ROPGenerator – Tool That Helps You Building ROP Exploits By Finding And Chaining Gadgets Together

ROPGenerator is a tool that makes ROP exploits easy. It enables you to automatically find gadgets or build ROP chains. The current version supports x86 and x64 binaries.OverviewROPGenerator uses the tool ROPgadget (https://github.com/JonathanSalwan/ROPgadget) to extract gadgets from binaries and the barf-project (https://github.com/programa-stic/barf-project) to disassembly them. After gadgets are extracted, it analyzes them in order to compute their semantic and stores them according to their usefullness. Once the analysis is done, you can request ROPGenerator to automatically find gadgets or ROP chains by supplying semantic queries.ROPGenerator is written in python. The tool has python2-only dependencies so it runs under python2 so far.Please note that the current ROPGenerator version is still a beta under active development, therefore it might not work perfectly on some systems.Why using ROPGenerator ?Nice Command Line Interface : Enjoy a nice and smooth CLI with easy-to-use commandsSemantic gadget search : Find your gadgets quickly by only specifying the desired semanticsGadget chaining engine : No suitable single gadget ? ROPGenerator will build ROP chains for youFully automated exploit building : ROPGenerator can build entire exploits… all by itself !InstallationInstall ROPGeneratorYou can download the source and run$ python setup.py install$ ROPGeneratorInstall DependenciesROPGenerator depends on ROPgadget, prompt_toolkit, enum, python-magic, pwntools and barf v0.4.0:python-magic, enum, pwntools barf v0.4.0, and prompt_toolkit packages will be added automaticaly during installationROPgadget will also be installed automatically if you don’t have it already. However, the currently available package on pypi is not up-to-date. Therefore, it will be installed as “ROPgadget4ROPGenerator", a recent fork of ROPgadget.Getting startedROPGenerator is very easy to use ! For a quick starting guide, check ROPGenerator’s WikiScreenshotsGet helpLoad gadgets from a binaryEasily look for gadgets !Download ROPGenerator

Link: http://feedproxy.google.com/~r/PentestTools/~3/XTBQY7vfKCE/ropgenerator-tool-that-helps-you.html

ROPgadget – This Tool Lets You Search Your Gadgets On Your Binaries To Facilitate Your ROP Exploitation

This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports ELF/PE/Mach-O format on x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures. Since the version 5, ROPgadget has a new core which is written in Python using Capstone disassembly framework for the gadgets search engine – The older version can be found in the Archives directory but it will not be maintained.InstallIf you want to use ROPgadget, you have to install Capstone first.For the Capstone’s installation on nix machine:$ sudo pip install capstoneCapstone supports multi-platforms (windows, ios, android, cygwin…). For the cross-compilation, please refer to the https://github.com/aquynh/capstone/blob/master/COMPILE.TXT file.After Capstone is installed, ROPgadget can be used as a standalone tool:$ ROPgadget.pyOr installed into the Python site-packages library, and executed from $PATH.$ python setup.py install$ ROPgadgetOr installed from PyPi$ pip install ropgadget$ ROPgadgetUsageusage: ROPgadget.py [-h] [-v] [-c] [–binary ] [–opcode <opcodes>] [–string <string>] [–memstr <string>] [–depth <nbyte>] [–only <key>] [–filter <key>] [–range <start-end>] [–badbytes <byte>] [–rawArch <arch>] [–rawMode <mode>] [–re <re>] [–offset <hexaddr>] [–ropchain] [–thumb] [–console] [–norop] [–nojop] [–nosys] [–multibr] [–all] [–dump]optional arguments: -h, –help show this help message and exit -v, –version Display the ROPgadget’s version -c, –checkUpdate Checks if a new version is available –binary <binary> Specify a binary filename to analyze –opcode <opcodes> Search opcode in executable segment –string <string> Search string in readable segment –memstr <string> Search each byte in all readable segment –depth <nbyte> Depth for search engine (default 10) –only <key> Only show specific instructions –filter <key> Suppress specific instructions –range <start-end> Search between two addresses (0x…-0x…) –badbytes <byte> Rejects specific bytes in the gadget’s address –rawArch <arch> Specify an arch for a raw file –rawMode <mode> Specify a mode for a raw file –re <re> Regular expression –offset <hexaddr> Specify an offset for gadget addresses –ropchain Enable the ROP chain generation –thumb Use the thumb mode for the search engine (ARM only) –console Use an interactive console for search engine –norop Disable ROP search engine –nojop Disable JOP search engine –callPreceded Only show gadgets which are call-preceded (x86 only) –nosys Disable SYS search engine –multibr Enable multiple branch gadgets –all Disables the removal of duplicate gadgets –dump Outputs the gadget bytesScreenshotsDownload ROPgadget

Link: http://feedproxy.google.com/~r/PentestTools/~3/GLrMnvW88oo/ropgadget-this-tool-lets-you-search.html

Rp++ – Tool That Aims To Find ROP Sequences In PE/Elf/Mach-O X86/X64 Binaries

rp++ is a full-cpp written tool that aims to find ROP sequences in PE/Elf/Mach-O (doesn’t support the FAT binaries) x86/x64 binaries. It is open-source, documented with Doxygen (well, I’m trying to..) and has been tested on several OS: Debian / Windows 7 / FreeBSD / Mac OSX Lion (10.7.3). Moreover, it is x64 compatible. I almost forgot, it handles both Intel and AT&T syntax (beloved BeaEngine). By the way, the tool is a standalone executable.You can build very easily rp++ with CMake, it will generate a project file for your prefered IDE. There are some other things you will be able to do with rp++, like finding hexadecimal values, or strings, etc.Benchmark: Is it efficient ?Yeah, here are some benchmarks on Win7 x64, Intel i7 Q720 @ 1.6GHz, 4GB RAM:- Target: ntoskrnl.exe x64 version 6.1.7601.17790 D:\rp-win-x64.exe –file=ntoskrnl.exe –rop=8 > n ~80s for a total of 267356 gadgets found.- Target: chrome.exe x86 version 18.0.1025.168 D:\rp-win-x64.exe –file=chrome.exe –rop=8 > n ~13s for a total of 75459 gadgets found.- Target: cmd.exe x86 version v6.1.7600 D:\rp-win-x64.exe –file=cmd.exe –rop=8 > n ~15s for a total of 18818 gadgets found.- Target: bash x86 version 4.1.5.1 D:\rp-win-x64.exe –file=bash-x86 –rop=8 > n ~12s for a total of 45385 gadgets found.Screenshotsrp++ on Win7 x64 / Debian Squeeze x64 / FreeBSD x64 / Mac OSX Lion x64: How to use it ?USAGE:./rp++ [-hv] [-f ] [-i <1,2,3>] [-r <positive int>] [–raw=<archi>] [–atsyntax] [–unique] [–search-hexa=<\x90A\x90>] [–search-int=<int in hex>]OPTIONS: -f, –file=<binary path> give binary path -i, –info=<1,2,3> display information about the binary header -r, –rop=<positive int> find useful gadget for your future exploits, arg is the gadget maximum size in instructions –raw=<archi> find gadgets in a raw file, ‘archi’ must be in the following list: x86, x64 –atsyntax enable the at&t syntax –unique display only unique gadget –search-hexa=<\x90A\x90> try to find hex values –search-int=<int in hex> try to find a pointer on a specific integer value -h, –help print this help and exit -v, –version print version information and exitWhere I can download standalone binaries ?There are an x86 and an x64 versions for Windows (compiled with VS 2010 on Win7 x64), Linux (compiled with gcc 4.4.5 on Debian x64 6.0.1), FreeBSD (compiled with gcc 4.2.1 on FreeBSD 8.2) and Mac OSX (compiled with gcc 4.2.1 on OSX 10.7.3 ; not statically linked): https://github.com/0vercl0k/rp/downloadsHere are the sha1sums:a2e71e88a5c14c81ae184258184e5d83082f184d *rp-fbsd-x6429c2d5462865d28042bffe9e723d25c19f0da1f7 *rp-fbsd-x8657e23ef42954a08c9833099d87544e2166c58b94 *rp-lin-x64efcaf2a9584a23559e3e5b109eb37cbde89f8b29 *rp-lin-x865c612b3eff470b613ea06ebbbb882f0aaef8e3b4 *rp-osx-x642e32273b657b44d6b9a56e89ec2e2c2731713d87 *rp-osx-x86e5e6930eb469e92f79b59941330f23daf62800be *rp-win-x64.exef83d4d9f9e73a60a31e495e2fbd2404c560f1a27 *rp-win-x86.exeDownload Rp++

