angr 9.2.160__cp310-abi3-macosx_10_9_x86_64.whl → 9.2.162__cp310-abi3-macosx_10_9_x86_64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.160"
+__version__ = "9.2.162"
 
 if bytes is str:
     raise Exception(
@@ -192,6 +192,7 @@ from . import concretization_strategies
 from .distributed import Server
 from .knowledge_base import KnowledgeBase
 from .procedures.definitions import load_external_definitions
+from .emulator import Emulator, EmulatorStopReason
 
 # for compatibility reasons
 from . import sim_manager as manager
@@ -259,6 +260,8 @@ __all__ = (
     "AngrVaultError",
     "Blade",
     "Block",
+    "Emulator",
+    "EmulatorStopReason",
     "ExplorationTechnique",
     "KnowledgeBase",
     "PTChunk",

angr/analyses/analysis.py

@@ -1,4 +1,3 @@
-# ruff: noqa: F401
 from __future__ import annotations
 import functools
 import sys

angr/analyses/cfg/cfg_base.py

@@ -2566,7 +2566,11 @@ class CFGBase(Analysis):
         """
 
         if arch.name == "X86" or arch.name == "AMD64":
-            if set(block.bytes) == {0x90}:
+            block_bytes_set = set(block.bytes)
+            if block_bytes_set == {0x90}:
+                return True
+            if block_bytes_set == {0xCC}:
+                # technically this is not a no-op, but for our purposes we can settle for now
                 return True
         elif arch.name == "MIPS32":
             if arch.memory_endness == "Iend_BE":

angr/analyses/decompiler/ail_simplifier.py

@@ -10,7 +10,16 @@ import networkx
 
 from angr.ailment import AILBlockWalker
 from angr.ailment.block import Block
-from angr.ailment.statement import Statement, Assignment, Store, Call, ConditionalJump, DirtyStatement, WeakAssignment
+from angr.ailment.statement import (
+    Statement,
+    Assignment,
+    Store,
+    Call,
+    ConditionalJump,
+    DirtyStatement,
+    WeakAssignment,
+    Return,
+)
 from angr.ailment.expression import (
     Register,
     Convert,
@@ -226,6 +235,15 @@ class AILSimplifier(Analysis):
             # reaching definition analysis results are no longer reliable
             self._clear_cache()
 
+        _l.debug("Rewriting constant expressions with phi variables")
+        phi_const_rewritten = self._rewrite_phi_const_exprs()
+        self.simplified |= phi_const_rewritten
+        if phi_const_rewritten:
+            _l.debug("... constant expressions with phi variables rewritten")
+            self._rebuild_func_graph()
+            # reaching definition analysis results are no longer reliable
+            self._clear_cache()
+
         if self._only_consts:
             return
 
@@ -698,6 +716,11 @@ class AILSimplifier(Analysis):
         if not replacements_by_block_addrs_and_idx:
             return False
 
+        return self._replace_exprs_in_blocks(replacements_by_block_addrs_and_idx)
+
+    def _replace_exprs_in_blocks(
+        self, replacements: dict[tuple[int, int | None], dict[CodeLocation, dict[Expression, Expression]]]
+    ) -> bool:
         blocks_by_addr_and_idx = {(node.addr, node.idx): node for node in self.func_graph.nodes()}
 
         if self._stack_arg_offsets:
@@ -706,7 +729,7 @@ class AILSimplifier(Analysis):
             insn_addrs_using_stack_args = None
 
         replaced = False
-        for (block_addr, block_idx), reps in replacements_by_block_addrs_and_idx.items():
+        for (block_addr, block_idx), reps in replacements.items():
             block = blocks_by_addr_and_idx[(block_addr, block_idx)]
 
             # only replace loads if there are stack arguments in this block
@@ -787,6 +810,72 @@ class AILSimplifier(Analysis):
 
         return changed
 
+    #
+    # Rewriting constant expressions with phi variables
+    #
+
+    def _rewrite_phi_const_exprs(self) -> bool:
+        """
+        Rewrite phi variables that are definitely constant expressions to constants.
+        """
+
+        # gather constant assignments
+
+        vvar_values: dict[int, tuple[int, int]] = {}
+        for block in self.func_graph:
+            for stmt in block.statements:
+                if (
+                    isinstance(stmt, Assignment)
+                    and isinstance(stmt.dst, VirtualVariable)
+                    and isinstance(stmt.src, Const)
+                    and isinstance(stmt.src.value, int)
+                ):
+                    vvar_values[stmt.dst.varid] = stmt.src.value, stmt.src.bits
+
+        srda = self._compute_reaching_definitions()
+        # compute vvar reachability for phi variables
+        # ensure that each phi variable is fully defined, i.e., all its source variables are defined
+        g = networkx.Graph()
+        for phi_vvar_id, vvar_ids in srda.phivarid_to_varids_with_unknown.items():
+            for vvar_id in vvar_ids:
+                # we cannot store None to networkx graph, so we use -1 to represent unknown source vvars
+                g.add_edge(phi_vvar_id, vvar_id if vvar_id is not None else -1)
+
+        phi_vvar_ids = srda.phi_vvar_ids
+        to_replace = {}
+        for cc in networkx.algorithms.connected_components(g):
+            if -1 in cc:
+                continue
+            normal_vvar_ids = cc.difference(phi_vvar_ids)
+            # ensure there is at least one phi variable and all remaining vvars are constant non-phi variables
+            if len(normal_vvar_ids) < len(cc) and len(normal_vvar_ids.intersection(vvar_values)) == len(
+                normal_vvar_ids
+            ):
+                all_values = {vvar_values[vvar_id] for vvar_id in normal_vvar_ids}
+                if len(all_values) == 1:
+                    # found it!
+                    value, bits = next(iter(all_values))
+                    for var_id in cc:
+                        to_replace[var_id] = value, bits
+
+        # build the replacement dictionary
+        blocks_dict = {(node.addr, node.idx): node for node in self.func_graph.nodes()}
+        replacements: dict[tuple[int, int | None], dict[CodeLocation, dict[Expression, Expression]]] = defaultdict(dict)
+        for vvar_id, (value, bits) in to_replace.items():
+            for expr, use_loc in srda.all_vvar_uses[vvar_id]:
+                if expr is None:
+                    continue
+                assert use_loc.block_addr is not None
+                key = use_loc.block_addr, use_loc.block_idx
+                stmt = blocks_dict[key].statements[use_loc.stmt_idx]
+                if is_phi_assignment(stmt):
+                    continue
+                if use_loc not in replacements[key]:
+                    replacements[key][use_loc] = {}
+                replacements[key][use_loc][expr] = Const(None, None, value, bits, **expr.tags)
+
+        return self._replace_exprs_in_blocks(replacements) if replacements else False
+
     #
     # Unifying local variables
     #
@@ -1563,6 +1652,11 @@ class AILSimplifier(Analysis):
         stackarg_offsets = (
             {(tpl[1] & mask) for tpl in self._stack_arg_offsets} if self._stack_arg_offsets is not None else None
         )
+        retpoints: set[tuple[int, int]] = {
+            (node.addr, node.idx)
+            for node in self.func_graph
+            if node.statements and isinstance(node.statements[-1], Return) and self.func_graph.out_degree[node] == 0
+        }
 
         while True:
             new_dead_vars_found = False
@@ -1596,6 +1690,11 @@ class AILSimplifier(Analysis):
                             elif vvar_id in self._secondary_stackvars:
                                 # secondary stack variables are potentially removable
                                 pass
+                            elif (def_codeloc.block_addr, def_codeloc.block_idx) in retpoints:
+                                # slack variable assignments in endpoint blocks are potentially removable.
+                                # note that this is a hack! we should rely on more reliable stack variable
+                                # eliminatability detection.
+                                pass
                             elif stackarg_offsets is not None:
                                 # we always remove definitions for stack arguments
                                 assert vvar.stack_offset is not None

angr/analyses/decompiler/block_simplifier.py

@@ -5,15 +5,14 @@ from typing import TYPE_CHECKING
 from collections.abc import Iterable, Mapping
 
 from angr.ailment.statement import Statement, Assignment, Call, Store, Jump
-from angr.ailment.expression import Tmp, Load, Const, Register, Convert, Expression
+from angr.ailment.expression import Tmp, Load, Const, Register, Convert, Expression, VirtualVariable
 from angr.ailment import AILBlockWalkerBase
-
 from angr.code_location import ExternalCodeLocation, CodeLocation
-
 from angr.knowledge_plugins.key_definitions import atoms
 from angr.analyses.s_propagator import SPropagatorAnalysis
 from angr.analyses.s_reaching_definitions import SReachingDefinitionsAnalysis, SRDAModel
 from angr.analyses import Analysis, register_analysis
+from angr.utils.ssa import has_reference_to_vvar
 from .peephole_optimizations import (
     MULTI_STMT_OPTS,
     STMT_OPTS,
@@ -247,6 +246,10 @@ class BlockSimplifier(Analysis):
                         # don't replace
                         r = False
                         new_stmt = None
+                    elif isinstance(old, VirtualVariable) and has_reference_to_vvar(stmt, old.varid):
+                        # never replace an l-value with an r-value
+                        r = False
+                        new_stmt = None
                     elif isinstance(stmt, Call) and isinstance(new, Call) and old == stmt.ret_expr:
                         # special case: do not replace the ret_expr of a call statement to another call statement
                         r = False
@@ -330,18 +333,20 @@ class BlockSimplifier(Analysis):
         for idx, stmt in enumerate(block.statements):
             if type(stmt) is Assignment:
                 # tmps can't execute new code
-                if type(stmt.dst) is Tmp and stmt.dst.tmp_idx not in used_tmps:
-                    continue
+                if (type(stmt.dst) is Tmp and stmt.dst.tmp_idx not in used_tmps) or idx in dead_defs_stmt_idx:
+                    # is it assigning to an unused tmp or a dead virgin?
 
-                # is it a dead virgin?
-                if idx in dead_defs_stmt_idx:
                     # does .src involve any Call expressions? if so, we cannot remove it
                     walker = HasCallExprWalker()
                     walker.walk_expression(stmt.src)
                     if not walker.has_call_expr:
                         continue
 
-                if stmt.src == stmt.dst:
+                    if type(stmt.dst) is Tmp and isinstance(stmt.src, Call):
+                        # eliminate the assignment and replace it with the call
+                        stmt = stmt.src
+
+                if isinstance(stmt, Assignment) and stmt.src == stmt.dst:
                     continue
 
             new_statements.append(stmt)

angr/analyses/decompiler/clinic.py

@@ -1816,6 +1816,7 @@ class Clinic(Analysis):
             self.function,  # pylint:disable=unused-variable
             fail_fast=self._fail_fast,  # type:ignore
             func_graph=ail_graph,
+            entry_node_addr=self.entry_node_addr,
             kb=tmp_kb,  # type:ignore
             track_sp=False,
             func_args=arg_list,

angr/analyses/decompiler/condition_processor.py

@@ -241,6 +241,30 @@ class ConditionProcessor:
         self.guarding_conditions = {}
         self._ast2annotations = {}
 
+    def have_opposite_edge_conditions(self, graph: networkx.DiGraph, src, dst0, dst1) -> bool:
+        """
+        Check if the edge conditions of two edges (src, dst0) and (src, dst1) are opposite to each other. Try to avoid
+        condition translation if possible.
+        """
+
+        if src in graph and graph.out_degree[src] == 2 and graph.has_edge(src, dst0) and graph.has_edge(src, dst1):
+            # sometimes the last statement is the conditional jump. sometimes it's the first statement of the block
+            if isinstance(src, ailment.Block) and src.statements and is_head_controlled_loop_block(src):
+                last_stmt = next(
+                    iter(stmt for stmt in src.statements[:-1] if isinstance(stmt, ailment.Stmt.ConditionalJump)), None
+                )
+                assert last_stmt is not None
+            else:
+                last_stmt = self.get_last_statement(src)
+
+            if isinstance(last_stmt, ailment.Stmt.ConditionalJump):
+                return True
+
+        # fallback
+        edge_cond_left = self.recover_edge_condition(graph, src, dst0)
+        edge_cond_right = self.recover_edge_condition(graph, src, dst1)
+        return claripy.is_true(claripy.Not(edge_cond_left) == edge_cond_right)  # type: ignore
+
     def recover_edge_condition(self, graph: networkx.DiGraph, src, dst):
         edge = src, dst
         edge_data = graph.get_edge_data(*edge)

angr/analyses/decompiler/counters/call_counter.py

@@ -2,7 +2,7 @@ from __future__ import annotations
 from typing import TYPE_CHECKING
 
 from angr.ailment import Block
-from angr.ailment.statement import Label
+from angr.ailment.statement import Label, ConditionalJump
 from angr.ailment.block_walker import AILBlockWalkerBase
 
 from angr.analyses.decompiler.sequence_walker import SequenceWalker
@@ -18,6 +18,9 @@ class AILBlockCallCounter(AILBlockWalkerBase):
 
     calls = 0
 
+    def _handle_ConditionalJump(self, stmt_idx: int, stmt: ConditionalJump, block: Block | None):
+        return
+
     def _handle_CallExpr(self, expr_idx: int, expr: Call, stmt_idx: int, stmt, block: Block | None):
         self.calls += 1
         super()._handle_CallExpr(expr_idx, expr, stmt_idx, stmt, block)
@@ -40,6 +43,13 @@ class AILCallCounter(SequenceWalker):
         self.calls = 0
         self.non_label_stmts = 0
 
+    def _handle_Condition(self, node, **kwargs):
+        # do not count calls in conditions
+        if node.true_node is not None:
+            super()._handle(node.true_node, **kwargs)
+        if node.false_node is not None:
+            super()._handle(node.false_node, **kwargs)
+
     def _handle_Block(self, node: Block, **kwargs):  # pylint:disable=unused-argument
         ctr = AILBlockCallCounter()
         ctr.walk(node)

angr/analyses/decompiler/decompiler.py

@@ -618,7 +618,9 @@ class Decompiler(Analysis):
                     new_type = var_manager.get_variable_type(var)
                     if new_type is not None:
                         self.func.prototype.args = (
-                            self.func.prototype.args[:i] + (new_type,) + self.func.prototype.args[i + 1 :]
+                            *self.func.prototype.args[:i],
+                            new_type,
+                            *self.func.prototype.args[i + 1 :],
                         )
         except Exception:  # pylint:disable=broad-except
             if self._fail_fast:

angr/analyses/decompiler/graph_region.py

@@ -324,6 +324,15 @@ class GraphRegion:
         out_edges = list(graph.out_edges(node))
 
         graph.remove_node(node)
+
+        # FIXME: this is a giant hack to work around the problem that the graph region might have been restructured
+        # but not updated in *all* other regions whose .graph_with_successors references this graph region (we only
+        # update the parent_region graph right now).
+        existing_graph_regions: dict[int, GraphRegion] = {r.addr: r for r in graph if isinstance(r, GraphRegion)}
+        for r in sub_graph:
+            if isinstance(r, GraphRegion) and r not in graph and r.addr in existing_graph_regions:
+                self._replaced_regions[r] = existing_graph_regions[r.addr]
+
         sub_graph_nodes = [self._replaced_regions.get(nn, nn) for nn in sub_graph.nodes]
         sub_graph_edges = [
             (self._replaced_regions.get(src, src), self._replaced_regions.get(dst, dst)) for src, dst in sub_graph.edges
@@ -376,11 +385,11 @@ class GraphRegion:
             else:
                 if dst_in_subgraph in sub_graph:
                     for src in sub_graph.predecessors(dst_in_subgraph):
-                        graph.add_edge(src, dst)
+                        graph.add_edge(self._replaced_regions.get(src, src), dst)
                 elif reference_full_graph is not None and dst_in_subgraph in reference_full_graph:
                     for src in reference_full_graph.predecessors(dst_in_subgraph):
                         if src in graph:
-                            graph.add_edge(src, dst)
+                            graph.add_edge(self._replaced_regions.get(src, src), dst)
                 else:
                     # it may happen that the dst node no longer exists in sub_graph or its successors
                     # this is because we have deemed that the dst node is no longer a valid successor for sub_graph

angr/analyses/decompiler/optimization_passes/const_prop_reverter.py

@@ -313,7 +313,7 @@ class ConstPropOptReverter(OptimizationPass):
 
                 # construct new constant block
                 new_const_block = const_block.copy()
-                new_const_block.statements = new_const_block.statements[:-1] + [reg_assign] + [symb_return_stmt.copy()]
+                new_const_block.statements = [*new_const_block.statements[:-1], reg_assign, symb_return_stmt.copy()]
                 self._update_block(const_block, new_const_block)
                 self.resolution = True
         else:

angr/analyses/decompiler/optimization_passes/lowered_switch_simplifier.py

@@ -159,6 +159,7 @@ class LoweredSwitchSimplifier(StructuringOptimizationPass):
     def __init__(self, func, min_distinct_cases=2, **kwargs):
         super().__init__(
             func,
+            require_structurable_graph=False,
             require_gotos=False,
             prevent_new_gotos=False,
             simplify_ail=False,

angr/analyses/decompiler/optimization_passes/optimization_pass.py

@@ -15,7 +15,7 @@ from angr.analyses.decompiler.ailgraph_walker import AILGraphWalker
 from angr.analyses.decompiler.condition_processor import ConditionProcessor
 from angr.analyses.decompiler.goto_manager import Goto, GotoManager
 from angr.analyses.decompiler.structuring import RecursiveStructurer, SAILRStructurer
-from angr.analyses.decompiler.utils import add_labels, remove_edges_in_ailgraph
+from angr.analyses.decompiler.utils import add_labels, remove_edges_in_ailgraph, is_empty_node
 from angr.analyses.decompiler.counters import ControlFlowStructureCounter
 from angr.project import Project
 
@@ -432,12 +432,13 @@ class StructuringOptimizationPass(OptimizationPass):
     STAGE = OptimizationPassStage.DURING_REGION_IDENTIFICATION
 
     _initial_gotos: set[Goto]
-    _goto_manager: GotoManager
+    _goto_manager: GotoManager | None
     _prev_graph: networkx.DiGraph
 
     def __init__(
         self,
         func,
+        require_structurable_graph: bool = True,
         prevent_new_gotos: bool = True,
         strictly_less_gotos: bool = False,
         recover_structure_fails: bool = True,
@@ -450,6 +451,7 @@ class StructuringOptimizationPass(OptimizationPass):
         **kwargs,
     ):
         super().__init__(func, **kwargs)
+        self._require_structurable_graph = require_structurable_graph
         self._prevent_new_gotos = prevent_new_gotos
         self._strictly_less_gotos = strictly_less_gotos
         self._recover_structure_fails = recover_structure_fails
@@ -459,6 +461,8 @@ class StructuringOptimizationPass(OptimizationPass):
         self._must_improve_rel_quality = must_improve_rel_quality
         self._readd_labels = readd_labels
         self._edges_to_remove = edges_to_remove or []
+        self._goto_manager = None
+        self._initial_gotos = set()
 
         # relative quality metrics (excludes gotos)
         self._initial_structure_counter = None
@@ -476,13 +480,20 @@ class StructuringOptimizationPass(OptimizationPass):
         if not ret:
             return
 
-        if not self._graph_is_structurable(self._graph, initial=True):
-            return
+        # only initialize self._goto_manager if this optimization requires a structurable graph or gotos
+        initial_structurable: bool | None = None
+        if self._require_structurable_graph or self._require_gotos or self._prevent_new_gotos:
+            initial_structurable = self._graph_is_structurable(self._graph, initial=True)
 
-        self._initial_gotos = self._goto_manager.gotos.copy()
-        if self._require_gotos and not self._initial_gotos:
+        if self._require_structurable_graph and initial_structurable is False:
             return
 
+        if self._require_gotos:
+            assert self._goto_manager is not None
+            self._initial_gotos = self._goto_manager.gotos.copy()
+            if not self._initial_gotos:
+                return
+
         # setup for the very first analysis
         self.out_graph = networkx.DiGraph(self._graph)
         if self._max_opt_iters > 1:
@@ -500,7 +511,13 @@ class StructuringOptimizationPass(OptimizationPass):
         if self._readd_labels:
             self.out_graph = add_labels(self.out_graph)
 
