angr 9.2.160__cp310-abi3-macosx_11_0_arm64.whl → 9.2.162__cp310-abi3-macosx_11_0_arm64.whl

angr/analyses/decompiler/structuring/sailr.py

@@ -26,7 +26,9 @@ class SAILRStructurer(PhoenixStructurer):
 
     NAME = "sailr"
 
-    def __init__(self, region, improve_phoenix=True, **kwargs):
+    def __init__(self, region, improve_phoenix=True, postdom_max_edges=10, postdom_max_graph_size=50, **kwargs):
+        self._postdom_max_edges = postdom_max_edges
+        self._postdom_max_graph_size = postdom_max_graph_size
         super().__init__(
             region,
             improve_algorithm=improve_phoenix,
@@ -46,44 +48,50 @@ class SAILRStructurer(PhoenixStructurer):
         except StopIteration:
             entry_node = None
 
+        edges = sorted(edges, key=lambda edge: (edge[0].addr, edge[1].addr))
         best_edges = edges
         if entry_node is not None:
-            # the first few heuristics are based on the post-dominator count of the edge
-            # so we collect them for each candidate edge
-            edge_postdom_count = {}
+            # collect sibling counts for edges
             edge_sibling_count = {}
             for edge in edges:
                 _, dst = edge
-                graph_copy = networkx.DiGraph(graph)
-                graph_copy.remove_edge(*edge)
-                sibling_cnt = graph_copy.in_degree(dst)
+                sibling_cnt = graph.in_degree[dst] - 1
                 if sibling_cnt == 0:
                     continue
-
                 edge_sibling_count[edge] = sibling_cnt
-                post_dom_graph = PostDominators(graph_copy, entry_node).post_dom
-                post_doms = set()
-                for postdom_node, dominatee in post_dom_graph.edges():
-                    if not isinstance(postdom_node, TemporaryNode) and not isinstance(dominatee, TemporaryNode):
-                        post_doms.add((postdom_node, dominatee))
-                edge_postdom_count[edge] = len(post_doms)
-
-                # H1: the edge that has the least amount of sibling edges should be virtualized first
-                # this is believed to reduce the amount of virtualization needed in future rounds and increase
-                # the edges that enter a single outer-scope if-stmt
-                if edge_sibling_count:
-                    min_sibling_count = min(edge_sibling_count.values())
-                    best_edges = [edge for edge, cnt in edge_sibling_count.items() if cnt == min_sibling_count]
-                    if len(best_edges) == 1:
-                        return best_edges
 
-                    # create the next heuristic based on the best edges from the previous heuristic
-                    filtered_edge_postdom_count = edge_postdom_count.copy()
-                    for edge in list(edge_postdom_count.keys()):
-                        if edge not in best_edges:
-                            del filtered_edge_postdom_count[edge]
-                    if filtered_edge_postdom_count:
-                        edge_postdom_count = filtered_edge_postdom_count
+            # H1: the edge that has the least amount of sibling edges should be virtualized first
+            # this is believed to reduce the amount of virtualization needed in future rounds and increase
+            # the edges that enter a single outer-scope if-stmt
+            if edge_sibling_count:
+                min_sibling_count = min(edge_sibling_count.values())
+                best_edges = [edge for edge, cnt in edge_sibling_count.items() if cnt == min_sibling_count]
+                if len(best_edges) == 1:
+                    return best_edges
+
+            if len(edges) <= self._postdom_max_edges and len(graph) <= self._postdom_max_graph_size:
+                # dominator analysis is expensive, so we only do it for small graphs
+                edge_postdom_count = {}
+                graph_copy = networkx.DiGraph(graph)
+                for edge in edges:
+                    _, dst = edge
+                    graph_copy.remove_edge(*edge)
+                    post_dom_graph = PostDominators(graph_copy, entry_node).post_dom
+                    post_doms = set()
+                    for postdom_node, dominatee in post_dom_graph.edges():
+                        if not isinstance(postdom_node, TemporaryNode) and not isinstance(dominatee, TemporaryNode):
+                            post_doms.add((postdom_node, dominatee))
+                    edge_postdom_count[edge] = len(post_doms)
+                    # add back the edge
+                    graph_copy.add_edge(*edge)
+
+                # create the next heuristic based on the best edges from the previous heuristic
+                filtered_edge_postdom_count = edge_postdom_count.copy()
+                for edge in list(edge_postdom_count.keys()):
+                    if edge not in best_edges:
+                        del filtered_edge_postdom_count[edge]
+                if filtered_edge_postdom_count:
+                    edge_postdom_count = filtered_edge_postdom_count
 
                 # H2: the edge, when removed, that causes the most post-dominators of the graph should be virtualized
                 # first. this is believed to make the code more linear looking be reducing the amount of scopes.
@@ -94,19 +102,19 @@ class SAILRStructurer(PhoenixStructurer):
                     if len(best_edges) == 1:
                         return best_edges
 
-                # H3: the edge that goes directly to a return statement should be virtualized first
-                # this is believed to be good because it can be corrected in later optimization by duplicating
-                # the return
-                candidate_edges = best_edges
-                best_edges = []
-                for src, dst in candidate_edges:
-                    if graph.has_node(dst) and structured_node_is_simple_return(dst, graph):
-                        best_edges.append((src, dst))
-
-                if len(best_edges) == 1:
-                    return best_edges
-                if not best_edges:
-                    best_edges = candidate_edges
+            # H3: the edge that goes directly to a return statement should be virtualized first
+            # this is believed to be good because it can be corrected in later optimization by duplicating
+            # the return
+            candidate_edges = best_edges
+            best_edges = []
+            for src, dst in candidate_edges:
+                if graph.has_node(dst) and structured_node_is_simple_return(dst, graph):
+                    best_edges.append((src, dst))
+
+            if len(best_edges) == 1:
+                return best_edges
+            if not best_edges:
+                best_edges = candidate_edges
 
         # if we have another tie, or we never used improved heuristics, then we do the default ordering.
         return super()._order_virtualizable_edges(graph, best_edges, node_seq)

angr/analyses/decompiler/structuring/structurer_base.py

@@ -6,9 +6,9 @@ import logging
 
 import networkx
 
-import angr.ailment as ailment
 import claripy
 
+from angr import ailment
 from angr.analyses import Analysis
 from angr.analyses.decompiler.condition_processor import ConditionProcessor
 from angr.analyses.decompiler.sequence_walker import SequenceWalker
@@ -971,8 +971,7 @@ class StructurerBase(Analysis):
                     new_sequences.append(new_seq_)
         self._new_sequences = new_sequences
 
-    @staticmethod
-    def replace_nodes(graph, old_node_0, new_node, old_node_1=None, self_loop=True):
+    def replace_nodes(self, graph, old_node_0, new_node, old_node_1=None, self_loop=True):  # pylint:disable=no-self-use
         in_edges = list(graph.in_edges(old_node_0, data=True))
         out_edges = list(graph.out_edges(old_node_0, data=True))
         if old_node_1 is not None:

angr/analyses/deobfuscator/string_obf_opt_passes.py

@@ -90,7 +90,7 @@ class StringObfType3Rewriter(OptimizationPass):
         else:
             new_stmt = new_call
 
-        statements = block.statements[:-1] + [new_stmt]
+        statements = [*block.statements[:-1], new_stmt]
 
         # remove N-2 continuous stack assignment
         if len(deobf_content) > 2:

angr/analyses/disassembly.py

@@ -922,7 +922,7 @@ class Value(OperandPiece):
             if func is not None and lbl == func.name and func.name != func.demangled_name:
                 # see if lbl == func.name and func.demangled_name != func.name. if so, we prioritize the
                 # demangled name
-                normalized_name = get_cpp_function_name(func.demangled_name, specialized=False, qualified=True)
+                normalized_name = get_cpp_function_name(func.demangled_name)
                 return [normalized_name]
             return [("+" if self.render_with_sign else "") + lbl]
         if func is not None:

angr/analyses/reaching_definitions/function_handler.py

@@ -584,6 +584,7 @@ class FunctionHandler:
         # migrate data from sub_rda to its parent
         state.analysis.function_calls.update(sub_rda.function_calls)
         state.analysis.model.observed_results.update(sub_rda.model.observed_results)
+        state.all_definitions |= sub_rda.all_definitions
 
         sub_ld = get_exit_livedefinitions(data.function, sub_rda.model)
         if sub_ld is not None:

angr/analyses/s_propagator.py

@@ -33,7 +33,7 @@ from angr.utils.ssa import (
     is_const_vvar_load_assignment,
     is_const_vvar_load_dirty_assignment,
     is_const_vvar_tmp_assignment,
-    is_vvar_eliminatable,
+    is_vvar_propagatable,
     get_tmp_uselocs,
     get_tmp_deflocs,
     phi_assignment_get_src,
@@ -246,7 +246,7 @@ class SPropagatorAnalysis(Analysis):
                         self.model.dead_vvar_ids.add(vvar.varid)
                         continue
 
-                if is_vvar_eliminatable(vvar, stmt):
+                if is_vvar_propagatable(vvar, stmt):
                     if len(vvar_uselocs_set) == 1:
                         vvar_used, vvar_useloc = next(iter(vvar_uselocs_set))
                         if (

angr/analyses/s_reaching_definitions/s_rda_model.py

@@ -25,6 +25,7 @@ class SRDAModel:
         self.all_tmp_definitions: dict[CodeLocation, dict[atoms.Tmp, int]] = defaultdict(dict)
         self.all_tmp_uses: dict[CodeLocation, dict[atoms.Tmp, set[tuple[Tmp, int]]]] = defaultdict(dict)
         self.phi_vvar_ids: set[int] = set()
+        self.phivarid_to_varids_with_unknown: dict[int, set[int | None]] = {}
         self.phivarid_to_varids: dict[int, set[int]] = {}
         self.vvar_uses_by_loc: dict[CodeLocation, list[int]] = {}
 

angr/analyses/s_reaching_definitions/s_reaching_definitions.py

@@ -63,7 +63,7 @@ class SReachingDefinitionsAnalysis(Analysis):
             case _:
                 raise NotImplementedError
 
-        phi_vvars: dict[int, set[int]] = {}
+        phi_vvars: dict[int, set[int | None]] = {}
         # find all vvar definitions
         vvar_deflocs = get_vvar_deflocs(blocks.values(), phi_vvars=phi_vvars)
         # find all explicit vvar uses
@@ -87,7 +87,10 @@ class SReachingDefinitionsAnalysis(Analysis):
         self.model.phi_vvar_ids = set(phi_vvars)
         self.model.phivarid_to_varids = {}
         for vvar_id, src_vvars in phi_vvars.items():
-            self.model.phivarid_to_varids[vvar_id] = src_vvars
+            self.model.phivarid_to_varids_with_unknown[vvar_id] = src_vvars
+            self.model.phivarid_to_varids[vvar_id] = (  # type: ignore
+                {vvar_id for vvar_id in src_vvars if vvar_id is not None} if None in src_vvars else src_vvars
+            )
 
         if self.mode == "function":
 

angr/analyses/variable_recovery/engine_base.py

@@ -178,6 +178,14 @@ class SimEngineVRBase(
                                 for var_stack_offset, var in self.state.extract_variables(v):
                                     existing_vars.append((var, var_stack_offset))
 
+                    if not existing_vars:
+                        existing_vars = [
+                            (v, 0)
+                            for v in self.state.variable_manager[self.func_addr].find_variables_by_stack_offset(
+                                stack_offset
+                            )
+                        ]
+
                     if not existing_vars:
                         # no variables exist
                         lea_size = 1
@@ -525,6 +533,10 @@ class SimEngineVRBase(
     def _store_to_stack(
         self, stack_offset, data: RichR[claripy.ast.BV | claripy.ast.FP], size, offset=0, atom=None, endness=None
     ):
+        """
+        Store data to a stack location. We limit the size of the data to store to 256 bytes for performance reasons.
+        """
+
         if atom is None:
             existing_vars = self.state.variable_manager[self.func_addr].find_variables_by_stmt(
                 self.block.addr, self.stmt_idx, "memory"
@@ -550,7 +562,11 @@ class SimEngineVRBase(
             variable, variable_offset = next(iter(existing_vars))
 
         if isinstance(stack_offset, int):
-            expr = self.state.annotate_with_variables(data.data, [(variable_offset, variable)])
+            expr = data.data
+            if isinstance(expr, claripy.ast.Bits) and expr.size() > 1024:
+                # we don't write more than 256 bytes to the stack at a time for performance reasons
+                expr = expr[expr.size() - 1 : expr.size() - 1024]
+            expr = self.state.annotate_with_variables(expr, [(variable_offset, variable)])
             stack_addr = self.state.stack_addr_from_offset(stack_offset)
             self.state.stack_region.store(stack_addr, expr, endness=endness)
 

angr/analyses/variable_recovery/variable_recovery_base.py

@@ -5,6 +5,8 @@ from collections.abc import Generator, Iterable
 import logging
 from collections import defaultdict
 
+import networkx
+
 import archinfo
 import claripy
 from claripy.annotation import Annotation
@@ -86,8 +88,18 @@ class VariableRecoveryBase(Analysis):
     The base class for VariableRecovery and VariableRecoveryFast.
     """
 
-    def __init__(self, func, max_iterations, store_live_variables: bool, vvar_to_vvar: dict[int, int] | None = None):
+    def __init__(
+        self,
+        func,
+        max_iterations,
+        store_live_variables: bool,
+        vvar_to_vvar: dict[int, int] | None = None,
+        func_graph: networkx.DiGraph | None = None,
+        entry_node_addr: int | tuple[int, int | None] | None = None,
+    ):
         self.function = func
+        self.func_graph = func_graph
+        self.entry_node_addr = entry_node_addr
         self.variable_manager = self.kb.variables
 
         self._max_iterations = max_iterations
@@ -120,7 +132,23 @@ class VariableRecoveryBase(Analysis):
 
     def initialize_dominance_frontiers(self):
         # Computer the dominance frontier for each node in the graph
-        df = self.project.analyses.DominanceFrontier(self.function)
+        func_entry = None
+        if self.func_graph is not None:
+            entry_node_addr = self.entry_node_addr if self.entry_node_addr is not None else self.function.addr
+            assert entry_node_addr is not None
+            if isinstance(entry_node_addr, int):
+                func_entry = next(iter(node for node in self.func_graph if node.addr == entry_node_addr))
+            elif isinstance(entry_node_addr, tuple):
+                func_entry = next(
+                    iter(
+                        node
+                        for node in self.func_graph
+                        if node.addr == entry_node_addr[0] and node.idx == entry_node_addr[1]
+                    )
+                )
+            else:
+                raise TypeError(f"Unsupported entry node address type: {type(entry_node_addr)}")
+        df = self.project.analyses.DominanceFrontier(self.function, func_graph=self.func_graph, entry=func_entry)
         self._dominance_frontiers = defaultdict(set)
         for b0, domfront in df.frontiers.items():
             for d in domfront:

angr/analyses/variable_recovery/variable_recovery_fast.py

@@ -237,6 +237,7 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
         self,
         func: Function | str | int,
         func_graph: networkx.DiGraph | None = None,
+        entry_node_addr: int | tuple[int, int | None] | None = None,
         max_iterations: int = 2,
         low_priority=False,
         track_sp=True,
@@ -259,10 +260,18 @@ class VariableRecoveryFast(ForwardAnalysis, VariableRecoveryBase):  # pylint:dis
         function_graph_visitor = visitors.FunctionGraphVisitor(func, graph=func_graph)
 
         # Make sure the function is not empty
-        if not func.block_addrs_set or func.startpoint is None:
+        if (not func.block_addrs_set or func.startpoint is None) and not func_graph:
             raise AngrVariableRecoveryError(f"Function {func!r} is empty.")
 
-        VariableRecoveryBase.__init__(self, func, max_iterations, store_live_variables, vvar_to_vvar=vvar_to_vvar)
+        VariableRecoveryBase.__init__(
+            self,
+            func,
+            max_iterations,
+            store_live_variables,
+            vvar_to_vvar=vvar_to_vvar,
+            func_graph=func_graph_with_calls,
+            entry_node_addr=entry_node_addr,
+        )
         ForwardAnalysis.__init__(
             self, order_jobs=True, allow_merging=True, allow_widening=False, graph_visitor=function_graph_visitor
         )

angr/emulator.py

@@ -0,0 +1,143 @@
+from __future__ import annotations
+
+import logging
+from enum import Enum
+
+from angr.engines.concrete import ConcreteEngine, HeavyConcreteState
+from angr.errors import AngrError
+
+
+log = logging.getLogger(name=__name__)
+
+
+class EmulatorException(AngrError):
+    """Base class for exceptions raised by the Emulator."""
+
+
+class EngineException(EmulatorException):
+    """Exception raised when the emulator encounters an unhandlable error in the engine."""
+
+
+class StateDivergedException(EmulatorException):
+    """Exception raised when an engine returns multiple successors."""
+
+
+class EmulatorStopReason(Enum):
+    """
+    Enum representing the reason for stopping the emulator.
+    """
+
+    INSTRUCTION_LIMIT = "instruction_limit"
+    BREAKPOINT = "breakpoint"
+    NO_SUCCESSORS = "no_successors"
+    MEMORY_ERROR = "memory_error"
+    FAILURE = "failure"
+    EXIT = "exit"
+
+
+class Emulator:
+    """
+    Emulator is a utility that adapts an angr `ConcreteEngine` to a more
+    user-friendly interface for concrete execution. It only supports concrete
+    execution and requires a ConcreteEngine.
+
+    Saftey: This class is not thread-safe. It should only be used in a
+    single-threaded context. It can be safely shared between multiple threads,
+    provided that only one thread is using it at a time.
+    """
+
+    _engine: ConcreteEngine
+    _state: HeavyConcreteState
+
+    def __init__(self, engine: ConcreteEngine, init_state: HeavyConcreteState):
+        """
+        :param engine: The `ConcreteEngine` to use for emulation.
+        :param init_state: The initial state to use for emulation.
+        """
+        self._engine = engine
+        self._state = init_state
+
+    @property
+    def state(self) -> HeavyConcreteState:
+        """
+        The current state of the emulator.
+        """
+        return self._state
+
+    @property
+    def breakpoints(self) -> set[int]:
+        """
+        The set of currently set breakpoints.
+        """
+        return self._engine.get_breakpoints()
+
+    def add_breakpoint(self, addr: int) -> None:
+        """
+        Add a breakpoint at the given address.
+
+        :param addr: The address to set the breakpoint at.
+        """
+        self._engine.add_breakpoint(addr)
+
+    def remove_breakpoint(self, addr: int) -> None:
+        """
+        Remove a breakpoint at the given address, if present.
+
+        :param addr: The address to remove the breakpoint from.
+        """
+        self._engine.remove_breakpoint(addr)
+
+    def run(self, num_inst: int | None = None) -> EmulatorStopReason:
+        """
+        Execute the emulator.
+        """
+        completed_engine_execs = 0
+        num_inst_executed: int = 0
+        while self._state.history.jumpkind != "Ijk_Exit":
+            # Check if there is a breakpoint at the current address
+            if completed_engine_execs > 0 and self._state.addr in self._engine.get_breakpoints():
+                return EmulatorStopReason.BREAKPOINT
+
+            # Check if we've already executed the requested number of instructions
+            if num_inst is not None and num_inst_executed >= num_inst:
+                return EmulatorStopReason.INSTRUCTION_LIMIT
+
+            # Calculate remaining instructions for this engine execution
+            remaining_inst: int | None = None
+            if num_inst is not None:
+                remaining_inst = num_inst - num_inst_executed
+
+            # Run the engine to get successors
+            try:
+                successors = self._engine.process(self._state, num_inst=remaining_inst)
+            except EngineException as e:
+                raise EngineException(f"Engine encountered an error: {e}") from e
+
+            # Handle cases with an unexpected number of successors
+            if len(successors.successors) == 0:
+                return EmulatorStopReason.NO_SUCCESSORS
+            if len(successors.successors) > 1:
+                log.warning("Concrete engine returned multiple successors")
+
+            # Set the state before raising further exceptions
+            self._state = successors.successors[0]
+
+            # Track the number of instructions executed using the state's history
+            if self._state.history.recent_instruction_count > 0:
+                num_inst_executed += self._state.history.recent_instruction_count
+
+            if successors.successors[0].history.jumpkind == "Ijk_SigSEGV":
+                return EmulatorStopReason.MEMORY_ERROR
+
+            completed_engine_execs += 1
+
+        return EmulatorStopReason.EXIT
+
+
+__all__ = (
+    "Emulator",
+    "EmulatorException",
+    "EmulatorStopReason",
+    "EngineException",
+    "StateDivergedException",
+)

angr/engines/concrete.py

@@ -0,0 +1,66 @@
+from __future__ import annotations
+
+import logging
+import typing
+from abc import abstractmethod, ABCMeta
+from typing_extensions import override
+
+import claripy
+from angr.engines.successors import SimSuccessors, SuccessorsEngine
+from angr.sim_state import SimState
+
+log = logging.getLogger(__name__)
+
+
+HeavyConcreteState = SimState[int, int]
+
+
+class ConcreteEngine(SuccessorsEngine, metaclass=ABCMeta):
+    """
+    ConcreteEngine extends SuccessorsEngine and adds APIs for managing breakpoints.
+    """
+
+    @abstractmethod
+    def get_breakpoints(self) -> set[int]:
+        """Return the set of currently set breakpoints."""
+
+    @abstractmethod
+    def add_breakpoint(self, addr: int) -> None:
+        """Add a breakpoint at the given address."""
+
+    @abstractmethod
+    def remove_breakpoint(self, addr: int) -> None:
+        """Remove a breakpoint at the given address, if present."""
+
+    @abstractmethod
+    def process_concrete(self, state: HeavyConcreteState, num_inst: int | None = None) -> HeavyConcreteState:
+        """
+        Process the concrete state and return a HeavyState object.
+
+        :param state: The concrete state to process.
+        :return: A HeavyState object representing the processed state.
+        """
+
+    @override
+    def process_successors(
+        self, successors: SimSuccessors, *, num_inst: int | None = None, **kwargs: dict[str, typing.Any]
+    ):
+        if len(kwargs) > 0:
+            log.warning("ConcreteEngine.process_successors received unknown kwargs: %s", kwargs)
+
+        # TODO: Properly error here when the state is not a HeavyConcreteState
+        # Alternatively, we could make SimSuccessors generic over the state type too
+        concrete_state = typing.cast(HeavyConcreteState, self.state)
+
+        concrete_successor = self.process_concrete(concrete_state, num_inst=num_inst)
+        successors.add_successor(
+            concrete_successor,
+            concrete_successor.ip,
+            claripy.true(),
+            concrete_successor.history.jumpkind,
+            add_guard=False,
+        )
+        successors.processed = True
+
+
+__all__ = ["ConcreteEngine", "HeavyConcreteState"]