angr / angrop

BSD 2-Clause "Simplified" License

func_call gadget in mips #114

Open yamazaki15 opened 2 months ago

yamazaki15 commented 2 months ago

Question

I'm looking for a func_call gadget in my mips binary. Using ropper tool I've found this valid gadget:

move    $a1, $s1
jalr    $s3
move    $a2, $s0
lw $ra, 0x48($sp)
lw $s1, 0x48+var_24($sp)
lw $s0, 0x48+var_28($sp)
jr $ra
addiu $sp, 0x48

Using this gadget I can jump to any function (I've control over s3 from previous gadget) with 2 args.

However, when I try to use angrop, it truncates the gadget to the first 3 instructions:

move    $a1, $s1
jalr    $s3
move    $a2, $s0

and therefore fails to find a valid func_call gadget. I guess that it happens because angr terminates the block after the jalr instruction... Any ideas on how to fix this?

Thanks!

Kyle-Kyle commented 1 week ago

Hi. Sorry for the late response. Due to some issues, I wasn't able to contribute to open-source projects in the past few months. So I wasn't able to respond.

I think this is an issue about the support of multi control-flow hijacking (in ROPGadget's term, multibr). Currently, we don't have any plans to support that yet, unfortunately. But this is definitely one of the TODOs in the future.

Also, it doesn't seem that this longer gadget provides the ability to call functions (you need to control a0 and a1 to call with 2 args, not a1 & a2)
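As an added illustration (not code from angrop, ropper, or either commenter), the following toy model replays the two points made in this thread on the gadget quoted above: a lifter closes a basic block after a control-flow instruction *and* its branch-delay slot, which is why the gadget is cut after `move $a2, $s0`, and the MIPS o32 convention passes the first four integer arguments in `$a0..$a3`, so a gadget that only fills `$a1` and `$a2` does not set up a two-argument call. The controlled-register set `{$s0, $s1, $s3}` and the assumption that `$sp` points at attacker-controlled stack data are illustrative assumptions, not facts from the issue.

```python
"""Toy MIPS gadget dataflow model (added example, not angrop's own analysis).

Models: (1) block splitting at branches with their delay slot attached,
(2) which o32 argument registers are written from controlled registers
before the callee runs, (3) whether the chain can resume after the callee
returns (the "multi-branch" case the maintainer says angrop does not model).
"""

ARG_REGS = ("$a0", "$a1", "$a2", "$a3")   # MIPS o32 integer argument registers
# Assumption: a small subset of MIPS control-flow mnemonics is enough for this toy.
BRANCHES = {"jalr", "jr", "j", "jal", "b", "bal", "beq", "bne", "beqz", "bnez"}

# Gadget text copied from the issue. The `0x48+var_24` forms are IDA-style
# symbolic stack offsets; only the destination register and base matter here.
GADGET = """
move    $a1, $s1
jalr    $s3
move    $a2, $s0
lw $ra, 0x48($sp)
lw $s1, 0x48+var_24($sp)
lw $s0, 0x48+var_28($sp)
jr $ra
addiu $sp, 0x48
"""


def parse(text):
    """Turn disassembly text into a list of (mnemonic, [operands])."""
    insns = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mnem, _, rest = line.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
        insns.append((mnem, ops))
    return insns


def split_blocks(insns):
    """Split at each branch, keeping the delay-slot instruction in the same block."""
    blocks, cur, i = [], [], 0
    while i < len(insns):
        cur.append(insns[i])
        if insns[i][0] in BRANCHES:
            if i + 1 < len(insns):
                cur.append(insns[i + 1])   # delay slot executes before the jump takes effect
                i += 1
            blocks.append(cur)
            cur = []
        i += 1
    if cur:
        blocks.append(cur)
    return blocks


def propagate(insns, controlled):
    """Return the set of controlled registers after executing `insns`.

    Assumption: $sp points at attacker-controlled stack data, so `lw rd, off($sp)`
    yields a controlled value. Only move/lw/addiu/jalr are modelled.
    """
    ctrl = set(controlled)
    for mnem, ops in insns:
        if mnem == "move":
            rd, rs = ops
            ctrl.discard(rd)
            if rs in ctrl:
                ctrl.add(rd)
        elif mnem == "lw":
            rd, mem = ops
            ctrl.discard(rd)
            if mem.endswith("($sp)"):
                ctrl.add(rd)
        elif mnem == "addiu" and len(ops) == 3:   # rd = rs + imm
            rd, rs, _ = ops
            ctrl.discard(rd)
            if rs in ctrl:
                ctrl.add(rd)
        elif mnem == "jalr":
            ctrl.discard("$ra")   # jalr writes a fixed return address into $ra
    return ctrl


def describe_call(insns, controlled):
    """Describe the first block that ends in jalr: target register and controlled argument registers."""
    for blk in split_blocks(insns):
        idx = next((k for k, (m, _) in enumerate(blk) if m == "jalr"), None)
        if idx is None:
            continue
        target = blk[idx][1][0]
        before_jump = propagate(blk[:idx], controlled)           # target is read at the jalr itself
        after_slot = propagate(blk, controlled)                  # args set before or in the delay slot
        return {
            "block_len": len(blk),
            "target": target,
            "target_controlled": target in before_jump,
            "controlled_args": [r for r in ARG_REGS if r in after_slot],
        }
    return None


def is_func_call_gadget(insns, controlled, nargs):
    """True only if the jump target and the first `nargs` o32 argument registers are controlled."""
    info = describe_call(insns, controlled)
    if info is None or not info["target_controlled"]:
        return False
    return all(r in info["controlled_args"] for r in ARG_REGS[:nargs])


def continues_after_return(insns):
    """True if the block after the call reloads $ra from the stack and jumps to it."""
    blocks = split_blocks(insns)
    if len(blocks) < 2:
        return False
    tail = blocks[1]
    loads_ra = any(m == "lw" and ops[0] == "$ra" and ops[1].endswith("($sp)") for m, ops in tail)
    jumps_ra = any(m == "jr" and ops == ["$ra"] for m, ops in tail)
    return loads_ra and jumps_ra


if __name__ == "__main__":
    insns = parse(GADGET)
    ctrl = {"$s0", "$s1", "$s3"}   # assumption: set up by an earlier gadget, as the issue describes for $s3
    print("blocks:", [len(b) for b in split_blocks(insns)])      # first block is 3 instructions long
    print(describe_call(insns, ctrl))
    print("2-arg func_call gadget:", is_func_call_gadget(insns, ctrl, 2))
    print("chain resumes after callee returns:", continues_after_return(insns))
```

Running it shows the first block is exactly the three instructions the issue says angrop keeps, that the call sets `$a1` and `$a2` rather than `$a0` and `$a1`, and that the tail only becomes reachable once the callee returns, which is the second control-flow transfer the maintainer refers to.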