PyPI - angr - Versions diffs - 9.2.178__cp310-abi3-macosx_11_0_arm64.whl → 9.2.180__cp310-abi3-macosx_11_0_arm64.whl - Mend

angr 9.2.178__cp310-abi3-macosx_11_0_arm64.whl → 9.2.180__cp310-abi3-macosx_11_0_arm64.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of angr might be problematic. Click here for more details.

Files changed (25) hide show

angr/__init__.py +1 -1
angr/ailment/converter_vex.py +35 -4
angr/analyses/cfg/cfb.py +11 -0
angr/analyses/decompiler/ail_simplifier.py +1 -1
angr/analyses/decompiler/clinic.py +9 -3
angr/analyses/decompiler/peephole_optimizations/cas_intrinsics.py +2 -2
angr/analyses/decompiler/region_simplifiers/expr_folding.py +38 -18
angr/analyses/decompiler/region_simplifiers/region_simplifier.py +10 -4
angr/analyses/decompiler/ssailification/rewriting.py +1 -1
angr/analyses/decompiler/structured_codegen/c.py +54 -12
angr/analyses/decompiler/structuring/phoenix.py +129 -64
angr/analyses/decompiler/utils.py +26 -8
angr/analyses/disassembly.py +108 -52
angr/analyses/proximity_graph.py +20 -19
angr/flirt/__init__.py +69 -42
angr/knowledge_plugins/key_definitions/live_definitions.py +2 -1
angr/rustylib.abi3.so +0 -0
angr/unicornlib.dylib +0 -0
angr/utils/types.py +2 -0
{angr-9.2.178.dist-info → angr-9.2.180.dist-info}/METADATA +8 -8
{angr-9.2.178.dist-info → angr-9.2.180.dist-info}/RECORD +25 -25
{angr-9.2.178.dist-info → angr-9.2.180.dist-info}/WHEEL +0 -0
{angr-9.2.178.dist-info → angr-9.2.180.dist-info}/entry_points.txt +0 -0
{angr-9.2.178.dist-info → angr-9.2.180.dist-info}/licenses/LICENSE +0 -0
{angr-9.2.178.dist-info → angr-9.2.180.dist-info}/top_level.txt +0 -0

angr/analyses/decompiler/structuring/phoenix.py CHANGED Viewed

@@ -1464,6 +1464,8 @@ class PhoenixStructurer(StructurerBase):
         switch_head_addr: int = 0
         # case 1: the last block is a ConditionNode with two goto statements
+        cond_expr_or_stmt = None
+        cond_case = None
         if isinstance(node, SequenceNode) and node.nodes and isinstance(node.nodes[-1], ConditionNode):
             cond_node = node.nodes[-1]
             assert isinstance(cond_node, ConditionNode)
@@ -1480,14 +1482,8 @@ class PhoenixStructurer(StructurerBase):
                 if len(successor_addrs) != 2 or None in successor_addrs:
                     return False
-                # extract the comparison expression, lower-, and upper-bounds from the last statement
-                cmp = switch_extract_cmp_bounds_from_condition(
-                    self.cond_proc.convert_claripy_bool_ast(cond_node.condition)
-                )
-                if not cmp:
-                    return False
-                cmp_expr, cmp_lb, _cmp_ub = cmp
+                cond_expr_or_stmt = cond_node.condition
+                cond_case = 1
                 assert cond_node.addr is not None
                 switch_head_addr = cond_node.addr
@@ -1505,14 +1501,22 @@ class PhoenixStructurer(StructurerBase):
             if len(successor_addrs) != 2:
                 return False
-            # extract the comparison expression, lower-, and upper-bounds from the last statement
-            cmp = switch_extract_cmp_bounds(last_stmt)
-            if not cmp:
-                return False
-            cmp_expr, cmp_lb, _cmp_ub = cmp  # pylint:disable=unused-variable
+            cond_expr_or_stmt = last_stmt
+            cond_case = 2
             switch_head_addr = last_stmt.ins_addr
+        graph = _f(graph_raw)
+        full_graph = _f(full_graph_raw)
+        # special fix
+        if (
+            len(successor_addrs) == 2
+            and graph.out_degree[node] == 2
+            and len(set(successor_addrs).intersection({succ.addr for succ in graph.successors(node)})) == 1
+        ):
+            # there is an unmatched successor addr! fix it
+            successor_addrs = [succ.addr for succ in graph.successors(node)]
         for t in successor_addrs:
             if t in self.jump_tables:
                 # this is a candidate!
@@ -1521,13 +1525,29 @@ class PhoenixStructurer(StructurerBase):
         else:
             return False
+        # extract the comparison expression, lower-, and upper-bounds from the last statement
+        match cond_case:
+            case 1:
+                cmp = switch_extract_cmp_bounds_from_condition(
+                    self.cond_proc.convert_claripy_bool_ast(cond_expr_or_stmt)
+                )
+                if not cmp:
+                    return False
+            case 2:
+                # extract the comparison expression, lower-, and upper-bounds from the last statement
+                cmp = switch_extract_cmp_bounds(cond_expr_or_stmt)
+                if not cmp:
+                    return False
+            case _:
+                # unreachable!
+                return False
+        cmp_expr, cmp_lb, _cmp_ub = cmp  # pylint:disable=unused-variable
         jump_table = self.jump_tables[target]
         if jump_table.type != IndirectJumpType.Jumptable_AddressLoadedFromMemory:
             return False
-        graph = _f(graph_raw)
-        full_graph = _f(full_graph_raw)
         node_a = next(iter(nn for nn in graph.nodes if nn.addr == target), None)
         if node_a is None:
             return False
@@ -1585,10 +1605,24 @@ class PhoenixStructurer(StructurerBase):
             # update node_a
             node_a = next(iter(nn for nn in graph.nodes if nn.addr == target))
         if isinstance(node_a, IncompleteSwitchCaseNode):
-            r = self._unpack_incompleteswitchcasenode(graph_raw, node_a)
+            # special case: if node_default is None, node_a has a missing case, and node_a has a successor in the full
+            # graph that is not the default node, then we know
+            # 1. there is a default node (instead of the successor of the entire switch-case construct).
+            # 2. the default node is in a parent region.
+            # as a result, we cannot structure this switch-case right now
+            if (
+                len(node_a.cases) == len(set(jump_table.jumptable_entries)) - 1
+                and node_default is None
+                and len([succ for succ in full_graph.successors(node_a) if succ.addr != node_b_addr]) > 0
+            ):
+                return False
+            r = self._unpack_incompleteswitchcasenode(graph_raw, node_a, jump_table.jumptable_entries)
             if not r:
                 return False
-            self._unpack_incompleteswitchcasenode(full_graph_raw, node_a)  # this shall not fail
+            self._unpack_incompleteswitchcasenode(
+                full_graph_raw, node_a, jump_table.jumptable_entries
+            )  # this shall not fail
             # update node_a
             node_a = next(iter(nn for nn in graph.nodes if nn.addr == target))
             if self._node_order is not None:
@@ -1721,10 +1755,16 @@ class PhoenixStructurer(StructurerBase):
         # un-structure IncompleteSwitchCaseNode
         if isinstance(node, IncompleteSwitchCaseNode):
-            r = self._unpack_incompleteswitchcasenode(graph_raw, node)
+            if len(set(jump_table.jumptable_entries)) > len(node.cases):
+                # it has a missing default case node! we cannot structure it as a no-default switch-case
+                return False
+            r = self._unpack_incompleteswitchcasenode(graph_raw, node, jump_table.jumptable_entries)
             if not r:
                 return False
-            self._unpack_incompleteswitchcasenode(full_graph_raw, node)  # this shall not fail
+            self._unpack_incompleteswitchcasenode(
+                full_graph_raw, node, jump_table.jumptable_entries
+            )  # this shall not fail
             # update node
             node = next(iter(nn for nn in graph.nodes if nn.addr == jump_table.addr))
@@ -1934,31 +1974,35 @@ class PhoenixStructurer(StructurerBase):
         jump_table = self.jump_tables[node.addr]
         assert jump_table.jumptable_entries is not None
-        if (
-            successors
-            and {succ.addr for succ in successors} == set(jump_table.jumptable_entries)
-            and all(graph.in_degree[succ] == 1 for succ in successors)
-        ):
-            out_nodes = set()
-            for succ in successors:
-                out_nodes |= {
-                    succ for succ in full_graph.successors(succ) if succ is not node and succ not in successors
-                }
-            out_nodes = list(out_nodes)
-            if len(out_nodes) <= 1 and node.addr not in self._matched_incomplete_switch_case_addrs:
-                self._matched_incomplete_switch_case_addrs.add(node.addr)
-                new_node = IncompleteSwitchCaseNode(node.addr, node, successors)
-                graph_raw.remove_nodes_from(successors)
-                self.replace_nodes(graph_raw, node, new_node)
-                if out_nodes and out_nodes[0] in graph:
-                    graph_raw.add_edge(new_node, out_nodes[0])
-                full_graph_raw.remove_nodes_from(successors)
-                self.replace_nodes(full_graph_raw, node, new_node, update_node_order=True)
-                if out_nodes:
-                    full_graph_raw.add_edge(new_node, out_nodes[0])
-                if self._node_order:
-                    self._node_order[new_node] = self._node_order[node]
-                return True
+        if successors and all(graph.in_degree[succ] == 1 for succ in successors):
+            succ_addrs = {succ.addr for succ in successors}
+            expected_entry_addrs = set(jump_table.jumptable_entries)
+            # test if we have found all entries or all but one entry (where the one missing entry is likely the default
+            # case).
+            if succ_addrs == expected_entry_addrs or (
+                succ_addrs.issubset(expected_entry_addrs) and len(expected_entry_addrs - succ_addrs) == 1
+            ):
+                out_nodes = set()
+                for succ in successors:
+                    out_nodes |= {
+                        succ for succ in full_graph.successors(succ) if succ is not node and succ not in successors
+                    }
+                out_nodes = list(out_nodes)
+                if len(out_nodes) <= 1 and node.addr not in self._matched_incomplete_switch_case_addrs:
+                    self._matched_incomplete_switch_case_addrs.add(node.addr)
+                    new_node = IncompleteSwitchCaseNode(node.addr, node, successors)
+                    graph_raw.remove_nodes_from(successors)
+                    self.replace_nodes(graph_raw, node, new_node)
+                    if out_nodes and out_nodes[0] in graph:
+                        graph_raw.add_edge(new_node, out_nodes[0])
+                    full_graph_raw.remove_nodes_from(successors)
+                    self.replace_nodes(full_graph_raw, node, new_node, update_node_order=True)
+                    if out_nodes:
+                        full_graph_raw.add_edge(new_node, out_nodes[0])
+                    if self._node_order:
+                        self._node_order[new_node] = self._node_order[node]
+                    return True
         return False
     def _switch_build_cases(
@@ -2195,9 +2239,11 @@ class PhoenixStructurer(StructurerBase):
                 out_dst_succs_fullgraph = []
                 for _, o in other_out_edges:
                     if o in graph:
-                        out_dst_succs.append(o)
+                        if o not in out_dst_succs:
+                            out_dst_succs.append(o)
                     elif o in full_graph:
-                        out_dst_succs_fullgraph.append(o)
+                        if o not in out_dst_succs_fullgraph:
+                            out_dst_succs_fullgraph.append(o)
                 out_dst_succ = sorted(out_dst_succs, key=lambda o: o.addr)[0] if out_dst_succs else None
                 out_dst_succ_fullgraph = (
                     sorted(out_dst_succs_fullgraph, key=lambda o: o.addr)[0] if out_dst_succs_fullgraph else None
@@ -2283,6 +2329,8 @@ class PhoenixStructurer(StructurerBase):
     def _is_switch_cases_address_loaded_from_memory_head_or_jumpnode(self, graph, node) -> bool:
         if self._is_node_unstructured_switch_case_head(node):
             return True
+        if isinstance(node, IncompleteSwitchCaseNode):
+            return True
         for succ in graph.successors(node):
             if self._is_node_unstructured_switch_case_head(succ):
                 return True
@@ -2299,20 +2347,31 @@ class PhoenixStructurer(StructurerBase):
         graph = _f(graph_raw)
         succs = list(graph.successors(start_node))
-        if len(succs) == 1:
-            end_node = succs[0]
-            if (
-                full_graph.out_degree[start_node] == 1
-                and full_graph.in_degree[end_node] == 1
-                and not full_graph.has_edge(end_node, start_node)
-                and not self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, end_node)
-                and not self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, start_node)
-                and end_node not in self.dowhile_known_tail_nodes
-                and not isinstance(end_node, IncompleteSwitchCaseNode)
-            ):
+        if len(succs) != 1:
+            return False
+        end_node = succs[0]
+        if (
+            full_graph.out_degree[start_node] == 1
+            and full_graph.in_degree[end_node] == 1
+            and not full_graph.has_edge(end_node, start_node)
+            and not self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, start_node)
+            and end_node not in self.dowhile_known_tail_nodes
+        ):
+            new_seq = None
+            if not self._is_switch_cases_address_loaded_from_memory_head_or_jumpnode(full_graph, end_node):
                 # merge two blocks
                 new_seq = self._merge_nodes(start_node, end_node)
+            elif isinstance(end_node, IncompleteSwitchCaseNode):
+                # a special case where there is a node between the actual switch-case head and the jump table
+                # head
+                # binary 7995a0325b446c462bdb6ae10b692eee2ecadd8e888e9d7729befe4412007afb, function 0x1400326C0
+                # keep the IncompleteSwitchCaseNode, and merge two blocks into the head of the IncompleteSwitchCaseNode.
+                new_seq = self._merge_nodes(start_node, end_node.head)
+                new_seq.addr = end_node.addr
+                end_node.head = new_seq
+                new_seq = end_node
+            if new_seq is not None:
                 # on the original graph
                 self.replace_nodes(graph_raw, start_node, new_seq, old_node_1=end_node if end_node in graph else None)
                 # on the graph with successors
@@ -3267,17 +3326,23 @@ class PhoenixStructurer(StructurerBase):
         return True, new_seq
     @staticmethod
-    def _unpack_incompleteswitchcasenode(graph: networkx.DiGraph, incscnode: IncompleteSwitchCaseNode) -> bool:
+    def _unpack_incompleteswitchcasenode(
+        graph: networkx.DiGraph, incscnode: IncompleteSwitchCaseNode, jumptable_entries: list[int]
+    ) -> bool:
         preds = list(graph.predecessors(incscnode))
         succs = list(graph.successors(incscnode))
-        if len(succs) <= 1:
+        non_case_succs = [succ for succ in succs if succ.addr not in jumptable_entries]
+        if len(non_case_succs) <= 1:
             graph.remove_node(incscnode)
             for pred in preds:
                 graph.add_edge(pred, incscnode.head)
+            for succ in succs:
+                if succ not in non_case_succs:
+                    graph.add_edge(incscnode.head, succ)
             for case_node in incscnode.cases:
                 graph.add_edge(incscnode.head, case_node)
-                if succs:
-                    graph.add_edge(case_node, succs[0])
+                if non_case_succs:
+                    graph.add_edge(case_node, non_case_succs[0])
             return True
         return False

angr/analyses/decompiler/utils.py CHANGED Viewed

@@ -163,12 +163,30 @@ def switch_extract_cmp_bounds(
 def switch_extract_cmp_bounds_from_condition(cond: ailment.Expr.Expression) -> tuple[Any, int, int] | None:
     # TODO: Add more operations
     if isinstance(cond, ailment.Expr.BinaryOp):
-        if cond.op in {"CmpLE", "CmpLT"}:
-            if not (isinstance(cond.operands[1], ailment.Expr.Const) and isinstance(cond.operands[1].value, int)):
+        op = cond.op
+        op0, op1 = cond.operands
+        if not isinstance(op1, ailment.Expr.Const):
+            # swap them
+            match op:
+                case "CmpLE":
+                    op = "CmpGE"
+                case "CmpLT":
+                    op = "CmpGT"
+                case "CmpGE":
+                    op = "CmpLE"
+                case "CmpGT":
+                    op = "CmpLT"
+                case _:
+                    # unsupported
+                    return None
+            op0, op1 = op1, op0
+        if op in {"CmpLE", "CmpLT"}:
+            if not (isinstance(op1, ailment.Expr.Const) and isinstance(op1.value, int)):
                 return None
-            cmp_ub = cond.operands[1].value if cond.op == "CmpLE" else cond.operands[1].value - 1
+            cmp_ub = op1.value if op == "CmpLE" else op1.value - 1
             cmp_lb = 0
-            cmp = cond.operands[0]
+            cmp = op0
             if (
                 isinstance(cmp, ailment.Expr.BinaryOp)
                 and cmp.op == "Sub"
@@ -180,15 +198,15 @@ def switch_extract_cmp_bounds_from_condition(cond: ailment.Expr.Expression) -> t
                 cmp = cmp.operands[0]
             return cmp, cmp_lb, cmp_ub
-        if cond.op in {"CmpGE", "CmpGT"}:
+        if op in {"CmpGE", "CmpGT"}:
             # We got the negated condition here
             #  CmpGE -> CmpLT
             #  CmpGT -> CmpLE
-            if not (isinstance(cond.operands[1], ailment.Expr.Const) and isinstance(cond.operands[1].value, int)):
+            if not (isinstance(op1, ailment.Expr.Const) and isinstance(op1.value, int)):
                 return None
-            cmp_ub = cond.operands[1].value if cond.op == "CmpGT" else cond.operands[1].value - 1
+            cmp_ub = op1.value if op == "CmpGT" else op1.value - 1
             cmp_lb = 0
-            cmp = cond.operands[0]
+            cmp = op0
             if (
                 isinstance(cmp, ailment.Expr.BinaryOp)
                 and cmp.op == "Sub"

angr/analyses/disassembly.py CHANGED Viewed

@@ -34,7 +34,7 @@ class DisassemblyPiece:
     addr = None
     ident = float("nan")
-    def render(self, formatting=None):
+    def render(self, formatting=None) -> list[str]:
         x = self._render(formatting)
         if len(x) == 1:
             return [self.highlight(x[0], formatting)]
@@ -73,7 +73,7 @@ class DisassemblyPiece:
             pass
         return string
-    def __eq__(self, other):
+    def __eq__(self, other) -> bool:
         return False
@@ -175,7 +175,7 @@ class Instruction(DisassemblyPiece):
         self.arch = self.project.arch
         self.format = ""
         self.components = ()
-        self.opcode = None
+        self.opcode: Opcode = None  # type:ignore
         self.operands = []
         # the following members will be filled in after dissecting the instruction
@@ -261,7 +261,11 @@ class Instruction(DisassemblyPiece):
                     if i > 0 and opr_pieces[i - 1] == "-":
                         v = -v
                         cur_operand.pop()
-                    cur_operand.append(Value(v, with_sign))
+                    with_pound_sign = False
+                    if i > 0 and opr_pieces[i - 1] == "#":
+                        with_pound_sign = True
+                        cur_operand.pop()
+                    cur_operand.append(Value(v, with_sign, render_with_pound_sign=with_pound_sign))
                 elif p[0].isalpha() and p in self.arch.registers:
                     cur_operand.append(Register(p))
                 else:
@@ -592,7 +596,7 @@ class Opcode(DisassemblyPiece):
 class Operand(DisassemblyPiece):
     def __init__(self, op_num, children, parentinsn):
         self.addr = parentinsn.addr
-        self.children = children
+        self.children: list = children
         self.parentinsn = parentinsn
         self.op_num = op_num
         self.ident = (self.addr, "operand", self.op_num)
@@ -639,14 +643,33 @@ class Operand(DisassemblyPiece):
         operand = cls(op_num, children, parentinsn)
         # Post-processing
-        if cls is MemoryOperand and parentinsn.arch.name in {"AMD64"} and len(operand.values) == 2:
+        if cls is MemoryOperand:
+            operand = Operand._post_process_memory_operand(parentinsn, operand)
+        return operand
+    @staticmethod
+    def _post_process_memory_operand(parentinsn: Instruction, operand: MemoryOperand) -> Operand:
+        archname = parentinsn.arch.name
+        if archname in {"AMD64", "ARM", "ARMEL", "ARMHF", "ARMCortexM"} and len(operand.values) == 2:
             op0, op1 = operand.values
             if type(op0) is Register and op0.is_ip and type(op1) is Value:
-                # Indirect addressing in x86_64
+                # Indirect addressing in x86-64 and ARM
                 # 400520  push [rip+0x200782] ==>  400520  push [0x600ca8]
-                absolute_addr = parentinsn.addr + parentinsn.size + op1.val
+                # 80410e6  ldr r1, [pc, #0x98]  ==>   80410e6  ldr r1, [0x8041182]
+                match archname:
+                    case "AMD64":
+                        absolute_addr = parentinsn.addr + parentinsn.size + op1.val
+                    case "ARM" | "ARMEL" | "ARMHF" | "ARMCortexM":
+                        if parentinsn.addr & 1:
+                            # thumb mode
+                            absolute_addr = (parentinsn.addr & 0xFFFF_FFFE) + 4 + op1.val
+                        else:
+                            # arm mode
+                            absolute_addr = parentinsn.addr + 8 + op1.val
+                    case _:
+                        raise AngrTypeError(f"Unsupported architecture {archname} for post-processing memory operand.")
                 return MemoryOperand(1, [*operand.prefix, "[", Value(absolute_addr, False), "]"], parentinsn)
         return operand
@@ -680,13 +703,15 @@ class MemoryOperand(Operand):
         # [ '[', Register, ']' ]
         # or
         # [ Value, '(', Register, ')' ]
+        # or
+        # [ Register, ",", Value]
         # it will be converted into more meaningful and Pythonic properties
         self.segment_selector = None
         self.prefix = []
         self.suffix_str = ""  # could be arm pre index mark "!"
-        self.values = []
+        self.values: list[str | DisassemblyPiece] = []
         self.offset = []
         # offset_location
         # - prefix: -0xff00($gp)
@@ -698,6 +723,10 @@ class MemoryOperand(Operand):
         # - curly: {rax+0x10}
         # - paren: (rax+0x10)
         self.values_style = "square"
+        # separator (between register and value)
+        # - "": rax+0x10
+        # - "comma": r0, #0x10
+        self.separator = ""
         try:
             if "[" in self.children:
@@ -711,8 +740,8 @@ class MemoryOperand(Operand):
             l.error("Failed to parse operand children %s. Please report to Fish.", self.children)
             # setup all dummy properties
-            self.prefix = None
-            self.values = None
+            self.prefix = []
+            self.values = []
     def _parse_memop_squarebracket(self):
         if self.children[0] != "[":
@@ -746,6 +775,27 @@ class MemoryOperand(Operand):
                 raise ValueError
         self.values = self.children[square_bracket_pos + 1 : close_square_pos]
+        if len(self.values) >= 3 and self.values[1] == ",":
+            # arm style memory operand: [r0, #0x10], or [pc, r3, lsl #1]
+            self.separator = "comma"
+            # remove all commas and consolidate all remaining strings
+            new_values = []
+            last_item = None
+            for v in self.values:
+                if v == ",":
+                    if last_item is not None:
+                        new_values.append(last_item)
+                        last_item = None
+                elif isinstance(v, str):
+                    last_item = v if last_item is None else last_item + v
+                else:
+                    if last_item is not None:
+                        new_values.append(last_item)
+                        last_item = None
+                    new_values.append(v)
+            if last_item is not None:
+                new_values.append(last_item)
+            self.values = new_values
     def _parse_memop_paren(self):
         offset = []
@@ -801,7 +851,8 @@ class MemoryOperand(Operand):
         if custom_values_str is not None:
             value_str = custom_values_str
         else:
-            value_str = "".join(x.render(formatting)[0] if not isinstance(x, (bytes, str)) else x for x in self.values)
+            sep = "," if self.separator == "comma" else ""
+            value_str = sep.join(x.render(formatting)[0] if not isinstance(x, str) else x for x in self.values)
         if values_style == "curly":
             left_paren, right_paren = "{", "}"
@@ -811,7 +862,7 @@ class MemoryOperand(Operand):
             left_paren, right_paren = "[", "]"
         if self.offset:
-            offset_str = "".join(x.render(formatting)[0] if not isinstance(x, (bytes, str)) else x for x in self.offset)
+            offset_str = "".join(x.render(formatting)[0] if not isinstance(x, str) else x for x in self.offset)
             # combine values and offsets according to self.offset_location
             if self.offset_location == "prefix":
@@ -829,9 +880,7 @@ class MemoryOperand(Operand):
             prefix_str += " "
             if self.offset:
-                offset_str = "".join(
-                    x.render(formatting)[0] if not isinstance(x, (bytes, str)) else x for x in self.offset
-                )
+                offset_str = "".join(x.render(formatting)[0] if not isinstance(x, str) else x for x in self.offset)
                 # combine values and offsets according to self.offset_location
                 if self.offset_location == "prefix":
@@ -873,12 +922,14 @@ class Register(OperandPiece):
 class Value(OperandPiece):
-    def __init__(self, val, render_with_sign):
+    def __init__(self, val, render_with_sign, render_with_pound_sign: bool = False):
         self.val = val
         self.render_with_sign = render_with_sign
+        self.render_with_pound_sign = render_with_pound_sign
     @property
     def project(self):
+        assert self.parentop is not None
         return self.parentop.parentinsn.project
     def __eq__(self, other):
@@ -888,26 +939,26 @@ class Value(OperandPiece):
         if formatting is not None:
             try:
                 style = formatting["int_styles"][self.ident]
-                if style[0] == "hex":
-                    if self.render_with_sign:
-                        return [f"{self.val:+#x}"]
-                    return [f"{self.val:#x}"]
-                if style[0] == "dec":
-                    if self.render_with_sign:
-                        return [f"{self.val:+d}"]
-                    return [str(self.val)]
                 if style[0] == "label":
                     labeloffset = style[1]
                     if labeloffset == 0:
                         lbl = self.project.kb.labels[self.val]
                         return [lbl]
-                    return [
-                        "{}{}{:#+x}".format(
-                            "+" if self.render_with_sign else "",
-                            self.project.kb.labels[self.val + labeloffset],
-                            labeloffset,
-                        )
-                    ]
+                    s = "{}{}{:#+x}".format(
+                        "+" if self.render_with_sign else "",
+                        self.project.kb.labels[self.val + labeloffset],
+                        labeloffset,
+                    )
+                elif style[0] == "hex":
+                    s = f"{self.val:+#x}" if self.render_with_sign else f"{self.val:#x}"
+                    if self.render_with_pound_sign:
+                        s = "#" + s
+                else:  # "dec"
+                    s = f"{self.val:+d}" if self.render_with_sign else str(self.val)
+                if self.render_with_pound_sign:
+                    s = "#" + s
+                return [s]
             except KeyError:
                 pass
@@ -927,9 +978,10 @@ class Value(OperandPiece):
             return [("+" if self.render_with_sign else "") + lbl]
         if func is not None:
             return [func.demangled_name]
-        if self.render_with_sign:
-            return [f"{self.val:+#x}"]
-        return [f"{self.val:#x}"]
+        s = f"{self.val:+#x}" if self.render_with_sign else f"{self.val:#x}"
+        if self.render_with_pound_sign:
+            s = "#" + s
+        return [s]
 class Comment(DisassemblyPiece):
@@ -1079,10 +1131,11 @@ class Disassembly(Analysis):
         if irsb.statements is not None:
             if pcode is not None and isinstance(self.project.factory.default_engine, pcode.HeavyPcodeMixin):
                 addr = None
-                for stmt_idx, op in enumerate(irsb._ops):
+                for stmt_idx, op in enumerate(irsb._ops):  # type:ignore
                     if op.opcode == pypcode.OpCode.IMARK:
                         addr = op.inputs[0].offset
                     else:
+                        assert addr is not None
                         addr_to_ops_map[addr].append(IROp(addr, stmt_idx, op, irsb))
             else:
                 for seq, stmt in enumerate(irsb.statements):
@@ -1166,22 +1219,23 @@ class Disassembly(Analysis):
         buf = []
         if formatting is None:
+            colors = (
+                {
+                    "address": "gray",
+                    "bytes": "cyan",
+                    "edge": "yellow",
+                    Label: "bright_yellow",
+                    ConstantOperand: "cyan",
+                    MemoryOperand: "yellow",
+                    Comment: "gray",
+                    Hook: "green",
+                }
+                if ansi_color_enabled and color
+                else {}
+            )
             formatting = {
-                "colors": (
-                    {
-                        "address": "gray",
-                        "bytes": "cyan",
-                        "edge": "yellow",
-                        Label: "bright_yellow",
-                        ConstantOperand: "cyan",
-                        MemoryOperand: "yellow",
-                        Comment: "gray",
-                        Hook: "green",
-                    }
-                    if ansi_color_enabled and color
-                    else {}
-                ),
-                "format_callback": lambda item, s: ansi_color(s, formatting["colors"].get(type(item), None)),
+                "colors": colors,
+                "format_callback": lambda item, s: ansi_color(s, colors.get(type(item), None)),
             }
         def col(item: Any) -> str | None:
@@ -1234,12 +1288,14 @@ class Disassembly(Analysis):
                 # Format the instruction's address, bytes, disassembly, and comment
                 s_plain = format_address(item.addr, False)
                 s = format_address(item.addr)
+                bytes_column = 0
                 if show_bytes:
                     bytes_column = len(s_plain)
                     s_plain += format_bytes(insn_bytes[0], False)
                     s += format_bytes(insn_bytes[0])
                 s_plain += item.render()[0]
                 s += item.render(formatting)[0]
+                comment_column = 0
                 if comment is not None:
                     comment_column = len(s_plain)
                     s += format_comment(comment.text[0])