angr 9.2.163__cp310-abi3-macosx_11_0_arm64.whl → 9.2.165__cp310-abi3-macosx_11_0_arm64.whl

angr/analyses/decompiler/ail_simplifier.py

@@ -397,9 +397,11 @@ class AILSimplifier(Analysis):
             if isinstance(def_.atom, atoms.VirtualVariable) and (def_.atom.was_reg or def_.atom.was_parameter):
                 # only do this for general purpose register
                 skip_def = False
+                reg = None
                 for reg in self.project.arch.register_list:
-                    if not reg.artificial and reg.vex_offset == def_.atom.reg_offset and not reg.general_purpose:
-                        skip_def = True
+                    if reg.vex_offset == def_.atom.reg_offset:
+                        if not reg.artificial and not reg.general_purpose and not reg.vector:
+                            skip_def = True
                         break
 
                 if skip_def:
@@ -659,6 +661,16 @@ class AILSimplifier(Analysis):
             first_op = ops[0]
         if isinstance(first_op, Convert) and first_op.to_bits >= self.project.arch.byte_width:
             # we need at least one byte!
+            if (
+                len({(op.from_bits, op.to_bits) for op in ops if isinstance(op, Convert) and op.operand.likes(expr)})
+                > 1
+            ):
+                # there are more Convert operations; it's probably because there are multiple expressions involving the
+                # same core expr. just give up (for now)
+                return None, None
+            if any(op for op in ops if isinstance(op, BinaryOp) and op.op == "Shr" and op.operands[0].likes(expr)):
+                # the expression is right-shifted, which means higher bits might be used.
+                return None, None
             return first_op.to_bits // self.project.arch.byte_width, ("convert", (first_op,))
         if isinstance(first_op, BinaryOp):
             second_op = None
@@ -1816,13 +1828,11 @@ class AILSimplifier(Analysis):
                         if codeloc in self._assignments_to_remove:
                             # it should be removed
                             simplified = True
-                            self._assignments_to_remove.discard(codeloc)
                             continue
 
                         if self._statement_has_call_exprs(stmt):
                             if codeloc in self._calls_to_remove:
                                 # it has a call and must be removed
-                                self._calls_to_remove.discard(codeloc)
                                 simplified = True
                                 continue
                             if isinstance(stmt, Assignment) and isinstance(stmt.dst, VirtualVariable):
@@ -1845,7 +1855,6 @@ class AILSimplifier(Analysis):
                         codeloc = CodeLocation(block.addr, idx, ins_addr=stmt.ins_addr, block_idx=block.idx)
                         if codeloc in self._calls_to_remove:
                             # this call can be removed
-                            self._calls_to_remove.discard(codeloc)
                             simplified = True
                             continue
 
@@ -1865,6 +1874,11 @@ class AILSimplifier(Analysis):
             new_block.statements = new_statements
             self.blocks[old_block] = new_block
 
+        # we can only use calls_to_remove and assignments_to_remove once; if any statements in blocks are removed, then
+        # the statement IDs in calls_to_remove and assignments_to_remove no longer match!
+        self._calls_to_remove.clear()
+        self._assignments_to_remove.clear()
+
         return simplified
 
     @staticmethod

angr/analyses/decompiler/callsite_maker.py

@@ -17,7 +17,15 @@ from angr.sim_type import (
     SimTypeFunction,
     SimTypeLongLong,
 )
-from angr.calling_conventions import SimReferenceArgument, SimRegArg, SimStackArg, SimCC, SimStructArg, SimComboArg
+from angr.calling_conventions import (
+    SimReferenceArgument,
+    SimRegArg,
+    SimStackArg,
+    SimCC,
+    SimStructArg,
+    SimComboArg,
+    SimFunctionArgument,
+)
 from angr.knowledge_plugins.key_definitions.constants import OP_BEFORE
 from angr.analyses import Analysis, register_analysis
 from angr.analyses.s_reaching_definitions import SRDAView
@@ -137,22 +145,7 @@ class CallSiteMaker(Analysis):
                         arg_locs = cc.arg_locs(callsite_ty)
 
         if arg_locs is not None and cc is not None:
-            expanded_arg_locs: list[SimStackArg | SimRegArg | SimReferenceArgument] = []
-            for arg_loc in arg_locs:
-                if isinstance(arg_loc, SimComboArg):
-                    # a ComboArg spans across multiple locations (mostly stack but *in theory* can also be spanning
-                    # across registers). most importantly, a ComboArg represents one variable, not multiple, but we
-                    # have no way to know that until later down the pipeline.
-                    expanded_arg_locs += arg_loc.locations
-                elif isinstance(arg_loc, SimStructArg):
-                    expanded_arg_locs += [  # type: ignore
-                        arg_loc.locs[field_name] for field_name in arg_loc.struct.fields if field_name in arg_loc.locs
-                    ]
-                elif isinstance(arg_loc, (SimRegArg, SimStackArg, SimReferenceArgument)):
-                    expanded_arg_locs.append(arg_loc)
-                else:
-                    raise NotImplementedError("Not implemented yet.")
-
+            expanded_arg_locs = self._expand_arglocs(arg_locs)
             for arg_loc in expanded_arg_locs:
                 if isinstance(arg_loc, SimReferenceArgument):
                     if not isinstance(arg_loc.ptr_loc, (SimRegArg, SimStackArg)):
@@ -548,6 +541,29 @@ class CallSiteMaker(Analysis):
             return None
         return len(specifiers)
 
+    def _expand_arglocs(
+        self, arg_locs: list[SimFunctionArgument]
+    ) -> list[SimStackArg | SimRegArg | SimReferenceArgument]:
+        expanded_arg_locs: list[SimStackArg | SimRegArg | SimReferenceArgument] = []
+
+        for arg_loc in arg_locs:
+            if isinstance(arg_loc, SimComboArg):
+                # a ComboArg spans across multiple locations (mostly stack but *in theory* can also be spanning
+                # across registers). most importantly, a ComboArg represents one variable, not multiple, but we
+                # have no way to know that until later down the pipeline.
+                expanded_arg_locs += arg_loc.locations
+            elif isinstance(arg_loc, SimStructArg):
+                for field_name in arg_loc.struct.fields:
+                    if field_name not in arg_loc.locs:
+                        continue
+                    expanded_arg_locs += self._expand_arglocs([arg_loc.locs[field_name]])
+            elif isinstance(arg_loc, (SimRegArg, SimStackArg, SimReferenceArgument)):
+                expanded_arg_locs.append(arg_loc)
+            else:
+                raise NotImplementedError("Not implemented yet.")
+
+        return expanded_arg_locs
+
     def _atom_idx(self) -> int | None:
         return self._ail_manager.next_atom() if self._ail_manager is not None else None
 

angr/analyses/decompiler/condition_processor.py

@@ -13,8 +13,6 @@ from unique_log_filter import UniqueLogFilter
 
 
 from angr.utils.graph import GraphUtils
-from angr.utils.lazy_import import lazy_import
-from angr.utils import is_pyinstaller
 from angr.utils.graph import dominates, inverted_idoms
 from angr.utils.ail import is_head_controlled_loop_block
 from angr.block import Block, BlockNode
@@ -37,12 +35,6 @@ from .structuring.structurer_nodes import (
 from .graph_region import GraphRegion
 from .utils import peephole_optimize_expr
 
-if is_pyinstaller():
-    # PyInstaller is not happy with lazy import
-    import sympy
-else:
-    sympy = lazy_import("sympy")
-
 
 l = logging.getLogger(__name__)
 l.addFilter(UniqueLogFilter())
@@ -953,6 +945,9 @@ class ConditionProcessor:
 
     @staticmethod
     def claripy_ast_to_sympy_expr(ast, memo=None):
+
+        import sympy  # pylint:disable=import-outside-toplevel
+
         if ast.op == "And":
             return sympy.And(*(ConditionProcessor.claripy_ast_to_sympy_expr(arg, memo=memo) for arg in ast.args))
         if ast.op == "Or":
@@ -974,6 +969,9 @@ class ConditionProcessor:
 
     @staticmethod
     def sympy_expr_to_claripy_ast(expr, memo: dict):
+
+        import sympy  # pylint:disable=import-outside-toplevel
+
         if expr.is_Symbol:
             return memo[expr]
         if isinstance(expr, sympy.Or):
@@ -990,6 +988,9 @@ class ConditionProcessor:
 
     @staticmethod
     def simplify_condition(cond, depth_limit=8, variables_limit=8):
+
+        import sympy  # pylint:disable=import-outside-toplevel
+
         memo = {}
         if cond.depth > depth_limit or len(cond.variables) > variables_limit:
             return cond

angr/analyses/decompiler/graph_region.py

@@ -271,6 +271,13 @@ class GraphRegion:
         else:
             replace_with_graph_with_successors = replace_with.graph_with_successors
 
+        # if complete_successors is True for RegionIdentifier, replace_with.graph_with_successors may include nodes
+        # and edges that are *only* reachable from immediate successors. we will want to remove these nodes and edges,
+        # otherwise we may end up structuring the same region twice!
+        replace_with_graph_with_successors = self._cleanup_graph_with_successors(
+            replace_with.graph, replace_with_graph_with_successors
+        )
+
         self._replace_node_in_graph_with_subgraph(
             self.graph,
             self.successors,
@@ -289,6 +296,18 @@ class GraphRegion:
                 replace_with.head,
             )
 
+    @staticmethod
+    def _cleanup_graph_with_successors(
+        graph: networkx.DiGraph, graph_with_successors: networkx.DiGraph
+    ) -> networkx.DiGraph:
+        expected_nodes = set(graph)
+        for n in list(expected_nodes):
+            for succ in graph_with_successors.successors(n):
+                expected_nodes.add(succ)
+        if all(n in expected_nodes for n in graph_with_successors):
+            return graph_with_successors
+        return graph_with_successors.subgraph(expected_nodes).to_directed()
+
     @staticmethod
     def _replace_node_in_graph(graph: networkx.DiGraph, node, replace_with, removed_edges: set):
         in_edges = [(src, dst) for src, dst in graph.in_edges(node) if (src, dst) not in removed_edges]

angr/analyses/decompiler/optimization_passes/deadblock_remover.py

@@ -60,7 +60,7 @@ class DeadblockRemover(OptimizationPass):
             blk
             for blk in self._graph.nodes()
             if (blk.addr != self._func.addr and self._graph.in_degree(blk) == 0)
-            or claripy.is_false(cond_proc.reaching_conditions[blk])
+            or claripy.is_false(cond_proc.reaching_conditions.get(blk, claripy.true()))
         }
 
         # fix up predecessors

angr/analyses/decompiler/peephole_optimizations/__init__.py

@@ -43,6 +43,7 @@ from .sar_to_signed_div import SarToSignedDiv
 from .tidy_stack_addr import TidyStackAddr
 from .invert_negated_logical_conjuction_disjunction import InvertNegatedLogicalConjunctionsAndDisjunctions
 from .rol_ror import RolRorRewriter
+from .inlined_memcpy import InlinedMemcpy
 from .inlined_strcpy import InlinedStrcpy
 from .inlined_strcpy_consolidation import InlinedStrcpyConsolidation
 from .inlined_wstrcpy import InlinedWstrcpy
@@ -99,6 +100,7 @@ ALL_PEEPHOLE_OPTS: list[type[PeepholeOptimizationExprBase]] = [
     TidyStackAddr,
     InvertNegatedLogicalConjunctionsAndDisjunctions,
     RolRorRewriter,
+    InlinedMemcpy,
     InlinedStrcpy,
     InlinedStrcpyConsolidation,
     InlinedWstrcpy,

angr/analyses/decompiler/peephole_optimizations/inlined_memcpy.py

@@ -0,0 +1,78 @@
+# pylint:disable=arguments-differ
+from __future__ import annotations
+
+from angr.ailment.expression import Const, StackBaseOffset, VirtualVariable, Load, UnaryOp
+from angr.ailment.statement import Call, Assignment, Store
+from angr import SIM_LIBRARIES
+from .base import PeepholeOptimizationStmtBase
+
+
+class InlinedMemcpy(PeepholeOptimizationStmtBase):
+    """
+    Simplifies inlined data copying logic into calls to memcpy.
+    """
+
+    __slots__ = ()
+
+    NAME = "Simplifying inlined strcpy"
+    stmt_classes = (Assignment, Store)
+
+    def optimize(self, stmt: Assignment | Store, stmt_idx: int | None = None, block=None, **kwargs):
+        should_replace = False
+        dst_offset, src_offset, store_size = None, None, None
+        if (
+            isinstance(stmt, Assignment)
+            and isinstance(stmt.dst, VirtualVariable)
+            and stmt.dst.was_stack
+            and stmt.dst.size == 16
+            and isinstance(stmt.src, Load)
+        ):
+            dst_offset = stmt.dst.stack_offset
+            store_size = stmt.dst.size
+            if (
+                isinstance(stmt.src.addr, UnaryOp)
+                and stmt.src.addr.op == "Reference"
+                and isinstance(stmt.src.addr.operand, VirtualVariable)
+            ):
+                should_replace = True
+                src_offset = stmt.src.addr.operand.stack_offset
+            elif isinstance(stmt.src.addr, StackBaseOffset):
+                should_replace = True
+                src_offset = stmt.src.addr.offset
+
+        if (
+            isinstance(stmt, Store)
+            and isinstance(stmt.addr, StackBaseOffset)
+            and stmt.size == 16
+            and isinstance(stmt.data, Load)
+        ):
+            dst_offset = stmt.addr.offset
+            store_size = stmt.size
+            if (
+                isinstance(stmt.data.addr, UnaryOp)
+                and stmt.data.addr.op == "Reference"
+                and isinstance(stmt.data.addr.operand, VirtualVariable)
+            ):
+                should_replace = True
+                src_offset = stmt.data.addr.operand.stack_offset
+            elif isinstance(stmt.data.addr, StackBaseOffset):
+                should_replace = True
+                src_offset = stmt.data.addr.offset
+
+        if should_replace:
+            assert dst_offset is not None and src_offset is not None and store_size is not None
+            # replace it with a call to memcpy
+            assert self.project is not None
+            return Call(
+                stmt.idx,
+                "memcpy",
+                args=[
+                    StackBaseOffset(None, self.project.arch.bits, dst_offset),
+                    StackBaseOffset(None, self.project.arch.bits, src_offset),
+                    Const(None, None, store_size, self.project.arch.bits),
+                ],
+                prototype=SIM_LIBRARIES["libc.so"][0].get_prototype("memcpy"),
+                **stmt.tags,
+            )
+
+        return None

angr/analyses/decompiler/peephole_optimizations/inlined_strcpy.py

@@ -1,11 +1,11 @@
-# pylint:disable=arguments-differ
+# pylint:disable=arguments-differ,too-many-boolean-expressions
 from __future__ import annotations
 import string
 
 from archinfo import Endness
 
-from angr.ailment.expression import Const, StackBaseOffset, VirtualVariable
-from angr.ailment.statement import Call, Assignment
+from angr.ailment.expression import Const, StackBaseOffset, VirtualVariable, UnaryOp
+from angr.ailment.statement import Call, Assignment, Store, Statement
 
 from angr import SIM_LIBRARIES
 from angr.utils.endness import ail_const_to_be
@@ -24,24 +24,54 @@ class InlinedStrcpy(PeepholeOptimizationStmtBase):
     __slots__ = ()
 
     NAME = "Simplifying inlined strcpy"
-    stmt_classes = (Assignment,)
+    stmt_classes = (Assignment, Store)
+
+    def optimize(self, stmt: Assignment | Store, stmt_idx: int | None = None, block=None, **kwargs):
+        inlined_strcpy_candidate = False
+        src: Const | None = None
+        strcpy_dst: StackBaseOffset | UnaryOp | None = None
+
+        assert self.project is not None
 
-    def optimize(self, stmt: Assignment, stmt_idx: int | None = None, block=None, **kwargs):
         if (
-            isinstance(stmt.dst, VirtualVariable)
+            isinstance(stmt, Assignment)
+            and isinstance(stmt.dst, VirtualVariable)
             and stmt.dst.was_stack
             and isinstance(stmt.src, Const)
             and isinstance(stmt.src.value, int)
         ):
-            r, s = self.is_integer_likely_a_string(stmt.src.value, stmt.src.size, self.project.arch.memory_endness)
+            inlined_strcpy_candidate = True
+            src = stmt.src
+            strcpy_dst = StackBaseOffset(None, self.project.arch.bits, stmt.dst.stack_offset)
+        elif (
+            isinstance(stmt, Store)
+            and isinstance(stmt.addr, UnaryOp)
+            and stmt.addr.op == "Reference"
+            and isinstance(stmt.addr.operand, VirtualVariable)
+            and stmt.addr.operand.was_stack
+            and isinstance(stmt.data, Const)
+            and isinstance(stmt.data.value, int)
+        ):
+            inlined_strcpy_candidate = True
+            src = stmt.data
+            strcpy_dst = stmt.addr
+
+        if inlined_strcpy_candidate:
+            assert src is not None and strcpy_dst is not None
+            assert isinstance(src.value, int)
+            assert self.kb is not None
+
+            r, s = self.is_integer_likely_a_string(src.value, src.size, self.project.arch.memory_endness)
             if r:
+                assert s is not None
+
                 # replace it with a call to strncpy
                 str_id = self.kb.custom_strings.allocate(s.encode("ascii"))
                 return Call(
                     stmt.idx,
                     "strncpy",
                     args=[
-                        StackBaseOffset(None, self.project.arch.bits, stmt.dst.stack_offset),
+                        strcpy_dst,
                         Const(None, None, str_id, self.project.arch.bits, custom_string=True),
                         Const(None, None, len(s), self.project.arch.bits),
                     ],
@@ -68,9 +98,21 @@ class InlinedStrcpy(PeepholeOptimizationStmtBase):
                             next_offset = None
                             stride = []
 
+                    if not stride:
+                        return None
+                    min_stride_stmt_idx = min(stmt_idx_ for _, stmt_idx_, _ in stride)
+                    if min_stride_stmt_idx > stmt_idx:
+                        # the current statement is not involved in the stride. we can't simplify here, otherwise we
+                        # will incorrectly remove the current statement
+                        return None
+
                     integer, size = self.stride_to_int(stride)
-                    r, s = self.is_integer_likely_a_string(integer, size, Endness.BE)
+                    prev_stmt = None if stmt_idx == 0 else block.statements[stmt_idx - 1]
+                    min_str_length = 1 if prev_stmt is not None and self.is_inlined_strcpy(prev_stmt) else 4
+                    r, s = self.is_integer_likely_a_string(integer, size, Endness.BE, min_length=min_str_length)
                     if r:
+                        assert s is not None
+
                         # we remove all involved statements whose statement IDs are greater than the current one
                         for _, stmt_idx_, _ in reversed(stride):
                             if stmt_idx_ <= stmt_idx:
@@ -83,7 +125,7 @@ class InlinedStrcpy(PeepholeOptimizationStmtBase):
                             stmt.idx,
                             "strncpy",
                             args=[
-                                StackBaseOffset(None, self.project.arch.bits, stmt.dst.stack_offset),
+                                strcpy_dst,
                                 Const(None, None, str_id, self.project.arch.bits, custom_string=True),
                                 Const(None, None, len(s), self.project.arch.bits),
                             ],
@@ -101,10 +143,13 @@ class InlinedStrcpy(PeepholeOptimizationStmtBase):
         for _, _, v in stride:
             size += v.size
             n <<= v.bits
+            assert isinstance(v.value, int)
             n |= v.value
         return n, size
 
     def collect_constant_stores(self, block, starting_stmt_idx: int) -> dict[int, tuple[int, Const | None]]:
+        assert self.project is not None
+
         r = {}
         for idx, stmt in enumerate(block.statements):
             if idx < starting_stmt_idx:
@@ -158,3 +203,15 @@ class InlinedStrcpy(PeepholeOptimizationStmtBase):
                 return False, None
             return True, "".join(chars)
         return False, None
+
+    @staticmethod
+    def is_inlined_strcpy(stmt: Statement) -> bool:
+        return (
+            isinstance(stmt, Call)
+            and isinstance(stmt.target, str)
+            and stmt.target == "strncpy"
+            and stmt.args is not None
+            and len(stmt.args) == 3
+            and isinstance(stmt.args[1], Const)
+            and hasattr(stmt.args[1], "custom_string")
+        )

angr/analyses/decompiler/peephole_optimizations/inlined_strcpy_consolidation.py

@@ -1,7 +1,7 @@
 # pylint:disable=arguments-differ
 from __future__ import annotations
 
-from angr.ailment.expression import Expression, BinaryOp, Const, Register, StackBaseOffset
+from angr.ailment.expression import Expression, BinaryOp, Const, Register, StackBaseOffset, UnaryOp, VirtualVariable
 from angr.ailment.statement import Call, Store
 
 from angr import SIM_LIBRARIES
@@ -21,12 +21,12 @@ class InlinedStrcpyConsolidation(PeepholeOptimizationMultiStmtBase):
 
     def optimize(self, stmts: list[Call], **kwargs):
         last_stmt, stmt = stmts
-        if InlinedStrcpyConsolidation._is_inlined_strcpy(last_stmt):
+        if InlinedStrcpy.is_inlined_strcpy(last_stmt):
             s_last: bytes = self.kb.custom_strings[last_stmt.args[1].value]
             addr_last = last_stmt.args[0]
             new_str = None  # will be set if consolidation should happen
 
-            if isinstance(stmt, Call) and InlinedStrcpyConsolidation._is_inlined_strcpy(stmt):
+            if isinstance(stmt, Call) and InlinedStrcpy.is_inlined_strcpy(stmt):
                 # consolidating two calls
                 s_curr: bytes = self.kb.custom_strings[stmt.args[1].value]
                 addr_curr = stmt.args[0]
@@ -74,22 +74,19 @@ class InlinedStrcpyConsolidation(PeepholeOptimizationMultiStmtBase):
 
         return None
 
-    @staticmethod
-    def _is_inlined_strcpy(stmt: Call):
-        return (
-            isinstance(stmt.target, str)
-            and stmt.target == "strncpy"
-            and len(stmt.args) == 3
-            and isinstance(stmt.args[1], Const)
-            and hasattr(stmt.args[1], "custom_string")
-        )
-
     @staticmethod
     def _parse_addr(addr: Expression) -> tuple[Expression, int]:
         if isinstance(addr, Register):
             return addr, 0
         if isinstance(addr, StackBaseOffset):
             return StackBaseOffset(None, addr.bits, 0), addr.offset
+        if (
+            isinstance(addr, UnaryOp)
+            and addr.op == "Reference"
+            and isinstance(addr.operand, VirtualVariable)
+            and addr.operand.was_stack
+        ):
+            return StackBaseOffset(None, addr.bits, 0), addr.operand.stack_offset
         if isinstance(addr, BinaryOp):
             if addr.op == "Add" and isinstance(addr.operands[1], Const):
                 base_0, offset_0 = InlinedStrcpyConsolidation._parse_addr(addr.operands[0])

angr/analyses/decompiler/region_identifier.py

@@ -99,7 +99,7 @@ class RegionIdentifier(Analysis):
 
     def _analyze(self):
         # make a copy of the graph
-        graph = networkx.DiGraph(self._graph)
+        graph = self._pick_one_connected_component(self._graph, as_copy=True)
 
         # preprocess: make it a super graph
         self._make_supergraph(graph)
@@ -113,6 +113,27 @@ class RegionIdentifier(Analysis):
         # make regions into block address lists
         self.regions_by_block_addrs = self._make_regions_by_block_addrs()
 
+    def _pick_one_connected_component(self, digraph: networkx.DiGraph, as_copy: bool = False) -> networkx.DiGraph:
+        g = networkx.Graph(digraph)
+        components = list(networkx.connected_components(g))
+        if len(components) <= 1:
+            return networkx.DiGraph(digraph) if as_copy else digraph
+
+        the_component = None
+        largest_component = None
+        for component in components:
+            if largest_component is None or len(component) > len(largest_component):
+                largest_component = component
+            if any((block.addr, block.idx) == self.entry_node_addr for block in component):
+                the_component = component
+                break
+
+        if the_component is None:
+            the_component = largest_component
+
+        assert the_component is not None
+        return digraph.subgraph(the_component).to_directed()
+
     @staticmethod
     def _compute_node_order(graph: networkx.DiGraph) -> dict[Any, tuple[int, int]]:
         sorted_nodes = GraphUtils.quasi_topological_sort_nodes(graph)