JonathanSalwan/ROPgadget

x86-64 "syscall ret" gadgets missed with version 5.7+


While working on the binary below, I found that ROPgadget missed a gadget like syscall ; ret.

  • disassembly of address 0x40019B
0x40019B:    0F 05    syscall
0x40019D:    F3 C3    rep ret
  • version 5.7 and above
$ ROPgadget --version
Version:        ROPgadget v5.8
Author:         Jonathan Salwan
Author page:    https://twitter.com/JonathanSalwan
Project page:   http://shell-storm.org/project/ROPgadget/

$ ROPgadget --binary ./binary | grep syscall
0x000000000040013b : adc ebx, eax ; mov eax, 1 ; syscall
0x0000000000400140 : add byte ptr [rax], al ; syscall
0x000000000040012e : add byte ptr [rax], al ; xor eax, eax ; syscall
0x000000000040013e : add dword ptr [rax], eax ; add byte ptr [rax], al ; syscall
0x000000000040014b : add ebx, eax ; xor edi, edi ; mov eax, 0xe7 ; syscall
0x0000000000400199 : loope 0x400170 ; syscall
0x000000000040014f : mov eax, 0xe7 ; syscall
0x000000000040013d : mov eax, 1 ; syscall
0x0000000000400150 : out 0, eax ; add byte ptr [rax], al ; syscall
0x0000000000400196 : sbb dword ptr [rax - 0x47], ecx ; loope 0x400173 ; syscall
0x0000000000400195 : sbb dword ptr es:[rax - 0x47], ecx ; loope 0x400174 ; syscall
0x0000000000400132 : syscall
0x0000000000400130 : xor eax, eax ; syscall
0x000000000040014d : xor edi, edi ; mov eax, 0xe7 ; syscall

$ ROPgadget --binary ./binary --range 0x40019B-0x40019F
Gadgets information
============================================================
0x000000000040019e : ret
0x000000000040019b : syscall
  • version 5.4
$ ROPgadget --version
Version:        ROPgadget v5.4
Author:         Jonathan Salwan
Author page:    https://twitter.com/JonathanSalwan
Project page:   http://shell-storm.org/project/ROPgadget/

$ ROPgadget --binary ./binary | grep syscall
0x0000000000400199 : loope 0x400173 ; syscall ; ret
0x0000000000400196 : sbb dword ptr [rax - 0x47], ecx ; loope 0x400176 ; syscall ; ret
0x0000000000400195 : sbb dword ptr es:[rax - 0x47], ecx ; loope 0x400177 ; syscall ; ret
0x000000000040019b : syscall ; ret

This makes me confused. -_-||
binary.txt

Use option --multibr

=> ./ROPgadget.py --binary=./binary.txt --multibr | grep 40019b
0x000000000040019b : syscall ; ret

Thanks, I've learned how to use this option.
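As an added illustration of the maintainer's answer (this is not ROPgadget's own code): a toy model of gadget enumeration that terminates a gadget at the first branch-type instruction unless a multi-branch mode is enabled, run over the four bytes quoted in the issue. The decoder knows only the opcodes in that snippet, and the stop rule is a simplification of how ROPgadget (which uses Capstone) behaves.

```python
# Added example, not ROPgadget's code: a minimal model of why a gadget
# finder that stops at the first branch reports "syscall" but not
# "syscall ; ret", and how a multi-branch mode recovers the latter.

# Constructed byte image mirroring the issue's disassembly at 0x40019B:
#   0x40019B: 0F 05     syscall
#   0x40019D: F3 C3     rep ret
BASE = 0x40019B
CODE = bytes.fromhex("0F05F3C3")

# Tiny decoder for just the opcodes in this snippet (real tools use Capstone).
# Returns (mnemonic, length) or None if the bytes are not one of them.
def decode(buf, off):
    if buf[off:off + 2] == b"\x0f\x05":
        return ("syscall", 2)
    if buf[off:off + 2] == b"\xf3\xc3":
        return ("ret", 2)          # `rep ret` is shown as ret
    if buf[off:off + 1] == b"\xc3":
        return ("ret", 1)
    return None

# Instructions that transfer control; a gadget finder treats them as terminators.
BRANCHES = {"syscall", "ret"}

def gadget_at(buf, off, multibr, depth=10):
    """Decode forward from `off`. In single-branch mode the first branch ends
    the gadget; in multi-branch mode decoding continues until a `ret`.
    Returns the gadget string, or None if no gadget is found."""
    insns = []
    while off < len(buf) and len(insns) < depth:
        ins = decode(buf, off)
        if ins is None:
            return None
        mnem, size = ins
        insns.append(mnem)
        off += size
        if mnem == "ret":
            return " ; ".join(insns)
        if mnem in BRANCHES and not multibr:
            return " ; ".join(insns)   # first branch terminates the gadget
    return None

def find_gadgets(buf, base, multibr):
    """Map address -> gadget for every offset that yields a gadget."""
    found = {}
    for off in range(len(buf)):
        g = gadget_at(buf, off, multibr)
        if g:
            found[base + off] = g
    return found

if __name__ == "__main__":
    for mode in (False, True):
        print("multibr =", mode, find_gadgets(CODE, BASE, mode))
```

Single-branch mode yields "syscall" at 0x40019b, exactly as the v5.8 output in the issue; enabling the multi-branch mode yields "syscall ; ret" there, matching the --multibr result.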