0vercl0k / rp

rp++ is a fast C++ ROP gadget finder for PE/ELF/Mach-O x86/x64/ARM/ARM64 binaries.
MIT License

Feature Request - Raw Bytes w/ results #26

Closed jstaursky closed 3 years ago

jstaursky commented 3 years ago

Could you create an option that would show the raw byte values corresponding with the gadget instructions found? Would lessen some tedium of doing it manually.

0vercl0k commented 3 years ago

I'm kinda curious - what's your use case exactly?

Cheers


jstaursky commented 3 years ago

It's helpful for finding unintended subinstructions. For example, say I find

add dword [eax], 0xdeafcafe

If I see its corresponding byte pattern, raw bytes = 0x81, 0x00, 0xfe, 0xca, 0xaf, 0xde, I can recognize that

retf 0xdeaf

is a subsequence, as it has bytes raw bytes = 0xca, 0xaf, 0xde. I'm not a savant who knows the full x86 architecture or anything, but recognizing a few patterns is still useful.
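
The overlap described in the comment above, as an added example that is not part of the original thread and is not rp++ code: a C scan that checks every byte offset of an encoding, not just instruction starts, for the four x86 return opcodes. The names `ret_hit`, `find_returns` and `SAMPLE` are assumptions made for illustration, and the scan matches return opcodes only; it does not disassemble the bytes around them.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* One return opcode found at some byte offset inside a buffer. */
typedef struct {
    size_t offset;     /* position of the opcode byte */
    const char *mnem;  /* "ret" or "retf" */
    int has_imm;       /* 1 when the opcode carries a 16-bit immediate */
    uint16_t imm;      /* immediate, decoded little-endian */
} ret_hit;

/* Bytes quoted in the thread for: add dword [eax], 0xdeafcafe */
static const uint8_t SAMPLE[] = { 0x81, 0x00, 0xfe, 0xca, 0xaf, 0xde };

/* Look at every offset for C3 (ret), C2 iw (ret imm16), CB (retf) and
 * CA iw (retf imm16). An imm16 form whose immediate would run past the
 * end of the buffer is skipped. Returns the number of hits stored. */
size_t find_returns(const uint8_t *buf, size_t len, ret_hit *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        uint8_t op = buf[i];
        if (op == 0xC3 || op == 0xCB) {
            out[n++] = (ret_hit){ i, op == 0xC3 ? "ret" : "retf", 0, 0 };
        } else if ((op == 0xC2 || op == 0xCA) && i + 2 < len) {
            uint16_t imm = (uint16_t)(buf[i + 1] | (buf[i + 2] << 8));
            out[n++] = (ret_hit){ i, op == 0xC2 ? "ret" : "retf", 1, imm };
        }
    }
    return n;
}

int main(void)
{
    ret_hit hits[8];
    size_t n = find_returns(SAMPLE, sizeof SAMPLE, hits, 8);
    for (size_t k = 0; k < n; k++) {
        if (hits[k].has_imm)
            printf("+%zu: %s 0x%04x\n", hits[k].offset, hits[k].mnem,
                   (unsigned)hits[k].imm);
        else
            printf("+%zu: %s\n", hits[k].offset, hits[k].mnem);
    }
    return 0;
}
```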

0vercl0k commented 3 years ago

But in that case the ret 0xdeaf should also be in the output list of gadgets; and it should be close as well (I think the gadgets are displayed ordered by address) so I am not sure if it's really useful 🤔

Cheers


jstaursky commented 3 years ago

Ah well, I suppose it's just up to my personal preference then. I found other tools to accomplish this anyway. So we both win. I'll close the issue.

0vercl0k commented 3 years ago

Happy to write a patch for you that does it, it should be pretty easy - but not sure how useful it is for everybody; that's why I asked the question :)

Cheers
