Magic-Mirror/radare2
1
0
Fork 0
mirror of https://github.com/radareorg/radare2.git synced 2025-02-04 20:46:20 +00:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity
radare2/test/db/cmd/cmd_rop
Anton Kochkov 2e24aa6b9f Fix #17458 - fix wrongly written tests
2020-08-19 11:13:50 +08:00

237 lines
6.6 KiB
Plaintext
Raw Blame History

NAME=rop search with maxhits
FILE=bins/elf/varsub
CMDS=<<EOF
e search.maxhits=1
/Rq pop r15
EOF
EXPECT=<<EOF
0x0040052c: pop r12; pop r13; pop r14; pop r15; ret;
EOF
RUN
NAME=rop search without maxhits
FILE=bins/elf/varsub
CMDS=/Rq pop r15~?
EXPECT=<<EOF
4
EOF
RUN
NAME=rop search without maxhits
FILE=bins/elf/varsub
CMDS=<<EOF
e search.maxhits=2
/Rq pop r15~?
EOF
EXPECT=<<EOF
2
EOF
RUN
NAME=search all rop gadgets
FILE=bins/elf/analysis/x86-helloworld-phdr
ARGS=-n
CMDS=<<EOF
e asm.nbytes=8
e asm.arch=x86
e asm.bits=32
/R
EOF
EXPECT=<<EOF
0x000000b4 cd80 int 0x80
0x000000b6 b801000000 mov eax, 1
0x000000bb b900000000 mov ecx, 0
0x000000c0 cd80 int 0x80
0x000000c2 c3 ret
0x000000b5 80b801000000b9 cmp byte [eax + 1], 0xb9
0x000000bc 0000 add byte [eax], al
0x000000be 0000 add byte [eax], al
0x000000c0 cd80 int 0x80
0x000000c2 c3 ret
0x000000b7 0100 add dword [eax], eax
0x000000b9 0000 add byte [eax], al
0x000000bb b900000000 mov ecx, 0
0x000000c0 cd80 int 0x80
0x000000c2 c3 ret
0x000000b8 0000 add byte [eax], al
0x000000ba 00b900000000 add byte [ecx], bh
0x000000c0 cd80 int 0x80
0x000000c2 c3 ret
EOF
RUN
NAME=search rop gadgets with a regexp
FILE=bins/elf/analysis/x86-helloworld-phdr
ARGS=-n
CMDS=<<EOF
e asm.arch=x86
e asm.bits=32
/R/ mov e[abcd]x
EOF
EXPECT=<<EOF
0x000000b4 cd80 int 0x80
0x000000b6 b801000000 mov eax, 1
0x000000bb b900000000 mov ecx, 0
0x000000c0 cd80 int 0x80
0x000000c2 c3 ret
0x000000b7 0100 add dword [eax], eax
0x000000b9 0000 add byte [eax], al
0x000000bb b900000000 mov ecx, 0
0x000000c0 cd80 int 0x80
0x000000c2 c3 ret
EOF
RUN
NAME=search rop gadgets and show them linearly
FILE=bins/elf/analysis/x86-helloworld-phdr
ARGS=-n
CMDS=<<EOF
e asm.arch=x86
e asm.bits=32
/Rq
EOF
EXPECT=<<EOF
0x000000b4: int 0x80; mov eax, 1; mov ecx, 0; int 0x80; ret;
0x000000b5: cmp byte [eax + 1], 0xb9; add byte [eax], al; add byte [eax], al; int 0x80; ret;
0x000000b7: add dword [eax], eax; add byte [eax], al; mov ecx, 0; int 0x80; ret;
0x000000b8: add byte [eax], al; add byte [ecx], bh; int 0x80; ret;
EOF
RUN
NAME=search rop gadgets with filter
FILE=bins/elf/analysis/x86-helloworld-phdr
ARGS=-n
CMDS=<<EOF
e asm.arch=x86
e asm.bits=32
/R ecx
EOF
EXPECT=<<EOF
0x000000b4 cd80 int 0x80
0x000000b6 b801000000 mov eax, 1
0x000000bb b900000000 mov ecx, 0
0x000000c0 cd80 int 0x80
0x000000c2 c3 ret
0x000000b7 0100 add dword [eax], eax
0x000000b9 0000 add byte [eax], al
0x000000bb b900000000 mov ecx, 0
0x000000c0 cd80 int 0x80
0x000000c2 c3 ret
0x000000b8 0000 add byte [eax], al
0x000000ba 00b900000000 add byte [ecx], bh
0x000000c0 cd80 int 0x80
0x000000c2 c3 ret
