AArch64 multi-ret gadgets

[zachriggle]

It seems that we should never see the following:

0x0000000000409328 : ldp x20, x19, [sp], #0x20 ; ret ; adrp x8, #0x52c000 ; add x8, x8, #0x1c0 ; add x8, x8, #0x10 ; str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret

Note that there are two ret gadgets.

The full sequence per objdump is:

  409328:	f4 4f c2 a8 	ldp	x20, x19, [sp], #32
  40932c:	c0 03 5f d6 	ret
  409330:	08 09 00 f0 	adrp	x8, #1191936
  409334:	08 01 07 91 	add	x8, x8, #448
  409338:	08 41 00 91 	add	x8, x8, #16
  40933c:	28 00 00 f9 	str		x8, [x1]
  409340:	08 04 40 f9 	ldr	x8, [x0, #8]
  409344:	28 04 00 f9 	str	x8, [x1, #8]
  409348:	c0 03 5f d6 	ret

[JonathanSalwan]

Go ahead for a PR :)

[JonathanSalwan]

btw, i don't really maintain ropgadget since i'm on other projects now. So, if you want to be a maintainer, i'm ok with this :)

[zachriggle]

Ah, bummer! Are you aware of any currently-maintained projects which offer similar functionality?

[JonathanSalwan]

Ropper by @sashs maybe ?

[zachriggle]

I'll have to check it out. It's a bummer that it's GPLed though :(

[0vercl0k]

I am 5 years late... but fwiw i'm finally adding arm64 support to rp in 0vercl0k/rp#31:

>C:\work\codes\rp\src\build\RelWithDebInfo\rp-win-x64.exe --file z.bin --raw arm64 --rop=10
Trying to open 'z.bin'..
FileFormat: raw, Arch: ARM64

Wait a few seconds, rp++ is looking for gadgets (2 threads max)..
A total of 9 gadgets found.
0xc: add x8, x8, #0x1c0 ; add x8, x8, #0x10 ; str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x08\x01\x07\x91\x08\x41\x00\x91\x28\x00\x00\xf9\x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x18: ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x8: adrp x8, #0x123000 ; add x8, x8, #0x1c0 ; add x8, x8, #0x10 ; str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x08\x09\x00\xf0\x08\x01\x07\x91\x08\x41\x00\x91\x28\x00\x00\xf9\x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x10: add x8, x8, #0x10 ; str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x08\x41\x00\x91\x28\x00\x00\xf9\x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x14: str x8, [x1] ; ldr x8, [x0, #8] ; str x8, [x1, #8] ; ret  ; \x28\x00\x00\xf9\x08\x04\x40\xf9\x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x1c: str x8, [x1, #8] ; ret  ; \x28\x04\x00\xf9\xc0\x03\x5f\xd6 (1 found)
0x4: ret  ; \xc0\x03\x5f\xd6 (1 found)
0x20: ret  ; \xc0\x03\x5f\xd6 (1 found)
0x0: ldp x20, x19, [sp], #0x20 ; ret  ; \xf4\x4f\xc2\xa8\xc0\x03\x5f\xd6 (1 found)

Cheers