From 1bc88096bdb734a23ad64c60c5583254fd124e2d Mon Sep 17 00:00:00 2001
From: jr
Date: Sat, 27 Feb 2021 09:39:16 -0500
Subject: [PATCH 01/10] support more endings for ROPing on x86 and ARM
---
 ropper/arch.py | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/ropper/arch.py b/ropper/arch.py
index 6d27fe9..9ae9c92 100644
--- a/ropper/arch.py
+++ b/ropper/arch.py
@@ -30,7 +30,7 @@ from ropper.common.enum import Enum
 from ropper.common.error import NotSupportedError
 from ropper.search import Searcher, Searcherx86, SearcherARM, SearcherMIPS
-from re import compile
+import re
 from capstone import *
 from . import gadget
 try:
@@ -72,6 +72,7 @@ def __init__(self, arch, mode, addressLength, align, endianess=Endianess.LITTLE,
 self._align = align
 self._endings = {}
+ self._endings_re = None
 self._badInstructions = []
 self._categories = {}
 self._maxInvalid = 1
@@ -137,7 +138,13 @@ def addressLength(self):
 @property
 def endings(self):
 return self._endings
-
+
+ @property
+ def endings_re(self):
+ if not self._endings_re:
+ self._endings_re = {key: [(re.compile(x), y) for x, y in value] for key, value in self.endings.items()}
+ return self._endings_re
+
 @property
 def badInstructions(self):
 return self._badInstructions
@@ -202,8 +209,8 @@ def pprs(self):
 def _initGadgets(self):
 super(ArchitectureX86, self)._initGadgets()
- self._endings[gadget.GadgetType.ROP] = [(b'\xc3', 1), # ret
- (b'\xc2[\x00-\xff]{2}', 3)] # ret xxx
+ self._endings[gadget.GadgetType.ROP] = [(b'[\xc3|\xcb]', 1), # ret
+ (b'[\xc2|\xca][\x00-\xff]{2}', 3)] # ret xxx
 self._endings[gadget.GadgetType.SYS] = [(b'\xcd\x80', 2), # int 0x80
 (b'\x0f\x05',2), # syscall
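Review bot: Replacing `from re import compile` with `import re` silently breaks any remaining bare `compile(...)` call in arch.py, and the hunk does not show whether one exists; the failure would be a NameError at search time, not at import. Grep the file for `compile(` before merging, or keep both imports for one release if a caller remains.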
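Review bot: `if not self._endings_re:` treats an empty dict as "not cached", so on an architecture whose `endings` is still `{}` (the `__init__` hunk above initialises it that way) the comprehension re-runs on every access; test the sentinel instead: `if self._endings_re is None:`. The cache is also never invalidated, so if `endings_re` is read before a subclass rewrites `self._endings` (the `ArchitectureArmBE._initEndianess` hunk in this same patch does exactly that) the compiled patterns go stale — a one-line comment on the property would save the next reader a debugging session, e.g. `# compiled lazily from self.endings; do not read before _initGadgets/_initEndianess have run`. The property belongs to a class whose header lies outside the hunk.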
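Review bot: `[\xc3|\xcb]` and `[\xc2|\xca]` are character classes, so the `|` is a literal 0x7c byte rather than alternation: both new ROP patterns also match `jl rel8` (0x7c), and since `__createGadget` applies them with `re.match` a `jl` will be treated as a gadget-terminating `ret`. Drop the pipes: `(b'[\xc3\xcb]', 1), # ret / retf` and `(b'[\xc2\xca][\x00-\xff]{2}', 3)] # ret imm16 / retf imm16`. The comment should also say that 0xcb/0xca are far returns, which pop a code-segment selector as well and only chain when the attacker controls that stack slot too, so users know why those gadgets may not behave like `ret`. `_initGadgets` continues past the end of the hunk (the SYS list is cut off).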
@@ -383,9 +390,9 @@ def __init__(self, endianess=Endianess.LITTLE):
 def _initGadgets(self):
 super(ArchitectureArm, self)._initGadgets()
- self._endings[gadget.GadgetType.ROP] = [(b'[\x01-\xff]\x80\xbd\xe8', 4)] # pop {[reg]*,pc}
- self._endings[gadget.GadgetType.JOP] = [(b'[\x10-\x1e]\xff\x2f\xe1', 4), # bx
- (b'[\x30-\x3e]\xff\x2f\xe1', 4), # blx
+ self._endings[gadget.GadgetType.ROP] = [(b'[\x00-\xff][\x80-\xff][\x10-\x1e\x30-\x3e\x50-\x5e\x70-\x7e\x90-\x9e\xb0-\xbe\xd0-\xde\xf0-\xfe][\xe8\xe9]', 4)]
+ self._endings[gadget.GadgetType.JOP] = [(b'[\x10-\x19\x1e]{1}\xff\x2f\xe1', 4), # bx
+ (b'[\x30-\x39\x3e]{1}\xff\x2f\xe1', 4), # blx
 (b'[\x00-\x0f]\xf0\xa0\xe1', 4), # mov pc,
 (b'\x01\x80\xbd\xe8', 4)] # ldm sp! ,{pc}
@@ -401,9 +408,9 @@ def __init__(self):
 def _initEndianess(self, endianess):
 super(ArchitectureArmBE, self)._initEndianess(endianess)
- self._endings[gadget.GadgetType.ROP] = [(b'\xe8\xbd\x80[\x01-\xff]', 4)] # pop {[reg]*,pc}
- self._endings[gadget.GadgetType.JOP] = [(b'\xe1\x2f\xff[\x10-\x1e]', 4), # bx
- (b'\xe1\x2f\xff[\x30-\x3e]', 4), # blx
+ self._endings[gadget.GadgetType.ROP] = [(b'[\xe8\xe9][\x10-\x1e\x30-\x3e\x50-\x5e\x70-\x7e\x90-\x9e\xb0-\xbe\xd0-\xde\xf0-\xfe][\x80-\xff][\x00-\xff]', 4)] # pop {[reg]*,pc}
+ self._endings[gadget.GadgetType.JOP] = [(b'\xe1\x2f\xff[\x10-\x19\x1e]{1}', 4), # bx
+ (b'\xe1\x2f\xff[\x30-\x39\x3e]{1}', 4), # blx
 (b'\xe1\xa0\xf0[\x00-\x0f]', 4), # mov pc,
 (b'\xe8\xdb\x80\x01', 4)] # ldm sp! ,{pc}
@@ -424,7 +431,7 @@ def __init__(self):
 def _initGadgets(self):
 super(ArchitectureArmThumb, self)._initGadgets()
 self._endings[gadget.GadgetType.ROP] = [(b'[\x00-\xff]\xbd', 2)] # pop {[regs]*,pc}
- self._endings[gadget.GadgetType.JOP] = [(b'[\x00-\x7f]\x47', 2), # bx
+ self._endings[gadget.GadgetType.JOP] = [(b'[\x00\x08\x10\x18\x20\x28\x30\x38\x40\x48\x70]{1}\x47', 2), # bx
 (b'[\x80\x88\x90\x98\xa0\xa8\xb0\xb8\xc0\xc8\xd0\xd8\xe0\xe8\xf0\xf8]\x47', 2) # blx
 ]
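Review bot: The new `bx`/`blx` classes `[\x10-\x19\x1e]{1}` and `[\x30-\x39\x3e]{1}` drop Rm = r10–r13, so legitimate endings such as `bx ip` (`e12fff1c`) and `blx ip` (`e12fff3c`) are no longer collected; losing r10–r12 looks accidental — patch 02 in this series reverts the equivalent Thumb narrowing for exactly that reason — while excluding sp may be deliberate. If only sp and pc should be excluded, `[\x10-\x1c\x1e]` and `[\x30-\x3c\x3e]` do that, and the `{1}` quantifiers are no-ops that can go. The ROP `ldm` pattern on the new side has also lost its `# pop {[reg]*,pc}` comment while the BE hunk below kept it; both hunks mirror the same register ranges. `_initGadgets` ends inside the hunk.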
From 94d97bfbf5ebac38033fdbb6fd23d9210f7570cb Mon Sep 17 00:00:00 2001
From: jr
Date: Sat, 27 Feb 2021 10:00:55 -0500
Subject: [PATCH 02/10] revert thumb change it culled valid but weird gadgets (e.g. bx pc) which is allowed but deprecated
---
 ropper/arch.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/ropper/arch.py b/ropper/arch.py
index 9ae9c92..ed32be6 100644
--- a/ropper/arch.py
+++ b/ropper/arch.py
@@ -414,6 +414,7 @@ def _initEndianess(self, endianess):
 (b'\xe1\xa0\xf0[\x00-\x0f]', 4), # mov pc,
 (b'\xe8\xdb\x80\x01', 4)] # ldm sp! ,{pc}
+
 class ArchitectureArmThumb(Architecture):
 def __init__(self):
@@ -431,13 +432,11 @@ def __init__(self):
 def _initGadgets(self):
 super(ArchitectureArmThumb, self)._initGadgets()
 self._endings[gadget.GadgetType.ROP] = [(b'[\x00-\xff]\xbd', 2)] # pop {[regs]*,pc}
- self._endings[gadget.GadgetType.JOP] = [(b'[\x00\x08\x10\x18\x20\x28\x30\x38\x40\x48\x70]{1}\x47', 2), # bx
+ self._endings[gadget.GadgetType.JOP] = [(b'[\x00-\x7f]\x47', 2), # bx
 (b'[\x80\x88\x90\x98\xa0\xa8\xb0\xb8\xc0\xc8\xd0\xd8\xe0\xe8\xf0\xf8]\x47', 2) # blx
 ]
-
-
 class ArchitectureArm64(Architecture):
 def __init__(self):
From e953cdf77feb0fb29b3b27643426ad73f522f7da Mon Sep 17 00:00:00 2001
From: jr
Date: Sat, 27 Feb 2021 10:10:12 -0500
Subject: [PATCH 03/10] Adds detection of ROP ending instructions in the middle of gadgets and truncates the gadget
---
 ropper/rop.py | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/ropper/rop.py b/ropper/rop.py
index 6c5722d..73347a8 100644
--- a/ropper/rop.py
+++ b/ropper/rop.py
@@ -454,19 +454,28 @@ def __gatherGadgetsByEnding(self, code, arch, fileName, sectionName, offset, end
 def __createGadget(self, arch, code_str, codeStartAddress, ending, binary=None, section=None):
 gadget = Gadget(binary, section, arch)
 hasret = False
- if codeStartAddress == 0x0000000001b34d74:
- print("found")
 disassembler = self.__getCs(arch)
-
- for i in disassembler.disasm(code_str, codeStartAddress):
- if re.match(ending[0], i.bytes):
+ instrs = list(disassembler.disasm(code_str, codeStartAddress+gadget.imageBase))
+ for i, inst in enumerate(instrs):
+
+ if re.match(ending[0], inst.bytes):
 hasret = True
- if hasret or i.mnemonic not in arch.badInstructions:
- gadget.append(
- i.address, i.mnemonic,i.op_str, bytes=i.bytes)
+ reset_gadget = False
+ if i != len(instrs)-1:
+ for ending2 in arch.endings_re[GadgetType.ROP]:
+ if ending2[0].match(inst.bytes):
+ # anything before this (including this instr) isn't part of this gadget
+ reset_gadget = True
+ break
+ if reset_gadget:
+ gadget = Gadget(binary, section, arch)
+ continue
+
+ if hasret or inst.mnemonic not in arch.badInstructions:
+ gadget.append(inst.address, inst.mnemonic,inst.op_str, bytes=inst.bytes)
- if (hasret and not arch.hasBranchDelaySlot) or i.mnemonic in arch.badInstructions:
+ if (hasret and not arch.hasBranchDelaySlot) or inst.mnemonic in arch.badInstructions:
 break
From 5b83e69751c10034671f208aefbe125584530851 Mon Sep 17 00:00:00 2001
From: jr
Date: Sat, 27 Feb 2021 10:15:40 -0500
Subject: [PATCH 04/10] remove code better destined for it's own pull request
---
 ropper/rop.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ropper/rop.py b/ropper/rop.py
index 73347a8..3b6ecec 100644
--- a/ropper/rop.py
+++ b/ropper/rop.py
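Review bot: `hasret` is never cleared when the gadget is reset, so when `ending[0]` is itself a ROP ending and an earlier `ret` / `pop {…, pc}` decodes mid-range, the loop sets `hasret = True`, throws the prefix away via `continue`, and then on the very next instruction `hasret` is still True: that instruction is appended even if it is a bad instruction and the trailing `break` fires, producing a one-instruction gadget that never reaches the real ending. Add `hasret = False` beside `gadget = Gadget(binary, section, arch)` in the `if reset_gadget:` branch. Only `GadgetType.ROP` endings trigger the truncation, so a mid-gadget `jmp reg`/`call reg`/`syscall` still flows through into the collected gadget; if that is intended, say so in the existing `# anything before this …` comment. The `if i != len(instrs)-1` guard and the `endings_re` cache are otherwise sound, but `__createGadget` continues past the hunk and its return is not visible here.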
@@ -455,7 +455,7 @@ def __createGadget(self, arch, code_str, codeStartAddress, ending, binary=None,
 gadget = Gadget(binary, section, arch)
 hasret = False
 disassembler = self.__getCs(arch)
- instrs = list(disassembler.disasm(code_str, codeStartAddress+gadget.imageBase))
+ instrs = list(disassembler.disasm(code_str, codeStartAddress))
 for i, inst in enumerate(instrs):
 if re.match(ending[0], inst.bytes):
From 368c3eb241dc46e5e22c3236329f3e7fa6425fd0 Mon Sep 17 00:00:00 2001
From: jr
Date: Sat, 27 Feb 2021 10:27:34 -0500
Subject: [PATCH 05/10] fixes the jump targets for relative jumps like 'bl' on ARM
---
 ropper/rop.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ropper/rop.py b/ropper/rop.py
index 3b6ecec..73347a8 100644
--- a/ropper/rop.py
+++ b/ropper/rop.py
@@ -455,7 +455,7 @@ def __createGadget(self, arch, code_str, codeStartAddress, ending, binary=None,
 gadget = Gadget(binary, section, arch)
 hasret = False
 disassembler = self.__getCs(arch)
- instrs = list(disassembler.disasm(code_str, codeStartAddress))
+ instrs = list(disassembler.disasm(code_str, codeStartAddress+gadget.imageBase))
 for i, inst in enumerate(instrs):
 if re.match(ending[0], inst.bytes):
From 258320dfd710df0986145bb0869db5294f47f0f4 Mon Sep 17 00:00:00 2001
From: jr
Date: Sat, 27 Feb 2021 15:47:25 -0500
Subject: [PATCH 06/10] fixes regression where gadget addresses were incorrect
---
 ropper/rop.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ropper/rop.py b/ropper/rop.py
index 73347a8..2eb80a0 100644
--- a/ropper/rop.py
+++ b/ropper/rop.py
@@ -473,7 +473,7 @@ def __createGadget(self, arch, code_str, codeStartAddress, ending, binary=None,
 continue
 if hasret or inst.mnemonic not in arch.badInstructions:
- gadget.append(inst.address, inst.mnemonic,inst.op_str, bytes=inst.bytes)
+ gadget.append(inst.address-gadget.imageBase, inst.mnemonic,inst.op_str, bytes=inst.bytes)
 if (hasret and not arch.hasBranchDelaySlot) or inst.mnemonic in arch.badInstructions:
 break
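Review bot: After patches 04–06 the disassembler is fed `codeStartAddress+gadget.imageBase` while `append` stores `inst.address-gadget.imageBase`, and nothing in the code says why; the back-and-forth across three commits shows how easy it is for the next person to "simplify" one side and reintroduce either the wrong branch targets (patch 05's fix) or the wrong gadget addresses (this one). Add a comment above the `append`, e.g. `# disassembled at the load VA so capstone renders relative targets (bl, jmp rel) correctly; Gadget keeps offsets, so strip imageBase again`, hedged to whatever the Gadget address convention actually is — it is not visible in this hunk. The hunk is a fragment of `__createGadget`, whose start and end lie outside it.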
From 12052e906bd512812dc8707ba5a3dce170680b93 Mon Sep 17 00:00:00 2001
From: jr
Date: Sun, 28 Feb 2021 10:35:41 -0500
Subject: [PATCH 07/10] refines difference between ROP and JOP ldm instructions
---
 ropper/arch.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/ropper/arch.py b/ropper/arch.py
index ed32be6..b8cd4f6 100644
--- a/ropper/arch.py
+++ b/ropper/arch.py
@@ -390,11 +390,16 @@ def __init__(self, endianess=Endianess.LITTLE):
 def _initGadgets(self):
 super(ArchitectureArm, self)._initGadgets()
- self._endings[gadget.GadgetType.ROP] = [(b'[\x00-\xff][\x80-\xff][\x10-\x1e\x30-\x3e\x50-\x5e\x70-\x7e\x90-\x9e\xb0-\xbe\xd0-\xde\xf0-\xfe][\xe8\xe9]', 4)]
+ # bitfields, yes if pc is set
+ self._endings[gadget.GadgetType.ROP] = [((b'[\x00-\xff][\x80-\xff]' + # pc + any reg
+ b'[\xbd\xfd]' + # u=1, s=0, w=1, l=1, Rn=1101 (sp)
+ b'[\xe8\xe9]'), 4)] # e=undconditional, 8/9=opcode+pre/post indexing bit set to anything
 self._endings[gadget.GadgetType.JOP] = [(b'[\x10-\x19\x1e]{1}\xff\x2f\xe1', 4), # bx
 (b'[\x30-\x39\x3e]{1}\xff\x2f\xe1', 4), # blx
 (b'[\x00-\x0f]\xf0\xa0\xe1', 4), # mov pc,
- (b'\x01\x80\xbd\xe8', 4)] # ldm sp! ,{pc}
+ ((b'[\x00-\xff][\x80-\xff]' + # pc + any reg
+ b'[\x10-\x1c\x1e\x30-\x3c\x3e\x50-\x5c\x5e\x70-\x7c\x7e\x90-\x9c\x9e\xb0-\xbc\xbe\xd0-\xdc\xde\xf0-\xfc\xfe]' + # u=0/1, s=0/1, w=0/1, l=1, Rn=anything but sp or pc
+ b'[\xe8\xe9]'), 4)] # e=undconditional, 8/9=opcode+pre/post indexing bit set to anything
 class ArchitectureArmBE(ArchitectureArm):
@@ -408,11 +413,16 @@ def __init__(self):
 def _initEndianess(self, endianess):
 super(ArchitectureArmBE, self)._initEndianess(endianess)
- self._endings[gadget.GadgetType.ROP] = [(b'[\xe8\xe9][\x10-\x1e\x30-\x3e\x50-\x5e\x70-\x7e\x90-\x9e\xb0-\xbe\xd0-\xde\xf0-\xfe][\x80-\xff][\x00-\xff]', 4)] # pop {[reg]*,pc}
+ #(b'[\xe8\xe9][\x10-\x1e\x30-\x3e\x50-\x5e\x70-\x7e\x90-\x9e\xb0-\xbe\xd0-\xde\xf0-\xfe][\x80-\xff][\x00-\xff]', 4)
+ self._endings[gadget.GadgetType.ROP] = [((b'[\xe8\xe9]' + # e=undconditional, 8/9=opcode+pre/post indexing bit set to anything
+ b'[\xbd\xfd]' + # u=1, s=0/1, w=1, l=1, Rn=1101 (sp)
+ b'[\x80-\xff][\x00-\xff]'), 4)] # pc + any reg
 self._endings[gadget.GadgetType.JOP] = [(b'\xe1\x2f\xff[\x10-\x19\x1e]{1}', 4), # bx
 (b'\xe1\x2f\xff[\x30-\x39\x3e]{1}', 4), # blx
 (b'\xe1\xa0\xf0[\x00-\x0f]', 4), # mov pc,
- (b'\xe8\xdb\x80\x01', 4)] # ldm sp! ,{pc}
+ ((b'[\xe8\xe9]' + # e=undconditional, 8/9=opcode+pre/post indexing bit set to anything
+ b'[\x10-\x1c\x1e\x30-\x3c\x3e\x50-\x5c\x5e\x70-\x7c\x7e\x90-\x9c\x9e\xb0-\xbc\xbe\xd0-\xdc\xde\xf0-\xfc\xfe]' + # u=0/1, s=0/1, w=0/1, l=1, Rn=anything but sp or pc
+ b'[\x80-\xff][\x00-\xff]'), 4)] # pc + any reg
 class ArchitectureArmThumb(Architecture):
From ec88529aa50cf47981391f9a76afe61acbc4691c Mon Sep 17 00:00:00 2001
From: jr
Date: Sun, 28 Feb 2021 10:36:12 -0500
Subject: [PATCH 08/10] Revert "refines difference between ROP and JOP ldm instructions"
This reverts commit 12052e906bd512812dc8707ba5a3dce170680b93.
---
 ropper/arch.py | 18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)
diff --git a/ropper/arch.py b/ropper/arch.py
index b8cd4f6..ed32be6 100644
--- a/ropper/arch.py
+++ b/ropper/arch.py
@@ -390,16 +390,11 @@ def __init__(self, endianess=Endianess.LITTLE):
 def _initGadgets(self):
 super(ArchitectureArm, self)._initGadgets()
- # bitfields, yes if pc is set
- self._endings[gadget.GadgetType.ROP] = [((b'[\x00-\xff][\x80-\xff]' + # pc + any reg
- b'[\xbd\xfd]' + # u=1, s=0, w=1, l=1, Rn=1101 (sp)
- b'[\xe8\xe9]'), 4)] # e=undconditional, 8/9=opcode+pre/post indexing bit set to anything
+ self._endings[gadget.GadgetType.ROP] = [(b'[\x00-\xff][\x80-\xff][\x10-\x1e\x30-\x3e\x50-\x5e\x70-\x7e\x90-\x9e\xb0-\xbe\xd0-\xde\xf0-\xfe][\xe8\xe9]', 4)]
 self._endings[gadget.GadgetType.JOP] = [(b'[\x10-\x19\x1e]{1}\xff\x2f\xe1', 4), # bx
 (b'[\x30-\x39\x3e]{1}\xff\x2f\xe1', 4), # blx
 (b'[\x00-\x0f]\xf0\xa0\xe1', 4), # mov pc,
- ((b'[\x00-\xff][\x80-\xff]' + # pc + any reg
- b'[\x10-\x1c\x1e\x30-\x3c\x3e\x50-\x5c\x5e\x70-\x7c\x7e\x90-\x9c\x9e\xb0-\xbc\xbe\xd0-\xdc\xde\xf0-\xfc\xfe]' + # u=0/1, s=0/1, w=0/1, l=1, Rn=anything but sp or pc
- b'[\xe8\xe9]'), 4)] # e=undconditional, 8/9=opcode+pre/post indexing bit set to anything
+ (b'\x01\x80\xbd\xe8', 4)] # ldm sp! ,{pc}
 class ArchitectureArmBE(ArchitectureArm):
@@ -413,16 +408,11 @@ def __init__(self):
 def _initEndianess(self, endianess):
 super(ArchitectureArmBE, self)._initEndianess(endianess)
- #(b'[\xe8\xe9][\x10-\x1e\x30-\x3e\x50-\x5e\x70-\x7e\x90-\x9e\xb0-\xbe\xd0-\xde\xf0-\xfe][\x80-\xff][\x00-\xff]', 4)
- self._endings[gadget.GadgetType.ROP] = [((b'[\xe8\xe9]' + # e=undconditional, 8/9=opcode+pre/post indexing bit set to anything
- b'[\xbd\xfd]' + # u=1, s=0/1, w=1, l=1, Rn=1101 (sp)
- b'[\x80-\xff][\x00-\xff]'), 4)] # pc + any reg
+ self._endings[gadget.GadgetType.ROP] = [(b'[\xe8\xe9][\x10-\x1e\x30-\x3e\x50-\x5e\x70-\x7e\x90-\x9e\xb0-\xbe\xd0-\xde\xf0-\xfe][\x80-\xff][\x00-\xff]', 4)] # pop {[reg]*,pc}
 self._endings[gadget.GadgetType.JOP] = [(b'\xe1\x2f\xff[\x10-\x19\x1e]{1}', 4), # bx
 (b'\xe1\x2f\xff[\x30-\x39\x3e]{1}', 4), # blx
 (b'\xe1\xa0\xf0[\x00-\x0f]', 4), # mov pc,
- ((b'[\xe8\xe9]' + # e=undconditional, 8/9=opcode+pre/post indexing bit set to anything
- b'[\x10-\x1c\x1e\x30-\x3c\x3e\x50-\x5c\x5e\x70-\x7c\x7e\x90-\x9c\x9e\xb0-\xbc\xbe\xd0-\xdc\xde\xf0-\xfc\xfe]' + # u=0/1, s=0/1, w=0/1, l=1, Rn=anything but sp or pc
- b'[\x80-\xff][\x00-\xff]'), 4)] # pc + any reg
+ (b'\xe8\xdb\x80\x01', 4)] # ldm sp! ,{pc}
 class ArchitectureArmThumb(Architecture):
From c1656dbae404d0b9b7c943302532ceecc629ebd0 Mon Sep 17 00:00:00 2001
From: jr
Date: Sun, 28 Feb 2021 10:41:09 -0500
Subject: [PATCH 09/10] refines difference between ROP and JOP ldm instructions
---
 ropper/arch.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/ropper/arch.py b/ropper/arch.py
index ed32be6..bceb233 100644
--- a/ropper/arch.py
+++ b/ropper/arch.py
@@ -390,11 +390,16 @@ def __init__(self, endianess=Endianess.LITTLE):
 def _initGadgets(self):
 super(ArchitectureArm, self)._initGadgets()
- self._endings[gadget.GadgetType.ROP] = [(b'[\x00-\xff][\x80-\xff][\x10-\x1e\x30-\x3e\x50-\x5e\x70-\x7e\x90-\x9e\xb0-\xbe\xd0-\xde\xf0-\xfe][\xe8\xe9]', 4)]
+ self._endings[gadget.GadgetType.ROP] = [((b'[\x00-\xff][\x80-\xff]' + # pc + any reg
+ b'[\xbd\xfd]' + # u=1, s=0, w=1, l=1, Rn=1101 (sp)
+ b'[\xe8\xe9]'), 4)] # e=undconditional, 8/9=opcode+pre/post indexing bit set to anything
 self._endings[gadget.GadgetType.JOP] = [(b'[\x10-\x19\x1e]{1}\xff\x2f\xe1', 4), # bx
 (b'[\x30-\x39\x3e]{1}\xff\x2f\xe1', 4), # blx
 (b'[\x00-\x0f]\xf0\xa0\xe1', 4), # mov pc,
- (b'\x01\x80\xbd\xe8', 4)] # ldm sp! ,{pc}
+ # ldm anything not sp into pc
+ ((b'[\x00-\xff][\x80-\xff]' + # pc + any reg
+ b'[\x10-\x1c\x1e\x30-\x3c\x3e\x50-\x5c\x5e\x70-\x7c\x7e\x90-\x9c\x9e\xb0-\xbc\xbe\xd0-\xdc\xde\xf0-\xfc\xfe]' + # u=0/1, s=0/1, w=0/1, l=1, Rn=anything but sp or pc
+ b'[\xe8\xe9]'), 4)] # e=undconditional, 8/9=opcode+pre/post indexing bit set to anything
 class ArchitectureArmBE(ArchitectureArm):
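Review bot: Between the two `ldm` classes, Rn = sp is now accepted only with U=1/W=1 (`[\xbd\xfd]`) while the JOP class skips every `…d` value, so `ldm sp, {…, pc}` without writeback (second byte 0x9d / 0xdd) and the `ldmda`/`ldmdb sp` forms (0x1d, 0x3d, 0x5d, 0x7d) fall in neither list and are silently no longer collected, although the pre-patch pattern accepted them. If only writeback pops are wanted as ROP endings, state that in the comment and consider adding the remaining sp encodings to the JOP class so they are not lost altogether. The `# u=1, s=0, …` comment is also wrong for `\xfd`, which has S=1 — if I read the encoding right that is the exception-return variant when pc is in the list — so either drop `\xfd` or write `s=0/1` as the BE hunk does. `_initGadgets` ends inside the hunk.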
@@ -408,11 +413,16 @@ def __init__(self):
 def _initEndianess(self, endianess):
 super(ArchitectureArmBE, self)._initEndianess(endianess)
- self._endings[gadget.GadgetType.ROP] = [(b'[\xe8\xe9][\x10-\x1e\x30-\x3e\x50-\x5e\x70-\x7e\x90-\x9e\xb0-\xbe\xd0-\xde\xf0-\xfe][\x80-\xff][\x00-\xff]', 4)] # pop {[reg]*,pc}
+ self._endings[gadget.GadgetType.ROP] = [((b'[\xe8\xe9]' + # e=undconditional, 8/9=opcode+pre/post indexing bit set to anything
+ b'[\xbd\xfd]' + # u=1, s=0/1, w=1, l=1, Rn=1101 (sp)
+ b'[\x80-\xff][\x00-\xff]'), 4)] # pc + any reg
 self._endings[gadget.GadgetType.JOP] = [(b'\xe1\x2f\xff[\x10-\x19\x1e]{1}', 4), # bx
 (b'\xe1\x2f\xff[\x30-\x39\x3e]{1}', 4), # blx
 (b'\xe1\xa0\xf0[\x00-\x0f]', 4), # mov pc,
- (b'\xe8\xdb\x80\x01', 4)] # ldm sp! ,{pc}
+ # ldm anything not sp into pc
+ ((b'[\xe8\xe9]' + # e=undconditional, 8/9=opcode+pre/post indexing bit set to anything
+ b'[\x10-\x1c\x1e\x30-\x3c\x3e\x50-\x5c\x5e\x70-\x7c\x7e\x90-\x9c\x9e\xb0-\xbc\xbe\xd0-\xdc\xde\xf0-\xfc\xfe]' + # u=0/1, s=0/1, w=0/1, l=1, Rn=anything but sp or pc
+ b'[\x80-\xff][\x00-\xff]'), 4)] # pc + any reg
 class ArchitectureArmThumb(Architecture):
From 2c972bf6a718441ca8f0f6e0a694506562592271 Mon Sep 17 00:00:00 2001
From: jr
Date: Sun, 28 Feb 2021 10:44:11 -0500
Subject: [PATCH 10/10] fixes spelling mistake
---
 ropper/arch.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ropper/arch.py b/ropper/arch.py
index bceb233..bb79b96 100644
--- a/ropper/arch.py
+++ b/ropper/arch.py
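Review bot: The big-endian patterns are the little-endian byte groups reversed by hand, and the two copies have already drifted: this hunk documents `[\xbd\xfd]` as `s=0/1` while the LE hunk above says `s=0` for the identical class, and the LE ROP entry carries no `# pop` comment at all. Consider deriving the BE tuples from the LE ones (reverse the list of single-byte groups and `b''.join` them) or, at minimum, keeping the comment text byte-identical in both classes so a future edit to one cannot leave the other stale. The same coverage gap as in the LE hunk applies here: `ldm sp` without writeback and the `ldmda`/`ldmdb sp` encodings match neither list. `_initEndianess` ends inside the hunk.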
@@ -413,14 +413,14 @@ def __init__(self):
 def _initEndianess(self, endianess):
 super(ArchitectureArmBE, self)._initEndianess(endianess)
- self._endings[gadget.GadgetType.ROP] = [((b'[\xe8\xe9]' + # e=undconditional, 8/9=opcode+pre/post indexing bit set to anything
+ self._endings[gadget.GadgetType.ROP] = [((b'[\xe8\xe9]' + # e=unconditional, 8/9=opcode+pre/post indexing bit set to anything
 b'[\xbd\xfd]' + # u=1, s=0/1, w=1, l=1, Rn=1101 (sp)
 b'[\x80-\xff][\x00-\xff]'), 4)] # pc + any reg
 self._endings[gadget.GadgetType.JOP] = [(b'\xe1\x2f\xff[\x10-\x19\x1e]{1}', 4), # bx
 (b'\xe1\x2f\xff[\x30-\x39\x3e]{1}', 4), # blx
 (b'\xe1\xa0\xf0[\x00-\x0f]', 4), # mov pc,
 # ldm anything not sp into pc
- ((b'[\xe8\xe9]' + # e=undconditional, 8/9=opcode+pre/post indexing bit set to anything
+ ((b'[\xe8\xe9]' + # e=unconditional, 8/9=opcode+pre/post indexing bit set to anything
 b'[\x10-\x1c\x1e\x30-\x3c\x3e\x50-\x5c\x5e\x70-\x7c\x7e\x90-\x9c\x9e\xb0-\xbc\xbe\xd0-\xdc\xde\xf0-\xfc\xfe]' + # u=0/1, s=0/1, w=0/1, l=1, Rn=anything but sp or pc
 b'[\x80-\xff][\x00-\xff]'), 4)] # pc + any reg
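Review bot: The spelling fix only touches `ArchitectureArmBE._initEndianess`; the same `e=undconditional` comment still appears twice in `ArchitectureArm._initGadgets` as added by patch 09's first hunk. Apply the identical `# e=unconditional, 8/9=opcode+pre/post indexing bit set to anything` wording there so the two classes read the same.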