🔗 ROP Chain Calculator v1.0

Created by Mohammad Hussam Alzeyyat
📚 Documentation


Precise x86 instruction size analysis for exploit development

🚧 Roadmap & Upcoming Features

🎯 Coming Soon

  • 🔥 Full x64 Support - Complete 64-bit instruction database with REX prefixes
  • 💪 ARM Architecture - ARMv7/ARMv8 instruction analysis for mobile/embedded exploitation
  • 🌐 MIPS Support - Router and embedded device instruction sizing
  • ⚡ RISC-V Support - Next-generation IoT and embedded systems

🎯 What is this?

A web-based calculator that provides exact instruction sizes for x86 assembly instructions, designed specifically for exploit developers working with ROP (Return-Oriented Programming) chains.

🔍 Why Precision Matters

In exploit development, every byte counts:

  • Buffer overflow constraints require exact payload sizes
  • Shellcode optimization needs minimal instruction footprints
  • ROP chain construction demands precise stack calculations
  • Badchar avoidance relies on accurate size estimations

🚀 Features

📊 Single Gadget Analysis

Calculate individual instruction sizes with real x86 encoding precision:

mov eax, 0 ; 5 bytes (B8 00 00 00 00)
xor eax, eax ; 2 bytes (31 C0) - Better!
pop eax ; 1 byte (58)

🔗 ROP Chain Analysis

Analyze complete chains with automatic gadget grouping:

pop eax ; ret ; 2 bytes (offset: +0)
neg eax ; ret ; 2 bytes (offset: +2)
xchg eax, ebp ; ret ; 2 bytes (offset: +4)

🎯 Accurate Encoding Database

  • 1000+ instruction patterns with exact byte sizes
  • Real x86 opcode mappings (not conservative estimates)
  • ModR/M byte calculations for memory operations
  • Immediate value handling for different data sizes

🎮 Usage Examples

Basic Instruction Analysis

# Input
pop eax ; ret

# Output
Instructions Analysis: pop eax ; ret (2 bytes)
Total Instruction Size: 2 bytes

Complex ROP Chain

# Input
pop eax ; ret
neg eax ; ret
mov eax, [eax] ; ret
add eax, ebp ; ret

# Output
Gadget #1: pop eax ; ret (2 bytes, offset: +0)
Gadget #2: neg eax ; ret (2 bytes, offset: +2)
Gadget #3: mov eax, [eax] ; ret (3 bytes, offset: +4)
Gadget #4: add eax, ebp ; ret (3 bytes, offset: +7)
Total Size: 10 bytes

🛠️ Technical Details

Supported Architectures

  • x86 (32-bit) - Complete instruction database
  • x64 (64-bit) - Core instruction support

Instruction Categories

  • Single-byte: ret, nop, push eax, pop eax, inc eax, etc.
  • Two-byte: Register operations, memory moves, arithmetic
  • Multi-byte: Immediate values, displacement addressing
  • Special: retn 0x04, conditional jumps, calls

Encoding Accuracy

Based on Intel x86 instruction encoding format:

[Prefixes] [Opcode] [ModR/M] [SIB] [Displacement] [Immediate]
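The layout above fixes an instruction's length once the opcode and the ModR/M byte are known. As an added example (not the calculator's own code or database), the following Python decoder walks raw bytes through that layout for a small constructed opcode table, assuming 32-bit addressing with no 0x67 address-size prefix; `OPCODES`, `SAMPLE`, `modrm_tail`, `insn_length` and `gadget_sizes` are names introduced here.

```python
PREFIXES = {0x66, 0xF0, 0xF2, 0xF3, 0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65}
# opcode -> (has ModR/M byte, immediate size in bytes); constructed subset, an assumption
OPCODES = {
    0x01: (True, 0),   # add r/m32, r32
    0x31: (True, 0),   # xor r/m32, r32
    0x8B: (True, 0),   # mov r32, r/m32
    0xC2: (False, 2),  # retn imm16
    0xC3: (False, 0),  # ret
}
OPCODES.update({op: (False, 0) for op in range(0x50, 0x60)})  # push/pop r32
OPCODES.update({op: (False, 0) for op in range(0x91, 0x98)})  # xchg eax, r32
OPCODES.update({op: (False, 4) for op in range(0xB8, 0xC0)})  # mov r32, imm32
SAMPLE = bytes.fromhex("58 C3 8B442404 C20400")  # constructed: pop eax ; ret ; mov eax,[esp+4] ; retn 0x04

def modrm_tail(code, i):
    """Size of ModR/M + optional SIB + displacement at code[i] (32-bit addressing)."""
    mod, rm = code[i] >> 6, code[i] & 7
    if mod == 3:
        return 1                                  # register operand
    size = 1 + (0, 1, 4)[mod]                     # mod=01: disp8, mod=10: disp32
    if rm == 4:                                   # rm=100: SIB byte follows
        size += 1
        if mod == 0 and (code[i + 1] & 7) == 5:   # SIB base=101 with mod=00: disp32
            size += 4
    elif mod == 0 and rm == 5:                    # [disp32], no base register
        size += 4
    return size

def insn_length(code, i=0):
    """Length in bytes of the instruction starting at code[i]."""
    start, opsize16 = i, False
    try:
        while code[i] in PREFIXES:
            opsize16 |= code[i] == 0x66           # operand-size override prefix
            i += 1
        has_modrm, imm = OPCODES[code[i]]
        i += 1 + (modrm_tail(code, i + 1) if has_modrm else 0)
    except (IndexError, KeyError):
        raise ValueError(f"truncated or unsupported bytes at offset {start}") from None
    i += 2 if (imm == 4 and opsize16) else imm    # 0x66 shrinks imm32 to imm16
    if i > len(code):
        raise ValueError(f"truncated instruction at offset {start}")
    return i - start

def gadget_sizes(code):
    """Return (offset, length) for each instruction in a byte string."""
    out, i = [], 0
    while i < len(code):
        out.append((i, insn_length(code, i)))
        i += out[-1][1]
    return out
```

Bytes outside the table raise `ValueError` rather than being given a guessed size.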

🎓 Educational Use

Perfect for:

  • 🎯 OSED Certification prep (EXP-301)
  • 🛡️ Exploit Development training
  • 🔬 Security Research and analysis
  • 📚 Assembly Programming education
  • 🧩 Reverse Engineering practice

🤝 Reporting Issues

Please include:

  • The exact instruction that's wrong
  • Expected vs actual size
  • Reference documentation (Intel manual page)
  • Contact me: LinkedIn Profile

Made with ❤️ for the exploit development community
