ROP gadget finding

[pgoodman]

Just for fun, here is what it would look like to identify possible ROP gadgets.

#foreign gadget ```python Gadget```


; Declare a functor that will create an initial gadget, containing
; only one instruction (typically a return instruction).
#functor init_gadget(bound u64 RetEA, bound bytes RetInstBytes,
                     free gadget Chain) range(.)


; Declare a functor that will extend a gadget with a single instruction.
#functor extend_gadget(bound u64 EA, bound bytes InstBytes,
                       bound gadget BaseChain, free gadget Chain) range(.)


#local gadget_at(EA, Gadget)


; Make all discovered gadgets available.
#query gadget(free gadget Gadget)

gadget(Gadget) : gadget_at(_, Gadget).


; Base case, a return instruction.
gadget_at(InstEA, Gadget)
    : instruction(RetEA, INSN_RETURN, RetBytes)
    , init_gadget(RetEA, RetBytes, Gadget).


; Inductive case, a fall-through into a gadget.
gadget_at(InstEA, Gadget)
    : raw_transfer(InstEA, GadgetEA, EDGE_FALL_THROUGH)
    , gadget_at(GadgetEA, BaseGadget)
    , instruction(InstEA, INSN_NORMAL, InstBytes)
    , extend_gadget(InstEA, InstBytes, BaseGadget, Gadget).


; Inductive case, an unconditional jump into a gadget.
gadget_at(InstEA, Gadget)
    : raw_transfer(InstEA, GadgetEA, EDGE_JUMP_TAKEN)
    , gadget_at(GadgetEA, BaseGadget)
    , instruction(InstEA, INSN_DIRECT_JUMP, InstBytes)
    , extend_gadget(InstEA, InstBytes, BaseGadget, Gadget).


#prologue ```python

Gadget = Tuple[Tuple[int, bytes], ...]

def init_gadget_bbf(ea: int, ea_bytes: bytes) -> Gadget:
  reuturn ((ea, ea_bytes),)

def extend_gadget_bbbf(ea: int, ea_bytes: bytes, gadget_chain: Gadget) -> Gadget:
  return ((ea, ea_bytes),) + gadget_chain

#```