glibc pointer (de)mangling
# for exit-handler function pointers (rotate-and-XOR scheme)
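def shift_right_carry(number: int, shift_amount: int) -> int:
    """Rotate ``number`` right by ``shift_amount`` bits inside a 64-bit word.

    Behaves like the x86-64 ``ror`` instruction: each bit shifted out of the
    low end re-enters at bit 63.  ``number`` is reduced to its low 64 bits
    first so that a wider Python int cannot leak stray high bits into the
    result, and ``shift_amount`` is taken modulo 64 (rotating by 64 is the
    identity, as it was for the original bit-by-bit loop).  A negative amount
    therefore rotates in the opposite direction.

    Args:
        number: value to rotate; only its low 64 bits are significant.
        shift_amount: number of bit positions to rotate right.

    Returns:
        The rotated value as an unsigned 64-bit integer.
    """
    mask = 0xFFFFFFFFFFFFFFFF
    value = number & mask
    k = shift_amount % 64
    if k == 0:
        return value
    # Closed-form rotate instead of an O(shift_amount) single-bit loop.
    return ((value >> k) | (value << (64 - k))) & mask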
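def shift_left_carry(number: int, shift_amount: int) -> int:
    """Rotate ``number`` left by ``shift_amount`` bits inside a 64-bit word.

    Behaves like the x86-64 ``rol`` instruction: bit 63 is carried round into
    bit 0 on every step.  ``number`` is reduced to its low 64 bits first so a
    wider Python int cannot contribute stray bits, and ``shift_amount`` is
    taken modulo 64 (rotating by 64 is the identity, matching the original
    bit-by-bit loop).  A negative amount rotates in the opposite direction.

    Args:
        number: value to rotate; only its low 64 bits are significant.
        shift_amount: number of bit positions to rotate left.

    Returns:
        The rotated value as an unsigned 64-bit integer.
    """
    mask = 0xFFFFFFFFFFFFFFFF
    value = number & mask
    k = shift_amount % 64
    if k == 0:
        return value
    # Closed-form rotate instead of an O(shift_amount) single-bit loop.
    return ((value << k) | (value >> (64 - k))) & mask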
def mangle_instruction_ptr(ins_ptr: int, key: int) -> int:
    """Mangle a code pointer: XOR with ``key``, then rotate left by 0x11 bits.

    The XOR is applied first and the rotation second; ``demangle_instruction_ptr``
    undoes the two steps in the reverse order.

    Args:
        ins_ptr: the plain instruction pointer value.
        key: the per-process guard value the pointer is XOR'd with.

    Returns:
        The mangled 64-bit pointer value.
    """
    return shift_left_carry(ins_ptr ^ key, 0x11)
def demangle_instruction_ptr(mangled_ins_ptr: int, key: int) -> int:
    """Recover a code pointer: rotate right by 0x11 bits, then XOR with ``key``.

    Inverse of ``mangle_instruction_ptr`` — the rotation is undone before the
    XOR, mirroring the mangling steps in reverse.

    Args:
        mangled_ins_ptr: the mangled pointer value.
        key: the same guard value that was used when mangling.

    Returns:
        The original instruction pointer value.
    """
    rotated_back = shift_right_carry(mangled_ins_ptr, 0x11)
    return rotated_back ^ key
# for tcache and fastbin next pointers
def mangle_ptr(next_ptr: int, ptr_loc: int) -> int:
    """Mangle a heap ``next`` pointer against the address it is stored at.

    The stored value is ``next_ptr`` XOR'd with ``ptr_loc >> 12``, i.e. the
    storage address with its low 12 bits dropped.  Because XOR is its own
    inverse, the same operation also demangles.

    Args:
        next_ptr: the plain pointer to be stored.
        ptr_loc: the address of the slot the pointer is written to.

    Returns:
        The mangled pointer value.
    """
    location_key = ptr_loc >> 12
    return next_ptr ^ location_key
def demangle_ptr(mangled_ptr: int, ptr_loc: int) -> int:
    """Recover a heap ``next`` pointer from its mangled stored form.

    XOR is an involution, so demangling is the same operation as mangling:
    XOR the stored value with ``ptr_loc >> 12``.

    Args:
        mangled_ptr: the value read from the pointer slot.
        ptr_loc: the address of that slot.

    Returns:
        The plain pointer value.
    """
    return mangled_ptr ^ (ptr_loc >> 12)