Feature: Highlight conditional gadgets in all modes#6324
Open
MrQuantum1915 wants to merge 1 commit into
Open
Conversation
MrQuantum1915
requested review from
Rot127,
b1llow,
kazarmy,
notxvilka,
ret2libc,
thestr4ng3r and
wargio
as code owners
MrQuantum1915
force-pushed
the
feat/highlight-cond-gadget
branch
2 times, most recently
from
070b71f to
89dfa94
Compare
MrQuantum1915
force-pushed
the
feat/highlight-cond-gadget
branch
from
89dfa94 to
bed2a85
Compare
Codecov Report❌ Patch coverage is
Additional details and impacted files
... and 11 files with indirect coverage changes Continue to review full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
Contributor
Author
yeah, we'd probably need help from someone better with UI/colors, I am pretty bad at that 😂 |
wargio
reviewed
May 13, 2026
| const char *highlight_color = colorize ? Color_CYAN : ""; | ||
| const char *reset_color = colorize ? Color_RESET : ""; | ||
| if (is_conditional) { | ||
| rz_cons_printf("%sGadget 0x%" PFMT64x " [Conditional Gadget]%s\n", highlight_color, gadget_info->address, reset_color); |
Member
There was a problem hiding this comment.
Suggested change
| rz_cons_printf("%sGadget 0x%" PFMT64x " [Conditional Gadget]%s\n", highlight_color, gadget_info->address, reset_color); | |
| rz_cons_printf("%sGadget 0x%" PFMT64x " [Conditional]%s\n", highlight_color, gadget_info->address, reset_color); |
wargio
reviewed
May 13, 2026
| const char *highlight_color = colorize ? Color_CYAN : ""; | ||
| const char *reset_color = colorize ? Color_RESET : ""; | ||
| if (is_conditional) { | ||
| rz_cons_printf("%sGadget 0x%" PFMT64x " (size %d bytes) [Conditional Gadget]%s\n", highlight_color, addr, size, reset_color); |
Member
There was a problem hiding this comment.
Suggested change
| rz_cons_printf("%sGadget 0x%" PFMT64x " (size %d bytes) [Conditional Gadget]%s\n", highlight_color, addr, size, reset_color); | |
| rz_cons_printf("%sGadget 0x%" PFMT64x " (size %d bytes) [Conditional]%s\n", highlight_color, addr, size, reset_color); |
wargio
reviewed
May 13, 2026
Comment on lines
+4146
to
+4154
| 0x00000000 04e02de50000a0e10110a0e10080bd08 [Conditional Gadget] str lr, [sp, -4]!; ; mov r0, r0; ; mov r1, r1; ; ldmeq sp!, {pc}; | ||
| 0x00000004 0000a0e10110a0e10080bd08 [Conditional Gadget] mov r0, r0; ; mov r1, r1; ; ldmeq sp!, {pc}; | ||
| 0x00000008 0110a0e10080bd08 [Conditional Gadget] mov r1, r1; ; ldmeq sp!, {pc}; | ||
| 0x0000000c 0080bd08 [Conditional Gadget] ldmeq sp!, {pc}; | ||
| 0x00000000 04e02de50000a0e10110a0e10080bd081eff2fe1 str lr, [sp, -4]!; ; mov r0, r0; ; mov r1, r1; ; ldmeq sp!, {pc}; ; bx lr; | ||
| 0x00000004 0000a0e10110a0e10080bd081eff2fe1 mov r0, r0; ; mov r1, r1; ; ldmeq sp!, {pc}; ; bx lr; | ||
| 0x00000008 0110a0e10080bd081eff2fe1 mov r1, r1; ; ldmeq sp!, {pc}; ; bx lr; | ||
| 0x0000000c 0080bd081eff2fe1 ldmeq sp!, {pc}; ; bx lr; | ||
| 0x00000010 1eff2fe1 bx lr; |
Member
There was a problem hiding this comment.
the bytes length should be limited by an evar.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Your checklist for this pull request
RZ_APIfunction and struct this PR changes.RZ_API).Detailed description
As discussed with @notxvilka in mattermost, implemented highlighting of conditional gadgets in all modes (non-color mode too)
This applies when
e gadget.conditional=trueis setPlease let me know if you mean to highlight conditional terminator instruction in the output no matter what is the state of config :
gadget.conditionalJust to be clear
is_conditionalis set by using a trick actually. We get to know if teminator is conditional or not, by the function ingadget_[rjc]op.cso what i did is :gadget_is_valid_terminatorreturn true forallow_conditionalis passed astrue&&falsewhenallow_conditionalis passed as falseI did this hack so that it is same code for ROP/COP/JOP.
UI/UX and color choices may be slightly questionable, i may be bad at that :)
suggestions welcome...
Here are some ss (arm32)
I also injected
is_conditionalkey in JSON output when it is, otherwise the key is not injectedan exerpt:
{ "opcodes": [ { "offset": 0, "size": 4, "opcode": "str lr, [sp, -4]!", "type": "store" }, { "offset": 4, "size": 4, "opcode": "mov r0, r0", "type": "mov" }, { "offset": 8, "size": 4, "opcode": "mov r1, r1", "type": "mov" }, { "offset": 12, "size": 4, "opcode": "ldmeq sp!, {pc}", "type": "cret" } ], "retaddr": 12, "size": 16, "is_conditional": true },Test plan
Added (updated) new tests for conditonal gadgets
Closing issues