angr 9.2.93__py3-none-manylinux2014_x86_64.whl → 9.2.94__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/structured_codegen/c.py

@@ -3,7 +3,6 @@ from typing import Optional, Dict, List, Tuple, Set, Any, Union, TYPE_CHECKING,
 from collections import defaultdict
 import logging
 import struct
-from functools import reduce
 
 from ailment import Block, Expr, Stmt, Tmp
 from ailment.expression import StackBaseOffset, BinaryOp
@@ -587,7 +586,7 @@ class CFunction(CConstruct):  # pylint:disable=abstract-method
         yield " ", None
         # function name
         if self.demangled_name and self.show_demangled_name:
-            normalized_name = get_cpp_function_name(self.demangled_name, specialized=False, qualified=False)
+            normalized_name = get_cpp_function_name(self.demangled_name, specialized=False, qualified=True)
         else:
             normalized_name = self.name
         yield normalized_name, self
@@ -2184,29 +2183,24 @@ class CConstant(CExpression):
 
         if self.fmt_float:
             if 0 < value <= 0xFFFF_FFFF:
-                str_value = str(struct.unpack("f", struct.pack("I", value))[0])
-                return str_value
+                return str(struct.unpack("f", struct.pack("I", value))[0])
+
+        if self.fmt_char:
+            if value < 0:
+                value += 2**self._type.size
+            value &= 0xFF
+            return repr(chr(value)) if value < 0x80 else f"'\\x{value:x}'"
 
         if self.fmt_neg:
             if value > 0:
-                value = value - 2**self._type.size
+                value -= 2**self._type.size
             elif value < 0:
-                value = value + 2**self._type.size
-
-        str_value = None
-        if self.fmt_char:
-            try:
-                str_value = f"'{chr(value)}'"
-            except ValueError:
-                str_value = None
+                value += 2**self._type.size
 
-        if str_value is None:
-            if self.fmt_hex:
-                str_value = hex(value)
-            else:
-                str_value = str(value)
+        if self.fmt_hex:
+            return hex(value)
 
-        return str_value
+        return str(value)
 
 
 class CRegister(CExpression):
@@ -2609,6 +2603,15 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             if isinstance(var, CVariable):
                 var.variable_type = self._get_variable_type(var.variable, is_global=True)
 
+        for cvar in self.cfunc.arg_list:
+            vartype = self._get_variable_type(
+                cvar.variable,
+                is_global=isinstance(cvar.variable, SimMemoryVariable)
+                and not isinstance(cvar.variable, SimStackVariable),
+            )
+            if vartype is not None:
+                cvar.variable_type = vartype.with_arch(self.project.arch)
+
     #
     # Util methods
     #
@@ -2842,30 +2845,40 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             if len(o_terms) == 0:
                 # probably a plain integer, return as is
                 return expr
-            result = reduce(
-                lambda a1, a2: CBinaryOp("Add", a1, a2, codegen=self),
-                (
-                    (
-                        CBinaryOp(
-                            "Mul",
-                            CConstant(c, t.type, codegen=self),
-                            (
-                                t
-                                if not isinstance(t.type, SimTypePointer)
-                                else CTypeCast(t.type, SimTypePointer(SimTypeChar()), t, codegen=self)
-                            ),
-                            codegen=self,
-                        )
-                        if c != 1
-                        else (
+            result = None
+            pointer_length_int_type = (
+                SimTypeLongLong(signed=False) if self.project.arch.bits == 64 else SimTypeInt(signed=False)
+            )
+            for c, t in o_terms:
+                op = "Add"
+                if c == -1 and result is not None:
+                    op = "Sub"
+                    piece = (
+                        t
+                        if not isinstance(t.type, SimTypePointer)
+                        else CTypeCast(t.type, SimTypePointer(SimTypeChar()), t, codegen=self)
+                    )
+                elif c == 1:
+                    piece = (
+                        t
+                        if not isinstance(t.type, SimTypePointer)
+                        else CTypeCast(t.type, SimTypePointer(SimTypeChar()), t, codegen=self)
+                    )
+                else:
+                    piece = CBinaryOp(
+                        "Mul",
+                        CConstant(c, t.type, codegen=self),
+                        (
                             t
                             if not isinstance(t.type, SimTypePointer)
-                            else CTypeCast(t.type, SimTypePointer(SimTypeChar()), t, codegen=self)
-                        )
+                            else CTypeCast(t.type, pointer_length_int_type, t, codegen=self)
+                        ),
+                        codegen=self,
                     )
-                    for c, t in o_terms
-                ),
-            )
+                if result is None:
+                    result = piece
+                else:
+                    result = CBinaryOp(op, result, piece, codegen=self)
             if o_constant != 0:
                 result = CBinaryOp("Add", CConstant(o_constant, SimTypeInt(), codegen=self), result, codegen=self)
 
@@ -2888,6 +2901,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
                 if kernel is not None:
                     l.warning("Summing two different pointers together. Uh oh!")
                     return bail_out()
+                if c == -1:
+                    # legit case: you can deduct a pointer from another pointer and get an integer as result in C
+                    return bail_out()
                 if c != 1:
                     l.warning("Multiplying a pointer by a constant??")
                     return bail_out()

angr/analyses/propagator/engine_ail.py

@@ -1148,6 +1148,9 @@ class SimEnginePropagatorAIL(
             )
         return PropValue.from_value_and_details(value, expr.size, new_expr, self._codeloc())
 
+    _ail_handle_AddV = _ail_handle_Add
+    _ail_handle_MulV = _ail_handle_Mul
+
     def _ail_handle_Mull(self, expr):
         o0_value = self._expr(expr.operands[0])
         o1_value = self._expr(expr.operands[1])

angr/analyses/reaching_definitions/engine_ail.py

@@ -728,6 +728,9 @@ class SimEngineRDAIL(
         r = MultiValues(self.state.top(bits))
         return r
 
+    _ail_handle_AddV = _ail_handle_Add
+    _ail_handle_MulV = _ail_handle_Mul
+
     def _ail_handle_Mull(self, expr):
         arg0, arg1 = expr.operands
 

angr/analyses/reaching_definitions/reaching_definitions.py

@@ -539,6 +539,13 @@ class ReachingDefinitionsAnalysis(
         for use in [state.stack_uses, state.heap_uses, state.register_uses, state.memory_uses]:
             self.all_uses.merge(use)
 
+        if self._track_tmps:
+            # merge tmp uses to all_uses
+            for tmp_idx, locs in state.tmp_uses.items():
+                tmp_def = next(iter(state.tmps[tmp_idx]))
+                for loc in locs:
+                    self.all_uses.add_use(tmp_def, loc)
+
         # drop definitions and uses because we will not need them anymore
         state.downsize()
 

angr/analyses/stack_pointer_tracker.py

@@ -3,6 +3,7 @@
 from typing import Set, List, Optional, TYPE_CHECKING
 import re
 import logging
+from collections import defaultdict
 
 import pyvex
 
@@ -148,6 +149,21 @@ class OffsetVal:
         return f"reg({self.reg}){(self.offset - 2**self.reg.bitlen) if self.offset != 0 else 0:+}"
 
 
+class Eq:
+    """
+    Represent an equivalence condition.
+    """
+
+    __slots__ = ("val0", "val1")
+
+    def __init__(self, val0, val1):
+        self.val0 = val0
+        self.val1 = val1
+
+    def __hash__(self):
+        return hash((type(self), self.val0, self.val1))
+
+
 class FrozenStackPointerTrackerState:
     """
     Abstract state for StackPointerTracker analysis with registers and memory values being in frozensets.
@@ -296,7 +312,12 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
     """
 
     def __init__(
-        self, func: Optional[Function], reg_offsets: Set[int], block: Optional["Block"] = None, track_memory=True
+        self,
+        func: Optional[Function],
+        reg_offsets: Set[int],
+        block: Optional["Block"] = None,
+        track_memory=True,
+        cross_insn_opt=True,
     ):
         if func is not None:
             if not func.normalized:
@@ -316,6 +337,8 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
         self.reg_offsets = reg_offsets
         self.states = {}
         self._blocks = {}
+        self._reg_value_at_block_start = defaultdict(dict)
+        self.cross_insn_opt = cross_insn_opt
 
         _l.debug("Running on function %r", self._func)
         self._analyze()
@@ -468,7 +491,7 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
         self._set_state(addr, new_val, "pre")
 
     def _run_on_node(self, node: BlockNode, state):
-        block = self.project.factory.block(node.addr, size=node.size)
+        block = self.project.factory.block(node.addr, size=node.size, cross_insn_opt=self.cross_insn_opt)
         self._blocks[node.addr] = block
 
         state = state.unfreeze()
@@ -483,6 +506,10 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
         except SimTranslationError:
             pass
 
+        if node.addr in self._reg_value_at_block_start:
+            for reg, val in self._reg_value_at_block_start[node.addr].items():
+                state.put(reg, val)
+
         if vex_block is not None:
             if isinstance(vex_block, pyvex.IRSB):
                 curr_stmt_start_addr = self._process_vex_irsb(node, vex_block, state)
@@ -548,7 +575,12 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                         and is_alignment_mask(arg1_expr.val)
                     ):
                         return arg0_expr
-                    raise CouldNotResolveException()
+                elif expr.op.startswith("Iop_CmpEQ"):
+                    arg0_expr = _resolve_expr(arg0)
+                    arg1_expr = _resolve_expr(arg1)
+                    if isinstance(arg0_expr, (Register, OffsetVal)) and isinstance(arg1_expr, (Register, OffsetVal)):
+                        return Eq(arg0_expr, arg1_expr)
+                raise CouldNotResolveException()
             elif type(expr) is pyvex.IRExpr.RdTmp and expr.tmp in tmps and tmps[expr.tmp] is not None:
                 return tmps[expr.tmp]
             elif type(expr) is pyvex.IRExpr.Const:
@@ -563,13 +595,15 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                     to_bits = int(m.group(3))
                     # to_unsigned = m.group(4) == "U"
                     v = resolve_expr(expr.args[0])
-                    if not isinstance(v, Constant):
-                        return TOP
-                    if from_bits > to_bits:
-                        # truncation
-                        mask = (1 << to_bits) - 1
-                        return Constant(v.val & mask)
-                    return v
+                    if isinstance(v, Constant):
+                        if from_bits > to_bits:
+                            # truncation
+                            mask = (1 << to_bits) - 1
+                            return Constant(v.val & mask)
+                        return v
+                    elif isinstance(v, Eq):
+                        return v
+                    return TOP
             elif self.track_mem and type(expr) is pyvex.IRExpr.Load:
                 return state.load(_resolve_expr(expr.addr))
             raise CouldNotResolveException()
@@ -606,6 +640,22 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                 and vex_block.instruction_addresses.index(curr_stmt_start_addr) == vex_block.instructions - 1
             ):
                 exit_observed = True
+                if (
+                    type(stmt.guard) is pyvex.IRExpr.RdTmp
+                    and stmt.guard.tmp in tmps
+                    and isinstance(stmt.dst, pyvex.IRConst.IRConst)
+                ):
+                    guard = tmps[stmt.guard.tmp]
+                    if isinstance(guard, Eq):
+                        for reg, val in state.regs.items():
+                            if reg in {self.project.arch.sp_offset, self.project.arch.bp_offset}:
+                                cond = None
+                                if val == guard.val0:
+                                    cond = guard.val1
+                                elif val == guard.val1:
+                                    cond = guard.val0
+                                if cond is not None:
+                                    self._reg_value_at_block_start[stmt.dst.value][reg] = cond
             else:
                 try:
                     resolve_stmt(stmt)

angr/analyses/typehoon/simple_solver.py

@@ -1079,6 +1079,8 @@ class SimpleSolver:
                 last_labels.append(labels[-1])
 
         # now, what is this variable?
+        result = None
+
         if last_labels and all(isinstance(label, (FuncIn, FuncOut)) for label in last_labels):
             # create a dummy result and dump it to the cache
             func_type = Function([], [])
@@ -1117,22 +1119,8 @@ class SimpleSolver:
             for node in nodes:
                 solution[node.typevar] = result
 
-        elif not path_and_successors:
-            # this is a primitive variable
-            lower_bound = Bottom_
-            upper_bound = Top_
-
-            for node in nodes:
-                lower_bound = self.join(lower_bound, node.lower_bound)
-                upper_bound = self.meet(upper_bound, node.upper_bound)
-                # TODO: Support variables that are accessed via differently sized pointers
-
-            result = lower_bound if not isinstance(lower_bound, BottomType) else upper_bound
-            for node in nodes:
-                solution[node.typevar] = result
-                self._solution_cache[node.typevar] = result
-
-        else:
+        elif path_and_successors:
+            # maybe this is a pointer to a struct?
             if len(nodes) == 1:
                 the_node = next(iter(nodes))
                 if (
@@ -1204,6 +1192,21 @@ class SimpleSolver:
                 for node in nodes:
                     solution[node.typevar] = result
 
+        if not path_and_successors or result in {Top_, None}:
+            # this is probably a primitive variable
+            lower_bound = Bottom_
+            upper_bound = Top_
+
+            for node in nodes:
+                lower_bound = self.join(lower_bound, node.lower_bound)
+                upper_bound = self.meet(upper_bound, node.upper_bound)
+                # TODO: Support variables that are accessed via differently sized pointers
+
+            result = lower_bound if not isinstance(lower_bound, BottomType) else upper_bound
+            for node in nodes:
+                solution[node.typevar] = result
+                self._solution_cache[node.typevar] = result
+
         # import pprint
 
         # print("Solution")

angr/calling_conventions.py

@@ -1774,9 +1774,6 @@ class SimCCARMHF(SimCCARM):
     RETURN_VAL = SimRegArg("r0", 4)  # TODO Return val can also include reg r1
     ARCH = archinfo.ArchARMHF
 
-    def next_arg(self, session, arg_type):
-        return SimCC.next_arg(self, session, arg_type)
-
 
 class SimCCARMLinuxSyscall(SimCCSyscall):
     # TODO: Make sure all the information is correct

angr/engines/pcode/cc.py

@@ -43,7 +43,7 @@ class SimCCSPARC(SimCC):
     Default CC for SPARC
     """
 
-    ARG_REGS = ["o0", "o1"]
+    ARG_REGS = ["o0", "o1", "o2", "o3", "o4", "o5"]
     RETURN_VAL = SimRegArg("o0", 8)
     RETURN_ADDR = SimRegArg("o7", 8)
 

angr/engines/successors.py

@@ -271,6 +271,12 @@ class SimSuccessors:
             self.unsat_successors.append(state)
         elif o.NO_SYMBOLIC_JUMP_RESOLUTION in state.options and state.solver.symbolic(target):
             self.unconstrained_successors.append(state)
+        elif o.CALLLESS in state.options and state.history.jumpkind == "Ijk_Call" and state.solver.symbolic(target):
+            # If CALLESS is set, even a symbolic call target is allowed, because we don't want to resolve the target
+            # anyway
+            # The actual state will be fixed up later during `VEXMixin.process_successors`
+            self.successors.append(state)
+            self.flat_successors.append(state)
         elif not state.solver.symbolic(target) and not state.history.jumpkind.startswith("Ijk_Sys"):
             # a successor with a concrete IP, and it's not a syscall
             self.successors.append(state)

angr/knowledge_plugins/propagations/states.py

@@ -899,7 +899,8 @@ class PropagatorAILState(PropagatorState):
                             def_ = next(iter(defs))
                     if def_ is not None:
                         self._expr_used_locs[def_].append(codeloc)
-                        prop_count = len(self._expr_used_locs[def_])
+                        # we must consider known future uses of this definition as well
+                        prop_count = max(len(self._expr_used_locs[def_]), len(self.rda.all_uses.get_uses(def_)))
                     else:
                         # multiple definitions or no definitions - do not propagate
                         return False

angr/procedures/definitions/glibc.py

@@ -43,7 +43,6 @@ libc.set_non_returning(
     "__longjmp_chk",
     "__siglongjmp_chk",
 )
-libc.add_alias("exit", "_exit", "_Exit")
 
 
 #
@@ -6849,6 +6848,9 @@ libc.add_alias("getc", "_IO_getc")
 libc.add_alias("putc", "_IO_putc")
 libc.add_alias("gets", "_IO_gets")
 libc.add_alias("puts", "_IO_puts")
+libc.add_alias("exit", "_exit", "_Exit")
+libc.add_alias("sprintf", "siprintf")
+libc.add_alias("snprintf", "sniprintf")
 
 
 #

angr/sim_type.py

@@ -60,6 +60,8 @@ class SimType:
             attr_self = getattr(self, attr)
             attr_other = getattr(other, attr)
             if isinstance(attr_self, SimType):
+                if attr_other is attr_self:
+                    return True
                 if avoid is not None and attr_self in avoid["self"] and attr_other in avoid["other"]:
                     continue
                 if not attr_self.__eq__(attr_other, avoid=avoid):

angr/utils/library.py

@@ -205,7 +205,7 @@ def get_cpp_function_name(demangled_name, specialized=True, qualified=True):
     if not qualified:
         # remove leading namespaces
         chunks = name.split("::")
-        name = "::".join(chunks[-2:])
+        name = "::".join(chunks[2:])
 
     # remove arguments
     if "(" in name:

{angr-9.2.93.dist-info → angr-9.2.94.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: angr
-Version: 9.2.93
+Version: 9.2.94
 Summary: A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries
 Home-page: https://github.com/angr/angr
 License: BSD-2-Clause
@@ -17,13 +17,13 @@ Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: CppHeaderParser
 Requires-Dist: GitPython
-Requires-Dist: ailment ==9.2.93
-Requires-Dist: archinfo ==9.2.93
+Requires-Dist: ailment ==9.2.94
+Requires-Dist: archinfo ==9.2.94
 Requires-Dist: cachetools
 Requires-Dist: capstone ==5.0.0.post1
 Requires-Dist: cffi >=1.14.0
-Requires-Dist: claripy ==9.2.93
-Requires-Dist: cle ==9.2.93
+Requires-Dist: claripy ==9.2.94
+Requires-Dist: cle ==9.2.94
 Requires-Dist: dpkt
 Requires-Dist: itanium-demangler
 Requires-Dist: mulpyplexer
@@ -33,7 +33,7 @@ Requires-Dist: protobuf >=3.19.0
 Requires-Dist: psutil
 Requires-Dist: pycparser >=2.18
 Requires-Dist: pyformlang
-Requires-Dist: pyvex ==9.2.93
+Requires-Dist: pyvex ==9.2.94
 Requires-Dist: rich >=13.1.0
 Requires-Dist: rpyc
 Requires-Dist: sortedcontainers