angr 9.2.95__py3-none-manylinux2014_x86_64.whl → 9.2.97__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/structured_codegen/c.py

@@ -1646,6 +1646,7 @@ class CUnaryOp(CExpression):
             "BitwiseNeg": self._c_repr_chunks_bitwiseneg,
             "Reference": self._c_repr_chunks_reference,
             "Dereference": self._c_repr_chunks_dereference,
+            "Clz": self._c_repr_chunks_clz,
         }
 
         handler = OP_MAP.get(self.op, None)
@@ -1690,6 +1691,13 @@ class CUnaryOp(CExpression):
         yield from CExpression._try_c_repr_chunks(self.operand)
         yield ")", paren
 
+    def _c_repr_chunks_clz(self):
+        paren = CClosingObject("(")
+        yield "Clz", self
+        yield "(", paren
+        yield from CExpression._try_c_repr_chunks(self.operand)
+        yield ")", paren
+
 
 class CBinaryOp(CExpression):
     """
@@ -2097,6 +2105,14 @@ class CConstant(CExpression):
     def fmt_float(self, v: bool):
         self._fmt_setter["float"] = v
 
+    @property
+    def fmt_double(self):
+        return self.fmt.get("double", False)
+
+    @fmt_double.setter
+    def fmt_double(self, v: bool):
+        self._fmt_setter["double"] = v
+
     @property
     def type(self):
         return self._type
@@ -2191,6 +2207,11 @@ class CConstant(CExpression):
             value &= 0xFF
             return repr(chr(value)) if value < 0x80 else f"'\\x{value:x}'"
 
+        if self.fmt_double:
+            if 0 < value <= 0xFFFF_FFFF_FFFF_FFFF:
+                str_value = str(struct.unpack("d", struct.pack("Q", value))[0])
+                return str_value
+
         if self.fmt_neg:
             if value > 0:
                 value -= 2**self._type.size

angr/analyses/decompiler/structuring/phoenix.py

@@ -873,7 +873,6 @@ class PhoenixStructurer(StructurerBase):
     def _refine_cyclic_is_while_loop(
         self, graph, fullgraph, loop_head, head_succs
     ) -> Tuple[bool, Optional[Tuple[List, List, BaseNode, BaseNode]]]:
-
         if len(head_succs) == 2 and any(head_succ not in graph for head_succ in head_succs):
             # make sure the head_pred is not already structured
             _, _, head_block_0 = self._find_node_going_to_dst(loop_head, head_succs[0])
@@ -1081,6 +1080,7 @@ class PhoenixStructurer(StructurerBase):
             node,
             self.cond_proc.claripy_ast_from_ail_condition(last_stmt.switch_variable),
             cases,
+            node_default_addr,
             node_default,
             last_stmt.ins_addr,
             to_remove,
@@ -1191,7 +1191,16 @@ class PhoenixStructurer(StructurerBase):
 
         to_remove.add(node_a)  # add node_a
         self._make_switch_cases_core(
-            node, cmp_expr, cases, node_default, last_stmt.ins_addr, to_remove, graph, full_graph, node_a=node_a
+            node,
+            cmp_expr,
+            cases,
+            node_b_addr,
+            node_default,
+            last_stmt.ins_addr,
+            to_remove,
+            graph,
+            full_graph,
+            node_a=node_a,
         )
 
         self._switch_handle_gotos(cases, node_default, switch_end_addr)
@@ -1243,7 +1252,9 @@ class PhoenixStructurer(StructurerBase):
             # there must be a default case
             return False
 
-        self._make_switch_cases_core(node, cmp_expr, cases, node_default, node.addr, to_remove, graph, full_graph)
+        self._make_switch_cases_core(
+            node, cmp_expr, cases, default_addr, node_default, node.addr, to_remove, graph, full_graph
+        )
 
         return True
 
@@ -1260,7 +1271,11 @@ class PhoenixStructurer(StructurerBase):
 
         successors = list(graph.successors(node))
 
-        if successors and all(graph.in_degree[succ] == 1 for succ in successors):
+        if (
+            successors
+            and {succ.addr for succ in successors} == set(jump_tables[node.addr].jumptable_entries)
+            and all(graph.in_degree[succ] == 1 for succ in successors)
+        ):
             out_nodes = set()
             for succ in successors:
                 out_nodes |= set(full_graph.successors(succ))
@@ -1397,6 +1412,7 @@ class PhoenixStructurer(StructurerBase):
         head,
         cmp_expr,
         cases: ODict,
+        node_default_addr: int,
         node_default,
         addr,
         to_remove: Set,
@@ -1435,6 +1451,12 @@ class PhoenixStructurer(StructurerBase):
             # the head no longer goes to the default case
             graph.remove_edge(head, node_default)
             full_graph.remove_edge(head, node_default)
+        else:
+            # the default node is not in the current graph, but it might be in the full graph
+            node_default_in_full_graph = next(iter(nn for nn in full_graph if nn.addr == node_default_addr), None)
+            if node_default_in_full_graph is not None and full_graph.has_edge(head, node_default_in_full_graph):
+                # the head no longer jumps to the default node - the switch jumps to it
+                full_graph.remove_edge(head, node_default_in_full_graph)
 
         for nn in to_remove:
             graph.remove_node(nn)
@@ -2102,6 +2124,8 @@ class PhoenixStructurer(StructurerBase):
         for src, dst in acyclic_graph.edges:
             if src is dst:
                 continue
+            if src not in graph:
+                continue
             if not dominates(idoms, src, dst) and not dominates(idoms, dst, src):
                 if (src.addr, dst.addr) not in self.whitelist_edges:
                     all_edges_wo_dominance.append((src, dst))

angr/analyses/decompiler/structuring/recursive_structurer.py

@@ -1,7 +1,9 @@
 import itertools
 from typing import Optional, Type, Dict, TYPE_CHECKING
+import logging
 
 import networkx
+
 from ... import Analysis, register_analysis
 from ..condition_processor import ConditionProcessor
 from ..graph_region import GraphRegion
@@ -9,6 +11,7 @@ from ..jumptable_entry_condition_rewriter import JumpTableEntryConditionRewriter
 from ..empty_node_remover import EmptyNodeRemover
 from ..jump_target_collector import JumpTargetCollector
 from ..redundant_label_remover import RedundantLabelRemover
+from .structurer_nodes import BaseNode
 from .structurer_base import StructurerBase
 from .dream import DreamStructurer
 
@@ -17,6 +20,9 @@ if TYPE_CHECKING:
     from angr.knowledge_plugins.functions import Function
 
 
+_l = logging.getLogger(__name__)
+
+
 class RecursiveStructurer(Analysis):
     """
     Recursively structure a region and all of its subregions.
@@ -39,12 +45,14 @@ class RecursiveStructurer(Analysis):
         self.structurer_options = kwargs
 
         self.result = None
+        self.result_incomplete: bool = False
 
         self._analyze()
 
     def _analyze(self):
         region = self._region.recursive_copy()
         self._case_entry_to_switch_head: Dict[int, int] = self._get_switch_case_entries()
+        self.result_incomplete = False
 
         # visit the region in post-order DFS
         parent_map = {}
@@ -89,7 +97,16 @@ class RecursiveStructurer(Analysis):
                 # replace this region with the resulting node in its parent region... if it's not an orphan
                 if not parent_region:
                     # this is the top-level region. we are done!
-                    self.result = st.result
+                    if st.result is None:
+                        # take the partial result out of the graph
+                        _l.warning(
+                            "Structuring failed to complete (most likely due to bugs in structuring). The "
+                            "output will miss code blocks."
+                        )
+                        self.result = self._pick_incomplete_result_from_region(st._region)
+                        self.result_incomplete = True
+                    else:
+                        self.result = st.result
                     break
 
                 if st.result is None:
@@ -148,5 +165,22 @@ class RecursiveStructurer(Analysis):
 
         return entries
 
+    def _pick_incomplete_result_from_region(self, region):
+        """
+        Parse the region graph and get (a) the node with address equal to the function address, or (b) the node with
+        the lowest address.
+        """
+
+        min_node = None
+        for node in region.graph.nodes:
+            if not isinstance(node, BaseNode):
+                continue
+            if node.addr == self.function.addr:
+                return node
+            if min_node is None or min_node.addr < node.addr:
+                min_node = node
+
+        return min_node
+
 
 register_analysis(RecursiveStructurer, "RecursiveStructurer")

angr/analyses/decompiler/structuring/structurer_base.py

@@ -145,6 +145,9 @@ class StructurerBase(Analysis):
                 if isinstance(stmt, ailment.Stmt.Jump):
                     targets = extract_jump_targets(stmt)
                     for t in targets:
+                        if t in cases or default is not None and t == default.addr:
+                            # the node after switch cannot be one of the nodes in the switch-case construct
+                            continue
                         goto_addrs[t] += 1
 
         if switch_end_addr is None:

angr/analyses/decompiler/utils.py

@@ -9,6 +9,7 @@ import ailment
 
 import angr
 from .call_counter import AILBlockCallCounter
+from .seq_to_blocks import SequenceToBlocks
 
 _l = logging.getLogger(__name__)
 
@@ -655,13 +656,16 @@ def decompile_functions(path, functions=None, structurer=None, catch_errors=Fals
 
     # collect all functions when None are provided
     if functions is None:
-        functions = cfg.functions.values()
+        functions = list(sorted(cfg.kb.functions))
 
     # normalize the functions that could be ints as names
-    normalized_functions = []
+    normalized_functions: List[Union[int, str]] = []
     for func in functions:
         try:
-            normalized_name = int(func, 0)
+            if isinstance(func, str):
+                normalized_name = int(func, 0)
+            else:
+                normalized_name = func
         except ValueError:
             normalized_name = func
         normalized_functions.append(normalized_name)
@@ -683,7 +687,7 @@ def decompile_functions(path, functions=None, structurer=None, catch_errors=Fals
     ]
     for func in functions:
         f = cfg.functions[func]
-        if f is None or f.is_plt:
+        if f is None or f.is_plt or f.is_syscall or f.is_alignment or f.is_simprocedure:
             continue
 
         exception_string = ""
@@ -700,14 +704,14 @@ def decompile_functions(path, functions=None, structurer=None, catch_errors=Fals
         # do sanity checks on decompilation, skip checks if we already errored
         if not exception_string:
             if dec is None or not dec.codegen or not dec.codegen.text:
-                exception_string = "Decompilation had no code output (failed in Dec)"
+                exception_string = "Decompilation had no code output (failed in decompilation)"
             elif "{\n}" in dec.codegen.text:
                 exception_string = "Decompilation outputted an empty function (failed in structuring)"
             elif structurer in ["dream", "combing"] and "goto" in dec.codegen.text:
                 exception_string = "Decompilation outputted a goto for a Gotoless algorithm (failed in structuring)"
 
         if exception_string:
-            _l.critical("Failed to decompile %s because %s", str(func), exception_string)
+            _l.critical("Failed to decompile %s because %s", repr(f), exception_string)
             decompilation += f"// [error: {func} | {exception_string}]\n"
         else:
             decompilation += dec.codegen.text + "\n"
@@ -734,6 +738,37 @@ def find_block_by_addr(graph: networkx.DiGraph, addr: int):
     raise KeyError("The block is not in the graph!")
 
 
+def sequence_to_blocks(seq: "BaseNode") -> List[ailment.Block]:
+    """
+    Converts a sequence node (BaseNode) to a list of ailment blocks contained in it and all its children.
+    """
+    walker = SequenceToBlocks()
+    walker.walk(seq)
+    return walker.blocks
+
+
+def sequence_to_statements(
+    seq: "BaseNode", exclude=(ailment.statement.Jump, ailment.statement.Jump)
+) -> List[ailment.statement.Statement]:
+    """
+    Converts a sequence node (BaseNode) to a list of ailment Statements contained in it and all its children.
+    May exclude certain types of statements.
+    """
+    statements = []
+    blocks = sequence_to_blocks(seq)
+    block: ailment.Block
+    for block in blocks:
+        if not block.statements:
+            continue
+
+        for stmt in block.statements:
+            if isinstance(stmt, exclude):
+                continue
+            statements.append(stmt)
+
+    return statements
+
+
 # delayed import
 from .structuring.structurer_nodes import (
     MultiNode,

angr/analyses/disassembly.py

@@ -8,6 +8,7 @@ from angr.knowledge_plugins import Function
 
 from . import Analysis
 
+from ..errors import AngrTypeError
 from ..utils.library import get_cpp_function_name
 from ..utils.formatting import ansi_color_enabled, ansi_color, add_edge_to_buffer
 from ..block import DisassemblerInsn, CapstoneInsn, SootBlockNode
@@ -1141,7 +1142,9 @@ class Disassembly(Analysis):
                 self.raw_result_map["instructions"][stmt.addr] = stmt
                 self.block_to_insn_addrs[block.addr].append(stmt.addr)
         else:
-            raise TypeError("")
+            raise AngrTypeError(
+                f"Cannot disassemble block with architecture {self.project.arch} for block type {type(block)}"
+            )
 
         if self._include_ir:
             b = self.project.factory.block(block.addr, size=block.size)

angr/analyses/find_objects_static.py

@@ -45,6 +45,7 @@ class NewFunctionHandler(FunctionHandler):
     """
 
     def __init__(self, max_addr=None, new_func_addr=None, project=None):
+        super().__init__()
         self.max_addr = max_addr
 
         # this is a map between an object addr outside the mapped binary and PossibleObject instance
@@ -104,16 +105,20 @@ class NewFunctionHandler(FunctionHandler):
             data.depends(memory_location, value=MultiValues(offset_to_values=offset_to_values))
             self.max_addr += size
 
-        elif "ctor" in self.project.kb.functions[function_address].demangled_name:
-            # check if rdi has a possible this pointer/ object address, if so then we can assign this object this class
-            # also if the func is a constructor(not stripped binaries)
-            for addr, possible_object in self.possible_objects_dict.items():
-                v1 = state.registers.load(72, state.arch.bits // state.arch.byte_width).one_value()
-                obj_addr = v1.concrete_value if v1 is not None and v1.concrete else None
-                if obj_addr is not None and addr == obj_addr:
-                    col_ind = self.project.kb.functions[function_address].demangled_name.rfind("::")
-                    class_name = self.project.kb.functions[function_address].demangled_name[:col_ind]
-                    possible_object.class_name = class_name
+        else:
+            if self.project.kb.functions.contains_addr(function_address):
+                func = self.project.kb.functions.get_by_addr(function_address)
+                if func is not None and "ctor" in func.demangled_name:
+                    # check if rdi has a possible this pointer/ object address, if so then we can assign this object
+                    # this class
+                    # also if the func is a constructor(not stripped binaries)
+                    for addr, possible_object in self.possible_objects_dict.items():
+                        v1 = state.registers.load(72, state.arch.bits // state.arch.byte_width).one_value()
+                        obj_addr = v1.concrete_value if v1 is not None and v1.concrete else None
+                        if obj_addr is not None and addr == obj_addr:
+                            col_ind = self.project.kb.functions[function_address].demangled_name.rfind("::")
+                            class_name = self.project.kb.functions[function_address].demangled_name[:col_ind]
+                            possible_object.class_name = class_name
 
 
 class StaticObjectFinder(Analysis):

angr/analyses/forward_analysis/forward_analysis.py

@@ -209,6 +209,20 @@ class ForwardAnalysis(Generic[AnalysisState, NodeType, JobType, JobKey]):
 
         raise NotImplementedError("_merge_states() is not implemented.")
 
+    def _compare_states(self, node: NodeType, old_state: AnalysisState, new_state: AnalysisState) -> bool:
+        """
+        Determine if the analysis has reached fixed point at `node`.
+
+        You can override this method to implement a faster _compare_states() method.
+
+        :param node:        The node that has been analyzed.
+        :param old_state:   The original output state out of node.
+        :param new_state:   The new output state out of node.
+        :return:            True if the analysis has reached fixed at node. False otherwise.
+        """
+        _, has_no_changes = self._merge_states(node, old_state, new_state)
+        return has_no_changes
+
     def _widen_states(self, *states: AnalysisState) -> AnalysisState:
         raise NotImplementedError("_widen_states() is not implemented.")
 
@@ -288,7 +302,7 @@ class ForwardAnalysis(Generic[AnalysisState, NodeType, JobType, JobKey]):
                     reached_fixedpoint = False
                 else:
                     # is the output state the same as the old one?
-                    _, reached_fixedpoint = self._merge_states(n, self._output_state[self._node_key(n)], output_state)
+                    reached_fixedpoint = self._compare_states(n, self._output_state[self._node_key(n)], output_state)
                 self._output_state[self._node_key(n)] = output_state
 
                 if not reached_fixedpoint:

angr/analyses/propagator/engine_ail.py

@@ -1221,6 +1221,8 @@ class SimEnginePropagatorAIL(
                 bits=expr.bits,
                 floating_point=expr.floating_point,
                 rounding_mode=expr.rounding_mode,
+                from_bits=expr.from_bits,
+                to_bits=expr.to_bits,
                 **expr.tags,
             )
         return PropValue.from_value_and_details(value, expr.size, new_expr, self._codeloc())
@@ -1443,6 +1445,44 @@ class SimEnginePropagatorAIL(
             )
         return PropValue.from_value_and_details(value, expr.size, new_expr, self._codeloc())
 
+    def _ail_handle_ExpCmpNE(self, expr):
+        o0_value = self._expr(expr.operands[0])
+        o1_value = self._expr(expr.operands[1])
+
+        value = self.state.top(expr.bits)
+        if o0_value is None or o1_value is None:
+            new_expr = expr
+        else:
+            o0_expr = o0_value.one_expr
+            o1_expr = o1_value.one_expr
+            new_expr = Expr.BinaryOp(
+                expr.idx,
+                "ExpCmpNE",
+                [
+                    o0_expr if o0_expr is not None else expr.operands[0],
+                    o1_expr if o1_expr is not None else expr.operands[1],
+                ],
+                expr.signed,
+                **expr.tags,
+            )
+        return PropValue.from_value_and_details(value, expr.size, new_expr, self._codeloc())
+
+    def _ail_handle_Clz(self, expr):
+        o0_value = self._expr(expr.operand)
+
+        value = self.state.top(expr.bits)
+        if o0_value is None:
+            new_expr = expr
+        else:
+            o0_expr = o0_value.one_expr
+            new_expr = Expr.UnaryOp(
+                expr.idx,
+                "Clz",
+                o0_expr if o0_expr is not None else expr.operand,
+                **expr.tags,
+            )
+        return PropValue.from_value_and_details(value, expr.size, new_expr, self._codeloc())
+
     #
     # Util methods
     #

angr/analyses/propagator/propagator.py

@@ -53,7 +53,7 @@ class PropagatorAnalysis(ForwardAnalysis, Analysis):  # pylint:disable=abstract-
         block=None,
         func_graph=None,
         base_state=None,
-        max_iterations=3,
+        max_iterations=30,
         load_callback=None,
         stack_pointer_tracker=None,
         only_consts=False,
@@ -79,7 +79,10 @@ class PropagatorAnalysis(ForwardAnalysis, Analysis):  # pylint:disable=abstract-
         else:
             raise ValueError("Unsupported analysis target.")
 
-        start = time.perf_counter_ns() / 1000000
+        if profiling:
+            start = time.perf_counter_ns() / 1000000
+        else:
+            start = 0
 
         self._base_state = base_state
         self._function = func
@@ -320,7 +323,7 @@ class PropagatorAnalysis(ForwardAnalysis, Analysis):  # pylint:disable=abstract-
         # TODO: Clear registers according to calling conventions
 
         if self.model.node_iterations[block_key] < self._max_iterations:
-            return True, state
+            return None, state
         else:
             return False, state
 

angr/analyses/reaching_definitions/engine_ail.py

@@ -596,7 +596,7 @@ class SimEngineRDAIL(
         operand_v = operand.one_value()
 
         if operand_v is not None and operand_v.concrete:
-            r = MultiValues(~operand_v)
+            r = MultiValues(~operand_v)  # pylint:disable=invalid-unary-operand-type
         else:
             r = MultiValues(self.state.top(bits))
 
@@ -612,7 +612,7 @@ class SimEngineRDAIL(
         operand_v = operand.one_value()
 
         if operand_v is not None and operand_v.concrete:
-            r = MultiValues(-operand_v)
+            r = MultiValues(-operand_v)  # pylint:disable=invalid-unary-operand-type
         else:
             r = MultiValues(self.state.top(bits))
 
@@ -626,7 +626,7 @@ class SimEngineRDAIL(
         operand_v = operand.one_value()
 
         if operand_v is not None and operand_v.concrete:
-            r = MultiValues(offset_to_values={0: {~operand_v}})
+            r = MultiValues(offset_to_values={0: {~operand_v}})  # pylint:disable=invalid-unary-operand-type
         else:
             r = MultiValues(offset_to_values={0: {self.state.top(bits)}})
 
@@ -766,27 +766,6 @@ class SimEngineRDAIL(
 
         return r
 
-    def _ail_handle_Div(self, expr: ailment.Expr.BinaryOp) -> MultiValues:
-        expr0: MultiValues = self._expr(expr.operands[0])
-        expr1: MultiValues = self._expr(expr.operands[1])
-        bits = expr.bits
-
-        expr0_v = expr0.one_value()
-        expr1_v = expr1.one_value()
-
-        if (
-            expr0_v is not None
-            and expr1_v is not None
-            and expr0_v.concrete
-            and expr1_v.concrete
-            and expr1_v.concrete_value != 0
-        ):
-            r = MultiValues(offset_to_values={0: {expr0_v / expr1_v}})
-        else:
-            r = MultiValues(offset_to_values={0: {self.state.top(bits)}})
-
-        return r
-
     def _ail_handle_Shr(self, expr: ailment.Expr.BinaryOp) -> MultiValues:
         expr0: MultiValues = self._expr(expr.operands[0])
         expr1: MultiValues = self._expr(expr.operands[1])
@@ -1143,6 +1122,19 @@ class SimEngineRDAIL(
         top = self.state.top(expr.bits)
         return MultiValues(offset_to_values={0: {top}})
 
+    def _ail_handle_ExpCmpNE(self, expr) -> MultiValues:
+        self._expr(expr.operands[0])
+        self._expr(expr.operands[1])
+
+        top = self.state.top(expr.bits)
+        return MultiValues(offset_to_values={0: {top}})
+
+    def _ail_handle_Clz(self, expr) -> MultiValues:
+        self._expr(expr.operand)
+
+        top = self.state.top(expr.bits)
+        return MultiValues(offset_to_values={0: {top}})
+
     def _ail_handle_Const(self, expr) -> MultiValues:
         self.state.mark_const(expr.value, expr.size)
         if isinstance(expr.value, float):

angr/analyses/reaching_definitions/rd_state.py

@@ -72,6 +72,7 @@ class ReachingDefinitionsState:
         "_track_consts",
         "_sp_adjusted",
         "exit_observed",
+        "_element_limit",
     )
 
     def __init__(
@@ -90,6 +91,7 @@ class ReachingDefinitionsState:
         sp_adjusted: bool = False,
         all_definitions: Optional[Set[Definition]] = None,
         initializer: Optional["RDAStateInitializer"] = None,
+        element_limit: int = 5,
     ):
         # handy short-hands
         self.codeloc = codeloc
@@ -100,6 +102,7 @@ class ReachingDefinitionsState:
         self.analysis = analysis
         self._canonical_size: int = canonical_size
         self._sp_adjusted: bool = sp_adjusted
+        self._element_limit: int = element_limit
 
         self.all_definitions: Set[Definition] = set() if all_definitions is None else all_definitions
 
@@ -122,7 +125,10 @@ class ReachingDefinitionsState:
         if live_definitions is None:
             # the first time this state is created. initialize it
             self.live_definitions = LiveDefinitions(
-                self.arch, track_tmps=self._track_tmps, canonical_size=canonical_size
+                self.arch,
+                track_tmps=self._track_tmps,
+                canonical_size=canonical_size,
+                element_limit=element_limit,
             )
             if self.analysis is not None:
                 self.live_definitions.project = self.analysis.project
@@ -310,6 +316,7 @@ class ReachingDefinitionsState:
             environment=self._environment,
             sp_adjusted=self._sp_adjusted,
             all_definitions=self.all_definitions.copy(),
+            element_limit=self._element_limit,
         )
 
         return rd
@@ -323,6 +330,12 @@ class ReachingDefinitionsState:
 
         return state, merged_0 or merged_1
 
+    def compare(self, other: "ReachingDefinitionsState") -> bool:
+        r0 = self.live_definitions.compare(other.live_definitions)
+        r1 = self.environment.compare(other.environment)
+
+        return r0 and r1
+
     def move_codelocs(self, new_codeloc: CodeLocation) -> None:
         if self.codeloc != new_codeloc:
             self.codeloc = new_codeloc