def fmtoff(clx, args):
fmtstr_addr = int(args[0], 16)
if proc.is_64():
sp = info.reg('rsp')
offset = hex((int)((fmtstr_addr - sp) / 8) + 6)
print("<amd64> fmtstr offset --> " + offset)
elif proc.is_32():
sp = info.reg('esp')
offset = hex((int)((fmtstr_addr - sp) / 4))
print("<i386> fmtstr offset --> " + offset)
def sps(clx, args):
nfu = None
bit_cmd = 'wx'
sp = info.reg('esp')
if proc.is_64():
bit_cmd = 'gx'
sp = info.reg('rsp')
if len(args) >= 2: # bpc offset len
nfu = '/' + args[1] + 's'
else:
nfu = '/4s'
offset = info.calc(args[0])
addr = sp - offset
exec_cmd.execute_exam(nfu, addr)
def bpc(clx, args):
"""
bpc offset len
"""
nfu = None
bit_cmd = 'wx'
bp = info.reg('ebp')
if proc.is_64():
bit_cmd = 'gx'
bp = info.reg('rbp')
if len(args) >= 2: # bpc offset len
nfu = '/' + args[1] + 'c'
else:
nfu = '/16c'
offset = info.calc(args[0])
addr = bp - offset
exec_cmd.execute_exam(nfu, addr)
def st(clx, args):
top = args[0]
ip = 'rip'
if proc.is_32():
ip = 'eip'
while (1):
exec_cmd.execute('si')
addr = info.reg(ip)
cop = info.opcode(addr)
if top == cop:
break
return gdb.execute('context')
def sp(clx, args):
nfu = None
bit_cmd = 'wx'
sp = info.reg('esp')
if proc.is_64():
bit_cmd = 'gx'
sp = info.reg('rsp')
if len(args) >= 2:
if '/' not in args[0]: # bp offset len
nfu = '/' + args[1] + bit_cmd
offset = info.calc(args[0])
else: # bp/nfu offset
nfu = args[0]
offset = info.calc(args[1])
else:
nfu = '/20' + bit_cmd
offset = info.calc(args[0])
addr = hex(sp + offset)
exec_cmd.execute_exam(nfu, addr)
def nps(clx, args):
if len(args) == 0:
if proc.is_64():
addr = info.reg('rsp')
else:
addr = info.reg('esp')
else:
addr = int(args[0], 16)
num = 0x20
cap = 4
if len(args) >= 2:
num = info.calc(args[1])
if proc.is_64():
cap = 8
memory = info.read(addr, cap * num)
for i in range(num):
con = parse.u(memory[i * cap:(i + 1) * cap], cap)
show1 = parse.color(('[{}] '.format(hex(i))).rjust(12), 'yellow')
show2 = '{}: '.format(hex(addr + cap * i))
show3 = clx.np([hex(con)], 1)
print(show1 + show2 + show3)
def parse_eflags():
eflags = {
"CF": 0,
"PF": 0,
"AF": 0,
"ZF": 0,
"SF": 0,
"TF": 0,
"IF": 0,
"DF": 0,
"OF": 0
}
eflags_value = info.reg('eflags')
eflags["CF"] = bool(eflags_value & EFLAGS_CF)
eflags["PF"] = bool(eflags_value & EFLAGS_PF)
eflags["AF"] = bool(eflags_value & EFLAGS_AF)
eflags["ZF"] = bool(eflags_value & EFLAGS_ZF)
eflags["SF"] = bool(eflags_value & EFLAGS_SF)
eflags["TF"] = bool(eflags_value & EFLAGS_TF)
eflags["IF"] = bool(eflags_value & EFLAGS_IF)
eflags["DF"] = bool(eflags_value & EFLAGS_DF)
eflags["OF"] = bool(eflags_value & EFLAGS_OF)
return (eflags, eflags_value)
def rejmp(clx, args):
ip = 0
if proc.is_64():
ip = info.reg('rip')
elif proc.is_32():
ip = info.reg('eip')
opcode = info.opcode(ip)
def is_jump():
jump_opcode = [
'jmp', 'je', 'jne'
'jg', 'jge', 'ja', 'jae', 'jl', 'jle', 'jb', 'jbe', 'jo',
'jno', 'jz', 'jnz'
]
if opcode in jump_opcode:
return True
return False
if is_jump():
EFLAGS_CF = 1 << 0
EFLAGS_PF = 1 << 2
EFLAGS_AF = 1 << 4
EFLAGS_ZF = 1 << 6
EFLAGS_SF = 1 << 7
EFLAGS_TF = 1 << 8
EFLAGS_IF = 1 << 9
EFLAGS_DF = 1 << 10
EFLAGS_OF = 1 << 11
def parse_eflags():
eflags = {
"CF": 0,
"PF": 0,
"AF": 0,
"ZF": 0,
"SF": 0,
"TF": 0,
"IF": 0,
"DF": 0,
"OF": 0
}
eflags_value = info.reg('eflags')
eflags["CF"] = bool(eflags_value & EFLAGS_CF)
eflags["PF"] = bool(eflags_value & EFLAGS_PF)
eflags["AF"] = bool(eflags_value & EFLAGS_AF)
eflags["ZF"] = bool(eflags_value & EFLAGS_ZF)
eflags["SF"] = bool(eflags_value & EFLAGS_SF)
eflags["TF"] = bool(eflags_value & EFLAGS_TF)
eflags["IF"] = bool(eflags_value & EFLAGS_IF)
eflags["DF"] = bool(eflags_value & EFLAGS_DF)
eflags["OF"] = bool(eflags_value & EFLAGS_OF)
return (eflags, eflags_value)
(eflags, eflags_value) = parse_eflags()
def jump_taken():
if opcode == "jmp":
return True
if opcode == "je" and eflags["ZF"]:
return True
if opcode == "jne" and not eflags["ZF"]:
return True
if opcode == "jg" and not eflags["ZF"] and (eflags["SF"]
== eflags["OF"]):
return True
if opcode == "jge" and (eflags["SF"] == eflags["OF"]):
return True
if opcode == "ja" and not eflags["CF"] and not eflags["ZF"]:
return True
if opcode == "jae" and not eflags["CF"]:
return True
if opcode == "jl" and (eflags["SF"] != eflags["OF"]):
return True
if opcode == "jle" and (eflags["ZF"] or
(eflags["SF"] != eflags["OF"])):
return True
if opcode == "jb" and eflags["CF"]:
return True
if opcode == "jbe" and (eflags["CF"] or eflags["ZF"]):
return True
if opcode == "jo" and eflags["OF"]:
return True
if opcode == "jno" and not eflags["OF"]:
return True
if opcode == "jz" and eflags["ZF"]:
return True
if opcode == "jnz" and eflags["OF"]:
return True
return False
if jump_taken():
def reverse_taken():
"""
change jump to not jump
"""
if opcode == 'je':
new_eflags_value = eflags_value & (~EFLAGS_ZF)
elif opcode == 'jne':
new_eflags_value = eflags_value | EFLAGS_ZF
elif opcode == 'jg':
new_eflags_value = ((eflags_value | EFLAGS_ZF)
| EFLAGS_SF) & (~EFLAGS_OF)
elif opcode == 'jge':
new_eflags_value = eflags_value | EFLAGS_SF & (
~EFLAGS_OF)
elif opcode == 'ja':
new_eflags_value = eflags_value | EFLAGS_CF | EFLAGS_ZF
elif opcode == 'jae':
new_eflags_value = eflags_value | EFLAGS_CF
elif opcode == 'jl':
new_eflags_value = eflags_value | EFLAGS_SF | EFLAGS_OF
elif opcode == 'jle':
new_eflags_value = (
eflags_value & ~EFLAGS_ZF) | EFLAGS_SF | EFLAGS_OF
elif opcode == 'jb':
new_eflags_value = eflags_value & (~EFLAGS_CF)
elif opcode == 'jbe':
new_eflags_value = (eflags_value &
(~EFLAGS_CF)) & (~EFLAGS_ZF)
elif opcode == 'jo':
new_eflags_value = eflags_value & (~EFLAGS_OF)
elif opcode == 'jno':
new_eflags_value = eflags_value | EFLAGS_OF
elif opcode == 'jz':
new_eflags_value = eflags_value & (~EFLAGS_ZF)
elif opcode == 'jnz':
new_eflags_value = eflags_value & (~EFLAGS_OF)
else:
print("error: no matach condition jump ins")
return
gdb.execute('set $eflags={}'.format(hex(new_eflags_value)))
reverse_taken()
else:
def reverse_not_taken():
"""
change not jump to jump
"""
if opcode == 'je':
new_eflags_value = eflags_value | EFLAGS_ZF
elif opcode == 'jne':
new_eflags_value = eflags_value & (~EFLAGS_ZF)
elif opcode == 'jg':
new_eflags_value = (
eflags_value &
(~EFLAGS_ZF)) | EFLAGS_SF | EFLAGS_OF
elif opcode == 'jge':
new_eflags_value = eflags_value | EFLAGS_SF | EFLAGS_OF
elif opcode == 'ja':
new_eflags_value = (eflags_value &
(~EFLAGS_CF)) & (~EFLAGS_ZF)
elif opcode == 'jae':
new_eflags_value = eflags_value & (~EFLAGS_CF)
elif opcode == 'jl':
new_eflags_value = (eflags_value
| EFLAGS_SF) & (~EFLAGS_OF)
elif opcode == 'jle':
new_eflags_value = eflags_value | EFLAGS_ZF
elif opcode == 'jb':
new_eflags_value = eflags_value | EFLAGS_CF
elif opcode == 'jbe':
new_eflags_value = eflags_value | EFLAGS_CF
elif opcode == 'jo':
new_eflags_value = eflags_value | EFLAGS_OF
elif opcode == 'jno':
new_eflags_value = eflags_value & (~EFLAGS_OF)
elif opcode == 'jz':
new_eflags_value = eflags_value | EFLAGS_ZF
elif opcode == 'jnz':
new_eflags_value = eflags_value | EFLAGS_OF
else:
print("error: no matach condition jump ins")
return
gdb.execute('set $eflags={}'.format(hex(new_eflags_value)))
reverse_not_taken()