Make brute forcing offset faster

autoRop.py

@@ -72,24 +72,27 @@ def run_program(payload: str, **kwargs) -> process:
 
 
 def find_offset_inc(low: int, high: int):
-    for i in range(low, high + 1):
+    default_padding = 64
-        print(f"  ├─[🤔] Trying payload {i}...")
+    print(f"  ├─[🤔] Generating offset discovery payload...")
     subprocess.run(
         [
             "ROPgadget",
             "--binary", exec_file,
             "--ropchain",
             "--silent",
-                "--paddingLen", str(i),
+            "--paddingLen", str(default_padding),
-                "--ropFile", rop_file,
+            "--ropFile", '/tmp/rop_file',
             "--execFile", 'rop_exec_default.json',
         ],
         stdout = subprocess.DEVNULL
     )
-
+    with open('/tmp/rop_file', 'rb') as f:
-        with open(rop_file, 'rb') as f:
+        original_payload = f.read()[default_padding:]
-            p = run_program(f.read())
+        for i in range(low, high + 1):
-            if b'[ Successful ROP! ]' in p.readall():
+            print(f"  ├─[🤔] Trying offset {i}...")
+            rop_payload = (b'A' * i) + original_payload
+            proc = run_program(rop_payload)
+            if b'[ Successful ROP! ]' in proc.readall():
                 print(f"  └─[😳] Found offset at {i}!\n")
                 return i
 
@@ -155,13 +158,12 @@ if run:
     atexit.unregister(pwnlibexit._run_handlers)
     pwnlibexit._run_handlers()
 
-    print()
+    print(f"\nExecuting {exec_file}...\n")
-    print(f"[ Run Program : ./{exec_file} {rop_file} ]")
     with open(rop_file, 'rb') as f:
-        p = run_program(f.read())
+        proc = run_program(f.read())
 
         if interactive:
             term.init()
-            p.interactive()
+            proc.interactive()
         else:
-            print(p.recvall().decode('utf-8'))
+            print(proc.recvall().decode('utf-8'))