angrop
func_call gadget in mips
Question
I'm looking for a func_call gadget in my MIPS binary. Using the ropper tool I've found this valid gadget:

```asm
move $a1, $s1
jalr $s3                   # call through $s3; the next instruction is its delay slot
move $a2, $s0              # executes before the jump, so $a2 is set on entry
lw $ra, 0x48($sp)          # the callee returns here: reload $ra from the stack
lw $s1, 0x48+var_24($sp)
lw $s0, 0x48+var_28($sp)
jr $ra
addiu $sp, 0x48            # delay slot of jr: the stack adjustment still happens
```
Using this gadget I can jump to any function (I have control over $s3 from a previous gadget) with 2 args.
However, when I try to use angrop, it truncates the gadget to the first 3 instructions:

```asm
move $a1, $s1
jalr $s3
move $a2, $s0
```
and therefore fails to find a valid func_call gadget.
I guess that it happens because angr terminates the block after the jalr instruction...
Any ideas on how to fix this?
Thanks!
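An added example (not angrop's or angr's own code) that models the behaviour described in the question: it splits the posted listing into MIPS basic blocks, keeping each delay-slot instruction with its jump, so the first block is exactly the three instructions angrop reports, and then rejoins the block that a return to `$ra` reaches to show the full call-then-return chain. The mnemonic sets are an assumption covering only common cases.

```python
# MIPS delay-slot-aware block splitter (added example; not angrop's code).
from dataclasses import dataclass

# Constructed input: the gadget listing from the question.
GADGET = """\
move $a1, $s1
jalr $s3
move $a2, $s0
lw $ra, 0x48($sp)
lw $s1, 0x48+var_24($sp)
lw $s0, 0x48+var_28($sp)
jr $ra
addiu $sp, 0x48
"""

# Control transfers that end a basic block; each has one delay slot on MIPS.
# Assumed subset of the ISA, enough for this listing.
CALLS = {"jal", "jalr"}
JUMPS = {"j", "jr"}
BRANCHES = {"b", "beq", "bne", "beqz", "bnez", "bgez", "bltz"}
TERMINATORS = CALLS | JUMPS | BRANCHES

@dataclass
class Block:
    insns: list
    kind: str  # "call", "jump", "branch" or "fallthrough"

def parse(listing):
    return [line.strip() for line in listing.splitlines() if line.strip()]

def split_blocks(insns):
    blocks, cur, i = [], [], 0
    while i < len(insns):
        cur.append(insns[i])
        m = insns[i].split()[0]
        if m in TERMINATORS:
            # The instruction after a MIPS jump/branch sits in its delay slot
            # and runs before control transfers, so it belongs to this block.
            if i + 1 < len(insns):
                cur.append(insns[i + 1])
                i += 1
            kind = "call" if m in CALLS else "jump" if m in JUMPS else "branch"
            blocks.append(Block(cur, kind))
            cur = []
        i += 1
    if cur:
        blocks.append(Block(cur, "fallthrough"))
    return blocks

def call_gadget_view(listing):
    """Return (block a block-at-a-time lifter sees, full call-then-return chain)."""
    blocks = split_blocks(parse(listing))
    first = blocks[0]
    # A jalr returns to the instruction after its delay slot, i.e. the start of
    # the next block; a lifter that stops at the block boundary never joins them.
    tail = blocks[1].insns if first.kind == "call" and len(blocks) > 1 else []
    return first.insns, first.insns + tail
```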