angr.analyses.variable_recovery.variable_recovery_fast

class angr.analyses.variable_recovery.variable_recovery_fast.VariableRecoveryFastState

Bases: VariableRecoveryStateBase

The abstract state of variable recovery analysis.

Variables:
__init__(block_addr, analysis, arch, func, project, stack_region=None, register_region=None, global_region=None, typevars=None, type_constraints=None, func_typevar=None, delayed_type_constraints=None, stack_offset_typevars=None, ret_val_size=None, *, tv_manager)
Parameters:

tv_manager (TypeVariableManager)

copy()
merge(others, successor=None)

Merge two abstract states.

For any node A whose dominance frontier contains the current node (at the current program location), we create a phi variable V' for each variable V that is defined in A, and then replace all occurrences of V with V' in the merged abstract state.

Parameters:

others (tuple[VariableRecoveryFastState, ...]) – Other abstract states to merge.

Return type:

tuple[VariableRecoveryFastState, bool]

Returns:

The merged abstract state.
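The phi-variable rule described for merge(), worked through on a small control-flow graph. This is an added example, not angr's implementation: the graph, node names, variable names and the helper functions are all constructed for illustration, and the sketch computes dominance frontiers from scratch instead of using angr's data structures.

```python
# Added illustration (not angr code). CFG, node names and variable names
# are constructed. Assumes every non-entry node is reachable from the entry.
CFG = {"entry": ["then", "else"], "then": ["join"], "else": ["join"],
       "join": ["exit"], "exit": []}
# Variables defined (written) in each node.
DEFS = {"entry": ["var_8"], "then": ["var_10"], "else": ["var_10", "var_18"]}

def dominators(cfg, entry):
    """Iterate to a fixpoint: dom(n) = {n} | intersection of dom(p) over preds p."""
    nodes = set(cfg)
    preds = {n: {p for p in cfg if n in cfg[p]} for n in nodes}
    dom = {n: set(nodes) for n in nodes}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes - {entry}:
            new = {n} | set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n], changed = new, True
    return dom, preds

def dominance_frontiers(cfg, entry):
    """DF(A) = nodes Y where A dominates a predecessor of Y
    but does not strictly dominate Y itself."""
    dom, preds = dominators(cfg, entry)
    df = {n: set() for n in cfg}
    for y in cfg:
        for p in preds[y]:
            for a in dom[p]:
                if a == y or a not in dom[y]:
                    df[a].add(y)
    return df

def phi_variables(cfg, entry, defs, node):
    """For every A whose dominance frontier contains `node`, map each
    variable V defined in A to a phi variable V'."""
    df = dominance_frontiers(cfg, entry)
    return {v: v + "'" for a in cfg if node in df[a] for v in defs.get(a, ())}

if __name__ == "__main__":
    # "join" is in DF(then) and DF(else), so their definitions get phi variables;
    # var_8 is defined in "entry", which strictly dominates "join", so it is kept.
    print(phi_variables(CFG, "entry", DEFS, "join"))
```

Variables defined only in a node that strictly dominates the merge point reach it unambiguously, which is why they are not renamed.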

class angr.analyses.variable_recovery.variable_recovery_fast.VariableRecoveryFast

Bases: ForwardAnalysis, VariableRecoveryBase

Recover “variables” from a function by keeping track of stack pointer offsets and pattern matching VEX statements.

If calling conventions are recovered prior to running VariableRecoveryFast, variables can be recognized more accurately. However, it is not a requirement. In this case, the function graph you pass must contain information indicating the call-out sites inside the analyzed function. These graph edges must be annotated with either "type": "call" or "outside": True.