delay slot note

2020-07-26 03:18:08 -04:00 · 2020-07-26 03:18:08 -04:00 · a75699b904
parent 32c1a47905
commit a75699b904
1 changed files with 5 additions and 1 deletions
--- a/2020/3kctf/babym1ps/README.md
+++ b/2020/3kctf/babym1ps/README.md
@ -80,7 +80,11 @@ stored in a register `ra` rather than directly on the stack. so instead of most
 epilogue being able to work as a ROP gadget, only epilogues that pop `ra` from the stack and then
 return are applicable. there are also some gadgets involving the temp register `t9` - which is used
 by MIPS compilers to load certain library function calls from `gp` or other registers. so it's
-really a mix of both return- and call-oriented programming.
+really a mix of both return- and call-oriented programming. another important thing about MIPS is
+that each branch/jump has a _delay slot_, the instruction directly after the branch gets executed
+before the branch/jump gets taken, and also if it's not taken. the delay slots are prefixed in
+ghidra with `_`. this means useful gadget operations can actually come after the corresponding
+`jalr`, for example.

 it turns out pwntools is fairly useless for MIPS ROP, and i also tried a port of some IDA scripts to
 ghidra <https://github.com/tacnetsol/ghidra_scripts> but these didn't really turn up good results,