Grant stack registers a higher score of writable constraints (#190)

* Grant stack registers a higher score of writable constraints * Replace slice with sub
2022-03-25 23:13:08 +08:00 · 2022-03-25 23:13:08 +08:00 · 8ae5478970
parent fc6537a6e7
commit 8ae5478970
1 changed files with 10 additions and 3 deletions
--- a/lib/one_gadget/gadget.rb
+++ b/lib/one_gadget/gadget.rb
@ -78,12 +78,19 @@ module OneGadget
        case expr
        when / & 0xf/ then 0.95
        when /GOT address/ then 0.9
-        when /^writable/ then 0.81
-        when / == NULL$/ then calculate_null_score(expr.slice(0...expr.rindex(' == NULL')))
-        when / <= 0$/ then calculate_null_score(expr.slice(0...expr.rindex(' <= ')))
+        when /^writable/ then calculate_writable_score(expr.sub('writable: ', ''))
+        when / == NULL$/ then calculate_null_score(expr.sub(' == NULL', ''))
+        when / <= 0$/ then calculate_null_score(expr.sub(' <= 0', ''))
        end
      end

+      def calculate_writable_score(identity)
+        lmda = OneGadget::Emulators::Lambda.parse(identity)
+        return 0.81 if lmda.deref_count != 0
+
+        OneGadget::ABI.stack_register?(lmda.obj) ? 0.95 : 0.81
+      end
+
      def calculate_null_score(identity)
        # remove <CAST>
        identity.sub!(/^\([s|u]\d+\)/, '')