sashs / Ropper

Display information about files in different file formats and find gadgets to build rop chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC, SPARC64). For disassembly ropper uses the awesome Capstone Framework.
https://scoding.de/ropper
BSD 3-Clause "New" or "Revised" License

BUGFIX: ARM, Fixing invalid opcode for pop with more than 5 destinations #145

Closed. cbayet closed this 3 years ago

cbayet commented 3 years ago

Ropper is missing some gadgets in ARM and ARMBE because of an invalid definition of the opcode for a pop with more than 5 destinations.

In ARM, if a pop instruction has more than 5 destinations, the second opcode is 81 and not 80. It needs to be added to the definition of a ROP gadget in arch.py.

$ kstool arm "pop {r4, r5, r6, r7, pc}"
pop {r4, r5, r6, r7, pc} = [ f0 80 bd e8 ]
$ kstool arm "pop {r4, r5, r6, r7, r8, pc}"
pop {r4, r5, r6, r7, r8, pc} = [ f0 81 bd e8 ]
cbayet commented 3 years ago

I pushed too fast; it can be more than 81 actually. Coming with a better fix.
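Added example (not Ropper's code) illustrating the encoding behind both comments above: an ARM-mode `pop {reglist}` is `LDM sp!, {...}` (0xE8BD in the high half-word), and its low 16 bits are a register bitmask, so the second byte in memory is 0x80 only when pc is the sole register above r7 in the list. The `fixed_80_match` pattern is an assumed stand-in for the arch.py definition the issue describes; the real regex is not shown on this page.

```python
# Added example, not Ropper's code: encode/decode ARM-mode "pop {reglist}"
# and compare a pattern that fixes the second byte at 0x80 (assumed stand-in
# for the arch.py definition the issue describes) with a bitmask check.

ARM_REGS = {f"r{i}": i for i in range(16)}
ARM_REGS.update({"sp": 13, "lr": 14, "pc": 15})
REG_NAMES = {i: f"r{i}" for i in range(16)}
REG_NAMES.update({13: "sp", 14: "lr", 15: "pc"})

# LDMIA sp!, {...} with cond=AL: bits 31..16 are fixed at 0xE8BD,
# bits 15..0 are the register list (bit n set <=> register n is popped).
POP_BASE = 0xE8BD0000

def encode_pop(regs):
    """Return the 4 little-endian bytes of ARM 'pop {regs}'."""
    mask = 0
    for name in regs:
        mask |= 1 << ARM_REGS[name.lower()]
    return (POP_BASE | mask).to_bytes(4, "little")

def decode_pop(b):
    """Return the popped register names if b is an ARM pop, else None."""
    word = int.from_bytes(b, "little")
    if (word & 0xFFFF0000) != POP_BASE:
        return None
    return [REG_NAMES[i] for i in range(16) if (word >> i) & 1]

def fixed_80_match(b):
    """Assumed narrow pattern: second byte must be exactly 0x80."""
    return b[1] == 0x80 and b[2:] == b"\xbd\xe8"

def pop_pc_match(b):
    """Bitmask check: any ARM pop whose register list includes pc (bit 15)."""
    word = int.from_bytes(b, "little")
    return (word & 0xFFFF8000) == 0xE8BD8000

def missed_by_fixed_pattern():
    """(register, second byte) for pops into pc the fixed pattern rejects."""
    missed = []
    for high in ["r8", "r9", "r10", "r11", "r12", "lr"]:
        b = encode_pop(["r4", "r5", "r6", "r7", high, "pc"])
        if pop_pc_match(b) and not fixed_80_match(b):
            missed.append((high, b[1]))
    return missed

if __name__ == "__main__":
    for regs in (["r4", "r5", "r6", "r7", "pc"], ["r4", "r5", "r6", "r7", "r8", "pc"]):
        print(f"pop {{{', '.join(regs)}}} = [ {encode_pop(regs).hex(' ')} ]")
    print("missed by fixed 0x80 pattern:", missed_by_fixed_pattern())
```

Every register from r8 upward sets a different bit in that second byte, which is why a single fixed value (0x80 or 0x81) cannot cover all pops that end in pc.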