创建: 2021-11-12 12:29
http://scz.617.cn:8/python/202111121229.txt
假设内存数据如下
> db poi(poi(@rdx))+4 l 0x10
00007fff`84893914 01 6b 77 45 56 59 85 44-9f 80 f4 28 f7 d6 01 29
不考虑"dt ntdll!_GUID",可用如下Python脚本转成
{45776b01-5956-4485-9f80-f428f7d60129}
x = '01 6b 77 45 56 59 85 44-9f 80 f4 28 f7 d6 01 29'
x = x.replace( '-', '' ).replace( ' ', '' )
y = x[0:8]
x0 = ''.join( map( str.__add__, y[-2::-2], y[-1::-2] ) )
y = x[8:12]
x1 = ''.join( map( str.__add__, y[-2::-2], y[-1::-2] ) )
y = x[12:16]
x2 = ''.join( map( str.__add__, y[-2::-2], y[-1::-2] ) )
x3 = x[16:20]
x4 = x[20:]
print( x0 + '-' + x1 + '-' + x2 + '-' + x3 + '-' + x4 )
上面的办法蠢透了,bluerust演示了uuid模块的正确用法
import uuid
x = '01 6b 77 45 56 59 85 44-9f 80 f4 28 f7 d6 01 29'
x = bytes.fromhex( x.replace( '-', '' ).replace( ' ', '' ) )
print( uuid.UUID( bytes_le=x ) )
之前测过Python的uuid模块,测过bytes,bytes什么都没转,完全是顺序的,想当然地以为bytes_le是整体逆序,那没意义啊,谁知它实际上符合预期。没认真看文档,也没认真实测。
已知UUID,将之转换成两个64位整数,windbg条件断点用得上
x = '45776b01-5956-4485-9f80-f428f7d60129'
x = x.replace( '-', '' )
y = x[16:]
print( x[12:16] + x[8:12] + x[0:8] )
print( ''.join( map( str.__add__, y[-2::-2], y[-1::-2] ) ) )
$ python3 -c "import sys;x=sys.argv[1].replace('-','');y=x[16:];print(x[12:16]+x[8:12]+x[0:8]);print(''.join(map(str.__add__,y[-2::-2],y[-1::-2])))" 45776b01-5956-4485-9f80-f428f7d60129
4485595645776b01
2901d6f728f4809f
下面是uuid模块的正确用法
import uuid
x = '45776b01-5956-4485-9f80-f428f7d60129'
x = x.replace( '-', '' )
x = uuid.UUID( x ).bytes_le.hex()
y = x[0:16]
print( ''.join( map( str.__add__, y[-2::-2], y[-1::-2] ) ) )
y = x[16:]
print( ''.join( map( str.__add__, y[-2::-2], y[-1::-2] ) ) )
4485595645776b01
2901d6f728f4809f