angr 9.2.166__cp310-abi3-manylinux_2_28_aarch64.whl → 9.2.168__cp310-abi3-manylinux_2_28_aarch64.whl

angr/analyses/decompiler/region_identifier.py

@@ -43,6 +43,7 @@ class RegionIdentifier(Analysis):
         update_graph=True,
         largest_successor_tree_outside_loop=True,
         force_loop_single_exit=True,
+        refine_loops_with_single_successor=False,
         complete_successors=False,
         entry_node_addr: tuple[int, int | None] | None = None,
     ):
@@ -70,6 +71,7 @@ class RegionIdentifier(Analysis):
         self.regions_by_block_addrs = []
         self._largest_successor_tree_outside_loop = largest_successor_tree_outside_loop
         self._force_loop_single_exit = force_loop_single_exit
+        self._refine_loops_with_single_successor = refine_loops_with_single_successor
         self._complete_successors = complete_successors
         # we keep a dictionary of node and their traversal order in a quasi-topological traversal and update this
         # dictionary as we update the graph
@@ -265,13 +267,18 @@ class RegionIdentifier(Analysis):
 
         # special case: any node with more than two non-self successors are probably the head of a switch-case. we
         # should include all successors into the loop subgraph.
+        # we must be extra careful here to not include nodes that are reachable from outside the loop subgraph. an
+        # example is in binary 064e1d62c8542d658d83f7e231cc3b935a1f18153b8aea809dcccfd446a91c93, loop 0x40d7b0 should
+        # not include block 0x40d9d5 because this node has a out-of-loop-body predecessor (block 0x40d795).
         while True:
             updated = False
             for node in list(loop_subgraph):
                 nonself_successors = [succ for succ in graph.successors(node) if succ is not node]
                 if len(nonself_successors) > 2:
                     for succ in nonself_successors:
-                        if not loop_subgraph.has_edge(node, succ):
+                        if not loop_subgraph.has_edge(node, succ) and all(
+                            pred in loop_subgraph for pred in graph.predecessors(succ)
+                        ):
                             updated = True
                             loop_subgraph.add_edge(node, succ)
             if not updated:
@@ -280,7 +287,9 @@ class RegionIdentifier(Analysis):
         return set(loop_subgraph)
 
     def _refine_loop(self, graph: networkx.DiGraph, head, initial_loop_nodes, initial_exit_nodes):
-        if len(initial_exit_nodes) <= 1:
+        if (self._refine_loops_with_single_successor and len(initial_exit_nodes) == 0) or (
+            not self._refine_loops_with_single_successor and len(initial_exit_nodes) <= 1
+        ):
             return initial_loop_nodes, initial_exit_nodes
 
         refined_loop_nodes = initial_loop_nodes.copy()
@@ -713,7 +722,7 @@ class RegionIdentifier(Analysis):
 
         # visit the nodes in post-order
         region_created = False
-        for node in list(networkx.dfs_postorder_nodes(graph_copy, source=head)):
+        for node in list(GraphUtils.dfs_postorder_nodes_deterministic(graph_copy, head)):
             if node is dummy_endnode:
                 # skip the dummy endnode
                 continue

angr/analyses/decompiler/sequence_walker.py

@@ -110,24 +110,28 @@ class SequenceWalker:
 
     def _handle_MultiNode(self, node, **kwargs):
         changed = False
-        nodes_copy = list(node.nodes)
+        nodes = node.nodes if self._update_seqnode_in_place else list(node.nodes)
 
         if self._force_forward_scan:
-            for i, node_ in enumerate(nodes_copy):
+            for i, node_ in enumerate(nodes):
                 new_node = self._handle(node_, parent=node, index=i)
                 if new_node is not None:
                     changed = True
-                    node.nodes[i] = new_node
+                    nodes[i] = new_node
         else:
-            i = len(nodes_copy) - 1
+            i = len(nodes) - 1
             while i > -1:
-                node_ = nodes_copy[i]
+                node_ = nodes[i]
                 new_node = self._handle(node_, parent=node, index=i)
                 if new_node is not None:
                     changed = True
-                    node.nodes[i] = new_node
+                    nodes[i] = new_node
                 i -= 1
-        return None if not changed else node
+        if not changed:
+            return None
+        if self._update_seqnode_in_place:
+            return node
+        return MultiNode(nodes, addr=node.addr, idx=node.idx)
 
     def _handle_SwitchCase(self, node, **kwargs):
         self._handle(node.switch_expr, parent=node, label="switch_expr")

angr/analyses/decompiler/structured_codegen/base.py

@@ -1,3 +1,4 @@
+# pylint:disable=missing-class-docstring
 from __future__ import annotations
 from sortedcontainers import SortedDict
 
@@ -114,13 +115,45 @@ class InstructionMapping:
 
 
 class BaseStructuredCodeGenerator:
-    def __init__(self, flavor=None):
+    def __init__(self, flavor=None, notes=None):
         self.flavor = flavor
         self.text = None
         self.map_pos_to_node = None
         self.map_pos_to_addr = None
         self.map_addr_to_pos = None
         self.map_ast_to_pos: dict[SimVariable, set[PositionMappingElement]] | None = None
+        self.notes = notes if notes is not None else {}
+
+    def adjust_mapping_positions(
+        self,
+        offset: int,
+        pos_to_node: PositionMapping,
+        pos_to_addr: PositionMapping,
+        addr_to_pos: InstructionMapping,
+    ) -> tuple[PositionMapping, PositionMapping, InstructionMapping]:
+        """
+        Adjust positions in the mappings to account for the notes that are prepended to the text.
+
+        :param offset:       The length of the notes to prepend.
+        :param pos_to_node:  The position to node mapping.
+        :param pos_to_addr:  The position to address mapping.
+        :param addr_to_pos:  The address to position mapping.
+        :return:             Adjusted mappings.
+        """
+        new_pos_to_node = PositionMapping()
+        new_pos_to_addr = PositionMapping()
+        new_addr_to_pos = InstructionMapping()
+
+        for pos, node in pos_to_node.items():
+            new_pos_to_node.add_mapping(pos + offset, node.length, node.obj)
+
+        for pos, node in pos_to_addr.items():
+            new_pos_to_addr.add_mapping(pos + offset, node.length, node.obj)
+
+        for addr, pos in addr_to_pos.items():
+            new_addr_to_pos.add_mapping(addr, pos.posmap_pos + offset)
+
+        return new_pos_to_node, new_pos_to_addr, new_addr_to_pos
 
     def reapply_options(self, options):
         pass

angr/analyses/decompiler/structured_codegen/c.py

@@ -43,6 +43,7 @@ from angr.utils.library import get_cpp_function_name
 from angr.utils.loader import is_in_readonly_segment, is_in_readonly_section
 from angr.utils.types import unpack_typeref, unpack_pointer_and_array, dereference_simtype_by_lib
 from angr.analyses.decompiler.utils import structured_node_is_simple_return
+from angr.analyses.decompiler.notes.deobfuscated_strings import DeobfuscatedStringsNote
 from angr.errors import UnsupportedNodeTypeError, AngrRuntimeError
 from angr.knowledge_plugins.cfg.memory_data import MemoryData, MemoryDataSort
 from angr.analyses import Analysis, register_analysis
@@ -254,7 +255,7 @@ class CConstruct:
         self.tags = tags or {}
         self.codegen: StructuredCodeGenerator = codegen
 
-    def c_repr(self, indent=0, pos_to_node=None, pos_to_addr=None, addr_to_pos=None):
+    def c_repr(self, initial_pos=0, indent=0, pos_to_node=None, pos_to_addr=None, addr_to_pos=None):
         """
         Creates the C representation of the code and displays it by
         constructing a large string. This function is called by each program function that needs to be decompiled.
@@ -268,7 +269,7 @@ class CConstruct:
 
         def mapper(chunks):
             # start all positions at beginning of document
-            pos = 0
+            pos = initial_pos
 
             last_insn_addr = None
 
@@ -2520,8 +2521,10 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         display_block_addrs=False,
         display_vvar_ids=False,
         min_data_addr: int = 0x400_000,
+        notes=None,
+        display_notes: bool = True,
     ):
-        super().__init__(flavor=flavor)
+        super().__init__(flavor=flavor, notes=notes)
 
         self._handlers = {
             CodeNode: self._handle_Code,
@@ -2604,6 +2607,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         self.map_addr_to_label: dict[tuple[int, int | None], CLabel] = {}
         self.cfunc: CFunction | None = None
         self.cexterns: set[CVariable] | None = None
+        self.display_notes = display_notes
 
         self._analyze()
 
@@ -2700,9 +2704,20 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         ast_to_pos = defaultdict(set)
 
         text = cfunc.c_repr(
-            indent=self._indent, pos_to_node=pos_to_node, pos_to_addr=pos_to_addr, addr_to_pos=addr_to_pos
+            initial_pos=0,
+            indent=self._indent,
+            pos_to_node=pos_to_node,
+            pos_to_addr=pos_to_addr,
+            addr_to_pos=addr_to_pos,
         )
 
+        if self.display_notes:
+            notes = self.render_notes()
+            pos_to_node, pos_to_addr, addr_to_pos = self.adjust_mapping_positions(
+                len(notes), pos_to_node, pos_to_addr, addr_to_pos
+            )
+            text = notes + text
+
         for elem, node in pos_to_node.items():
             if isinstance(node.obj, CConstant):
                 ast_to_pos[node.obj.value].add(elem)
@@ -2726,6 +2741,21 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
         return text, pos_to_node, pos_to_addr, addr_to_pos, ast_to_pos
 
+    def render_notes(self) -> str:
+        """
+        Render decompilation notes.
+
+        :return: A string containing all notes.
+        """
+        if not self.notes:
+            return ""
+
+        lines = []
+        for note in self.notes.values():
+            note_lines = str(note).split("\n")
+            lines += [f"// {line}" for line in note_lines]
+        return "\n".join(lines) + "\n\n"
+
     def _get_variable_type(self, var, is_global=False):
         if is_global:
             return self._variable_kb.variables["global"].get_variable_type(var)
@@ -3601,14 +3631,18 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             reference_values = {}
             type_ = unpack_typeref(type_)
             if expr.value in self.kb.obfuscations.type1_deobfuscated_strings:
-                reference_values[SimTypePointer(SimTypeChar())] = self.kb.obfuscations.type1_deobfuscated_strings[
-                    expr.value
-                ]
+                deobf_str = self.kb.obfuscations.type1_deobfuscated_strings[expr.value]
+                reference_values[SimTypePointer(SimTypeChar())] = deobf_str
+                if "deobfuscated_strings" not in self.notes:
+                    self.notes["deobfuscated_strings"] = DeobfuscatedStringsNote()
+                self.notes["deobfuscated_strings"].add_string("1", deobf_str, ref_addr=expr.value)
                 inline_string = True
             elif expr.value in self.kb.obfuscations.type2_deobfuscated_strings:
-                reference_values[SimTypePointer(SimTypeChar())] = self.kb.obfuscations.type2_deobfuscated_strings[
-                    expr.value
-                ]
+                deobf_str = self.kb.obfuscations.type2_deobfuscated_strings[expr.value]
+                reference_values[SimTypePointer(SimTypeChar())] = deobf_str
+                if "deobfuscated_strings" not in self.notes:
+                    self.notes["deobfuscated_strings"] = DeobfuscatedStringsNote()
+                self.notes["deobfuscated_strings"].add_string("2", deobf_str, ref_addr=expr.value)
                 inline_string = True
             elif isinstance(type_, SimTypePointer) and isinstance(type_.pts_to, (SimTypeChar, SimTypeBottom)):
                 # char* or void*