| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Call r2's iI command and return a subset of the fields that we care
about.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Sets the value of rop.len = 10 in r2, to give the search function more
data to sift through. This is a doubling from the default value (5).
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Development on the rop chain builder has produced this upgrade to our
gadget search facility. The primary advantages in this version are
increased flexibility and runtime performance.
It is now easier to find specific 'stray' instructions (not immediately
followed by a ret) since we search from every position in the data
returned by r2. If you _do_ want a ret, just specify it in your input
regexes. For this reason, a dedicated function for locating a simple
'ret' gadget is no longer present - elf.gadget("ret") is the equivalent.
A major change in this version is that we now obtain and operate on r2's
JSON representation of the gadget data. We now only reach out to r2
once to get all information for a binary (which is cached) and the
actual 'search' is implemented in Python. This provides a significant
performance speedup in cases where we need many gadgets from one binary,
as r2 doesn't need to inspect the entire file each time. Additional
caching is done on specific search results, so that 100% redundant
searches are returned immediately. Access to the raw JSON data is made
available through a new function rop_json(), but is not exposed in the
ELF interface, since it seems like a niche need.
Search results are returned via Gadget objects (or a list thereof),
which contain regular expression Match objects for each assembly
instruction found in the gadget. This allows the caller to retrieve the
values contained in regular expression capture groups if present.
Also, anecdotally, the search functionality in r2 has seemed to return
false negatives for some queries in the past, whereas I haven't noticed
similar cases with this implementation yet.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
I assume that the preferred style is to leave one major class each to a
file. In this case, synchronize the names of the Symtbl class and its
containing module. Per PEP8, the module is lowercase, and the class
remains Pascal case.
If other memory-oriented utilities are introduced in the future, we may
wish to move them, as well as Symtbl, back into a subpackage named
'mem'.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
The baddr property identified by r2 is now used as the base address for
ELF symbol tables. This should not change the addresses retrieved via
the table normally, however should fix the internal offsets of the table
so that rebasing makes sense.
Note that for PIC/PIE binaries we would already get a Symtbl with
'correct' offsets, as r2 is unable to absolutely resolve them for us.
In these cases, the Symtbl base value remains at zero.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
rather than cacheing ELF instantiations, just cache the results of
external commands
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
accidentally left the argument as "elf" instead of "binary" and had the
arguments in the wrong order
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Consolidate some of the r2 calls that get combined to create the symbol
list. Instead of doing multiple calls with different greps within
radare2, just do a single call and search it in the python side. This
gives us a slight, but noticeable performance increase.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
forgot to remove the r2 namespace from the calls from back when it was
implemented differently
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
rev.r2's get_locals() function returns a Symtbl of offsets representing
the local variables on in a stack frame of a particular function. The
offsets returned by r2 are based around the base of the stack, but they
are increasing in value as they grow from the stack. To properly model
memory, they should decrease in value as they grow from the stack.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Add an r2 module with several helper functions that do a number of
simple reverse engineering tasks to aid in writing simple sploit
scripts. The functions in this module invoke radare2 to accomplish their
tasks.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
