Pwntools Quick Reference
========================

INSTALLATION
  pip install pwntools

CONNECTION
  from pwn import *

  # Remote connection
  r = remote("host", port)

  # Local process
  p = process("./binary")

  # SSH
  s = ssh("user", "host", password="pass")

SEND / RECEIVE
  r.send(b"data")               Send raw bytes
  r.sendline(b"data")           Send + newline
  r.sendafter(b"prompt", data)  Send after receiving
  r.sendlineafter(b">", data)   Sendline after prompt

  r.recv(1024)                  Receive up to N bytes (may return fewer)
  r.recvline()                  Receive one line
  r.recvuntil(b":")             Receive until delimiter
  r.recvall()                   Receive everything until EOF
  r.interactive()               Interactive mode

PACKING / UNPACKING
  p32(0x41414141)               Pack 32-bit (little-endian)
  p64(0x41414141)               Pack 64-bit
  u32(b"\x41\x41\x41\x41")     Unpack 32-bit
  u64(data)                     Unpack 64-bit
  p32(addr, endian='big')       Big-endian pack

ELF ANALYSIS
  e = ELF("./binary")
  e.symbols["main"]             Symbol address
  e.got["puts"]                 GOT entry
  e.plt["puts"]                 PLT entry
  e.search(b"/bin/sh")          Search for bytes
  e.address                     Base address

ROP
  rop = ROP(e)
  rop.call("puts", [got_puts])  Call function
  rop.raw(gadget_addr)          Raw gadget
  rop.chain()                   Build chain
  rop.find_gadget(["pop rdi"])  Find gadget

SHELLCODE
  shellcraft.sh()               /bin/sh shellcode
  shellcraft.cat("flag.txt")    cat file
  asm(shellcraft.sh())          Assemble shellcode

CRYPTO
  xor(data, key)                XOR data with key
  xor_key(plain, cipher)        Find XOR key

CONTEXT
  context.arch = "amd64"        Set architecture
  context.os = "linux"          Set OS
  context.log_level = "debug"   Log all sent/received data
  context.terminal = ["tmux", "splitw", "-h"]

FORMAT STRING
  fmtstr_payload(offset, {addr: value})

COMMON PATTERNS
  # Buffer overflow
  payload = b"A" * offset
  payload += p64(ret_addr)
  r.sendline(payload)

  # Leak address
  r.recvuntil(b"output: ")
  leak = u64(r.recv(6).ljust(8, b"\x00"))
