angr 9.2.78__py3-none-win_amd64.whl → 9.2.80__py3-none-win_amd64.whl

angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py

@@ -6,6 +6,7 @@ import logging
 import ailment
 import cle
 
+from angr.utils.funcid import is_function_security_check_cookie
 from .optimization_pass import OptimizationPass, OptimizationPassStage
 
 
@@ -48,24 +49,24 @@ class WinStackCanarySimplifier(OptimizationPass):
             return False, None
 
         # Check the first block and see if there is any statement reading data from _security_cookie
-        init_stmt = self._find_canary_init_stmt()
+        init_stmts = self._find_canary_init_stmt()
 
-        return init_stmt is not None, {"init_stmt": init_stmt}
+        return init_stmts is not None, {"init_stmts": init_stmts}
 
     def _analyze(self, cache=None):
-        init_stmt = None
+        init_stmts = None
         if cache is not None:
-            init_stmt = cache.get("init_stmt", None)
+            init_stmts = cache.get("init_stmts", None)
 
-        if init_stmt is None:
-            init_stmt = self._find_canary_init_stmt()
+        if init_stmts is None:
+            init_stmts = self._find_canary_init_stmt()
 
-        if init_stmt is None:
+        if init_stmts is None:
             return
 
         # Look for the statement that loads back canary value from the stack
-        first_block, canary_init_stmt_idx = init_stmt
-        canary_init_stmt = first_block.statements[canary_init_stmt_idx]
+        first_block, canary_init_stmt_ids = init_stmts
+        canary_init_stmt = first_block.statements[canary_init_stmt_ids[-1]]
         # where is the stack canary stored?
         if not isinstance(canary_init_stmt.addr, ailment.Expr.StackBaseOffset):
             _l.debug(
@@ -142,7 +143,8 @@ class WinStackCanarySimplifier(OptimizationPass):
         if found_endpoints:
             # Remove the statement that loads the stack canary from fs
             first_block_copy = first_block.copy()
-            first_block_copy.statements.pop(canary_init_stmt_idx)
+            for stmt_idx in sorted(canary_init_stmt_ids, reverse=True):
+                first_block_copy.statements.pop(stmt_idx)
             self._update_block(first_block, first_block_copy)
 
     def _find_canary_init_stmt(self):
@@ -150,7 +152,13 @@ class WinStackCanarySimplifier(OptimizationPass):
         if first_block is None:
             return None
 
+        load_stmt_idx = None
+        load_reg = None
+        xor_stmt_idx = None
+        xored_reg = None
+
         for idx, stmt in enumerate(first_block.statements):
+            # if we are lucky and things get folded into one statement:
             if (
                 isinstance(stmt, ailment.Stmt.Store)
                 and isinstance(stmt.addr, ailment.Expr.StackBaseOffset)
@@ -163,13 +171,51 @@ class WinStackCanarySimplifier(OptimizationPass):
                 # Check addr: must be __security_cookie
                 load_addr = stmt.data.operands[0].addr.value
                 if load_addr == self._security_cookie_addr:
-                    return first_block, idx
+                    return first_block, [idx]
+            # or if we are unlucky and the load and the xor are two different statements
+            if (
+                isinstance(stmt, ailment.Stmt.Assignment)
+                and isinstance(stmt.dst, ailment.Expr.Register)
+                and isinstance(stmt.src, ailment.Expr.Load)
+                and isinstance(stmt.src.addr, ailment.Expr.Const)
+            ):
+                load_addr = stmt.src.addr.value
+                if load_addr == self._security_cookie_addr:
+                    load_stmt_idx = idx
+                    load_reg = stmt.dst.reg_offset
+            if load_stmt_idx is not None and idx == load_stmt_idx + 1:
+                if (
+                    isinstance(stmt, ailment.Stmt.Assignment)
+                    and isinstance(stmt.dst, ailment.Expr.Register)
+                    and isinstance(stmt.src, ailment.Expr.BinaryOp)
+                    and stmt.src.op == "Xor"
+                    and isinstance(stmt.src.operands[0], ailment.Expr.Register)
+                    and stmt.src.operands[0].reg_offset == load_reg
+                    and isinstance(stmt.src.operands[1], ailment.Expr.StackBaseOffset)
+                ):
+                    xor_stmt_idx = idx
+                    xored_reg = stmt.dst.reg_offset
+                else:
+                    break
+            if xor_stmt_idx is not None and idx == xor_stmt_idx + 1:
+                if (
+                    isinstance(stmt, ailment.Stmt.Store)
+                    and isinstance(stmt.addr, ailment.Expr.StackBaseOffset)
+                    and isinstance(stmt.data, ailment.Expr.Register)
+                    and stmt.data.reg_offset == xored_reg
+                ):
+                    return first_block, [load_stmt_idx, xor_stmt_idx, idx]
+                else:
+                    break
 
         return None
 
     @staticmethod
     def _find_amd64_canary_storing_stmt(block, canary_value_stack_offset):
+        load_stmt_idx = None
+
         for idx, stmt in enumerate(block.statements):
+            # when we are lucky, we have one instruction
             if (
                 isinstance(stmt, ailment.Stmt.Assignment)
                 and isinstance(stmt.dst, ailment.Expr.Register)
@@ -185,7 +231,29 @@ class WinStackCanarySimplifier(OptimizationPass):
                         if isinstance(op1, ailment.Expr.StackBaseOffset):
                             # found it
                             return idx
-
+            # or when we are unlucky, we have two instructions...
+            if (
+                isinstance(stmt, ailment.Stmt.Assignment)
+                and isinstance(stmt.dst, ailment.Expr.Register)
+                and stmt.dst.reg_name == "rcx"
+                and isinstance(stmt.src, ailment.Expr.Load)
+                and isinstance(stmt.src.addr, ailment.Expr.StackBaseOffset)
+                and stmt.src.addr.offset == canary_value_stack_offset
+            ):
+                load_stmt_idx = idx
+            if load_stmt_idx is not None and idx == load_stmt_idx + 1:
+                if (
+                    isinstance(stmt, ailment.Stmt.Assignment)
+                    and isinstance(stmt.dst, ailment.Expr.Register)
+                    and isinstance(stmt.src, ailment.Expr.BinaryOp)
+                    and stmt.src.op == "Xor"
+                ):
+                    if (
+                        isinstance(stmt.src.operands[0], ailment.Expr.Register)
+                        and stmt.src.operands[0].reg_name == "rcx"
+                        and isinstance(stmt.src.operands[1], ailment.Expr.StackBaseOffset)
+                    ):
+                        return idx
         return None
 
     @staticmethod
@@ -208,5 +276,7 @@ class WinStackCanarySimplifier(OptimizationPass):
                     func = self.kb.functions.function(addr=const_target)
                     if func.name == "_security_check_cookie":
                         return idx
+                    elif is_function_security_check_cookie(func, self.project, self._security_cookie_addr):
+                        return idx
 
         return None

angr/analyses/decompiler/peephole_optimizations/__init__.py

@@ -40,10 +40,12 @@ from .sar_to_signed_div import SarToSignedDiv
 from .tidy_stack_addr import TidyStackAddr
 from .invert_negated_logical_conjuction_disjunction import InvertNegatedLogicalConjunctionsAndDisjunctions
 from .rol_ror import RolRorRewriter
+from .inlined_strcpy import InlinedStrcpy
+from .inlined_strcpy_consolidation import InlinedStrcpyConsolidation
 
-from .base import PeepholeOptimizationExprBase, PeepholeOptimizationStmtBase
-
+from .base import PeepholeOptimizationExprBase, PeepholeOptimizationStmtBase, PeepholeOptimizationMultiStmtBase
 
+MULTI_STMT_OPTS: List[Type[PeepholeOptimizationMultiStmtBase]] = []
 STMT_OPTS: List[Type[PeepholeOptimizationStmtBase]] = []
 EXPR_OPTS: List[Type[PeepholeOptimizationExprBase]] = []
 
@@ -55,4 +57,11 @@ for v in _g.values():
     if isinstance(v, type) and issubclass(v, PeepholeOptimizationStmtBase) and v is not PeepholeOptimizationStmtBase:
         STMT_OPTS.append(v)
 
+    if (
+        isinstance(v, type)
+        and issubclass(v, PeepholeOptimizationMultiStmtBase)
+        and v is not PeepholeOptimizationMultiStmtBase
+    ):
+        MULTI_STMT_OPTS.append(v)
+
 _g = None

angr/analyses/decompiler/peephole_optimizations/base.py

@@ -1,7 +1,7 @@
-from typing import Optional
+from typing import List, Optional
 
 from ailment.expression import BinaryOp, UnaryOp, Expression
-from ailment.statement import Assignment
+from ailment.statement import Statement, Assignment
 from ailment import Block
 from angr.project import Project
 from angr.knowledge_base import KnowledgeBase
@@ -34,6 +34,33 @@ class PeepholeOptimizationStmtBase:
         raise NotImplementedError("_optimize() is not implemented.")
 
 
+class PeepholeOptimizationMultiStmtBase:
+    """
+    The base class for all peephole optimizations that are applied on multiple AIL statements at once.
+    """
+
+    __slots__ = (
+        "project",
+        "kb",
+        "func_addr",
+    )
+    project: Optional[Project]
+    kb: Optional[KnowledgeBase]
+    func_addr: Optional[int]
+
+    NAME = "Peephole Optimization - Multi-statement"
+    DESCRIPTION = "Peephole Optimization - Multi-statement"
+    stmt_classes = None
+
+    def __init__(self, project: Optional[Project], kb: Optional[KnowledgeBase], func_addr: Optional[int] = None):
+        self.project = project
+        self.kb = kb
+        self.func_addr = func_addr
+
+    def optimize(self, stmts: List[Statement], stmt_idx: Optional[int] = None, block=None, **kwargs):
+        raise NotImplementedError("_optimize() is not implemented.")
+
+
 class PeepholeOptimizationExprBase:
     """
     The base class for all peephole optimizations that are applied on AIL expressions.

angr/analyses/decompiler/peephole_optimizations/constant_derefs.py

@@ -20,7 +20,7 @@ class ConstantDereferences(PeepholeOptimizationExprBase):
             if sec is not None and sec.is_readable and (not sec.is_writable or "got" in sec.name):
                 # do we know the value that it's reading?
                 try:
-                    val = self.project.loader.memory.unpack_word(expr.addr.value, size=self.project.arch.bytes)
+                    val = self.project.loader.memory.unpack_word(expr.addr.value, size=expr.size)
                 except KeyError:
                     return expr
 

angr/analyses/decompiler/peephole_optimizations/eager_eval.py

@@ -1,6 +1,6 @@
 from math import gcd
 
-from ailment.expression import BinaryOp, UnaryOp, Const
+from ailment.expression import BinaryOp, UnaryOp, Const, Convert
 
 from .base import PeepholeOptimizationExprBase
 
@@ -13,11 +13,13 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
     __slots__ = ()
 
     NAME = "Eager expression evaluation"
-    expr_classes = (BinaryOp, UnaryOp)
+    expr_classes = (BinaryOp, UnaryOp, Convert)
 
     def optimize(self, expr, **kwargs):
         if isinstance(expr, BinaryOp):
             return self._optimize_binaryop(expr)
+        elif isinstance(expr, Convert):
+            return self._optimize_convert(expr)
         elif isinstance(expr, UnaryOp):
             return self._optimize_unaryop(expr)
         return None
@@ -192,3 +194,13 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
             return new_expr
 
         return None
+
+    @staticmethod
+    def _optimize_convert(expr: Convert):
+        if isinstance(expr.operand, Const):
+            if expr.from_bits > expr.to_bits:
+                # truncation
+                mask = (1 << expr.to_bits) - 1
+                v = expr.operand.value & mask
+                return Const(expr.idx, expr.operand.variable, v, expr.to_bits, **expr.operand.tags)
+        return None

angr/analyses/decompiler/peephole_optimizations/inlined_strcpy.py

@@ -0,0 +1,83 @@
+# pylint:disable=arguments-differ
+from typing import Tuple, Optional
+import string
+
+from archinfo import Endness
+
+from ailment.expression import Const
+from ailment.statement import Call, Store
+
+from .base import PeepholeOptimizationStmtBase
+
+
+ASCII_PRINTABLES = set(string.printable)
+ASCII_DIGITS = set(string.digits)
+
+
+class InlinedStrcpy(PeepholeOptimizationStmtBase):
+    """
+    Simplifies inlined string copying logic into calls to strcpy.
+    """
+
+    __slots__ = ()
+
+    NAME = "Simplifying inlined strcpy"
+    stmt_classes = (Store,)
+
+    def optimize(self, stmt: Store, **kwargs):
+        if isinstance(stmt.data, Const):
+            r, s = self.is_integer_likely_a_string(stmt.data.value, stmt.data.size, stmt.endness)
+            if r:
+                # replace it with a call to strncpy
+                str_id = self.kb.custom_strings.allocate(s.encode("ascii"))
+                return Call(
+                    stmt.idx,
+                    "strncpy",
+                    args=[
+                        stmt.addr,
+                        Const(None, None, str_id, stmt.addr.bits, custom_string=True),
+                        Const(None, None, len(s), self.project.arch.bits),
+                    ],
+                    **stmt.tags,
+                )
+
+        return None
+
+    @staticmethod
+    def is_integer_likely_a_string(
+        v: int, size: int, endness: Endness, min_length: int = 4
+    ) -> Tuple[bool, Optional[str]]:
+        # we need at least four bytes of printable characters
+
+        chars = []
+        if endness == Endness.LE:
+            while v != 0:
+                byt = v & 0xFF
+                if chr(byt) not in ASCII_PRINTABLES:
+                    return False, None
+                chars.append(chr(byt))
+                v >>= 8
+
+        elif endness == Endness.BE:
+            first_non_zero = False
+            for _ in range(size):
+                byt = v & 0xFF
+                v >>= 8
+                if byt == 0:
+                    if first_non_zero:
+                        return False, None
+                    continue
+                first_non_zero = True  # this is the first non-zero byte
+                if chr(byt) not in ASCII_PRINTABLES:
+                    return False, None
+                chars.append(chr(byt))
+            chars = chars[::-1]
+        else:
+            # unsupported endness
+            return False, None
+
+        if len(chars) >= min_length:
+            if len(chars) <= 4 and all(ch in ASCII_DIGITS for ch in chars):
+                return False, None
+            return True, "".join(chars)
+        return False, None

