JonathanSalwan/ROPgadget

Can't match "xchg" instruction in 64-bit ELF file

firmianay opened this issue · 2 comments

firmianay commented

The file:

$ file fluff 
fluff: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=575282b847c71e8e939899f61bef6b261d88fe25, not stripped

It seem's ropgadget can't match a xchg instruction:

$ ropgadget --binary fluff --only "xchg|pop|mov|ret"
Gadgets information
============================================================
0x0000000000400713 : mov byte ptr [rip + 0x20096e], 1 ; ret
0x00000000004007ae : mov eax, 0 ; pop rbp ; ret
0x0000000000400835 : mov ebp, 0x604060 ; ret
0x0000000000400846 : mov ebx, 0x602050 ; ret
0x0000000000400827 : mov edi, 0x601050 ; ret
0x0000000000400845 : mov r11d, 0x602050 ; ret
0x0000000000400834 : mov r13d, 0x604060 ; ret
0x0000000000400832 : pop r12 ; mov r13d, 0x604060 ; ret
0x00000000004008bc : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004008be : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400825 : pop r14 ; mov edi, 0x601050 ; ret
0x00000000004008c0 : pop r14 ; pop r15 ; ret
0x0000000000400843 : pop r15 ; mov r11d, 0x602050 ; ret
0x00000000004008c2 : pop r15 ; ret
0x0000000000400712 : pop rbp ; mov byte ptr [rip + 0x20096e], 1 ; ret
0x00000000004008bb : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004008bf : pop rbp ; pop r14 ; pop r15 ; ret
0x00000000004006b0 : pop rbp ; ret
0x0000000000400844 : pop rdi ; mov r11d, 0x602050 ; ret
0x00000000004008c3 : pop rdi ; ret
0x0000000000400826 : pop rsi ; mov edi, 0x601050 ; ret
0x00000000004008c1 : pop rsi ; pop r15 ; ret
0x0000000000400833 : pop rsp ; mov r13d, 0x604060 ; ret
0x00000000004008bd : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004005b9 : ret

Unique gadgets found: 25

But using objdump, the elf file do have a xchg pop mov ret gadgets:

$ objdump -Mintel -D fluff | grep -A 5 xchg
  40028c:       93                      xchg   ebx,eax
  40028d:       98                      cwde   
  40028e:       99                      cdq    
  40028f:       f6 1b                   neg    BYTE PTR [rbx]
  400291:       ef                      out    dx,eax
  400292:       6b 26 1d                imul   esp,DWORD PTR [rsi],0x1d
--
  400646:       66 90                   xchg   ax,ax

Disassembly of section .text:

0000000000400650 <_start>:
  400650:       31 ed                   xor    ebp,ebp
--
  400840:       4d 87 d3                xchg   r11,r10
  400843:       41 5f                   pop    r15
  400845:       41 bb 50 20 60 00       mov    r11d,0x602050
  40084b:       c3                      ret    
  40084c:       41 5f                   pop    r15
  40084e:       4d 89 1a                mov    QWORD PTR [r10],r11

what's wrong?

JonathanSalwan commented

--depth <nbyte> Depth for search engine (default 10)

firmianay commented

Thx!