EOF
RUN
NAME=search rop gadgets with filter and output JSON
FILE=bins/elf/analysis/x86-helloworld-phdr
ARGS=-n
CMDS=<<EOF
e asm.arch=x86
e asm.bits=32
/Rj ecx
EOF
EXPECT=<<EOF
[{"opcodes":[{"offset":180,"size":2,"opcode":"int 0x80","type":"swi"},{"offset":182,"size":5,"opcode":"mov eax, 1","type":"mov"},{"offset":187,"size":5,"opcode":"mov ecx, 0","type":"mov"},{"offset":192,"size":2,"opcode":"int 0x80","type":"swi"},{"offset":194,"size":1,"opcode":"ret","type":"ret"}],"retaddr":194,"size":15},{"opcodes":[{"offset":183,"size":2,"opcode":"add dword [eax], eax","type":"add"},{"offset":185,"size":2,"opcode":"add byte [eax], al","type":"add"},{"offset":187,"size":5,"opcode":"mov ecx, 0","type":"mov"},{"offset":192,"size":2,"opcode":"int 0x80","type":"swi"},{"offset":194,"size":1,"opcode":"ret","type":"ret"}],"retaddr":194,"size":12},{"opcodes":[{"offset":184,"size":2,"opcode":"add byte [eax], al","type":"add"},{"offset":186,"size":6,"opcode":"add byte [ecx], bh","type":"add"},{"offset":192,"size":2,"opcode":"int 0x80","type":"swi"},{"offset":194,"size":1,"opcode":"ret","type":"ret"}],"retaddr":194,"size":11}]
EOF
RUN
NAME=search rop gadgets with a regex of the form (a|b)
FILE=bins/elf/analysis/x86-helloworld-phdr
ARGS=-n
CMDS=<<EOF
e asm.arch=x86
e asm.bits=32
"/R/ (ecx|eax)"
EOF
EXPECT=<<EOF
0x000000b4 cd80 int 0x80
0x000000b6 b801000000 mov eax, 1
0x000000bb b900000000 mov ecx, 0
0x000000c0 cd80 int 0x80
0x000000c2 c3 ret
0x000000b5 80b801000000b9 cmp byte [eax + 1], 0xb9
0x000000bc 0000 add byte [eax], al
0x000000be 0000 add byte [eax], al
0x000000c0 cd80 int 0x80
0x000000c2 c3 ret
0x000000b7 0100 add dword [eax], eax
0x000000b9 0000 add byte [eax], al
0x000000bb b900000000 mov ecx, 0
0x000000c0 cd80 int 0x80
0x000000c2 c3 ret
0x000000b8 0000 add byte [eax], al
0x000000ba 00b900000000 add byte [ecx], bh
0x000000c0 cd80 int 0x80
0x000000c2 c3 ret
EOF
RUN
NAME=search rop gadgets with another end gadget as part of it.
FILE=bins/elf/analysis/unoriginal
CMDS=<<EOF
e asm.bits=32
e rop.len=15
e search.from=0x08048340
e search.to=0x08048400
"/R push esp"
EOF
EXPECT=<<EOF
0x08048350 fff4 push esp
0x08048352 6690 nop
0x08048354 6690 nop
0x08048356 6690 nop
0x08048358 6690 nop
0x0804835a 6690 nop
0x0804835c 6690 nop
0x0804835e 6690 nop
0x08048360 8b1c24 mov ebx, dword [esp]
0x08048363 c3 ret
EOF
RUN
NAME=search rop with sequence.
FILE=bins/elf/analysis/x86-helloworld-gcc
CMDS="/R push esi;push ebx"
EXPECT=<<EOF
0x08048421 57 push edi
0x08048422 31ff xor edi, edi
0x08048424 56 push esi
0x08048425 53 push ebx
0x08048426 e805ffffff call 0x8048330
EOF
RUN
NAME=search rop with regex sequence.
FILE=bins/elf/analysis/x86-helloworld-gcc
CMDS=<<EOF
e asm.bits=32
"/R/ push esi;push ebx"
EOF
EXPECT=<<EOF
0x08048421 57 push edi
0x08048422 31ff xor edi, edi
0x08048424 56 push esi
0x08048425 53 push ebx
0x08048426 e805ffffff call 0x8048330
EOF
RUN
Reference in New Issue View Git Blame Copy Permalink