I've struggled the past 2 hours with the new Websocket version. I've managed to get the handshake and receiving these new frames, but I'm having problems sending them now.
I'm encoding my text like this:
def encode_hybi(buf, opcode, base64=False):
""" Encode a HyBi style WebSocket frame.
Optional opcode:
0x0 - continuation
0x1 - text frame (base64 encode buf)
0x2 - binary frame (use raw buf)
0x8 - connection close
0x9 - ping
0xA - pong
"""
if base64:
buf = b64encode(buf)
b1 = 0x80 | (opcode & 0x0f) # FIN + opcode
payload_len = len(buf)
if payload_len <= 125:
header = struct.pack('>BB', b1, payload_len)
elif payload_len > 125 and payload_len < 65536:
header = struct.pack('>BBH', b1, 126, payload_len)
elif payload_len >= 65536:
header = struct.pack('>BBQ', b1, 127, payload_len)
#print("Encoded: %s" % repr(header + buf))
#return header + buf, len(header), 0
return header+buf
But I don't know in what form I have to pour it to send it over the socket.
By the way: isn't there some easy python websocket module somewhere? My code has now seen 3 websocket versions and it's an utter mess.
Related
I want to send packet over Modbus TCP. I want to use:
But I can not send this way how can I send this packet? (I don't know something will be)
req = struct.pack(
'Something', transaction, identifier, length, unitid, func_code, reg_addr
)
These are my variables:
transaction=0x01
identifier=0x00
length=[0x00,0x06]
unitid=0x01
func_code=0x03
reg_addr=[0x13,0x14,0x15]
At first you can use pymodbus library with very features.
Also struct.pack() not support a list as argument.
0001 0000 0006 11 03 006B 0003 is a standard example of Modbus-TCP packet which contained:
0001: Transaction Identifier
0000: Protocol Identifier
0006: Message Length (6 bytes to follow)
11: The Unit Identifier (17 = 11 hex)
03: The Function Code (read Analog Output Holding Registers)
006B: The Data Address of the first register requested. (40108-40001 = 107 =6B hex)
0003: The total number of registers requested. (read 3 registers 40108 to 40110)
Reference
Thus, you can create a Modbus-TCP packet with the above example:
import struct
transaction = 0x0001
identifier = 0x0000
length = 0x0006
unitid = 0x11
fcode = 0x03 # Holding register fcode.
reg_addr = 0x006B # Register address.
count = 0x0003 # Read three register.
total_pack_string = '0x{:04x}{:04x}{:04x}{:02x}{:02x}{:04x}{:04x}'.format(
transaction, identifier, length, unitid, fcode, reg_addr, count
)
total_pack_hex = hex(int(total_pack_string, 16))
'''Or with using pack method.'''
pack_ = struct.pack(
'>HHHBBHH', transaction, identifier, length, unitid, fcode, reg_addr, count
)
# Then send the pack_ or total_pack_hex using a TCP-Socket.
[NOTE]:
transaction is 2Byte == Short == H
identifier is 2Byte == Short == H
length is 2Byte == Short == H
unitid is 1Byte == B
fcode is 1Byte == B
reg_addr is 2Byte == Short == H
count is 2Byte == Short == H
B is unsigned byte
H is unsigned short
Thus, the format will be like this >HHHBBHH
Using pymodbus equivalent:
from pymodbus.client.sync import ModbusTcpClient
unitid = 0x11
fcode = 0x03 # Holding register fcode.
reg_addr = 0x006B # Register address.
count = 0x0003 # Read three register.
cli = ModbusTcpClient('127.0.0.1', port=502)
if cli.connect():
res = cli.read_holding_registers(reg_addr, count=count, unit=unitid)
if not res.isError():
print(res.registers)
else:
print('There is an error.')
cli.close()
else:
print('Error in connection.')
So, I have a custom way for calculating CRC
Here it is :
class CrcCalc:
def __init__(self):
msk_11_4 = 0x0810
msk_0 = 0x0001
msk_data = 0x80
msk_15 = 0x8000
high = 1
low = 0
def __getcrc(self, buf):
msk_11_4 = 0x0810
# msk_0 = 0x0001
# msk_data = 0x80
msk_15 = 0x8000
crc = 0xffff
j=0
k = j
j += 1
for k in buf[k]:
data = buf[ord(k)]
i = 0
while i <= 7:
data << 1
crc_15 = crc & msk_15
if (data & msk_15):
flag = crc_15
flag = 0 if crc_15 == msk_15 else msk_15
else:
flag = crc_15
if (flag):
crc = ((msk_11_4 ^ crc) << 1) | 1
else:
crc << 1
return crc
I need to send to serial port some data and recieve the answer in bytes.
The data I have to send is : 90 b8 00 00 07 55 a4 7b 00 da 03 02 05 01
the first two bytes are CRC for header, then 5 bytes are header, where last two bytes are CRC of the data and then 7 bytes are data, I need to receive the answer like this ( 39 6d 00 20).
But I can't understand how I must pack my data and send it to serial port to receive something.
So first, you need to call the function def__getcrc(self, buf) to get the return of the program.
Like this (it goes at the very bottom):
__getcrc(num-self-here, number-buf-here)
I put num-self-here and number-buf-here because I don't exactly understand what your program does.
Hope it helped you.
I have a strange problem with using mmap in python when writing to memory (/dev/mem).
To be clear, reading is done in the same manner and it works OK.
But when it comes to writing, it seems that every second byte is unwritable.
ex.
when I read i get
addr 0x200 val 0x1234
but when I try to write
addr 0x200 val 0x4321
what really is written is
addr 0x200 val 0x0021
When I try to write byte by byte, the same happens.
ex.
write:
addr 0x200 0x43
addr 0x201 0x21
I get
addr 0x200 0x00
addr 0x201 0x21
Code:
class Pydump:
def __init__(self, addr, length = 1, word_size = 4, filename = '/dev/mem'):
if addr < 0 or length < 0: raise ValueError('Address or length invalid')
self._verbose = verbose
self.word_size = word_size
self.mask = ~(self.word_size - 1)
self.base_addr = addr & ~(mmap.PAGESIZE - 1)
self.addr_offset = addr - self.base_addr
self.word_length = length
self.no_of_bytes = self.word_length * self.word_size
# align length to full words
end_addr = addr + self.no_of_bytes
if end_addr % self.mask:
end_addr = (end_addr + self.word_size) & self.mask
self.map_length = end_addr - self.base_addr
self.fname = filename
self.fd = os.open(self.fname, os.O_RDWR | os.O_SYNC)
self.mem = mmap.mmap(self.fd, self.map_length, mmap.MAP_SHARED,
mmap.PROT_READ | mmap.PROT_WRITE,
offset=self.base_addr)
def read(self):
mem = self.mem
virt_base_addr = self.addr_offset & self.mask
mem.seek(virt_base_addr)
data = []
for i in range(self.no_of_bytes):
data.append(struct.unpack('B', mem.read_byte())[0])
abs_addr = self.base_addr + virt_base_addr
return PydumpBuffer(abs_addr, data, self.word_size)
def write(self, data):
mem = self.mem
virt_base_addr = self.addr_offset & self.mask
mem.seek(virt_base_addr)
if self.word_size == 1:
mem.write(struct.pack('B', data))
elif self.word_size == 2:
mem.write(struct.pack('H', data))
elif self.word_size == 4:
mem.write(struct.pack('I', data))
else:
raise ValueError('Invalid word size')
def write_bytes(self, bytes):
if len(bytes) != self.no_of_bytes: raise ValueError('Wrong number of bytes given')
mem = self.mem
virt_base_addr = self.addr_offset & self.mask
mem.seek(virt_base_addr)
for byte in bytes:
mem.write_byte(byte)
Example run (I prepared the memory with other memdump tool [bin] to be 0xEEEEEEEE):
>>> from pydump import Pydump as memdump
>>> memdump(0x18007C20, 1, 4).read()
0xEEEEEEEE
>>> memdump(0x18007C20, 1, 4).write(0x12345678)
>>> memdump(0x18007C20, 1, 4).read()
0x00340078
>>> memdump(0x18007C20, 1, 4).write(0x87654321)
>>> memdump(0x18007C20, 1, 4).read()
0x00650021
Example no 2 (I could not write even 2 bytes at 'first' byte place):
>>> memdump(0x18007C20, 1, 2).write(0xABCD)
>>> memdump(0x18007C20, 1, 4).read()
0x00650021
>>> memdump(0x18007C21, 1, 1).write(0xCD)
>>> memdump(0x18007C20, 1, 4).read()
0x00650021
>>> memdump(0x18007C22, 1, 1).write(0xCD)
>>> memdump(0x18007C20, 1, 4).read()
0x00CDCD00
Any thoughts on what could be the problem ?
I know what is wrong now.
The answer is that it's fault as well of python as my specific hardware/driver.
I looked through the implementation of mmap and it uses memcpy, which as we know copies byte by byte. In C implemention this did not happen, when we needed to write 4 bytes, 4 bytes were written.
So here comes the limitation of my hardware/driver which is that every register must be written in full (I did not know this at the time of stating the question), thus when writing byte by byte I will get weird behaviour.
Some registers are 16bit and some are 32bit.
When I was writing 0xFFFF to 16bit register I ended up having 0x00FF. So memcpy was copying 0xFF twice. My driver got write(0xFF) then write(0xFF), so what I was actually doing (because of the python) was two writes to register of byte 0xFF :)
Probably the same happened with 32bit registers, although it looked different (but also the driver may behave different).
For it to work I would have to change the implementation of python mmap :(
I have a file (original.exe) which I edit using OllyDbg but I want to learn how to do this with Python.
In OllyDbg I go to Address:
0045B82C
Then I would change:
JNZ SHORT 0045B89F
To:
JE SHORT 0045B90F
So in python using readtest.py:
offset = 0x0045B82C
with open('original.exe', 'r+b') as victim:
victim.seek(offset)
line = victim.readline()
print(line)
I get:
b'Wf93\x8b\xe9\x89t$\x10u\x05\xe8\x83\'\x00\x00f\x81{\x02\xd3\x07sP\xa1\xe4\xf2\x9c\x00\x8b\x15\xa8#\xae\x00\x8d\x0c\xc0\xc1\xe1\x04\x03\xc8\x8d\x84J\x80\x00\x00\x00\x8b\x8cJ\x80\x00\x00\x00;\xcet+\x8b\t\x89\r\xa45\xa8\x00\x890\xa1\xe4\xf2\x9c\x00\x8d\x14\xc0\xc1\xe2\x04\x03\xd0\xa1\xa8#\xae\x00\x8d\x0cPQ\xe8A\xfb\xcd\xff\x83\xc4\x04\x89pij\xffh\xd3\x07\x00\x00j\x06j\x01\x8dL$,\xe8\xc7\xe6\xce\xff\x8b\x08\x8bP\x04\x89L$\x14f\x8bD$\x16f;C\x02\x89T$\x18\x0f\x85\xa4\x00\x00\x00f;\x0b\x0f\x85\x9b\x00\x00\x00\xa1\xa45\xa8\x00\x83\xf8\xff\x0f\x84\x8d\x00\x00\x00\x8b\x15\xb0#\xae\x00\x8d\x0c\x80\xc1\xe1\x03+\xc8\xa1\xe4\xf2\x9c\x00\x8d\x0cJ\x8d\x14\xc0\xc1\xe2\x04\x03\xd0\xa1\xa8#\xae\x00\x89\x8cP\x80\x00\x00\x00\xa1\xe4\xf2\x9c\x00\x8b\x15\xa8#\xae\x00\x8d\x0c\xc0\xc1\xe1\x04\x03\xc8\x8d4JV\xe8\xae\xfa\xcd\xff\x8b\x8e\x80\x00\x00\x00\x83\xc4\x04\x89Hi\xa1\xa45\xa8\x00\xb9\x90_\x01\x00\x8d\x14\x80\xc1\xe2\x03+\xd0\xa1\xb0#\xae\x00\x89LP<\xa1\xa45\xa8\x00\x8d\x14\x80\xc1\xe2\x03+\xd0\xa1\xb0#\xae\x00\x89LP#\xc7\x05\xa45\xa8\x00\xff\xff\xff\xff\x0f\xbf\x03\x99\xb9\x1e\x00\x00\x00\xf7\xf9\x85\xd2\x0f\x85\xb2\x00\x00\x00\x8b}\x00\x85\xff\x0f\x84\xa7\x00\x00\x00\x8bE\x043\xf6\x85\xc0\x0f\x8e\x9a\x00\x00\x00\x8b\x13\x8bC\x04\x89T$\x14f\x8bT$\x16\x89D$\x183\xc0\x8d\x0c#\x8dD\x8f\x04f\x8bL\x8f\x06f;\xd1w\x15r\'f\x8b\\$\x143\xc9f;\x18\x0f\x9f\xc1\x8b\xc1\x85\xc0t\x14\x8bD$\x10\x8bM\x04#F\x89D$\x10\x0f\xbf\xc6;\xc1|\xc6\x8bD$\x10f\x85\xc0tC\x0f\xbf\xd0\x8bE\x04;\xd0}\x1d\x8d\x0cR+\xc2\xc1\xe1\x02H\x8d\x04#\x8d4\x87\x8b\xc1\xc1\xe9\x02\xf3\xa5\x8b\xc8\x83\xe1\x03\xf3\xa4\x8bE\x04\x8bM\x00+\xc2h\x80\xe3\x85\x00j\x0cPQ\x89E\x04\xe8\x08\x99\x0e\x00\x83\xc4\x10_^][\x83\xc4\x14\xc2\x04\x00\x90\x90\x90\x90\x90\x90\x90\x90\x81\xec\x04\x02\x00\x00SUVWh(\xf9\x98\x00h\xe05\xa8\x00\x8b\xf9h\xa0}\x98\x00\xe8\x80\x03\x0b\x00\x83\xc4\x08P\xe8\x97\xa0\x0e\x00\x8b\xf0\x83\xc4\x08\x85\xf6\x0f\x84"\x03\x00\x00V\x8do\x08j\x01j\x04U\xe8z\xa1\x0e\x00\x83\xc4\x10\x83\xf8\x01tv\x8dD$\x14\x8d\x8c$\x14\x01\x00\x00PQj\x00j\x00h\xb05\xa8\x00\xe8X\x92\x0e\x00\x83\xc4\x14\x8dT$\x14\x8d\x84$\x14\x01\x00\x00h\xf2\x00\x00\x00RP\xe8o\x16\x0b\x00Ph\xe8p\x98\x00h\xd0$\xae\x00\xe8\xce\x91\x0e\x00j\x00h\xd0$\xae\x00h\xe0p\x98\x00\xe8\xae\xc7\xd8\xffV\xc7\x054z\xb6\x00\x00\x00\x00\x00\xe8\x17\x9f\x0e\x00\x83\xc4(3\xc0_^][\x81\xc4\x04\x02\x00\x00\xc3V\x8d_\x04j\x01j\x04S\xe8\xee\xa0\x0e\x00\x83\xc4\x10\x83\xf8\x01t5\x8d\x8c$\x14\x01\x00\x00\x8dT$\x14QRj\x00j\x00h\xb05\xa8\x00\xe8\xcc\x91\x0e\x00\x83\xc4\x14\x8d\x84$\x14\x01\x00\x00\x8dL$\x14h\xf9\x00\x00\x00PQ\xe9o\xff\xff\xff\x8bE\x003\xed;\xc5tG\x8d\x14#\xc1\xe2\x02R\xe8\xe4\x92\x0e\x00\x83\xc4\x04;\xc5\x89\x07u2\x8d\x84$\x14\x01\x00\x00\x8dL$\x14PQUUh\xb05\xa8\x00\xe8{\x91\x0e\x00\x83\xc4\x14\x8d\x94$\x14\x01\x00\x00\x8dD$\x14h\x05\x01\x00\x00R\xe9\xc6\x01\x00\x00\x8b\x03;\xc5tH\x8b\x0fVPj\x0cQ\xe8O\xa0\x0e\x00\x8b\x0b\x83\xc4\x10;\xc1t3\x8d\x94$\x14\x01\x00\x00\x8dD$\x14RPUUh\xb05\xa8\x00\xe8.\x91\x0e\x00\x83\xc4\x14\x8d\x8c$\x14\x01\x00\x00\x8dT$\x14h\x13\x01\x00\x00QR\xe9y\x01\x00\x00V\x8do\x14j\x01j\x04U\xe8\x05\xa0\x0e\x00\x83\xc4\x10\x83\xf8\x01t4\x8d\x84$\x14\x01\x00\x00\x8dL$\x14PQj\x00j\x00h\xb05\xa8\x00\xe8\xe3\x90\x0e\x00\x83\xc4\x14\x8d\x94$\x14\x01\x00\x00\x8dD$\x14h\x1d\x01\x00\x00R\xe9\x86\xfe\xff\xffV\x8d_\x10j\x01j\x04S\xe8\xbb\x9f\x0e\x00\x83\xc4\x10\x83\xf8\x01t5\x8d\x8c$\x14\x01\x00\x00\x8dT$\x14QRj\x00j\x00h\xb05\xa8\x00\xe8\x99\x90\x0e\x00\x83\xc4\x14\x8d\x84$\x14\x01\x00\x00\x8dL$\x14h$\x01\x00\x00PQ\xe9<\xfe\xff\xffVj\x01\x8dW\x18j\x01R\xe8p\x9f\x0e\x00\x83\xc4\x10\x83\xf8\x01t4\x8d\x84$\x14\x01\x00\x00\x8dL$\x14PQj\x00j\x00h\xb05\xa8\x00\xe8N\x90\x0e\x00\x83\xc4\x14\x8d\x94$\x14\x01\x00\x00\x8dD$\x14h+\x01\x00\x00R\xe9\xf1\xfd\xff\xff\x8bE\x003\xed;\xc5tC\xc1\xe0\x04P\xe8j\x91\x0e\x00\x83\xc4\x04;\xc5\x89G\x0cu0\x8d\x8c$\x14\x01\x00\x00\x8dT$\x14QRUUh\xb05\xa8\x00\xe8\x00\x90\x0e\x00\x83\xc4\x14\x8d\x84$\x14\x01\x00\x00\x8dL$\x14h7\x01\x00\x00PQ\xebN\x8b\x03;\xc5\x0f\x84\xc9\x00\x00\x00\x8bW\x0cVPj\x10R\xe8\xd1\x9e\x0e\x00\x8b\x0b\x83\xc4\x10;\xc1to\x8d\x84$\x14\x01\x00\x00\x8dL$\x14PQUUh\xb05\xa8\x00\xe8\xb0\x8f\x0e\x00\x83\xc4\x14\x8d\x94$\x14\x01\x00\x00\x8dD$\x14hE\x01\x00\x00RP\xe8\xc7\x13\x0b\x00Ph\xe8p\x98\x00h\xd0$\xae\x00\xe8&\x8f\x0e\x00Uh\xd0$\xae\x00h\xe0p\x98\x00\xe8\x07\xc5\xd8\xffV\x89-4z\xb6\x00\xe8t\x9c\x0e\x00\x83\xc4(_^]3\xc0[\x81\xc4\x04\x02\x00\x00\xc3;\xcd\x89l$\x10~<3\xd2\x8bO\x0c\x8bD\x11\x0c\x8dL\x11\x0c\x83\xf8\xfft\x16\x8d,\x80\xc1\xe5\x03+\xe8\xa1\xb0#\xae\x00\x8d\x04h3\xed\x89\x01\xeb\x02\x89)\x8bD$\x10\x8b\x0b#\x83\xc2\x10;\xc1\x89D$\x10|\xc6\xa1\x10q\xdd\x00\x993\xc2+\xc2=)\xe0\x03\x00\x0f\x8c\x80\x00\x00\x00Vj\x01j\x04h\xa45\xa8\x00\xe8\xf1\x9d\x0e\x00\x83\xc4\x10\x83\xf8\x01ti\x8d\x8c$\x14\x01\x00\x00\x8dT$\x14QRUUh\xb05\xa8\x00\xe8\xd1\x8e\x0e\x00\x83\xc4\x14\x8d\x84$\x14\x01\x00\x00\x8dL$\x14h\\\x01\x00\x00PQ\xe8\xe8\x12\x0b\x00Ph\xe8p\x98\x00h\xd0$\xae\x00\xe8G\x8e\x0e\x00Uh\xd0$\xae\x00h\xe0p\x98\x00\xe8(\xc4\xd8\xff\x83\xc4$\x89-4z\xb6\x003\xc0_^][\x81\xc4\x04\x02\x00\x00\xc3V\xe8\x85\x9b\x0e\x00\x83\xc4\x04\xb8\x01\x00\x00\x00_^][\x81\xc4\x04\x02\x00\x00\xc3\x90\x90\x90\x90\x90\x90\x90\x90\x90\x81\xec\x04\x02\x00\x00SUVWh(\x7f\x9a\x00h\xe05\xa8\x00\x8b\xf1h\xa0}\x98\x00\xe8 \xff\n'
I then apply the changes using OllyDbg and re run readtest.py
b'Wf93\x8b\xe9\x89t$\x10u\x05\xe8\x83\'\x00\x00f\x81{\x02\xd3\x07sP\xa1\xe4\xf2\x9c\x00\x8b\x15\xa8#\xae\x00\x8d\x0c\xc0\xc1\xe1\x04\x03\xc8\x8d\x84J\x80\x00\x00\x00\x8b\x8cJ\x80\x00\x00\x00;\xcet+\x8b\t\x89\r\xa45\xa8\x00\x890\xa1\xe4\xf2\x9c\x00\x8d\x14\xc0\xc1\xe2\x04\x03\xd0\xa1\xa8#\xae\x00\x8d\x0cPQ\xe8A\xfb\xcd\xff\x83\xc4\x04\x89pij\xffh\xd3\x07\x00\x00j\x06j\x01\x8dL$,\xe8\xc7\xe6\xce\xff\x8b\x08\x8bP\x04\x89L$\x14f\x8bD$\x16f;C\x02\x89T$\x18\x0f\x85\xa4\x00\x00\x00f;\x0b\x0f\x85\x9b\x00\x00\x00\xa1\xa45\xa8\x00\x83\xf8\xff\x0f\x84\x8d\x00\x00\x00\x8b\x15\xb0#\xae\x00\x8d\x0c\x80\xc1\xe1\x03+\xc8\xa1\xe4\xf2\x9c\x00\x8d\x0cJ\x8d\x14\xc0\xc1\xe2\x04\x03\xd0\xa1\xa8#\xae\x00\x89\x8cP\x80\x00\x00\x00\xa1\xe4\xf2\x9c\x00\x8b\x15\xa8#\xae\x00\x8d\x0c\xc0\xc1\xe1\x04\x03\xc8\x8d4JV\xe8\xae\xfa\xcd\xff\x8b\x8e\x80\x00\x00\x00\x83\xc4\x04\x89Hi\xa1\xa45\xa8\x00\xb9\x90_\x01\x00\x8d\x14\x80\xc1\xe2\x03+\xd0\xa1\xb0#\xae\x00\x89LP<\xa1\xa45\xa8\x00\x8d\x14\x80\xc1\xe2\x03+\xd0\xa1\xb0#\xae\x00\x89LP#\xc7\x05\xa45\xa8\x00\xff\xff\xff\xff\x0f\xbf\x03\x99\xb9\x1e\x00\x00\x00\xf7\xf9\x85\xd2\x0f\x85\xb2\x00\x00\x00\x8b}\x00\x85\xff\x0f\x84\xa7\x00\x00\x00\x8bE\x043\xf6\x85\xc0\x0f\x8e\x9a\x00\x00\x00\x8b\x13\x8bC\x04\x89T$\x14f\x8bT$\x16\x89D$\x183\xc0\x8d\x0c#\x8dD\x8f\x04f\x8bL\x8f\x06f;\xd1w\x15r\'f\x8b\\$\x143\xc9f;\x18\x0f\x9f\xc1\x8b\xc1\x85\xc0t\x14\x8bD$\x10\x8bM\x04#F\x89D$\x10\x0f\xbf\xc6;\xc1|\xc6\x8bD$\x10f\x85\xc0tC\x0f\xbf\xd0\x8bE\x04;\xd0}\x1d\x8d\x0cR+\xc2\xc1\xe1\x02H\x8d\x04#\x8d4\x87\x8b\xc1\xc1\xe9\x02\xf3\xa5\x8b\xc8\x83\xe1\x03\xf3\xa4\x8bE\x04\x8bM\x00+\xc2h\x80\xe3\x85\x00j\x0cPQ\x89E\x04\xe8\x08\x99\x0e\x00\x83\xc4\x10_^][\x83\xc4\x14\xc2\x04\x00\x90\x90\x90\x90\x90\x90\x90\x90\x81\xec\x04\x02\x00\x00SUVWh(\xf9\x98\x00h\xe05\xa8\x00\x8b\xf9h\xa0}\x98\x00\xe8\x80\x03\x0b\x00\x83\xc4\x08P\xe8\x97\xa0\x0e\x00\x8b\xf0\x83\xc4\x08\x85\xf6\x0f\x84"\x03\x00\x00V\x8do\x08j\x01j\x04U\xe8z\xa1\x0e\x00\x83\xc4\x10\x83\xf8\x01tv\x8dD$\x14\x8d\x8c$\x14\x01\x00\x00PQj\x00j\x00h\xb05\xa8\x00\xe8X\x92\x0e\x00\x83\xc4\x14\x8dT$\x14\x8d\x84$\x14\x01\x00\x00h\xf2\x00\x00\x00RP\xe8o\x16\x0b\x00Ph\xe8p\x98\x00h\xd0$\xae\x00\xe8\xce\x91\x0e\x00j\x00h\xd0$\xae\x00h\xe0p\x98\x00\xe8\xae\xc7\xd8\xffV\xc7\x054z\xb6\x00\x00\x00\x00\x00\xe8\x17\x9f\x0e\x00\x83\xc4(3\xc0_^][\x81\xc4\x04\x02\x00\x00\xc3V\x8d_\x04j\x01j\x04S\xe8\xee\xa0\x0e\x00\x83\xc4\x10\x83\xf8\x01t5\x8d\x8c$\x14\x01\x00\x00\x8dT$\x14QRj\x00j\x00h\xb05\xa8\x00\xe8\xcc\x91\x0e\x00\x83\xc4\x14\x8d\x84$\x14\x01\x00\x00\x8dL$\x14h\xf9\x00\x00\x00PQ\xe9o\xff\xff\xff\x8bE\x003\xed;\xc5tG\x8d\x14#\xc1\xe2\x02R\xe8\xe4\x92\x0e\x00\x83\xc4\x04;\xc5\x89\x07u2\x8d\x84$\x14\x01\x00\x00\x8dL$\x14PQUUh\xb05\xa8\x00\xe8{\x91\x0e\x00\x83\xc4\x14\x8d\x94$\x14\x01\x00\x00\x8dD$\x14h\x05\x01\x00\x00R\xe9\xc6\x01\x00\x00\x8b\x03;\xc5tH\x8b\x0fVPj\x0cQ\xe8O\xa0\x0e\x00\x8b\x0b\x83\xc4\x10;\xc1t3\x8d\x94$\x14\x01\x00\x00\x8dD$\x14RPUUh\xb05\xa8\x00\xe8.