-
Notifications
You must be signed in to change notification settings - Fork 207
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Detect more endings #139
base: master
Are you sure you want to change the base?
Detect more endings #139
Conversation
it culled valid but weird gadgets (e.g. bx pc) which is allowed but deprecated
after thinking more about this and experimenting some, it may make sense to modify this somewhat. on ARM, the pop (i.e. ldm) base register can be any register and as such, an instruction like |
Other case in question: |
The refined split between ROP and JOP for ldm* instructions is:
its JOP if:
|
Hi. |
I add it when disassembling the gadget so that relative branch targets are correct (I can show an example if you'd like), but then subtract it for the gadget address because there's logic elsewhere that adds the imageBase back on for printing e.g. Line 209 in 9a94802
I'm open to trying to combine all of that so it's consistent, I just wanted to keep the changes narrowed down until you weighed in. Are there other areas where the distinction between |
Also I've totally just mixed together these pull requests at this point, sorry :/ |
I found some cases where Ropper would output fewer instructions for a given binary than ROPGadget. I found that the regex for end instructions on both x86 and ARM are overly specific:
x86: missing the retf/retn distinction
ARM: only included one type of pop when imo any pop into pc (aside from conditionals) should qualify as an end instruction. also the JOP code for ARM was missing some forms of bl and blx
Most of the regex here is pulled from ROPGadget and I attempted to validate as best I could against the instruction set documentation (https://iitd-plos.github.io/col718/ref/arm-instructionset.pdf)
There is also a regex compilation caching feature I added that relates to another pull request I am going to send soon.