pwntools 1.1.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7c323ddeb8d8f4ea3d4d087fc69eb53ee7594f64c2ee01dfb57ada9e2a9eb111
-  data.tar.gz: b9177cb71feb8ecc038680cf850f0b654eea567c7f6774d8ad35cdb1b8949e93
+  metadata.gz: 3385a46a409e98ef0ffac19fb93c5ec19d7fde592abbb99ccdc462e186d2b922
+  data.tar.gz: d865773d92a7b3068005bfaa9c9d5ba5f1a8bce0e62e05eb55b340c80d2fe3dd
 SHA512:
-  metadata.gz: 76cbcd91657ecaee5b8bfae49bfe378539937718a1eb46fbe517c8559919877a153cffb0e5beeb06dde68fe64cd7ab9e1fb30af507547771f49331e7bb90c93b
-  data.tar.gz: 1aedd2cb397654aa4bc4e13761a1587431f7a67ecec2150c5e6393f1275dfd14801089e0de7234ddd887b2fb99c9635c9bc438ba183c6fcf8d021331269d99b5
+  metadata.gz: 1d529315d4e222cc89d3783f4454e804d8ce9d4c8a23a2657b29f23be14dd63e7b5f8f668aa95db944b7ec887d7fc2563f00067a93ec2b841448408e3aee141c
+  data.tar.gz: 1f95b2194ac3fea17ea87d030bbba0f52e638978797a7f9068e9af92c2c2d98f39d25cb90be6b73d2e7008e41fd2f913684395a68fbbb6d22115b341533fc8fd

data/README.md

@@ -1,10 +1,13 @@
 [![GitHub stars](https://img.shields.io/github/stars/peter50216/pwntools-ruby.svg)](https://github.com/peter50216/pwntools-ruby/stargazers)
-[![Dependency Status](https://img.shields.io/gemnasium/peter50216/pwntools-ruby.svg)](https://gemnasium.com/peter50216/pwntools-ruby)
+[![GitHub issues](https://img.shields.io/github/issues/peter50216/pwntools-ruby.svg)](https://github.com/peter50216/pwntools-ruby/issues)
 [![Build Status](https://img.shields.io/travis/peter50216/pwntools-ruby.svg)](https://travis-ci.org/peter50216/pwntools-ruby)
-[![Test Coverage](https://img.shields.io/codeclimate/coverage/github/peter50216/pwntools-ruby.svg)](https://codeclimate.com/github/peter50216/pwntools-ruby/coverage)
-[![Code Climate](https://img.shields.io/codeclimate/github/peter50216/pwntools-ruby.svg)](https://codeclimate.com/github/peter50216/pwntools-ruby)
+[![Test Coverage](https://img.shields.io/codeclimate/coverage/peter50216/pwntools-ruby.svg)](https://codeclimate.com/github/peter50216/pwntools-ruby/coverage)
+[![Code Climate](https://img.shields.io/codeclimate/maintainability/peter50216/pwntools-ruby.svg)](https://codeclimate.com/github/peter50216/pwntools-ruby)
 [![Inline docs](https://inch-ci.org/github/peter50216/pwntools-ruby.svg)](https://inch-ci.org/github/peter50216/pwntools-ruby)
 [![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](http://choosealicense.com/licenses/mit/)
+[![Dependabot Status](https://api.dependabot.com/badges/status?host=github&repo=peter50216/pwntools-ruby)](https://dependabot.com)
+[![Rawsec's CyberSecurity Inventory](https://inventory.rawsec.ml/img/badges/Rawsec-inventoried-FF5050_flat.svg)](https://inventory.rawsec.ml/)
+<!-- [![Dependency Status](https://img.shields.io/gemnasium/peter50216/pwntools-ruby.svg)](https://gemnasium.com/peter50216/pwntools-ruby) -->
 
 # pwntools-ruby
 

data/lib/pwn.rb

@@ -1,4 +1,5 @@
 # encoding: ASCII-8BIT
+# frozen_string_literal: true
 
 # require this file for easy exploit development, but would pollute main Object and some built-in objects. (String,
 # Integer, ...)

data/lib/pwnlib/abi.rb

@@ -1,4 +1,5 @@
 # encoding: ASCII-8BIT
+# frozen_string_literal: true
 
 require 'pwnlib/context'
 

data/lib/pwnlib/asm.rb

@@ -1,4 +1,5 @@
 # encoding: ASCII-8BIT
+# frozen_string_literal: true
 
 require 'tempfile'
 
@@ -37,41 +38,44 @@ module Pwnlib
     #
     # @raise [Pwnlib::Errors::DependencyError]
     #   If libcapstone is not installed.
+    # @raise [Pwnlib::Errors::UnsupportedArchError]
+    #   If disassembling of +context.arch+ is not supported.
     #
     # @example
     #   context.arch = 'i386'
     #   print disasm("\xb8\x5d\x00\x00\x00")
-    #   #   0:   b8 5d 00 00 00 mov     eax, 0x5d
+    #   #   0:   b8 5d 00 00 00  mov eax, 0x5d
     #
     #   context.arch = 'amd64'
     #   print disasm("\xb8\x17\x00\x00\x00")
     #   #   0:   b8 17 00 00 00 mov     eax, 0x17
     #   print disasm("jhH\xb8/bin///sPH\x89\xe71\xd21\xf6j;X\x0f\x05", vma: 0x1000)
-    #   #  1000:   6a 68                         push    0x68
-    #   #  1002:   48 b8 2f 62 69 6e 2f 2f 2f 73 movabs  rax, 0x732f2f2f6e69622f
-    #   #  100c:   50                            push    rax
-    #   #  100d:   48 89 e7                      mov     rdi, rsp
-    #   #  1010:   31 d2                         xor     edx, edx
-    #   #  1012:   31 f6                         xor     esi, esi
-    #   #  1014:   6a 3b                         push    0x3b
-    #   #  1016:   58                            pop     rax
-    #   #  1017:   0f 05                         syscall
+    #   #  1000:   6a 68                          push    0x68
+    #   #  1002:   48 b8 2f 62 69 6e 2f 2f 2f 73  movabs  rax, 0x732f2f2f6e69622f
+    #   #  100c:   50                             push    rax
+    #   #  100d:   48 89 e7                       mov     rdi, rsp
+    #   #  1010:   31 d2                          xor     edx, edx
+    #   #  1012:   31 f6                          xor     esi, esi
+    #   #  1014:   6a 3b                          push    0x3b
+    #   #  1016:   58                             pop     rax
+    #   #  1017:   0f 05                          syscall
     def disasm(data, vma: 0)
       require_message('crabstone', install_crabstone_guide) # will raise error if require fail.
-      cs = Crabstone::Disassembler.new(cap_arch, cap_mode)
+      cs = Crabstone::Disassembler.new(cs_arch, cs_mode)
       insts = cs.disasm(data, vma).map do |ins|
-        [ins.address, ins.bytes.pack('C*'), ins.mnemonic, ins.op_str.to_s]
+        [ins.address, ins.bytes, ins.mnemonic.to_s, ins.op_str.to_s]
       end
       max_dlen = format('%x', insts.last.first).size + 2
       max_hlen = insts.map { |ins| ins[1].size }.max * 3
+      max_ilen = insts.map { |ins| ins[2].size }.max
       insts.reduce('') do |s, ins|
-        hex_code = ins[1].bytes.map { |c| format('%02x', c) }.join(' ')
+        hex_code = ins[1].map { |c| format('%02x', c) }.join(' ')
         inst = if ins[3].empty?
                  ins[2]
                else
-                 format('%-7s %s', ins[2], ins[3])
+                 format("%-#{max_ilen}s %s", ins[2], ins[3])
                end
-        s + format("%#{max_dlen}x:   %-#{max_hlen}s%s\n", ins[0], hex_code, inst)
+        s + format("%#{max_dlen}x:   %-#{max_hlen}s %s\n", ins[0], hex_code, inst)
       end
     end
 
@@ -79,10 +83,17 @@ module Pwnlib
     #
     # @param [String] code
     #   The assembly code to be converted.
+    # @param [Integer] vma
+    #   Virtual memory address.
     #
     # @return [String]
     #   The result.
     #
+    # @raise [Pwnlib::Errors::DependencyError]
+    #   If libkeystone is not installed.
+    # @raise [Pwnlib::Errors::UnsupportedArchError]
+    #   If assembling of +context.arch+ is not supported.
+    #
     # @example
     #   assembly = shellcraft.amd64.linux.sh
     #   context.local(arch: 'amd64') { asm(assembly) }
@@ -93,9 +104,9 @@ module Pwnlib
     #
     # @diff
     #   Not support +asm('mov eax, SYS_execve')+.
-    def asm(code)
+    def asm(code, vma: 0)
       require_message('keystone_engine', install_keystone_guide)
-      KeystoneEngine::Ks.new(ks_arch, ks_mode).asm(code)[0]
+      KeystoneEngine::Ks.new(ks_arch, ks_mode).asm(code, vma)[0]
     end
 
     # Builds an ELF file from executable code.
@@ -166,6 +177,7 @@ module Pwnlib
       phdr.p_filesz = phdr.p_memsz = entry + data.size
       elf = ehdr.to_binary_s + phdr.to_binary_s + data
       return elf unless to_file
+
       path = Dir::Tmpname.create(['pwn', '.elf']) do |temp|
         File.open(temp, 'wb', 0o750) { |f| f.write(elf) }
       end
@@ -173,32 +185,59 @@ module Pwnlib
     end
 
     ::Pwnlib::Util::Ruby.private_class_method_block do
-      def cap_arch
-        {
-          'i386' => Crabstone::ARCH_X86,
-          'amd64' => Crabstone::ARCH_X86
-        }[context.arch]
+      def cs_arch
+        case context.arch
+        when 'aarch64' then Crabstone::ARCH_ARM64
+        when 'amd64', 'i386' then Crabstone::ARCH_X86
+        when 'arm', 'thumb' then Crabstone::ARCH_ARM
+        when 'mips', 'mips64' then Crabstone::ARCH_MIPS
+        when 'powerpc64' then Crabstone::ARCH_PPC
+        when 'sparc', 'sparc64' then Crabstone::ARCH_SPARC
+        else unsupported!("Disasm on architecture #{context.arch.inspect} is not supported yet.")
+        end
       end
 
-      def cap_mode
-        {
-          32 => Crabstone::MODE_32,
-          64 => Crabstone::MODE_64
-        }[context.bits]
+      def cs_mode
+        case context.arch
+        when 'aarch64' then Crabstone::MODE_ARM
+        when 'amd64' then Crabstone::MODE_64
+        when 'arm' then Crabstone::MODE_ARM
+        when 'i386' then Crabstone::MODE_32
+        when 'mips' then Crabstone::MODE_MIPS32
+        when 'mips64' then Crabstone::MODE_MIPS64
+        when 'powerpc64' then Crabstone::MODE_64
+        when 'sparc' then 0 # default mode
+        when 'sparc64' then Crabstone::MODE_V9
+        when 'thumb' then Crabstone::MODE_THUMB
+        end | (context.endian == 'big' ? Crabstone::MODE_BIG_ENDIAN : Crabstone::MODE_LITTLE_ENDIAN)
       end
 
       def ks_arch
-        {
-          'i386' => KeystoneEngine::KS_ARCH_X86,
-          'amd64' => KeystoneEngine::KS_ARCH_X86
-        }[context.arch]
+        case context.arch
+        when 'aarch64' then KeystoneEngine::KS_ARCH_ARM64
+        when 'amd64', 'i386' then KeystoneEngine::KS_ARCH_X86
+        when 'arm', 'thumb' then KeystoneEngine::KS_ARCH_ARM
+        when 'mips', 'mips64' then KeystoneEngine::KS_ARCH_MIPS
+        when 'powerpc', 'powerpc64' then KeystoneEngine::KS_ARCH_PPC
+        when 'sparc', 'sparc64' then KeystoneEngine::KS_ARCH_SPARC
+        else unsupported!("Asm on architecture #{context.arch.inspect} is not supported yet.")
+        end
       end
 
       def ks_mode
-        {
-          32 => KeystoneEngine::KS_MODE_32,
-          64 => KeystoneEngine::KS_MODE_64
-        }[context.bits]
+        case context.arch
+        when 'aarch64' then 0 # default mode
+        when 'amd64' then KeystoneEngine::KS_MODE_64
+        when 'arm' then KeystoneEngine::KS_MODE_ARM
+        when 'i386' then KeystoneEngine::KS_MODE_32
+        when 'mips' then KeystoneEngine::KS_MODE_MIPS32
+        when 'mips64' then KeystoneEngine::KS_MODE_MIPS64
+        when 'powerpc' then KeystoneEngine::KS_MODE_PPC32
+        when 'powerpc64' then KeystoneEngine::KS_MODE_PPC64
+        when 'sparc' then KeystoneEngine::KS_MODE_SPARC32
+        when 'sparc64' then KeystoneEngine::KS_MODE_SPARC64
+        when 'thumb' then KeystoneEngine::KS_MODE_THUMB
+        end | (context.endian == 'big' ? KeystoneEngine::KS_MODE_BIG_ENDIAN : KeystoneEngine::KS_MODE_LITTLE_ENDIAN)
       end
 
       # FFI is used in keystone and capstone binding gems, this method handles when libraries not installed yet.
@@ -210,7 +249,7 @@ module Pwnlib
 
       def install_crabstone_guide
         <<-EOS
-#disasm dependes on capstone, which is detected not installed yet.
+#disasm depends on capstone, which is detected not installed yet.
 Checkout the following link for installation guide:
 
 http://www.capstone-engine.org/documentation.html
@@ -220,7 +259,7 @@ http://www.capstone-engine.org/documentation.html
 
       def install_keystone_guide
         <<-EOS
-#asm dependes on keystone, which is detected not installed yet.
+#asm depends on keystone, which is detected not installed yet.
 Checkout the following link for installation guide:
 
 https://github.com/keystone-engine/keystone/tree/master/docs
@@ -264,7 +303,7 @@ https://github.com/keystone-engine/keystone/tree/master/docs
         header.p_offset = 0
         header.p_vaddr = vma
         header.p_paddr = vma
-        header.p_flags = 4 | 1 # r-x
+        header.p_flags = 4 | 2 | 1 # rwx
         header.p_align = arch_align
         header
       end
@@ -299,10 +338,8 @@ https://github.com/keystone-engine/keystone/tree/master/docs
 
       def e_machine
         const = ARCH_EM[context.arch.to_sym]
-        if const.nil?
-          raise ::Pwnlib::Errors::UnsupportedArchError,
-                "Unknown machine type of architecture #{context.arch.inspect}."
-        end
+        unsupported!("Unknown machine type of architecture #{context.arch.inspect}.") if const.nil?
+
         ::ELFTools::Constants::EM.const_get("EM_#{const}")
       end
 
@@ -310,6 +347,10 @@ https://github.com/keystone-engine/keystone/tree/master/docs
         context.endian.to_sym
       end
 
+      def unsupported!(msg)
+        raise ::Pwnlib::Errors::UnsupportedArchError, msg
+      end
+
       include ::Pwnlib::Context
     end
   end

data/lib/pwnlib/constants/constant.rb

@@ -1,4 +1,5 @@
 # encoding: ASCII-8BIT
+# frozen_string_literal: true
 
 require 'pwnlib/util/fiddling'
 
@@ -27,9 +28,11 @@ module Pwnlib
       end
 
       # We don't need to fall back to super for this, so just disable the lint.
-      def method_missing(method, *args, &block) # rubocop:disable Style/MethodMissing
+      # rubocop:disable Style/MethodMissingSuper
+      def method_missing(method, *args, &block)
         @val.__send__(method, *args, &block)
       end
+      # rubocop:enable Style/MethodMissingSuper
 
       def respond_to_missing?(method, include_all)
         @val.respond_to?(method, include_all)

data/lib/pwnlib/constants/constants.rb

@@ -1,4 +1,5 @@
 # encoding: ASCII-8BIT
+# frozen_string_literal: true
 
 require 'dentaku'
 
@@ -50,6 +51,7 @@ module Pwnlib
       #   # Pwnlib::Errors::ConstantNotFoundError: Undefined constant(s): meow
       def eval(str)
         return str unless str.instance_of?(String)
+
         begin
           val = calculator.evaluate!(str.strip).to_i
         rescue Dentaku::UnboundVariableError => e
@@ -94,6 +96,7 @@ module Pwnlib
       def load_constants((os, arch))
         filename = File.join(__dir__, os, "#{arch}.rb")
         return {} unless File.exist?(filename)
+
         builder = ConstantBuilder.new
         builder.instance_eval(IO.read(filename))
         builder.tbl

data/lib/pwnlib/constants/linux/amd64.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 const :__NR_read, 0
 const :__NR_write, 1
 const :__NR_open, 2

data/lib/pwnlib/constants/linux/i386.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 const :__NR_exit, 1
 const :__NR_fork, 2
 const :__NR_read, 3

data/lib/pwnlib/context.rb

@@ -1,4 +1,5 @@
 # encoding: ASCII-8BIT
+# frozen_string_literal: true
 
 require 'logger'
 
@@ -96,6 +97,7 @@ module Pwnlib
       def update(**kwargs)
         kwargs.each do |k, v|
           next if v.nil?
+
           public_send("#{k}=", v)
         end
         self
@@ -123,6 +125,7 @@ module Pwnlib
       #   # little
       def local(**kwargs)
         raise ArgumentError, "Need a block for #{self.class}##{__callee__}" unless block_given?
+
         # XXX(Darkpi):
         #   improve performance for this if this is too slow, since we use this in many places that has argument
         #   endian / signed / ...
@@ -183,6 +186,7 @@ module Pwnlib
         arch = arch.to_s.downcase.gsub(/[[:punct:]]/, '')
         defaults = ARCHS[arch]
         raise ArgumentError, "arch must be one of #{ARCHS.keys.sort.inspect}" unless defaults
+
         defaults.each { |k, v| @attrs[k] = v }
         @attrs[:arch] = arch
       end
@@ -192,7 +196,8 @@ module Pwnlib
       # @param [Integer] bits
       #   The word size.
       def bits=(bits)
-        raise ArgumentError, "bits must be > 0 (#{bits} given)" unless bits > 0
+        raise ArgumentError, "bits must be > 0 (#{bits} given)" unless bits.positive?
+
         @attrs[:bits] = bits
       end
 
@@ -219,6 +224,7 @@ module Pwnlib
       def endian=(endian)
         endian = ENDIANNESSES[endian.to_s.downcase]
         raise ArgumentError, "endian must be one of #{ENDIANNESSES.sort.inspect}" if endian.nil?
+
         @attrs[:endian] = endian
       end
 
@@ -239,6 +245,7 @@ module Pwnlib
           log_level = value
         end
         raise ArgumentError, "log_level must be an integer or one of #{LOG_LEVELS.inspect}" unless log_level
+
         @attrs[:log_level] = log_level
       end
 
@@ -252,6 +259,7 @@ module Pwnlib
       def os=(os)
         os = os.to_s.downcase
         raise ArgumentError, "os must be one of #{OSES.sort.inspect}" unless OSES.include?(os)
+
         @attrs[:os] = os
       end
 
@@ -275,6 +283,7 @@ module Pwnlib
           signed = value
         end
         raise ArgumentError, "signed must be boolean or one of #{SIGNEDNESSES.keys.sort.inspect}" if signed.nil?
+
         @attrs[:signed] = signed
       end
 

data/lib/pwnlib/dynelf.rb

@@ -1,4 +1,5 @@
 # encoding: ASCII-8BIT
+# frozen_string_literal: true
 
 require 'elftools'
 
@@ -80,6 +81,7 @@ module Pwnlib
     def build_id
       build_id_offsets.each do |offset|
         next unless @leak.n(@libbase + offset + 12, 4) == "GNU\x00"
+
         return @leak.n(@libbase + offset + 16, 20).unpack('H*').first
       end
       nil
@@ -105,6 +107,7 @@ module Pwnlib
       ptr &= PAGE_MASK
       loop do
         return @base = ptr if @leak.n(ptr, 4) == "\x7fELF"
+
         ptr -= PAGE_SIZE
       end
     end
@@ -116,6 +119,7 @@ module Pwnlib
       loop do
         ptype = @leak.d(e_phoff)
         break if ptype == ELFTools::Constants::PT::PT_DYNAMIC
+
         e_phoff += phdr_size
       end
       offset = { 32 => 8, 64 => 16 }[@elfclass]
@@ -134,6 +138,7 @@ module Pwnlib
         d_addr = unpack(tmp[@elfword, @elfword])
         break if d_tag.zero?
         return d_addr if tag == d_tag
+
         ptr += dyn_size
       end
       nil
@@ -157,8 +162,8 @@ module Pwnlib
     def build_id_offsets
       {
         i386: [0x174],
-        arm:  [0x174],
-        thumb:  [0x174],
+        arm: [0x174],
+        thumb: [0x174],
         aarch64: [0x238],
         amd64: [0x270, 0x174],
         powerpc: [0x174],

data/lib/pwnlib/elf/elf.rb

@@ -1,6 +1,9 @@
+# frozen_string_literal: true
+
 require 'ostruct'
 
 require 'elftools'
+require 'one_gadget/one_gadget'
 require 'rainbow'
 
 require 'pwnlib/logger'
@@ -40,14 +43,15 @@ module Pwnlib
       #   # PIE:      PIE enabled
       #   #=> #<Pwnlib::ELF::ELF:0x00559bd670dcb8>
       def initialize(path, checksec: true)
-        path = File.realpath(path)
+        @path = File.realpath(path)
         @elf_file = ELFTools::ELFFile.new(File.open(path, 'rb'))
         load_got
         load_plt
         load_symbols
         @address = base_address
         @load_addr = @address
-        show_info(path) if checksec
+        @one_gadgets = nil
+        show_info(@path) if checksec
       end
 
       # Set the base address.
@@ -56,6 +60,7 @@ module Pwnlib
       #   got
       #   plt
       #   symbols
+      #   one_gadgets
       #
       # @param [Integer] val
       #   Address to be changed to.
@@ -68,6 +73,7 @@ module Pwnlib
         [@got, @plt, @symbols].compact.each do |tbl|
           tbl.each_pair { |k, _| tbl[k] += val - old }
         end
+        @one_gadgets&.map! { |off| off + val - old }
       end
 
       # Return the protection information, wrapper with color codes.
@@ -82,7 +88,7 @@ module Pwnlib
             none: Rainbow('No RELRO').red
           }[relro],
           'Stack:'.ljust(10) + {
-            true =>  Rainbow('Canary found').green,
+            true => Rainbow('Canary found').green,
             false => Rainbow('No canary found').red
           }[canary?],
           'NX:'.ljust(10) + {
@@ -102,10 +108,13 @@ module Pwnlib
       def relro
         return :none unless @elf_file.segment_by_type(:gnu_relro)
         return :full if dynamic_tag(:bind_now)
+
         flags = dynamic_tag(:flags)
         return :full if flags && (flags.value & ::ELFTools::Constants::DF_BIND_NOW) != 0
+
         flags1 = dynamic_tag(:flags_1)
         return :full if flags1 && (flags1.value & ::ELFTools::Constants::DF_1_NOW) != 0
+
         :partial
       end
 
@@ -159,6 +168,7 @@ module Pwnlib
       #   #=> true
       def search(needle)
         return enum_for(:search, needle) unless block_given?
+
         load_address_fixup = @address - @load_addr
         stream = @elf_file.stream
         @elf_file.each_segments do |seg|
@@ -173,6 +183,7 @@ module Pwnlib
           loop do
             offset = data.index(needle, offset)
             break if offset.nil?
+
             yield (addr + offset + load_address_fixup)
             offset += 1
           end
@@ -181,6 +192,58 @@ module Pwnlib
       end
       alias find search
 
