def nx(clx, args):
proc_base = 0
if proc.is_pie():
proc_base = proc.proc_base()
nfu = None
addr = None
bit_cmd = 'wx'
if proc.is_64():
bit_cmd = 'gx'
if len(args) >= 2:
if '/' not in args[0]:
# nx offset length
nfu = '/' + length + bit_cmd
offset = info.calc(args[0])
else:
# nx/nfu offset
nfu = args[0]
offset = info.calc(args[1])
else:
# nx offset 20
nfu = '/20' + bit_cmd
offset = info.calc(args[0])
addr = hex(proc_base + offset)
exec_cmd.execute_exam(nfu, addr)
def z(clx, args):
cap = 4
if proc.is_64():
cap = 8
n = 20
addr = info.calc(args[0])
if len(args) == 2:
n = info.calc(args[1])
if n % 2 == 1:
n += 1
mem = info.read(addr, n * cap)
need_color_addr = []
color = []
all_con = []
x = 0
for i in range(int(len(mem) / (cap * 2))):
lddr = addr + i * cap * 2
lnum = parse.u(mem[i * cap * 2:i * cap * 2 + cap], cap)
rnum = parse.u(mem[i * cap * 2 + cap:i * cap * 2 + cap * 2], cap)
all_con += [lddr, lnum, rnum]
for a in [lnum, rnum]:
if addr <= a < (addr + n * cap) and a not in color:
need_color_addr.append(a)
color.append(31 + x % 6)
x += 1
payload = ''
for i in range(int(len(all_con) / 3)):
if all_con[3 * i] in need_color_addr:
payload += parse.color(
hex(all_con[3 * i]).strip('L'),
color[need_color_addr.index(all_con[3 * i])]) + '\t'
else:
payload += hex(all_con[3 * i]).strip('L') + '\t'
for j in all_con[3 * i + 1:3 * i + 3]:
if j in need_color_addr:
payload += parse.color(
'0x' + hex(j)[2:].rjust(cap * 2, '0').strip('L'),
color[need_color_addr.index(j)]) + '\t'
elif j == 0:
payload += '-' * (cap * 2 + 2) + '\t'
elif j == parse.u('\xff' * cap, cap):
payload += '*' * (cap * 2 + 2) + '\t'
else:
payload += '0x' + hex(j)[2:].strip('L').rjust(
cap * 2, '0') + '\t'
payload += '\n'
print(payload.strip('\n'))
def nf(clx, args):
"""
based on pwngdb
"""
cap = 4
if proc.is_64():
cap = 8
addr = info.calc(args[0])
gdb.execute('free ' + hex(addr + cap * 2))
def lb(clx, args):
libc_base = proc.libc_base()
for line in args:
try:
brk_cmd = 'b *{}'.format(hex(libc_base + info.calc(line)))
gdb.execute(brk_cmd)
except:
print('error when exec ' + brk_cmd, 'offset is: ' + line)
pass
def nb(clx, args):
proc_base = 0
if proc.is_pie():
proc_base = proc.proc_base()
for line in args:
try:
bp = info.calc(line) + proc_base
brk_cmd = 'b *{}'.format(hex(bp))
gdb.execute(brk_cmd)
except:
print('error when exec nb')
pass
def sp(clx, args):
nfu = None
bit_cmd = 'wx'
sp = info.reg('esp')
if proc.is_64():
bit_cmd = 'gx'
sp = info.reg('rsp')
if len(args) >= 2:
if '/' not in args[0]: # bp offset len
nfu = '/' + args[1] + bit_cmd
offset = info.calc(args[0])
else: # bp/nfu offset
nfu = args[0]
offset = info.calc(args[1])
else:
nfu = '/20' + bit_cmd
offset = info.calc(args[0])
addr = hex(sp + offset)
exec_cmd.execute_exam(nfu, addr)
def nflag(clx, args):
addr = info.calc(args[0])
flag = info.value(addr)
key = list(clx.iofile_flag.keys())
value = list(clx.iofile_flag.values())
flag_bits = ""
for i in range(len(value)):
if flag & value[i]:
flag_bits += ('{}\n'.format(key[i])).rjust(25, ' ')
payload = parse.color("[_IO_FILE->flag]:", 'green') + '\n'
payload += parse.color(flag_bits, 'red').strip('\n')
payload += parse.color("=========================", 'cyan')
print(payload)
def sps(clx, args):
nfu = None
bit_cmd = 'wx'
sp = info.reg('esp')
if proc.is_64():
bit_cmd = 'gx'
sp = info.reg('rsp')
if len(args) >= 2: # bpc offset len
nfu = '/' + args[1] + 's'
else:
nfu = '/4s'
offset = info.calc(args[0])
addr = sp - offset
exec_cmd.execute_exam(nfu, addr)
def nxs(clx, args):
"""
nxs offset len, len default is 4
"""
proc_base = 0
if proc.is_pie():
proc_base = proc.proc_base()
nfu = None
if len(args) >= 2:
nfu = '/' + args[1] + 's'
else:
nfu = '/4s'
offset = info.calc(args[0])
addr = hex(proc_base + offset)
exec_cmd.execute_exam(nfu, addr)
def bpc(clx, args):
"""
bpc offset len
"""
nfu = None
bit_cmd = 'wx'
bp = info.reg('ebp')
if proc.is_64():
bit_cmd = 'gx'
bp = info.reg('rbp')
if len(args) >= 2: # bpc offset len
nfu = '/' + args[1] + 'c'
else:
nfu = '/16c'
offset = info.calc(args[0])
addr = bp - offset
exec_cmd.execute_exam(nfu, addr)
def nxc(clx, args):
"""
nxc offset len, len default is 16
"""
proc_base = 0
if proc.is_pie():
proc_base = proc.proc_base()
nfu = None
if len(args) >= 2:
nfu = "/" + args[1] + 'c'
else:
nfu = '/16c'
offset = info.calc(args[0])
proc_base = proc.proc_base()
addr = hex(proc_base + offset)
exec_cmd.execute_exam(nfu, addr)
def nps(clx, args):
if len(args) == 0:
if proc.is_64():
addr = info.reg('rsp')
else:
addr = info.reg('esp')
else:
addr = int(args[0], 16)
num = 0x20
cap = 4
if len(args) >= 2:
num = info.calc(args[1])
if proc.is_64():
cap = 8
memory = info.read(addr, cap * num)
for i in range(num):
con = parse.u(memory[i * cap:(i + 1) * cap], cap)
show1 = parse.color(('[{}] '.format(hex(i))).rjust(12), 'yellow')
show2 = '{}: '.format(hex(addr + cap * i))
show3 = clx.np([hex(con)], 1)
print(show1 + show2 + show3)
def rep(clx, args):
cmd_str = args[0]
n = info.calc(args[1])
for i in range(n):
exec_cmd.execute(cmd_str)