angr
diff --git a/‎angrop/chain_builder/__init__.py
+9-4 b/‎angrop/chain_builder/__init__.py
+9-4
diff --git a/‎angrop/chain_builder/mem_writer.py
+38-7 b/‎angrop/chain_builder/mem_writer.py
+38-7
diff --git a/‎angrop/chain_builder/reg_setter.py
+45-13 b/‎angrop/chain_builder/reg_setter.py
+45-13
diff --git a/‎angrop/rop_chain.py
+16-26 b/‎angrop/rop_chain.py
+16-26
@@ -12,8 +12,8 @@
 from .. import rop_utils
 from .. import common
 from ..errors import RopException
-from ..rop_chain import RopChain
 from ..rop_gadget import RopGadget
+from ..rop_value import RopValue
 
 l = logging.getLogger("angrop.chain_builder")
 
@@ -75,6 +75,11 @@ def _contain_badbyte(self, ptr):
         """
         check if a pointer contains any bad byte
         """
+        if isinstance(ptr, RopValue):
+            if ptr.symbolic:
+                return False
+            else:
+                ptr = ptr.concreted
         raw_bytes = struct.pack(self.project.arch.struct_fmt(), ptr)
         if any(x in raw_bytes for x in self.badbytes):
             return True
@@ -236,15 +241,15 @@ def add_to_mem(self, addr, value, data_size=None):
         Example:
         chain = rop.add_to_mem(0x8048f124, 0x41414141)
         """
+        addr = rop_utils.cast_rop_value(addr, self.project)
+        value = rop_utils.cast_rop_value(value, self.project)
         return self._mem_writer.add_to_mem(addr, value, data_size=data_size)
 
     def write_to_mem(self, addr, data, fill_byte=b"\xff"):
+        addr = rop_utils.cast_rop_value(addr, self.project)
         return self._mem_writer.write_to_mem(addr, data, fill_byte=fill_byte)
 
     def _try_invoke_execve(self, path_addr):
-        cc = angr.SYSCALL_CC[self.project.arch.name]["default"](self.project.arch)
-        arg_regs = cc.ARG_REGS
-
         # next, try to invoke execve(path, ptr, ptr), where ptr points is either NULL or nullptr
         if 0 not in self.badbytes:
             ptr = 0
 
@@ -7,6 +7,7 @@
 from .. import rop_utils
 from ..errors import RopException
 from ..rop_chain import RopChain
+from ..rop_value import RopValue
 
 l = logging.getLogger("angrop.chain_builder.mem_writer")
 
@@ -66,6 +67,11 @@ def _contain_badbyte(self, ptr):
         """
         check if a pointer contains any bad byte
         """
+        if isinstance(ptr, RopValue):
+            if ptr.symbolic:
+                return False
+            else:
+                ptr = ptr.concreted
         raw_bytes = struct.pack(self.project.arch.struct_fmt(), ptr)
         if any(x in raw_bytes for x in self.badbytes):
             return True
@@ -160,7 +166,6 @@ def _write_to_mem(self, addr, string_data, fill_byte=b"\xff"):# pylint:disable=i
 
         gen = self._gen_mem_write_gadgets(string_data)
         gadget, use_partial_controllers = next(gen, (None, None))
-
         while gadget:
             try:
                 return self._try_write_to_mem(gadget, use_partial_controllers, addr, string_data, fill_byte)
@@ -263,7 +268,7 @@ def write_to_mem(self, addr, data, fill_byte=b"\xff"):
 
         # do the write
         offset = 0
-        chain = RopChain(self.project, self,  badbytes=self.badbytes)
+        chain = RopChain(self.project, self, badbytes=self.badbytes)
         for elem in elems:
             ptr = addr + offset
             if self._contain_badbyte(ptr):
@@ -314,8 +319,12 @@ def add_to_mem(self, addr, value, data_size=None):
         chain = self._change_mem_with_gadget(best_gadget, addr, data_size, difference=value)
         return chain
 
+    def _write_to_mem_with_gadget(self, gadget, addr_val, data, use_partial_controllers=False):
+        """
+        addr is a RopValue
+        """
+        addr_bvs = claripy.BVS("addr", self.project.arch.bits)
 
-    def _write_to_mem_with_gadget(self, gadget, addr, data, use_partial_controllers=False):
         # sanity check for simple gadget
         if len(gadget.mem_writes) != 1 or len(gadget.mem_reads) + len(gadget.mem_changes) > 0:
             raise RopException("too many memory accesses for my lazy implementation")
@@ -355,26 +364,48 @@ def _write_to_mem_with_gadget(self, gadget, addr, data, use_partial_controllers=
             raise RopException("Couldn't find the matching action")
 
         # constrain the addr
-        test_state.add_constraints(the_action.addr.ast == addr)
-        pre_gadget_state.add_constraints(the_action.addr.ast == addr)
+        test_state.add_constraints(the_action.addr.ast == addr_bvs, addr_bvs == addr_val.data)
+        pre_gadget_state.add_constraints(the_action.addr.ast == addr_bvs, addr_bvs = addr_val.data)
         pre_gadget_state.options.discard(angr.options.AVOID_MULTIVALUED_WRITES)
         state = rop_utils.step_to_unconstrained_successor(self.project, pre_gadget_state)
 
         # constrain the data
-        test_state.add_constraints(state.memory.load(addr, len(data)) == test_state.solver.BVV(data))
+        test_state.add_constraints(state.memory.load(addr_val.data, len(data)) == test_state.solver.BVV(data))
 
         # get the actual register values
         all_deps = list(mem_write.addr_dependencies) + list(mem_write.data_dependencies)
         reg_vals = {}
+        name = addr_bvs._encoded_name.decode()
         for reg in set(all_deps):
-            reg_vals[reg] = test_state.solver.eval(test_state.registers.load(reg))
+            var = test_state.solver.eval(test_state.registers.load(reg))
+            # check whether this reg will propagate to addr
+            # if yes, propagate its rebase value
+            for c in test_state.solver.constraints:
+                if len(c.variables) != 2: # xx == yy
+                    continue
+                if name not in c.variables:
+                    continue
+                var_names = set(c.variables)
+                var_names.remove(name)
+                if reg in var_names.pop():
+                    var = rop_utils.cast_rop_value(var, self.project)
+                    if addr_val._rebase:
+                        var.rebase_ptr()
+                    break
+            reg_vals[reg] = var
 
         chain = self._set_regs(use_partial_controllers=use_partial_controllers, **reg_vals)
         chain.add_gadget(gadget)
 
         bytes_per_pop = self.project.arch.bytes
         for _ in range(gadget.stack_change // bytes_per_pop - 1):
             chain.add_value(self._get_fill_val(), needs_rebase=False)
+
+        # verify the write actually works
+        state = chain.exec()
+        sim_data = state.memory.load(addr_val.data, len(data))
+        if not state.solver.eval(sim_data == data):
+            raise RopException("memory write fails")
         return chain
 
     def _change_mem_with_gadget(self, gadget, addr, data_size, final_val=None, difference=None):
 
@@ -4,12 +4,14 @@
 from collections import defaultdict
 from functools import cmp_to_key
 
+import claripy
 from angr.errors import SimUnsatError
 
 
 from .. import rop_utils
 from ..rop_chain import RopChain
 from ..errors import RopException
+from ..rop_value import RopValue
 
 l = logging.getLogger("angrop.chain_builder.reg_setter")
 
@@ -32,6 +34,11 @@ def _contain_badbyte(self, ptr):
         """
         check if a pointer contains any bad byte
         """
+        if isinstance(ptr, RopValue):
+            if ptr.symbolic:
+                return False
+            else:
+                ptr = ptr.concreted
         raw_bytes = struct.pack(self.project.arch.struct_fmt(), ptr)
         if any(x in raw_bytes for x in self._badbytes):
             return True
@@ -46,7 +53,13 @@ def verify(self, chain, registers):
         for reg, val in registers.items():
             chain_str = '\n-----\n'.join([str(self.project.factory.block(g.addr).capstone)for g in chain._gadgets])
             bv = getattr(state.regs, reg)
-            if bv.symbolic or state.solver.eval(bv != val):
+            for act in state.history.actions.hardcopy:
+                if act.type != "mem":
+                    continue
+                if act.addr.ast.variables:
+                    l.exception("memory access outside stackframe\n%s\n", chain_str)
+                    return False
+            if bv.symbolic or state.solver.eval(bv != val.data):
                 l.exception("Somehow angrop thinks \n%s\n can be used for the chain generation.", chain_str)
                 return False
         return True
@@ -60,9 +73,10 @@ def run(self, modifiable_memory_range=None, use_partial_controllers=False,  **re
         if unknown_regs:
             raise RopException("unknown registers: %s" % unknown_regs)
 
-        # load from cache
-        #reg_tuple = tuple(sorted(registers.keys()))
-        #chains = self._chain_cache[reg_tuple]
+        # cast values to RopValue
+        for x in registers:
+            registers[x] = rop_utils.cast_rop_value(registers[x], self.project)
+
         chains = []
 
         gadgets = self._find_relevant_gadgets(**registers)
@@ -168,19 +182,20 @@ def _find_add_chain(self, gadgets, reg, val):
         """
         find one chain to set one single register to a specific value using concrete values only through add/dec
         """
+        val = rop_utils.cast_rop_value(val, self.project)
         concrete_setter_gadgets = [ x for x in gadgets if reg in x.concrete_regs ]
         delta_gadgets = [ x for x in gadgets if len(x.reg_dependencies) == 1 and reg in x.reg_dependencies\
                             and len(x.reg_dependencies[reg]) == 1 and reg in x.reg_dependencies[reg]]
         for g1 in concrete_setter_gadgets:
             for g2 in delta_gadgets:
                 try:
-                    chain = self._build_reg_setting_chain([g1, g2], False,
-                                                         {reg: val}, g1.stack_change+g2.stack_change, [])
+                    chain = self._build_reg_setting_chain([g1, g2], False, # pylint:disable=too-many-function-args
+                                                         {reg: val}, g1.stack_change+g2.stack_change)
                     state = chain.exec()
                     bv = state.registers.load(reg)
                     if bv.symbolic:
                         continue
-                    if state.solver.eval(bv == val):
+                    if state.solver.eval(bv == val.data):
                         return [g1, g2]
                 except Exception:# pylint:disable=broad-except
                     pass
@@ -193,16 +208,16 @@ def _find_all_candidate_chains(self, gadgets, **registers):
         TODO: handle moves
         """
         # get the list of regs that cannot be popped (call it hard_regs)
-        hard_regs = [reg for reg, val in registers.items() if type(val) == int and self._contain_badbyte(val)]
+        hard_regs = [reg for reg, val in registers.items() if self._contain_badbyte(val)]
         if len(hard_regs) > 1:
             l.error("too many registers contain bad bytes! bail out! %s", registers)
             return []
 
         # if hard_regs exists, try to use concrete values to craft the value
         hard_chain = []
-        if hard_regs:
+        if hard_regs and not registers[hard_regs[0]].symbolic:
             reg = hard_regs[0]
-            val = registers[reg]
+            val = registers[reg].concreted
             key = (reg, val)
             if key in self.hard_chain_cache:
                 hard_chain = self.hard_chain_cache[key]
@@ -294,8 +309,13 @@ def _build_reg_setting_chain(self, gadgets, modifiable_memory_range, register_di
 
         # constrain the final registers
         rebase_state = test_symbolic_state.copy()
+        var_dict = {}
         for r, v in register_dict.items():
-            test_symbolic_state.add_constraints(state.registers.load(r) == v)
+            var = claripy.BVS(r, self.project.arch.bits)
+            var_name = var._encoded_name.decode()
+            var_dict[var_name] = v
+            test_symbolic_state.add_constraints(state.registers.load(r) == var)
+            test_symbolic_state.add_constraints(var == v.data)
 
         # constrain the "filler" values
         if self._roparg_filler is not None:
@@ -323,7 +343,19 @@ def _build_reg_setting_chain(self, gadgets, modifiable_memory_range, register_di
                 chain.add_gadget(gadgets[0])
                 gadgets = gadgets[1:]
             else:
-                chain.add_value(sym_word, needs_rebase=False)
+                # propagate the initial RopValue provided by users to preserve info like rebase
+                var = sym_word
+                for c in test_symbolic_state.solver.constraints:
+                    if len(c.variables) != 2: # it is always xx == yy
+                        continue
+                    if not sym_word.variables.intersection(c.variables):
+                        continue
+                    var_name = set(c.variables - sym_word.variables).pop()
+                    if var_name not in var_dict:
+                        continue
+                    var = var_dict[var_name]
+                    break
+                chain.add_value(var, needs_rebase=False)
 
         if len(gadgets) > 0:
             raise RopException("Didnt find all gadget addresses, something must've broke")
@@ -377,7 +409,7 @@ def _find_reg_setting_gadgets(self, modifiable_memory_range=None, use_partial_co
         search_regs = set(registers)
 
         if modifiable_memory_range is not None and len(modifiable_memory_range) != 2:
-            raise Exception("modifiable_memory_range should be a tuple (low, high)")
+            raise RopException("modifiable_memory_range should be a tuple (low, high)")
 
