Feature: consider register with controllable content of pointer as gadgets' constraint

[scwuaptx]

For example :

If r12 is controllable, it could execute any command. :)

[david942j]

Currently constraints of all one-gadgets are some value(s) to be zero (NULL).
Maybe we should add another option to find gadgets that constraint is register to be a controllable string?

For example, if rdi is a controllable string then we can use system as 'one-gadget'.
And in your case, it works if r12 is a command string.

Maybe add an option --all then one_gadget <file> --all will show this kind of gadgets.

I think separate the null-condition and string-condition cases can prevent confusing users.

[david942j]

Assume this request gets supported by #206, an example on one_gadget 1.9.0:

➜ one_gadget -b aad7dbe330f23ea00ca63daf793b766b51aceb5d -l1
0x4551f execve("/bin/sh", rsp+0x30, environ)
constraints:
  address rsp+0x40 is writable
  {"sh", "-c", rbx, NULL} is a valid argv

0x45526 execve("/bin/sh", rsp+0x30, environ)
constraints:
  address rsp+0x40 is writable
  rax == NULL || {rax, "-c", rbx, NULL} is a valid argv

0x4557a execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv

<... more gadgets followed ...>