angr 9.2.78__py3-none-win_amd64.whl → 9.2.80__py3-none-win_amd64.whl

angr/analyses/decompiler/utils.py

@@ -1,9 +1,13 @@
-# pylint:disable=wrong-import-position
-from typing import Optional, Tuple, Any, Union, List
+import pathlib
+from typing import Optional, Tuple, Any, Union, List, Iterable
+import logging
 
 import networkx
 
 import ailment
+import angr
+
+_l = logging.getLogger(__name__)
 
 
 def remove_last_statement(node):
@@ -533,6 +537,131 @@ def peephole_optimize_stmts(block, stmt_opts):
     return statements, any_update
 
 
+def match_stmt_classes(all_stmts: List, idx: int, stmt_class_seq: Iterable[type]) -> bool:
+    for i, cls in enumerate(stmt_class_seq):
+        if idx + i >= len(all_stmts):
+            return False
+        if not isinstance(all_stmts[idx + i], cls):
+            return False
+    return True
+
+
+def peephole_optimize_multistmts(block, stmt_opts):
+    any_update = False
+    statements = block.statements[::]
+
+    # run multi-statement optimizers
+    stmt_idx = 0
+    while stmt_idx < len(statements):
+        redo = True
+        while redo and stmt_idx < len(statements):
+            redo = False
+            for opt in stmt_opts:
+                matched = False
+                stmt_seq_len = None
+                for stmt_class_seq in opt.stmt_classes:
+                    if match_stmt_classes(statements, stmt_idx, stmt_class_seq):
+                        stmt_seq_len = len(stmt_class_seq)
+                        matched = True
+                        break
+
+                if matched:
+                    matched_stmts = statements[stmt_idx : stmt_idx + stmt_seq_len]
+                    r = opt.optimize(matched_stmts, stmt_idx=stmt_idx, block=block)
+                    if r is not None:
+                        # update statements
+                        statements = statements[:stmt_idx] + r + statements[stmt_idx + stmt_seq_len :]
+                        any_update = True
+                        redo = True
+                        break
+
+        # move on to the next statement
+        stmt_idx += 1
+
+    return statements, any_update
+
+
+def decompile_functions(path, functions=None, structurer=None, catch_errors=False) -> Optional[str]:
+    """
+    Decompile a binary into a set of functions.
+
+    :param path:            The path to the binary to decompile.
+    :param functions:       The functions to decompile. If None, all functions will be decompiled.
+    :param structurer:      The structuring algorithms to use.
+    :param catch_errors:    The structuring algorithms to use.
+    :return:                The decompilation of all functions appended in order.
+    """
+    # delayed imports to avoid circular imports
+    from angr.analyses.decompiler.decompilation_options import PARAM_TO_OPTION
+
+    structurer = structurer or "phoenix"
+    path = pathlib.Path(path).resolve().absolute()
+    proj = angr.Project(path, auto_load_libs=False)
+    cfg = proj.analyses.CFG(normalize=True, data_references=True)
+    proj.analyses.CompleteCallingConventions(recover_variables=True, analyze_callsites=True)
+
+    # collect all functions when None are provided
+    if functions is None:
+        functions = cfg.functions.values()
+
+    # normalize the functions that could be ints as names
+    normalized_functions = []
+    for func in functions:
+        try:
+            normalized_name = int(func, 0)
+        except ValueError:
+            normalized_name = func
+        normalized_functions.append(normalized_name)
+    functions = normalized_functions
+
+    # verify that all functions exist
+    for func in list(functions):
+        if func not in cfg.functions:
+            if catch_errors:
+                _l.warning("Function %s does not exist in the CFG.", str(func))
+                functions.remove(func)
+            else:
+                raise ValueError(f"Function {func} does not exist in the CFG.")
+
+    # decompile all functions
+    decompilation = ""
+    dec_options = [
+        (PARAM_TO_OPTION["structurer_cls"], structurer),
+    ]
+    for func in functions:
+        f = cfg.functions[func]
+        if f is None or f.is_plt:
+            continue
+
+        exception_string = ""
+        if not catch_errors:
+            dec = proj.analyses.Decompiler(f, cfg=cfg, options=dec_options)
+        else:
+            try:
+                # TODO: add a timeout
+                dec = proj.analyses.Decompiler(f, cfg=cfg, options=dec_options)
+            except Exception as e:
+                exception_string = str(e).replace("\n", " ")
+                dec = None
+
+        # do sanity checks on decompilation, skip checks if we already errored
+        if not exception_string:
+            if dec is None or not dec.codegen or not dec.codegen.text:
+                exception_string = "Decompilation had no code output (failed in Dec)"
+            elif "{\n}" in dec.codegen.text:
+                exception_string = "Decompilation outputted an empty function (failed in structuring)"
+            elif structurer in ["dream", "combing"] and "goto" in dec.codegen.text:
+                exception_string = "Decompilation outputted a goto for a Gotoless algorithm (failed in structuring)"
+
+        if exception_string:
+            _l.critical("Failed to decompile %s because %s", str(func), exception_string)
+            decompilation += f"// [error: {func} | {exception_string}]\n"
+        else:
+            decompilation += dec.codegen.text + "\n"
+
+    return decompilation
+
+
 # delayed import
 from .structuring.structurer_nodes import (
     MultiNode,

angr/analyses/propagator/engine_ail.py

@@ -233,7 +233,9 @@ class SimEnginePropagatorAIL(
                             sp_expr_new = sp_expr.copy()
                             sp_expr_new.offset += self.arch.bytes
                         else:
-                            sp_expr_new = sp_expr + self.arch.bytes
+                            sp_expr_new = Expr.BinaryOp(
+                                None, "Add", [sp_expr, Expr.Const(None, None, self.arch.bytes, sp_expr.bits)], False
+                            )
                         sp_value_new = PropValue(
                             sp_value.value + self.arch.bytes,
                             offset_and_details={

angr/analyses/propagator/engine_vex.py

@@ -5,6 +5,7 @@ import claripy
 import pyvex
 import archinfo
 
+from angr.knowledge_plugins.propagations.states import RegisterAnnotation, RegisterComparisonAnnotation
 from ...engines.light import SimEngineLightVEXMixin
 from ...calling_conventions import DEFAULT_CC, default_cc, SimRegArg
 from .values import Top, Bottom
@@ -234,6 +235,16 @@ class SimEnginePropagatorVEX(
             self.tmps[stmt.result] = 1
             self.state.add_replacement(self._codeloc(block_only=True), VEXTmp(stmt.result), self.tmps[stmt.result])
 
+    def _handle_CmpEQ(self, expr):
+        arg0, arg1 = self._expr(expr.args[0]), self._expr(expr.args[1])
+        if arg1 is not None and arg1.concrete and arg0 is not None and len(arg0.annotations) == 1:
+            anno = arg0.annotations[0]
+            if isinstance(anno, RegisterAnnotation):
+                cmp_anno = RegisterComparisonAnnotation(anno.offset, anno.size, "eq", arg1.concrete_value)
+                bits = expr.result_size(self.tyenv)
+                return self.state.top(bits).annotate(cmp_anno)
+        return super()._handle_CmpEQ(expr)
+
     #
     # Expression handlers
     #
@@ -259,3 +270,37 @@ class SimEnginePropagatorVEX(
         r = super()._handle_Binop(expr)
         # print(expr.op, r)
         return r
+
+    def _handle_Conversion(self, expr):
+        expr_ = self._expr(expr.args[0])
+        to_size = expr.result_size(self.tyenv)
+        if expr_ is None:
+            return self._top(to_size)
+        if self._is_top(expr_):
+            return self._top(to_size).annotate(*expr_.annotations)
+
+        if isinstance(expr_, claripy.ast.Base) and expr_.op == "BVV":
+            if expr_.size() > to_size:
+                # truncation
+                return expr_[to_size - 1 : 0]
+            elif expr_.size() < to_size:
+                # extension
+                return claripy.ZeroExt(to_size - expr_.size(), expr_)
+            else:
+                return expr_
+
+        return self._top(to_size)
+
+    def _handle_Exit(self, stmt):
+        guard = self._expr(stmt.guard)
+        if guard is not None and len(guard.annotations) == 1:
+            dst = self._expr(stmt.dst)
+            if dst is not None and dst.concrete:
+                anno = guard.annotations[0]
+                if isinstance(anno, RegisterComparisonAnnotation):
+                    if anno.cmp_op == "eq":
+                        v = (anno.offset, anno.size, anno.value)
+                        if v not in self.state.block_initial_reg_values[self.block.addr, dst.concrete_value]:
+                            self.state.block_initial_reg_values[self.block.addr, dst.concrete_value].append(v)
+
+        super()._handle_Exit(stmt)

angr/analyses/propagator/propagator.py

@@ -289,6 +289,9 @@ class PropagatorAnalysis(ForwardAnalysis, Analysis):  # pylint:disable=abstract-
         if self._base_state is not None:
             self._base_state.options.add(sim_options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS)
             self._base_state.options.add(sim_options.SYMBOL_FILL_UNCONSTRAINED_MEMORY)
+
+        self.model.input_states[block_key] = state.copy()
+
         state = engine.process(
             state,
             block=block,
@@ -305,8 +308,7 @@ class PropagatorAnalysis(ForwardAnalysis, Analysis):  # pylint:disable=abstract-
 
         self.model.node_iterations[block_key] += 1
         self.model.states[block_key] = state
-        if isinstance(state, PropagatorAILState):
-            self.model.block_initial_reg_values.update(state.block_initial_reg_values)
+        self.model.block_initial_reg_values.update(state.block_initial_reg_values)
 
         if self.model.replacements is None:
             self.model.replacements = state._replacements
@@ -325,19 +327,26 @@ class PropagatorAnalysis(ForwardAnalysis, Analysis):  # pylint:disable=abstract-
     def _process_input_state_for_successor(
         self, node, successor, input_state: Union[PropagatorAILState, PropagatorVEXState]
     ):
-        if self._only_consts and isinstance(input_state, PropagatorAILState):
-            key = node.addr, successor.addr
-            if key in self.model.block_initial_reg_values:
-                input_state: PropagatorAILState = input_state.copy()
-                for reg_atom, reg_value in self.model.block_initial_reg_values[key]:
-                    input_state.store_register(
-                        reg_atom,
-                        PropValue(
-                            claripy.BVV(reg_value.value, reg_value.bits),
-                            offset_and_details={0: Detail(reg_atom.size, reg_value, self._initial_codeloc)},
-                        ),
-                    )
-                return input_state
+        if self._only_consts:
+            if isinstance(input_state, PropagatorAILState):
+                key = node.addr, successor.addr
+                if key in self.model.block_initial_reg_values:
+                    input_state: PropagatorAILState = input_state.copy()
+                    for reg_atom, reg_value in self.model.block_initial_reg_values[key]:
+                        input_state.store_register(
+                            reg_atom,
+                            PropValue(
+                                claripy.BVV(reg_value.value, reg_value.bits),
+                                offset_and_details={0: Detail(reg_atom.size, reg_value, self._initial_codeloc)},
+                            ),
+                        )
+                    return input_state
+            elif isinstance(input_state, PropagatorVEXState):
+                key = node.addr, successor.addr
+                if key in self.model.block_initial_reg_values:
+                    input_state: PropagatorVEXState = input_state.copy()
+                    for reg_offset, reg_size, value in self.model.block_initial_reg_values[key]:
+                        input_state.store_register(reg_offset, reg_size, claripy.BVV(value, reg_size * 8))
         return input_state
 
     def _intra_analysis(self):

angr/analyses/proximity_graph.py

@@ -180,6 +180,33 @@ class ProximityGraphAnalysis(Analysis):
 
         self._work()
 
+    def _condense_blank_nodes(self, graph: networkx.DiGraph) -> None:
+        nodes = list(graph.nodes)
+        blank_nodes: List[BaseProxiNode] = []
+
+        for node in nodes:
+            if isinstance(node, BaseProxiNode) and node.type_ == ProxiNodeTypes.Empty:
+                blank_nodes.append(node)
+            else:
+                if blank_nodes:
+                    self._merge_nodes(graph, blank_nodes)
+                    blank_nodes = []
+
+        if blank_nodes:
+            self._merge_nodes(graph, blank_nodes)
+
+    def _merge_nodes(self, graph: networkx.DiGraph, nodes: List[BaseProxiNode]) -> None:
+        for node in nodes:
+            predecessors = set(graph.predecessors(node))
+            successors = set(graph.successors(node))
+
+            for pred in predecessors:
+                for succ in successors:
+                    edge_data = graph.get_edge_data(pred, node) or {}
+                    graph.add_edge(pred, succ, **edge_data)
+
+            graph.remove_node(node)
+
     def _work(self):
         self.graph = networkx.DiGraph()
 
@@ -210,6 +237,9 @@ class ProximityGraphAnalysis(Analysis):
             self.graph.add_nodes_from(subgraph.nodes())
             self.graph.add_edges_from(subgraph.edges())
 
+        # condense blank nodes after the graph has been constructed
+        self._condense_blank_nodes(self.graph)
+
     def _endnode_connector(self, func: "Function", subgraph: networkx.DiGraph):
         """
         Properly connect expanded function call's to proximity graph.

angr/analyses/reaching_definitions/engine_ail.py

@@ -141,7 +141,7 @@ class SimEngineRDAIL(
             return handler(expr)
         else:
             self.l.warning("Unsupported expression type %s.", type(expr).__name__)
-            return None
+            return MultiValues(self.state.top(self.arch.bits))
 
     def _ail_handle_Assignment(self, stmt):
         """

angr/analyses/stack_pointer_tracker.py

@@ -1,6 +1,7 @@
 # pylint:disable=abstract-method,ungrouped-imports
 
 from typing import Set, List, Optional, TYPE_CHECKING
+import re
 import logging
 
 import pyvex
@@ -286,6 +287,9 @@ class CouldNotResolveException(Exception):
     """
 
 
+IROP_CONVERT_REGEX = re.compile(r"^Iop_(\d+)(U{0,1})to(\d+)(U{0,1})$")
+
+
 class StackPointerTracker(Analysis, ForwardAnalysis):
     """
     Track the offset of stack pointer at the end of each basic block of a function.
@@ -366,6 +370,42 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
         else:
             return self.offset_before(instr_addrs[0], reg)
 
+    def _constant_for(self, addr, pre_or_post, reg):
+        try:
+            s = self._state_for(addr, pre_or_post)
+            if s is None:
+                return TOP
+            regval = dict(s.regs)[reg]
+        except KeyError:
+            return TOP
+        if type(regval) is Constant:
+            return regval.val
+        return TOP
+
+    def constant_after(self, addr, reg):
+        return self._constant_for(addr, "post", reg)
+
+    def constant_before(self, addr, reg):
+        return self._constant_for(addr, "pre", reg)
+
+    def constant_after_block(self, block_addr, reg):
+        if block_addr not in self._blocks:
+            return TOP
+        instr_addrs = self._blocks[block_addr].instruction_addrs
+        if len(instr_addrs) == 0:
+            return TOP
+        else:
+            return self.constant_after(instr_addrs[-1], reg)
+
+    def constant_before_block(self, block_addr, reg):
+        if block_addr not in self._blocks:
+            return TOP
+        instr_addrs = self._blocks[block_addr].instruction_addrs
+        if len(instr_addrs) == 0:
+            return TOP
+        else:
+            return self.constant_before(instr_addrs[0], reg)
+
     @property
     def inconsistent(self):
         return any(self.inconsistent_for(r) for r in self.reg_offsets)
@@ -515,6 +555,21 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                 return Constant(expr.con.value)
             elif type(expr) is pyvex.IRExpr.Get:
                 return state.get(expr.offset)
+            elif type(expr) is pyvex.IRExpr.Unop:
+                m = IROP_CONVERT_REGEX.match(expr.op)
+                if m is not None:
+                    from_bits = int(m.group(1))
+                    # from_unsigned = m.group(2) == "U"
+                    to_bits = int(m.group(3))
+                    # to_unsigned = m.group(4) == "U"
+                    v = resolve_expr(expr.args[0])
+                    if not isinstance(v, Constant):
+                        return TOP
+                    if from_bits > to_bits:
+                        # truncation
+                        mask = (1 << to_bits) - 1
+                        return Constant(v.val & mask)
+                    return v
             elif self.track_mem and type(expr) is pyvex.IRExpr.Load:
                 return state.load(_resolve_expr(expr.addr))
             raise CouldNotResolveException()

angr/callable.py

@@ -74,10 +74,10 @@ class Callable:
         self.perform_call(*args, prototype=prototype)
         if self.result_state is not None and prototype.returnty is not None:
             loc = self._cc.return_val(prototype.returnty)
-            val = loc.get_value(self.result_state, stack_base=self.result_state.regs.sp - self._cc.STACKARG_SP_DIFF)
-            return self.result_state.solver.simplify(val)
-        else:
-            return None
+            if loc is not None:
+                val = loc.get_value(self.result_state, stack_base=self.result_state.regs.sp - self._cc.STACKARG_SP_DIFF)
+                return self.result_state.solver.simplify(val)
+        return None
 
     def perform_call(self, *args, prototype=None):
         prototype = SimCC.guess_prototype(args, prototype or self._func_ty).with_arch(self._project.arch)

angr/engines/light/engine.py

@@ -177,12 +177,12 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
                 func_addr = (
                     self.block.vex.next if isinstance(self.block.vex.next, int) else self._expr(self.block.vex.next)
                 )
-                if func_addr is not None:
-                    getattr(self, handler)(func_addr)
-                else:
+                if func_addr is None and self.l is not None:
                     self.l.debug("Cannot determine the callee address at %#x.", self.block.addr)
+                getattr(self, handler)(func_addr)
             else:
-                self.l.warning("Function handler not implemented.")
+                if self.l is not None:
+                    self.l.warning("Function handler not implemented.")
 
     #
     # Statement handlers
@@ -193,7 +193,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         if hasattr(self, handler):
             getattr(self, handler)(stmt)
         elif type(stmt).__name__ not in ("IMark", "AbiHint"):
-            self.l.error("Unsupported statement type %s.", type(stmt).__name__)
+            if self.l is not None:
+                self.l.error("Unsupported statement type %s.", type(stmt).__name__)
 
     # synchronize with function _handle_WrTmpData()
     def _handle_WrTmp(self, stmt):
@@ -210,7 +211,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         self.tmps[tmp] = data
 
     def _handle_Dirty(self, stmt):
-        self.l.error("Unimplemented Dirty node for current architecture.")
+        if self.l is not None:
+            self.l.error("Unimplemented Dirty node for current architecture.")
 
     def _handle_Put(self, stmt):
         raise NotImplementedError("Please implement the Put handler with your own logic.")
@@ -232,12 +234,13 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         handler = "_handle_%s" % type(expr).__name__
         if hasattr(self, handler):
             return getattr(self, handler)(expr)
-        else:
+        elif self.l is not None:
             self.l.error("Unsupported expression type %s.", type(expr).__name__)
         return None
 
     def _handle_Triop(self, expr: pyvex.IRExpr.Triop):  # pylint: disable=useless-return
-        self.l.error("Unsupported Triop %s.", expr.op)
+        if self.l is not None:
+            self.l.error("Unsupported Triop %s.", expr.op)
         return None
 
     def _handle_RdTmp(self, expr):
@@ -295,7 +298,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         if handler is not None and hasattr(self, handler):
             return getattr(self, handler)(expr)
         else:
-            self.l.error("Unsupported Unop %s.", expr.op)
+            if self.l is not None:
+                self.l.error("Unsupported Unop %s.", expr.op)
             return None
 
     def _handle_Binop(self, expr: pyvex.IRExpr.Binop):
@@ -372,13 +376,14 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
                 return getattr(self, handler)(expr, vector_size, vector_count)
             return getattr(self, handler)(expr)
         else:
-            if once(expr.op):
+            if once(expr.op) and self.l is not None:
                 self.l.warning("Unsupported Binop %s.", expr.op)
 
         return None
 
     def _handle_CCall(self, expr):  # pylint:disable=useless-return
-        self.l.warning("Unsupported expression type CCall with callee %s.", str(expr.cee))
+        if self.l is not None:
+            self.l.warning("Unsupported expression type CCall with callee %s.", str(expr.cee))
         return None
 
     #
@@ -479,7 +484,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         try:
             return ~expr_0  # pylint:disable=invalid-unary-operand-type
         except TypeError as e:
-            self.l.exception(e)
+            if self.l is not None:
+                self.l.exception(e)
             return None
 
     def _handle_Clz(self, expr):
@@ -602,7 +608,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         try:
             return expr_0 ^ expr_1
         except TypeError as e:
-            self.l.warning(e)
+            if self.l is not None:
+                self.l.warning(e)
             return None
 
     def _handle_Shl(self, expr):
@@ -834,7 +841,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
 
         if h is not None:
             return h(expr)
-        self.l.warning("Unsupported expression type %s.", type(expr).__name__)
+        if self.l is not None:
+            self.l.warning("Unsupported expression type %s.", type(expr).__name__)
         return None
 
     #
@@ -866,7 +874,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
             getattr(self, old_handler)(stmt)
             return
 
-        self.l.warning("Unsupported statement type %s.", type(stmt).__name__)
+        if self.l is not None:
+            self.l.warning("Unsupported statement type %s.", type(stmt).__name__)
 
     def _ail_handle_Label(self, stmt):
         pass
@@ -933,7 +942,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
         try:
             handler = getattr(self, handler_name)
         except AttributeError:
-            self.l.warning("Unsupported UnaryOp %s.", expr.op)
+            if self.l is not None:
+                self.l.warning("Unsupported UnaryOp %s.", expr.op)
             return None
 
         return handler(expr)
@@ -943,7 +953,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
         try:
             handler = getattr(self, handler_name)
         except AttributeError:
-            self.l.warning("Unsupported BinaryOp %s.", expr.op)
+            if self.l is not None:
+                self.l.warning("Unsupported BinaryOp %s.", expr.op)
             return None
 
         return handler(expr)
@@ -953,7 +964,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
         try:
             handler = getattr(self, handler_name)
         except AttributeError:
-            self.l.warning("Unsupported Ternary %s.", expr.op)
+            if self.l is not None:
+                self.l.warning("Unsupported Ternary %s.", expr.op)
             return None
 
         return handler(expr)

angr/knowledge_plugins/__init__.py

@@ -15,3 +15,4 @@ from .propagations import PropagationManager
 from .structured_code import StructuredCodeManager
 from .types import TypesStore
 from .callsite_prototypes import CallsitePrototypes
+from .custom_strings import CustomStrings

angr/knowledge_plugins/custom_strings.py

@@ -0,0 +1,40 @@
+from typing import Dict
+
+from .plugin import KnowledgeBasePlugin
+
+
+class CustomStrings(KnowledgeBasePlugin):
+    """
+    Store new strings that are recovered during various analysis. Each string has a unique ID associated.
+    """
+
+    def __init__(self, kb):
+        super().__init__()
+        self._kb = kb
+
+        self.string_id = 0
+        self.strings: Dict[int, bytes] = {}
+
+    def allocate(self, s: bytes) -> int:
+        # de-duplication
+        # TODO: Use a reverse map if this becomes a bottle-neck in the future
+        for idx, string in self.strings.items():
+            if string == s:
+                return idx
+
+        string_id = self.string_id
+        self.strings[string_id] = s
+        self.string_id += 1
+        return string_id
+
+    def __getitem__(self, idx):
+        return self.strings[idx]
+
+    def copy(self):
+        o = CustomStrings(self._kb)
+        o.strings = self.strings.copy()
+        o.string_id = self.string_id
+        return o
+
+
+KnowledgeBasePlugin.register_default("custom_strings", CustomStrings)