angr 9.2.79__py3-none-win_amd64.whl → 9.2.80__py3-none-win_amd64.whl

angr/__init__.py

@@ -1,7 +1,7 @@
 # pylint: disable=wildcard-import
 # pylint: disable=wrong-import-position
 
-__version__ = "9.2.79"
+__version__ = "9.2.80"
 
 if bytes is str:
     raise Exception(

angr/__main__.py

@@ -15,16 +15,41 @@ class COMMANDS:
 
 def main():
     parser = argparse.ArgumentParser(description="The angr CLI allows you to decompile and analyze binaries.")
-    parser.add_argument("command", help="The command to run", choices=COMMANDS.ALL_COMMANDS)
-    parser.add_argument("binary", help="The path to the binary to analyze")
-    parser.add_argument("--functions", help="The functions to analyze", nargs="+")
     parser.add_argument(
-        "--structurer", help="The structurer to use", choices=STRUCTURER_CLASSES.keys(), default="phoenix"
+        "command",
+        help="""
+        The analysis type to run on the binary. All analysis is output to stdout.""",
+        choices=COMMANDS.ALL_COMMANDS,
+    )
+    parser.add_argument("binary", help="The path to the binary to analyze.")
+    parser.add_argument(
+        "--functions",
+        help="""
+        The functions to analyze under the current command. Functions can either be expressed as names found in the
+        symbols of the binary or as addresses like: 0x401000.""",
+        nargs="+",
+    )
+    parser.add_argument(
+        "--catch-exceptions",
+        help="""
+        Catch exceptions during analysis. The scope of error handling may depend on the command used for analysis.
+        If multiple functions are specified for analysis, each function will be handled individually.""",
+        action="store_true",
+        default=False,
+    )
+    # decompilation-specific arguments
+    parser.add_argument(
+        "--structurer",
+        help="The structuring algorithm to use for decompilation.",
+        choices=STRUCTURER_CLASSES.keys(),
+        default="phoenix",
     )
 
     args = parser.parse_args()
     if args.command == COMMANDS.DECOMPILE:
-        decompilation = decompile_functions(args.binary, functions=args.functions, structurer=args.structurer)
+        decompilation = decompile_functions(
+            args.binary, functions=args.functions, structurer=args.structurer, catch_errors=args.catch_exceptions
+        )
         print(decompilation)
     else:
         parser.print_help()

angr/analyses/cfg/cfg_fast.py

@@ -40,6 +40,12 @@ from angr.errors import (
     SimIRSBNoDecodeError,
 )
 from angr.utils.constants import DEFAULT_STATEMENT
+from angr.utils.funcid import (
+    is_function_security_check_cookie,
+    is_function_security_init_cookie,
+    is_function_security_init_cookie_win8,
+    is_function_likely_security_init_cookie,
+)
 from angr.analyses import ForwardAnalysis
 from .cfg_arch_options import CFGArchOptions
 from .cfg_base import CFGBase
@@ -1617,6 +1623,8 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         if self._collect_data_ref:
             self._post_process_string_references()
 
+        self._rename_common_functions_and_symbols()
+
         CFGBase._post_analysis(self)
 
         # Clean up
@@ -1653,6 +1661,69 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 else:
                     l.exception("Error collecting XRefs for function %#x.", f_addr, exc_info=True)
 
+    def _rename_common_functions_and_symbols(self):
+        """
+        This function implements logic for renaming some commonly seen functions in an architecture- and OS-specific
+        way.
+        """
+
+        if (
+            self.project.simos is not None
+            and self.project.arch.name == "AMD64"
+            and self.project.simos.name == "Win32"
+            and isinstance(self.project.loader.main_object, cle.PE)
+        ):
+            security_cookie_addr = self.project.loader.main_object.load_config.get("SecurityCookie", None)
+            security_check_cookie_found = False
+            security_init_cookie_found = False
+            if security_cookie_addr is not None:
+                if security_cookie_addr not in self.kb.labels:
+                    self.kb.labels[security_cookie_addr] = "_security_cookie"
+                # identify _security_init_cookie and _security_check_cookie
+                xrefs = self.kb.xrefs.get_xrefs_by_dst(security_cookie_addr)
+                tested_func_addrs = set()
+                for xref in xrefs:
+                    cfg_node = self.model.get_any_node(xref.block_addr)
+                    if cfg_node is None:
+                        continue
+                    func_addr = cfg_node.function_address
+                    if func_addr not in tested_func_addrs:
+                        func = self.kb.functions.get_by_addr(func_addr)
+                        if not security_check_cookie_found and is_function_security_check_cookie(
+                            func, self.project, security_cookie_addr
+                        ):
+                            security_check_cookie_found = True
+                            func.is_default_name = False
+                            func.name = "_security_check_cookie"
+                        elif not security_init_cookie_found and is_function_security_init_cookie(
+                            func, self.project, security_cookie_addr
+                        ):
+                            security_init_cookie_found = True
+                            func.is_default_name = False
+                            func.name = "_security_init_cookie"
+                        elif not security_init_cookie_found and is_function_security_init_cookie_win8(
+                            func, self.project, security_cookie_addr
+                        ):
+                            security_init_cookie_found = True
+                            func.is_default_name = False
+                            func.name = "_security_init_cookie"
+                        tested_func_addrs.add(func_addr)
+                    if security_init_cookie_found and security_check_cookie_found:
+                        # both are found. exit from the loop
+                        break
+
+            # special handling: some binaries do not have SecurityCookie set, but still contain _security_init_cookie
+            if security_init_cookie_found is False:
+                start_func = self.functions.get_by_addr(self.project.entry)
+                if start_func is not None:
+                    for callee in start_func.transition_graph:
+                        if isinstance(callee, Function):
+                            if not security_init_cookie_found and is_function_likely_security_init_cookie(callee):
+                                security_init_cookie_found = True
+                                callee.is_default_name = False
+                                callee.name = "_security_init_cookie"
+                                break
+
     def _post_process_string_references(self) -> None:
         """
         Finds overlapping string references and retrofit them so that we see full strings in memory data.
@@ -2008,9 +2079,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
             ins_addr = addr
             for i, stmt in enumerate(irsb.statements):
                 if isinstance(stmt, pyvex.IRStmt.Exit):
-                    successors.append(
-                        (i, last_ins_addr if self.project.arch.branch_delay_slot else ins_addr, stmt.dst, stmt.jumpkind)
-                    )
+                    branch_ins_addr = last_ins_addr if self.project.arch.branch_delay_slot else ins_addr
+                    if self._is_branch_vex_artifact_only(irsb, branch_ins_addr, stmt):
+                        continue
+                    successors.append((i, branch_ins_addr, stmt.dst, stmt.jumpkind))
                 elif isinstance(stmt, pyvex.IRStmt.IMark):
                     last_ins_addr = ins_addr
                     ins_addr = stmt.addr + stmt.delta
@@ -2025,6 +2097,8 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                     idx_ = irsb.instruction_addresses.index(ins_addr)
                     if idx_ > 0:
                         branch_ins_addr = irsb.instruction_addresses[idx_ - 1]
+                elif self._is_branch_vex_artifact_only(irsb, branch_ins_addr, exit_stmt):
+                    continue
                 successors.append((stmt_idx, branch_ins_addr, exit_stmt.dst, exit_stmt.jumpkind))
 
         # default statement
@@ -4620,6 +4694,57 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                             queue.append(succ_addr)
         return to_remove
 
+    def _is_branch_vex_artifact_only(self, irsb, branch_ins_addr: int, exit_stmt) -> bool:
+        """
+        Check if an exit is merely the result of VEX lifting. We should drop these exits.
+        These exits point to the same instruction and do not terminate the block.
+
+        Example block:
+
+        1400061c2  lock or byte ptr [rsp], 0x0
+        1400061c7  mov     r9, r8
+        1400061ca  shr     r9, 0x5
+        1400061ce  jne     0x1400060dc
+
+        VEX block:
+
+        00 | ------ IMark(0x1400061c2, 5, 0) ------
+        01 | t3 = GET:I64(rsp)
+        02 | t2 = LDle:I8(t3)
+        03 | t(4,4294967295) = CASle(t3 :: (t2,None)->(t2,None))
+        04 | t13 = CasCmpNE8(t4,t2)
+        05 | if (t13) { PUT(rip) = 0x1400061c2; Ijk_Boring }
+        06 | ------ IMark(0x1400061c7, 3, 0) ------
+        07 | t15 = GET:I64(r8)
+        08 | ------ IMark(0x1400061ca, 4, 0) ------
+        09 | t9 = Shr64(t15,0x05)
+        10 | t16 = Shr64(t15,0x04)
+        11 | PUT(cc_op) = 0x0000000000000024
+        12 | PUT(cc_dep1) = t9
+        13 | PUT(cc_dep2) = t16
+        14 | PUT(r9) = t9
+        15 | PUT(rip) = 0x00000001400061ce
+        16 | ------ IMark(0x1400061ce, 6, 0) ------
+        17 | t29 = GET:I64(cc_ndep)
+        18 | t30 = amd64g_calculate_condition(0x0000000000000004,0x0000000000000024,t9,t16,t29):Ity_I64
+        19 | t25 = 64to1(t30)
+        20 | if (t25) { PUT(rip) = 0x1400061d4; Ijk_Boring }
+        NEXT: PUT(rip) = 0x00000001400060dc; Ijk_Boring
+
+        Statement 5 should not introduce a new exit in the CFG.
+        """
+
+        if (
+            not self.project.arch.branch_delay_slot
+            and irsb.instruction_addresses
+            and branch_ins_addr != irsb.instruction_addresses[-1]
+            and isinstance(exit_stmt.dst, pyvex.const.IRConst)
+            and exit_stmt.dst.value == branch_ins_addr
+            and exit_stmt.jumpkind == "Ijk_Boring"
+        ):
+            return True
+        return False
+
     def _remove_jobs_by_source_node_addr(self, addr: int):
         self._remove_job(lambda j: j.src_node is not None and j.src_node.addr == addr)
 

angr/analyses/decompiler/ail_simplifier.py

@@ -1044,6 +1044,14 @@ class AILSimplifier(Analysis):
                 if u.block_addr not in {b.addr for b in super_node_blocks}:
                     continue
 
+                # check if the register has been overwritten by statements in between the def site and the use site
+                usesite_atom_defs = set(rd.get_defs(the_def.atom, u, OP_BEFORE))
+                if len(usesite_atom_defs) != 1:
+                    continue
+                usesite_atom_def = next(iter(usesite_atom_defs))
+                if usesite_atom_def != the_def:
+                    continue
+
                 # check if any atoms that the call relies on has been overwritten by statements in between the def site
                 # and the use site.
                 defsite_all_expr_uses = set(rd.all_uses.get_uses_by_location(the_def.codeloc))

angr/analyses/decompiler/clinic.py

@@ -260,6 +260,10 @@ class Clinic(Analysis):
         self._update_progress(50.0, text="Making callsites")
         _, stackarg_offsets = self._make_callsites(ail_graph, stack_pointer_tracker=spt)
 
+        # Run simplification passes
+        self._update_progress(65.0, text="Running simplifications 2")
+        ail_graph = self._run_simplification_passes(ail_graph, stage=OptimizationPassStage.AFTER_MAKING_CALLSITES)
+
         # Simplify the entire function for the second time
         self._update_progress(55.0, text="Simplifying function 2")
         self._simplify_function(
@@ -282,7 +286,7 @@ class Clinic(Analysis):
         )
 
         # Run simplification passes
-        self._update_progress(65.0, text="Running simplifications 2")
+        self._update_progress(65.0, text="Running simplifications 3 ")
         ail_graph = self._run_simplification_passes(ail_graph, stage=OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION)
 
         # Simplify the entire function for the third time
@@ -317,7 +321,7 @@ class Clinic(Analysis):
         self._make_function_prototype(arg_list, variable_kb)
 
         # Run simplification passes
-        self._update_progress(95.0, text="Running simplifications 3")
+        self._update_progress(95.0, text="Running simplifications 4")
         ail_graph = self._run_simplification_passes(
             ail_graph, stage=OptimizationPassStage.AFTER_VARIABLE_RECOVERY, variable_kb=variable_kb
         )

angr/analyses/decompiler/decompilation_options.py

@@ -97,6 +97,15 @@ options = [
         category="Graph",
         default_value=True,
     ),
+    O(
+        "Simplify if-else to remove terminating else scopes",
+        "Removes terminating else scopes to make the code appear more flat.",
+        bool,
+        "region_simplifier",
+        "simplify_ifelse",
+        category="Graph",
+        default_value=True,
+    ),
     O(
         "Show casts",
         "Disabling this option will blindly remove all C typecast constructs from pseudocode output.",

angr/analyses/decompiler/optimization_passes/__init__.py

@@ -82,3 +82,7 @@ def get_default_optimization_passes(arch: Union[Arch, str], platform: Optional[s
             passes.append(pass_)
 
     return passes
+
+
+def register_optimization_pass(opt_pass, enable_by_default: bool):
+    _all_optimization_passes.append((opt_pass, enable_by_default))

angr/analyses/decompiler/optimization_passes/multi_simplifier.py

@@ -184,18 +184,6 @@ class MultiSimplifierAILEngine(SimplifierAILEngine):
                     new_const = Expr.Const(const_.idx, None, const_.value * const_x0.value, const_.bits)
                     new_expr = Expr.BinaryOp(expr.idx, "Mul", [x, new_const], expr.signed, **expr.tags)
                     return new_expr
-            elif (
-                isinstance(operand_0, Expr.Convert)
-                and isinstance(operand_0.operand, Expr.BinaryOp)
-                and operand_0.operand.op == "Mul"
-                and isinstance(operand_0.operand.operands[1], Expr.Const)
-            ):
-                x = operand_0.operand.operands[0]
-                new_const = Expr.Const(
-                    operand_1.idx, None, operand_1.value * operand_0.operand.operands[1].value, operand_1.bits
-                )
-                new_expr = Expr.BinaryOp(expr.idx, "Mul", [x, new_const], expr.signed, **expr.tags)
-                return new_expr
 
         if (operand_0, operand_1) != (expr.operands[0], expr.operands[1]):
             return Expr.BinaryOp(expr.idx, "Mul", [operand_0, operand_1], expr.signed, **expr.tags)

angr/analyses/decompiler/optimization_passes/optimization_pass.py

@@ -35,11 +35,12 @@ class OptimizationPassStage(Enum):
 
     AFTER_AIL_GRAPH_CREATION = 0
     AFTER_SINGLE_BLOCK_SIMPLIFICATION = 1
-    AFTER_GLOBAL_SIMPLIFICATION = 2
-    AFTER_VARIABLE_RECOVERY = 3
-    BEFORE_REGION_IDENTIFICATION = 4
-    DURING_REGION_IDENTIFICATION = 5
-    AFTER_STRUCTURING = 6
+    AFTER_MAKING_CALLSITES = 2
+    AFTER_GLOBAL_SIMPLIFICATION = 3
+    AFTER_VARIABLE_RECOVERY = 4
+    BEFORE_REGION_IDENTIFICATION = 5
+    DURING_REGION_IDENTIFICATION = 6
+    AFTER_STRUCTURING = 7
 
 
 class BaseOptimizationPass:
@@ -53,6 +54,8 @@ class BaseOptimizationPass:
     STRUCTURING: Optional[
         str
     ] = None  # specifies if this optimization pass is specific to a certain structuring algorithm
+    NAME = "N/A"
+    DESCRIPTION = "N/A"
 
     def __init__(self, func):
         self._func: "Function" = func

angr/analyses/decompiler/optimization_passes/win_stack_canary_simplifier.py

@@ -3,10 +3,10 @@ from typing import Set, Dict
 from collections import defaultdict
 import logging
 
-import capstone
 import ailment
 import cle
 
+from angr.utils.funcid import is_function_security_check_cookie
 from .optimization_pass import OptimizationPass, OptimizationPassStage
 
 
@@ -268,29 +268,6 @@ class WinStackCanarySimplifier(OptimizationPass):
                 return idx
         return None
 
-    def _is_function_likely_security_check_cookie(self, func) -> bool:
-        # disassemble the first instruction
-        if func.is_plt or func.is_syscall or func.is_simprocedure:
-            return False
-        block = self.project.factory.block(func.addr)
-        if block.instructions != 2:
-            return False
-        ins0 = block.capstone.insns[0]
-        if (
-            ins0.mnemonic == "cmp"
-            and len(ins0.operands) == 2
-            and ins0.operands[0].type == capstone.x86.X86_OP_REG
-            and ins0.operands[0].reg == capstone.x86.X86_REG_RCX
-            and ins0.operands[1].type == capstone.x86.X86_OP_MEM
-            and ins0.operands[1].mem.base == capstone.x86.X86_REG_RIP
-            and ins0.operands[1].mem.index == 0
-            and ins0.operands[1].mem.disp + ins0.address + ins0.size == self._security_cookie_addr
-        ):
-            ins1 = block.capstone.insns[1]
-            if ins1.mnemonic == "jne":
-                return True
-        return False
-
     def _find_stmt_calling_security_check_cookie(self, node):
         for idx, stmt in enumerate(node.statements):
             if isinstance(stmt, ailment.Stmt.Call) and isinstance(stmt.target, ailment.Expr.Const):
@@ -299,7 +276,7 @@ class WinStackCanarySimplifier(OptimizationPass):
                     func = self.kb.functions.function(addr=const_target)
                     if func.name == "_security_check_cookie":
                         return idx
-                    elif self._is_function_likely_security_check_cookie(func):
+                    elif is_function_security_check_cookie(func, self.project, self._security_cookie_addr):
                         return idx
 
         return None

angr/analyses/decompiler/peephole_optimizations/eager_eval.py

@@ -1,6 +1,6 @@
 from math import gcd
 
-from ailment.expression import BinaryOp, UnaryOp, Const
+from ailment.expression import BinaryOp, UnaryOp, Const, Convert
 
 from .base import PeepholeOptimizationExprBase
 
@@ -13,11 +13,13 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
     __slots__ = ()
 
     NAME = "Eager expression evaluation"
-    expr_classes = (BinaryOp, UnaryOp)
+    expr_classes = (BinaryOp, UnaryOp, Convert)
 
     def optimize(self, expr, **kwargs):
         if isinstance(expr, BinaryOp):
             return self._optimize_binaryop(expr)
+        elif isinstance(expr, Convert):
+            return self._optimize_convert(expr)
         elif isinstance(expr, UnaryOp):
             return self._optimize_unaryop(expr)
         return None
@@ -192,3 +194,13 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
             return new_expr
 
         return None
+
+    @staticmethod
+    def _optimize_convert(expr: Convert):
+        if isinstance(expr.operand, Const):
+            if expr.from_bits > expr.to_bits:
+                # truncation
+                mask = (1 << expr.to_bits) - 1
+                v = expr.operand.value & mask
+                return Const(expr.idx, expr.operand.variable, v, expr.to_bits, **expr.operand.tags)
+        return None

angr/analyses/decompiler/region_simplifiers/ifelse.py

@@ -42,20 +42,29 @@ class IfElseFlattener(SequenceWalker):
 
         if node.true_node is not None and node.false_node is not None:
             try:
-                last_stmts = ConditionProcessor.get_last_statements(node.true_node)
+                true_last_stmts = ConditionProcessor.get_last_statements(node.true_node)
             except EmptyBlockNotice:
-                last_stmts = None
+                true_last_stmts = None
             if (
-                last_stmts is not None
-                and None not in last_stmts
-                and all(is_statement_terminating(stmt, self.functions) for stmt in last_stmts)
+                true_last_stmts is not None
+                and None not in true_last_stmts
+                and all(is_statement_terminating(stmt, self.functions) for stmt in true_last_stmts)
             ):
                 # all end points in the true node are returning
-
-                # remove the else node and make it a new node following node
-                else_node = node.false_node
-                node.false_node = None
-                insert_node(parent, "after", else_node, index, **kwargs)
+                try:
+                    false_last_stmts = ConditionProcessor.get_last_statements(node.false_node)
+                except EmptyBlockNotice:
+                    false_last_stmts = None
+                if (
+                    false_last_stmts is not None
+                    and None not in false_last_stmts
+                    and not all(is_statement_terminating(stmt, self.functions) for stmt in false_last_stmts)
+                ):
+                    # not all end points in the false node are returning. in this case, we remove the else node and
+                    # make it a new node following node
+                    else_node = node.false_node
+                    node.false_node = None
+                    insert_node(parent, "after", else_node, index, **kwargs)
 
     def _handle_CascadingCondition(self, node: CascadingConditionNode, parent=None, index=None, **kwargs):
         super()._handle_CascadingCondition(node, parent=parent, index=index, **kwargs)

angr/analyses/decompiler/region_simplifiers/region_simplifier.py

@@ -24,11 +24,12 @@ class RegionSimplifier(Analysis):
     Simplifies a given region.
     """
 
-    def __init__(self, func, region, variable_kb=None, simplify_switches: bool = True):
+    def __init__(self, func, region, variable_kb=None, simplify_switches: bool = True, simplify_ifelse: bool = True):
         self.func = func
         self.region = region
         self.variable_kb = variable_kb
         self._simplify_switches = simplify_switches
+        self._should_simplify_ifelses = simplify_ifelse
 
         self.goto_manager: Optional[GotoManager] = None
         self.result = None
@@ -70,7 +71,8 @@ class RegionSimplifier(Analysis):
         # Remove empty nodes
         r = self._remove_empty_nodes(r)
         # Remove unnecessary else branches if the if branch will always return
-        r = self._simplify_ifelses(r)
+        if self._should_simplify_ifelses:
+            r = self._simplify_ifelses(r)
         #
         r = self._simplify_cascading_ifs(r)
         #

angr/analyses/decompiler/utils.py

@@ -3,7 +3,6 @@ from typing import Optional, Tuple, Any, Union, List, Iterable
 import logging
 
 import networkx
-from rich.progress import track
 
 import ailment
 import angr
@@ -582,7 +581,7 @@ def peephole_optimize_multistmts(block, stmt_opts):
     return statements, any_update
 
 
-def decompile_functions(path, functions=None, structurer=None, catch_errors=True) -> Optional[str]:
+def decompile_functions(path, functions=None, structurer=None, catch_errors=False) -> Optional[str]:
     """
     Decompile a binary into a set of functions.
 
@@ -616,16 +615,20 @@ def decompile_functions(path, functions=None, structurer=None, catch_errors=True
     functions = normalized_functions
 
     # verify that all functions exist
-    for func in functions:
+    for func in list(functions):
         if func not in cfg.functions:
-            raise ValueError(f"Function {func} does not exist in the CFG.")
+            if catch_errors:
+                _l.warning("Function %s does not exist in the CFG.", str(func))
+                functions.remove(func)
+            else:
+                raise ValueError(f"Function {func} does not exist in the CFG.")
 
     # decompile all functions
     decompilation = ""
     dec_options = [
         (PARAM_TO_OPTION["structurer_cls"], structurer),
     ]
-    for func in track(functions, description="Decompiling functions", transient=True):
+    for func in functions:
         f = cfg.functions[func]
         if f is None or f.is_plt:
             continue

angr/analyses/propagator/engine_ail.py

@@ -233,7 +233,9 @@ class SimEnginePropagatorAIL(
                             sp_expr_new = sp_expr.copy()
                             sp_expr_new.offset += self.arch.bytes
                         else:
-                            sp_expr_new = sp_expr + self.arch.bytes
+                            sp_expr_new = Expr.BinaryOp(
+                                None, "Add", [sp_expr, Expr.Const(None, None, self.arch.bytes, sp_expr.bits)], False
+                            )
                         sp_value_new = PropValue(
                             sp_value.value + self.arch.bytes,
                             offset_and_details={

angr/analyses/propagator/engine_vex.py

@@ -5,6 +5,7 @@ import claripy
 import pyvex
 import archinfo
 
+from angr.knowledge_plugins.propagations.states import RegisterAnnotation, RegisterComparisonAnnotation
 from ...engines.light import SimEngineLightVEXMixin
 from ...calling_conventions import DEFAULT_CC, default_cc, SimRegArg
 from .values import Top, Bottom
@@ -234,6 +235,16 @@ class SimEnginePropagatorVEX(
             self.tmps[stmt.result] = 1
             self.state.add_replacement(self._codeloc(block_only=True), VEXTmp(stmt.result), self.tmps[stmt.result])
 
+    def _handle_CmpEQ(self, expr):
+        arg0, arg1 = self._expr(expr.args[0]), self._expr(expr.args[1])
+        if arg1 is not None and arg1.concrete and arg0 is not None and len(arg0.annotations) == 1:
+            anno = arg0.annotations[0]
+            if isinstance(anno, RegisterAnnotation):
+                cmp_anno = RegisterComparisonAnnotation(anno.offset, anno.size, "eq", arg1.concrete_value)
+                bits = expr.result_size(self.tyenv)
+                return self.state.top(bits).annotate(cmp_anno)
+        return super()._handle_CmpEQ(expr)
+
     #
     # Expression handlers
     #
@@ -259,3 +270,37 @@ class SimEnginePropagatorVEX(
         r = super()._handle_Binop(expr)
         # print(expr.op, r)
         return r
+
+    def _handle_Conversion(self, expr):
+        expr_ = self._expr(expr.args[0])
+        to_size = expr.result_size(self.tyenv)
+        if expr_ is None:
+            return self._top(to_size)
+        if self._is_top(expr_):
+            return self._top(to_size).annotate(*expr_.annotations)
+
+        if isinstance(expr_, claripy.ast.Base) and expr_.op == "BVV":
+            if expr_.size() > to_size:
+                # truncation
+                return expr_[to_size - 1 : 0]
+            elif expr_.size() < to_size:
+                # extension
+                return claripy.ZeroExt(to_size - expr_.size(), expr_)
+            else:
+                return expr_
+
+        return self._top(to_size)
+
+    def _handle_Exit(self, stmt):
+        guard = self._expr(stmt.guard)
+        if guard is not None and len(guard.annotations) == 1:
+            dst = self._expr(stmt.dst)
+            if dst is not None and dst.concrete:
+                anno = guard.annotations[0]
+                if isinstance(anno, RegisterComparisonAnnotation):
+                    if anno.cmp_op == "eq":
+                        v = (anno.offset, anno.size, anno.value)
+                        if v not in self.state.block_initial_reg_values[self.block.addr, dst.concrete_value]:
+                            self.state.block_initial_reg_values[self.block.addr, dst.concrete_value].append(v)
+
+        super()._handle_Exit(stmt)