
@@ -119,13 +110,13 @@ class ConstMullAShift(PeepholeOptimizationExprBase):
 
         return None
 
-    def _match_case_a(self, expr0: Expression, expr1_op: Convert) -> BinaryOp | None:
+    def _match_case_a(self, expr0: Expression, expr1: Convert) -> BinaryOp | None:
         # (
         #   (((Conv(32->64, vvar_44{reg 32}) * 0x4325c53f<64>) >>a 0x24<8>) & 0xffffffff<64>) -
         #   Conv(32->s64, (vvar_44{reg 32} >>a 0x1f<8>))
         # )
 
-        expr1_op = expr1_op.operand
+        expr1_op = expr1.operand
 
         if (
             isinstance(expr0, BinaryOp)
@@ -187,6 +178,129 @@ class ConstMullAShift(PeepholeOptimizationExprBase):
 
         return None
 
+    @staticmethod
+    def _match_case_b(expr: BinaryOp) -> BinaryOp | Convert | None:
+        """
+        A more complex (but general) case for unsigned 32-bit division by a constant integer.
+
+        Ref: https://ridiculousfish.com/blog/posts/labor-of-division-episode-i.html
+
+        Given n and d, n//d (unsigned) can be rewritten to t >> (p - 1) where
+        - p = ceiling(log2(d))
+        - m = ceiling((2 ** (32 + p) / d))
+        - q = (m * n) >> 32
+        - t = q + ((n - q) >> 1)
+
+        We can match the expression against  t >> (p - 1).
+        """
+
+        # t >> (p - 1)
+        if not (isinstance(expr, BinaryOp) and expr.op == "Shr"):
+            return None
+        if not (isinstance(expr.operands[1], Const) and expr.operands[1].value > 0):
+            return None
+        p_minus_1 = expr.operands[1].value
+        p = p_minus_1 + 1
+        t = expr.operands[0]
+
+        # unmask
+        if isinstance(t, BinaryOp) and t.op == "And":
+            if isinstance(t.operands[1], Const) and t.operands[1].value == 0xFFFFFFFF:
+                t = t.operands[0]
+            elif isinstance(t.operands[0], Const) and t.operands[0].value == 0xFFFFFFFF:
+                t = t.operands[1]
+            else:
+                return None
+
+        # t = q + ((n - q) >> 1)
+        if not (isinstance(t, BinaryOp) and t.op == "Add"):
+            return None
+
+        if (
+            isinstance(t.operands[0], BinaryOp)
+            and t.operands[0].op == "Shr"
+            and isinstance(t.operands[0].operands[1], Const)
+            and t.operands[0].operands[1].value == 1
+        ):
+            q = t.operands[1]
+            n_minus_q = t.operands[0].operands[0]
+        elif (
+            isinstance(t.operands[1], BinaryOp)
+            and t.operands[1].op == "Shr"
+            and isinstance(t.operands[1].operands[1], Const)
+            and t.operands[1].operands[1].value == 1
+        ):
+            q = t.operands[0]
+            n_minus_q = t.operands[1]
+        else:
+            return None
+        if isinstance(q, Convert) and q.from_bits == 64 and q.to_bits == 32:
+            q = q.operand
+        if isinstance(n_minus_q, Convert) and n_minus_q.from_bits == 64 and n_minus_q.to_bits == 32:
+            n_minus_q = n_minus_q.operand
+
+        # unmask
+        if isinstance(n_minus_q, BinaryOp) and n_minus_q.op == "And":
+            if isinstance(n_minus_q.operands[1], Const) and n_minus_q.operands[1].value == 0xFFFFFFFF:
+                n_minus_q = n_minus_q.operands[0]
+            elif isinstance(n_minus_q.operands[0], Const) and n_minus_q.operands[0].value == 0xFFFFFFFF:
+                n_minus_q = n_minus_q.operands[1]
+            else:
+                return None
+
+        if not (isinstance(n_minus_q, BinaryOp) and n_minus_q.op == "Sub"):
+            return None
+        if not q.likes(n_minus_q.operands[1]):
+            return None
+
+        # q = (m * n) >> 32
+        if not (
+            isinstance(q, BinaryOp) and q.op == "Shr" and isinstance(q.operands[1], Const) and q.operands[1].value == 32
+        ):
+            return None
+        if not (isinstance(q.operands[0], BinaryOp) and q.operands[0].op in {"Mull", "Mul"}):
+            return None
+        if isinstance(q.operands[0].operands[1], Const):
+            n = q.operands[0].operands[0]
+            m = q.operands[0].operands[1].value
+        elif isinstance(q.operands[0].operands[0], Const):
+            n = q.operands[0].operands[1]
+            m = q.operands[0].operands[0].value
+        else:
+            # this should never happen, because multiplication of two constants are eagerly evaluated
+            return None
+
+        assert isinstance(m, int) and isinstance(p, int)
+        divisor = math.ceil((2 ** (32 + p)) / (m + 0x1_0000_0000))
+        if divisor == 0:
+            return None
+        divisor_expr = Const(None, None, divisor, n.bits)
+        div = BinaryOp(expr.idx, "Div", [n, divisor_expr], signed=False, **expr.tags)
+        if expr.bits != div.bits:
+            div = Convert(expr.idx, div.bits, expr.bits, False, div, **expr.tags)
+        return div
+
+    def _match_case_c(self, inner, m: int) -> BinaryOp | None:
+        # (N * a) >> M  ==>  a / N1
+        if isinstance(inner, BinaryOp) and inner.op in {"Mull", "Mul"} and not inner.signed:
+            if isinstance(inner.operands[0], Const) and not isinstance(inner.operands[1], Const):
+                C = inner.operands[0].value
+                X = inner.operands[1]
+            elif isinstance(inner.operands[1], Const) and not isinstance(inner.operands[0], Const):
+                C = inner.operands[1].value
+                X = inner.operands[0]
+            else:
+                C = X = None
+
+            if C is not None and X is not None:
+                V = m
+                ndigits = 5 if V == 32 else 6
+                divisor = self._check_divisor(pow(2, V), C, ndigits)
+                if divisor is not None:
+                    new_const = Const(None, None, divisor, X.bits)
+                    return BinaryOp(inner.idx, "Div", [X, new_const], inner.signed, **inner.tags)
+        return None
+
     @staticmethod
     def _check_divisor(a, b, ndigits=6):
         if b == 0: