.TH ROPGADGET 1 "" ""
.SH NAME
ROPgadget \- search executables for exploitable ROP gadgets
.SH SYNOPSIS
.SY ROPgadget
.RB [ \-\-binary " " \fIFILE\fR ]
.RI [ options ]
.YS
.SH DESCRIPTION
.B ROPgadget
is a tool for security research and vulnerability exploitation.
It lets you search binaries for sequences of useful machine code instructions
followed by a return instruction ("gadgets").
If an exploit can manipulate the call stack to point to a sequence of gadgets,
the return instructions will redirect the program flow to execute the sequence
("return oriented programming").
By reusing existing code out of context, an attacker can potentially circumvent
security measures which prevent the execution of injected code.
.B ROPgadget
supports ELF/PE/Mach-O formats on x86, x64, ARM, PowerPC, SPARC and MIPS
architectures.
.PP
The following options are available:
.TP
.BR \-\-binary " " \fIFILE\fR
Specify the executable to be analyzed
.TP
.BR \-\-opcode " " \fIOPCODES\fR
Search for particular opcodes in executable sections
.TP
.BR \-\-string " " \fISTRING\fR
Search for a particular string in readable sections
.TP
.BR \-\-memstr " " \fISTRING\fR
Search for each byte in readable sections
.TP
.BR \-\-depth " " \fIDEPTH\fR
Limit search depth for internal engine (default: 10)
.TP
.BR \-\-only " " \fIKEY\fR
Only show specific instructions
.TP
.BR \-\-filter " " \fIKEY\fR
Suppress specific instructions
.TP
.BR \-\-range " " \fISTART\fR - \fIEND\fR
Limit search to address range between
.I START
and
.IR END .
.TP
.BR \-\-badbytes " " \fIBYTES\fR
Reject specific bytes in the address of a gadget
.TP
.BR \-\-rawArch " " \fIARCH\fR
Specify architecture for raw binaries
.TP
.BR \-\-rawMode " " \fIMODE\fR
Specify mode for raw binaries
.TP
.BR \-\-re " " \fIEXPR\fR
Search for gadgets using the regular expression
.IR EXPR .
.TP
.BR \-\-offset " " \fIOFFSET\fR
Add an offset to all gadget addresses
.TP
.B \-\-ropchain
Enable ROP chain generation
.TP
.B \-\-thumb
Use thumb mode for ARM architecture binaries
.TP
.B \-\-console
Enable the interactive console for the search engine
.TP
.B \-\-norop
Disable ROP search engine
.TP
.B \-\-nojop
Disable JOP search engine
.TP
.B \-\-nosys
Disable SYS search engine
.TP
.B \-\-multibr
Enable multiple branch gadgets
.TP
.B \-\-all
Show all gadgets, even duplicates
.TP
.B \-\-dump
Output the gadget bytes
.SH AUTHOR
This manual page was written for Debian by Timo R\[u00F6]hling and may be used
without restriction.