9

How are return-oriented programs decompiled/reverse engineered?

Any pointers to any papers or reports would be appreciated.

cb88
debray
  • I think it would be helpful if you included more that you already do know about return oriented programs directly in your question. I would imagine that at the very least you could debug such a program in bochs... it would seem that following program flow through the gadgets is non trivial but I could be wrong about that... – cb88 Jun 21 '13 at 12:18

2 Answers

7

You might be interested in the Dr. Gadget IDAPython script (screenshots here, code here).

This little IDAPython plugin helps in writing and analyzing return oriented payloads. It uses IDA's custom viewers in order to display an array of DWORDs called 'items', where an item can be either a pointer to a gadget or a simple 'value'.

asheeshr
Rolf Rolles
1

Reverse engineering ROP is like normal RE, but I recommend doing dynamic analysis. ROP is, from my point of view, all about ESP, so the faster way to understand what the ROP code is doing is to find the pivot (to get control of ESP) or the start of the ROP, put a breakpoint on it and trace the stack. Then you can easily understand which functions are getting called and what the ROP code is really doing. So the key point to understanding ROP is the stack.

n00b
  • I'm just pointing this out but this is only a valid answer on x86. Of course most such software is x86 but its possible to do ROP on ARM as well for instance. – cb88 Jun 21 '13 at 12:20
  • My thanks to everyone for their answers. I'm leaning towards dynamic analysis myself (as suggested by n00b), but I'll certainly check out the Dr. Gadget script that Rolf mentioned. – debray Jun 21 '13 at 18:16
  • @cb88 It's only x86-specific because he referred to ESP. – Jonathon Reinhart Jun 28 '13 at 05:54
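Both answers describe the same analysis step from different angles: Dr. Gadget shows the payload as an array of DWORD "items" that are either gadget pointers or plain values, and n00b's dynamic approach is to sit at the pivot and follow ESP through the stack. The script below is an added illustration of that walk and is not part of the original thread, nor is it Dr. Gadget's code. It assumes a constructed 32-bit little-endian stack snapshot, a hypothetical gadget catalogue (every address and gadget in `GADGETS` is invented for the example) and a hypothetical post-pivot ESP of 0xBFFFF000; in real work the catalogue would come from the disassembler and the snapshot from the debugger at the pivot breakpoint.

```python
"""Annotate a captured stack snapshot the way a ROP viewer does, following ESP."""
import struct

# Constructed gadget catalogue: address -> (disassembly, DWORDs popped before the ret).
# All addresses are hypothetical and exist only for this example.
GADGETS = {
    0x080480B0: ("pop eax ; ret", 1),
    0x080480B4: ("pop ebx ; ret", 1),
    0x080480B8: ("xchg eax, esp ; ret", 0),  # a stack pivot
    0x080480C0: ("add eax, ebx ; ret", 0),
}

# Constructed stack snapshot as it would be read after the pivot (little-endian DWORDs):
# gadget, its popped operand, gadget, its popped operand, gadget, then a non-gadget value.
STACK_SNAPSHOT = struct.pack(
    "<6I",
    0x080480B0, 0x0000000B,
    0x080480B4, 0xBFFFF100,
    0x080480C0,
    0x41414141,
)


def parse_items(stack_bytes):
    """Split raw stack memory into the DWORD 'items' array a ROP viewer displays."""
    if len(stack_bytes) % 4:
        raise ValueError("stack snapshot must be a whole number of DWORDs")
    count = len(stack_bytes) // 4
    return list(struct.unpack("<%dI" % count, stack_bytes))


def trace_chain(items, gadgets, esp=0xBFFFF000):
    """Walk the items the way ESP would after each ret.

    Every slot reached by a ret is a return target: if it is a known gadget, the
    DWORDs that gadget pops are labelled as values rather than as targets. A slot
    reached by a ret that is not in the catalogue is flagged as unresolved, which is
    where the chain either ends or where the disassembler is missing a gadget.
    Returns a list of (slot address, value, label).
    """
    trace = []
    i = 0
    while i < len(items):
        value = items[i]
        if value in gadgets:
            name, pops = gadgets[value]
            trace.append((esp + 4 * i, value, "gadget: " + name))
            for k in range(1, pops + 1):
                if i + k < len(items):
                    trace.append((esp + 4 * (i + k), items[i + k], "value popped by " + name))
            i += 1 + pops
        else:
            trace.append((esp + 4 * i, value, "unresolved ret target"))
            i += 1
    return trace


def analyze(stack_bytes, gadgets=GADGETS, esp=0xBFFFF000):
    """Convenience wrapper: bytes in, annotated ESP trace out."""
    return trace_chain(parse_items(stack_bytes), gadgets, esp)


if __name__ == "__main__":
    for slot, value, label in analyze(STACK_SNAPSHOT):
        print("%08x  %08x  %s" % (slot, value, label))
```

The one thing the walk adds over simply hex-dumping the stack is the distinction between a slot ESP lands on via `ret` and a slot a gadget consumes via `pop`: the same value 0xBFFFF100 is an argument in one position and would be a broken return target in another, which is exactly what you need to know when reading a trace at a pivot breakpoint.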