angr 9.2.163__cp310-abi3-win_amd64.whl → 9.2.165__cp310-abi3-win_amd64.whl

angr/analyses/decompiler/structuring/phoenix.py

@@ -13,7 +13,7 @@ from angr.ailment.block import Block
 from angr.ailment.statement import Statement, ConditionalJump, Jump, Label, Return
 from angr.ailment.expression import Const, UnaryOp, MultiStatementExpression, BinaryOp
 
-from angr.utils.graph import GraphUtils
+from angr.utils.graph import GraphUtils, Dominators, compute_dominance_frontier
 from angr.utils.ail import is_phi_assignment, is_head_controlled_loop_block
 from angr.knowledge_plugins.cfg import IndirectJump, IndirectJumpType
 from angr.utils.constants import SWITCH_MISSING_DEFAULT_NODE_ADDR
@@ -669,7 +669,7 @@ class PhoenixStructurer(StructurerBase):
         continue_node = loop_head
 
         is_while, result_while = self._refine_cyclic_is_while_loop(graph, fullgraph, loop_head, head_succs)
-        is_dowhile, result_dowhile = self._refine_cyclic_is_dowhile_loop(graph, fullgraph, loop_head, head_succs)
+        is_dowhile, result_dowhile = self._refine_cyclic_is_dowhile_loop(graph, fullgraph, loop_head)
 
         continue_edges: list[tuple[BaseNode, BaseNode]] = []
         outgoing_edges: list = []
@@ -702,22 +702,12 @@ class PhoenixStructurer(StructurerBase):
 
         if loop_type is None:
             # natural loop. select *any* exit edge to determine the successor
-            # well actually, to maintain determinism, we select the successor with the highest address
-            successor_candidates = set()
-            for node in networkx.descendants(graph, loop_head):
-                for succ in fullgraph.successors(node):
-                    if succ not in graph:
-                        successor_candidates.add(succ)
-                    if loop_head is succ:
-                        continue_edges.append((node, succ))
-            if successor_candidates:
-                successor_candidates = sorted(successor_candidates, key=lambda x: x.addr)
-                successor = successor_candidates[0]
-                # virtualize all other edges
-                for succ in successor_candidates:
-                    for pred in fullgraph.predecessors(succ):
-                        if pred in graph:
-                            outgoing_edges.append((pred, succ))
+            is_natural, result_natural = self._refine_cyclic_make_natural_loop(graph, fullgraph, loop_head)
+            if not is_natural:
+                # cannot refine this loop
+                return False
+            assert result_natural is not None
+            continue_edges, outgoing_edges, successor = result_natural
 
         if outgoing_edges:
             # if there is a single successor, we convert all out-going edges into breaks;
@@ -963,8 +953,8 @@ class PhoenixStructurer(StructurerBase):
                 return True, (continue_edges, outgoing_edges, loop_head, successor)
         return False, None
 
-    def _refine_cyclic_is_dowhile_loop(  # pylint:disable=unused-argument
-        self, graph, fullgraph, loop_head, head_succs
+    def _refine_cyclic_is_dowhile_loop(
+        self, graph, fullgraph, loop_head
     ) -> tuple[bool, tuple[list, list, BaseNode, BaseNode] | None]:
         # check if there is an out-going edge from the loop tail
         head_preds = list(fullgraph.predecessors(loop_head))
@@ -996,6 +986,64 @@ class PhoenixStructurer(StructurerBase):
                     return True, (continue_edges, outgoing_edges, continue_node, successor)
         return False, None
 
+    def _refine_cyclic_make_natural_loop(
+        self, graph, fullgraph, loop_head
+    ) -> tuple[bool, tuple[list, list, Any] | None]:
+        continue_edges = []
+        outgoing_edges = []
+
+        # find dominance frontier
+        doms = Dominators(fullgraph, self._region.head)
+        dom_frontiers = compute_dominance_frontier(fullgraph, doms.dom)
+
+        if loop_head not in dom_frontiers:
+            return False, None
+        dom_frontier = dom_frontiers[loop_head]
+
+        # now this is a little complex
+        dom_frontier = {node for node in dom_frontier if node is not loop_head}
+        if len(dom_frontier) == 0:
+            # the dominance frontier is empty (the loop head dominates all nodes in the full graph). however, this does
+            # not mean that the loop head must dominate all the nodes, because we only have a limited view of the full
+            # graph (e.g., some predecessors of the successor may not be in this full graph). as such, successors are
+            # the ones that are in the fullgraph but not in the graph.
+            successor_candidates = set()
+            for node in networkx.descendants(graph, loop_head):
+                for succ in fullgraph.successors(node):
+                    if succ not in graph:
+                        successor_candidates.add(succ)
+                    if loop_head is succ:
+                        continue_edges.append((node, succ))
+
+        else:
+            # this loop has a single successor
+            successor_candidates = dom_frontier
+            # traverse the loop body to find all continue edges
+            tmp_graph = networkx.DiGraph(graph)
+            tmp_graph.remove_nodes_from(successor_candidates)
+            for node in networkx.descendants(tmp_graph, loop_head):
+                if tmp_graph.has_edge(node, loop_head):
+                    continue_edges.append((node, loop_head))
+
+        if len(successor_candidates) == 0:
+            successor = None
+        else:
+            # one or multiple successors; try to pick a successor in graph, and prioritize the one with the lowest
+            # address
+            successor_candidates_in_graph = {nn for nn in successor_candidates if nn in graph}
+            if successor_candidates_in_graph:
+                # pick the one with the lowest address
+                successor = next(iter(sorted(successor_candidates_in_graph, key=lambda x: x.addr)))
+            else:
+                successor = next(iter(sorted(successor_candidates, key=lambda x: x.addr)))
+            # mark all edges as outgoing edges so they will be virtualized if they don't lead to the successor
+            for node in successor_candidates:
+                for pred in fullgraph.predecessors(node):
+                    if networkx.has_path(doms.dom, loop_head, pred):
+                        outgoing_edges.append((pred, node))
+
+        return True, (continue_edges, outgoing_edges, successor)
+
     def _analyze_acyclic(self) -> bool:
         # match against known schemas
         l.debug("Matching acyclic schemas for region %r.", self._region)
@@ -1219,6 +1267,10 @@ class PhoenixStructurer(StructurerBase):
         node_a = next(iter(nn for nn in graph.nodes if nn.addr == target), None)
         if node_a is None:
             return False
+        if node_a is self._region.head:
+            # avoid structuring if node_a is the region head; this means the current node is a duplicated switch-case
+            # head (instead of the original one), which is not something we want to structure
+            return False
 
         # the default case
         node_b_addr = next(iter(t for t in successor_addrs if t != target), None)

angr/analyses/decompiler/structuring/recursive_structurer.py

@@ -3,8 +3,6 @@ import itertools
 from typing import TYPE_CHECKING
 import logging
 
-import networkx
-
 from angr.analyses import Analysis, register_analysis
 from angr.analyses.decompiler.condition_processor import ConditionProcessor
 from angr.analyses.decompiler.graph_region import GraphRegion
@@ -12,6 +10,7 @@ from angr.analyses.decompiler.jumptable_entry_condition_rewriter import JumpTabl
 from angr.analyses.decompiler.empty_node_remover import EmptyNodeRemover
 from angr.analyses.decompiler.jump_target_collector import JumpTargetCollector
 from angr.analyses.decompiler.redundant_label_remover import RedundantLabelRemover
+from angr.utils.graph import GraphUtils
 from .structurer_nodes import BaseNode
 from .structurer_base import StructurerBase
 from .dream import DreamStructurer
@@ -61,7 +60,7 @@ class RecursiveStructurer(Analysis):
             current_region = stack[-1]
 
             has_region = False
-            for node in networkx.dfs_postorder_nodes(current_region.graph, current_region.head):
+            for node in GraphUtils.dfs_postorder_nodes_deterministic(current_region.graph, current_region.head):
                 subnodes = []
                 if type(node) is GraphRegion:
                     if node.cyclic:
@@ -177,7 +176,7 @@ class RecursiveStructurer(Analysis):
         for node in region.graph.nodes:
             if not isinstance(node, BaseNode):
                 continue
-            if node.addr == self.function.addr:
+            if self.function is not None and node.addr == self.function.addr:
                 return node
             if min_node is None or (min_node.addr is not None and node.addr is not None and min_node.addr < node.addr):
                 min_node = node

angr/analyses/decompiler/structuring/structurer_nodes.py

@@ -392,6 +392,9 @@ class IncompleteSwitchCaseNode(BaseNode):
         self.head = head
         self.cases: list = cases
 
+    def __repr__(self):
+        return f"<IncompleteSwitchCase {self.addr:#x} with {len(self.cases)} cases>"
+
 
 #
 # The following classes are custom AIL statements (not nodes, unfortunately)

angr/analyses/decompiler/utils.py

@@ -158,10 +158,14 @@ def switch_extract_cmp_bounds(
         return None
 
     # TODO: Add more operations
-    if isinstance(last_stmt.condition, ailment.Expr.BinaryOp) and last_stmt.condition.op == "CmpLE":
+    if isinstance(last_stmt.condition, ailment.Expr.BinaryOp) and last_stmt.condition.op in {"CmpLE", "CmpLT"}:
         if not isinstance(last_stmt.condition.operands[1], ailment.Expr.Const):
             return None
-        cmp_ub = last_stmt.condition.operands[1].value
+        cmp_ub = (
+            last_stmt.condition.operands[1].value
+            if last_stmt.condition.op == "CmpLE"
+            else last_stmt.condition.operands[1].value - 1
+        )
         cmp_lb = 0
         cmp = last_stmt.condition.operands[0]
         if (
@@ -250,6 +254,10 @@ def switch_extract_bitwiseand_jumptable_info(last_stmt: ailment.Stmt.Jump) -> tu
              size=4, endness=Iend_LE) + 0x4530e4<32>))
     )
 
+    Another example:
+
+    Load(addr=(((vvar_9{reg 36} & 0x3<32>) * 0x4<32>) + 0x42cd28<32>), size=4, endness=Iend_LE)
+
     :param last_stmt:   The last statement of the switch-case header node.
     :return:            A tuple of (index expression, lower bound, upper bound), or None
     """
@@ -269,16 +277,20 @@ def switch_extract_bitwiseand_jumptable_info(last_stmt: ailment.Stmt.Jump) -> tu
             continue
         if isinstance(target, ailment.Expr.BinaryOp) and target.op == "Add":
             if isinstance(target.operands[0], ailment.Expr.Const) and isinstance(target.operands[1], ailment.Expr.Load):
-                jump_addr_offset = target.operands[0]
+                jump_addr_offset = target.operands[0].value
                 jumptable_load_addr = target.operands[1].addr
                 break
             if isinstance(target.operands[1], ailment.Expr.Const) and isinstance(target.operands[0], ailment.Expr.Load):
-                jump_addr_offset = target.operands[1]
+                jump_addr_offset = target.operands[1].value
                 jumptable_load_addr = target.operands[0].addr
                 break
             return None
         if isinstance(target, ailment.Expr.Const):
             return None
+        if isinstance(target, ailment.Expr.Load):
+            jumptable_load_addr = target.addr
+            jump_addr_offset = 0
+            break
         break
 
     if jump_addr_offset is None or jumptable_load_addr is None:
@@ -655,7 +667,7 @@ def _flatten_structured_node(packed_node: SequenceNode | MultiNode) -> list[ailm
 
 def _find_node_in_graph(node: ailment.Block, graph: networkx.DiGraph) -> ailment.Block | None:
     for bb in graph:
-        if bb.addr == node.addr and bb.idx == node.idx:
+        if isinstance(bb, ailment.Block) and bb.addr == node.addr and bb.idx == node.idx:
             return bb
     return None
 

angr/analyses/deobfuscator/string_obf_finder.py

@@ -27,6 +27,42 @@ STEP_LIMIT_FIND = 500
 STEP_LIMIT_ANALYSIS = 5000
 
 
+ALL_X64_XMM_REGS = {
+    capstone.x86.X86_REG_XMM0,
+    capstone.x86.X86_REG_XMM1,
+    capstone.x86.X86_REG_XMM2,
+    capstone.x86.X86_REG_XMM3,
+    capstone.x86.X86_REG_XMM4,
+    capstone.x86.X86_REG_XMM5,
+    capstone.x86.X86_REG_XMM6,
+    capstone.x86.X86_REG_XMM7,
+    capstone.x86.X86_REG_XMM8,
+    capstone.x86.X86_REG_XMM9,
+    capstone.x86.X86_REG_XMM10,
+    capstone.x86.X86_REG_XMM11,
+    capstone.x86.X86_REG_XMM12,
+    capstone.x86.X86_REG_XMM13,
+    capstone.x86.X86_REG_XMM14,
+    capstone.x86.X86_REG_XMM15,
+    capstone.x86.X86_REG_XMM16,
+    capstone.x86.X86_REG_XMM17,
+    capstone.x86.X86_REG_XMM18,
+    capstone.x86.X86_REG_XMM19,
+    capstone.x86.X86_REG_XMM20,
+    capstone.x86.X86_REG_XMM21,
+    capstone.x86.X86_REG_XMM22,
+    capstone.x86.X86_REG_XMM23,
+    capstone.x86.X86_REG_XMM24,
+    capstone.x86.X86_REG_XMM25,
+    capstone.x86.X86_REG_XMM26,
+    capstone.x86.X86_REG_XMM27,
+    capstone.x86.X86_REG_XMM28,
+    capstone.x86.X86_REG_XMM29,
+    capstone.x86.X86_REG_XMM30,
+    capstone.x86.X86_REG_XMM31,
+}
+
+
 class StringDeobFuncDescriptor:
     """
     Describes a string deobfuscation function.
@@ -478,10 +514,12 @@ class StringObfuscationFinder(Analysis):
                     actual_addrs = action.actual_addrs
                 if action.type == "mem":
                     if action.action == "read":
+                        assert action.size is not None
                         for a in actual_addrs:
                             for size in range(action.size.ast // 8):
                                 all_global_reads.append(a + size)
                     elif action.action == "write":
+                        assert action.size is not None
                         for a in actual_addrs:
                             for size in range(action.size.ast // 8):
                                 all_global_writes.append(a + size)
@@ -598,16 +636,16 @@ class StringObfuscationFinder(Analysis):
         type3_functions = []
 
         for func in function_candidates:
-            if not 8 <= len(func.block_addrs_set) < 14:
+            if not 1 <= len(func.block_addrs_set) < 14:
                 continue
 
             # if it has a prototype recovered, it must have four arguments
-            if func.prototype is not None and len(func.prototype.args) != 4:
+            if func.prototype is not None and len(func.prototype.args) not in {3, 4}:
                 continue
 
             # the function must call some other functions
-            if callgraph_digraph.out_degree[func.addr] == 0:
-                continue
+            # if callgraph_digraph.out_degree[func.addr] == 0:
+            #     continue
 
             # take a look at its call sites
             func_node = cfg.get_any_node(func.addr)
@@ -635,30 +673,34 @@ class StringObfuscationFinder(Analysis):
                 continue
             if dec.codegen is None or not dec.codegen.text:
                 continue
+
             if not self._like_type3_deobfuscation_function(dec.codegen.text):
                 continue
 
             # examine the first 100 call sites and see if any of them returns a valid string
             valid = False
+            guessed_size = False
             for i in range(min(100, len(call_sites))):
                 call_site_block = self.project.factory.block(call_sites[i].addr)
                 if not self._is_block_setting_constants_to_stack(call_site_block):
                     continue
 
                 # simulate an execution to see if it really works
-                data = self._type3_prepare_and_execute(
-                    func.addr, call_sites[i].addr, call_sites[i].function_address, cfg
+                data, guessed_size = self._type3_prepare_and_execute(
+                    func.addr, call_sites[i].addr, call_sites[i].function_address, cfg  # type:ignore
                 )
                 if data is None:
                     continue
-                if len(data) > 3 and all(chr(x) in string.printable for x in data):
-                    valid = True
-                    break
+                if len(data) > 3:
+                    consecutive_printable_strs = self._consecutive_printable_substrings(data, min_length=4)
+                    if consecutive_printable_strs:
+                        valid = True
+                        break
 
             if valid:
                 desc = StringDeobFuncDescriptor()
                 desc.string_output_arg_idx = 0
-                desc.string_length_arg_idx = 1
+                desc.string_length_arg_idx = 1 if not guessed_size else None
                 desc.string_null_terminating = False
                 type3_functions.append((func.addr, desc))
 
@@ -687,11 +729,15 @@ class StringObfuscationFinder(Analysis):
         if cfg is None:
             raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
 
-        call_sites = cfg.get_predecessors(cfg.get_any_node(func_addr))
+        cfg_node = cfg.get_any_node(func_addr)
+        if cfg_node is None:
+            raise AngrAnalysisError(f"Cannot find the CFG node for function {func_addr:#x}")
+        call_sites = cfg.get_predecessors(cfg_node)
         callinsn2content = {}
         for idx, call_site in enumerate(call_sites):
             _l.debug("Analyzing type 3 candidate call site %#x (%d/%d)...", call_site.addr, idx + 1, len(call_sites))
-            data = self._type3_prepare_and_execute(func_addr, call_site.addr, call_site.function_address, cfg)
+            assert call_site.function_address is not None
+            data, _ = self._type3_prepare_and_execute(func_addr, call_site.addr, call_site.function_address, cfg)
             if data:
                 callinsn2content[call_site.instruction_addrs[-1]] = data
             # print(hex(call_site.addr), data)
@@ -722,12 +768,14 @@ class StringObfuscationFinder(Analysis):
 
     @staticmethod
     def _like_type3_deobfuscation_function(code: str) -> bool:
-        return bool(
-            ("^" in code or ">>" in code or "<<" in code or "~" in code)
-            and ("do" in code or "while" in code or "for" in code)
-        )
-
-    def _type3_prepare_and_execute(self, func_addr: int, call_site_addr: int, call_site_func_addr: int, cfg):
+        has_bitwise_ops = "^" in code or ">>" in code or "<<" in code or "~" in code
+        has_loops = "do" in code or "while" in code or "for" in code
+        has_many_bitwise_ops = code.count("^") + code.count(">>") + code.count("<<") + code.count("~") > 5
+        return has_bitwise_ops and (has_loops or has_many_bitwise_ops)
+
+    def _type3_prepare_and_execute(
+        self, func_addr: int, call_site_addr: int, call_site_func_addr: int, cfg
+    ) -> tuple[bytes | None, bool]:
         blocks_at_callsite = [call_site_addr]
 
         # backtrack from call site to include all previous consecutive blocks
@@ -773,6 +821,7 @@ class StringObfuscationFinder(Analysis):
         # setup sp and bp, just in case
         state.regs._sp = 0x7FFF0000
         bp_set = False
+        assert prop.model.input_states is not None
         prop_state = prop.model.input_states.get(call_site_addr, None)
         if prop_state is not None:
             for reg_offset, reg_width in reg_reads:
@@ -798,7 +847,7 @@ class StringObfuscationFinder(Analysis):
             else:
                 simgr.step()
             if not simgr.active:
-                return None
+                return None, False
 
         in_state = simgr.active[0]
 
@@ -821,33 +870,63 @@ class StringObfuscationFinder(Analysis):
         try:
             ret_value = callable_0()
         except (AngrCallableMultistateError, AngrCallableError):
-            return None
+            return None, False
 
         out_state = callable_0.result_state
 
         # figure out what was written
+        assert out_state is not None
         ptr = out_state.memory.load(ret_value, size=self.project.arch.bytes, endness=self.project.arch.memory_endness)
+        if out_state.memory.load(ptr, size=4).concrete_value == 0:
+            # fall back to using the return value as the pointer
+            ptr = ret_value
+        if out_state.memory.load(ptr, size=4).concrete_value == 0:
+            # can't find a valid pointer
+            return None, False
+
         size = out_state.memory.load(ret_value + 8, size=4, endness=self.project.arch.memory_endness)
+        guessed_size = False
+        if size.symbolic or size.concrete_value == 0 or size.concrete_value >= 1024:
+            size = 64
+            guessed_size = True
         # TODO: Support lists with varied-length elements
         data = out_state.memory.load(ptr, size=size, endness="Iend_BE")
         if data.symbolic:
-            return None
+            return None, False
 
-        return out_state.solver.eval(data, cast_to=bytes)
+        return out_state.solver.eval(data, cast_to=bytes), guessed_size
 
     @staticmethod
     def _is_block_setting_constants_to_stack(block, threshold: int = 5) -> bool:
-        insn_setting_consts = 0
+        insn_setting_const_bytes = 0
+        xmm_has_const = False
         for insn in block.capstone.insns:
-            if (
-                insn.mnemonic.startswith("mov")
-                and len(insn.operands) == 2
-                and insn.operands[0].type == capstone.x86.X86_OP_MEM
-                and insn.operands[0].mem.base in {capstone.x86.X86_REG_RSP, capstone.x86.X86_REG_RBP}
-                and insn.operands[1].type == capstone.x86.X86_OP_IMM
-            ):
-                insn_setting_consts += 1
-        return insn_setting_consts >= threshold
+            if insn.mnemonic.startswith("mov") and len(insn.operands) == 2:
+                if (
+                    insn.operands[0].type == capstone.x86.X86_OP_MEM
+                    and insn.operands[0].mem.base in {capstone.x86.X86_REG_RSP, capstone.x86.X86_REG_RBP}
+                    and insn.operands[1].type == capstone.x86.X86_OP_IMM
+                ):
+                    # mov [rsp|rbp + offset], imm
+                    insn_setting_const_bytes += 1  # FIXME: How to get the size of the mov in capstone?
+                if (
+                    insn.operands[0].type == capstone.x86.X86_OP_REG
+                    and insn.operands[0].reg in ALL_X64_XMM_REGS
+                    and insn.operands[1].type == capstone.x86.X86_OP_MEM
+                    and insn.operands[1].mem.base == capstone.x86.X86_REG_RIP
+                ):
+                    xmm_has_const = True
+                if (
+                    xmm_has_const
+                    and insn.operands[0].type == capstone.x86.X86_OP_MEM
+                    and insn.operands[0].mem.base in {capstone.x86.X86_REG_RSP, capstone.x86.X86_REG_RBP}
+                    and insn.operands[1].type == capstone.x86.X86_OP_REG
+                    and insn.operands[1].reg in ALL_X64_XMM_REGS
+                ):
+                    # mov [rsp|rbp + offset], xmm0 - 31
+                    insn_setting_const_bytes += 16
+
+        return insn_setting_const_bytes >= threshold
 
     @staticmethod
     def _is_string_reasonable(s: bytes) -> bool:
@@ -857,5 +936,24 @@ class StringObfuscationFinder(Analysis):
         s = s.replace(b"\x00", b"")
         return all(chr(ch) in string.printable for ch in s)
 
+    @staticmethod
+    def _consecutive_printable_substrings(s: bytes, min_length: int = 3) -> list[bytes]:
+        """
+        Find all consecutive printable substrings in a string.
+        """
+        substrings = []
+        current_substring = b""
+        for ch in s:
+            if chr(ch) in string.printable:
+                current_substring += bytes([ch])
+            else:
+                if current_substring:
+                    if len(current_substring) >= min_length:
+                        substrings.append(current_substring)
+                    current_substring = b""
+        if current_substring:
+            substrings.append(current_substring)
+        return substrings
+
 
 AnalysesHub.register_default("StringObfuscationFinder", StringObfuscationFinder)

angr/analyses/s_reaching_definitions/s_rda_view.py

@@ -37,7 +37,8 @@ class RegVVarPredicate:
         if cc is not None:
             reg_list = cc.CALLER_SAVED_REGS
             if isinstance(cc.RETURN_VAL, SimRegArg):
-                reg_list.append(cc.RETURN_VAL.reg_name)
+                # do not update reg_list directly, otherwise you may update cc.CALLER_SAVED_REGS!
+                reg_list = [*reg_list, cc.RETURN_VAL.reg_name]
             return {self.arch.registers[reg_name][0] for reg_name in reg_list}
         log.warning("Cannot determine registers that are clobbered by call statement %r.", stmt)
         return set()

angr/analyses/typehoon/typeconsts.py

@@ -245,7 +245,9 @@ class Struct(TypeConstant):
         if not self.fields:
             return 0
         max_field_off = max(self.fields.keys())
-        return max_field_off + self.fields[max_field_off].size
+        return max_field_off + (
+            self.fields[max_field_off].size if not isinstance(self.fields[max_field_off], BottomType) else 1
+        )
 
     @memoize
     def __repr__(self, memo=None):

angr/blade.py

@@ -40,6 +40,7 @@ class Blade:
         cross_insn_opt=False,
         max_predecessors: int = 10,
         include_imarks: bool = True,
+        control_dependence: bool = True,
     ):
         """
         :param graph:                   A graph representing the control flow graph. Note that it does not take
@@ -56,6 +57,8 @@ class Blade:
         :param stop_at_calls:           Limit slicing within a single function. Do not proceed when encounters a call
                                         edge.
         :param include_imarks:          Should IMarks (instruction boundaries) be included in the slice.
+        :param control_dependence:      Whether to consider control dependencies. If True, the temps controlling
+                                        conditional exits will be added to the tainting set.
         :return: None
         """
 
@@ -70,6 +73,7 @@ class Blade:
         self._cross_insn_opt = cross_insn_opt
         self._max_predecessors = max_predecessors
         self._include_imarks = include_imarks
+        self._control_dependence = control_dependence
 
         self._slice = networkx.DiGraph()
 
@@ -347,7 +351,7 @@ class Blade:
         except (SimTranslationError, BadJumpkindNotification):
             return
 
-        if exit_stmt_idx is None or exit_stmt_idx == DEFAULT_STATEMENT:
+        if self._control_dependence and (exit_stmt_idx is None or exit_stmt_idx == DEFAULT_STATEMENT):
             # Initialize the temps set with whatever in the `next` attribute of this irsb
             next_expr = self._get_irsb(run).next
             if type(next_expr) is pyvex.IRExpr.RdTmp:
@@ -357,20 +361,21 @@ class Blade:
         self._inslice_callback(DEFAULT_STATEMENT, None, {"irsb_addr": irsb_addr, "prev": prev})
         prev = irsb_addr, DEFAULT_STATEMENT
 
-        # if there are conditional exits, we *always* add them into the slice (so if they should not be taken, we do not
-        # lose the condition)
-        for stmt_idx_, s_ in enumerate(self._get_irsb(run).statements):
-            if type(s_) is not pyvex.IRStmt.Exit:
-                continue
-            if s_.jumpkind != "Ijk_Boring":
-                continue
-
-            if type(s_.guard) is pyvex.IRExpr.RdTmp:
-                temps.add(s_.guard.tmp)
-
-            # Put it in our slice
-            self._inslice_callback(stmt_idx_, s_, {"irsb_addr": irsb_addr, "prev": prev})
-            prev = (irsb_addr, stmt_idx_)
+        if self._control_dependence:
+            # if there are conditional exits, we *always* add them into the slice (so if they should not be taken, we
+            # do not lose the condition)
+            for stmt_idx_, s_ in enumerate(self._get_irsb(run).statements):
+                if type(s_) is not pyvex.IRStmt.Exit:
+                    continue
+                if s_.jumpkind != "Ijk_Boring":
+                    continue
+
+                if type(s_.guard) is pyvex.IRExpr.RdTmp:
+                    temps.add(s_.guard.tmp)
+
+                # Put it in our slice
+                self._inslice_callback(stmt_idx_, s_, {"irsb_addr": irsb_addr, "prev": prev})
+                prev = (irsb_addr, stmt_idx_)
 
         infodict = {"irsb_addr": irsb_addr, "prev": prev, "has_statement": False}
 

angr/engines/icicle.py

@@ -123,7 +123,7 @@ class IcicleEngine(ConcreteEngine):
         if proj is None:
             raise ValueError("IcicleEngine requires a project to be set")
 
-        emu = Icicle(icicle_arch, PROCESSORS_DIR)
+        emu = Icicle(icicle_arch, PROCESSORS_DIR, True, True)
 
         copied_registers = set()
 
@@ -174,6 +174,11 @@ class IcicleEngine(ConcreteEngine):
             initial_cpu_icount=emu.cpu_icount,
         )
 
+        # 3. Copy edge hitmap
+        edge_hitmap = state.history.last_edge_hitmap
+        if edge_hitmap is not None:
+            emu.edge_hitmap = edge_hitmap
+
         return (emu, translation_data)
 
     @staticmethod
@@ -194,7 +199,8 @@ class IcicleEngine(ConcreteEngine):
             addr = page_num * state.memory.page_size
             state.memory.store(addr, emu.mem_read(addr, state.memory.page_size))
 
-        # 3. Set history.jumpkind
+        # 3. Set history
+        # 3.1 history.jumpkind
         exc = emu.exception_code
         if status == VmExit.UnhandledException:
             if exc in (
@@ -216,9 +222,16 @@ class IcicleEngine(ConcreteEngine):
         else:
             state.history.jumpkind = "Ijk_Boring"
 
-        # 4. Set history.recent_instruction_count
+        # 3.2 history.recent_bbl_addrs
+        # Skip the last block, because it will be added by Successors
+        state.history.recent_bbl_addrs.extend([b[0] for b in emu.recent_blocks][:-1])
+
+        # 3.3. Set history.recent_instruction_count
         state.history.recent_instruction_count = emu.cpu_icount - translation_data.initial_cpu_icount
 
+        # 3.4. Set edge hitmap
+        state.history.edge_hitmap = emu.edge_hitmap
+
         return state
 
     @override