angr/analyses/decompiler/peephole_optimizations/inlined_strcpy_consolidation.py

@@ -0,0 +1,103 @@
+# pylint:disable=arguments-differ
+from typing import List, Tuple, Optional
+
+from ailment.expression import Expression, BinaryOp, Const, Register, StackBaseOffset
+from ailment.statement import Call, Store
+
+from .base import PeepholeOptimizationMultiStmtBase
+from .inlined_strcpy import InlinedStrcpy
+
+
+class InlinedStrcpyConsolidation(PeepholeOptimizationMultiStmtBase):
+    """
+    Consolidate multiple inlined strcpy calls.
+    """
+
+    __slots__ = ()
+
+    NAME = "Consolidate multiple inlined strcpy calls"
+    stmt_classes = ((Call, Call), (Call, Store))
+
+    def optimize(self, stmts: List[Call], **kwargs):
+        last_stmt, stmt = stmts
+        if InlinedStrcpyConsolidation._is_inlined_strcpy(last_stmt):
+            s_last: bytes = self.kb.custom_strings[last_stmt.args[1].value]
+            addr_last = last_stmt.args[0]
+            new_str = None  # will be set if consolidation should happen
+
+            if isinstance(stmt, Call) and InlinedStrcpyConsolidation._is_inlined_strcpy(stmt):
+                # consolidating two calls
+                s_curr: bytes = self.kb.custom_strings[stmt.args[1].value]
+                addr_curr = stmt.args[0]
+                # determine if the two addresses are consecutive
+                delta = self._get_delta(addr_last, addr_curr)
+                if delta is not None and delta == len(s_last):
+                    # consolidate both calls!
+                    new_str = s_last + s_curr
+            elif isinstance(stmt, Store) and isinstance(stmt.data, Const):
+                # consolidating a call and a store, in case the store statement is storing the suffix of a string (but
+                # the suffix is too short to qualify an inlined strcpy optimization)
+                addr_curr = stmt.addr
+                delta = self._get_delta(addr_last, addr_curr)
+                if delta is not None and delta == len(s_last):
+                    if stmt.size == 1 and stmt.data.value == 0:
+                        # it's probably the terminating null byte
+                        r, s = True, "\x00"
+                    else:
+                        r, s = InlinedStrcpy.is_integer_likely_a_string(
+                            stmt.data.value, stmt.size, stmt.endness, min_length=1
+                        )
+                    if r:
+                        new_str = s_last + s.encode("ascii")
+
+            if new_str is not None:
+                if new_str.endswith(b"\x00"):
+                    call_name = "strcpy"
+                    new_str_idx = self.kb.custom_strings.allocate(new_str[:-1])
+                    args = [
+                        last_stmt.args[0],
+                        Const(None, None, new_str_idx, last_stmt.args[0].bits, custom_string=True),
+                    ]
+                else:
+                    call_name = "strncpy"
+                    new_str_idx = self.kb.custom_strings.allocate(new_str)
+                    args = [
+                        last_stmt.args[0],
+                        Const(None, None, new_str_idx, last_stmt.args[0].bits, custom_string=True),
+                        Const(None, None, len(new_str), self.project.arch.bits),
+                    ]
+
+                return [Call(stmt.idx, call_name, args=args, **stmt.tags)]
+
+        return None
+
+    @staticmethod
+    def _is_inlined_strcpy(stmt: Call):
+        if isinstance(stmt.target, str) and stmt.target == "strncpy":
+            if len(stmt.args) == 3 and isinstance(stmt.args[1], Const) and hasattr(stmt.args[1], "custom_string"):
+                return True
+        return False
+
+    @staticmethod
+    def _parse_addr(addr: Expression) -> Tuple[Expression, int]:
+        if isinstance(addr, Register):
+            return addr, 0
+        if isinstance(addr, StackBaseOffset):
+            return StackBaseOffset(None, addr.bits, 0), addr.offset
+        if isinstance(addr, BinaryOp):
+            if addr.op == "Add" and isinstance(addr.operands[1], Const):
+                base_0, offset_0 = InlinedStrcpyConsolidation._parse_addr(addr.operands[0])
+                return base_0, offset_0 + addr.operands[1].value
+            if addr.op == "Sub" and isinstance(addr.operands[1], Const):
+                base_0, offset_0 = InlinedStrcpyConsolidation._parse_addr(addr.operands[0])
+                return base_0, offset_0 - addr.operands[1].value
+
+        return addr, 0
+
+    @staticmethod
+    def _get_delta(addr_0: Expression, addr_1: Expression) -> Optional[int]:
+        base_0, offset_0 = InlinedStrcpyConsolidation._parse_addr(addr_0)
+        base_1, offset_1 = InlinedStrcpyConsolidation._parse_addr(addr_1)
+        if base_0.likes(base_1):
+            return offset_1 - offset_0
+        return None

angr/analyses/decompiler/region_simplifiers/ifelse.py

@@ -42,20 +42,29 @@ class IfElseFlattener(SequenceWalker):
 
         if node.true_node is not None and node.false_node is not None:
             try:
-                last_stmts = ConditionProcessor.get_last_statements(node.true_node)
+                true_last_stmts = ConditionProcessor.get_last_statements(node.true_node)
             except EmptyBlockNotice:
-                last_stmts = None
+                true_last_stmts = None
             if (
-                last_stmts is not None
-                and None not in last_stmts
-                and all(is_statement_terminating(stmt, self.functions) for stmt in last_stmts)
+                true_last_stmts is not None
+                and None not in true_last_stmts
+                and all(is_statement_terminating(stmt, self.functions) for stmt in true_last_stmts)
             ):
                 # all end points in the true node are returning
-
-                # remove the else node and make it a new node following node
-                else_node = node.false_node
-                node.false_node = None
-                insert_node(parent, "after", else_node, index, **kwargs)
+                try:
+                    false_last_stmts = ConditionProcessor.get_last_statements(node.false_node)
+                except EmptyBlockNotice:
+                    false_last_stmts = None
+                if (
+                    false_last_stmts is not None
+                    and None not in false_last_stmts
+                    and not all(is_statement_terminating(stmt, self.functions) for stmt in false_last_stmts)
+                ):
+                    # not all end points in the false node are returning. in this case, we remove the else node and
+                    # make it a new node following node
+                    else_node = node.false_node
+                    node.false_node = None
+                    insert_node(parent, "after", else_node, index, **kwargs)
 
     def _handle_CascadingCondition(self, node: CascadingConditionNode, parent=None, index=None, **kwargs):
         super()._handle_CascadingCondition(node, parent=parent, index=index, **kwargs)

angr/analyses/decompiler/region_simplifiers/region_simplifier.py

@@ -24,11 +24,12 @@ class RegionSimplifier(Analysis):
     Simplifies a given region.
     """
 
-    def __init__(self, func, region, variable_kb=None, simplify_switches: bool = True):
+    def __init__(self, func, region, variable_kb=None, simplify_switches: bool = True, simplify_ifelse: bool = True):
         self.func = func
         self.region = region
         self.variable_kb = variable_kb
         self._simplify_switches = simplify_switches
+        self._should_simplify_ifelses = simplify_ifelse
 
         self.goto_manager: Optional[GotoManager] = None
         self.result = None
@@ -70,7 +71,8 @@ class RegionSimplifier(Analysis):
         # Remove empty nodes
         r = self._remove_empty_nodes(r)
         # Remove unnecessary else branches if the if branch will always return
-        r = self._simplify_ifelses(r)
+        if self._should_simplify_ifelses:
+            r = self._simplify_ifelses(r)
         #
         r = self._simplify_cascading_ifs(r)
         #

angr/analyses/decompiler/structured_codegen/c.py

@@ -2037,11 +2037,22 @@ class CConstant(CExpression):
                     return
                 yield hex(self.reference_values[self._type]), self
             elif isinstance(self._type, SimTypePointer) and isinstance(self._type.pts_to, SimTypeChar):
-                refval = self.reference_values[self._type]  # angr.knowledge_plugin.cfg.MemoryData
-                yield CConstant.str_to_c_str(refval.content.decode("utf-8")), self
+                refval = self.reference_values[self._type]
+                if isinstance(refval, MemoryData):
+                    v = refval.content.decode("utf-8")
+                else:
+                    # it's a string
+                    assert isinstance(v, str)
+                    v = refval
+                yield CConstant.str_to_c_str(v), self
             elif isinstance(self._type, SimTypePointer) and isinstance(self._type.pts_to, SimTypeWideChar):
-                refval = self.reference_values[self._type]  # angr.knowledge_plugin.cfg.MemoryData
-                yield CConstant.str_to_c_str(refval.content.decode("utf_16_le"), prefix="L"), self
+                refval = self.reference_values[self._type]
+                if isinstance(refval, MemoryData):
+                    v = refval.content.decode("utf_16_le")
+                else:
+                    # it's a string
+                    v = refval
+                yield CConstant.str_to_c_str(v, prefix="L"), self
             else:
                 if isinstance(self.reference_values[self._type], int):
                     yield self.fmt_int(self.reference_values[self._type]), self
@@ -3199,6 +3210,11 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
         inline_string = False
         function_pointer = False
 
+        if reference_values is None and hasattr(expr, "reference_values"):
+            reference_values = expr.reference_values.copy()
+            if reference_values:
+                type_ = next(iter(reference_values))
+
         if reference_values is None:
             reference_values = {}
             type_ = unpack_typeref(type_)