NAME=rop search with maxhits
FILE=bins/elf/varsub
CMDS=<<EOF
e search.maxhits=1
/Rq pop r15
EOF
EXPECT=<<EOF
0x0040052c: pop r12; pop r13; pop r14; pop r15; ret;
EOF
RUN

NAME=rop search without maxhits
FILE=bins/elf/varsub
CMDS=/Rq pop r15~?
EXPECT=<<EOF
4
EOF
RUN

NAME=rop search without maxhits
FILE=bins/elf/varsub
CMDS=<<EOF
e search.maxhits=2
/Rq pop r15~?
EOF
EXPECT=<<EOF
2
EOF
RUN

NAME=search all rop gadgets
FILE=bins/elf/analysis/x86-helloworld-phdr
ARGS=-n
CMDS=<<EOF
e asm.nbytes=8
e asm.arch=x86
e asm.bits=32
/R
EOF
EXPECT=<<EOF
  0x000000b4               cd80  int 0x80
  0x000000b6         b801000000  mov eax, 1
  0x000000bb         b900000000  mov ecx, 0
  0x000000c0               cd80  int 0x80
  0x000000c2                 c3  ret

  0x000000b5     80b801000000b9  cmp byte [eax + 1], 0xb9
  0x000000bc               0000  add byte [eax], al
  0x000000be               0000  add byte [eax], al
  0x000000c0               cd80  int 0x80
  0x000000c2                 c3  ret

  0x000000b7               0100  add dword [eax], eax
  0x000000b9               0000  add byte [eax], al
  0x000000bb         b900000000  mov ecx, 0
  0x000000c0               cd80  int 0x80
  0x000000c2                 c3  ret

  0x000000b8               0000  add byte [eax], al
  0x000000ba       00b900000000  add byte [ecx], bh
  0x000000c0               cd80  int 0x80
  0x000000c2                 c3  ret

EOF
RUN

NAME=search rop gadgets with a regexp
FILE=bins/elf/analysis/x86-helloworld-phdr
ARGS=-n
CMDS=<<EOF
e asm.arch=x86
e asm.bits=32
/R/ mov e[abcd]x
EOF
EXPECT=<<EOF
  0x000000b4               cd80  int 0x80
  0x000000b6         b801000000  mov eax, 1
  0x000000bb         b900000000  mov ecx, 0
  0x000000c0               cd80  int 0x80
  0x000000c2                 c3  ret

  0x000000b7               0100  add dword [eax], eax
  0x000000b9               0000  add byte [eax], al
  0x000000bb         b900000000  mov ecx, 0
  0x000000c0               cd80  int 0x80
  0x000000c2                 c3  ret

EOF
RUN

NAME=search rop gadgets and show them linearly
FILE=bins/elf/analysis/x86-helloworld-phdr
ARGS=-n
CMDS=<<EOF
e asm.arch=x86
e asm.bits=32
/Rq
EOF
EXPECT=<<EOF
0x000000b4: int 0x80; mov eax, 1; mov ecx, 0; int 0x80; ret;
0x000000b5: cmp byte [eax + 1], 0xb9; add byte [eax], al; add byte [eax], al; int 0x80; ret;
0x000000b7: add dword [eax], eax; add byte [eax], al; mov ecx, 0; int 0x80; ret;
0x000000b8: add byte [eax], al; add byte [ecx], bh; int 0x80; ret;
EOF
RUN

NAME=search rop gadgets with filter
FILE=bins/elf/analysis/x86-helloworld-phdr
ARGS=-n
CMDS=<<EOF
e asm.arch=x86
e asm.bits=32
/R ecx
EOF
EXPECT=<<EOF
  0x000000b4               cd80  int 0x80
  0x000000b6         b801000000  mov eax, 1
  0x000000bb         b900000000  mov ecx, 0
  0x000000c0               cd80  int 0x80
  0x000000c2                 c3  ret

  0x000000b7               0100  add dword [eax], eax
  0x000000b9               0000  add byte [eax], al
  0x000000bb         b900000000  mov ecx, 0
  0x000000c0               cd80  int 0x80
  0x000000c2                 c3  ret

  0x000000b8               0000  add byte [eax], al
  0x000000ba       00b900000000  add byte [ecx], bh
  0x000000c0               cd80  int 0x80
  0x000000c2                 c3  ret

EOF
RUN

NAME=search rop gadgets with filter and output JSON
FILE=bins/elf/analysis/x86-helloworld-phdr
ARGS=-n
CMDS=<<EOF
e asm.arch=x86
e asm.bits=32
/Rj ecx
EOF
EXPECT=<<EOF
[{"opcodes":[{"addr":180,"size":2,"opcode":"int 0x80","type":"swi"},{"addr":182,"size":5,"opcode":"mov eax, 1","type":"mov"},{"addr":187,"size":5,"opcode":"mov ecx, 0","type":"mov"},{"addr":192,"size":2,"opcode":"int 0x80","type":"swi"},{"addr":194,"size":1,"opcode":"ret","type":"ret"}],"retaddr":194,"size":15},{"opcodes":[{"addr":183,"size":2,"opcode":"add dword [eax], eax","type":"add"},{"addr":185,"size":2,"opcode":"add byte [eax], al","type":"add"},{"addr":187,"size":5,"opcode":"mov ecx, 0","type":"mov"},{"addr":192,"size":2,"opcode":"int 0x80","type":"swi"},{"addr":194,"size":1,"opcode":"ret","type":"ret"}],"retaddr":194,"size":12},{"opcodes":[{"addr":184,"size":2,"opcode":"add byte [eax], al","type":"add"},{"addr":186,"size":6,"opcode":"add byte [ecx], bh","type":"add"},{"addr":192,"size":2,"opcode":"int 0x80","type":"swi"},{"addr":194,"size":1,"opcode":"ret","type":"ret"}],"retaddr":194,"size":11}]
EOF
RUN

NAME=search rop gadgets with a regex of the form (a|b)
FILE=bins/elf/analysis/x86-helloworld-phdr
ARGS=-n
CMDS=<<EOF
e asm.arch=x86
e asm.bits=32
"/R/ (ecx|eax)"
EOF
EXPECT=<<EOF
  0x000000b4               cd80  int 0x80
  0x000000b6         b801000000  mov eax, 1
  0x000000bb         b900000000  mov ecx, 0
  0x000000c0               cd80  int 0x80
  0x000000c2                 c3  ret

  0x000000b5     80b801000000b9  cmp byte [eax + 1], 0xb9
  0x000000bc               0000  add byte [eax], al
  0x000000be               0000  add byte [eax], al
  0x000000c0               cd80  int 0x80
  0x000000c2                 c3  ret

  0x000000b7               0100  add dword [eax], eax
  0x000000b9               0000  add byte [eax], al
  0x000000bb         b900000000  mov ecx, 0
  0x000000c0               cd80  int 0x80
  0x000000c2                 c3  ret

  0x000000b8               0000  add byte [eax], al
  0x000000ba       00b900000000  add byte [ecx], bh
  0x000000c0               cd80  int 0x80
  0x000000c2                 c3  ret

EOF
RUN

NAME=search rop gadgets with another end gadget as part of it.
FILE=bins/elf/analysis/unoriginal
CMDS=<<EOF
e asm.bits=32
e rop.len=15
e search.from=0x08048340
e search.to=0x08048400
"/R push esp"
EOF
EXPECT=<<EOF
  0x08048350               fff4  push esp
  0x08048352               6690  nop
  0x08048354               6690  nop
  0x08048356               6690  nop
  0x08048358               6690  nop
  0x0804835a               6690  nop
  0x0804835c               6690  nop
  0x0804835e               6690  nop
  0x08048360             8b1c24  mov ebx, dword [esp]
  0x08048363                 c3  ret

EOF
RUN

NAME=search rop with sequence.
FILE=bins/elf/analysis/x86-helloworld-gcc
CMDS="/R push esi;push ebx"
EXPECT=<<EOF
  0x08048421                 57  push edi
  0x08048422               31ff  xor edi, edi
  0x08048424                 56  push esi
  0x08048425                 53  push ebx
  0x08048426         e805ffffff  call 0x8048330

EOF
RUN

NAME=search rop with regex sequence.
FILE=bins/elf/analysis/x86-helloworld-gcc
CMDS=<<EOF
e asm.bits=32
"/R/ push esi;push ebx"
EOF
EXPECT=<<EOF
  0x08048421                 57  push edi
  0x08048422               31ff  xor edi, edi
  0x08048424                 56  push esi
  0x08048425                 53  push ebx
  0x08048426         e805ffffff  call 0x8048330

EOF
RUN

NAME=search rop for AVR
FILE=malloc://512
CMDS=<<EOF
e asm.arch=avr
e scr.color=false
wx 11241fbecfefd8e0debfcdbf12e0a0e0b1e0e6e3f4e302c005900d92a431b107d9f722e0a4e1b2e001c01d92ae3cb207e1f710e0c2e6d0e004c02197fe010e94041ac136d107c9f70e944f090c9456160c940000ef92ff920f931f93cf93df93cdb7deb7c054d1090fb6f894debf0fbecdbf6ce071e08fe192e00e946b04ce0101967c018e010f5c1f4ffc011192e017f107e1f720e330e0a7016ae08fe192e00e94d8080297f8f0c801d701fd01ee19ff092d91222321f0fc012193cf01f6cfe00ff11f108260e071e0c8010e949816892b49f46de171e08fe192e00e946b0481e090e008c066e471e08fe192e00e946b0480e090e0c05cdf4f0fb6f894debf0fbecdbfdf91cf911f910f91ff90ef9008956de671e08fe192e00e946b0485b1805885b908956fe771e08fe192e00e946b048bb180588bb908956de671e08fe192e00e946b0485b1805885b985b1805885b985b1805885b908956fe771e08fe192e00e946b048bb180588bb98bb180588bb98bb180588bb908950f931f93cf93df93cdb7deb727970fb6f894debf0fbecdbf9c018e010f5f1f4fd801ad01401b510bf90191919f01992311f09d93f6cffa01e00ff11f10826fe871e0c8010e949816892b81f40e948c00892bf9f027960fb6f894debf0fbecdbfdf91cf911f910f910c940f0163e971e0c8010e949816892b61f427960fb6f894debf0fbecdbf
/R ldi
q
EOF
EXPECT=<<EOF
  0x0000000e               a0e0  ldi r26, 0x00
  0x00000010               b1e0  ldi r27, 0x01
  0x00000012               e6e3  ldi r30, 0x36
  0x00000014               f4e3  ldi r31, 0x34
  0x00000016               02c0  rjmp 0x1c

  0x00000020               d9f7  brne 0x18
  0x00000022               22e0  ldi r18, 0x02
  0x00000024               a4e1  ldi r26, 0x14
  0x00000026               b2e0  ldi r27, 0x02
  0x00000028               01c0  rjmp 0x2c

  0x00000030               e1f7  brne 0x2a
  0x00000032               10e0  ldi r17, 0x00
  0x00000034               c2e6  ldi r28, 0x62
  0x00000036               d0e0  ldi r29, 0x00
  0x00000038               04c0  rjmp 0x42

  0x00000072               6ce0  ldi r22, 0x0c
  0x00000074               71e0  ldi r23, 0x01
  0x00000076               8fe1  ldi r24, 0x1f
  0x00000078               92e0  ldi r25, 0x02
  0x0000007a           0e946b04  call 0x8d6

  0x00000098               a701  movw r20, r14
  0x0000009a               6ae0  ldi r22, 0x0a
  0x0000009c               8fe1  ldi r24, 0x1f
  0x0000009e               92e0  ldi r25, 0x02
  0x000000a0           0e94d808  call 0x11b0

  0x000000c4               1082  std z+0, r1
  0x000000c6               60e0  ldi r22, 0x00
  0x000000c8               71e0  ldi r23, 0x01
  0x000000ca               c801  movw r24, r16
  0x000000cc           0e949816  call 0x2d30

  0x000000d4               6de1  ldi r22, 0x1d
  0x000000d6               71e0  ldi r23, 0x01
  0x000000d8               8fe1  ldi r24, 0x1f
  0x000000da               92e0  ldi r25, 0x02
  0x000000dc           0e946b04  call 0x8d6

  0x000000de               6b04  cpc r6, r11
  0x000000e0               81e0  ldi r24, 0x01
  0x000000e2               90e0  ldi r25, 0x00
  0x000000e4               08c0  rjmp 0xf6

  0x000000e6               66e4  ldi r22, 0x46
  0x000000e8               71e0  ldi r23, 0x01
  0x000000ea               8fe1  ldi r24, 0x1f
  0x000000ec               92e0  ldi r25, 0x02
  0x000000ee           0e946b04  call 0x8d6

  0x00000112               6de6  ldi r22, 0x6d
  0x00000114               71e0  ldi r23, 0x01
  0x00000116               8fe1  ldi r24, 0x1f
  0x00000118               92e0  ldi r25, 0x02
  0x0000011a           0e946b04  call 0x8d6

  0x00000126               6fe7  ldi r22, 0x7f
  0x00000128               71e0  ldi r23, 0x01
  0x0000012a               8fe1  ldi r24, 0x1f
  0x0000012c               92e0  ldi r25, 0x02
  0x0000012e           0e946b04  call 0x8d6

  0x0000013a               6de6  ldi r22, 0x6d
  0x0000013c               71e0  ldi r23, 0x01
  0x0000013e               8fe1  ldi r24, 0x1f
  0x00000140               92e0  ldi r25, 0x02
  0x00000142           0e946b04  call 0x8d6

  0x0000015a               6fe7  ldi r22, 0x7f
  0x0000015c               71e0  ldi r23, 0x01
  0x0000015e               8fe1  ldi r24, 0x1f
  0x00000160               92e0  ldi r25, 0x02
  0x00000162           0e946b04  call 0x8d6

  0x000001b6               1082  std z+0, r1
  0x000001b8               6fe8  ldi r22, 0x8f
  0x000001ba               71e0  ldi r23, 0x01
  0x000001bc               c801  movw r24, r16
  0x000001be           0e949816  call 0x2d30

EOF
EXPECT_ERR=<<EOF
EOF
RUN

NAME=ARM32 rop gadget count
FILE=bins/elf/analysis/hello-arm32
CMDS=<<EOF
e asm.arch=arm
e asm.bits=32
/Rq~?
EOF
EXPECT=<<EOF
2
EOF
RUN

NAME=ARM32 rop search for branch with link
FILE=bins/elf/analysis/hello-arm32
CMDS=<<EOF
e asm.arch=arm
e asm.bits=32
/R bl
EOF
EXPECT=<<EOF
  0x000101c0           80402de9  push {r7, lr}
  0x000101c4           00708de2  add r7, sp, 0
  0x000101c8           000200e3  movw r0, 0x200
  0x000101cc           010040e3  movt r0, 1
  0x000101d0           f1ffffeb  bl 0x1019c

  0x000101d4           0030b0e3  movs r3, 0
  0x000101d8           0300a0e1  mov r0, r3
  0x000101dc           f1ffffeb  bl 0x101a8

EOF
RUN

NAME=ARM64 rop gadget count
FILE=bins/elf/jni/jniO0-arm64
CMDS=<<EOF
e asm.arch=arm
e asm.bits=64
/Rq~?
EOF
EXPECT=<<EOF
19
EOF
RUN

NAME=ARM64 rop search for adrp gadgets quiet mode
FILE=bins/elf/jni/jniO0-arm64
CMDS=<<EOF
e asm.arch=arm
e asm.bits=64
e search.maxhits=3
/Rq adrp
EOF
EXPECT=<<EOF
0x000004d0: stp x16, x30, [sp, -0x10]!; adrp x16, 0x10000; ldr x17, [x16, 0xfc8]; add x16, x16, 0xfc8; br x17;
0x000004f0: adrp x16, 0x10000; ldr x17, [x16, 0xfd0]; add x16, x16, 0xfd0; br x17;
0x00000500: adrp x16, 0x10000; ldr x17, [x16, 0xfd8]; add x16, x16, 0xfd8; br x17;
EOF
RUN

NAME=ARM64 rop search for store pair instruction
FILE=bins/elf/jni/jniO0-arm64
CMDS=<<EOF
e asm.arch=arm
e asm.bits=64
/R stp
EOF
EXPECT=<<EOF
  0x000004d0           f07bbfa9  stp x16, x30, [sp, -0x10]!
  0x000004d4           90000090  adrp x16, 0x10000
  0x000004d8           11e647f9  ldr x17, [x16, 0xfc8]
  0x000004dc           10223f91  add x16, x16, 0xfc8
  0x000004e0           20021fd6  br x17

  0x0000054c           fd7bbfa9  stp x29, x30, [sp, -0x10]!
  0x00000550           fd030091  mov x29, sp
  0x00000554           400000b4  cbz x0, 0x55c
  0x00000558           00003fd6  blr x0

EOF
RUN

NAME=x86-64 rop gadget count
FILE=bins/elf/analysis/calls_x64
CMDS=<<EOF
e asm.arch=x86
e asm.bits=64
/Rq~?
EOF
EXPECT=<<EOF
116
EOF
RUN

NAME=x86-64 rop search for call instructions
FILE=bins/elf/analysis/calls_x64
CMDS=<<EOF
e asm.arch=x86
e asm.bits=64
e search.maxhits=2
/R call
EOF
EXPECT=<<EOF
  0x0040024f               dcc7  fadd st(7), st(0)
  0x00400251               346a  xor al, 0x6a
  0x00400253         0d3f262786  or eax, 0x8627263f
  0x00400258       318e5eae5410  xor dword [rsi + 0x1054ae5e], ecx
  0x0040025e         e8cf010000  call 0x400432

  0x004003a8           4883ec08  sub rsp, 8
  0x004003ac     488b054d052000  mov rax, qword [rip + 0x20054d]
  0x004003b3             4885c0  test rax, rax
  0x004003b6               7405  je 0x4003bd
  0x004003b8         e843000000  call 0x400400

EOF
RUN

NAME=x86-64 rop search regex for mov register
FILE=bins/elf/analysis/calls_x64
CMDS=<<EOF
e asm.arch=x86
e asm.bits=64
e search.maxhits=2
"/R/ mov r(ax|cx|di)"
EOF
EXPECT=<<EOF
  0x004003a8           4883ec08  sub rsp, 8
  0x004003ac     488b054d052000  mov rax, qword [rip + 0x20054d]
  0x004003b3             4885c0  test rax, rax
  0x004003b6               7405  je 0x4003bd
  0x004003b8         e843000000  call 0x400400

  0x004003a9             83ec08  sub esp, 8
  0x004003ac     488b054d052000  mov rax, qword [rip + 0x20054d]
  0x004003b3             4885c0  test rax, rax
  0x004003b6               7405  je 0x4003bd
  0x004003b8         e843000000  call 0x400400

EOF
RUN

NAME=x86-32 rop with custom gadget length limit
FILE=bins/elf/analysis/x86-helloworld-phdr
ARGS=-n
CMDS=<<EOF
e asm.arch=x86
e asm.bits=32
e rop.len=2
/Rq
EOF
EXPECT=<<EOF
0x000000c0: int 0x80; ret;
EOF
RUN

NAME=ARM64 rop search with maxhits configuration
FILE=bins/elf/jni/jniO0-arm64
CMDS=<<EOF
e asm.arch=arm
e asm.bits=64
e search.maxhits=1
/Rq br
EOF
EXPECT=<<EOF
0x000004d0: stp x16, x30, [sp, -0x10]!; adrp x16, 0x10000; ldr x17, [x16, 0xfc8]; add x16, x16, 0xfc8; br x17;
EOF
RUN

NAME=x86-64 rop search for conditional jumps
FILE=bins/elf/analysis/calls_x64
CMDS=<<EOF
e asm.arch=x86
e asm.bits=64
e search.maxhits=1
/R je
EOF
EXPECT=<<EOF
  0x004003a8           4883ec08  sub rsp, 8
  0x004003ac     488b054d052000  mov rax, qword [rip + 0x20054d]
  0x004003b3             4885c0  test rax, rax
  0x004003b6               7405  je 0x4003bd
  0x004003b8         e843000000  call 0x400400

EOF
RUN

