JonathanSalwan/ROPgadget

we should turn on `multibr` by default

Kyle-Kyle opened this issue · 3 comments

Now that `multibr` is off by default, we are missing vital gadgets like `syscall ; ret`, `int 0x80 ; ret`, `call xxxxx ; xx ; xx ; ret`.
Also, since the documentation ("Enable multiple branch gadgets") is too vague, I didn't understand it before I read the source code.

And I don't quite understand why it is off by default. I think we should provide as many gadgets as possible and let users decide what to use, right? Especially since this option affects so much.

`syscall ; ret` and `int 0x80 ; ret` seem to be rarely noticed in binaries. Often you can just spot a non-ret-ending `syscall` or `int`.

@SweetVishnya
In normal assemblies, I agree. But we should also consider misalignment.
In practice, we can always find `syscall ; ret` in large binaries like libc.

One other possibility is syscall wrappers. But I'm not sure how often we can see that in programs other than libc.

My previous statement holds for misalignment. These gadgets are still rarely met. However, I will think over this option later. One more problem I see is that there will be duplicated addresses when `--multibr` is on. For instance:

```
0xdeadbeef : syscall
0xdeadbeef : syscall ; ret
```
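To make the effect of the option concrete, here is a toy gadget scanner added as an example (it is not ROPgadget's code): it decodes only a handful of x86-64 opcodes, scans backwards from each terminator the way a gadget finder does, and runs on a constructed byte string. With `multibr` off, any gadget that has a second branch before its terminator is dropped, so `syscall ; ret` is lost; with it on, the same address shows up more than once, exactly as in the listing above.

```python
# Toy x86-64 gadget scanner (constructed for this example, not ROPgadget's code).
# Only the opcodes below are decoded; any other byte is undecodable, so no gadget runs through it.
ONE_BYTE = {0xC3: "ret", 0x58: "pop rax", 0x5F: "pop rdi"}
TWO_BYTE = {(0x0F, 0x05): "syscall", (0xCD, 0x80): "int 0x80"}
# Every occurrence of a terminator is a candidate gadget end.
TERMINATORS = [(b"\xc3", "ret"), (b"\x0f\x05", "syscall"), (b"\xcd\x80", "int 0x80")]
BRANCHES = {name for _, name in TERMINATORS}

def decode(code, start, end):
    """Decode code[start:end] linearly; return None if a byte is not in our tables."""
    insns, i = [], start
    while i < end:
        pair = (code[i], code[i + 1]) if i + 1 < end else None
        if pair in TWO_BYTE:
            insns.append(TWO_BYTE[pair]); i += 2
        elif code[i] in ONE_BYTE:
            insns.append(ONE_BYTE[code[i]]); i += 1
        else:
            return None
    return insns

def find_gadgets(code, base=0, depth=4, multibr=False):
    """Sorted (address, 'insn ; insn') pairs; depth = bytes tried before a terminator.
    multibr=False drops any gadget with a second branch before its terminator."""
    gadgets = []
    for pattern, name in TERMINATORS:
        off = code.find(pattern)
        while off != -1:
            end = off + len(pattern)
            for start in range(off, max(-1, off - depth), -1):
                insns = decode(code, start, end)
                if insns is None or insns[-1] != name:
                    continue
                if not multibr and any(i in BRANCHES for i in insns[:-1]):
                    continue  # single-branch mode: this is where 'syscall ; ret' disappears
                gadgets.append((base + start, " ; ".join(insns)))
            off = code.find(pattern, off + 1)
    return sorted(gadgets)

def duplicate_addresses(gadgets):
    """Addresses that appear more than once in a listing (the duplication noted above)."""
    addrs = [a for a, _ in gadgets]
    return sorted({a for a in addrs if addrs.count(a) > 1})

# Constructed input: pop rdi ; ret | int3 | pop rax ; syscall ; ret | int3 | int 0x80 ; ret
SAMPLE = bytes.fromhex("5fc3cc580f05c3cccd80c3")

for flag in (False, True):  # off: 7 gadgets, no 'syscall ; ret'; on: 10 gadgets, 3 duplicated addresses
    for addr, g in find_gadgets(SAMPLE, base=0x1000, multibr=flag):
        print(f"--multibr={flag}  0x{addr:08x} : {g}")
```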