Ropper
Ropper copied to clipboard
sashs
context based calculations
Hi, It's maybe better to create a new issue/ticket for the context :) As explained in #33 , it should significantly increase the relevance of the results if we can define the context of execution. The context can be:
- cpu context (registers)
- stack dump + stack base adress
This will allow skipping the generation of gadgets that:
- dereference null pointers (eax = 0x00 and mov esp, [eax])
- dereference pointers outside of adressable memory (mov eax, [esp-0x8f123456])
- ...
It would be great also if we can provide the "crash pattern", this will allow the calculation of the stack pivot offset then print more accurate gadgets for that...
It could even go far from that by performing an automatic check of each gadget to verify if it will reach the desired esp/ebp values ;)
Have fun :)
The problem with filtering based on context is that when searching for gadgets, a person takes into account that maybe right now eax=0, but when after chaining a different gadget we can change eax's value and thatmov ebx, [eax] that was earlier useless can become useful again. So we'll need some sort of way to tell ropper to simulate execution until after a specific gadget in our chain and filter gadgets based on the resulted CPU context.
