ROP Basic Skill (slide 16, 2023/2/7)
⚫ Repeatable add into %eax
[Slide figure: gadget-chain diagram. Legible fragments: `pop %edx; ret`, `movl %ecx,(%edx); ret`, `addl (%edx),%eax; push %edi; pop %ecx ... ret`, a data word 0xdeadbeef, and %esp pointing into the chain.]
ROP Basic Skill (slide 17)
⚫ An infinite loop by means of an unconditional jump
[Slide figure: a single `pop %esp; ret` gadget whose stack word points back at itself, so %esp is reloaded with the same address on every iteration.]
ROP Basic Skill (slide 18)
⚫ Conditional jumps, phase one: Clear CF if %eax is zero, set CF if %eax is nonzero
[Slide figure: the `neg %eax; ret` gadget, with %esp pointing at its address in the chain.]
ROP Basic Skill (slide 19)
⚫ Conditional jumps, phase two: Store either 1 or 0 in the data word labeled "CF goes here," depending on whether CF is set or not
[Slide figure: gadget-chain diagram. Legible fragments: `pop %ecx; pop %edx; ret`, the data word 0x00000000, `adc %cl,%cl; ret`, `movl %ecx,(%edx); ret`, and the target data word marked "(CF goes here)".]
ROP Basic Skill (slide 20)
⚫ Conditional jumps, phase three, part one: Convert the word (labeled "CF here") containing either 1 or 0 to contain either esp_delta or 0. The data word labeled 0xbadc0ded is used for scratch
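As an added example (not from the slides), a Python model of the x86 flag arithmetic the three phases above rely on: `neg` leaves CF equal to (%eax != 0), `adc %cl,%cl` with %cl == 0 copies CF into a register that is then stored, and a negate-and-mask step turns the stored 0/1 into 0/esp_delta. The negate-and-AND conversion in phase three and the final addition to %esp are assumptions about the parts of the construction the slides do not show; the concrete values are constructed.

```python
# Model of the 32-bit x86 semantics behind the ROP conditional-jump phases.
MASK32 = 0xFFFFFFFF


def neg32(val):
    """neg on a 32-bit operand: returns (result, CF). CF is set iff val != 0."""
    return (-val) & MASK32, int(val != 0)


def adc8(dst, src, cf):
    """adc on 8-bit operands: dst + src + CF, truncated to a byte."""
    return (dst + src + cf) & 0xFF


def cf_to_word(eax):
    """Phases one and two: the value that lands in the 'CF goes here' word."""
    _, cf = neg32(eax)              # phase one: neg %eax sets CF <- (eax != 0)
    ecx = 0x00000000                # phase two: pop %ecx loads the 0x00000000 word
    cl = adc8(ecx & 0xFF, ecx & 0xFF, cf)   # adc %cl,%cl: 0 + 0 + CF == CF
    ecx = (ecx & ~0xFF) | cl        # upper bytes of %ecx stay zero
    return ecx                      # movl %ecx,(%edx) stores this word


def word_to_delta(cf_word, esp_delta):
    """Phase three, part one (assumed method): 1 -> esp_delta, 0 -> 0.
    neg turns 1 into 0xFFFFFFFF and leaves 0 as 0; AND-ing with esp_delta
    then yields either esp_delta or 0 (the 0xbadc0ded scratch word is
    where such an intermediate would be kept in the chain)."""
    mask, _ = neg32(cf_word)
    return mask & (esp_delta & MASK32)


def rop_conditional_esp(esp, eax, esp_delta):
    """Assumed final step: %esp advances by esp_delta only when %eax != 0."""
    delta = word_to_delta(cf_to_word(eax), esp_delta)
    return (esp + delta) & MASK32


if __name__ == "__main__":
    # Constructed sample values: a chain at 0xbffff000 and a 0x40-byte skip.
    for eax in (0, 7, 0x80000000):
        print(hex(eax), "->", hex(rop_conditional_esp(0xBFFFF000, eax, 0x40)))
```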