{"id":19297221,"url":"https://github.com/programa-stic/ropc-llvm","last_synced_at":"2025-04-22T08:31:20.178Z","repository":{"id":10834154,"uuid":"13112562","full_name":"programa-stic/ropc-llvm","owner":"programa-stic","description":" ropc-llvm is a PoC of a Turing complete ROP compiler  with support for a subset of LLVM IR. It is an extension of ropc.","archived":false,"fork":false,"pushed_at":"2013-10-03T14:40:40.000Z","size":6324,"stargazers_count":66,"open_issues_count":0,"forks_count":14,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-11-09T23:02:23.784Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/programa-stic.png","metadata":{"files":{"readme":"README.ROPC","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-09-26T04:01:47.000Z","updated_at":"2023-10-27T09:16:06.000Z","dependencies_parsed_at":"2022-08-29T10:20:54.504Z","dependency_job_id":null,"html_url":"https://github.com/programa-stic/ropc-llvm","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/programa-stic%2Fropc-llvm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/programa-stic%2Fropc-llvm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/programa-stic%2Fropc-llvm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/programa-stic%2Fropc-llvm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/programa-stic","download_url":"https://codeload.github.com/programa-stic/ropc-llvm
/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250206150,"owners_count":21392195,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-09T23:01:48.342Z","updated_at":"2025-04-22T08:31:15.169Z","avatar_url":"https://github.com/programa-stic.png","language":"C","readme":"ROPC\n----\n\nROPC is an example of a Turing complete ROP compiler. It's not supposed to be\npractical -- generated payloads are too big to be useful (emulating a stack is\nvery space consuming).  Generated programs are pure -- nothing is ever executed\nfrom executable memory. \n\nPrograms for ROPC are written in a 'high-level' language ROPL. Its features\ninclude:\n- conditional jumps,\n- functions (even recursive),\n- local variables,\n- labels, pointers, memory dereferencing, nested arithmetic operations, etc.\n\nFor examples, look in examples-ropl/.\n\nROPC is a POC, and should be treated as such -- don't expect it to work on apps\nfrom /usr/bin. Test it on the included synthetic example (test.asm, test.c).\n\nCompiling\n---------\n\nCompile BAP (bap-0.4) as explained in its README/INSTALL files (you will need\nto install some dependencies and die a little inside during this process).\n\nCompile all of ROPC's utils with `make test-all` in ropc/ dir. Expected output:\n\n./a.out compiled.bin\nbuf=0x09f34170\nroundup buf=0x09f40000\n0\n1\n1\n2\n3\n5\n8\n13\n21\n34\n55\nSegmentation fault\n\n(it's supposed to segfault.)\n\nUtils\n-----\n\ngadget - extracts and dynamically classifies gadgets found in a binary. 
Usage:\n./gadget \u003cexe file\u003e \u003coutput file with gadget candidates\u003e\n\nverify - verifies the semantics of gadgets returned by the 'gadget' util. Usage:\n./verify \u003ccandidates file\u003e \u003cverified gadgets file\u003e. You will need the STP SAT\nsolver to use it.\n\nropc - actual compiler. Usage: ./ropc \u003cropl src file\u003e \u003cverified gadgets file\u003e.\nThe compiled ROP payload is saved to 'compiled.bin'.\n\na.out - a synthetic example with gadgets defined in 'test.asm'. Logic is\ndefined in 'test.c'. Usage: ./a.out \u003ccompiled ROP payload file\u003e - this will\nallocate new stack, copy the payload there and start executing it. It's useful\nfor testing compiled ROP programs :).\n\ndumper - dumps contents of gadget files created by 'gadget' or 'verify'. Usage:\n./dumper \u003cgadget file\u003e.\n\n\nHow it works\n------------\n\nROPC is based on Q [1]. Gadget discovery, classification and verification\nalgorithms are identical. The approach to compilation is very different though. \n\nOverview:\n- byte sequences (possible gadget candidates) ending in RET are dynamically\n  classified (like in Q),\n- semantics of found candidates are verified with a SAT solver (like in Q),\n- the AST of the ROPL source file is simplified and flattened to a list of\n  pseudoinstructions (PI).  PIs express complex logic using simpler PIs, or\n  gadgets. \n- ROPC unrolls all PIs to a list of gadgets, making sure that there are no\n  register conflicts and gadgets will not overwrite registers used by other\n  gadgets.\n\nAll of the magic happens during the last two steps. Stack is emulated in the\n.data section of the targeted application. Conditional jumps are implemented\nusing lahf / add esp, \u003creg\u003e gadgets.\n\nSee gdtr.wordpress.com for more details.\n\nPerformance\n-----------\n\nEmulating x86 from ocaml is very slow. Classifying all gadgets from the \nincluded examples takes ~30 secs. 
\n\nThe compilation process on the other hand is optimal in the sense that\nits running time is O(n), where n is the number of ROPL instructions.\nThere's a slight problem with the constant hidden in O(), but it's a\nbit too convoluted to describe here.\n\nThe Fibonacci example: examples-ropl/fib.ropl compiles in 2 seconds.\n\nBAP\n---\n\nROPC relies heavily on BAP [2] for IR handling, symbolic execution and\ninterfacing with SAT solvers.  At least you can use ROPC as an example of how\nto use BAP's API :). BAP has so much stuff implemented, that it's a crime not\nto use it :P.\n\nI'd like to thank Edward J. Schwartz from the CMU team, for his helpful\ncomments regarding BAP, Q, and other things.\n\nAuthor\n------\np_k\ntwitter.com/pa_kt\ngdtr.wordpress.com\n\nReferences\n----------\n1. Q: Exploit Hardening Made Easy, http://users.ece.cmu.edu/~ejschwar/papers/usenix11.pdf\n2. BAP: The Next-Generation Binary Analysis Platform, http://bap.ece.cmu.edu/\n","funding_links":[],"categories":["C"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprograma-stic%2Fropc-llvm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprograma-stic%2Fropc-llvm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprograma-stic%2Fropc-llvm/lists"}