From 1a931e766383a53f12c726b37a7229d88639a8c7 Mon Sep 17 00:00:00 2001
From: Kyle Zeng
Date: Tue, 13 Feb 2024 14:59:41 -0700
Subject: [PATCH] comply with the changes in angrop

---
 rex/exploit/technique.py           | 6 +-----
 rex/exploit/techniques/ret2libc.py | 4 ++--
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/rex/exploit/technique.py b/rex/exploit/technique.py
index 39c0b4f..ed03127 100644
--- a/rex/exploit/technique.py
+++ b/rex/exploit/technique.py
@@ -497,7 +497,7 @@ def _ip_overwrite_with_chain(self, chain, state=None, assert_next_ip_controlled=
 
         # okay we have a symbolic region which fits and is above sp
         # can we pivot there?
-        for gadget in rop.gadgets:
+        for gadget in rop.rop_gadgets:
 
             # let's make sure the gadget is sane
             # TODO: consult state before throwing out a gadget, some of these memory
@@ -505,10 +505,6 @@ def _ip_overwrite_with_chain(self, chain, state=None, assert_next_ip_controlled=
             if len(gadget.mem_changes + gadget.mem_writes + gadget.mem_reads) > 0:
                 continue
 
-            if gadget.bp_moves_to_sp:
-                # it'd better not touch sp
-                continue
-
             # FIXME: this assumption is very wrong
             # if we assume all gadgets end in a 'ret' so we can subtract 4 (wordsize) from stack_change
             # as we're not interested in the ret's effect on stack movement, because when the
diff --git a/rex/exploit/techniques/ret2libc.py b/rex/exploit/techniques/ret2libc.py
index 9ef0c15..1f20ff8 100644
--- a/rex/exploit/techniques/ret2libc.py
+++ b/rex/exploit/techniques/ret2libc.py
@@ -142,7 +142,7 @@ def _invoke_system(self, system_addr, cmd_addr):
         self._windup_to_unconstrained_successor()
 
         # list all potential JOP gadgets
-        gadgets = [g for g in self.libc_rop.gadgets if g.gadget_type == "jump"
+        gadgets = [g for g in self.libc_rop.rop_gadgets if g.gadget_type == "jump"
                   and g.jump_reg == 't9' and g.pc_reg != 't9']
         # filter out gadgets that touches a0
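Review bot: The new loop header `for gadget in rop.rop_gadgets:` binds rex to an angrop API that only exists after angrop split its gadget list, and nothing in this patch raises the minimum angrop version in rex's package metadata, so an environment with an older angrop now fails with an AttributeError deep inside the pivot search instead of at install time. Please land the version pin together with this rename, or if mixed installs must keep working for a while, resolve the list once above the loop with `gadget_list = getattr(rop, "rop_gadgets", None) or rop.gadgets` and iterate that. `_ip_overwrite_with_chain` starts and ends outside this hunk, so I cannot see whether `rop` is obtained elsewhere in a way that already checks the angrop version.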
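Review bot: The `bp_moves_to_sp` guard is removed without a replacement, so a gadget that copies bp into sp would now pass the sanity filter and reach the `stack_change` arithmetic that the surviving FIXME comment already describes as built on a wrong assumption; the hunk gives no reason for the removal. If the reason is that angrop's `rop_gadgets` no longer contains bp-to-sp gadgets (presumably they are now reported with the pivot gadgets), that assumption should be written down where the guard was, e.g. `# bp->sp gadgets are classified as pivots by angrop and never appear in rop_gadgets, so no bp_moves_to_sp check is needed here`, so the next angrop change does not silently reintroduce them into this pivot search. The enclosing function continues outside the hunk on both sides.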
@@ -154,7 +154,7 @@ def _invoke_system(self, system_addr, cmd_addr):
         set_reg_gadget = None
         for jop_gadget in gadgets:
             pc_reg = jop_gadget.pc_reg
-            gadgets2 = [g for g in self.libc_rop.gadgets if pc_reg in g.popped_regs]
+            gadgets2 = [g for g in self.libc_rop.rop_gadgets if pc_reg in g.popped_regs]
             # we need to filter out reads and writes to avoid SIGSEGV from them with invalid addresses
             gadgets3 = [g for g in gadgets2 if 'a0' not in g.changed_regs and not g.mem_reads and not g.mem_writes]
             if gadgets3:
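Review bot: The `gadgets3` filter on the line after the SIGSEGV comment rejects gadgets with `mem_reads` and `mem_writes` but not `mem_changes`, even though the technique.py sanity check in this same patch (`gadget.mem_changes + gadget.mem_writes + gadget.mem_reads`) treats `mem_changes` as a third kind of memory access; a read-modify-write through an uncontrolled pointer faults just like a plain read or write, so the comment's stated goal is not met. Suggest `gadgets3 = [g for g in gadgets2 if 'a0' not in g.changed_regs and not g.mem_reads and not g.mem_writes and not g.mem_changes]`. `_invoke_system` starts and ends outside this hunk, so I could not check whether a later filter already covers this.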