ropval auto addition

hawaii67 · Jan 24, 2013 · 532e297 · 532e297
1 parent f2160ec
commit 532e297
Showing 1 changed file with 63 additions and 19 deletions.
diff --git a/ropval.py b/ropval.py
@@ -12,36 +12,42 @@
 import os
 import re
 
+
+def find_first(number):
+	for items in result:
+		if items[0] <= number:
+			return (items)
+
+
 if len(sys.argv) < 2:
-	print 'To Use: '+ sys.argv[0]+' elffilename (offset)'
-	print 'Will find all static numeric values'
+	print'  Will find all static numeric values'
 	print 'very usefull for a rop add eax,[ebx-xxxxxx]'
 	print ' ex : ropval.py mybinary 0xb8a0008 | sort -n'
-
 	sys.exit()
+
 file = open(sys.argv[1], 'rb')
 filename = sys.argv[1]
 byteArr = bytearray(file.read())
 file.close()
 filesize = len(byteArr)
 
-#print "- Loaded " + str(filesize) + " Bytes"
+print "- Loaded " + str(filesize) + " Bytes"
 sys.stdout.flush()
-#print "- Elfread "
+print "- Elfread "
 sys.stdout.flush()
 
-if len(sys.argv) == 3:
+if len(sys.argv) >= 3:
 	offset=int(sys.argv[2],16)
 else:
 	offset=0
 
 
-
+# Find all mapped section in elf (thank's to readelf)
 elf=[]
 import subprocess
 cmd = subprocess.Popen('readelf -S '+sys.argv[1], shell=True, stdout=subprocess.PIPE)
 for line in cmd.stdout:
-	match = re.match(r'.* (AX|A|WA) ', line)
+	match = re.match(r'.* (AX|A) ', line)
 	if match:
 #		print line.rstrip()
 		regex = re.search(r']\s\S+\s+\S+\s+([0-9a-f]{8})\s([0-9a-f]{6})\s([0-9a-f]{6})',line)
@@ -50,9 +56,10 @@
 			elf.append([int(regex.group(2),16),int(regex.group(3),16),int(regex.group(1),16)])
 
 print "- Finding values"
+sys.stdout.flush()
 result= []
 
-
+# Fetch all possible values from elf sections
 for section in elf:
 	j = 0
 	for i in range(section[0],section[0]+section[1]-4):
@@ -61,20 +68,57 @@
 		for items in result:
 			if int(potential) == items[0]:
 				found = True
+				break
 		if not found:
 			result.append ( [int(potential), section[2]+j ])	
 		j = j+1
 
-print "Decval","Hexval","mOffset",
-if offset<>0:
-	print "sOffest"
-else:
+result.sort()
+
+if len(sys.argv) == 5:
+	print "Find a way from "+ sys.argv[3] + " to " + sys.argv[4],
+	SRC = int(sys.argv[3],16)
+	DST = int(sys.argv[4],16)
+	if DST > SRC:
+		GAP = DST-SRC
+	else:
+		GAP = 0xFFFFFFFF - SRC + DST + 1
+	print "Gap is " + hex(GAP)
+	result.reverse()
+	SOLUTION= []
+	print "solution :"+ str(GAP)+" sub(",
+	while GAP <> 0:
+		# hopefully 1 is alway present
+		CANDIDATE = find_first(GAP)
+		SOLUTION.append (CANDIDATE)
+		GAP = GAP - CANDIDATE[0]
+	for items in SOLUTION:
+		print str(items[0]),
+	print ")"
+	print "memory location :",
+	for items in SOLUTION:
+		print '%08X' % int(items[1]) + ",",
+	print ""
+	print "memory offset (" + str(offset) + ") :",
+	for items in SOLUTION:	
+		print '"%08X"' % int(int(items[1]+offset) % 0xffffffff) + "," ,
 	print ""
 
-for items in result:
-	print str(items[0]),
-	print '%08X' % items[0] ,
-	print '%08X' % int(items[1]),
+else:
+	print "Decval","Hexval","mOffset",
 	if offset<>0:
-		print '%08X' % int(int(items[1]+offset) % 0xffffffff),
-	print ""
+		print "sOffest"
+	else:
+		print ""
+
+	for items in result:
+		print str(items[0]),
+		print '%08X' % items[0] ,
+		print '%08X' % int(items[1]),
+		if offset<>0:
+			print '%08X' % int(int(items[1]+offset) % 0xffffffff),
+		print ""
+
+
+
+