+      # Returns one-gadgets of glibc.
+      #
+      # @return [Array<Integer>]
+      #   Returns array of one-gadgets, see examples.
+      #
+      # @example
+      #   ELF::ELF.new('/lib/x86_64-linux-gnu/libc.so.6').one_gadgets[0]
+      #   #=> 324293 # 0x4f2c5
+      #
+      # @example
+      #   libc = ELF::ELF.new('/lib/x86_64-linux-gnu/libc.so.6')
+      #   libc.one_gadgets[1]
+      #   #=> 324386 # 0x4f322
+      #
+      #   libc.address = 0x7fff7fff0000
+      #   libc.one_gadgets[1]
+      #   #=> 140735341130530 # 0x7fff8003f322
+      #
+      # @example
+      #   libc = ELF::ELF.new('/lib/x86_64-linux-gnu/libc.so.6')
+      #   context.log_level = :debug
+      #   libc.one_gadgets[0]
+      #   # [DEBUG] 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
+      #   # constraints:
+      #   #   rcx == NULL
+      #   #=> 324293
+      def one_gadgets
+        return @one_gadgets if @one_gadgets
+
+        gadgets = OneGadget.gadgets(file: @path, details: true, level: 1)
+        @one_gadgets = gadgets.map { |g| g.offset + address }
+        @one_gadgets.instance_variable_set(:@gadgets, gadgets)
+
+        class << @one_gadgets
+          def [](idx)
+            super.tap { log.debug(@gadgets[idx].inspect) }
+          end
+
+          def first
+            self[0]
+          end
+
+          def last
+            self[-1]
+          end
+
+          include ::Pwnlib::Logger
+        end
+
+        @one_gadgets
+      end
+
       private
 
       def show_info(path)
@@ -192,7 +255,8 @@ module Pwnlib
       # @return [ELFTools::Dynamic::Tag, nil]
       def dynamic_tag(type)
         dynamic = @elf_file.segment_by_type(:dynamic) || @elf_file.section_by_name('.dynamic')
-        return nil if dynamic.nil? # No dynamic present, might be static-linked.
+        return nil if dynamic.nil? # No dynamic table presents, might be statically linked.
+
         dynamic.tag_by_type(type)
       end
 
@@ -202,9 +266,11 @@ module Pwnlib
         sections_by_types(%i(rel rela)).each do |rel_sec|
           symtab = @elf_file.section_at(rel_sec.header.sh_link)
           next unless symtab.respond_to?(:symbol_at)
+
           rel_sec.relocations.each do |rel|
             symbol = symtab.symbol_at(rel.symbol_index)
             next if symbol.nil? # Unusual case.
+
             @got[symbol.name] = rel.header.r_offset.to_i
           end
         end
@@ -220,15 +286,19 @@ module Pwnlib
         @plt = nil
         plt_sec = @elf_file.section_by_name('.plt')
         return log.warn('No PLT section found, PLT not loaded') if plt_sec.nil?
+
         rel_sec = @elf_file.section_by_name('.rel.plt') || @elf_file.section_by_name('.rela.plt')
         return log.warn('No REL.PLT section found, PLT not loaded') if rel_sec.nil?
+
         symtab = @elf_file.section_at(rel_sec.header.sh_link)
         return unless symtab.respond_to?(:symbol_at) # unusual case
+
         @plt = OpenStruct.new
         address = plt_sec.header.sh_addr.to_i + PLT_OFFSET
         rel_sec.relocations.each do |rel|
           symbol = symtab.symbol_at(rel.symbol_index)
           next if symbol.nil? # unusual case
+
           @plt[symbol.name] = address
           address += PLT_OFFSET
         end
@@ -239,11 +309,13 @@ module Pwnlib
         @symbols = OpenStruct.new
         @elf_file.each_sections do |section|
           next unless section.respond_to?(:symbols)
+
           section.each_symbols do |symbol|
-            # Don't care symbols without name.
+            # Don't care symbols without a name.
             next if symbol.name.empty?
             next if symbol.header.st_value.zero?
-            # TODO(david942j): handle symbols with same name.
+
+            # TODO(david942j): handle symbols with the same name.
             @symbols[symbol.name] = symbol.header.st_value.to_i
           end
         end
@@ -255,6 +327,7 @@ module Pwnlib
 
       def base_address
         return 0 if pie?
+
         # Find the min of PT_LOAD's p_vaddr
         @elf_file.segments_by_type(:load)
                  .map { |seg| seg.header.p_vaddr }