mariuszskon
commented
4 years ago Hi,
I am interested in working on this.
The only thing I am unsure of at the moment is how we would handle setting multiple registers "at once" i.e. with the minimum number of rop chains. I see that we are using _ delimited registers in __getattr__:
#
# Check for a '_'-delimited list of registers
#
x86_suffixes = ['ax', 'bx', 'cx', 'dx', 'bp', 'sp', 'di', 'si',
'r8', 'r9', '10', '11', '12', '13', '14', '15']
if all(map(lambda x: x[-2:] in x86_suffixes, attr.split('_'))):
return self.search(regs=attr.split('_'), order='regs')But what should go on the right hand side of the assignment? A tuple? e.g.
rop.rax_rdi_rsi = (0xdead, 0xbeef, 0xcafe)This looks a bit ugly to me, but I'm not sure what else we can do.
Ideally something like this would work, but would require each __setattr__ call to check previous ones:
rop.rax = 0xdead
rop.rdi = 0xbeef
rop.rsi = 0xcafe
rop.chain() # minimum rop chain for setting all of the above, not three separate chains (if possible)Thanks, Mariusz
Arusekk
zachriggle
Currently, if you have a ROP gadget that has a
pop eax; retgadget, you can accessROP.eaxand get the gadget information.This should work in the other direction, so that setting e.g.
rop.rax = 0xdeadbeefadds the correct data to the stack.