kokjo/universalrop kokjo/universalrop

  • Stars
    star
    197
  • Rank 197,722 (Top 4 %)
  • Language
    Python
  • Created over 7 years ago
  • Updated almost 7 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
kokjo/universalrop
github

kokjo

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Small tool for generating ropchains using unicorn and z3 
$ time python test_amd64.py 
Gadgets used:
0x1000104: pop r13; pop r14; ret 
0x1000500: mov rax, r13; ret 
0x1000700: pop rdx; jmp rax
0x1000a00: pop rsi; ret 
0x1000102: pop r12; pop r13; pop r14; ret 
0x1000500: mov rax, r13; ret 
0x1000200: mov rdi, rax; pop rbx; ret 
Ropchain:
00000000  04 01 00 01  00 00 00 00  00 0a 00 01  00 00 00 00  │····│····│····│····│
00000010  52 44 49 3d  41 52 47 11  00 05 00 01  00 00 00 00  │RDI=│ARG·│····│····│
00000020  00 07 00 01  00 00 00 00  52 44 58 3d  41 52 47 33  │····│····│RDX=│ARG3│
00000030  52 53 49 3d  41 52 47 32  02 01 00 01  00 00 00 00  │RSI=│ARG2│····│····│
00000040  02 05 08 14  01 00 03 00  52 44 49 3d  41 52 47 31  │····│····│RDI=│ARG1│
00000050  52 44 49 3c  41 52 47 11  00 05 00 01  00 00 00 00  │RDI<│ARG·│····│····│
00000060  00 02 00 01  00 00 00 00  52 49 50 3d  46 55 4e 43  │····│····│RIP=│FUNC│
00000070  52 49 50 3d  46 55 4e 43                            │RIP=│FUNC││
00000078
 
real    1m25.203s
user    1m24.408s
sys 0m0.784s
$ time python test_arm.py
Gadgets used:
0x1000: pop {r1, r2, r7, pc}
0x1010: mov r0, r2; pop {r7, pc}
0x1000: pop {r1, r2, r7, pc}
0x1020: mov r3, r0; bx r7
0x1010: mov r0, r2; pop {r7, pc}
0x1000: pop {r1, r2, r7, pc}
Ropchain:
00000000  00 10 00 00  41 52 47 32  41 52 47 34  11 00 00 00  │····│ARG2│ARG4│····│
00000010  10 10 00 00  11 00 00 00  00 10 00 00  41 52 47 32  │····│····│····│ARG2│
00000020  41 52 47 31  10 10 00 00  20 10 00 00  41 52 47 32  │ARG1│····│ ···│ARG2│
00000030  00 10 00 00  41 52 47 32  41 52 47 33  00 00 00 00  │····│ARG2│ARG3│····│
00000040  46 55 4e 43                                         │FUNC││
00000044
 
real    0m13.315s
user    0m12.632s
sys 0m0.632s

More Repositories

1

MtGoxAPI

a trading api for Mt. Gox.
Python
7
star
2

pycoin

python implementation of bitcoin
Python
6
star
3

microcoded_riscv

Very slow implementation of riscv. Made for the lulz.
Verilog
4
star
4

yarv

Yet another RISCV.
Verilog
4
star
5

misc_fpga

iCE40 and ECP5 fpga libraries and projects. Using the open source toolchain yosys+nextpnr. Quality may vary.
Verilog
4
star
6

pyelf

A ELF parser for python
Python
3
star
7

cfgtool

Tool for generating control flow graphs. Written in rust, using capstone.
Rust
2
star
8

ldpreload_patcher

Small helper functions i wrote, to modify dynamically linked binary at load time.
C
2
star
9

efm32hg309_board

Small board for the Cortex-M0+ IC EFM32HG309 from Silicon Labs
2
star
10

roponarm

A simple disassemble for arm and thumb + ROP generator
Python
2
star
11

how_to_short_circut

small arm board with lora radio.
C
1
star
12

permute

Source code for the permute challenge from 35c3 CTF.
C
1
star
13

lightningtalk-33c3

TeX
1
star
14

efm32hg309_blinky

C
1
star
15

matcamp-logik

Logik kompendie til UNF's Matematik camp 2014
TeX
1
star
16

rc4connection

A simple c library that can encrypt stdin, stdout, stderr over a socket. DO NOT EXPECT THIS TO BE STRONG ENCRYPTION.
C
1
star
17

crypto-inside

Rust
1
star
18

swdviewer

View/modify peripheral registers of a running ARM processor over SWD with a nice webinterface
JavaScript
1
star