Merge branch 'dc23'

10 years ago · 280d7aee55
parent 6b3615d9b9 83ebc887c4
commit 280d7aee55
7 changed files with 139 additions and 8 deletions
--- a/pwndbg/init.py
+++ b/pwndbg/init.py
@ -60,6 +60,7 @@ import pwndbg.commands.segments
 import pwndbg.commands.xor
 import pwndbg.commands.peda
 import pwndbg.commands.gdbinit
+import pwndbg.commands.defcon



--- a/pwndbg/argv.py
+++ b/pwndbg/argv.py
@ -41,8 +41,10 @@ def update():
    envp = sp

    envc = 0
-    while pwndbg.memory.u(sp, ptrbits):
-        sp += ptrsize
-        envc += 1
-
+    try:
+        while pwndbg.memory.u(sp, ptrbits):
+            sp += ptrsize
+            envc += 1
+    except gdb.MemoryError:
+        pass

--- a/pwndbg/commands/defcon.py
+++ b/pwndbg/commands/defcon.py
@ -0,0 +1,121 @@
+from __future__ import print_function
+import gdb
+
+import pwndbg.vmmap
+import pwndbg.commands
+import pwndbg.symbol
+import pwndbg.memory
+
+from pwndbg.color import bold, blue, green, red
+
+@pwndbg.commands.Command
+@pwndbg.commands.OnlyWhenRunning
+def heap(addr=0x2aaaaaad5000):
+# def heap(addr=0x2aaaaaaaf000):
+    free = []
+
+    try:
+        free = heap_freebins()
+    except Exception as e:
+        print(e)
+        pass
+
+    try:
+        heap_allocations(addr, free)
+    except Exception as e:
+        print(e)
+        pass
+
+
+
+def heap_freebins(addr=0x0602558):
+    print(bold('Linked List'))
+
+    # addr = 0x0602558
+    # addr = 0x060E360
+
+    print('    ' + hex(addr))
+    addr = pwndbg.memory.u64(addr)
+    free = []
+
+    while addr and pwndbg.memory.peek(addr):
+        free.append(addr)
+        size   = pwndbg.memory.u64(addr)
+
+        in_use = size & 1
+        size   &= ~3
+
+        linkedlist = (addr + 8 + size - 0x10) & pwndbg.arch.ptrmask
+
+        try:
+            bk = pwndbg.memory.u64(linkedlist)
+        except:
+            bk = None
+
+        try:
+            fd = pwndbg.memory.u64(linkedlist+8)
+        except:
+            fd = None
+
+        print('    %#x %#x %s' % (addr, size, '*' if in_use else ''))
+        addr = bk
+    
+    print()
+    return free
+
+def heap_allocations(addr, free):
+    while addr and pwndbg.memory.peek(addr):
+        size   = pwndbg.memory.u64(addr)
+        in_use = size & 1
+        flags  = size & 3
+        done   = not (size & 2)
+        size   &= ~3
+
+        if size > 0x1000:
+            print(red(bold("FOUND CORRUPTION OR END OF DATA")))
+
+        data = ''
+
+        if not in_use or addr in free:
+            print(blue(bold("%#016x - usersize=%#x - [FREE %i]" % (addr, size, flags))))
+
+            linkedlist = (addr + 8 + size - 0x10) & pwndbg.arch.ptrmask
+
+            if not pwndbg.memory.peek(linkedlist):
+                print('Corrupted? (%#x)' % linkedlist)
+
+            bk = pwndbg.memory.u64(linkedlist)
+            fd = pwndbg.memory.u64(linkedlist+8)
+
+            print("  @ %#x" % linkedlist)
+            print("    bk: %#x" % bk)
+            print("    fd: %#x" % fd)
+        else:
+            print(green(bold("%#016x - usersize=%#x" % (addr, size))))
+            pwndbg.commands.hexdump.hexdump(addr+8, size)
+
+        addr += size + 8
+        print()
+
+
+
+@pwndbg.commands.Command
+@pwndbg.commands.OnlyWhenRunning
+def ll(addr=0x637128):
+    """
+    .bss:0000000000637128 ; core_entry *core_list
+    .bss:0000000000637128 core_list       dq ?                    ; DATA XREF: start_main_randomize+19Eo
+    """
+    fd = pwndbg.memory.u64(addr)
+    print('%16s%#16s %#16s %#16s %#16s' % ('', 'o','v','bk','fd'))
+
+    while fd:
+        o = pwndbg.memory.u64(fd)
+        v = pwndbg.memory.u64(o)
+
+        v = pwndbg.symbol.get(v-0x10) or hex(v)
+
+        at = fd
+        bk = pwndbg.memory.u64(fd+8)
+        fd  = pwndbg.memory.u64(fd+16)
+        print('@ %#-15x%#16x %16s %#16x %#16x' % (at, o,v,bk,fd))
--- a/pwndbg/commands/ida.py
+++ b/pwndbg/commands/ida.py
@ -13,12 +13,16 @@ import pwndbg.regs
@pwndbg.commands.ParsedCommand
@pwndbg.commands.OnlyWhenRunning
@pwndbg.events.stop
+@pwndbg.ida.withIDA
 def j(*args):
    """
    Synchronize IDA's cursor with GDB
    """
-    # pc = int(gdb.selected_frame().pc())
-    # pwndbg.ida.Jump(pc)
+    try:
+        pc = int(gdb.selected_frame().pc())
+        pwndbg.ida.Jump(pc)
+    except Exception:
+        pass


 if pwndbg.ida.available():
--- a/pwndbg/commands/shell.py
+++ b/pwndbg/commands/shell.py
@ -16,7 +16,7 @@ shellcmds = [
    "chattr",
    "chmod",
    "chown",
-    "clear",
+    # "clear",
    "cp",
    "date",
    "diff",
--- a/pwndbg/hexdump.py
+++ b/pwndbg/hexdump.py
@ -51,7 +51,7 @@ def hexdump(data, address = 0, width = 16, skip = True):
        if skip and line == last_line:
            if not skipping:
                skipping = True
-                yield '*'
+                yield '...'
            continue
        else:
            skipping  = False
--- a/pwndbg/typeinfo.py
+++ b/pwndbg/typeinfo.py
@ -47,6 +47,9 @@ def update():
    module.int32  = gdb.lookup_type('int')
    module.int64  = gdb.lookup_type('long long')

+    module.ssize_t = module.long
+    module.size_t = module.ulong
+
    module.pvoid  = void.pointer()
    module.ppvoid = pvoid.pointer()
    module.pchar  = char.pointer()