         # find gadgets with sufficient partial control
         partial_controllers = {}
 
@@ -1,8 +1,6 @@
 from . import rop_utils
 from .errors import RopException
-from .value import ROPValue
-
-from cle.address_translator import AT
+from .rop_value import RopValue
 
 class RopChain:
     """
@@ -38,12 +36,9 @@ def __add__(self, other):
         return result
 
     def add_value(self, value, needs_rebase=False):
-        if type(value) is not ROPValue:
-            value = ROPValue(value)
-            value.set_project(self._p)
-            value.rebase_analysis()
-        else:
-            value.set_project(self._p)
+        if type(value) is not RopValue:
+            value = RopValue(value, self._p)
+            value.rebase_analysis(chain=self)
         self._values.append(value)
         self.payload_len += self._p.arch.bytes
 
@@ -53,8 +48,9 @@ def add_gadget(self, gadget):
         value = gadget.addr
         if self._pie:
             value -= self._p.loader.main_object.mapped_base
-        value = ROPValue(value, project=self._p)
-        value.set_rebase(True)
+        value = RopValue(value, self._p)
+        if self._pie:
+            value._rebase = True
         self.add_value(value)
 
     def add_constraint(self, cons):
@@ -71,7 +67,6 @@ def _concretize_chain_values(self, constraints=None):
         :param constraints: constraints to use when concretizing values
         :return: a list of tuples of type (int, needs_rebase)
         """
-
         solver_state = self._blank_state.copy()
         if constraints is not None:
             if isinstance(constraints, (list, tuple)):
@@ -82,12 +77,8 @@ def _concretize_chain_values(self, constraints=None):
 
         concrete_vals = []
         for value in self._values:
-            if not value.symbolic:
-                concrete_vals.append((value.concreted, value.rebase))
-                continue
-
-            # if it is symbolic, make sure it does not have badbytes in it
-            ast = value.ast
+            # make sure it does not have badbytes in it
+            ast = value.data
             constraints = []
             # for each byte, it should not be equal to any bad bytes
             # TODO: we should do the badbyte verification when adding values
@@ -98,6 +89,8 @@ def _concretize_chain_values(self, constraints=None):
             # apply the constraints
             for expr in constraints:
                 solver_state.solver.add(expr)
+                if not solver_state.solver.satisfiable():
+                    raise RopException("bad chain!")
             concrete_vals.append((solver_state.solver.eval(ast), value.rebase))
 
         return concrete_vals
@@ -126,8 +119,8 @@ def payload_bv(self):
 
         test_state = self._blank_state.copy()
 
-        for value, _ in reversed(self._values):
-            test_state.stack_push(value)
+        for value in reversed(self._values):
+            test_state.stack_push(value.data)
 
         sp = test_state.regs.sp
         return test_state.memory.load(sp, self.payload_len)
@@ -156,17 +149,14 @@ def payload_code(self, constraints=None, print_instructions=True):
 
             instruction_code = ""
             if print_instructions:
-                if needs_rebase:
-                    #dealing with pie code
-                    value_in_gadget = AT.from_lva(value, self._p.loader.main_object).to_mva()
-                else:
-                    value_in_gadget = value
+                value_in_gadget = value
                 if value_in_gadget in gadget_dict:
-                    asmstring = rop_utils.gadget_to_asmstring(self._p,gadget_dict[value_in_gadget])
+                    asmstring = rop_utils.gadget_to_asmstring(self._p, gadget_dict[value_in_gadget])
                     if asmstring != "":
                         instruction_code = "\t# " + asmstring
 
             if needs_rebase:
+                value -= self._p.loader.main_object.mapped_base
                 payload += "chain += " + pack_rebase % value + instruction_code
             else:
                 payload += "chain += " + pack % value + instruction_code