skip to content
HexPharoah
Hexpharoah

[+] Basic Operation Program & Return-Oriented Program

/ 7 min read

View more blogs with the tag binary-exploitation , View more blogs with the tag bop , View more blogs with the tag rop
Table of Contents

Understanding BOP and ROP in Modern Exploitation

Modern software uses strong protections like DEP, ASLR, stack canaries, and code signing. These defenses reduce the chances of classic buffer overflow attacks where an attacker injects and executes their own shellcode. However, attackers evolved beyond injection. Today, code reuse attacks dominate, using techniques such as Return-Oriented Programming (ROP) and Basic Operation Programming (BOP). These methods allow attackers to construct malicious logic on top of instructions that already exist inside a binary.

This article explains how ROP and BOP work, why they bypass modern protections, and why code reuse remains one of the most critical concepts in reverse engineering and exploit development.

Return-Oriented Programming (ROP)

Return-Oriented Programming is a technique where an attacker chains together small snippets of code already present in a binary or linked libraries. These snippets are called gadgets, and almost all end with a ret instruction. A simple gadget may set a register, move data, perform arithmetic, or trigger system calls. On their own, gadgets are harmless. But when chained using overwritten return addresses, they form a complete malicious program that executes under the victim’s privileges.

ROP relies heavily on stack manipulation. If an attacker can overwrite the saved return pointer—usually through a buffer overflow, they redirect execution into the first gadget. The ret instruction loads the next address from the stack, so chaining becomes as simple as placing gadget addresses in the correct order. This approach bypasses DEP because no injected shellcode is executed; only existing instructions run.

ROP gadgets functioning

A typical gadget is only a few bytes long. For example:

pop rdi
ret

This gadget sets the RDI register, often the first argument to a function on x86-64. Another gadget might be:

xor eax, eax
ret

By combining such gadgets, attackers can perform complex tasks such as preparing system call arguments, setting registers, manipulating memory, and finally invoking functions like execve("/bin/sh"). Even though each gadget does very little, the chain becomes a Turing-complete structure capable of arbitrary logic.

What Makes ROP Effective

ROP succeeds because modern binaries and libraries contain thousands of possible gadgets. Compilers generate code sequences that unintentionally become gadget instructions. Libraries like libc, kernel interfaces, or graphics libraries give attackers a rich playground. Even without injecting shellcode, ROP chains are sufficient to spawn shells, steal data, or escalate privileges. This makes ROP a powerful and popular attack technique in exploit development and reverse engineering.

Stack Alignment

A small issue you may get when pwning on 64-bit systems is that your exploit works perfectly locally but fails remotely or even fails when you try to use the provided LIBC version rather than your local one. This arises due to something called stack alignment.

Essentially the x86-64 ABI (application binary interface) guarantees 16-byte alignment on a call instruction. LIBC takes advantage of this and uses SSE data transfer instructions to optimise execution; system in particular utilises instructions such as movaps.

That means that if the stack is not 16-byte aligned, that is, RSP is not a multiple of 16, the ROP chain will fail on system.

The fix is simple ; in your ROP chain, before the call to system, place a singular ret gadget:

ret = elf.address + 0x2439


[...]
rop.raw(POP_RDI)
rop.raw(0x4)        # first parameter
rop.raw(ret)        # align the stack
rop.raw(system)

This works because it will cause RSP to be popped an additional time, pushing it forward by 8 bytes and aligning it.

Basic Operation Programming (BOP)

Basic Operation Programming extends the concept of ROP by not limiting itself to gadgets ending in ret. Instead, attackers chain basic blocks, which are groups of instructions that execute sequentially until a branch instruction is encountered. A basic block might end in a conditional jump, an unconditional jump, an indirect call, or any control-transfer instruction.

With BOP, attackers are free to reuse a broader set of code fragments. This is especially useful when ROP gadgets are limited or when modern defenses reduce ret-based gadget availability. BOP was designed to bypass advanced protections such as Control Flow Integrity (CFI). CFI attempts to restrict which blocks of code can legally branch to others. BOP works around it by finding valid transitions within allowed control-flow paths.

ROP Vs BOP

  • ROP uses ret-based gadgets, while BOP uses any basic block.

  • ROP chains rely on the stack, but BOP can rely on indirect jumps or expected control paths.

  • BOP is more flexible and is effective even when systems enforce strict control-flow rules.

  • Both are code-reuse attacks, but BOP applies to environments where ROP alone is not enough.

While ROP is widely known in exploit development, BOP represents the next stage in bypassing modern defenses.

An Attcker building ROP Chain

A ROP attack typically follows:

  • Find a memory corruption bug such as buffer overflow, format string vulnerability, or heap misuse.

  • Control the return address on the stack by overwriting it.

  • Locate gadgets inside the binary or linked libraries using tools.

  • Craft a gadget chain that performs register setup, data movement, and finally triggers a syscall.

  • Execute the payload by redirecting execution into the first gadget.

A classical example is chaining asm pop rdi; ret, asm pop rsi; ret, asm pop rdx; ret, followed by a call to execve@plt to spawn a shell.

BOP Chain Construction

BOP requires the attacker to understand the binary’s control-flow graph. They identify basic blocks that perform useful operations, such as arithmetic, moves, or function calls and chain them using valid control-flow transitions. BOP chains may rely on:

  • virtual function tables in C++ programs

  • indirect jumps controlled through attacker-influenced values

  • exception handlers

  • computed branches

This makes BOP much harder to detect and prevent compared to traditional ret-based ROP chains.

Using Tools To Research ROP and BOP

  • Ghidra for reverse engineering and CFG visualization

  • IDA Free and Binary Ninja for static analysis

  • radare2 / Cutter for open-source reversing

  • ROPgadget, Ropper, and mrop for finding gadgets

  • pwntools for exploit development

  • Angr for symbolic execution

These tools are essential for locating gadgets, enumerating basic blocks, and constructing exploit chains.

BOP and ROP show that attackers don’t always need to write new code. They can take what already exists in a program and creatively combine it to perform powerful attacks.

If you’re learning reverse engineering or exploit development, understanding these two concepts gives you a big advantage. They also teach you how programs behave at a low level, how memory is structured, and how modern protections can still be bypassed with clever techniques.

Mastering ROP and BOP is a strong step toward becoming a skilled cybersecurity professional.

Until Next -- Tata Bye Bye!!
jaswanth