Problem with "--unique"

[Not-C-Developer]

Hi

It might me a problem with "--unique" parameter

Release version: 2.1.3
Windows x86

When i've tested, some ROP gadgets has been lost.

Commands for test
rp-win.exe -f "C:\Program Files\ibm\gsk8\lib\N\icc\osslib\libeay32IBM019.dll" -r 5 --bad-bytes \x00\x09\x0a\x0b\x0c\x0d\x20 > libeay32IBM019.txt
Select-String -Path libeay32IBM019.txt -Pattern ': pop ecx ; ret '|Measure-Object -Line
rp-win.exe -f "C:\Program Files\ibm\gsk8\lib\N\icc\osslib\libeay32IBM019.dll" -r 5 --bad-bytes \x00\x09\x0a\x0b\x0c\x0d\x20 --unique > libeay32IBM019_uniq.txt
Select-String -Path libeay32IBM019_uniq.txt -Pattern ': pop ecx ; ret '|Measure-Object -Line

[0vercl0k]

Do you mind uploading the DLL file somewhere so that I can take a look? Cheers

…

On Thu, Feb 13, 2025 at 3:34 AM Not-C-Developer ***@***.***> wrote: Hi It might me a problem with "--unique" parameter Release version: 2.1.3 Windows x86 When i've tested, some ROP gadgets has been lost. Commands for test rp-win.exe -f "C:\Program Files\ibm\gsk8\lib\N\icc\osslib\libeay32IBM019.dll" -r 5 --bad-bytes \x00\x09\x0a\x0b\x0c\x0d\x20 --unique > libeay32IBM019_uniq.txt Select-String -Path libeay32IBM019.txt -Pattern ': pop ecx ; ret '|Measure-Object -Line rp-win.exe -f "C:\Program Files\ibm\gsk8\lib\N\icc\osslib\libeay32IBM019.dll" -r 5 --bad-bytes \x00\x09\x0a\x0b\x0c\x0d\x20 --unique > libeay32IBM019_uniq.txt Select-String -Path libeay32IBM019_uniq.txt -Pattern ': pop ecx ; ret '|Measure-Object -Line image.png (view on web) <https://github.com/user-attachments/assets/224cd77a-1615-464e-997f-d4ff735b58a1> — Reply to this email directly, view it on GitHub <#59>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALIORJVZ2CTT4IULH275FT2PR7MBAVCNFSM6AAAAABXB6JADGVHI2DSMVQWIX3LMV43ASLTON2WKOZSHA2TANZXGU4DMNY> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***> [image: Not-C-Developer]*Not-C-Developer* created an issue (0vercl0k/rp#59) <#59> Hi It might me a problem with "--unique" parameter Release version: 2.1.3 Windows x86 When i've tested, some ROP gadgets has been lost. Commands for test rp-win.exe -f "C:\Program Files\ibm\gsk8\lib\N\icc\osslib\libeay32IBM019.dll" -r 5 --bad-bytes \x00\x09\x0a\x0b\x0c\x0d\x20 --unique > libeay32IBM019_uniq.txt Select-String -Path libeay32IBM019.txt -Pattern ': pop ecx ; ret '|Measure-Object -Line rp-win.exe -f "C:\Program Files\ibm\gsk8\lib\N\icc\osslib\libeay32IBM019.dll" -r 5 --bad-bytes \x00\x09\x0a\x0b\x0c\x0d\x20 --unique > libeay32IBM019_uniq.txt Select-String -Path libeay32IBM019_uniq.txt -Pattern ': pop ecx ; ret '|Measure-Object -Line image.png (view on web) <https://github.com/user-attachments/assets/224cd77a-1615-464e-997f-d4ff735b58a1> — Reply to this email directly, view it on GitHub <#59>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALIORJVZ2CTT4IULH275FT2PR7MBAVCNFSM6AAAAABXB6JADGVHI2DSMVQWIX3LMV43ASLTON2WKOZSHA2TANZXGU4DMNY> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[Not-C-Developer]

Ex.
https://www.sendspace.com/file/72zzd1

[0vercl0k]

Thank you, I can reproduce on my side - I will take a look at this this weekend! Cheers

…

On Fri, Feb 14, 2025 at 5:10 AM Not-C-Developer ***@***.***> wrote: Ex. https://www.sendspace.com/file/72zzd1 — Reply to this email directly, view it on GitHub <#59 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALIORN5767JFBDYQ4GC52D2PXTLZAVCNFSM6AAAAABXB6JADGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNJZGMYDGNJRG4> . You are receiving this because you commented.Message ID: ***@***.***> [image: Not-C-Developer]*Not-C-Developer* left a comment (0vercl0k/rp#59) <#59 (comment)> Ex. https://www.sendspace.com/file/72zzd1 — Reply to this email directly, view it on GitHub <#59 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALIORN5767JFBDYQ4GC52D2PXTLZAVCNFSM6AAAAABXB6JADGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNJZGMYDGNJRG4> . You are receiving this because you commented.Message ID: ***@***.***>

[0vercl0k]

Okay yeah I think I see the issue..🤦‍♂️

Basically uniqueness is calculated before applying the badbytes which means that if you have the same gadgets at N addresses and some of them have badbytes but some don't, the first one is picked as the 'unique' one discarding the other ones (regardless of it having badbytes or not). Then, all those unique hits are walked through & filtered for badbytes which means that now we have a gadget that has a badbyte so isn't shown; but there were duplicates that didn't have badbytes.

Anyways, give me a few days to get this fixed 😅

Cheers & thank you for the report!

[0vercl0k]

Okay I think I have a fix (it's not pretty but it'll have to do):

c:\>C:\work\codes\rp\src\build\RelWithDebInfo\rp-win.exe -r 5 -f libeay32IBM019.dll --unique --bad-bytes \x00\x09\x0a\x0b\x0c\x0d\x20 | rg ": pop ecx ; ret"
0x10011abb: pop ecx ; ret ; (283 found)

@Not-C-Developer you can try it out by grabbing the code in this branch: https://github.com/0vercl0k/rp/tree/fbl_%2359 & recompiling it yourself.

There's still this linking issue that I need to look into..

Cheers

[0vercl0k]

Okay actually I just fixed it - @Not-C-Developer you can also grab directly the CI artifacts if you don't want to rebuild it yourself; please give a shot to this one and let me know if it fixes your bug / if you see any other issue :)

• rp-win.zip

Cheers

[0vercl0k]

All right, if I don't here anything on here before next week-end I'll get this merged on ~Sunday :)

Cheers