Link: http://feedproxy.google.com/~r/PentestTools/~3/IY0eObzZgyM/rp-tool-that-aims-to-find-rop-sequences.html

Ropper – You Can Use Ropper To Display Information About Files In Different File Formats And You Can Find Gadgets To Build Rop Chains For Different Architectures (X86/X86_64, ARM/ARM64, MIPS, PowerPC)

You can use ropper to display information about binary files in different file formats and you can search for gadgets to build rop chains for different architectures (x86/X86_64, ARM/ARM64, MIPS/MIPS64, PowerPC). For disassembly ropper uses the awesome Capstone Framework.NOTE: I recommend to use the dev version of ropper, because bugfixes are earlier available in dev branch.InstallInstall Capstone with PyPi:$ sudo pip install capstoneInstall filebytes with PyPi:$ sudo pip install filebytesOptional (not needed to run ropper just to look for gadgets):Install Keystone:$ sudo pip install keystone-engineInstall and execute Ropper$ python setup.py install$ ropperYou can also install Ropper with pip$ pip install ropperIf you want, you can use Ropper without installation$ ./Ropper.pyIf you don’t want to install filebytes, filebytes is a submodule of the ropper repository. This means you don’t need to install filebytes and ropper.$ git clone https://github.com/sashs/ropper.git$ cd ropper$ git submodule init$ git submodule update$ ./Ropper.pyTHIS FEATURE IS STILL UNDER DEVELOPEMENT! Ropper has a semantic search command, which offers the possiblity to search for gadgets. Due to a dependency, this command only works with python2 on linux, but I am working on porting this dependency to python3. Since python3 is default on some systems, ropper2 can be used to execute ropper with python2.$ ropper2 –file –semantic “<any constraint>"The following optional dependencies are needed to use semantic search:Install pyvex$ sudo pip install pyvexInstall z3py$ python scripts/mk_make.py$ cd build$ make$ sudo make installCurrently Possible Constraintsreg == reg – assign register to anotherreg == number – assign number to registerreg == [reg] – assign memory to registerreg += number/reg/[reg]reg -= number/reg/[reg]reg *= number/reg/[reg]reg /= number/reg/[reg]Constraint Exampleeax==1 !ebx – set eax to 1 and look for gadgets which does not clobber ebxUsageusage: Ropper.py [-h] [-v] [–console] [-f <file>] [-r] [-a <arch>] [–section <section>] [–string [<string>]] [–hex] [–asm <asm> [H|S|R] [<asm> [H|S|R] …]] [–disasm <opcode>] [–disassemble-address <address:length>] [-i] [-e] [–imagebase] [-c] [-s] [-S] [–imports] [–symbols] [–set <option>] [–unset <option>] [-I <imagebase>] [-p] [-j <reg>] [–stack-pivot] [–inst-count <n bytes>] [–search <regex>] [–quality <quality>] [–opcode <opcode>] [–instructions <instructions>] [–type <type>] [–detailed] [–all] [–cfg-only] [–chain <generator>] [-b <badbytes>] [–nocolor] [–clear-cache]You can use ropper to display information about binary files in different file formats and you can search for gadgets to build rop chains for different architecturessupported filetypes: ELF PE Mach-O Rawsupported architectures: x86 [x86] x86_64 [x86_64] MIPS [MIPS, MIPS64] ARM/Thumb [ARM, ARMTHUMB] ARM64 [ARM64] PowerPC [PPC, PPC64]available rop chain generators: execve (execve[=<cmd>], default /bin/sh) [Linux x86, x86_64] mprotect (mprotect=<address>:<size>) [Linux x86, x86_64] virtualprotect (virtualprotect=<address iat vp>:<size>) [Windows x86]optional arguments: -h, –help show this help message and exit -v, –version Print version –console Starts interactive commandline -f <file>, –file <file> The file to load -r, –raw Loads the file as raw file -a <arch>, –arch <arch> The architecture of the loaded file –section <section> The data of the this section should be printed –string [<string>] Looks for the string <string> in all data sections –hex Prints the selected sections in a hex format –asm <asm> [H|S|R] [<asm> [H|S|R] …] A string to assemble and a format of the output (H=HEX, S=STRING, R=RAW, default: H) –disasm <opcode> Opcode to disassemble (e.g. ffe4, 89c8c3, …) –disassemble-address <address:length> Disassembles instruction at address <address> (0x12345678:L3). The count of instructions to disassemble can be specified (0x….:L…) -i, –info Shows file header [ELF/PE/Mach-O] -e Shows EntryPoint –imagebase Shows ImageBase [ELF/PE/Mach-O] -c, –dllcharacteristics Shows DllCharacteristics [PE] -s, –sections Shows file sections [ELF/PE/Mach-O] -S, –segments Shows file segments [ELF/Mach-O] –imports Shows imports [ELF/PE] –symbols Shows symbols [ELF] –set <option> Sets options. Available options: aslr nx –unset <option> Unsets options. Available options: aslr nx -I <imagebase> Uses this imagebase for gadgets -p, –ppr Searches for ‘pop reg; pop reg; ret’ instructions [only x86/x86_64] -j <reg>, –jmp <reg> Searches for ‘jmp reg’ instructions (-j reg[,reg…]) [only x86/x86_64] –stack-pivot Prints all stack pivot gadgets –inst-count <n bytes> Specifies the max count of instructions in a gadget (default: 6) –search <regex> Searches for gadgets –quality <quality> The quality for gadgets which are found by search (1 = best) –opcode <opcode> Searchs for opcodes (e.g. ffe4 or ffe? or ff??) –instructions <instructions> Searchs for instructions (e.g. "jmp esp", "pop eax; ret") –type <type> Sets the type of gadgets [rop, jop, sys, all] (default: all) –detailed Prints gadgets more detailed –all Does not remove duplicate gadgets –cfg-only Filters out gadgets which fail the Microsoft CFG check. Only for PE files which are compiled with CFG check enabled (check DllCharachteristics) [PE] –chain <generator> Generates a ropchain [generator parameter=value[ parameter=value]] -b <badbytes>, –badbytes <badbytes> Set bytes which should not contains in gadgets –nocolor Disables colored output –clear-cache Clears the cacheexample uses: [Generic] ./Ropper.py ./Ropper.py –file /bin/ls –console [Informations] ./Ropper.py –file /bin/ls –info ./Ropper.py –file /bin/ls –imports ./Ropper.py –file /bin/ls –sections ./Ropper.py –file /bin/ls –segments ./Ropper.py –file /bin/ls –set nx ./Ropper.py –file /bin/ls –unset nx ./Ropper.py –file /bin/ls –inst-count 5 ./Ropper.py –file /bin/ls –search "sub eax" –badbytes 000a0d ./Ropper.py –file /bin/ls –search "sub eax" –detail ./Ropper.py –file /bin/ls –filter "sub eax" ./Ropper.py –file /bin/ls –inst-count 5 –filter "sub eax" ./Ropper.py –file /bin/ls –opcode ffe4 ./Ropper.py –file /bin/ls –opcode ffe? ./Ropper.py –file /bin/ls –opcode ??e4 ./Ropper.py –file /bin/ls –detailed ./Ropper.py –file /bin/ls –ppr –nocolor ./Ropper.py –file /bin/ls –jmp esp,eax ./Ropper.py –file /bin/ls –type jop ./Ropper.py –file /bin/ls –chain execve ./Ropper.py –file /bin/ls –chain "execve cmd=/bin/sh" –badbytes 000a0d ./Ropper.py –file /bin/ls –chain "mprotect address=0xbfdff000 size=0x21000" ./Ropper.py –file /bin/ls /lib/libc.so.6 –console [Assemble/Disassemble] ./Ropper.py –asm "jmp esp" ./Ropper.py –asm "mov eax, ecx; ret" ./Ropper.py –disasm ffe4 [Search] ./Ropper.py –file /bin/ls –search <searchstring> ? any character % any string Example: ./Ropper.py –file /bin/ls –search "mov e?x" 0x000067f1: mov edx, dword ptr [ebp + 0x14]; mov dword ptr [esp], edx; call eax 0x00006d03: mov eax, esi; pop ebx; pop esi; pop edi; pop ebp; ret ; 0x00006d6f: mov ebx, esi; mov esi, dword ptr [esp + 0x18]; add esp, 0x1c; ret ; 0x000076f8: mov eax, dword ptr [eax]; mov byte ptr [eax + edx], 0; add esp, 0x18; pop ebx; ret ; ./Ropper.py –file /bin/ls –search "mov [%], edx" 0x000067ed: mov dword ptr [esp + 4], edx; mov edx, dword ptr [ebp + 0x14]; mov dword ptr [esp], edx; call eax; 0x00006f4e: mov dword ptr [ecx + 0x14], edx; add esp, 0x2c; pop ebx; pop esi; pop edi; pop ebp; ret ; 0x000084b8: mov dword ptr [eax], edx; ret ; 0x00008d9b: mov dword ptr [eax], edx; add esp, 0x18; pop ebx; ret ; ./Ropper.py –file /bin/ls –search "mov [%], edx" –quality 1 0x000084b8: mov dword ptr [eax], edx; ret ;; ret ;Use ropper in Scripts#!/usr/bin/env pythonfrom ropper import RopperService# not all options need to be givenoptions = {‘color’ : False, # if gadgets are printed, use colored output: default: False ‘badbytes’: ’00’, # bad bytes which should not be in addresses or ropchains; default: ” ‘all’ : False, # Show all gadgets, this means to not remove double gadgets; default: False ‘inst_count’ : 6, # Number of instructions in a gadget; default: 6 ‘type’ : ‘all’, # rop, jop, sys, all; default: all ‘detailed’ : False} # if gadgets are printed, use detailed output; default: Falsers = RopperService(options)##### change options ######rs.options.color = Truers.options.badbytes = ’00’rs.options.badbytes = ”rs.options.all = True##### open binaries ####### it is possible to open multiple filesrs.addFile(‘test-binaries/ls-x86’)rs.addFile(‘ls’, bytes=open(‘test-binaries/ls-x86′,’rb’).read()) # other possiblityrs.addFile(‘ls_raw’, bytes=open(‘test-binaries/ls-x86′,’rb’).read(), raw=True, arch=’x86′)##### close binaries ######rs.removeFile(‘ls’)rs.removeFile(‘ls_raw’)# Set architecture of a binary, so it is possible to look for gadgets for a different architecture# It is useful for ARM if you want to look for ARM gadgets or Thumb gadgets# Or if you opened a raw filels = ‘test-binaries/ls-x86’rs.setArchitectureFor(name=ls, arch=’x86′)rs.setArchitectureFor(name=ls, arch=’x86_64′)rs.setArchitectureFor(name=ls, arch=’ARM’)rs.setArchitectureFor(name=ls, arch=’ARMTHUMB’)rs.setArchitectureFor(name=ls, arch=’ARM64′)rs.setArchitectureFor(name=ls, arch=’MIPS’)rs.setArchitectureFor(name=ls, arch=’MIPS64′)rs.setArchitectureFor(name=ls, arch=’PPC’)rs.setArchitectureFor(name=ls, arch=’PPC64′)rs.setArchitectureFor(name=ls, arch=’x86′)##### load gadgets ####### load gadgets for all opened filesrs.loadGadgetsFor() # load gadgets for only one opened filels = ‘test-binaries/ls-x86’rs.loadGadgetsFor(name=ls)# change gadget typers.options.type = ‘jop’rs.loadGadgetsFor() rs.options.type = ‘rop’rs.loadGadgetsFor() # change instruction countrs.options.inst_count = 10rs.loadGadgetsFor() ##### print gadgets #######rs.printGadgetsFor() # print all gadgetsrs.printGadgetsFor(name=ls)##### Get gadgets ######gadgets = rs.getFileFor(name=ls).gadgets##### search pop pop ret ######pprs = rs.searchPopPopRet(name=ls) # looks for ppr only in ‘test-binaries/ls-x86’pprs = rs.searchPopPopRet() # looks for ppr in all opened filesfor file, ppr in pprs.items(): for p in ppr: print p##### load jmp reg ######jmp_regs = rs.searchJmpReg(name=ls, regs=[‘esp’, ‘eax’]) # looks for jmp reg only in ‘test-binaries/ls-x86’jmp_regs = rs.searchJmpReg(regs=[‘esp’, ‘eax’])jmp_regs = rs.searchJmpReg() # looks for jmp esp in all opened filesfor file, jmp_reg in jmp_regs.items(): for j in jmp_reg: print j##### search opcode ######ls = ‘test-binaries/ls-x86’gadgets_dict = rs.searchOpcode(opcode=’ffe4′, name=ls)gadgets_dict = rs.searchOpcode(opcode=’ffe?’)gadgets_dict = rs.searchOpcode(opcode=’??e4′)for file, gadgets in gadgets_dict.items(): for g in gadgets: print g##### search instructions ######ls = ‘test-binaries/ls-x86’for file, gadget in rs.search(search=’mov e?x’, name=ls): print file, gadgetfor file, gadget in rs.search(search=’mov [e?x%]’): print file, gadget result_dict = rs.searchdict(search=’mov eax’)for file, gadgets in result_dict.items(): print file for gadget in gadgets: print gadget##### assemble instructions ######hex_string = rs.asm(‘jmp esp’)print ‘"jmp esp" assembled to hex string =’, hex_stringraw_bytes = rs.asm(‘jmp esp’, format=’raw’)print ‘"jmp esp" assembled to raw bytes =’, raw_bytesstring = rs.asm(‘jmp esp’, format=’string’)print ‘"jmp esp" assembled to string =’,stringarm_bytes = rs.asm(‘bx sp’, arch=’ARM’)print ‘"bx sp" assembled to hex string =’, arm_bytes##### disassemble bytes #######arm_instructions = rs.disasm(arm_bytes, arch=’ARM’)print arm_bytes, ‘disassembled to "%s"’ % arm_instructions# Change the imagebase, this also change the imagebase for all loaded gadgets of this binaryrs.setImageBaseFor(name=ls, imagebase=0x0)# reset image basers.setImageBaseFor(name=ls, imagebase=None)gadgets = rs.getFileFor(name=ls).gadgets# gadget addressprint hex(gadgets[0].address)# get instruction bytes of gadgetprint bytes(gadgets[0].bytes).encode(‘hex’)# remove all gadgets containing bad bytes in addressrs.options.badbytes = ‘000a0d’ # gadgets are filtered automaticallyProject pagehttp://scoding.de/ropperScreenshotsDownload Ropper

Link: http://feedproxy.google.com/~r/PentestTools/~3/TIPVwZVtIOQ/ropper-you-can-use-ropper-to-display.html

BARF – A multiplatform open source Binary Analysis and Reverse engineering Framework

The analysis of binary code is a crucial activity in many areas of the computer sciences and software engineering disciplines ranging from software security and program analysis to reverse engineering. Manual binary analysis is a difficult and time-consuming task and there are software tools that seek to automate or assist human analysts. However, most of these tools have several technical and commercial restrictions that limit access and use by a large portion of the academic and practitioner communities. BARF is an open source binary analysis framework that aims to support a wide range of binary code analysis tasks that are common in the information security discipline. It is a scriptable platform that supports instruction lifting from multiple architectures, binary translation to an intermediate representation, an extensible framework for code analysis plugins and interoperation with external tools such as debuggers, SMT solvers and instrumentation tools. The framework is designed primarily for human-assisted analysis but it can be fully automated. The BARF project includes BARF and related tools and packages. So far the project is composed of the following items: BARF : A multiplatform open source Binary Analysis and Reverse engineering Framework PyAsmJIT : A JIT for the Intel x86_64 and ARM architecture. Tools built upon BARF : BARFgadgets : Lets you search , classifiy and verify ROP gadgets inside a binary program. BARFcfg : Lets you recover the control-flow graph of the functions of a binary program. BARFcg : Lets you recover the call graph of the functions of a binary program. For more information, see: BARF: A multiplatform open source Binary Analysis and Reverse engineering Framework (Whitepaper) [ en ] BARFing Gadgets (ekoparty2014 presentation) [ es ] Current status: Latest Release v0.3 URL https://github.com/programa-stic/barf-project/releases/tag/v0.3 Change Log https://github.com/programa-stic/barf-project/blob/v0.3/CHANGELOG.md All packages were tested on Ubuntu 16.04 (x86_64). BARF BARF is a Python package for binary analysis and reverse engineering. It can: Load binary programs in different formats ( ELF , PE , etc), It supports the Intel x86 architecture for 32 and 64 bits, It supports the ARM architecture for 32 bits, It operates on an intermediate language ( REIL ) thus all analysis algorithm are architecture-agnostic, It has integration with Z3 and CVC4 SMT solvers which means that you can express fragments of code as formulae and check restrictions on them. It is currently under development . Installation BARF depends on the following SMT solvers: Z3 : A high-performance theorem prover being developed at Microsoft Research. CVC4 : An efficient open-source automatic theorem prover for satisfiability modulo theories (SMT) problems. The following command installs BARF on your system: $ sudo python setup.py installYou can also install it locally: $ sudo python setup.py install –user Notes Only one SMT solver is needed in order to work. You may choose between Z3 and CVC4 or install both. You can use the barf-install-solver.sh script which downloads and install both solver. To run some tests you need to install PyAsmJIT first. Quickstart This is a very simple example which shows how to open a binary file and print each instruction with its translation to the intermediate language ( REIL ). from barf import BARF# Open binary file.barf = BARF(“examples/bin/x86/branch1")# Print assembly instruction.for addr, asm_instr, reil_instrs in barf.translate(): print("0x{addr:08x} {instr}".format(addr=addr, instr=asm_instr)) # Print REIL translation. for reil_instr in reil_instrs: print("{indent:11s} {instr}".format(indent="", instr=reil_instr))We can also recover the CFG and save it to a .dot file. # Recover CFG.cfg = barf.recover_cfg()# Save CFG to a .dot file.cfg.save("branch1_cfg")We can check restrictions on code using a SMT solver. For instance, suppose you have the following code: 80483ed: 55 push ebp 80483ee: 89 e5 mov ebp,esp 80483f0: 83 ec 10 sub esp,0x10 80483f3: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8] 80483f6: 8b 55 f4 mov edx,DWORD PTR [ebp-0xc] 80483f9: 01 d0 add eax,edx 80483fb: 83 c0 05 add eax,0x5 80483fe: 89 45 fc mov DWORD PTR [ebp-0x4],eax 8048401: 8b 45 fc mov eax,DWORD PTR [ebp-0x4] 8048404: c9 leave 8048405: c3 retAnd you want to know what values you have to assign to memory locations ebp-0x4 , ebp-0x8 and ebp-0xc in order to obtain a specific value in eax register after executing the code. First, we add the instructions to the analyzer component. from barf import BARF# Open ELF filebarf = BARF("examples/bin/x86/constraint1")# Add instructions to analyze.for addr, asm_instr, reil_instrs in barf.translate(0x80483ed, 0x8048401): for reil_instr in reil_instrs: barf.code_analyzer.add_instruction(reil_instr)Then, we generate expressions for each variable of interest # Get smt expression for eax and ebp registerseap = barf.code_analyzer.get_register_expr("eax")ebp = barf.code_analyzer.get_register_expr("ebp")# Get smt expressions for memory locations (each one of 4 bytes)a = barf.code_analyzer.get_memory_expr(ebp-0x8, 4)b = barf.code_analyzer.get_memory_expr(ebp-0xc, 4)c = barf.code_analyzer.get_memory_expr(ebp-0x4, 4)And add the desired restrictions on them. # Set range for variablesbarf.code_analyzer.set_preconditions([a >= 2, a <= 100])barf.code_analyzer.set_preconditions([b >= 2, b <= 100])# Set desired value for the resultbarf.code_analyzer.set_postcondition(c == 13)Finally, we check is the restrictions we establish can be resolved. # Check satisfiability.if barf.code_analyzer.check() == ‘sat’: print("SAT!") # Get concrete value for expressions. eax_val = barf.code_analyzer.get_expr_value(eax) a_val = barf.code_analyzer.get_expr_value(a) b_val = barf.code_analyzer.get_expr_value(b) c_val = barf.code_analyzer.get_expr_value(c) # Print values. print("eax : 0x{0:%08x} ({0})".format(eax_val)) print("ebp : 0x{0:%08x} ({0})".format(ebp_val)) print(" a : 0x{0:%08x} ({0})".format(a_val)) print(" b : 0x{0:%08x} ({0})".format(b_val)) print(" c : 0x{0:%08x} ({0})".format(c_val))else: print("UNSAT!")You can see these and more examples in the examples directory. Overview The framework is divided in three main components: core , arch and analysis . Core This component contains essential modules: REIL : Provides definitions for the REIL language. It, also, implements an emulator and a parser . SMT : Provides means to interface with Z3 SMT solver. Also, it provides functionality to translate REIL instructions to SMT expressions. BI : The Binary Interface module is responsible for loading binary files for processing (it uses [PEFile] and [PyELFTools].) Arch Each supported architecture is provided as a subcomponent which contains the following modules. Architecture : Describes the architecture, i.e., registers, memory address size. Translator : Provides translators to REIL for each supported instruction. Disassembler : Provides disassembling functionalities (it uses Capstone.) Parser : Transforms instruction in string to object form (provided by the Instruction module.) Analysis So far this component consists of two modules: Control-Flow Graph , Call Graph and Code Analyzer . The first two, provides functionality for CFG and CG recovery, respectively. The latter, its