\x91\x0e\x00\x83\xc4\x14\x8d\x8c$\x14\x01\x00\x00\x8dT$\x14h\x13\x01\x00\x00QR\xe9y\x01\x00\x00V\x8do\x14j\x01j\x04U\xe8\x05\xa0\x0e\x00\x83\xc4\x10\x83\xf8\x01t4\x8d\x84$\x14\x01\x00\x00\x8dL$\x14PQj\x00j\x00h\xb05\xa8\x00\xe8\xe3\x90\x0e\x00\x83\xc4\x14\x8d\x94$\x14\x01\x00\x00\x8dD$\x14h\x1d\x01\x00\x00R\xe9\x86\xfe\xff\xffV\x8d_\x10j\x01j\x04S\xe8\xbb\x9f\x0e\x00\x83\xc4\x10\x83\xf8\x01t5\x8d\x8c$\x14\x01\x00\x00\x8dT$\x14QRj\x00j\x00h\xb05\xa8\x00\xe8\x99\x90\x0e\x00\x83\xc4\x14\x8d\x84$\x14\x01\x00\x00\x8dL$\x14h$\x01\x00\x00PQ\xe9<\xfe\xff\xffVj\x01\x8dW\x18j\x01R\xe8p\x9f\x0e\x00\x83\xc4\x10\x83\xf8\x01t4\x8d\x84$\x14\x01\x00\x00\x8dL$\x14PQj\x00j\x00h\xb05\xa8\x00\xe8N\x90\x0e\x00\x83\xc4\x14\x8d\x94$\x14\x01\x00\x00\x8dD$\x14h+\x01\x00\x00R\xe9\xf1\xfd\xff\xff\x8bE\x003\xed;\xc5tC\xc1\xe0\x04P\xe8j\x91\x0e\x00\x83\xc4\x04;\xc5\x89G\x0cu0\x8d\x8c$\x14\x01\x00\x00\x8dT$\x14QRUUh\xb05\xa8\x00\xe8\x00\x90\x0e\x00\x83\xc4\x14\x8d\x84$\x14\x01\x00\x00\x8dL$\x14h7\x01\x00\x00PQ\xebN\x8b\x03;\xc5\x0f\x84\xc9\x00\x00\x00\x8bW\x0cVPj\x10R\xe8\xd1\x9e\x0e\x00\x8b\x0b\x83\xc4\x10;\xc1to\x8d\x84$\x14\x01\x00\x00\x8dL$\x14PQUUh\xb05\xa8\x00\xe8\xb0\x8f\x0e\x00\x83\xc4\x14\x8d\x94$\x14\x01\x00\x00\x8dD$\x14hE\x01\x00\x00RP\xe8\xc7\x13\x0b\x00Ph\xe8p\x98\x00h\xd0$\xae\x00\xe8&\x8f\x0e\x00Uh\xd0$\xae\x00h\xe0p\x98\x00\xe8\x07\xc5\xd8\xffV\x89-4z\xb6\x00\xe8t\x9c\x0e\x00\x83\xc4(_^]3\xc0[\x81\xc4\x04\x02\x00\x00\xc3;\xcd\x89l$\x10~<3\xd2\x8bO\x0c\x8bD\x11\x0c\x8dL\x11\x0c\x83\xf8\xfft\x16\x8d,\x80\xc1\xe5\x03+\xe8\xa1\xb0#\xae\x00\x8d\x04h3\xed\x89\x01\xeb\x02\x89)\x8bD$\x10\x8b\x0b#\x83\xc2\x10;\xc1\x89D$\x10|\xc6\xa1\x10q\xdd\x00\x993\xc2+\xc2=)\xe0\x03\x00\x0f\x8c\x80\x00\x00\x00Vj\x01j\x04h\xa45\xa8\x00\xe8\xf1\x9d\x0e\x00\x83\xc4\x10\x83\xf8\x01ti\x8d\x8c$\x14\x01\x00\x00\x8dT$\x14QRUUh\xb05\xa8\x00\xe8\xd1\x8e\x0e\x00\x83\xc4\x14\x8d\x84$\x14\x01\x00\x00\x8dL$\x14h\\\x01\x00\x00PQ\xe8\xe8\x12\x0b\x00Ph\xe8p\x98\x00h\xd0$\xae\x00\xe8G\x8e\x0e\x00Uh\xd0$\xae\x00h\xe0p\x98\x00\xe8(\xc4\xd8\xff\x83\xc4$\x89-4z\xb6\x003\xc0_^][\x81\xc4\x04\x02\x00\x00\xc3V\xe8\x85\x9b\x0e\x00\x83\xc4\x04\xb8\x01\x00\x00\x00_^][\x81\xc4\x04\x02\x00\x00\xc3\x90\x90\x90\x90\x90\x90\x90\x90\x90\x81\xec\x04\x02\x00\x00SUVWh(\x7f\x9a\x00h\xe05\xa8\x00\x8b\xf1h\xa0}\x98\x00\xe8 \xff\n'
They are both the same.
What am I doing wrong? Why can I not see a change in the readline()?
#Ethan Furman
offset1 = 0x472077
offset2 = 0x472078
offset3 = 0x472079
offset4 = 0x47208a
offset5 = 0x47208b
offset6 = 0x47208c
newvalue1 = b'\xe9'
newvalue2 = b'\xe9'
newvalue3 = b'\x00'
newvalue4 = b'\x00'
newvalue5 = b'\x00'
newvalue6 = b'\x90'
#originals
#offset old new
#0x472077 0xf 0xe9
#0x472078 0x85 0xe9
#0x472079 0xe8 0x0
#0x47208a 0x0 0x0
#0x47208b 0x0 0x0
#0x47208c 0x0 0x90
with open('test.exe', 'r+b') as victim:
victim.seek(offset1)
victim.write(newvalue1)
victim.seek(offset2)
victim.write(newvalue2)
victim.seek(offset3)
victim.write(newvalue3)
victim.seek(offset4)
victim.write(newvalue4)
victim.seek(offset5)
victim.write(newvalue5)
victim.seek(offset6)
victim.write(newvalue6)
The hard part is not changing the file, it's know what the codes are:
NOP = ???
OFFSET = 0x0045b82c
with open('some.exe', 'r+b') as victim:
victim.seek(OFFSET)
victim.write(NOP * 2)
I have an application which read live SIP Packets and decode information in real time.
when packet is small UDP/TCP is able to get the information, but when packet is large, it arrives in different segments:
The following is an extract from Wireshark:
3 Reassembled TCP Segments (3331 bytes): #1(1448), #3(1448), #5(435)
Frame: 1, payload: 0-1447 (1448 bytes)
Frame: 3, payload: 1448-2895 (1448 bytes)
Frame: 5, payload: 2896-3330 (435 bytes)
Segment count: 3
Reassembled TCP length: 3331
My application believes there is a new SIP Packet for each fragment and fails to decode info.
How can I do this? I need to read the packet, assemble all sip message if fragmented and pass the info to my control module. This is my current code:
s = socket.socket( socket.AF_PACKET , socket.SOCK_RAW , socket.ntohs(0x0003))
while (True):
packet = s.recvfrom(65565)
#packet string from tuple
packet = packet[0]
#parse ethernet header
eth_length = 14
eth_header = packet[:eth_length]
eth = unpack('!6s6sH' , eth_header)
eth_protocol = socket.ntohs(eth[2])
if eth_protocol == 8 :
#Parse IP header
#take first 20 characters for the ip header
ip_header = packet[eth_length:20+eth_length]
#now unpack them :)
iph = unpack('!BBHHHBBH4s4s' , ip_header)
version_ihl = iph[0]
version = version_ihl >> 4
ihl = version_ihl & 0xF
iph_length = ihl * 4
ttl = iph[5]
protocol = iph[6]
s_addr = socket.inet_ntoa(iph[8]);
d_addr = socket.inet_ntoa(iph[9]);
#TCP protocol
if protocol == 6 :
t = iph_length + eth_length
tcp_header = packet[t:t+20]
#now unpack them :)
tcph = unpack('!HHLLBBHHH' , tcp_header)
source_port = tcph[0]
dest_port = tcph[1]
sequence = tcph[2]
acknowledgement = tcph[3]
doff_reserved = tcph[4]
tcph_length = doff_reserved >> 4
if dest_port == sipLocatorConfig.SIP_PORT:
print
logging.info("------------------------------------------------------SIP Packet detected------------------------------------------------------")
h_size = eth_length + iph_length + tcph_length * 4
data_size = len(packet) - h_size
#get data from the packet
data = packet[h_size:]
ipInfo = {}
ipInfo['protocol'] = protocol
ipInfo['s_addr'] = str(s_addr)
ipInfo['source_port'] = source_port
ipInfo['d_addr'] = str(d_addr)
ipInfo['dest_port'] = dest_port
processSipPacket(data,ipInfo)
I believe this is what I wrote bufsock for:
http://stromberg.dnsalias.org/~strombrg/bufsock.html
It allows you to say "give me all the data until the next null" or "give me the next 64 bytes" and similar things. It deals intelligently with fragmented and aggregated packets.
Unlike many such tools, it does not require that you have bufsock at both the producer and the consumer - you can use it fine on one end and not the other. It is a little bit like stdio for sockets, in python.
It works on CPython 2.x, CPython 3.x, Pypy, Pypy3 (which is still beta at this time) and Jython.