sashs / Ropper

Display information about files in different file formats and find gadgets to build rop chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC, SPARC64). For disassembly ropper uses the awesome Capstone Framework.
https://scoding.de/ropper
BSD 3-Clause "New" or "Revised" License

Add --offset option to specify an arbitrary offset to the base address #47

Closed hugsy closed 7 years ago

hugsy commented 7 years ago

Hi @sashs,

First kudos for the tool, I'm a super big fan (the search command saves me too much time :smile: ). One of the features I used in one of my tools was the --offset option I PR-ed to ROPgadget, which allows you to specify an offset to the gadget offset, like this:

ROPgadget.py --binary ./test-suite-binaries/Linux_lib64.so --offset 0xdeadbeef00000000

I couldn't find such an option in ropper, but maybe I missed it. Does it exist (in master/dev)? Would you be ok to add this option? I can probably PR it if you don't have time.

Keep up the good work!

Cheers,

sashs commented 7 years ago

Hey,

ropper has such an option, but it works a little bit differently. The option -I (upper i) sets the imagebase. The default imagebase of a library in linux is 0x0, and if you use that option, you can add an offset. But for example /bin/ls (x64) has an imagebase of 0x400000:

0x000000000040d6cb: xlatb; jne 0xd6a8; mov rax, rcx; ret;

If you set -I 0x1000000, you will get

0x000000000100d6cb: xlatb; jne 0xd6a8; mov rax, rcx; ret;

If you set -I 0x0, you will get (only the offset in the file will be printed)

0x000000000000d6cb: xlatb; jne 0xd6a8; mov rax, rcx; ret;

This is very useful when you look for gadgets in PE files and the application makes use of ASLR.

I hope this helps. ;)

hugsy commented 7 years ago

How could I miss that... Sorry about that, closing the issue!

Thanks again for your tool!

sashs commented 7 years ago

No problem. :) You can set this in the interactive commandline as well. There is the command imagebase.

hugsy commented 7 years ago

Yes, that's exactly what I was looking for. Just FYI, I made ropper the only ROP finder for my tool gef, and the use of the option imagebase is to create an accurate ROP chain based on the current debugging context (considering the process mapping, page permission and such). ROPgadget allows me only to do a subset of this but I think ropper will do the trick perfectly.

Cheers,
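
As an added example that is neither ropper's nor gef's own code, the following ties together the two points made above: the imagebase semantics sashs describes for -I (address = imagebase + file offset, so changing -I just swaps the base), and the use hugsy describes for gef, rebasing gadgets against the live process mapping and checking page permissions. It parses constructed ropper-style output and a constructed /proc/<pid>/maps excerpt, recomputes each gadget address for the mapped base exactly as re-running ropper with -I <base> would, and flags any gadget that does not land in an executable mapping. All addresses, mappings and helper names here are assumptions made up for the illustration.

```python
"""Rebase ropper gadget addresses onto a live process mapping.

Added example, not code from ropper or gef.  ropper prints gadget
addresses relative to the binary's imagebase (-I on the command line,
`imagebase` in the interactive cli).  Given a /proc/<pid>/maps excerpt,
this rebases those addresses to where the binary actually sits in memory
and checks that each gadget lands in an executable mapping.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed ropper-style output for /bin/ls at its default imagebase 0x400000.
# The first line is the gadget quoted in the thread; the third is made up to
# sit in the writable data segment so the executability check has something
# to reject.
ROPPER_OUTPUT = """\
0x000000000040d6cb: xlatb; jne 0xd6a8; mov rax, rcx; ret;
0x000000000040a4f2: pop rdi; ret;
0x0000000000621008: pop rax; ret;
"""

# Constructed /proc/<pid>/maps excerpt: /bin/ls mapped at 0x1000000 instead
# of 0x400000, with a separate non-executable data mapping and one unrelated
# library mapping.
PROC_MAPS = """\
01000000-01020000 r-xp 00000000 08:01 1234 /bin/ls
01220000-01224000 rw-p 00020000 08:01 1234 /bin/ls
7ffff7dd0000-7ffff7df2000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/ld-2.27.so
"""

GADGET_RE = re.compile(r"^(0x[0-9a-fA-F]+):\s*(.+)$")
# start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(\S*)$"
)


def parse_gadgets(text: str) -> List[Tuple[int, str]]:
    """Turn ropper's 'addr: insns' lines into (address, instructions) pairs."""
    gadgets = []
    for line in text.splitlines():
        m = GADGET_RE.match(line.strip())
        if m:
            gadgets.append((int(m.group(1), 16), m.group(2).strip()))
    return gadgets


def parse_maps(text: str) -> List[Dict]:
    """Parse /proc/<pid>/maps lines into dicts: start, end, perms, offset, path."""
    maps = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            maps.append({
                "start": int(m.group(1), 16),
                "end": int(m.group(2), 16),
                "perms": m.group(3),
                "offset": int(m.group(4), 16),
                "path": m.group(5),
            })
    return maps


def runtime_base(maps: List[Dict], path: str) -> int:
    """Lowest mapping of `path` with file offset 0: where the image really starts."""
    starts = [m["start"] for m in maps if m["path"] == path and m["offset"] == 0]
    if not starts:
        raise ValueError(f"{path} is not mapped")
    return min(starts)


def rebase(addr: int, imagebase: int, base: int) -> int:
    """Same arithmetic as re-running ropper with -I <base>: keep the offset, swap the base."""
    return base + (addr - imagebase)


def mapping_for(maps: List[Dict], addr: int) -> Optional[Dict]:
    """Return the mapping that contains `addr`, or None if it is unmapped."""
    for m in maps:
        if m["start"] <= addr < m["end"]:
            return m
    return None


def rebase_gadgets(gadgets, imagebase: int, maps: List[Dict], path: str):
    """Rebase every gadget and record whether it lands in an executable mapping of `path`."""
    base = runtime_base(maps, path)
    out = []
    for addr, insns in gadgets:
        live = rebase(addr, imagebase, base)
        m = mapping_for(maps, live)
        executable = m is not None and m["path"] == path and "x" in m["perms"]
        out.append((live, insns, executable))
    return out


if __name__ == "__main__":
    # ropper printed these with -I 0x400000; the process has /bin/ls at 0x1000000.
    results = rebase_gadgets(parse_gadgets(ROPPER_OUTPUT), 0x400000, parse_maps(PROC_MAPS), "/bin/ls")
    for live, insns, ok in results:
        print(f"{live:#018x}: {insns}  [{'executable' if ok else 'NOT executable'}]")
```

For a shared library, where ropper's default imagebase is 0x0 and the printed address is just the file offset, the same `rebase` call with `imagebase=0` gives the live address directly; the executability check is what catches a gadget that ropper found in a section the loader mapped without the x bit, which a chain built from the static listing alone would miss.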

sashs commented 7 years ago

Cool! In the ropper cli it is possible to open multiple files. I have just noticed that I forgot to change -I so that you can change the imagebase when you open multiple files with --files.