Feat/aarch64 #125
Merged
Feat/aarch64 #125
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This makes angrop run on aarch64 binaries, but it's not able to do anything useful yet.
This fixes the handling of gadgets where the address of the next gadget has to be inserted in the middle instead of just concatenated to the end. angrop is now able to set registers if there is a gadget that loads into the register from the stack, and it can also chain gadgets together as long as each gadget ends with a jump to an address loaded from the stack.
Prioritize gadgets that result in fewer register dependencies and gadgets with less instructions.
There appears to be some kind of memory leak in angr that causes the memory usage to keep going up during gadget finding. This periodically restarts the worker processes to work around that.
We don't want to go into SimProcedures when finding gadgets since those are probably not useful.
Some timeouts are normal such as when finding gadgets, so we shouldn't always print a message. It's also not that useful to print a timeout message without more information about where it came from so it makes more sense to do this in exception handlers instead.
SimSolverModeError gets raised when there's a timeout in claripy.
If gadgets access memory outside of the stack, make sure the addresses are valid so that it doesn't crash.
Turns out that project.factory.blank_state() initializes the ip to the entry point instead of making it unconstrained.
gadget.block_length is only the size of the first block.
If a gadget pops a value into a register but the value is used in a branch condition or memory access address, we can't fully control it so we remove it from the set of popped registers. This also makes gadget.constraint_regs include registers that affect memory access addresses.
Backtrack if we've already seen an equivalent chain that is not longer than our current chain.
Estimate how hard it is to set a register by counting the number of gadgets that pop the register, and prioritize gadgets that result in target registers which are easier to set.
If two registers are popped from the same location on the stack, we can control either one of them but not both.
The gadget filtering code in RegSetter and RegMover tries to compare every gadget with every other gadget, so it doesn't scale well when there are a large number of gadgets. Things seem to work fine without the filtering so I'm removing it for now.
…ta so the mapping will lose track of those modifications
Merged
Kyle-Kyle
force-pushed
the
feat/aarch64
branch
from
a71f1b7 to
42e35ac
Compare
Kyle-Kyle
force-pushed
the
feat/aarch64
branch
6 times, most recently
from
4ae0ab9 to
a734ef5
Compare
Kyle-Kyle
force-pushed
the
feat/aarch64
branch
from
a734ef5 to
bd0b233
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
angr/binaries#133
angr/rex#114