

def db(word_size, alphabet_size):
L1 = alphabet_size**(word_size-1)
lookup_table = {}
i = 0
for _ in range(L1*alphabet_size):
if i not in lookup_table:
lookup_table[i] = alphabet_size - 1
s = lookup_table[i]
yield alphabet_size - s - 1
yannayl / populate_ram.py
Last active January 20, 2019 07:23
Populates the RAM and adds references according to a memory dump
import sark
import construct as ct
import ida_xref
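## I have dumped the memory content to ram.bin
# Read the whole dump in binary mode inside a context manager so the file
# handle is closed deterministically instead of being left for the garbage
# collector (the original `open(...).read()` never closed it).
with open("ram.bin", "rb") as dump_file:
    dump = dump_file.read()
# Handle to the segment named 'RAM' via sark (imported at the top of the file).
# NOTE(review): whether sark.Segment(name=...) creates the segment or only looks
# up an existing one is not visible here - confirm against the sark API.
ram = sark.Segment(name='RAM')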
## memoizing can make it more efficient but IDC
def in_segs(ea, segs):
def spoils(f):
"""return the list of spoiled registers
default is r0-r3
not too smart, but safe - i.e. if list of spoiled registers is smaller than 4 - it's quite safe to assume only these registers are spoiled
the opposite is false
"""
spoiled = ['R0', 'R1', 'R2', 'R3']
if any(f.xrefs_from):
return spoiled
yannayl / ida_sarlk_function_strings_ref.py
Last active August 17, 2020 22:45
A function which returns all the strings referenced from a function
def strs(f=None, visited=None, level=0, maxlevel=-1):
if maxlevel >= 0 and level > maxlevel:
return [], set()
if not f:
f = sark.Function()
if not visited:
visited = set()
root = True
else:
root = False
yannayl / babyheap.py
Created April 2, 2018 15:53
0ctf 2018 babyheap challenge exploit
from pwn import *
context.bits = 64  # pwntools global context: the target is treated as 64-bit
# Alternative libc build kept for reference; the 2.24 build below is the one in use.
#libc = ELF('./libc-2.23.so')
libc = ELF('./libc-2.24.so')  # libc ELF this script works against
main = ELF('./babyheap.dbg')  # challenge binary; the '.dbg' file is the one currently loaded
# Non-debug build of the binary and a separate libc debug file, both unused here.
#main = ELF('./babyheap')
#dbg_file = './libc-2.23.debug'
def gdb_load_symbols_cmd(sym_file, elf, base):
yannayl / x.py
Last active March 27, 2018 09:03
yanc challenge #ins18 exploit
from pwn import *
context.bits = 64  # pwntools global context: the target is treated as 64-bit
libc = ELF('./libc-2.23.so')  # libc ELF this script works against
main = ELF('./yanc.dbg')  # challenge binary; the '.dbg' file is the one loaded
dbg_file = './libc-2.23.debug'  # path to a separate libc debug file; used further down, outside this preview
notes_used = set()  # bookkeeping set, empty at start; what it tracks is defined by code below this preview
local = True  # selects the `if local:` branch that follows (local run vs. the alternative set up below)
if local:
yannayl / x.py
Created March 24, 2018 03:21
solution to insomnihack18 bytefinex challenge
from pwn import *
context.bits = 64  # pwntools global context: the target is treated as 64-bit
# libc ELF this script works against; the hash-suffixed filename is kept exactly as distributed.
libc = ELF('./libc-223-05b841eae6f475817ebb3b99562cd6535cc61b099350a25019cd5d3b3136881d.so')
# Challenge binary; the '.dbg' file is the one loaded.
main = ELF('./bytefinex-8fe15d1eb750fe2cb0b2dae88a048c1876c799fb37f9d73ba3646f7d158774a9.bin.dbg')
dbg_file = './libc-2.23.debug'  # path to a separate libc debug file; used further down, outside this preview
local = False  # False skips the `if local:` branch below, which would spawn `main` with this libc LD_PRELOADed
if local:
r = main.process(env={'LD_PRELOAD' : libc.path})
import sark
for segname in ['.bss', '.data']:
for line in sark.Segment(name=segname).lines:
if not line.name:
continue
if line.name.startswith('g_'):
continue
import sark
# Prefix every named line of the '.bss' segment with 'g_', leaving unnamed lines
# and lines that already carry the prefix untouched. (The script does not say
# what the prefix denotes; presumably it tags globals - confirm with the author.)
for bss_line in sark.Segment(name='.bss').lines:
    current = bss_line.name
    if current and not current.startswith('g_'):
        bss_line.name = 'g_' + current
yannayl / ida_sark_install.md
Last active June 12, 2018 08:12
Installation of custom python + pip + sark on Ubuntu 16.04 for IDA

Script:

sudo apt install gcc-multilib g++-multilib libssl-dev:i386 zlib1g-dev:i386 clang

wget https://www.python.org/ftp/python/2.7.15/Python-2.7.15.tar.xz
tar xf Python-2.7.15.tar.xz
cd Python-2.7.15/
CC="clang -m32" CXX="clang++ -m32" CFLAGS=-m32 CXXFLAGS=-m32 ./configure --prefix=/opt/Python2.7.15-32bits  --enable-shared --enable-unicode=ucs4  --enable-optimizations
CC="clang -m32" CXX="clang++ -m32" CFLAGS=-m32 CXXFLAGS=-m32 make -j