remove jump_reg, now there is only pc_reg

angr · Jan 23, 2025 · 358dad0 · 358dad0
1 parent 33a026e
commit 358dad0
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 13 deletions.
diff --git a/angrop/chain_builder/reg_setter.py b/angrop/chain_builder/reg_setter.py
@@ -610,11 +610,9 @@ def _get_remaining_regs(self, gadget: RopGadget, registers: set[str]) -> set[str
             remaining_regs.add(new_reg)
 
         if gadget.transit_type == 'jmp_reg':
-            # I don't know what's the difference between these two so just error if they're different.
-            assert gadget.jump_reg == gadget.pc_reg
-            if gadget.jump_reg in remaining_regs:
+            if gadget.pc_reg in remaining_regs:
                 return None
-            remaining_regs.add(gadget.jump_reg)
+            remaining_regs.add(gadget.pc_reg)
 
         if not gadget.constraint_regs.isdisjoint(remaining_regs):
             return None

diff --git a/angrop/gadget_finder/gadget_analyzer.py b/angrop/gadget_finder/gadget_analyzer.py
@@ -109,10 +109,6 @@ def filter(state):
 
         final_states = list(simgr.unconstrained)
         if "syscall" in simgr.stashes:
-            # for syscallgadget, the syscall number needs to be controlled, or there is no point
-            cc = angr.SYSCALL_CC[self.project.arch.name]["default"](self.project.arch)
-            sysnum_is_constrained = lambda s: not cc.syscall_num(s).symbolic or not rop_utils.fast_unconstrained_check(s, cc.syscall_num(s))
-            simgr.move(from_stash='syscall', to_stash='deadended', filter_func=sysnum_is_constrained)
             final_states.extend(self._try_stepping_past_syscall(state) for state in simgr.syscall)
 
         bad_states = simgr.active + simgr.deadended
@@ -349,7 +345,7 @@ def _create_gadget(self, addr, init_state, final_state, ctrl_type):
 
         # for jmp_reg gadget, record the jump target register
         if transit_type == "jmp_reg":
-            gadget.pc_reg = gadget.jump_reg = list(final_state.ip.variables)[0].split('_', 1)[1].rsplit('-')[0]
+            gadget.pc_reg = list(final_state.ip.variables)[0].split('_', 1)[1].rsplit('-')[0]
 
         # compute sp change
         l.debug("... computing sp change")

diff --git a/angrop/rop_gadget.py b/angrop/rop_gadget.py
@@ -121,8 +121,6 @@ def __init__(self, addr):
         # utilize gadgets like `call qword ptr [rax+rbx]` because we have the dependency information.
         # transition information, i.e. how to pass the control flow to the next gadget
         self.transit_type = None
-        # TODO: what's the difference between jump_reg and pc_reg?
-        self.jump_reg = None
         self.pc_reg = None
         # pc_offset is exclusively used when transit_type is "pop_pc",
         # when pc_offset==stack_change-arch_bytes, transit_type is basically ret
@@ -221,7 +219,6 @@ def copy(self):
         out.reg_moves = list(self.reg_moves)
         out.block_length = self.block_length
         out.transit_type = self.transit_type
-        out.jump_reg = self.jump_reg
         out.pc_reg = self.pc_reg
         return out
 

diff --git a/tests/test_gadgets.py b/tests/test_gadgets.py
@@ -40,7 +40,7 @@ def test_jump_gadget():
     jump_gadgets = [x for x in rop._all_gadgets if x.transit_type == "jmp_reg"]
     assert len(jump_gadgets) > 0
 
-    jump_regs = [x.jump_reg for x in jump_gadgets]
+    jump_regs = [x.pc_reg for x in jump_gadgets]
     assert 't9' in jump_regs
     assert 'ra' in jump_regs