Ropper

BUGFIX: gadgets missed because of a bad declaration of the pop pc gadget.

cbayet opened this issue 4 years ago • 2 comments

The pattern of a pop pc gadget in arch.py does not cover all the cases, making ropper miss a lot of gadgets in ARM and ARMBE.

Fixing this pattern to identify all possible instructions that end up in a usable gadget is not an easy task. After a few attempts to fix this pattern myself, I finally decided to use the same pattern that is used in ROPGadget.

I'm not sure that it's perfect, but it's for sure a better version than the current pattern in ropper.

ropper is now able to find gadgets like pop {r4, r5, r6, r7, r8, pc}; in ARM and ARMBE.

cbayet avatar Jun 14 '21 13:06 cbayet

Second commit added to handle the detection of the pop {pc} gadget, which is surprisingly not handled by ropper and ROPGadget.

cbayet avatar Jun 14 '21 15:06 cbayet

Once again, the previous commit was bad. It was properly detecting pop {pc} gadgets, but introduced detection of other instructions that are not gadgets, like:

$ kstool arm "ldr ip, [r1], #4" 
ldr ip, [r1], #4 = [ 04 c0 91 e4 ]

So I added a specific pattern for the detection of a pop {pc} gadget, and kept the original pattern from ROPGadget for everything else.

cbayet avatar Jun 15 '21 08:06 cbayet
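The discussion above comes down to which bytes a gadget pattern pins down. Below is an added example, not code from ropper or ROPGadget, that matches the two terminators mentioned in this thread directly on their A32 encodings: `pop {..., pc}` assembles to `ldmia sp!, {...}` (word `0xE8BDxxxx` with bit 15 set) and `pop {pc}` assembles to `ldr pc, [sp], #4` (exactly `0xE49DF004`, the `04 f0 9d e4` bytes). It also includes a deliberately over-broad check (my own construction, not the pattern that was in ropper) that leaves Rn and Rt free, to show why `ldr ip, [r1], #4` (`04 c0 91 e4`) slips through unless all four bytes of `pop {pc}` are pinned. The sample blob is constructed inline; only the AL condition code is considered, and the blob is assumed to be 4-byte aligned.

```python
"""Byte-pattern detection of ARM 'pop ... pc' gadget terminators.

Added example (not ropper's or ROPGadget's code). Masks are derived from
the A32 encodings with cond = AL; the sample blob is constructed inline.
"""
import struct

# ldmia sp!, {..., pc}  ->  0xE8BD_xxxx with bit 15 (pc) set in the register list.
POP_LIST_PC_MASK, POP_LIST_PC_VALUE = 0xFFFF8000, 0xE8BD8000
# ldr pc, [sp], #4  ->  exactly 0xE49DF004; this is how 'pop {pc}' assembles.
POP_PC_WORD = 0xE49DF004
# Hypothetical over-broad check (my construction): pins only the opcode byte of a
# post-indexed LDR and the #4 immediate, leaving Rn and Rt unconstrained.  It
# matches 'pop {pc}' but also 'ldr ip, [r1], #4' (0xE491C004), the false positive
# quoted in the thread.
NAIVE_MASK, NAIVE_VALUE = 0xFF0000FF, 0xE4000004

REG_NAMES = [f"r{i}" for i in range(13)] + ["sp", "lr", "pc"]


def reglist_str(bits):
    """Render a 16-bit LDM register list as 'r4, r5, ..., pc'."""
    return ", ".join(name for i, name in enumerate(REG_NAMES) if bits >> i & 1)


def classify(word):
    """Return the gadget mnemonic for one 32-bit A32 instruction word, or None."""
    if word == POP_PC_WORD:
        return "pop {pc}"
    if word & POP_LIST_PC_MASK == POP_LIST_PC_VALUE:
        return "pop {" + reglist_str(word & 0xFFFF) + "}"
    return None


def naive_pop_pc_match(word):
    """The over-broad check; True for any 'ldr Rt, [Rn], #4' with cond = AL."""
    return word & NAIVE_MASK == NAIVE_VALUE


def find_pop_pc_gadgets(blob, big_endian=False):
    """Scan an aligned code blob and return [(offset, mnemonic), ...].

    big_endian=False is ARM (little-endian words), True is ARMBE.
    """
    fmt = ">I" if big_endian else "<I"
    hits = []
    for off in range(0, len(blob) - 3, 4):  # assumes 4-byte aligned A32 code
        word = struct.unpack_from(fmt, blob, off)[0]
        mnemonic = classify(word)
        if mnemonic:
            hits.append((off, mnemonic))
    return hits


# Constructed sample, little-endian words.
SAMPLE_LE = bytes.fromhex(
    "0000a0e1"  # mov r0, r0 (nop)              -> not a gadget
    "f081bde8"  # pop {r4, r5, r6, r7, r8, pc}  -> ldmia sp!, reglist 0x81F0
    "04f09de4"  # pop {pc}                      -> ldr pc, [sp], #4
    "04c091e4"  # ldr ip, [r1], #4              -> the false positive from the thread
)
# Same code for ARMBE: each 4-byte word byte-swapped.
SAMPLE_BE = b"".join(SAMPLE_LE[i:i + 4][::-1] for i in range(0, len(SAMPLE_LE), 4))

if __name__ == "__main__":
    for off, mnemonic in find_pop_pc_gadgets(SAMPLE_LE):
        print(f"0x{off:04x}: {mnemonic}")
    false_positive = struct.unpack_from("<I", SAMPLE_LE, 12)[0]
    print("naive check accepts ldr ip, [r1], #4:", naive_pop_pc_match(false_positive))
    print("strict check accepts it:", classify(false_positive) is not None)
```

Matching on the decoded word rather than on a byte regex makes the endianness difference a matter of the unpack format only, and it makes explicit which fields a pattern constrains: the list form needs Rn = sp and bit 15 set, while the single-register form has no register list at all and must be matched on the full word.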

Merged, THX

sashs avatar Aug 07 '22 10:08 sashs