crackers 0.9.0

A tool for synthesizing Code Reuse Attacks (ROP chains) using Ghidra's p-code and Z3
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

use crate::error::CrackersError;
use crate::error::CrackersError::UnsimulatedOperation;
use crate::gadget::Gadget;
use jingle::modeling::ModeledBlock;
use jingle::sleigh::SleighArchInfo;
use std::borrow::Borrow;

#[derive(Clone, Debug, Default)]
pub struct CandidateBuilder {
    random_sample_size: usize,
}

impl CandidateBuilder {
    pub fn with_random_sample_size(mut self, size: usize) -> Self {
        self.random_sample_size = size;
        self
    }

    pub fn build<'a, T: Iterator<Item = Vec<Option<&'a Gadget>>>>(
        &self,
        iter: T,
    ) -> Result<Candidates, CrackersError> {
        let mut candidates: Vec<Vec<Gadget>> = vec![];
        for gc in iter {
            // todo: this feels ugly but I just need something that works for now
            if gc.len() != candidates.len() {
                candidates = gc.iter().map(|_| vec![]).collect();
            }
            gc.iter()
                .enumerate()
                .filter_map(|(i, g)| g.map(|g| (i, g.clone())))
                .for_each(|(i, g)| {
                    if candidates[i].len() < self.random_sample_size {
                        candidates[i].push(g)
                    }
                });
            if !candidates.iter().any(|g| g.len() < self.random_sample_size) {
                break;
            }
        }
        // We never found ANY candidates for ANYTHING
        if candidates.is_empty() {
            Err(UnsimulatedOperation { index: 0 })
        }
        // We never found candidates for something
        else if let Some((index, _)) = candidates.iter().enumerate().find(|(_, f)| f.is_empty()) {
            Err(UnsimulatedOperation { index })
        } else {
            // candidates!
            Ok(Candidates { candidates })
        }
    }
}

#[derive(Clone)]
pub struct Candidates {
    pub candidates: Vec<Vec<Gadget>>,
}

impl Candidates {
    pub fn model<T: Borrow<SleighArchInfo>>(
        &self,
        info: T,
    ) -> Result<Vec<Vec<ModeledBlock>>, CrackersError> {
        let info = info.borrow();
        let mut result = vec![];
        for x in &self.candidates {
            let mut v = vec![];
            for g in x {
                v.push(g.model(info)?);
            }
            result.push(v)
        }
        Ok(result)
    }
}