###########################################################################
# ROP Regexes !
###########################################################################

*avoid instruction: or

# Search for specific file
$ grep -P '{regex}' rop.txt

# Search all files in the current folder (recursively)
$ grep -rP '{regex}' .

# *HUNT: mov dword [ebx/esi/edi], r32 ; ret ;
# Find a storage register that is less often used for arithmetic.
# Output: mov dword [reg], reg ; ... ret
$ grep -rP 'mov\s+dword\s+\[\s*(ebx|esi|edi)\s*\]\s*,\s*(eax|ebx|ecx|edx|esp|ebp|esi|edi)\b\s*;.*?\bret\b' .

mov\s+dword\s+ → mov dword with spaces
\[\s*(ebx|esi|edi)\s*\] → [ebx] / [esi] / [edi]
\s*,\s* → comma with optional spaces
(eax|...|edi) → any 32-bit register
\b → clean end of register
\s*; → instruction separator; the rest of the gadget follows
.*? → any junk instructions
\bret\b → must contain ret

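HUNT: xchg ebx, r32 (the lines below are bare regexes, not shell commands; use them as {regex} in the grep commands above)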
$ xchg\s+ebx,\s*(eax|ecx|edx|esp|ebp|esi|edi)\b
$ xchg\s+(eax|ecx|edx|esp|ebp|esi|edi),\s*ebx\b <- reverse order
$ xchg\s+(ebx,\s*(eax|ecx|edx|esp|ebp|esi|edi)|(eax|ecx|edx|esp|ebp|esi|edi),\s*ebx)\b <- one liner, both direction

# Output:
xchg ebx, edx
xchg eax, ebx
xchg ebx, esi

HUNT: mov ebx, r32
mov\s+ebx,\s*(eax|ecx|edx|esp|ebp|esi|edi)\b

mov\s+ebx, → move into ebx
(eax|ecx|edx|esp|ebp|esi|edi) → any 32-bit register as source
\b → word boundary ("end of a word"); ensures only full register names match, e.g. "eax" matches but "eaxx" does not.

# Output:
mov ebx, eax
mov ebx, edx
mov ebx, esi

HUNT: mov ebx, 0x.* ; ret
Convert to valid address.
# Example output: mov ebx, 0x401000 ; ret

$ grep -rP 'mov\s+ebx,\s0x[0-9a-fA-F]+\b.\bret\b' .

grep → searches text in files
-r → search recursively in all folders/subfolders
-P → use Perl-compatible regex (PCRE)
'...' → pattern to search for
mov → matches the text “mov”
\s+ → one or more whitespace (spaces/tabs)
ebx, → literal text “ebx,”
\s → single whitespace
0x[0-9a-fA-F]+ → hexadecimal number starting with 0x
\b → word boundary (end of that number)
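. → any single character (note: not a literal dot, it means any char). Because it matches exactly one character, the pattern as written does not match the example output "mov ebx, 0x401000 ; ret", where " ; " sits between the number and ret; use .*? in its place (as in the first HUNT pattern) to allow the separator and any instructions in between.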
\b → word boundary again
ret → matches “ret” instruction
\b → ensures “ret” is a full word
. → current directory (search starting point)