angr 9.2.177__cp310-abi3-win_amd64.whl → 9.2.179__cp310-abi3-win_amd64.whl

angr/analyses/decompiler/optimization_passes/register_save_area_simplifier_adv.py

@@ -0,0 +1,198 @@
+# pylint:disable=too-many-boolean-expressions
+from __future__ import annotations
+import logging
+
+
+from angr.ailment.statement import Assignment
+from angr.ailment.expression import VirtualVariable
+from angr.code_location import CodeLocation, ExternalCodeLocation
+from angr.analyses.decompiler.stack_item import StackItem, StackItemType
+from angr.utils.ail import is_phi_assignment
+from .optimization_pass import OptimizationPass, OptimizationPassStage
+
+_l = logging.getLogger(name=__name__)
+
+
+class RegisterSaveAreaSimplifierAdvanced(OptimizationPass):
+    """
+    Optimizes away registers that are stored to or restored on the stack space.
+
+    This analysis is more complex than RegisterSaveAreaSimplifier because it handles:
+    (1) Registers that are stored in the stack shadow space (sp+N) according to the Windows x64 calling convention.
+    (2) Registers that are aliases of sp.
+    """
+
+    ARCHES = None
+    PLATFORMS = None
+    STAGE = OptimizationPassStage.AFTER_SSA_LEVEL1_TRANSFORMATION
+    NAME = "Simplify register save areas (advanced)"
+    DESCRIPTION = __doc__.strip()  # type:ignore
+
+    def __init__(self, func, **kwargs):
+        super().__init__(func, **kwargs)
+        self._srda = None
+
+        self.analyze()
+
+    def _check(self):
+
+        self._srda = self.project.analyses.SReachingDefinitions(
+            subject=self._func, func_graph=self._graph, func_args=self._arg_vvars
+        )
+        info = self._find_reg_store_and_restore_locations()
+        if not info:
+            return False, None
+
+        return True, {"info": info}
+
+    @staticmethod
+    def _modify_statement(
+        old_block, stmt_idx_: int, updated_blocks_, stack_offset: int | None = None
+    ):  # pylint:disable=unused-argument
+        if old_block not in updated_blocks_:
+            block = old_block.copy()
+            updated_blocks_[old_block] = block
+        else:
+            block = updated_blocks_[old_block]
+        block.statements[stmt_idx_] = None
+
+    def _analyze(self, cache=None):
+
+        if cache is None:
+            return
+
+        info: list[tuple[int, CodeLocation, int, CodeLocation, int]] = cache["info"]
+        updated_blocks = {}
+
+        for _regvar, regvar_loc, _stackvar, stackvar_loc, _ in info:
+            # remove storing statements
+            old_block = self._get_block(regvar_loc.block_addr, idx=regvar_loc.block_idx)
+            assert regvar_loc.stmt_idx is not None
+            self._modify_statement(old_block, regvar_loc.stmt_idx, updated_blocks)
+            old_block = self._get_block(stackvar_loc.block_addr, idx=stackvar_loc.block_idx)
+            assert stackvar_loc.stmt_idx is not None
+            self._modify_statement(old_block, stackvar_loc.stmt_idx, updated_blocks)
+
+        for old_block, new_block in updated_blocks.items():
+            # remove all statements that are None
+            new_block.statements = [stmt for stmt in new_block.statements if stmt is not None]
+            # update it
+            self._update_block(old_block, new_block)
+
+        if updated_blocks:
+            # update stack_items
+            for _, _, _, _, stack_offset in info:
+                self.stack_items[stack_offset] = StackItem(
+                    stack_offset, self.project.arch.bytes, "regs", StackItemType.SAVED_REGS
+                )
+
+    def _find_reg_store_and_restore_locations(self) -> list[tuple[int, CodeLocation, int, CodeLocation, int]]:
+        results = []
+
+        assert self._srda is not None
+        srda_model = self._srda.model
+        # find all registers that are defined externally and used exactly once
+        saved_vvars: set[tuple[int, CodeLocation]] = set()
+        for vvar_id, loc in srda_model.all_vvar_definitions.items():
+            if isinstance(loc, ExternalCodeLocation):
+                uses = srda_model.all_vvar_uses.get(vvar_id, [])
+                if len(uses) == 1:
+                    vvar, used_loc = next(iter(uses))
+                    if vvar is not None and vvar.was_reg:
+                        saved_vvars.add((vvar_id, used_loc))
+
+        if not saved_vvars:
+            return results
+
+        # for each candidate, we check to ensure:
+        # - it is stored onto the stack (into a stack virtual variable)
+        # - the stack virtual variable is only used once and restores the value to the same register
+        # - the restore location is in the dominance frontier of the store location
+        for vvar_id, used_loc in saved_vvars:
+            def_block = self._get_block(used_loc.block_addr, idx=used_loc.block_idx)
+            assert def_block is not None and used_loc.stmt_idx is not None
+            stmt = def_block.statements[used_loc.stmt_idx]
+            if not (
+                isinstance(stmt, Assignment)
+                and isinstance(stmt.dst, VirtualVariable)
+                and stmt.dst.was_stack
+                and isinstance(stmt.src, VirtualVariable)
+                and stmt.src.was_reg
+                and stmt.src.varid == vvar_id
+            ):
+                continue
+            stack_vvar = stmt.dst
+            all_stack_vvar_uses = srda_model.all_vvar_uses.get(stack_vvar.varid, [])
+            # eliminate the use location if it's a phi statement
+            stack_vvar_uses = set()
+            for vvar_, loc_ in all_stack_vvar_uses:
+                use_block = self._get_block(loc_.block_addr, idx=loc_.block_idx)
+                if use_block is None or loc_.stmt_idx is None:
+                    continue
+                use_stmt = use_block.statements[loc_.stmt_idx]
+                if is_phi_assignment(use_stmt):
+                    continue
+                stack_vvar_uses.add((vvar_, loc_))
+            if len(stack_vvar_uses) != 1:
+                continue
+            _, stack_vvar_use_loc = next(iter(stack_vvar_uses))
+            restore_block = self._get_block(stack_vvar_use_loc.block_addr, idx=stack_vvar_use_loc.block_idx)
+            assert restore_block is not None
+            restore_stmt = restore_block.statements[stack_vvar_use_loc.stmt_idx]
+
+            if not (
+                isinstance(restore_stmt, Assignment)
+                and isinstance(restore_stmt.src, VirtualVariable)
+                and restore_stmt.src.varid == stack_vvar.varid
+                and isinstance(restore_stmt.dst, VirtualVariable)
+                and restore_stmt.dst.was_reg
+                and restore_stmt.dst.reg_offset == stmt.src.reg_offset
+            ):
+                continue
+            # this is the dumb version of the dominance frontier check
+            if self._within_dominance_frontier(def_block, restore_block, True, True):
+                results.append(
+                    (stmt.src.varid, used_loc, stack_vvar.varid, stack_vvar_use_loc, stack_vvar.stack_offset)
+                )
+
+        return results
+
+    def _within_dominance_frontier(self, dom_node, node, use_preds: bool, use_succs: bool) -> bool:
+        if use_succs:
+            # scan forward
+            succs = [succ for succ in self._graph.successors(dom_node) if succ is not dom_node]
+            if len(succs) == 1:
+                succ = succs[0]
+                succ_preds = [pred for pred in self._graph.predecessors(succ) if pred is not succ]
+                if len(succ_preds) == 0:
+                    # the successor has no other predecessors
+                    r = self._within_dominance_frontier(succ, node, False, True)
+                    if r:
+                        return True
+
+                else:
+                    # the successor has other predecessors; gotta step back
+                    preds = [pred for pred in self._graph.predecessors(node) if pred is not node]
+                    if len(preds) == 1 and preds[0] is node:
+                        return True
+            elif len(succs) == 2:
+                return any(succ is node for succ in succs)
+
+        if use_preds:
+            # scan backward
+            preds = [pred for pred in self._graph.predecessors(dom_node) if pred is not dom_node]
+            if len(preds) == 1:
+                pred = preds[0]
+                pred_succs = [succ for succ in self._graph.successors(pred) if succ is not pred]
+                if len(pred_succs) == 0:
+                    # the predecessor has no other successors
+                    return self._within_dominance_frontier(pred, node, True, False)
+
+                # the predecessor has other successors; gotta step forward
+                succs = [succ for succ in self._graph.successors(node) if succ is not node]
+                if len(succs) == 1:
+                    return self._graph.has_edge(node, succs[0])
+            elif len(preds) == 2:
+                return False
+
+        return False

angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py

@@ -33,9 +33,12 @@ class WinStackCanarySimplifier(OptimizationPass):
 
     def __init__(self, func, **kwargs):
         super().__init__(func, **kwargs)
-        self._security_cookie_addr = None
+        self._security_cookie_addr: int | None = None
         if isinstance(self.project.loader.main_object, cle.PE):
             self._security_cookie_addr = self.project.loader.main_object.load_config.get("SecurityCookie", None)
+            if self._security_cookie_addr is None:
+                # maybe it's just not set - check labels
+                self._security_cookie_addr = self.project.kb.labels.lookup("_security_cookie")
 
         self.analyze()
 
@@ -186,21 +189,16 @@ class WinStackCanarySimplifier(OptimizationPass):
         xor_stmt_idx = None
         xored_reg = None
 
+        assert self._security_cookie_addr is not None
+
         for idx, stmt in enumerate(block.statements):
             # if we are lucky and things get folded into one statement:
             if (
                 isinstance(stmt, ailment.Stmt.Store)
                 and isinstance(stmt.addr, ailment.Expr.StackBaseOffset)
-                and isinstance(stmt.data, ailment.Expr.BinaryOp)
-                and stmt.data.op == "Xor"
-                and isinstance(stmt.data.operands[1], ailment.Expr.StackBaseOffset)
-                and isinstance(stmt.data.operands[0], ailment.Expr.Load)
-                and isinstance(stmt.data.operands[0].addr, ailment.Expr.Const)
+                and self._is_expr_loading_stack_cookie(stmt.data, self._security_cookie_addr)
             ):
-                # Check addr: must be __security_cookie
-                load_addr = stmt.data.operands[0].addr.value
-                if load_addr == self._security_cookie_addr:
-                    return [idx]
+                return [idx]
             # or if we are unlucky and the load and the xor are two different statements
             if (
                 isinstance(stmt, ailment.Stmt.Assignment)
@@ -213,25 +211,14 @@ class WinStackCanarySimplifier(OptimizationPass):
                 if load_addr == self._security_cookie_addr:
                     load_stmt_idx = idx
                     load_reg = stmt.dst.reg_offset
-            if load_stmt_idx is not None and xor_stmt_idx is None and idx >= load_stmt_idx + 1:  # noqa:SIM102
+            if load_stmt_idx is not None and load_reg is not None and xor_stmt_idx is None and idx >= load_stmt_idx + 1:
+                assert self.project.arch.bp_offset is not None
                 if (
                     isinstance(stmt, ailment.Stmt.Assignment)
                     and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
                     and stmt.dst.was_reg
                     and not self.project.arch.is_artificial_register(stmt.dst.reg_offset, stmt.dst.size)
-                    and isinstance(stmt.src, ailment.Expr.BinaryOp)
-                    and stmt.src.op == "Xor"
-                    and isinstance(stmt.src.operands[0], ailment.Expr.VirtualVariable)
-                    and stmt.src.operands[0].was_reg
-                    and stmt.src.operands[0].reg_offset == load_reg
-                    and (
-                        isinstance(stmt.src.operands[1], ailment.Expr.StackBaseOffset)
-                        or (
-                            isinstance(stmt.src.operands[1], ailment.Expr.VirtualVariable)
-                            and stmt.src.operands[1].was_reg
-                            and stmt.src.operands[1].reg_offset == self.project.arch.registers["ebp"][0]
-                        )
-                    )
+                    and self._is_expr_xoring_stack_cookie_reg(stmt.src, load_reg, self.project.arch.bp_offset)
                 ):
                     xor_stmt_idx = idx
                     xored_reg = stmt.dst.reg_offset
@@ -255,6 +242,25 @@ class WinStackCanarySimplifier(OptimizationPass):
                 ):
                     return [load_stmt_idx, xor_stmt_idx, idx]
                 break
+            if load_stmt_idx is not None and xor_stmt_idx is None and idx >= load_stmt_idx + 1:  # noqa:SIM102
+                if isinstance(stmt, ailment.Stmt.Store) and (
+                    isinstance(stmt.addr, ailment.Expr.StackBaseOffset)
+                    or (
+                        isinstance(stmt.addr, ailment.Expr.BinaryOp)
+                        and stmt.addr.op == "Sub"
+                        and isinstance(stmt.addr.operands[0], ailment.Expr.VirtualVariable)
+                        and stmt.addr.operands[0].was_reg
+                        and stmt.addr.operands[0].reg_offset == self.project.arch.registers["ebp"][0]
+                        and isinstance(stmt.addr.operands[1], ailment.Expr.Const)
+                    )
+                ):
+                    if (
+                        isinstance(stmt.data, ailment.Expr.VirtualVariable)
+                        and stmt.data.was_reg
+                        and stmt.data.reg_offset == load_reg
+                    ):
+                        return [load_stmt_idx, idx]
+                    break
         return None
 
     def _find_amd64_canary_storing_stmt(self, block, canary_value_stack_offset):
@@ -263,23 +269,27 @@ class WinStackCanarySimplifier(OptimizationPass):
         for idx, stmt in enumerate(block.statements):
             # when we are lucky, we have one instruction
             if (
-                (
-                    isinstance(stmt, ailment.Stmt.Assignment)
-                    and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
-                    and stmt.dst.was_reg
-                    and stmt.dst.reg_offset == self.project.arch.registers["rcx"][0]
-                )
-                and isinstance(stmt.src, ailment.Expr.BinaryOp)
-                and stmt.src.op == "Xor"
+                isinstance(stmt, ailment.Stmt.Assignment)
+                and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
+                and stmt.dst.was_reg
+                and stmt.dst.reg_offset == self.project.arch.registers["rcx"][0]
             ):
-                op0, op1 = stmt.src.operands
-                if (
-                    isinstance(op0, ailment.Expr.Load)
-                    and isinstance(op0.addr, ailment.Expr.StackBaseOffset)
-                    and op0.addr.offset == canary_value_stack_offset
-                ) and isinstance(op1, ailment.Expr.StackBaseOffset):
-                    # found it
-                    return idx
+                if isinstance(stmt.src, ailment.Expr.BinaryOp) and stmt.src.op == "Xor":
+                    op0, op1 = stmt.src.operands
+                    if (
+                        isinstance(op0, ailment.Expr.Load)
+                        and isinstance(op0.addr, ailment.Expr.StackBaseOffset)
+                        and op0.addr.offset == canary_value_stack_offset
+                    ) and isinstance(op1, ailment.Expr.StackBaseOffset):
+                        # found it
+                        return idx
+                elif isinstance(stmt.src, ailment.Expr.Load):
+                    if (
+                        isinstance(stmt.src.addr, ailment.Expr.StackBaseOffset)
+                        and stmt.src.addr.offset == canary_value_stack_offset
+                    ):
+                        # found it
+                        return idx
             # or when we are unlucky, we have two instructions...
             if (
                 isinstance(stmt, ailment.Stmt.Assignment)
@@ -317,22 +327,26 @@ class WinStackCanarySimplifier(OptimizationPass):
         for idx, stmt in enumerate(block.statements):
             # when we are lucky, we have one instruction
             if (
-                (
-                    isinstance(stmt, ailment.Stmt.Assignment)
-                    and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
-                    and stmt.dst.was_reg
-                    and not self.project.arch.is_artificial_register(stmt.dst.reg_offset, stmt.dst.size)
-                )
-                and isinstance(stmt.src, ailment.Expr.BinaryOp)
-                and stmt.src.op == "Xor"
+                isinstance(stmt, ailment.Stmt.Assignment)
+                and isinstance(stmt.dst, ailment.Expr.VirtualVariable)
+                and stmt.dst.was_reg
+                and not self.project.arch.is_artificial_register(stmt.dst.reg_offset, stmt.dst.size)
             ):
-                op0, op1 = stmt.src.operands
-                if (
-                    isinstance(op0, ailment.Expr.Load)
-                    and self._get_bp_offset(op0.addr, stmt.ins_addr) == canary_value_stack_offset
-                ) and isinstance(op1, ailment.Expr.StackBaseOffset):
-                    # found it
-                    return idx
+                if isinstance(stmt.src, ailment.Expr.BinaryOp) and stmt.src.op == "Xor":
+                    op0, op1 = stmt.src.operands
+                    if (
+                        isinstance(op0, ailment.Expr.Load)
+                        and self._get_bp_offset(op0.addr, stmt.ins_addr) == canary_value_stack_offset
+                    ) and isinstance(op1, ailment.Expr.StackBaseOffset):
+                        # found it
+                        return idx
+                elif isinstance(stmt.src, ailment.Expr.Load):
+                    if (
+                        isinstance(stmt.src.addr, ailment.Expr.StackBaseOffset)
+                        and stmt.src.addr.offset == canary_value_stack_offset
+                    ):
+                        # found it
+                        return idx
             # or when we are unlucky, we have two instructions...
             if (
                 isinstance(stmt, ailment.Stmt.Assignment)
@@ -419,3 +433,45 @@ class WinStackCanarySimplifier(OptimizationPass):
                         return idx
 
         return None
+
+    @staticmethod
+    def _is_expr_loading_stack_cookie(expr: ailment.Expr.Expression, security_cookie_addr: int) -> bool:
+        if (
+            isinstance(expr, ailment.Expr.BinaryOp)
+            and expr.op == "Xor"
+            and isinstance(expr.operands[1], ailment.Expr.StackBaseOffset)
+            and isinstance(expr.operands[0], ailment.Expr.Load)
+            and isinstance(expr.operands[0].addr, ailment.Expr.Const)
+        ):
+            # Check addr: must be __security_cookie
+            load_addr = expr.operands[0].addr.value
+            if load_addr == security_cookie_addr:
+                return True
+
+        if isinstance(expr, ailment.Expr.Load) and isinstance(expr.addr, ailment.Expr.Const):
+            load_addr = expr.addr.value
+            # Check addr: must be __security_cookie
+            if load_addr == security_cookie_addr:
+                return True
+
+        return False
+
+    @staticmethod
+    def _is_expr_xoring_stack_cookie_reg(
+        expr: ailment.Expr.Expression, security_cookie_reg: int, bp_offset: int
+    ) -> bool:
+        return (
+            isinstance(expr, ailment.Expr.BinaryOp)
+            and expr.op == "Xor"
+            and isinstance(expr.operands[0], ailment.Expr.VirtualVariable)
+            and expr.operands[0].was_reg
+            and expr.operands[0].reg_offset == security_cookie_reg
+            and (
+                isinstance(expr.operands[1], ailment.Expr.StackBaseOffset)
+                or (
+                    isinstance(expr.operands[1], ailment.Expr.VirtualVariable)
+                    and expr.operands[1].was_reg
+                    and expr.operands[1].reg_offset == bp_offset
+                )
+            )
+        )

angr/analyses/decompiler/peephole_optimizations/remove_redundant_shifts_around_comparators.py

@@ -16,7 +16,9 @@ class RemoveRedundantShiftsAroundComparators(PeepholeOptimizationExprBase):
     NAME = "Remove redundant bitshifts for operands around a comparator"
     expr_classes = (BinaryOp,)  # all expressions are allowed
 
-    def optimize(self, expr: BinaryOp, **kwargs):
+    def optimize(
+        self, expr: BinaryOp, stmt_idx: int | None = None, block=None, **kwargs
+    ):  # pylint:disable=unused-argument
         # (expr_0 << N) < (expr_1 << N)  ==> expr_0 << expr_1
         # FIXME: This optimization is unsafe but seems to work for all existing case
         if expr.op in {"CmpLE", "CmpLT", "CmpEQ", "CmpNE", "CmpGE", "CmpGT"}:
@@ -41,4 +43,73 @@ class RemoveRedundantShiftsAroundComparators(PeepholeOptimizationExprBase):
                     **expr.tags,
                 )
 
+            # might have been rewritten to multiplications
+            if (
+                isinstance(op0, BinaryOp)
+                and op0.op == "Mul"
+                and isinstance(op0.operands[1], Const)
+                and op0.operands[1].is_int
+            ):
+                op0_op = op0.operands[0]
+                mul_0 = op0.operands[1].value_int
+                mul_1 = None
+                op1_op = None
+                if (
+                    isinstance(op1, BinaryOp)
+                    and op1.op == "Mul"
+                    and isinstance(op1.operands[1], Const)
+                    and op1.operands[1].is_int
+                ):
+                    op1_op = op1.operands[0]
+                    mul_1 = op1.operands[1].value_int
+                elif isinstance(op1, Const):
+                    op1_op = None
+                    mul_1 = op1.value_int
+
+                if mul_1 is not None:
+                    common_shift_amount = self._get_common_shift_amount(mul_0, mul_1)
+                    if common_shift_amount > 0:
+                        new_mul_0 = Const(None, None, mul_0 >> common_shift_amount, expr.bits)
+                        new_mul_1 = Const(None, None, mul_1 >> common_shift_amount, expr.bits)
+                        new_cmp_0 = BinaryOp(op0.idx, "Mul", [op0_op, new_mul_0], op0.signed, bits=op0.bits, **op0.tags)
+                        new_cmp_1 = (
+                            BinaryOp(op1.idx, "Mul", [op1_op, new_mul_1], op1.signed, bits=op1.bits, **op1.tags)
+                            if op1_op is not None
+                            else new_mul_1
+                        )
+                        return BinaryOp(
+                            expr.idx,
+                            expr.op,
+                            [new_cmp_0, new_cmp_1],
+                            expr.signed,
+                            bits=expr.bits,
+                            floating_point=expr.floating_point,
+                            rounding_mode=expr.rounding_mode,
+                            **expr.tags,
+                        )
+
         return None
+
+    @staticmethod
+    def _get_common_shift_amount(v0: int, v1: int) -> int:
+        if v0 == 0 or v1 == 0:
+            return 0
+        shift_amount = 0
+        while (v0 & 1) == 0 and (v1 & 1) == 0:
+            if v0 & 0xFFFF == 0 and v1 & 0xFFFF == 0:
+                v0 >>= 16
+                v1 >>= 16
+                shift_amount += 16
+            elif v0 & 0xFF == 0 and v1 & 0xFF == 0:
+                v0 >>= 8
+                v1 >>= 8
+                shift_amount += 8
+            elif v0 & 0xF == 0 and v1 & 0xF == 0:
+                v0 >>= 4
+                v1 >>= 4
+                shift_amount += 4
+            else:
+                v0 >>= 1
+                v1 >>= 1
+                shift_amount += 1
+        return shift_amount

angr/analyses/decompiler/presets/basic.py

@@ -7,6 +7,7 @@ from angr.analyses.decompiler.optimization_passes import (
     BasePointerSaveSimplifier,
     ConstantDereferencesSimplifier,
     RetAddrSaveSimplifier,
+    RegisterSaveAreaSimplifierAdvanced,
     X86GccGetPcSimplifier,
     CallStatementRewriter,
     SwitchReusedEntryRewriter,
@@ -23,6 +24,7 @@ preset_basic = DecompilationPreset(
         BasePointerSaveSimplifier,
         ConstantDereferencesSimplifier,
         RetAddrSaveSimplifier,
+        RegisterSaveAreaSimplifierAdvanced,
         X86GccGetPcSimplifier,
         CallStatementRewriter,
         SwitchReusedEntryRewriter,

angr/analyses/decompiler/presets/fast.py

@@ -22,6 +22,7 @@ from angr.analyses.decompiler.optimization_passes import (
     DeadblockRemover,
     SwitchReusedEntryRewriter,
     ConditionConstantPropagation,
+    RegisterSaveAreaSimplifierAdvanced,
     DetermineLoadSizes,
     PostStructuringPeepholeOptimizationPass,
 )
@@ -33,6 +34,7 @@ preset_fast = DecompilationPreset(
         RegisterSaveAreaSimplifier,
         StackCanarySimplifier,
         WinStackCanarySimplifier,
+        RegisterSaveAreaSimplifierAdvanced,
         BasePointerSaveSimplifier,
         ConstantDereferencesSimplifier,
         RetAddrSaveSimplifier,

angr/analyses/decompiler/presets/full.py

@@ -4,6 +4,7 @@ from angr.analyses.decompiler.optimization_passes import (
     RegisterSaveAreaSimplifier,
     StackCanarySimplifier,
     WinStackCanarySimplifier,
+    RegisterSaveAreaSimplifierAdvanced,
     BasePointerSaveSimplifier,
     DivSimplifier,
     ModSimplifier,
@@ -38,6 +39,7 @@ preset_full = DecompilationPreset(
         RegisterSaveAreaSimplifier,
         StackCanarySimplifier,
         WinStackCanarySimplifier,
+        RegisterSaveAreaSimplifierAdvanced,
         BasePointerSaveSimplifier,
         DivSimplifier,
         ModSimplifier,

angr/analyses/decompiler/region_simplifiers/expr_folding.py

@@ -271,12 +271,19 @@ class ExpressionCounter(SequenceWalker):
         # the current assignment depends on, StatementLocation of the assignment statement, a Boolean variable that
         # indicates if ExpressionUseFinder has succeeded or not)
         self.assignments: defaultdict[Any, set[tuple]] = defaultdict(set)
-        self.uses: dict[int, set[tuple[Expression, LocationBase | None]]] = {}
+        self.outerscope_uses: dict[int, set[tuple[Expression, LocationBase | None]]] = {}
+        self.all_uses: dict[int, set[tuple[Expression, LocationBase | None]]] = {}
+        # inner_scope indicates if we are currently within one of the inner scopes (e.g., a loop). we only collect
+        # assignments in the outermost level and stop collecting assignments when we enter inner scopes.
+        # we always collect uses, but uses in the outmost scope will be recorded in self.outerscope_uses
+        self._outer_scope: bool = True
 
         super().__init__(handlers)
         self.walk(node)
 
     def _handle_Statement(self, idx: int, stmt: Statement, node: ailment.Block | LoopNode):
+        if not self._outer_scope:
+            return
         if isinstance(stmt, ailment.Stmt.Assignment):
             if is_phi_assignment(stmt):
                 return
@@ -312,32 +319,40 @@ class ExpressionCounter(SequenceWalker):
 
     def _handle_Block(self, node: ailment.Block, **kwargs):
         # find assignments and uses of variables
-        use_finder = ExpressionUseFinder()
-        for idx, stmt in enumerate(node.statements):
-            self._handle_Statement(idx, stmt, node)
-            use_finder.walk_statement(stmt, block=node)
-
-        for varid, content in use_finder.uses.items():
-            if varid not in self.uses:
-                self.uses[varid] = set()
-            self.uses[varid] |= content
+        self._collect_uses(node, None)
 
     def _collect_assignments(self, expr: Expression, node) -> None:
+        if not self._outer_scope:
+            return
         finder = MultiStatementExpressionAssignmentFinder(self._handle_Statement)
         finder.walk_expression(expr, None, None, node)
 
-    def _collect_uses(self, expr: Expression | Statement, loc: LocationBase):
+    def _collect_uses(self, thing: Expression | Statement | ailment.Block, loc: LocationBase | None):
         use_finder = ExpressionUseFinder()
-        if isinstance(expr, Statement):
-            use_finder.walk_statement(expr)
+        if isinstance(thing, ailment.Block):
+            for idx, stmt in enumerate(thing.statements):
+                self._handle_Statement(idx, stmt, thing)
+                use_finder.walk_statement(stmt, block=thing)
+        elif isinstance(thing, Statement):
+            use_finder.walk_statement(thing)
         else:
-            use_finder.walk_expression(expr, stmt_idx=-1)
+            use_finder.walk_expression(thing, stmt_idx=-1)
 
         for varid, uses in use_finder.uses.items():
             for use in uses:
-                if varid not in self.uses:
-                    self.uses[varid] = set()
-                self.uses[varid].add((use[0], loc))
+                # overwrite the location if loc is specified
+                content = (use[0], loc) if loc is not None else use
+
+                # update all_uses
+                if varid not in self.all_uses:
+                    self.all_uses[varid] = set()
+                self.all_uses[varid].add(content)
+
+                # update outerscope_uses if we are in the outer scope
+                if self._outer_scope:
+                    if varid not in self.outerscope_uses:
+                        self.outerscope_uses[varid] = set()
+                    self.outerscope_uses[varid].add(content)
 
     def _handle_ConditionalBreak(self, node: ConditionalBreakNode, **kwargs):
         # collect uses on the condition expression
@@ -366,7 +381,12 @@ class ExpressionCounter(SequenceWalker):
         if node.condition is not None:
             self._collect_assignments(node.condition, node)
             self._collect_uses(node.condition, ConditionLocation(node.addr))
-        # we do not go ahead and collect into the loop body
+
+        outer_scope = self._outer_scope
+        self._outer_scope = False
+        super()._handle_Loop(node, **kwargs)
+        self._outer_scope = outer_scope
+
         return None
 
     def _handle_SwitchCase(self, node: SwitchCaseNode, **kwargs):