-
Splitting this off from Dominik Czarnota's extensive feedback in #330.
The `-mmitigate-rop` option was introduced around GCC 6 and later deprecated in 2018 in favor of control-flow protection.
T…
-
It seems the signatures rely on modifications to cuckoomon, including presumably some basic checks on some APIs to flag on whether the stack pointer lies outside the range specified by the TEB, etc. …
-
### Description
It looks like angrop discards gadgets that have a stack shift > 0x100 bytes (MAX_PIVOT_BYTES).
In two recent projects, I have found it necessary to jump to a distant portion of the…
-
### Description
While using angrop on x86, a syscall gadget containing the x86_64 `syscall` instruction was identified for use in an example rop chain. The x86_64 `syscall` instruction is not valid …
-
### Description
angrop assumes that "pop ds; ret;" gadgets are acceptable for shifting 8 bytes on the stack. This is a bad assumption, and causes failed chains.
The below is the output of the incl…
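The three reports above (the `MAX_PIVOT_BYTES` limit, the 64-bit `syscall` picked for a 32-bit target, and `pop ds; ret` treated as a plain stack shift) all come down to gadget selection. The following is an added example, not angrop's code or API: a small, self-contained filter over gadgets in a constructed textual format (`ADDR: insn; insn; ...` plus a caller-supplied stack change) that rejects kernel-entry instructions that are wrong for the architecture, refuses gadgets that load a segment register as shift gadgets, and takes the maximum shift as a parameter instead of a fixed constant. The instruction table and the sample gadgets are constructed; the addresses are made up. Intel CPUs only accept `syscall` in 64-bit mode, which is why it is listed for x86_64 only.

```python
import re
from dataclasses import dataclass

# A pop/mov into a segment register loads a descriptor selector and faults
# unless the value is a valid selector, so such a gadget is not a plain
# stack shift (and in 64-bit mode `pop ds` does not exist at all).
SEGMENT_REGS = {"cs", "ds", "es", "fs", "gs", "ss"}

# Kernel-entry instructions that are valid per architecture (constructed
# table). `syscall` (0f 05) is 64-bit-only on Intel; 32-bit code uses
# `int 0x80` or `sysenter`.
SYSCALL_INSNS = {
    "x86": {"int 0x80", "sysenter"},
    "x86_64": {"syscall"},
}


@dataclass
class Gadget:
    addr: int
    insns: list         # one lowercase string per instruction, e.g. ["pop ds", "ret"]
    stack_change: int   # bytes added to the stack pointer when the gadget runs


def parse_gadget(line: str, stack_change: int) -> Gadget:
    """Parse 'ADDR: insn; insn; ...' (a format made up for this example)."""
    addr_text, body = line.split(":", 1)
    insns = [i.strip().lower() for i in body.split(";") if i.strip()]
    return Gadget(int(addr_text, 16), insns, stack_change)


def dest_register(insn: str):
    """Return the first operand if it is a bare register name, else None."""
    parts = insn.split(None, 1)
    if len(parts) < 2:
        return None
    dest = parts[1].split(",")[0].strip()
    return dest if re.fullmatch(r"[a-z0-9]+", dest) else None


def writes_segment_register(g: Gadget) -> bool:
    """True if any instruction loads a segment register."""
    loaders = {"pop", "mov", "lds", "les", "lfs", "lgs", "lss"}
    return any(
        insn.split()[0] in loaders and dest_register(insn) in SEGMENT_REGS
        for insn in g.insns
    )


def is_syscall_gadget(g: Gadget, arch: str) -> bool:
    """True only if every kernel-entry instruction present is valid for arch."""
    all_entries = SYSCALL_INSNS["x86"] | SYSCALL_INSNS["x86_64"]
    entries = [i for i in g.insns if i in all_entries]
    return bool(entries) and all(i in SYSCALL_INSNS[arch] for i in entries)


def is_clean_stack_shift(g: Gadget) -> bool:
    """A shift gadget may only pop into general registers, add to the
    stack pointer, and return; nothing else."""
    if not g.insns or g.insns[-1] != "ret" or writes_segment_register(g):
        return False
    for insn in g.insns[:-1]:
        op = insn.split()[0]
        if op == "pop":
            continue
        if op == "add" and dest_register(insn) in {"esp", "rsp"}:
            continue
        return False
    return True


def select_gadgets(gadgets, arch, max_shift=0x100):
    """Split candidates into usable syscall gadgets and usable stack shifts.

    max_shift plays the role of a pivot limit; raise it when a chain must
    jump past a large frame instead of hard-coding 0x100."""
    syscalls = [g for g in gadgets if is_syscall_gadget(g, arch)]
    shifts = [g for g in gadgets
              if is_clean_stack_shift(g) and 0 < g.stack_change <= max_shift]
    return syscalls, shifts


# Constructed sample gadgets from a hypothetical 32-bit binary.
X86_GADGETS = [
    parse_gadget("0x08048500: syscall; ret", 4),            # 64-bit-only entry
    parse_gadget("0x08048510: int 0x80; ret", 4),
    parse_gadget("0x08048520: pop ds; ret", 8),             # loads a selector
    parse_gadget("0x08048530: pop ebx; pop esi; ret", 12),
    parse_gadget("0x08048540: add esp, 0x200; ret", 0x204), # large shift
]

if __name__ == "__main__":
    syscalls, shifts = select_gadgets(X86_GADGETS, "x86")
    print("syscall gadgets:", [hex(g.addr) for g in syscalls])
    print("stack shifts   :", [hex(g.addr) for g in shifts])
```

The filter only inspects the shape of a gadget; `stack_change` is taken as given rather than computed, so in practice it would come from the emulation that produced the gadget. The point is that the same candidate list yields different usable sets depending on `arch` and `max_shift`, which is exactly where the three reports disagree with the defaults.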
-
### Description
I have run into an issue with long rop chains where calling chain.payload_str() receives a timeout.
```
[angrop] Timeout
```
This is due to the hard coded timeout [here](https:/…
-
### Description
A recent change to the RopValue object seems to have broken the rop.add_to_mem() function.
### Steps to reproduce the bug
Included is a zip file. Extract the zip file and ru…
-
### Description
Take the following chain for example:
```
chain1 = rop.func_call("realloc", [0xcafebabe, 0xa])
print(chain1)
code_base = 0x0
chain = b""
chain += p32(code_base + 0x93be8) …
```
-
### Description
As of [this commit](https://github.com/angr/angrop/commit/e4bc0c1496929f7d89242513078d943d7b72a8fa) rop.write_to_mem does not work properly for 32 bit binaries. The target write addre…
-
### Description
I found a bad assumption [here.](https://github.com/angr/angrop/blob/b06e817ddae59a7e7b693ecf5b1be51652831bba/angrop/chain_builder/mem_writer.py#L383)
It assumes if a binary is b…