-        if not self._graph_is_structurable(self.out_graph, readd_labels=False):
+        if (
+            self._require_structurable_graph
+            and self._max_opt_iters <= 1
+            and not self._graph_is_structurable(self.out_graph, readd_labels=False)
+        ):
+            # fixed-point analysis ensures that the output graph is always structurable, otherwise it clears the output
+            # graph. so we only check the structurability of the graph when fixed-point analysis did not run.
             self.out_graph = None
             return
 
@@ -523,13 +540,16 @@ class StructuringOptimizationPass(OptimizationPass):
             return
 
     def _get_new_gotos(self):
+        assert self._goto_manager is not None
         return self._goto_manager.gotos
 
     def _fixed_point_analyze(self, cache=None):
         had_any_changes = False
         for _ in range(self._max_opt_iters):
-            if self._require_gotos and not self._goto_manager.gotos:
-                break
+            if self._require_gotos:
+                assert self._goto_manager is not None
+                if not self._goto_manager.gotos:
+                    break
 
             # backup the graph before the optimization
             if self._recover_structure_fails and self.out_graph is not None:
@@ -590,7 +610,7 @@ class StructuringOptimizationPass(OptimizationPass):
             _l.warning("Internal structuring failed for OptimizationPass on %s", self._func.name)
             rs = None
 
-        if not rs or not rs.result or not rs.result.nodes or rs.result_incomplete:
+        if not rs or not rs.result or is_empty_node(rs.result) or rs.result_incomplete:
             return False
 
         rs = self.project.analyses.RegionSimplifier(self._func, rs.result, arg_vvars=self._arg_vvars, kb=self.kb)
@@ -648,7 +668,7 @@ class StructuringOptimizationPass(OptimizationPass):
         # Gotos play an important part in readability and control flow structure. We already count gotos in other parts
         # of the analysis, so we don't need to count them here. However, some gotos are worse than others. Much
         # like loops, trading gotos (keeping the same total, but getting worse types), is bad for decompilation.
-        if len(self._initial_gotos) == len(self._goto_manager.gotos) != 0:
+        if self._goto_manager is not None and len(self._initial_gotos) == len(self._goto_manager.gotos) != 0:
             prev_labels = self._initial_structure_counter.goto_targets
             curr_labels = self._current_structure_counter.goto_targets
 

angr/analyses/decompiler/optimization_passes/return_duplicator_low.py

@@ -55,6 +55,7 @@ class ReturnDuplicatorLow(StructuringOptimizationPass, ReturnDuplicatorBase):
         region_identifier=None,
         vvar_id_start: int | None = None,
         scratch: dict[str, Any] | None = None,
+        max_func_blocks: int = 500,
         **kwargs,
     ):
         StructuringOptimizationPass.__init__(
@@ -76,6 +77,7 @@ class ReturnDuplicatorLow(StructuringOptimizationPass, ReturnDuplicatorBase):
             ri=region_identifier,
             vvar_id_start=vvar_id_start,
             scratch=scratch,
+            max_func_blocks=max_func_blocks,
         )
         self.analyze()
 

angr/analyses/decompiler/peephole_optimizations/__init__.py

@@ -4,14 +4,14 @@ from .a_div_const_add_a_mul_n_div_const import ADivConstAddAMulNDivConst
 from .a_mul_const_div_shr_const import AMulConstDivShrConst
 from .a_shl_const_sub_a import AShlConstSubA
 from .a_sub_a_div import ASubADiv
-from .a_sub_a_div_const_mul_const import ASubADivConstMulConst
+from .modulo_simplifier import ModuloSimplifier
 from .a_sub_a_shr_const_shr_const import ASubAShrConstShrConst
 from .arm_cmpf import ARMCmpF
 from .bswap import Bswap
 from .cas_intrinsics import CASIntrinsics
 from .coalesce_same_cascading_ifs import CoalesceSameCascadingIfs
 from .constant_derefs import ConstantDereferences
-from .const_mull_a_shift import ConstMullAShift
+from .optimized_div_simplifier import OptimizedDivisionSimplifier
 from .extended_byte_and_mask import ExtendedByteAndMask
 from .remove_empty_if_body import RemoveEmptyIfBody
 from .remove_redundant_ite_branch import RemoveRedundantITEBranches
@@ -61,14 +61,14 @@ ALL_PEEPHOLE_OPTS: list[type[PeepholeOptimizationExprBase]] = [
     AShlConstSubA,
     AMulConstSubA,
     ASubADiv,
-    ASubADivConstMulConst,
+    ModuloSimplifier,
     ASubAShrConstShrConst,
     ARMCmpF,
     Bswap,
     CASIntrinsics,
     CoalesceSameCascadingIfs,
     ConstantDereferences,
-    ConstMullAShift,
+    OptimizedDivisionSimplifier,
     ExtendedByteAndMask,
     RemoveEmptyIfBody,
     RemoveRedundantITEBranches,

angr/analyses/decompiler/peephole_optimizations/eager_eval.py

@@ -170,6 +170,10 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
             if isinstance(expr.operands[0], Const) and expr.operands[0].value == 0:
                 return UnaryOp(expr.idx, "Neg", expr.operands[1], **expr.tags)
 
+            r = EagerEvaluation._combine_like_terms(expr)
+            if r is not None:
+                return r
+
             if isinstance(expr.operands[0], StackBaseOffset) and isinstance(expr.operands[1], StackBaseOffset):
                 assert isinstance(expr.operands[0].offset, int) and isinstance(expr.operands[1].offset, int)
                 return Const(expr.idx, None, expr.operands[0].offset - expr.operands[1].offset, expr.bits, **expr.tags)
@@ -354,6 +358,55 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
 
         return None
 
+    @staticmethod
+    def _combine_like_terms(expr: BinaryOp) -> BinaryOp | None:
+        """
+        Combine like terms for binary operations.
+        """
+
+        op = expr.op
+        assert op in {"Add", "Sub"}
+
+        expr0, expr1 = expr.operands
+
+        conv = None
+        if isinstance(expr0, Convert) and expr0.from_bits < expr0.to_bits:
+            conv = expr0.from_bits, expr0.to_bits, expr0.is_signed
+            expr0 = expr0.operand
+
+        if isinstance(expr0, BinaryOp) and expr0.op == "Mul" and isinstance(expr0.operands[1], Const):
+            n = expr0.operands[0]
+
+            if isinstance(n, Convert) and n.from_bits > n.to_bits:
+                if conv is not None and (n.to_bits, n.from_bits, n.is_signed) != conv:
+                    return None
+                n = n.operand
+
+            if n.likes(expr1):
+                # (n * C) - n  ==>  (C - 1) * n
+                coeff_0 = expr0.operands[1]
+                coeff = Const(coeff_0.idx, None, coeff_0.value - 1, expr.bits, **coeff_0.tags)
+                return BinaryOp(
+                    expr.idx, "Mul", [n, coeff], expr.signed, variable=expr.variable, bits=expr.bits, **expr.tags
+                )
+            if isinstance(expr1, BinaryOp) and expr1.op == "Mul" and isinstance(expr.operands[1].operands[1], Const):
+                n1 = expr.operands[1].operands[0]
+                if n.likes(n1):
+                    # (n * C) - (n1 * C1)  ==>  n * (C - C1)
+                    coeff_0 = expr0.operands[1]
+                    coeff_1 = expr1.operands[1]
+                    coeff = Const(coeff_0.idx, None, coeff_0.value - coeff_1.value, expr.bits, **coeff_0.tags)
+                    return BinaryOp(
+                        expr.idx,
+                        "Mul",
+                        [n, coeff],
+                        expr.signed,
+                        variable=expr.variable,
+                        bits=expr.bits,
+                        **expr.tags,
+                    )
+        return None
+
     @staticmethod
     def _optimize_unaryop(expr: UnaryOp):
         if expr.op == "Neg" and isinstance(expr.operand, Const) and isinstance(expr.operand.value, int):