angr Decompiler¶
Analysis Passes¶
Name |
Description |
Sub-analysis |
---|---|---|
CFG recovery |
Recover the control flow graph. |
Indirect branch resolving |
Indirect branch resolving |
Resolve the targets of indirect branches. |
Jump table resolving |
Removing alignment blocks |
||
Calling convention recovery |
||
Stack pointer analysis |
Determine values of stack pointer at each instruction. |
|
IR Lifting |
Lift the original representation to AIL, block by block. |
|
AIL graph building |
||
Rewriting single-target indirect branches |
Replace single-target indirect branches with direct branches. |
|
Making return statements |
Convert Ijk_Ret jump kinds into AIL Return statements. |
|
Simplifying AIL blocks |
Simplify each AIL block. |
Constant folding, copy propagation, dead assignment elimination, peephole optimizations |
Reaching definition analysis |
||
Constant folding |
||
Copy propagation |
||
Dead assignment elimination |
||
Peephole optimizations |
||
Simplifying AIL function |
Simplify the entire AIL function. |
Assignment expression folding, unifying local variables, call expression folding, reaching definition analysis |
Assignment expression folding |
Eliminate variables that are assigned to once and used once. |
Copy propagation |
Unifying local variables |
Find local variables that are always equivalent and eliminate redundant copies. |
Copy propagation |
Call expression folding |
Fold call expressions into the variable where its return value is stored. |
Copy propagation |
Call site building |
Apply calling conventions to each call site and rewrite call statements to ones with arguments |
Reaching definition analysis |
Variable recovery |
Identify local and global variables. |
|
Variable type inference |
Collect type constraints and infer variable types. |
|
Simplification passes |
||
Region identification |
Identify single-entry, single-exit regions. |
|
Structure analysis |
Structure each identified region to create high-level control flow structures. |
|
Code generation |