fix the endianness issue in mem_changer

angrop/chain_builder/mem_changer.py

@@ -24,12 +24,15 @@ def update(self):
         self._mem_add_gadgets = self._get_all_mem_add_gadgets()
 
     def verify(self, chain, addr, value, _):
+        arch_bytes = self.project.arch.bytes
+        endness = self.project.arch.memory_endness
+
         # verify the chain actually works
         chain2 = chain.copy()
-        chain2._blank_state.memory.store(addr.data, 0x42424242, self.project.arch.bytes)
+        chain2._blank_state.memory.store(addr.data, 0x41424344, arch_bytes, endness=endness)
         state = chain2.exec()
-        sim_data = state.memory.load(addr.data, self.project.arch.bytes, endness=self.project.arch.memory_endness)
-        if not state.solver.eval(sim_data == 0x42424242 + value.data):
+        sim_data = state.memory.load(addr.data, arch_bytes, endness=endness)
+        if not state.solver.eval(sim_data == 0x41424344 + value.data):
             raise RopException("memory add fails - 1")
         # the next pc must come from the stack
         if len(state.regs.pc.variables) != 1:

tests/test_chainbuilder.py

@@ -207,6 +207,18 @@ def test_add_to_mem():
 
     rop.add_to_mem(0x41414140, 0x42424242)
 
+    cache_path = os.path.join(CACHE_DIR, "amd64_glibc_2.19")
+    proj = angr.Project(os.path.join(BIN_DIR, "tests", "x86_64", "libc.so.6"), auto_load_libs=False)
+    rop = proj.analyses.ROP()
+
+    if os.path.exists(cache_path):
+        rop.load_gadgets(cache_path)
+    else:
+        rop.find_gadgets()
+        rop.save_gadgets(cache_path)
+
+    rop.add_to_mem(0x41414140, 0x42424242)
+
 def test_pivot():
     cache_path = os.path.join(CACHE_DIR, "i386_glibc_2.35")
     proj = angr.Project(os.path.join(BIN_DIR, "tests", "i386", "i386_glibc_2.35"), auto_load_libs=False)