angr 9.2.78__py3-none-win_amd64.whl → 9.2.80__py3-none-win_amd64.whl

angr/__init__.py

@@ -1,7 +1,7 @@
 # pylint: disable=wildcard-import
 # pylint: disable=wrong-import-position
 
-__version__ = "9.2.78"
+__version__ = "9.2.80"
 
 if bytes is str:
     raise Exception(

angr/__main__.py

@@ -0,0 +1,59 @@
+import argparse
+
+from angr.analyses.decompiler.structuring import STRUCTURER_CLASSES
+from angr.analyses.decompiler.utils import decompile_functions
+
+
+class COMMANDS:
+    """
+    The commands that the angr CLI supports.
+    """
+
+    DECOMPILE = "decompile"
+    ALL_COMMANDS = [DECOMPILE]
+
+
+def main():
+    parser = argparse.ArgumentParser(description="The angr CLI allows you to decompile and analyze binaries.")
+    parser.add_argument(
+        "command",
+        help="""
+        The analysis type to run on the binary. All analysis is output to stdout.""",
+        choices=COMMANDS.ALL_COMMANDS,
+    )
+    parser.add_argument("binary", help="The path to the binary to analyze.")
+    parser.add_argument(
+        "--functions",
+        help="""
+        The functions to analyze under the current command. Functions can either be expressed as names found in the
+        symbols of the binary or as addresses like: 0x401000.""",
+        nargs="+",
+    )
+    parser.add_argument(
+        "--catch-exceptions",
+        help="""
+        Catch exceptions during analysis. The scope of error handling may depend on the command used for analysis.
+        If multiple functions are specified for analysis, each function will be handled individually.""",
+        action="store_true",
+        default=False,
+    )
+    # decompilation-specific arguments
+    parser.add_argument(
+        "--structurer",
+        help="The structuring algorithm to use for decompilation.",
+        choices=STRUCTURER_CLASSES.keys(),
+        default="phoenix",
+    )
+
+    args = parser.parse_args()
+    if args.command == COMMANDS.DECOMPILE:
+        decompilation = decompile_functions(
+            args.binary, functions=args.functions, structurer=args.structurer, catch_errors=args.catch_exceptions
+        )
+        print(decompilation)
+    else:
+        parser.print_help()
+
+
+if __name__ == "__main__":
+    main()

angr/analyses/cfg/cfg_fast.py

@@ -40,6 +40,12 @@ from angr.errors import (
     SimIRSBNoDecodeError,
 )
 from angr.utils.constants import DEFAULT_STATEMENT
+from angr.utils.funcid import (
+    is_function_security_check_cookie,
+    is_function_security_init_cookie,
+    is_function_security_init_cookie_win8,
+    is_function_likely_security_init_cookie,
+)
 from angr.analyses import ForwardAnalysis
 from .cfg_arch_options import CFGArchOptions
 from .cfg_base import CFGBase
@@ -1617,6 +1623,8 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         if self._collect_data_ref:
             self._post_process_string_references()
 
+        self._rename_common_functions_and_symbols()
+
         CFGBase._post_analysis(self)
 
         # Clean up
@@ -1653,6 +1661,69 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 else:
                     l.exception("Error collecting XRefs for function %#x.", f_addr, exc_info=True)
 
+    def _rename_common_functions_and_symbols(self):
+        """
+        This function implements logic for renaming some commonly seen functions in an architecture- and OS-specific
+        way.
+        """
+
+        if (
+            self.project.simos is not None
+            and self.project.arch.name == "AMD64"
+            and self.project.simos.name == "Win32"
+            and isinstance(self.project.loader.main_object, cle.PE)
+        ):
+            security_cookie_addr = self.project.loader.main_object.load_config.get("SecurityCookie", None)
+            security_check_cookie_found = False
+            security_init_cookie_found = False
+            if security_cookie_addr is not None:
+                if security_cookie_addr not in self.kb.labels:
+                    self.kb.labels[security_cookie_addr] = "_security_cookie"
+                # identify _security_init_cookie and _security_check_cookie
+                xrefs = self.kb.xrefs.get_xrefs_by_dst(security_cookie_addr)
+                tested_func_addrs = set()
+                for xref in xrefs:
+                    cfg_node = self.model.get_any_node(xref.block_addr)
+                    if cfg_node is None:
+                        continue
+                    func_addr = cfg_node.function_address
+                    if func_addr not in tested_func_addrs:
+                        func = self.kb.functions.get_by_addr(func_addr)
+                        if not security_check_cookie_found and is_function_security_check_cookie(
+                            func, self.project, security_cookie_addr
+                        ):
+                            security_check_cookie_found = True
+                            func.is_default_name = False
+                            func.name = "_security_check_cookie"
+                        elif not security_init_cookie_found and is_function_security_init_cookie(
+                            func, self.project, security_cookie_addr
+                        ):
+                            security_init_cookie_found = True
+                            func.is_default_name = False
+                            func.name = "_security_init_cookie"
+                        elif not security_init_cookie_found and is_function_security_init_cookie_win8(
+                            func, self.project, security_cookie_addr
+                        ):
+                            security_init_cookie_found = True
+                            func.is_default_name = False
+                            func.name = "_security_init_cookie"
+                        tested_func_addrs.add(func_addr)
+                    if security_init_cookie_found and security_check_cookie_found:
+                        # both are found. exit from the loop
+                        break
+
+            # special handling: some binaries do not have SecurityCookie set, but still contain _security_init_cookie
+            if security_init_cookie_found is False:
+                start_func = self.functions.get_by_addr(self.project.entry)
+                if start_func is not None:
+                    for callee in start_func.transition_graph:
+                        if isinstance(callee, Function):
+                            if not security_init_cookie_found and is_function_likely_security_init_cookie(callee):
+                                security_init_cookie_found = True
+                                callee.is_default_name = False
+                                callee.name = "_security_init_cookie"
+                                break
+
     def _post_process_string_references(self) -> None:
         """
         Finds overlapping string references and retrofit them so that we see full strings in memory data.
@@ -2008,9 +2079,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
             ins_addr = addr
             for i, stmt in enumerate(irsb.statements):
                 if isinstance(stmt, pyvex.IRStmt.Exit):
-                    successors.append(
-                        (i, last_ins_addr if self.project.arch.branch_delay_slot else ins_addr, stmt.dst, stmt.jumpkind)
-                    )
+                    branch_ins_addr = last_ins_addr if self.project.arch.branch_delay_slot else ins_addr
+                    if self._is_branch_vex_artifact_only(irsb, branch_ins_addr, stmt):
+                        continue
+                    successors.append((i, branch_ins_addr, stmt.dst, stmt.jumpkind))
                 elif isinstance(stmt, pyvex.IRStmt.IMark):
                     last_ins_addr = ins_addr
                     ins_addr = stmt.addr + stmt.delta
@@ -2025,6 +2097,8 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                     idx_ = irsb.instruction_addresses.index(ins_addr)
                     if idx_ > 0:
                         branch_ins_addr = irsb.instruction_addresses[idx_ - 1]
+                elif self._is_branch_vex_artifact_only(irsb, branch_ins_addr, exit_stmt):
+                    continue
                 successors.append((stmt_idx, branch_ins_addr, exit_stmt.dst, exit_stmt.jumpkind))
 
         # default statement
@@ -4586,6 +4660,18 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                         ):
                             rbp_as_gpr = False
                             break
+                    elif (
+                        insn.mnemonic == "lea"
+                        and len(insn.operands) == 2
+                        and insn.operands[0].type == capstone.x86.X86_OP_REG
+                        and insn.operands[1].type == capstone.x86.X86_OP_MEM
+                    ):
+                        if (
+                            insn.operands[0].reg == capstone.x86.X86_REG_RBP
+                            and insn.operands[1].mem.base == capstone.x86.X86_REG_RSP
+                        ):
+                            rbp_as_gpr = False
+                            break
                 func = self.kb.functions.get_by_addr(func_addr)
                 func.info["bp_as_gpr"] = rbp_as_gpr
 
@@ -4608,6 +4694,57 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                             queue.append(succ_addr)
         return to_remove
 
+    def _is_branch_vex_artifact_only(self, irsb, branch_ins_addr: int, exit_stmt) -> bool:
+        """
+        Check if an exit is merely the result of VEX lifting. We should drop these exits.
+        These exits point to the same instruction and do not terminate the block.
+
+        Example block:
+
+        1400061c2  lock or byte ptr [rsp], 0x0
+        1400061c7  mov     r9, r8
+        1400061ca  shr     r9, 0x5
+        1400061ce  jne     0x1400060dc
+
+        VEX block:
+
+        00 | ------ IMark(0x1400061c2, 5, 0) ------
+        01 | t3 = GET:I64(rsp)
+        02 | t2 = LDle:I8(t3)
+        03 | t(4,4294967295) = CASle(t3 :: (t2,None)->(t2,None))
+        04 | t13 = CasCmpNE8(t4,t2)
+        05 | if (t13) { PUT(rip) = 0x1400061c2; Ijk_Boring }
+        06 | ------ IMark(0x1400061c7, 3, 0) ------
+        07 | t15 = GET:I64(r8)
+        08 | ------ IMark(0x1400061ca, 4, 0) ------
+        09 | t9 = Shr64(t15,0x05)
+        10 | t16 = Shr64(t15,0x04)
+        11 | PUT(cc_op) = 0x0000000000000024
+        12 | PUT(cc_dep1) = t9
+        13 | PUT(cc_dep2) = t16
+        14 | PUT(r9) = t9
+        15 | PUT(rip) = 0x00000001400061ce
+        16 | ------ IMark(0x1400061ce, 6, 0) ------
+        17 | t29 = GET:I64(cc_ndep)
+        18 | t30 = amd64g_calculate_condition(0x0000000000000004,0x0000000000000024,t9,t16,t29):Ity_I64
+        19 | t25 = 64to1(t30)
+        20 | if (t25) { PUT(rip) = 0x1400061d4; Ijk_Boring }
+        NEXT: PUT(rip) = 0x00000001400060dc; Ijk_Boring
+
+        Statement 5 should not introduce a new exit in the CFG.
+        """
+
+        if (
+            not self.project.arch.branch_delay_slot
+            and irsb.instruction_addresses
+            and branch_ins_addr != irsb.instruction_addresses[-1]
+            and isinstance(exit_stmt.dst, pyvex.const.IRConst)
+            and exit_stmt.dst.value == branch_ins_addr
+            and exit_stmt.jumpkind == "Ijk_Boring"
+        ):
+            return True
+        return False
+
     def _remove_jobs_by_source_node_addr(self, addr: int):
         self._remove_job(lambda j: j.src_node is not None and j.src_node.addr == addr)
 

angr/analyses/decompiler/ail_simplifier.py

@@ -1044,6 +1044,14 @@ class AILSimplifier(Analysis):
                 if u.block_addr not in {b.addr for b in super_node_blocks}:
                     continue
 
+                # check if the register has been overwritten by statements in between the def site and the use site
+                usesite_atom_defs = set(rd.get_defs(the_def.atom, u, OP_BEFORE))
+                if len(usesite_atom_defs) != 1:
+                    continue
+                usesite_atom_def = next(iter(usesite_atom_defs))
+                if usesite_atom_def != the_def:
+                    continue
+
                 # check if any atoms that the call relies on has been overwritten by statements in between the def site
                 # and the use site.
                 defsite_all_expr_uses = set(rd.all_uses.get_uses_by_location(the_def.codeloc))

angr/analyses/decompiler/block_simplifier.py

@@ -15,8 +15,15 @@ from ...analyses.propagator import PropagatorAnalysis
 from ...analyses.reaching_definitions import ReachingDefinitionsAnalysis
 from ...errors import SimMemoryMissingError
 from .. import Analysis, register_analysis
-from .peephole_optimizations import STMT_OPTS, EXPR_OPTS, PeepholeOptimizationStmtBase, PeepholeOptimizationExprBase
-from .utils import peephole_optimize_exprs, peephole_optimize_stmts
+from .peephole_optimizations import (
+    MULTI_STMT_OPTS,
+    STMT_OPTS,
+    EXPR_OPTS,
+    PeepholeOptimizationStmtBase,
+    PeepholeOptimizationExprBase,
+    PeepholeOptimizationMultiStmtBase,
+)
+from .utils import peephole_optimize_exprs, peephole_optimize_stmts, peephole_optimize_multistmts
 
 if TYPE_CHECKING:
     from angr.storage.memory_mixins.paged_memory.pages.multi_values import MultiValues
@@ -78,6 +85,7 @@ class BlockSimplifier(Analysis):
         if peephole_optimizations is None:
             self._expr_peephole_opts = [cls(self.project, self.kb, self.func_addr) for cls in EXPR_OPTS]
             self._stmt_peephole_opts = [cls(self.project, self.kb, self.func_addr) for cls in STMT_OPTS]
+            self._multistmt_peephole_opts = [cls(self.project, self.kb, self.func_addr) for cls in MULTI_STMT_OPTS]
         else:
             self._expr_peephole_opts = [
                 cls(self.project, self.kb, self.func_addr)
@@ -89,6 +97,11 @@ class BlockSimplifier(Analysis):
                 for cls in peephole_optimizations
                 if issubclass(cls, PeepholeOptimizationStmtBase)
             ]
+            self._multistmt_peephole_opts = [
+                cls(self.project, self.kb, self.func_addr)
+                for cls in peephole_optimizations
+                if issubclass(cls, PeepholeOptimizationMultiStmtBase)
+            ]
 
         self.result_block = None
 
@@ -404,9 +417,16 @@ class BlockSimplifier(Analysis):
         # run statement-level optimizations
         statements, stmts_updated = peephole_optimize_stmts(block, self._stmt_peephole_opts)
 
-        if not stmts_updated:
-            return block
-        new_block = block.copy(statements=statements)
+        if stmts_updated:
+            new_block = block.copy(statements=statements)
+        else:
+            new_block = block
+
+        statements, multi_stmts_updated = peephole_optimize_multistmts(new_block, self._multistmt_peephole_opts)
+
+        if not multi_stmts_updated:
+            return new_block
+        new_block = new_block.copy(statements=statements)
         return new_block
 
 

angr/analyses/decompiler/clinic.py

@@ -20,6 +20,7 @@ from ...sim_type import (
     SimTypeFunction,
     SimTypeBottom,
     SimTypeFloat,
+    SimTypePointer,
 )
 from ...sim_variable import SimVariable, SimStackVariable, SimRegisterVariable, SimMemoryVariable
 from ...knowledge_plugins.key_definitions.constants import OP_BEFORE
@@ -259,6 +260,10 @@ class Clinic(Analysis):
         self._update_progress(50.0, text="Making callsites")
         _, stackarg_offsets = self._make_callsites(ail_graph, stack_pointer_tracker=spt)
 
+        # Run simplification passes
+        self._update_progress(65.0, text="Running simplifications 2")
+        ail_graph = self._run_simplification_passes(ail_graph, stage=OptimizationPassStage.AFTER_MAKING_CALLSITES)
+
         # Simplify the entire function for the second time
         self._update_progress(55.0, text="Simplifying function 2")
         self._simplify_function(
@@ -281,7 +286,7 @@ class Clinic(Analysis):
         )
 
         # Run simplification passes
-        self._update_progress(65.0, text="Running simplifications 2")
+        self._update_progress(65.0, text="Running simplifications 3 ")
         ail_graph = self._run_simplification_passes(ail_graph, stage=OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION)
 
         # Simplify the entire function for the third time
@@ -316,7 +321,7 @@ class Clinic(Analysis):
         self._make_function_prototype(arg_list, variable_kb)
 
         # Run simplification passes
-        self._update_progress(95.0, text="Running simplifications 3")
+        self._update_progress(95.0, text="Running simplifications 4")
         ail_graph = self._run_simplification_passes(
             ail_graph, stage=OptimizationPassStage.AFTER_VARIABLE_RECOVERY, variable_kb=variable_kb
         )
@@ -1247,23 +1252,32 @@ class Clinic(Analysis):
                 expr.variable_offset = offset
 
         elif isinstance(expr, ailment.Expr.Const):
-            # global variable?
-            global_vars = global_variables.get_global_variables(expr.value)
-            if not global_vars:
-                # detect if there is a related symbol
-                if self.project.loader.find_object_containing(expr.value):
-                    symbol = self.project.loader.find_symbol(expr.value)
-                    if symbol is not None:
-                        # Create a new global variable if there isn't one already
-                        global_vars = global_variables.get_global_variables(symbol.rebased_addr)
-                        if not global_vars:
-                            global_var = SimMemoryVariable(symbol.rebased_addr, symbol.size, name=symbol.name)
-                            global_variables.add_variable("global", global_var.addr, global_var)
-                            global_vars = {global_var}
-            if global_vars:
-                global_var = next(iter(global_vars))
-                expr.tags["reference_variable"] = global_var
-                expr.tags["reference_variable_offset"] = 0
+            # custom string?
+            if hasattr(expr, "custom_string") and expr.custom_string is True:
+                s = self.kb.custom_strings[expr.value]
+                expr.tags["reference_values"] = {
+                    SimTypePointer(SimTypeChar().with_arch(self.project.arch)).with_arch(self.project.arch): s.decode(
+                        "ascii"
+                    ),
+                }
+            else:
+                # global variable?
+                global_vars = global_variables.get_global_variables(expr.value)
+                if not global_vars:
+                    # detect if there is a related symbol
+                    if self.project.loader.find_object_containing(expr.value):
+                        symbol = self.project.loader.find_symbol(expr.value)
+                        if symbol is not None:
+                            # Create a new global variable if there isn't one already
+                            global_vars = global_variables.get_global_variables(symbol.rebased_addr)
+                            if not global_vars:
+                                global_var = SimMemoryVariable(symbol.rebased_addr, symbol.size, name=symbol.name)
+                                global_variables.add_variable("global", global_var.addr, global_var)
+                                global_vars = {global_var}
+                if global_vars:
+                    global_var = next(iter(global_vars))
+                    expr.tags["reference_variable"] = global_var
+                    expr.tags["reference_variable_offset"] = 0
 
         elif isinstance(expr, ailment.Stmt.Call):
             self._link_variables_on_call(variable_manager, global_variables, block, stmt_idx, expr, is_expr=True)

angr/analyses/decompiler/decompilation_options.py

@@ -97,6 +97,15 @@ options = [
         category="Graph",
         default_value=True,
     ),
+    O(
+        "Simplify if-else to remove terminating else scopes",
+        "Removes terminating else scopes to make the code appear more flat.",
+        bool,
+        "region_simplifier",
+        "simplify_ifelse",
+        category="Graph",
+        default_value=True,
+    ),
     O(
         "Show casts",
         "Disabling this option will blindly remove all C typecast constructs from pseudocode output.",

angr/analyses/decompiler/optimization_passes/__init__.py

@@ -50,6 +50,8 @@ def get_optimization_passes(arch, platform):
 
     if platform is not None:
         platform = platform.lower()
+    if platform == "win32":
+        platform = "windows"  # sigh
 
     passes = []
     for pass_, _ in _all_optimization_passes:
@@ -80,3 +82,7 @@ def get_default_optimization_passes(arch: Union[Arch, str], platform: Optional[s
             passes.append(pass_)
 
     return passes
+
+
+def register_optimization_pass(opt_pass, enable_by_default: bool):
+    _all_optimization_passes.append((opt_pass, enable_by_default))

