angr 9.2.93__py3-none-macosx_10_9_x86_64.whl → 9.2.94__py3-none-macosx_10_9_x86_64.whl

angr/__init__.py

@@ -1,7 +1,7 @@
 # pylint: disable=wildcard-import
 # pylint: disable=wrong-import-position
 
-__version__ = "9.2.93"
+__version__ = "9.2.94"
 
 if bytes is str:
     raise Exception(

angr/analyses/cfg/cfg_base.py

@@ -8,7 +8,7 @@ from sortedcontainers import SortedDict
 
 import pyvex
 from claripy.utils.orderedset import OrderedSet
-from cle import ELF, PE, Blob, TLSObject, MachO, ExternObject, KernelObject, FunctionHintSource, Hex, Coff
+from cle import ELF, PE, Blob, TLSObject, MachO, ExternObject, KernelObject, FunctionHintSource, Hex, Coff, SRec
 from cle.backends import NamedRegion
 import archinfo
 from archinfo.arch_soot import SootAddressDescriptor
@@ -748,19 +748,29 @@ class CFGBase(Analysis):
         for b in binaries:
             if isinstance(b, ELF):
                 # If we have sections, we get result from sections
+                sections = []
                 if not force_segment and b.sections:
                     # Get all executable sections
                     for section in b.sections:
                         if section.is_executable:
                             tpl = (section.min_addr, section.max_addr + 1)
-                            memory_regions.append(tpl)
-
-                else:
-                    # Get all executable segments
-                    for segment in b.segments:
-                        if segment.is_executable:
-                            tpl = (segment.min_addr, segment.max_addr + 1)
-                            memory_regions.append(tpl)
+                            sections.append(tpl)
+                    memory_regions += sections
+
+                segments = []
+                # Get all executable segments
+                for segment in b.segments:
+                    if segment.is_executable:
+                        tpl = (segment.min_addr, segment.max_addr + 1)
+                        segments.append(tpl)
+                if sections and segments:
+                    # are there executable segments with no sections inside?
+                    for segment in segments:
+                        for section in sections:
+                            if segment[0] <= section[0] < segment[1]:
+                                break
+                        else:
+                            memory_regions.append(segment)
 
             elif isinstance(b, (Coff, PE)):
                 for section in b.sections:
@@ -778,7 +788,7 @@ class CFGBase(Analysis):
                                 tpl = (section.min_addr, section.max_addr + 1)
                                 memory_regions.append(tpl)
 
-            elif isinstance(b, Hex):
+            elif isinstance(b, (Hex, SRec)):
                 if b.regions:
                     for region_addr, region_size in b.regions:
                         memory_regions.append((region_addr, region_addr + region_size))

angr/analyses/cfg/indirect_jump_resolvers/amd64_elf_got.py

@@ -18,7 +18,7 @@ class AMD64ElfGotResolver(IndirectJumpResolver):
         super().__init__(project, timeless=True)
 
     def filter(self, cfg, addr, func_addr, block, jumpkind):
-        if jumpkind != "Ijk_Call":
+        if not (jumpkind == "Ijk_Call" or (jumpkind == "Ijk_Boring" and addr == func_addr)):
             return False
         return True
 

angr/analyses/cfg/indirect_jump_resolvers/arm_elf_fast.py

@@ -12,11 +12,7 @@ _l = logging.getLogger(name=__name__)
 
 class ArmElfFastResolver(IndirectJumpResolver):
     """
-    Resolves the indirect jump in ARM ELF binaries where all internal function calls are performed in the following
-    manner::
-
-        ldr r3, [pc+#0x124]  ; load a constant from the constant_pool
-        blx r3
+    Resolves indirect jumps in ARM ELF binaries
     """
 
     def __init__(self, project):
@@ -29,6 +25,89 @@ class ArmElfFastResolver(IndirectJumpResolver):
             return False
         return True
 
+    def _resolve_default(self, stmt, block, source, cfg, blade):
+        """
+        Resolves the indirect jump in ARM ELF binaries where all internal function calls are performed in the following
+        manner::
+
+        ldr r3, [pc+#0x124]  ; load a constant from the constant_pool
+        blx r3
+        """
+
+        if not isinstance(stmt.data, pyvex.IRExpr.Load):
+            return False, []
+        if not isinstance(stmt.data.addr, pyvex.IRExpr.Const):
+            return False, []
+        load_addr = stmt.data.addr.con.value
+        load_size = stmt.data.result_size(block.tyenv) // 8
+        endness = archinfo.Endness.BE if stmt.data.endness == "Iend_BE" else archinfo.Endness.LE
+
+        # the next statement should be the default exit
+        next_target = next(iter(blade.slice.successors(source)))
+
+        if not (next_target[0] == block.addr and next_target[1] == DEFAULT_STATEMENT):
+            return False, []
+        next_tmp = block.next
+        if next_tmp.tmp != stmt.tmp:
+            return False, []
+
+        # load the address to jump to
+        try:
+            target_addr = self.project.loader.memory.unpack_word(load_addr, size=load_size, endness=endness)
+            if cfg.tag == "CFGFast":
+                cfg._seg_list.occupy(load_addr, load_size, "pointer-array")
+        except KeyError:
+            return False, []
+
+        return True, [target_addr]
+
+    def _resolve_put(self, stmt, block, source, cfg, blade):
+        """
+        Resolves the indirect jump in ARM ELF binaries where all internal function calls are performed in the following
+        manner::
+
+        add     ip, pc, #0x100000
+        add     ip, ip, #0x1e000
+        ldr     pc, [ip,#0x884]!
+        """
+
+        # Get the value of r12 register
+        if not isinstance(stmt.data, pyvex.IRExpr.Const):
+            return False, []
+        if not self.project.arch.register_names[stmt.offset] == "r12":
+            return False, []
+        load_addr = stmt.data.con.value
+        load_size = stmt.data.result_size(block.tyenv) // 8
+        endness = self.project.arch.default_endness
+
+        count = 0
+        for next_stmt in block.statements:
+            if (
+                isinstance(next_stmt, pyvex.IRStmt.WrTmp)
+                and isinstance(next_stmt.data, pyvex.IRExpr.Binop)
+                and "Add" in next_stmt.data.op
+            ):
+                load_addr += next_stmt.constants[0].value
+                count += 1
+
+        if count != 2:
+            return False, []
+
+        next_target = next(iter(blade.slice.successors(source)))
+
+        if not next_target[0] == block.addr:
+            return False, []
+
+        # load the address to jump to
+        try:
+            target_addr = self.project.loader.memory.unpack_word(load_addr, size=load_size, endness=endness)
+            if cfg.tag == "CFGFast":
+                cfg._seg_list.occupy(load_addr, load_size, "pointer-array")
+        except KeyError:
+            return False, []
+
+        return True, [target_addr]
+
     def resolve(  # pylint:disable=unused-argument
         self, cfg, addr, func_addr, block, jumpkind, func_graph_complete: bool = True, **kwargs
     ):
@@ -64,31 +143,9 @@ class ArmElfFastResolver(IndirectJumpResolver):
             return False, []
 
         stmt = block.statements[stmt_idx]
-        if not isinstance(stmt, pyvex.IRStmt.WrTmp):
+        if isinstance(stmt, pyvex.IRStmt.WrTmp):
+            return self._resolve_default(stmt, block, source, cfg, b)
+        elif isinstance(stmt, pyvex.IRStmt.Put):
+            return self._resolve_put(stmt, block, source, cfg, b)
+        else:
             return False, []
-        if not isinstance(stmt.data, pyvex.IRExpr.Load):
-            return False, []
-        if not isinstance(stmt.data.addr, pyvex.IRExpr.Const):
-            return False, []
-        load_addr = stmt.data.addr.con.value
-        load_size = stmt.data.result_size(block.tyenv) // 8
-        endness = archinfo.Endness.BE if stmt.data.endness == "Iend_BE" else archinfo.Endness.LE
-
-        # the next statement should be the default exit
-        next_target = next(iter(b.slice.successors(source)))
-
-        if not (next_target[0] == block.addr and next_target[1] == DEFAULT_STATEMENT):
-            return False, []
-        next_tmp = block.next
-        if next_tmp.tmp != stmt.tmp:
-            return False, []
-
-        # load the address to jump to
-        try:
-            target_addr = self.project.loader.memory.unpack_word(load_addr, size=load_size, endness=endness)
-            if cfg.tag == "CFGFast":
-                cfg._seg_list.occupy(load_addr, load_size, "pointer-array")
-        except KeyError:
-            return False, []
-
-        return True, [target_addr]

angr/analyses/decompiler/ail_simplifier.py

@@ -23,6 +23,7 @@ from ...code_location import CodeLocation, ExternalCodeLocation
 from ...sim_variable import SimStackVariable, SimMemoryVariable
 from ...knowledge_plugins.propagations.states import Equivalence
 from ...knowledge_plugins.key_definitions import atoms
+from ...knowledge_plugins.key_definitions.atoms import Register as RegisterAtom
 from ...knowledge_plugins.key_definitions.definition import Definition
 from ...knowledge_plugins.key_definitions.constants import OP_BEFORE
 from .. import Analysis, AnalysesHub
@@ -856,6 +857,25 @@ class AILSimplifier(Analysis):
             all_uses_replaced = True
             for def_, use_and_expr in all_uses_with_def:
                 u, used_expr = use_and_expr
+
+                use_expr_defns = []
+                for d in rd.all_uses.get_uses_by_location(u):
+                    if (
+                        isinstance(d.atom, RegisterAtom)
+                        and isinstance(def_.atom, RegisterAtom)
+                        and d.atom.reg_offset == def_.atom.reg_offset
+                    ):
+                        use_expr_defns.append(d)
+                    elif d.atom == def_.atom:
+                        use_expr_defns.append(d)
+                # you can never replace a use with dependencies from outside the checked defn
+                if len(use_expr_defns) != 1 or list(use_expr_defns)[0] != def_:
+                    if not use_expr_defns:
+                        _l.warning("There was no use_expr_defns for %s, this is likely a bug", u)
+                    # TODO: can you have multiple definitions which can all be eliminated?
+                    all_uses_replaced = False
+                    continue
+
                 if u == eq.codeloc:
                     # skip the very initial assignment location
                     continue

angr/analyses/decompiler/callsite_maker.py

@@ -49,6 +49,11 @@ class CallSiteMaker(Analysis):
             self.result_block = self.block
             return
 
+        if isinstance(last_stmt.target, str):
+            # custom function calls
+            self.result_block = self.block
+            return
+
         cc = None
         prototype = None
         func = None

angr/analyses/decompiler/clinic.py

@@ -6,6 +6,7 @@ from dataclasses import dataclass
 from typing import Dict, List, Tuple, Set, Optional, Iterable, Union, Type, Any, NamedTuple, TYPE_CHECKING
 
 import networkx
+import capstone
 
 import ailment
 
@@ -262,6 +263,7 @@ class Clinic(Analysis):
         ail_graph = self._simplify_blocks(
             ail_graph, stack_pointer_tracker=spt, remove_dead_memdefs=False, cache=block_simplification_cache
         )
+        self._rewrite_alloca(ail_graph)
 
         # Run simplification passes
         self._update_progress(40.0, text="Running simplifications 1")
@@ -606,7 +608,12 @@ class Clinic(Analysis):
         regs = {self.project.arch.sp_offset}
         if hasattr(self.project.arch, "bp_offset") and self.project.arch.bp_offset is not None:
             regs.add(self.project.arch.bp_offset)
-        spt = self.project.analyses.StackPointerTracker(self.function, regs, track_memory=self._sp_tracker_track_memory)
+
+        regs |= self._find_regs_compared_against_sp(self._func_graph)
+
+        spt = self.project.analyses.StackPointerTracker(
+            self.function, regs, track_memory=self._sp_tracker_track_memory, cross_insn_opt=False
+        )
         if spt.inconsistent_for(self.project.arch.sp_offset):
             l.warning("Inconsistency found during stack pointer tracking. Decompilation results might be incorrect.")
         return spt
@@ -1201,6 +1208,7 @@ class Clinic(Analysis):
 
         if self._cache is not None:
             self._cache.type_constraints = vr.type_constraints
+            self._cache.func_typevar = vr.func_typevar
             self._cache.var_to_typevar = vr.var_to_typevars
 
         return tmp_kb
@@ -1877,5 +1885,99 @@ class Clinic(Analysis):
         AILGraphWalker(graph, handle_node, replace_nodes=True).walk()
         return graph
 
+    def _find_regs_compared_against_sp(self, func_graph):
+        # TODO: Implement this function for architectures beyond amd64
+        extra_regs = set()
+        if self.project.arch.name == "AMD64":
+            for node in func_graph.nodes:
+                block = self.project.factory.block(node.addr, size=node.size).capstone
+                for insn in block.insns:
+                    if insn.mnemonic == "cmp":
+                        capstone_reg_offset = None
+                        if (
+                            insn.operands[0].type == capstone.x86.X86_OP_REG
+                            and insn.operands[0].reg == capstone.x86.X86_REG_RSP
+                            and insn.operands[1].type == capstone.x86.X86_OP_REG
+                        ):
+                            capstone_reg_offset = insn.operands[1].reg
+                        elif (
+                            insn.operands[1].type == capstone.x86.X86_OP_REG
+                            and insn.operands[1].reg == capstone.x86.X86_REG_RSP
+                            and insn.operands[0].type == capstone.x86.X86_OP_REG
+                        ):
+                            capstone_reg_offset = insn.operands[0].reg
+
+                        if capstone_reg_offset is not None:
+                            reg_name = insn.reg_name(capstone_reg_offset)
+                            extra_regs.add(self.project.arch.registers[reg_name][0])
+
+        return extra_regs
+
+    def _rewrite_alloca(self, ail_graph):
+        # pylint:disable=too-many-boolean-expressions
+        alloca_node = None
+        sp_equal_to = None
+
+        for node in ail_graph:
+            if ail_graph.in_degree[node] == 2 and ail_graph.out_degree[node] == 2:
+                succs = ail_graph.successors(node)
+                if node in succs:
+                    # self loop!
+                    if len(node.statements) >= 6:
+                        stmt0 = node.statements[1]  # skip the LABEL statement
+                        stmt1 = node.statements[2]
+                        last_stmt = node.statements[-1]
+                        if (
+                            isinstance(stmt0, ailment.Stmt.Assignment)
+                            and isinstance(stmt0.dst, ailment.Expr.Register)
+                            and isinstance(stmt0.src, ailment.Expr.StackBaseOffset)
+                            and stmt0.src.offset == -0x1000
+                        ):
+                            if (
+                                isinstance(stmt1, ailment.Stmt.Store)
+                                and isinstance(stmt1.addr, ailment.Expr.StackBaseOffset)
+                                and stmt1.addr.offset == -0x1000
+                                and isinstance(stmt1.data, ailment.Expr.Load)
+                                and isinstance(stmt1.data.addr, ailment.Expr.StackBaseOffset)
+                                and stmt1.data.addr.offset == -0x1000
+                            ):
+                                if (
+                                    isinstance(last_stmt, ailment.Stmt.ConditionalJump)
+                                    and isinstance(last_stmt.condition, ailment.Expr.BinaryOp)
+                                    and last_stmt.condition.op == "CmpEQ"
+                                    and isinstance(last_stmt.condition.operands[0], ailment.Expr.StackBaseOffset)
+                                    and last_stmt.condition.operands[0].offset == -0x1000
+                                    and isinstance(last_stmt.condition.operands[1], ailment.Expr.Register)
+                                    and isinstance(last_stmt.false_target, ailment.Expr.Const)
+                                    and last_stmt.false_target.value == node.addr
+                                ):
+                                    # found it!
+                                    alloca_node = node
+                                    sp_equal_to = ailment.Expr.BinaryOp(
+                                        None,
+                                        "Sub",
+                                        [
+                                            ailment.Expr.Register(
+                                                None, None, self.project.arch.sp_offset, self.project.arch.bits
+                                            ),
+                                            last_stmt.condition.operands[1],
+                                        ],
+                                        False,
+                                    )
+                                    break
+
+        if alloca_node is not None:
+            stmt0 = alloca_node.statements[1]
+            statements = [ailment.Stmt.Call(stmt0.idx, "alloca", args=[sp_equal_to], **stmt0.tags)]
+            new_node = ailment.Block(alloca_node.addr, alloca_node.original_size, statements=statements)
+            # replace the node
+            preds = [pred for pred in ail_graph.predecessors(alloca_node) if pred is not alloca_node]
+            succs = [succ for succ in ail_graph.successors(alloca_node) if succ is not alloca_node]
+            ail_graph.remove_node(alloca_node)
+            for pred in preds:
+                ail_graph.add_edge(pred, new_node)
+            for succ in succs:
+                ail_graph.add_edge(new_node, succ)
+
 
 register_analysis(Clinic, "Clinic")

angr/analyses/decompiler/decompilation_cache.py

@@ -15,6 +15,7 @@ class DecompilationCache:
     __slots__ = (
         "addr",
         "type_constraints",
+        "func_typevar",
         "var_to_typevar",
         "codegen",
         "clinic",
@@ -25,6 +26,7 @@ class DecompilationCache:
     def __init__(self, addr):
         self.addr = addr
         self.type_constraints: Optional[Set] = None
+        self.func_typevar = None
         self.var_to_typevar: Optional[Dict] = None
         self.codegen: Optional[BaseStructuredCodeGenerator] = None
         self.clinic: Optional[Clinic] = None

angr/analyses/decompiler/decompiler.py

@@ -10,7 +10,7 @@ import ailment
 from angr.analyses.cfg import CFGFast
 from ...knowledge_plugins.functions.function import Function
 from ...knowledge_base import KnowledgeBase
-from ...sim_variable import SimMemoryVariable
+from ...sim_variable import SimMemoryVariable, SimRegisterVariable, SimStackVariable
 from ...utils import timethis
 from .. import Analysis, AnalysesHub
 from .structuring import RecursiveStructurer, PhoenixStructurer
@@ -403,7 +403,7 @@ class Decompiler(Analysis):
                     SimMemoryVariable(symbol.rebased_addr, 1, name=symbol.name, ident=ident),
                 )
 
-    def reflow_variable_types(self, type_constraints: Set, var_to_typevar: Dict, codegen):
+    def reflow_variable_types(self, type_constraints: Set, func_typevar, var_to_typevar: Dict, codegen):
         """
         Re-run type inference on an existing variable recovery result, then rerun codegen to generate new results.
 
@@ -439,13 +439,30 @@ class Decompiler(Analysis):
         try:
             tp = self.project.analyses.Typehoon(
                 type_constraints,
+                func_typevar,
                 kb=var_kb,
                 var_mapping=var_to_typevar,
                 must_struct=must_struct,
                 ground_truth=groundtruth,
             )
-            tp.update_variable_types(self.func.addr, var_to_typevar)
-            tp.update_variable_types("global", var_to_typevar)
+            tp.update_variable_types(
+                self.func.addr,
+                {v: t for v, t in var_to_typevar.items() if isinstance(v, (SimRegisterVariable, SimStackVariable))},
+            )
+            tp.update_variable_types(
+                "global",
+                {v: t for v, t in var_to_typevar.items() if isinstance(v, (SimRegisterVariable, SimStackVariable))},
+            )
+            # update the function prototype if needed
+            if self.func.prototype is not None and self.func.prototype.args:
+                var_manager = var_kb.variables[self.func.addr]
+                for i, arg in enumerate(codegen.cfunc.arg_list):
+                    if i >= len(self.func.prototype.args):
+                        break
+                    var = arg.variable
+                    new_type = var_manager.get_variable_type(var)
+                    if new_type is not None:
+                        self.func.prototype.args[i] = new_type
         except Exception:  # pylint:disable=broad-except
             l.warning(
                 "Typehoon analysis failed. Variables will not have types. Please report to GitHub.", exc_info=True

angr/analyses/decompiler/optimization_passes/code_motion.py

@@ -3,7 +3,7 @@ from typing import Tuple, List, Optional, Dict
 import logging
 
 from ailment import Block
-from ailment.statement import Jump, ConditionalJump, Statement
+from ailment.statement import Jump, ConditionalJump, Statement, DirtyStatement
 import networkx as nx
 
 from angr.analyses.decompiler.optimization_passes.optimization_pass import OptimizationPass, OptimizationPassStage
@@ -133,8 +133,13 @@ class CodeMotionOptimization(OptimizationPass):
         """
         # TODO: how can you handle an odd-numbered switch case? or many blocks with the same child?
         for b0, b1 in itertools.combinations(graph.nodes, 2):
-            # ignore exact copies
-            if b0 is b1 or not b0.statements or not b1.statements or is_similar(b0, b1):
+            if (
+                b0 is b1
+                or not b0.statements
+                or not b1.statements
+                or any(isinstance(stmt, DirtyStatement) for stmt in b0.statements + b1.statements)
+                or is_similar(b0, b1)
+            ):
                 continue
 
             # TODO: add support for moving code to a shared parent block, which requires that we figure out how to

angr/analyses/decompiler/optimization_passes/optimization_pass.py

@@ -335,6 +335,7 @@ class StructuringOptimizationPass(OptimizationPass):
         simp = self.project.analyses.AILSimplifier(
             self._func,
             func_graph=graph,
+            use_callee_saved_regs_at_return=False,
             gp=self._func.info.get("gp", None) if self.project.arch.name in {"MIPS32", "MIPS64"} else None,
         )
         return simp.func_graph if simp.simplified else graph

angr/analyses/decompiler/optimization_passes/stack_canary_simplifier.py

@@ -178,24 +178,36 @@ class StackCanarySimplifier(OptimizationPass):
         # Done!
 
     def _find_canary_init_stmt(self):
-        first_block = self._get_block(self._func.addr)
-        if first_block is None:
-            return None
-
-        for idx, stmt in enumerate(first_block.statements):
-            if (
-                isinstance(stmt, ailment.Stmt.Store)
-                and isinstance(stmt.addr, ailment.Expr.StackBaseOffset)
-                and isinstance(stmt.data, ailment.Expr.Load)
-                and self._is_add(stmt.data.addr)
-            ):
-                # Check addr: must be fs+0x28
-                op0, op1 = stmt.data.addr.operands
-                if isinstance(op1, ailment.Expr.Register):
-                    op0, op1 = op1, op0
-                if isinstance(op0, ailment.Expr.Register) and isinstance(op1, ailment.Expr.Const):
-                    if op0.reg_offset == self.project.arch.get_register_offset("fs") and op1.value == 0x28:
-                        return first_block, idx
+        block_addr = self._func.addr
+        traversed = set()
+
+        while True:
+            traversed.add(block_addr)
+            first_block = self._get_block(block_addr)
+            if first_block is None:
+                break
+
+            for idx, stmt in enumerate(first_block.statements):
+                if (
+                    isinstance(stmt, ailment.Stmt.Store)
+                    and isinstance(stmt.addr, ailment.Expr.StackBaseOffset)
+                    and isinstance(stmt.data, ailment.Expr.Load)
+                    and self._is_add(stmt.data.addr)
+                ):
+                    # Check addr: must be fs+0x28
+                    op0, op1 = stmt.data.addr.operands
+                    if isinstance(op1, ailment.Expr.Register):
+                        op0, op1 = op1, op0
+                    if isinstance(op0, ailment.Expr.Register) and isinstance(op1, ailment.Expr.Const):
+                        if op0.reg_offset == self.project.arch.get_register_offset("fs") and op1.value == 0x28:
+                            return first_block, idx
+
+            succs = list(self._graph.successors(first_block))
+            if len(succs) == 1:
+                block_addr = succs[0].addr
+                if block_addr not in traversed:
+                    continue
+            break
 
         return None
 

angr/analyses/decompiler/peephole_optimizations/bswap.py

@@ -9,8 +9,8 @@ from .base import PeepholeOptimizationExprBase
 class Bswap(PeepholeOptimizationExprBase):
     __slots__ = ()
 
-    NAME = "Simplifying bswap_16()"
-    expr_classes = (BinaryOp,)  # all expressions are allowed
+    NAME = "Simplifying bswap_16() and bswap_32()"
+    expr_classes = (BinaryOp, Convert)
 
     def optimize(self, expr: BinaryOp, **kwargs):
         # bswap_16
@@ -48,6 +48,57 @@ class Bswap(PeepholeOptimizationExprBase):
 
                     return None
 
+        # bswap_32
+        #   (Conv(64->32, rax<8>) << 0x18<8>) |
+        #   (((Conv(64->32, rax<8>) << 0x8<8>) & 0xff0000<32>) |
+        #   (((Conv(64->32, rax<8>) >> 0x8<8>) & 0xff00<32>) |
+        #   ((Conv(64->32, rax<8>) >> 0x18<8>) & 0xff<32>))))
+        if expr.op == "Or":
+            # fully flatten the expression
+            or_pieces = []
+            queue = [expr]
+            while queue:
+                operand = queue.pop(0)
+                if isinstance(operand, BinaryOp) and operand.op == "Or":
+                    queue.append(operand.operands[0])
+                    queue.append(operand.operands[1])
+                else:
+                    or_pieces.append(operand)
+            if len(or_pieces) == 4:
+                # parse pieces
+                shifts = set()
+                cores = set()
+                for piece in or_pieces:
+                    if isinstance(piece, BinaryOp):
+                        if piece.op == "Shl" and isinstance(piece.operands[1], Const):
+                            cores.add(piece.operands[0])
+                            shifts.add(("<<", piece.operands[1].value, 0xFFFFFFFF))
+                        elif piece.op == "And" and isinstance(piece.operands[1], Const):
+                            and_amount = piece.operands[1].value
+                            and_core = piece.operands[0]
+                            if (
+                                isinstance(and_core, BinaryOp)
+                                and and_core.op == "Shl"
+                                and isinstance(and_core.operands[1], Const)
+                            ):
+                                cores.add(and_core.operands[0])
+                                shifts.add(("<<", and_core.operands[1].value, and_amount))
+                            elif (
+                                isinstance(and_core, BinaryOp)
+                                and and_core.op == "Shr"
+                                and isinstance(and_core.operands[1], Const)
+                            ):
+                                cores.add(and_core.operands[0])
+                                shifts.add((">>", and_core.operands[1].value, and_amount))
+                if len(cores) == 1 and shifts == {
+                    ("<<", 0x18, 0xFFFFFFFF),
+                    ("<<", 8, 0xFF0000),
+                    (">>", 0x18, 0xFF),
+                    (">>", 8, 0xFF00),
+                }:
+                    core_expr = next(iter(cores))
+                    return Call(expr.idx, "__buildin_bswap32", args=[core_expr], bits=expr.bits, **expr.tags)
+
         return None
 
     def _match_inner(self, or_first: BinaryOp, or_second: BinaryOp) -> Tuple[bool, Optional[Expression]]:

angr/analyses/decompiler/peephole_optimizations/eager_eval.py

@@ -1,6 +1,6 @@
 from math import gcd
 
-from ailment.expression import BinaryOp, UnaryOp, Const, Convert
+from ailment.expression import BinaryOp, UnaryOp, Const, Convert, StackBaseOffset
 
 from .base import PeepholeOptimizationExprBase
 
@@ -59,6 +59,22 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
                         expr.signed,
                         **expr.tags,
                     )
+            if (
+                isinstance(expr.operands[0], BinaryOp)
+                and expr.operands[0].op == "Mul"
+                and isinstance(expr.operands[0].operands[1], Const)
+                and expr.operands[0].operands[0].likes(expr.operands[1])
+            ):
+                # A * x + x => (A + 1) * x
+                coeff_expr = expr.operands[0].operands[1]
+                new_coeff = coeff_expr.value + 1
+                return BinaryOp(
+                    expr.idx,
+                    "Mul",
+                    [Const(coeff_expr.idx, None, new_coeff, coeff_expr.bits), expr.operands[1]],
+                    expr.signed,
+                    **expr.tags,
+                )
         elif expr.op == "Sub":
             if isinstance(expr.operands[0], Const) and isinstance(expr.operands[1], Const):
                 mask = (1 << expr.bits) - 1
@@ -93,6 +109,9 @@ class EagerEvaluation(PeepholeOptimizationExprBase):
             if isinstance(expr.operands[0], Const) and expr.operands[0].value == 0:
                 return UnaryOp(expr.idx, "Neg", expr.operands[1], **expr.tags)
 
+            if isinstance(expr.operands[0], StackBaseOffset) and isinstance(expr.operands[1], StackBaseOffset):
+                return Const(expr.idx, None, expr.operands[0].offset - expr.operands[1].offset, expr.bits, **expr.tags)
+
         elif expr.op == "And":
             if isinstance(expr.operands[0], Const) and isinstance(expr.operands[1], Const):
                 new_expr = Const(