A tool to search for gadgets, operations, and ROP chains using a backtracking algorithm in a tree-like structure
Home Page: https://doi.org/10.1109/SPW53761.2021.00056
License: GNU General Public License v3.0
Extend the YAML processing to give native support for the virtual operations defined in ROPLang, which mainly can be operations composed of other virtual operations (a sort of meta-operations).
Following up #4, another enhancement would be to avoid bytes of terminator canary in ROP gadgets shown when duplicated are removed. The terminator canary is usually represented as 0x000aff0d, which includes \x00 (for strcpy() and functions alike), string-terminator bytes as \x0a and \x0d (for gets() and others alike), and \xff (EOF).
When duplicated gadgets are skipped in the output, there is no way for the user to know that there are more gadgets as that in other memory addresses. It is better if the tool can report the number of duplicated gadgets skipped, as it might happen that the gadget selected and shown by the tool has some invalid byte in its address.
Following up #5, add a new optional argument, --badchars to allow the user to specify the byte (or set of bytes) that must be avoided in the addresses of ROP gadgets returned by the tool.
Text description
Re-basing is not working with multiple files are given with --file parameter
Actual behavior
--base rebases all the files
Expected behavior
We need to give the choice of rebasing every file given with --file independently. I recommend a simplest solution:
python3 rop3.py --binary file1 file2 ... --base imageBase1,imageBase2,...
Text description
When executing rop3 with options "--ropchain" + "--base", the rebasing is not done.
Actual behavior
$ python3 rop3.py --binary /Volumes/Datos/sharedVM/kernel32.dll --ropchain ../ropchain.txt --base 0x761c1000
================================================================================
Ropchain 1
================================================================================
{'op': 'nop', 'dst': '', 'src': '', 'data': 'nop()', '': ''}
nop() []
[kernel32.dll @ 0x75a51480]: ret
[kernel32.dll @ 0x75ab5f6c]: retf
{'op': 'lc', 'dst': 'edi', 'src': '', 'data': 'lc(edi)', 'edi': 'edi', '': ''}
lc(edi) [edi: edi]
[kernel32.dll @ 0x75aa3cf9]: pop edi ; leave ; ret
[ ... redacted ... ]
Expected behavior
All gadgets shall consider the base given by parameter, 0x761c1000 in this case, rather than 0x75a....
Steps to reproduce the behavior
See the actual behavior above for an example. You only need to provide a ropchain in a .txt file, as well as use the --base parameter
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.