def nuntil(self, *arg): """ Execute nexti until regex Usage: MYNAME regex callonlyflag=False """ (regex, callonlyflag) = utils.normalize_argv(arg, 2) regex = str(regex) r = re.compile(regex) arch = e.getarch() ctx = config.Option.get("context") config.Option.set("context", "code") if callonlyflag == True or callonlyflag == "True": cmd = c.nextcall else: cmd = c.next c.next() while True: (addr, code) = e.current_inst(e.getreg("pc")) regexed_code = r.findall(code) if len(regexed_code) > 0: config.Option.set("context", ctx) gdb.execute("context") break else: cmd()
def brk(self, *arg): """ Set break point Usage: MYNAME symbol """ (sym, ) = utils.normalize_argv(arg, 1) e.set_breakpoint(sym)
def nextcalluntil(self, *arg): """ Execute nextcall until regex Usage: MYNAME regex """ (regex, ) = utils.normalize_argv(arg, 1) regex = str(regex) c.nuntil(regex, True)
def suntilxor(self, *arg): """ Execute nexti until jmp-cmds Usage: MYNAME depth=1 """ (depth, ) = utils.normalize_argv(arg, 1) depth = utils.to_int(depth) if depth == None: depth = 1 c.suntil("xor", depth)
def contextmode(self, *arg): """ Set context options Usage: MYNAME options """ (opt, ) = utils.normalize_argv(arg, 1) print(opt) if opt == None: return config.Option.set("context", opt)
def stepi(self, *arg): """ Nexti n times Usage: MYNAME [n] """ (n, ) = utils.normalize_argv(arg, 1) if n == None: n = 1 gdb.execute("stepi " + str(n))
def infox(self, *arg): """ Customized xinfo command from https://github.com/longld/peda Usage: MYNAME address MYNAME register [reg1 reg2] """ (address, regname) = utils.normalize_argv(arg, 2) if address is None: self._missing_argument() text = "" #if not self._is_running(): if False: return def get_reg_text(r, v): text = green("%s" % r.upper().ljust(3), "bold") + ": " chain = e.examine_mem_reference(v) text += utils.format_reference_chain(chain) text += "\n" return text (arch, bits) = e.getarch() if str(address).startswith("r"): # Register regs = e.getregs(" ".join(arg[1:])) if regname is None: for r in REGISTERS[bits]: if r in regs: text += get_reg_text(r, regs[r]) else: for (r, v) in sorted(regs.items()): text += get_reg_text(r, v) if text: utils.msg(text.strip()) if regname is None or "eflags" in regname: self.eflags() return elif utils.to_int(address) is None: warning_utils.msg("not a register nor an address") else: # Address chain = e.examine_mem_reference(address) #text += '\n' #text += 'info: ' text += utils.format_reference_chain(chain) # + "\n" vmrange = e.get_vmrange(address) if vmrange: (start, end, perm, name) = vmrange utils.msg(text) return
def stepcalluntil(self, *arg): """ Execute stepcall until regex Usage: MYNAME regex depth=1 """ (regex, depth) = utils.normalize_argv(arg, 2) regex = str(regex) depth = utils.to_int(depth) if depth == None: depth = 1 c.suntil(regex, depth, True)
def afterpc(self, *arg): """ Show n instructions after pc Usage: MYNAME n """ arch = e.getarch() (expr, ) = utils.normalize_argv(arg,1) expr = str(expr) n = gdb.parse_and_eval(expr) if arch[1] == 64: ip = "$rip" else: ip = "$eip" e.execute('pdisas %s /%s' % (ip, n))
def afteraddr(self, *arg): """ Show n instructions after given addr Usage: MYNAME addr n """ arch = e.getarch() (addr, expr) = utils.normalize_argv(arg,2) expr = str(expr) n = gdb.parse_and_eval(expr) n = utils.to_int(n) if arch[1] == 64: ip = e.getreg("rip") else: ip = e.getreg("eip") e.execute('pdisas %s /%s' % (addr, n))
def suntil(self, *arg): """ Execute stepi until regex Usage: MYNAME regex depth=1 callonlyflag=False """ (regex, depth, callonlyflag) = utils.normalize_argv(arg, 3) regex = str(regex) depth = utils.to_int(depth) r = re.compile(regex) r_call = re.compile("call") r_ret = re.compile("ret") if depth == None: depth = 1 now_depth = 0 if callonlyflag == True or callonlyflag == "True": cmd = c.nextcall else: cmd = c.next next_when_call = c.next step_when_call = c.step arch = e.getarch() ctx = config.Option.get("context") config.Option.set("context", "code") c.step() while True: (addr, code) = e.current_inst(e.getreg("pc")) regexed_code = r.findall(code) if len(regexed_code) > 0: config.Option.set("context", ctx) gdb.execute("context") break else: call_code = r_call.findall(code) ret_code = r_ret.findall(code) if len(call_code) > 0: if now_depth < depth: c.step() now_depth = now_depth + 1 continue elif len(ret_code) > 0: if now_depth <= depth: now_depth = now_depth - 1 c.next() continue cmd()
def grp(self, *arg): """ Grep command-output Usage: MYNAME command regexp """ try: (cmd, regex) = utils.normalize_argv(arg, 2) cmd = str(cmd) regex = str(regex) output = gdb.execute(cmd, to_string=True) regexed = re.findall(regex, output) for line in regexed: print(line) except Exception as e: utils.msg("Exception in grp(%s, %s): %s" % (repr(cmd), repr(regex), e), "red") traceback.print_exc() return False
