Small tool for generating ropchains using unicorn and z3
.gitignore
README.md
amd64.py
arm.py
emulator.py
load_gadgets.py
test_amd64.py
test_arm.py
test_gadgets.py
unirop.py
utils.py
x86.py

README.md

$ time python test_amd64.py 
Gadgets used:
0x1000104: pop r13; pop r14; ret 
0x1000500: mov rax, r13; ret 
0x1000700: pop rdx; jmp rax
0x1000a00: pop rsi; ret 
0x1000102: pop r12; pop r13; pop r14; ret 
0x1000500: mov rax, r13; ret 
0x1000200: mov rdi, rax; pop rbx; ret 
Ropchain:
00000000  04 01 00 01  00 00 00 00  00 0a 00 01  00 00 00 00  │····│····│····│····│
00000010  52 44 49 3d  41 52 47 11  00 05 00 01  00 00 00 00  │RDI=│ARG·│····│····│
00000020  00 07 00 01  00 00 00 00  52 44 58 3d  41 52 47 33  │····│····│RDX=│ARG3│
00000030  52 53 49 3d  41 52 47 32  02 01 00 01  00 00 00 00  │RSI=│ARG2│····│····│
00000040  02 05 08 14  01 00 03 00  52 44 49 3d  41 52 47 31  │····│····│RDI=│ARG1│
00000050  52 44 49 3c  41 52 47 11  00 05 00 01  00 00 00 00  │RDI<│ARG·│····│····│
00000060  00 02 00 01  00 00 00 00  52 49 50 3d  46 55 4e 43  │····│····│RIP=│FUNC│
00000070  52 49 50 3d  46 55 4e 43                            │RIP=│FUNC││
00000078
 
real    1m25.203s
user    1m24.408s
sys 0m0.784s
$ time python test_arm.py
Gadgets used:
0x1000: pop {r1, r2, r7, pc}
0x1010: mov r0, r2; pop {r7, pc}
0x1000: pop {r1, r2, r7, pc}
0x1020: mov r3, r0; bx r7
0x1010: mov r0, r2; pop {r7, pc}
0x1000: pop {r1, r2, r7, pc}
Ropchain:
00000000  00 10 00 00  41 52 47 32  41 52 47 34  11 00 00 00  │····│ARG2│ARG4│····│
00000010  10 10 00 00  11 00 00 00  00 10 00 00  41 52 47 32  │····│····│····│ARG2│
00000020  41 52 47 31  10 10 00 00  20 10 00 00  41 52 47 32  │ARG1│····│ ···│ARG2│
00000030  00 10 00 00  41 52 47 32  41 52 47 33  00 00 00 00  │····│ARG2│ARG3│····│
00000040  46 55 4e 43                                         │FUNC││
00000044
 
real    0m13.315s
user    0m12.632s
sys 0m0.632s
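The two hexdumps above are the raw chains, and the "Gadgets used" lists are the solver's choices, but nothing on the page ties the two together. The script below is an added example, not code from the unirop repository: it parses the README's hexdumps into little-endian words (8 bytes for amd64, 4 for ARM), labels each word as a gadget address or as one of the ASCII placeholders the tests use (`RDI=ARG1`, `FUNC`, ...), and then steps a tiny interpreter for the gadget strings (`pop`, `mov`, `ret`, `jmp`, `bx`, `pop {...}`) over the chain to confirm that every slot is consumed and that the registers end up holding the expected placeholders. The gadget tables and dump text are copied from the output above; the `parse_dump`/`trace` helpers and the word classification rule are mine.

```python
"""Decode and trace the ropchains shown in the unirop README.
Added example (not part of the repository). Gadget strings and hexdump bytes are
copied from the README output; the parser and the gadget interpreter are my own."""
import re

# Gadget address -> disassembly, copied from the "Gadgets used:" listings above.
AMD64_GADGETS = {
    0x1000104: "pop r13; pop r14; ret",
    0x1000500: "mov rax, r13; ret",
    0x1000700: "pop rdx; jmp rax",
    0x1000a00: "pop rsi; ret",
    0x1000102: "pop r12; pop r13; pop r14; ret",
    0x1000200: "mov rdi, rax; pop rbx; ret",
}
ARM_GADGETS = {
    0x1000: "pop {r1, r2, r7, pc}",
    0x1010: "mov r0, r2; pop {r7, pc}",
    0x1020: "mov r3, r0; bx r7",
}

# Copies of the two hexdumps printed by test_amd64.py / test_arm.py (only the hex columns are parsed).
AMD64_DUMP = """\
00000000  04 01 00 01  00 00 00 00  00 0a 00 01  00 00 00 00  │····│····│····│····│
00000010  52 44 49 3d  41 52 47 11  00 05 00 01  00 00 00 00  │RDI=│ARG·│····│····│
00000020  00 07 00 01  00 00 00 00  52 44 58 3d  41 52 47 33  │····│····│RDX=│ARG3│
00000030  52 53 49 3d  41 52 47 32  02 01 00 01  00 00 00 00  │RSI=│ARG2│····│····│
00000040  02 05 08 14  01 00 03 00  52 44 49 3d  41 52 47 31  │····│····│RDI=│ARG1│
00000050  52 44 49 3c  41 52 47 11  00 05 00 01  00 00 00 00  │RDI<│ARG·│····│····│
00000060  00 02 00 01  00 00 00 00  52 49 50 3d  46 55 4e 43  │····│····│RIP=│FUNC│
00000070  52 49 50 3d  46 55 4e 43                            │RIP=│FUNC││
00000078
"""
ARM_DUMP = """\
00000000  00 10 00 00  41 52 47 32  41 52 47 34  11 00 00 00  │····│ARG2│ARG4│····│
00000010  10 10 00 00  11 00 00 00  00 10 00 00  41 52 47 32  │····│····│····│ARG2│
00000020  41 52 47 31  10 10 00 00  20 10 00 00  41 52 47 32  │ARG1│····│ ···│ARG2│
00000030  00 10 00 00  41 52 47 32  41 52 47 33  00 00 00 00  │····│ARG2│ARG3│····│
00000040  46 55 4e 43                                         │FUNC││
00000044
"""

HEX_LINE = re.compile(r"^[0-9a-f]{8}\s+((?:[0-9a-f]{2}\s+)+)")


def parse_dump(dump, word_size):
    """Return the chain as a list of words: a str for all-printable ASCII slots
    (the test placeholders such as 'RDI=ARG1'), otherwise a little-endian int."""
    data = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:  # the trailing offset-only line has no bytes and is skipped
            data += bytes.fromhex("".join(m.group(1).split()))
    words = []
    for off in range(0, len(data), word_size):
        chunk = bytes(data[off:off + word_size])
        if all(0x20 <= b < 0x7F for b in chunk):
            words.append(chunk.decode("ascii"))
        else:
            words.append(int.from_bytes(chunk, "little"))
    return words


def trace(words, gadgets):
    """Step the chain: words are consumed from index sp as the gadgets pop them.
    Returns (registers, final pc, gadget addresses executed in order, words consumed)."""
    regs, sp, executed = {}, 0, []
    pc = words[sp]
    sp += 1
    while isinstance(pc, int) and pc in gadgets:
        executed.append(pc)
        for insn in gadgets[pc].split(";"):
            insn = insn.strip()
            if insn == "ret":                      # next word becomes pc
                pc = words[sp]
                sp += 1
            elif insn.startswith("pop {"):         # ARM multi-register pop, may load pc
                for reg in insn[5:-1].split(","):
                    val = words[sp]
                    sp += 1
                    if reg.strip() == "pc":
                        pc = val
                    else:
                        regs[reg.strip()] = val
            elif insn.startswith("pop "):          # single-register pop
                regs[insn[4:]] = words[sp]
                sp += 1
            elif insn.startswith("mov "):          # register-to-register move
                dst, src = (r.strip() for r in insn[4:].split(","))
                regs[dst] = regs[src]
            elif insn.startswith(("jmp ", "bx ")): # indirect branch through a register
                pc = regs[insn.split()[1]]
            else:
                raise ValueError("unsupported instruction: " + insn)
    return regs, pc, executed, sp


if __name__ == "__main__":
    for name, dump, size, gadgets in (("amd64", AMD64_DUMP, 8, AMD64_GADGETS),
                                      ("arm", ARM_DUMP, 4, ARM_GADGETS)):
        words = parse_dump(dump, size)
        for i, w in enumerate(words):
            label = gadgets.get(w, "placeholder" if isinstance(w, str) else "value")
            print(f"{name} +{i * size:#05x}: {w!r:>22}  {label}")
        regs, pc, used, consumed = trace(words, gadgets)
        print(f"{name}: {consumed}/{len(words)} words consumed, final pc={pc!r}, regs={regs}")
```

Running it reproduces the "Gadgets used" order from the README for both architectures and shows the intended end state: on amd64 `rdi`/`rsi`/`rdx` hold `RDI=ARG1`/`RSI=ARG2`/`RDX=ARG3` with `pc` at `RIP=FUNC`; on ARM `r0`..`r3` hold `ARG1`..`ARG4` with `pc` at `FUNC`. The slots that decode to neither a gadget nor a placeholder (for example the `02 05 08 14 ...` word at amd64 offset 0x40) are filler for registers the chain pops but never uses.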