angr 9.2.96__py3-none-win_amd64.whl → 9.2.98__py3-none-win_amd64.whl

angr/__init__.py

@@ -1,7 +1,7 @@
 # pylint: disable=wildcard-import
 # pylint: disable=wrong-import-position
 
-__version__ = "9.2.96"
+__version__ = "9.2.98"
 
 if bytes is str:
     raise Exception(

angr/analyses/cfg/cfg_base.py

@@ -8,7 +8,7 @@ from sortedcontainers import SortedDict
 
 import pyvex
 from claripy.utils.orderedset import OrderedSet
-from cle import ELF, PE, Blob, TLSObject, MachO, ExternObject, KernelObject, FunctionHintSource, Hex, Coff, SRec
+from cle import ELF, PE, Blob, TLSObject, MachO, ExternObject, KernelObject, FunctionHintSource, Hex, Coff, SRec, XBE
 from cle.backends import NamedRegion
 import archinfo
 from archinfo.arch_soot import SootAddressDescriptor
@@ -778,6 +778,17 @@ class CFGBase(Analysis):
                         tpl = (section.min_addr, section.max_addr + 1)
                         memory_regions.append(tpl)
 
+            elif isinstance(b, XBE):
+                # some XBE files will mark the data sections as executable
+                for section in b.sections:
+                    if (
+                        section.is_executable
+                        and not section.is_writable
+                        and section.name not in {".data", ".rdata", ".rodata"}
+                    ):
+                        tpl = (section.min_addr, section.max_addr + 1)
+                        memory_regions.append(tpl)
+
             elif isinstance(b, MachO):
                 if b.segments:
                     # Get all executable segments
@@ -797,9 +808,11 @@ class CFGBase(Analysis):
                 # a blob is entirely executable
                 tpl = (b.min_addr, b.max_addr + 1)
                 memory_regions.append(tpl)
+
             elif isinstance(b, NamedRegion):
                 # NamedRegions have no content! Ignore
                 pass
+
             elif isinstance(b, self._cle_pseudo_objects):
                 pass
 

angr/analyses/cfg/indirect_jump_resolvers/propagator_utils.py

@@ -13,10 +13,14 @@ class PropagatorLoadCallback:
         # only allow loading if the address falls into a read-only region
         if isinstance(addr, claripy.ast.BV) and addr.op == "BVV":
             addr_v = addr.args[0]
-            section = self.project.loader.find_section_containing(addr_v)
-            if section is not None:
-                return section.is_readable and not section.is_writable
-            segment = self.project.loader.find_segment_containing(addr_v)
-            if segment is not None:
-                return segment.is_readable and not segment.is_writable
+        elif isinstance(addr, int):
+            addr_v = addr
+        else:
+            return False
+        section = self.project.loader.find_section_containing(addr_v)
+        if section is not None:
+            return section.is_readable and not section.is_writable
+        segment = self.project.loader.find_segment_containing(addr_v)
+        if segment is not None:
+            return segment.is_readable and not segment.is_writable
         return False

angr/analyses/complete_calling_conventions.py

@@ -1,3 +1,4 @@
+# pylint:disable=import-outside-toplevel
 from typing import Tuple, Optional, Callable, Iterable, Dict, Set, TYPE_CHECKING
 import queue
 import threading
@@ -10,6 +11,7 @@ import networkx
 import claripy
 
 from angr.utils.graph import GraphUtils
+from angr.simos import SimWindows
 from ..utils.mp import mp_context, Initializer
 from ..knowledge_plugins.cfg import CFGModel
 from . import Analysis, register_analysis, VariableRecoveryFast, CallingConventionAnalysis
@@ -88,11 +90,13 @@ class CompleteCallingConventionsAnalysis(Analysis):
         self._results = []
         if workers > 0:
             self._remaining_funcs = _mp_context.Value("i", 0)
-            self._func_queue = _mp_context.Queue()
             self._results = _mp_context.Queue()
+            self._results_lock = _mp_context.Lock()
+            self._func_queue = _mp_context.Queue()
             self._func_queue_lock = _mp_context.Lock()
         else:
             self._remaining_funcs = None  # not needed
+            self._results_lock = None  # not needed
             self._func_queue = None  # not needed
             self._func_queue_lock = threading.Lock()
 
@@ -205,9 +209,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
                         dependents[callee].add(func_addr)
 
             # enqueue all leaf functions
-            for func_addr in list(
-                k for k in depends_on if not depends_on[k]
-            ):  # pylint:disable=consider-using-dict-items
+            for func_addr in [k for k in depends_on if not depends_on[k]]:  # pylint:disable=consider-using-dict-items
                 self._func_queue.put((func_addr, None))
                 del depends_on[func_addr]
 
@@ -215,11 +217,17 @@ class CompleteCallingConventionsAnalysis(Analysis):
             cc_callback = self._cc_callback
             self._cc_callback = None
 
+            if self.project.simos is not None and isinstance(self.project.simos, SimWindows):
+                # delayed import
+                from angr.procedures.definitions import load_win32api_definitions
+
+                Initializer.get().register(load_win32api_definitions)
+
             # spawn workers to perform the analysis
             with self._func_queue_lock:
                 procs = [
-                    _mp_context.Process(target=self._worker_routine, args=(Initializer.get(),), daemon=True)
-                    for _ in range(self._workers)
+                    _mp_context.Process(target=self._worker_routine, args=(worker_id, Initializer.get()), daemon=True)
+                    for worker_id in range(self._workers)
                 ]
                 for proc_idx, proc in enumerate(procs):
                     self._update_progress(0, text=f"Spawning worker {proc_idx}...")
@@ -231,7 +239,13 @@ class CompleteCallingConventionsAnalysis(Analysis):
             self._update_progress(0)
             idx = 0
             while idx < total_funcs:
-                func_addr, cc, proto, proto_libname, varman = self._results.get(True)
+                try:
+                    with self._results_lock:
+                        func_addr, cc, proto, proto_libname, varman = self._results.get(True, timeout=0.01)
+                except queue.Empty:
+                    time.sleep(0.1)
+                    continue
+
                 func = self.kb.functions.get_by_addr(func_addr)
                 if cc is not None or proto is not None:
                     func.calling_convention = cc
@@ -260,13 +274,14 @@ class CompleteCallingConventionsAnalysis(Analysis):
                         depends_on[dependent].discard(func_addr)
                         if not depends_on[dependent]:
                             callee_prototypes = self._get_callees_cc_prototypes(dependent)
-                            self._func_queue.put((dependent, callee_prototypes))
+                            with self._func_queue_lock:
+                                self._func_queue.put((dependent, callee_prototypes))
                             del depends_on[dependent]
 
             for proc in procs:
                 proc.join()
 
-    def _worker_routine(self, initializer: Initializer):
+    def _worker_routine(self, worker_id: int, initializer: Initializer):
         initializer.initialize()
         idx = 0
         while self._remaining_funcs.value > 0:
@@ -293,9 +308,10 @@ class CompleteCallingConventionsAnalysis(Analysis):
             try:
                 cc, proto, proto_libname, varman = self._analyze_core(func_addr)
             except Exception:  # pylint:disable=broad-except
-                _l.error("Exception occurred during _analyze_core().", exc_info=True)
+                _l.error("Worker %d: Exception occurred during _analyze_core().", worker_id, exc_info=True)
                 cc, proto, proto_libname, varman = None, None, None, None
-            self._results.put((func_addr, cc, proto, proto_libname, varman))
+            with self._results_lock:
+                self._results.put((func_addr, cc, proto, proto_libname, varman))
 
     def _analyze_core(
         self, func_addr: int

angr/analyses/decompiler/ail_simplifier.py

@@ -1,3 +1,4 @@
+# pylint:disable=too-many-boolean-expressions
 from typing import Set, Dict, List, Tuple, Any, Optional, TYPE_CHECKING
 from collections import defaultdict
 import logging
@@ -183,6 +184,7 @@ class AILSimplifier(Analysis):
             observe_all=False,
             use_callee_saved_regs_at_return=self._use_callee_saved_regs_at_return,
             track_tmps=True,
+            element_limit=1,
         ).model
         self._reaching_definitions = rd
         return rd
@@ -504,7 +506,9 @@ class AILSimplifier(Analysis):
 
