Illegal pop instruction output in arm32

When I was doing a ctf chall lately, I tried to run ROPgadget with the following command `ROPgadget --binary sp33d5 --only "pop|ret"|grep r0`.    
The output is as below

<img width="476" alt="Image" src="https://github.com/user-attachments/assets/804ccbd3-da13-4513-b9f3-3fabf22045a1" />

The output contains pop instructions that pops the sp register, but these instructions are invalid, according to [this documentation](https://developer.arm.com/documentation/dui0489/e/arm-and-thumb-instructions/memory-access-instructions/push-and-pop), which states that "ARM POP instructions cannot have SP but can have PC in the reglist".   

When such a gadget is used in a ropchain, the system will give an error of "illegal instruction" and result in sending a sigkill signal.    

Thanks in advance for looking into this. Please let me know if I can provide any additional information or assist with fixing this issue.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Illegal pop instruction output in arm32 #211

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Illegal pop instruction output in arm32 #211

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions