Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Gadget address for vmlinux ELF x86_64 off by 0x200000

See original GitHub issue

I’m not convinced #107 was entirely resolved by e0f704faaa05b537fbb678df7c4e3a172918f63d. The same section.offset code pattern is in use in a few places, and I recently ran into this issue using RopperService.searchInstructions on Ropper 1.13.5.

Note discrepancy below of 0x200000L between the gadgets returned by RopperService.searchInstructions versus the gadgets returned by CLI with the --instructions flag.

It’s possible that the discrepancy is due to Python environment, but the sanity check implies otherwise.

test@ubuntu-16-04-x64:~/Desktop/Ropper$ git diff ropper/rop.py
diff --git a/ropper/rop.py b/ropper/rop.py
index e176009..fa2fda9 100644
--- a/ropper/rop.py
+++ b/ropper/rop.py
@@ -216,6 +216,7 @@ class Ropper(object):
         toReturn = []
         code = bytearray(section.bytes)
         offset = section.offset
+        print("sanity check - we are using this lib file")
         for match in re.finditer(opcode, code):
             opcodeGadget = Gadget(binary.checksum, section.name, binary.arch)
 
test@ubuntu-16-04-x64:~/Desktop/Ropper$ python3 -m ropper --file /home/test/Desktop/vmlinux --instructions 'mov rdi, rax ; pop rbx ; mov rax, rdi ; pop r12 ; pop rbp ; ret'
sanity check - we are using this lib file
sanity check - we are using this lib file



Instructions
============


0xffffffff8117d5d7: mov rdi, rax; pop rbx; mov rax, rdi; pop r12; pop rbp; ret; 

1 gadgets found
test@ubuntu-16-04-x64:~/Desktop/Ropper$ python3 ./sample.py 
sanity check - we are using this lib file
0xffffffff8137d5d7: mov rdi, rax; pop rbx; mov rax, rdi; pop r12; pop rbp; ret; 
test@ubuntu-16-04-x64:~/Desktop/Ropper$ python -c "print(hex(0xffffffff8137d5d7 - 0xffffffff8117d5d7))"
0x200000L
test@ubuntu-16-04-x64:~/Desktop/Ropper$ cat sample.py 
#!/usr/bin/env python3
import ropper
from ropper import RopperService

# not all options need to be given
options = {
  'color' : True,
  'badbytes': '00',
  'all' : True,
  'type' : 'all',
  'detailed' : False
}

rs = RopperService(options)

f = '/home/test/Desktop/vmlinux'
rs.addFile('vmlinux', bytes=open(f, 'rb').read(), raw=True, arch='x86_64')

code = 'mov rdi, rax ; pop rbx ; mov rax, rdi ; pop r12 ; pop rbp ; ret'

rs.setImageBaseFor(name='vmlinux', imagebase=0xffffffff81000000)

gadgets_dict = rs.searchInstructions(code=code, name='vmlinux')

for file, gadgets in gadgets_dict.items():
    for g in gadgets:
        print(g)

test@ubuntu-16-04-x64:~/Desktop/Ropper$ python3 -m ropper -v
Version: Ropper 1.13.5
Author: Sascha Schirra
Website: http://scoding.de/ropper

test@ubuntu-16-04-x64:~/Desktop/Ropper$