         first_op = walker.operations[0]
         if isinstance(first_op, Convert):
-            return first_op.to_bits // self.project.arch.byte_width, ("convert", (first_op,))
+            if first_op.to_bits >= self.project.arch.byte_width:
+                # we need at least one byte!
+                return first_op.to_bits // self.project.arch.byte_width, ("convert", (first_op,))
         if isinstance(first_op, BinaryOp):
             second_op = None
             if len(walker.operations) >= 2:
@@ -526,6 +530,7 @@ class AILSimplifier(Analysis):
                 and first_op.op not in {"Shr", "Sar"}
                 and isinstance(second_op, Convert)
                 and second_op.from_bits == expr.bits
+                and second_op.to_bits >= self.project.arch.byte_width  # we need at least one byte!
             ):
                 return min(expr.bits, second_op.to_bits) // self.project.arch.byte_width, (
                     "binop-convert",
@@ -721,13 +726,13 @@ class AILSimplifier(Analysis):
                             ):
                                 continue
 
-                            # Make sure the register is never updated across this function
-                            if any(
-                                (def_ != the_def and def_.atom == the_def.atom)
-                                for def_ in rd.all_definitions
-                                if isinstance(def_.atom, atoms.Register) and rd.all_uses.get_uses(def_)
-                            ):
-                                continue
+                        # Make sure the register is never updated across this function
+                        if any(
+                            (def_ != the_def and def_.atom == the_def.atom)
+                            for def_ in rd.all_definitions
+                            if isinstance(def_.atom, atoms.Register) and rd.all_uses.get_uses(def_)
+                        ):
+                            continue
 
                         # find all its uses
                         all_arg_copy_var_uses: Set[Tuple[CodeLocation, Any]] = set(
@@ -1214,6 +1219,13 @@ class AILSimplifier(Analysis):
                         continue
 
             uses = rd.all_uses.get_uses(def_)
+            if (
+                isinstance(def_.atom, atoms.Register)
+                and def_.atom.reg_offset in self.project.arch.artificial_registers_offsets
+            ):
+                if len(uses) == 1 and next(iter(uses)) == def_.codeloc:
+                    # cc_ndep = amd64g_calculate_condition(..., cc_ndep)
+                    uses = set()
 
             if not uses:
                 if not isinstance(def_.codeloc, ExternalCodeLocation):

angr/analyses/decompiler/condition_processor.py

@@ -766,6 +766,8 @@ class ConditionProcessor:
                 var = claripy.BoolV(condition.value)
             else:
                 var = claripy.BVV(condition.value, condition.bits)
+            if isinstance(var, claripy.Bits) and var.size() == 1:
+                var = claripy.true if var.concrete_value == 1 else claripy.false
             return var
         elif isinstance(condition, ailment.Expr.Tmp):
             l.warning("Left-over ailment.Tmp variable %s.", condition)

angr/analyses/decompiler/optimization_passes/__init__.py

@@ -25,6 +25,7 @@ from .win_stack_canary_simplifier import WinStackCanarySimplifier
 from .cross_jump_reverter import CrossJumpReverter
 from .code_motion import CodeMotionOptimization
 from .switch_default_case_duplicator import SwitchDefaultCaseDuplicator
+from .inlined_string_transformation_simplifier import InlinedStringTransformationSimplifier
 
 # order matters!
 _all_optimization_passes = [
@@ -49,6 +50,7 @@ _all_optimization_passes = [
     (CodeMotionOptimization, True),
     (CrossJumpReverter, True),
     (FlipBooleanCmp, True),
+    (InlinedStringTransformationSimplifier, True),
 ]
 
 # these passes may duplicate code to remove gotos or improve the structure of the graph

angr/analyses/decompiler/optimization_passes/inlined_string_transformation_simplifier.py

@@ -0,0 +1,380 @@
+# pylint:disable=arguments-renamed,too-many-boolean-expressions,no-self-use
+from __future__ import annotations
+from typing import Any, DefaultDict
+from collections import defaultdict
+
+from archinfo import Endness
+from ailment.expression import Const, Register, Load, StackBaseOffset, Convert, BinaryOp
+from ailment.statement import Store, ConditionalJump, Jump
+import claripy
+
+from angr.engines.light import SimEngineLightAILMixin
+from angr.storage.memory_mixins import (
+    SimpleInterfaceMixin,
+    DefaultFillerMixin,
+    PagedMemoryMixin,
+    UltraPagesMixin,
+)
+from angr.code_location import CodeLocation
+from angr.errors import SimMemoryMissingError
+from .optimization_pass import OptimizationPass, OptimizationPassStage
+
+
+class FasterMemory(
+    SimpleInterfaceMixin,
+    DefaultFillerMixin,
+    UltraPagesMixin,
+    PagedMemoryMixin,
+):
+    """
+    A fast memory model used in InlinedStringTransformationState.
+    """
+
+
+class InlinedStringTransformationState:
+    """
+    The abstract state used in InlinedStringTransformationAILEngine.
+    """
+
+    def __init__(self, project):
+        self.arch = project.arch
+        self.project = project
+
+        self.registers = FasterMemory(memory_id="reg")
+        self.memory = FasterMemory(memory_id="mem")
+
+        self.registers.set_state(self)
+        self.memory.set_state(self)
+
+    def _get_weakref(self):
+        return self
+
+    def reg_store(self, reg: Register, value: claripy.Bits) -> None:
+        self.registers.store(
+            reg.reg_offset, value, size=value.size() // self.arch.byte_width, endness=str(self.arch.register_endness)
+        )
+
+    def reg_load(self, reg: Register) -> claripy.Bits | None:
+        try:
+            return self.registers.load(
+                reg.reg_offset, size=reg.size, endness=self.arch.register_endness, fill_missing=False
+            )
+        except SimMemoryMissingError:
+            return None
+
+    def mem_store(self, addr: int, value: claripy.Bits, endness: str) -> None:
+        self.memory.store(addr, value, size=value.size() // self.arch.byte_width, endness=endness)
+
+    def mem_load(self, addr: int, size: int, endness) -> claripy.Bits | None:
+        try:
+            return self.memory.load(addr, size=size, endness=str(endness), fill_missing=False)
+        except SimMemoryMissingError:
+            return None
+
+
+class InlinedStringTransformationAILEngine(SimEngineLightAILMixin):
+    """
+    A simple AIL execution engine
+    """
+
+    def __init__(self, project, nodes: dict[int, Any], start: int, end: int, step_limit: int):
+        super().__init__()
+
+        self.arch = project.arch
+        self.nodes: dict[int, Any] = nodes
+        self.start: int = start
+        self.end: int = end
+        self.step_limit: int = step_limit
+
+        self.STACK_BASE = 0x7FFF_FFF0 if self.arch.bits == 32 else 0x7FFF_FFFF_F000
+        self.MASK = 0xFFFF_FFFF if self.arch.bits == 32 else 0xFFFF_FFFF_FFFF_FFFF
+
+        state = InlinedStringTransformationState(project)
+        self.stack_accesses: DefaultDict[int, list[tuple[str, CodeLocation, claripy.Bits]]] = defaultdict(list)
+        self.finished: bool = False
+
+        i = 0
+        self.pc = self.start
+        while i < self.step_limit:
+            if self.pc not in self.nodes:
+                # jumped to a node that we do not know about
+                break
+            block = self.nodes[self.pc]
+            self._process(state, None, block=block)
+            if self.pc is None:
+                # not sure where to jump...
+                break
+            if self.pc == self.end:
+                # we reach the end of execution!
+                self.finished = True
+                break
+            i += 1
+
+    def _process_address(self, addr: Const | StackBaseOffset) -> tuple[int, str] | None:
+        if isinstance(addr, Const):
+            return addr.value, "mem"
+        if isinstance(addr, StackBaseOffset):
+            return (addr.offset + self.STACK_BASE) & self.MASK, "stack"
+        if isinstance(addr, BinaryOp) and isinstance(addr.operands[0], StackBaseOffset):
+            v0_and_type = self._process_address(addr.operands[0])
+            if v0_and_type is not None:
+                v0 = v0_and_type[0]
+                v1 = self._expr(addr.operands[1])
+                if isinstance(v1, claripy.Bits) and v1.concrete:
+                    return (v0 + v1.concrete_value) & self.MASK, "stack"
+        return None
+
+    def _handle_Assignment(self, stmt):
+        if isinstance(stmt.dst, Register):
+            val = self._expr(stmt.src)
+            if isinstance(val, claripy.Bits):
+                self.state.reg_store(stmt.dst, val)
+
+    def _handle_Store(self, stmt):
+        addr_and_type = self._process_address(stmt.addr)
+        if addr_and_type is not None:
+            addr, addr_type = addr_and_type
+            val = self._expr(stmt.data)
+            if isinstance(val, claripy.ast.BV):
+                self.state.mem_store(addr, val, stmt.endness)
+                # log it
+                if addr_type == "stack":
+                    for i in range(0, val.size() // self.arch.byte_width):
+                        byte_off = i
+                        if self.arch.memory_endness == Endness.LE:
+                            byte_off = val.size() // self.arch.byte_width - i - 1
+                        self.stack_accesses[addr + i].append(("store", self._codeloc(), val.get_byte(byte_off)))
+
+    def _handle_Jump(self, stmt):
+        if isinstance(stmt.target, Const):
+            self.pc = stmt.target.value
+        else:
+            self.pc = None
+
+    def _handle_ConditionalJump(self, stmt):
+        self.pc = None
+        if isinstance(stmt.true_target, Const) and isinstance(stmt.false_target, Const):
+            cond = self._expr(stmt.condition)
+            if cond is not None:
+                if isinstance(cond, claripy.Bits) and cond.concrete_value == 1:
+                    self.pc = stmt.true_target.value
+                elif isinstance(cond, claripy.Bits) and cond.concrete_value == 0:
+                    self.pc = stmt.false_target.value
+
+    def _handle_Const(self, expr):
+        return claripy.BVV(expr.value, expr.bits)
+
+    def _handle_Load(self, expr: Load):
+        addr_and_type = self._process_address(expr.addr)
+        if addr_and_type is not None:
+            addr, addr_type = addr_and_type
+            v = self.state.mem_load(addr, expr.size, expr.endness)
+            # log it
+            if addr_type == "stack" and isinstance(v, claripy.ast.BV):
+                for i in range(0, expr.size):
+                    byte_off = i
+                    if self.arch.memory_endness == Endness.LE:
+                        byte_off = expr.size - i - 1
+                    self.stack_accesses[addr + i].append(("load", self._codeloc(), v.get_byte(byte_off)))
+            return v
+        return None
+
+    def _handle_Register(self, expr: Register):
+        return self.state.reg_load(expr)
+
+    def _handle_Convert(self, expr: Convert):
+        v = self._expr(expr.operand)
+        if isinstance(v, claripy.Bits):
+            if expr.to_bits > expr.from_bits:
+                if not expr.is_signed:
+                    return claripy.ZeroExt(expr.to_bits - expr.from_bits, v)
+                return claripy.SignExt(expr.to_bits - expr.from_bits, v)
+            elif expr.to_bits < expr.from_bits:
+                return claripy.Extract(expr.to_bits - 1, 0, v)
+            else:
+                return v
+        return None
+
+    def _handle_CmpEQ(self, expr):
+        op0, op1 = self._expr(expr.operands[0]), self._expr(expr.operands[1])
+        if isinstance(op0, claripy.Bits) and isinstance(op1, claripy.Bits) and op0.concrete and op1.concrete:
+            return claripy.BVV(1, 1) if op0.concrete_value == op1.concrete_value else claripy.BVV(0, 1)
+        return None
+
+    def _handle_CmpNE(self, expr):
+        op0, op1 = self._expr(expr.operands[0]), self._expr(expr.operands[1])
+        if isinstance(op0, claripy.Bits) and isinstance(op1, claripy.Bits) and op0.concrete and op1.concrete:
+            return claripy.BVV(1, 1) if op0.concrete_value != op1.concrete_value else claripy.BVV(0, 1)
+        return None
+
+    def _handle_CmpLT(self, expr):
+        op0, op1 = self._expr(expr.operands[0]), self._expr(expr.operands[1])
+        if isinstance(op0, claripy.Bits) and isinstance(op1, claripy.Bits) and op0.concrete and op1.concrete:
+            return claripy.BVV(1, 1) if op0.concrete_value < op1.concrete_value else claripy.BVV(0, 1)
+        return None
+
+    def _handle_CmpLE(self, expr):
+        op0, op1 = self._expr(expr.operands[0]), self._expr(expr.operands[1])
+        if isinstance(op0, claripy.Bits) and isinstance(op1, claripy.Bits) and op0.concrete and op1.concrete:
+            return claripy.BVV(1, 1) if op0.concrete_value <= op1.concrete_value else claripy.BVV(0, 1)
+        return None
+
+    def _handle_CmpGT(self, expr):
+        op0, op1 = self._expr(expr.operands[0]), self._expr(expr.operands[1])
+        if isinstance(op0, claripy.Bits) and isinstance(op1, claripy.Bits) and op0.concrete and op1.concrete:
+            return claripy.BVV(1, 1) if op0.concrete_value > op1.concrete_value else claripy.BVV(0, 1)
+        return None
+
+    def _handle_CmpGE(self, expr):
+        op0, op1 = self._expr(expr.operands[0]), self._expr(expr.operands[1])
+        if isinstance(op0, claripy.Bits) and isinstance(op1, claripy.Bits) and op0.concrete and op1.concrete:
+            return claripy.BVV(1, 1) if op0.concrete_value >= op1.concrete_value else claripy.BVV(0, 1)
+        return None
+
+
+class InlineStringTransformationDescriptor:
+    """
+    Describes an instance of inline string transformation.
+    """
+
+    def __init__(self, store_block, loop_body, stack_accesses, beginning_stack_offset):
+        self.store_block = store_block
+        self.loop_body = loop_body
+        self.stack_accesses = stack_accesses
+        self.beginning_stack_offset = beginning_stack_offset
+
+
+class InlinedStringTransformationSimplifier(OptimizationPass):
+    """
+    Simplifies inlined string transformation routines.
+    """
+
+    ARCHES = None
+    PLATFORMS = None
+    STAGE = OptimizationPassStage.AFTER_GLOBAL_SIMPLIFICATION
+    NAME = "Simplify string transformations"
+    DESCRIPTION = "Simplify string transformations that are commonly used in obfuscated functions."
+
+    def __init__(self, func, **kwargs):
+        super().__init__(func, **kwargs)
+        self.analyze()
+
+    def _check(self):
+        string_transformation_descs = self._find_string_transformation_loops()
+
+        return bool(string_transformation_descs), {"descs": string_transformation_descs}
+
+    def _analyze(self, cache=None):
+        if not cache or "descs" not in cache:
+            return
+
+        for desc in cache["descs"]:
+            desc: InlineStringTransformationDescriptor
+
+            # remove the original statements
+            skip_stmt_indices = set()
+            for stack_accesses in desc.stack_accesses:
+                # the first element is the initial storing statement
+                codeloc = stack_accesses[0][1]
+                assert codeloc.block_addr == desc.store_block.addr
+                skip_stmt_indices.add(codeloc.stmt_idx)
+            new_statements = [
+                stmt for idx, stmt in enumerate(desc.store_block.statements) if idx not in skip_stmt_indices
+            ]
+
+            # add new statements
+            store_statements = []
+            for off, stack_accesses in enumerate(desc.stack_accesses):
+                # the last element is the final storing statement
+                stack_addr = StackBaseOffset(None, self.project.arch.bits, desc.beginning_stack_offset + off)
+                new_value_ast = stack_accesses[-1][2]
+                new_value = Const(None, None, new_value_ast.concrete_value, self.project.arch.byte_width)
+                stmt = Store(
+                    None,
+                    stack_addr,
+                    new_value,
+                    1,
+                    "Iend_LE",
+                    ins_addr=desc.store_block.addr + desc.store_block.original_size - 1,
+                )
+                store_statements.append(stmt)
+            if new_statements and isinstance(new_statements[-1], (ConditionalJump, Jump)):
+                new_statements = new_statements[:-1] + store_statements + new_statements[-1:]
+            else:
+                new_statements += store_statements
+
+            new_store_block = desc.store_block.copy(statements=new_statements)
+            self._update_block(desc.store_block, new_store_block)
+
+            # remote the loop node
+            # since the loop node has exactly one external predecessor and one external successor, we can get rid of it
+            pred = next(iter(nn for nn in self.out_graph.predecessors(desc.loop_body) if nn is not desc.loop_body))
+            succ = next(iter(nn for nn in self.out_graph.successors(desc.loop_body) if nn is not desc.loop_body))
+
+            self.out_graph.remove_node(desc.loop_body)
+            self.out_graph.add_edge(pred, succ)
+
+            if pred.statements and isinstance(pred.statements[-1], ConditionalJump):
+                pred.statements[-1] = Jump(
+                    None,
+                    Const(None, None, succ.addr, self.project.arch.bits),
+                    succ.idx,
+                    **pred.statements[-1].tags,
+                )
+
+    def _find_string_transformation_loops(self):
+        # find self loops
+        self_loops = []
+        for node in self._graph.nodes:
+            preds = list(self._graph.predecessors(node))
+            succs = list(self._graph.successors(node))
+            if len(preds) == 2 and len(succs) == 2 and node in preds and node in succs:
+                pred = next(iter(nn for nn in preds if nn is not node))
+                succ = next(iter(nn for nn in succs if nn is not node))
+                if (
+                    self._graph.out_degree[pred] == 1
+                    and self._graph.in_degree[succ] == 1
+                    or self._graph.out_degree[pred] == 2
+                    and self._graph.in_degree[succ] == 2
+                    and self._graph.has_edge(pred, succ)
+                ):
+                    # found it
+                    self_loops.append(node)
+
+        if not self_loops:
+            return []
+
+        descs = []
+        for loop_node in self_loops:
+            pred = next(iter(nn for nn in self._graph.predecessors(loop_node) if nn is not loop_node))
+            succ = next(iter(nn for nn in self._graph.successors(loop_node) if nn is not loop_node))
+            engine = InlinedStringTransformationAILEngine(
+                self.project, {pred.addr: pred, loop_node.addr: loop_node}, pred.addr, succ.addr, 1024
+            )
+            if engine.finished:
+                # find the longest slide where the stack accesses are like the following:
+                #   "store", code_location_a, value_a
+                #   "load", code_location_b, value_a
+                #   "store", code_location_b, value_b
+                # where value_a and value_b may be the same
+                candidate_stack_addrs = []
+                for stack_addr in sorted(engine.stack_accesses.keys()):
+                    stack_accesses = engine.stack_accesses[stack_addr]
+                    if len(stack_accesses) == 3:
+                        item0, item1, item2 = stack_accesses
+                        if item0[0] == "store" and item1[0] == "load" and item2[0] == "store":
+                            if item0[1] != item1[1] and item1[1] == item2[1]:
+                                if item0[2] is item1[2]:
+                                    # found one!
+                                    candidate_stack_addrs.append(stack_addr)
+
+                if (
+                    len(candidate_stack_addrs) >= 2
+                    and candidate_stack_addrs[-1] == candidate_stack_addrs[0] + len(candidate_stack_addrs) - 1
+                ):
+                    filtered_stack_accesses = [engine.stack_accesses[a] for a in candidate_stack_addrs]
+                    stack_offset = candidate_stack_addrs[0] - engine.STACK_BASE
+                    info = InlineStringTransformationDescriptor(pred, loop_node, filtered_stack_accesses, stack_offset)
+                    descs.append(info)
+
+        return descs

angr/analyses/decompiler/optimization_passes/x86_gcc_getpc_simplifier.py

@@ -76,7 +76,10 @@ class X86GccGetPcSimplifier(OptimizationPass):
                 and isinstance(block.statements[-1].target, ailment.Expr.Const)
             ):
                 call_func_addr = block.statements[-1].target.value
-                call_func = self.kb.functions.get_by_addr(call_func_addr)
+                try:
+                    call_func = self.kb.functions.get_by_addr(call_func_addr)
+                except KeyError:
+                    continue
                 if "get_pc" in call_func.info:
                     results.append(
                         (key, len(block.statements) - 1, call_func.info["get_pc"], block.addr + block.original_size),

angr/analyses/decompiler/peephole_optimizations/__init__.py

@@ -42,6 +42,7 @@ from .invert_negated_logical_conjuction_disjunction import InvertNegatedLogicalC
 from .rol_ror import RolRorRewriter
 from .inlined_strcpy import InlinedStrcpy
 from .inlined_strcpy_consolidation import InlinedStrcpyConsolidation
+from .inlined_wstrcpy import InlinedWstrcpy
 
 from .base import PeepholeOptimizationExprBase, PeepholeOptimizationStmtBase, PeepholeOptimizationMultiStmtBase