mov rax, rbx
ret
nopn $0x2,$0x2
mov_i64 rax,rbx
qemu_ld_i64 tmp0,rsp,leq,$0x0
movi_i64 tmp11,$0x8
add_i64 tmp3,rsp,tmp11
mov_i64 rsp,tmp3
st_i64 tmp0,env,$0x80
exit_tb $0x0
end
%Lgv = load i64* @rbx
store i64 %Lgv, i64* @rax
%Lgv1 = load i64* @rsp
%Ildq = inttoptr i64 %Lgv1 to i64*
%Ldq = load i64* %Ildq
%Oarith = add i64 %Lgv1, 8
store i64 %Oarith, i64* @rsp
store i64 %Ldq, i64* @rip
ret i64 0
(solver
(and true
(= Lgv rbx) (= rax Lgv) (= Lgv1 rsp) (= Ildq Lgv1)
(= Ldq (select ram Ildq)) (= Oarith (bvadd #x8 Lgv1))
(= rsp1 Oarith) (= rip Ldq))
(and true
(= t_Lgv t_rbx) (= t_rax t_Lgv) (= t_Lgv1 t_rsp) (= t_Ildq t_Lgv1)
(= t_Ldq (select t_ram t_Ildq)) (= t_Oarith (bvadd #x8 t_Lgv1))
(= t_rsp1 t_Oarith) (= t_rip t_Ldq))
(= rbx t_rbx) (not (= rax t_rax))
(= rsp t_rsp) (= rsp1 t_rsp1) (not (= rip t_rip)))
xor rax, rax
not rax
and rax, rbx
ret
nopn $0x2,$0x2
mov_i64 rax,rbx
mov_i64 cc_dst,rbx
qemu_ld_i64 tmp0,rsp,leq,$0x0
movi_i64 tmp11,$0x8
add_i64 tmp3,rsp,tmp11
mov_i64 rsp,tmp3
st_i64 tmp0,env,$0x80
movi_i32 cc_op,$0x19
exit_tb $0x0
end
%Lgv = load i64* @rbx
store i64 %Lgv, i64* @rax
%Lgv1 = load i64* @rsp
%Ildq = inttoptr i64 %Lgv1 to i64*
%Ldq = load i64* %Ildq
%Oarith = add i64 %Lgv1, 8
store i64 %Oarith, i64* @rsp
store i64 %Ldq, i64* @rip
ret i64 0
Use nROP and discover tricky gadgets using the docker image :
$ sudo docker pull awailly/nrop
$ sudo docker run -h nrop -t -i awailly/nrop:latest /bin/bash
Current ROP tools suffer from static gadget search and does not extract the underlying semantic. Combining the intermediate language of Qemu with the LLVM optimization, nROP is able to seek exotic combination to achieve your exploit.
Exploiting softwares require subtle gadget chaining to bypass state-of-the-art memory protection. nROP helps exploit writers to achieve non-trivial gadget chaining on various architecture.