lcsajdump 1.0.0__tar.gz

lcsajdump-1.0.0/LICENSE

@@ -0,0 +1,7 @@
+Copyright 2026 Chris1sflaggin🅭
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

lcsajdump-1.0.0/MANIFEST.in

@@ -0,0 +1,21 @@
+include README.md
+include LICENSE
+include requirements.txt
+
+graft lcsajdump
+
+prune testCTFs
+prune unitTest
+prune _images
+
+prune build
+prune lcsajdump.egg-info
+
+prune lcsajdump/venv
+
+global-exclude *.pyc
+global-exclude __pycache__
+global-exclude *.so
+global-exclude .DS_Store
+global-exclude gadgets_found.txt  
+global-exclude PAPER.md           

lcsajdump-1.0.0/PKG-INFO

@@ -0,0 +1,230 @@
+Metadata-Version: 2.4
+Name: lcsajdump
+Version: 1.0.0
+Summary: A Graph-Based ROP Gadget Finder for RISC-V architectures
+Home-page: https://chris1sflaggin.it/LCSAJdump/
+Author: Chris1sFlaggin
+Author-email: lcsajdump@chris1sflaggin.it
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Topic :: Security
+Classifier: Environment :: Console
+Requires-Python: >=3.6
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: capstone
+Requires-Dist: pyelftools
+Requires-Dist: networkx
+Requires-Dist: click
+Dynamic: author
+Dynamic: author-email
+Dynamic: classifier
+Dynamic: description
+Dynamic: description-content-type
+Dynamic: home-page
+Dynamic: license-file
+Dynamic: requires-dist
+Dynamic: requires-python
+Dynamic: summary
+
+<div id="top">
+
+<div align="center">
+
+<img src="_images/LOGO.png" width="60%" style="position: relative; top: 0; right: 0;" alt="Project Logo"/>
+
+# LCSAJdump
+
+<em>LCSAJDump: A Graph-Based Framework for Automated Gadget Discovery in RISC-V Environments.</em>
+
+<img src="https://img.shields.io/badge/status-Thesis_Prototype-orange?style=for-the-badge" alt="Status">
+
+---
+
+## Table of Contents
+
+- [Overview](#overview)
+- [Features](#features)
+- [Project Structure](#project-structure)
+    - [Project Index](#project-index)
+- [Getting Started](#getting-started)
+    - [Prerequisites](#prerequisites)
+    - [Installation](#installation)
+    - [Usage](#usage)
+    - [Testing](#testing)
+- [Roadmap](#roadmap)
+- [Contributing](#contributing)
+- [License](#license)
+
+---
+
+## Overview
+
+LCSAJdump is a static analysis framework designed to discover Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) gadgets within RISC-V binaries.
+
+Traditional ROP scanners typically employ a linear, sliding-window approach over raw executable bytes. While effective for standard instruction sequences, this method fails to identify **Shadow Gadgets**—executable chains that span non-contiguous memory blocks connected by unconditional jumps or conditional branches.
+
+LCSAJdump overcomes this limitation by reconstructing the Control-Flow Graph (CFG) through **Linear Code Sequence and Jump (LCSAJ)** analysis. By modeling the binary as a directed graph of basic blocks, the tool identifies:
+
+1. **Contiguous Gadgets:** Standard linear sequences terminating in a control-flow transfer.
+2. **Non-Contiguous (Shadow) Gadgets:** Complex chains traversing multiple basic blocks, effectively bypassing "bad bytes" (e.g., null bytes) and utilizing instructions that would otherwise be unreachable by linear scanning.
+
+## Features
+
+* **Comprehensive Architecture Support:** Full support for RISC-V 64-bit (RV64) and Compressed (C) extensions. Handling 16-bit compressed instructions is critical for maximizing gadget coverage in modern RISC-V binaries.
+* **Graph-Based Reconstruction:** The engine segments the `.text` section into basic blocks based on control-flow transfers (jumps, branches, returns) and reconstructs edges for both fallthrough and direct targets using NetworkX.
+* **Heuristic Backward Search:** Implements a specialized backward Breadth-First Search (BFS) algorithm starting from control-flow sinks (`ret`, `jr`, `jalr`) to reconstruct valid execution paths in reverse.
+* **Hybrid Discovery:** Capable of identifying both standard linear gadgets and complex, multi-block trampoline gadgets in a single pass.
