angr.analyses.cfg.indirect_jump_resolvers

class angr.analyses.cfg.indirect_jump_resolvers.AArch64MachOGotResolver

Bases: IndirectJumpResolver

A timeless indirect jump resolver that resolves GOT entries on AArch64 MachO binaries.

__init__(project)
resolve(cfg, addr, func_addr, block, jumpkind, func_graph_complete=True, **kwargs)

Resolves the GOT entries in AArch64 Mach-O binaries, where PLT stubs have the form:

adrp    x16, #0x100000
ldr     x16, [x16,#0x10]
br      x16

Parameters:

func_graph_complete (bool)
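As an added, stand-alone illustration that is not angr's own code: a model of how this stub idiom resolves, using the three instructions quoted above in text form, adrp page arithmetic, and a memory image. The stub address, GOT slot contents and the memory dict are all constructed for the example.

```python
import re
import struct

# Constructed sample image (not from a real binary): a PLT stub at STUB_ADDR and
# a GOT slot that holds the stub's real target as a little-endian u64.
STUB_ADDR = 0x100004000
TARGET = 0x100001234
STUB = ["adrp    x16, #0x100000", "ldr     x16, [x16,#0x10]", "br      x16"]
GOT_SLOT = (STUB_ADDR & ~0xFFF) + 0x100000 + 0x10        # 0x100104010
MEMORY = {GOT_SLOT: struct.pack("<Q", TARGET)}           # address -> bytes

HEX = r"(0x[0-9a-fA-F]+|\d+)"
ADRP_RE = re.compile(r"adrp\s+(x\d+),\s*#" + HEX)
LDR_RE = re.compile(r"ldr\s+(x\d+),\s*\[(x\d+),\s*#" + HEX + r"\]")
BR_RE = re.compile(r"br\s+(x\d+)")


def resolve_aarch64_got_stub(stub_addr, insns, memory):
    """Match the adrp/ldr/br idiom and return (resolved, targets).

    Assumes the adrp immediate is already the page-shifted byte offset, as in
    the disassembly quoted in the docs, and that stub_addr is the adrp's PC.
    """
    if len(insns) != 3:
        return False, []
    m_adrp = ADRP_RE.fullmatch(insns[0].strip())
    m_ldr = LDR_RE.fullmatch(insns[1].strip())
    m_br = BR_RE.fullmatch(insns[2].strip())
    if not (m_adrp and m_ldr and m_br):
        return False, []
    reg = m_adrp.group(1)
    # The idiom threads one register through all three instructions.
    if (m_ldr.group(1), m_ldr.group(2), m_br.group(1)) != (reg, reg, reg):
        return False, []
    # adrp: page of the adrp's own PC plus the page-granular immediate.
    page = (stub_addr & ~0xFFF) + int(m_adrp.group(2), 0)
    slot = page + int(m_ldr.group(3), 0)
    blob = memory.get(slot)
    if blob is None or len(blob) != 8:
        return False, []          # GOT slot unmapped: leave the jump unresolved
    return True, [struct.unpack("<Q", blob)[0]]
```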

class angr.analyses.cfg.indirect_jump_resolvers.AMD64ElfGotResolver

Bases: IndirectJumpResolver

A timeless indirect jump resolver that resolves GOT entries on AMD64 ELF binaries.

__init__(project)
class angr.analyses.cfg.indirect_jump_resolvers.AMD64PeIatResolver

Bases: IndirectJumpResolver

A timeless indirect call/jump resolver for IAT in amd64 PEs.

__init__(project)
class angr.analyses.cfg.indirect_jump_resolvers.ArmElfFastResolver

Bases: IndirectJumpResolver

Resolves indirect jumps in ARM ELF binaries

__init__(project)
resolve(cfg, addr, func_addr, block, jumpkind, func_graph_complete=True, **kwargs)

The main resolving function.

Parameters:
  • cfg – A CFG instance.

  • addr (int) – Address of the IRSB.

  • func_addr (int) – Address of the function.

  • block – The IRSB.

  • jumpkind (str) – The jumpkind.

  • func_graph_complete (bool)

Returns:

Return type:

tuple

class angr.analyses.cfg.indirect_jump_resolvers.ConstantResolver

Bases: IndirectJumpResolver

Resolve an indirect jump by running constant propagation on the entire function and checking whether the indirect jump target can be resolved to a constant value. This resolver must be run after all other, more specific resolvers.

__init__(project, max_func_nodes=512)
Parameters:

max_func_nodes (int)

resolve(cfg, addr, func_addr, block, jumpkind, func_graph_complete=True, **kwargs)

This function does the actual resolving. The process is simple: propagate all values inside the specified function, then extract the tmp variable used for the indirect jump from the basic block, and use that tmp to look up the constant value stored in the replacements. If no constant is present, a False tuple is returned.

Parameters:
  • cfg – CFG with specified function

  • addr (int) – Address of indirect jump

  • func_addr (int) – Address of function of indirect jump

  • block (Block) – Block of indirect jump (Block object)

  • jumpkind (str) – VEX jumpkind (Ijk_Boring or Ijk_Call)

  • func_graph_complete (bool)

Returns:

Bool tuple with replacement address

class angr.analyses.cfg.indirect_jump_resolvers.JumpTableResolver

Bases: IndirectJumpResolver

A generic jump table resolver.

This is a fast jump table resolution. For performance reasons, it makes the following assumptions:
  • The final jump target comes from memory.

  • The final jump target must be read directly out of memory, without any further modification.

Progressively larger program slices will be analyzed to determine jump table location and size. If the size of the table cannot be determined, a guess will be made based on how many entries in the table appear valid.
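As an added, stand-alone illustration (not angr's code) of the size-guessing fallback described above: read consecutive table entries from a memory image and stop at the first one that does not look like a code address. The table contents, entry size and the assumed .text bounds are all constructed for the example.

```python
import struct

# Constructed memory image (not from a real binary): a 4-entry jump table of
# little-endian 64-bit absolute targets, followed by unrelated data.
TEXT_RANGE = (0x401000, 0x402000)        # assumed .text bounds
TABLE_ADDR = 0x403000
TABLE_BYTES = (struct.pack("<4Q", 0x401100, 0x401180, 0x401210, 0x4013F0)
               + struct.pack("<2Q", 0x0, 0xDEADBEEFDEADBEEF))
MEMORY = {TABLE_ADDR: TABLE_BYTES}       # address -> bytes


def read_entries(memory, base, entry_size, max_entries):
    """Yield up to max_entries little-endian entries stored at base."""
    blob = memory.get(base, b"")
    fmt = {4: "<I", 8: "<Q"}[entry_size]
    for i in range(min(max_entries, len(blob) // entry_size)):
        yield struct.unpack_from(fmt, blob, i * entry_size)[0]


def guess_jump_table(memory, base, entry_size, text_range, max_entries=256):
    """Return (resolved, targets) for a table whose size is unknown.

    Mirrors the documented fallback: the table is assumed to end at the first
    entry that is not a plausible code address, here meaning it falls outside
    text_range. Entries are taken as-is, i.e. read directly from memory.
    """
    lo, hi = text_range
    targets = []
    for entry in read_entries(memory, base, entry_size, max_entries):
        if not lo <= entry < hi:
            break                        # first implausible entry ends the table
        targets.append(entry)
    if not targets:
        return False, []                 # nothing usable: leave unresolved
    return True, targets
```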

__init__(project, resolve_calls=True)
Parameters:

resolve_calls (bool)

resolve(cfg, addr, func_addr, block, jumpkind, func_graph_complete=True, **kwargs)

Resolves jump tables.

Parameters:
  • cfg – A CFG instance.

  • addr (int) – IRSB address.

  • func_addr (int) – The function address.

  • block (pyvex.IRSB) – The IRSB.

  • func_graph_complete (bool)

Returns:

A bool indicating whether the indirect jump was resolved successfully, and a list of resolved targets.

Return type:

tuple

class angr.analyses.cfg.indirect_jump_resolvers.MemoryLoadResolver

Bases: IndirectJumpResolver

Resolve an indirect jump that looks like the following:

.text:
                call    off_3314A8

.data:
off_3314A8      dd offset sub_1E426F

This indirect jump resolver may not be the best solution for all cases (e.g., when the .data section can be intentionally altered by the binary itself).

__init__(project)
resolve(cfg, addr, func_addr, block, jumpkind, func_graph_complete=True, **kwargs)
Parameters:
  • cfg – CFG with specified function

  • addr (int) – Address of indirect jump

  • func_addr (int) – Address of function of indirect jump

  • block (IRSB) – Block of indirect jump (Block object)

  • jumpkind (str) – VEX jumpkind (Ijk_Boring or Ijk_Call)

  • func_graph_complete (bool)

Returns:

Bool tuple with replacement address

class angr.analyses.cfg.indirect_jump_resolvers.MipsElfFastResolver

Bases: IndirectJumpResolver

A timeless indirect jump resolver for R9-based indirect function calls in MIPS ELFs.

__init__(project)
resolve(cfg, addr, func_addr, block, jumpkind, func_graph_complete=True, **kwargs)

Wrapper for _resolve that gradually increments the max_depth used by Blade for finding sources until the address is resolved or the default max_depth is reached.

Parameters:
  • cfg – A CFG instance.

  • addr (int) – IRSB address.

  • func_addr (int) – The function address.

  • block (pyvex.IRSB) – The IRSB.

  • jumpkind (str) – The jumpkind.

  • func_graph_complete (bool)

Returns:

Whether it was resolved, together with the resolved targets.

Return type:

tuple

class angr.analyses.cfg.indirect_jump_resolvers.MipsElfGotResolver

Bases: IndirectJumpResolver

A timeless indirect jump resolver that resolves GOT stub entries in MIPS ELF binaries.

Reference: MIPS Assembly Language Programmer’s Guide, Calling Position Independent Functions

__init__(project)
class angr.analyses.cfg.indirect_jump_resolvers.SyscallResolver

Bases: IndirectJumpResolver

Resolve syscalls to SimProcedures.

__init__(project)
class angr.analyses.cfg.indirect_jump_resolvers.X86ElfPicPltResolver

Bases: IndirectJumpResolver

In x86 ELF position-independent code, PLT stubs use ebx to resolve library calls, where ebx holds the address of the beginning of the GOT. We resolve the target by forcing ebx to the beginning of the GOT and simulating the execution in fast-path mode.

__init__(project)
class angr.analyses.cfg.indirect_jump_resolvers.X86PeIatResolver

Bases: IndirectJumpResolver

A timeless indirect jump resolver for IAT in x86 PEs and xbes.

__init__(project)
