Ropchain constraint syntax parser

rizinorg / rizin

UNIX-like reverse engineering framework and command-line toolset.

https://rizin.re

GNU Lesser General Public License v3.0

2.51k stars 341 forks source link

Ropchain constraint syntax parser #4552

Open giridharprasath opened 2 weeks ago

giridharprasath commented 2 weeks ago

Parse the rop constraints
Update esil output to rzil sdb
Add /Rg gadget command

Current ROP chain parser misses some gadget when compared with the ROPGadget Asm:

section .text
global _start
_start:
mov dword [esp+0x0],0x80484b0
ret

ROPgadget output: ScreenShot_2024-06-13_at_06:15:20-PM

Rizin output before ScreenShot_2024-06-13_at_06:14:47-PM

Rizin output now: ScreenShot_2024-06-13_at_06:15:54-PM

These ROP gadgets are needed for crafting better rop chains.

Partially fix: #2080

Your checklist for this pull request

[X] I've read the guidelines for contributing to this repository
[X] I made sure to follow the project's coding style
[X] I've documented or updated the documentation of every function and struct this PR changes. If not so I've explained why.
[X] I've added tests that prove my fix is effective or that my feature works (if possible)
[ ] I've updated the rizin book with the relevant information (if needed)

Detailed description

...

Test plan

...

Closing issues

...

giridharprasath commented 5 days ago

  0x00400565               0000  add byte [rax], al
  0x00400567           007cffff  add byte [rdi + rdi*8 - 1], bh
  0x0040056b           ff6c0000  jmp [rax + rax]
Gadget size: 10

Current /Rg output:
Gadget 0x400565
Stack change: 0x8
Changed registers: rax rdi rbx 
Register dependencies:
rax rax rax rdi rdi rdi rdi rbx rax rax

TODO: Update the changed registers based on the init_val and new_val The dependencies list(still in progress, has to be verbose) is memory read and write done on the registers in the gadget. Stack change should be updated. Show jump or syscall Fix leaks

giridharprasath commented 4 days ago

Current output:

  0x004003d0                 a6  cmpsb byte [rsi], byte ptr [rdi]
  0x004003d1               0440  add al, 0x40
  0x004003d3               00ff  add bh, bh
  0x004003d5         15160c2000  adc eax, 0x200c16
  0x004003da                 f4  hlt
Gadget size: 11
Gadget 0x4003d0
Stack change: 0x0
Changed registers: rsi rdi rax rbx 
Register dependencies:
Memory Read: rsi 5
Memory Read: rdi 4195495
Var write: rax 4195648 4195712
Var write: rbx 0 0
Var write: rbx 0 0
Var write: rax 4195648 6295958

Added support for stack change Add the memory read and write to dependencies list Track the register state in modified_registers

Another eg:

  0x0040052d                 5c  pop rsp
  0x0040052e               415d  pop r13
  0x00400530               415e  pop r14
  0x00400532               415f  pop r15
  0x00400534                 c3  ret
Gadget size: 8
Gadget 0x40052d
Stack change: 0x28
Changed registers: rsp r13 r14 r15 
Register dependencies:

giridharprasath commented 2 days ago

Current output:

ScreenShot_2024-06-27_at_12:26:01-AM

TODO:

Refactor construct_rop_gadget API and move the il event handling code to Rg handler Tidy up the Rg cmd output Fix Unit and regression TC

giridharprasath commented 10 hours ago

I think we can merge this PR(once review is over) and we can improve and add direct ROP gadget search in separate PR @XVilka @wargio