def nuntil(self, *arg):
"""
Execute nexti until regex
Usage:
MYNAME regex callonlyflag=False
"""
(regex, callonlyflag) = utils.normalize_argv(arg, 2)
regex = str(regex)
r = re.compile(regex)
arch = e.getarch()
ctx = config.Option.get("context")
config.Option.set("context", "code")
if callonlyflag == True or callonlyflag == "True":
cmd = c.nextcall
else:
cmd = c.next
c.next()
while True:
(addr, code) = e.current_inst(e.getreg("pc"))
regexed_code = r.findall(code)
if len(regexed_code) > 0:
config.Option.set("context", ctx)
gdb.execute("context")
break
else:
cmd()
def brk(self, *arg):
"""
Set break point
Usage:
MYNAME symbol
"""
(sym, ) = utils.normalize_argv(arg, 1)
e.set_breakpoint(sym)
def nextcalluntil(self, *arg):
"""
Execute nextcall until regex
Usage:
MYNAME regex
"""
(regex, ) = utils.normalize_argv(arg, 1)
regex = str(regex)
c.nuntil(regex, True)
def suntilxor(self, *arg):
"""
Execute nexti until jmp-cmds
Usage:
MYNAME depth=1
"""
(depth, ) = utils.normalize_argv(arg, 1)
depth = utils.to_int(depth)
if depth == None:
depth = 1
c.suntil("xor", depth)
def contextmode(self, *arg):
"""
Set context options
Usage:
MYNAME options
"""
(opt, ) = utils.normalize_argv(arg, 1)
print(opt)
if opt == None:
return
config.Option.set("context", opt)
def stepi(self, *arg):
"""
Nexti n times
Usage:
MYNAME [n]
"""
(n, ) = utils.normalize_argv(arg, 1)
if n == None:
n = 1
gdb.execute("stepi " + str(n))
def infox(self, *arg):
"""
Customized xinfo command from https://github.com/longld/peda
Usage:
MYNAME address
MYNAME register [reg1 reg2]
"""
(address, regname) = utils.normalize_argv(arg, 2)
if address is None:
self._missing_argument()
text = ""
#if not self._is_running():
if False:
return
def get_reg_text(r, v):
text = green("%s" % r.upper().ljust(3), "bold") + ": "
chain = e.examine_mem_reference(v)
text += utils.format_reference_chain(chain)
text += "\n"
return text
(arch, bits) = e.getarch()
if str(address).startswith("r"):
# Register
regs = e.getregs(" ".join(arg[1:]))
if regname is None:
for r in REGISTERS[bits]:
if r in regs:
text += get_reg_text(r, regs[r])
else:
for (r, v) in sorted(regs.items()):
text += get_reg_text(r, v)
if text:
utils.msg(text.strip())
if regname is None or "eflags" in regname:
self.eflags()
return
elif utils.to_int(address) is None:
warning_utils.msg("not a register nor an address")
else:
# Address
chain = e.examine_mem_reference(address)
#text += '\n'
#text += 'info: '
text += utils.format_reference_chain(chain) # + "\n"
vmrange = e.get_vmrange(address)
if vmrange:
(start, end, perm, name) = vmrange
utils.msg(text)
return
def stepcalluntil(self, *arg):
"""
Execute stepcall until regex
Usage:
MYNAME regex depth=1
"""
(regex, depth) = utils.normalize_argv(arg, 2)
regex = str(regex)
depth = utils.to_int(depth)
if depth == None:
depth = 1
c.suntil(regex, depth, True)
def afterpc(self, *arg):
"""
Show n instructions after pc
Usage:
MYNAME n
"""
arch = e.getarch()
(expr, ) = utils.normalize_argv(arg,1)
expr = str(expr)
n = gdb.parse_and_eval(expr)
if arch[1] == 64:
ip = "$rip"
else:
ip = "$eip"
e.execute('pdisas %s /%s' % (ip, n))
def afteraddr(self, *arg):
"""
Show n instructions after given addr
Usage:
MYNAME addr n
"""
arch = e.getarch()
(addr, expr) = utils.normalize_argv(arg,2)
expr = str(expr)
n = gdb.parse_and_eval(expr)
n = utils.to_int(n)
if arch[1] == 64:
ip = e.getreg("rip")
else:
ip = e.getreg("eip")
e.execute('pdisas %s /%s' % (addr, n))
def suntil(self, *arg):
"""
Execute stepi until regex
Usage:
MYNAME regex depth=1 callonlyflag=False
"""
(regex, depth, callonlyflag) = utils.normalize_argv(arg, 3)
regex = str(regex)
depth = utils.to_int(depth)
r = re.compile(regex)
r_call = re.compile("call")
r_ret = re.compile("ret")
if depth == None:
depth = 1
now_depth = 0
if callonlyflag == True or callonlyflag == "True":
cmd = c.nextcall
else:
cmd = c.next
next_when_call = c.next
step_when_call = c.step
arch = e.getarch()
ctx = config.Option.get("context")
config.Option.set("context", "code")
c.step()
while True:
(addr, code) = e.current_inst(e.getreg("pc"))
regexed_code = r.findall(code)
if len(regexed_code) > 0:
config.Option.set("context", ctx)
gdb.execute("context")
break
else:
call_code = r_call.findall(code)
ret_code = r_ret.findall(code)
if len(call_code) > 0:
if now_depth < depth:
c.step()
now_depth = now_depth + 1
continue
elif len(ret_code) > 0:
if now_depth <= depth:
now_depth = now_depth - 1
c.next()
continue
cmd()
def grp(self, *arg):
"""
Grep command-output
Usage:
MYNAME command regexp
"""
try:
(cmd, regex) = utils.normalize_argv(arg, 2)
cmd = str(cmd)
regex = str(regex)
output = gdb.execute(cmd, to_string=True)
regexed = re.findall(regex, output)
for line in regexed:
print(line)
except Exception as e:
utils.msg("Exception in grp(%s, %s): %s" % (repr(cmd), repr(regex), e), "red")
traceback.print_exc()
return False
def beforepc(self, *arg):
"""
Show n instructions before pc
Usage:
MYNAME n
"""
arch = e.getarch()
(expr, ) = utils.normalize_argv(arg,1)
expr = str(expr)
n = gdb.parse_and_eval(expr)
n = utils.to_int(n)
if arch[1] == 64:
ip = e.getreg("rip")
else:
ip = e.getreg("eip")
if n == 1:
e.execute('pdisas %s /%s' % (ip, n))
else:
addr = e.prev_inst(ip, n)[1][0]
e.execute('pdisas %s /%s' % (addr, n))
def beforeaddr(self, *arg):
"""
Show n instructions after given addr
Usage:
MYNAME addr n
"""
arch = pd.getarch()
(addr, expr) = utils.normalize_argv(arg, 2)
expr = str(expr)
n = gdb.parse_and_eval(expr)
n = utils.to_int(n)
if arch[1] == 64:
ip = pd.getreg("rip")
else:
ip = pd.getreg("eip")
if n == 1:
pd.execute('pdisas %s /%s' % (ip, n))
else:
addr = pd.prev_inst(ip, n)[1][0]
pd.execute('pdisas %s /%s' % (addr, n))
def patch(self, *arg):
(addr, value, size) = utils.normalize_argv(arg, 3)
if type(value) == str:
c.patch(addr, value)
elif type(value) == list:
for (i, x) in enumerate(value):
c.patch(addr+i, x)
elif type(value) == int:
if size == None:
print("Please specify size.")
return False
bytes_list = int2bins(value)
length = len(bytes_list)
if size < length:
print("ERROR: invalid size")
return False
n = size - length
for i in range(n):
c.patch(addr+i, 0)
for (i, x) in enumerate(bytes_list):
c.patch(addr+i, bytes_list[i])
return True
def parseheap(self, *arg):
"""
Customized parseheap command from https://github.com/scwuaptx/Pwngdb
"""
(arena, ) = utils.normalize_argv(arg, 1)
if capsize == 0 :
arch = getarch()
if not get_heap_info(arena):
print("Can't find heap info")
return
if (main_arena and not enable_thread) or thread_arena == main_arena :
heapbase = int(gdb.execute("x/" + word + " &mp_.sbrk_base",to_string=True).split(":")[1].strip(),16)
else :
print("Can't find heap")
chunkaddr = heapbase
addr_str = yellow("addr", "bold")
prev_str = yellow("prev", "bold")
size_str = yellow("size", "bold")+yellow("|")+red("NM", "bold")+yellow("|")+green("IM", "bold")+yellow("|")+blue("PI", "bold")+yellow("|")
fd_str = yellow("fd", "bold")
bk_str = yellow("bk", "bold")
NM = red("NM", "bold")
IM = green("IM", "bold")
PI = blue("PI", "bold")
print('{:<32}{:<31}{:<114}{:<30}{:<28}'.format(addr_str, prev_str, size_str, fd_str, bk_str))
while chunkaddr != top["addr"] :
try :
cmd = "x/" + word + hex(chunkaddr)
prev_size = int(gdb.execute(cmd,to_string=True).split(":")[1].strip(),16)
cmd = "x/" + word + hex(chunkaddr + capsize*1)
size = int(gdb.execute(cmd,to_string=True).split(":")[1].strip(),16)
cmd = "x/" + word + hex(chunkaddr + capsize*2)
fd = int(gdb.execute(cmd,to_string=True).split(":")[1].strip(),16)
cmd = "x/" + word + hex(chunkaddr + capsize*3)
bk = int(gdb.execute(cmd,to_string=True).split(":")[1].strip(),16)
cmd = "x/" + word + hex(chunkaddr + (size & 0xfffffffffffffff8) + capsize)
nextsize = int(gdb.execute(cmd,to_string=True).split(":")[1].strip(),16)
status = nextsize & 1
NM = str(size & 4)
if(NM == "0"):
NM = red("0", "bold")
else:
NM = red("1", "bold")
IM = str(size & 2)
if(IM == "0"):
IM = green("0", "bold")
else:
IM = green("1", "bold")
PI = str(size & 1)
if(PI == "0"):
PI = blue("0", "bold")
else:
PI = blue("1", "bold")
bits = yellow("|") + NM + yellow("|") + IM + yellow("|") + PI + yellow("|")
size = size & 0xfffffffffffffff8
if size == 0 :
print("\033[31mCorrupt ?! \033[0m(size == 0) (0x%x)" % chunkaddr)
break
if status :
if chunkaddr in fastchunk :
msg = "\033[1;34m Freed \033[0m"
chunkaddr_str = blue(hex(chunkaddr))
print('{:<30}0x{:<17x}{:<102}{:<18}{:<18}'.format(chunkaddr_str, prev_size, hex(size)+bits, hex(fd), "None"))
else :
msg = "\033[31m Used \033[0m"
chunkaddr_str = green(hex(chunkaddr), "bold")
print('{:<32}0x{:<17x}{:<102}{:<18}{:<18}'.format(chunkaddr_str, prev_size, hex(size)+bits, "None", "None"))
else :
if chunkaddr in fastchunk:
msg = "\033[1;34m Freed \033[0m"
chunkaddr_str = blue(hex(chunkaddr))
print('{:<30}0x{:<17x}{:<102}{:<18}{:<18}'.format(chunkaddr_str, prev_size, hex(size)+bits, hex(fd), hex(bk)))
else:
msg = "\033[1;34m Freed \033[0m"
chunkaddr_str = blue(hex(chunkaddr), "bold")
print('{:<32}0x{:<17x}{:<102}{:<18}{:<18}'.format(chunkaddr_str, prev_size, hex(size)+bits, hex(fd), hex(bk)))
chunkaddr = chunkaddr + (size & 0xfffffffffffffff8)
if chunkaddr > top["addr"] :
print("\033[31mCorrupt ?!\033[0m")
break
except :
print("Corrupt ?!")
break
def parse(self, argv):
"""Parse a set of arguments for this command."""
argv = utils.normalize_argv(argv)
argv = self._parse_options(argv)
argv = self._parse_arguments(argv)
self._parse_command(argv)
