diff --git a/ropper/ropchain/arch/ropchainx86.py b/ropper/ropchain/arch/ropchainx86.py
index 7a26300..132a3a8 100644
--- a/ropper/ropchain/arch/ropchainx86.py
+++ b/ropper/ropchain/arch/ropchainx86.py
@@ -659,7 +659,7 @@ def create(self, options={}):
 raise RopChainError('No argument support for execve commands')
 self._printMessage('ROPchain Generator for syscall execve:\n')
- self._printMessage('\nwrite command into data section\neax 0x3b\nebx address to cmd\necx address to null\nedx address to null\n')
+ self._printMessage('\nwrite command into data section\neax 0xb\nebx address to cmd\necx address to null\nedx address to null\n')
 chain = self._printHeader()
 gadgets = []
 can_create_command = False
@@ -695,7 +695,7 @@ def create(self, options={}):
 gadgets.append((self._createAddress, [cmdaddress],{'reg':'ebx'},['ebx', 'bx', 'bl', 'bh']))
 gadgets.append((self._createAddress, [nulladdress],{'reg':'ecx'},['ecx', 'cx', 'cl', 'ch']))
 gadgets.append((self._createAddress, [nulladdress],{'reg':'edx'},['edx', 'dx', 'dl', 'dh']))
- gadgets.append((self._createNumber, [0x3b],{'reg':'eax'},['eax', 'ax', 'al', 'ah']))
+ gadgets.append((self._createNumber, [0xb],{'reg':'eax'},['eax', 'ax', 'al', 'ah']))
 if address is not None and not can_create_command:
 if type(address) is str:
 cmdaddress = int(address, 16)
@@ -709,7 +709,7 @@ def create(self, options={}):
 gadgets.append((self._createNumber, [cmdaddress],{'reg':'ebx'},['ebx', 'bx', 'bl', 'bh']))
 gadgets.append((self._createNumber, [nulladdress],{'reg':'ecx'},['ecx', 'cx', 'cl', 'ch']))
 gadgets.append((self._createNumber, [nulladdress],{'reg':'edx'},['edx', 'dx', 'dl', 'dh']))
- gadgets.append((self._createNumber, [0x3b],{'reg':'eax'},['eax', 'ax', 'al', 'ah']))
+ gadgets.append((self._createNumber, [0xb],{'reg':'eax'},['eax', 'ax', 'al', 'ah']))
 self._printMessage('Try to create chain which fills registers without delete content of previous filled registers')
 chain_tmp += self._createDependenceChain(gadgets)
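Review bot: The execve syscall number is still spelled out as a bare literal in three separate places — the `eax 0xb` text inside the help message in this hunk and the `_createNumber` arguments in the hunks at lines 695 and 709 — so the message and the gadgets can drift apart again exactly as they did with 0x3b (the x86-64 execve number, whereas 32-bit x86 uses 0xb). A single module-level constant such as `SYS_EXECVE_X86 = 0xb`, passed to `_createNumber` and interpolated into the message with `'...\neax 0x%x\n...' % SYS_EXECVE_X86`, would keep the two in sync, and a one-line comment on that constant noting that the value differs between 32-bit and 64-bit x86 documents why it is architecture-specific. Separately, the `options={}` default visible in the hunk header is a mutable default argument; if `create` ever writes to that dict it would be shared across calls, so `options=None` with `options = options or {}` is the safer form — I cannot see the rest of the body to confirm whether it is mutated. The enclosing `create` method starts and ends outside these hunks.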