angr 9.2.177__cp310-abi3-manylinux_2_28_x86_64.whl → 9.2.178__cp310-abi3-manylinux_2_28_x86_64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.177"
+__version__ = "9.2.178"
 
 if bytes is str:
     raise Exception(

angr/analyses/cfg/cfg_fast.py

@@ -40,6 +40,7 @@ from angr.errors import (
 from angr.utils.constants import DEFAULT_STATEMENT
 from angr.utils.funcid import (
     is_function_security_check_cookie,
+    is_function_security_check_cookie_strict,
     is_function_security_init_cookie,
     is_function_security_init_cookie_win8,
     is_function_likely_security_init_cookie,
@@ -2029,6 +2030,20 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                         # both are found. exit from the loop
                         break
 
+            else:
+                # security_cookie_addr is None; let's invoke the stricter version to find _security_check_cookie
+                for func in self.kb.functions.values():
+                    if len(func.block_addrs_set) in {5, 6}:
+                        r, cookie_addr = is_function_security_check_cookie_strict(func, self.project)
+                        if r:
+                            security_cookie_addr = cookie_addr
+                            if security_cookie_addr not in self.kb.labels:
+                                self.kb.labels[security_cookie_addr] = "_security_cookie"
+                            security_check_cookie_found = True
+                            func.is_default_name = False
+                            func.name = "_security_check_cookie"
+                            break
+
             # special handling: some binaries do not have SecurityCookie set, but still contain _security_init_cookie
             if security_init_cookie_found is False and self.functions.contains_addr(self.project.entry):
                 start_func = self.functions.get_by_addr(self.project.entry)

angr/analyses/decompiler/ail_simplifier.py

@@ -57,6 +57,7 @@ from .ailgraph_walker import AILGraphWalker
 from .expression_narrower import ExprNarrowingInfo, NarrowingInfoExtractor, ExpressionNarrower
 from .block_simplifier import BlockSimplifier
 from .ccall_rewriters import CCALL_REWRITERS
+from .dirty_rewriters import DIRTY_REWRITERS
 from .counters.expression_counters import SingleExpressionCounter
 
 if TYPE_CHECKING:
@@ -169,6 +170,7 @@ class AILSimplifier(Analysis):
         use_callee_saved_regs_at_return=True,
         rewrite_ccalls=True,
         rename_ccalls=True,
+        rewrite_dirty=True,
         removed_vvar_ids: set[int] | None = None,
         arg_vvars: dict[int, tuple[VirtualVariable, SimVariable]] | None = None,
         avoid_vvar_ids: set[int] | None = None,
@@ -190,6 +192,7 @@ class AILSimplifier(Analysis):
         self._use_callee_saved_regs_at_return = use_callee_saved_regs_at_return
         self._should_rewrite_ccalls = rewrite_ccalls
         self._should_rename_ccalls = rename_ccalls
+        self._should_rewrite_dirty = rewrite_dirty
         self._removed_vvar_ids = removed_vvar_ids if removed_vvar_ids is not None else set()
         self._arg_vvars = arg_vvars
         self._avoid_vvar_ids = avoid_vvar_ids if avoid_vvar_ids is not None else set()
@@ -258,6 +261,15 @@ class AILSimplifier(Analysis):
                 self._rebuild_func_graph()
                 self._clear_cache()
 
+        if self._should_rewrite_dirty:
+            _l.debug("Rewriting dirty expressions/statements")
+            dirty_rewritten = self._rewrite_dirty_calls()
+            self.simplified |= dirty_rewritten
+            if dirty_rewritten:
+                _l.debug("... dirty expressions/statements rewritten")
+                self._rebuild_func_graph()
+                self._clear_cache()
+
         if self._unify_vars:
             _l.debug("Removing dead assignments")
             r = self._iteratively_remove_dead_assignments()
@@ -841,6 +853,7 @@ class AILSimplifier(Analysis):
                 if (
                     isinstance(stmt, Assignment)
                     and isinstance(stmt.dst, VirtualVariable)
+                    and stmt.dst.was_reg  # values of stack variables might be updated in callees or via pointers
                     and isinstance(stmt.src, Const)
                     and isinstance(stmt.src.value, int)
                 ):
@@ -2020,6 +2033,61 @@ class AILSimplifier(Analysis):
 
         return updated
 
+    #
+    # Rewriting dirty calls
+    #
+
+    def _rewrite_dirty_calls(self):
+        rewriter_cls = DIRTY_REWRITERS.get(self.project.arch.name, None)
+        if rewriter_cls is None:
+            return False
+
+        walker = AILBlockWalker()
+
+        class _any_update:
+            """
+            Dummy class for storing if any result has been updated.
+            """
+
+            v = False
+
+        def _handle_DirtyStatement(  # pylint:disable=unused-argument
+            stmt_idx: int, stmt: DirtyStatement, block: Block | None
+        ) -> Expression | None:
+            # we do not want to trigger _handle_DirtyExpression, which is why we do not call the superclass method
+            rewriter = rewriter_cls(stmt, self.project.arch)
+            if rewriter.result is not None:
+                _any_update.v = True
+                return rewriter.result  # type:ignore
+            return None
+
+        def _handle_DirtyExpression(
+            expr_idx: int, expr: DirtyExpression, stmt_idx: int, stmt: Statement, block: Block | None
+        ):
+            r_expr = AILBlockWalker._handle_DirtyExpression(walker, expr_idx, expr, stmt_idx, stmt, block)
+            if r_expr is None:
+                r_expr = expr
+            rewriter = rewriter_cls(r_expr, self.project.arch)
+            if rewriter.result is not None:
+                _any_update.v = True
+                return rewriter.result
+            return r_expr if r_expr is not expr else None
+
+        blocks_by_addr_and_idx = {(node.addr, node.idx): node for node in self.func_graph.nodes()}
+        walker.expr_handlers[DirtyExpression] = _handle_DirtyExpression
+        walker.stmt_handlers[DirtyStatement] = _handle_DirtyStatement
+
+        updated = False
+        for block in blocks_by_addr_and_idx.values():
+            _any_update.v = False
+            old_block = block.copy()
+            walker.walk(block)
+            if _any_update.v:
+                self.blocks[old_block] = block
+                updated = True
+
+        return updated
+
     #
     # Util functions
     #

angr/analyses/decompiler/ccall_rewriters/amd64_ccalls.py

@@ -26,8 +26,8 @@ class AMD64CCallRewriter(CCallRewriterBase):
             dep_1 = ccall.operands[2]
             dep_2 = ccall.operands[3]
             if isinstance(cond, Expr.Const) and isinstance(op, Expr.Const):
-                cond_v = cond.value
-                op_v = op.value
+                cond_v = cond.value_int
+                op_v = op.value_int
                 if cond_v == AMD64_CondTypes["CondLE"]:
                     if op_v in {
                         AMD64_OpTypes["G_CC_OP_SUBB"],
@@ -233,7 +233,9 @@ class AMD64CCallRewriter(CCallRewriterBase):
                     if op_v == AMD64_OpTypes["G_CC_OP_COPY"]:
                         # dep_1 & G_CC_MASK_Z == 0 or dep_1 & G_CC_MASK_Z != 0
 
-                        flag = Expr.Const(None, None, AMD64_CondBitMasks["G_CC_MASK_Z"], dep_1.bits)
+                        bitmask = AMD64_CondBitMasks["G_CC_MASK_Z"]
+                        assert isinstance(bitmask, int)
+                        flag = Expr.Const(None, None, bitmask, dep_1.bits)
                         masked_dep = Expr.BinaryOp(None, "And", [dep_1, flag], False, **ccall.tags)
                         zero = Expr.Const(None, None, 0, dep_1.bits)
                         expr_op = "CmpEQ" if cond_v == AMD64_CondTypes["CondZ"] else "CmpNE"
@@ -372,6 +374,39 @@ class AMD64CCallRewriter(CCallRewriterBase):
                             bits=ccall.bits,
                             **ccall.tags,
                         )
+                    if op_v in {
+                        AMD64_OpTypes["G_CC_OP_SUBB"],
+                        AMD64_OpTypes["G_CC_OP_SUBW"],
+                        AMD64_OpTypes["G_CC_OP_SUBL"],
+                        AMD64_OpTypes["G_CC_OP_SUBQ"],
+                    }:
+                        # dep_1 <u dep_2
+
+                        dep_1 = self._fix_size(
+                            dep_1,
+                            op_v,
+                            AMD64_OpTypes["G_CC_OP_SUBB"],
+                            AMD64_OpTypes["G_CC_OP_SUBW"],
+                            AMD64_OpTypes["G_CC_OP_SUBL"],
+                            ccall.tags,
+                        )
+                        dep_2 = self._fix_size(
+                            dep_2,
+                            op_v,
+                            AMD64_OpTypes["G_CC_OP_SUBB"],
+                            AMD64_OpTypes["G_CC_OP_SUBW"],
+                            AMD64_OpTypes["G_CC_OP_SUBL"],
+                            ccall.tags,
+                        )
+
+                        r = Expr.BinaryOp(
+                            ccall.idx,
+                            "CmpLT",
+                            (dep_1, dep_2),
+                            False,
+                            **ccall.tags,
+                        )
+                        return Expr.Convert(None, r.bits, ccall.bits, False, r, **ccall.tags)
                 elif (
                     cond_v == AMD64_CondTypes["CondS"]
                     and op_v
@@ -458,7 +493,7 @@ class AMD64CCallRewriter(CCallRewriterBase):
             dep_2 = ccall.operands[2]
             ndep = ccall.operands[3]
             if isinstance(op, Expr.Const):
-                op_v = op.value
+                op_v = op.value_int
                 if op_v in {
                     AMD64_OpTypes["G_CC_OP_ADDB"],
                     AMD64_OpTypes["G_CC_OP_ADDW"],
@@ -545,6 +580,9 @@ class AMD64CCallRewriter(CCallRewriterBase):
                     AMD64_OpTypes["G_CC_OP_DECQ"],
                 }:
                     # pc_actions_DEC
+                    bitmask = AMD64_CondBitMasks["G_CC_MASK_C"]
+                    bitmask_1 = AMD64_CondBitOffsets["G_CC_SHIFT_C"]
+                    assert isinstance(bitmask, int) and isinstance(bitmask_1, int)
                     return Expr.BinaryOp(
                         None,
                         "Shr",
@@ -552,10 +590,10 @@ class AMD64CCallRewriter(CCallRewriterBase):
                             Expr.BinaryOp(
                                 None,
                                 "And",
-                                [ndep, Expr.Const(None, None, AMD64_CondBitMasks["G_CC_MASK_C"], 64)],
+                                [ndep, Expr.Const(None, None, bitmask, 64)],
                                 False,
                             ),
-                            Expr.Const(None, None, AMD64_CondBitOffsets["G_CC_SHIFT_C"], 64),
+                            Expr.Const(None, None, bitmask_1, 64),
                         ],
                         False,
                         **ccall.tags,
@@ -575,6 +613,6 @@ class AMD64CCallRewriter(CCallRewriterBase):
             bits = 64
         if bits < 64:
             if isinstance(expr, Expr.Const):
-                return Expr.Const(expr.idx, None, expr.value & ((1 << bits) - 1), bits, **tags)
+                return Expr.Const(expr.idx, None, expr.value_int & ((1 << bits) - 1), bits, **tags)
             return Expr.Convert(None, 64, bits, False, expr, **tags)
         return expr

angr/analyses/decompiler/clinic.py

@@ -46,7 +46,6 @@ from .return_maker import ReturnMaker
 from .ailgraph_walker import AILGraphWalker, RemoveNodeNotice
 from .optimization_passes import (
     OptimizationPassStage,
-    RegisterSaveAreaSimplifier,
     StackCanarySimplifier,
     TagSlicer,
     DUPLICATING_OPTS,
@@ -598,6 +597,17 @@ class Clinic(Analysis):
         assert self.func_args is not None
         self._ail_graph = self._transform_to_ssa_level1(self._ail_graph, self.func_args)
 
+        # Run simplification passes
+        self._update_progress(49.0, text="Running simplifications 1.5")
+        self._ail_graph = self._run_simplification_passes(
+            self._ail_graph, stage=OptimizationPassStage.AFTER_SSA_LEVEL1_TRANSFORMATION
+        )
+
+        # register save area has been removed at this point - we should no longer use callee-saved registers in RDA
+        self._register_save_areas_removed = True
+        # clear the cached RDA result
+        self.reaching_definitions = None
+
     def _stage_pre_ssa_level1_simplifications(self) -> None:
         # Simplify blocks
         # we never remove dead memory definitions before making callsites. otherwise stack arguments may go missing
@@ -698,7 +708,10 @@ class Clinic(Analysis):
         # Run simplification passes
         self._update_progress(65.0, text="Running simplifications 3")
         self._ail_graph = self._run_simplification_passes(
-            self._ail_graph, stack_items=self.stack_items, stage=OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION
+            self._ail_graph,
+            stack_items=self.stack_items,
+            stage=OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION,
+            arg_vvars=self.arg_vvars,
         )
 
         # Simplify the entire function for the third time
@@ -1579,11 +1592,6 @@ class Clinic(Analysis):
             if a.out_graph:
                 # use the new graph
                 ail_graph = a.out_graph
-                if isinstance(a, RegisterSaveAreaSimplifier):
-                    # register save area has been removed - we should no longer use callee-saved registers in RDA
-                    self._register_save_areas_removed = True
-                    # clear the cached RDA result
-                    self.reaching_definitions = None
                 self.vvar_id_start = a.vvar_id_start
             if stack_items is not None and a.stack_items:
                 stack_items.update(a.stack_items)

angr/analyses/decompiler/dirty_rewriters/__init__.py

@@ -0,0 +1,7 @@
+from __future__ import annotations
+from .amd64_dirty import AMD64DirtyRewriter
+
+
+DIRTY_REWRITERS = {
+    "AMD64": AMD64DirtyRewriter,
+}

angr/analyses/decompiler/dirty_rewriters/amd64_dirty.py

@@ -0,0 +1,69 @@
+from __future__ import annotations
+
+from angr.ailment import Const
+from angr.ailment.statement import DirtyStatement, Statement, Call
+from angr.ailment.expression import DirtyExpression, Expression
+from .rewriter_base import DirtyRewriterBase
+
+
+class AMD64DirtyRewriter(DirtyRewriterBase):
+    """
+    Rewrites AMD64 DirtyStatement and DirtyExpression.
+    """
+
+    __slots__ = ()
+
+    def _rewrite_stmt(self, dirty: DirtyStatement) -> Statement | None:
+        # TODO: Rewrite more dirty statements
+        return None
+
+    def _rewrite_expr(self, dirty: DirtyExpression) -> Expression | None:
+        match dirty.callee:
+            case "amd64g_dirtyhelper_IN":
+                # in
+                bits = (
+                    dirty.operands[1].value * self.arch.byte_width
+                    if len(dirty.operands) > 1 and isinstance(dirty.operands[1], Const)
+                    else None
+                )
+                func_name = "__in"
+                suffix = self._inout_intrinsic_suffix(bits) if bits is not None else None
+                if suffix is not None:
+                    func_name += f"{suffix}"
+                else:
+                    func_name += f"_{bits}"
+                return Call(
+                    dirty.idx, func_name, None, None, args=(dirty.operands[0],), ret_expr=None, bits=bits, **dirty.tags
+                )
+            case "amd64g_dirtyhelper_OUT":
+                # out
+                bits = (
+                    dirty.operands[1].value * self.arch.byte_width
+                    if len(dirty.operands) > 1 and isinstance(dirty.operands[1], Const)
+                    else None
+                )
+                func_name = "__out"
+                suffix = self._inout_intrinsic_suffix(bits) if bits is not None else None
+                if suffix is not None:
+                    func_name += f"{suffix}"
+                else:
+                    func_name += f"_{bits}"
+                return Call(
+                    dirty.idx, func_name, None, None, args=(dirty.operands[0],), ret_expr=None, bits=bits, **dirty.tags
+                )
+        return None
+
+    #
+    # in, out
+    #
+
+    @staticmethod
+    def _inout_intrinsic_suffix(bits: int) -> str | None:
+        match bits:
+            case 8:
+                return "byte"
+            case 16:
+                return "word"
+            case 32:
+                return "dword"
+        return None

angr/analyses/decompiler/dirty_rewriters/rewriter_base.py

@@ -0,0 +1,27 @@
+from __future__ import annotations
+
+from angr.ailment.statement import DirtyStatement, Statement
+from angr.ailment.expression import DirtyExpression, Expression
+
+
+class DirtyRewriterBase:
+    """
+    The base class for DirtyStatement and DirtyExpression rewriters.
+    """
+
+    __slots__ = (
+        "arch",
+        "result",
+    )
+
+    def __init__(self, dirty: DirtyExpression | DirtyStatement, arch):
+        self.arch = arch
+        self.result: Expression | Statement | None = (
+            self._rewrite_expr(dirty) if isinstance(dirty, DirtyExpression) else self._rewrite_stmt(dirty)
+        )
+
+    def _rewrite_stmt(self, dirty: DirtyStatement) -> Statement | None:
+        raise NotImplementedError
+
+    def _rewrite_expr(self, dirty: DirtyExpression) -> Expression | None:
+        raise NotImplementedError

angr/analyses/decompiler/optimization_passes/__init__.py

@@ -36,6 +36,7 @@ from .condition_constprop import ConditionConstantPropagation
 from .determine_load_sizes import DetermineLoadSizes
 from .eager_std_string_concatenation import EagerStdStringConcatenationPass
 from .peephole_simplifier import PostStructuringPeepholeOptimizationPass
+from .register_save_area_simplifier_adv import RegisterSaveAreaSimplifierAdvanced
 
 if TYPE_CHECKING:
     from angr.analyses.decompiler.presets import DecompilationPreset
@@ -74,6 +75,7 @@ ALL_OPTIMIZATION_PASSES = [
     DetermineLoadSizes,
     EagerStdStringConcatenationPass,
     PostStructuringPeepholeOptimizationPass,
+    RegisterSaveAreaSimplifierAdvanced,
 ]
 
 # these passes may duplicate code to remove gotos or improve the structure of the graph
@@ -138,6 +140,7 @@ __all__ = (
     "ModSimplifier",
     "OptimizationPassStage",
     "RegisterSaveAreaSimplifier",
+    "RegisterSaveAreaSimplifierAdvanced",
     "RetAddrSaveSimplifier",
     "ReturnDeduplicator",
     "ReturnDuplicatorHigh",

angr/analyses/decompiler/optimization_passes/optimization_pass.py

@@ -21,6 +21,7 @@ from angr.project import Project
 
 if TYPE_CHECKING:
     from angr.knowledge_plugins.functions import Function
+    from angr.sim_variable import SimVariable
     from angr.analyses.decompiler.stack_item import StackItem
 
 
@@ -54,13 +55,14 @@ class OptimizationPassStage(Enum):
     BEFORE_SSA_LEVEL0_TRANSFORMATION = 1
     AFTER_SINGLE_BLOCK_SIMPLIFICATION = 2
     BEFORE_SSA_LEVEL1_TRANSFORMATION = 3
-    AFTER_MAKING_CALLSITES = 4
-    AFTER_GLOBAL_SIMPLIFICATION = 5
-    BEFORE_VARIABLE_RECOVERY = 6
-    AFTER_VARIABLE_RECOVERY = 7
-    BEFORE_REGION_IDENTIFICATION = 8
-    DURING_REGION_IDENTIFICATION = 9
-    AFTER_STRUCTURING = 10
+    AFTER_SSA_LEVEL1_TRANSFORMATION = 4
+    AFTER_MAKING_CALLSITES = 5
+    AFTER_GLOBAL_SIMPLIFICATION = 6
+    BEFORE_VARIABLE_RECOVERY = 7
+    AFTER_VARIABLE_RECOVERY = 8
+    BEFORE_REGION_IDENTIFICATION = 9
+    DURING_REGION_IDENTIFICATION = 10
+    AFTER_STRUCTURING = 11
 
 
 class BaseOptimizationPass:
@@ -138,7 +140,7 @@ class OptimizationPass(BaseOptimizationPass):
         refine_loops_with_single_successor: bool = False,
         complete_successors: bool = False,
         avoid_vvar_ids: set[int] | None = None,
-        arg_vvars: set[int] | None = None,
+        arg_vvars: dict[int, tuple[ailment.Expr.VirtualVariable, SimVariable]] | None = None,
         peephole_optimizations=None,
         stack_pointer_tracker=None,
         notes: dict | None = None,

angr/analyses/decompiler/optimization_passes/register_save_area_simplifier.py

@@ -99,18 +99,39 @@ class RegisterSaveAreaSimplifier(OptimizationPass):
 
         results = []
 
+        # there are cases where sp is moved to another register at the beginning of the function before it is
+        # subtracted, then it is used for stack accesses.
+        # for example:
+        # 132B0 mov     r11, rsp
+        # 132B3 sub     rsp, 88h
+        # 132BA ...
+        # 132C1 ...
+        # 132C6 mov     [r11-18h], r13
+        # 132CA mov     [r11-20h], r14
+        # we support such cases because we will have rewritten r11-18h to SpOffset(-N) when this optimization runs.
+
+        # identify which registers have been updated in this function; they are no longer saved
+        ignored_regs: set[int] = set()
+
         for idx, stmt in enumerate(first_block.statements):
+            if (
+                isinstance(stmt, ailment.Stmt.Assignment)
+                and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
+                and stmt.dst.was_reg
+            ):
+                ignored_regs.add(stmt.dst.reg_offset)
             if (
                 isinstance(stmt, ailment.Stmt.Store)
                 and isinstance(stmt.addr, ailment.Expr.StackBaseOffset)
                 and isinstance(stmt.addr.offset, int)
             ):
                 if isinstance(stmt.data, ailment.Expr.VirtualVariable) and stmt.data.was_reg:
-                    # it's storing registers to the stack!
-                    stack_offset = stmt.addr.offset
-                    reg_offset = stmt.data.reg_offset
-                    codeloc = CodeLocation(first_block.addr, idx, block_idx=first_block.idx, ins_addr=stmt.ins_addr)
-                    results.append((reg_offset, stack_offset, codeloc))
+                    if stmt.data.reg_offset not in ignored_regs:
+                        # it's storing registers to the stack!
+                        stack_offset = stmt.addr.offset
+                        reg_offset = stmt.data.reg_offset
+                        codeloc = CodeLocation(first_block.addr, idx, block_idx=first_block.idx, ins_addr=stmt.ins_addr)
+                        results.append((reg_offset, stack_offset, codeloc))
                 elif (
                     self.project.arch.name == "AMD64"
                     and isinstance(stmt.data, ailment.Expr.Convert)
@@ -130,7 +151,24 @@ class RegisterSaveAreaSimplifier(OptimizationPass):
     def _find_registers_restored_from_stack(self) -> list[list[tuple[int, int, CodeLocation]]]:
         all_results = []
         for ret_site in self._func.ret_sites + self._func.jumpout_sites:
-            for block in self._get_blocks(ret_site.addr):
+
+            ret_blocks = list(self._get_blocks(ret_site.addr))
+            if len(ret_blocks) == 1 and self.project.simos is not None and self.project.simos.name == "Win32":
+                # PE files may call __security_check_cookie (which terminates the program if the stack canary is
+                # corrupted) before returning.
+                preds = list(self._graph.predecessors(ret_blocks[0]))
+                if len(preds) == 1:
+                    pred = preds[0]
+                    if pred.statements and isinstance(pred.statements[-1], ailment.Stmt.Call):
+                        last_stmt = pred.statements[-1]
+                        if isinstance(last_stmt.target, ailment.Expr.Const):
+                            callee_addr = last_stmt.target.value
+                            if self.project.kb.functions.contains_addr(callee_addr):
+                                callee_func = self.project.kb.functions.get_by_addr(callee_addr)
+                                if callee_func.name == "_security_check_cookie":
+                                    ret_blocks.append(pred)
+
+            for block in ret_blocks:
                 results = []
                 for idx, stmt in enumerate(block.statements):
                     if (