About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

Blogs >> dennis's Blog

Created: Saturday, July 24 2010 06:23.54 CDT Modified: Saturday, July 31 2010 05:41.04 CDT
Printer Friendly ...
Dr. Gadget IDAPython plugin
Author: dennis # Views: 24097

Hi,

I wanted to share with you this little IDAPython plugin which helps in writing and analyzing return oriented payload. It uses IDA's custom viewers in order to display an array of DWORDs called 'items', where an item can be either a pointer to a gadget or a simple 'value'.
There are several keyboard shortcuts to access functionality that otherwise also is accessible via the context menu:

ESC   - closes the plugin
ENTER - jumps to item address in disassembly
O     - toggles item type (offset, value)
D     - deletes an item
I     - inserts an item
E     - edits an item's value

Functionality that is accessible via context menu only:

Load payload     - loads a payload from disk
Save payload     - saves a payload to disk

Auto analysis I  - tries to determine each item's type (offset, value)
Reset            - resets each item's type
Show disassembly - opens a disassembly subwindow


Below screenshots show the plugin's interface. The IDB is a disassembly
of 'BIB.dll' (MD5: 2ec16a4cdb828a31a432513a82cbafdf). _rop.bin is some
exploit's payload in binary form (more info:
http://blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/)









The plugin can be used either on a static disassembly or during an IDA debugging session.

The plugin is available here: http://www.openrce.org/repositories/users/dennis/drgadget.py
_rop.bin is available here: http://www.openrce.org/repositories/users/dennis/rop.bin

edit:
just uploaded v0.2 which adds Elias Bachaalany's "find instruction/opcode" script from
http://hexblog.com/2009/09/assembling_and_finding_instruc.html


Blog Comments
dennis Posted: Thursday, August 26 2010 02:49.19 CDT
new version 0.3 uploaded, introducing following changes:

- bugfixes
- added ARM support
- primitive stack/pc tracing for ARM
- Disassembly view export to file
- string reference scanning in disasm view
- add support for comments both in rop view and disasm view in sync
- sync offset number display between ropview and disasm

screenshot below shows stage 2 of the ROP code of the http://www.jailbreakme.com/ exploit.



code is available here

all changes courtesy of Karthik (neox.fx at gmail dot com)

dennis Posted: Wednesday, September 12 2012 06:11.12 CDT
Dr. Gadget has just been updated due to a bugfix (thanks Ivanlef0u). The project is now available on github (https://github.com/patois/DrGadget) and licensed under the Beerware license ;-)



Add New Comment
Comment:









There are 31,302 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...
djnemo on:
Nov/17
Kernel debugger vs user mod...
acel on:
Nov/14
Kernel debugger vs user mod...
pedram on:
Dec/21
frida.github.io: scriptable...
capadleman on:
Jun/19
Using NtCreateThreadEx for ...
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit