About
Articles
Book Store
Distributed RCE
Downloads
Event Calendar
Forums
Live Discussion
Reference Library
RSS Feeds
Search
Store
Users
What's New
Customize Theme
bluegrey
blackgreen
metal
simple
Flag:
Tornado!
Hurricane!
Login:
Password:
Remember Me
Register
Blogs
>>
dennis
's Blog
Created: Saturday, July 24 2010 06:23.54 CDT
Modified: Saturday, July 31 2010 05:41.04 CDT
Printer Friendly ...
Dr. Gadget IDAPython plugin
Author:
dennis
# Views:
2089
Hi,
I wanted to share with you this little IDAPython plugin which helps in writing and analyzing return oriented payload. It uses IDA's custom viewers in order to display an array of DWORDs called 'items', where an item can be either a pointer to a gadget or a simple 'value'.
There are several keyboard shortcuts to access functionality that otherwise also is accessible via the context menu:
ESC - closes the plugin
ENTER - jumps to item address in disassembly
O - toggles item type (offset, value)
D - deletes an item
I - inserts an item
E - edits an item's value
Functionality that is accessible via context menu only:
Load payload - loads a payload from disk
Save payload - saves a payload to disk
Auto analysis I - tries to determine each item's type (offset, value)
Reset - resets each item's type
Show disassembly - opens a disassembly subwindow
Below screenshots show the plugin's interface. The IDB is a disassembly
of 'BIB.dll' (MD5: 2ec16a4cdb828a31a432513a82cbafdf). _rop.bin is some
exploit's payload in binary form (more info:
http://blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/
)
The plugin can be used either on a static disassembly or during an IDA debugging session.
The plugin is available here:
http://www.openrce.org/repositories/users/dennis/drgadget.py
_rop.bin is available here:
http://www.openrce.org/repositories/users/dennis/rop.bin
edit:
just uploaded v0.2 which adds Elias Bachaalany's "find instruction/opcode" script from
http://hexblog.com/2009/09/assembling_and_finding_instruc.html
Blog Comments
dennis
Posted: Thursday, August 26 2010 02:49.19 CDT
new version 0.3 uploaded, introducing following changes:
- bugfixes
- added ARM support
- primitive stack/pc tracing for ARM
- Disassembly view export to file
- string reference scanning in disasm view
- add support for comments both in rop view and disasm view in sync
- sync offset number display between ropview and disasm
screenshot below shows stage 2 of the ROP code of the
http://www.jailbreakme.com/
exploit.
code is available
here
all changes courtesy of Karthik (neox.fx at gmail dot com)
Add New Comment
Comment:
There are
22,007
total registered users.
Recently Created Topics
How to call C++ func...
Sep/09
Sep/09
Searching freelist[0...
Sep/05
How to fix this in o...
Sep/03
Trouble linking plug...
Sep/02
PyEmu error when cal...
Sep/02
Restore Themida/Winl...
Sep/02
Anti-olly technique
Aug/30
RAR Password
Aug/29
Heap protection on W...
Aug/23
Recent Forum Posts
Trouble linking plug...
timtoady
reverse engineering ...
Silkut
Trouble linking plug...
jduck
Trouble linking plug...
timtoady
Trouble linking plug...
jduck
Trouble linking plug...
timtoady
Trouble linking plug...
jduck
reverse engineering ...
raiden56
pydbg, memory breakp...
Researc...
RAR Password
Ineedhelp
Recent Blog Entries
waleedassar
Sep/08
svchost from A to zinc part5
waleedassar
Sep/06
svchost from A to zinc part4
waleedassar
Sep/04
svchost from A to Zinc part3
waleedassar
Sep/04
svchost from A to Zinc part2
Mcstyle
Sep/03
Cheap Pegeout Partner Tepee...
More ...
Recent Blog Comments
convik
on:
Sep/04
Is it legal??
djnemo
on:
Sep/04
Gunpack (God's Unpacker) - ...
frozenrain
on:
Sep/02
Restore Themida/Winlicense ...
tosanjay
on:
Sep/02
PyEmu 0.0.2
GynvaelColdwind
on:
Sep/01
Is it legal??
More ...
Imagery
SoySauce Blueprint
Jun 6, 2008
[+] expand
View Gallery
(11) /
Submit