Grant stack registers a higher score of writable constraints (#190)

david942j · web-flow · commit 8ae547897024 · 2022-03-25T23:13:08.000+08:00
* Grant stack registers a higher score of writable constraints

* Replace slice with sub
diff --git a/lib/one_gadget/gadget.rb b/lib/one_gadget/gadget.rb
@@ -78,12 +78,19 @@ def calculate_score(expr)
         case expr
         when / & 0xf/ then 0.95
         when /GOT address/ then 0.9
-        when /^writable/ then 0.81
-        when / == NULL$/ then calculate_null_score(expr.slice(0...expr.rindex(' == NULL')))
-        when / <= 0$/ then calculate_null_score(expr.slice(0...expr.rindex(' <= ')))
+        when /^writable/ then calculate_writable_score(expr.sub('writable: ', ''))
+        when / == NULL$/ then calculate_null_score(expr.sub(' == NULL', ''))
+        when / <= 0$/ then calculate_null_score(expr.sub(' <= 0', ''))
         end
       end
 
+      def calculate_writable_score(identity)
+        lmda = OneGadget::Emulators::Lambda.parse(identity)
+        return 0.81 if lmda.deref_count != 0
+
+        OneGadget::ABI.stack_register?(lmda.obj) ? 0.95 : 0.81
+      end
+
       def calculate_null_score(identity)
         # remove <CAST>
         identity.sub!(/^\([s|u]\d+\)/, '')
