filter out 'repz ret' because angr does not handle it properly atm

angr · Feb 16, 2024 · 63b85cc · 63b85cc
1 parent ace8419
commit 63b85cc
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/angrop/arch.py b/angrop/arch.py
@@ -42,7 +42,8 @@ def __init__(self, project, kernel_mode=False):
 
     def block_make_sense(self, block):
         capstr = str(block.capstone).lower()
-        if 'cli' in capstr or 'rex' in capstr:
+        # currently, angrop does not handle "repz ret" correctly, we filter it
+        if any(x in capstr for x in ('cli', 'rex', 'repz ret')):
             return False
         if not self.kernel_mode:
             if "fs:" in capstr or "gs:" in capstr or "iret" in capstr:

diff --git a/tests/test_find_gadgets.py b/tests/test_find_gadgets.py
@@ -91,6 +91,18 @@ def test_pivot_gadget():
     gadget = rop.analyze_gadget(0x439ad3)
     assert gadget is None
 
+    cache_path = os.path.join(bin_path, "tests_data", "angrop_gadgets_cache", "amd64_glibc_2.19")
+    proj = angr.Project(os.path.join(tests_dir, "x86_64", "libc.so.6"), auto_load_libs=False)
+    rop = proj.analyses.ROP()
+
+    """
+    402bc8  leave
+    402bc9  clc
+    402bca  repz ret
+    """
+    gadget = rop.analyze_gadget(0x402bc8)
+    assert gadget is None
+
 def test_syscall_gadget():
     proj = angr.Project(os.path.join(tests_dir, "i386", "bronze_ropchain"), auto_load_libs=False)
     rop = proj.analyses.ROP()