angr 9.2.84__py3-none-win_amd64.whl → 9.2.85__py3-none-win_amd64.whl

angr/engines/pcode/lifter.py

@@ -5,13 +5,11 @@
 #     - Fix default_exit_target
 #     - Fix/remove NotImplementedError's
 
-import copy
 import logging
-from typing import Union, Optional, Iterable, Sequence, Tuple, List
+from typing import Union, Optional, Iterable, Sequence, Tuple
 
 import archinfo
 from archinfo import ArchARM, ArchPcode
-import pypcode
 import cle
 from cachetools import LRUCache
 
@@ -28,6 +26,13 @@ from ...errors import SimEngineError, SimTranslationError, SimError
 from ... import sim_options as o
 from ...block import DisassemblerBlock, DisassemblerInsn
 
+
+try:
+    import pypcode
+except ImportError:
+    pypcode = None
+
+
 l = logging.getLogger(__name__)
 
 IRSB_MAX_SIZE = 400
@@ -54,7 +59,7 @@ class ExitStatement:
 
 class PcodeDisassemblerBlock(DisassemblerBlock):
     """
-    Helper class to represent a block of dissassembled target architecture
+    Helper class to represent a block of disassembled target architecture
     instructions
     """
 
@@ -73,15 +78,15 @@ class PcodeDisassemblerInsn(DisassemblerInsn):
 
     @property
     def address(self) -> int:
-        return self.insn.address.offset
+        return self.insn.addr.offset
 
     @property
     def mnemonic(self) -> str:
-        return self.insn.asm_mnem
+        return self.insn.mnem
 
     @property
     def op_str(self) -> str:
-        return self.insn.asm_body
+        return self.insn.body
 
 
 class IRSB:
@@ -107,7 +112,7 @@ class IRSB:
         "_direct_next",
         "_exit_statements",
         "_instruction_addresses",
-        "_instructions",
+        "_ops",
         "_size",
         "_statements",
         "_disassembly",
@@ -122,8 +127,8 @@ class IRSB:
 
     _direct_next: Optional[bool]
     _exit_statements: Sequence[Tuple[int, int, ExitStatement]]
-    _instruction_addresses: Sequence[int]
-    _instructions: Sequence[pypcode.Translation]
+    _instruction_addresses: Optional[Sequence[int]]
+    _ops: Sequence["pypcode.PcodeOp"]  # FIXME: Merge into _statements
     _size: Optional[int]
     _statements: Iterable  # Note: currently unused
     _disassembly: Optional[PcodeDisassemblerBlock]
@@ -189,8 +194,8 @@ class IRSB:
 
         self._direct_next = None
         self._exit_statements = []
-        self._instruction_addresses = ()
-        self._instructions: List["pypcode.Translation"] = []
+        self._instruction_addresses = None
+        self._ops = []
         self._size = None
         self._statements = []
         self.addr = mem_addr
@@ -258,15 +263,7 @@ class IRSB:
             nxt=self.next,
             jumpkind=self.jumpkind,
             direct_next=self.direct_next,
-            # deepcopy call to 'pickle' fails.
-            # shallow copy should work since _instructions shouldn't mutate
-            instructions=copy.copy(self._instructions),
-            # statements = None, #unused
-            # instruction_addresses = None # computed
-            # tyenv = None # unused
-            # exit_statements = None # currently unused
-            # default_exit_target = None # currently unused
-            # size = None # computed
+            ops=self._ops[:],
         )
 
         return new
@@ -277,22 +274,14 @@ class IRSB:
         The appended irsb's jumpkind and default exit are used.
         :param extendwith: The IRSB to append to this IRSB
         """
-        # see _set_attributes call in 'copy' def for notes on other attributes
         self._set_attributes(
             nxt=extendwith.next,
             jumpkind=extendwith.jumpkind,
             direct_next=extendwith.direct_next,
-            instructions=copy.copy(self._instructions),
+            ops=self._ops + extendwith._ops,
         )
 
-        # append instructions if new
-        addrs = self.instruction_addresses
-        newinsns = [insn for insn in extendwith._instructions if insn.address not in addrs]
-        self._instructions.extend(newinsns)
-
-        # reset disassem. now disassem will be recomputed if irsb.disassembly is called
         self._disassembly = None
-
         return self
 
     def invalidate_direct_next(self) -> None:
@@ -353,21 +342,28 @@ class IRSB:
         """
         The number of instructions in this block
         """
-        return len(self._instructions)
+        return len(self.instruction_addresses)
 
     @property
     def instruction_addresses(self) -> Sequence[int]:
         """
         Addresses of instructions in this block.
         """
-        return [ins.address.offset for ins in self._instructions]
+        if self._instruction_addresses is None:
+            self._instruction_addresses = []
+            for op in self._ops:
+                if op.opcode == pypcode.OpCode.IMARK:
+                    for vn in op.inputs:
+                        self._instruction_addresses.append(vn.offset)
+        return self._instruction_addresses
 
     @property
     def size(self) -> int:
         """
         The size of this block, in bytes
         """
-        return sum(ins.length for ins in self._instructions)
+        assert self._size is not None
+        return self._size
 
     @property
     def operations(self):
@@ -435,10 +431,12 @@ class IRSB:
         """
         sa = []
         sa.append("IRSB {")
-        for i, ins in enumerate(self._instructions):
-            sa.append("   %02d | ------ %08x, %d ------" % (i, ins.address.offset, ins.length))
-            for op in ins.ops:
-                sa.append("  +%02d | %s" % (op.seq.uniq, pypcode.PcodePrettyPrinter.fmt_op(op)))
+        for i, op in enumerate(self._ops):
+            if op.opcode == pypcode.OpCode.IMARK:
+                for vn in op.inputs[:]:
+                    sa.append(f"   {i:02d} | ------ {vn.offset:08x}, {vn.size} ------")
+            else:
+                sa.append(f"   {i:02d} | {pypcode.PcodePrettyPrinter.fmt_op(op)}")
 
         if isinstance(self.next, int):
             next_str = "%x" % self.next
@@ -464,7 +462,7 @@ class IRSB:
         jumpkind: Optional[str] = None,
         direct_next: Optional[bool] = None,
         size: Optional[int] = None,
-        instructions: Optional[Iterable[pypcode.Translation]] = None,
+        ops: Optional[Sequence["pypcode.PcodeOp"]] = None,
         instruction_addresses: Optional[Iterable[int]] = None,
         exit_statements: Sequence[Tuple[int, int, ExitStatement]] = None,
         default_exit_target: Optional = None,
@@ -475,7 +473,7 @@ class IRSB:
         self.jumpkind = jumpkind
         self._direct_next = direct_next
         self._size = size
-        self._instructions = instructions or []
+        self._ops = ops or []
         self._instruction_addresses = instruction_addresses
         self._exit_statements = exit_statements or []
         self.default_exit_target = default_exit_target
@@ -488,7 +486,7 @@ class IRSB:
             irsb.jumpkind,
             irsb.direct_next,
             irsb.size,
-            instructions=irsb._instructions,
+            ops=irsb._ops,
             instruction_addresses=irsb._instruction_addresses,
             exit_statements=irsb.exit_statements,
             default_exit_target=irsb.default_exit_target,
@@ -504,10 +502,6 @@ class IRSB:
 
     @property
     def disassembly(self) -> PcodeDisassemblerBlock:
-        if self._disassembly is None:
-            insns = [PcodeDisassemblerInsn(ins) for ins in self._instructions]
-            thumb = False  # FIXME
-            self._disassembly = PcodeDisassemblerBlock(self.addr, insns, thumb, self.arch)
         return self._disassembly
 
 
@@ -819,7 +813,7 @@ class PcodeBasicBlockLifter:
     Lifts basic blocks to P-code
     """
 
-    context: pypcode.Context
+    context: "pypcode.Context"
     behaviors: BehaviorFactory
 
     def __init__(self, arch: archinfo.Arch):
@@ -836,11 +830,7 @@ class PcodeBasicBlockLifter:
                 raise NotImplementedError()
             langid = archinfo_to_lang_map[arch.name]
 
-        langs = {l.id: l for a in pypcode.Arch.enumerate() for l in a.languages}
-
-        lang = langs[langid]
-
-        self.context = pypcode.Context(lang)
+        self.context = pypcode.Context(langid)
         self.behaviors = BehaviorFactory()
 
     def lift(
@@ -851,52 +841,121 @@ class PcodeBasicBlockLifter:
         bytes_offset: int = 0,
         max_bytes: Optional[int] = None,
         max_inst: Optional[int] = None,
+        branch_delay_slot: bool = False,
+        is_sparc32: bool = False,
     ) -> None:
+        assert irsb.addr == baseaddr
+        assert bytes_offset < len(data)
+
         if max_bytes is None or max_bytes > MAX_BYTES:
-            max_bytes = min(len(data), MAX_BYTES)
+            max_bytes = min(len(data) - bytes_offset, MAX_BYTES)
         if max_inst is None or max_inst > MAX_INSTRUCTIONS:
             max_inst = MAX_INSTRUCTIONS
 
         irsb.behaviors = self.behaviors  # FIXME
 
         # Translate
-        addr = baseaddr + bytes_offset
-        result = self.context.translate(data[bytes_offset : bytes_offset + max_bytes], addr, max_inst, max_bytes, True)
-        irsb._instructions = result.instructions
+        sliced_data = bytes(data[bytes_offset : bytes_offset + max_bytes])
+
+        if is_sparc32:
+            # workaround to handle SPARC V8 decoding before having a SPARC V8 Sleigh file
+            # replace all  jmpl xxx; rett xxx sequences with rett xxx; nop;
+            nop_seq = b"\x01\x00\x00\x00"
+            jmpl_seqs = [
+                b"\x81\xc4\x40\x00",
+                b"\x81\xc4\x80\x00",
+            ]
+            rett_seqs = [b"\x81\xcc\x80\x00", b"\x81\xcc\xa0\x04"]
+            for jmpl_seq in jmpl_seqs:
+                for rett_seq in rett_seqs:
+                    seq = jmpl_seq + rett_seq
+                    index = sliced_data.find(seq)
+                    while index >= 0:
+                        sliced_data = sliced_data[:index] + rett_seq + nop_seq + sliced_data[index + 8 :]
+                        index = sliced_data.find(seq)
+
+        sliced_data = bytes(sliced_data)
 
         # Post-process block to mark exits and next block
         next_block = None
-        for insn in irsb._instructions:
-            for op in insn.ops:
-                if op.opcode in [pypcode.OpCode.BRANCH, pypcode.OpCode.CBRANCH] and op.inputs[0].get_addr().is_constant:
-                    # P-code relative branch (op.seq.pc.offset + op.seq.uniq + op.inputs[0].offset)
+        irsb._instruction_addresses = []
+        fallthru_addr = irsb.addr
+
+        try:
+            translation = self.context.translate(
+                sliced_data,
+                irsb.addr,
+                max_instructions=max_inst,
+                max_bytes=max_bytes,
+                flags=pypcode.TranslateFlags.BB_TERMINATING,
+            )
+            irsb._ops = translation.ops
+
+            last_decode_addr = irsb.addr
+            last_imark_idx = 0
+            for op_idx, op in enumerate(irsb._ops):
+                # OpCode space begins with control ops ending with RETURN. Quickly filter non-control instructions.
+                if op.opcode > pypcode.OpCode.RETURN:
+                    continue
+
+                if op.opcode == pypcode.OpCode.IMARK:
+                    irsb._instruction_addresses.extend([vn.offset for vn in op.inputs])
+                    last_decode_addr = op.inputs[0].offset
+                    fallthru_addr = op.inputs[-1].offset + op.inputs[-1].size
+                    last_imark_idx = op_idx
+                    continue
+
+                if op.opcode in {pypcode.OpCode.BRANCH, pypcode.OpCode.CBRANCH} and op.inputs[0].space.name == "const":
+                    # P-code relative branch (op_idx + op.inputs[0].offset)
+                    # Note: We only model these in execution
                     continue
+
                 if op.opcode == pypcode.OpCode.CBRANCH:
                     irsb._exit_statements.append(
-                        (op.seq.pc.offset, op.seq.uniq, ExitStatement(op.inputs[0].offset, "Ijk_Boring"))
+                        (last_decode_addr, op_idx - last_imark_idx, ExitStatement(op.inputs[0].offset, "Ijk_Boring"))
                     )
                 elif op.opcode == pypcode.OpCode.BRANCH:
-                    next_block = (op.inputs[0].offset, "Ijk_Boring")
+                    if next_block is None:
+                        next_block = (op.inputs[0].offset, "Ijk_Boring")
                 elif op.opcode == pypcode.OpCode.BRANCHIND:
-                    next_block = (None, "Ijk_Boring")
+                    if next_block is None:
+                        next_block = (None, "Ijk_Boring")
                 elif op.opcode == pypcode.OpCode.CALL:
-                    next_block = (op.inputs[0].offset, "Ijk_Call")
+                    if next_block is None:
+                        next_block = (op.inputs[0].offset, "Ijk_Call")
                 elif op.opcode == pypcode.OpCode.CALLIND:
-                    next_block = (None, "Ijk_Call")
+                    if next_block is None:
+                        next_block = (None, "Ijk_Call")
                 elif op.opcode == pypcode.OpCode.RETURN:
-                    next_block = (None, "Ijk_Ret")
-
-        if len(irsb._instructions) > 0:
-            last_insn = irsb._instructions[-1]
-            fallthru_addr = last_insn.address.offset + last_insn.length
-        else:
-            fallthru_addr = addr
+                    if next_block is None:
+                        next_block = (None, "Ijk_Ret")
+
+            # FIXME: Do this lazily
+            disasm = self.context.disassemble(
+                sliced_data,
+                irsb.addr,
+                max_instructions=max_inst,
+                max_bytes=fallthru_addr - irsb.addr,
+            )
+            irsb._disassembly = PcodeDisassemblerBlock(
+                addr=irsb.addr,
+                insns=[PcodeDisassemblerInsn(ins) for ins in disasm.instructions],
+                thumb=False,
+                arch=irsb.arch,
+            )
 
-        if result.error:
+        except (pypcode.BadDataError, pypcode.UnimplError):
             next_block = (fallthru_addr, "Ijk_NoDecode")
-        elif next_block is None:
+        except (pypcode.LowlevelError, IndexError):
+            # FIXME:
+            # - IndexError: Give more data
+            # - pypcode.LowlevelError: Sometimes a decoding failure
+            next_block = (irsb.addr, "Ijk_NoDecode")
+
+        if next_block is None:
             next_block = (fallthru_addr, "Ijk_Boring")
 
+        irsb._size = fallthru_addr - irsb.addr
         irsb.next, irsb.jumpkind = next_block
 
 
@@ -918,6 +977,8 @@ class PcodeLifter(Lifter):
             bytes_offset=self.bytes_offset,
             max_inst=self.max_inst,
             max_bytes=self.max_bytes,
+            branch_delay_slot=self.arch.branch_delay_slot,
+            is_sparc32="sparc:" in self.arch.name and self.arch.bits == 32,
         )
 
         if self.irsb.size == 0:
@@ -932,7 +993,7 @@ class PcodeLifterEngineMixin(SimEngineBase):
 
     def __init__(
         self,
-        project,
+        project=None,
         use_cache: Optional[bool] = None,
         cache_size: int = 50000,
         default_opt_level: int = 1,
@@ -1231,12 +1292,7 @@ class PcodeLifterEngineMixin(SimEngineBase):
 
         # phase x: error handling
         except PyVEXError as e:
-            l.debug("VEX translation error at %#x", addr)
-            # FIXME
-            # if isinstance(buff, bytes):
-            #     l.debug("Using bytes: %r", buff)
-            # else:
-            #     l.debug("Using bytes: %r", pyvex.ffi.buffer(buff, size))
+            l.debug("Translation error at %#x", addr)
             raise SimTranslationError("Unable to translate bytecode") from e
 
     def _load_bytes(

angr/knowledge_plugins/functions/function_manager.py

@@ -1,5 +1,5 @@
 # pylint:disable=raise-missing-from
-from typing import Dict, Set, Optional
+from typing import Dict, Generator, Optional, Set
 import logging
 import collections.abc
 import re
@@ -351,8 +351,10 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
     def get_by_addr(self, addr) -> Function:
         return self._function_map.get(addr)
 
-    def get_by_name(self, name: str) -> Set[Function]:
-        return {f for f in self._function_map.values() if f.name == name}
+    def get_by_name(self, name: str) -> Generator[Function, None, None]:
+        for f in self._function_map.values():
+            if f.name == name:
+                yield f
 
     def _function_added(self, func: Function):
         """

angr/knowledge_plugins/propagations/states.py

@@ -692,6 +692,20 @@ class PropagatorAILState(PropagatorState):
                 PropValue(claripy.BVV(0, 32), offset_and_details={0: Detail(4, reg_value, initial_codeloc)}),
             )
 
+        if project is not None and project.simos is not None and project.simos.function_initial_registers:
+            if func_addr is not None:
+                for reg_name, reg_value in project.simos.function_initial_registers.items():
+                    reg_size = project.arch.registers[reg_name][1]
+                    reg_expr = ailment.Expr.Register(None, None, project.arch.registers[reg_name][0], reg_size)
+                    reg_value_expr = ailment.Expr.Const(None, None, reg_value, reg_size * 8)
+                    state.store_register(
+                        reg_expr,
+                        PropValue(
+                            claripy.BVV(reg_value, project.arch.bits),
+                            offset_and_details={0: Detail(reg_size, reg_value_expr, initial_codeloc)},
+                        ),
+                    )
+
         return state
 
     def copy(self) -> "PropagatorAILState":

angr/procedures/cgc/deallocate.py

@@ -1,8 +1,11 @@
-import angr
-
 import logging
 
+from unique_log_filter import UniqueLogFilter
+
+import angr
+
 l = logging.getLogger(name=__name__)
+l.addFilter(UniqueLogFilter())
 
 
 class deallocate(angr.SimProcedure):

angr/procedures/posix/gethostbyname.py

@@ -4,24 +4,39 @@ import angr
 class gethostbyname(angr.SimProcedure):
     def run(self, name):
         malloc = angr.SIM_PROCEDURES["libc"]["malloc"]
-        place = self.inline_call(malloc, 32).ret_expr
+        int_size_bits = self.arch.sizeof["int"]
+        int_size = int_size_bits // 8
+        ptr_size_bits = self.arch.bits
+        ptr_size = ptr_size_bits // 8
+        hostent_size = (2 * int_size) + (3 * ptr_size)
+        place = self.inline_call(malloc, hostent_size).ret_expr
         self.state.memory.store(
-            place, self.state.solver.BVS("h_name", 64, key=("api", "gethostbyname", "h_name")), endness="Iend_LE"
+            place,
+            self.state.solver.BVS("h_name", ptr_size_bits, key=("api", "gethostbyname", "h_name")),
+            endness="Iend_LE",
         )
+        next_addr = place + ptr_size
         self.state.memory.store(
-            place, self.state.solver.BVS("h_aliases", 64, key=("api", "gethostbyname", "h_aliases")), endness="Iend_LE"
+            next_addr,
+            self.state.solver.BVS("h_aliases", ptr_size_bits, key=("api", "gethostbyname", "h_aliases")),
+            endness="Iend_LE",
         )
+        next_addr += ptr_size
         self.state.memory.store(
-            place,
-            self.state.solver.BVS("h_addrtype", 64, key=("api", "gethostbyname", "h_addrtype")),
+            next_addr,
+            self.state.solver.BVS("h_addrtype", int_size_bits, key=("api", "gethostbyname", "h_addrtype")),
             endness="Iend_LE",
         )
+        next_addr += int_size
         self.state.memory.store(
-            place, self.state.solver.BVS("h_length", 64, key=("api", "gethostbyname", "h_length")), endness="Iend_LE"
+            next_addr,
+            self.state.solver.BVS("h_length", int_size_bits, key=("api", "gethostbyname", "h_length")),
+            endness="Iend_LE",
         )
+        next_addr += int_size
         self.state.memory.store(
-            place,
-            self.state.solver.BVS("h_addr_list", 64, key=("api", "gethostbyname", "h_addr_list")),
+            next_addr,
+            self.state.solver.BVS("h_addr_list", ptr_size_bits, key=("api", "gethostbyname", "h_addr_list")),
             endness="Iend_LE",
         )
         return place

angr/project.py

@@ -212,6 +212,10 @@ class Project:
         self.store_function = store_function or self._store
         self.load_function = load_function or self._load
 
+        # FIXME: BIG HACK
+        if isinstance(self.filename, str) and self.filename.endswith(".xcal") and not simos:
+            simos = "snimmuc_nxp"
+
         # Step 4: determine the guest OS
         if isinstance(simos, type) and issubclass(simos, SimOS):
             self.simos = simos(self)  # pylint:disable=invalid-name

angr/simos/__init__.py

@@ -11,6 +11,7 @@ from .linux import SimLinux
 from .cgc import SimCGC
 from .windows import SimWindows
 from .javavm import SimJavaVM
+from .snimmuc_nxp import SimSnimmucNxp
 
 os_mapping = defaultdict(lambda: SimOS)
 
@@ -27,3 +28,4 @@ register_simos("linux", SimLinux)
 register_simos("windows", SimWindows)
 register_simos("cgc", SimCGC)
 register_simos("javavm", SimJavaVM)
+register_simos("snimmuc_nxp", SimSnimmucNxp)

angr/simos/simos.py

@@ -35,6 +35,7 @@ class SimOS:
         self.return_deadend = None
         self.unresolvable_jump_target = None
         self.unresolvable_call_target = None
+        self.function_initial_registers = None
 
     def configure_project(self):
         """