a high-level interface to the SMT-solver-related functionalities. Directory Structure barf/ Framework’s main directory.doc/ Documentation.examples/ Basic example scripts that show various functionalities.scripts/ Installation scripts.tests/ BARF package tests.tools/ Tools build upon BARF. Notes SMT solver interfacing is provided by the file core/smt/smtlibv2.py taken from PySymEmu . Tools BARFgadgets BARFgadgets is a Python script built upon BARF that lets you search , classifiy and verify ROP gadgets inside a binary program. The search stage finds all ret -, jmp – and call -ended gadgets inside the binary. The classification stage classifies previously found gadgets according to the following types: No-Operation, Move Register, Load Constant, Arithmetic/Logical Operation, Load Memory, Store Memory, Arithmetic/Logical Load, Arithmetic/Logical Store and Undefined. This is done through instruction emulation. Finally, the verification stage consists of using a SMT solver to verify the semantic assigned to each gadget in the second stage. usage: BARFgadgets [-h] [–version] [–bdepth BDEPTH] [–idepth IDEPTH] [-u] [-c] [-v] [-o OUTPUT] [-t] [–sort {addr,depth}] [–color] [–show-binary] [–show-classification] filenameTool for finding, classifying and verifying ROP gadgets.positional arguments: filename Binary file name.optional arguments: -h, –help show this help message and exit –version Display version. –bdepth BDEPTH Gadget depth in number of bytes. –idepth IDEPTH Gadget depth in number of instructions. -u, –unique Remove duplicate gadgets (in all steps). -c, –classify Run gadgets classification. -v, –verify Run gadgets verification (includes classification). -o OUTPUT, –output OUTPUT Save output to file. -t, –time Print time of each processing step. –sort {addr,depth} Sort gadgets by address or depth (number of instructions) in ascending order. –color Format gadgets with ANSI color sequences, for output in a 256-color terminal or console. –show-binary Show binary code for each gadget. –show-classification Show classification for each gadget.For more information, see README . BARFcfg BARFcfg is a Python script built upon BARF that lets you recover the control-flow graph of a binary program. usage: BARFcfg [-h] [-s SYMBOL_FILE] [-a] [-o RECOVER_ONE] [-f {graph,text}] [-t] [-d OUTPUT_DIR] [-b] [-r] filenameTool for recovering CFG of a binary.positional arguments: filename Binary file name.optional arguments: -h, –help show this help message and exit -s SYMBOL_FILE, –symbol-file SYMBOL_FILE Load symbols from file. -a, –recover-all Recover all functions. -o RECOVER_ONE, –recover-one RECOVER_ONE Recover specified function. -f {graph,text}, –format {graph,text} Output format. -t, –time Print process time. -d OUTPUT_DIR, –output-dir OUTPUT_DIR Ouput directory. -b, –brief Brief output. -r, –show-reil Show REIL translation.For more information, see README . BARFcg BARFcg is a Python script built upon BARF that lets you recover the call graph of a binary program. usage: BARFcg [-h] [-s SYMBOL_FILE] [-a] [-t] filenameTool for recovering CG of a binary.positional arguments: filename Binary file name.optional arguments: -h, –help show this help message and exit -s SYMBOL_FILE, –symbol-file SYMBOL_FILE Load symbols from file. -a, –recover-all Recover all functions. -t, –time Print process time.For more information, see README . PyAsmJIT PyAsmJIT is a Python package for x86_64/ARM assembly code generation and execution. This package was developed in order to test BARF instruction translation from x86_64/ARM to REIL. The main idea is to be able to run fragments of code natively. Then, the same fragment is translated to REIL and executed in a REIL VM. Finally, both final contexts (the one obtained through native execution and the one from emulation) are compare for differences. For more information, see PyAsmJit . Download BARF

Link: http://feedproxy.google.com/~r/PentestTools/~3/sy2otH3qVr8/barf-multiplatform-open-source-binary.html