allow stack_change to be negative

Kyle-Kyle · Kyle-Kyle · commit 7ce1b0709787 · 2025-02-04T16:32:31.000-07:00
diff --git a/angrop/gadget_finder/gadget_analyzer.py b/angrop/gadget_finder/gadget_analyzer.py
@@ -628,6 +628,12 @@ def _check_if_stack_controls_ast(self, ast, initial_state, gadget_stack_change=N
 
         return ans
 
+    def _to_signed(self, value):
+        bits = self.project.arch.bits
+        if value >> (bits-1): # if the MSB is 1, this value is negative
+            value -= (1<<bits)
+        return stack_change
+
     def _compute_sp_change(self, init_state, final_state, gadget):
         """
         Computes the change in the stack pointer for a gadget
@@ -655,7 +661,7 @@ def _compute_sp_change(self, init_state, final_state, gadget):
             if len(stack_changes) != 1:
                 raise RopException("SP change is symbolic")
 
-            gadget.stack_change = stack_changes[0]
+            gadget.stack_change = self._to_signed(stack_changes[0])
 
         elif type(gadget) is PivotGadget:
             # FIXME: step_to_unconstrained_successor is not compatible with conditional_branches
@@ -673,7 +679,7 @@ def _compute_sp_change(self, init_state, final_state, gadget):
                         break
                 prev_act = act
             if last_sp is not None:
-                gadget.stack_change = (last_sp - init_state.regs.sp).concrete_value
+                gadget.stack_change = self._to_signed((last_sp - init_state.regs.sp).concrete_value)
             else:
                 gadget.stack_change = 0
 
