Advanced OS Customizations & Bootloaders

Reverse Engineering Android Binaries for ROP Gadgets: The Ultimate Guide

By Antigravity Research Published May 30, 2026 ⏱️ 5 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to ROP Chains and Android Exploitation

Return-Oriented Programming (ROP) is a powerful exploit technique used to bypass modern exploit mitigations like Non-Executable (NX) memory, also known as Data Execution Prevention (DEP). On Android devices, which predominantly run on ARM architecture and Linux kernel, understanding ROP is crucial for advanced vulnerability research and exploit development. This guide will walk you through the process of reverse engineering Android binaries to discover ROP gadgets, essential building blocks for constructing ROP chains.

The primary goal of ROP is to gain arbitrary code execution without injecting executable code into memory. Instead, an attacker chains together small, existing instruction sequences (gadgets) found within the target binary or its loaded libraries. Each gadget typically ends with a return instruction, allowing the attacker to control the program’s execution flow by manipulating the stack with a sequence of gadget addresses.

Understanding Exploit Mitigations on Android/Linux

Before diving into gadget hunting, let’s briefly review the common exploit mitigations present on Android and Linux:

  • Non-Executable (NX) / Data Execution Prevention (DEP): Prevents code from being executed from data segments (stack, heap). ROP directly counters this by executing existing code.
  • Address Space Layout Randomization (ASLR): Randomizes the base addresses of executables, libraries, stack, and heap, making it harder to predict the location of functions or gadgets.
  • Position-Independent Executables (PIE): Similar to ASLR, but applied to the main executable, ensuring it’s loaded at a random base address. Many Android system binaries are PIE enabled.
  • Stack Canaries: A random value placed on the stack before a function’s local variables, checked before the function returns to detect stack buffer overflows.

Our focus here is on discovering ROP gadgets to bypass NX, with a consideration for how ASLR/PIE complicates gadget addresses.

Prerequisites and Tools

To follow along, you’ll need:

  • A rooted Android device or an Android Emulator (AVD) running a suitable architecture (e.g., ARM64).
  • adb (Android Debug Bridge) installed and configured.
  • Disassembler/Decompiler: IDA Pro or Ghidra (highly recommended).
  • Binary analysis tools: objdump, readelf (typically part of binutils).
  • ROP gadget finder: ROPgadget (Python tool).

Step-by-Step: Locating and Extracting Target Binaries

First, you need a target binary from an Android device. System binaries are good candidates as they are often statically linked or use common libraries where useful gadgets reside.

1. Connect to your Android device via ADB:

adb shell

2. Navigate to common binary directories:

ls -l /system/bin/ls -l /system/xbin/ls -l /vendor/bin/

3. Identify a target binary (e.g., /system/bin/cat) and pull it to your host machine:

exit # Exit adb shelladb pull /system/bin/cat .

Disassembling the Binary for Initial Inspection

Once you have the binary, inspect its characteristics.

1. Check architecture and file type:

file catcat: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /system/bin/linker64, BuildID[sha1]=..., stripped

This tells us it’s an ARM 64-bit (aarch64) shared object (PIE enabled) and stripped (no symbol information), which is common for system binaries.

2. Use objdump for a quick peek at instructions:

objdump -d cat | less

This command disassembles all sections. You’ll see ARM64 assembly instructions. Look for instruction sequences ending in a return equivalent (e.g., ret, ldr x30, [sp, #0x0]; add sp, sp, #0x8; ret on ARM64 which pops the link register `x30` and returns).

Deep Dive with Ghidra/IDA Pro

For serious gadget hunting, a disassembler/decompiler like Ghidra or IDA Pro is indispensable. We’ll use Ghidra as an example.

1. Load the binary into Ghidra:

Open Ghidra, create a new project, and import your cat binary. Let Ghidra perform its auto-analysis.

2. Navigate the Disassembly/Decompiler Views:

In the Listing view (disassembly), you can explore functions. ROP gadgets are often found at the end of functions or within their instruction streams, before a return instruction.

3. Manual Gadget Search:

The simplest type of ROP gadget is a single instruction followed by a return. For ARM64, a ret instruction typically corresponds to ldr x30, [sp, #0x0]; add sp, sp, #0x8; ret (or similar sequences that restore the link register and return). Search for these return instructions.

  • In Ghidra, go to Search -> For Instruction Pattern. You can search for the byte sequence of `ret` (e.g., `C0 03 5F D6` for `ret` on ARM64).
  • Once you find a `ret`, look at the instructions immediately preceding it.

Example ARM64 Gadgets:

  • pop x0, x1, x2, x30; ret; (hypothetical, used for illustration): Pops multiple registers and returns.
  • ldr x0, [sp]; add sp, sp, #0x8; ret;: Loads value from stack into x0, adjusts stack, returns.
  • mov x8, x0; ret;: Moves x0 into x8, returns. Useful for setting up syscall arguments.

Automated ROP Gadget Discovery with ROPgadget

Manual searching is tedious. `ROPgadget` automates this process efficiently.

1. Install ROPgadget:

pip install ropgadget

2. Run ROPgadget on your binary:

To find all gadgets ending in `ret` for an ARM64 binary:

ROPgadget --binary ./cat --arm64 --all

This will list numerous gadgets. To make it more practical for constructing chains, you might want to filter or generate a chain directly:

ROPgadget --binary ./cat --arm64 --ropchain --depth 5 --badbytes "00"
  • --arm64: Specifies ARM 64-bit architecture.
  • --all: Lists all found gadgets.
  • --ropchain: Attempts to build a `system(‘sh’)` ROP chain (useful for seeing common gadget sequences).
  • --depth 5: Limits the number of instructions in a gadget (e.g., 5 instructions before `ret`).
  • --badbytes "00": Excludes gadgets containing null bytes, which can terminate string copying.

Example Output (simplified for ARM64):

0x0000000000001234: pop {x0}; ret0x0000000000001238: pop {x1}; ret0x000000000000123c: mov x8, x0; ret0x0000000000001240: blr x0;

Note that addresses are relative offsets if the binary is PIE. When loaded, the actual address will be `base_address + offset`.

Building ROP Chains (Conceptual)

The goal of a typical ROP chain is to call a function, often `system(

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #ARM Assembly #Exploit Development #Reverse Engineering #ROP

Related Technical Guides

Automated Android Network Diagnostics: A BPF Scripting Masterclass

May 30, 2026

GRUB Hacks: Unlocking Hidden Boot Options for Your Android Dual-Boot System

May 29, 2026

Deep Dive: Android Initramfs Structure & Loading Custom Kernel Modules for Peripheral Devices

May 29, 2026