A better way to build a ROP chain.
Project description
ropinator
ROP gadget finder with constraint-based semantic search.
Finds gadgets in ELF, PE, Mach-O, and raw binaries across x86, ARM, MIPS, PowerPC, and RISC-V. Includes a Z3-backed symbolic execution engine for searching gadgets by behavior rather than text patterns.
Install
pip install ropinator
Requires Python 3.13+.
Usage
Find gadgets:
ropinator -f binary.elf
Set search depth (max instructions per gadget, default 3):
ropinator -f binary.elf -d 5
Custom base address:
ropinator -f binary.elf -b 0x400000
Export to file:
ropinator -f binary.elf -o gadgets.txt
Load previously exported gadgets:
ropinator -f binary.elf -g gadgets.txt --start-solver
Load gadgets without the original binary (requires --arch):
ropinator --arch x86_64 -g gadgets.txt --start-solver
Override architecture detection:
ropinator -f binary.raw --arch arm -b 0x10000
Expand all gadget addresses:
ropinator -f binary.elf -a
Constraint Solver
Launch the interactive solver to search gadgets by semantic behavior:
ropinator -f binary.elf --start-solver
Commands
| Command | Description |
|---|---|
| move [dst] [src] | Find register-to-register moves |
| const <dst> <value> | Find gadgets that load a constant |
| load <dst> <src> [offset] | Find memory read gadgets |
| show <index> | Inspect symbolic register state |
| export <file> | Export results to file |
| registers | List available registers |
Examples
rop> move rax rbx
Found 3 move gadget(s):
[0] 0x0000000000401000: rax <- rbx | mov rax, rbx ; ret
[1] 0x0000000000401020: rax <- rbx | push rbx ; pop rax ; ret
[2] 0x0000000000401040: rax <- rbx | xchg rax, rbx ; xchg rax, rbx ; mov rax, rbx ; ret
rop> const rax 0xdeadbeef
Found 1 constant-loading gadget(s):
[0] 0x0000000000401234: rax = 0xdeadbeef | pop rax ; ret
rop> load rax rbx 0x10
Found 2 load gadget(s):
[0] 0x0000000000402000: rax <- [rbx + 0x10] | mov rax, qword ptr [rbx + 0x10] ; ret
[1] 0x0000000000402030: rax <- [rbx + 0x10] | lea rcx, [rbx + 0x10] ; mov rax, qword ptr [rcx] ; ret
rop> show 0
Result [0]
Address: 0x0000000000401000
Instructions: mov rax, rbx ; ret
Move: rax <- rbx
Register state after execution:
rax = rbx
rbx = rbx (unchanged)
rcx = rcx (unchanged)
...
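A minimal sketch of why searching by behavior matches all three `move rax rbx` results above, where a text pattern such as "mov rax, rbx" matches only those containing that string. This is an added example, not ropinator's code: it tracks plain Python terms instead of using Z3, models only register operands, and the names `run_gadget`, `is_move` and `clobbered` are hypothetical.

```python
# Added illustration (not ropinator's engine): registers hold symbolic terms,
# so gadgets are compared by their effect. Memory operands are not modelled.
REGS = {"rax", "rbx", "rcx", "rdx", "rsi", "rdi"}

def run_gadget(text):
    """Return {register: symbolic term} for every register the gadget writes."""
    regs, pushed, slot = {}, [], 0
    read = lambda r: regs.get(r, f"init_{r}")   # untouched register = initial value
    for insn in (part.strip() for part in text.split(";")):
        op, _, rest = insn.partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest else []
        if any(a not in REGS for a in args):
            raise ValueError(f"unsupported operand in: {insn}")
        if op == "mov":
            regs[args[0]] = read(args[1])
        elif op == "xchg":
            a, b = args
            regs[a], regs[b] = read(b), read(a)
        elif op == "push":
            pushed.append(read(args[0]))
        elif op == "pop":
            if pushed:                           # value pushed earlier in this gadget
                regs[args[0]] = pushed.pop()
            else:                                # value comes from the existing stack
                regs[args[0]] = f"stack_{slot}"
                slot += 1
        elif op == "ret":
            break
        else:
            raise ValueError(f"unsupported instruction: {insn}")
    return regs

def is_move(text, dst, src):
    """True when dst ends up holding the initial value of src."""
    return run_gadget(text).get(dst, f"init_{dst}") == f"init_{src}"

def clobbered(text, dst):
    """Registers other than dst whose final value differs from their initial one."""
    return {r for r, v in run_gadget(text).items() if r != dst and v != f"init_{r}"}

# The three gadget strings from the solver output above.
PAGE_MOVE_GADGETS = [
    "mov rax, rbx ; ret",
    "push rbx ; pop rax ; ret",
    "xchg rax, rbx ; xchg rax, rbx ; mov rax, rbx ; ret",
]

if __name__ == "__main__":
    for g in PAGE_MOVE_GADGETS:
        print(f"{g!r}: move={is_move(g, 'rax', 'rbx')} clobbers={clobbered(g, 'rax')}")
```
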
Supported Formats
| Format | Description |
|---|---|
| ELF | Linux, BSD, embedded |
| PE | Windows executables and DLLs |
| Mach-O | macOS, iOS |
| Raw | Flat binaries (use with -b to set base address) |
Supported Architectures
Gadget finding: x86 (16/32/64-bit), ARM (32/64/Thumb), MIPS (32/64), PowerPC (32/64), RISC-V (32/64).
Constraint solver: x86-64. Other architectures planned.
Options
-f, --file FILE Binary to analyze (required unless --arch and -g are used)
-b, --base ADDR Override base address
-d, --depth N Max gadget depth (default: 3)
-a, --all Expand all gadget addresses
-o, --output FILE Export gadgets to file
-g, --gadgets-file FILE Load gadgets from exported file instead of searching
--arch ARCH Override architecture detection (see below)
--start-solver Launch constraint solver shell
Architecture names for --arch:
| Name | Aliases |
|---|---|
| x86_64 | x86-64, x64 |
| x86 | i386 |
| ARM64 | aarch64 |
| ARM32 | arm |
| ThumbBE | thumb-be |
| MIPS32 | mips |
| MIPS64 | |
| PowerPC32 | ppc, ppc32 |
| PowerPC64 | ppc64 |
| RISCV64 | riscv |
Dependencies
Installed automatically via pip:
- Capstone - disassembly engine
- Keystone - assembler engine (for gadget file loading)
- z3-solver - symbolic execution backend
- cmd2 - interactive shell framework
License
File details
Details for the file ropinator-0.1.0.tar.gz.
File metadata
- Download URL: ropinator-0.1.0.tar.gz
- Upload date:
- Size: 29.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.9.30
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | dc2622248d83ade5150efe8f1f78637b06e93510e291197fe9911bcd092bb941 |
| MD5 | 0952b39a07bfa9bf01b4d70293df2a2c |
| BLAKE2b-256 | 38f63a7d8874937fb651ecbf23dcd864b503ba34f1df34aed90b7cbfd553efc5 |
File details
Details for the file ropinator-0.1.0-py3-none-any.whl.
File metadata
- Download URL: ropinator-0.1.0-py3-none-any.whl
- Upload date:
- Size: 39.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.9.30
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4d1d1b09d57556fd0cfc5584cdef724d49b3f0dbd5bde9b23163591f30460f2c |
| MD5 | 73959d2e239faafb035ad5342ed5db8d |
| BLAKE2b-256 | 0937cd00c8748ffe4ce42817350fe164d2ba42659f63ab65755b81657162d84e |