rp++ or rp is a C++ ROP gadget finder for PE/ELF/Mach-O executables and x86/x64/ARM/ARM64 architectures.

To find ROP gadget you need to specify a file with the --file / -f option and use the --rop / -r option specifying the maximum the number of instructions in the gadget:

You can customize the base address of the module with the --va option (if you pass a base of 0, then you get relative offsets) and you can also use the --raw option to analyze raw code dumps.

Oftentimes when building ROP chains, you might need to find pointers to integers with specific values. To look for those, you can use the --search-int option like in the below:

Other times, you might need to find pointers to specific strings. To look for those, you can use the --search-hexa option like in the below:

You can also use the --va option to specify your own base address.

You can find shell scripts in src/build for every supported platforms; below is the Linux example:

src/build$ chmod u+x ./build-release.sh && ./build-release.sh
-- The C compiler identification is GNU 9.3.0
-- The CXX compiler identification is GNU 9.3.0
[...]
[16/16] Linking CXX executable rp-lin-x64

• Axel '0vercl0k' Souchet