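def get_ropper_service(self):
    """Build a RopperService from this object's options and load every file.

    Reads ``self.color``, ``self.badbytes``, ``self.files`` and ``self.arch``.
    Each entry of ``self.files`` is either a plain path or ``path:base``,
    where ``base`` is a hexadecimal image base (an optional ``0x`` prefix is
    accepted) that is applied to that file before its gadgets are loaded.

    Returns:
        The configured RopperService with gadgets loaded for every file.

    Raises:
        ValueError: if the text after the last ``:`` of an entry is not a
            valid hexadecimal number.
    """
    # not all options need to be given; the 'detailed' option is deliberately
    # not set here (it only affects how gadgets are printed)
    options = {
        "color": self.color,
        "badbytes": self.badbytes,
        "type": "rop",
    }
    rs = RopperService(options)
    for spec in self.files:
        if ":" in spec:
            # Split on the LAST colon so a path that itself contains ':' still
            # parses as path:base.
            # NOTE(review): a colon-containing path given WITHOUT a base (e.g.
            # a Windows drive letter) is still misread as path:base and fails
            # in int(); callers must always append a base for such paths.
            path, base = spec.rsplit(":", 1)
        else:
            path, base = spec, None
        rs.addFile(path, arch=self.arch)
        rs.clearCache()
        if base is not None:
            # The base must be set before gadgets are loaded so their
            # addresses are computed against it.
            rs.setImageBaseFor(name=path, imagebase=int(base, 16))
        rs.loadGadgetsFor(path)
    return rs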
##### assemble instructions ######
# Python 2 demo snippet: `rs` must be an already-created RopperService and
# `ls` the name of a file registered with it; neither is defined here.
# Output format is not given, so the default format is used (the message
# below calls it a hex string).
hex_string = rs.asm('jmp esp')
print '"jmp esp" assembled to hex string =', hex_string
# Same instruction, returned as raw bytes instead.
raw_bytes = rs.asm('jmp esp', format='raw')
print '"jmp esp" assembled to raw bytes =', raw_bytes
# Same instruction, returned as an escaped string literal.
string = rs.asm('jmp esp', format='string')
print '"jmp esp" assembled to string =',string
# arch= selects the ARM assembler; the calls above rely on the default
# architecture of the service.
arm_bytes = rs.asm('bx sp', arch='ARM')
print '"bx sp" assembled to hex string =', arm_bytes
##### disassemble bytes #######
# Round-trips the bytes assembled just above back to mnemonics.
arm_instructions = rs.disasm(arm_bytes, arch='ARM')
print arm_bytes, 'disassembled to "%s"' % arm_instructions
# Change the image base; per the author this also changes the address of
# every gadget already loaded for this binary.
rs.setImageBaseFor(name=ls, imagebase=0x0)
# Reset the image base (None presumably restores the binary's own base —
# TODO confirm against RopperService).
rs.setImageBaseFor(name=ls, imagebase=None)
gadgets = rs.getFileFor(name=ls).gadgets
# Gadget address. Assumes at least one gadget has been loaded for `ls`;
# an empty list raises IndexError here.
print hex(gadgets[0].address)
# Instruction bytes of the gadget. str.encode('hex') is Python 2 only
# (binascii.hexlify is the portable equivalent).
print bytes(gadgets[0].bytes).encode('hex')
# Exclude gadgets whose address contains any of the bytes 00, 0a or 0d;
# the option value is a run of two-digit hex bytes.
rs.options.badbytes = '000a0d'
# gadgets are filtered automatically (per the author; no explicit reload is
# shown here)
import sys

# Script: load a raw binary as both ARM and Thumb images and write the
# addresses of selected gadgets to an output file.
# Usage: <script> <input-binary> <output-db-file>  (from the argv reads below)
rs = RopperService()
rs.options.color = True
rs.options.detailed = True
binname = sys.argv[1]
dbname = sys.argv[2]
# Whole input file read into memory in binary mode; it is registered below
# as an in-memory raw image rather than by path.
binfile = open(binname, 'rb')
binary = binfile.read()
binfile.close()
# The same bytes are registered twice, under the labels "arm" and "thumb",
# so gadgets are searched with both instruction sets. Both labels get the
# same image base, 0x100000.
rs.addFile("arm", bytes=binary, raw=True, arch="ARM")
rs.addFile("thumb", bytes=binary, raw=True, arch="ARMTHUMB")
rs.setImageBaseFor(name="arm", imagebase=0x100000)
rs.setImageBaseFor(name="thumb", imagebase=0x100000)
print("Loading gadgets for", binname)
# Called without a name here; presumably loads gadgets for every registered
# file — TODO confirm against RopperService.
rs.loadGadgetsFor()
# Opened in 'w' mode: an existing file at the argv[2] path is truncated.
# The handle is not closed anywhere in this snippet; the tail of the script
# is not shown.
dbfile = open(dbname, 'w')


def add_raw_gadget(name, addr):
    # Emits one "<name> = 0x..." line. `name` is written verbatim, so it is
    # the caller's responsibility that it is a valid identifier for whatever
    # later reads this file.
    dbfile.write(name + " = " + hex(addr) + "\n")


# NOTE(review): the listing is cut off after the `try:` below; the rest of
# add_gadget is not visible here.
def add_gadget(name, pattern):
    # Searches the loaded gadgets for `pattern`; handling of the result is
    # not shown.
    result = rs.search(search=pattern)
    try:
##### assemble instructions ######
# Python 2 demo snippet (duplicate of the one above): `rs` must be an
# already-created RopperService and `ls` the name of a file registered with
# it; neither is defined here.
# No output format is given, so the service's default format is used (the
# message below calls it a hex string).
hex_string = rs.asm('jmp esp')
print '"jmp esp" assembled to hex string =', hex_string
# Same instruction as raw bytes.
raw_bytes = rs.asm('jmp esp', format='raw')
print '"jmp esp" assembled to raw bytes =', raw_bytes
# Same instruction as an escaped string literal.
string = rs.asm('jmp esp', format='string')
print '"jmp esp" assembled to string =', string
# arch= selects the ARM assembler; the calls above use the service default.
arm_bytes = rs.asm('bx sp', arch='ARM')
print '"bx sp" assembled to hex string =', arm_bytes
##### disassemble bytes #######
# Round-trips the bytes assembled just above back to mnemonics.
arm_instructions = rs.disasm(arm_bytes, arch='ARM')
print arm_bytes, 'disassembled to "%s"' % arm_instructions
# Change the image base; per the author this also changes the address of
# every gadget already loaded for this binary.
rs.setImageBaseFor(name=ls, imagebase=0x0)
# Reset the image base (None presumably restores the binary's own base —
# TODO confirm against RopperService).
rs.setImageBaseFor(name=ls, imagebase=None)
gadgets = rs.getFileFor(name=ls).gadgets
# Gadget address. Assumes at least one gadget was loaded for `ls`; an empty
# list raises IndexError here.
print hex(gadgets[0].address)
# Instruction bytes of the gadget. str.encode('hex') is Python 2 only
# (binascii.hexlify is the portable equivalent).
print bytes(gadgets[0].bytes).encode('hex')
# Exclude gadgets whose address contains any of the bytes 00, 0a or 0d;
# the option value is a run of two-digit hex bytes.
rs.options.badbytes = '000a0d'
# gadgets are filtered automatically (per the author; no explicit reload is
# shown here)
G = Gadgets(rg_bin, rg_args, rg_offset) exec_sections = rg_bin.getExecSections() rg_gadgets = [] for section in exec_sections: rg_gadgets += G.addROPGadgets(section) rg_gadgets = G.passClean(rg_gadgets, rg_args.multibr) rg_gadgets = Options(rg_args, rg_bin, rg_gadgets).getGadgets() # --------------------- if not ropper_parsing_error: rs.setArchitectureFor(name=f, arch='x86') rs.loadGadgetsFor(name=f) rp_gadgets = rs.getFileFor(f).gadgets rp_gadgets.sort(key=attrgetter('address')) print 'Found {} gadgets!'.format(len(rp_gadgets)) rs.setImageBaseFor(name=f, imagebase=0x0) else: rp_gadgets = [] rp_len = len(rp_gadgets) rg_len = len(rg_gadgets) rp = True gadgets = rp_gadgets if rp_len < rg_len: gadgets = rg_gadgets rp = False rep = (len(gadgets) / 5000) + 1 for r in xrange(rep): _map = dict() _map['PE_info'] = pe_info for gn, g in enumerate(gadgets[r * 5000:(r + 1) * 5000]):