def get_ropper_service(self):
# not all options need to be given
options = {
"color": self.color,
"badbytes": self.badbytes,
"type": "rop",
} # if gadgets are printed, use detailed output; default: False
rs = RopperService(options)
for file in self.files:
if ":" in file:
file, base = file.split(":")
rs.addFile(file, arch=self.arch)
rs.clearCache()
rs.setImageBaseFor(name=file, imagebase=int(base, 16))
else:
rs.addFile(file, arch=self.arch)
rs.clearCache()
rs.loadGadgetsFor(file)
return rs
##### assemble instructions ######
hex_string = rs.asm('jmp esp')
print '"jmp esp" assembled to hex string =', hex_string
raw_bytes = rs.asm('jmp esp', format='raw')
print '"jmp esp" assembled to raw bytes =', raw_bytes
string = rs.asm('jmp esp', format='string')
print '"jmp esp" assembled to string =',string
arm_bytes = rs.asm('bx sp', arch='ARM')
print '"bx sp" assembled to hex string =', arm_bytes
##### disassemble bytes #######
arm_instructions = rs.disasm(arm_bytes, arch='ARM')
print arm_bytes, 'disassembled to "%s"' % arm_instructions
# Change the imagebase, this also change the imagebase for all loaded gadgets of this binary
rs.setImageBaseFor(name=ls, imagebase=0x0)
# reset image base
rs.setImageBaseFor(name=ls, imagebase=None)
gadgets = rs.getFileFor(name=ls).gadgets
# gadget address
print hex(gadgets[0].address)
# get instruction bytes of gadget
print bytes(gadgets[0].bytes).encode('hex')
# remove all gadgets containing bad bytes in address
rs.options.badbytes = '000a0d' # gadgets are filtered automatically
import sys
rs = RopperService()
rs.options.color = True
rs.options.detailed = True
binname = sys.argv[1]
dbname = sys.argv[2]
binfile = open(binname, 'rb')
binary = binfile.read()
binfile.close()
rs.addFile("arm", bytes=binary, raw=True, arch="ARM")
rs.addFile("thumb", bytes=binary, raw=True, arch="ARMTHUMB")
rs.setImageBaseFor(name="arm", imagebase=0x100000)
rs.setImageBaseFor(name="thumb", imagebase=0x100000)
print("Loading gadgets for", binname)
rs.loadGadgetsFor()
dbfile = open(dbname, 'w')
def add_raw_gadget(name, addr):
dbfile.write(name + " = " + hex(addr) + "\n")
def add_gadget(name, pattern):
result = rs.search(search=pattern)
try:
##### assemble instructions ######
hex_string = rs.asm('jmp esp')
print '"jmp esp" assembled to hex string =', hex_string
raw_bytes = rs.asm('jmp esp', format='raw')
print '"jmp esp" assembled to raw bytes =', raw_bytes
string = rs.asm('jmp esp', format='string')
print '"jmp esp" assembled to string =', string
arm_bytes = rs.asm('bx sp', arch='ARM')
print '"bx sp" assembled to hex string =', arm_bytes
##### disassemble bytes #######
arm_instructions = rs.disasm(arm_bytes, arch='ARM')
print arm_bytes, 'disassembled to "%s"' % arm_instructions
# Change the imagebase, this also change the imagebase for all loaded gadgets of this binary
rs.setImageBaseFor(name=ls, imagebase=0x0)
# reset image base
rs.setImageBaseFor(name=ls, imagebase=None)
gadgets = rs.getFileFor(name=ls).gadgets
# gadget address
print hex(gadgets[0].address)
# get instruction bytes of gadget
print bytes(gadgets[0].bytes).encode('hex')
# remove all gadgets containing bad bytes in address
rs.options.badbytes = '000a0d' # gadgets are filtered automatically
G = Gadgets(rg_bin, rg_args, rg_offset)
exec_sections = rg_bin.getExecSections()
rg_gadgets = []
for section in exec_sections:
rg_gadgets += G.addROPGadgets(section)
rg_gadgets = G.passClean(rg_gadgets, rg_args.multibr)
rg_gadgets = Options(rg_args, rg_bin, rg_gadgets).getGadgets()
# ---------------------
if not ropper_parsing_error:
rs.setArchitectureFor(name=f, arch='x86')
rs.loadGadgetsFor(name=f)
rp_gadgets = rs.getFileFor(f).gadgets
rp_gadgets.sort(key=attrgetter('address'))
print 'Found {} gadgets!'.format(len(rp_gadgets))
rs.setImageBaseFor(name=f, imagebase=0x0)
else:
rp_gadgets = []
rp_len = len(rp_gadgets)
rg_len = len(rg_gadgets)
rp = True
gadgets = rp_gadgets
if rp_len < rg_len:
gadgets = rg_gadgets
rp = False
rep = (len(gadgets) / 5000) + 1
for r in xrange(rep):
_map = dict()
_map['PE_info'] = pe_info
for gn, g in enumerate(gadgets[r * 5000:(r + 1) * 5000]):
