Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
def run():
syms = ['atoi', 'atol', 'isascii', 'isblank', 'isalpha', 'isdigit', 'isalnum', 'isspace', 'isupper', 'islower', 'tolower', 'toupper', 'isprint', 'ispunct', 'tzset', 'tp2tm', 'localtime', 'gmtime', 'mktime', 'pre_main', 'malloc', 'free', 'memtst_full', 'memtst_show', 'memtst_summary', 'memtst_init', 'memtst_put', 'memtst_get', 'memtst_bt', 'memtst_malloc', 'memtst_free', 'swap', 'fix', 'qsort', 'srand', 'rand', 'rnode_make', 'rnode_free', 'uc_len', 'uc_dec', 'ratom_copy', 'brk_len', 'ratom_read_brk', 'ratom_read', 'uc_beg', 'isword', 'brk_match', 'ratom_match', 'rnode_grp', 'rnode_atom', 'rnode_seq', 'rnode_parse', 'rnode_count', 're_insert', 'rnode_emitnorep', 'rnode_emit', 'regcomp', 'regfree', 're_rec', 're_recmatch', 'regexec', 'regerror', 'ic', 'setbuf', 'fgetc', 'getchar', 'ungetc', 'iint', 'istr', 'vfscanf', 'fscanf', 'scanf', 'vsscanf', 'sscanf', 'fgets', 'va_arg', 'fflush', 'whatisthis_0', 'oc', 'ostr', 'digits', 'oint', 'vfprintf', 'perror', 'vsnprintf', 'vsprintf', 'putc', 'puts', 'printf', 'fprintf', 'sprintf', 'snprintf', 'fputs', 'abs', 'labs', 'atexit', '__neatlibc_exit', 'exit', 'putstr', 'puti', 'puttz', 'strftime', 'strncpy', 'strcat', 'strstr', 'whatisthis_11', '_exit', 'whatisthis_14', 'read', 'write', 'gettimeofday', 'whatisthis_9', 'whatisthis_10', 'memset', 'memcpy', 'memtst_back', 'memcmp', 'mprotect', 'whatisthis_12', 'whatisthis_13', 'strlen', 'strncmp', 'strcpy', 'strchr', 'strcmp', 'wait']
# define _start
bv.platform = Platform['clem']
start = bv.get_function_at(0) = '_start'
# Find the base of libc
pre_main_addr = 0x901 # Fallback addr
main_addr = None
start_insns = list(start.basic_blocks[0])
for i, ins in enumerate(start_insns):
if 'car' in ins[0][0].text:
pre_main_addr = int(ins[0][1].text, 16)
main_addr = int(start_insns[i+1][0][1].text, 16)
# Check which way the stack grows, one function will be missing if it grows up
# don't...worry too much about this
if 'adi' in list(bv.get_function_at(pre_main_addr).basic_blocks[0])[0][0][0].text:
# Rename main
if main_addr is not None:
bv.get_function_at(main_addr).name = 'main'
# Find the base (atoi) based on this address
addr = pre_main_addr - 0x8a1
# Define the rest of libc
for sym in syms:
print '{}@{}'.format(sym, hex(addr))
func = bv.get_function_at(addr) = sym
addr = max(bb.end for bb in func.basic_blocks)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment