ROPChain

Fast ROPChain generator for controlling the value of registers.
This will find the gadgets by heuristics that the missing gadgets will be alternated by equivalent gadgets.

Platform

OS

Architecture

x86, x64 architectures are supported.

Features

• Fast (Implemented in C++)
• Alternative gadgets will be used by heuristics in case required ROPGadgets (e.g., pop rax; ret) are not found.
• Able to exclude specific characters if needed.

Requirement

• C++17
• Boost.Python
• radare2 (Optional)
• rp++

Example

Executable

ropchain -f /bin/ls -g r2 --rax=0x114514 -d

Python

>>> from ropchain import *
>>> libropchain.setArch(libropchain.Arch.AMD64)
>>> rop = solve({rax: 0x3b, rbx: 0x4242424242424242}, '/bin/ls', 0, {})
>>> rop.dump()
0x413072:        pop, rdi; ret
0x3b

0x40adf4:        mov, rax, rdi; ret

0x413700:        pop, rbx; ret
0x4242424242424242

>>> rop.payload()
'r0A\x00\x00\x00\x00\x00;\x00\x00\x00\x00\x00\x00\x00\xf4\xad@\x00\x00\x00\x00\x00\x007A\x00\x00\x00\x00\x00BBBBBBBB'
>>>

Installation

You can install python module by pip.

pip install ropchain

For executable, you have to clone and build manually.