ROPgadget Quick Reference
=========================

BASIC USAGE
  ROPgadget --binary binary             Find all gadgets
  ROPgadget --binary binary --depth 10  Deeper search

FILTERING
  ROPgadget --binary binary --only "pop|ret"      Only pop/ret
  ROPgadget --binary binary --only "mov|ret"      Only mov/ret
  ROPgadget --binary binary --filter "leave"      Exclude leave

SEARCHING
  ROPgadget --binary binary --string "/bin/sh"    Find string
  ROPgadget --binary binary --opcode "c3"         Find by opcode
  ROPgadget --binary binary --re "pop .* ; ret"   Regex search

AUTO ROP CHAIN
  ROPgadget --binary binary --ropchain            Auto-generate chain

COMMON GADGETS TO FIND
  # x86-64 function call setup
  pop rdi ; ret          # 1st argument
  pop rsi ; ret          # 2nd argument
  pop rdx ; ret          # 3rd argument
  pop rax ; ret          # syscall number
  syscall ; ret          # syscall

  # x86 (32-bit)
  pop eax ; ret
  pop ebx ; ret
  int 0x80               # syscall

  # Stack pivot
  xchg rax, rsp ; ret
  leave ; ret

  # Write-what-where
  mov [rdi], rax ; ret
  mov qword ptr [rsi], rdi ; ret
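HOW THE SEARCH WORKS (added example)
  The following Python is an added illustration, not code from ROPgadget or any
  other tool on this page: a toy ret-anchored gadget finder that mirrors what
  --depth and --re do. It runs over constructed bytes (not from a real binary)
  and decodes only pop/ret/leave/syscall, enough to show that a "pop r14 ; pop
  r15 ; ret" tail also yields "pop rsi ; pop r15 ; ret" and "pop rdi ; ret" at
  misaligned offsets, which is why gadget lists are longer than the source's
  intended instructions and why auditing only intended code underestimates them.

```python
import re

# Constructed sample bytes (not from a real binary): an epilogue, a csu-style
# tail, a syscall stub and leave/ret, behind one opcode the decoder can't read.
CODE = bytes.fromhex(
    "48 89 e5"        # mov rbp, rsp   (undecodable here: acts as filler)
    "5f c3"           # pop rdi ; ret
    "41 5e 41 5f c3"  # pop r14 ; pop r15 ; ret
    "0f 05 c3"        # syscall ; ret
    "c9 c3"           # leave ; ret
)
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

def decode(code):
    """Mnemonics for a byte run, or None if any byte is outside the few opcodes
    handled: pop r64 (REX.B prefix for r8-r15), ret, leave, syscall."""
    insns, i = [], 0
    while i < len(code):
        b = code[i]
        if b == 0xC3:
            insns.append("ret"); i += 1
        elif b == 0xC9:
            insns.append("leave"); i += 1
        elif b == 0x0F and code[i + 1:i + 2] == b"\x05":
            insns.append("syscall"); i += 2
        elif b == 0x41 and i + 1 < len(code) and 0x58 <= code[i + 1] <= 0x5F:
            insns.append("pop r%d" % (8 + code[i + 1] - 0x58)); i += 2
        elif 0x58 <= b <= 0x5F:
            insns.append("pop " + REGS64[b - 0x58]); i += 1
        else:
            return None
    return insns

def find_gadgets(code, base=0x400000, depth=3):
    """Map address -> 'insn ; ... ; ret' for every decodable byte run ending in
    a c3 byte; depth caps instructions per gadget (ROPgadget --depth). Every
    start offset is tried, so unintended (misaligned) gadgets appear too."""
    gadgets = {}
    for end in range(len(code)):
        if code[end] != 0xC3:
            continue
        for start in range(max(0, end - 2 * depth), end + 1):  # insns <= 2 bytes
            insns = decode(code[start:end + 1])
            if insns and len(insns) <= depth and "ret" not in insns[:-1]:
                gadgets[base + start] = " ; ".join(insns)
    return gadgets

def search(gadgets, pattern):
    """Addresses whose gadget text matches a regex (like ROPgadget --re)."""
    return sorted(a for a, g in gadgets.items() if re.search(pattern, g))
```

  Running find_gadgets(CODE) on the 15 constructed bytes yields 11 gadgets at
  depth 3 but only the four bare "ret"s at depth 1, and search(..., r"^pop rdi ; ret$")
  returns both the intended epilogue and the misaligned copy inside the csu tail.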

ROPPER (alternative tool)
  ropper -f binary                    Find gadgets
  ropper -f binary --search "pop rdi" Search specific
  ropper -f binary --chain execve     Auto chain

PWNTOOLS ROP
  from pwn import *
  e = ELF("./binary")
  rop = ROP(e)

  # find_gadget returns a Gadget object (or None); .address gives the raw value
  pop_rdi     = rop.find_gadget(["pop rdi", "ret"]).address
  pop_rsi_r15 = rop.find_gadget(["pop rsi", "pop r15", "ret"]).address
  ret_gadget  = rop.find_gadget(["ret"]).address   # ret gadget for alignment

  # Build chain
  got_puts = e.got["puts"]           # address of GOT[puts]
  rop.raw(ret_gadget)                # Stack alignment (rsp 16-byte aligned before the call)
  rop.call("puts", [got_puts])       # Call puts(GOT[puts]); "puts" resolves via the PLT
  rop.call("main")                   # Return to main
  chain = rop.chain()                # bytes to append to the payload
  print(rop.dump())                  # human-readable view of the chain

COMMON CTF ROP PATTERNS
  # ret2libc (x86-64)
  1. Leak a libc address (call puts@plt with GOT[puts] as its argument)
  2. Compute the libc base (leaked address minus that symbol's offset in libc)
  3. Find system() and "/bin/sh" in libc
  4. pop rdi ; ret → "/bin/sh" → system()
