From 4b20071f816f79eabff57a932cf974d4c7ec43f5 Mon Sep 17 00:00:00 2001
From: Kyle Zeng <zengyhkyle@gmail.com>
Date: Wed, 14 Feb 2024 12:01:39 -0700
Subject: [PATCH] fix the endianness issue in mem_changer

---
 angrop/chain_builder/mem_changer.py |  9 ++++++---
 tests/test_chainbuilder.py          | 12 ++++++++++++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/angrop/chain_builder/mem_changer.py b/angrop/chain_builder/mem_changer.py
index 66d5e20..1d55f54 100644
--- a/angrop/chain_builder/mem_changer.py
+++ b/angrop/chain_builder/mem_changer.py
@@ -24,12 +24,15 @@ def update(self):
         self._mem_add_gadgets = self._get_all_mem_add_gadgets()
 
     def verify(self, chain, addr, value, _):
+        arch_bytes = self.project.arch.bytes
+        endness = self.project.arch.memory_endness
+
         # verify the chain actually works
         chain2 = chain.copy()
-        chain2._blank_state.memory.store(addr.data, 0x42424242, self.project.arch.bytes)
+        chain2._blank_state.memory.store(addr.data, 0x41424344, arch_bytes, endness=endness)
         state = chain2.exec()
-        sim_data = state.memory.load(addr.data, self.project.arch.bytes, endness=self.project.arch.memory_endness)
-        if not state.solver.eval(sim_data == 0x42424242 + value.data):
+        sim_data = state.memory.load(addr.data, arch_bytes, endness=endness)
+        if not state.solver.eval(sim_data == 0x41424344 + value.data):
             raise RopException("memory add fails - 1")
         # the next pc must come from the stack
         if len(state.regs.pc.variables) != 1:
diff --git a/tests/test_chainbuilder.py b/tests/test_chainbuilder.py
index a8fbe97..12ad216 100644
--- a/tests/test_chainbuilder.py
+++ b/tests/test_chainbuilder.py
@@ -207,6 +207,18 @@ def test_add_to_mem():
 
     rop.add_to_mem(0x41414140, 0x42424242)
 
+    cache_path = os.path.join(CACHE_DIR, "amd64_glibc_2.19")
+    proj = angr.Project(os.path.join(BIN_DIR, "tests", "x86_64", "libc.so.6"), auto_load_libs=False)
+    rop = proj.analyses.ROP()
+
+    if os.path.exists(cache_path):
+        rop.load_gadgets(cache_path)
+    else:
+        rop.find_gadgets()
+        rop.save_gadgets(cache_path)
+
+    rop.add_to_mem(0x41414140, 0x42424242)
+
 def test_pivot():
     cache_path = os.path.join(CACHE_DIR, "i386_glibc_2.35")
     proj = angr.Project(os.path.join(BIN_DIR, "tests", "i386", "i386_glibc_2.35"), auto_load_libs=False)