Can't find the 'pop ecx' instruction

[ghost]

Hello, I tried using ROPgadget v6.3 on a test file with a buffer overflow and I keep getting a "Can't find the 'pop ecx' instruction" message when I try to generate the ropchain.

Anyone else has a similar problem?

Here's my code, compiled as "gcc -static test.c -o test" test.txt

Here's the ROPgadget output, using the command-line input: ROPgadget --binary test --ropchain> ropS Gadgets information >> ropS.txt

Here's ROP chain output

ROP chain generation

• Step 1 -- Write-what-where gadgets

  [+] Gadget found: 0x805875a mov dword ptr [edx], eax ; ret [+] Gadget found: 0x805ed9e pop edx ; pop ebx ; pop esi ; ret [+] Gadget found: 0x8052a24 pop eax ; ret [+] Gadget found: 0x804f7e0 xor eax, eax ; ret

• Step 2 -- Init syscall number gadgets

  [+] Gadget found: 0x804f7e0 xor eax, eax ; ret [+] Gadget found: 0x807feea inc eax ; ret

• Step 3 -- Init syscall arguments gadgets

  [+] Gadget found: 0x804901e pop ebx ; ret [-] Can't find the 'pop ecx' instruction

[SweetVishnya]

ROPgadget chains gadgets quite straightforward. It searches for exact pop ecx ; ret that is not contained in your binary. ROPgadget is mostly about searching gadgets. You can check out more advanced ROP chain generating tools. These tools can be found in Section 17 (Experimental tools comparison) in this paper.

[SweetVishnya]

Also, you'd better start with overflow via memcpy. If overflow is performed via strcpy, you should consider bad chars ('\0' which stops copying). Most open source ROP chain generation tools partially implement bad chars support. They remove gadgets with bad chars in addresses, but leave them in values loaded from stack. For instance, string "/bin/sh\x00".