+* **Scoring and Classification:** Includes a heuristic scoring system that prioritizes gadgets involving critical registers (`ra`, `a0`, `sp`) and classifies results into functional categories (Linear, Trampoline, Conditional, Fallthrough).
+* **Optimized Performance:** Features configurable pruning parameters ("Darkness" factor) to limit the search depth and node visitation, balancing analysis speed with coverage depth.
+
+## Project Structure
+
+The repository is organized into modular components responsible for binary loading, graph generation, and algorithmic search.
+
+```text
+LCSAJdump/
+├── loader.py       # ELF parsing and Capstone disassembly wrapper
+├── graph.py        # LCSAJ basic block decomposition and DiGraph construction
+├── rainbowBFS.py   # Backward search algorithm, scoring, and classification logic
+├── LCSAJdump.py    # Main entry point and CLI argument parsing
+└── utils.py        # Helper functions for formatting and logging
+
+```
+
+### Project Index
+
+* **`loader.py`**: Utilizes `pyelftools` to extract executable sections and `Capstone` to disassemble RV64GC instructions into a linear stream.
+* **`graph.py`**: Converts the linear instruction stream into a directed graph. Nodes represent basic blocks (LCSAJs), and edges represent control flow (jumps, branches, and fallthroughs).
+* **`rainbowBFS.py`**: The core analysis engine. It traverses the reverse graph from leaf nodes (returns) to find executable paths, applying heuristic scoring to filter non-viable chains.
+* **`LCSAJdump.py`**: Orchestrates the analysis pipeline, handling user input, parameter tuning, and output generation.
+
+## Getting Started
+
+### Prerequisites
+
+All of them listed in `requirements.txt`:
+* Python 3.8 or higher
+* `capstone` (Disassembly engine)
+* `networkx` (Graph algorithms)
+* `pyelftools` (ELF file parsing)
+
+### Installation
+
+#### GitHub
+
+Clone the repository and install the required dependencies:
+
+```bash
+git clone [https://github.com/Chris1sFlaggin/LCSAJdump.git](https://github.com/Chris1sFlaggin/LCSAJdump.git)
+cd LCSAJdump
+pip install -r requirements.txt
+
+```
+
+#### Pip
+
+```zsh
+pip install lcsajdump
+```
+
+### Usage
+
+**Basic Scan**
+Run the tool on a target binary using default parameters:
+
+```bash
+python LCSAJdump.py <path_to_binary>
+
+```
+
+**Advanced Configuration**
+Users can tune the search depth and pruning thresholds to handle larger binaries or deeper gadget chains:
+
+```bash
+python LCSAJdump.py -d 15 -k 100 -l 20 --verbose <path_to_binary>
+
+```
+
+**CLI Options:**
+
+* `-d, --depth`: Maximum search depth (in blocks) for the BFS algorithm.
+* `-k, --darkness`: Pruning threshold (maximum visits per node) to prevent infinite loops in cyclic graphs.
+* `-l, --limit`: Maximum number of top-ranked gadgets to display.
+* `-s, --min-score`: Minimum heuristic score threshold for reporting.
+* `-v, --verbose`: Enable detailed output of instruction decoding.
+
+### Testing
+
+To verify the integrity of the graph reconstruction and gadget finding logic, run the unit tests provided in the `tests/` directory:
+
+```bash
+python -m pytest unitTest/*
+```
+
+---
+
+## Output Example
+
+```text
+❯ time python LCSAJdump/LCSAJdump.py testCTFs/rop/vuln 
+[*] Analisi Target: testCTFs/rop/vuln
+[*] Caricamento binario: testCTFs/rop/vuln
+[*] Sezione .text trovata.
+    Dimensione: 258236 bytes
+    Indirizzo Base: 0x10250
+
+[*] Avvio disassemblaggio con Capstone...
+Disassembling   [████████████████████████████████████████████████████████████] 100.0%
+[*] Disassemblaggio completato. 89354 istruzioni estratte.
+
+[*] Costruzione Nodi LCSAJ...
+Building Graph  [████████████████████████████████████████████████████████████] 100.0%
+
+[*] Configurazione Rainbow: Depth=12, Darkness=30
+[*] Pruning effettuato: 0 rami tagliati.
+
+============================================================
+--- TOP 10 SEQUENTIAL GADGETS ---
+============================================================
+0x39ffe: c.ldsp ra, 0x48(sp); c.ldsp a0, 0x38(sp); c.addi16sp sp, 0x50; c.jr ra
+0x4078c: c.ldsp a0, 0x20(sp); c.ldsp ra, 0x58(sp); c.addi16sp sp, 0x60; c.jr ra
+0x45d2e: c.ld a0, 0x10(a5); c.ldsp ra, 0x38(sp); c.addi16sp sp, 0x40; c.jr ra
+0x460b8: c.ldsp ra, 0x38(sp); c.ldsp a0, 0x20(sp); c.addi16sp sp, 0x40; c.jr ra
+0x460e6: c.ldsp ra, 0x38(sp); c.ldsp a0, 0x20(sp); c.addi16sp sp, 0x40; c.jr ra
+0x4618c: c.ldsp ra, 0x28(sp); c.ldsp a0, 0x10(sp); c.addi16sp sp, 0x30; c.jr ra
+0x461b6: c.ldsp ra, 0x28(sp); c.ldsp a0, 0x10(sp); c.addi16sp sp, 0x30; c.jr ra
+0x46386: c.ldsp a0, 0(sp); c.ldsp ra, 0x18(sp); c.addi16sp sp, 0x20; c.jr ra
+0x4aa1a: c.ldsp a0, 0x18(sp); c.ldsp ra, 0x28(sp); c.addi16sp sp, 0x30; c.jr ra
+0x113be: c.ldsp a0, 8(sp); c.ldsp ra, 0x18(sp); c.sw s0, 0x70(a0); c.ldsp s0, 0x10(sp); c.addi16sp sp, 0x20; c.jr ra
+
+============================================================
+--- TOP 10 JUMP-BASED GADGETS ---
+============================================================
+0x4060a: c.ld a0, 0x18(s0); jal -0x27b12; c.ldsp a1, 8(sp); addi a7, zero, 0x87; c.li a0, 2; c.li a2, 0; c.li a3, 8; ecall ; c.ldsp ra, 0x18(sp); c.addi16sp sp, 0x20; c.jr ra
+0x46fc0: ld s8, -0x500(s0); ld a0, -0x480(s0); ld a6, -0x4f8(s0); beq a0, s8, 0x10; sd a6, -0x4c8(s0); jal -0x2e4da; c.sd a4, 0x28(a5); c.ldsp ra, 0x78(sp); c.ldsp s8, 0x30(sp); c.addi16sp sp, 0x80; c.jr ra
+0x2b9f4: auipc a3, 0x4e; ld a3, 0x504(a3); addi a2, sp, 0x4e0; c.mv a1, a2; c.add a3, tp; c.ld a0, 0(a3); jal 0x13ace; c.lw a4, 0(a5); c.andi a4, -0x11; c.sw a4, 0(a5); c.ldsp ra, 0x18(sp); c.addi16sp sp, 0x20; c.jr ra
+0x4146a: ld a0, 8(s10); jal -0x28974; c.mv a0, t3; bltz t3, 0x22e; c.ldsp s0, 0x50(sp); c.ldsp s1, 0x48(sp); c.ldsp s3, 0x38(sp); c.ldsp ra, 0x58(sp); c.ldsp s2, 0x40(sp); c.ldsp s4, 0x30(sp); c.ldsp s5, 0x28(sp); c.addi16sp sp, 0x60; c.jr ra
+0x46224: c.addi16sp sp, -0x30; c.sdsp a0, 0(sp); auipc a0, 0x34; ld a0, -0x328(a0); c.sdsp ra, 0x28(sp); c.sdsp s0, 0x20(sp); c.sdsp a1, 8(sp); c.sdsp ra, 0x10(sp); jal -0x16152; c.ldsp ra, 0x18(sp); c.ldsp s0, 0x10(sp); c.li a0, -1; c.addi16sp sp, 0x20; c.jr ra
+0x35a06: ld a0, 0x360(s1); c.li a5, -1; beq a0, a5, 8; jal -0x1cf16; c.ld a2, 0x58(s0); c.lw a1, 0x60(s0); auipc a0, 0x34; addi a0, a0, -0x1a; addi s0, s0, 0x80; jal 0x1b864; c.ldsp ra, 0x88(sp); c.ldsp s0, 0x80(sp); c.ldsp s1, 0x78(sp); c.addi16sp sp, 0x90; c.jr ra
+0x46366: c.ld a0, 0x10(a0); c.sdsp a5, 8(sp); c.sdsp a4, 0(sp); jal -0x1245a; add a4, a2, a1; c.lw a3, 0(a5); c.sd a2, 0x18(a5); c.sd a4, 8(a5); c.andi a3, -0x11; c.sd a4, 0x10(a5); c.sd a0, 0x90(a5); c.sw a3, 0(a5); c.ldsp ra, 0x28(sp); c.mv a0, a1; c.addi16sp sp, 0x30; c.jr ra
+0x1db48: c.ld a0, 8(s0); c.ldsp s0, 0x10(sp); c.ld a1, 8(s1); c.ldsp ra, 0x18(sp); c.ldsp s1, 8(sp); c.addi16sp sp, 0x20; j 0x141fe; c.lw a4, 0(a5); c.ld a3, 8(a5); andi a4, a4, 0x100; c.bnez a4, 0xe; c.ld a5, 0x18(a5); c.lw a0, 0x10(a0); sub a5, a3, a5; c.subw a0, a5; c.jr ra
+0x4145e: lw a5, 0(s6); andi a5, a5, 0x40; bnez a5, 0x2c0; ld a0, 8(s10); jal -0x28974; c.mv a0, t3; bltz t3, 0x22e; c.ldsp s0, 0x50(sp); c.ldsp s1, 0x48(sp); c.ldsp s3, 0x38(sp); c.ldsp ra, 0x58(sp); c.ldsp s2, 0x40(sp); c.ldsp s4, 0x30(sp); c.ldsp s5, 0x28(sp); c.addi16sp sp, 0x60; c.jr ra
+0x2bd72: c.mv a2, s8; addi a1, zero, 0x20; c.mv a0, s0; jal 0x109e8; slli a0, a4, 5; c.addi a0, 0x10; c.addi a4, 1; c.add a0, a2; c.sd a4, 8(a2); ld a5, 0xa0(gp); c.li a4, 1; c.ldsp ra, 0x18(sp); c.sd a4, 0(a0); c.add a5, a4; sd a5, 0xa0(gp); c.addi16sp sp, 0x20; c.jr ra
+
+[+] Report salvato in: gadgets_found.txt (Trovati 4637 gadget)
+python LCSAJdump/LCSAJdump.py testCTFs/rop/vuln  1,67s user 0,27s system 99% cpu 1,936 total
+```
+
+---
+
+## Contributing
+
+Contributions to improve the search algorithm or extend architecture support are welcome. Please ensure that any pull requests include relevant test cases and adhere to the existing coding standards.
+
+---
+
+## License
+
+This project is licensed under the MIT License. See the [LICENSE](https://www.google.com/search?q=LICENSE) file for details.

lcsajdump-1.0.0/README.md

@@ -0,0 +1,200 @@
+<div id="top">
+
+<div align="center">
+
+<img src="_images/LOGO.png" width="60%" style="position: relative; top: 0; right: 0;" alt="Project Logo"/>
+
+# LCSAJdump
+
+<em>LCSAJDump: A Graph-Based Framework for Automated Gadget Discovery in RISC-V Environments.</em>
+
+<img src="https://img.shields.io/badge/status-Thesis_Prototype-orange?style=for-the-badge" alt="Status">
+
+---
+
+## Table of Contents
+
+- [Overview](#overview)
+- [Features](#features)
+- [Project Structure](#project-structure)
+    - [Project Index](#project-index)
+- [Getting Started](#getting-started)
+    - [Prerequisites](#prerequisites)
+    - [Installation](#installation)
+    - [Usage](#usage)
+    - [Testing](#testing)
+- [Roadmap](#roadmap)
+- [Contributing](#contributing)
+- [License](#license)
+
+---
+
+## Overview
+
+LCSAJdump is a static analysis framework designed to discover Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) gadgets within RISC-V binaries.
+
+Traditional ROP scanners typically employ a linear, sliding-window approach over raw executable bytes. While effective for standard instruction sequences, this method fails to identify **Shadow Gadgets**—executable chains that span non-contiguous memory blocks connected by unconditional jumps or conditional branches.
+
+LCSAJdump overcomes this limitation by reconstructing the Control-Flow Graph (CFG) through **Linear Code Sequence and Jump (LCSAJ)** analysis. By modeling the binary as a directed graph of basic blocks, the tool identifies:
+
+1. **Contiguous Gadgets:** Standard linear sequences terminating in a control-flow transfer.
+2. **Non-Contiguous (Shadow) Gadgets:** Complex chains traversing multiple basic blocks, effectively bypassing "bad bytes" (e.g., null bytes) and utilizing instructions that would otherwise be unreachable by linear scanning.
+
+## Features
+
+* **Comprehensive Architecture Support:** Full support for RISC-V 64-bit (RV64) and Compressed (C) extensions. Handling 16-bit compressed instructions is critical for maximizing gadget coverage in modern RISC-V binaries.
+* **Graph-Based Reconstruction:** The engine segments the `.text` section into basic blocks based on control-flow transfers (jumps, branches, returns) and reconstructs edges for both fallthrough and direct targets using NetworkX.
+* **Heuristic Backward Search:** Implements a specialized backward Breadth-First Search (BFS) algorithm starting from control-flow sinks (`ret`, `jr`, `jalr`) to reconstruct valid execution paths in reverse.
+* **Hybrid Discovery:** Capable of identifying both standard linear gadgets and complex, multi-block trampoline gadgets in a single pass.
+* **Scoring and Classification:** Includes a heuristic scoring system that prioritizes gadgets involving critical registers (`ra`, `a0`, `sp`) and classifies results into functional categories (Linear, Trampoline, Conditional, Fallthrough).
+* **Optimized Performance:** Features configurable pruning parameters ("Darkness" factor) to limit the search depth and node visitation, balancing analysis speed with coverage depth.
+
+## Project Structure
+
+The repository is organized into modular components responsible for binary loading, graph generation, and algorithmic search.
+
+```text
+LCSAJdump/
+├── loader.py       # ELF parsing and Capstone disassembly wrapper
+├── graph.py        # LCSAJ basic block decomposition and DiGraph construction
+├── rainbowBFS.py   # Backward search algorithm, scoring, and classification logic
+├── LCSAJdump.py    # Main entry point and CLI argument parsing
+└── utils.py        # Helper functions for formatting and logging
+
+```
+
+### Project Index
+
+* **`loader.py`**: Utilizes `pyelftools` to extract executable sections and `Capstone` to disassemble RV64GC instructions into a linear stream.
+* **`graph.py`**: Converts the linear instruction stream into a directed graph. Nodes represent basic blocks (LCSAJs), and edges represent control flow (jumps, branches, and fallthroughs).
+* **`rainbowBFS.py`**: The core analysis engine. It traverses the reverse graph from leaf nodes (returns) to find executable paths, applying heuristic scoring to filter non-viable chains.
+* **`LCSAJdump.py`**: Orchestrates the analysis pipeline, handling user input, parameter tuning, and output generation.
+
+## Getting Started
+
+### Prerequisites
+
+All of them listed in `requirements.txt`:
+* Python 3.8 or higher
+* `capstone` (Disassembly engine)
+* `networkx` (Graph algorithms)
+* `pyelftools` (ELF file parsing)
+
+### Installation
+
+#### GitHub
+
+Clone the repository and install the required dependencies:
+
+```bash
+git clone [https://github.com/Chris1sFlaggin/LCSAJdump.git](https://github.com/Chris1sFlaggin/LCSAJdump.git)
+cd LCSAJdump
+pip install -r requirements.txt
+
+```
+
+#### Pip
+
+```zsh
+pip install lcsajdump
+```
+
+### Usage
+
+**Basic Scan**
+Run the tool on a target binary using default parameters:
+
+```bash
+python LCSAJdump.py <path_to_binary>
+
+```
+
+**Advanced Configuration**
+Users can tune the search depth and pruning thresholds to handle larger binaries or deeper gadget chains:
+
+```bash
+python LCSAJdump.py -d 15 -k 100 -l 20 --verbose <path_to_binary>
+
+```
+
+**CLI Options:**
+
+* `-d, --depth`: Maximum search depth (in blocks) for the BFS algorithm.
