From ea9a78d8b934bfe02039748b8689ae80cc566c87 Mon Sep 17 00:00:00 2001
From: Liam Dalgarno
Date: Sun, 29 Nov 2020 22:59:38 +0000
Subject: [PATCH] Offset data by 1
---
 ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py b/ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py
index d46d83c..90068db 100644
--- a/ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py
+++ b/ROPgadget/ropgadget/ropchain/arch/ropmakerx86.py
@@ -111,6 +111,10 @@ class ROPMakerX86(object):
 return p
 def __buildRopChain(self, write4where, popDst, popSrc, xorSrc, xorEax, incEax, popEbx, popEcx, popEdx, syscall):
+ #print("== Gadgets ==")
+ #print(self.__gadgets)
+ #print("=============\n\n\n\n")
+
 sects = self.__binary.getDataSections()
 dataAddr = None
 for s in sects:
@@ -123,6 +127,13 @@ class ROPMakerX86(object):
 print(f"dataAddr = 0x{dataAddr:08x}")
 print(f"int 0x80 = 0x{syscall['vaddr']:08x}")
+ # Offset address to make all addresses even.
+ # This prevent having a null byte in any addresses we write to.
+ if dataAddr % 2 == 0:
+ dataAddr += 1
+
+ print(f"dataAddr = 0x{dataAddr:08x}")
+
 # prepend padding
 p = bytes('A' * self.paddingLen, "ascii")
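Review bot: The three `#print` lines added at the top of `__buildRopChain` are commented-out debug code and have no effect; they should be dropped rather than committed, since the rest of this method (see the live `print(...)` calls in the next hunk) reports diagnostics with real statements. If the gadget dump is worth keeping, make it a single live line, e.g. `print(f"== Gadgets ==\n{self.__gadgets}\n=============")`, so it is either on or gone rather than silently dead. `__buildRopChain` continues beyond this hunk.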
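Review bot: The comment above the new `if dataAddr % 2 == 0:` says the offset makes addresses even, but `dataAddr += 1` on an even address produces an odd one, so the comment contradicts the code it describes; it should read something like `# Bump dataAddr to an odd value so its lowest byte can never be 0x00.` The adjustment only governs the lowest byte: a zero in any higher byte of `dataAddr` is not detected, and even addresses whose low byte is already nonzero are bumped too, so the comment should state that the guarantee is limited to the low byte rather than "any addresses". The added `print(f"dataAddr = 0x{dataAddr:08x}")` repeats the identical label printed two lines earlier with the pre-adjustment value, which makes the output ambiguous; labelling it, e.g. `print(f"dataAddr (adjusted) = 0x{dataAddr:08x}")`, or dropping the earlier print would fix that. `__buildRopChain` starts and ends outside this hunk.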