sashs / Ropper

Display information about files in different file formats and find gadgets to build ROP chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC, SPARC64). For disassembly Ropper uses the awesome Capstone Framework.
https://scoding.de/ropper
BSD 3-Clause "New" or "Revised" License

context based calculations #40

Open iz0n opened 8 years ago

iz0n commented 8 years ago

Hi, it's maybe better to create a new issue/ticket for the context :) As explained in #33, it should significantly increase the relevance of the results if we can define the context of execution. The context can be:

This will allow skipping the generation of gadgets that:

It would also be great if we can provide the "crash pattern"; this will allow calculating the stack pivot offset and then printing more accurate gadgets for that...

It could even go further than that by performing an automatic check of each gadget to verify if it will reach the desired esp/ebp values ;)

Have fun :)

eternaleclipse commented 6 years ago

The problem with filtering based on context is that when searching for gadgets, a person takes into account that maybe right now eax=0, but when after chaining a different gadget we can change eax's value and thatmov ebx, [eax] that was earlier useless can become useful again. So we'll need some sort of way to tell ropper to simulate execution until after a specific gadget in our chain and filter gadgets based on the resulted CPU context.