+* `-k, --darkness`: Pruning threshold (maximum visits per node) to prevent infinite loops in cyclic graphs.
+* `-l, --limit`: Maximum number of top-ranked gadgets to display.
+* `-s, --min-score`: Minimum heuristic score threshold for reporting.
+* `-v, --verbose`: Enable detailed output of instruction decoding.
+
+### Testing
+
+To verify the integrity of the graph reconstruction and gadget finding logic, run the unit tests provided in the `tests/` directory:
+
+```bash
+python -m pytest unitTest/*
+```
+
+---
+
+## Output Example
+
+```text
+❯ time python LCSAJdump/LCSAJdump.py testCTFs/rop/vuln 
+[*] Analisi Target: testCTFs/rop/vuln
+[*] Caricamento binario: testCTFs/rop/vuln
+[*] Sezione .text trovata.
+    Dimensione: 258236 bytes
+    Indirizzo Base: 0x10250
+
+[*] Avvio disassemblaggio con Capstone...
+Disassembling   [████████████████████████████████████████████████████████████] 100.0%
+[*] Disassemblaggio completato. 89354 istruzioni estratte.
+
+[*] Costruzione Nodi LCSAJ...
+Building Graph  [████████████████████████████████████████████████████████████] 100.0%
+
+[*] Configurazione Rainbow: Depth=12, Darkness=30
+[*] Pruning effettuato: 0 rami tagliati.
+
+============================================================
+--- TOP 10 SEQUENTIAL GADGETS ---
+============================================================
+0x39ffe: c.ldsp ra, 0x48(sp); c.ldsp a0, 0x38(sp); c.addi16sp sp, 0x50; c.jr ra
+0x4078c: c.ldsp a0, 0x20(sp); c.ldsp ra, 0x58(sp); c.addi16sp sp, 0x60; c.jr ra
+0x45d2e: c.ld a0, 0x10(a5); c.ldsp ra, 0x38(sp); c.addi16sp sp, 0x40; c.jr ra
+0x460b8: c.ldsp ra, 0x38(sp); c.ldsp a0, 0x20(sp); c.addi16sp sp, 0x40; c.jr ra
+0x460e6: c.ldsp ra, 0x38(sp); c.ldsp a0, 0x20(sp); c.addi16sp sp, 0x40; c.jr ra
+0x4618c: c.ldsp ra, 0x28(sp); c.ldsp a0, 0x10(sp); c.addi16sp sp, 0x30; c.jr ra
+0x461b6: c.ldsp ra, 0x28(sp); c.ldsp a0, 0x10(sp); c.addi16sp sp, 0x30; c.jr ra
+0x46386: c.ldsp a0, 0(sp); c.ldsp ra, 0x18(sp); c.addi16sp sp, 0x20; c.jr ra
+0x4aa1a: c.ldsp a0, 0x18(sp); c.ldsp ra, 0x28(sp); c.addi16sp sp, 0x30; c.jr ra
+0x113be: c.ldsp a0, 8(sp); c.ldsp ra, 0x18(sp); c.sw s0, 0x70(a0); c.ldsp s0, 0x10(sp); c.addi16sp sp, 0x20; c.jr ra
+
+============================================================
+--- TOP 10 JUMP-BASED GADGETS ---
+============================================================
+0x4060a: c.ld a0, 0x18(s0); jal -0x27b12; c.ldsp a1, 8(sp); addi a7, zero, 0x87; c.li a0, 2; c.li a2, 0; c.li a3, 8; ecall ; c.ldsp ra, 0x18(sp); c.addi16sp sp, 0x20; c.jr ra
+0x46fc0: ld s8, -0x500(s0); ld a0, -0x480(s0); ld a6, -0x4f8(s0); beq a0, s8, 0x10; sd a6, -0x4c8(s0); jal -0x2e4da; c.sd a4, 0x28(a5); c.ldsp ra, 0x78(sp); c.ldsp s8, 0x30(sp); c.addi16sp sp, 0x80; c.jr ra
+0x2b9f4: auipc a3, 0x4e; ld a3, 0x504(a3); addi a2, sp, 0x4e0; c.mv a1, a2; c.add a3, tp; c.ld a0, 0(a3); jal 0x13ace; c.lw a4, 0(a5); c.andi a4, -0x11; c.sw a4, 0(a5); c.ldsp ra, 0x18(sp); c.addi16sp sp, 0x20; c.jr ra
+0x4146a: ld a0, 8(s10); jal -0x28974; c.mv a0, t3; bltz t3, 0x22e; c.ldsp s0, 0x50(sp); c.ldsp s1, 0x48(sp); c.ldsp s3, 0x38(sp); c.ldsp ra, 0x58(sp); c.ldsp s2, 0x40(sp); c.ldsp s4, 0x30(sp); c.ldsp s5, 0x28(sp); c.addi16sp sp, 0x60; c.jr ra
+0x46224: c.addi16sp sp, -0x30; c.sdsp a0, 0(sp); auipc a0, 0x34; ld a0, -0x328(a0); c.sdsp ra, 0x28(sp); c.sdsp s0, 0x20(sp); c.sdsp a1, 8(sp); c.sdsp ra, 0x10(sp); jal -0x16152; c.ldsp ra, 0x18(sp); c.ldsp s0, 0x10(sp); c.li a0, -1; c.addi16sp sp, 0x20; c.jr ra
+0x35a06: ld a0, 0x360(s1); c.li a5, -1; beq a0, a5, 8; jal -0x1cf16; c.ld a2, 0x58(s0); c.lw a1, 0x60(s0); auipc a0, 0x34; addi a0, a0, -0x1a; addi s0, s0, 0x80; jal 0x1b864; c.ldsp ra, 0x88(sp); c.ldsp s0, 0x80(sp); c.ldsp s1, 0x78(sp); c.addi16sp sp, 0x90; c.jr ra
+0x46366: c.ld a0, 0x10(a0); c.sdsp a5, 8(sp); c.sdsp a4, 0(sp); jal -0x1245a; add a4, a2, a1; c.lw a3, 0(a5); c.sd a2, 0x18(a5); c.sd a4, 8(a5); c.andi a3, -0x11; c.sd a4, 0x10(a5); c.sd a0, 0x90(a5); c.sw a3, 0(a5); c.ldsp ra, 0x28(sp); c.mv a0, a1; c.addi16sp sp, 0x30; c.jr ra
+0x1db48: c.ld a0, 8(s0); c.ldsp s0, 0x10(sp); c.ld a1, 8(s1); c.ldsp ra, 0x18(sp); c.ldsp s1, 8(sp); c.addi16sp sp, 0x20; j 0x141fe; c.lw a4, 0(a5); c.ld a3, 8(a5); andi a4, a4, 0x100; c.bnez a4, 0xe; c.ld a5, 0x18(a5); c.lw a0, 0x10(a0); sub a5, a3, a5; c.subw a0, a5; c.jr ra
+0x4145e: lw a5, 0(s6); andi a5, a5, 0x40; bnez a5, 0x2c0; ld a0, 8(s10); jal -0x28974; c.mv a0, t3; bltz t3, 0x22e; c.ldsp s0, 0x50(sp); c.ldsp s1, 0x48(sp); c.ldsp s3, 0x38(sp); c.ldsp ra, 0x58(sp); c.ldsp s2, 0x40(sp); c.ldsp s4, 0x30(sp); c.ldsp s5, 0x28(sp); c.addi16sp sp, 0x60; c.jr ra
+0x2bd72: c.mv a2, s8; addi a1, zero, 0x20; c.mv a0, s0; jal 0x109e8; slli a0, a4, 5; c.addi a0, 0x10; c.addi a4, 1; c.add a0, a2; c.sd a4, 8(a2); ld a5, 0xa0(gp); c.li a4, 1; c.ldsp ra, 0x18(sp); c.sd a4, 0(a0); c.add a5, a4; sd a5, 0xa0(gp); c.addi16sp sp, 0x20; c.jr ra
+
+[+] Report salvato in: gadgets_found.txt (Trovati 4637 gadget)
+python LCSAJdump/LCSAJdump.py testCTFs/rop/vuln  1,67s user 0,27s system 99% cpu 1,936 total
+```
+
+---
+
+## Contributing
+
+Contributions to improve the search algorithm or extend architecture support are welcome. Please ensure that any pull requests include relevant test cases and adhere to the existing coding standards.
+
+---
+
+## License
+
+This project is licensed under the MIT License. See the [LICENSE](https://www.google.com/search?q=LICENSE) file for details.

lcsajdump-1.0.0/lcsajdump/cli.py

@@ -0,0 +1,57 @@
+import click
+import sys
+from .core.loader import BinaryLoader
+from .core.graph import LCSAJGraph
+from .core.rainbowBFS import RainbowFinder
+
+@click.command()
+@click.argument('binary_path', type=click.Path(exists=True))
+@click.option('--depth', '-d', default=12, help='Profondità massima di ricerca (blocchi LCSAJ).')
+@click.option('--darkness', '-k', default=30, help='Soglia di pruning (Max visite per nodo).')
+@click.option('--limit', '-l', default=10, help='Numero di gadget da mostrare a video.')
+@click.option('--min-score', '-s', default=0, help='Punteggio minimo per mostrare un gadget.')
+@click.option('--verbose', '-v', is_flag=True, help='Mostra dettagli extra sui gadget trovati.')
+@click.version_option(version='1.0.0', prog_name='LCSAJdump')
+def main(binary_path, depth, darkness, limit, min_score, verbose):
+    """
+    RISC-V LCSAJ ROP Finder.
+    Analizza un binario per trovare gadget ROP usando l'algoritmo Rainbow BFS.
+    """
+    print('\33[33m'+r"""
+        ██╗      ██████╗███████╗ █████╗      ██╗██████╗ ██╗   ██╗███╗   ███╗██████╗               ██╗   ██╗ ██╗    ██████╗     ██████╗ 
+        ██║     ██╔════╝██╔════╝██╔══██╗     ██║██╔══██╗██║   ██║████╗ ████║██╔══██╗              ██║   ██║███║   ██╔═████╗   ██╔═████╗
+        ██║     ██║     ███████╗███████║     ██║██║  ██║██║   ██║██╔████╔██║██████╔╝    █████╗    ██║   ██║╚██║   ██║██╔██║   ██║██╔██║
+        ██║     ██║     ╚════██║██╔══██║██   ██║██║  ██║██║   ██║██║╚██╔╝██║██╔═══╝     ╚════╝    ╚██╗ ██╔╝ ██║   ████╔╝██║   ████╔╝██║
+        ███████╗╚██████╗███████║██║  ██║╚█████╔╝██████╔╝╚██████╔╝██║ ╚═╝ ██║██║                    ╚████╔╝  ██║██╗╚██████╔╝▄█╗╚██████╔╝
+        ╚══════╝ ╚═════╝╚══════╝╚═╝  ╚═╝ ╚════╝ ╚═════╝  ╚═════╝ ╚═╝     ╚═╝╚═╝                     ╚═══╝   ╚═╝╚═╝ ╚═════╝ ╚═╝ ╚═════╝                                                                                                                                
+    """+'\33[0m')
+
+    print(f"[*] Analizing Target: {binary_path}")
+    
+    loader = BinaryLoader(binary_path)
+    insns = loader.disassemble()
+    
+    gb = LCSAJGraph(insns)
+    gb.build()
+    
+    finder = RainbowFinder(gb, max_depth=depth, max_darkness=darkness)
+    gadgets = finder.search()
+    
+    # Output a video filtrato
+    finder.print_gadgets(limit=limit, min_score=min_score, verbose=verbose)
+    
+    # Output su file 
+    output_file = "gadgets_found.txt"
+    try:
+        with open(output_file, "w") as f:
+            sys.stdout = f
+            print(f"REPORT GADGET - Depth:{depth} Darkness:{darkness}\n")
+            finder.print_gadgets(limit=len(gadgets), min_score=min_score)
+            sys.stdout = sys.__stdout__ 
+        print(f"\n[+] Report saved in: {output_file} (Found {len(gadgets)} gadgets)")
+    except Exception as e:
+        sys.stdout = sys.__stdout__
+        print(f"[!] Errore while saving file: {e}")
+
+if __name__ == '__main__':
+    main()

lcsajdump-1.0.0/lcsajdump/core/graph.py

@@ -0,0 +1,82 @@
+import networkx as nx
+from .loader import draw_progress
+
+class LCSAJGraph:
+    def __init__(self, instructions):
+        self.instructions = instructions
+        self.graph = nx.DiGraph()
+        self.addr_to_node = {} # Inizio blocco -> Dati blocco
+        self.insn_to_block_start = {} # Indirizzo istruzione -> Inizio blocco di appartenenza
+        self.reverse_graph = {} 
+        self.nodes = []
+
+    def build(self):
+        self._create_nodes()
+        self._build_edges()
+
+    def _create_nodes(self):
+        if not self.instructions: return
+
+        print("[*] Building LCSAJ Nodes...") 
+        
+        total_insns = len(self.instructions)
+        current_block_insns = []
+        block_start = self.instructions[0].address 
+
+        for idx, insn in enumerate(self.instructions):
+            
+            if idx % 1000 == 0:
+                draw_progress(idx, total_insns, "Building Graph")
+
+            current_block_insns.append(insn)
+            mnem = insn.mnemonic.lower()
+            
+            is_jump = mnem in ['ret', 'c.jr', 'c.jalr', 'jr', 'jalr'] or \
+                      mnem in ['j', 'jal', 'c.j', 'c.jal'] or \
+                      mnem.startswith('b') or mnem.startswith('c.b')
+
+            if is_jump:
+                self._add_node(block_start, current_block_insns)
+                current_block_insns = []
+                if idx + 1 < total_insns:
+                    block_start = self.instructions[idx+1].address 
+
+        if current_block_insns:
+            self._add_node(block_start, current_block_insns)
+            
+        draw_progress(total_insns, total_insns, "Building Graph")
+
+    def _add_node(self, start, insns):
+        node = {'start': start, 'end': insns[-1].address, 'insns': insns, 'last_insn': insns[-1]}
+        self.nodes.append(node)
+        self.addr_to_node[start] = node
+        for i in insns:
+            self.insn_to_block_start[i.address] = start
+
+    def _build_edges(self):
+        for node in self.nodes:
+            last = node['last_insn']
+            mnem = last.mnemonic.lower()
+            targets = []
+
+            if mnem not in ['j', 'jal', 'c.j', 'c.jal', 'ret', 'jr', 'c.jr']:
+                next_addr = last.address + last.size
+                if next_addr in self.insn_to_block_start:
+                    targets.append(self.insn_to_block_start[next_addr])
+
+            if mnem.startswith('b') or mnem in ['jal', 'j', 'c.j', 'c.jal']:
+                try:
+                    import re
+                    hex_match = re.findall(r'0x[0-9a-fA-F]+', last.op_str)
+                    if hex_match:
+                        addr = int(hex_match[-1], 16)
+                        if addr in self.insn_to_block_start:
+                            targets.append(self.insn_to_block_start[addr])
+                except: pass
+
+            for t in set(targets):
+                if t not in self.reverse_graph: self.reverse_graph[t] = []
+                self.reverse_graph[t].append(node['start'])
+
+    def get_gadget_tails(self):
+        return [n for n in self.nodes if n['last_insn'].mnemonic.lower() in ['ret', 'c.jr', 'jr', 'jalr']]

lcsajdump-1.0.0/lcsajdump/core/loader.py

@@ -0,0 +1,100 @@
+import capstone
+from elftools.elf.elffile import ELFFile
+import sys
+
+def draw_progress(current, total, label=""):
+    percent = float(current) / float(total) * 100
+    bar_length = 60
+    filled_length = int(bar_length * current // total)
+    
+    bar = '█' * filled_length + '░' * (bar_length - filled_length)
+    
+    sys.stdout.write(f"\r{label:15} \033[32m[{bar}]\033[0m {percent:>5.1f}%")
+    sys.stdout.flush()
+    
+    if current == total:
+        print()
+
+class BinaryLoader:
+    def __init__(self, path):
+        self.path = path
+        self.code_bytes = None
+        self.base_addr = 0
+        
+        # --- CONFIGURAZIONE CAPSTONE ---
+        # CS_ARCH_RISCV: Architettura principale
+        # CS_MODE_RISCV64: Modalità a 64-bit
+        # CS_MODE_RISCVC: Abilita le istruzioni "Compressed" (16-bit).
+        self.md = capstone.Cs(capstone.CS_ARCH_RISCV, 
+                              capstone.CS_MODE_RISCV64 | capstone.CS_MODE_RISCVC)
+        
+        # Abilitiamo i dettagli per poter analizzare gli operandi (registri, imm) dopo
+        self.md.detail = True 
+
+    def load(self):
+        """
+        Apre il file ELF, cerca la sezione .text (codice eseguibile)
+        e la carica in memoria.
+        """
+        print(f"[*] Loadaing binary: {self.path}")
+        try:
+            with open(self.path, 'rb') as f:
+                elf = ELFFile(f)
+                text_section = elf.get_section_by_name('.text')
+                
+                if not text_section:
+                    raise ValueError("Error: Section .text not found in binary!")
+                
+                self.code_bytes = text_section.data()
+                self.base_addr = text_section['sh_addr']
+                
+                print(f"[*] Section .text found.")
+                print(f"    Dimension: {len(self.code_bytes)} bytes")
+                print(f"    Start Address: {hex(self.base_addr)}\n")
+                
+        except FileNotFoundError:
+            print(f"[!] Errore: File {self.path} non trovato.")
+            sys.exit(1)
+        except Exception as e:
+            print(f"[!] Errore nel parsing ELF: {e}")
+            sys.exit(1)
+
+    def disassemble(self):
+        if self.code_bytes is None:
+            self.load()
+            
+        print("[*] Capstone is disassembling...")
+        
+        instructions = []
+        total_bytes = len(self.code_bytes)
+        ptr = 0
+        
+        while ptr < total_bytes:
+            curr_addr = self.base_addr + ptr
+            
+            # v6 OTTIMIZZAZIONE: Invece di chiederne 1 alla volta,
+            try:
+                # Slicing (solo con buco nel codice)
+                chunk = self.code_bytes[ptr:]
+                disasm_iter = self.md.disasm(chunk, curr_addr)
+                
+                count = 0
+                for insn in disasm_iter:
+                    instructions.append(insn)
+                    ptr += insn.size
+                    count += 1
+                    
+                    if len(instructions) % 5000 == 0:
+                        draw_progress(ptr, total_bytes, "Disassembling")
+                
+                # Se count == 0, significa che Capstone si è bloccato SUBITO.
+                # Quindi il byte a 'ptr' è sporco.
+                if count == 0:
+                    ptr += 2 
+                    
+            except Exception:
+                ptr += 2
+
+        draw_progress(total_bytes, total_bytes, "Disassembling")
+        print(f"[*] Disassembling complete. {len(instructions)} instructions estracted.\n")
+        return instructions

lcsajdump-1.0.0/lcsajdump/core/rainbowBFS.py

@@ -0,0 +1,115 @@
+import collections
+
+class RainbowFinder:
+    jump_mnemonics = ['j', 'c.j', 'jal', 'c.jal']
+
+    def __init__(self, graph_manager, max_depth, max_darkness):
+        self.gm = graph_manager
+        self.gadgets = []
+        
+        self.MAX_DEPTH = max_depth
+        self.MAX_DARKNESS = max_darkness
+
+    def score_gadget(self, path):
+        score = 100
+        full_insns = []
+        for addr in path: 
+            if addr in self.gm.addr_to_node:
+                full_insns.extend(self.gm.addr_to_node[addr]['insns'])
+        
+        # v4 fix: togliere anche (len(path) * 10) era troppo penalizzante per gadget LCSAJ
+        score -= (len(full_insns) * 2)
+        
+        has_ra = any('ra' in i.op_str and 'ld' in i.mnemonic for i in full_insns)
+        has_a0 = any('a0' in i.op_str and 'ld' in i.mnemonic for i in full_insns)
+        # v4 fix: premiare i salti trampolino
+        has_J = any(i.mnemonic in self.jump_mnemonics for i in full_insns)
+
+        if has_ra: score += 50
+        if has_a0: score += 40
+        if has_J: score += 30
+
+        # Penalità JOP (Salti a registro non-ra)
+        if full_insns:
+            last = full_insns[-1]
+            if last.mnemonic in ['jr', 'jalr', 'c.jr', 'c.jalr'] and 'ra' not in last.op_str:
+                 score -= 20
+
+        return score
+
+    def search(self):
+        print(f"\n[*] RainbowBFS config: Depth={self.MAX_DEPTH}, Darkness={self.MAX_DARKNESS}")
+        tails = self.gm.get_gadget_tails()
+        queue = collections.deque([([t['start']], {t['start']}) for t in tails])
+        node_darkness = collections.defaultdict(int)
+        pruned = 0
+
+        while queue:
+            path, visited = queue.popleft()
+            head = path[0]
+            # V4 fix: '>' was blocking sequential gadgets
+            if len(path) >= 1: self.gadgets.append(path)
+            if len(path) >= self.MAX_DEPTH: continue
+
+            for parent in self.gm.reverse_graph.get(head, []):
+                if parent in visited: continue
+                if node_darkness[parent] >= self.MAX_DARKNESS:
+                    pruned += 1
+                    continue
+                node_darkness[parent] += 1
+                queue.append(([parent] + path, visited | {parent}))
+        
+        print(f"[*] Pruning: {pruned} pruned branches.")
+        return self.gadgets
+
+    def _classify_gadget(self, path):
+        """Ritorna una etichetta e una categoria per il gadget"""
+        if len(path) == 1:
+            return "LINEAR", "Sequential"
+        
+        # Analizziamo il tipo di salto
+        first_node = self.gm.addr_to_node[path[0]]
+        last_insn = first_node['last_insn']
+        mnem = last_insn.mnemonic.lower()
+        
+        if mnem in ['j', 'c.j', 'jal', 'c.jal']:
+            return "TRAMPOLINE", "Jump-Based" # Salta sopra ostacoli
+        elif mnem.startswith('b') or mnem.startswith('c.b'):
+            return "CONDITIONAL", "Jump-Based" # Logica if/else
+        else:
+            return "FALLTHROUGH", "Jump-Based" # Discontinuità di memoria
+
+    def print_gadgets(self, limit, min_score, verbose=False):
+        categories = {'Sequential': [], 'Jump-Based': []}
+
+        for g in self.gadgets:
+            s = self.score_gadget(g)
+            if s < min_score: continue
+            
+            tag, cat = self._classify_gadget(g)
+            categories[cat].append((s, g, tag)) 
+
+        for cat_name in ['Sequential', 'Jump-Based']:
+            gadgets = categories[cat_name]
+            gadgets.sort(key=lambda x: x[0], reverse=True)
+            
+            print(f"\033[33m\n{'='*60}\033[0m")
+            print(f"\033[33m--- TOP {limit} {cat_name.upper()} GADGETS ---\033[0m")
+            print(f"\033[33m{'='*60}\033[0m")
+            
+            for i, (s, p, tag) in enumerate(gadgets[:limit]):
+                if verbose:
+                    print(f"\nRANK #{i+1} | SCORE: {s} | TYPE: {tag}")
+                    for addr in p:
+                        node = self.gm.addr_to_node[addr]
+                        for insn in node['insns']:
+                             print(f"  \033[33m{hex(insn.address)}\033[0m: {insn.mnemonic} {insn.op_str}")
+                else:
+                    full_gadget_str = []
+                    for addr in p:
+                        node = self.gm.addr_to_node[addr]
+                        for insn in node['insns']:
+                            full_gadget_str.append(f"{insn.mnemonic} {insn.op_str}")
+                    
+                    start_addr = hex(p[0])
+                    print(f"\033[33m{start_addr}\033[0m: {'; '.join(full_gadget_str)}")

lcsajdump-1.0.0/lcsajdump.egg-info/SOURCES.txt

@@ -0,0 +1,11 @@
+LICENSE
+MANIFEST.in
+README.md
+requirements.txt
+setup.py
+lcsajdump/__init__.py
+lcsajdump/cli.py
+lcsajdump/core/__init__.py
+lcsajdump/core/graph.py
+lcsajdump/core/loader.py
+lcsajdump/core/rainbowBFS.py

lcsajdump-1.0.0/requirements.txt

@@ -0,0 +1,4 @@
+capstone>=5.0.0
+pyelftools>=0.29
+networkx>=3.0
+click>=8.0

lcsajdump-1.0.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

lcsajdump-1.0.0/setup.py

@@ -0,0 +1,45 @@
+from setuptools import setup, find_packages
+
+with open("README.md", "r", encoding="utf-8") as fh:
+    long_description = fh.read()
+
+setup(
+    name="lcsajdump",
+    version="1.0.0", 
+    author="Chris1sFlaggin",
+    author_email="lcsajdump@chris1sflaggin.it",
+    description="A Graph-Based ROP Gadget Finder for RISC-V architectures",
+    long_description=long_description,
+    long_description_content_type="text/markdown",
+    url="https://chris1sflaggin.it/LCSAJdump/",
+    
+    packages=find_packages(exclude=[
+        "testCTFs*",       
+        "unitTest*",       
+        "_images*",        
+        "build*",          
+        "dist*",           
+        "venv*",           
+        "lcsajdump.venv*"  
+    ]),
+    
+    classifiers=[
+        "Programming Language :: Python :: 3",
+        "License :: OSI Approved :: MIT License",
+        "Operating System :: OS Independent",
+        "Topic :: Security",
+        "Environment :: Console",
+    ],
+    python_requires='>=3.6',
+    install_requires=[
+        "capstone",
+        "pyelftools",
+        "networkx",
+        "click",
+    ],
+    entry_points={
+        'console_scripts': [
+            'lcsajdump=lcsajdump.cli:main',
+        ],
+    },
+)