def fmtoff(clx, args):
fmtstr_addr = int(args[0], 16)
if proc.is_64():
sp = info.reg('rsp')
offset = hex((int)((fmtstr_addr - sp) / 8) + 6)
print("<amd64> fmtstr offset --> " + offset)
elif proc.is_32():
sp = info.reg('esp')
offset = hex((int)((fmtstr_addr - sp) / 4))
print("<i386> fmtstr offset --> " + offset)
def st(clx, args):
top = args[0]
ip = 'rip'
if proc.is_32():
ip = 'eip'
while (1):
exec_cmd.execute('si')
addr = info.reg(ip)
cop = info.opcode(addr)
if top == cop:
break
return gdb.execute('context')
def rejmp(clx, args):
ip = 0
if proc.is_64():
ip = info.reg('rip')
elif proc.is_32():
ip = info.reg('eip')
opcode = info.opcode(ip)
def is_jump():
jump_opcode = [
'jmp', 'je', 'jne'
'jg', 'jge', 'ja', 'jae', 'jl', 'jle', 'jb', 'jbe', 'jo',
'jno', 'jz', 'jnz'
]
if opcode in jump_opcode:
return True
return False
if is_jump():
EFLAGS_CF = 1 << 0
EFLAGS_PF = 1 << 2
EFLAGS_AF = 1 << 4
EFLAGS_ZF = 1 << 6
EFLAGS_SF = 1 << 7
EFLAGS_TF = 1 << 8
EFLAGS_IF = 1 << 9
EFLAGS_DF = 1 << 10
EFLAGS_OF = 1 << 11
def parse_eflags():
eflags = {
"CF": 0,
"PF": 0,
"AF": 0,
"ZF": 0,
"SF": 0,
"TF": 0,
"IF": 0,
"DF": 0,
"OF": 0
}
eflags_value = info.reg('eflags')
eflags["CF"] = bool(eflags_value & EFLAGS_CF)
eflags["PF"] = bool(eflags_value & EFLAGS_PF)
eflags["AF"] = bool(eflags_value & EFLAGS_AF)
eflags["ZF"] = bool(eflags_value & EFLAGS_ZF)
eflags["SF"] = bool(eflags_value & EFLAGS_SF)
eflags["TF"] = bool(eflags_value & EFLAGS_TF)
eflags["IF"] = bool(eflags_value & EFLAGS_IF)
eflags["DF"] = bool(eflags_value & EFLAGS_DF)
eflags["OF"] = bool(eflags_value & EFLAGS_OF)
return (eflags, eflags_value)
(eflags, eflags_value) = parse_eflags()
def jump_taken():
if opcode == "jmp":
return True
if opcode == "je" and eflags["ZF"]:
return True
if opcode == "jne" and not eflags["ZF"]:
return True
if opcode == "jg" and not eflags["ZF"] and (eflags["SF"]
== eflags["OF"]):
return True
if opcode == "jge" and (eflags["SF"] == eflags["OF"]):
return True
if opcode == "ja" and not eflags["CF"] and not eflags["ZF"]:
return True
if opcode == "jae" and not eflags["CF"]:
return True
if opcode == "jl" and (eflags["SF"] != eflags["OF"]):
return True
if opcode == "jle" and (eflags["ZF"] or
(eflags["SF"] != eflags["OF"])):
return True
if opcode == "jb" and eflags["CF"]:
return True
if opcode == "jbe" and (eflags["CF"] or eflags["ZF"]):
return True
if opcode == "jo" and eflags["OF"]:
return True
if opcode == "jno" and not eflags["OF"]:
return True
if opcode == "jz" and eflags["ZF"]:
return True
if opcode == "jnz" and eflags["OF"]:
return True
return False
if jump_taken():
def reverse_taken():
"""
change jump to not jump
"""
if opcode == 'je':
new_eflags_value = eflags_value & (~EFLAGS_ZF)
elif opcode == 'jne':
new_eflags_value = eflags_value | EFLAGS_ZF
elif opcode == 'jg':
new_eflags_value = ((eflags_value | EFLAGS_ZF)
| EFLAGS_SF) & (~EFLAGS_OF)
elif opcode == 'jge':
new_eflags_value = eflags_value | EFLAGS_SF & (
~EFLAGS_OF)
elif opcode == 'ja':
new_eflags_value = eflags_value | EFLAGS_CF | EFLAGS_ZF
elif opcode == 'jae':
new_eflags_value = eflags_value | EFLAGS_CF
elif opcode == 'jl':
new_eflags_value = eflags_value | EFLAGS_SF | EFLAGS_OF
elif opcode == 'jle':
new_eflags_value = (
eflags_value & ~EFLAGS_ZF) | EFLAGS_SF | EFLAGS_OF
elif opcode == 'jb':
new_eflags_value = eflags_value & (~EFLAGS_CF)
elif opcode == 'jbe':
new_eflags_value = (eflags_value &
(~EFLAGS_CF)) & (~EFLAGS_ZF)
elif opcode == 'jo':
new_eflags_value = eflags_value & (~EFLAGS_OF)
elif opcode == 'jno':
new_eflags_value = eflags_value | EFLAGS_OF
elif opcode == 'jz':
new_eflags_value = eflags_value & (~EFLAGS_ZF)
elif opcode == 'jnz':
new_eflags_value = eflags_value & (~EFLAGS_OF)
else:
print("error: no matach condition jump ins")
return
gdb.execute('set $eflags={}'.format(hex(new_eflags_value)))
reverse_taken()
else:
def reverse_not_taken():
"""
change not jump to jump
"""
if opcode == 'je':
new_eflags_value = eflags_value | EFLAGS_ZF
elif opcode == 'jne':
new_eflags_value = eflags_value & (~EFLAGS_ZF)
elif opcode == 'jg':
new_eflags_value = (
eflags_value &
(~EFLAGS_ZF)) | EFLAGS_SF | EFLAGS_OF
elif opcode == 'jge':
new_eflags_value = eflags_value | EFLAGS_SF | EFLAGS_OF
elif opcode == 'ja':
new_eflags_value = (eflags_value &
(~EFLAGS_CF)) & (~EFLAGS_ZF)
elif opcode == 'jae':
new_eflags_value = eflags_value & (~EFLAGS_CF)
elif opcode == 'jl':
new_eflags_value = (eflags_value
| EFLAGS_SF) & (~EFLAGS_OF)
elif opcode == 'jle':
new_eflags_value = eflags_value | EFLAGS_ZF
elif opcode == 'jb':
new_eflags_value = eflags_value | EFLAGS_CF
elif opcode == 'jbe':
new_eflags_value = eflags_value | EFLAGS_CF
elif opcode == 'jo':
new_eflags_value = eflags_value | EFLAGS_OF
elif opcode == 'jno':
new_eflags_value = eflags_value & (~EFLAGS_OF)
elif opcode == 'jz':
new_eflags_value = eflags_value | EFLAGS_ZF
elif opcode == 'jnz':
new_eflags_value = eflags_value | EFLAGS_OF
else:
print("error: no matach condition jump ins")
return
gdb.execute('set $eflags={}'.format(hex(new_eflags_value)))
reverse_not_taken()
def nfile(clx, args):
cap = 8
length = 0x40
arch = 'amd64'
if proc.is_32():
cap = 4
length = 0x28
arch = 'i386'
clx.nflag(args)
addr = int(args[0], 16)
def getvalue(key, arch=arch, addr=addr):
return info.value(addr + clx._IO_FILE_PLUS[arch].get(key))
def buf():
print(parse.color("[_IO_FILE->Buffer]:", 'green'))
buf_base = getvalue('_IO_buf_base')
buf_end = getvalue('_IO_buf_end')
print(
parse.color(
'[6]' + '_IO_buf_base'.rjust(20, ' ') + ' --> ' +
hex(buf_base), 'yellow'))
print(
parse.color(
'[7]' + '_IO_buf_end'.rjust(20, ' ') + ' --> ' +
hex(buf_end), 'yellow'))
if buf_base == buf_end:
print(
parse.color('\tBase == End: Buffer not malloced', 'white'))
print(parse.color("=========================", 'cyan'))
def read_buf():
print(parse.color("[_IO_FILE->Read]:", 'green'))
read_base = getvalue('_IO_read_base')
read_end = getvalue('_IO_read_end')
read_ptr = getvalue('_IO_read_ptr')
print(
parse.color(
'[2]' + '_IO_read_base'.rjust(20, ' ') + ' --> ' +
hex(read_base), 'blue'))
print(
parse.color(
'[1]' + '_IO_read_end'.rjust(20, ' ') + ' --> ' +
hex(read_end), 'blue'))
print(
parse.color(
'[0]' + '_IO_read_ptr'.rjust(20, ' ') + ' --> ' +
hex(read_ptr), 'blue'))
if read_base == read_end:
print(
parse.color('\tBase == End: Read Buffer not used',
'white'))
else:
if read_ptr < read_end:
print(
parse.color('\tPtr < End: Read Buffer have space left',
'white'))
elif read_ptr == read_end:
print(
parse.color('\tPtr == End: Read Buffer empty or full',
'white'))
print(parse.color("=========================", 'cyan'))
def write_buf():
print(parse.color("[_IO_FILE->Write]:", 'green'))
write_base = getvalue('_IO_write_base')
write_end = getvalue('_IO_write_end')
write_ptr = getvalue('_IO_write_ptr')
print(
parse.color(
'[3]' + '_IO_write_base'.rjust(20, ' ') + ' --> ' +
hex(write_base), 'blue'))
print(
parse.color(
'[5]' + "_IO_write_end".rjust(20, ' ') + ' --> ' +
hex(write_end), 'blue'))
print(
parse.color(
'[4]' + '_IO_write_ptr'.rjust(20, ' ') + ' --> ' +
hex(write_ptr), 'blue'))
if write_base == write_end:
print(
parse.color('\tBase == End: Write Buffer not used',
'white'))
else:
if write_ptr < write_end:
print(
parse.color(
'\tPtr < End: Write Buffer have space left',
'white'))
elif write_ptr == write_end:
print(
parse.color('\tPtr == End: Write Buffer empty or full',
'white'))
print(parse.color("=========================", 'cyan'))
buf()
read_buf()
write_buf()