Encode the shellcode to avoid the listed bytes (provided as hex)
-n, --newline Encode the shellcode to avoid newlines
-z, --zero Encode the shellcode to avoid NULL bytes
-d, --debug Debug the shellcode with GDB
-e ENCODER, --encoder ENCODER
Specific encoder to use
-i INFILE, --infile INFILE
Specify input file
-r, --run Run output
这里的asm命令有一个-z选项和-n选项,可以通过修改原本的指令来避免指令中出现换行和空字符。但是经过实际测试发现,这个功能转换出来的汇编指令并不是很好看。因此asm的这两个选项谨慎使用。
### 2. checksec
usage: pwn checksec [-h] [–file [elf …]] [elf …]
Check binary security settings
positional arguments:
elf Files to check
options:
-h, --help show this help message and exit
–file [elf …] File to check (for compatibility with checksec.sh)
这个命令就不必多言了,检查ELF的安全选项,常用的命令。
### 3. constgrep
usage: pwn constgrep [-h] [-e] [-i] [-m] [-c arch_or_os] regex [constant]
Looking up constants from header files.
Example: constgrep -c freebsd -m ^PROT_ ‘3 + 4’
positional arguments:
regex The regex matching constant you want to find
constant The constant to find
options:
-h, --help show this help message and exit
-e, --exact Do an exact match for a constant instead of searching for a regex
-i, --case-insensitive
Search case insensitive
-m, --mask-mode Instead of searching for a specific constant value, search for values not containing strictly less bits that the given value.
-c arch_or_os, --context arch_or_os
The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘baremetal’, ‘cgc’, ‘freebsd’, ‘linux’,
‘windows’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘sparc64’, ‘mips64’, ‘msp430’, ‘alpha’, ‘amd64’, ‘riscv’, ‘sparc’, ‘thumb’, ‘cris’, ‘i386’, ‘ia64’, ‘m68k’, ‘mips’, ‘s390’,
‘none’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘be’, ‘eb’, ‘le’, ‘el’]
这个命令的功能有点意思。我们都知道在C语言标准库中有很多的宏定义常量,如mmap中的映射选项、读写权限选项等,有的时候,这种常量可能很多,在IDA中查看源码的时候,IDA当然是不可能会将函数传入的常数转换为这种宏定义的,这就会让我们阅读代码带来一定的困难,还需要去查阅源码才能知道传入常量的具体含义。而constgrep命令则允许我们通过一定的正则匹配筛选出源码中的常量,然后根据我们给出的值自动进行或操作拼接,最终给出原本的宏定义含义。如输入命令constgrep -c amd64 -m ^PROT\_ 7,其输出如下: