PyPI - angr - Versions diffs - 9.2.176__cp310-abi3-macosx_11_0_arm64.whl → 9.2.178__cp310-abi3-macosx_11_0_arm64.whl - Mend

angr 9.2.176__cp310-abi3-macosx_11_0_arm64.whl → 9.2.178__cp310-abi3-macosx_11_0_arm64.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of angr might be problematic. Click here for more details.

Files changed (42) hide show

angr/__init__.py +1 -1
angr/analyses/cfg/cfg_fast.py +15 -0
angr/analyses/decompiler/ail_simplifier.py +69 -1
angr/analyses/decompiler/ccall_rewriters/amd64_ccalls.py +45 -7
angr/analyses/decompiler/clinic.py +15 -7
angr/analyses/decompiler/dirty_rewriters/__init__.py +7 -0
angr/analyses/decompiler/dirty_rewriters/amd64_dirty.py +69 -0
angr/analyses/decompiler/dirty_rewriters/rewriter_base.py +27 -0
angr/analyses/decompiler/optimization_passes/__init__.py +3 -0
angr/analyses/decompiler/optimization_passes/optimization_pass.py +10 -8
angr/analyses/decompiler/optimization_passes/register_save_area_simplifier.py +44 -6
angr/analyses/decompiler/optimization_passes/register_save_area_simplifier_adv.py +198 -0
angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py +111 -55
angr/analyses/decompiler/peephole_optimizations/cas_intrinsics.py +69 -12
angr/analyses/decompiler/peephole_optimizations/inlined_wcscpy_consolidation.py +189 -6
angr/analyses/decompiler/peephole_optimizations/remove_redundant_shifts_around_comparators.py +72 -1
angr/analyses/decompiler/presets/basic.py +2 -0
angr/analyses/decompiler/presets/fast.py +2 -0
angr/analyses/decompiler/presets/full.py +2 -0
angr/analyses/decompiler/utils.py +10 -3
angr/analyses/flirt/flirt.py +5 -4
angr/analyses/s_propagator.py +23 -21
angr/analyses/smc.py +2 -3
angr/analyses/variable_recovery/engine_ail.py +39 -0
angr/emulator.py +2 -1
angr/engines/hook.py +1 -1
angr/engines/icicle.py +19 -3
angr/knowledge_plugins/functions/function.py +2 -2
angr/knowledge_plugins/labels.py +4 -4
angr/procedures/definitions/__init__.py +9 -0
angr/procedures/definitions/parse_win32json.py +11 -0
angr/procedures/definitions/wdk/ntoskrnl.json +4 -0
angr/rustylib.abi3.so +0 -0
angr/unicornlib.dylib +0 -0
angr/utils/funcid.py +85 -0
angr/utils/ssa/__init__.py +2 -6
{angr-9.2.176.dist-info → angr-9.2.178.dist-info}/METADATA +6 -5
{angr-9.2.176.dist-info → angr-9.2.178.dist-info}/RECORD +42 -38
{angr-9.2.176.dist-info → angr-9.2.178.dist-info}/WHEEL +0 -0
{angr-9.2.176.dist-info → angr-9.2.178.dist-info}/entry_points.txt +0 -0
{angr-9.2.176.dist-info → angr-9.2.178.dist-info}/licenses/LICENSE +0 -0
{angr-9.2.176.dist-info → angr-9.2.178.dist-info}/top_level.txt +0 -0

angr/analyses/decompiler/optimization_passes/register_save_area_simplifier_adv.py ADDED Viewed

@@ -0,0 +1,198 @@
+# pylint:disable=too-many-boolean-expressions
+from __future__ import annotations
+import logging
+from angr.ailment.statement import Assignment
+from angr.ailment.expression import VirtualVariable
+from angr.code_location import CodeLocation, ExternalCodeLocation
+from angr.analyses.decompiler.stack_item import StackItem, StackItemType
+from angr.utils.ail import is_phi_assignment
+from .optimization_pass import OptimizationPass, OptimizationPassStage
+_l = logging.getLogger(name=__name__)
+class RegisterSaveAreaSimplifierAdvanced(OptimizationPass):
+    """
+    Optimizes away registers that are stored to or restored on the stack space.
+    This analysis is more complex than RegisterSaveAreaSimplifier because it handles:
+    (1) Registers that are stored in the stack shadow space (sp+N) according to the Windows x64 calling convention.
+    (2) Registers that are aliases of sp.
+    """
+    ARCHES = None
+    PLATFORMS = None
+    STAGE = OptimizationPassStage.AFTER_SSA_LEVEL1_TRANSFORMATION
+    NAME = "Simplify register save areas (advanced)"
+    DESCRIPTION = __doc__.strip()  # type:ignore
+    def __init__(self, func, **kwargs):
+        super().__init__(func, **kwargs)
+        self._srda = None
+        self.analyze()
+    def _check(self):
+        self._srda = self.project.analyses.SReachingDefinitions(
+            subject=self._func, func_graph=self._graph, func_args=self._arg_vvars
+        )
+        info = self._find_reg_store_and_restore_locations()
+        if not info:
+            return False, None
+        return True, {"info": info}
+    @staticmethod
+    def _modify_statement(
+        old_block, stmt_idx_: int, updated_blocks_, stack_offset: int | None = None
+    ):  # pylint:disable=unused-argument
+        if old_block not in updated_blocks_:
+            block = old_block.copy()
+            updated_blocks_[old_block] = block
+        else:
+            block = updated_blocks_[old_block]
+        block.statements[stmt_idx_] = None
+    def _analyze(self, cache=None):
+        if cache is None:
+            return
+        info: list[tuple[int, CodeLocation, int, CodeLocation, int]] = cache["info"]
+        updated_blocks = {}
+        for _regvar, regvar_loc, _stackvar, stackvar_loc, _ in info:
+            # remove storing statements
+            old_block = self._get_block(regvar_loc.block_addr, idx=regvar_loc.block_idx)
+            assert regvar_loc.stmt_idx is not None
+            self._modify_statement(old_block, regvar_loc.stmt_idx, updated_blocks)
+            old_block = self._get_block(stackvar_loc.block_addr, idx=stackvar_loc.block_idx)
+            assert stackvar_loc.stmt_idx is not None
+            self._modify_statement(old_block, stackvar_loc.stmt_idx, updated_blocks)
+        for old_block, new_block in updated_blocks.items():
+            # remove all statements that are None
+            new_block.statements = [stmt for stmt in new_block.statements if stmt is not None]
+            # update it
+            self._update_block(old_block, new_block)
+        if updated_blocks:
+            # update stack_items
+            for _, _, _, _, stack_offset in info:
+                self.stack_items[stack_offset] = StackItem(
+                    stack_offset, self.project.arch.bytes, "regs", StackItemType.SAVED_REGS
+                )
+    def _find_reg_store_and_restore_locations(self) -> list[tuple[int, CodeLocation, int, CodeLocation, int]]:
+        results = []
+        assert self._srda is not None
+        srda_model = self._srda.model
+        # find all registers that are defined externally and used exactly once
+        saved_vvars: set[tuple[int, CodeLocation]] = set()
+        for vvar_id, loc in srda_model.all_vvar_definitions.items():
+            if isinstance(loc, ExternalCodeLocation):
+                uses = srda_model.all_vvar_uses.get(vvar_id, [])
+                if len(uses) == 1:
+                    vvar, used_loc = next(iter(uses))
+                    if vvar is not None and vvar.was_reg:
+                        saved_vvars.add((vvar_id, used_loc))
+        if not saved_vvars:
+            return results
+        # for each candidate, we check to ensure:
+        # - it is stored onto the stack (into a stack virtual variable)
+        # - the stack virtual variable is only used once and restores the value to the same register
+        # - the restore location is in the dominance frontier of the store location
+        for vvar_id, used_loc in saved_vvars:
+            def_block = self._get_block(used_loc.block_addr, idx=used_loc.block_idx)
+            assert def_block is not None and used_loc.stmt_idx is not None
+            stmt = def_block.statements[used_loc.stmt_idx]
+            if not (
+                isinstance(stmt, Assignment)
+                and isinstance(stmt.dst, VirtualVariable)
+                and stmt.dst.was_stack
+                and isinstance(stmt.src, VirtualVariable)
+                and stmt.src.was_reg
+                and stmt.src.varid == vvar_id
+            ):
+                continue
+            stack_vvar = stmt.dst
+            all_stack_vvar_uses = srda_model.all_vvar_uses.get(stack_vvar.varid, [])
+            # eliminate the use location if it's a phi statement
+            stack_vvar_uses = set()
+            for vvar_, loc_ in all_stack_vvar_uses:
+                use_block = self._get_block(loc_.block_addr, idx=loc_.block_idx)
+                if use_block is None or loc_.stmt_idx is None:
+                    continue
+                use_stmt = use_block.statements[loc_.stmt_idx]
+                if is_phi_assignment(use_stmt):
+                    continue
+                stack_vvar_uses.add((vvar_, loc_))
+            if len(stack_vvar_uses) != 1:
+                continue
+            _, stack_vvar_use_loc = next(iter(stack_vvar_uses))
+            restore_block = self._get_block(stack_vvar_use_loc.block_addr, idx=stack_vvar_use_loc.block_idx)
+            assert restore_block is not None
+            restore_stmt = restore_block.statements[stack_vvar_use_loc.stmt_idx]
+            if not (
+                isinstance(restore_stmt, Assignment)
+                and isinstance(restore_stmt.src, VirtualVariable)
+                and restore_stmt.src.varid == stack_vvar.varid
+                and isinstance(restore_stmt.dst, VirtualVariable)
+                and restore_stmt.dst.was_reg
+                and restore_stmt.dst.reg_offset == stmt.src.reg_offset
+            ):
+                continue
+            # this is the dumb version of the dominance frontier check
+            if self._within_dominance_frontier(def_block, restore_block, True, True):
+                results.append(
+                    (stmt.src.varid, used_loc, stack_vvar.varid, stack_vvar_use_loc, stack_vvar.stack_offset)
+                )
+        return results
+    def _within_dominance_frontier(self, dom_node, node, use_preds: bool, use_succs: bool) -> bool:
+        if use_succs:
+            # scan forward
+            succs = [succ for succ in self._graph.successors(dom_node) if succ is not dom_node]
+            if len(succs) == 1:
+                succ = succs[0]
+                succ_preds = [pred for pred in self._graph.predecessors(succ) if pred is not succ]
+                if len(succ_preds) == 0:
+                    # the successor has no other predecessors
+                    r = self._within_dominance_frontier(succ, node, False, True)
+                    if r:
+                        return True
+                else:
+                    # the successor has other predecessors; gotta step back
+                    preds = [pred for pred in self._graph.predecessors(node) if pred is not node]
+                    if len(preds) == 1 and preds[0] is node:
+                        return True
+            elif len(succs) == 2:
+                return any(succ is node for succ in succs)
+        if use_preds:
+            # scan backward
+            preds = [pred for pred in self._graph.predecessors(dom_node) if pred is not dom_node]
+            if len(preds) == 1:
+                pred = preds[0]
+                pred_succs = [succ for succ in self._graph.successors(pred) if succ is not pred]
+                if len(pred_succs) == 0:
+                    # the predecessor has no other successors
+                    return self._within_dominance_frontier(pred, node, True, False)
+                # the predecessor has other successors; gotta step forward
+                succs = [succ for succ in self._graph.successors(node) if succ is not node]
+                if len(succs) == 1:
+                    return self._graph.has_edge(node, succs[0])
+            elif len(preds) == 2:
+                return False
+        return False

angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py CHANGED Viewed

@@ -33,9 +33,12 @@ class WinStackCanarySimplifier(OptimizationPass):
     def __init__(self, func, **kwargs):
         super().__init__(func, **kwargs)
-        self._security_cookie_addr = None
+        self._security_cookie_addr: int | None = None
         if isinstance(self.project.loader.main_object, cle.PE):
             self._security_cookie_addr = self.project.loader.main_object.load_config.get("SecurityCookie", None)
+            if self._security_cookie_addr is None:
+                # maybe it's just not set - check labels
+                self._security_cookie_addr = self.project.kb.labels.lookup("_security_cookie")
         self.analyze()
@@ -186,21 +189,16 @@ class WinStackCanarySimplifier(OptimizationPass):
         xor_stmt_idx = None
         xored_reg = None
+        assert self._security_cookie_addr is not None
         for idx, stmt in enumerate(block.statements):
             # if we are lucky and things get folded into one statement:
             if (
                 isinstance(stmt, ailment.Stmt.Store)
                 and isinstance(stmt.addr, ailment.Expr.StackBaseOffset)
-                and isinstance(stmt.data, ailment.Expr.BinaryOp)
-                and stmt.data.op == "Xor"
-                and isinstance(stmt.data.operands[1], ailment.Expr.StackBaseOffset)
-                and isinstance(stmt.data.operands[0], ailment.Expr.Load)
-                and isinstance(stmt.data.operands[0].addr, ailment.Expr.Const)
+                and self._is_expr_loading_stack_cookie(stmt.data, self._security_cookie_addr)
             ):
-                # Check addr: must be __security_cookie
-                load_addr = stmt.data.operands[0].addr.value
-                if load_addr == self._security_cookie_addr:
-                    return [idx]
+                return [idx]
             # or if we are unlucky and the load and the xor are two different statements
             if (
                 isinstance(stmt, ailment.Stmt.Assignment)
@@ -213,25 +211,14 @@ class WinStackCanarySimplifier(OptimizationPass):
                 if load_addr == self._security_cookie_addr:
                     load_stmt_idx = idx
                     load_reg = stmt.dst.reg_offset
-            if load_stmt_idx is not None and xor_stmt_idx is None and idx >= load_stmt_idx + 1:  # noqa:SIM102
+            if load_stmt_idx is not None and load_reg is not None and xor_stmt_idx is None and idx >= load_stmt_idx + 1:
+                assert self.project.arch.bp_offset is not None
                 if (
                     isinstance(stmt, ailment.Stmt.Assignment)
                     and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
                     and stmt.dst.was_reg
                     and not self.project.arch.is_artificial_register(stmt.dst.reg_offset, stmt.dst.size)
-                    and isinstance(stmt.src, ailment.Expr.BinaryOp)
-                    and stmt.src.op == "Xor"
-                    and isinstance(stmt.src.operands[0], ailment.Expr.VirtualVariable)
-                    and stmt.src.operands[0].was_reg
-                    and stmt.src.operands[0].reg_offset == load_reg
-                    and (
-                        isinstance(stmt.src.operands[1], ailment.Expr.StackBaseOffset)
-                        or (
-                            isinstance(stmt.src.operands[1], ailment.Expr.VirtualVariable)
-                            and stmt.src.operands[1].was_reg
-                            and stmt.src.operands[1].reg_offset == self.project.arch.registers["ebp"][0]
-                        )
-                    )
+                    and self._is_expr_xoring_stack_cookie_reg(stmt.src, load_reg, self.project.arch.bp_offset)
                 ):
                     xor_stmt_idx = idx
                     xored_reg = stmt.dst.reg_offset
@@ -255,6 +242,25 @@ class WinStackCanarySimplifier(OptimizationPass):
                 ):
                     return [load_stmt_idx, xor_stmt_idx, idx]
                 break
+            if load_stmt_idx is not None and xor_stmt_idx is None and idx >= load_stmt_idx + 1:  # noqa:SIM102
+                if isinstance(stmt, ailment.Stmt.Store) and (
+                    isinstance(stmt.addr, ailment.Expr.StackBaseOffset)
+                    or (
+                        isinstance(stmt.addr, ailment.Expr.BinaryOp)
+                        and stmt.addr.op == "Sub"
+                        and isinstance(stmt.addr.operands[0], ailment.Expr.VirtualVariable)
+                        and stmt.addr.operands[0].was_reg
+                        and stmt.addr.operands[0].reg_offset == self.project.arch.registers["ebp"][0]
+                        and isinstance(stmt.addr.operands[1], ailment.Expr.Const)
+                    )
+                ):
+                    if (
+                        isinstance(stmt.data, ailment.Expr.VirtualVariable)
+                        and stmt.data.was_reg
+                        and stmt.data.reg_offset == load_reg
+                    ):
+                        return [load_stmt_idx, idx]
+                    break
         return None
     def _find_amd64_canary_storing_stmt(self, block, canary_value_stack_offset):
@@ -263,23 +269,27 @@ class WinStackCanarySimplifier(OptimizationPass):
         for idx, stmt in enumerate(block.statements):
             # when we are lucky, we have one instruction
             if (
-                (
-                    isinstance(stmt, ailment.Stmt.Assignment)
-                    and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
-                    and stmt.dst.was_reg
-                    and stmt.dst.reg_offset == self.project.arch.registers["rcx"][0]
-                )
-                and isinstance(stmt.src, ailment.Expr.BinaryOp)
-                and stmt.src.op == "Xor"
+                isinstance(stmt, ailment.Stmt.Assignment)
+                and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
+                and stmt.dst.was_reg
+                and stmt.dst.reg_offset == self.project.arch.registers["rcx"][0]
             ):
-                op0, op1 = stmt.src.operands
-                if (
-                    isinstance(op0, ailment.Expr.Load)
-                    and isinstance(op0.addr, ailment.Expr.StackBaseOffset)
-                    and op0.addr.offset == canary_value_stack_offset
-                ) and isinstance(op1, ailment.Expr.StackBaseOffset):
-                    # found it
-                    return idx
+                if isinstance(stmt.src, ailment.Expr.BinaryOp) and stmt.src.op == "Xor":
+                    op0, op1 = stmt.src.operands
+                    if (
+                        isinstance(op0, ailment.Expr.Load)
+                        and isinstance(op0.addr, ailment.Expr.StackBaseOffset)
+                        and op0.addr.offset == canary_value_stack_offset
+                    ) and isinstance(op1, ailment.Expr.StackBaseOffset):
+                        # found it
+                        return idx
+                elif isinstance(stmt.src, ailment.Expr.Load):
+                    if (
+                        isinstance(stmt.src.addr, ailment.Expr.StackBaseOffset)
+                        and stmt.src.addr.offset == canary_value_stack_offset
+                    ):
+                        # found it
+                        return idx
             # or when we are unlucky, we have two instructions...
             if (
                 isinstance(stmt, ailment.Stmt.Assignment)
@@ -317,22 +327,26 @@ class WinStackCanarySimplifier(OptimizationPass):
         for idx, stmt in enumerate(block.statements):
             # when we are lucky, we have one instruction
             if (
-                (
-                    isinstance(stmt, ailment.Stmt.Assignment)
-                    and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
-                    and stmt.dst.was_reg
-                    and not self.project.arch.is_artificial_register(stmt.dst.reg_offset, stmt.dst.size)
-                )
-                and isinstance(stmt.src, ailment.Expr.BinaryOp)
-                and stmt.src.op == "Xor"
+                isinstance(stmt, ailment.Stmt.Assignment)
+                and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
+                and stmt.dst.was_reg
+                and not self.project.arch.is_artificial_register(stmt.dst.reg_offset, stmt.dst.size)
             ):
-                op0, op1 = stmt.src.operands
-                if (
-                    isinstance(op0, ailment.Expr.Load)
-                    and self._get_bp_offset(op0.addr, stmt.ins_addr) == canary_value_stack_offset
-                ) and isinstance(op1, ailment.Expr.StackBaseOffset):
-                    # found it
-                    return idx
+                if isinstance(stmt.src, ailment.Expr.BinaryOp) and stmt.src.op == "Xor":
+                    op0, op1 = stmt.src.operands
+                    if (
+                        isinstance(op0, ailment.Expr.Load)
+                        and self._get_bp_offset(op0.addr, stmt.ins_addr) == canary_value_stack_offset
+                    ) and isinstance(op1, ailment.Expr.StackBaseOffset):
+                        # found it
+                        return idx
+                elif isinstance(stmt.src, ailment.Expr.Load):
+                    if (
+                        isinstance(stmt.src.addr, ailment.Expr.StackBaseOffset)
+                        and stmt.src.addr.offset == canary_value_stack_offset
+                    ):
+                        # found it
+                        return idx
             # or when we are unlucky, we have two instructions...
             if (
                 isinstance(stmt, ailment.Stmt.Assignment)
@@ -419,3 +433,45 @@ class WinStackCanarySimplifier(OptimizationPass):
                         return idx
         return None
+    @staticmethod
+    def _is_expr_loading_stack_cookie(expr: ailment.Expr.Expression, security_cookie_addr: int) -> bool:
+        if (
+            isinstance(expr, ailment.Expr.BinaryOp)
+            and expr.op == "Xor"
+            and isinstance(expr.operands[1], ailment.Expr.StackBaseOffset)
+            and isinstance(expr.operands[0], ailment.Expr.Load)
+            and isinstance(expr.operands[0].addr, ailment.Expr.Const)
+        ):
+            # Check addr: must be __security_cookie
+            load_addr = expr.operands[0].addr.value
+            if load_addr == security_cookie_addr:
+                return True
+        if isinstance(expr, ailment.Expr.Load) and isinstance(expr.addr, ailment.Expr.Const):
+            load_addr = expr.addr.value
+            # Check addr: must be __security_cookie
+            if load_addr == security_cookie_addr:
+                return True
+        return False
+    @staticmethod
+    def _is_expr_xoring_stack_cookie_reg(
+        expr: ailment.Expr.Expression, security_cookie_reg: int, bp_offset: int
+    ) -> bool:
+        return (
+            isinstance(expr, ailment.Expr.BinaryOp)
+            and expr.op == "Xor"
+            and isinstance(expr.operands[0], ailment.Expr.VirtualVariable)
+            and expr.operands[0].was_reg
+            and expr.operands[0].reg_offset == security_cookie_reg
+            and (
+                isinstance(expr.operands[1], ailment.Expr.StackBaseOffset)
+                or (
+                    isinstance(expr.operands[1], ailment.Expr.VirtualVariable)
+                    and expr.operands[1].was_reg
+                    and expr.operands[1].reg_offset == bp_offset
+                )
+            )
+        )

angr/analyses/decompiler/peephole_optimizations/cas_intrinsics.py CHANGED Viewed

@@ -1,6 +1,7 @@
 # pylint:disable=arguments-differ,too-many-boolean-expressions
 from __future__ import annotations
+from angr.ailment import Const
 from angr.ailment.expression import BinaryOp, Load, Expression, Tmp
 from angr.ailment.statement import CAS, ConditionalJump, Statement, Assignment, Call
@@ -8,8 +9,22 @@ from .base import PeepholeOptimizationMultiStmtBase
 _INTRINSICS_NAMES = {
-    "xchg": {"Win32": "InterlockedExchange", "Linux": "atomic_exchange"},
-    "cmpxchg": {"Win32": "InterlockedCompareExchange", "Linux": "atomic_compare_exchange"},
+    "xchg8": {"Win32": "InterlockedExchange8", "Linux": "atomic_exchange"},
+    "xchg16": {"Win32": "InterlockedExchange16", "Linux": "atomic_exchange"},
+    "xchg32": {"Win32": "InterlockedExchange", "Linux": "atomic_exchange"},
+    "xchg64": {"Win32": "InterlockedExchange64", "Linux": "atomic_exchange"},
+    "cmpxchg16": {"Win32": "InterlockedCompareExchange16", "Linux": "atomic_compare_exchange"},
+    "cmpxchg32": {"Win32": "InterlockedCompareExchange", "Linux": "atomic_compare_exchange"},
+    "cmpxchg64": {"Win32": "InterlockedCompareExchange64", "Linux": "atomic_compare_exchange"},
+    "cmpxchg128": {"Win32": "InterlockedCompareExchange128", "Linux": "atomic_compare_exchange"},
+    "lock_inc16": {"Win32": "InterlockedIncrement16", "Linux": "atomic_fetch_add"},
+    "lock_inc32": {"Win32": "InterlockedIncrement", "Linux": "atomic_fetch_add"},
+    "lock_inc64": {"Win32": "InterlockedIncrement64", "Linux": "atomic_fetch_add"},
+    "lock_dec16": {"Win32": "InterlockedDecrement16", "Linux": "atomic_fetch_dec"},
+    "lock_dec32": {"Win32": "InterlockedDecrement", "Linux": "atomic_fetch_dec"},
+    "lock_dec64": {"Win32": "InterlockedDecrement64", "Linux": "atomic_fetch_dec"},
+    "lock_xadd32": {"Win32": "InterlockedExchangeAdd", "Linux": "atomic_exchange_add"},
+    "lock_xadd64": {"Win32": "InterlockedExchangeAdd64", "Linux": "atomic_exchange_add"},
 }
@@ -72,14 +87,54 @@ class CASIntrinsics(PeepholeOptimizationMultiStmtBase):
             ):
                 # TODO: Support cases where cas_stmt.old_hi is not None
                 # Case 1
-                call_expr = Call(
-                    cas_stmt.idx,
-                    self._get_instrincs_name("xchg"),
-                    args=[addr, cas_stmt.data_lo],
-                    bits=cas_stmt.bits,
-                    ins_addr=cas_stmt.ins_addr,
-                )
-                stmt = Assignment(cas_stmt.idx, cas_stmt.old_lo, call_expr, **cas_stmt.tags)
+                call_expr = None
+                if isinstance(cas_stmt.data_lo, BinaryOp):
+                    if cas_stmt.data_lo.op == "Add" and cas_stmt.data_lo.operands[0].likes(cas_stmt.expd_lo):
+                        if isinstance(cas_stmt.data_lo.operands[1], Const) and cas_stmt.data_lo.operands[1].value == 1:
+                            # lock inc
+                            call_expr = Call(
+                                cas_stmt.idx,
+                                self._get_instrincs_name(f"lock_inc{cas_stmt.bits}"),
+                                args=[cas_stmt.addr],
+                                bits=cas_stmt.bits,
+                                ins_addr=cas_stmt.ins_addr,
+                            )
+                        else:
+                            # lock xadd
+                            call_expr = Call(
+                                cas_stmt.idx,
+                                self._get_instrincs_name(f"lock_xadd{cas_stmt.bits}"),
+                                args=[cas_stmt.addr, cas_stmt.data_lo.operands[1]],
+                                bits=cas_stmt.bits,
+                                ins_addr=cas_stmt.ins_addr,
+                            )
+                    elif (
+                        cas_stmt.data_lo.op == "Sub"
+                        and cas_stmt.data_lo.operands[0].likes(cas_stmt.expd_lo)
+                        and isinstance(cas_stmt.data_lo.operands[1], Const)
+                        and cas_stmt.data_lo.operands[1].value == 1
+                    ):
+                        # lock dec
+                        call_expr = Call(
+                            cas_stmt.idx,
+                            self._get_instrincs_name(f"lock_dec{cas_stmt.bits}"),
+                            args=[cas_stmt.addr],
+                            bits=cas_stmt.bits,
+                            ins_addr=cas_stmt.ins_addr,
+                        )
+                if call_expr is None:
+                    call_expr = Call(
+                        cas_stmt.idx,
+                        self._get_instrincs_name(f"xchg{cas_stmt.bits}"),
+                        args=[addr, cas_stmt.data_lo],
+                        bits=cas_stmt.bits,
+                        ins_addr=cas_stmt.ins_addr,
+                    )
+                assignment_dst = cas_stmt.expd_lo
+                stmt = Assignment(cas_stmt.idx, assignment_dst, call_expr, **cas_stmt.tags)  # type:ignore
                 return [stmt]
         if next_stmt.ins_addr <= cas_stmt.ins_addr:
@@ -88,9 +143,10 @@ class CASIntrinsics(PeepholeOptimizationMultiStmtBase):
         if cas_stmt.old_hi is None:
             # TODO: Support cases where cas_stmt.old_hi is not None
+            # Case 2
             call_expr = Call(
                 cas_stmt.idx,
-                self._get_instrincs_name("cmpxchg"),
+                self._get_instrincs_name(f"cmpxchg{cas_stmt.bits}"),
                 args=[
                     cas_stmt.addr,
                     cas_stmt.data_lo,
@@ -99,7 +155,8 @@ class CASIntrinsics(PeepholeOptimizationMultiStmtBase):
                 bits=cas_stmt.bits,
                 ins_addr=cas_stmt.ins_addr,
             )
-            stmt = Assignment(cas_stmt.idx, cas_stmt.old_lo, call_expr, **cas_stmt.tags)
+            assignment_dst = cas_stmt.expd_lo
+            stmt = Assignment(cas_stmt.idx, assignment_dst, call_expr, **cas_stmt.tags)  # type:ignore
             return [stmt, next_stmt]
         return None