angr Decompiler

Analysis Passes

- CFG recovery: Recover the control flow graph.
  - Indirect branch resolving: Resolve the targets of indirect branches.
  - Jump table resolving
  - Removing alignment blocks
  - Calling convention recovery
- Stack pointer analysis: Determine the value of the stack pointer at each instruction.
- IR Lifting: Lift the original representation to AIL, block by block.
- AIL graph building
  - Rewriting single-target indirect branches: Replace single-target indirect branches with direct branches.
  - Making return statements: Convert Ijk_Ret jump kinds into AIL Return statements.
- Simplifying AIL blocks: Simplify each AIL block (constant folding, copy propagation, dead assignment elimination, peephole optimizations).
  - Reaching definition analysis
  - Constant folding
  - Copy propagation
  - Dead assignment elimination
  - Peephole optimizations
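To make the block-level passes concrete, here is an added toy simplifier for one straight-line block. It is example code written for this page, not angr's AIL or its simplifier: the three-address `Stmt` form, the operator set (`const`, `copy`, `add`, `mul`, `call`, `ret`) and the sample block are all constructed for illustration. One forward sweep tracks reaching definitions and uses them for constant folding and copy propagation (plus two peephole rules), and a backward liveness sweep removes dead assignments while keeping calls, which have effects beyond their return value.

```python
"""Toy straight-line block simplifier, in the spirit of the AIL block passes above.

Constructed example, not angr's AIL or its simplifier: the three-address
statement form and the sample block are invented for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, Union

Operand = Union[int, str]          # an integer constant or a variable name


@dataclass(frozen=True)
class Stmt:
    dst: Optional[str]             # variable written; None for "ret"
    op: str                        # "const", "copy", "add", "mul", "call", "ret"
    args: Tuple[Operand, ...]      # operands; for "call" the first one is the callee name


def _resolve(arg: Operand, known: dict) -> Operand:
    """Replace a variable by its reaching definition when that definition is a
    constant (constant propagation) or another variable (copy propagation)."""
    if isinstance(arg, str) and arg in known:
        return known[arg][1]
    return arg


def _invalidate(var: str, known: dict) -> None:
    """`var` is being redefined: forget its value and every alias pointing at it."""
    known.pop(var, None)
    for alias in [v for v, (kind, target) in known.items() if kind == "var" and target == var]:
        del known[alias]


def _forward_pass(block):
    """Reaching definitions, constant folding, copy propagation and two peephole
    rules, all in one left-to-right sweep over a single basic block."""
    known = {}                      # var -> ("const", int) | ("var", canonical variable)
    out = []
    for s in block:
        if s.op == "call":          # the callee name is not an operand to propagate into
            args = (s.args[0],) + tuple(_resolve(a, known) for a in s.args[1:])
        else:
            args = tuple(_resolve(a, known) for a in s.args)
        op = s.op
        if op in ("add", "mul") and all(isinstance(a, int) for a in args):
            folded = args[0] + args[1] if op == "add" else args[0] * args[1]
            op, args = "const", (folded,)                                # constant folding
        elif op == "add" and 0 in args:
            op, args = "copy", (args[1] if args[0] == 0 else args[0],)  # peephole: x + 0 -> x
        elif op == "mul" and 1 in args:
            op, args = "copy", (args[1] if args[0] == 1 else args[0],)  # peephole: x * 1 -> x
        if op == "copy" and isinstance(args[0], int):
            op = "const"            # copying a known constant is just that constant
        if s.dst is not None:
            _invalidate(s.dst, known)
            if op == "const":
                known[s.dst] = ("const", args[0])
            elif op == "copy":
                known[s.dst] = ("var", args[0])
        out.append(Stmt(s.dst, op, args))
    return out


def _dead_assignment_elimination(block):
    """Backward liveness: drop assignments whose result is never read. Calls and
    the return are always kept, since their effect is not only their result."""
    live = set()
    kept = []
    for s in reversed(block):
        if s.op not in ("ret", "call") and s.dst not in live:
            continue                                    # dead assignment
        if s.dst is not None:
            live.discard(s.dst)
        uses = s.args[1:] if s.op == "call" else s.args
        live.update(a for a in uses if isinstance(a, str))
        kept.append(s)
    kept.reverse()
    return kept


def simplify_block(block):
    return _dead_assignment_elimination(_forward_pass(block))


# Constructed sample block: roughly what `return foo((4 + 8) * 2) + 0` lifts to.
SAMPLE_BLOCK = [
    Stmt("t0", "const", (4,)),
    Stmt("t1", "const", (8,)),
    Stmt("t2", "add", ("t0", "t1")),
    Stmt("r0", "copy", ("t2",)),
    Stmt("t3", "mul", ("r0", 2)),
    Stmt("r1", "copy", ("t3",)),
    Stmt("t4", "call", ("foo", "r1")),
    Stmt("r2", "add", ("t4", 0)),
    Stmt(None, "ret", ("r2",)),
]

if __name__ == "__main__":
    for s in simplify_block(SAMPLE_BLOCK):
        print(s)
```

On the sample block the nine statements collapse to `t4 = call foo, 24; ret t4`. The invalidation step matters: a copy `y = x` must stop propagating once `x` is redefined, which is exactly the case the reaching-definition bookkeeping handles.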

- Simplifying AIL function: Simplify the entire AIL function (assignment expression folding, unifying local variables, call expression folding, reaching definition analysis).
  - Assignment expression folding: Eliminate variables that are assigned to once and used once.
    - Copy propagation
  - Unifying local variables: Find local variables that are always equivalent and eliminate redundant copies.
    - Copy propagation
  - Call expression folding: Fold each call expression into the variable where its return value is stored.
    - Copy propagation
- Call site building: Apply calling conventions to each call site and rewrite call statements to ones with arguments.
  - Reaching definition analysis
- Variable recovery: Identify local and global variables.
- Variable type inference: Collect type constraints and infer variable types.
- Simplification passes
- Region identification: Identify single-entry, single-exit regions.
- Structure analysis: Structure each identified region to create high-level control flow structures.
- Code generation
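The "Region identification" step above is easiest to understand on a small graph. The following is an added example written for this page, not angr's own region identifier: the CFG, the node names and the brute-force enumeration of (head, exit) pairs are constructed for illustration. Candidate regions come from dominance (the head dominates every body node, the exit node post-dominates every body node), and each candidate is then checked against the edge definition of single entry and single exit, since dominance alone admits a body with a second entry through a node outside it.

```python
"""Toy single-entry, single-exit (SESE) region finder for a small CFG.

Constructed example, not angr's RegionIdentifier: the graph, the node names and
the brute-force pair enumeration are invented for illustration.
"""
from itertools import product


def all_nodes(succs):
    return set(succs) | {v for vs in succs.values() for v in vs}


def reverse(succs):
    """Edge-reversed graph: post-dominators are dominators of the reverse graph."""
    rev = {n: [] for n in all_nodes(succs)}
    for u, vs in succs.items():
        for v in vs:
            rev[v].append(u)
    return rev


def dominators(succs, entry):
    """Iterative data-flow solution of dom(n) = {n} | intersection of dom(p) over preds p."""
    nodes = all_nodes(succs)
    preds = reverse(succs)
    dom = {n: set(nodes) for n in nodes}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes - {entry}:
            if not preds[n]:
                continue                      # unreachable node; leave it alone
            new = {n} | set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n], changed = new, True
    return dom


def sese_regions(succs, entry, exit_):
    """Return {(head, exit_node): body} for every multi-node SESE region.

    A body is the set of nodes dominated by head and post-dominated by exit_node
    (exit_node itself excluded). It is accepted only if the sole edges entering
    it target head and the sole edges leaving it target exit_node."""
    nodes = all_nodes(succs)
    dom = dominators(succs, entry)
    pdom = dominators(reverse(succs), exit_)
    regions = {}
    for head, exit_node in product(nodes, repeat=2):
        if head == exit_node:
            continue
        body = {n for n in nodes if head in dom[n] and exit_node in pdom[n]} - {exit_node}
        if head not in body or len(body) < 2:
            continue                          # skip empty and single-node regions
        single_entry = all(v == head for u in nodes - body for v in succs.get(u, ()) if v in body)
        single_exit = all(v == exit_node for u in body for v in succs.get(u, ()) if v not in body)
        if single_entry and single_exit:
            regions[(head, exit_node)] = frozenset(body)
    return regions


# Constructed CFG: an if/else diamond (A, B, C, D) followed by a loop (E, F) and an exit path (G).
SAMPLE_CFG = {
    "entry": ["A"],
    "A": ["B", "C"],
    "B": ["D"],
    "C": ["D"],
    "D": ["E"],
    "E": ["F", "G"],
    "F": ["E"],
    "G": ["exit"],
    "exit": [],
}

if __name__ == "__main__":
    found = sese_regions(SAMPLE_CFG, "entry", "exit")
    # structuring consumes regions innermost-first, so list the smallest first
    for (h, e), body in sorted(found.items(), key=lambda kv: len(kv[1])):
        print(f"{h} -> {e}: {sorted(body)}")
```

Run on the sample graph, the diamond shows up as the region headed by `A` exiting to `D`, the loop as the region headed by `E` exiting to `G`, and larger regions nest around them; the structuring pass would collapse the innermost ones first. Pairs such as `(A, C)` are rejected because `C` post-dominates nothing but itself, so there is no single exit.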