angr.analyses.cfg.indirect_jump_resolvers.jumptable

exception angr.analyses.cfg.indirect_jump_resolvers.jumptable.NotAJumpTableNotification

Bases: AngrError

Exception raised to indicate this is not (or does not appear to be) a jump table.

class angr.analyses.cfg.indirect_jump_resolvers.jumptable.UninitReadMeta

Bases: object

Uninitialized read remapping details.

uninit_read_base = 201326592

class angr.analyses.cfg.indirect_jump_resolvers.jumptable.AddressTransformationTypes

Bases: int, Enum

Address transformation operations.

Assignment = 0
SignedExtension = 1
UnsignedExtension = 2
Truncation = 3
Or1 = 4
ShiftLeft = 5
ShiftRight = 6
Add = 7
Load = 8
__new__(value)

class angr.analyses.cfg.indirect_jump_resolvers.jumptable.AddressTransformation

Bases: object

Describe and record an address transformation operation.

__init__(op, operands, first_load=False)
Parameters:
class angr.analyses.cfg.indirect_jump_resolvers.jumptable.AddressOperand

Bases: object

The class of the singleton AddressSingleton, which represents the address being transformed before it is used as an indirect jump target.

class angr.analyses.cfg.indirect_jump_resolvers.jumptable.Tmp

Bases: object

For modeling Tmp variables.

__init__(tmp_idx)
class angr.analyses.cfg.indirect_jump_resolvers.jumptable.JumpTargetBaseAddr

Bases: object

Model for jump targets and their data origin.

__init__(stmt_loc, stmt, tmp, base_addr=None, tmp_1=None)
Parameters:
property base_addr_available
class angr.analyses.cfg.indirect_jump_resolvers.jumptable.JumpTableProcessorState

Bases: object

The state used in JumpTableProcessor.

__init__(arch)
arch
is_jumptable: bool | None
stmts_to_instrument
regs_to_initialize
class angr.analyses.cfg.indirect_jump_resolvers.jumptable.RegOffsetAnnotation

Bases: Annotation

Register Offset annotation.

__init__(reg_offset)
Parameters:

reg_offset (RegisterOffset)

reg_offset
property relocatable

Returns whether this annotation can be relocated in a simplification.

Returns:

True if it can be relocated, False otherwise.

property eliminatable

Returns whether this annotation can be eliminated in a simplification.

Returns:

True if it can be eliminated, False otherwise.

class angr.analyses.cfg.indirect_jump_resolvers.jumptable.JumpTableProcessor

Bases: SimEngineNostmtVEX[JumpTableProcessorState, BV, JumpTableProcessorState], ClaripyDataVEXEngineMixin[JumpTableProcessorState, BV, JumpTableProcessorState, None]

Implements a simple, deliberately naive data-dependency tracking for stack and register variables.

It also determines which statements to instrument during the later static execution of the slice. For example, the following pattern is not uncommon in non-optimized binaries:

    mov  [rbp+var_54], 1
loc_4051a6:
    cmp  [rbp+var_54], 6
    ja   loc_405412 (default)
loc_4051b0:
    mov  eax, [rbp+var_54]
    mov  rax, qword [rax*8+0x223a01]
    jmp  rax

We want to instrument the first instruction and replace the constant 1 with a symbolic variable; otherwise the slice only ever follows one table entry and we cannot recover all jump targets in block 0x4051b0.

__init__(project, indirect_jump_node_pred_addrs, bp_sp_diff=256)
Parameters:

indirect_jump_node_pred_addrs (set[int])

class angr.analyses.cfg.indirect_jump_resolvers.jumptable.StoreHook

Bases: object

Hook for memory stores.

static hook(state)
class angr.analyses.cfg.indirect_jump_resolvers.jumptable.LoadHook

Bases: object

Hook for memory loads.

__init__()
hook_before(state)
hook_after(state)
class angr.analyses.cfg.indirect_jump_resolvers.jumptable.PutHook

Bases: object

Hook for register writes.

static hook(state)
class angr.analyses.cfg.indirect_jump_resolvers.jumptable.RegisterInitializerHook

Bases: object

Hook for register init.

__init__(reg_offset, reg_bits, initial_value)
hook(state)
class angr.analyses.cfg.indirect_jump_resolvers.jumptable.BSSHook

Bases: object

Hook for BSS read/write.

__init__(project, bss_regions)
bss_memory_read_hook(state)
bss_memory_write_hook(state)
class angr.analyses.cfg.indirect_jump_resolvers.jumptable.MIPSGPHook

Bases: object

Hooks all reads from and writes into the gp register for MIPS32 binaries.

__init__(gp_offset, gp)
Parameters:
gp_register_read_hook(state)
gp_register_write_hook(state)
class angr.analyses.cfg.indirect_jump_resolvers.jumptable.JumpTableResolver

Bases: IndirectJumpResolver

A generic jump table resolver.

This is a fast jump-table resolution. For performance reasons it makes the following assumptions:
  • The final jump target comes from memory.
  • The final jump target must be read directly out of memory, without any further modification.

Progressively larger program slices are analyzed to determine the location and size of the jump table. If the size of the table cannot be determined, it is guessed from how many entries in the table appear valid.
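The two descriptions above (instrumenting the constant store in the JumpTableProcessor example, and guessing the table size from the number of valid-looking entries) are modelled in the following added example. It is not angr code: it is a constructed, pure-Python interpretation of the assembly slice shown for JumpTableProcessor, with a constructed memory image at the table address 0x223a01 and constructed code-section bounds. Running the slice with the constant 1 honoured yields a single target, while treating [rbp+var_54] as an unknown index bounded only by the `cmp ... 6 / ja` guard recovers every entry. The `guess_table_size` helper is one simple way to model the fallback guess (count leading entries that look like code addresses); the page does not state angr's actual heuristic.

```python
# Added example, not part of angr. Models the jump-table slice from the
# JumpTableProcessor docstring with a constructed memory image.

TABLE_BASE = 0x223A01            # from `mov rax, qword [rax*8+0x223a01]`
ENTRY_SIZE = 8                   # qword entries
DEFAULT_TARGET = 0x405412        # from `ja loc_405412 (default)`
# Constructed: pretend the executable .text section spans this range.
TEXT_RANGE = range(0x400000, 0x406000)


def build_memory() -> dict[int, int]:
    """Constructed little-endian byte memory: seven code pointers followed
    by unrelated data, so the table has no explicit terminator."""
    mem: dict[int, int] = {}
    entries = [0x405100 + 0x20 * i for i in range(7)] + [0x0, 0xDEADBEEFCAFE]
    for i, val in enumerate(entries):
        for b in range(ENTRY_SIZE):
            mem[TABLE_BASE + i * ENTRY_SIZE + b] = (val >> (8 * b)) & 0xFF
    return mem


def load_qword(mem: dict[int, int], addr: int) -> int:
    """Little-endian 8-byte load; unmapped bytes read as zero."""
    return sum(mem.get(addr + b, 0) << (8 * b) for b in range(ENTRY_SIZE))


def run_slice(mem: dict[int, int], var_54: int) -> int:
    """Execute the slice with a concrete 32-bit value in [rbp+var_54]."""
    index = var_54 & 0xFFFFFFFF
    if index > 6:                               # cmp [rbp+var_54], 6 ; ja (unsigned)
        return DEFAULT_TARGET
    eax = index                                 # mov eax, [rbp+var_54]
    rax = load_qword(mem, eax * 8 + TABLE_BASE)  # mov rax, qword [rax*8+0x223a01]
    return rax                                  # jmp rax


def resolve_uninstrumented(mem: dict[int, int]) -> set[int]:
    """Honour `mov [rbp+var_54], 1` as written: only one target is reachable."""
    return {run_slice(mem, 1)}


def resolve_instrumented(mem: dict[int, int]) -> set[int]:
    """Replace the constant with an unknown index. The only constraint on the
    fall-through path is the guard, so every index 0..6 must be explored."""
    return {run_slice(mem, idx) for idx in range(7)}


def guess_table_size(mem: dict[int, int], base: int, entry_size: int,
                     is_valid, max_entries: int = 4096) -> int:
    """Fallback when the bound is unknown (constructed heuristic): count
    consecutive entries from `base` that pass `is_valid`."""
    n = 0
    while n < max_entries and is_valid(load_qword(mem, base + n * entry_size)):
        n += 1
    return n


if __name__ == "__main__":
    memory = build_memory()
    print("uninstrumented:", [hex(t) for t in sorted(resolve_uninstrumented(memory))])
    print("instrumented:  ", [hex(t) for t in sorted(resolve_instrumented(memory))])
    print("guessed size:  ", guess_table_size(memory, TABLE_BASE, ENTRY_SIZE,
                                              lambda a: a in TEXT_RANGE))
```

The uninstrumented run reports only the entry for index 1; the instrumented run reports all seven entries, which is exactly the information the resolver would lose if the constant store were left untouched. The size guess stops at the first entry outside the constructed code range.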

__init__(project, resolve_calls=True)
Parameters:

resolve_calls (bool)

resolve(cfg, addr, func_addr, block, jumpkind, func_graph_complete=True, **kwargs)

Resolves jump tables.

Parameters:
  • cfg – A CFG instance.

  • addr (int) – IRSB address.

  • func_addr (int) – The function address.

  • block (pyvex.IRSB) – The IRSB.

  • func_graph_complete (bool)

Returns:

A bool indicating whether the indirect jump was resolved successfully, and a list of resolved targets.

Return type:

tuple