def beforepc(self, *arg): """ Show n instructions before pc Usage: MYNAME n """ arch = e.getarch() (expr, ) = utils.normalize_argv(arg,1) expr = str(expr) n = gdb.parse_and_eval(expr) n = utils.to_int(n) if arch[1] == 64: ip = e.getreg("rip") else: ip = e.getreg("eip") if n == 1: e.execute('pdisas %s /%s' % (ip, n)) else: addr = e.prev_inst(ip, n)[1][0] e.execute('pdisas %s /%s' % (addr, n))
def beforeaddr(self, *arg): """ Show n instructions after given addr Usage: MYNAME addr n """ arch = pd.getarch() (addr, expr) = utils.normalize_argv(arg, 2) expr = str(expr) n = gdb.parse_and_eval(expr) n = utils.to_int(n) if arch[1] == 64: ip = pd.getreg("rip") else: ip = pd.getreg("eip") if n == 1: pd.execute('pdisas %s /%s' % (ip, n)) else: addr = pd.prev_inst(ip, n)[1][0] pd.execute('pdisas %s /%s' % (addr, n))
def patch(self, *arg): (addr, value, size) = utils.normalize_argv(arg, 3) if type(value) == str: c.patch(addr, value) elif type(value) == list: for (i, x) in enumerate(value): c.patch(addr+i, x) elif type(value) == int: if size == None: print("Please specify size.") return False bytes_list = int2bins(value) length = len(bytes_list) if size < length: print("ERROR: invalid size") return False n = size - length for i in range(n): c.patch(addr+i, 0) for (i, x) in enumerate(bytes_list): c.patch(addr+i, bytes_list[i]) return True
def parseheap(self, *arg): """ Customized parseheap command from https://github.com/scwuaptx/Pwngdb """ (arena, ) = utils.normalize_argv(arg, 1) if capsize == 0 : arch = getarch() if not get_heap_info(arena): print("Can't find heap info") return if (main_arena and not enable_thread) or thread_arena == main_arena : heapbase = int(gdb.execute("x/" + word + " &mp_.sbrk_base",to_string=True).split(":")[1].strip(),16) else : print("Can't find heap") chunkaddr = heapbase addr_str = yellow("addr", "bold") prev_str = yellow("prev", "bold") size_str = yellow("size", "bold")+yellow("|")+red("NM", "bold")+yellow("|")+green("IM", "bold")+yellow("|")+blue("PI", "bold")+yellow("|") fd_str = yellow("fd", "bold") bk_str = yellow("bk", "bold") NM = red("NM", "bold") IM = green("IM", "bold") PI = blue("PI", "bold") print('{:<32}{:<31}{:<114}{:<30}{:<28}'.format(addr_str, prev_str, size_str, fd_str, bk_str)) while chunkaddr != top["addr"] : try : cmd = "x/" + word + hex(chunkaddr) prev_size = int(gdb.execute(cmd,to_string=True).split(":")[1].strip(),16) cmd = "x/" + word + hex(chunkaddr + capsize*1) size = int(gdb.execute(cmd,to_string=True).split(":")[1].strip(),16) cmd = "x/" + word + hex(chunkaddr + capsize*2) fd = int(gdb.execute(cmd,to_string=True).split(":")[1].strip(),16) cmd = "x/" + word + hex(chunkaddr + capsize*3) bk = int(gdb.execute(cmd,to_string=True).split(":")[1].strip(),16) cmd = "x/" + word + hex(chunkaddr + (size & 0xfffffffffffffff8) + capsize) nextsize = int(gdb.execute(cmd,to_string=True).split(":")[1].strip(),16) status = nextsize & 1 NM = str(size & 4) if(NM == "0"): NM = red("0", "bold") else: NM = red("1", "bold") IM = str(size & 2) if(IM == "0"): IM = green("0", "bold") else: IM = green("1", "bold") PI = str(size & 1) if(PI == "0"): PI = blue("0", "bold") else: PI = blue("1", "bold") bits = yellow("|") + NM + yellow("|") + IM + yellow("|") + PI + yellow("|") size = size & 0xfffffffffffffff8 if size == 0 : print("\033[31mCorrupt ?! \033[0m(size == 0) (0x%x)" % chunkaddr) break if status : if chunkaddr in fastchunk : msg = "\033[1;34m Freed \033[0m" chunkaddr_str = blue(hex(chunkaddr)) print('{:<30}0x{:<17x}{:<102}{:<18}{:<18}'.format(chunkaddr_str, prev_size, hex(size)+bits, hex(fd), "None")) else : msg = "\033[31m Used \033[0m" chunkaddr_str = green(hex(chunkaddr), "bold") print('{:<32}0x{:<17x}{:<102}{:<18}{:<18}'.format(chunkaddr_str, prev_size, hex(size)+bits, "None", "None")) else : if chunkaddr in fastchunk: msg = "\033[1;34m Freed \033[0m" chunkaddr_str = blue(hex(chunkaddr)) print('{:<30}0x{:<17x}{:<102}{:<18}{:<18}'.format(chunkaddr_str, prev_size, hex(size)+bits, hex(fd), hex(bk))) else: msg = "\033[1;34m Freed \033[0m" chunkaddr_str = blue(hex(chunkaddr), "bold") print('{:<32}0x{:<17x}{:<102}{:<18}{:<18}'.format(chunkaddr_str, prev_size, hex(size)+bits, hex(fd), hex(bk))) chunkaddr = chunkaddr + (size & 0xfffffffffffffff8) if chunkaddr > top["addr"] : print("\033[31mCorrupt ?!\033[0m") break except : print("Corrupt ?!") break
def parse(self, argv): """Parse a set of arguments for this command.""" argv = utils.normalize_argv(argv) argv = self._parse_options(argv) argv = self._parse_arguments(argv) self._parse_command(argv)