angr 9.2.177__cp310-abi3-win_amd64.whl → 9.2.179__cp310-abi3-win_amd64.whl

angr/analyses/decompiler/region_simplifiers/region_simplifier.py

@@ -125,10 +125,16 @@ class RegionSimplifier(Analysis):
         # before the definition site and the use site.
         var_with_loads = {}
         single_use_variables = []
-        for var, uses in expr_counter.uses.items():
-            if len(uses) == 1 and var in expr_counter.assignments and len(expr_counter.assignments[var]) == 1:
+        for var, outerscope_uses in expr_counter.outerscope_uses.items():
+            all_uses = expr_counter.all_uses[var]
+            if (
+                len(outerscope_uses) == 1
+                and len(all_uses) == 1
+                and var in expr_counter.assignments
+                and len(expr_counter.assignments[var]) == 1
+            ):
                 definition, deps, loc, has_loads = next(iter(expr_counter.assignments[var]))
-                _, use_expr_loc = next(iter(uses))
+                _, use_expr_loc = next(iter(outerscope_uses))
                 if isinstance(use_expr_loc, ExpressionLocation) and use_expr_loc.phi_stmt:
                     # we cannot fold expressions that are used in phi statements
                     continue
@@ -169,7 +175,7 @@ class RegionSimplifier(Analysis):
                     definition.ret_expr = definition.ret_expr.copy()
                     definition.ret_expr.variable = None
             variable_assignments[var] = definition, loc
-            variable_uses[var] = next(iter(expr_counter.uses[var]))
+            variable_uses[var] = next(iter(expr_counter.outerscope_uses[var]))
             variable_assignment_dependencies[var] = deps
 
         # any variable definition that uses an existing to-be-removed variable cannot be folded

angr/analyses/decompiler/structured_codegen/c.py

@@ -561,7 +561,10 @@ class CFunction(CConstruct):  # pylint:disable=abstract-method
                     continue
                 varname = v.c_repr() if v.type is None else v.variable.name
                 yield "extern ", None
-                yield from type_to_c_repr_chunks(v.type, name=varname, name_type=v, full=False)
+                if v.type is None:
+                    yield "<unknown-type>", None
+                else:
+                    yield from type_to_c_repr_chunks(v.type, name=varname, name_type=v, full=False)
                 yield ";\n", None
             yield "\n", None
 
@@ -1327,9 +1330,10 @@ class CFunctionCall(CStatement, CExpression):
                 return True
 
         # FIXME: Handle name mangle
-        for func in self.codegen.kb.functions.get_by_name(callee.name):
-            if func is not callee and (caller.binary is not callee.binary or func.binary is callee.binary):
-                return True
+        if callee is not None:
+            for func in self.codegen.kb.functions.get_by_name(callee.name):
+                if func is not callee and (caller.binary is not callee.binary or func.binary is callee.binary):
+                    return True
 
         return False
 
@@ -3194,7 +3198,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
     # Handlers
     #
 
-    def _handle(self, node, is_expr: bool = True, lvalue: bool = False, likely_signed=False):
+    def _handle(
+        self, node, is_expr: bool = True, lvalue: bool = False, likely_signed=False, type_: SimType | None = None
+    ):
         if (node, is_expr) in self.ailexpr2cnode:
             return self.ailexpr2cnode[(node, is_expr)]
 
@@ -3204,7 +3210,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             converted = (
                 handler(node, is_expr=is_expr)
                 if isinstance(node, Stmt.Call)
-                else handler(node, lvalue=lvalue, likely_signed=likely_signed)
+                else handler(node, lvalue=lvalue, likely_signed=likely_signed, type_=type_)
             )
             self.ailexpr2cnode[(node, is_expr)] = converted
             return converted
@@ -3483,6 +3489,8 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
                     and i < len(target_func.prototype.args)
                 ):
                     type_ = target_func.prototype.args[i].with_arch(self.project.arch)
+                    if target_func.prototype_libname is not None:
+                        type_ = dereference_simtype_by_lib(type_, target_func.prototype_libname)
 
                 if isinstance(arg, Expr.Const):
                     if type_ is None or is_machine_word_size_type(type_, self.project.arch):
@@ -3490,7 +3498,7 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
                     new_arg = self._handle_Expr_Const(arg, type_=type_)
                 else:
-                    new_arg = self._handle(arg)
+                    new_arg = self._handle(arg, type_=type_)
                 args.append(new_arg)
 
         ret_expr = None
@@ -3737,10 +3745,19 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             reference_values["offset"] = var_access
         return CConstant(expr.value, type_, reference_values=reference_values, tags=expr.tags, codegen=self)
 
-    def _handle_Expr_UnaryOp(self, expr, **kwargs):
+    def _handle_Expr_UnaryOp(self, expr, type_: SimType | None = None, **kwargs):
+        data_type = None
+        if expr.op == "Reference" and isinstance(type_, SimTypePointer) and not isinstance(type_.pts_to, SimTypeBottom):
+            data_type = type_.pts_to
+
+        operand = self._handle(expr.operand, lvalue=expr.op == "Reference", type_=data_type)
+
+        if expr.op == "Reference" and isinstance(operand, CUnaryOp) and operand.op == "Dereference":
+            # cancel out
+            return operand.operand
         return CUnaryOp(
             expr.op,
-            self._handle(expr.operand),
+            operand,
             tags=expr.tags,
             codegen=self,
         )
@@ -3847,7 +3864,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         cexpr = self._handle(expr.expr)
         return CMultiStatementExpression(cstmts, cexpr, tags=expr.tags, codegen=self)
 
-    def _handle_VirtualVariable(self, expr: Expr.VirtualVariable, **kwargs):
+    def _handle_VirtualVariable(
+        self, expr: Expr.VirtualVariable, lvalue: bool = False, type_: SimType | None = None, **kwargs
+    ):
         def negotiate(old_ty: SimType, proposed_ty: SimType) -> SimType:
             # we do not allow returning a struct for a primitive type
             if old_ty.size == proposed_ty.size and (
@@ -3860,13 +3879,29 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             if "struct_member_info" in expr.tags:
                 offset, var, _ = expr.struct_member_info
                 cbasevar = self._variable(var, expr.size, vvar_id=expr.varid)
+                data_type = type_
+                if data_type is None:
+                    # try to determine the type of this variable read
+                    data_type = cbasevar.type
+                    if data_type.size // self.project.arch.byte_width > expr.size:
+                        # fallback to a more suitable type
+                        data_type = (
+                            {
+                                64: SimTypeLongLong(signed=False),
+                                32: SimTypeInt(signed=False),
+                                16: SimTypeShort(signed=False),
+                                8: SimTypeChar(signed=False),
+                            }
+                            .get(expr.bits, data_type)
+                            .with_arch(self.project.arch)
+                        )
                 cvar = self._access_constant_offset(
-                    self._get_variable_reference(cbasevar), offset, cbasevar.type, False, negotiate
+                    self._get_variable_reference(cbasevar), offset, data_type, lvalue, negotiate
                 )
             else:
                 cvar = self._variable(expr.variable, None, vvar_id=expr.varid)
 
-            if expr.variable.size != expr.size:
+            if not lvalue and expr.variable.size != expr.size:
                 l.warning(
                     "VirtualVariable size (%d) and variable size (%d) do not match. Force a type cast.",
                     expr.size,
@@ -4097,6 +4132,13 @@ class PointerArithmeticFixer(CStructuredCodeWalker):
     a_ptr = a_ptr + 1.
     """
 
+    def handle_CAssignment(self, obj: CAssignment):
+        if "type" in obj.tags and "dst" in obj.tags["type"] and "src" in obj.tags["type"]:
+            # HACK: do not attempt to fix pointer arithmetic if dst and src types are explicitly given
+            # FIXME: Properly propagate dst and src types to lhs and rhs
+            return obj
+        return super().handle_CAssignment(obj)
+
     def handle_CBinaryOp(self, obj: CBinaryOp):  # type: ignore
         obj: CBinaryOp = super().handle_CBinaryOp(obj)
         if (

angr/analyses/decompiler/structuring/phoenix.py

@@ -1464,6 +1464,8 @@ class PhoenixStructurer(StructurerBase):
         switch_head_addr: int = 0
 
         # case 1: the last block is a ConditionNode with two goto statements
+        cond_expr_or_stmt = None
+        cond_case = None
         if isinstance(node, SequenceNode) and node.nodes and isinstance(node.nodes[-1], ConditionNode):
             cond_node = node.nodes[-1]
             assert isinstance(cond_node, ConditionNode)
@@ -1480,14 +1482,8 @@ class PhoenixStructurer(StructurerBase):
                 if len(successor_addrs) != 2 or None in successor_addrs:
                     return False
 
-                # extract the comparison expression, lower-, and upper-bounds from the last statement
-                cmp = switch_extract_cmp_bounds_from_condition(
-                    self.cond_proc.convert_claripy_bool_ast(cond_node.condition)
-                )
-                if not cmp:
-                    return False
-                cmp_expr, cmp_lb, _cmp_ub = cmp
-
+                cond_expr_or_stmt = cond_node.condition
+                cond_case = 1
                 assert cond_node.addr is not None
                 switch_head_addr = cond_node.addr
 
@@ -1505,14 +1501,22 @@ class PhoenixStructurer(StructurerBase):
             if len(successor_addrs) != 2:
                 return False
 
-            # extract the comparison expression, lower-, and upper-bounds from the last statement
-            cmp = switch_extract_cmp_bounds(last_stmt)
-            if not cmp:
-                return False
-            cmp_expr, cmp_lb, _cmp_ub = cmp  # pylint:disable=unused-variable
-
+            cond_expr_or_stmt = last_stmt
+            cond_case = 2
             switch_head_addr = last_stmt.ins_addr
 
+        graph = _f(graph_raw)
+        full_graph = _f(full_graph_raw)
+
+        # special fix
+        if (
+            len(successor_addrs) == 2
+            and graph.out_degree[node] == 2
+            and len(set(successor_addrs).intersection({succ.addr for succ in graph.successors(node)})) == 1
+        ):
+            # there is an unmatched successor addr! fix it
+            successor_addrs = [succ.addr for succ in graph.successors(node)]
+
         for t in successor_addrs:
             if t in self.jump_tables:
                 # this is a candidate!
@@ -1521,13 +1525,29 @@ class PhoenixStructurer(StructurerBase):
         else:
             return False
 
+        # extract the comparison expression, lower-, and upper-bounds from the last statement
+        match cond_case:
+            case 1:
+                cmp = switch_extract_cmp_bounds_from_condition(
+                    self.cond_proc.convert_claripy_bool_ast(cond_expr_or_stmt)
+                )
+                if not cmp:
+                    return False
+            case 2:
+                # extract the comparison expression, lower-, and upper-bounds from the last statement
+                cmp = switch_extract_cmp_bounds(cond_expr_or_stmt)
+                if not cmp:
+                    return False
+            case _:
+                # unreachable!
+                return False
+
+        cmp_expr, cmp_lb, _cmp_ub = cmp  # pylint:disable=unused-variable
+
         jump_table = self.jump_tables[target]
         if jump_table.type != IndirectJumpType.Jumptable_AddressLoadedFromMemory:
             return False
 
-        graph = _f(graph_raw)
-        full_graph = _f(full_graph_raw)
-
         node_a = next(iter(nn for nn in graph.nodes if nn.addr == target), None)
         if node_a is None:
             return False
@@ -1585,10 +1605,24 @@ class PhoenixStructurer(StructurerBase):
             # update node_a
             node_a = next(iter(nn for nn in graph.nodes if nn.addr == target))
         if isinstance(node_a, IncompleteSwitchCaseNode):
-            r = self._unpack_incompleteswitchcasenode(graph_raw, node_a)
+            # special case: if node_default is None, node_a has a missing case, and node_a has a successor in the full
+            # graph that is not the default node, then we know
+            # 1. there is a default node (instead of the successor of the entire switch-case construct).
+            # 2. the default node is in a parent region.
+            # as a result, we cannot structure this switch-case right now
+            if (
+                len(node_a.cases) == len(set(jump_table.jumptable_entries)) - 1
+                and node_default is None
+                and len([succ for succ in full_graph.successors(node_a) if succ.addr != node_b_addr]) > 0
+            ):
+                return False
+
+            r = self._unpack_incompleteswitchcasenode(graph_raw, node_a, jump_table.jumptable_entries)
             if not r:
                 return False
-            self._unpack_incompleteswitchcasenode(full_graph_raw, node_a)  # this shall not fail
+            self._unpack_incompleteswitchcasenode(
+                full_graph_raw, node_a, jump_table.jumptable_entries
+            )  # this shall not fail
             # update node_a
             node_a = next(iter(nn for nn in graph.nodes if nn.addr == target))
             if self._node_order is not None:
@@ -1721,10 +1755,16 @@ class PhoenixStructurer(StructurerBase):
 
         # un-structure IncompleteSwitchCaseNode
         if isinstance(node, IncompleteSwitchCaseNode):
-            r = self._unpack_incompleteswitchcasenode(graph_raw, node)
+            if len(set(jump_table.jumptable_entries)) > len(node.cases):
+                # it has a missing default case node! we cannot structure it as a no-default switch-case
+                return False
+
+            r = self._unpack_incompleteswitchcasenode(graph_raw, node, jump_table.jumptable_entries)
             if not r:
                 return False
-            self._unpack_incompleteswitchcasenode(full_graph_raw, node)  # this shall not fail
+            self._unpack_incompleteswitchcasenode(
+                full_graph_raw, node, jump_table.jumptable_entries
+            )  # this shall not fail
             # update node
             node = next(iter(nn for nn in graph.nodes if nn.addr == jump_table.addr))
 
@@ -1934,31 +1974,35 @@ class PhoenixStructurer(StructurerBase):
 
         jump_table = self.jump_tables[node.addr]
         assert jump_table.jumptable_entries is not None
-        if (
-            successors
-            and {succ.addr for succ in successors} == set(jump_table.jumptable_entries)
-            and all(graph.in_degree[succ] == 1 for succ in successors)
-        ):
-            out_nodes = set()
-            for succ in successors:
-                out_nodes |= {
-                    succ for succ in full_graph.successors(succ) if succ is not node and succ not in successors
-                }
-            out_nodes = list(out_nodes)
-            if len(out_nodes) <= 1 and node.addr not in self._matched_incomplete_switch_case_addrs:
-                self._matched_incomplete_switch_case_addrs.add(node.addr)
-                new_node = IncompleteSwitchCaseNode(node.addr, node, successors)
-                graph_raw.remove_nodes_from(successors)
-                self.replace_nodes(graph_raw, node, new_node)
-                if out_nodes and out_nodes[0] in graph:
-                    graph_raw.add_edge(new_node, out_nodes[0])
-                full_graph_raw.remove_nodes_from(successors)
-                self.replace_nodes(full_graph_raw, node, new_node, update_node_order=True)
-                if out_nodes:
-                    full_graph_raw.add_edge(new_node, out_nodes[0])
-                if self._node_order:
-                    self._node_order[new_node] = self._node_order[node]
-                return True
+
+        if successors and all(graph.in_degree[succ] == 1 for succ in successors):
+            succ_addrs = {succ.addr for succ in successors}
+            expected_entry_addrs = set(jump_table.jumptable_entries)
+            # test if we have found all entries or all but one entry (where the one missing entry is likely the default
+            # case).
+            if succ_addrs == expected_entry_addrs or (
+                succ_addrs.issubset(expected_entry_addrs) and len(expected_entry_addrs - succ_addrs) == 1
+            ):
+                out_nodes = set()
+                for succ in successors:
+                    out_nodes |= {
+                        succ for succ in full_graph.successors(succ) if succ is not node and succ not in successors
+                    }
+                out_nodes = list(out_nodes)
+                if len(out_nodes) <= 1 and node.addr not in self._matched_incomplete_switch_case_addrs:
+                    self._matched_incomplete_switch_case_addrs.add(node.addr)
+                    new_node = IncompleteSwitchCaseNode(node.addr, node, successors)
+                    graph_raw.remove_nodes_from(successors)
+                    self.replace_nodes(graph_raw, node, new_node)
+                    if out_nodes and out_nodes[0] in graph:
+                        graph_raw.add_edge(new_node, out_nodes[0])
+                    full_graph_raw.remove_nodes_from(successors)
+                    self.replace_nodes(full_graph_raw, node, new_node, update_node_order=True)
+                    if out_nodes:
+                        full_graph_raw.add_edge(new_node, out_nodes[0])
+                    if self._node_order:
+                        self._node_order[new_node] = self._node_order[node]
+                    return True
         return False
 
     def _switch_build_cases(
@@ -2195,9 +2239,11 @@ class PhoenixStructurer(StructurerBase):
                 out_dst_succs_fullgraph = []
                 for _, o in other_out_edges:
                     if o in graph:
-                        out_dst_succs.append(o)
+                        if o not in out_dst_succs:
+                            out_dst_succs.append(o)
                     elif o in full_graph:
-                        out_dst_succs_fullgraph.append(o)
+                        if o not in out_dst_succs_fullgraph:
+                            out_dst_succs_fullgraph.append(o)
                 out_dst_succ = sorted(out_dst_succs, key=lambda o: o.addr)[0] if out_dst_succs else None
                 out_dst_succ_fullgraph = (
                     sorted(out_dst_succs_fullgraph, key=lambda o: o.addr)[0] if out_dst_succs_fullgraph else None
@@ -2283,6 +2329,8 @@ class PhoenixStructurer(StructurerBase):
     def _is_switch_cases_address_loaded_from_memory_head_or_jumpnode(self, graph, node) -> bool:
         if self._is_node_unstructured_switch_case_head(node):
             return True
+        if isinstance(node, IncompleteSwitchCaseNode):
+            return True
         for succ in graph.successors(node):
             if self._is_node_unstructured_switch_case_head(succ):
                 return True
@@ -2299,20 +2347,31 @@ class PhoenixStructurer(StructurerBase):
         graph = _f(graph_raw)
 
         succs = list(graph.successors(start_node))
-        if len(succs) == 1:
-            end_node = succs[0]
-            if (
-                full_graph.out_degree[start_node] == 1
-                and full_graph.in_degree[end_node] == 1
-                and not full_graph.has_edge(end_node, start_node)
-                and not self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, end_node)
-                and not self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, start_node)
-                and end_node not in self.dowhile_known_tail_nodes
-                and not isinstance(end_node, IncompleteSwitchCaseNode)
-            ):
+        if len(succs) != 1:
+            return False
+        end_node = succs[0]
+        if (
+            full_graph.out_degree[start_node] == 1
+            and full_graph.in_degree[end_node] == 1
+            and not full_graph.has_edge(end_node, start_node)
+            and not self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, start_node)
+            and end_node not in self.dowhile_known_tail_nodes
+        ):
+            new_seq = None
+            if not self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, end_node):
                 # merge two blocks
                 new_seq = self._merge_nodes(start_node, end_node)
-
+            elif isinstance(end_node, IncompleteSwitchCaseNode):
+                # a special case where there is a node between the actual switch-case head and the jump table
+                # head
+                # binary 7995a0325b446c462bdb6ae10b692eee2ecadd8e888e9d7729befe4412007afb, function 0x1400326C0
+                # keep the IncompleteSwitchCaseNode, and merge two blocks into the head of the IncompleteSwitchCaseNode.
+                new_seq = self._merge_nodes(start_node, end_node.head)
+                new_seq.addr = end_node.addr
+                end_node.head = new_seq
+                new_seq = end_node
+
+            if new_seq is not None:
                 # on the original graph
                 self.replace_nodes(graph_raw, start_node, new_seq, old_node_1=end_node if end_node in graph else None)
                 # on the graph with successors
@@ -3267,17 +3326,23 @@ class PhoenixStructurer(StructurerBase):
         return True, new_seq
 
     @staticmethod
-    def _unpack_incompleteswitchcasenode(graph: networkx.DiGraph, incscnode: IncompleteSwitchCaseNode) -> bool:
+    def _unpack_incompleteswitchcasenode(
+        graph: networkx.DiGraph, incscnode: IncompleteSwitchCaseNode, jumptable_entries: list[int]
+    ) -> bool:
         preds = list(graph.predecessors(incscnode))
         succs = list(graph.successors(incscnode))
-        if len(succs) <= 1:
+        non_case_succs = [succ for succ in succs if succ.addr not in jumptable_entries]
+        if len(non_case_succs) <= 1:
             graph.remove_node(incscnode)
             for pred in preds:
                 graph.add_edge(pred, incscnode.head)
+            for succ in succs:
+                if succ not in non_case_succs:
+                    graph.add_edge(incscnode.head, succ)
             for case_node in incscnode.cases:
                 graph.add_edge(incscnode.head, case_node)
-                if succs:
-                    graph.add_edge(case_node, succs[0])
+                if non_case_succs:
+                    graph.add_edge(case_node, non_case_succs[0])
             return True
         return False
 

angr/analyses/decompiler/utils.py

@@ -163,12 +163,30 @@ def switch_extract_cmp_bounds(
 def switch_extract_cmp_bounds_from_condition(cond: ailment.Expr.Expression) -> tuple[Any, int, int] | None:
     # TODO: Add more operations
     if isinstance(cond, ailment.Expr.BinaryOp):
-        if cond.op in {"CmpLE", "CmpLT"}:
-            if not (isinstance(cond.operands[1], ailment.Expr.Const) and isinstance(cond.operands[1].value, int)):
+        op = cond.op
+        op0, op1 = cond.operands
+        if not isinstance(op1, ailment.Expr.Const):
+            # swap them
+            match op:
+                case "CmpLE":
+                    op = "CmpGE"
+                case "CmpLT":
+                    op = "CmpGT"
+                case "CmpGE":
+                    op = "CmpLE"
+                case "CmpGT":
+                    op = "CmpLT"
+                case _:
+                    # unsupported
+                    return None
+            op0, op1 = op1, op0
+
+        if op in {"CmpLE", "CmpLT"}:
+            if not (isinstance(op1, ailment.Expr.Const) and isinstance(op1.value, int)):
                 return None
-            cmp_ub = cond.operands[1].value if cond.op == "CmpLE" else cond.operands[1].value - 1
+            cmp_ub = op1.value if op == "CmpLE" else op1.value - 1
             cmp_lb = 0
-            cmp = cond.operands[0]
+            cmp = op0
             if (
                 isinstance(cmp, ailment.Expr.BinaryOp)
                 and cmp.op == "Sub"
@@ -180,15 +198,15 @@ def switch_extract_cmp_bounds_from_condition(cond: ailment.Expr.Expression) -> t
                 cmp = cmp.operands[0]
             return cmp, cmp_lb, cmp_ub
 
-        if cond.op in {"CmpGE", "CmpGT"}:
+        if op in {"CmpGE", "CmpGT"}:
             # We got the negated condition here
             #  CmpGE -> CmpLT
             #  CmpGT -> CmpLE
-            if not (isinstance(cond.operands[1], ailment.Expr.Const) and isinstance(cond.operands[1].value, int)):
+            if not (isinstance(op1, ailment.Expr.Const) and isinstance(op1.value, int)):
                 return None
-            cmp_ub = cond.operands[1].value if cond.op == "CmpGT" else cond.operands[1].value - 1
+            cmp_ub = op1.value if op == "CmpGT" else op1.value - 1
             cmp_lb = 0
-            cmp = cond.operands[0]
+            cmp = op0
             if (
                 isinstance(cmp, ailment.Expr.BinaryOp)
                 and cmp.op == "Sub"