Reverse Engineering Asked by joshu on December 16, 2020
How are the offsets returned by ROP gadget finders related to the files they come from? For example, if the ROP gadget finder says that a certain gadget is at offset 0x0002ae74 in libuClibc.0.9.3.so, where should I go to look for the gadget in libuClibc.0.9.3.so?
ropper bases the binary at address 0. This can be changed using the -I flag. This value of the base can be picked up from Ghidra to reflect in ropper's output.

In Ghidra go to Window > Memory Map.

In this case libc is loaded at base address 0x100000. From ropper:

    $ ropper -I 0x100000 --nocolor --file ./libc.so.6

Now the output can be directly used with G to go to that address.

    0x0000000000197853: pop r13; pop r14; jmp rax;

Additionally, if you can't run ropper again for some reason, you can try this with your old output.

    0x0000000000097853: pop r13; pop r14; jmp rax;

Add the base to this address:

    hex(0x100000+0x0000000000097853)
    0x197853

Press G and paste the above address:

    00197848 48 83 c4 10    ADD RSP,0x10
    0019784c 4c 89 ee       MOV RSI,R13
    0019784f 5b             POP RBX
    00197850 5d             POP RBP
    00197851 41 5c          POP R12
    00197853 41 5d          POP R13
    00197855 41 5e          POP R14
    00197857 ff e0          JMP RAX

One thing to notice is that ropper can produce ROP gadgets from addresses which are not known to Ghidra as instruction boundaries. For example

    018258c30000    add dword ptr [edx+0xc358], eax

can be used by ropper as

    58c3    pop eax; ret

because 58c3 is still a valid pair of instructions.
Correct answer by sudhackar on December 16, 2020
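The two points in the answer above, that a gadget finder's offsets are file-relative and become addresses only once a base is added, and that x86 gadgets can start inside an instruction Ghidra already decoded, can be reproduced with a small Python script. This is an added illustration, not part of the original answer and not ropper's own code: instead of disassembling at every byte the way ropper does, it matches a hand-picked table of known gadget byte patterns at every byte offset of a constructed byte blob (the 6-byte add instruction and the pop/pop/jmp sequence quoted in the answer). The helper names and the sample blob are assumptions made for the example.

```python
# Added example: how file-relative gadget offsets relate to a loaded base, and why
# gadgets can begin at offsets Ghidra does not treat as instruction boundaries.
# Not ropper's code; a pattern matcher stands in for a real disassembler.

# Constructed sample "file": the bytes quoted in the answer.
#   01 82 58 c3 00 00   add dword ptr [edx+0xc358], eax
#   41 5d 41 5e ff e0   pop r13; pop r14; jmp rax
SAMPLE = bytes.fromhex("018258c30000" "415d415effe0")

# Gadget byte patterns we know how to name (hypothetical table, x86/x86-64).
GADGETS = {
    b"\x58\xc3": "pop eax; ret",
    b"\x41\x5d\x41\x5e\xff\xe0": "pop r13; pop r14; jmp rax",
}


def find_gadgets(blob: bytes, base: int = 0):
    """Scan every byte offset of blob (not just decoded instruction starts) for a
    known gadget pattern. Returns [(base + offset, gadget_text), ...], i.e. the
    same numbers ropper prints: file offset when base == 0, a Ghidra-style
    address when base is the load address shown in Window > Memory Map."""
    found = []
    for off in range(len(blob)):
        for pattern, text in GADGETS.items():
            if blob.startswith(pattern, off):
                found.append((base + off, text))
    return found


def rebase_ropper_line(line: str, base: int) -> str:
    """Rewrite one line of old ropper output ("0x...: gadget;") produced with
    base 0 so that its address matches a Ghidra session loaded at `base`."""
    addr_text, gadget = line.split(":", 1)
    addr = int(addr_text, 16) + base
    return f"0x{addr:016x}:{gadget}"


if __name__ == "__main__":
    # With base 0 the "pop eax; ret" gadget is reported at offset 2, which is in
    # the middle of the 6-byte add instruction, exactly the case the answer notes.
    for addr, text in find_gadgets(SAMPLE):
        print(f"0x{addr:016x}: {text};")
    # With the Ghidra base the same offsets become addresses you can jump to with G.
    for addr, text in find_gadgets(SAMPLE, base=0x100000):
        print(f"0x{addr:016x}: {text};")
    # Re-using old base-0 output without re-running ropper.
    print(rebase_ropper_line("0x0000000000097853: pop r13; pop r14; jmp rax;", 0x100000))
```

Run stand-alone it prints the mid-instruction gadget at offset 0x2 and at 0x100002 once rebased, and turns the old line `0x0000000000097853: ...` into `0x0000000000197853: ...`, the value the answer computed with hex(). Whether a given byte run is actually reachable as the described instruction sequence still has to be checked in Ghidra (disassemble at that address), since the matcher only confirms the bytes are present.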