Helper for a pwn.college reversing challenge (rev8): runs the binary under radare2, breaks at a compare, reads both operands (rsi = the expected value, rdi = our probe input after the program mangles it), inverts the observed permutation and replays the reconstructed input. Intended to recover the expected input for such compares automatically; the binary path, breakpoint address and XOR key are specific to that challenge.
#!/bin/env python3 | |
from r2pipe import open as r2open | |
from pwn import p64, xor | |
from sys import argv | |
from pwn import xor | |
from os import system as run | |
import fuckpy3 | |
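# CLI: <script> <xor-key>  -- the key in hex, with or without a 0x prefix.
# The original silently exit()-ed (status 0, no message) when the key was missing.
if len(argv) < 2:
    raise SystemExit(f"usage: {argv[0]} <xor-key-hex>")
do_xor = True  # always true once we get here; kept because the original defined it
# int(x, 16) already accepts an optional "0x" prefix, so one parse covers both spellings
# (and, unlike prepending "0x", also tolerates an upper-case "0X").
key = int(argv[1].strip(), 16)
padding = 4           # filler bytes written in front of the probe pattern
pattern = 123456789   # probe made of nine distinct digits so every position can be traced
# First-pass input file for the target (relative path: run from the target's directory).
# The handle is closed by the code further down that writes the pattern into it.
input_file = open('pqqmm', 'w')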
def get_registers(proc):
    """Return the debuggee's registers as a name -> hex-string dict.

    Runs r2's `drj` (register dump as JSON) on `proc` and formats every
    integer value with hex(), e.g. {'rsi': '0x7ffc...', ...}. An empty
    dump yields an empty dict.
    """
    dump = proc.cmdj("drj")
    return {name: hex(value) for name, value in dump.items()}
def get_data_from_addr(proc, addr):
    """Hex-dump 32-bit words at `addr` (r2 `pxw`) and return them as bare hex strings.

    The dump is split on single spaces, the leading address column is dropped
    and every "0x" and every "00" substring is removed from each token.
    NOTE(review): the "00" removal is blind -- it also deletes zero bytes in
    the middle of a word and any "00" that straddles two bytes, so only trust
    the result for words without embedded NULs. Whatever else follows the
    words in the dump (r2 may append an ASCII column and further lines) comes
    through untouched; callers only index the first few entries.
    """
    dump = proc.cmd(f'pxw @{addr}')
    tokens = [tok for tok in dump.split(" ") if tok]
    stripped = [tok.replace("0x", "").replace("00", "") for tok in tokens]
    # tokens[0] is the address column, not data
    return stripped[1:]
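def mangler(pattern, patt_res, to_mangle):
    """Invert an observed positional permutation.

    `pattern` is the probe fed to the program, `patt_res` is what the program
    turned it into (the probe's characters, permuted, possibly with extra
    characters around them) and `to_mangle` is the string the program should
    end up with. For each character of `pattern` the function looks up where
    it landed in `patt_res` and takes `to_mangle`'s character at that position,
    so feeding the result through the same permutation yields `to_mangle`.
    `pattern` and `patt_res` are str()-ed first, so ints are accepted.

    Raises ValueError when `pattern` has a repeated character -- str.index
    would then silently pick the first occurrence and the recovered input
    would be wrong -- or when a pattern character does not occur in
    `patt_res`. An IndexError propagates when `to_mangle` is shorter than
    the highest position found.
    """
    probe = str(pattern)
    observed = str(patt_res)
    if len(set(probe)) != len(probe):
        raise ValueError("pattern characters must be unique to recover the permutation")
    positions = [observed.index(ch) for ch in probe]
    return "".join(to_mangle[pos] for pos in positions)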
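# Target and breakpoint. The breakpoint is an absolute virtual address, so it
# only hits when r2 maps this PIE binary at its usual fixed base
# (0x555555554000); re-derive it if the binary or the loader changes.
BINARY = "/home/rc/ctfs/pwncollege/rev/rev8"
BREAKPOINT = 0x55555555540c   # the compare whose operands we inspect
INPUT_FILE = 'pqqmm'          # relative path: the target must be run from this directory
WORDS = 3                     # 32-bit words read from each compare operand


def _run_to_breakpoint():
    """Launch BINARY under r2 (-d), break at BREAKPOINT and run until it hits.

    Returns (proc, rsi, rdi) with both registers as hex strings. The caller
    owns `proc` and must call proc.quit() to end the debug session.
    """
    proc = r2open(BINARY, flags=["-d", ])
    proc.cmd("aaa; s main")
    # Plain `db <addr>` for both runs (the original used `db *<addr>` on the second).
    proc.cmd(f"db {BREAKPOINT:#x}")
    proc.cmd("ds;dc")
    regs = get_registers(proc)
    return proc, regs['rsi'], regs['rdi']


def _xor_words(proc, reg, trim_third=False):
    """Read WORDS words at the address in `reg`, XOR each with `key`, join as str.

    With trim_third the first two hex digits (one byte) of the third word are
    dropped, matching the original handling of the rdi operand -- why that
    byte is skipped is not documented; confirm against the binary.
    .unhex()/.str() are the fuckpy3 monkey-patched helpers.
    """
    words = get_data_from_addr(proc, reg)
    out = []
    for i in range(WORDS):
        word = words[i]
        if trim_third and i == 2:
            word = word[2:]
        out.append(xor(word.unhex(), key).str())
    return "".join(out)


# Pass 1: feed a known probe and capture both compare operands.
# `input_file` was opened (mode 'w') at the top of the script; the with-block
# closes it, so the bytes are on disk before the debuggee reads the file.
with input_file:
    input_file.write("A" * padding + str(pattern))
proc, rsi, rdi = _run_to_breakpoint()
expected_results = _xor_words(proc, rsi)                # what the program compares against
mangled_input = _xor_words(proc, rdi, trim_third=True)  # our probe after the program's mangling
print(f"Expected result: {expected_results}")
print(f"Mangled input: {mangled_input}")
proc.quit()

# Pass 2: invert the observed permutation and replay the reconstructed input.
expected_inp_mangled = mangler(pattern, mangled_input, expected_results)
# Close (and thereby flush) before launching: the original reopened the file
# and only closed it at the very end, so the short write could still be
# sitting in Python's buffer while the debuggee read a truncated, empty file.
with open(INPUT_FILE, 'w') as input_file:
    input_file.write("A" * padding + expected_inp_mangled.strip())
proc, rsi, rdi = _run_to_breakpoint()
print("Seeked!")
print(get_data_from_addr(proc, rdi))
print(proc.cmd('dc'))   # run to completion and show the program's verdict
proc.quit()             # the original never ended this second r2 session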