@k4lizen
Last active May 3, 2024 17:29
glibc pointer (de)mangling
# for exit funcs
def shift_right_carry(number: int, shift_amount: int) -> int:
    """Rotate a 64-bit value right by ``shift_amount`` bits (x86-64 ``ror``).

    Each step moves the low bit into bit 63, so the value is rotated rather
    than shifted.  Assumes ``0 <= number < 2**64``; wider or negative inputs
    are not masked and the result would not be a clean 64-bit rotation.

    Args:
        number: 64-bit unsigned value to rotate.
        shift_amount: number of single-bit rotation steps to apply.

    Returns:
        The rotated 64-bit value.
    """
    for _ in range(shift_amount):
        # Bit 0 wraps around to bit 63; everything else moves down by one.
        wrapped = (number & 1) << 63
        number = (number >> 1) | wrapped
    return number
def shift_left_carry(number: int, shift_amount: int) -> int:
    """Rotate a 64-bit value left by ``shift_amount`` bits (x86-64 ``rol``).

    Each step moves bit 63 into bit 0 and truncates the result to 64 bits,
    so the value is rotated rather than shifted.  Note that with
    ``shift_amount == 0`` the input is returned unmasked.

    Args:
        number: 64-bit unsigned value to rotate.
        shift_amount: number of single-bit rotation steps to apply.

    Returns:
        The rotated 64-bit value.
    """
    mask64 = 0xFFFFFFFFFFFFFFFF
    for _ in range(shift_amount):
        # Bit 63 wraps around to bit 0; the shift is truncated to 64 bits.
        top_bit = (number >> 63) & 1
        number = ((number << 1) & mask64) | top_bit
    return number
def mangle_instruction_ptr(ins_ptr: int, key: int) -> int:
    """Mangle a code pointer the way glibc's x86-64 ``PTR_MANGLE`` does.

    The pointer is XORed with the process's pointer guard and then rotated
    left by 17 (``0x11``) bits.  The protection relies entirely on ``key``
    staying secret: anyone holding it can forge a valid mangled pointer.

    Args:
        ins_ptr: the raw (unmangled) function pointer.
        key: the per-process pointer guard value.

    Returns:
        The mangled 64-bit pointer.
    """
    # XOR first, rotate second -- the order matters for demangling.
    return shift_left_carry(ins_ptr ^ key, 0x11)
def demangle_instruction_ptr(mangled_ins_ptr: int, key: int) -> int:
    """Undo ``mangle_instruction_ptr`` (glibc's x86-64 ``PTR_DEMANGLE``).

    Reverses the two steps in the opposite order: rotate right by 17
    (``0x11``) bits, then XOR with the pointer guard.

    Args:
        mangled_ins_ptr: the mangled 64-bit pointer.
        key: the per-process pointer guard value used when mangling.

    Returns:
        The original function pointer.
    """
    # Rotate first, XOR second -- the exact inverse of the mangling order.
    rotated_back = shift_right_carry(mangled_ins_ptr, 0x11)
    return rotated_back ^ key
# for tcache and fastbin next pointers
def mangle_ptr(next_ptr: int, ptr_loc: int) -> int:
    """Apply glibc safe-linking (``PROTECT_PTR``) to a tcache/fastbin link.

    The stored ``next`` pointer is XORed with the page-aligned part of its own
    storage address (``ptr_loc >> 12``), so the protection is only as strong
    as the heap address remaining unknown.

    Args:
        next_ptr: the raw ``next`` pointer to store in the chunk.
        ptr_loc: the address at which that pointer is stored.

    Returns:
        The protected value as it appears in memory.
    """
    # Only the address bits above the 4 KiB page offset act as the key.
    page_key = ptr_loc >> 12
    return next_ptr ^ page_key
def demangle_ptr(mangled_ptr: int, ptr_loc: int) -> int:
    """Recover a safe-linked tcache/fastbin ``next`` pointer.

    XOR is its own inverse, so unprotecting is the same operation as
    protecting given the same storage address.

    Args:
        mangled_ptr: the protected value read from the chunk.
        ptr_loc: the address at which that value is stored.

    Returns:
        The original ``next`` pointer.
    """
    unprotected = mangle_ptr(mangled_ptr, ptr_loc)
    return unprotected