From 66e1e84145a96fda41fa4b6c9672bcf0aa90d6d3 Mon Sep 17 00:00:00 2001
From: Kyle Zeng
Date: Wed, 12 Feb 2025 16:48:32 -0700
Subject: [PATCH] support execve for all arch
---
 angrop/arch.py | 6 ++++++
 angrop/chain_builder/sys_caller.py | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/angrop/arch.py b/angrop/arch.py
index d1c37f1..be5d022 100644
--- a/angrop/arch.py
+++ b/angrop/arch.py
@@ -17,6 +17,7 @@ def __init__(self, project, kernel_mode=False):
 self.base_pointer = a.register_names[a.bp_offset]
 self.syscall_insts = None
 self.ret_insts = None
+ self.execve_num = None
 def _get_reg_set(self):
 """
@@ -42,6 +43,7 @@ def __init__(self, project, kernel_mode=False):
 self.syscall_insts = {b"\xcd\x80"} # int 0x80
 self.ret_insts = {b"\xc2", b"\xc3", b"\xca", b"\xcb"}
 self.segment_regs = {"cs", "ds", "es", "fs", "gs", "ss"}
+ self.execve_num = 0xb
 def _x86_block_make_sense(self, block):
 capstr = str(block.capstone).lower()
@@ -68,6 +70,7 @@ def __init__(self, project, kernel_mode=False):
 super().__init__(project, kernel_mode=kernel_mode)
 self.syscall_insts = {b"\x0f\x05"} # syscall
 self.segment_regs = {"cs_seg", "ds_seg", "es_seg", "fs_seg", "gs_seg", "ss_seg"}
+ self.execve_num = 0x3b
 def block_make_sense(self, block):
 return self._x86_block_make_sense(block)
@@ -82,6 +85,7 @@ def __init__(self, project, kernel_mode=False):
 self.alignment = self.project.arch.bytes
 self.max_block_size = self.alignment * 8
 self.fast_mode_max_block_size = self.alignment * 6
+ self.execve_num = 0xb
 def set_thumb(self):
 self.is_thumb = True
@@ -109,6 +113,7 @@ def __init__(self, project, kernel_mode=False):
 self.ret_insts = {b'\xc0\x03_\xd6'}
 self.max_block_size = self.alignment * 10
 self.fast_mode_max_block_size = self.alignment * 6
+ self.execve_num = 0xdd
 class MIPS(ROPArch):
 def __init__(self, project, kernel_mode=False):
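Review bot: The base-class default `self.execve_num = None` in the -17 hunk is undocumented and leaves any ROPArch subclass that does not override it handing `None` to the syscall builder once sys_caller.py reads the attribute. The values assigned in the later hunks (0xb, 0x3b, 0xb, 0xdd, 0xfab) are Linux `__NR_execve` numbers for their ABIs, so the field is Linux-specific and that should be stated where it is declared: `self.execve_num = None  # Linux __NR_execve for this arch/ABI; every subclass must set it`. The same bare magic constant appears in the hunks at -42, -68, -82 and -109; a trailing comment naming the ABI on each (for example `self.execve_num = 0x3b  # __NR_execve, x86_64` and `# __NR_execve, i386 int 0x80 ABI` for 0xb) would make them checkable against the kernel tables. Each of these `__init__` bodies starts outside its hunk.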
@@ -116,6 +121,7 @@ def __init__(self, project, kernel_mode=False):
 self.alignment = self.project.arch.bytes
 self.max_block_size = self.alignment * 8
 self.fast_mode_max_block_size = self.alignment * 6
+ self.execve_num = 0xfab
 def get_arch(project, kernel_mode=False):
 name = project.arch.name
diff --git a/angrop/chain_builder/sys_caller.py b/angrop/chain_builder/sys_caller.py
index 33dc39f..526c326 100644
--- a/angrop/chain_builder/sys_caller.py
+++ b/angrop/chain_builder/sys_caller.py
@@ -53,7 +53,7 @@ def filter_gadgets(self, gadgets) -> list: # pylint: disable=no-self-use
 return sorted(gadgets, key=functools.cmp_to_key(cmp))
 def _try_invoke_execve(self, path_addr):
- execve_syscall = 0x3b if self.project.arch.bits == 64 else 0xb
+ execve_syscall = self.chain_builder.arch.execve_num
 # next, try to invoke execve(path, ptr, ptr), where ptr points is either NULL or nullptr
 if 0 not in self.badbytes:
 ptr = 0
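Review bot: `self.execve_num = 0xfab` (4011) in the MIPS hunk is the o32 `__NR_execve`, but this class sizes `alignment` from `self.project.arch.bytes`, which suggests it is also used for 64-bit MIPS projects, where the n64 ABI numbers execve 5057 (0x13c1) instead; if that routing is real, an execve chain built for MIPS64 would invoke a different syscall. The number should then follow the project's bit width, `self.execve_num = 0xfab if self.project.arch.bits == 32 else 0x13c1  # __NR_execve, o32 / n64`, or the 64-bit case should be rejected explicitly. Whether MIPS64 actually reaches this class depends on `get_arch`, whose body is cut off at the end of the hunk, and the enclosing `__init__` starts outside it.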
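Review bot: `execve_syscall = self.chain_builder.arch.execve_num` has no guard for the base-class default of `None`, so on an arch that never sets the number the chain is built with `None` as the syscall number (or fails somewhere deeper with an unrelated error) where the removed expression always yielded an int. A check right after the assignment keeps the failure local and readable: `if execve_syscall is None:` / `    raise ValueError(f"execve syscall number unknown for {self.project.arch.name}")`, using whichever exception type sys_caller.py already raises for unsupported configurations. The body of `_try_invoke_execve` continues past the end of the hunk.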