mmkhitaryan/stack_seeker.py

## stack_seeker.py
# python stack_seeker.py some_file_in_cwd
import r2pipe
import sys

r = r2pipe.open('/bin/ls')

r.cmd('ood')
r.cmd('aaa')
file_name = sys.argv[1]

all_imports = r.cmdj('iaj')

for r2_import in all_imports["imports"]:
    if r2_import["name"]=="opendir":
        opendir_pointer = r2_import["plt"]

last_pointer = ''

r.cmd(f'dcu {opendir_pointer}')

while True:
    poiner_from_stack = str(r.cmdj('pxqj 8 @rsp')[0])

    # skip same pointer
    if last_pointer != poiner_from_stack:
        heap_read = r.cmd(f'prx 1024 @ {poiner_from_stack}')
        if file_name in heap_read:
            print(heap_read)
            break
        last_pointer = poiner_from_stack

    r.cmd('ds')
	# python stack_seeker.py some_file_in_cwd
	import r2pipe
	import sys

	r = r2pipe.open('/bin/ls')

	r.cmd('ood')
	r.cmd('aaa')
	file_name = sys.argv[1]

	all_imports = r.cmdj('iaj')

	for r2_import in all_imports["imports"]:
	if r2_import["name"]=="opendir":
	opendir_pointer = r2_import["plt"]

	last_pointer = ''

	r.cmd(f'dcu {opendir_pointer}')

	while True:
	poiner_from_stack = str(r.cmdj('pxqj 8 @rsp')[0])

	# skip same pointer
	if last_pointer != poiner_from_stack:
	heap_read = r.cmd(f'prx 1024 @ {poiner_from_stack}')
	if file_name in heap_read:
	print(heap_read)
	break
	last_pointer = poiner_from_stack

	r.cmd('ds')