From 31ef0e9a7a67ba3c361e72d279ae84b9285fb470 Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Sat, 18 Mar 2023 21:21:44 -0400
Subject: rev: Normalize the reported offset of found gadgets
ROP gadgets returned through search from the r2 API will now always contain a file-relative offset, even if they come from a non-pic binary using a fixed baddr. However, gadgets returned through the ELF API will be mapped according to the ELF's Symtbl. This ensures the correct offset is returned following a library leak, and allows the user to always safely insert an ELF-returned gadget into that ELF's Symtbl without issue.
Signed-off-by: Malfurious
Signed-off-by: dusoleil
---
sploit/rev/r2.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'sploit/rev/r2.py')
diff --git a/sploit/rev/r2.py b/sploit/rev/r2.py
index 24ab1f8..7101f07 100644
--- a/sploit/rev/r2.py
+++ b/sploit/rev/r2.py
@@ -80,6 +80,7 @@ def rop_gadgets(binary, *regexes, cont=False):
 ilog(f"Searching {binary} for {'; '.join(regexes)} gadgets with r2...")
 gadgets = rop_json(binary)
 results = []
+ base = int(get_bin_info(binary).baddr, 0)
 for gadget in gadgets:
 opcodes = gadget['opcodes']
@@ -90,7 +91,7 @@ def rop_gadgets(binary, *regexes, cont=False):
 size = end_idx - idx
 regexes_use = (regexes + (".*",) * size) if cont else regexes
- offset = opcodes[idx]['offset']
+ offset = opcodes[idx]['offset'] - base
 matches = []
 for regex in regexes_use:
-- cgit v1.2.3
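Review bot: The added `base = int(get_bin_info(binary).baddr, 0)` only works when `baddr` is a string — `int()` with an explicit base raises `TypeError` on an int argument — so if `get_bin_info` ever returns the JSON integer directly (its return type is not visible here), every gadget search fails before the loop starts; `base = int(str(get_bin_info(binary).baddr), 0)` accepts both forms at no cost. The rebase on the new `offset = opcodes[idx]['offset'] - base` line also reads as an unexplained subtraction to anyone who has not seen this commit message, so it deserves a why-comment such as `# r2 reports virtual addresses; strip the fixed baddr so offsets are base-relative for PIE and non-PIE alike` (presumably the r2 convention, to be confirmed against rop_json). Note that if r2 is ever opened with an explicit load base for a PIE, this would subtract that base too, which is the intended behaviour only if the Symtbl side agrees. rop_gadgets begins before the first hunk and its body continues past the second.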