diff --git a/angrop/gadget_finder/gadget_analyzer.py b/angrop/gadget_finder/gadget_analyzer.py
index 00cfcc6..5d27a39 100644
--- a/angrop/gadget_finder/gadget_analyzer.py
+++ b/angrop/gadget_finder/gadget_analyzer.py
@@ -64,7 +64,7 @@ def analyze_gadget(self, addr):
 init_state, final_state = self._reach_unconstrained_or_syscall(addr)
- if self._change_arch_state(init_state, final_state):
+ if not self._valid_state(init_state, final_state):
 return None
 ctrl_type = self._check_for_control_type(init_state, final_state)
@@ -101,6 +101,15 @@ def analyze_gadget(self, addr):
 l.debug("... Appending gadget!")
 return gadget
+ def _valid_state(self, init_state, final_state):
+ if self._change_arch_state(init_state, final_state):
+ return False
+ for addr in final_state.history.bbl_addrs:
+ b = final_state.project.factory.block(addr)
+ if not self.arch.block_make_sense(b):
+ return False
+ return True
+
 def _change_arch_state(self, init_state, final_state):
 if isinstance(self.arch, X86):
 for reg in self.arch.segment_regs:
diff --git a/tests/test_find_gadgets.py b/tests/test_find_gadgets.py
index 75435f1..7e564a7 100644
--- a/tests/test_find_gadgets.py
+++ b/tests/test_find_gadgets.py
@@ -153,6 +153,30 @@ def test_shift_gadget():
 assert all(not gadget_exists(rop, x) for x in [0x438a91, 0x516fb2])
 assert all(gadget_exists(rop, x) for x in [0x454e75, 0x5622d5, 0x490058])
+def test_i386_syscall():
+ proj = angr.Project(os.path.join(tests_dir, "i386", "angrop_syscall_test"), auto_load_libs=False)
+
+ rop = proj.analyses.ROP()
+ """
+ 804918c int 0x80
+ """
+ """
+ 8049195 mov esp, 0x804c038
+ 804919a ret
+ """
+
+ assert all(gadget_exists(rop, x) for x in [0x804918c, 0x8049195])
+
+ """
+ 8049189 syscall
+ """
+
+ """
+ 804918f mov esp, 0x804c020
+ 8049194 ret
+ """
+ assert all(not gadget_exists(rop, x) for x in [0x8049189, 0x804918f])
+
 def run_all():
 functions = globals()
 all_functions = {x:y for x, y in functions.items() if x.startswith('test_')}
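Review bot: `_valid_state` carries no docstring, so the two rejection criteria it combines are only discoverable by reading `_change_arch_state` and the (not shown here) `self.arch.block_make_sense`; a docstring such as `"""Return False if the gadget's path alters arch state (_change_arch_state) or executes a block the target arch rejects (arch.block_make_sense), else True."""` would state the contract. The loop re-lifts every address in `final_state.history.bbl_addrs` with `final_state.project.factory.block(addr)` using the factory's default block bounds, which may not match how those blocks were lifted during `_reach_unconstrained_or_syscall` (outside this hunk); if that path bounds blocks by instruction count or size, the block checked here could extend past what was actually executed, which is worth confirming. `bbl_addrs` repeats an address when the path loops, so the same block is lifted and checked more than once; iterating `set(final_state.history.bbl_addrs)` avoids the repeated work without changing the verdict. The rejection in the first hunk stays silent (`return None`) while acceptance logs at debug level, so a `l.debug("... Gadget at %#x rejected by _valid_state", addr)` before the early return would make filtered gadgets traceable.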
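Review bot: The disassembly listings inside `test_i386_syscall` are bare triple-quoted string expressions rather than comments; they execute as no-op statements and linters flag them, so the conventional form is `# 804918c  int 0x80` style comment lines above each assertion. The test does not say why the pivot at `0x804918f` is expected to be rejected while the one at `0x8049195` is accepted — both listings are a `mov esp, imm` followed by `ret`, differing only in the target address — so a one-line comment giving the reason (presumably what `0x804c020` versus `0x804c038` points at) would keep that expectation from reading like a typo. The fixture `angrop_syscall_test` under `i386` is not added by this diff; if it lives in a separate binaries checkout, a missing file makes the test error rather than skip.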