delay slot note
parent 32c1a47905
commit a75699b904
@@ -80,7 +80,11 @@ stored in a register `ra` rather than directly on the stack. so instead of most
 epilogue being able to work as a ROP gadget, only epilogues that pop `ra` from the stack and then
 return are applicable. there are also some gadgets involving the temp register `t9` - which is used
 by MIPS compilers to load certain library function calls from `gp` or other registers. so it's
-really a mix of both return- and call-oriented programming.
+really a mix of both return- and call-oriented programming. another important thing about MIPS is
+that each branch/jump has a _delay slot_, the instruction directly after the branch gets executed
+before the branch/jump gets taken, and also if it's not taken. the delay slots are prefixed in
+ghidra with `_`. this means useful gadget operations can actually come after the corresponding
+`jalr`, for example.
 
 it turns out pwntools is fairly useless for MIPS ROP, and i also tried a port of some IDA scripts to
 ghidra <https://github.com/tacnetsol/ghidra_scripts> but these didn't really turn up good results,
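Review bot: the added delay-slot sentence states its guarantee twice and reads awkwardly at "gets executed before the branch/jump gets taken, and also if it's not taken"; suggest "is executed before control transfers, whether or not the branch is taken". The consequence for gadget hunting is only hinted at by the `jalr` example: because the delay slot always runs, a gadget's effective instruction sequence extends one instruction past its terminating return or `jalr`, so the `_`-prefixed instruction shown by ghidra belongs to the gadget and has to be accounted for when chaining. Since the paragraph introduces `t9` as the register MIPS compilers load call targets into, writing the example as "after the corresponding `jalr t9`" would tie the two points together.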