angr.engines.pcode.lifter

class angr.engines.pcode.lifter.ExitStatement

Bases: object

This class exists to ease compatibility with CFGFast’s processing of exit_statements. See _scan_irsb method.

__init__(dst, jumpkind)
Parameters:
  • dst (int | None)

  • jumpkind (str)

dst: int | None
jumpkind: str
class angr.engines.pcode.lifter.PcodeDisassemblerBlock

Bases: DisassemblerBlock

Helper class to represent a block of disassembled target architecture instructions

addr
arch
insns
thumb
class angr.engines.pcode.lifter.PcodeDisassemblerInsn

Bases: DisassemblerInsn

Helper class to represent a disassembled target architecture instruction

__init__(pcode_insn)
property size: int
property address: int
property mnemonic: str
property op_str: str
class angr.engines.pcode.lifter.IRSB

Bases: object

IRSB stands for Intermediate Representation Super-Block. An IRSB is a single-entry, multiple-exit code block.

Variables:
  • arch (archinfo.Arch) – The architecture this block is lifted under

  • statements (list of IRStmt) – The statements in this block

  • next (IRExpr) – The expression for the default exit target of this block

  • offsIP (int) – The offset of the instruction pointer in the VEX guest state

  • stmts_used (int) – The number of statements in this IRSB

  • jumpkind (str) – The type of this block’s default jump (call, boring, syscall, etc) as a VEX enum string

  • direct_next (bool) – Whether this block ends with a direct (not indirect) jump or branch

  • size (int) – The size of this block in bytes

  • addr (int) – The address of this basic block, i.e. the address in the first IMark

MAX_EXITS = 400
MAX_DATA_REFS = 2000
__init__(data, mem_addr, arch, max_inst=None, max_bytes=None, bytes_offset=0, traceflags=0, opt_level=1, num_inst=None, num_bytes=None, strict_block_end=False, skip_stmts=False, collect_data_refs=False)
Parameters:
  • data (str | bytes | None) – The bytes to lift. Can be either a string of bytes or a cffi buffer object. You may also pass None to initialize an empty IRSB.

  • mem_addr (int) – The address to lift the data at.

  • arch (Arch) – The architecture to lift the data as.

  • max_inst (int | None) – The maximum number of instructions to lift. (See note below)

  • max_bytes (int | None) – The maximum number of bytes to use.

  • num_inst (int | None) – Replaces max_inst if max_inst is None. If set to None as well, no instruction limit is used.

  • num_bytes (int | None) – Replaces max_bytes if max_bytes is None. If set to None as well, no byte limit is used.

  • bytes_offset (int) – The offset into data to start lifting at. Note that for ARM THUMB mode, both mem_addr and bytes_offset must be odd (typically bytes_offset is set to 1).

  • traceflags (int) – Unused by P-Code lifter

  • opt_level (int) – Unused by P-Code lifter

  • strict_block_end (bool) – Unused by P-Code lifter

  • skip_stmts (bool)

  • collect_data_refs (bool)

Return type:

None

Note

Explicitly specifying the number of instructions to lift (max_inst) may not always work exactly as expected. For example, on MIPS, it is meaningless to lift a branch or jump instruction without its delay slot. VEX attempts to Do The Right Thing by possibly decoding fewer instructions than requested. Specifically, this means that lifting a branch or jump on MIPS as a single instruction (max_inst=1) will result in an empty IRSB, and subsequent attempts to run this block will raise SimIRSBError('Empty IRSB passed to SimIRSB.').

Note

If neither an instruction limit nor a byte limit is used, the lifter continues lifting until the block ends properly or it runs out of data to lift.

addr: int
arch: Arch
behaviors: BehaviorFactory | None
data_refs: Sequence
const_vals: Sequence
default_exit_target: Any
jumpkind: str | None
next: IRExpr | None
static empty_block(arch, addr, statements=None, nxt=None, tyenv=None, jumpkind=None, direct_next=None, size=None)
Return type:

IRSB

property has_statements: bool
property exit_statements: Sequence[tuple[int, int, ExitStatement]]
copy()

Copy by creating an empty IRSB and then filling in the leftover attributes. The copy is made as deep as possible.

Return type:

IRSB

extend(extendwith)

Appends an IRSB to the current IRSB. The appended IRSB is invalidated; its jumpkind and default exit become those of the result.

Return type:

IRSB

Parameters:

extendwith (IRSB) – The IRSB to append to this IRSB

invalidate_direct_next()
Return type:

None

pp()

Pretty-print the IRSB to stdout.

Return type:

None

property tyenv
property stmts_used: int
property offsIP: int | None
property direct_next: bool
property expressions

Return an iterator of all expressions contained in the IRSB.

property instructions: int

The number of instructions in this block

property instruction_addresses: Sequence[int]

Addresses of instructions in this block.

property size: int

The size of this block, in bytes

property operations

A list of all operations done by the IRSB, as libVEX enum names

property all_constants

Returns all constants in the block (including incrementing of the program counter) as pyvex.const.IRConst.

property constants

The constants (excluding updates of the program counter) in the IRSB as pyvex.const.IRConst.

property constant_jump_targets

A set of the static jump targets of the basic block.

property constant_jump_targets_and_jumpkinds

A dict of the static jump targets of the basic block to their jumpkind.

property is_noop_block: bool

Returns True if this block is a no-op block (i.e. it has no instructions and no jumps).

property statements: list
property disassembly: PcodeDisassemblerBlock
class angr.engines.pcode.lifter.Lifter

Bases: object

A lifter is a class of methods for processing a block.

Variables:
  • data – The bytes to lift as either a python string of bytes or a cffi buffer object.

  • bytes_offset – The offset into data to start lifting at.

  • max_bytes – The maximum number of bytes to lift. If set to None, no byte limit is used.

  • max_inst – The maximum number of instructions to lift. If set to None, no instruction limit is used.

  • opt_level – Unused by P-Code lifter

  • traceflags – Unused by P-Code lifter

  • allow_arch_optimizations – Unused by P-Code lifter

  • strict_block_end – Unused by P-Code lifter

  • skip_stmts – Unused by P-Code lifter

REQUIRE_DATA_C = False
REQUIRE_DATA_PY = False
__init__(arch, addr)
arch: Arch
addr: int
data: str | bytes | None
bytes_offset: int | None
opt_level: int
traceflags: int | None
allow_arch_optimizations: bool | None
strict_block_end: bool | None
collect_data_refs: bool
max_inst: int | None
max_bytes: int | None
skip_stmts: bool
irsb: IRSB
lift()

Lifts the data using the information passed into _lift. Should be overridden in child classes.

Should set the lifted IRSB to self.irsb. If a lifter raises a LiftingException on the data, this signals that the lifter cannot lift this data for this arch, and the lifter is skipped. If a lifter can lift any amount of data, it should lift it and return the lifted block with a jumpkind of Ijk_NoDecode, signalling to pyvex that other lifters should be used on the undecodable data.

Return type:

None

angr.engines.pcode.lifter.lift(data, addr, arch, max_bytes=None, max_inst=None, bytes_offset=0, opt_level=1, traceflags=0, strict_block_end=True, inner=False, skip_stmts=False, collect_data_refs=False)

Lift machine code in data to a P-code IRSB.

If a lifter raises a LiftingException on the data, it is skipped. If it succeeds and returns a block with a jumpkind of Ijk_NoDecode, all of the lifters are tried on the rest of the data, and if they succeed, their output is appended to the first block.

Parameters:
  • arch (Arch) – The arch to lift the data as.

  • addr (int) – The starting address of the block. Affects the IMarks.

  • data (str | bytes | None) – The bytes to lift as either a python string of bytes or a cffi buffer object.

  • max_bytes (int | None) – The maximum number of bytes to lift. If set to None, no byte limit is used.

  • max_inst (int | None) – The maximum number of instructions to lift. If set to None, no instruction limit is used.

  • bytes_offset (int) – The offset into data to start lifting at.

  • opt_level (int) – Unused by P-Code lifter

  • traceflags (int) – Unused by P-Code lifter

  • strict_block_end (bool)

  • inner (bool)

  • skip_stmts (bool)

  • collect_data_refs (bool)

Return type:

IRSB

Note

Explicitly specifying the number of instructions to lift (max_inst) may not always work exactly as expected. For example, on MIPS, it is meaningless to lift a branch or jump instruction without its delay slot. VEX attempts to Do The Right Thing by possibly decoding fewer instructions than requested. Specifically, this means that lifting a branch or jump on MIPS as a single instruction (max_inst=1) will result in an empty IRSB, and subsequent attempts to run this block will raise SimIRSBError('Empty IRSB passed to SimIRSB.').

Note

If neither an instruction limit nor a byte limit is used, the lifter continues lifting until the block ends properly or it runs out of data to lift.
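The lifter chaining that lift() documents (skip a lifter that raises LiftingException; when a block ends in Ijk_NoDecode, retry all lifters on the remaining data and append) together with the IRSB.extend() contract, as an added plain-Python model. This is not angr's code: ToyIRSB, byte_lifter and the one-byte-per-instruction toy ISA are constructed stand-ins so the control flow can be run without angr or pypcode installed.

```python
from dataclasses import dataclass, field

class LiftingException(Exception):
    pass  # constructed stand-in for the exception a lifter raises when it cannot lift the data
@dataclass
class ToyIRSB:  # constructed stand-in for IRSB (not angr's class): only what extend() touches
    addr: int
    statements: list = field(default_factory=list)
    size: int = 0
    jumpkind: str = "Ijk_NoDecode"
    next: "int | None" = None
    def extend(self, other):
        # Documented contract: append statements, adopt the appended block's jumpkind/default exit.
        self.statements.extend(other.statements)
        self.size += other.size
        self.jumpkind, self.next = other.jumpkind, other.next

def lift(data, addr, lifters):
    # Model of the documented chaining (not angr's code): try lifters in order, skip those
    # that raise, and keep lifting the remaining data while blocks end in Ijk_NoDecode.
    result, offset = ToyIRSB(addr), 0
    while offset < len(data):
        for lifter in lifters:
            try:
                block = lifter(data[offset:], addr + offset)
                break
            except LiftingException:
                continue  # this lifter cannot handle the data: try the next one
        else:
            break  # every lifter gave up: stop with what has been lifted so far
        result.extend(block)
        offset += block.size
        if block.jumpkind != "Ijk_NoDecode":
            break  # the block ended properly (ret, call, branch, ...)
    return result

def byte_lifter(table):
    # Constructed toy lifter for a one-byte-per-instruction ISA; table: byte -> (mnemonic, jumpkind).
    def lifter(buf, addr):
        stmts = []
        for i, b in enumerate(buf):
            if b not in table:
                break  # unknown byte: hand the rest back with Ijk_NoDecode
            stmts.append(f"{addr + i:#x}: {table[b][0]}")
            if table[b][1]:  # a control-flow instruction ends the block properly
                return ToyIRSB(addr, stmts, i + 1, table[b][1])
        if not stmts:
            raise LiftingException("cannot decode the first byte")
        return ToyIRSB(addr, stmts, len(stmts), "Ijk_NoDecode", addr + len(stmts))
    return lifter

LIFTERS = [byte_lifter({0x90: ("nop", None), 0xC3: ("ret", "Ijk_Ret")}), byte_lifter({0xCC: ("int3", None)})]
```

Lifting the constructed bytes b"\x90\x90\xcc\xc3\x90" with LIFTERS yields one block of four statements that ends with Ijk_Ret: the first lifter stops at 0xcc with Ijk_NoDecode, the second lifter decodes it, and the first lifter resumes for the ret; the trailing byte is never lifted because the block ended properly.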

class angr.engines.pcode.lifter.PcodeBasicBlockLifter

Bases: object

Lifts basic blocks to P-code

__init__(arch)
Parameters:

arch (Arch)

context: Context
behaviors: BehaviorFactory
lift(irsb, baseaddr, data, bytes_offset=0, max_bytes=None, max_inst=None, branch_delay_slot=False, is_sparc32=False)
Return type:

None

class angr.engines.pcode.lifter.PcodeLifter

Bases: Lifter

Handles calling into pypcode to lift a block

addr: int
allow_arch_optimizations: bool | None
arch: Arch
bytes_offset: int | None
collect_data_refs: bool
data: str | bytes | None
irsb: IRSB
max_bytes: int | None
max_inst: int | None
opt_level: int
skip_stmts: bool
strict_block_end: bool | None
traceflags: int | None
classmethod get_lifter(arch)
class angr.engines.pcode.lifter.PcodeLifterEngineMixin

Bases: SimEngine

Lifter mixin to lift from machine code to P-Code.

__init__(project=None, use_cache=None, cache_size=50000, default_opt_level=1, selfmodifying_code=None, single_step=False, default_strict_block_end=False, **kwargs)
Parameters:
  • use_cache (bool | None)

  • cache_size (int)

  • default_opt_level (int)

  • selfmodifying_code (bool | None)

  • single_step (bool)

  • default_strict_block_end (bool)

clear_cache()
Return type:

None

lift_vex(addr=None, state=None, clemory=None, insn_bytes=None, arch=None, size=None, num_inst=None, traceflags=0, thumb=False, extra_stop_points=None, opt_level=None, strict_block_end=None, skip_stmts=False, collect_data_refs=False, load_from_ro_regions=False, cross_insn_opt=None, const_prop=None)

Temporary compatibility interface for integration with block code.

Return type:

IRSB

Parameters:
  • addr (int | None)

  • state (SimState | None)

  • clemory (Clemory | ClemoryReadOnlyView | None)

  • insn_bytes (bytes | None)

  • arch (Arch | None)

  • size (int | None)

  • num_inst (int | None)

  • traceflags (int)

  • thumb (bool)

  • extra_stop_points (Iterable[int] | None)

  • opt_level (int | None)

  • strict_block_end (bool | None)

  • skip_stmts (bool)

  • collect_data_refs (bool)

  • load_from_ro_regions (bool)

  • cross_insn_opt (bool | None)

  • const_prop (bool | None)

lift_pcode(addr=None, state=None, clemory=None, insn_bytes=None, arch=None, size=None, num_inst=None, traceflags=0, thumb=False, extra_stop_points=None, opt_level=None, strict_block_end=None, skip_stmts=False, collect_data_refs=False, load_from_ro_regions=False, cross_insn_opt=None, const_prop=None)

Lift an IRSB.

There are many possible valid sets of parameters. At the very least, you must pass some source of data, some source of an architecture, and some source of an address.

Sources of data in order of priority: insn_bytes, clemory, state

Sources of an address, in order of priority: addr, state

Sources of an architecture, in order of priority: arch, clemory, state

Parameters:
  • state (SimState | None) – A state to use as a data source.

  • clemory (Clemory | ClemoryReadOnlyView | None) – A cle.memory.Clemory object to use as a data source.

  • addr (int | None) – The address at which to start the block.

  • thumb (bool) – Whether the block should be lifted in ARM’s THUMB mode.

  • opt_level (int | None) – Unused by P-Code lifter

  • insn_bytes (bytes | None) – A string of bytes to use as a data source.

  • size (int | None) – The maximum size of the block, in bytes.

  • num_inst (int | None) – The maximum number of instructions.

  • traceflags (int) – Unused by P-Code lifter

  • strict_block_end (bool | None) – Unused by P-Code lifter

  • load_from_ro_regions (bool) – Unused by P-Code lifter

  • arch (Arch | None)

  • extra_stop_points (Iterable[int] | None)

  • skip_stmts (bool)

  • collect_data_refs (bool)

  • cross_insn_opt (bool | None)

  • const_prop (bool | None)

Return type:

IRSB