angr 9.2.97__py3-none-manylinux2014_x86_64.whl → 9.2.98__py3-none-manylinux2014_x86_64.whl

angr/analyses/decompiler/peephole_optimizations/inlined_wstrcpy.py

@@ -0,0 +1,162 @@
+# pylint:disable=arguments-differ
+from typing import Tuple, Optional, Dict, List
+import string
+
+from archinfo import Endness
+
+from ailment.expression import Const, StackBaseOffset
+from ailment.statement import Call, Store
+
+from .base import PeepholeOptimizationStmtBase
+
+
+ASCII_PRINTABLES = set(string.printable)
+ASCII_DIGITS = set(string.digits)
+
+
+class InlinedWstrcpy(PeepholeOptimizationStmtBase):
+    """
+    Simplifies inlined wide string copying logic into calls to wstrcpy.
+    """
+
+    __slots__ = ()
+
+    NAME = "Simplifying inlined wstrcpy"
+    stmt_classes = (Store,)
+
+    def optimize(self, stmt: Store, stmt_idx: int = None, block=None, **kwargs):
+        if isinstance(stmt.data, Const):
+            r, s = self.is_integer_likely_a_wide_string(stmt.data.value, stmt.data.size, stmt.endness)
+            if r:
+                # replace it with a call to strncpy
+                str_id = self.kb.custom_strings.allocate(s.encode("ascii"))
+                return Call(
+                    stmt.idx,
+                    "wstrncpy",
+                    args=[
+                        stmt.addr,
+                        Const(None, None, str_id, stmt.addr.bits, custom_string=True),
+                        Const(None, None, len(s), self.project.arch.bits),
+                    ],
+                    **stmt.tags,
+                )
+
+            # scan forward in the current block to find all consecutive constant stores
+            if block is not None and stmt_idx is not None:
+                all_constant_stores: Dict[int, Tuple[int, Optional[Const]]] = self.collect_constant_stores(
+                    block, stmt_idx
+                )
+                if all_constant_stores:
+                    offsets = sorted(all_constant_stores.keys())
+                    next_offset = min(offsets)
+                    stride = []
+                    for offset in offsets:
+                        if next_offset is not None and offset != next_offset:
+                            next_offset = None
+                            stride = []
+                        stmt_idx_, v = all_constant_stores[offset]
+                        if v is not None:
+                            stride.append((offset, stmt_idx_, v))
+                            next_offset = offset + v.size
+                        else:
+                            next_offset = None
+                            stride = []
+
+                    integer, size = self.stride_to_int(stride)
+                    r, s = self.is_integer_likely_a_wide_string(integer, size, Endness.BE)
+                    if r:
+                        # we remove all involved statements whose statement IDs are greater than the current one
+                        for _, stmt_idx_, _ in reversed(stride):
+                            if stmt_idx_ <= stmt_idx:
+                                continue
+                            block.statements[stmt_idx_] = None
+                        block.statements = [ss for ss in block.statements if ss is not None]
+
+                        str_id = self.kb.custom_strings.allocate(s.encode("ascii"))
+                        return Call(
+                            stmt.idx,
+                            "wstrncpy",
+                            args=[
+                                stmt.addr,
+                                Const(None, None, str_id, stmt.addr.bits, custom_string=True),
+                                Const(None, None, len(s), self.project.arch.bits),
+                            ],
+                            **stmt.tags,
+                        )
+
+        return None
+
+    @staticmethod
+    def stride_to_int(stride: List[Tuple[int, int, Const]]) -> Tuple[int, int]:
+        stride = sorted(stride, key=lambda x: x[0])
+        n = 0
+        size = 0
+        for _, _, v in stride:
+            size += v.size
+            n <<= v.bits
+            n |= v.value
+        return n, size
+
+    @staticmethod
+    def collect_constant_stores(block, starting_stmt_idx: int) -> Dict[int, Tuple[int, Optional[Const]]]:
+        r = {}
+        for idx, stmt in enumerate(block.statements):
+            if idx < starting_stmt_idx:
+                continue
+            if isinstance(stmt, Store) and isinstance(stmt.addr, StackBaseOffset) and isinstance(stmt.addr.offset, int):
+                if isinstance(stmt.data, Const):
+                    r[stmt.addr.offset] = idx, stmt.data
+                else:
+                    r[stmt.addr.offset] = idx, None
+
+        return r
+
+    @staticmethod
+    def even_offsets_are_zero(lst: List[str]) -> bool:
+        return all(ch == "\x00" for i, ch in enumerate(lst) if i % 2 == 0)
+
+    @staticmethod
+    def odd_offsets_are_zero(lst: List[str]) -> bool:
+        return all(ch == "\x00" for i, ch in enumerate(lst) if i % 2 == 1)
+
+    @staticmethod
+    def is_integer_likely_a_wide_string(
+        v: int, size: int, endness: Endness, min_length: int = 4
+    ) -> Tuple[bool, Optional[str]]:
+        # we need at least four bytes of printable characters
+
+        chars = []
+        if endness == Endness.LE:
+            while v != 0:
+                byt = v & 0xFF
+                if byt != 0 and chr(byt) not in ASCII_PRINTABLES:
+                    return False, None
+                chars.append(chr(byt))
+                v >>= 8
+
+        elif endness == Endness.BE:
+            for _ in range(size):
+                byt = v & 0xFF
+                v >>= 8
+                if byt != 0 and chr(byt) not in ASCII_PRINTABLES:
+                    return False, None
+                chars.append(chr(byt))
+            chars = chars[::-1]
+        else:
+            # unsupported endness
+            return False, None
+
+        if InlinedWstrcpy.even_offsets_are_zero(chars):
+            chars = [ch for i, ch in enumerate(chars) if i % 2 == 1]
+        elif InlinedWstrcpy.odd_offsets_are_zero(chars):
+            chars = [ch for i, ch in enumerate(chars) if i % 2 == 0]
+        else:
+            return False, None
+
+        if chars and chars[-1] == "\x00":
+            chars = chars[:-1]
+        if len(chars) >= min_length and all(ch in ASCII_PRINTABLES for ch in chars):
+            if len(chars) <= 4 and all(ch in ASCII_DIGITS for ch in chars):
+                return False, None
+            return True, "".join(chars)
+        return False, None

angr/analyses/decompiler/structured_codegen/__init__.py

@@ -5,6 +5,6 @@ from .base import (
     PositionMappingElement,
     PositionMapping,
 )
-from .c import CStructuredCodeGenerator
+from .c import CStructuredCodeGenerator, CStructuredCodeWalker
 from .dwarf_import import ImportSourceCode
 from .dummy import DummyStructuredCodeGenerator

angr/analyses/decompiler/structured_codegen/c.py

@@ -1,4 +1,4 @@
-# pylint:disable=missing-class-docstring,too-many-boolean-expressions,unused-argument
+# pylint:disable=missing-class-docstring,too-many-boolean-expressions,unused-argument,no-self-use
 from typing import Optional, Dict, List, Tuple, Set, Any, Union, TYPE_CHECKING, Callable
 from collections import defaultdict
 import logging
@@ -2524,9 +2524,9 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
             codegen=self,
             omit_header=self.omit_func_header,
         )
-        self.cfunc = FieldReferenceCleanup.handle(self.cfunc)
-        self.cfunc = PointerArithmeticFixer.handle(self.cfunc)
-        self.cfunc = MakeTypecastsImplicit.handle(self.cfunc)
+        self.cfunc = FieldReferenceCleanup().handle(self.cfunc)
+        self.cfunc = PointerArithmeticFixer().handle(self.cfunc)
+        self.cfunc = MakeTypecastsImplicit().handle(self.cfunc)
 
         # TODO store extern fallback size somewhere lol
         self.cexterns = {
@@ -3554,120 +3554,100 @@ class CStructuredCodeGenerator(BaseStructuredCodeGenerator, Analysis):
 
 
 class CStructuredCodeWalker:
-    @classmethod
-    def handle(cls, obj):
-        handler = getattr(cls, "handle_" + type(obj).__name__, cls.handle_default)
+    def handle(self, obj):
+        handler = getattr(self, "handle_" + type(obj).__name__, self.handle_default)
         return handler(obj)
 
-    @classmethod
-    def handle_default(cls, obj):
+    def handle_default(self, obj):
         return obj
 
-    @classmethod
-    def handle_CFunction(cls, obj):
-        obj.statements = cls.handle(obj.statements)
+    def handle_CFunction(self, obj):
+        obj.statements = self.handle(obj.statements)
         return obj
 
-    @classmethod
-    def handle_CStatements(cls, obj):
-        obj.statements = [cls.handle(stmt) for stmt in obj.statements]
+    def handle_CStatements(self, obj):
+        obj.statements = [self.handle(stmt) for stmt in obj.statements]
         return obj
 
-    @classmethod
-    def handle_CWhileLoop(cls, obj):
-        obj.condition = cls.handle(obj.condition)
-        obj.body = cls.handle(obj.body)
+    def handle_CWhileLoop(self, obj):
+        obj.condition = self.handle(obj.condition)
+        obj.body = self.handle(obj.body)
         return obj
 
-    @classmethod
-    def handle_CDoWhileLoop(cls, obj):
-        obj.condition = cls.handle(obj.condition)
-        obj.body = cls.handle(obj.body)
+    def handle_CDoWhileLoop(self, obj):
+        obj.condition = self.handle(obj.condition)
+        obj.body = self.handle(obj.body)
         return obj
 
-    @classmethod
-    def handle_CForLoop(cls, obj):
-        obj.initializer = cls.handle(obj.initializer)
-        obj.condition = cls.handle(obj.condition)
-        obj.iterator = cls.handle(obj.iterator)
-        obj.body = cls.handle(obj.body)
+    def handle_CForLoop(self, obj):
+        obj.initializer = self.handle(obj.initializer)
+        obj.condition = self.handle(obj.condition)
+        obj.iterator = self.handle(obj.iterator)
+        obj.body = self.handle(obj.body)
         return obj
 
-    @classmethod
-    def handle_CIfElse(cls, obj):
+    def handle_CIfElse(self, obj):
         obj.condition_and_nodes = [
-            (cls.handle(condition), cls.handle(node)) for condition, node in obj.condition_and_nodes
+            (self.handle(condition), self.handle(node)) for condition, node in obj.condition_and_nodes
         ]
-        obj.else_node = cls.handle(obj.else_node)
+        obj.else_node = self.handle(obj.else_node)
         return obj
 
-    @classmethod
-    def handle_CIfBreak(cls, obj):
-        obj.condition = cls.handle(obj.condition)
+    def handle_CIfBreak(self, obj):
+        obj.condition = self.handle(obj.condition)
         return obj
 
-    @classmethod
-    def handle_CSwitchCase(cls, obj):
-        obj.switch = cls.handle(obj.switch)
-        obj.cases = [(case, cls.handle(body)) for case, body in obj.cases]
-        obj.default = cls.handle(obj.default)
+    def handle_CSwitchCase(self, obj):
+        obj.switch = self.handle(obj.switch)
+        obj.cases = [(case, self.handle(body)) for case, body in obj.cases]
+        obj.default = self.handle(obj.default)
         return obj
 
-    @classmethod
-    def handle_CAssignment(cls, obj):
-        obj.lhs = cls.handle(obj.lhs)
-        obj.rhs = cls.handle(obj.rhs)
+    def handle_CAssignment(self, obj):
+        obj.lhs = self.handle(obj.lhs)
+        obj.rhs = self.handle(obj.rhs)
         return obj
 
-    @classmethod
-    def handle_CFunctionCall(cls, obj):
-        obj.callee_target = cls.handle(obj.callee_target)
-        obj.args = [cls.handle(arg) for arg in obj.args]
-        obj.ret_expr = cls.handle(obj.ret_expr)
+    def handle_CFunctionCall(self, obj):
+        obj.callee_target = self.handle(obj.callee_target)
+        obj.args = [self.handle(arg) for arg in obj.args]
+        obj.ret_expr = self.handle(obj.ret_expr)
         return obj
 
-    @classmethod
-    def handle_CReturn(cls, obj):
-        obj.retval = cls.handle(obj.retval)
+    def handle_CReturn(self, obj):
+        obj.retval = self.handle(obj.retval)
         return obj
 
-    @classmethod
-    def handle_CGoto(cls, obj):
-        obj.target = cls.handle(obj.target)
+    def handle_CGoto(self, obj):
+        obj.target = self.handle(obj.target)
         return obj
 
-    @classmethod
-    def handle_CIndexedVariable(cls, obj):
-        obj.variable = cls.handle(obj.variable)
-        obj.index = cls.handle(obj.index)
+    def handle_CIndexedVariable(self, obj):
+        obj.variable = self.handle(obj.variable)
+        obj.index = self.handle(obj.index)
         return obj
 
-    @classmethod
-    def handle_CVariableField(cls, obj):
-        obj.variable = cls.handle(obj.variable)
+    def handle_CVariableField(self, obj):
+        obj.variable = self.handle(obj.variable)
         return obj
 
-    @classmethod
-    def handle_CUnaryOp(cls, obj):
-        obj.operand = cls.handle(obj.operand)
+    def handle_CUnaryOp(self, obj):
+        obj.operand = self.handle(obj.operand)
         return obj
 
-    @classmethod
-    def handle_CBinaryOp(cls, obj):
-        obj.lhs = cls.handle(obj.lhs)
-        obj.rhs = cls.handle(obj.rhs)
+    def handle_CBinaryOp(self, obj):
+        obj.lhs = self.handle(obj.lhs)
+        obj.rhs = self.handle(obj.rhs)
         return obj
 
-    @classmethod
-    def handle_CTypeCast(cls, obj):
-        obj.expr = cls.handle(obj.expr)
+    def handle_CTypeCast(self, obj):
+        obj.expr = self.handle(obj.expr)
         return obj
 
-    @classmethod
-    def handle_CITE(cls, obj):
-        obj.cond = cls.handle(obj.cond)
-        obj.iftrue = cls.handle(obj.iftrue)
-        obj.iffalse = cls.handle(obj.iffalse)
+    def handle_CITE(self, obj):
+        obj.cond = self.handle(obj.cond)
+        obj.iftrue = self.handle(obj.iftrue)
+        obj.iffalse = self.handle(obj.iffalse)
         return obj
 
 
@@ -3702,34 +3682,30 @@ class MakeTypecastsImplicit(CStructuredCodeWalker):
             return cls.collapse(dst_ty, result)
         return result
 
-    @classmethod
-    def handle_CAssignment(cls, obj):
-        obj.rhs = cls.collapse(obj.lhs.type, obj.rhs)
+    def handle_CAssignment(self, obj):
+        obj.rhs = self.collapse(obj.lhs.type, obj.rhs)
         return super().handle_CAssignment(obj)
 
-    @classmethod
-    def handle_CFunctionCall(cls, obj: CFunctionCall):
+    def handle_CFunctionCall(self, obj: CFunctionCall):
         for i, (c_arg, arg_ty) in enumerate(zip(obj.args, obj.prototype.args)):
-            obj.args[i] = cls.collapse(arg_ty, c_arg)
+            obj.args[i] = self.collapse(arg_ty, c_arg)
         return super().handle_CFunctionCall(obj)
 
-    @classmethod
-    def handle_CReturn(cls, obj: CReturn):
-        obj.retval = cls.collapse(obj.codegen._func.prototype.returnty, obj.retval)
+    def handle_CReturn(self, obj: CReturn):
+        obj.retval = self.collapse(obj.codegen._func.prototype.returnty, obj.retval)
         return super().handle_CReturn(obj)
 
-    @classmethod
-    def handle_CBinaryOp(cls, obj: CBinaryOp):
+    def handle_CBinaryOp(self, obj: CBinaryOp):
         obj = super().handle_CBinaryOp(obj)
         while True:
-            new_lhs = cls.collapse(obj.common_type, obj.lhs)
+            new_lhs = self.collapse(obj.common_type, obj.lhs)
             if (
                 new_lhs is not obj.lhs
                 and CBinaryOp.compute_common_type(obj.op, new_lhs.type, obj.rhs.type) == obj.common_type
             ):
                 obj.lhs = new_lhs
             else:
-                new_rhs = cls.collapse(obj.common_type, obj.rhs)
+                new_rhs = self.collapse(obj.common_type, obj.rhs)
                 if (
                     new_rhs is not obj.rhs
                     and CBinaryOp.compute_common_type(obj.op, obj.lhs.type, new_rhs.type) == obj.common_type
@@ -3739,11 +3715,10 @@ class MakeTypecastsImplicit(CStructuredCodeWalker):
                     break
         return obj
 
-    @classmethod
-    def handle_CTypeCast(cls, obj: CTypeCast):
+    def handle_CTypeCast(self, obj: CTypeCast):
         # note that the expression that this method returns may no longer be a CTypeCast
         obj = super().handle_CTypeCast(obj)
-        inner = cls.collapse(obj.dst_type, obj.expr)
+        inner = self.collapse(obj.dst_type, obj.expr)
         if inner is not obj.expr:
             obj.src_type = inner.type
             obj.expr = inner
@@ -3753,12 +3728,11 @@ class MakeTypecastsImplicit(CStructuredCodeWalker):
 
 
 class FieldReferenceCleanup(CStructuredCodeWalker):
-    @classmethod
-    def handle_CTypeCast(cls, obj):
+    def handle_CTypeCast(self, obj):
         if isinstance(obj.dst_type, SimTypePointer) and not isinstance(obj.dst_type.pts_to, SimTypeBottom):
             obj = obj.codegen._access_reference(obj.expr, obj.dst_type.pts_to)
             if not isinstance(obj, CTypeCast):
-                return cls.handle(obj)
+                return self.handle(obj)
         return super().handle_CTypeCast(obj)
 
 
@@ -3776,8 +3750,7 @@ class PointerArithmeticFixer(CStructuredCodeWalker):
     a_ptr = a_ptr + 1.
     """
 
-    @classmethod
-    def handle_CBinaryOp(cls, obj):
+    def handle_CBinaryOp(self, obj):
         obj: CBinaryOp = super().handle_CBinaryOp(obj)
         if (
             obj.op in ("Add", "Sub")

angr/analyses/decompiler/utils.py

@@ -569,7 +569,10 @@ def peephole_optimize_stmts(block, stmt_opts):
     statements = []
 
     # run statement optimizers
-    for stmt_idx, stmt in enumerate(block.statements):
+    # note that an optimizer may optionally edit or remove statements whose statement IDs are greater than stmt_idx
+    stmt_idx = 0
+    while stmt_idx < len(block.statements):
+        stmt = block.statements[stmt_idx]
         old_stmt = stmt
         redo = True
         while redo:
@@ -587,6 +590,7 @@ def peephole_optimize_stmts(block, stmt_opts):
             any_update = True
         else:
             statements.append(old_stmt)
+        stmt_idx += 1
 
     return statements, any_update
 

angr/analyses/propagator/engine_vex.py

@@ -163,6 +163,9 @@ class SimEnginePropagatorVEX(
             self.state.store_register(stmt.offset, size, data)
             self.state.add_replacement(self._codeloc(block_only=False), VEXReg(stmt.offset, size), data)
 
+    def _handle_PutI(self, stmt):
+        self._expr(stmt.data)
+
     def _store_data(self, addr, data, size, endness):
         # pylint: disable=unused-argument,no-self-use
         if isinstance(addr, claripy.ast.Base):
@@ -260,6 +263,9 @@ class SimEnginePropagatorVEX(
         size = expr.result_size(self.tyenv) // self.arch.byte_width
         return self.state.load_register(expr.offset, size)
 
+    def _handle_GetI(self, expr):
+        return self.state.top(expr.result_size(self.tyenv))
+
     def _handle_Load(self, expr):
         addr = self._expr(expr.addr)
         if addr is None or type(addr) in (Top, Bottom):
@@ -278,6 +284,13 @@ class SimEnginePropagatorVEX(
         # print(expr.op, r)
         return r
 
+    def _handle_Triop(self, expr: pyvex.IRExpr.Triop):
+        if not self.state.do_binops:
+            return self.state.top(expr.result_size(self.tyenv))
+
+        r = super()._handle_Triop(expr)
+        return r
+
     def _handle_Conversion(self, expr):
         expr_ = self._expr(expr.args[0])
         to_size = expr.result_size(self.tyenv)
@@ -311,3 +324,5 @@ class SimEnginePropagatorVEX(
                             self.state.block_initial_reg_values[self.block.addr, dst.concrete_value].append(v)
 
         super()._handle_Exit(stmt)
+
+    _handle_CmpF = _handle_CmpEQ

angr/analyses/reaching_definitions/engine_vex.py

@@ -176,6 +176,9 @@ class SimEngineRDVEX(
             return
         self.state.kill_and_add_definition(reg, data)
 
+    def _handle_PutI(self, stmt):
+        pass
+
     # e.g. STle(t6) = t21, t6 and/or t21 might include multiple values
     def _handle_Store(self, stmt):
         addr = self._expr(stmt.addr)
@@ -404,6 +407,9 @@ class SimEngineRDVEX(
 
         return values
 
+    def _handle_GetI(self, expr: pyvex.IRExpr.GetI) -> MultiValues:
+        return MultiValues(self.state.top(expr.result_size(self.tyenv)))
+
     # e.g. t27 = LDle:I64(t9), t9 might include multiple values
     # caution: Is also called from StoreG
     def _handle_Load(self, expr) -> MultiValues:

angr/analyses/variable_recovery/engine_vex.py

@@ -61,6 +61,9 @@ class SimEngineVRVEX(
             return
         self._assign_to_register(offset, r, size)
 
+    def _handle_PutI(self, stmt):
+        pass
+
     def _handle_Store(self, stmt):
         addr_r = self._expr(stmt.addr)
         size = stmt.data.result_size(self.tyenv) // 8
@@ -159,6 +162,9 @@ class SimEngineVRVEX(
             create_variable=self.stmt_idx not in self.reg_read_stmts_to_ignore,
         )
 
+    def _handle_GetI(self, expr: pyvex.IRExpr.GetI):
+        return RichR(self.state.top(expr.result_size(self.tyenv)))
+
     def _handle_Load(self, expr: pyvex.IRExpr.Load) -> RichR:
         addr = self._expr(expr.addr)
         size = expr.result_size(self.tyenv) // 8

angr/analyses/variable_recovery/irsb_scanner.py

@@ -33,6 +33,12 @@ class VEXIRSBScanner(SimEngineLightVEXMixin):
         self.reg_read_stmt_id: Dict[int, int] = {}
         self.reg_read_stmts_to_ignore: Set[int] = set()
 
+    def _top(self, size: int):
+        return None
+
+    def _is_top(self, expr) -> bool:
+        return True
+
     def _process_Stmt(self, whitelist=None):
         self.tmps_with_64bit_regs = set()
         self.tmps_assignment_stmtidx = {}
@@ -55,6 +61,9 @@ class VEXIRSBScanner(SimEngineLightVEXMixin):
                 self.reg_read_stmts_to_ignore.add(self.reg_read_stmt_id[old_reg_offset])
             self.reg_with_reg_as_value[stmt.offset] = self.tmp_with_reg_as_value[stmt.data.tmp]
 
+    def _handle_PutI(self, stmt):
+        pass
+
     def _handle_Load(self, expr):
         pass
 
@@ -85,6 +94,9 @@ class VEXIRSBScanner(SimEngineLightVEXMixin):
         if expr.offset in self.reg_with_reg_as_value:
             del self.reg_with_reg_as_value[expr.offset]
 
+    def _handle_GetI(self, expr):
+        pass
+
     def _handle_RdTmp(self, expr):
         if expr.tmp in self.tmps_converted_to_32bit:
             self.tmps_converted_to_32bit.remove(expr.tmp)