Ropchain for Win32 DLL Crashed

I tried to generate some rop chains for an x86 DLL on Windows, and while the generator tried to permutate possible gadgets it suddenly crashed. The error information is below:

```
(ropper)> file EPG.dll
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] File loaded.
(EPG.dll/PE/x86)> ropchain virtualprotect address=0x1

[INFO] Ropchain Generator for VirtualProtect:


[INFO] eax 0x90909090
ecx old protection (writable addr)
edx 0x40 (RWE)
ebx size
esp address
ebp return address (jmp esp)
esi pointer to VirtualProtect
edi ret (rop nop)


[INFO] Try to create gadget to fill esi with content of IAT address: 0x1

[INFO] Cannot create fill esi gadget!

[INFO] Try to create this chain:


[INFO] eax Pointer to VirtualProtect
ecx old protection (writable addr)
edx 0x40 (RWE)
ebx size
esp address
ebp return address (pop ebp;ret)
esi pointer to jmp [eax]
edi ret (rop nop)


[INFO] Try to create chain which fills registers without delete content of previous filled registers
[*] Try permuation 181 / 5040Traceback (most recent call last):
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/console.py", line 368, in __generateChain
    chain = self.__rs.createRopChain(generator, str(self.currentFile.arch) ,options)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/service.py", line 787, in createRopChain
    return generator.create(options)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/ropchain/arch/ropchainx86.py", line 987, in create
    chain_tmp += self._createDependenceChain(gadgets)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/ropchain/arch/ropchainx86.py", line 125, in _createDependenceChain
    chain2 += g[0](*g[1], badRegs=badRegs, dontModify=dontModify,**g[2])[0]
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/ropchain/arch/ropchainx86.py", line 579, in _createNumber
    toReturn = self._printRopInstruction(popReg, padding=True, number=toHex(number,4))
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/ropchain/arch/ropchainx86.py", line 201, in _printRopInstruction
    toReturn += value
TypeError: can only concatenate str (not "NoneType") to str

[ERROR] Please report this error on https://github.com/sashs/ropper
[ERROR] Traceback (most recent call last):
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/console.py", line 62, in cmd
    func(self, text)
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/console.py", line 931, in do_ropchain
    self.__generateChain(text)
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/console.py", line 387, in __generateChain
    raise e
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/console.py", line 368, in __generateChain
    chain = self.__rs.createRopChain(generator, str(self.currentFile.arch) ,options)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/service.py", line 787, in createRopChain
    return generator.create(options)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/ropchain/arch/ropchainx86.py", line 987, in create
    chain_tmp += self._createDependenceChain(gadgets)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/ropchain/arch/ropchainx86.py", line 125, in _createDependenceChain
    chain2 += g[0](*g[1], badRegs=badRegs, dontModify=dontModify,**g[2])[0]
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/ropchain/arch/ropchainx86.py", line 579, in _createNumber
    toReturn = self._printRopInstruction(popReg, padding=True, number=toHex(number,4))
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/nanaha/anaconda3/envs/LLM/lib/python3.12/site-packages/ropper/ropchain/arch/ropchainx86.py", line 201, in _printRopInstruction
    toReturn += value
TypeError: can only concatenate str (not "NoneType") to str
```
Here is the file I analysis. 

[EPG.zip](https://github.com/user-attachments/files/19459983/EPG.zip)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Ropchain for Win32 DLL Crashed #190

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Ropchain for Win32 DLL Crashed #190

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions