  • Helper Python
    Hack/Pwnable 2018. 10. 22. 12:30
    1. from idautils import *
    2. from idc import *
    3.  
    # Segment bounds are kept as parallel lists: entry i of a *_startEA list
    # pairs with entry i of the matching *_endEA list.
    const_startEA, const_endEA = [], []  # "__const" segments: start / end addresses

    got_startEA, got_endEA = [], []  # "__got" segments: start / end addresses

    stubs_startEA, stubs_endEA = [], []  # "__stubs" segments: start / end addresses
    12.  
    13. #set_name(0xFFFFFFF0070015C0,"gggg")
    14.  
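    def get_const_seg():
        """Record the bounds of every segment whose name contains "__const".

        Walks the segment list with NextSeg(), beginning at the image base, and
        appends each match's start address to const_startEA and its end address
        (from SegEnd) to const_endEA. Returns nothing; the two module-level lists
        are the output.
        """
        # NOTE(review): the walk begins at NextSeg(image base), so a segment that
        # starts at the image base itself is never examined.
        seg_addr = NextSeg(idaapi.get_imagebase())

        # BADADDR marks the end of the segment list. It is 0xFFFFFFFF in a 32-bit
        # database, so comparing against a hard-coded 64-bit literal would never
        # terminate the loop there.
        while seg_addr != BADADDR:
            if "__const" in SegName(seg_addr):
                const_startEA.append(seg_addr)
                const_endEA.append(SegEnd(seg_addr))
            seg_addr = NextSeg(seg_addr)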
    30.  
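    def get_got_seg():
        """Record the bounds of every segment whose name contains "__got".

        Walks the segment list with NextSeg(), beginning at the image base, and
        appends each match's start address to got_startEA and its end address
        (from SegEnd) to got_endEA. Returns nothing; the two module-level lists
        are the output.
        """
        # NOTE(review): the walk begins at NextSeg(image base), so a segment that
        # starts at the image base itself is never examined.
        seg_addr = NextSeg(idaapi.get_imagebase())

        # BADADDR marks the end of the segment list. It is 0xFFFFFFFF in a 32-bit
        # database, so comparing against a hard-coded 64-bit literal would never
        # terminate the loop there.
        while seg_addr != BADADDR:
            if "__got" in SegName(seg_addr):
                got_startEA.append(seg_addr)
                got_endEA.append(SegEnd(seg_addr))
            seg_addr = NextSeg(seg_addr)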
    46.  
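    def get_stubs_seg():
        """Record the bounds of every segment whose name contains "__stubs".

        Walks the segment list with NextSeg(), beginning at the image base, and
        appends each match's start address to stubs_startEA and its end address
        (from SegEnd) to stubs_endEA. Returns nothing; the two module-level lists
        are the output.
        """
        # NOTE(review): the walk begins at NextSeg(image base), so a segment that
        # starts at the image base itself is never examined.
        seg_addr = NextSeg(idaapi.get_imagebase())

        # BADADDR marks the end of the segment list. It is 0xFFFFFFFF in a 32-bit
        # database, so comparing against a hard-coded 64-bit literal would never
        # terminate the loop there.
        while seg_addr != BADADDR:
            if "__stubs" in SegName(seg_addr):
                stubs_startEA.append(seg_addr)
                stubs_endEA.append(SegEnd(seg_addr))
            seg_addr = NextSeg(seg_addr)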
    62.  
    63.  
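    def op_work():
        """Convert __const and __got slots to offsets and name the __got slots.

        Reads the segment ranges stored in const_startEA/const_endEA and
        got_startEA/got_endEA. Every 8-byte slot in those ranges has operand 0
        turned into a plain offset with op_plain_offset(). Each __got slot is then
        named after its operand text plus a running "_<n>" suffix.

        The 8-byte stride assumes 64-bit pointers.
        """
        # Single-argument print() behaves the same under Python 2 and Python 3.
        print("[+] Working op_offset")

        for seg_start, seg_end in zip(const_startEA, const_endEA):
            for const_addr in range(seg_start, seg_end, 8):
                op_plain_offset(const_addr, 0, 0)

        # NOTE(review): the listing lost its indentation; the counter is assumed
        # to advance once per slot, which keeps every generated name unique.
        slot_count = 0
        for seg_start, seg_end in zip(got_startEA, got_endEA):
            for got_addr in range(seg_start, seg_end, 8):
                op_plain_offset(got_addr, 0, 0)
                func_name = GetOpnd(got_addr, 0)

                # Without operand text the slot would be named just "_<n>",
                # so such slots are left unnamed.
                if func_name:
                    func_name = func_name + "_" + str(slot_count)
                    set_name(got_addr, func_name, SN_NOWARN)

                    # The original printed hex(xref.frm), but the loop that bound
                    # `xref` (renaming every cross-reference source) is commented
                    # out, so that line raised NameError. Report the slot instead.
                    print(hex(got_addr))
                    print(str(func_name))

                slot_count += 1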
    85.  
    # TODO: parse the __stubs code section, rename the stub functions, and demangle the names
    87.  
    88.  
    # Fill the segment-range lists first; op_work() reads them afterwards.
    for collect_segments in (get_const_seg, get_got_seg, get_stubs_seg):
        collect_segments()
    op_work()
    93.  
    94.  

