From f376df092ab134550958390087279fa08f88dbca Mon Sep 17 00:00:00 2001
From: Zach Riggle
Date: Sat, 21 May 2016 11:13:16 -0700
Subject: [PATCH 1/6] Add stuff for DEFCON quals; if you watch my commits close enough to see this, you deserve it.
---
 pwndbg/__init__.py | 1 +
 pwndbg/commands/defcon.py | 91 +++++++++++++++++++++++++++++++++++++++
 pwndbg/hexdump.py | 2 +-
 3 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 pwndbg/commands/defcon.py
diff --git a/pwndbg/__init__.py b/pwndbg/__init__.py
index c0411f962..851945d5c 100644
--- a/pwndbg/__init__.py
+++ b/pwndbg/__init__.py
@@ -60,6 +60,7 @@ import pwndbg.commands.segments
 import pwndbg.commands.xor
 import pwndbg.commands.peda
 import pwndbg.commands.gdbinit
+import pwndbg.commands.defcon
diff --git a/pwndbg/commands/defcon.py b/pwndbg/commands/defcon.py
new file mode 100644
index 000000000..1853bcc87
--- /dev/null
+++ b/pwndbg/commands/defcon.py
@@ -0,0 +1,91 @@
+from __future__ import print_function
+import gdb
+
+import pwndbg.vmmap
+import pwndbg.commands
+import pwndbg.memory
+
+from pwndbg.color import bold, blue, green, red
+
+@pwndbg.commands.Command
+@pwndbg.commands.OnlyWhenRunning
+def heap(addr=0x2aaaaaaaf000):
+ free = []
+
+ try:
+ free = heap_freebins()
+ except Exception as e:
+ print(e)
+ pass
+
+ try:
+ heap_allocations(addr, free)
+ except Exception as e:
+ print(e)
+ pass
+
+
+
+def heap_freebins(addr=0x060E360):
+ print(bold('Linked List'))
+
+ # addr = 0x0602558
+ addr = 0x060E360
+ print(' ' + hex(addr))
+ addr = pwndbg.memory.u64(addr)
+ free = []
+
+ while True:
+ if not pwndbg.memory.peek(addr):
+ break
+
+ free.append(addr)
+ size = pwndbg.memory.u64(addr)
+ in_use = size & 1
+ size &= ~3
+
+ linkedlist = addr + 8 + size - 0x10
+
+ bk = pwndbg.memory.u64(linkedlist)
+ fd = pwndbg.memory.u64(linkedlist+8)
+ print(' %#x %#x %s' % (addr, size, '*' if in_use else ''))
+
+ addr = bk
+
+ print()
+ return free
+
+def heap_allocations(addr, free):
+ while True:
+ if not pwndbg.memory.peek(addr):
+ break
+
+ size = pwndbg.memory.u64(addr)
+ in_use = size & 1
+ flags = size & 3
+ done = not (size & 2)
+ size &= ~3
+
+ if size > 0x1000:
+ print(red(bold("FOUND CORRUPTION OR END OF DATA")))
+
+ data = ''
+
+ if not in_use or addr in free:
+ print(blue(bold("%#016x - usersize=%#x - [FREE %i]" % (addr, size, flags))))
+
+ linkedlist = addr + 8 + size - 0x10
+
+ bk = pwndbg.memory.u64(linkedlist)
+ fd = pwndbg.memory.u64(linkedlist+8)
+
+ print(" @ %#x" % linkedlist)
+ print(" bk: %#x" % bk)
+ print(" fd: %#x" % fd)
+ else:
+ print(green(bold("%#016x - usersize=%#x" % (addr, size))))
+ pwndbg.commands.hexdump.hexdump(addr+8, size)
+
+ addr += size + 8
+ print()
+
diff --git a/pwndbg/hexdump.py b/pwndbg/hexdump.py
index 052ddc430..a6debab6f 100644
--- a/pwndbg/hexdump.py
+++ b/pwndbg/hexdump.py
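Review bot: Both walks in this new file follow heap metadata read from the debuggee without any termination guard: `heap_freebins` loops `while True` on `addr = bk`, so a cyclic or self-pointing `bk` chain never exits, and `heap_allocations` prints `FOUND CORRUPTION OR END OF DATA` when `size > 0x1000` but keeps advancing instead of stopping. Since the inspected process may well have damaged chunk headers (that is usually why one runs this), the minimal fix is `if addr in free: break` before `free.append(addr)` and a `break` after the corruption print. The `addr` parameter of `heap_freebins` is dead because `addr = 0x060E360` overwrites it on the next line, and `pwndbg.commands.hexdump.hexdump(addr+8, size)` discards its result, which prints nothing if that wrapper is a generator like the `yield`-based `hexdump` in `pwndbg/hexdump.py` in the next hunk (not verifiable from here). The hard-coded defaults such as `0x2aaaaaaaf000` and `0x060E360` deserve a comment naming the binary they were taken from, since `pwndbg/__init__.py` now registers these commands for every user.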
@@ -51,7 +51,7 @@ def hexdump(data, address = 0, width = 16, skip = True):
 if skip and line == last_line:
 if not skipping:
 skipping = True
- yield '*'
+ yield '...'
 continue
 else:
 skipping = False
From d7e898cfcd66b95f12e97ea7526ceffb62a874b1 Mon Sep 17 00:00:00 2001
From: Zach Riggle
Date: Thu, 26 May 2016 16:17:23 -0700
Subject: [PATCH 2/6] Remove clear command
---
 pwndbg/commands/shell.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pwndbg/commands/shell.py b/pwndbg/commands/shell.py
index 23b0af0ad..55223bb94 100644
--- a/pwndbg/commands/shell.py
+++ b/pwndbg/commands/shell.py
@@ -16,7 +16,7 @@ shellcmds = [
 "chattr",
 "chmod",
 "chown",
- "clear",
+ # "clear",
 "cp",
 "date",
 "diff",
From f7e33ae33f3bc4591e79aa71f652fce5f83dc7f8 Mon Sep 17 00:00:00 2001
From: Zach Riggle
Date: Thu, 26 May 2016 16:17:38 -0700
Subject: [PATCH 3/6] Dont explode if argv is broken
---
 pwndbg/argv.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/pwndbg/argv.py b/pwndbg/argv.py
index 3becfa682..8c34f4de0 100644
--- a/pwndbg/argv.py
+++ b/pwndbg/argv.py
@@ -41,8 +41,10 @@ def update():
 envp = sp
 envc = 0
- while pwndbg.memory.u(sp, ptrbits):
- sp += ptrsize
- envc += 1
-
+ try:
+ while pwndbg.memory.u(sp, ptrbits):
+ sp += ptrsize
+ envc += 1
+ except gdb.MemoryError:
+ pass
From e341e227e99fedc38f5d422d0d69f72cd0877626 Mon Sep 17 00:00:00 2001
From: Zach Riggle
Date: Thu, 26 May 2016 16:17:48 -0700
Subject: [PATCH 4/6] Update defcon tools
---
 pwndbg/commands/defcon.py | 62 +++++++++++++++++++++++++++++----------
 1 file changed, 46 insertions(+), 16 deletions(-)
diff --git a/pwndbg/commands/defcon.py b/pwndbg/commands/defcon.py
index 1853bcc87..4aca17a25 100644
--- a/pwndbg/commands/defcon.py
+++ b/pwndbg/commands/defcon.py
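Review bot: The new `except gdb.MemoryError: pass` in argv.py's `update()` leaves `envc` at whatever count was reached when the read failed, and nothing in the code says the environment count is now best-effort. Replace the bare `pass` with a comment such as `# best-effort: stop at the first unreadable envp slot and keep the partial count` so the next reader does not treat `envc` as exact; `update()` continues outside this hunk, so whether the partial value is consumed later is not visible here. Whether `gdb` is imported in argv.py is also outside the hunk and should be checked, since the handler would otherwise raise a NameError on the very path it is meant to protect.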
@@ -3,13 +3,15 @@ import gdb
 import pwndbg.vmmap
 import pwndbg.commands
+import pwndbg.symbol
 import pwndbg.memory
 from pwndbg.color import bold, blue, green, red
 @pwndbg.commands.Command
 @pwndbg.commands.OnlyWhenRunning
-def heap(addr=0x2aaaaaaaf000):
+def heap(addr=0x2aaaaaad5000):
+# def heap(addr=0x2aaaaaaaf000):
 free = []
 try:
@@ -26,40 +28,43 @@ def heap(addr=0x2aaaaaaaf000):
-def heap_freebins(addr=0x060E360):
+def heap_freebins(addr=0x0602558):
 print(bold('Linked List'))
 # addr = 0x0602558
- addr = 0x060E360
+ # addr = 0x060E360
+
 print(' ' + hex(addr))
 addr = pwndbg.memory.u64(addr)
 free = []
- while True:
- if not pwndbg.memory.peek(addr):
- break
-
+ while addr and pwndbg.memory.peek(addr):
 free.append(addr)
 size = pwndbg.memory.u64(addr)
+
 in_use = size & 1
 size &= ~3
- linkedlist = addr + 8 + size - 0x10
+ linkedlist = (addr + 8 + size - 0x10) & pwndbg.arch.ptrmask
- bk = pwndbg.memory.u64(linkedlist)
- fd = pwndbg.memory.u64(linkedlist+8)
- print(' %#x %#x %s' % (addr, size, '*' if in_use else ''))
+ try:
+ bk = pwndbg.memory.u64(linkedlist)
+ except:
+ bk = None
+
+ try:
+ fd = pwndbg.memory.u64(linkedlist+8)
+ except:
+ fd = None
+ print(' %#x %#x %s' % (addr, size, '*' if in_use else ''))
 addr = bk
 print()
 return free
 def heap_allocations(addr, free):
- while True:
- if not pwndbg.memory.peek(addr):
- break
-
+ while addr and pwndbg.memory.peek(addr):
 size = pwndbg.memory.u64(addr)
 in_use = size & 1
 flags = size & 3
@@ -74,7 +79,10 @@ def heap_allocations(addr, free):
 if not in_use or addr in free:
 print(blue(bold("%#016x - usersize=%#x - [FREE %i]" % (addr, size, flags))))
- linkedlist = addr + 8 + size - 0x10
+ linkedlist = (addr + 8 + size - 0x10) & pwndbg.arch.ptrmask
+
+ if not pwndbg.memory.peek(linkedlist):
+ print('Corrupted? (%#x)' % linkedlist)
 bk = pwndbg.memory.u64(linkedlist)
 fd = pwndbg.memory.u64(linkedlist+8)
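Review bot: In the last hunk, `if not pwndbg.memory.peek(linkedlist): print('Corrupted? (%#x)' % linkedlist)` only prints and then falls through to `pwndbg.memory.u64(linkedlist)` on the very next line, which is exactly the read the check just found unreadable, so the warning is immediately followed by a MemoryError escaping `heap_allocations` into the `except Exception` in `heap`. Make it `print('Corrupted? (%#x)' % linkedlist); break` rather than `continue`, since `addr` is only advanced at the bottom of the loop (outside this hunk) and a `continue` would spin forever. In the `heap_freebins` hunk the two bare `except:` clauses should be `except gdb.MemoryError:` (or at least `except Exception:`), because a bare except also swallows KeyboardInterrupt while walking a long or cyclic list, and `fd` is read there but never used. `pwndbg.arch.ptrmask` is referenced without an `import pwndbg.arch` in the import hunk above; this presumably works only because another module has already imported `pwndbg.arch`, which is worth making explicit.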
@@ -89,3 +97,25 @@ def heap_allocations(addr, free):
 addr += size + 8
 print()
+
+
+@pwndbg.commands.Command
+@pwndbg.commands.OnlyWhenRunning
+def ll(addr=0x637128):
+ """
+ .bss:0000000000637128 ; core_entry *core_list
+ .bss:0000000000637128 core_list dq ? ; DATA XREF: start_main_randomize+19Eo
+ """
+ fd = pwndbg.memory.u64(addr)
+ print('%16s%#16s %#16s %#16s %#16s' % ('', 'o','v','bk','fd'))
+
+ while fd:
+ o = pwndbg.memory.u64(fd)
+ v = pwndbg.memory.u64(o)
+
+ v = pwndbg.symbol.get(v-0x10) or hex(v)
+
+ at = fd
+ bk = pwndbg.memory.u64(fd+8)
+ fd = pwndbg.memory.u64(fd+16)
+ print('@ %#-15x%#16x %16s %#16x %#16x' % (at, o,v,bk,fd))
From 6a27e94b9b1ec700cafa0f17dccad8cfe1d29c50 Mon Sep 17 00:00:00 2001
From: Zach Riggle
Date: Thu, 26 May 2016 16:17:55 -0700
Subject: [PATCH 5/6] Restore IDA jmp
---
 pwndbg/commands/ida.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/pwndbg/commands/ida.py b/pwndbg/commands/ida.py
index 9e9402f6f..6481cbce9 100644
--- a/pwndbg/commands/ida.py
+++ b/pwndbg/commands/ida.py
@@ -13,12 +13,16 @@ import pwndbg.regs
 @pwndbg.commands.ParsedCommand
 @pwndbg.commands.OnlyWhenRunning
 @pwndbg.events.stop
+@pwndbg.ida.withIDA
 def j(*args):
 """ Synchronize IDA's cursor with GDB """
- # pc = int(gdb.selected_frame().pc())
- # pwndbg.ida.Jump(pc)
+ try:
+ pc = int(gdb.selected_frame().pc())
+ pwndbg.ida.Jump(pc)
+ except Exception:
+ pass
 if pwndbg.ida.available():
From 83ebc887c4196d3ac6b60ff2c2d3b2c905f0165a Mon Sep 17 00:00:00 2001
From: Zach Riggle
Date: Thu, 26 May 2016 16:19:03 -0700
Subject: [PATCH 6/6] Add size_t and ssize_t
---
 pwndbg/typeinfo.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pwndbg/typeinfo.py b/pwndbg/typeinfo.py
index 74ce365dc..8f9cc6bc2 100644
--- a/pwndbg/typeinfo.py
+++ b/pwndbg/typeinfo.py
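Review bot: The new `ll` command walks a list by following `fd = pwndbg.memory.u64(fd+16)` with no guard other than `while fd:`, so a cycle in the debuggee's list hangs GDB and an unreadable `fd`, `o` or `fd+8` raises a MemoryError straight out of the command, since unlike `heap` nothing here catches it. A `seen = set()` before the loop with `while fd and fd not in seen:` and `seen.add(fd)` as the first statement of the body stops the cycle case, and checking `pwndbg.memory.peek(fd)` before the reads handles the unreadable case. The default `addr=0x637128` and the `v-0x10` adjustment are specific to one binary; the docstring pastes the IDA listing but should state that, e.g. `Walk the core_list linked list of the DEFCON quals binary; addr is the address of the list head (default taken from IDA).`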
@@ -47,6 +47,9 @@ def update(): module.int32 = gdb.lookup_type('int') module.int64 = gdb.lookup_type('long long') + module.ssize_t = module.long + module.size_t = module.ulong + module.pvoid = void.pointer() module.ppvoid = pvoid.pointer() module.pchar = char.pointer()
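Review bot: `module.ssize_t = module.long` and `module.size_t = module.ulong` bake in the assumption that `long` has pointer width, which holds for LP64 and ILP32 targets but not for LLP64 ones (64-bit Windows, where `long` is 32 bits), so `size_t` would silently come out half the correct size there. If the pointer type or `pwndbg.arch.ptrsize` is reachable from `update()` (the rest of the function is outside this hunk), deriving the pair from that is safer; at minimum add `# size_t/ssize_t: assumes long has pointer width (LP64/ILP32), wrong on LLP64` above the two lines. `module.long` and `module.ulong` are not visible here and are presumably assigned earlier in `update()`; that ordering dependency is worth a glance, since these two lines will raise an AttributeError if they are assigned later.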