
Merge branch 'beta' into dev

2 parents 8f01294 + 7ba3a1b commit fecd6f8222280e2616dd2bd6ce8753964efa04b9 @Idolf Idolf committed Jan 10, 2017
Showing with 42 additions and 19 deletions.
  1. +10 −3 CHANGELOG.md
  2. +1 −1 README.md
  3. +31 −15 pwnlib/shellcraft/templates/amd64/mov.asm
@@ -11,7 +11,8 @@ The table below shows which release corresponds to each branch, and what date th
| ---------------- | -------- | ---------------------- |
| [3.5.0](#350) | `dev` | Mar 18, 2017 (planned)
| [3.4.0](#340) | `beta` | Feb 4, 2017 (planned)
-| [3.3.2](#332) | `stable` | Jan 10, 2016
+| [3.3.3](#333) | `stable` | Jan 10, 2016
+| [3.3.2](#332) | | Jan 10, 2016
| [3.3.1](#331) | | Jan 10, 2016
| [3.3.0](#330) | | Dec 24, 2016
| [3.2.1](#321) | | Dec 24, 2016
@@ -45,11 +46,17 @@ To be released on Feb 4, 2017.
[b83a6c7]: https://github.com/Gallopsled/pwntools/commit/b83a6c7
[546061e]: https://github.com/Gallopsled/pwntools/commit/546061e
+## 3.3.3
+
+- [#843][843] fixed a bug in `amd64.mov`.
+
+[843]: https://github.com/gallopsled/pwntools/pull/843
+
## 3.3.2
-- [#840][840] Fixed a regression introduced by [#837][837].
+- [#840][840] fixed a regression introduced by [#837][837].
-[840]: https://github.com/Gallopsled/pwntools/pull/840
+[840]: https://github.com/gallopsled/pwntools/pull/840
## 3.3.1
@@ -2,7 +2,7 @@
![pwntools logo](https://github.com/Gallopsled/pwntools/blob/stable/docs/source/logo.png?raw=true)
[![Docs](https://readthedocs.org/projects/pwntools/badge/?version=stable)](https://docs.pwntools.com/)
-[![PyPI](https://img.shields.io/badge/pypi-v3.3.2-green.svg?style=flat)](https://pypi.python.org/pypi/pwntools/)
+[![PyPI](https://img.shields.io/badge/pypi-v3.3.3-green.svg?style=flat)](https://pypi.python.org/pypi/pwntools/)
[![Travis](https://travis-ci.org/Gallopsled/pwntools.svg)](https://travis-ci.org/Gallopsled/pwntools)
[![Coveralls](https://img.shields.io/coveralls/Gallopsled/pwntools/dev.svg)](https://coveralls.io/github/Gallopsled/pwntools?branch=dev)
[![Twitter](https://img.shields.io/badge/twitter-pwntools-4099FF.svg?style=flat)](https://twitter.com/pwntools)
@@ -61,17 +61,26 @@ Example:
mov rax, 0x1010110dfac01fe
xor [rsp], rax
pop rax
- >>> with context.local(os = 'linux'):
- ... print shellcraft.amd64.mov('eax', 'SYS_read').rstrip()
- xor eax, eax /* (SYS_read) */
- >>> with context.local(os = 'freebsd'):
- ... print shellcraft.amd64.mov('eax', 'SYS_read').rstrip()
- push (SYS_read) /* 3 */
- pop rax
- >>> with context.local(os = 'linux'):
- ... print shellcraft.amd64.mov('eax', 'PROT_READ | PROT_WRITE | PROT_EXEC').rstrip()
- push (PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */
- pop rax
+ >>> print shellcraft.amd64.mov('rax', 0xffffffff).rstrip()
+ mov eax, 0xffffffff
+ >>> print shellcraft.amd64.mov('rax', 0x7fffffff).rstrip()
+ mov eax, 0x7fffffff
+ >>> print shellcraft.amd64.mov('rax', 0x80010101).rstrip()
+ mov eax, 0x80010101
+ >>> print shellcraft.amd64.mov('rax', 0x80000000).rstrip()
+ mov eax, 0x1010101 /* 2147483648 == 0x80000000 */
+ xor eax, 0x81010101
+ >>> with context.local(os = 'linux'):
+ ... print shellcraft.amd64.mov('eax', 'SYS_read').rstrip()
+ xor eax, eax /* (SYS_read) */
+ >>> with context.local(os = 'freebsd'):
+ ... print shellcraft.amd64.mov('eax', 'SYS_read').rstrip()
+ push (SYS_read) /* 3 */
+ pop rax
+ >>> with context.local(os = 'linux'):
+ ... print shellcraft.amd64.mov('eax', 'PROT_READ | PROT_WRITE | PROT_EXEC').rstrip()
+ push (PROT_READ | PROT_WRITE | PROT_EXEC) /* 7 */
+ pop rax
Args:
dest (str): The destination register.
@@ -99,25 +108,32 @@ if get_register(src):
if dest.size == 64 and src.size <= 32:
dest = get_register(dest.native32)
- src_size = src.size
else:
with ctx.local(arch = 'amd64'):
src = eval(src)
if not dest.fits(src):
log.error("cannot mov %s, %r: dest is smaller than src" % (dest, src))
- src_size = bits_required(src)
+ orig_dest = dest
- if dest.size == 64 and src_size <= 32:
+ if dest.size == 64 and bits_required(src) <= 32:
dest = get_register(dest.native32)
# Calculate the packed version
srcp = packing.pack(src & ((1<<dest.size)-1), dest.size)
# Calculate the unsigned and signed versions
srcu = packing.unpack(srcp, dest.size, sign=False)
- srcs = packing.unpack(srcp, dest.size, sign=True)
+
+ # N.B.: We may have downsized the register for e.g. mov('rax', 0xffffffff)
+ # In this case, srcp is now a 4-byte packed value, which will expand
+ # to "-1", which isn't correct.
+ if orig_dest.size != dest.size:
+ srcs = src
+ else:
+ srcs = packing.unpack(srcp, dest.size, sign=True)
+
%>\
% if is_register(src):
% if src == dest:
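Review bot: The narrowed-destination branch assigns `srcs = src` without the `& ((1<<dest.size)-1)` mask that `srcp` and `srcu` receive, so the signed and unsigned views can disagree for a negative immediate: `src` comes straight out of `eval(src)` and may be any Python int, and if `bits_required()` accepts negative values (not visible in this hunk) `mov('rax', -1)` would narrow `dest` to eax with `srcu == 0xffffffff` but `srcs == -1`. Either reject sign-extending immediates before the narrowing step, or add a doctest alongside the new ones in the earlier hunk such as `>>> print shellcraft.amd64.mov('rax', -1).rstrip()` so the intended output for that case is pinned. The comment above the branch would also be clearer if it named the sentinel it relies on, e.g. `# orig_dest is kept only to detect that dest was narrowed from 64 to 32 bits above`. The enclosing `<% %>` block begins before this hunk and the template lines that consume `srcs`/`srcu` continue after it.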