angr/analyses/decompiler/optimization_passes/engine_base.py

@@ -89,7 +89,7 @@ class SimplifierAILEngine(
         if hasattr(self, handler):
             return getattr(self, handler)(stmt)
         else:
-            _l.warning("Unsupported statement type %s.", type(stmt).__name__)
+            _l.debug("Unsupported statement type %s.", type(stmt).__name__)
             return stmt
 
     def _ail_handle_Assignment(self, stmt):
@@ -176,7 +176,7 @@ class SimplifierAILEngine(
             if v is None:
                 return expr
             return v
-        _l.warning("Unsupported expression type %s.", type(expr).__name__)
+        _l.debug("Unsupported expression type %s.", type(expr).__name__)
         return expr
 
     def _ail_handle_StackBaseOffset(self, expr):  # pylint:disable=no-self-use

angr/analyses/decompiler/optimization_passes/ite_region_converter.py

@@ -84,9 +84,9 @@ class ITERegionConverter(OptimizationPass):
 
             true_child, false_child = None, None
             for child in children:
-                if child.addr == if_stmt.true_target.value:
+                if if_stmt.true_target is not None and child.addr == if_stmt.true_target.value:
                     true_child = child
-                elif child.addr == if_stmt.false_target.value:
+                elif if_stmt.false_target is not None and child.addr == if_stmt.false_target.value:
                     false_child = child
 
             if (

angr/analyses/decompiler/optimization_passes/multi_simplifier.py

@@ -184,18 +184,6 @@ class MultiSimplifierAILEngine(SimplifierAILEngine):
                     new_const = Expr.Const(const_.idx, None, const_.value * const_x0.value, const_.bits)
                     new_expr = Expr.BinaryOp(expr.idx, "Mul", [x, new_const], expr.signed, **expr.tags)
                     return new_expr
-            elif (
-                isinstance(operand_0, Expr.Convert)
-                and isinstance(operand_0.operand, Expr.BinaryOp)
-                and operand_0.operand.op == "Mul"
-                and isinstance(operand_0.operand.operands[1], Expr.Const)
-            ):
-                x = operand_0.operand.operands[0]
-                new_const = Expr.Const(
-                    operand_1.idx, None, operand_1.value * operand_0.operand.operands[1].value, operand_1.bits
-                )
-                new_expr = Expr.BinaryOp(expr.idx, "Mul", [x, new_const], expr.signed, **expr.tags)
-                return new_expr
 
         if (operand_0, operand_1) != (expr.operands[0], expr.operands[1]):
             return Expr.BinaryOp(expr.idx, "Mul", [operand_0, operand_1], expr.signed, **expr.tags)

angr/analyses/decompiler/optimization_passes/optimization_pass.py

@@ -35,11 +35,12 @@ class OptimizationPassStage(Enum):
 
     AFTER_AIL_GRAPH_CREATION = 0
     AFTER_SINGLE_BLOCK_SIMPLIFICATION = 1
-    AFTER_GLOBAL_SIMPLIFICATION = 2
-    AFTER_VARIABLE_RECOVERY = 3
-    BEFORE_REGION_IDENTIFICATION = 4
-    DURING_REGION_IDENTIFICATION = 5
-    AFTER_STRUCTURING = 6
+    AFTER_MAKING_CALLSITES = 2
+    AFTER_GLOBAL_SIMPLIFICATION = 3
+    AFTER_VARIABLE_RECOVERY = 4
+    BEFORE_REGION_IDENTIFICATION = 5
+    DURING_REGION_IDENTIFICATION = 6
+    AFTER_STRUCTURING = 7
 
 
 class BaseOptimizationPass:
@@ -53,6 +54,8 @@ class BaseOptimizationPass:
     STRUCTURING: Optional[
         str
     ] = None  # specifies if this optimization pass is specific to a certain structuring algorithm
+    NAME = "N/A"
+    DESCRIPTION = "N/A"
 
     def __init__(self, func):
         self._func: "Function" = func