Пример #1
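def main():
    """Record the nursery start address and the resolved addresses of pattern hits.

    Appends ``shadow.nursery_heap.start_addr`` to ``spray-reliability-nursery.txt``,
    then runs the debugger's memory search for a fixed 16-byte pattern and, for
    every hit whose address resolves (via ``shadow.find_address``) to a region
    with a ``parent_region``, appends the resolved address to
    ``spray-reliability.txt``.

    Depends on the module-level ``shadow`` and ``dbg`` objects brought into scope
    elsewhere in this file. Both output files are opened in append mode, so
    repeated runs accumulate lines rather than overwrite earlier results.
    """
    shadow.parse_nursery()

    # Context manager so the handle is released even if the write raises.
    with open('spray-reliability-nursery.txt', 'a') as fd:
        fd.write('0x%08x\n' % (shadow.nursery_heap.start_addr))

    # Debugger memory search from 0x0 over a 0xffffffff-byte range for the
    # 16-byte pattern; the textual result is consumed line by line below.
    lines = dbg.execute('s 0x0 l?0xffffffff 00 00 00 00 1e 00 00 00 1e 00 00 00 1e 00 00 00')
    lines = lines.split('\n')

    with open('spray-reliability.txt', 'a') as fd:
        for line in lines:
            # NOTE(review): assumes every hit line starts with a bare hex
            # address (no '0x' prefix) followed by a space. The first line
            # without a space — typically the trailing empty line after the
            # split — terminates the scan; confirm no real hit lines can
            # lack a space, or this break would drop later results.
            end = line.find(' ')
            if end == -1:
                break

            addr = line[:end]
            addrinfo = shadow.find_address(dbg.to_int('0x%s' % (addr)))

            # Only hits that belong to a known parent region are recorded.
            if addrinfo.parent_region:
                fd.write('0x%08x\n' % (addrinfo.addr))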
Пример #2
        shadow.dump_all(path=path)

    elif sys.argv[1] == 'jechunks':
        shadow.dump_chunks()

    elif sys.argv[1] == 'jechunk':
        arg = sys.argv[2:]
        if len(arg) >= 1:
            addr = arg[0]
        else:
            print('[shadow] usage: jechunk <address>')
            print('[shadow] for example: jechunk 0x900000')
            sys.exit(1)

        if addr.startswith('0x'):
            addr = dbg.to_int(addr)
        else:
            addr = dbg.to_int('0x%s' % (addr))
        shadow.dump_chunk(addr)

    elif sys.argv[1] == 'jearenas':
        shadow.dump_arenas()

    elif sys.argv[1] == 'jeruns':
        current_runs = False
        size = 0

        try:

            alist, args = getopt.getopt(sys.argv[2:], 'cs:')
Пример #3
        try:
            size_class = int(sys.argv[2])
        except:
            print('[shadow] usage: jeregions <size class>')
            print('[shadow] for example: jeregions 1024')
            sys.exit()

        shadow.dump_regions(size_class)

    elif sys.argv[1] == 'pa':
        addr = 0
        new_len = 0x666

        try:
            if sys.argv[2].startswith('0x'):
                addr = dbg.to_int(sys.argv[2])
                new_len = dbg.to_int(sys.argv[3])
            else:
                addr = dbg.to_int('0x%s' % (sys.argv[2]))
                new_len = dbg.to_int(sys.argv[3])
        except:
            if addr != 0:
                shadow.pwnarray(addr)
                sys.exit()
            else:
                print('[shadow] usage: pa <address> [<new length>]')
                print('[shadow] for example: pa 0x13f1fc00 0x1000')
                sys.exit()

        shadow.pwnarray(addr, new_length=new_len)