I know o some disassemble libs , but what I'm looking for is one that has an api like:
void * findAddrOfFirstInstructionStartingFrom( void * startAddress , InstructionType instruction);
void* addr = findAddrOfFirstInstructionStartingFrom(startAddress , JMP);
and other apis smiler to this one like search for something specific not disassemble all instructions stating from an address and get all sorts of info because it slow if you only want to find something specific not everything.
If you know any pls let me know , if there isn't any pls tell me one that is open source and easy to modify.
You did not tag nor tell the processor architecture, so it is unlikely that you get a real answer.
Commonly native code instructions are with very varying length depending on operands they take so you have to disassemble the thing before searching. Otherwise you just find first sequence of bytes that matches the pattern of instruction you search for. It is most likely not a real instruction but part of operands of previous instruction.
EDIT: Since you updated title, i can think of choices Borg and PEDasm are open source. If you drop that open-source thing then definitely IDA pro.
I'm not aware of any API that can do this but it can be accomplished using some command line scripting:
objdump -d --start-address address file | grep -m 1 instruction | cut -d : -f 1
So, for example, to find the first JMP instruction starting at address 0x08048664 in the file a.out, you can do this:
$ objdump -d --start-address 0x08048664 a.out | grep -m 1 jmp | cut -d : -f 1
8048675
What you probably want is not just a library, but some Disassembler Framework. Have a look at IDA-Pro, which also provides a versatile scripting interface (and a disassembler API)
Related
I am trying to find and replace pattern on a very large file (43Go) and face some problems with that. I first tried to use sed for this but it does not seems to be optimized for large file, even smaller than 43 Go so i switched to perl.
I have this command :
perl -0777 -i -pe 's/(public\..)*_seq/\1_id_seq/mg' dump.sql
But it generates a segmentation fault before exiting and turns my dump of 43 Go into a 0 octet file. The file i am trying to parse is a simple postgresql database dump.
Just as an information :
# perl --version
This is perl 5, version 26, subversion 1 (v5.26.1) built for x86_64-linux-gnu-thread-multi
(with 67 registered patches, see perl -V for more detail)
Did someone already faced this problem or have any idea about how to solve this ? I would prefer prefer to keep this one line python command but if you have solutions with any other program i will take it too
-0777 tells perl to load the whole file into memory (see perlrun). If your memory is less than 43 Go (whatever it is), you'll have to find a way to process it in smaller chunks. For example, try dumping the option, or use -00 for the "paragraph mode".
Also note that, unlike in sed, you need to use $1 instead of \1 in the replacement part of a substitution in Perl.
So I've done some Google searching and this is something that has very little knowledge out there. What would be an effective and foolproof way of detecting whether X11 or Wayland is in use, preferrably at compile-time and with CMake? I need to apply this to a C++ project of mine.
The accepted answer is very inaccurate and dangerous. It just runs loginctl to dump a large list of user-sessions and greps every line with a username or other string that matches the current user's name, which can lead to false positives and multiple matching lines. Calling whoami is also wasteful. So it's harmful, and inaccurate.
Here's a much better way to get the user's session details, by querying your exact username's details and grabbing their 1st session scope's id.
This is a Bash/ZSH-compatible one-liner solution:
if [ "$(loginctl show-session $(loginctl user-status $USER | grep -E -m 1 'session-[0-9]+\.scope' | sed -E 's/^.*?session-([0-9]+)\.scope.*$/\1/') -p Type | grep -ic "wayland")" -ge 1 ]; then
echo "Wayland!"
else
echo "X11"
fi
I really wish that loginctl had a "list all sessions just for a specific user", but it doesn't, so we have to resort to these tricks. At least my trick is a LOT more robust and should always work!
I assume you want to evaluate the display server during compile time, when calling CMake, instead of for every compilation. That's how CMake works and hot it should be used. One downside is, that you have to re-run CMake for every changed display server.
There is currently no default way to detect the running display server. Similar, there is no default code snippet to evaluate the display server by CMake. Just pick one way of detecting the display server that manually works for you or your environment respectively.
Call this code from CMake and store the result in a variable and use it for your C++ code.
For example loginctl show-session $(loginctl | grep $(whoami) | awk '{print $1}') -p Type works for me. The resulting CMake check is
execute_process(
"loginctl show-session $(loginctl | grep $(whoami) | awk '{print $1}') -p Type"
OUTPUT_VARIABLE result_display_server)
if ("${resulting_display_server}" EQUALS "Type=x11")
set(display_server_x11 TRUE)
else()
set(display_server_x11 FALSE)
endif()
Probably you have to fiddle around with the condition and check for Type=wayland or similar to get it properly working in your environment.
You can use display_server_x11 and write it into a config.h file to use it within C++ code.
I have a stripped binary to analyze. Some interesting code is located at address 0x1234, how do I find all jumps to that address ?
(of course I don't expect to find computed jumps to that address, just the ones which are hardcoded). I cannot use a simple search since the jumps instruction are typically coded with relative offset and there are many kind of jumps (je, jne, jmp...). I am working with GDB-PEDA on x86_64 / linux for now if it has to be a platform specific approach.
how do I find all jumps to that address?
Try objdump -d a.out | egrep 'j.* 0x1234'
I have an application that needs to use GDB/MI to get information about a process. Right now I am setting a breakpoint in main and running the process. By using "info locals" I can get a neat list of the local variables in the current frame. While this is good, I need to be able to see what the global variables are.
Is there a way to do this that isn't too painful? I can use "info variables" and get a list of ALL variables that is way too extensive and could hurt the performance of my application. Is there a simpler way to get a list of the global variables?
EDIT: Added that I'm wanting to use GDB/MI.
According to GDB docs the info variables will print out any variables defined outside of functions. This will include your globals and static variables.
If you know the name of the global, or follow a particular naming pattern, you can provide GDB with regex to narrow it down.
So I found a solution for what I want to do.
I followed this answer here. However, I found that when I ran the command that was given in the answer, I got some unneeded garbage (I'm running this on a Mac). I fixed this by eliminating the lines that end in .eh and I noticed that the other lines had lines that started with "__" so I eliminated lines with " __" (that's a space before the two underscores). I used the following to get the correct output:
g++ -O0 -c test.cpp && nm test.o | egrep ' [A-Z] ' | egrep -v ' [UTW] ' | egrep -v '.eh' | egrep -v ' __'
I am experimenting with a brute force attack using C++ against a password protected rar file. I am already able to generate all of the possible 'passwords'. I am just unsure how to automate attempts to extract the archive using each of the generated combinations from my program. I'm on Windows and am trying to do this with WinRar.
One could somewhat easily do something like:
int main (int argc, char** argv)
{
for (;;) {
/* do something */
cout << clever_password << "\0";
}
}
… and then in the shell, simply:
your-clever-password-guesser | \
sed -e 's,'\'','\''"'\''"'\'',g' | \
xargs -0 -n1 -r -t -I {} -- unrar e 'p{}' some-file.rar
Breaking that down:
Print out each password guess with a terminating '\0' character. This allows the password to (potentially) contain things like spaces and tabs that might otherwise “mess up” in the shell.
Ask the stream editor sed to protect you from apostrophes '. Each ' must be encoded as a sequence of '\'' (apos-backslash-apos-apos) or '"'"' (apos-quote-apos-quote-apos) to pass through the shell safely. The s///g pattern replaces every ' with '"'"', but the apostrophes that it, itself is passing to sed are written as '\''. (I mixed the styles of escaping the ' to make it easier for me to distinguish between the apostrophe-escaping for sed and the apostrophe-escaping which sed is adding to the stream of passwords.) One could, instead, alter the strings as they're being printed in the C++ program.
Invoke xargs to run unrar with each password, with the options that mean:
Each password is delimited by \0 (-0)
Use only one at a time (-n1)
Don't run if there isn't anything to do (-r) — e.g. if your program didn't print out any possible passwords at all.
Show the command-line as it's going to be run (-t) — this lets you monitor the guesses as they fly past on your screen
Put the password in place of the somewhat traditional for that purpose symbol {} (-I {})
Then, run the command that follows --
Extract from the RAR file (unrar e …)
With the password given replacing the {} in 'p{}'; the ' here protect against spaces and things that may be in the password
Then, the filename to un-RAR
If you wanted to try to run multiple unrar instances in parallel, you could also insert -P4 into the xargs invocation (e.g. …-I {} -P4 --…) to run 4 instances at a time; adjust this until your machine gets too loaded down to gain any benefits. (Since this is likely disc I/O bound, you might want to make sure to copy the RAR file into a RAM filesystem like /tmp or /run before starting it, if it's a reasonable size, so that you're not waiting on disc I/O as much, but the OS will likely cache the file after a few dozen rounds, so that might not actually help much over the course of a long run.)
This is a brute-force way to do it, but doesn't require as deep a knowledge of programming as, say, using fork/exec/wait to launch unrar processes, or using a rar-enabled library to do it yourself (which would probably yield a significant improvement in speed over launching the executable hundreds or thousands of times)
PS
I realized afterwards that perhaps you're looking for interaction with the actual WinRAR™ program. The above isn't at all helpful for that; but it will enable you to run the command-line unrar repeatedly.
Also, if you're on a Windows system, you'd need to install some of the standard shell utilities — a POSIX-compatible Bourne shell like BASH, sed, and xargs — which might imply something like Cygwin being needed. I don't have any practical experience with Windows systems to give good advice about how to do that, though.
Winrar has an api, though it only supports decompression. This is as simple as one function call from their api to attempt to decompress the file. Follow the link:
http://www.rarlab.com/rar_add.htm
Good luck!