
Tutorial unchain

magrazia edited this page May 24, 2016 · 1 revision

This phase applies a number of assembly transformations to simplify each ROP trace: it removes the connections between gadgets and merges the contents of consecutive gadgets into a single basic block. This step is also responsible for removing immediate values from the stack and assigning them to the corresponding registers.

The example below shows how to invoke the unchain plugin, what its output looks like and what it contains.

    emdel -> time python vol.py unchain -f ../rop_dumps/0/rkrop_pmem_raw_0x00.ram --profile Linuxubuntu-serverx64x64 -B /tmp/prova.bin -i 25-04-16_part1_0-78100_hwcontext.json -S 1 -G 10 --dtb=62967808
    Volatility Foundation Volatility Framework 2.3.1
    [+] From gadget: 1
    [+] To gadget: 10
    [+] Getting 25-04-16_part1_0-78100_hwcontext.json
    [+] Creating /tmp/prova.bin
    [INPUT] 1) ret
    [INPUT] 2) pop rax
    [OUTPUT]  mov rax, 0xffff88001bc00000
    [INPUT] 3) ret
    [INPUT] 4) mov qword ptr [rax], rdx
    [OUTPUT]  mov rdx, 0x0
    ...

It generates /tmp/prova.bin, a binary blob containing the new version of the chain:

    emdel -> ndisasm -b 64 /tmp/prova.bin | egrep -v "\-00|\-FF" | head
    00000000  48B80000C01B0088  mov rax,0xffff88001bc00000
    0000000A  48BA000000000000  mov rdx,0x0
    00000014  488910            mov [rax],rdx
    00000017  48B80800C01B0088  mov rax,0xffff88001bc00008
    00000021  48BA000000000000  mov rdx,0x0
    0000002B  48BA000000000000  mov rdx,0x0
    00000035  488910            mov [rax],rdx
    00000038  48B934946A81FFFF  mov rcx,0xffffffff816a9434
    00000042  48BA6E6B6281FFFF  mov rdx,0xffffffff81626b6e
    0000004C  4881C410000000    add rsp,0x10

Under the hood, the /tmp directory contains a ropmemu directory holding the assembly code fed to nasm and the generated binary blobs, as shown below:

    emdel -> cat /tmp/ropmemu/ropmemu_2.asm
    [BITS 64]
    mov rax, 0xffff88001bc00000

    emdel -> xxd /tmp/ropmemu/ropmemu_2
    0000000: 48b8 0000 c01b 0088 ffff                 H.........

This directory, and consequently all of its files, can be removed with the -C (clean) flag. To speed up the process and reduce the number of calls to nasm, you can use and load the so-called opcode db. To dump the opcodes into the opcode db, use the -D flag (e.g., -D /tmp/db) as shown below:

    emdel -> time python vol.py unchain -f ../rop_dumps/0/rkrop_pmem_raw_0x00.ram --profile Linuxubuntu-serverx64x64 -B /tmp/prova.bin -i 25-04-16_part1_0-78100_hwcontext.json -S 1 -G 10 -D /tmp/db --dtb=62967808
    ...
    [INPUT] 14) pop rdx
    [OUTPUT]  mov rdx, 0xffffffff81626b6e
    [INPUT] 15) ret
    [INPUT] 16) add rsp, 0x10
    [OUTPUT]  add rsp, 0x10
    [INPUT] 17) ret

    [+] Dumping /tmp/db_dechain_10.json

    real    0m27.059s
    user    0m25.148s
    sys     0m1.880s

The db is a JSON object that maps the assembly text of each merged block to its base64-encoded machine code:

    emdel -> cat /tmp/db_dechain_10.json
    {
      "mov rax, 0xffff88001bc00000": "SLgAAMAbAIj//w==",
      "mov rdx, 0x0\nmov qword [rax], rdx": "SLoAAAAAAAAAAEiJEA==",
      "mov rax, 0xffff88001bc00008": "SLgIAMAbAIj//w==",
      "mov qword rdx, 0x0": "SLoAAAAAAAAAAA==",
      "mov rcx, 0xffffffff816a9434": "SLk0lGqB/////w==",
      "mov rdx, 0xffffffff81626b6e": "SLpua2KB/////w==",
      "add rsp, 0x10": "SIHEEAAAAA=="
    }
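Because a later run reuses the cached bytes instead of calling nasm, a stale or hand-edited db entry would be spliced straight into the blob. The following added example (not part of ropmemu) loads an excerpt of the db above, base64-decodes every entry and decodes the three REX.W instruction forms that occur in it, reporting any key whose cached bytes no longer encode the key text; the JSON excerpt is copied from the page, and the decoder deliberately covers only those forms.

```python
import base64
import json

# Excerpt of the opcode db shown above (/tmp/db_dechain_10.json): assembly text -> base64 bytes.
DB_JSON = r'''{
  "mov rax, 0xffff88001bc00000": "SLgAAMAbAIj//w==",
  "mov rdx, 0x0\nmov qword [rax], rdx": "SLoAAAAAAAAAAEiJEA==",
  "mov qword rdx, 0x0": "SLoAAAAAAAAAAA==",
  "add rsp, 0x10": "SIHEEAAAAA=="
}'''
REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

def load_db(text=DB_JSON):
    return json.loads(text)

def decode_x64(code):
    # Decodes only the REX.W forms this db uses: mov r64,imm64 / mov [r64],r64 / add r64,imm32.
    out, i = [], 0
    while i < len(code):
        if len(code) - i < 3 or code[i] != 0x48:
            raise ValueError("unsupported encoding at offset %d" % i)
        op, modrm = code[i + 1], code[i + 2]
        if 0xB8 <= op <= 0xBF and len(code) - i >= 10:           # 48 B8+r imm64
            imm = int.from_bytes(code[i + 2:i + 10], "little")
            out.append("mov %s, %#x" % (REGS[op - 0xB8], imm))
            i += 10
        elif op == 0x89 and modrm >> 6 == 0 and modrm & 7 not in (4, 5):  # 48 89 /r, mod=00
            out.append("mov [%s], %s" % (REGS[modrm & 7], REGS[(modrm >> 3) & 7]))
            i += 3
        elif op == 0x81 and modrm >> 3 == 0b11000 and len(code) - i >= 7:  # 48 81 /0 imm32, mod=11
            imm = int.from_bytes(code[i + 3:i + 7], "little", signed=True)
            out.append("add %s, %#x" % (REGS[modrm & 7], imm))
            i += 7
        else:
            raise ValueError("unsupported encoding at offset %d" % i)
    return out

def normalize(key):
    # Keys mix "mov rdx, 0x0" and "mov qword rdx, 0x0": drop size words and surplus blanks.
    return [" ".join(l.replace("qword", "").replace("ptr", "").split()) for l in key.split("\n")]

def verify_db(db):
    # Keys whose cached bytes no longer decode to the key text (stale or edited cache entries).
    return [k for k, v in db.items() if decode_x64(base64.b64decode(v)) != normalize(k)]

def build_blob(db, keys):
    # Concatenate cached encodings in chain order, as a db-backed run would splice them.
    return b"".join(base64.b64decode(db[k]) for k in keys)
```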