Open andrewzigerelli opened 2 years ago
Seems to be caused by quiet mode.
```
$ r2 -
[0x00000000]> e rop.len
5
[0x00000000]> "wa mov rdi, rsi; jmp rax;"
INFO: Written 5 byte(s) (mov rdi, rsi; jmp rax;) = wx 4889f7ffe0 @ 0x00000000
[0x00000000]> "/R/q r[^d]i"
0x00000000: mov rdi, rsi; jmp rax;
[0x00000000]> "/R r[^d]i"
[0x00000000]> e rop.len=2
[0x00000000]> "/R/q [^p]+;[^p]+"
0x00000000: mov rdi, rsi; jmp rax;
0x00000001: mov edi, esi; jmp rax;
[0x00000000]> "/R [^p]+;[^p]+"
```
Environment
Description
Rop is not expected, at least for excluding characters.
Test
Using https://github.com/radareorg/radare2-testbins/blob/master/elf/analysis/ls-linux64
Same results for:
"/R/q [^p]+"
or "/R/q [^p]+;"
Further, another possibly more interesting case, using same rop.len and same binary:
Basically same results for
"/R/q r[^d]i;"
However, the semicolon does make a difference:
Is there a specification on how the rop regex is supposed to work? I don't understand the logic in construct_rop_gadget(...) in libr/core/cmd_search.c, but there seems to be some processing to split tokens at the semicolon before and after calls to r_regex_match. Further, I'm not sure what should happen if the number of "regex tokens" separated by semicolons is < rop.len. Even if I make sure num(regex_tokens) == rop.len, I don't get the expected results. This test uses rop.len=2, with two regex expressions separated by a token.
Normally I would expect [^p]+ to match the semicolon, but because of the preprocessing, it shouldn't be passed to regcomp. I have also experimented with putting \3b inside the excluded character set and sometimes I get better results (not correct), but this seems likely to break things if the intent is to scan for the semicolon before any regex match is attempted.
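To make the two readings of the regex discussed in this report concrete, here is an added Python model (not radare2 code, and not a description of what construct_rop_gadget actually does) of the gadgets from the session above. It compares matching the whole regex against the disassembled gadget string with the per-token interpretation the report suspects: split the pattern at ';', split the gadget at ';', and require the i-th token to match the i-th instruction, bounded by rop.len. The gadget table and the search function are constructed here for illustration.

```python
import re

# Constructed sample: the two gadgets the r2 session above reports at
# offsets 0 and 1 of the 5-byte buffer written with "wa".
GADGETS = {
    0x0: "mov rdi, rsi; jmp rax;",
    0x1: "mov edi, esi; jmp rax;",
}


def split_instructions(gadget: str) -> list[str]:
    """Split a ';'-separated gadget string into instruction strings."""
    return [insn.strip() for insn in gadget.split(";") if insn.strip()]


def match_whole(pattern: str, gadget: str) -> bool:
    """Reading 1: the user's regex is applied to the whole gadget text,
    so '[^p]+' is free to consume the ';' separators."""
    return re.search(pattern, gadget) is not None


def match_per_token(pattern: str, gadget: str, rop_len: int) -> bool:
    """Reading 2 (hypothetical model of the tokenising behaviour): the
    pattern is split at ';' first, so no token ever sees a ';'. Token i
    must match instruction i, and at most rop_len instructions count."""
    tokens = [t.strip() for t in pattern.split(";") if t.strip()]
    insns = split_instructions(gadget)[:rop_len]
    if not tokens or len(tokens) > len(insns):
        return False
    return all(re.search(t, i) is not None for t, i in zip(tokens, insns))


def search(pattern: str, rop_len: int = 5, mode: str = "whole") -> list[int]:
    """Return the sorted addresses of gadgets matching under the chosen reading."""
    hits = []
    for addr, gadget in GADGETS.items():
        if mode == "whole":
            ok = match_whole(pattern, gadget)
        elif mode == "per_token":
            ok = match_per_token(pattern, gadget, rop_len)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        if ok:
            hits.append(addr)
    return sorted(hits)


if __name__ == "__main__":
    for pat, rop_len in (("r[^d]i", 5), ("[^p]+;[^p]+", 2), ("[^p]+;", 2)):
        for mode in ("whole", "per_token"):
            print(f"{pat!r:20} rop.len={rop_len} {mode:10} -> "
                  f"{[hex(a) for a in search(pat, rop_len, mode)]}")
```

Under both readings every pattern from the session matches the gadgets that the quiet-mode output lists, which is why the empty non-quiet output looks like a display issue rather than a regex semantics issue. The per-token model also shows why adding \x3b to a negated class cannot change anything if the split at ';' happens before regcomp: the token never contains a ';' to exclude.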